May 23, 2021 by Sarah Banks
As we finished rolling out Corelight’s v21 software release, which saw the delivery of the world’s first 100G, 1U Zeek sensor, I was reminded of when I’d first read the “100G Intrusion Detection” paper written in 2015 at Berkeley Lab. The paper described the challenges they had getting to 100G Zeek processing in a cluster of servers, and this week I was struck by just how far we’ve come in the time since that paper was written.
With the Corelight AP 5000 Sensor, we’ve delivered the world’s first 100G Zeek sensor, all in a 1 rack unit (RU) form factor. It’s a feat of physics, and a feat of engineering, putting as much silicon and electronics into the smallest form factor as possible while driving 100G speeds for both ingest AND processing while keeping fan speeds below lift-off rates! Indeed, the AP 5000 delivers maximum performance in the most compact form factor available on the market.
This is important, namely because we see NDR workloads increasing across the industry. First, we’re seeing more and more Zeek packages developed by the open source community and by Corelight that customers want to deploy. We’ve also seen a common design paradigm where SOCs run Suricata to decorate Zeek log data ahead of arrival at the SIEM, and we added support for this functionality in recent product releases via a novel Zeek/Suricata data integration model and sensor CPU design architecture.. And new content arriving from the Corelight Labs team in our v21 release (15 RDP inferences and over 50 C2 detections and insights) – it was clear we needed to offer an updated platform to enable newer use cases or enhance existing ones.
If you need 100G physical connections, the AP 5000 has you covered with two for monitoring/ingestion. Like all Corelight appliances, customers can manage the AP 5000 through Fleet Manager, a powerful pane of centralized configuration glass that is pure Corelight innovation. Whatever you can do on an AP 1001 or AP 3000, you can do more with an AP 5000, whether your security requirements are driving high throughput today, or whether you’re planning ahead for network growth.
Last, if you’re looking for a platform that scales, the AP 5000 is it. It’ll generate Zeek logs, run any number of packages – Zeek or Content – and Suricata, while delivering the highest performance our portfolio has to offer. This is useful for deployments and SOCs where more than 10Gbps of monitoring is needed, particularly while running content and packages and/or Suricata – not to mention new Corelight content and packages expected over the coming months.
“The world’s first 100G Zeek sensor in a 1RU form factor” remains a powerful message for me to think about, and have the privilege to say and evangelize. As a long time network architect, I’ve always enjoyed working with vendors who give me as many “tools” in the proverbial toolbox as possible; it allows me to build my network the way I see fit, and not make compromises. The AP 5000 provides that rich set of tools and it’ll handle all the packages and content we have today, with plenty of horsepower left over for what’s next. We’ve come a long way from where the original white paper for “100G Zeek” started; delivering a compact 1RU that allows any natively-sized session on the 100G connection to flow where it may without being chopped up; and marrying it with Corelight-sourced advantages like Fleet Manager for simplified GUI configuration.
I’m excited for what lies ahead for the AP 5000, and what new use cases you might think to solve with it.
Tagged With: Zeek, network detection response, network security, Network Security Monitoring, network traffic analysis, network visibility, command and control, open source, open source community, Lawrence Berkeley Labs, SIEM, Announcements, Suricata, Product, Fleet Manager, intrusion detection, RDP, 100G, AP 5000