BitBouncer (BB) is an AVC (Application Visibility and Control) network appliance, developed by HSD’s Technology arm. BB provides a comprehensive toolkit to enable network operators to achieve visibility and control of the network at the application layer.
BitBouncer
Achieve Application Visibility and Control with HSD BitBouncer
Features at a glance
- Application Visibility – complete visibility of applications in realtime, with option to record traffic and/or flows
- Application Control – configure custom rules to control, i.e., drop, copy or forward, matching application traffic
- Flexible configuration of input/output interfaces, with support for high-performance software packet capture technologies including (Linux) Netmap pipes and PF_RING
- Specialised output interfaces, including support for TAP devices and raw sockets, as well as Pcap output direct-to-disk.
- Support for Napatech hardware – based capture cards (up to 10G) as both input/output interfaces
- Web-based dashboard and admin UI – provides realtime visibility and reporting of analytics and administration by authorised personnel
- Advanced rule configuration, with support for Layer-4 (BPF) filters as well as custom application (Layer-7) protocols
- Optional device identification – BB discovers network devices by inspecting DHCP and Bonjour traffic
- Time Series (embedded SQLite) database persistence for metrics, with configurable sample times (1s, 1m, 10m, 1h, 1d) and matching retention periods
- Enterprise ready – AD/LDAP integration option for authentication and authorisation; support for Oracle/PostgreSQL databases for demanding database loads.
- Support for Silicom Ethernet Bypass cards – for inline, network tap, configurations
Application Layer Visibility
The application-layer visibility engine at the heart of BB is Procera Networks’ NAVL. The engine supports the classification and extraction of metadata in real-time.
Integration
From its inception, BB was designed with integration in mind, not just as a “black box” appliance. This design is reflected in the feature set, which includes options designed to support integration with complementary systems and services.
Capability
Overview
AD/LDAP Directory
Ready integration with both AD and LDAP directories for centralised user authentication and authorisation in enterprise environments
NAVL Net Flow
Optional persistence of NAVL Net Flow files to disk for individual applications or based on custom rules
Packet Stamping
Packets may be stamped (“coloured”) using custom rules for processing by downstream services/systems
RESTful API
Ready integration with third-party tools - Scripting automation
TSDB (Time Series Database)
Optional persistence of time series metrics to TSDB, with configurable sampling and retention periods. Data collected may be consumed by diverse applications, e.g., Grafana for visualisation
Input/Output
BB supports a range of input/output options that enable flexible configurations whereby BB may be deployed as part of a pipeline, providing pre-or-post processing services.
The following tables provide a summary of the device support, respectively, for input and output. (The term “device” in this context includes software/hardware devices, as well logical devices such as streams and files.)
Input Device
Overview
Pcap device
Support for standard NICs (in “promiscuous” mode)
PF_RING
Support for PF_RING, a native Linux kernel-based high speed packet capture library
Napatech hardware capture card
Support for Napatech capture cards (as input device) for the most demanding applications (max 10GbE, for aggregate 20Gbps capture)
Silicom Ethernet Bypass card
Support for Silicom bypass cards for inline and network tap configurations
Output Device
Overview
Pcap (to disk)
Support for writing standard Pcap-format files to disk, enabling selective recording of the traffic of interest
Napatech hardware capture card
Support for Napatech capture cards (as output device) for the most demanding applications (max 10GbE, for aggregate 20Gbps throughput)
Netmap pipe
Support for O/S netmap pipes, enabling selective output of traffic of interest to applications running on same host
Raw sockets
Support for Linux raw sockets, enabling selective output of traffic of interest for post processing applications
TAP device
Support for Linux TAP devices, i.e., virtual network interfaces, enabling selective output of traffic of interest for post processing applications
Rules Engine
BB’s rule engine allows filtering to be performed at both the network and application layers.
At the network layer, BB supports the use of standard BFP (Berkeley Packet Filter) rules to filter traffic. The standard BPF grammar is available along with a custom (SQL-like) “in” operator, which may be used to match custom address blocks.
At the application layer, rules are applied to classes of applications, using the classification determined by the NAVL engine. These classifications take the form of simple names such as “FACEBOOK”, “SIP”, “YOUTUBE”. Matching applications is as simple as selecting the class of application by name.
Custom application rules provide the ability to further filter application traffic based on application metadata. Note, access to detailed metadata (fields) for particular protocols is subject to access to plaintext communications, or in other words encryption. In the case of TLS (Transport Layer Security), for example, the set of detailed metadata includes all information that is exchanged between the client and server in plaintext as part of the TLS “handshake”.
Network/Application Layer Rule
Overview
vlan and host in PrivateRange
Match VLAN-tagged packets in the “PrivateRange” custom address block
TLS and host=*.mysecureserver.com
Match TLS (traffic) where the servername matches “*.mysecureserver.com”, e.g., “www.mysecureserver.com”
Standard Actions
BB “actions” are commands that determine the fate of traffic matched by the rules engine. These actions may be likened to the standard actions available in conventional firewalls such as “Drop” and “Reject”.
Action
Overview
Nothing
The default action, i.e., traffic is analysed but no action is taken.
Copy to output stream
Copy traffic to a designated output “stream”, e.g., a netmap pipe, raw socket, etc.
Drop
Traffic is dropped (generally used for firewall applications)
Store to Pcap
Store (record) traffic to a Pcap dump file
MAC Stamp
Stamp (“colour”) packet for post-processing applications
