Challenges in NetFlow based Event Logging



Similar documents
Carrier Grade NAT. Requirements and Challenges in the Real World. Amir Tabdili Cypress Consulting

Configuring NetFlow Secure Event Logging (NSEL)

Real World IPv6 Migration Solutions. Asoka De Saram Sr. Director of Systems Engineering, A10 Networks

Configuring NetFlow Secure Event Logging (NSEL)

EXPEDITING ACCESS TO V6 SERVICES: GETTING WEB CONTENT AVAILABLE OVER IPV6 QUICKLY AND AT LOW COST

IPv6-only hosts in a dual stack environnment

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Scalable Extraction, Aggregation, and Response to Network Intelligence

Transition to IPv6 in Service Providers

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Cisco NetFlow Security Event Logging Guide: Cisco ASA 5580 Adaptive Security Appliance and Cisco NetFlow Collector

NetFlow Analytics for Splunk

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

NetFlow use cases. ICmyNet / NetVizura. Miloš Zeković, milos.zekovic@soneco.rs. ICmyNet Chief Customer Officer Soneco d.o.o.

NAT and Firewall Traversal with STUN / TURN / ICE

Cisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software

Secure64. Use cases for DNS64/NAT64

NAT Tutorial. Dan Wing, IETF78, Maastricht July 25, 2010

EXPLORER. TFT Filter CONFIGURATION

NetFlow: What is it, why and how to use it? Miloš Zeković, ICmyNet Chief Customer Officer Soneco d.o.o.

Cisco ASA 5500 Series Adaptive Security Appliance 8.2 Software Release

Cisco Integrated Services Routers Performance Overview

IPv4 and IPv6 Integration. Formation IPv6 Workshop Location, Date

Securing Networks with PIX and ASA

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

IPV6 DEPLOYMENT GUIDELINES FOR. ARRIS Group, Inc.

Juniper Networks and IPv6. Tim LeMaster Ipv6.juniper.net

ICS 351: Today's plan. IP addresses Network Address Translation Dynamic Host Configuration Protocol Small Office / Home Office configuration

NetFlow/IPFIX Various Thoughts

MULTI WAN TECHNICAL OVERVIEW

TR-296 IPv6 Transition Mechanisms Test Plan

DEPLOYMENT GUIDE Version 1.4. Configuring IP Address Sharing in a Large Scale Network: DNS64/NAT64

HP IMC User Behavior Auditor

Implications of Large Scale Network Address Translation (NAT)

21.4 Network Address Translation (NAT) NAT concept

IPv4/IPv6 Transition Mechanisms. Luka Koršič, Matjaž Straus Istenič

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

Availability Digest. Redundant Load Balancing for High Availability July 2013

NetScaler carriergrade network

IP Phone Presence Setup

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

SolarWinds Technical Reference

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

SolarWinds Certified Professional. Exam Preparation Guide

Firewall Defaults and Some Basic Rules

NAT and Firewall Traversal with STUN / TURN / ICE

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Barracuda Link Balancer

Cisco ASA, PIX, and FWSM Firewall Handbook

6.0. Getting Started Guide

nexvortex Setup Guide

MANAGED FIREWALL SERVICE. Service definition

Configuring SSL VPN on the Cisco ISA500 Security Appliance

Gigabit Multi-Homing VPN Security Router

Load Balancing Bloxx Web Filter. Deployment Guide

Flow Analysis Versus Packet Analysis. What Should You Choose?

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

VMware vcloud Air Networking Guide

Catalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting

Cisco RV 120W Wireless-N VPN Firewall

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

Network Agent Quick Start

Securing the Transition Mechanisms

Load Balancing Barracuda Web Filter. Deployment Guide

About Firewall Protection

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

FortiDDos Size isn t everything

Network Management & Monitoring

FIREWALLS & CBAC. philip.heimer@hh.se

Use Domain Name System and IP Version 6

NetFlow Auditor Manual Getting Started

464XLAT in mobile networks

Cyber Essentials. Test Specification

Load Balance Router R258V

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

Load Balancing Web Proxies Load Balancing Web Filters Load Balancing Web Gateways. Deployment Guide

Cisco IOS Flexible NetFlow Technology

How To Configure Virtual Host with Load Balancing and Health Checking

Matt Ryanczak Network Operations Manager

Load Balancing Sophos Web Gateway. Deployment Guide

PANDORA FMS NETWORK DEVICES MONITORING

How To Set Up Foglight Nms For A Proof Of Concept

Take the NetFlow Challenge!

A Measurement of NAT & Firewall Characteristics in Peer to Peer Systems

IPv6 Network Management.

IPv6, Perspective from small to medium ISP

IP/MPLS VPN SERVICE - ADDITIONAL TERMS & CONDITIONS to the IP/MPLS Service Addendum

Monitoring Remote Access VPN Services

Configuring NetFlow-lite

GregSowell.com. Mikrotik Security

Transcription:

Challenges in NetFlow based Event Logging Stefan Künkel IsarNet sk@isarnet.de 31.03.2012

Agenda Introduction Getting Events Example NSEL What is it? Analysis Example CGN Motivation NAT overview NAT Logging Analysis Summary Take aways 4/3/2012 Challenges in NetFlow based Event Logging 2012 IsarNet SWS GmbH Page 2

About IsarNet IsarNet offers highly specialized consulting services, software solutions and workshops covering all aspects of networking 34 CCIEs 3 CCDEs Located in Munich, Germany Page 3

IsarFlow at a glance Analyses NetFlow enabled Network SNMP, QoS, IPSLA NetFlow Export IsarFlow Analyzer Automated reports via e- mail Threshold monitoring and alerting Automated storage of reports and accounting data A decadeofnetflow experience! Page 4

