ICmyNet.Flow: NetFlow based traffic investigation, analysis, and reporting
Slavko Gajin, slavko.gajin@rcub.bg.ac.rs
AMRES - Academic Network of Serbia
RCUB - Belgrade University Computer Center
ETF - Faculty of Electrical Engineering
NetFlow
Challenges:
Who is consuming the bandwidth and how?
Deep insight into network traffic
Recognize traffic anomalies and security threats
Network optimization
Solution: NetFlow (TM), a protocol developed by Cisco for exporting IP flow statistics
Other vendors: J-Flow, NetStream, sFlow, IPFIX...
How it works?
The router (exporter) exports IP flow statistics to the collector.
Exported data: src/dst IP, src/dst ports, protocol, total bytes, packets, flows, QoS, BGP src/dst AS, exporter IP, in/out ports (interfaces), timestamps...
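As an added example (not ICmyNet.Flow's own code) of what a collector actually receives, the following Python builds a NetFlow v5 datagram carrying the fields listed above and parses it back. The v5 wire layout is Cisco's; the sample flow (addresses, ports, counters, timestamps) is constructed, reusing only the 147.91.0.0/16 prefix and AS 32934 that appear later on the slides.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout, big-endian: a 24-byte header followed by 48-byte flow records.
V5_HEADER = "!HHIIIIBBH"  # version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")
IP_FIELDS = ("srcaddr", "dstaddr", "nexthop")

def build_v5(flows, seq=1, unix_secs=1256116800):
    """Constructed export datagram: each flow is a dict keyed by RECORD_FIELDS (missing fields are 0).
    The default unix_secs is 2009-10-21 09:20:00 UTC, like the first raw file name on the slides."""
    body = b""
    for f in flows:
        vals = [IPv4Address(f.get(k, 0)).packed if k in IP_FIELDS else f.get(k, 0) for k in RECORD_FIELDS]
        body += struct.pack(V5_RECORD, *vals)
    return struct.pack(V5_HEADER, 5, len(flows), 0, unix_secs, 0, seq, 0, 0, 0) + body

def parse_v5(datagram):
    """Parse one v5 datagram. The exporter IP is not in the payload: a collector takes it from the UDP source."""
    hlen, rlen = struct.calcsize(V5_HEADER), struct.calcsize(V5_RECORD)
    version, count, _up, secs, _ns, seq, _et, _eid, sampling = struct.unpack(V5_HEADER, datagram[:hlen])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != hlen + count * rlen:  # truncated or padded datagram: refuse rather than misread it
        raise ValueError("datagram length does not match the record count in the header")
    records = []
    for i in range(count):
        off = hlen + i * rlen
        rec = dict(zip(RECORD_FIELDS, struct.unpack(V5_RECORD, datagram[off:off + rlen])))
        for k in IP_FIELDS:
            rec[k] = str(IPv4Address(rec[k]))
        records.append(rec)
    return {"sequence": seq, "exported_at": secs, "sampling": sampling, "records": records}

# Constructed sample: one TCP flow from the AMRES range 147.91.0.0/16 towards AS 32934 (both values appear on
# the slides); the addresses, ports, counters and timestamps are made up.
SAMPLE = build_v5([{"srcaddr": "147.91.10.20", "dstaddr": "203.0.113.5", "input": 1, "output": 2,
                    "dPkts": 120, "dOctets": 98000, "first": 1000, "last": 61000, "srcport": 51234,
                    "dstport": 443, "tcp_flags": 0x18, "prot": 6, "dst_as": 32934, "src_mask": 16, "dst_mask": 24}])

if __name__ == "__main__":
    for r in parse_v5(SAMPLE)["records"]:
        print(f'{r["srcaddr"]}:{r["srcport"]} -> {r["dstaddr"]}:{r["dstport"]} proto {r["prot"]}',
              f'{r["dOctets"]} bytes, {r["dPkts"]} pkts, in {r["input"]} out {r["output"]}, AS {r["src_as"]} -> {r["dst_as"]}')
```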
Why to use?
Performance management based on SNMP: network traffic, CPU/memory usage
Open questions: who is using the bandwidth? why has it increased? who is talking with whom?
NetFlow Analyzers
Collect, process, present and analyze NetFlow data
Most popular commercial solutions: SolarWinds, ManageEngine, Scrutinizer...
ICmyNet.Flow
AMRES participated in the development with expertise, requirements and testing
Competitive with other commercial solutions
Full free software available for NRENs and their members
www.icmynet.com: live demo, free trial download, user manual, support, contact
System architecture (diagram)
ICmyNet.Flow Collector -> binary raw data files (Flows_2009-10-21-09.20.00, Flows_2009-10-21-09.25.00, Flows_2009-10-21-09.30.00, ...) -> Raw Data Files Archive
ICmyNet.Flow Aggregator -> Database -> ICmyNet.Flow Web
Parameters for traffic analysis
Detailed information about:
IP subnets traffic
Hosts traffic
Network services and applications (based on TCP/UDP ports)
Network protocols (TCP, UDP, ICMP, GRE...)
QoS markers (ToS, IP precedence or DSCP)
BGP Autonomous System Numbers
For each parameter, counters for:
Traffic bandwidth (in bits/s, kbps, Mbps...)
Traffic volume (in MBytes, GB, TB...)
Number of packets (pps), volume and time based diagrams
Number of flows (fps), volume and time based diagrams
Configurable cut-off percentage or data amount for negligible consumers
Overview
Web application is chosen for the user interface:
De-facto standard for network management applications
Accessibility, permanent development, flexibility
Java application working under Tomcat, JSF technologies
Traffic Patterns
Traffic Pattern: traffic of interest, defined by the user
Matches the traffic between the Internal and External network
Statistics are NOT per interface
Statistics are per subnet in the Traffic Pattern
Defined by IP networks and other NetFlow parameters
(diagram: Internal network <-> External network)
Traffic Patterns - example: Internet
Internal Network: 10.0.0.0/8
External Network: exclude 10.0.0.0/8
Traffic Patterns (diagram: External Network, Internal Network)
Traffic Patterns - example: Application Servers
Internal Network: 10.0.0.0/8
External Network: 172.16.0.0/24
Traffic Pattern - basic element of analysis
Internal Network: 10.0.0.0/8
External Network: 10.0.0.0/8
Traffic Patterns
Advanced Traffic Patterns can be configured with flexible matching of any supported NetFlow field
Examples:
AMRES -> Facebook: Internal address 147.91.0.0/16, Src or Dst AS 32934 (Facebook)
Router X: Internal & External address 0.0.0.0/0, Exporter 10.1.1.1
Potential attacks: Src or Dst port 22, 135-139, 445, 1434
Weird protocols: exclude protocols 6 (TCP) and 17 (UDP)
Blocked traffic: Out interface 0 (Null)
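An added example, not code from ICmyNet.Flow: a Traffic Pattern implemented as a predicate over flow records (Internal/External address match plus optional conditions on ports, AS, output interface and protocol), with per-Subnet byte counters that show why the statistics are per subnet rather than per interface. The Internal network 10.0.0.0/8 and the filter values come from the slides; the flow records, subnet names and the dictionary field names are assumptions.

```python
from ipaddress import ip_address, ip_network

def _in(addr, nets):
    return any(addr in n for n in nets)

class TrafficPattern:
    def __init__(self, internal, external, exclude_external=(), **conds):
        self.internal, self.external = [ip_network(n) for n in internal], [ip_network(n) for n in external]
        self.exclude = [ip_network(n) for n in exclude_external]
        self.conds = conds  # optional: ports=set, asn=set, out_if=set, not_proto=set

    def internal_end(self, f):
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        # which end of the flow is the Internal one; None when the flow is outside the pattern
        end = ("src" if _in(src, self.internal) and _in(dst, self.external) and not _in(dst, self.exclude) else
               "dst" if _in(dst, self.internal) and _in(src, self.external) and not _in(src, self.exclude) else None)
        if end is None:
            return None
        c = self.conds
        ok = (("ports" not in c or {f["sport"], f["dport"]} & c["ports"])
              and ("asn" not in c or {f["src_as"], f["dst_as"]} & c["asn"])
              and ("out_if" not in c or f["out_if"] in c["out_if"])
              and ("not_proto" not in c or f["proto"] not in c["not_proto"]))
        return end if ok else None

def subnet_stats(pattern, subnets, flows):
    """Bytes in/out per Subnet (longest prefix in the hierarchy wins), as a Traffic Pattern reports them."""
    stats = {name: {"in": 0, "out": 0} for name, _ in subnets}
    for f in flows:
        end = pattern.internal_end(f)
        if end is None:
            continue
        addr = ip_address(f[end])
        hit = max((s for s in subnets if addr in s[1]), key=lambda s: s[1].prefixlen, default=None)
        if hit:
            stats[hit[0]]["out" if end == "src" else "in"] += f["bytes"]
    return stats

# Constructed sample data: the Internal network and filter values come from the slides, the flows are made up.
SUBNETS = [("AMRES", ip_network("10.0.0.0/8")), ("Faculty-A", ip_network("10.1.0.0/16")), ("Library", ip_network("10.2.0.0/16"))]
FLOWS = [
    dict(src="10.1.5.9", dst="203.0.113.7", sport=51000, dport=443, proto=6, src_as=0, dst_as=32934, out_if=2, bytes=900000),
    dict(src="203.0.113.7", dst="10.1.5.9", sport=443, dport=51000, proto=6, src_as=32934, dst_as=0, out_if=1, bytes=4000000),
    dict(src="10.2.0.4", dst="10.1.5.9", sport=1234, dport=445, proto=6, src_as=0, dst_as=0, out_if=1, bytes=50000),  # internal-to-internal
    dict(src="198.51.100.3", dst="10.2.0.4", sport=40000, dport=22, proto=6, src_as=64496, dst_as=0, out_if=0, bytes=1200),  # dropped to Null
    dict(src="10.2.0.4", dst="198.51.100.9", sport=0, dport=0, proto=47, src_as=0, dst_as=64496, out_if=2, bytes=30000),  # GRE
]
EXT = dict(external=["0.0.0.0/0"], exclude_external=["10.0.0.0/8"])
INTERNET = TrafficPattern(["10.0.0.0/8"], **EXT)
ATTACKS = TrafficPattern(["10.0.0.0/8"], ports={22, 445, 1434} | set(range(135, 140)), **EXT)
WEIRD = TrafficPattern(["10.0.0.0/8"], not_proto={6, 17}, **EXT)
BLOCKED = TrafficPattern(["10.0.0.0/8"], out_if={0}, **EXT)
```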
Subnets
Subnet: defined by name and IP address range in the Internal network
View tab / Address Space: IP address hierarchy of subnets in a tree structure
IPv6 is fully supported!
Subnet Sets
Subnet Set: user defined group of Subnets and/or other Subnet Sets
View tab / Custom Space: user defined hierarchy of Subnet Sets and their Subnets
Any logical grouping of Subnets: institutions, faculties, universities, schools, libraries, etc.
View Tab Top N
View Tab Chart
View Tab List
Archived raw data review
Raw data are archived in files created every 5 minutes
Compressed and archived in a separate folder
Every single flow is saved
Raw Data View: access, review and explore raw data files
Searching for a single flow or event that traversed the network
Archived raw data review
Searching and grouping raw data
Filter, group and sort by any meaningful column
Case study: analysis of a traffic anomaly
Configuration issues - Interfaces
NetFlow configured in both directions (ingress and egress) on interfaces: exported data duplication
(diagram: Host A, NetFlow Collector)
Configuration issues - Interfaces
NetFlow configured in ingress direction on all interfaces: no data duplication
(diagram: Host A)
Configuration issues - Interfaces
NetFlow configured in ingress direction on all interfaces, with redundant links between exporters: data duplication!
(diagram: Host A, interfaces Gi0/1, Gi0/2, Gi0/3, Gi0/1)
Configuration issues - Interfaces
Solution: configure ingress direction on edge links only (do not configure on core links)
Exclude interfaces on core links between exporters from the Traffic Pattern
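Added example (not from ICmyNet.Flow) that shows the duplication of the last three slides on constructed records and the effect of excluding the core-link ingress interfaces from the count. The exporter names, interface names and byte counts are assumptions, not the slides' own configuration.

```python
# Constructed topology after the slides: Host A behind exporter R1 (edge port Gi0/1); R1 and R2 are joined by a
# redundant core link. With ingress NetFlow on every interface, both routers export the same flow.
CORE_LINKS = {("R1", "Gi0/2"), ("R1", "Gi0/3"), ("R2", "Gi0/1")}  # (exporter, ingress interface) on core links

RECORDS = [  # constructed records: (exporter, ingress interface, src, dst, bytes)
    ("R1", "Gi0/1", "10.1.5.9", "203.0.113.7", 800000),    # request enters R1 on its edge port
    ("R2", "Gi0/1", "10.1.5.9", "203.0.113.7", 800000),    # same flow seen again entering R2 over the core link
    ("R2", "Gi0/2", "203.0.113.7", "10.1.5.9", 3000000),   # reply enters R2 on its edge port
    ("R1", "Gi0/3", "203.0.113.7", "10.1.5.9", 3000000),   # reply seen again entering R1 over the core link
]

def volume(records, exclude=frozenset()):
    """Total bytes after dropping records whose (exporter, ingress interface) lies on an excluded core link."""
    return sum(b for ex, inif, _s, _d, b in records if (ex, inif) not in exclude)

def double_counted(records):
    """(src, dst) pairs exported by more than one exporter, i.e. flows that would be counted twice."""
    exporters = {}
    for ex, _inif, s, d, _b in records:
        exporters.setdefault((s, d), set()).add(ex)
    return {pair for pair, exs in exporters.items() if len(exs) > 1}

if __name__ == "__main__":
    print("all interfaces:", volume(RECORDS), "bytes; duplicated:", double_counted(RECORDS))
    print("core links excluded:", volume(RECORDS, CORE_LINKS), "bytes")
```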
Configuration issues - Timers
Timer aging, long: defines the data export interval for long flows (5 min)
(diagram: Real Flow, 5K bits/s lasting 20 minutes, versus Received Flow, 20k bits/s in the 5 minutes at the time of export)
Configuration issues - Timers
Timer aging, fast: defines the data export criteria based on a threshold (~100 packets); prevents memory overload
Configuration issues - Aggregation
The receiving application is using 5 minute aggregation
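Added example (not ICmyNet.Flow code) that reproduces the timer diagram: a 5 kbit/s flow lasting 20 minutes, exported under a 30 minute active timer (Cisco's default) versus a 5 minute one, then aggregated into 5 minute bins. The rate and durations are taken from the slides; attributing all bytes of a record to the bin in which it was exported is an assumption about how the aggregator works.

```python
def export_records(start, duration, bps, active_timeout):
    """Records an exporter emits for one constant-rate flow: (export_time, bits), one per active-timer expiry."""
    records, t, end = [], start, start + duration
    while t < end:
        seg_end = min(t + active_timeout, end)  # the timer expiring or the flow ending triggers an export
        records.append((seg_end, (seg_end - t) * bps))
        t = seg_end
    return records

def aggregate_by_export_time(records, bin_size=300):
    """Bits/s per 5-minute bin when all bytes of a record land in the interval in which it was exported
    (assumed aggregator behaviour, matching the 'received flow' diagram)."""
    bins = {}
    for t_exp, bits in records:
        b = (t_exp - 1) // bin_size * bin_size  # an export exactly on a boundary belongs to the bin just ended
        bins[b] = bins.get(b, 0) + bits
    return {b: v / bin_size for b, v in sorted(bins.items())}

FLOW = dict(start=0, duration=1200, bps=5000)  # constructed: 5 kbit/s for 20 minutes, as in the slide's diagram

def received_rates(active_timeout):
    """What the 5-minute aggregation shows for FLOW under a given active timer (seconds)."""
    return aggregate_by_export_time(export_records(FLOW["start"], FLOW["duration"], FLOW["bps"], active_timeout))

if __name__ == "__main__":
    print("30 min active timer (IOS default):", received_rates(1800))  # one 20 kbit/s spike in the last bin
    print("5 min active timer:", received_rates(300))                  # 5 kbit/s in each of four bins
```

On Cisco IOS the active timer is set in minutes with `ip flow-cache timeout active 5`, which makes the exporter report every long flow at the aggregation interval the receiving application uses.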
NetFlow statistics from non-NetFlow devices?
L2 switches usually do not support the NetFlow protocol
Examples: LAN networks, NREN member connected to the NREN backbone
Solution: port mirroring to a server with two NICs running softflowd (NetFlow emulator, softflow daemon)
http://www.mindrot.org/projects/softflowd/
http://code.google.com/p/softflowd/
Interface info disappears, but Traffic Patterns don't need it!
(diagram labels: FastEthernet 0/1, 0/2, 0/23, 0/24; Mirrored Ports; Gigabit Ethernet 0/0; Gigabit Ethernet 0/1; NetFlow Data Export)
Conclusions
ICmyNet.Flow pros:
Traffic Patterns
Subnets and Subnet Sets hierarchy
Works with non-NetFlow devices
Raw data inspection
Full IPv6 support
Web based, Java, OS independent
Cons:
Some net admins prefer link based statistics (physical infrastructure view)
Lack of top conversations statistics (planned for the new version, 2012)
Links: www.icmynet.com, live.icmynet.com/netflowweb
Questions? slavko.gajin@rcub.bg.ac.rs