Getting More Information On Your Network Performance



Similar documents
Application Latency Monitoring using nprobe

High-Speed Network Traffic Monitoring Using ntopng. Luca

Monitoring Network Traffic using ntopng

High-speed Network and Service Monitoring. Luca Deri

Monitoring Network Traffic using ntopng

High-Speed Network Traffic Monitoring Using ntopng

ntopng: Realtime Network Traffic View

Best of Breed of an ITIL based IT Monitoring. The System Management strategy of NetEye

Flow Analysis Versus Packet Analysis. What Should You Choose?

Who is Generating all This Traffic?

Network Troubleshooting Using ntopng Luca Deri

SECURITY & REAL-TIME APPLICATION INSIGHT

Monitoring Mobile Network Traffic (3G/LTE) Luca Deri

Effiziente Filter gegen Kinderpornos und andere Internetinhalte. Lukas Grunwald DN-Systems GmbH CeBIT Heise Forum 2010 Hannover

Monitoring Mobile Network Traffic (3G/LTE) Luca Deri

Getting the Most Out of Your Existing Network A Practical Guide to Traffic Shaping

Distributed Systems. 2. Application Layer

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Towards 100 Gbit Flow-Based Network Monitoring. Luca Deri Alfredo Cardigliano

Cyber Security Scan Report

Load Balancing and Sessions. C. Kopparapu, Load Balancing Servers, Firewalls and Caches. Wiley, 2002.

Web Traffic Capture Butler Street, Suite 200 Pittsburgh, PA (412)

Open Source VoIP Traffic Monitoring

Open Source in Network Administration: the ntop Project

PRACTICAL EXPERIENCES BUILDING AN IPFIX BASED OPEN SOURCE BOTNET DETECTOR. ` Mark Graham

SLA para aplicaciones en redes WAN. Alvaro Cayo Urrutia

DPI and Metadata for Cybersecurity Applications

Internet Privacy Options

EAGLE EYE IP TAP. 1. Introduction

The Broadband Service Optimization Handbook Chapter 3

Open Source VoIP Traffic Monitoring

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version ForeScout Mobile

The ntop Project: Open Source Network Monitoring

Arbor s Solution for ISP

IBM. Vulnerability scanning and best practices

Gateway Security at Stateful Inspection/Application Proxy

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Cisco Network Analysis Module Software 4.0

February Considerations When Choosing a Secure Web Gateway

Frequently Asked Questions

An Introduction to VoIP Protocols

Hypertext for Hyper Techs

Uncovering the Big Players of the Web

IERG 4080 Building Scalable Internet-based Services

App-ID. PALO ALTO NETWORKS: App-ID Technology Brief

HTTP. Internet Engineering. Fall Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

Monitoring commercial cloud service providers

Understanding Slow Start

Websense Web Security Gateway: What to do when a Web site does not load as expected

Intrusion Detection System

Using IPM to Measure Network Performance

11 THINGS YOUR FIREWALL SHOULD DO. a publication of 2012 INVENIO IT A SMALL BUSINESS WHITEPAPER

Principles of Network Applications. Dr. Philip Cannata

Controlling SSL Decryption. Overview. SSL Variability. Tech Note

Stopping secure Web traffic from bypassing your content filter. BLACK BOX

Scalable Internet Services and Load Balancing

Application Detection

Firewall Testing Methodology W H I T E P A P E R

A Standard Modest WebSite

Monitoring high-speed networks using ntop. Luca Deri

Component Details Notes Tested. The virtualization host is a windows 2008 R2 Hyper-V server. Yes

DMZ Network Visibility with Wireshark June 15, 2010

How To Monitor A Network On A Network With Bro (Networking) On A Pc Or Mac Or Ipad (Netware) On Your Computer Or Ipa (Network) On An Ipa Or Ipac (Netrope) On

Hosted Voice. Best Practice Recommendations for VoIP Deployments

Application Delivery Networking

HTTPS Inspection with Cisco CWS

Going Cloud, Going Mobile: Will Your Network Drag You Down? Wes Morgan, IBM / 2 Feb 2016

Cheap and efficient anti-ddos solution

HOSTED VOICE Bring Your Own Bandwidth & Remote Worker. Install and Best Practices Guide

Project X Mass interception of encrypted connections

Enterprise Network Management. March 4, 2009

Best Practices for Controlling Skype within the Enterprise > White Paper

Deploying the Barracuda Load Balancer with Office Communications Server 2007 R2. Office Communications Server Overview.