Getting Events Classic NetFlow is data traffic information Example Analysis Protocol Overview Top Session and Top Talker NetFlow based Event logging not only new NetFlow export templates not only new traffic in network new requirements for collector and data storage new ways to analyse data Examples NSEL & CGN Page 5

NSEL NetFlow Security Event logging Cisco: NetFlow export from the ASA ASA: Cisco s Firewall Bidirectional flows are already assembled internally Event driven data export creation denial teardown But what about Syslog? 4/3/2012 Challenges in NetFlow based Event Logging 2012 IsarNet SWS GmbH Page 6

NSEL Analysis Timeframe Filter Device or Interfaces Source IP (v4 & v6) Destination IP(v4 & v6) Username Protocol Destination Port Event Type still under development 4/3/2012 Challenges in NetFlow based Event Logging 2012 IsarNet SWS GmbH Page 7

NSEL Analysis more details user1 user1 still under development 4/3/2012 Challenges in NetFlow based Event Logging 2012 IsarNet SWS GmbH

CGN Carrier Grade NAT aka Large Scale Nat (LSN) Motivation NAT overview NAT Logging Analysis Summary Page 9

Motivation Problem Increasing number of IP-enabled (mobile) devices IPv4 Address space exhausted Solutions 1. Efficient use of remaining IPv4 addresses 2. Migration to IPv6 (+translations to reach IPv4) both require address translation! http://www.potaroo.net/tools/ipv4/ Implementation Address translation in the provider network Carrier Grade Network Address Translation CGNs will exist for several years (forever?) should use IPv4 addresses efficiently (many subscribers per public IPv4 Address) page 10

NAT 44 / NAT 444 NAT overview Private IPv4 (customer) CPE (NAT) CGN Private IPv4 (provider) ALG NAT Public IPv4 Internet RFC 1918 private addresses or shared transition space (draft-weil-shared-transition-space-request-15) More efficient usage of IPv4 resources Application Layer Gateway (ALG) for IP-address-bound applications Short-term solution no IPv6 deployed page 11

NAT 64, RFC 6146 NAT overview CGN DNS64 Public IPv4 Internet IPv4 service IPv6 provider network ALG NAT Routing IPv6 Internet Provider network fully migrated to IPv6 IPv6 clients only IPv4 content reachable via DNS64-translation and NAT Long-term solution will be there for several years (?) IPv6 service page 12

NAT overview Dual Stack Lite (DS-Lite), RFC 6333 Dual stack client Private IPv4 (customer) IPv6 (customer) CPE Tunnel Routing IPv6 provider network CGN ALG NAT 44 Tunnel Routing Public IPv4 Internet IPv4 service v6app v4app IPv4 IPv6 Tunnel Directly connected device (internal dual stack) IPv6 Internet IPv6 service Dual Stack from client point of view IPv4 and/or IPv6 clients/applications Provider network IPv6 only page 13

Implementation & Deployment Exemplary CGN device: Cisco CGSE for CRS-1 Performance Concurrent sessions: 20 Million Session creation rate: 1 Msessions/s Throughput: 20 Gbps full-duplex Default configuration Portlimit 100 Timeouts (inital/active) TCP timeout 120s/1800s UDP timeout 30s/120s ICMP timeout: 60 s page 14

NAT Logging CGN events via NetFlow (session created/deleted) CGN event logging system Log analysis Special versionofisarflow monitoring system: IsarFlow CGN page 15

NAT Logging Logging requirements and solutions Worst case scenario for dimensioning: failover All sessions of one location move to other locations Event-burst from one CGSE 20 Million add events in 20 seconds 1 Mevents/s 180 Mbit/s Performance of IsarFlow CGN NAT 44 performance per server (COTS Linux box) 1.5 Mevents/s 270 Mbit/s sustained rate Loading of data into compressed database at that rate Peak rate beyond 3 Mevents/s (540 Mbit/s) without loss Performance scales with number of servers (distributed DB) Storage requirements: 8 MB for 1 Million sessions (compressed) page 16

CGN Analysis NAT44

CGN Analysis NAT64

CGN Analysis events Typical event rate patterns Monday to Sunday page 19

NAT Logging Ideas for reducing logging effort Bulk port allocation Allocate several ports at once for each client One log event for large port range Problem: deterministic source ports are a security problem (RFC 6056) Possible solution: algorithmic port scattering General problem of bulk port allocation Bulk allocation is port over-provisioning lower NAT efficiency Trade-off NAT efficiency (cost of public IPv4 addresses) Logging efficiency (cost of hard disk space) page 20

Traffic impact First studies of traffic characteristics Based on inspection of 400k sessions No surprise: lots of short sessions Cause high NAT event rates Affect NAT efficiency: timeout until port can be reused Avg. Session duration (incl. timeouts) 135 s > 30 % UDP sessions (!) DNS Resolver in public IP space? SIP/VoIP also across NAT? Evil Traffic? page 21

Summary CGN Summary Carrier grade NATs are currently getting deployed Still lots of standardization effort and new ideas (IETF Softwire, Behave, v6ops ) NAT session logging is a major concern IsarFlow CGN proves feasibility of large-scale full session logging Bulk allocation: Trade-off between NAT efficiency and logging Traffic impact Portlimit: limited number of sessions per user Timeouts: keepalives necessary, as with current CPE NATs Short sessions: Cause high event rates and block resources due to timeouts page 22

Take aways Events are different from classic network traffic data Events can not be summarized or aggregated Logging introduces a new dimension for flow-rates New ways to analyze events Do we need to cross classic traffic information with events? Please discuss with us? What are your questions? page 23

IsarNet Logo 4/3/2012 IsarNet IsarFlow & Overview IsarFlow 2012 2009 IsarNet SWS GmbH Page Seite 24

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information