SMARTxAC / Network Polygraph

Post on 17-Jul-2015


“A Network Visibility Service born at Anella Científica”

Maria Isabel Gandía – mariaisabel.gandia@csuc.cat

Josep Sanjuas – jsanjuas@polygraph.io

Companies depend on Networks

e-mail, databases, shared folders, VoIP, cloud...

Networks are complex and hard to manage

Network Downtime equals Cost

$42,000/h: average cost of downtime

$5,600/min: average cost of downtime (datacenters)

87 hours: average downtime per year

200 min: MTTR per medium outage (itpi)

Network Visibility

• To properly manage a network, you need to see what happens inside it

• First step to...

– identify congested links

– remove unwanted network traffic

– disconnect bandwidth hogs

– troubleshoot performance issues

– plan for future needs

New User Interface

Network Visibility Technologies

• Hardware-based («Deep Packet Inspection»)

– Brute-force approach: inspect all packets

– High visibility, but very high cost

• Software-based (NetFlow, SNMP)

– Use traffic statistics exported by routers

– Mid visibility & low cost

Network Polygraph - Technology

• Best of both worlds: high visibility, low cost

• How? NetFlow + artificial intelligence

NetFlow on steroids: application identification, SSL domain ID, attack & anomaly detection capabilities

History: SMARTxAC to Polygraph

Commercial

Internet

1999-2003: Inception

Previous monitoring and analysis projects:

• CASTBA

• MEHARI

• MIRA

With the collaboration of several universities:

• UPM (Universidad Politécnica de Madrid)

• UC3M (Universidad Carlos III de Madrid)

• UPC (Universitat Politècnica de Catalunya)

And the participation of:

• RedIRIS

• CESCA

• Telefónica Investigación y Desarrollo

• Institut Català de Tecnologia

Focus: monitoring ATM networks

Approach: deep packet inspection with sampling

2003: The Birth of SMARTxAC

Collaboration: CESCA + CCABA/UPC

Objective: monitoring the Anella Científica-RedIRIS connection

Roles

• CESCA: requirements, testbed

• CCABA/UPC: research, development

Objectives:

• Low-cost platform

• Continuously monitor Anella Científica

• Detect anomalies and irregular usage

• Multi-tenant: accessible by many institutions

– each institution can see their own traffic only

2003: Architecture

[Architecture diagram] Capture: Endace DAG card, optical splitter. Analysis: port number, machine learning.

2003: User Interface

[Screenshot: pie charts of traffic breakdown by application category: A_UKNWN, DNS, FTP, GAMES, IRC, MAIL, MULTIMEDIA, NETFS, NETWORK, NEWS, NO_TCPUDP, OTHERS, P2P, T_UKNWN, TELNET, UNIX, WWW]

2003-2011: Network Scales Up

More network interfaces monitored at Anella Científica:

• RedIRIS

• Commercial internet connection

• CATNIX

Internal traffic not monitored

Increasing bandwidth usage

Realization: DPI is not cost effective!

Last straw: switching to 10Gbps links

Distributed core with two main nodes (Campus Nord & Telvent)

Solution: NetFlow

2011: Upgrade to 10Gbps - NetFlow

Flow-based analysis

2x10Gbps NetFlow

User Interface Redesign

2013: Commercial Stage & Spin-off

• Research group gathers commercial interest

• Received public funding for tech transfer

– SMARTxAC to generalized product

• From a research product to a commercial one

– Talaia Networks, S.L.: a spin-off of UPC

– Network Polygraph: «spin-off of SMARTxAC»

Network Polygraph

Deployment Models: Cloud

Customer Network

Cloud

Deployment Models: On-Premises

Customer’s Datacenter

Multi-Tenancy Module

Customer A

Customer B / Customer C

Subscription Models

Service (SaaS)

• Monthly or yearly billing

• Includes support

• Externally managed

• Regularly updated

Perpetual License

• Payable upfront

• Support & maintenance fee

• Not accessible by our personnel

The SaaS Advantage

• No upfront costs for end customer

– Lower barrier of entry (esp. small-mid customers)

– No need to “commit” to our solution

– Simply configure routers to send NetFlow to us

• Managed solution

– Zero maintenance, zero hardware, zero software

– Always upgraded to latest version

Main Large-scale Deployments

• CSUC (Anella Científica network)

– Connects ≈90 public institutions in Catalonia

– Offered as value-added service to >80 admins

• Red.es (RedIRIS network)

– Handles all Spanish academic network traffic

– Connects ≈450 public institutions in Spain

– Won as customer in competitive tender

Use Cases

• Small-medium companies

– Bandwidth is a precious resource, Polygraph helps optimize its usage

• “Why is the network so slow? Should we invest in more bandwidth?”

• Found 1 user constantly downloading files from Mega

• Link was shared with other offices, affecting whole company

Use Cases (2)

• Large companies

– Moving a single “hardware DPI probe” around

• Deploying full DPI was too expensive

• With Polygraph they could cover all branches!

– Realized most attacks come from China

• ISP can block certain IP subnets

• Attacks do not consume customer bandwidth

– Detected covert bitcoin mining operations

• Users were pumping the electricity bill for their personal gain

Use Cases (3)

• ISP & Managed Network Service Providers

– Important customer with an office in North Africa:

• Bandwidth: precious resource

• Wanted to check it is spent wisely – no unwanted traffic

– Receiving large # of copyright violation notices!?

• Traffic analysis reveals P2P traffic

• Particularly, upstream traffic: serving illegal content!

– Use our product to detect network attacks

• Offer product as value-added service to corporate customers

• Sell anti-virus solutions to their own customers

Deployment at CATNIX: Proposal

Member A

Member B / Member C

Website + On-Line Demo

https://polygraph.io

Network Polygraph

Talaia Networks, S.L.

K2M – Parc UPC Campus Nord

Jordi Girona, 1-3

Barcelona (08034)

Spain

Telephone: +34 93 405 45 87

contact@polygraph.io

https://polygraph.io

• traffic volume, breakdown by application

• protocol breakdown

• top talkers (addresses, ports, autonomous systems)

• traffic geolocation

• anomaly and attack detection with automatic baselining

• indexed traffic database for forensic analysis

• automated downloadable reports
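The flow-based analysis the deck describes (port-number application classification as in the 2003 architecture, breakdown by application, top talkers and automatic baselining) as an added Python example; this is not code from the slides or from Network Polygraph, and the port-to-application mapping, the record layout and all flow data are constructed assumptions.

```python
from collections import Counter
from statistics import mean, pstdev
# Port-number classifier like the 2003 SMARTxAC analysis stage, using the
# categories from its pie chart; the port mapping is an illustrative assumption.
PORT_APPS = {53: "DNS", 20: "FTP", 21: "FTP", 25: "MAIL", 110: "MAIL", 143: "MAIL",
             80: "WWW", 443: "WWW", 23: "TELNET", 6667: "IRC", 2049: "NETFS"}

# Constructed flow records (not real captures): proto 6=TCP, 17=UDP, 1=ICMP.
FLOWS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": 6, "sport": 51000, "dport": 443, "bytes": 7000},
    {"src": "10.0.0.5", "dst": "192.0.2.11", "proto": 6, "sport": 51001, "dport": 80, "bytes": 1000},
    {"src": "10.0.0.7", "dst": "192.0.2.53", "proto": 17, "sport": 40000, "dport": 53, "bytes": 500},
    {"src": "10.0.0.9", "dst": "192.0.2.25", "proto": 6, "sport": 40001, "dport": 25, "bytes": 1000},
    {"src": "10.0.0.9", "dst": "192.0.2.99", "proto": 1, "sport": 0, "dport": 0, "bytes": 500},
]

def classify(proto, sport, dport):
    """Map one flow to an application category by well-known port."""
    if proto not in (6, 17):
        return "NO_TCPUDP"
    for port in (dport, sport):  # the server side is usually the destination
        if port in PORT_APPS:
            return PORT_APPS[port]
    return "T_UKNWN"  # TCP/UDP flow on no known port

def breakdown(flows):
    """Percentage of bytes per application category (the pie-chart view)."""
    total = sum(f["bytes"] for f in flows) or 1
    by_app = Counter()
    for f in flows:
        by_app[classify(f["proto"], f["sport"], f["dport"])] += f["bytes"]
    return {app: round(100 * b / total, 2) for app, b in by_app.items()}

def top_talkers(flows, n=3):
    """Source hosts sending the most bytes: candidate bandwidth hogs."""
    by_src = Counter()
    for f in flows:
        by_src[f["src"]] += f["bytes"]
    return by_src.most_common(n)

def anomalous_intervals(series, k=3.0, warmup=5):
    """Automatic baselining: flag intervals more than k std devs above the mean of earlier ones."""
    flagged = []
    for i in range(warmup, len(series)):
        history = series[:i]
        mu, sd = mean(history), pstdev(history) or 1.0  # guard flat baselines
        if series[i] > mu + k * sd:
            flagged.append(i)
    return flagged
```

Feeding real exporter output only requires mapping its fields onto the `src`/`proto`/`sport`/`dport`/`bytes` keys; the classifier is the weak spot, since it assigns anything on a non-standard port to `T_UKNWN`, which is the gap the deck's machine-learning stage exists to close.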