Scalable Extraction, Aggregation, and Response to Network Intelligence

Similar documents
NetFlow/IPFIX Various Thoughts

Cisco IOS Flexible NetFlow Technology

Flow Analysis Versus Packet Analysis. What Should You Choose?

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令

NetFlow: What is it, why and how to use it? Miloš Zeković, ICmyNet Chief Customer Officer Soneco d.o.o.

Flow Based Traffic Analysis

NetFlow-Lite offers network administrators and engineers the following capabilities:

Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA

and reporting Slavko Gajin

An overview of traffic analysis using NetFlow

Network congestion control using NetFlow

HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS

Network traffic monitoring and management. Sonia Panchen 11 th November 2010

Introduction to Cisco IOS Flexible NetFlow

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com

From traditional to alternative approach to storage and analysis of flow data. Petr Velan, Martin Zadnik

IPv6 network management. 6DEPLOY. IPv6 Deployment and Support

IPv6 network management. Where and when?

QRadar Security Management Appliances

QRadar Security Intelligence Platform Appliances

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

Securing and Monitoring BYOD Networks using NetFlow

Beyond Monitoring Root-Cause Analysis

Network Monitoring and Management NetFlow Overview

Flow Analysis. Make A Right Policy for Your Network. GenieNRM

The use of SNMP and other network management tools in UNINETT. Arne Øslebø March 4, 2014

Configuring Flexible NetFlow

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

NetFlow The De Facto Standard for Traffic Analytics

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

Netflow Overview. PacNOG 6 Nadi, Fiji

Network Management & Monitoring

UltraFlow -Cisco Netflow tools-

NetFlow v9 Export Format

Cisco NetFlow Generation Appliance (NGA) 3140

Fluke Networks NetFlow Tracker

Introduction to Netflow

Enhancing Flow Based Network Monitoring

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

Comprehensive IP Traffic Monitoring with FTAS System

Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX

Bridging the gap between COTS tool alerting and raw data analysis

Wireshark Developer and User Conference

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

Autonomous NetFlow Probe

End-to-End Network Centric Performance Management

NetFlow Tips and Tricks

Beyond Monitoring Root-Cause Analysis

Cisco IOS Flexible NetFlow Command Reference

Configuring NetFlow-lite

Signature-aware Traffic Monitoring with IPFIX 1

Lab Characterizing Network Applications

Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document

Stateful Firewalls. Hank and Foo

Challenges in NetFlow based Event Logging

NfSen Plugin Supporting The Virtual Network Monitoring

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

How To Make A Vpc More Secure With A Cloud Network Overlay (Network) On A Vlan) On An Openstack Vlan On A Server On A Network On A 2D (Vlan) (Vpn) On Your Vlan

SLA para aplicaciones en redes WAN. Alvaro Cayo Urrutia

SonicOS 5.8: NetFlow Reporting

Chapter 9. IP Secure

Cisco Catalyst 4948E NetFlow- lite

Log Management with Open-Source Tools. Risto Vaarandi rvaarandi 4T Y4H00 D0T C0M

Benefits. Product Overview. There is nothing more important than our customers. DATASHEET

The Value of Flow Data for Peering Decisions

Practical Experience with IPFIX Flow Collectors

12. Firewalls Content

Configuring NetFlow. Information About NetFlow. Send document comments to CHAPTER

NetFlow & BGP multi-path: quo vadis?

How-To Configure NetFlow v5 & v9 on Cisco Routers

HP IMC User Behavior Auditor

CCNA Security 1.1 Instructional Resource

How To Manage Ipv6 Networks On A Network With Ipvv6 (Ipv6) On A Pc Or Ipv4 (Ip6) (Ip V6) Or Ip V6 ( Ipv5) ( Ip V5

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

From NetFlow to IPFIX the evolution of IP flow information export

Take the NetFlow Challenge!

Benefits. Product Overview. There is nothing more important than our customers. DATASHEET

PRACTICAL EXPERIENCES BUILDING AN IPFIX BASED OPEN SOURCE BOTNET DETECTOR. ` Mark Graham

Configuring NetFlow Secure Event Logging (NSEL)

Log Management with Open-Source Tools. Risto Vaarandi SEB Estonia

Cisco Which VPN Solution is Right for You?

NetFlow Configuration Guide, Cisco IOS Release 15M&T

NetFlow Configuration Guide, Cisco IOS Release 12.4

HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS

sflow Why You Should Use It And Like It NANOG 39 February 04-07, 2007

CISCO IOS NETFLOW AND SECURITY

Are Second Generation Firewalls Good for Industrial Control Systems?

