OpenSAFE : Hardware-Based Network Monitoring Using Software Control

semanticscholar(2011)

Abstract
Administrators of today’s networks are highly interested in monitoring traffic for purposes of collecting statistics, detecting intrusions, and providing forensic evidence. Unfortunately, network size and complexity can make this a daunting task. Aside from the problems in analyzing the network traffic itself for this information—an extremely difficult task on its own—a more fundamental problem exists: how to direct the traffic for network analysis and measurement in a flexible, high performance manner. Current solutions fail to fully address the challenges of directing traffic for both on- and off-path monitoring. In this paper, we propose OpenSAFE, a system for enabling the arbitrary direction of traffic for security monitoring applications at line rates. Flexible policies are specified in ALARMS, a flow specification language that greatly simplifies management of network monitoring appliances. Finally, we demonstrate our OpenSAFE implementation using both live network traffic and replayed traces. Analysis shows that our OpenSAFE implementation handles higher traffic volumes than our existing monitoring infrastructure.