Inside ntop: An Open Source Network Monitoring Tool


Luca Deri

Agenda
1. Project history
2. What can ntop do for me?
3. ntop and network security
4. Integration with commercial protocols
5. Embedding ntop
6. Work in progress

1. Project History

Project History [1/3]
Fall 1997: L. Deri started coding a pcap/curses based application for analyzing traffic in the core network segment of unipi (University of Pisa).
Spring 1998: First public release (0.4) of ntop (network top). S. Suin joined the project.
Winter: added web interface, ports to Solaris/AIX. Released v

Project History [2/3]
Registered; mailing lists created.
FreeBSD 4.x port, integration into Suse 7.x.
R. Carbone joined the project and split ntop into ntop+intop (now ntcsh/hsh).
B. Strauss joined the project: added XML support, customer care.
Added support for commercial monitoring protocols and non-Ethernet media.

Project History [3/3]: 2003
More than 600 mailing list subscribers.
Part of the mainstream distributions.
It runs on Unix (Linux, BSD, MacOS X) and Win32.
Commercial ntop support.
Stable release is 2.2. Release 2.3 is in the pipeline (expected summer/fall 2003).

Who's Behind ntop?
Luca Deri: core developer
Rocco Carbone: hsh developer
Stefano Suin: the thinking man
Burton Strauss: developer, user support
Yuri Francalacci: (stress) tester

2. What can ntop do for me?

Some Project Goals
ntop was created to solve a real monitoring problem (no planning, case studies, market analysis). Over time it has been extended to satisfy users' requirements.
Portable and platform neutral: deploy it where you want.
Minimal requirements to leverage its use.

Network Management: Some Goals
(No) Connectivity.
Performance.
Availability (failure detection).
Responsiveness to change and growth.
Inventory.
Security.

What are the ntop Requirements?
Traffic measurement.
Traffic characterisation and monitoring.
Detection of network security violations.
Network optimisation and planning.

What are the ntop Goals?
Fit end-user needs (no programming required).
Easy to use and customize.
Standard interfaces (Web, SNMP).
Open and portable.
Good performance and minimal resource requirements.

What's available on the Internet?
Tcpdump, NeTraMet and RMON are tools for experts and are not really suitable for security problems.
Management platforms (HP-OV, Sun NetManager, Tivoli, CA) are difficult to deploy, not truly portable, and expensive.

What's ntop?
ntop is a simple, open source (GPL), portable traffic measurement and monitoring tool, which supports various management activities, including network optimization and planning, and detection of network security violations.

Welcome to ntop

ntop Architecture
(diagram) Inputs and outputs: HTTP/HTTPS, RRD, Cisco NetFlow, InMon sFlow.

ntop Internals: Packet Capture [1/3]
(diagram) The ntop sniffer runs in user space on top of the kernel BPF packet filter: the Ethernet device driver hands frames to the BPF driver, which filters them and copies the matching packets (IP, ICMP, TCP, UDP) up to ntop.

ntop Internals: Data Structures [2/3]
Host hash.
Sessions hash.

ntop Internals: Threads [3/3]
1. Packet capture and queue (pcap_dispatch).
2. Packet dequeue and processing.
3. Address resolution (numeric to symbolic).
4. Idle host/session scanner.
5. Local traffic loop (via lsof calls).

Side Note: How to Mirror Traffic
Hardware: hub (copper Ethernet, Token Ring); optical splitter (optical fibers).
Software: switch port mirror (1:1, 1:N); switch VLAN mirror (N:1); switch traffic filter/mirroring (Juniper).

ntop for WAP: Architecture
(diagram)

ntop for WAP

Traffic Measurement
Data sent/received: volume and packets, classified according to network/IP protocol.
Multicast traffic.
TCP session history.
Bandwidth measurement and analysis.

Traffic Characterisation and Monitoring
Network flows.
Protocol utilisation (# requests, peaks/storms, positive/negative replies) and distribution.
Network traffic matrix.
ARP, ICMP monitoring.

Network Optimisation and Planning
Passive network mapping: identification of routers and Internet servers (DNS, proxy).
Traffic distribution (local vs. remote).
Service mapping: service usage (DNS, routing).

Network Inventory [1/2]
Identification of routers and Internet servers (DNS, NFS, proxy).
Resource (hardware manufacturer), services and OS inventory.

Network Inventory [2/2]
The fingerprint database has the following structure:
WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS
WWWW: 4 digit hex field indicating the TCP window size.
MSS: 4 digit hex field indicating the TCP option Maximum Segment Size; if omitted in the packet or unknown it is "_MSS".
TTL: 2 digit hex field indicating the IP Time To Live.
WS: 2 digit hex field indicating the TCP option Window Scale; if omitted in the packet or unknown it is "WS".
S: 1 digit field indicating if the TCP option SACK permitted is present.
N: 1 digit field indicating if the TCP options contain a NOP.
D: 1 digit field indicating if the IP Don't Fragment flag is set.
T: 1 digit field indicating if the TCP Timestamp option is present.
F: 1 digit ASCII field indicating the flags of the packet: S = SYN, A = SYN + ACK.
LEN: 2 digit hex field indicating the length of the packet; if irrelevant or unknown it is "LT".
OS: an ASCII string representing the OS.
Courtesy of
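The following is an added worked example, not code from ntop or from the fingerprint database's original author: it parses a raw IPv4/TCP SYN (or SYN+ACK) packet, extracts the TCP options, and builds the WWWW:MSS:TTL:WS:S:N:D:T:F:LEN signature described above, then looks it up in a constructed two-entry database. The database entries, the build_syn() helper and the option layouts are constructed for illustration; the choice of the IP total length as the LEN field is an assumption, since the slide only says "the length of the packet". The option walker stops on a malformed length instead of reading past the buffer, which matters for anything that fingerprints hostile traffic.

```python
import struct

# Constructed sample database in the slide's WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS layout.
# These entries are illustrative only; they are NOT copied from ntop's real database.
FINGERPRINT_DB = """\
16D0:05B4:40:07:1:1:1:1:S:3C:Linux 2.4 (example entry)
FAF0:05B4:80:WS:1:1:1:0:S:30:Windows 2000 (example entry)
"""

TCP_SYN, TCP_ACK = 0x02, 0x10


def load_db(text):
    """Map signature -> OS name; the OS string is everything after the tenth colon."""
    db = {}
    for line in text.strip().splitlines():
        fields = line.split(":", 10)
        db[":".join(fields[:10])] = fields[10]
    return db


def parse_tcp_options(opts):
    """Walk the TCP option list; stop on EOL or on a malformed length (never read past the buffer)."""
    mss = wscale = None
    sack = nop = ts = False
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP is a single byte
            nop = True
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break              # malformed option: bail out rather than trust the length
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            wscale = body[0]
        elif kind == 4:        # SACK permitted
            sack = True
        elif kind == 8:        # Timestamp
            ts = True
        i += length
    return mss, wscale, sack, nop, ts


def fingerprint(pkt):
    """Return the signature (without the OS field) of a raw IPv4/TCP SYN or SYN+ACK packet."""
    ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP packets can be fingerprinted")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    tcp_flags = off_flags & 0x1FF
    if not tcp_flags & TCP_SYN:
        raise ValueError("fingerprints are taken from SYN or SYN+ACK packets only")
    mss, wscale, sack, nop, ts = parse_tcp_options(tcp[20:(off_flags >> 12) * 4])
    return ":".join([
        f"{window:04X}",
        f"{mss:04X}" if mss is not None else "_MSS",
        f"{ttl:02X}",
        f"{wscale:02X}" if wscale is not None else "WS",
        "1" if sack else "0",
        "1" if nop else "0",
        "1" if flags_frag & 0x4000 else "0",                 # IP Don't Fragment bit
        "1" if ts else "0",
        "A" if tcp_flags & TCP_ACK else "S",
        f"{total_len:02X}" if total_len <= 0xFF else "LT",   # assumption: LEN = IP total length
    ])


def identify_os(pkt, db):
    """Look the packet's signature up in the database; None when nothing matches."""
    return db.get(fingerprint(pkt))


def build_syn(ttl, window, options, df=True, ack=False):
    """Constructed test input: an IPv4/TCP SYN (or SYN+ACK) carrying the given option bytes."""
    tcp_len = 20 + len(options)
    assert tcp_len % 4 == 0, "TCP options must be padded to a multiple of 4 bytes"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    off_flags = ((tcp_len // 4) << 12) | TCP_SYN | (TCP_ACK if ack else 0)
    return ip + struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, window, 0, 0) + options


# Option layouts matching the two constructed database entries (MSS 1460 in both).
LINUX_LIKE_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
                   + b"\x01" + b"\x03\x03\x07")                    # MSS, SACK, TS, NOP, WS=7 (20 bytes)
WINDOWS_LIKE_OPTS = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02"  # MSS, NOP, NOP, SACK (8 bytes)
```

A SYN+ACK from the same stack yields a different signature (F = "A"), which is why the database keeps separate entries for the two directions; passive inventory therefore works on both sides of a connection without ever sending a probe.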

3. ntop and Network Security

Goal of This Work
In every network there are some global variables that can be profitably used for detecting network anomalies, regardless of the type of network users and equipment. As most of the relations among these variables are fixed, it is possible to define generic network rules for automatically detecting selected network anomalies.

How N-IDS Systems Work [1/2]
Signature detection systems use patterns of well-known attacks or weak spots of the system to match and identify known intrusions.
Advantage: known attacks are detected efficiently.
Disadvantage: inability to detect new attacks.

How N-IDS Systems Work [2/2]
Anomaly detection systems flag observed activities that deviate significantly from the established normal usage profiles as anomalies: something that is abnormal is probably suspicious.
Advantage: no prior knowledge of the intrusion is required, so new intrusions can be detected.
Disadvantage: there is no clear definition of an attack, hence a potentially high false positive rate.

Defining a new Type of Anomaly Detection System [1/3]
Various experiments performed on different networks confirmed the presence of some similarities in traffic.

Defining a new Type of Anomaly Detection System [2/3]
Simple bytes/packets curves are not very reliable for detecting network problems, as they can present peaks caused by various reasons (e.g. a multicast transmission).

Defining a new Type of Anomaly Detection System [3/3]
The authors (Luca and Stefano) decided to investigate whether it was possible to:
Identify some selected traffic parameters that can be profitably used to model network traffic behaviour.
Define traffic rules so that when such rules are violated there is necessarily a network anomaly (e.g. an abnormal network activity).

What is an Anomaly?
The deviation from the network's expected behaviour, which is defined by considering two kinds of knowledge:
IP protocol specifications contained in RFCs, which need to be satisfied by every host and network (static knowledge).
Statistical traffic analysis that varies according to network characteristics and type of users (dynamic knowledge).

Building Static Knowledge
Classification of the effects on the network of known network security violations.
IP protocol dissection (RFCs).
Network traffic monitoring parameters used by monitoring applications (e.g. RMON).
Experience: survey of parameters checked by network administrators.

Building Dynamic Knowledge
Produce a traffic model for each monitored asset that includes:
List of provided network services.
Thresholds for some specific traffic (e.g. SYN packet ratio, # concurrent outgoing connections).
A security index that identifies how safe a host is.

Some Common Traffic Parameters
ICMP ECHO request/response ratio.
ICMP Destination/Port Unreachable.
# SYN packets vs. # active TCP connections.
Suspicious packets (e.g. out of sequence).
Fragments percentage.
Traffic from/to diagnostic ports (e.g. ident).
TCP connections with no data exchanged.

ntop Requirements: Security
Ability to automatically (i.e. with no configuration) detect common network problems.
Track ongoing attacks and identify potential security holes.

ntop: Some Security Features
TCP/IP stack verification.
Application misuse.
Intrusion detection.

TCP/IP Stack Verification
Network mapping: improper TCP three-way handshaking (e.g. queso/nmap OS detection).
Portscan: stealth scanning, unexpected packets (e.g. SYN/FIN).
DoS: SYN flood, invalid packets (ping of death, WinNuke), smurfing.
IDS/firewall evasion: overlapping fragments, unexpected SYN/ACK (sequence guessing).
Intruders: peak of RST packets.

Application Misuse
Unauthorized application usage (e.g. P2P, ICQ).
Misconfigured applications (e.g. peak of DNS, NTP requests towards non-existing servers).

Intrusion Detection
Trojan horses (e.g. traffic at known ports, BO2K).
Spoofing: local (more MAC addresses match the same IP address) and remote (TTL).
Network discovery (via ICMP, ARP).
# host contacts in the last 5 minutes (warning: in this respect P2P apps behave like viruses/trojans!).
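As an added example (not ntop's rule engine, whose code the slides do not show), the block below implements a handful of the generic rules listed in the "Some Common Traffic Parameters", "TCP/IP Stack Verification" and "Intrusion Detection" slides over a list of per-packet summaries: the ICMP echo request/response ratio, SYN packets versus completed handshakes, SYN/FIN probes, RST peaks, one IP address seen with several MAC addresses (local spoofing), and the number of distinct hosts one source contacts in a 5-minute window. The record layout, the thresholds and the sample traffic are all constructed for the example; real thresholds are part of the per-asset dynamic knowledge and have to be learned on the monitored network.

```python
from collections import defaultdict

# TCP flag bits and ICMP types referred to by the rules.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

# Constructed thresholds for a small LAN; not ntop's real values, which the slides do not give.
THRESHOLDS = {
    "echo_ratio": 3.0,           # echo requests per reply before a sweep is suspected
    "min_echo_requests": 10,     # ignore the ratio on tiny samples
    "syn_to_established": 5,     # pure SYNs per completed handshake (SYN flood / scan)
    "max_rst": 20,               # RST peak
    "max_contacts_5min": 15,     # distinct peers contacted by one host in 5 minutes
}


def detect_anomalies(records, thresholds=THRESHOLDS):
    """Apply the generic rules to packet summaries; return a list of (rule, detail) alerts."""
    alerts = []

    # ICMP ECHO request/response ratio: a sweep sends many requests and gets few replies.
    echo_req = sum(1 for r in records if r.get("icmp_type") == ICMP_ECHO_REQUEST)
    echo_rep = sum(1 for r in records if r.get("icmp_type") == ICMP_ECHO_REPLY)
    if echo_req >= thresholds["min_echo_requests"] and echo_req > thresholds["echo_ratio"] * max(echo_rep, 1):
        alerts.append(("icmp_echo_ratio", f"{echo_req} echo requests vs {echo_rep} replies"))

    tcp = [r for r in records if r["proto"] == 6]

    # # SYN packets vs. # active TCP connections (a SYN+ACK stands in for a completed handshake).
    syns = sum(1 for r in tcp if r["flags"] & SYN and not r["flags"] & ACK)
    established = sum(1 for r in tcp if r["flags"] & SYN and r["flags"] & ACK)
    if syns > thresholds["syn_to_established"] * max(established, 1):
        alerts.append(("syn_vs_connections", f"{syns} SYN vs {established} SYN+ACK"))

    # Unexpected flag combination used by stealth scans: SYN and FIN set together.
    for r in tcp:
        if r["flags"] & SYN and r["flags"] & FIN:
            alerts.append(("syn_fin", f"{r['src_ip']} -> {r['dst_ip']}:{r['dport']}"))

    # Peak of RST packets.
    rsts = sum(1 for r in tcp if r["flags"] & RST)
    if rsts > thresholds["max_rst"]:
        alerts.append(("rst_peak", f"{rsts} RST packets"))

    # Local spoofing: more than one MAC address claims the same IP address.
    macs = defaultdict(set)
    for r in records:
        macs[r["src_ip"]].add(r["src_mac"])
    for ip, seen in sorted(macs.items()):
        if len(seen) > 1:
            alerts.append(("local_spoofing", f"{ip} seen with MACs {sorted(seen)}"))

    # Hosts contacted in the last 5 minutes (sliding window per source host).
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_src[r["src_ip"]].append((r["ts"], r["dst_ip"]))
    for src, peers in sorted(by_src.items()):
        for i, (t0, _) in enumerate(peers):
            window = {dst for t, dst in peers[i:] if t - t0 <= 300}
            if len(window) > thresholds["max_contacts_5min"]:
                alerts.append(("host_contacts", f"{src} contacted {len(window)} hosts within 5 minutes"))
                break
    return alerts


def sample_traffic():
    """Constructed packet summaries: one normal handshake, a ping sweep, a SYN/FIN probe, a spoofed MAC."""
    t = 1000.0
    recs = [
        dict(ts=t, src_mac="00:11:22:33:44:55", src_ip="10.0.0.5", dst_ip="10.0.0.80", proto=6, flags=SYN, dport=80),
        dict(ts=t + 0.01, src_mac="00:aa:bb:cc:dd:ee", src_ip="10.0.0.80", dst_ip="10.0.0.5", proto=6, flags=SYN | ACK, dport=40000),
    ]
    for i in range(20):   # sweep of 20 addresses, only 2 of which answer
        recs.append(dict(ts=t + 1 + i, src_mac="00:de:ad:be:ef:01", src_ip="10.0.0.99", dst_ip=f"10.0.0.{100 + i}",
                         proto=1, icmp_type=ICMP_ECHO_REQUEST, flags=0, dport=0))
    for i in range(2):
        recs.append(dict(ts=t + 2 + i, src_mac=f"00:00:00:00:01:{i:02x}", src_ip=f"10.0.0.{100 + i}", dst_ip="10.0.0.99",
                         proto=1, icmp_type=ICMP_ECHO_REPLY, flags=0, dport=0))
    recs.append(dict(ts=t + 30, src_mac="00:de:ad:be:ef:01", src_ip="10.0.0.99", dst_ip="10.0.0.80", proto=6, flags=SYN | FIN, dport=22))
    recs.append(dict(ts=t + 40, src_mac="00:11:22:33:44:66", src_ip="10.0.0.5", dst_ip="10.0.0.80", proto=6, flags=ACK, dport=80))
    return recs
```

Note that the one legitimate handshake in the sample does not trip the SYN-versus-connections rule, while the scanning host trips three rules at once (echo ratio, SYN/FIN, host contacts); the host-contacts rule is also the one the slide warns about, since a P2P client talking to dozens of peers produces exactly the same pattern.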

Validation Playground [1/2]
Extension to ntop for accounting selected traffic parameters and calculating security thresholds.
Test on the Unipi backbone: (diagram) ATM backbone, Internet link, Juniper router, ntop on a mirrored port.

Validation Playground [2/2]

Evaluation [1/3]
Anomaly detection based on expected behaviour and the study of RFCs guarantees a better longevity with respect to detection mechanisms based on pattern matching and signature detection.
The ADS is effective in many situations where a firewall or an intrusion detection system fail (e.g. a cracker gains host access by means of a buffer overflow).
Attacks, when classified in terms of anomaly categories, are very few with respect to the large number of signatures and patterns that similar solutions need to handle.

Evaluation [2/3]
# of knowledge rules used: ~50 rules per host, ~20 global rules (applied to the whole net).
Rate of false positives: < 10% on known hosts; unknown hosts: investigation needed (informational).
What is normal behaviour? Thresholds for servers/workstations/P2P hosts.

Evaluation [3/3]
The study of the results produced by the ADS can be very well used for:
Network bandwidth optimisation.
Detection of network bandwidth killers.
Avoidance of unwanted protocols.
Network misconfiguration.
Unwanted server activity detection.
TCP/IP stack tuning based on the distribution of TCP connection number, flags (e.g. RST, SYN), and latency.

4. Integration with Commercial Network Monitoring Protocols

Cisco NetFlow [1/2]
Open standard for network traffic measurement defined by Cisco Systems.
Together with RMON (Remote MONitoring) it is the industrial protocol for traffic measurement.
Probes (usually on routers) send traffic flows (coded in NetFlow format) to collectors over UDP.

Cisco NetFlow [2/2]
Collectors perform various aggregations: AS, ports, protocols, src/dst prefix.
Collectors aggregate data and produce reports (accounting, billing, etc.).

InMon sFlow
Similar to NetFlow: probes send traffic flows to collectors over UDP in sFlow format (RFC 3176).
An sFlow probe is basically a sniffer that samples packets at a 1:X rate (1:400 is the default) and sends them coded in sFlow format.
The more samples are captured, the more precise the statistics.
Tuning the sample rate allows probes to capture at Gbit speeds and above.

Why shall ntop support commercial network monitoring protocols?
It is not always possible to capture traffic in the place we want (e.g. border gateway).
Traffic reports used in industry are often trusted only if they are based on commercial products/protocols/probes.
Solution: let ntop be a NetFlow/sFlow probe and collector to ease its acceptance in the industry.

ntop: NetFlow and sFlow
Currently ntop is able to collect/emit both NetFlow and sFlow flows.
Due to ntop's original design, ntop is mostly a collector rather than a probe: flows are very simple whereas ntop provides very complex statistics.
Drawback: at high speeds ntop loses packets due to all the calculations it has to perform.
Solution: let an external probe feed ntop.

NetFlow Traffic Monitoring
Cisco NetFlow is a commercial standard for network monitoring and accounting.
Many companies (e.g. Cisco, Juniper, Extreme) ship appliances with embedded NetFlow probes.
Most commercial probes perform very poorly (~ pkt/sec).

NetFlow: State of the Art [1/2]
Several collectors are available (both commercial and open source); very little offering on the probe side.
NetFlow monitoring cannot cope with Gbit speeds and above, hence new mechanisms (e.g. sampled NetFlow) have been used to overcome this problem.
sFlow, if it became more popular, could be a good alternative for high speeds and backbone monitoring.

NetFlow: State of the Art [2/2]
NetFlow is supported only on high-end routers (no support, or inability to use it, on mid/low-end routers).
Most people still rely on SNMP MIB-II interface counters (no fine-grained measurement at all).
RMON is relatively little used and difficult to both instrument and use.

Solution: nprobe+ntop [1/2]
The community needed an open source probe able to bring NetFlow into both small and large networks.
Ability to run at wire speed (at least up to 1 Gbit) with no need to sample traffic.
Complete open source solution for both flow generation (nprobe) and collection (ntop).

Solution: nprobe+ntop [2/2]
(diagram) Internet, border gateway, traffic mirror feeding nprobe; NetFlow from nprobe to ntop on the local network.

nprobe: Main Features
Ability to keep up with Gbit speeds on Ethernet networks, handling thousands of packets per second without packet sampling on commodity hardware.
Support for major OSs including Unix, Windows and MacOS X.
Resource (both CPU and memory) savvy, efficient, designed for environments with limited resources.
Source code available under the GNU GPL.

nprobe: Internals
One thread captures packets, classifies them, and stores them into a hash table.
A second thread periodically walks the table and emits expired flows.
Static hash (dynamic hashes may lose packets during resize).
No dynamic memory: everything is allocated at startup (no need to call malloc/free, hence better performance).

nprobe: BGP Support
NetFlow packets include information about origin/peer ASs (Autonomous Systems).
nprobe has no access to the BGP table (it is not running on a router), so AS information is read from a file.
The AS file can be produced by reading the BGP table (e.g. via SNMP) from the local router or by downloading it from public sites on the Internet.
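To make the "Cisco NetFlow", "ntop: NetFlow and sFlow", "nprobe: Internals" and "nprobe: BGP Support" slides concrete, here is an added example that is not nprobe's or ntop's code: a fixed-size flow hash that a capture path feeds and an expiry walk drains, an encoder that packs the expired flows into a NetFlow v5 datagram (24-byte header, 48-byte records, at most 30 per datagram, as the v5 format defines them), the collector-side decoder that validates the datagram length against the record count before trusting it, and a longest-prefix lookup that fills the src_as/dst_as fields from a "prefix asn" text file standing in for the AS file nprobe reads. The AS file contents, the 120 s active / 30 s idle timeouts, and the demo traffic are constructed for the example.

```python
import struct
import ipaddress

# Constructed "prefix asn" file standing in for the AS file nprobe reads (it has no BGP table).
AS_FILE = """\
10.0.0.0/8 64512
192.0.2.0/24 64496
198.51.100.0/24 64497
"""

NF5_HEADER = struct.Struct("!HHIIIIBBH")                  # 24 bytes
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48 bytes


def load_as_table(text):
    """Parse 'prefix asn' lines, longest prefix first so the first hit is the most specific."""
    table = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        prefix, asn = line.split()
        table.append((ipaddress.ip_network(prefix), int(asn)))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_as(table, ip):
    """Longest-prefix match; 0 means unknown, as in NetFlow records."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return 0


class FlowCache:
    """Fixed-size hash of active flows, walked periodically to expire flows (nprobe's two-thread model)."""
    def __init__(self, buckets=1024, active_timeout=120, idle_timeout=30):
        self.buckets = [[] for _ in range(buckets)]   # allocated once, never resized
        self.active_timeout = active_timeout           # assumed timeouts, in seconds
        self.idle_timeout = idle_timeout
        self.seq = 0                                   # NetFlow flow_sequence counter

    def add_packet(self, ts, src, dst, proto, sport, dport, length, tcp_flags=0):
        key = (src, dst, proto, sport, dport)
        bucket = self.buckets[hash(key) % len(self.buckets)]
        for flow in bucket:
            if flow["key"] == key:
                flow["pkts"] += 1
                flow["bytes"] += length
                flow["last"] = ts
                flow["flags"] |= tcp_flags
                return
        bucket.append(dict(key=key, pkts=1, bytes=length, first=ts, last=ts, flags=tcp_flags))

    def expire(self, now):
        """Remove and return every flow past the active or the idle timeout."""
        expired = []
        for bucket in self.buckets:
            keep = []
            for f in bucket:
                if now - f["first"] >= self.active_timeout or now - f["last"] >= self.idle_timeout:
                    expired.append(f)
                else:
                    keep.append(f)
            bucket[:] = keep
        return expired


def encode_netflow_v5(flows, boot_time, now, seq, as_table=()):
    """Pack up to 30 expired flows into one NetFlow v5 datagram (flow times in ms since probe boot)."""
    if len(flows) > 30:
        raise ValueError("a v5 datagram carries at most 30 records")
    header = NF5_HEADER.pack(5, len(flows), int((now - boot_time) * 1000), int(now),
                             int((now % 1) * 1e9), seq, 0, 0, 0)
    body = b""
    for f in flows:
        src, dst, proto, sport, dport = f["key"]
        body += NF5_RECORD.pack(
            ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed, b"\0\0\0\0",
            0, 0, f["pkts"], f["bytes"],
            int((f["first"] - boot_time) * 1000), int((f["last"] - boot_time) * 1000),
            sport, dport, 0, f["flags"], proto, 0,
            lookup_as(as_table, src), lookup_as(as_table, dst), 0, 0, 0)
    return header + body


def decode_netflow_v5(datagram):
    """Collector side: return (header, records); reject anything that is not a consistent v5 datagram."""
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, _sampling = NF5_HEADER.unpack_from(datagram, 0)
    if version != 5 or len(datagram) != NF5_HEADER.size + count * NF5_RECORD.size:
        raise ValueError("malformed NetFlow v5 datagram")
    records = []
    for i in range(count):
        r = NF5_RECORD.unpack_from(datagram, NF5_HEADER.size + i * NF5_RECORD.size)
        records.append(dict(src=str(ipaddress.IPv4Address(r[0])), dst=str(ipaddress.IPv4Address(r[1])),
                            pkts=r[5], bytes=r[6], sport=r[9], dport=r[10], flags=r[12], proto=r[13],
                            src_as=r[15], dst_as=r[16]))
    return dict(count=count, uptime_ms=uptime, unix_secs=secs, seq=seq), records


def demo():
    """Constructed traffic: one HTTP flow (5 packets) and one DNS query, expired and exported."""
    table = load_as_table(AS_FILE)
    boot = 1_000_000.0
    cache = FlowCache(buckets=64)
    for i in range(5):
        cache.add_packet(boot + i, "10.1.2.3", "192.0.2.10", 6, 40000, 80, 1500, tcp_flags=0x18)
    cache.add_packet(boot + 2, "10.1.2.3", "198.51.100.53", 17, 53000, 53, 80)
    early = cache.expire(boot + 10)        # nothing has been idle for 30 s yet
    expired = cache.expire(boot + 60)      # both flows idle for more than 30 s
    dgram = encode_netflow_v5(expired, boot, boot + 60, cache.seq, table)
    cache.seq += len(expired)
    return early, decode_netflow_v5(dgram)
```

Two points a collector operator should take from this: NetFlow rides on plain UDP, so the flow_sequence counter in the header is the only way to notice lost or replayed datagrams, and the length/count consistency check in the decoder is what stops a truncated or forged datagram from being parsed past its end.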

nprobe: Performance [1/2]
Tests performed using a traffic generator (Agilent RouterTester 900).
nprobe ran on a dual Athlon, Intel Pro/1000 Gbit Ethernet card, GNU/Linux Debian 3.0, standard setup, no kernel tuning, Intel drivers (publicly available).

nprobe: Performance [2/2]
(table) Packet size, network load (Mbit), nprobe performance (packets/sec), including a run with random packet sizes.

5. Embedding ntop

Why embedding ntop?
In some cases it is easier to ship a simple appliance ready to use rather than provide a software application to install, configure and run.
Modern embedded systems are based on OSs such as Linux, making the transition to them easy (no need to use proprietary/costly/limited OSs).
Several manufacturers are selling cheap boxes suitable for this task.

What to embed?
ntop is a collector that needs disk space to save statistics (e.g. RRD) and memory for tracking hosts.
nprobe makes more sense: easier to embed (weak requirements); distributed traffic capture vs. centralized collection; fewer software requirements -> fewer hardware requirements -> cheap appliance -> small appliance.

nbox [1/2]
Based on the Cyclades TS/100 appliance.
It runs nprobe 1.x.
Suitable for networks up to 10 Mbit of speed (e.g. xDSL, Frame Relay).

nbox [2/2]
Based on Linux/PPC.
Easy configuration via the embedded web interface.
Ability to export flows in NetFlow v5.
Ability to drive an LCD display.

6. Work in Progress

nbox 3
Embedded appliance based on a Lex box with 3 Ethernet ports (1 GE + 2x10/100 or 3x10/100).
Ability to work in pass-through mode (bridge).
Availability: late summer.

Beyond NetFlow: nflow
nflow (http://www.nflow.org)
Proposed to the IETF as flow protocol for IPFIX.
Based on NetFlow v9.
Security (non repudiation).
Flow compression (gzip).
MPLS/VLAN/IPv6 information.
Payload information.
Application/network performance.

Kernel-based nprobe
Kernel traffic collector for improving performance (1 Gbit at full speed with 64 byte packets and commodity hardware).
Status: it currently runs on Linux 2.4.
Plans: port to FreeBSD based on NetGraph.
Availability: summer.

ntop Availability
Home Page:
Platforms: Win32 and Unix.
License: GNU General Public License (GPL).
Distributions: Linux (Debian, Suse, RedHat, Caldera, Slackware), BSD (MacOS X, OpenBSD, FreeBSD).


More information

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Signature based IDS systems use these fingerprints to verify that an attack is taking place. The problem with this method

More information

Chapter 8 Security Pt 2

Chapter 8 Security Pt 2 Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

Chapter 28 Denial of Service (DoS) Attack Prevention

Chapter 28 Denial of Service (DoS) Attack Prevention Chapter 28 Denial of Service (DoS) Attack Prevention Introduction... 28-2 Overview of Denial of Service Attacks... 28-2 IP Options... 28-2 LAND Attack... 28-3 Ping of Death Attack... 28-4 Smurf Attack...

More information

Analyzed compe.tors Cisco RadWare Top Layer RioRey IntruGuard. January 2009. Cristian Velciov. ceo@andrisoft.com (+40) 721 250246

Analyzed compe.tors Cisco RadWare Top Layer RioRey IntruGuard. January 2009. Cristian Velciov. ceo@andrisoft.com (+40) 721 250246 Analyzed compe.tors Cisco RadWare Top Layer RioRey IntruGuard January 2009 Cristian Velciov ceo@andrisoft.com (+40) 721 250246 Andrisoft Solution WANGuard Platform is an enterprise-grade Linux-based software

More information

Lab VI Capturing and monitoring the network traffic

Lab VI Capturing and monitoring the network traffic Lab VI Capturing and monitoring the network traffic 1. Goals To gain general knowledge about the network analyzers and to understand their utility To learn how to use network traffic analyzer tools (Wireshark)

More information

Linux Network Security

Linux Network Security Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

ACHILLES CERTIFICATION. SIS Module SLS 1508

ACHILLES CERTIFICATION. SIS Module SLS 1508 ACHILLES CERTIFICATION PUBLIC REPORT Final DeltaV Report SIS Module SLS 1508 Disclaimer Wurldtech Security Inc. retains the right to change information in this report without notice. Wurldtech Security

More information

Cisco IOS Flexible NetFlow Technology

Cisco IOS Flexible NetFlow Technology Cisco IOS Flexible NetFlow Technology Last Updated: December 2008 The Challenge: The ability to characterize IP traffic and understand the origin, the traffic destination, the time of day, the application

More information

Brocade NetIron Denial of Service Prevention

Brocade NetIron Denial of Service Prevention White Paper Brocade NetIron Denial of Service Prevention This white paper documents the best practices for Denial of Service Attack Prevention on Brocade NetIron platforms. Table of Contents Brocade NetIron

More information

NetFlow Subinterface Support

NetFlow Subinterface Support NetFlow Subinterface Support Feature History Release Modification 12.2(14)S This feature was introduced. 12.2(15)T This feature was integrated into Cisco IOS Release 12.2 T. This document describes the

More information

TCP/IP Fundamentals. OSI Seven Layer Model & Seminar Outline

TCP/IP Fundamentals. OSI Seven Layer Model & Seminar Outline OSI Seven Layer Model & Seminar Outline TCP/IP Fundamentals This seminar will present TCP/IP communications starting from Layer 2 up to Layer 4 (TCP/IP applications cover Layers 5-7) IP Addresses Data

More information

Introduction to Cisco IOS Flexible NetFlow

Introduction to Cisco IOS Flexible NetFlow Introduction to Cisco IOS Flexible NetFlow Last updated: September 2008 The next-generation in flow technology allowing optimization of the network infrastructure, reducing operation costs, improving capacity

More information

UNDERSTANDING FIREWALLS TECHNICAL NOTE 10/04

UNDERSTANDING FIREWALLS TECHNICAL NOTE 10/04 UNDERSTANDING FIREWALLS TECHNICAL NOTE 10/04 REVISED 23 FEBRUARY 2005 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation

More information

Deployment of Snort IDS in SIP based VoIP environments

Deployment of Snort IDS in SIP based VoIP environments Deployment of Snort IDS in SIP based VoIP environments Jiří Markl, Jaroslav Dočkal Jaroslav.Dockal@unob.cz K-209 Univerzita obrany Kounicova 65, 612 00 Brno Czech Republic Abstract This paper describes

More information

CET442L Lab #2. IP Configuration and Network Traffic Analysis Lab

CET442L Lab #2. IP Configuration and Network Traffic Analysis Lab CET442L Lab #2 IP Configuration and Network Traffic Analysis Lab Goals: In this lab you will plan and implement the IP configuration for the Windows server computers on your group s network. You will use

More information

Practical Network Security: Experiences with ntop

Practical Network Security: Experiences with ntop Practical Network Security: Experiences with ntop Luca Deri 1 2 and Stefano Suin 2 1 Finsiel S.p.A., Via Matteucci 34/b, 56124 Pisa. Email l.deri@finsiel.it 2 Centro Serra, University of Pisa, Lungarno

More information

8. 網路流量管理 Network Traffic Management

8. 網路流量管理 Network Traffic Management 8. 網路流量管理 Network Traffic Management Measurement vs. Metrics end-to-end performance topology, configuration, routing, link properties state active measurements active routes active topology link bit error

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Open Source VoIP Traffic Monitoring

Open Source VoIP Traffic Monitoring Open Source VoIP Traffic Monitoring Luca Deri Why VoIP is a Hot Topic? Thanks to open source projects (e.g. Asterisk, Gizmo), and custom Linux distributions (e.g. Asterisk@Home) setting up a VoIP

More information

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations

More information

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump Network forensics 101 Network monitoring with Netflow, nfsen + nfdump www.enisa.europa.eu Agenda Intro to netflow Metrics Toolbox (Nfsen + Nfdump) Demo www.enisa.europa.eu 2 What is Netflow Netflow = Netflow

More information

Firewalls. Network Security. Firewalls Defined. Firewalls

Firewalls. Network Security. Firewalls Defined. Firewalls Network Security Firewalls Firewalls Types of Firewalls Screening router firewalls Computer-based firewalls Firewall appliances Host firewalls (firewalls on clients and servers) Inspection Methods Firewall

More information

Cisco NetFlow TM Briefing Paper. Release 2.2 Monday, 02 August 2004

Cisco NetFlow TM Briefing Paper. Release 2.2 Monday, 02 August 2004 Cisco NetFlow TM Briefing Paper Release 2.2 Monday, 02 August 2004 Contents EXECUTIVE SUMMARY...3 THE PROBLEM...3 THE TRADITIONAL SOLUTIONS...4 COMPARISON WITH OTHER TECHNIQUES...6 CISCO NETFLOW OVERVIEW...7

More information

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date 2012-9-6

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date 2012-9-6 (Integrated) Technology White Paper Issue 01 Date 2012-9-6 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means

More information

Application Latency Monitoring using nprobe

Application Latency Monitoring using nprobe Application Latency Monitoring using nprobe Luca Deri Problem Statement Users demand services measurements. Network boxes provide simple, aggregated network measurements. You cannot always

More information

Content Distribution Networks (CDNs)

Content Distribution Networks (CDNs) 229 Content Distribution Networks (CDNs) A content distribution network can be viewed as a global web replication. main idea: each replica is located in a different geographic area, rather then in the

More information

About Firewall Protection

About Firewall Protection 1. This guide describes how to configure basic firewall rules in the UTM to protect your network. The firewall then can provide secure, encrypted communications between your local network and a remote

More information

Traffic Analyzer Based on Data Flow Patterns

Traffic Analyzer Based on Data Flow Patterns AUTOMATYKA 2011 Tom 15 Zeszyt 3 Artur Sierszeñ*, ukasz Sturgulewski* Traffic Analyzer Based on Data Flow Patterns 1. Introduction Nowadays, there are many systems of Network Intrusion Detection System

More information

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan jirsik}@ics.muni.cz Part I Introduction P. Čeleda et al. Network Security Monitoring and Behavior

More information

IPv6 Security from point of view firewalls

IPv6 Security from point of view firewalls IPv6 Security from point of view firewalls János Mohácsi 09/June/2004 János Mohácsi, Research Associate, Network Engineer NIIF/HUNGARNET Contents Requirements IPv6 firewall architectures Firewalls and

More information

Passively Monitoring Networks at Gigabit Speeds Using Commodity Hardware and Open Source Software

Passively Monitoring Networks at Gigabit Speeds Using Commodity Hardware and Open Source Software Passively Monitoring Networks at Gigabit Speeds Using Commodity Hardware and Open Source Software Luca Deri, NETikos S.p.A. Abstract Passive network monitoring is a complex activity that mainly consists

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP Overview Securing TCP/IP Chapter 6 TCP/IP Open Systems Interconnection Model Anatomy of a Packet Internet Protocol Security (IPSec) Web Security (HTTP over TLS, Secure-HTTP) Lecturer: Pei-yih Ting 1 2

More information

Remote Network Analysis

Remote Network Analysis Remote Network Analysis Torsten Hoefler htor@cs.tu-chemnitz.de (DMZ), mostly between two packet filters and application gateways. The different possibilities to connect DMZ-hosts are also shown in Figure

More information

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

CYBER ATTACKS EXPLAINED: PACKET CRAFTING CYBER ATTACKS EXPLAINED: PACKET CRAFTING Protect your FOSS-based IT infrastructure from packet crafting by learning more about it. In the previous articles in this series, we explored common infrastructure

More information

Denial Of Service. Types of attacks

Denial Of Service. Types of attacks Denial Of Service The goal of a denial of service attack is to deny legitimate users access to a particular resource. An incident is considered an attack if a malicious user intentionally disrupts service

More information

Autonomous NetFlow Probe

Autonomous NetFlow Probe Autonomous Ladislav Lhotka lhotka@cesnet.cz Martin Žádník xzadni00@stud.fit.vutbr.cz TF-CSIRT meeting, September 15, 2005 Outline 1 2 Specification Hardware Firmware Software 3 4 Short-term fixes Test

More information

Traffic monitoring with sflow and ProCurve Manager Plus

Traffic monitoring with sflow and ProCurve Manager Plus An HP ProCurve Networking Application Note Traffic monitoring with sflow and ProCurve Manager Plus Contents 1. Introduction... 3 2. Prerequisites... 3 3. Network diagram... 3 4. About the sflow protocol...

More information

IDS / IPS. James E. Thiel S.W.A.T.

IDS / IPS. James E. Thiel S.W.A.T. IDS / IPS An introduction to intrusion detection and intrusion prevention systems James E. Thiel January 14, 2005 S.W.A.T. Drexel University Overview Intrusion Detection Purpose Types Detection Methods

More information

Rules definition for anomaly based intrusion detection

Rules definition for anomaly based intrusion detection Rules definition for anomaly based intrusion detection 2002 By Lubomir Nistor Introduction Intrusion detection systems (IDS) are one of the fastest growing technologies within the security space. Unfortunately,

More information

and reporting Slavko Gajin slavko.gajin@rcub.bg.ac.rs

and reporting Slavko Gajin slavko.gajin@rcub.bg.ac.rs ICmyNet.Flow: NetFlow based traffic investigation, analysis, and reporting Slavko Gajin slavko.gajin@rcub.bg.ac.rs AMRES Academic Network of Serbia RCUB - Belgrade University Computer Center ETF Faculty

More information

Measuring IP Performance. Geoff Huston Telstra

Measuring IP Performance. Geoff Huston Telstra Measuring IP Performance Geoff Huston Telstra What are you trying to measure? User experience Responsiveness Sustained Throughput Application performance quality Consistency Availability Network Behaviour

More information

Chapter 8 Network Security

Chapter 8 Network Security [Computer networking, 5 th ed., Kurose] Chapter 8 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 84Securing 8.4 e-mail 8.5 Securing TCP connections: SSL 8.6 Network

More information

Router Architecture Overview. Input Port Functions. Switching Via Memory. Three types of switching fabrics. Switching Via a Bus

Router Architecture Overview. Input Port Functions. Switching Via Memory. Three types of switching fabrics. Switching Via a Bus Router Architecture Overview Two key router functions: run routing algorithms/protocol (RIP, OSPF, BGP) forwarding grams from incoming to outgoing link Input Port Functions Physical layer: bit-level reception

More information

Flow Based Traffic Analysis

Flow Based Traffic Analysis Flow based Traffic Analysis Muraleedharan N C-DAC Bangalore Electronics City murali@ncb.ernet.in Challenges in Packet level traffic Analysis Network traffic grows in volume and complexity Capture and decode

More information

TEIN2 Measurement and Monitoring Workshop. Bruce.Morgan@aarnet.edu.au

TEIN2 Measurement and Monitoring Workshop. Bruce.Morgan@aarnet.edu.au TEIN2 Measurement and Monitoring Workshop Bruce.Morgan@aarnet.edu.au Introduction Agenda TEIN2 Topology Network Monitoring Network Measurement Day 1 Session I: Introduction 09:00-09:30 Introduction to

More information

Security: Attack and Defense

Security: Attack and Defense Security: Attack and Defense Aaron Hertz Carnegie Mellon University Outline! Breaking into hosts! DOS Attacks! Firewalls and other tools 15-441 Computer Networks Spring 2003 Breaking Into Hosts! Guessing

More information

NetCrunch 6. AdRem. Network Monitoring Server. Document. Monitor. Manage

NetCrunch 6. AdRem. Network Monitoring Server. Document. Monitor. Manage AdRem NetCrunch 6 Network Monitoring Server With NetCrunch, you always know exactly what is happening with your critical applications, servers, and devices. Document Explore physical and logical network

More information