CHAPTER 3 PROBLEM STATEMENT AND RESEARCH METHODOLOGY

The Ecosystem of Computer Networks. Ripe 46 Amsterdam, The Netherlands

AppDirector Load balancing IBM Websphere and AppXcel

Cisco Meraki MX products come in 6 models. The chart below outlines MX hardware properties for each model: MX60 MX60W MX80 MX100 MX400 MX600

Chapter 4 Firewall Protection and Content Filtering

Moving Network Security from Black and White to Color Refocusing on Safely Enabling Applications

MEASURING THE POPULAR OTT IS EQUIVALENT AS MEASURING CUSTOMER EXPERIENCE IN MOBILE NETWORKS?

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013

Barracuda Networks Web Application Firewall

Getting Started with PRTG Network Monitor 2012 Paessler AG

24x7 Monitoring and Troubleshooting Distributed Application Performance

Game changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE

Debugging With Netalyzr

Adaptive Authentication Integration Options. John Murray Manager, RSA Systems Engineering

Cyber Security Workshop Ethical Web Hacking

From Network Security To Content Filtering

An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

Radware s AppDirector and AppXcel An Application Delivery solution for applications developed over BEA s Weblogic

Computer Networks. Examples of network applica3ons. Applica3on Layer

Securing the Intelligent Network

Implementing the Application Control Engine Service Module

CGHub Client Security Guide Documentation

HOLDING ON TO YOUR BANDWIDTH

Application-Centric Analysis Helps Maximize the Value of Wireshark

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Transcription:

Getting More Information On Your Network Performance Luca Deri <deri@ntop.org>

Network Traffic is a Moving Target For years network administrators have identified traffic protocols and services using IP address and ports: Port 80 = HTTP. Network x.y.z.0/24 identifies users of factory site Rome. HTTPS is a secure connection to a web site. Unfortunately the above statements do not longer hold: Protocols might use dynamic ports. Well known ports might not carry the traffic we expect (80!= http). Encryption does not always mean security (SSL vs OpenVPN). Users moves and often do not need to connect back to the home network for carrying on their job. 2

The Cloud is Here Up to some years ago, software companies wanted to sell their products (e.g. word processors and spreadsheets). Today many people use collaborative services based on the cloud (e.g. Google Docs or MS Office 365). Remote conferencing (e.g. Webex or GoToMeeting) are all cloud-based. Popular apps such as EverNote used to keep track of notes on computers and mobile devices, storing your (private) data onto the cloud and not on your data centers (where you can enforce the security policy). 3

Network Health Monitoring is Complex Traditional network monitoring systems can limit their supervision activities to home networks. Mobile users, intra-vm data exchange, or cloud services are often invisible to network monitoring systems. Traditional firewalls are becoming blind as: Generic (e.g. HTTP) protocols can be used to tunnel nonhypertext services (e.g. music streaming). HTTPS is not checked so often it flows unrestricted. Cloud services access can t be monitored with simple periodic pings as provides IPs are often unresponsive and change according to our location. 4

Traffic Performance Requirements Make sure that: Locally provided services are in good health. Remote services can be reachable with limited network latency. Cloud services are accessed with good performance. The management console can: Passively track all traffic flows. Identify the application used by each flow so that we can characterize the nature of the traffic flowing onto the network. Compute KPI (Key Performance Indicators) so that network administrators can have a flavor of what is the current network health. 5

Network KPIs Literature and Internet RFCs defined base indicators including bandwidth, packet loss, latency and jitter. Those indicators however need to be associated with a protocol, so that we can trigger alerts: VoIP callers notice roundtrip voice delays of 250 ms (G.114 recommends no more than 150 ms one-way latency) whereas they can operate on networks of limited bandwidth (e.g. 80 Kbit for G.711). HTTP users can tolerate higher latency but pretend larger bandwidth. On a nutshell, application protocol detection is mandatory. 6