Agenda. Cisco Research SCRIPT and the Big Picture. Building Blocks for the SCRIPT Project

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

Traffic Analysis. CSF: Forensics Cyber-Security. Part II.B. Techniques and Tools: Network Forensics. Fall 2015 Nuno Santos

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Security threats and network. Software firewall. Hardware firewall. Firewalls

NetFlow Configuration Guide, Cisco IOS Release 12.2SR

Transcription:

Scalable Extraction, Aggregation, and Response to Network Intelligence

Agenda Explain the two major limitations of using Netflow for Network Monitoring Scalability and Visibility How to resolve these issues through a combination of Deep Packet Inspection and IPFIX Mediation Applications of this approach to Cybersecurity and Network Monitoring Mantaro s work in this area

Netflow Introduction Netflow is a protocol that was introduced by Cisco and is used for flow reporting on network traffic Information is typically reported on a flow basis, rather than on a packet basis However it is possible to report on packets via sampling The two popular versions are Netflow v5 and Netflow v9 Other equipment vendors have their own variants but they are similar Netflow IPFIX NetStream Jflow Rflow Cflowd

Information Reported in Netflow v5 Source and Destination IP addresses SNMP indices of input and output interface IP address of next hop Packets in the flow NETFLOW Total L3 bytes in flow Sysuptime of start and end of flow Source and Destination ports IP protocol, TOS, TCP flag info L7-Application L6-Presentation L5 - Session L4 -Transport L3- Network L2 Data Link L1 -Physical OSI Model

The difference between Netflow v5 and v9 Netflow v9 added support for IPv6 addresses Concept of a template was introduced in Netflow v9 A template is a packet that is used to describe the structure of subsequent Netflow packets of the same identifier It is like a recipe that tells the Collector the format of the information to follow The advantage of this scheme is that the data sets are purely an identifier and associated data. They do not have any other parsing information which makes transport more efficient Netflow v5 Netflow v9 Flow Header Flow Record Flow Header Template Template Template Flow Header Data Record Data Record Data Record Fixed Format Extensible Format

Pros and Cons of Netflow Pro Gives flow level traffic visibility which enables numerous applications Con Adds processing load to routers and switches Reports on L3 and L4 information as well as flow timing Reports on flow length Supported on many different networking devices natively Is often run in sampled mode to reduce strain on the router and misses fidelity on small flows Higher layer visibility limited to IP protocol field Only reports L3 and L4 metadata Collection Architecture Doesn t Scale Well to 10Gbps rates How Do We Address These Issues?

Problem 1 More Visibility Needed We d Like to See More Than L3 and L4 Metadata for better Situational Awareness Combine Deep Packet Inspection with IPFIX!

IPFIX Introduced in 2008 IPFIX was standardized by the IETF in Jan 2008 It uses the template based approach started in Netflow v9 Added Two Very Important New Features: 1. An Enterprise specific field 2. Variable length fields It is space efficient and gives us flexibility to include Enterprise specific data!

IPFIX Framework and Nomenclature Packet Headers Metering Process Exporting Process IPFIX Collecting Process Collecting Process Observation Point Exporting Process Exporter Collector

Deep Packet Inspection for L4 through L7 Visibility IPFIX has enterprise specific fields Mantaro has created one to encapsulate metadata extracted through Deep Packet Inspection What we do is report session level metadata using an IPFIX enterprise specific field The DPI engine can extract application layer metadata from different protocols (700 protocols and about 4000 metadata attributes) Mantaro IPFIX L7-Application L6-Presentation L5 - Session L4 -Transport L3- Network L2 Data Link L1 -Physical

Problem 2 Scaling of Metadata Collection to Multi-Gigabit Speeds How can we architect the system to scale? Leverage Session Level Metadata and use IPFIX Mediation!

Session Versus Packet Level Extraction To do a wide survey of the network, you cannot work at the packet level The session level is the only way to scale to multi-gigabit speeds and beyond. Ideally you d like to do this without having to rely on sampling. By reporting at the session level, you perform an information reduction exercise which reduces metadata rates by 100 times.

Packet Based Metadata Reporting MySQL Limit Doesn t Scale: DB can t keep up

Flow Based Metadata Reporting Scales to below MySQL limit!

Current Monitoring Paradigm Network Traffic Exporter 1 Observation Point Network Traffic Exporter 2 Observation Point Netflow Collector Metadata Database Network Traffic Exporter 3 Collection Point Observation Point Does Not Scale Metadata Overwhelms Database

IPFIX Mediation IPFIX Mediation was proposed to provide Aggregation Correlation Filtering Data Record modification Preprocessing Reduces Load on Exporter Preprocesses IPFIX for the Collector

IPFIX Mediation Architecture Exporter 1 Mediator Anonymization Collector 1 Exporter 2 Aggregation Conversion Correlation Collector 2 Selection Exporter N Mediator N Collector N

Advantages of this solution Unparalleled visibility into application layer data Scales to higher network speeds Standards Based meaning no lock in to existing vendors Scales to multiple observation points Architecture enables new applications Flexibility with mediation capabilities Session based reporting reduces monitoring information

Mantaro s Work In This Area Created an IPFIX Exporter capable of reporting on 700 protocols and about 4000 metadata attributes Created an IPFIX Collector that can log and store these attributes to a database Currently designing a standards compliant IPFIX Mediator Have created numerous applications to show the utility of the system

Mantaro s Approach Enables: Network Performance Monitoring Traffic Profiling Network Asset Discovery Network Forensics IM and Email Investigation Network Profiling Application Intelligent Firewall

Thank You! Please visit the Mantaro booth for a demonstration of our system For more information please contact us at info@mantaro.com

References RFC 5470 RFC 6183 draft-ietf-ipfix-mediators-problem-statement-09 draft-claise-ipfix-mediation-protocol-04

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information