WeChat public account: RiboseYim  Personal site: http://riboseyim.github.io?source=chinaunix
Category: Systems operations
2016-03-20 00:08:28
2015 was a year full of activity that allowed us to improve our tools and provide a better service to the community.
The plan for 2016 is as follows:
Just as in 2015 we added support for 40 Gbit in PF_RING, in 2016 we will add support for 100 Gbit.
We already support the Accolade and Napatech 100 Gbit NICs in PF_RING, but our plan is to make 100 Gbit a commodity configuration,
so as soon as the new Intel Red Rock Canyon NICs are released (we expect them in January or February at the latest), we will support them in PF_RING.
A particularly noteworthy feature of these new NICs is that they support multiple speeds such as 10/25/40/100 Gbit and integrate an Ethernet switch,
which we plan/hope to use to offload some tasks that would otherwise use the main CPU.
Besides the Intel RRC, we will add support for additional 100 Gbit NICs, such as the InveaTech 100 Gbit NICs.
Just as with the move from 1 Gbit to 10 Gbit in past years, the 100 Gbit challenge does not simply mean more speed; it is a complete redesign of the applications.
Thanks to algorithmic innovation and a mature PF_RING ZC framework, we hope to release 100 Gbit and multi-10 Gbit monitoring products.
For this reason, at the FloCon conference next week, we will present a new version of nProbe named cento, which can analyse 100 Gbit of traffic on a standard Intel-based server.
This improvement already lets us handle 10 Gbit of traffic (500k concurrent ingress flows at 14.88 Mpps) on a single CPU core, which means you can do 40 Gbit NetFlow monitoring on an Intel E3 server costing less than 1000 dollars.
Last November at the Suricata conference, we demonstrated that PF_RING can successfully accelerate applications such as Suricata, Snort and Bro.
People usually want flow visibility (on 100% of the traffic) and, at the same time, to run an IDS (intrusion detection system) on selected traffic (e.g. all but encrypted traffic),
and in cento we have built and validated an engine that does exactly this.
This feature improves IDS scalability at high speeds (currently an IDS can barely handle 10 Gbit) and avoids having the IDS spend unnecessary time analysing traffic that is not of interest (e.g. YouTube and Netflix traffic).
In the current ntopng development version we already fully support Nagios and support Nfsen-like filtering (we will publish an announcement about this feature soon).
This year we hope to integrate ntopng with pfSense to implement firewall-based traffic classification, so that traffic can be selectively dropped, and to add traffic categorisation (e.g. social networks, news, business, etc.),
so that we can drop or prioritise traffic not only based on application protocol but also on information content.
Another area of interest for most of our users is the ability to select traffic by category (e.g. social networks, sports, chat, etc.) and choose which users may access that information;
schools and children are particularly interested in this feature, since it allows inappropriate content to be filtered.
Overall, with the release of v2 in this new phase, we hope to improve ntopng's performance and make the tool even more flexible.
As our users know, one of ntop's main goals has been to make cheap what used to be very expensive.
Over these years we hope to combine ntopng/n2disk/nprobe to meet the needs of everything from small networks to large enterprises, building a simple, user-friendly system (not all components are necessary; at minimum only ntopng is needed),
so that people can build a network sensor based on ntop software themselves and continuously monitor their network activity.
In the current ntopng git development branch you can already preview the new features: the ability to extract pcap packets, combined with flow search, with data stored in MySQL.
For those attending FloCon 2016, we will organise an ntop session on Wednesday at 5:30 PM, where we will cover the roadmap in more detail.
Stay tuned!
ntop 2016 Roadmap
2015 has been a year full of activities that allowed us to consolidate our tools and thus provide a better service to the community. In 2016 the plan is the following:
100 Gbit
As in 2015 we added support for 40 Gbit in PF_RING, 2016 will be the year of 100 Gbit. We already support the Accolade and Napatech 100 Gbit NICs in PF_RING, but the plan is to make 100 Gbit commodity, and thus as soon as the new Intel Red Rock Canyon adapters are available (we expect them in Jan or Feb at the latest) we will support them in PF_RING. This new adapter is very interesting as it supports various speeds (10/25/40/100 Gbit) and integrates an Ethernet switch that we plan/hope to use to offload some tasks to the adapter instead of using the main CPU. In addition to the Intel RRC we are adding support for additional 100 Gbit adapters such as the InveaTech 100 Gbit adapters.
nProbe Cento
As happened years ago when moving from 1 Gbit to 10 Gbit, the 100 Gbit challenge does not mean just more speed: it is a complete redesign of the applications. Thanks to innovation in computing and to a mature PF_RING ZC framework, we want to make 100 Gbit and multi-10 Gbit monitoring commodity. For this reason, next week at the FloCon conference we will present a new version of nProbe named cento, which is able to generate flows at 100 Gbit on a standard Intel-based server. This efficiency has allowed us to handle 10 Gbit of traffic (500k concurrent flows with ingress traffic of 14.88 Mpps) on a single CPU core, which means for instance that you can do 40 Gbit NetFlow monitoring using a sub-1000$ Intel E3 server.
Flow monitoring and Security
Last November at the Suricata conference, we demonstrated that PF_RING can successfully accelerate applications such as Suricata, Snort and Bro. As people often want both flow evidence (on 100% of the traffic) and an IDS running on selected traffic (e.g. all but encrypted traffic), in cento we have built an engine that allows doing exactly this. This will promote IDS scalability at higher speeds (currently they can hardly handle 10 Gbit) while avoiding spending unnecessary time analysing traffic that is not interesting for an IDS (e.g. YouTube or Netflix traffic).
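The split described above (flow records kept for every packet, only selected flows handed to the IDS) can be sketched in a few lines. The engine below is an added illustration written for this page, not cento's own code; it assumes a minimal dictionary per packet, treats a flow as "encrypted" once a TLS record header is seen, and collects the packets an IDS would receive instead of forwarding them.

```python
from dataclasses import dataclass


@dataclass
class FlowStats:
    packets: int = 0
    bytes: int = 0
    ids_bypass: bool = False  # once set, later packets of this flow skip the IDS path


def looks_like_tls(payload: bytes) -> bool:
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03.
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


class FlowEngine:
    """Flow evidence for 100% of packets; only non-bypassed flows reach the IDS."""

    def __init__(self):
        self.flows: dict = {}   # (src, sport, dst, dport) -> FlowStats
        self.to_ids: list = []  # packets an IDS (Suricata/Snort/Bro) would actually see

    def process(self, pkt: dict) -> bool:
        """Account the packet in its flow; return True if it was passed to the IDS."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        st = self.flows.setdefault(key, FlowStats())
        st.packets += 1
        st.bytes += len(pkt["payload"])
        if not st.ids_bypass and looks_like_tls(pkt["payload"]):
            st.ids_bypass = True  # encrypted: keep the flow record, stop feeding the IDS
        if not st.ids_bypass:
            self.to_ids.append(pkt)
        return not st.ids_bypass


# Constructed sample packets (not real captures): one TLS flow and one plain HTTP flow.
SAMPLE = [
    {"src": "10.0.0.5", "sport": 50000, "dst": "192.0.2.10", "dport": 443,
     "payload": b"\x16\x03\x01\x00\x05hello"},                     # TLS ClientHello-like
    {"src": "10.0.0.5", "sport": 50000, "dst": "192.0.2.10", "dport": 443,
     "payload": b"\x17\x03\x03\x00\x20" + b"\x00" * 32},           # TLS application data
    {"src": "10.0.0.5", "sport": 50001, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},  # cleartext HTTP
    {"src": "10.0.0.5", "sport": 50001, "dst": "192.0.2.10", "dport": 80,
     "payload": b""},                                              # bare ACK
]


def run_demo(packets=SAMPLE) -> FlowEngine:
    eng = FlowEngine()
    for p in packets:
        eng.process(p)
    return eng
```

With the constructed sample, both flows are accounted (84 bytes in total) while only the two HTTP packets are queued for the IDS.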
ntopng
In the current development version of ntopng, we have implemented full Nagios support and nfsen-like filtering (soon we’ll add a post about it). This year we want to integrate ntopng with pfSense for classifying traffic that the firewall can then selectively drop, and add traffic categorisation (e.g. dividing traffic into categories such as social network, news, business…) so that we can drop/prioritise traffic not only based on application protocols but also on information content. Another area of interest for most of our users is the ability to classify traffic into categories (e.g. social network, sport, chat, …) and decide which users can access which information; this is particularly interesting for schools and children, so that inappropriate content is blocked. In essence we want to extend the ntopng inline capabilities introduced with v2 to the next level, to make this tool even more flexible.
Affordable Sensors Everywhere
As our users know, one of the main ntop goals has been to make commodity what used to be very expensive. This year we want to combine ntopng/n2disk/nprobe (not all components will be necessary; the minimum is ntopng) to create a simple and user-friendly system able to serve the needs of small networks as well as of a large enterprise. People should be able to permanently monitor their network activities by building themselves a network sensor based on the ntop software. In the current ntopng git development branch you can already see a preview of the pcap-extraction capability integrated with the flow search over records stored by ntopng in MySQL.
For those attending the FloCon 2016 conference, we will organise an ntop BoF on Wednesday at 5.30PM where we will cover this roadmap in more detail.
Stay tuned!