NSFOCUS Network Traffic Analyzer (NTA)

Transcription

1 What does it do? x-flow technology Traffic Statistics and analysis Route analysis Abnormal traffic detection Whom to work with? NSFOCUS Anti-DDoS System Overview NSFOCUS Network Traffic Analyzer (NTA) NSFOCUS Network Traffic Analyzer (NSFOCUS NTA) is a traffic analysis and detection product powered by the Flow technology. Supported by NSFOCUS s decades of accumulative experience in traffic analysis, it is oriented to the telecom carrier network, IDC network and other networks. NSFOCUS NTA provides its users with real-time network status monitoring and real-time alerts of network attacks and anomalies, to secure users' network environments. Throughout years of development, NSFOCUS NTA has already established a good reputation among customers with a track of success cases covering China, the USA, EU, South Korea and other regions worldwide. NSFOCUS NTA has multiple models ranging from carrier-grade to Where to use? Carriers Network IDC Enterprise DC enterpriese-grade, which can be deloyed in the MANs and the backbone networks of the ISPs, government agencies, education orgainzations, enterprises and so forth. It is mainly designed for traffic analysis, anomaly traffic dection and route analysis in the Mbps, Gbps and 10Gbps networks, based on the xflow data from the router. Applications With the rapid expansion of the Internet businesses in recent years, higher and higher bandwidth is required for different links on the internet, which lead to increaing investment in network infrastructure. However, alongside the booming development of network infrastructure and the internet businesses, the network security issues grow to be greater concerns. The reduced attack cost and mushroomed easy-to-use attack techniques result in volumetric 1 / 13

2 anomaly traffic with complex compositions. Therefore, it is imperative to Features Real-time Network-wide Monitoring perform an in-depth analysis of the network traffic (including the varied anomaly traffic) to get throuogh insight into the distribution and trends of the network traffic. Accurate and Detailed Traffic Analysis Powerful Anomaly Detection IPV4/V6 Dual-stack Analysis and Detection Flexible and Diverse Reporting 3-in-1 Solution Value-added Operational Benefits Easy Operation and Maintenance Figure 1: The Deployment of NSFOCUS NTA NSFOCUS NTA is always deployed at the egress of the MAN or the intranet, activating the Netfow capability of the core router to send Netflow data to the NTA system. By virtue of the traffic analysis capability, the NTA system performs traffic analysis, anomaly traffic and attack detection, link stress analysis, route analysis and so forth, providing basic information for anomaly traffic mitigation and network optimizaition. Features Real-time Network-wide Monitoring NSFOCUS NTA monitors the overall network status in real time by collecting and analyzing traffic data. This enables network administrators to have a panoramic view of the network load and trends as well as the usage of network application resources. 2 / 13

3 Figure 2: Network-wide Monitoring As shown in Fig 2, NSFOCUS NTA monitors the network-wide status in the following four aspects: 1. NTA device status: The NTA system monitors the CPU usage, memory usage, hard disk usage, interface status, Flow rate and other indicators of itself, with real-time operating information presented. 2. Network anomaly status: The NTA system detects various network anomalies in real time during network operations, identifying network bottlenecks and the root causes of network performance degradation. 3. Network traffic status: The NTA system monitors the traffic status at the network egress, core devices, specific subnets, and other network objects in real time, with multi-dimensional traffic analysis provided. 4. Network device status: The NTA system monitors status of the routers, the interfaces, and the device traffic in real time and informs administrators of the network load and performance. Accurate and Detailed Traffic Analysis NSFOCUS has continuously improved the data analysis algorithms for the NTA system based on years of experience with Flow data detection and analysis. 3 / 13

