The ntop Project: Open Source Network Monitoring

Similar documents
Inside ntop: An Open Source Network Monitoring Tool

Monitoring high-speed networks using ntop. Luca Deri

Open Source in Network Administration: the ntop Project

Challenges in High Performance Network Monitoring

Passively Monitoring Networks at Gigabit Speeds Using Commodity Hardware and Open Source Software. Luca Deri January 2003

High-Speed Network Traffic Monitoring Using ntopng. Luca

Monitoring Network Traffic using ntopng

Firewalls Netasq. Security Management by NETASQ

Who is Generating all This Traffic?

Effective Traffic Measurement Using ntop

Network Management & Monitoring

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令

Security Technology White Paper

How To Use Ntop

PANDORA FMS NETWORK DEVICE MONITORING

PANDORA FMS NETWORK DEVICES MONITORING

AlliedWare Plus OS How To Use sflow in a Network

Design and Implementation of an Anomaly Detection System: an Empirical Approach

Detection of illegal gateways in protected networks

CSCE 465 Computer & Network Security

Wire-speed Packet Capture and Transmission

Analyzed compe.tors Cisco RadWare Top Layer RioRey IntruGuard. January Cristian Velciov. (+40)

Netflow Overview. PacNOG 6 Nadi, Fiji

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

CIT 380: Securing Computer Systems

Network Monitoring and Management NetFlow Overview

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

NetFlow: What is it, why and how to use it? Miloš Zeković, ICmyNet Chief Customer Officer Soneco d.o.o.

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Network and Services Discovery

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Practical Network Security: Experiences with ntop

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Ntop: beyond Ping and Traceroute

Configuring Flexible NetFlow

ACHILLES CERTIFICATION. SIS Module SLS 1508

Gigabit Content Security Router

10 Gbit Hardware Packet Filtering Using Commodity Network Adapters. Luca Deri Joseph Gasparakis

Linux Network Security

7. Firewall - Concept

1 Introduction to ntop

NetFlow Subinterface Support

Firewalls. Chapter 3

Load Balance Router R258V

Internet Management and Measurements Measurements

Introduction to Netflow

Firewalls. Pehr Söderman KTH-CSC

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

CONNECTING WINDOWS XP PROFESSIONAL TO A NETWORK

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

PROFESSIONAL SECURITY SYSTEMS

Denial Of Service. Types of attacks

IxLoad-Attack: Network Security Testing

Network traffic monitoring and management. Sonia Panchen 11 th November 2010

How To Set Up Foglight Nms For A Proof Of Concept

Introduction to Cisco IOS Flexible NetFlow

Brocade NetIron Denial of Service Prevention

Denial of Service Attacks

Huawei Traffic Cleaning Solution

Deployment of Snort IDS in SIP based VoIP environments

Practical Network Forensics

Network Traffic Analysis using HADOOP Architecture. Zeng Shan ISGC2013, Taibei

Gigabit Multi-Homing VPN Security Router

Matt Ryanczak Network Operations Manager

Troubleshooting Tools

Algorithms and Techniques Used for Auto-discovery of Network Topology, Assets and Services

Post-Class Quiz: Telecommunication & Network Security Domain

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

1. Firewall Configuration

A Very Incomplete Diagram of Network Attacks

How do I get to

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Gigabit SSL VPN Security Router

TEIN2 Measurement and Monitoring Workshop.

