Comprehensive IP Traffic Monitoring with FTAS System


Tomáš Košňar
CESNET, association of legal entities, Prague, Czech Republic

Abstract

The FTAS system is designed for large-scale, continuous, flow-based IP traffic monitoring. It is developed and operated primarily for the needs of the CESNET e-infrastructure (the national ICT infrastructure for research and development in the Czech Republic) and of the infrastructures and networks connected to it. This contribution presents selected examples of how typical user requests are solved: finding and visualising traffic of interest, its statistical post-processing and its periodical reporting, as well as on-the-fly and ex-post anomaly and attack detection.

Keywords: flow-based monitoring, IP traffic monitoring.

1 Introduction

Contemporary ICT infrastructures are complex systems. Although they are built on the same principles and standards, each has its own specifics that usually reflect its purpose: the architecture and technologies applied, the strategy and style of administration, a user community with its own behaviour, and so on. These small differences may imply rather diverse demands on the solutions and tools used for security and incident handling. Consequently it makes no sense to apply a fixed or closed all-in-one security solution in an era of rapid ICT development, growing variability and changing global user behaviour, when new types of security threats appear frequently. We have to be able to defend our infrastructures and users against known attacks and threats, but we also have to be able to analyse, understand and eliminate any new, unknown or atypical attempt to break in as fast as possible.

I am trying to express (at least for the traffic monitoring area) that the key role in ensuring a secure environment for users and efficient incident handling with minimal impact on the infrastructure we are responsible for is played by a) skilled, motivated and loyal personnel supported by b) open and flexible tools that are able to provide (among other things) complex traffic analysis on demand. The FTAS system is one such attempt: it primarily tries to be a generic platform for complex traffic analysis while remaining open to customisation, which may lead to automated statistical reporting as well as automated attack detection based on parameters specific to a particular network environment.

2 CESNET e-infrastructure and large-scale flow-based traffic monitoring

The CESNET e-infrastructure is a complex ICT infrastructure that focuses on direct support of the research and development community in the Czech Republic and its specific needs. This type of infrastructure is globally known as an NREN (National Research and Education Network). NRENs are built, developed and operated on a different basis than commercial networks. They are driven by user communities which develop and run many specific, demanding applications and also require dedicated single-purpose networks at different layers beside the shared IP service. The network infrastructure itself must be non-blocking and offer plenty of free capacity at any time. Natural NREN behaviour from the traffic perspective includes, for example, frequent jumps of tens of Gbps that would be considered attacks or anomalies in commercial networks. For these and other reasons NREN network behaviour must be as transparent as possible, without any traffic regulation (except for the elimination of extreme attacks). From the security perspective this approach requires careful and consistent monitoring, anomaly detection and the availability of traffic analysis tools throughout the infrastructure at all relevant layers; otherwise the infrastructure may become very dangerous (for capacity reasons) as a source or as a mirror (reflector) of massive network attacks. Cooperation with administrators and security teams in connected networks also has to be very close and well organised.

Flow-based IP traffic monitoring has a long history at CESNET. We started to develop dedicated SW systems as soon as flow-based traffic information became available: "ip-accounting" at the beginning, then all generations of so-called NetFlow data. Our main SW system for large-scale flow-based monitoring is called FTAS (Flow-based Traffic Analysis System). Beside that we also started to focus on monitoring based on accelerated programmable HW, and we develop and operate multi-purpose probes on our external lines. From the service perspective the CESNET e-infrastructure is a multi-layer hybrid network. We build and operate an optical layer (based on DWDM, currently up to 100 Gbps) as well as an IP/MPLS layer above it (running a 100 GE core). A simplified topology of the IP/MPLS backbone with the flow information sources for large-scale monitoring (blue: PE and CE routers) and the HW-accelerated probes (yellow) on all external lines is shown in Figure 1.

Figure 1: flow information sources in the CESNET e-infrastructure IP/MPLS core.

3 FTAS System

The FTAS system has been developed and operated for a long time (the first flow-based tools before 2000, the first generation of FTAS in 2002), and for the reasons mentioned in the introduction (the specific demands of different user groups) it may nowadays be considered a user-driven system: most new features and functions are implemented according to user community requests. The main purposes of the FTAS system are:

- to provide detailed traffic analysis over a short history (weeks) without any traffic condition being known in advance;
- to provide statistical post-processing of traffic of interest, aggregating big volumes of data while keeping the characteristics of the traffic for a long time (months, years);
- to provide periodical reporting based on statistical or security-oriented processing of flow information;
- to provide traffic anomaly detection in several ways, from on-the-fly (from the input flow information stream) to post-processed (based on retrieval of stored flow information).

The FTAS system logically consists of several more or less linked components. The basic component collects, processes and visualises the flow information received from the network (i.e. from the primary flow information sources). FTAS may be operated in a single-host (Figure 2) or a multi-host (Figure 3) configuration.

Figure 2: FTAS single-host architecture example.
Figure 3: FTAS multi-host architecture example.

FTAS is IP-version transparent with full IPv6 support, at the flow information transport layer as well as in the whole chain of flow information processing. It is able to process almost all known data formats in this area, such as NetFlow export versions 1, 5, 7 and 9 [1], IPFIX (NetFlow v10) [2, 3, 4, 5] and sFlow [6]. In the case of sFlow it essentially parses the packet samples carried in sFlow records. The internal data structure currently represents the set of the most frequently demanded flow information fields and is easily extendable (while keeping backward compatibility), including variable-length fields from IPFIX, the significant fields defined in NetFlow Flexible Extension, NetFlow Secure Event Logging and similar. The basic flow information processing chain is shown in Figure 4, with one addition not shown there: in the case of robust flow information sources it is possible to multiplex the input stream into several parallel ones (even to different FTAS nodes) to spread resource utilisation as needed.

Figure 4: FTAS input flow information processing chain.

Processed and stored flow information may be statistically post-processed (Figure 5) in order to keep the characteristics of the traffic while reducing the volume of data (the aggregation ratio is usually better than 1:100).

Figure 5: FTAS post-processing schema.

There are multiple ways to access the data collected and processed by FTAS. The first group is web-based access. The basic interactive web-based user interface serves for traffic information selection and visualisation and for system administration, and it targets skilled users: network and service administrators, CSIRTs and security specialists. It is designed for two-phase work: query once, visualise many times. The query form offers either a simplified (structured) or a comprehensive look-up user interface that allows query conditions to be set without limits.
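The formats paragraph above lists NetFlow v5 as one of the inputs FTAS accepts. The following is an added example, not FTAS code, of what a collector has to do at the very first step of the processing chain: unpack a v5 datagram and validate the header against the datagram length before trusting any of it, because the collector listens for UDP from whatever claims to be a router. The field layout is the classic v5 one; the sample datagram, addresses (documentation prefixes) and AS numbers are constructed here, not captured.

```python
"""NetFlow v5 datagram parsing as a collector does it (added example, not FTAS code)."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

HEADER_FMT = "!HHIIIIBBH"  # version, count, sys_uptime, unix_secs, unix_nsecs,
                           # flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # classic v5 record layout
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30  # v5 exporters put at most 30 records in one datagram


class NetFlowError(ValueError):
    """Raised for datagrams that must be dropped rather than counted."""


@dataclass(frozen=True)
class FlowRecord:
    src: IPv4Address
    dst: IPv4Address
    input_if: int
    output_if: int
    packets: int
    octets: int
    src_port: int
    dst_port: int
    tcp_flags: int
    proto: int
    src_as: int
    dst_as: int

    @property
    def bytes_per_packet(self) -> float:
        # flow records carry no per-packet length; the average is the usable proxy
        return self.octets / self.packets if self.packets else 0.0


def parse_v5(datagram: bytes):
    """Return (header dict, list of FlowRecord) or raise NetFlowError."""
    if len(datagram) < HEADER_LEN:
        raise NetFlowError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, eng_type, eng_id, sampling = \
        struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise NetFlowError(f"not NetFlow v5 (version field {version})")
    if not 1 <= count <= MAX_RECORDS:
        raise NetFlowError(f"implausible record count {count}")
    if len(datagram) != HEADER_LEN + count * RECORD_LEN:
        # never trust `count` alone: a short datagram would be read past its end,
        # a long one hides trailing garbage
        raise NetFlowError(f"length {len(datagram)} does not match count {count}")
    header = {
        "count": count, "sys_uptime_ms": uptime, "unix_secs": secs, "unix_nsecs": nsecs,
        "flow_sequence": seq, "engine": (eng_type, eng_id),
        # top two bits are the sampling mode, low 14 bits the sampling interval
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octs, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, sas, das, _smask, _dmask,
         _pad2) = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append(FlowRecord(IPv4Address(src), IPv4Address(dst), in_if, out_if,
                                  pkts, octs, sport, dport, flags, proto, sas, das))
    return header, records


def build_v5(records, seq=0, sampling_interval=0):
    """Construct a v5 datagram from (src, dst, in_if, out_if, pkts, octets, sport,
    dport, tcp_flags, proto, src_as, dst_as) tuples; used here only to make sample input."""
    header = struct.pack(HEADER_FMT, 5, len(records), 120000, 1400000000, 0, seq, 0, 0,
                         sampling_interval & 0x3FFF)
    body = b"".join(
        struct.pack(RECORD_FMT, IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4,
                    i, o, p, oc, 0, 0, sp, dp, 0, fl, pr, 0, sa, da, 24, 24, 0)
        for (s, d, i, o, p, oc, sp, dp, fl, pr, sa, da) in records)
    return header + body


# Constructed sample: one flood-like flow (SYN only, 1000-byte packets) and one
# ordinary web flow with a completed handshake.
SAMPLE = build_v5([
    ("192.0.2.10", "203.0.113.9", 12, 3, 500, 500000, 40001, 80, 0x02, 6, 64500, 64501),
    ("192.0.2.20", "203.0.113.9", 12, 3, 30, 4200, 51000, 443, 0x1B, 6, 64500, 64501),
], seq=1000)

if __name__ == "__main__":
    hdr, recs = parse_v5(SAMPLE)
    print(hdr)
    for r in recs:
        print(r.src, r.dst, r.dst_port, f"{r.bytes_per_packet:.0f} B/pkt", hex(r.tcp_flags))
```

The length check is the one that matters operationally: a collector that loops over `count` without it will either raise on a truncated datagram or silently accept padding after the records, and a source that can reach the UDP port can feed it either.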

A new interface that queries and visualises in a single step, intended for requests generated by devices (via specific URL construction), is under testing. The interactive UI scheme is shown in Figure 6.

Figure 6: FTAS interactive user interface scheme.

For ordinary users, users who aim at statistical overviews and manager-type reports, and users who need a click-and-see interface, there is a standalone module called FTAS-reporter. It emulates real user behaviour (given by configuration) in a never-ending loop and creates trees of static HTML documents bound together with vertical and horizontal links and indexes. It uses the interactive user interface in the background (Figure 7).

Figure 7: FTAS-reporter and interactive UI schema.

The second group of ways to access results processed by FTAS are notifications, typically transported by e-mail. Notifications may originate in different parts of the flow information processing. The first place where a notification can originate is a detected event in the anomaly detection module in the FTAS flow information processing core. This anomaly detection is tied to a traffic filter identifying traffic of interest, and traffic bursts are represented as a flow count limit per period. This is an immediate notification based on the current state without any knowledge of traffic history; therefore the limits here must be safe, and thus high. A simplified scheme of this processing is shown in Figure 8.

Figure 8: FTAS anomaly module behaviour and notification schema.

The second place where a notification can originate is within FTAS-reporter. It is usually based on flows stored by the anomaly detection module (as in the previous case, but without notification), which are periodically post-processed over a longer (configured) period, say 10 minutes. Here we can set softer limits in the "anomaly detection" module (as it is only a prerequisite), but we set hard summary limits for the behaviour during the whole period: in this case we look at the persistence of the event. An example of anomaly detection processing in FTAS-reporter is shown in Figure 9.

Figure 9: Anomaly detection in FTAS-reporter.

The last, specific kind of notification is the aggregated summary report covering several observed traffic characteristics (usually top-lists of something), sent all in one for a calendar period, typically the last day. This functionality is entirely within the FTAS-reporter module, which prepares plain-text reports as configured (instead of creating structures of HTML documents), joins them together and finally sends them to the configured destinations. This functionality is an example of an alternative visualisation of the same thing to fit the local habits of our users (we provide similar reports with a different style of visualisation for different groups of users). Typical sub-reports are: a top-list of local downloaders, a top-list of users of Microsoft ports, a top-list of nodes accessing the SMTP port (no real user sends e-mails at such a rate), top-lists of traffic from/to SSH, SNMP or DNS ports from/to the local network, etc.

4 FTAS practical examples

In the previous section I have tried to describe the basic principles on which FTAS is based. To understand it better, I give a few simple practical examples of how it can be used in everyday practice.

Example 1, ex-post verification of an incident: our CSIRT received a message about a TCP SYN flood from our AS against a particular network in period X, with packet lengths greater than 800 bytes, and without any further detail. In this case we use the FTAS interactive UI and analyse whether the flood a) originated in our AS and b) originated in a network with the appropriate prefix allocation; let us assume for this case that we apply neither BCP 38 nor any other reverse path check. An example query condition for the traffic selection is in Figure 10. It may be applied to data from all backbone edge routers (we retrieve the flow source and its interface indexes as well in order to discover the origin of the traffic). We found approximately 212k flow records, and in the first step we may look at a detailed sample (Figure 11), at its course in time (Figure 12) and finally at aggregated summary information including the interface, to verify the origin of the attack (Figure 13). With the help of an internal automated interface index translation (a service of G3, another of our monitoring systems) we can see SNMP ifIndex values translated into interface descriptions and addressing (Figure 13). All output examples are visualisations of the same query result in the FTAS interactive UI.

Example 2, on-the-fly anomaly detection and notification: automated (on-the-fly) detection, with notification, of potential sources of a TCP SYN flood from our AS. This is an example of an FTAS traffic filter configuration that acts as an anomaly detector. The filter configuration consists of two parts: the traffic selection condition (Figure 14) and the setup of how to process and store such traffic information (Figure 15). A corresponding notification example is in Figure 16. From the event and content perspective it demonstrates the same TCP SYN anomaly as the first example.
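Examples 1 and 2 look at the same TCP SYN anomaly in two ways: an on-the-fly filter with a flow count limit per period (the first notification place described in Section 3, with no history and therefore a high limit), and an ex-post query over stored records aggregated per exporter and ingress interface to find where the flood entered. The following added example, which is not FTAS code and does not reproduce its query syntax or the G3 ifIndex translation, implements both over constructed flow records. Two practitioner points it makes explicit: flow records carry no per-packet length, so the "packets longer than 800 bytes" condition becomes a bytes-per-packet test; and since the text assumes no BCP 38 filtering, the origin check compares each source address with the prefix assumed to be allocated behind the ingress interface. The prefixes, interface allocation map, exporter names and thresholds are all constructed for the example.

```python
"""SYN-flood detection (on-the-fly) and ex-post origin verification over flow records.
Added example, not FTAS code."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TCP = 6
SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Flow:
    ts: int         # flow start, seconds
    exporter: str   # router that exported the record
    in_if: int      # SNMP ifIndex the traffic entered on
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int
    flags: int      # cumulative TCP flags seen in the flow


# Constructed topology: prefixes originated by "our AS" and the prefix that
# legitimately sits behind each (exporter, ingress ifIndex).
OUR_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
IF_ALLOCATION = {
    ("pe1", 12): ip_network("192.0.2.0/24"),
    ("pe2", 7): ip_network("198.51.100.0/24"),
}


def from_our_as(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in p for p in OUR_PREFIXES)


def is_syn_flood_candidate(f: Flow, min_bytes_per_packet: int = 800) -> bool:
    """Example 1's selection: TCP with SYN set and ACK clear (no handshake completed),
    large packets on average, sourced from our AS."""
    if f.proto != TCP or f.packets == 0:
        return False
    if not (f.flags & SYN) or (f.flags & ACK):
        return False
    if f.octets / f.packets <= min_bytes_per_packet:
        return False
    return from_our_as(f.src)


def on_the_fly_alerts(stream, period: int = 60, flow_limit: int = 100):
    """Stage without history: count matching flows per (period, source) as they
    arrive and notify once when a source reaches the limit within one period.
    Returns the set of (period_start, src) that triggered."""
    counts = Counter()
    fired = set()
    for f in stream:
        if not is_syn_flood_candidate(f):
            continue
        key = (f.ts - f.ts % period, f.src)
        counts[key] += 1
        if counts[key] == flow_limit:  # exactly one notification per period and source
            fired.add(key)
    return fired


def attack_origin(records, t_from: int, t_to: int):
    """Ex-post: aggregate matching flows of period X by (exporter, ingress ifIndex)
    and count those whose source is not allocated behind that interface."""
    agg = defaultdict(lambda: {"flows": 0, "packets": 0, "spoofed": 0})
    for f in records:
        if not t_from <= f.ts < t_to or not is_syn_flood_candidate(f):
            continue
        e = agg[(f.exporter, f.in_if)]
        e["flows"] += 1
        e["packets"] += f.packets
        allocated = IF_ALLOCATION.get((f.exporter, f.in_if))
        if allocated is None or ip_address(f.src) not in allocated:
            e["spoofed"] += 1
    return dict(agg)


def sample_records():
    """Constructed data: 600 one-packet, 1000-byte SYN flows from three hosts entering
    pe1 ifIndex 12, every 100th one carrying an address that belongs behind pe2 instead,
    plus two flows that must not match (completed handshake; small SYN packet)."""
    recs = []
    for i in range(600):
        if i % 100 == 0:
            src = f"198.51.100.{i // 100 + 1}"   # our AS, but wrong ingress for it
        else:
            src = f"192.0.2.{10 + i % 3}"
        recs.append(Flow(1000 + i // 20, "pe1", 12, src, "203.0.113.9",
                         TCP, 40000 + i, 80, 1, 1000, SYN))
    recs.append(Flow(1010, "pe2", 7, "198.51.100.5", "203.0.113.9", TCP,
                     51234, 443, 20, 24000, SYN | ACK))
    recs.append(Flow(1012, "pe1", 12, "192.0.2.7", "203.0.113.9", TCP,
                     51235, 80, 1, 60, SYN))
    return recs


if __name__ == "__main__":
    recs = sample_records()
    print("on-the-fly:", sorted(on_the_fly_alerts(recs)))
    print("ex-post origin:", attack_origin(recs, 1000, 1030))
```

With the constructed data the three sources exceed the limit only in the first minute, which is the behaviour the text describes for the immediate stage: it fires on the current period alone and says nothing about whether the burst continues. The ex-post view attributes all 600 flows to pe1 ifIndex 12 and flags the six whose source addresses do not belong behind that interface, which is the manual substitute for the reverse path check the scenario assumes is absent.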

Figure 10: FTAS interactive UI, query condition to find the attack.
Figure 11: FTAS interactive UI, results - attack verification (detailed sample).
Figure 12: FTAS interactive UI, results - attack verification (course in time).
Figure 13: FTAS interactive UI, results - attack verification (aggregated summary with interfaces).
Figure 14: FTAS traffic filtering condition configuration.
Figure 15: FTAS filter as traffic anomaly detector configuration.
Figure 16: FTAS on-the-fly anomaly notification example.
Figure 17: FTAS-reporter, anomaly detection - overview page.
Figure 18: FTAS-reporter, anomaly detection - detailed report.
Figure 19: FTAS-reporter, anomaly detection - alternate overview page.

Example 3, anomaly detection in FTAS-reporter: an example of ex-post periodical detection of internal IP addresses that might be attacking port numbers 135, 445, ... We demonstrate the overview page (chronological, Figure 17), a single anomaly detail report (Figure 18) and an alternate overview page (top-list, Figure 19).

The examples presented above demonstrate only a fragment of FTAS functionality. Their purpose is to show the "there's more than one way to do it" principle (note: the Perl programming motto) which we try to incorporate into the FTAS system.

5 FTAS as a service in the CESNET e-infrastructure

In the CESNET e-infrastructure we provide FTAS-based services internally for network and service administrators and CSIRTs, of course. Beside that we also provide flow-based monitoring services powered by FTAS for our users. There are several typical architectures for delivering such services. The key points are a) which FTAS installation and b) which flow information data (topology aspects) to use.

The simplest architecture is to use the primary FTAS installation in the CESNET e-infrastructure backbone and filtered flow information exported from the nearest router (from the user network's perspective) (Figure 20). Users do not need to take care of anything in this case. On the other hand, they have no information about traffic that does not cross the backbone border.

Figure 20: FTAS service architecture 1.

The second option is to use the primary FTAS installation in the CESNET e-infrastructure backbone and export flow information from local devices to it (Figure 21). The user only has to take care of proper flow information export, and gets information about internal traffic too. In many cases users use a mix of architectures 1 and 2, exporting flow information from critical internal devices only.
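Example 3 above, and the second notification place described in Section 3, rely on a different trade-off than the on-the-fly stage: the anomaly module stores flows under a softer per-minute limit without notifying, and FTAS-reporter then post-processes a longer window (the text's 10 minutes) and reports only sources whose excess persisted, producing a chronological overview and a top-list alternate overview. The following is an added example of that two-stage scheme, not FTAS-reporter code; it applies it to the Example 3 scenario of internal addresses hitting Microsoft ports. The internal prefix, port set, thresholds, window boundaries and flow records are constructed, and "persisted" is modelled here as "exceeded the soft limit in at least six of the window's ten minutes", which is an assumption about how such a hard summary limit would be expressed.

```python
"""Reporter-style ex-post detection: soft per-period limit, hard persistence limit,
chronological and top-list views.  Added example, not FTAS-reporter code."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TCP = 6
INTERNAL = ip_network("192.0.2.0/24")   # constructed "internal" prefix
MS_PORTS = {135, 139, 445}              # Microsoft ports watched by the report


@dataclass(frozen=True)
class Flow:
    ts: int       # flow start, seconds
    src: str
    dst: str
    proto: int
    dport: int
    packets: int


def is_ms_port_probe(f: Flow) -> bool:
    """Traffic of interest for Example 3: an internal source talking to a Microsoft port."""
    return f.proto == TCP and f.dport in MS_PORTS and ip_address(f.src) in INTERNAL


def stage1_store(stream, period: int = 60, soft_limit: int = 20):
    """Anomaly module with a soft limit and no notification: count matching flows per
    (minute, source) and keep the minutes in which a source reached the soft limit.
    Returns {src: {minute_start: flow_count}}."""
    counts = defaultdict(int)
    for f in stream:
        if is_ms_port_probe(f):
            counts[(f.ts - f.ts % period, f.src)] += 1
    stored = defaultdict(dict)
    for (minute, src), n in counts.items():
        if n >= soft_limit:
            stored[src][minute] = n
    return stored


def stage2_report(stored, window_start: int, window: int = 600, min_periods: int = 6):
    """Reporter post-processing of one window: a source is an event only if it was over
    the soft limit in at least `min_periods` of the window's periods (the hard summary
    limit on persistence).  Returns (chronological view, top-list view)."""
    events = []
    for src, minutes in stored.items():
        hits = {m: n for m, n in minutes.items() if window_start <= m < window_start + window}
        if len(hits) >= min_periods:
            events.append({"src": src, "periods": len(hits), "flows": sum(hits.values()),
                           "first": min(hits), "last": max(hits)})
    chronological = sorted(events, key=lambda e: (e["first"], e["src"]))
    toplist = sorted(events, key=lambda e: (-e["flows"], e["src"]))
    return chronological, toplist


def sample_flows():
    """Constructed window 3600..4200: a persistent scanner, a one-minute burst, a host
    over the soft limit for exactly six minutes, a host always under it, and an
    external source that is not 'internal' and so never counts."""
    flows = []

    def burst(src, minute, n, dport=445):
        for k in range(n):
            flows.append(Flow(minute + k % 60, src, f"203.0.113.{k % 250 + 1}", TCP, dport, 1))

    for m in range(3600, 4200, 60):
        burst("192.0.2.50", m, 30)             # every minute of the window
        burst("192.0.2.53", m, 10)             # below the soft limit: never stored
        burst("203.0.113.77", m, 50)           # external source: ignored
    burst("192.0.2.51", 3600, 100, dport=135)  # single-minute burst: stored, not reported
    for m in range(3720, 4080, 60):
        burst("192.0.2.52", m, 25)             # six consecutive minutes: reported
    return flows


if __name__ == "__main__":
    chrono, top = stage2_report(stage1_store(sample_flows()), 3600)
    print("chronological:", [(e["src"], e["first"], e["periods"]) for e in chrono])
    print("top-list:", [(e["src"], e["flows"]) for e in top])
```

The one-minute burst from 192.0.2.51 is the case the text is about: it passes the soft limit (and so is stored by the first stage), but the persistence requirement keeps it out of the report, whereas the same burst against the immediate stage of Section 3 would need a limit high enough to ignore it outright.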

Figure 21: FTAS service architecture 2.
Figure 22: FTAS service architecture 3.

The third service model (Figure 22) is based on a dedicated FTAS installation in the user network (with shared administration of that node or nodes). This gives users full freedom in how FTAS is configured (independent classification maps, etc.). On the other hand, they have to take care of both the hosting HW and the flow information export. Last but not least, we offer our users ad hoc traffic analysis on demand; this makes sense for users who do not want to use traffic monitoring regularly (incident handling only).

There are currently more than 50 institutions in the CESNET e-infrastructure user community which use FTAS in at least one of these service architectures, and many of them also use additional services such as dedicated reporting, various kinds of anomaly detection and others. The primary FTAS installation in the CESNET e-infrastructure backbone currently consists of 17 nodes and 340 CPUs. The volume of flow-based information processed (including internal redistribution) by this installation during 2014 is shown in Figure 23.

Figure 23: FTAS in the CESNET e-infrastructure backbone, volume of processed data in 2014.

References

[1] Claise, B. (Ed.), Cisco Systems NetFlow Services Export Version 9, IETF, RFC 3954, October 2004.
[2] Boschi, E. and B. Trammell, Bidirectional Flow Export Using IP Flow Information Export (IPFIX), IETF, RFC 5103, January 2008.
[3] Boschi, E., Mark, L., Trammell, B. and T. Zseby, Exporting Type Information for IP Flow Information Export (IPFIX) Information Elements, IETF, RFC 5610, July 2009.
[4] Claise, B., Trammell, B. and P. Aitken, Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information, IETF, RFC 7011, September 2013.
[5] Claise, B. and B. Trammell, Information Model for IP Flow Information Export (IPFIX), IETF, RFC 7012, September 2013.
[6] Phaal, P., Panchen, S. and N. McKee, InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks, IETF, RFC 3176, September 2001.


More information

sflow Why You Should Use It And Like It NANOG 39 February 04-07, 2007

sflow Why You Should Use It And Like It NANOG 39 February 04-07, 2007 sflow Why You Should Use It And Like It NANOG 39 February 04-07, 2007 Richard A. Steenbergen nlayer Communications, Inc. What is sflow? sflow is a standards based protocol for exporting

More information

NetFlow Configuration Guide, Cisco IOS Release 12.4

NetFlow Configuration Guide, Cisco IOS Release 12.4 NetFlow Configuration Guide, Cisco IOS Release 12.4 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)

More information

PANDORA FMS NETWORK DEVICES MONITORING

PANDORA FMS NETWORK DEVICES MONITORING NETWORK DEVICES MONITORING pag. 2 INTRODUCTION This document aims to explain how Pandora FMS can monitor all the network devices available in the market, like Routers, Switches, Modems, Access points,

More information

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc. Considerations In Developing Firewall Selection Criteria Adeptech Systems, Inc. Table of Contents Introduction... 1 Firewall s Function...1 Firewall Selection Considerations... 1 Firewall Types... 2 Packet

More information

Pilot Deployment of Metering Points at CESNET Border Links

Pilot Deployment of Metering Points at CESNET Border Links CESNET Technical Report 5/2012 Pilot Deployment of Metering Points at CESNET Border Links VÁCLAV BARTOš, PAVEL ČELEDA, TOMÁš KREUZWIESER, VIKTOR PUš, PETR VELAN, MARTIN ŽÁDNÍK Received 12. 12. 2012 Abstract

More information

MPLS VPN over mgre. Finding Feature Information. Prerequisites for MPLS VPN over mgre

MPLS VPN over mgre. Finding Feature Information. Prerequisites for MPLS VPN over mgre The feature overcomes the requirement that a carrier support multiprotocol label switching (MPLS) by allowing you to provide MPLS connectivity between networks that are connected by IP-only networks. This

More information

Introduction to Cisco IOS Flexible NetFlow

Introduction to Cisco IOS Flexible NetFlow Introduction to Cisco IOS Flexible NetFlow Last updated: September 2008 The next-generation in flow technology allowing optimization of the network infrastructure, reducing operation costs, improving capacity

More information

Signature-aware Traffic Monitoring with IPFIX 1

Signature-aware Traffic Monitoring with IPFIX 1 Signature-aware Traffic Monitoring with IPFIX 1 Youngseok Lee, Seongho Shin, and Taeck-geun Kwon Dept. of Computer Engineering, Chungnam National University, 220 Gungdong Yusonggu, Daejon, Korea, 305-764

More information

QAME Support for Policy-Based Management of Country-wide Networks

QAME Support for Policy-Based Management of Country-wide Networks QAME Support for Policy-Based Management of Country-wide Networks Clarissa C. Marquezan, Lisandro Z. Granville, Ricardo L. Vianna, Rodrigo S. Alves Institute of Informatics Computer Networks Group Federal

More information

Autonomous NetFlow Probe

Autonomous NetFlow Probe Autonomous Ladislav Lhotka lhotka@cesnet.cz Martin Žádník xzadni00@stud.fit.vutbr.cz TF-CSIRT meeting, September 15, 2005 Outline 1 2 Specification Hardware Firmware Software 3 4 Short-term fixes Test

More information

Network traffic monitoring and management. Sonia Panchen sonia.panchen@inmon.com 11 th November 2010

Network traffic monitoring and management. Sonia Panchen sonia.panchen@inmon.com 11 th November 2010 Network traffic monitoring and management Sonia Panchen sonia.panchen@inmon.com 11 th November 2010 Lecture outline What is network traffic management? Traffic management applications Traffic monitoring

More information

Configuring a Load-Balancing Scheme

Configuring a Load-Balancing Scheme Configuring a Load-Balancing Scheme Last Updated: October 5, 2011 This module contains information about Cisco Express Forwarding and describes the tasks for configuring a load-balancing scheme for Cisco

More information

Introducing FortiDDoS. Mar, 2013

Introducing FortiDDoS. Mar, 2013 Introducing FortiDDoS Mar, 2013 Introducing FortiDDoS Hardware Accelerated DDoS Defense Intent Based Protection Uses the newest member of the FortiASIC family, FortiASIC-TP TM Rate Based Detection Inline

More information

Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide. Revised February 28, 2013 2:32 pm Pacific

Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide. Revised February 28, 2013 2:32 pm Pacific Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide Revised February 28, 2013 2:32 pm Pacific Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide

More information

NSC 93-2213-E-110-045

NSC 93-2213-E-110-045 NSC93-2213-E-110-045 2004 8 1 2005 731 94 830 Introduction 1 Nowadays the Internet has become an important part of people s daily life. People receive emails, surf the web sites, and chat with friends

More information

Analysis of SIP Traffic Behavior with NetFlow-based Statistical Information

Analysis of SIP Traffic Behavior with NetFlow-based Statistical Information Analysis of SIP Traffic Behavior with NetFlow-based Statistical Information Changyong Lee, Hwankuk-Kim, Hyuncheol Jeong, Yoojae Won Korea Information Security Agency, IT Infrastructure Protection Division

More information

Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document

Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document Produced by AMRES NMS Group (AMRES BPD 104) Author: Ivan Ivanović November 2011 TERENA 2010. All rights reserved.

More information

Flow Analysis. Make A Right Policy for Your Network. GenieNRM

Flow Analysis. Make A Right Policy for Your Network. GenieNRM Flow Analysis Make A Right Policy for Your Network GenieNRM Why Flow Analysis? Resolve Network Managers Challenge as follow: How can I know the Detail and Real-Time situation of my network? How can I do

More information

NetFlow Configuration Guide, Cisco IOS Release 15M&T

NetFlow Configuration Guide, Cisco IOS Release 15M&T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION

More information

Plugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help

Plugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help Plugging Network Security Holes using NetFlow Loopholes in todays network security solutions and how NetFlow can help About ManageEngine Network Servers & Applications Desktop ServiceDesk Windows Infrastructure

More information

SolarWinds Log & Event Manager

SolarWinds Log & Event Manager Corona Technical Services SolarWinds Log & Event Manager Training Project/Implementation Outline James Kluza 14 Table of Contents Overview... 3 Example Project Schedule... 3 Pre-engagement Checklist...

More information

Inter-provider Coordination for Real-Time Tracebacks

Inter-provider Coordination for Real-Time Tracebacks Inter-provider Coordination for Real-Time Tracebacks Kathleen M. Moriarty 2 June 2003 This work was sponsored by the Air Force Contract number F19628-00-C-002. Opinions, interpretations, conclusions, and

More information

Strategies to Protect Against Distributed Denial of Service (DD

Strategies to Protect Against Distributed Denial of Service (DD Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics

More information

Beyond Monitoring Root-Cause Analysis

Beyond Monitoring Root-Cause Analysis WHITE PAPER With the introduction of NetFlow and similar flow-based technologies, solutions based on flow-based data have become the most popular methods of network monitoring. While effective, flow-based

More information

UKCMG Industry Forum November 2006

UKCMG Industry Forum November 2006 UKCMG Industry Forum November 2006 Capacity and Performance Management of IP Networks Using IP Flow Measurement Agenda Challenges of capacity and performance management of IP based networks What is IP

More information

HARTING Ha-VIS Management Software

HARTING Ha-VIS Management Software HARTING Ha-VIS Management Software People Power Partnership HARTING Management Software Network Management Automation IT - with mcon Switches from HARTING With the Ha-VIS mcon families, HARTING has expanded

More information

How To Understand and Configure Your Network for IntraVUE

How To Understand and Configure Your Network for IntraVUE How To Understand and Configure Your Network for IntraVUE Summary This document attempts to standardize the methods used to configure Intrauve in situations where there is little or no understanding of

More information

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by

More information

IPv6 networks management. Simon.Muyal@renater.fr

IPv6 networks management. Simon.Muyal@renater.fr IPv6 networks management Simon.Muyal@renater.fr Contribs Bernard Tuy, Renater Simon Muyal, Renater Ralf Wolter, Cisco Patrick Grossetête, Cisco Munechika Sumikawa, Hitachi Patrick Paul, 6WIND Simon Muyal

More information

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols

More information

Securing and Monitoring BYOD Networks using NetFlow

Securing and Monitoring BYOD Networks using NetFlow Securing and Monitoring BYOD Networks using NetFlow How NetFlow can help with Security Analysis, Application Detection and Traffic Monitoring Don Thomas Jacob Technical Marketing Engineer ManageEngine

More information

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B. ICND2 NetFlow Question 1 What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring B. Network Planning C. Security Analysis D. Accounting/Billing Answer: A C D NetFlow

More information

8. 網路流量管理 Network Traffic Management

8. 網路流量管理 Network Traffic Management 8. 網路流量管理 Network Traffic Management Measurement vs. Metrics end-to-end performance topology, configuration, routing, link properties state active measurements active routes active topology link bit error

More information

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan jirsik}@ics.muni.cz Part I Introduction P. Čeleda et al. Network Security Monitoring and Behavior

More information

Chuck Cranor, Ted Johnson, Oliver Spatscheck

Chuck Cranor, Ted Johnson, Oliver Spatscheck Gigascope: How to monitor network traffic 5Gbit/sec at a time. Chuck Cranor, Ted Johnson, Oliver Spatscheck June, 2003 1 Outline Motivation Illustrative applications Gigascope features Gigascope technical

More information

NetFlow Subinterface Support

NetFlow Subinterface Support NetFlow Subinterface Support Feature History Release Modification 12.2(14)S This feature was introduced. 12.2(15)T This feature was integrated into Cisco IOS Release 12.2 T. This document describes the

More information

One software solution to monitor your entire network, including devices, applications traffic and availability.

One software solution to monitor your entire network, including devices, applications traffic and availability. One software solution to monitor your entire network, including devices, applications traffic and availability. About Britannic Expert Integrators We are award winning specialists in IP communications,

More information

Juniper Networks and IPv6. Tim LeMaster Ipv6.juniper.net www.juniper.net

Juniper Networks and IPv6. Tim LeMaster Ipv6.juniper.net www.juniper.net Juniper Networks and IPv6 Tim LeMaster Ipv6.juniper.net www.juniper.net IPv6 Leadership IPv6 supported in Junos since 2001 IPv6 supported in ScreenOS since 2004 First router to be IPv6 Certified by DoD/

More information

Configuring the Transparent or Routed Firewall

Configuring the Transparent or Routed Firewall 5 CHAPTER This chapter describes how to set the firewall mode to routed or transparent, as well as how the firewall works in each firewall mode. This chapter also includes information about customizing

More information

Network Monitoring Based on IP Data Flows

Network Monitoring Based on IP Data Flows Network Monitoring Based on IP Data Flows Best Practice Document Produced by CESNET led working group on Network monitoring (CBPD131) Author:MartinŽádník March2010 TERENA 2010. All rights reserved. Document

More information

Network Monitoring Based on IP Data Flows Best Practice Document

Network Monitoring Based on IP Data Flows Best Practice Document Network Monitoring Based on IP Data Flows Best Practice Document Produced by CESNET led working group on Network monitoring (CBPD131) Authors: Martin Žádník March 2010 TERENA 2010. All rights reserved.

More information

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data NetFlow is a technology that provides highly granular per-flow statistics on traffic in a Cisco router. The NetFlow MIB feature provides

More information

Designing Reliable IP/MPLS Core Transport Networks

Designing Reliable IP/MPLS Core Transport Networks Designing Reliable IP/MPLS Core Transport Networks Matthias Ermel Workshop ITG FG 5.2.1 14. November 2008 München Content 1. Introduction 2. Protection Mechanisms 3. Failure Detection Page 1 Architecture

More information

RapidIO Network Management and Diagnostics

RapidIO Network Management and Diagnostics RapidIO Network Management and Diagnostics... Is now even easier! Release 1.1 Overview RapidIO Discovery and Diagnostic Basics Loopback Diagnostic Mode (NEW) Multiple Simultaneous Routing paths (New) Controlling

More information

Symantec Event Collector for Cisco NetFlow version 3.7 Quick Reference

Symantec Event Collector for Cisco NetFlow version 3.7 Quick Reference Symantec Event Collector for Cisco NetFlow version 3.7 Quick Reference Symantec Event Collector for Cisco NetFlow Quick Reference The software described in this book is furnished under a license agreement

More information

Agenda. Cisco Research SCRIPT and the Big Picture. Building Blocks for the SCRIPT Project

Agenda. Cisco Research SCRIPT and the Big Picture. Building Blocks for the SCRIPT Project Cisco Research SCRIPT and the Big Picture Ralf Wolter, Cisco Systems 1 Agenda Building Blocks for the SCRIPT Project Cisco Research Center (CRC) NetFlow: the story and the challenge IPFIX @ IETF Cisco

More information

Per-Packet Load Balancing

Per-Packet Load Balancing Per-Packet Load Balancing Feature History Release 12.0(19)ST 12.0(21)S 12.0(22)S Modification This feature was introduced on the Cisco 10000 series routers. This feature was introduced on the Cisco 12000

More information

Internet Management and Measurements Measurements

Internet Management and Measurements Measurements Internet Management and Measurements Measurements Ramin Sadre, Aiko Pras Design and Analysis of Communication Systems Group University of Twente, 2010 Measurements What is being measured? Why do you measure?

More information

Redefine Network Visibility in the Data Center with the Cisco NetFlow Generation Appliance

Redefine Network Visibility in the Data Center with the Cisco NetFlow Generation Appliance White Paper Redefine Network Visibility in the Data Center with the Cisco NetFlow Generation Appliance What You Will Learn Modern data centers power businesses through a new generation of applications,

More information

Service Definition. Internet Service. Introduction. Product Overview. Service Specification

Service Definition. Internet Service. Introduction. Product Overview. Service Specification Service Definition Introduction This Service Definition describes Nexium s from the customer s perspective. In this document the product is described in terms of an overview, service specification, service

More information

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes NetFlow Aggregation This document describes the Cisco IOS NetFlow Aggregation feature, which allows Cisco NetFlow users to summarize NetFlow export data on an IOS router before the data is exported to

More information

How Cisco IT Protects Against Distributed Denial of Service Attacks

How Cisco IT Protects Against Distributed Denial of Service Attacks How Cisco IT Protects Against Distributed Denial of Service Attacks Cisco Guard provides added layer of protection for server properties with high business value. Cisco IT Case Study / < Security and VPN

More information

Multi-layer switch hardware commutation across various layers. Mario Baldi. Politecnico di Torino. http://staff.polito.it/mario.

Multi-layer switch hardware commutation across various layers. Mario Baldi. Politecnico di Torino. http://staff.polito.it/mario. Multi-layer switch hardware commutation across various layers Mario Baldi Politecnico di Torino http://staff.polito.it/mario.baldi Based on chapter 10 of: M. Baldi, P. Nicoletti, Switched LAN, McGraw-Hill,

More information

How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations

How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations Cisco PIX Security Appliance provides stateful firewall protection at smaller Internet gateways. Cisco IT Case Study / Security and

More information