Network concept: information event on 03.07.2007 at the Bristol Hotel, Mainz
Ideas for network design: Switching, WLAN, Security, VoIP
Date: 03.07.2007, page 1

InMon Traffic Sentinel
Complete network visibility and control with and InMon Traffic Sentinel
Network management without visibility
- Control decisions based on guesswork: guess, then experiment
- Run around with a protocol analyser during an emergency
- Delayed control decisions based on partial data
- Business productivity impacted by slow resolution of network problems
- Untargeted, reactive controls cause significant business impact
- Labour-intensive resolutions = high cost

The industry standard for monitoring traffic in complex, multi-layer switched and routed networks
Diagram labels: intranet, internet, central mgmt, core, dc, distribution, wired edge
- Measurements from every port, all of the time = network-wide visibility
- Effective controls to ensure high-performance and reliable networks
in operation
Diagram: a switch/router with forwarding tables and interface counters; a sampling agent in the switching ASIC takes 1-in-N packet samples and sends datagrams to the InMon Traffic Sentinel collector & analyser.
Datagram contents shown in the diagram:
- packet header (e.g. 128B), src/dst i/f, sampling parms (rate, pool)
- forwarding data: src 802.1p/Q, dst 802.1p/Q, next hop, src/dst mask, AS path, communities, localpref, MPLS
- user ID (Radius, TACACS), URL
- i/f counters

Network-wide visibility all of the time
- Collector/analyser, e.g. InMon Traffic Sentinel
- Always-on, real-time measurements from every port, sent to a single collector, form a central, network-wide view
- Control decisions that ensure high-performance and reliable networks
Traffic Sentinel: detecting and controlling threats
- Identify security threats: suspicious and anomalous behaviour, network intrusions, policy violations, unauthorised traffic, scans, DoS, ARP storms
- Ensure quality of service of VoIP in converged networks
- Troubleshoot network and application problems: why is the network slow? Pinpoint congestion
- Account for traffic and charge back to discourage misuse
- Optimise BGP peering
- Manage multicast traffic
- Analyse trends in usage for network planning

Firewall and IDS are necessary for perimeter defence, but:
- Rules are not installed for zero-day attacks
- Email, web and plugins are not blocked
- Insecure or unauthorised wireless access
- Infected hosts brought in from outside
- Unauthorised access to servers
- Perimeter protection may be breached or evaded
- Cannot rely on the integrity of, or access to, end hosts
and Traffic Sentinel detect internal security threats
Traffic Sentinel: continuous, network-wide monitoring with immediately detects anomalous behaviour and threat signatures from the inside

Security in depth
- Alert on anomalous host behaviour: "This host appears to have been compromised"
- Alert on specific signatures: "I know that packet should not be on my network"
- Back it up with a detailed traffic history: who else did he talk to? How much data was transferred? What other services is he running?
Alert on anomalous behaviour: scanning
Security alert raised on detection of anomalous scanning behaviour: 172.16.144.52 has been observed connecting to a large number of hosts using TCP ports 445 and 139

Back it up with detailed traffic history
- Scanning behaviour has been consistent for the last hour
- Large number of ICMP destination unreachable messages, often associated with scanning
- Hosts are grouped into security zones; the fan indicates scanning activity contained within a single zone
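The fan-out check behind that alert, as an added example written for this page (not InMon's code or Traffic Sentinel's actual detection logic), run over constructed 1-in-N sampled packet records; the record layout, the 20-peer threshold and the ICMP corroboration are assumptions:

```python
from collections import defaultdict

# Constructed sample records (not real traffic):
# (timestamp, src_ip, dst_ip, proto, dst_port_or_icmp_type, sampling_rate)
# sampling_rate models the switch agent's 1-in-N packet sampling.
SAMPLES = (
    [(1000 + i, "172.16.144.52", f"172.16.144.{100 + i}", "tcp",
      445 if i % 2 else 139, 256) for i in range(30)]
    + [(1000 + i, "172.16.144.10", "172.16.144.200", "tcp", 445, 256)
       for i in range(30)]
    # ICMP type 3 (destination unreachable) replies heading back to the scanner
    + [(1000 + i, "172.16.144.1", "172.16.144.52", "icmp", 3, 256)
       for i in range(5)]
)
SCAN_PORTS = {445, 139}

def fan_out(samples, window=3600):
    """Distinct destination hosts per (source, time window) on the watched ports."""
    peers = defaultdict(set)
    for ts, src, dst, proto, dport, _rate in samples:
        if proto == "tcp" and dport in SCAN_PORTS:
            peers[(src, ts // window)].add(dst)
    return {k: len(v) for k, v in peers.items()}

def icmp_unreachable_to(samples, host):
    """Estimated ICMP destination-unreachable packets sent to host.
    Packet counts can be scaled by the sampling rate; distinct-peer counts cannot."""
    return sum(rate for _, _, dst, proto, itype, rate in samples
               if proto == "icmp" and itype == 3 and dst == host)

def scan_alerts(samples, threshold=20, window=3600):
    """Sources whose observed fan-out reaches the threshold, with corroborating
    ICMP evidence. The observed distinct-peer count is a lower bound on the true
    fan-out, since connections that were never sampled are invisible."""
    alerts = []
    for (src, _bucket), n in sorted(fan_out(samples, window).items()):
        if n >= threshold:
            alerts.append({"host": src, "peers": n,
                           "icmp_unreachable_est": icmp_unreachable_to(samples, src)})
    return alerts
```

Because distinct-peer counts cannot be scaled up like byte or packet counts, a host that scans slowly may stay under the threshold at a coarse sampling rate; the ICMP estimate is the second signal the slide suggests for such cases.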
Detect policy violations: unauthorised NAT device
Policy forbids users to attach their own NAT devices, since this could allow unauthorised hosts to obtain unrestricted access to the network

Detection of an unauthorised NAT device
- Detect an unauthorised NAT device by correlating TTL values exported in and raise an alert
- Identify the NAT device manufacturer by MAC address
- Identify the switch and interface connecting the NAT device
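One TTL-correlation heuristic of the kind the slide describes, as an added example (not Traffic Sentinel's method): it assumes hosts on access ports are directly attached, so a source whose packets all arrive with a decremented TTL, or that shows more than one OS initial-TTL family, has a router (the NAT box) in front of it. The sample records, port names and the 64/128/255 initial-TTL table are assumptions.

```python
from collections import defaultdict

# Initial TTLs commonly chosen by host operating systems (assumption of this
# heuristic, not a value from the slides).
INITIAL_TTLS = (64, 128, 255)

def ttl_origin(ttl):
    """Map an observed TTL to (assumed initial TTL, hops travelled)."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init, init - ttl
    raise ValueError(f"impossible TTL {ttl}")

# Constructed samples: (src_ip, ingress_port, observed_ttl). A directly attached
# host on an access port should arrive with hops == 0.
SAMPLES = [
    ("10.1.1.20", "Gi1/0/7", 128), ("10.1.1.20", "Gi1/0/7", 128),
    # 10.1.1.50: always one hop away, and two OS families behind one address
    ("10.1.1.50", "Gi1/0/12", 63), ("10.1.1.50", "Gi1/0/12", 127),
    ("10.1.1.50", "Gi1/0/12", 63),
    ("10.1.1.77", "Gi1/0/3", 64),
]

def nat_suspects(samples):
    """Flag sources whose packets are all decremented on an access port (hidden
    router hop) or that mix initial-TTL families (several hosts sharing one
    address). Returns {src: {"port": ingress_port, "reasons": [...]}} so the
    switch interface can be reported alongside the alert."""
    seen = defaultdict(lambda: {"port": None, "origins": set()})
    for src, port, ttl in samples:
        seen[src]["port"] = port
        seen[src]["origins"].add(ttl_origin(ttl))
    out = {}
    for src, info in seen.items():
        reasons = []
        if all(hops >= 1 for _, hops in info["origins"]):
            reasons.append("all packets one or more hops behind access port")
        if len({init for init, _ in info["origins"]}) > 1:
            reasons.append("multiple initial-TTL families from one address")
        if reasons:
            out[src] = {"port": info["port"], "reasons": reasons}
    return out
```

Any legitimate router in the path also decrements TTL, so the hop check is only meaningful on ports where the policy expects a directly attached host; trunk and uplink ports need to be excluded before this runs.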
Ensure quality of service
VoIP is carried by RTP, which provides distributed connectivity for load balancing and redundancy. Traffic Sentinel's network-wide monitoring with is uniquely suited to directly identifying QoS problems

Reports identify QoS issues
- Packet loss is fairly consistent
- But there is a spike in jitter at 10:35
- The problem is confined to the Embarcadero zone
Controlling utilisation, error rates and discards
- Alert on thresholds
- Pinpoint the problem
- Identify the cause

More information
- http://www.sflow.org
- Tools supporting : InMon Traffic Sentinel, IronView, HP-IUM, HP-OV Performance Insight, GenieNRM, NetScout, Trend
- Public domain: tcpdump, snort, ntop, rrdtool, ethereal
- http://www.inmon.com: Products (product data sheets), Technology (application notes), Demo
- http://demo.inmon.com (demo)
- http://www.inmon.com/technology/sflow.php (open source tool)