The need for DPI DPI (Deep Packet Inspection) is a technique for inspecting the packet payload for the purpose of extracting metadata (e.g. protocol). There are many DPI toolkits available but they are not what we looked for as: They are proprietary (you need to sign an NDA to use them). They are pretty costly for both purchase and maintenance. Adding a new protocol requires vendor support (i.e. it has a high cost and might need time until the vendor supports it) = you re locked-in. Linux L7-filter is quite slow and error prone. On a nutshell DPI is a requirement but the market does not offer an alternative for open-source. 7

Say hello to ndpi ntop has decided to develop its own GPL DPI toolkit (based on a DPI toolkit now popped off the Internet) in order to build an open DPI layer for ntop and third party applications. Supported protocols (over 140) include: P2P (Skype, BitTorrent) Messaging (Viber, Whatsapp, MSN, The Facebook) Multimedia (YouTube, Last.gm, itunes) Conferencing (Webex, CitrixOnLine) Streaming (Zattoo, Icecast, Shoutcast, Netflix) Business (VNC, RDP, Citrix, *SQL) 8

ntop/nprobe with ndpi 9

Tracking Generic KPIs with nprobe [1/2] nprobe is an open source network traffic probe developed by ntop and used in many products such as Würth-Phoenix NetEye. Recently nprobe has been enhanced for continuously tracking KPIs and not just at the beginning of each connection as in past versions. KPIs are complemented with protocol information detected by the ndpi toolkit. This enables network administrators to evaluate the application performance for the whole duration of the communication. 10

Tracking Generic KPIs with nprobe [2/2] Monitored Generic KPIs (per flow) include: Network and application delay, partitioned in client and server delay (i.e. you know if the bottleneck is on the client or on the server side). TCP packet retransmission (i.e. your network is leaking packets) IP packets out-of-order (i.e. you have congestion issues) TCP window change (i.e. monitor how healthy the TCP layer believes your connection is) All these KPIs are enough for giving a baseline of the connection healthiness and thus of your users perceive the provided network quality. 11

Monitoring Nested Communications [1/2] DNS Request/Response HTTP Processing Oracle Query Total Duration When customers experience slow service response, it is necessary to rebuild all communication elements, and identify the source of the delay. Correlation of network events helps to figure out which component(s) is responsible for the poor performance. 12

DNS Monitoring in nprobe [NFv9 57677][IPFIX 35632.205] %DNS_QUERY [NFv9 57678][IPFIX 35632.206] %DNS_QUERY_ID [NFv9 57679][IPFIX 35632.207] %DNS_QUERY_TYPE [NFv9 57680][IPFIX 35632.208] %DNS_RET_CODE [NFv9 57681][IPFIX 35632.209] %DNS_NUM_ANSWER [NFv9 57558][IPFIX 35632.86] %APPL_LATENCY_SEC [NFv9 57559][IPFIX 35632.87] %APPL_LATENCY_USEC DNS query DNS query transaction Id DNS query type (e.g. 1=A, 2=NS..) DNS return code (e.g. 0=no error) DNS # of returned answers Application latency (sec) Application latency (usec) # # When DNS_Client AS ClientCountry ClientCity DNS_Server Query NumRetCode RetCode NumAnswer NumQueryType QueryType TransactionId Answers AuthNSs # 1326819546.137 A.B.C.D XXXX US 192.12.192.5 blogsearch.google.it 0 NOERROR 0 1 A 52017 ns2.google.com;ns1.google.com;ns4.google.com;ns3.google.com 13

