An alchemists view from the bar

Network Security Alchemy

An OpenFPC Example: Clustering packet capture over multiple links/devices/countries.

with 3 comments

It’s been a while since my last post, but it’s because I’ve been busy working on ofpc. To rectify that, I thought I would share some of the concepts that are behind how OpenFPC should be able to grow rapidly into a distributed system.

One of the more useful features of ofpc is its self-referencing method for scaling out master/master/slave devices. This concept generates interest whenever I explain it to people, but it isn't really documented anywhere, so let me introduce it here with a working example…

There are a few common situations where the master/slave relationship can provide real value via clustering.

  • Geographically separated network links with guaranteed or possible asymmetric traffic paths
  • Multi-link trunks
  • High(er) speed links where you need to spread traffic load over multiple slaves

Firstly, please forgive my terrible retro-diagram skills.

OpenFPC Cluster diagram

So here’s the situation:

There are two pipes between network “A” and network “B”, and for whatever reason you don’t know whether the traffic you want to grab from the buffer is in the archive of SLAVE1 or SLAVE2. You do know, however, that it will be in one or more of them. Combined, they become one *logical* network link.

By requesting the data from the master queue daemon responsible for these two devices (MASTER in the diagram) without specifying which slave to route the request to, the master searches and extracts from all of the slaves below it. The master ofpc-queued doesn’t need to live on a separate piece of hardware; it’s only drawn that way in the diagram.

Here’s an example of it functioning in my test environment.

lward@UbuntuDesktop:~/code/openfpc$ ./ofpc-client.pl  -a fetch \
 --src-addr=192.168.222.1 --dst-port=22
* ofpc-client.pl 0.1 *
Part of the OpenFPC project
Username: master
Password for user master : 
#####################################
Filename: /tmp/extracted-ofpc-1284615954.pcap
Size    : 7.0M
MD5     : a495c1f38dce3dc9dff50ead47a415ab
lward@UbuntuDesktop:~/code/openfpc$

This ofpc request provided me with a 7MB pcap file made up of the traffic seen by “slave1” and “slave2”. It’s all merged together, so I can inspect the traffic as the logical link carries it rather than only what was captured on one physical leg of the link. This isn’t limited to a maximum of two slaves; it can of course be many, many more.
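To make the fan-out and merge concrete, here is a small added Python sketch that is not OpenFPC’s own code (the project is written in Perl); the master/slave interface, the record layout and the sample packets are all assumptions constructed for illustration. A hypothetical master takes a request, sends it either to every slave or only to the one named with a device option (the two choices described below), and merges the returned pcaps by timestamp so the result reads as one logical link rather than two physical legs:

```python
import struct
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# pcap file-format constants: microsecond little-endian magic, Ethernet link type
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

Record = Tuple[int, int, bytes]  # (ts_sec, ts_usec, packet bytes)


def pcap_global_header() -> bytes:
    # magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)


def pcap_record(ts_sec: int, ts_usec: int, packet: bytes) -> bytes:
    # per-record header: ts_sec, ts_usec, incl_len, orig_len
    return struct.pack("<IIII", ts_sec, ts_usec, len(packet), len(packet)) + packet


def parse_pcap(data: bytes) -> List[Record]:
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    records, off = [], 24
    while off < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        packet = data[off:off + incl_len]
        if len(packet) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        records.append((ts_sec, ts_usec, packet))
        off += incl_len
    return records


def merge_pcaps(captures: Iterable[bytes]) -> bytes:
    # Interleave every slave's records by timestamp so the output reads as one
    # logical link. The sort is stable, so ties keep per-slave order.
    records: List[Record] = []
    for cap in captures:
        records.extend(parse_pcap(cap))
    records.sort(key=lambda r: (r[0], r[1]))
    return pcap_global_header() + b"".join(pcap_record(*r) for r in records)


SlaveFetch = Callable[[dict], bytes]


def master_fetch(slaves: Dict[str, SlaveFetch], request: dict,
                 device: Optional[str] = None) -> bytes:
    # Hypothetical master: no device given -> query every slave; device given -> only that one.
    if device is None:
        targets = sorted(slaves)
    elif device in slaves:
        targets = [device]
    else:
        raise KeyError("unknown device %r" % device)
    return merge_pcaps(slaves[name](request) for name in targets)


# Constructed sample data, not real captures: (ts_sec, ts_usec, (src_port, dst_port), packet).
# slave1 sees the A->B leg, slave2 the asymmetric B->A return leg of one SSH session.
_SLAVE_STORE = {
    "slave1": [
        (100, 0, (51234, 22), b"A->B SYN"),
        (100, 2000, (51234, 22), b"A->B ACK"),
        (100, 5000, (51235, 80), b"A->B unrelated HTTP"),
    ],
    "slave2": [
        (100, 1000, (22, 51234), b"B->A SYN/ACK"),
    ],
}


def _make_slave(name: str) -> SlaveFetch:
    # Each slave answers a request by filtering its own buffer and returning a pcap.
    def fetch(request: dict) -> bytes:
        hits = [(s, u, p) for s, u, ports, p in _SLAVE_STORE[name] if request["port"] in ports]
        return pcap_global_header() + b"".join(pcap_record(s, u, p) for s, u, p in hits)
    return fetch


SLAVES: Dict[str, SlaveFetch] = {name: _make_slave(name) for name in _SLAVE_STORE}


def logical_link_packets(request: dict, device: Optional[str] = None) -> List[bytes]:
    # Convenience wrapper: packet bytes of the merged result, in timestamp order.
    return [p for _, _, p in parse_pcap(master_fetch(SLAVES, request, device))]


if __name__ == "__main__":
    print(logical_link_packets({"port": 22}))            # both legs, interleaved
    print(logical_link_packets({"port": 22}, "slave2"))  # one leg only
```

With no device given, the SYN from slave1, the SYN/ACK from slave2 and the ACK from slave1 come back interleaved in the order the logical link carried them; naming `slave2` returns only the return-path leg.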

If for any reason I would still prefer to look only at the traffic on one slave, I can either:

  • Make an ofpc request directly to one of the ofpc-slave devices
  • Specify the device to focus on to the master

For example…

lward@UbuntuDesktop:~/code/openfpc$ ./ofpc-client.pl  -a fetch \
--src-addr=192.168.222.1 --dst-port=22 -o 4240 --device slave2
* ofpc-client.pl 0.1 *
Part of the OpenFPC project
Username: master
Password for user master :
#####################################
Filename: /tmp/extracted-ofpc-1284616271.pcap
Size    : 6.0M
MD5     : 68132e2e12c16665913cb1e7f36336f3
lward@UbuntuDesktop:~/code/openfpc$ 

If you want to test this feature out, make sure you’re using the latest openfpc code out of svn.

-Leon


Written by leonward

September 24, 2010 at 12:42 pm

Posted in OpenFPC, Security


3 Responses


  1. Cool project. Would love to help out when I get some time. Why --src etc. and not just bpf? Al

    al

    September 24, 2010 at 4:49 pm

    • Good question, with a hopefully valid answer:

      One of the goals of ofpc is to translate non-standard methods of requesting a session(s) into the pcap result. My own “ofpc-client.pl --src-addr” etc. is just another example of a non-standard request method (kind of by design). Think about requesting data by copy/pasting in an IPS, IIS, Firewall, Snort, or Apache log line, those can/will/are supported. There is a translation at the back-end into a BPF, it would be simple to add native BPF support. You can now consider it on the near-term TODO list.

      -Leon

      leonward

      September 24, 2010 at 5:51 pm

    • Oh, and by the way --bpf has now been added to svn.

      leonward

      October 2, 2010 at 7:58 am
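As an added illustration of the translation step described in the reply above (example code, not OpenFPC’s own implementation), here is a Python sketch that turns both a client-style request and a pasted Snort fast-alert line into a BPF filter. The function names and the sample alert line are constructed for the example. Two details matter for a capture cluster like the one in the post: a session pulled from an asymmetric link needs both directions in the filter, because the two legs may sit on different slaves, and every address and port is validated before it is concatenated into a filter string that will later be handed to a packet-capture tool.

```python
import ipaddress
import re
from typing import Optional

# Matches the address part of a Snort "fast" alert, e.g.
#   ... {TCP} 192.168.222.1:51234 -> 10.0.0.5:22
# Ports are optional because ICMP alerts carry none. IPv4 only, to keep the example short.
_SNORT_FAST = re.compile(
    r"\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)
_PROTOS = {"tcp", "udp", "icmp"}


def _proto(value: str) -> str:
    proto = value.lower()
    if proto not in _PROTOS:
        raise ValueError("unsupported protocol %r" % value)
    return proto


def _host(value: str) -> str:
    # ipaddress rejects anything that is not a literal address, so no stray
    # filter syntax can ride along into the BPF string.
    return str(ipaddress.ip_address(value.strip()))


def _port(value) -> int:
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % value)
    return port


def request_to_bpf(src_addr: Optional[str] = None, dst_addr: Optional[str] = None,
                   src_port: Optional[int] = None, dst_port: Optional[int] = None,
                   proto: Optional[str] = None) -> str:
    # Client-style request (the --src-addr/--dst-port form) to a one-directional BPF.
    terms = []
    if proto is not None:
        terms.append(_proto(proto))
    if src_addr is not None:
        terms.append("src host %s" % _host(src_addr))
    if dst_addr is not None:
        terms.append("dst host %s" % _host(dst_addr))
    if src_port is not None:
        terms.append("src port %d" % _port(src_port))
    if dst_port is not None:
        terms.append("dst port %d" % _port(dst_port))
    if not terms:
        raise ValueError("empty request would extract the whole buffer")
    return " and ".join(terms)


def snort_fast_to_bpf(line: str) -> str:
    # Pasted alert line to a BPF that matches BOTH directions of the session.
    m = _SNORT_FAST.search(line)
    if m is None:
        raise ValueError("not a Snort fast-alert line")
    proto = _proto(m.group("proto"))
    a, b = _host(m.group("src")), _host(m.group("dst"))
    if m.group("sport") is None or m.group("dport") is None:
        return "%s and host %s and host %s" % (proto, a, b)
    p, q = _port(m.group("sport")), _port(m.group("dport"))
    fwd = "src host %s and src port %d and dst host %s and dst port %d" % (a, p, b, q)
    rev = "src host %s and src port %d and dst host %s and dst port %d" % (b, q, a, p)
    return "%s and ((%s) or (%s))" % (proto, fwd, rev)


# Constructed sample alert line (not from a real sensor).
SAMPLE_ALERT = ("09/24-12:42:01.123456  [**] [1:2000:3] EXAMPLE ssh session [**] "
                "[Priority: 2] {TCP} 192.168.222.1:51234 -> 10.0.0.5:22")

if __name__ == "__main__":
    print(request_to_bpf(src_addr="192.168.222.1", dst_port=22))
    print(snort_fast_to_bpf(SAMPLE_ALERT))
```

The client-style request in the post (`--src-addr=192.168.222.1 --dst-port=22`) becomes `src host 192.168.222.1 and dst port 22`, while a pasted alert line yields a two-sided filter so that a reply seen only on the other slave is not silently dropped from the merged pcap.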

