NETFLOW & NETWORK-BASED APPLICATION RECOGNITION
ITD PRODUCT MANAGEMENT
NOVEMBER 2003
NetFlow and NBAR, November 2003
© 2003 Cisco Systems, Inc. All rights reserved.
Overview of NetFlow and Network-Based Application Recognition
• NetFlow
  Pioneering IP accounting technology
  Invented and patented by Cisco
  IETF export standard
• Network-Based Application Recognition (NBAR)
  Intelligent application recognition
  Analyzes and identifies application traffic in real time
NetFlow and NBAR Benefit Footprints
Deployment areas: Enterprise Backbone | Enterprise Premise Edge | Service Provider Aggregation Edge | Service Provider Core
NetFlow
• User (IP) monitoring
• Application monitoring
• Traffic analysis
• Attack mitigation
• Chargeback billing
• Attack mitigation
• Billing
• AS peer monitoring
• Traffic engineering
• Network planning
NBAR
• Application classification
• Precise Quality of Service (QoS) treatment
• Application statistics for bandwidth provisioning
  Top-n views
  Threshold settings
• Mapping applications to an SP's service offering
NetFlow and NBAR Benefit Footprints (supported platforms)
NetFlow
  Enterprise Backbone
  • Cisco Catalyst 4500, 5000, 6500, 7600 Series ASIC
  Enterprise Premise Edge
  • Cisco Catalyst 5000, 6500 Series HW Acceleration
  • Cisco Catalyst 4500 Series ASIC
  • Cisco 7100, 7200, 7300, 7500 Series
  • Cisco AS5300, AS5400, AS5800 Series
  • Cisco 830, 1400, 1700, 2600, 3600, and 3700 Series
  Service Provider Aggregation Edge
  • Cisco Catalyst 4500, 5000, 6500 Series; Cisco 7600 Series ASIC
  • Cisco 7100, 7200, 7300, 7500 Series
  • Cisco AS5300 and AS5800 Series
  • Cisco MGX8000 Series
  • Cisco 10000 and 12000 Series Internet Routers ASIC
  Service Provider Core
  • Cisco Catalyst 5000 and 6500 Series; Cisco 7600 Series ASIC
  • Cisco 7500 Series
NBAR
  Enterprise Backbone
  • Cisco Catalyst 6500 and 7600 Series MSFC, Planned ASIC
  Enterprise Premise Edge
  • Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM, Planned ASIC
  • Cisco 7100, 7200, and 7500 Series
  • Cisco 830, 1400, 1700, 2600, 3600, and 3700 Series
  Service Provider Aggregation Edge
  • Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM, Planned ASIC
  • Cisco 7100, 7200, and 7500 Series
  Service Provider Core
  • Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM, Planned ASIC
  • Cisco 7500 Series
NetFlow and NBAR: Main Objectives and Benefits
Main Objective / Main Benefit
NetFlow
• Flow Characterization: which users utilize the network, what types of traffic, when is the network utilized, where does the traffic go
• Network Usage: IP accounting and billing technology
• Capacity Planning, Traffic Engineering, Peering: traffic & routing information analysis
• Data Export: persistent network usage record
NBAR
• Identify & classify traffic based on payload attributes & protocol characteristics: optimize application performance via QoS; validation or reclassification of ToS marking based on packet inspection
Cisco Internal Use Only
NetFlow and NBAR: Additional Objectives and Benefits
Main Objective / Side Benefits
NetFlow
• Flow Characterization: DDOS & worm detection
• Network Usage: capacity planning and traffic engineering
• Billing: permanent record of network activity
• Capacity, Traffic Eng, Peering: Optimized Edge Routing (OER)
• Data Export: IETF IPFIX WG standard and NetFlow v.9 flexible, extensible format
NBAR
• Identify & classify traffic based on payload attributes & protocol characteristics: detection & dropping/limiting of undesired traffic (peer-to-peer file sharing, worms, ...); application statistics for bandwidth provisioning
Uniqueness and Strengths of NetFlow and NBAR
NetFlow
• IPv6, MPLS, Multicast, BGP NH technology integration
• Billing, Capacity Planning, Traffic Engineering
• Internet Access Monitoring: Peering & Traffic
• IETF Standard for Data Sampling and Export
• Security DDOS Monitoring Tool (New)
• Flow timers, timing of network traffic types
• Who, what, where, when in the network
• Large NMS partner community & open source tools
NBAR
• Deep & Stateful Packet Inspection
• Protocol Discovery with application statistics
• Enables precise classification & QoS treatment
• Pre-defined protocol & application recognition
• User-Defined Custom Application Classification (New)
• New application signatures w/o software upgrade
• Integration with IP Services (QoS, NAT, Firewall, IDS) (New)
NetFlow and NBAR Differentiation
[Figure: packet layout of Link Layer Header | IP Header | TCP/UDP Header | Data. The NetFlow key fields are labelled on the headers: Interface, TOS, Protocol, Source IP Address, Destination IP Address, Source Port, Destination Port. NBAR additionally performs Deep Packet (Payload) Inspection on the Data portion. NetFlow and NBAR both leverage Layer 3 and 4 header information.]
NetFlow
• Monitors data in Layers 2 thru 4
• Determines applications by port
• Utilizes a 7-tuple to identify flows
NBAR
• Examines data from Layers 3 through 7
• Uses Layers 3 & 4 plus packet inspection for classification
• Stateful inspection of dynamic-port traffic
NetFlow and NBAR Useful for Security
Flow information is useful against attacks
NetFlow
• NetFlow mitigates attacks
  Identify the attack
    Count the flows
    Inactive flows signal a worm attack
  Classify the attack
    Small-size flows to the same destination
    What is being attacked and the origination of the attack
• NetFlow security partners: Arbor Networks, Mazu, Adlex
• Cisco IT prevented SQL Slammer at Cisco by watching flows per port
NBAR
• Signature-based detection
• Not historically a main focus for NBAR
  Real-time loadable PDLMs could provide a rapid-update mechanism for new signatures
  Not staffed to react against malicious applications
• NBAR can detect worms based on payload signatures
  Nimda
  Code Red
  Slammer
• Cisco PSIRT provided customers with an NBAR solution to combat Code Red & Nimda
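As an added illustration of the NetFlow heuristics on this slide (counting flows per port, and spotting many small flows from one source to the same destination port), here is example code that is not Cisco's and not from the deck: flow records keyed by the slide's 7-tuple, a "flows per port" count, and a fan-out check. The thresholds, the sample records, and the use of UDP port 1434 (SQL Slammer's target port, supplied here as context) are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One flow record keyed by the 7-tuple from the slides, plus its counters."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    tos: int
    ifindex: int    # input interface
    packets: int
    octets: int

def flows_per_port(flows):
    """'Watching flows per port': number of flows seen per (proto, dst_port)."""
    counts = defaultdict(int)
    for f in flows:
        counts[(f.proto, f.dst_port)] += 1
    return dict(counts)

def small_flow_fanout(flows, min_dsts=5, max_octets=600):
    """Flag sources whose small flows (<= max_octets) reach at least min_dsts
    distinct destinations on one (proto, dst_port): the 'small flows to the
    same destination port' pattern. Thresholds are illustrative assumptions."""
    fanout = defaultdict(set)
    for f in flows:
        if f.octets <= max_octets:
            fanout[(f.src_ip, f.proto, f.dst_port)].add(f.dst_ip)
    return {k: len(v) for k, v in fanout.items() if len(v) >= min_dsts}

# Constructed sample records: one host sending single-packet UDP flows to
# port 1434 at eight different destinations (an assumed Slammer-like
# pattern), alongside ordinary web traffic from two other hosts.
SAMPLE = [Flow("10.0.0.5", f"192.0.2.{i}", 4000 + i, 1434, 17, 0, 1, 1, 404)
          for i in range(1, 9)]
SAMPLE += [
    Flow("10.0.0.7", "198.51.100.10", 51000, 80, 6, 0, 1, 12, 5400),
    Flow("10.0.0.7", "198.51.100.11", 51001, 443, 6, 0, 1, 20, 9100),
    Flow("10.0.0.9", "198.51.100.10", 51002, 80, 6, 0, 1, 7, 3200),
]

if __name__ == "__main__":
    print(flows_per_port(SAMPLE))
    print(small_flow_fanout(SAMPLE))   # {('10.0.0.5', 17, 1434): 8}
```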
Summary of Benefits
NetFlow
• Internet Access Monitoring
  Protocol distribution
  Where traffic is going/coming
• User Monitoring
• Application Monitoring
• Accounting and Billing
• DDOS Monitoring
• Peering Arrangements
• Network Planning
• Traffic Engineering
NBAR
• Deep & Stateful Packet Inspection
• Protocol & Application Discovery
  Standard protocols
  Corporate applications (Citrix, ...)
  Undesired traffic (peer-to-peer, worms, ...)
• Real-time PDLM Signature Update