HTTP Monitoring in nprobe [1/2] [NFv9 57652][IPFIX 35632.180] %HTTP_URL HTTP URL [NFv9 57653][IPFIX 35632.181] %HTTP_RET_CODE HTTP return code (e.g. 200, 304...) [NFv9 57654][IPFIX 35632.182] %HTTP_REFERER HTTP Referer [NFv9 57655][IPFIX 35632.183] %HTTP_UA HTTP User Agent [NFv9 57656][IPFIX 35632.184] %HTTP_MIME HTTP Mime Type # # Client Server Protocol Method URL HTTPReturnCode Location Referer UserAgent ContentType Bytes BeginTime EndTime Flow Hash Cookie Terminator ApplLatency(ms) ClientLatency(ms) ServerLatency(ms) Application BalancerHostServerIP RetransmittedPkts # 192.168.1.92 www.facebook.com http GET /ajax/presence/reconnect.php? a=1&reason=6&iframe_loaded=false&post_form_id=efe1a067adb2f9db341d72d56ce42c5b& user =675644907 200 www.facebook.com/repubblica? v=wall&ref=hrht-3 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3 application/x-javascript 3181 1318023905.364 1318023905.990 106224292 41840 C 367 0.038 128.810 Unknown 69.171.224.40 0 14

Oracle/MySQL Monitoring in nprobe [NFv9 57667][IPFIX 35632.195] %MYSQL_SERVER_VERSION MySQL server version [NFv9 57668][IPFIX 35632.196] %MYSQL_USERNAME MySQL username [NFv9 57669][IPFIX 35632.197] %MYSQL_DB MySQL database in use [NFv9 57670][IPFIX 35632.198] %MYSQL_QUERY MySQL Query [NFv9 57671][IPFIX 35632.199] %MYSQL_RESPONSE MySQL server response [NFv9 57672][IPFIX 35632.200] %ORACLE_USERNAME Oracle Username [NFv9 57673][IPFIX 35632.201] %ORACLE_QUERY Oracle Query [NFv9 57674][IPFIX 35632.202] %ORACLE_RSP_CODE Oracle Response Code [NFv9 57675][IPFIX 35632.203] %ORACLE_RSP_STRING Oracle Response String [NFv9 57676][IPFIX 35632.204] %ORACLE_QUERY_DURATION Oracle Query Duration (msec) # # Client Server User Query ResponseCode ResponseMsg Bytes BeginTime EndTime QueryDuration(sec) ClientLatency(ms) ServerLatency(ms) # 0.62.4.118 10.62.6.211 select * from COMPANY where JDOID =78544 0 310037 1333461770.861 1333461795.892 0.024 0.000 0.000 15

Characterizing Encrypted Traffic As SSL usage is becoming pervasive, we cannot assume that SSL traffic is safe. HTTPS can flow through proxies as follows: CONNECT server.example.com:80 HTTP/1.1 CONNECT is insecure when: It is used for bypassing the security as with Skype (connect with numeric IPs). HTTPS/SSL is insecure when: It is used as faked HTTP(s), e.g. used in OpenVPN for creating long-standing tunnels with the external sites. 16

How to Discriminate Good from Bad SSL? It is necessary to: Decode the SSL certificate in order to find out the symbolic name of the server we re connecting to. Find out on the certificate, who has signed it in order to figure out if it s a self-signed certificate (thus not trustable) As of today nprobe and ndpi decode the certificate and use it for giving network administrators evidence. 192.168.1.92 www.facebook.com https 0 99552 1335613695.591 1335613700.723 106229198 0 C 0 0.090 74.162 192.168.1.92 www.mps.it https 0 4925 1335613685.470 1335613686.557 2209353430 0 C 0 0.039 36.204 192.168.1.92 www.intesasanpaolo.com https 0 19512 1335613677.972 1335613708.776 2178073166 0 S 0 0.029 37.234 192.168.1.92 p05-caldav.icloud.com https 0 6274 1335613713.652 1335613714.340 3528810468 0 C 0 0.071 84.526 17

What s next? We re developing an extension to nprobe that allows people to both Generate flow records on monitored traffic. Use the probe as application firewall that can block/pass/shape traffic based on layer 7 protocols. You can for instance (per IP, MAC address) say block Skype, shape Facebook to 32 KB, let all the other traffic pass Traffic Rules Company n Internet nprobe 18

Conclusions Generic KPI give administrators the ability to understand how the network is behaving. ndpi allows you to associate these KPIs with an application protocol and thus an application. nprobe provides protocol-specific information (e.g. URL, cookie, SQL query, called VoIP number, voice quality indicators) in order to enable information correlation and thus better visibility. All you have read on this presentation is immediately available onto every nbox/neteye box as well for your virtualized environments. 19

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information