Best of Breed of an ITIL based IT Monitoring. The System Management strategy of NetEye

Traffic Analyzer Based on Data Flow Patterns

8 steps to protect your Cisco router

DNS amplification attacks

High-Speed Network Traffic Monitoring Using ntopng

Cisco NetFlow TM Briefing Paper. Release 2.2 Monday, 02 August 2004

Flow Based Traffic Analysis

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Chapter 28 Denial of Service (DoS) Attack Prevention

CS5008: Internet Computing

Network/Internet Forensic and Intrusion Log Analysis

OSBRiDGE 5XLi. Configuration Manual. Firmware 3.10R

HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

theguard! Service Management Center (Valid for Version 6.3 and higher)

Traffic Monitoring using sflow

Internetworking Microsoft TCP/IP on Microsoft Windows NT 4.0

Overview of TCP/IP. TCP/IP and Internet

Introduction to Network Security Lab 1 - Wireshark

Introduction TELE 301. Routers. Firewalls

vsphere Networking vsphere 6.0 ESXi 6.0 vcenter Server 6.0 EN

Transcription:

The ntop Project: Open Source Network Monitoring Luca Deri <deri@> 1

Agenda 1. What can ntop do for me? 2. ntop and network security 3. Integration with commercial protocols 4. Embedding ntop 5. Work in progress 2

1. What can ntop do for me? 3

What s ntop? ntop is a simple, open source (GPL), portable traffic measurement and monitoring tool, which supports various management activities, including network optimization and planning, and detection of network security violations. 4

Welcome to ntop 5

ntop for WAP 6

ntop Architecture HTTP/HTTPS RRD Cisco NetFlow InMon sflow 7

Network Management: Some Goals (No) Connectivity. Performance. Availability (Failure Detection). Responsiveness to Change and Growth. Inventory. Security. 8

What are the ntop Requirements? Traffic measurement. Traffic characterisation and monitoring. Detection of network security violations. Network optimisation and planning. 9

What are the ntop Goals? Fit end-user needs (no programming required). Easy to use and customize. Standard Interface (Web, SNMP). Open and Portable. Good performance and minimal resource requirements. 10

Traffic Measurement Data sent/received: Volume and packets, classified according to network/ip protocol. Multicast Traffic. TCP Session History. Bandwidth Measurement and Analysis. 11

Traffic Characterisation and Monitoring Network Flows Protocol utilisation (# req, peaks/storms, positive/negative repl.) and distribution. Network Traffic Matrix. ARP, ICMP Monitoring. 12

Network Optimisation and Planning Passive network mapping/inventory: identification of Routers and Internet Servers (DNS, Proxy). Traffic Distribution (Local vs. Remote). Service Mapping: service usage (DNS, Routing). 13

2. ntop and Network Security 14

Defining a new Type of Anomaly Detection System [1/3] Various experiments performed on different networks confirmed the presence of some similarities on traffic. 15

Defining a new Type of Anomaly Detection System [2/3] Simple bytes/packets curves are not very reliable for detecting networks problems, as they can present some peaks caused by various reasons (e.g. a multicast transmission). 16

Defining a new Type of Anomaly Detection System [3/3] The author decided to investigate whether it was possible to: Identify some selected traffic parameters that can be profitably used to model network traffic behaviour. Define traffic rules so that when such rules are violated there is necessarily a network anomaly (e.g. an abnormal network activity). 17

What is an Anomaly? The deviation from the network's expected behaviour that is defined by considering two kinds of knowledge: IP protocol specifications contained in RFCs, that needs to be satisfied by every host and network (static knowledge). Statistical traffic analysis that varies according to network characteristics and type of users (dynamic knowledge). 18

ntop: Some Common Traffic Parameters ICMP ECHO request/response ratio ICMP Destination/Port Unreachable # SYN Pkts vs. # Active TCP Connections Suspicious packets (e.g. out of sequence) Fragments percentage Traffic from/to diagnostic ports (e.g. ident) TCP connections with no data exchanged 19

TCP/IP Stack Verification Network mapping: improper TCP three way handshaking (e.g. queso/nmap OS Detection). Portscan: stealth scanning, unexpected packets (e.g. SYN/FIN). DOS: synflood, invalid packets (ping of death, WinNuke), smurfing. IDS/Firewall elusion: overlapping fragments, unexpected SYN/ACK (sequence guessing). Intruders: peak of RST packets. 20