4 This ensures accurate NTA analysis for existing network environments with differing levels of complexity. NSFOCUS NTA monitors the network traffic for the Internet egress, critical businesses, specific subnets, key servers, etc., which data are analyzed from the dimensions of total traffic volume, TOP IP, TOP ports/applications, etc. Correlation analysis is performed for objects across different dimensions in order to provide visibility of the network composition, flow, and trends in different time frames. With a minimum analysis granularity of only 30 seconds, it is capable of reflecting network traffic changes in real time. The system also provides analysis data storage for up to a year. Relying on such a long-term analysis of historical data, it can track the traffic distribution and trends by time, region, and flow direction. This helps carriers, data centers, and other institutions gain a deep understanding of their business demands, hotspots, and trends, laying network decision-makers a foundation for network planning and designing. Moreover, when an alert about anomaly traffic is triggered, NSFOCUS NTA can rapidly pinpoint the victimized IP address. Throughout the entire attack process, it logs the size, composition, source, and time-based violations of the attack traffic in detail, allowing further full-course forensics. Powerful Anomaly Detection NSFOCUS NTA also possesses a powerful anomaly detection capability with the following features, supported by NSFOCUS' self-developed anomaly detection algorithms. Abundant Detection Types and Full Coverage of Backbone Threats NSFOCUS NTA provides two types of anomaly detection methods: system build-in anomaly detection and custom anomaly detection. In addition to the built-in detection signatures, users can customize alerts for 128 types of self-discovered abnormal network signatures. The anomaly detection guards 4 / 13

5 against excessive traffic, bandwidth saturation, DDoS attacks, abnormal Dark IP, abnormal private IP, etc. NSFOCUS NTA supports warning of up to 14 types DDoS attacks at the network layer and the application layer, such as SYN FLOOD, ACK FLOOD, HTTP FLOOD, and SIP FLOOD, completely covering all threats on the backbone network. Rapid Attack Detection and Thorough Event Record NSFOCUS NTA responds to attacks so rapidly that it can generate an alert in 20 seconds at minimum. The alert levels are predefined as high, medium, or low severity. Different events will trigger different levels of alerts. In the case of network attacks, NTA records the attacks from multiple dimensions, such as network traffic fluctuations, changes of the traffic streaming to the target IP address before and after the attacks. It also analyzes the attack traffic in depth, including the cause, location, strength, type, composition, etc. From this, the system can backtrack the entire attack process and help network administrators locate the attack source. Intranet Security Protection Attacks are becoming more severe and more diverse. They can occur both on the Intranet and the Extranet. Attacks originated from the intranet can congest outbound bandwidth to make a network bottleneck, so it is also demanding to block this type of attacks. Many organizations are already aware of the dangers posed by attacks from Intranet. For instance, data centers have policies that require monitoring of any attacks launched internally against external targets. Carriers require that, in addition to monitoring external attack against their network infrastructure, they must also prevent attacks launched internally. In response to these new requirements, NTA's self-developed intelligent detection system can not only detect inbound attack traffic, but also monitor outbound anomaly traffic in real time. It intelligently determines if the outbound traffic exceeds the predefined threshold value, and accurately locates the TOP IP of any anomaly 5 / 13

6 traffic streaming out of the intranet. The security of the entire network can only be safeguarded by ferreting out the perpetrators of attacks launched from intranet while guarding against external attacks simultaneously. With no question, NSFOCUS NTA's bi-directional detection can secure users' networks with two-layer protections. Intelligent Detection Algorithm Because of the difficulty in configuring static baseline parameters, its accuracy is not high. Therefore, NSFOCUS NTA has developed an intelligent algorithm for generating dynamic baseline. This feature enables the system to intelligently generate multidimensional network characteristics for an object, following a period of traffic characteristics analysis and modeling for the object to be learnt. The technical principle of the baseline auto-learning technology is as follows. When hosts with similar business and traffic are operating in normal network environment, their traffic volumes and characteristics remain stable. From this, the system models the traffic for different characteristics of the host in normal operation, with the upper limits gained over a period of auto-learning. During this process, the system automatically records variations of the network traffic for basic data modeling. It sets a confidence interval based on the trustworthy data range. By analyzing and calculating the historical data within the confidence interval, the system obtains traffic variation trends and model characteristics. In order to ensure the traffic characteristics to be learnt conform to the normal distribution, the system allows users to enable data modeling in calendar mode, such as setting workdays, weekends, and other calendar time for automated modeling. At the same time, the system supports manual adjustment of the dynamic baseline. This, together with the calendar-based auto-learning mode, ensures the accuracy of the dynamic baseline. Flexible and Efficient Detection 6 / 13

