ZeekWeek 2022 - Network Tapping for Zeek - Michael Smitasin
By Michael Smitasin, Systems Security Architect, Lawrence Berkeley Labs

Visibility into a network can be crucial for both intrusion detection and troubleshooting, but achieving it in modern Research & Education networks with many 40G, 100G and future 400G links is challenging. Where should you tap? What hardware is available? How should it be configured? Berkeley Lab has been running Zeek/Bro since 1994 and we’ve used various forms of taps and tap aggregation since. This talk dives into our current configuration of tapping both at our border and throughout our internal network as we strive for pervasive visibility in a Zero Trust environment with more than 3Tbps of tapped link capacity.

This is a technical talk aimed at cyber security and network engineers who wish to deploy taps and tap aggregation to feed Zeek. It looks at the concepts of tapping, example hardware options and minimum configurations, static and dynamic ACLing, limitations of specific hardware, tap placement strategy in an R&E campus network for internal visibility, link aggregation for load balancing to Zeek clusters, and ends with Zeek cluster configuration under both FreeBSD and Linux. In the interest of time, it may gloss over certain details while leaving pointers for the audience to pursue on their own.

Speaker Bio: Michael Smitasin is a cyber security engineer at the Lawrence Berkeley National Laboratory. Previously a network engineer, his current work focuses on open network security architecture, tap aggregation and large-scale blocking.