Intrusion Detection Trojan Horses (e.g. traffic at know ports BO2K). Spoofing: Local (more MAC addresses match the same IP address) and Remote (TTL ). Network discovery (via ICMP, ARP). Viruses: # host contacts in the last 5 minutes (warning: in this respect P2P apps behave as viruses/trojans!) 21

3. Integration with Commercial Network Monitoring Protocols 22

Cisco NetFlow Open standard for network traffic measurement defined by Cisco Systems Together with RMON (Remote MONitoring) is the industrial protocol for traffic measurement. Probes (usually on routers) send traffic flows (coded in NetFlow format) to collectors over UDP. 23

Why shall ntop support commercial network monitoring protocols? It is not always possible to capture traffic in the place we want (e.g. border gateway) Traffic reports used in industry are often trusted only if they are based on commercial products/protocols/probes Solution: let ntop be a NetFlow/sFlow probe and collector to ease its acceptance in the industry. 24

ntop: NetFlow and sflow Currently ntop is able to collect/emit both NetFlow and sflow flows. Due to ntop s original design, ntop is mostly a collector rather than a probe. Flows are very simple whereas ntop provides very complex statistics. Drawback: at highspeeds ntop looses packets due to all the calculations it has to perform. Solution: let an external probe feed ntop. 25

Solution: nprobe+ntop [1/2] The community needed an open source probe able to bring NetFlow both into small and large networks. Ability to run at wire speed (at least until 1 Gb) with no need to sample traffic. Complete open source solution for both flow generation (nprobe) and collection (ntop) 26

Solution: nprobe+ntop [2/2] Internet Border Gateway Traffic Mirror nprobe NetFlow Local Network ntop 27

nprobe: Main Features Ability to keep up with Gbit speeds on Ethernet networks handling thousand of packets per second without packet sampling on commodity hardware. Support of NetFlow v5. Support for major OS including Unix, Windows and MacOS X. Resource (both CPU and memory) savvy, efficient, designed for environments with limited resources. Source code available under GNU GPL. 28

nprobe: Performance Packet Size Network Load nprobe Performance 64 142 Mbit 277 340 packet/sec 64-1500 (random) 953.6 Mbit 152 430 packet /sec 29

4. Embedding ntop 30

Why embedding ntop? In some cases it is easier to ship a simple appliance ready to use rather than provide a software application to install, configure, run. Modern embedded systems are based on OSs such as Linux, making easy the transition to them (no need to use proprietary/costly/ limited OSs such) Several manufacturers are selling cheap boxes suitable for this task. 31

Based on Cyclades TS/100 Appliance It runs nprobe 1.x nbox [1/2] Suitable for networks up to 10 Mbit of speed (e.g. xdsl, Frame Relay) 32

Easy configuration via the embedded web interface. Based on Linux/PPC nbox [2/2] Ability to export flows in NetFlow V5 Ability to drive an LCD display 33

5. Work in Progress 34

nbox Embedded appliance based on a box with 3 Ethernet (1 GE+2x10/100 or 3x10/100) Ability to work in pass-through mode (bridge) Availability: September 2003. 3 35

nprobe 3.x Support of NetFlow v5/v9. Support of a new, open, flow format named nflow (www.nflow.org) Ability to handle both IPv4 and IPv6 (NetFlow v9 only). Improved application performance with respect to current 2.x. Availability: snapshot at (www.), final version (fall 2003) 36

Kernel-based nprobe Kernel traffic collector for improving performance (1 Gbit at full speed with 64 bytes packets and commodity hardware) Status: it currently runs on Linux 2.4. Availability: fall 2003 (with nprobe 3.x) Future Plans: port to FreeBSD based on NetGraph. 37

Wrap-up: ntop Availability Home Page: http://www./ Platforms: Win32 and Unix. License: Gnu Public License (GPL). Distributions: Linux (Debian, Suse, RedHat, Slackware), BSD (MacOS X, OpenBSD, FreeBSD). 38

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information