7 The program structure of the system's calculation engine adopts framework and plug-in modes. This ensures the structural flexibility and efficiency of the system. Each plug-in is matched with one or a couple of detection algorithms. Users can load the most suitable plug-ins based on their network and business characteristics. The NTA system also provides different preset plug-in templates for different typical users. For example, telecom carriers are not very concerned about application-layer attacks when it comes to the operation and maintenance of their backbone networks. Therefore, the corresponding detection plug-in does not have to be loaded in such a user environment. IPV4/V6 Dual-stack Analysis and Detection The curtain is gradually rising for the IPV6 age. The transition to IPV6 has already implemented. The carriers in China, a major force for commercial IPV6 implementation, have already entered the functional verification phrase. Large Internet enterprises have also set up their own laboratory platforms to test and pilot IPV6 for their various businesses demands. In this backdrop, NSFOCUS NTA totally supports IPV4/IPV6 dual-stack for traffic analysis and detection, to dispel relevant concerns of the users. Flexible and Diverse Reporting In order to present analysis and detection data in a well-rounded way, NSFOCUS NTA has developed a flexible reporting system which can generate varied reports by customized conditional filtering or combining. The system provides both real-time and historical reports, facilitating the users to check out real-time monitoring data and to track history data for forensics. It supports daily/weekly/monthly/yearly/custom reports which present the data in the forms of pie charts, bar graphs, run charts etc. as well as custom area charts and line graph graphics. When presenting network traffic status reports, the system can select different network objects on demand and customize the report generation 7 / 13

8 rules. This allows it to analyze and present traffic data from multiple dimensions and perspectives. For DDoS attacks, the system provides detailed information about the attack target, the number of attack alerts, attack traffic, traffic diversion and so forth. It can filter the data based on attack type, alert level, statistical objects, etc. The system also has a report integration function to help users combine the data they wish to analyze and generate a comprehensive report. This flexible and diverse reporting system fully caters to various needs of the operations staff. A Complete Solution To enable the Anti-DDoS systems to be manageable and operable to the telecom carriers and large data centers, NSFOCUS has released a 3-in-1 solution. This solution is composed of an anomaly traffic detection system (NSFOCUS NTA), an anomaly traffic cleaning system (NSFOCUS ADS), and a management and forensics system (NSFOCUS ADS M). Figure 3: NSFOCUS 3-in-1 Solution 8 / 13

9 NSFOCUS NTA is responsible for network monitoring and DDoS attack detection. When an attack occurs, the NTA system intelligently enables the coordination mechanism with NSFOCUS ADS and immediately notifies ADS of the event alert. Then, the ADS device activates the traffic diversion function, diverting suspicious traffic from the routers and switches to the ADS device. After finishing purging the DDoS attack traffic, ADS injects the "clean" traffic back into the network. NSFOCUS ADS M acts as the anti-ddos management center to perform a centralized monitoring and policy management for NTA and ADS devices deployed at different network points. Diverse reports are provided to display the whole attack traffic detection and cleaning process. ADS M also has a self-service system, allowing carriers to provide Anti-DDoS value-added services. Value-added Operational Benefits NSFOCUS NTA addresses domain-based (such as by router interface or IP/IP group) attack detection and traffic analysis capabilities to major customers and critical business with value-added operations. Coordinating with the ADS M products, the NTA system provides a specialized value-added service platform for operation/maintenance and self-service. Carriers are thereby able to provide value-added security defense services to large security-sensitive customers, such as security companies, jewelry stores, power companies, government agencies, hotels, IPTV providers, etc. Furthermore, large-scale customers can log onto the self-service portal of NSFOCUS ADS M to view their real-time network traffic, application protocol distribution, attack countermeasures, and other key business information. This platform gives large-scale customers more visibility to their system security, and also enhances their service quality. Easy Operation and Maintenance Plug and Play 9 / 13

