Comprehensive IP Traffic Monitoring with FTAS System
Tomáš Košňar
CESNET, association of legal entities
Prague, Czech Republic

Abstract

The FTAS system is designed for large-scale continuous flow-based IP traffic monitoring. It is primarily developed and operated for the needs of the CESNET e-infrastructure (the national ICT infrastructure for research and development in the Czech Republic) and for the needs of connected infrastructures and networks. This contribution contains selected examples of solutions to typical user requests in the area of finding and visualising traffic of interest, its statistical post-processing and its periodical reporting, as well as requests in the area of on-the-fly and ex-post anomaly and attack detection.

Keywords: flow-based monitoring, IP traffic monitoring.

1 Introduction

Contemporary ICT infrastructures are complex systems, and despite the fact that they are built on the same principles and standards, each of them has its own specific aspects, usually reflecting its purpose: the architecture and technologies applied, the strategy and manner of administration, a user community with specific behaviour, and similar. These small differences may imply rather diverse demands on solutions and tools in the area of security and incident handling. Hand in hand with this, it does not make sense to apply a fixed or closed all-in-one security solution in an era of highly dynamic ICT development, growing variability and changes in global user community behaviour, when new types of security threats occur frequently. We have to be able to defend our infrastructures and users against known attacks and threats, but we also have to be able to analyse, understand and eliminate any new, unknown or atypical attempt to break through as fast as possible.
I am trying to express (at least for the traffic monitoring area) that the key role in ensuring a secure environment for users and efficient incident handling with minimal impact on the infrastructure we are responsible for is played by a) skilled, motivated and faithful personnel, supported by b) open and flexible tools that are able to provide (among other things) complex traffic analysis on demand. The FTAS system is one such attempt: it primarily tries to be a generic platform for complex traffic analysis while remaining open to customisation that may lead to automated statistical reporting as well as automated attack detection based on parameters specific to a particular network environment.

2 CESNET e-infrastructure and large-scale flow-based traffic monitoring

The CESNET e-infrastructure is a complex ICT infrastructure that focuses on direct support of the research and development community in the Czech Republic and its specific needs. This type of infrastructure is globally known as an NREN (National Research and Education Network). NRENs are built, developed and operated on a different basis than commercial networks. They are driven by user communities which develop and implement many specific, demanding applications and also require dedicated single-purpose networks at different layers beside the shared IP service. The network infrastructure itself must be non-blocking and offer plenty of free capacity at any time. Natural NREN behaviour from the traffic-course perspective includes, for example, frequent jumps of tens of Gbps, which would be considered attacks or anomalies in commercial networks. For these and other reasons NREN network behaviour must be as transparent as possible, without any traffic regulation (except for the elimination of extreme attacks). From the security perspective this approach requires careful and consistent monitoring, anomaly detection and the availability of traffic analysis tools across the whole infrastructure at all relevant layers; otherwise the network may become very dangerous (for capacity reasons) as a source or a mirror of massive network attacks. Cooperation with administrators and security teams in connected networks also has to be very close and well organised.

Flow-based IP traffic monitoring has a long history at CESNET. We started to develop dedicated software systems as soon as flow-based traffic information became available: "ip-accounting" at the beginning, then all generations of so-called NetFlow data. Our main software system for large-scale flow-based monitoring is called FTAS (Flow-Based Traffic Analysis System). Beside that, we also started to focus on monitoring based on accelerated programmable hardware, and we develop and operate multi-purpose probes on our external lines. From the service perspective the CESNET e-infrastructure is a multi-layer hybrid network. We build and operate an optical layer (based on DWDM, currently up to 100 Gbps) as well as an IP/MPLS layer above it (running a 100 GE core). A simplified topology of the IP/MPLS backbone with flow information sources for large-scale monitoring (blue: PE and CE routers) and hardware-accelerated probes (yellow) on all external lines is shown in Figure 1.
Figure 1: Flow information sources in the CESNET e-infrastructure IP/MPLS core.

3 FTAS System

The FTAS system has been developed and operated for a long time (first flow-based tools before 2000, first generation in 2002), and for the reasons mentioned in the introduction (specific demands of different user groups) it may nowadays be considered a user-driven system: most new features and functions are implemented according to user community requests. The main purposes of the FTAS system are:

- to provide detailed traffic analysis over a short history (weeks) without any traffic condition known in advance;
- to provide statistical post-processing of traffic of interest, aggregating large volumes of data while keeping the characteristics of the traffic for a long time (months, years);
- to provide periodical reporting based on statistical or security-oriented flow information processing;
- to provide traffic anomaly detection in several ways, from on-the-fly (input flow information stream perspective) to post-processed (based on stored flow information retrieval).
The FTAS system logically consists of several more or less linked components. The basic component collects, processes and visualises flow information received from the network (i.e. from primary flow information sources). FTAS may be operated in a single-host (Figure 2) or a multi-host (Figure 3) arrangement.

Figure 2: FTAS single-host architecture example.
Figure 3: FTAS multi-host architecture example.

FTAS is IP-version transparent with full IPv6 support, at the flow information transport layer as well as in the whole chain of flow information processing. It is able to process almost all known data formats in this area, such as NetFlow export versions 1, 5, 7 and 9 [1], IPFIX (or NetFlow v10) [2, 3, 4, 5] and sFlow [6]. In the case of sFlow it basically parses the packet samples carried in sFlow records. The internal data structure currently represents the set of most demanded flow information fields and is easily extendable (while keeping backward compatibility), including variable-length fields from IPFIX, significant fields defined in NetFlow Flexible Extension, NetFlow Secure Event Logging and similar. The basic flow information processing chain is shown in Figure 4, with one addition not shown there: in the case of robust flow information sources it is possible to multiplex the input stream into several parallel ones (even to different FTAS nodes) to spread resource utilisation as needed.

Figure 4: FTAS input flow information processing chain.

Processed and stored flow information data may be statistically post-processed (Figure 5) in order to keep the characteristics of the traffic while reducing the volume of data (the average aggregation ratio is usually better than 1:10-e2).

Figure 5: FTAS post-processing schema.

There are multiple ways to access data collected and processed with FTAS. The first group is web-based access to data. The basic interactive web-based user interface serves for traffic information selection and visualisation and for system administration, and it focuses on skilled users: network and service administrators, CSIRTs and security specialists. It is designed for two-phase work: query once, visualise multiple times. The query form offers either a simplified (structured) or a comprehensive look-up user interface that allows query conditions to be set without limits.
A new query-and-visualise-in-a-single-step interface for requests generated by devices (specific URL construction) is under testing. The interactive UI scheme is in Figure 6.

Figure 6: FTAS interactive user interface scheme.

For, let's say, ordinary users, users who aim at statistical overviews and manager-type reports, and users who need a click-and-see type of interface, there is a standalone module called FTAS-reporter. It emulates real user behaviour (given by configuration) in a never-ending loop and creates trees of static HTML documents bound together with vertical and horizontal links and indexes. It uses the interactive user interface in the background (Figure 7).

Figure 7: FTAS-reporter and interactive UI schema.

The second group of ways to access results processed by FTAS is notifications, typically transported by e-mail. Notifications may originate in different parts of flow information processing. The first place where a notification can originate is a detected event in the anomaly detection module in the FTAS flow information processing core. This anomaly detection is tied to a traffic filter identifying traffic of interest, with traffic bursts represented as a flow count limit per period. This is an immediate notification based on the actual state without any knowledge of traffic history; therefore the limits here shall be safe, and thus high. A simplified scheme of this processing is in Figure 8.

Figure 8: FTAS anomaly module behaviour and notification schema.

The second place where a notification can originate is within FTAS-reporter. It is usually based on flows stored by the anomaly detection module (as in the previous case, but without notification), which are periodically post-processed over a longer (configured) period, let's say 10 minutes. Here we can set softer limits in the "anomaly detection" module (as it is a prerequisite only), but we set hard summary limits for behaviour during the whole period: in this case we look at the continuance of such an event. An example of anomaly detection processing in FTAS-reporter is in Figure 9.

Figure 9: Anomaly detection in FTAS-reporter.

The last and specific kind of notification is aggregated summary reports concerning several observed traffic characteristics (usually top-lists of something), notified all in one for a calendar period, typically the last day. This functionality is completely within the FTAS-reporter module, which prepares plain-text reports as configured (instead of creating structures of HTML documents), joins them together and finally sends them to the configured destinations. This functionality is an example of alternate visualisation of the same thing to fit the local habits of our users (we provide similar reports with different styles of visualisation for different groups of users). Typical sub-reports are: top-list of local downloaders, top-list of users of Microsoft ports, top-list of nodes accessing the SMTP port (no real user sends that many e-mails per day), top-lists of traffic from/to SSH, SNMP or DNS ports from/to the local network, etc.

4 FTAS practical examples

In the previous section I have tried to describe the basic principles on which FTAS is based. To understand it better, I give a few simple practical examples of how it can be used in everyday practice.

Example 1, incident ex-post verification: our CSIRT received a message about a TCP SYN flood from our AS against a particular network in period X, with packet length greater than 800 bytes, without any further detailed information. In this case we use the FTAS interactive UI and analyse whether this flood a) has its origin in our AS and b) has its origin in a network with the appropriate prefix allocation (let's assume for this case that we did not apply BCP-38 or any other reverse path checking technique). A query condition example for the traffic selection is in Figure 10. It may be applied to data from all backbone edge routers (we also retrieve the flow source and its interface indexes to discover the traffic origin). We found approx. 212k flow records, and in the first step we may observe a detailed sample (Figure 11) as well as its course in time (Figure 12), and finally aggregated summary information including the interface, to verify the attack origin (Figure 13). With the help of internal automated interface index translation (a service of our other monitoring system, G3) we can see the SNMP ifIndex translated into interface descriptions and addressing (Figure 13). All output examples are visualisations of the same query result in the FTAS interactive UI.

Example 2, on-the-fly anomaly detection and notification: automated (on-the-fly) detection, with notification, of potential sources of a TCP SYN flood from our AS. This is an example of an FTAS traffic filter configuration that acts as an anomaly detector. The filter configuration consists of two parts: the traffic selection condition (Figure 14) and the setup of how to process and store such traffic information (Figure 15). A corresponding notification example is in Figure 16. From the event and content perspective it demonstrates the same TCP SYN anomaly as in the first example.
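The two notification stages described above (an immediate flow-count-per-period limit in the core anomaly module, then softer per-period limits plus a hard summary limit over a longer period in FTAS-reporter), driven by the TCP SYN flood selection condition of Examples 1 and 2, as an added Python example that is not FTAS code. The CSV record layout, the 198.51.100.0/24 "our AS" prefix, all thresholds and the sample records are constructed assumptions.

```python
"""Two-stage flow anomaly detection in the style described for FTAS.
Added example, not FTAS code. Constructed CSV layout modelled on NetFlow v5:
    ts,src,dst,proto,sport,dport,tcp_flags,packets,bytes
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TCP_SYN, TCP_ACK = 0x02, 0x10
# Assumed "our AS" prefix (RFC 5737 documentation range, not a real allocation).
LOCAL_AS = ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class Flow:
    ts: int          # flow start, seconds since epoch
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    tcp_flags: int   # cumulative TCP flags of the flow (NetFlow v5 semantics)
    packets: int
    bytes: int


def parse_flow(line: str) -> Flow:
    ts, src, dst, proto, sport, dport, flags, pk, by = line.strip().split(",")
    return Flow(int(ts), src, dst, int(proto), int(sport), int(dport),
                int(flags, 0), int(pk), int(by))


def is_syn_flood_candidate(f: Flow, min_avg_len: int = 800) -> bool:
    """Selection condition of Example 1: TCP from our AS, SYN seen but ACK
    never seen in the flow, and average packet length above 800 bytes."""
    return (f.proto == 6
            and ip_address(f.src) in LOCAL_AS
            and bool(f.tcp_flags & TCP_SYN)
            and not (f.tcp_flags & TCP_ACK)
            and f.bytes // f.packets > min_avg_len)


def on_the_fly(flows, period=60, limit=1000):
    """Stage 1 (core anomaly module): count matching flows per source and
    period; notify at once when the count passes the high, safe limit.
    Returns the per-period counts (what gets stored) and the alert keys."""
    counts = defaultdict(int)
    alerts = set()
    for f in flows:
        if not is_syn_flood_candidate(f):
            continue
        key = (f.src, f.ts - f.ts % period)
        counts[key] += 1
        if counts[key] == limit + 1:      # one notification per source and period
            alerts.add(key)
    return dict(counts), alerts


def ex_post(counts, window=600, soft_limit=100, min_periods=5, hard_total=1000):
    """Stage 2 (FTAS-reporter): post-process stored per-period counts over a
    10-minute window. The softer per-period limit is only a prerequisite; the
    event must continue for min_periods periods and the window total must
    exceed the hard summary limit."""
    per_window = defaultdict(lambda: [0, 0])   # (src, window) -> [periods over soft, total]
    for (src, pstart), n in counts.items():
        w = (src, pstart - pstart % window)
        per_window[w][1] += n
        if n > soft_limit:
            per_window[w][0] += 1
    return {w for w, (over, total) in per_window.items()
            if over >= min_periods and total > hard_total}


def build_sample_lines():
    """Constructed records: a one-minute burst, a slow persistent source,
    normal completed handshakes, and an external (non-local) SYN source."""
    lines = []
    for i in range(1200):        # burst: 1200 SYN-only flows within one period
        lines.append(f"1000,198.51.100.10,203.0.113.7,6,{10000 + i},80,0x02,1,1000")
    for m in range(10):          # persistent: 150 flows per minute for 10 minutes
        for i in range(150):
            lines.append(f"{1200 + 60 * m},198.51.100.20,203.0.113.8,6,{20000 + i},443,0x02,1,900")
    for i in range(50):          # normal traffic: ACK seen, excluded by the condition
        lines.append(f"1000,198.51.100.30,203.0.113.9,6,{30000 + i},443,0x12,10,6000")
    for i in range(2000):        # external source, excluded by the prefix check
        lines.append(f"1000,203.0.113.5,198.51.100.40,6,{40000 + i},80,0x02,1,1000")
    return lines


def run_demo():
    """Burst is caught by stage 1 only; the slow persistent source only by stage 2."""
    flows = [parse_flow(line) for line in build_sample_lines()]
    counts, immediate = on_the_fly(flows)
    periodic = ex_post(counts)
    return immediate, periodic
```

The burst never reaches five over-limit periods, so the reporter stays silent on it, while the persistent source never trips the high on-the-fly limit; that split is exactly why the two limits differ.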
Figure 10: FTAS interactive UI, query condition to find the attack.
Figure 11: FTAS interactive UI, results - attack verification.
Figure 12: FTAS interactive UI, results - attack verification.
Figure 13: FTAS interactive UI, results - attack verification.
Figure 14: FTAS traffic filtering condition configuration.
Figure 15: FTAS filter as traffic anomaly detector configuration.
Figure 16: FTAS on-the-fly anomaly notification example.
Figure 17: FTAS-reporter, anomaly detection - overview page.
Figure 18: FTAS-reporter, anomaly detection - detailed report.
Figure 19: FTAS-reporter, anomaly detection - alternate overview page.
Example 3, anomaly detection in FTAS-reporter: an example of ex-post periodical detection of internal IP addresses that might be attacking port numbers 135, 445, ... We demonstrate the overview page (chronological, Figure 17), a single anomaly detail report (Figure 18) and an alternate overview page (top-list, Figure 19).

The examples presented above demonstrate only a fragment of FTAS functionality. Their purpose is to show the "there's more than one way to do it" principle (note: the Perl programming motto) which we try to incorporate into the FTAS system.

5 FTAS as a service in the CESNET e-infrastructure

In the CESNET e-infrastructure we provide FTAS-based services internally for network and service administrators and CSIRTs, of course. Beside that, we also provide flow-based monitoring services powered by FTAS to our users. There are several typical architectures for delivering such services. The key points are a) which FTAS installation and b) which flow information data (topology aspects) to use.

The simplest architecture is to use the primary FTAS installation in the CESNET e-infrastructure backbone together with filtered flow information from the export of the nearest router (from the user network perspective) (Figure 20). Users don't need to take care of anything in this case. On the other hand, they get no information about traffic which does not cross the backbone border.

Figure 20: FTAS service architecture 1.

The second option is to use the primary FTAS installation in the CESNET e-infrastructure backbone and export flow information from local devices to it (Figure 21). The user only has to take care of proper flow information export, and gets information about internal traffic too. In many cases users use a mix of architectures 1 and 2, exporting flow information from critical internal devices only.

Figure 21: FTAS service architecture 2.
Figure 22: FTAS service architecture 3.

The third service model (Figure 22) is based on a dedicated FTAS installation in the user network (with shared administration of that node or nodes). This gives users full freedom in how FTAS is configured (independent classification maps etc.). On the other hand, they have to take care of both the hosting hardware and the flow information export. Last but not least, we offer our users ad hoc traffic analysis on demand; this makes sense for users who don't want to use traffic monitoring regularly (incident handling only). There are currently more than 50 institutions in the CESNET e-infrastructure user community which use FTAS in at least one of these service architectures, and many of them also use additional services such as dedicated reporting, various anomaly detection and others. The primary FTAS installation in the CESNET e-infrastructure backbone currently consists of 17 nodes and 340 CPUs. The volume of flow-based information data processed (including internal redistribution) in this installation during 2014 is in Figure 23.
Figure 23: FTAS in the CESNET e-infrastructure backbone, volume of processed data in 2014.

References

[1] Claise, B., Cisco Systems NetFlow Services Export Version 9, IETF, RFC 3954, October.
[2] Boschi, E. and B. Trammell, Bidirectional Flow Export Using IP Flow Information Export (IPFIX), IETF, RFC 5103, January.
[3] Boschi, E., Mark, L., Trammell, B. and T. Zseby, Exporting Type Information for IP Flow Information Export (IPFIX) Information Elements, IETF, RFC 5610, July.
[4] Claise, B., Trammell, B. and P. Aitken, Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information, IETF, RFC 7011, September.
[5] Claise, B. and B. Trammell, Information Model for IP Flow Information Export (IPFIX), IETF, RFC 7012, September.
[6] Phaal, P., Panchen, S. and N. McKee, InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks, IETF, RFC 3176, September 2001.
sflow Why You Should Use It And Like It NANOG 39 February 04-07, 2007 Richard A. Steenbergen nlayer Communications, Inc. What is sflow? sflow is a standards based protocol for exporting
More informationQAME Support for Policy-Based Management of Country-wide Networks
QAME Support for Policy-Based Management of Country-wide Networks Clarissa C. Marquezan, Lisandro Z. Granville, Ricardo L. Vianna, Rodrigo S. Alves Institute of Informatics Computer Networks Group Federal
More informationNetwork traffic monitoring and management. Sonia Panchen sonia.panchen@inmon.com 11 th November 2010
Network traffic monitoring and management Sonia Panchen sonia.panchen@inmon.com 11 th November 2010 Lecture outline What is network traffic management? Traffic management applications Traffic monitoring
More informationINCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS
WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by
More informationApache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide. Revised February 28, 2013 2:32 pm Pacific
Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide Revised February 28, 2013 2:32 pm Pacific Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide
More informationConfiguring a Load-Balancing Scheme
Configuring a Load-Balancing Scheme Last Updated: October 5, 2011 This module contains information about Cisco Express Forwarding and describes the tasks for configuring a load-balancing scheme for Cisco
More informationAutonomous NetFlow Probe
Autonomous Ladislav Lhotka lhotka@cesnet.cz Martin Žádník xzadni00@stud.fit.vutbr.cz TF-CSIRT meeting, September 15, 2005 Outline 1 2 Specification Hardware Firmware Software 3 4 Short-term fixes Test
More informationIntroducing FortiDDoS. Mar, 2013
Introducing FortiDDoS Mar, 2013 Introducing FortiDDoS Hardware Accelerated DDoS Defense Intent Based Protection Uses the newest member of the FortiASIC family, FortiASIC-TP TM Rate Based Detection Inline
More informationNetFlow Configuration Guide, Cisco IOS Release 15M&T
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION
More informationRecommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document
Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document Produced by AMRES NMS Group (AMRES BPD 104) Author: Ivan Ivanović November 2011 TERENA 2010. All rights reserved.
More informationChuck Cranor, Ted Johnson, Oliver Spatscheck
Gigascope: How to monitor network traffic 5Gbit/sec at a time. Chuck Cranor, Ted Johnson, Oliver Spatscheck June, 2003 1 Outline Motivation Illustrative applications Gigascope features Gigascope technical
More informationPlugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help
Plugging Network Security Holes using NetFlow Loopholes in todays network security solutions and how NetFlow can help About ManageEngine Network Servers & Applications Desktop ServiceDesk Windows Infrastructure
More informationFlow Analysis. Make A Right Policy for Your Network. GenieNRM
Flow Analysis Make A Right Policy for Your Network GenieNRM Why Flow Analysis? Resolve Network Managers Challenge as follow: How can I know the Detail and Real-Time situation of my network? How can I do
More informationRapidIO Network Management and Diagnostics
RapidIO Network Management and Diagnostics... Is now even easier! Release 1.1 Overview RapidIO Discovery and Diagnostic Basics Loopback Diagnostic Mode (NEW) Multiple Simultaneous Routing paths (New) Controlling
More informationIPv6 network management. Where and when?
IPv6 network management 1 Contributions Simon Muyal, RENATER Bernard Tuy, RENATER Jérôme Durand, RENATER Ralf Wolter, Cisco Patrick Grossetête, Cisco Munechika Sumikawa, Hitachi Patrick Paul, 6WIND 2 Agenda
More informationStrategies to Protect Against Distributed Denial of Service (DD
Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics
More informationBeyond Monitoring Root-Cause Analysis
WHITE PAPER With the introduction of NetFlow and similar flow-based technologies, solutions based on flow-based data have become the most popular methods of network monitoring. While effective, flow-based
More informationHARTING Ha-VIS Management Software
HARTING Ha-VIS Management Software People Power Partnership HARTING Management Software Network Management Automation IT - with mcon Switches from HARTING With the Ha-VIS mcon families, HARTING has expanded
More informationHow To Manage Ipv6 Networks On A Network With Ipvv6 (Ipv6) On A Pc Or Ipv4 (Ip6) (Ip V6) Or Ip V6 ( Ipv5) ( Ip V5
IPv6 networks management Simon.Muyal@renater.fr Contribs Bernard Tuy, Renater Simon Muyal, Renater Ralf Wolter, Cisco Patrick Grossetête, Cisco Munechika Sumikawa, Hitachi Patrick Paul, 6WIND Simon Muyal
More informationHow Cisco IT Protects Against Distributed Denial of Service Attacks
How Cisco IT Protects Against Distributed Denial of Service Attacks Cisco Guard provides added layer of protection for server properties with high business value. Cisco IT Case Study / < Security and VPN
More informationNetwork Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík
Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan jirsik}@ics.muni.cz Part I Introduction P. Čeleda et al. Network Security Monitoring and Behavior
More informationUKCMG Industry Forum November 2006
UKCMG Industry Forum November 2006 Capacity and Performance Management of IP Networks Using IP Flow Measurement Agenda Challenges of capacity and performance management of IP based networks What is IP
More informationJuniper Networks and IPv6. Tim LeMaster Ipv6.juniper.net www.juniper.net
Juniper Networks and IPv6 Tim LeMaster Ipv6.juniper.net www.juniper.net IPv6 Leadership IPv6 supported in Junos since 2001 IPv6 supported in ScreenOS since 2004 First router to be IPv6 Certified by DoD/
More informationHow Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations
How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations Cisco PIX Security Appliance provides stateful firewall protection at smaller Internet gateways. Cisco IT Case Study / Security and
More informationSecuring and Monitoring BYOD Networks using NetFlow
Securing and Monitoring BYOD Networks using NetFlow How NetFlow can help with Security Analysis, Application Detection and Traffic Monitoring Don Thomas Jacob Technical Marketing Engineer ManageEngine
More informationNetwork Monitoring Based on IP Data Flows
Network Monitoring Based on IP Data Flows Best Practice Document Produced by CESNET led working group on Network monitoring (CBPD131) Author:MartinŽádník March2010 TERENA 2010. All rights reserved. Document
More informationCourse Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.
Course Name: TCP/IP Networking Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network. TCP/IP is the globally accepted group of protocols
More informationOne software solution to monitor your entire network, including devices, applications traffic and availability.
One software solution to monitor your entire network, including devices, applications traffic and availability. About Britannic Expert Integrators We are award winning specialists in IP communications,
More informationNetwork Monitoring Based on IP Data Flows Best Practice Document
Network Monitoring Based on IP Data Flows Best Practice Document Produced by CESNET led working group on Network monitoring (CBPD131) Authors: Martin Žádník March 2010 TERENA 2010. All rights reserved.
More informationHow To Understand and Configure Your Network for IntraVUE
How To Understand and Configure Your Network for IntraVUE Summary This document attempts to standardize the methods used to configure Intrauve in situations where there is little or no understanding of
More informationNetFlow Subinterface Support
NetFlow Subinterface Support Feature History Release Modification 12.2(14)S This feature was introduced. 12.2(15)T This feature was integrated into Cisco IOS Release 12.2 T. This document describes the
More information8. 網路流量管理 Network Traffic Management
8. 網路流量管理 Network Traffic Management Measurement vs. Metrics end-to-end performance topology, configuration, routing, link properties state active measurements active routes active topology link bit error
More informationICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.
ICND2 NetFlow Question 1 What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring B. Network Planning C. Security Analysis D. Accounting/Billing Answer: A C D NetFlow
More informationConfiguring the Transparent or Routed Firewall
5 CHAPTER This chapter describes how to set the firewall mode to routed or transparent, as well as how the firewall works in each firewall mode. This chapter also includes information about customizing
More informationConfiguring SNMP and using the NetFlow MIB to Monitor NetFlow Data
Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data NetFlow is a technology that provides highly granular per-flow statistics on traffic in a Cisco router. The NetFlow MIB feature provides
More informationIPv6 network management. 6DEPLOY. IPv6 Deployment and Support
IPv6 network management 6DEPLOY. IPv6 Deployment and Support 1 Contributions Simon Muyal, RENATER Bernard Tuy, RENATER Jérôme Durand, RENATER Ralf Wolter, Cisco Patrick Grossetête, Cisco 10/28/2010 IPv6
More informationSymantec Event Collector for Cisco NetFlow version 3.7 Quick Reference
Symantec Event Collector for Cisco NetFlow version 3.7 Quick Reference Symantec Event Collector for Cisco NetFlow Quick Reference The software described in this book is furnished under a license agreement
More informationAgenda. Cisco Research SCRIPT and the Big Picture. Building Blocks for the SCRIPT Project
Cisco Research SCRIPT and the Big Picture Ralf Wolter, Cisco Systems 1 Agenda Building Blocks for the SCRIPT Project Cisco Research Center (CRC) NetFlow: the story and the challenge IPFIX @ IETF Cisco
More informationDesigning Reliable IP/MPLS Core Transport Networks
Designing Reliable IP/MPLS Core Transport Networks Matthias Ermel Workshop ITG FG 5.2.1 14. November 2008 München Content 1. Introduction 2. Protection Mechanisms 3. Failure Detection Page 1 Architecture
More informationRedefine Network Visibility in the Data Center with the Cisco NetFlow Generation Appliance
White Paper Redefine Network Visibility in the Data Center with the Cisco NetFlow Generation Appliance What You Will Learn Modern data centers power businesses through a new generation of applications,
More informationInternet Management and Measurements Measurements
Internet Management and Measurements Measurements Ramin Sadre, Aiko Pras Design and Analysis of Communication Systems Group University of Twente, 2010 Measurements What is being measured? Why do you measure?
More informationRadware s Attack Mitigation Solution On-line Business Protection
Radware s Attack Mitigation Solution On-line Business Protection Table of Contents Attack Mitigation Layers of Defense... 3 Network-Based DDoS Protections... 3 Application Based DoS/DDoS Protection...
More informationHigh Performance Network Security at SLAC
High Performance Network Security at SLAC ESnet Site Coordinators Committee Meeting, 17-18 January 2013, Hawaii (US) Antonio Ceseracciu Introduction Assume familiarity with Science DMZ model. Look at alternative
More information