10 NSFOCUS NTA has a smart configuration system which only requires simply PNPs to run. For example, configuring the IP address range to be monitored does not require manual input, instead the system would automatically select IP address ranges to be monitored from a list of candidate IP addresses extracted from routing tables. Similarly, the system automatically matches the routers' physical port numbers and names. In addition, it only needs simple configuration of the dynamic baseline auto-learning algorithm to generate parameters for various anomalies to be detected. The system provides a deployment toolkit that includes packet capture tools, PING, router interface direction judgment tools, detection range generation tools, etc., to further simplify the deployment process. High Performance, Convenient Operation and Maintenance By using high-performance hardware and optimized calculation engine algorithms, NSFOCUS NTA has a processing capacity of up to 80,000 xflows per second. The administrators only need a single NSFOCUS NTA device to monitor a telecom-grade high-bandwidth network environment. This greatly reduces the workload on operations and maintenance staff. Expert Operation and Maintenance Support NSFOCUS possesses years of field network security experience and a team of certified professionals. This allows it to provide rapid on-site defensive support as well as defense consultation, deployment, training and other services. Customers are benefited with enhanced defense systems and supports, as well as the establishment of a professional security team. At the same time, NSFOCUS NTA also has access to the NSFOCUS Security Cloud platform with which NSFOCUS experts provide 24/7 managed services and real-time attacks response. Specifications 10 / 13

11 Performance Specifications For more information: For more information about NSFOCUS products and services, please contact the NSFOCUS sales U.S. TEL: EMEA TEL: +44 (0) APAC TEL: Japan TEL: info-jp@nsfocus.com China TEL: info@nsfocus.com For more information visit NSFOCUS Website: Feature Specifications Features NTA NX3-2000E Platform OS 64 bit operation system Data Collection Netflow V5/V9 Format Netstream Cflow Sflow V4/V5 Support Sflow sampling rate self-adaption DDoS Attacks SYN-Flood Detection ACK-Flood UDP-Flood ICMP-Flood IGMP-Flood Protocol Null Flood TCP Flag Misuse TCP Flag Null HTTP Flood HTTPS Flood DNS Request Flood DNS Response Flood Land Flood SIP Flood Dark IP Private IP Abnormal Traffic Business Domain Inbound Attack Traffic Business Domainegion Outbound Attack Traffic IP Group Inbound Attack Traffic IP Group Outbound Attack Traffic Cluster Attack Traffic Alert Threshold Self-learning Custom Alert Performance Alert Router Memory andcpu Usages Abnormality Y Traffic Analysis Interface Bandwidth Abnormality Router Interface Traffic Analysis Router Interface Group traffic analysis IP Group Traffic Analysis Business Domain Traffic Y 11 / 13

12 Analysis AS Traffic Analysis, Support TOP 5 Third Party Interface Port and application Traffic Analysis SNMP GET/TRAP SYSLOG Flow Data Forwarding, Support TOP5 Null Route Single IP Null Route ADS Traffic Diversion Group Null Route Null Route Timeout Automatic Release Null Route Information Memo Sending Null Route to Different Routers based on Attack Traffic Volume Sending Diversion Notice To Different Routers based on Traffic Volume Y Y Safety Weak Password Inspection Support Password Dictionary Support Inspection Source IP Login Restrict Support Language English, Chinese, Japanese Support Flow Data Collection Flow Collection Capacity The Number of Monitored Routers The Number of Monitored Router Interface NTA NX3-2000E 80k Flows/s / 13

13 Hardware Specifications NTA NX3-2000E 1* RJ45 serial port, 2* USB2.0 Interface Weight Height Length Width Rack Device Mgt Power MTBF Operating Temperature Non-operating Temperature interface,2* RJ45 mgt. interface, 4*GE copper port, 4* GE SFP fiber port 16.6kg 88mm 512 mm 432 mm 2U HTTPS,CLI 220V,350W 60,000 hours 0~45 (32~113F) -20~65 About NSFOCUS NSFOCUS is a proven global leader in active perimeter network security for service providers, data centers, and corporations. It focuses on providing network security solutions including: carrier-grade Anti-DDoS System, Web Application Firewall, and Network Intrusion Prevention System - all designed to help customers secure their networks and corporate-critical information. More detailed information is available at 13 / 13