NetFlow and NBAR, November 2003 © 2003 Cisco Systems, Inc. All rights reserved.
NETFLOW & NETWORK-BASED APPLICATION RECOGNITION
ITD PRODUCT MANAGEMENT
NOVEMBER 2003
Overview of NetFlow and Network-Based Application Recognition
• NetFlow
Pioneering IP accounting technology
Invented and patented by Cisco
IETF export standard
• Network-Based Application Recognition (NBAR)
Intelligent application recognition
Analyzes and identifies application traffic in real time
NetFlow and NBAR Benefit Footprints
(Benefits are laid out per deployment point: Enterprise Backbone, Enterprise Premise Edge, Service Provider Aggregation Edge, Service Provider Core)
NetFlow
• User (IP) monitoring
• Application monitoring
• Traffic analysis
• Attack mitigation
• Chargeback billing
• Billing
• AS peer monitoring
• Traffic engineering
• Network planning
NBAR
• Application classification
• Precise Quality of Service (QoS) treatment
• Application statistics for bandwidth provisioning
Top-n views
Threshold settings
• Mapping applications to an SP's service offering
NetFlow and NBAR Benefit Footprints
(Platform support listed per deployment point: Enterprise Backbone, Enterprise Premise Edge, Service Provider Aggregation Edge, Service Provider Core)
NetFlow
• Cisco Catalyst 4500, 5000, 6500, 7600 Series ASIC
• Cisco Catalyst 5000, 6500 Series HW Acceleration
• Cisco Catalyst 4500 Series ASIC
• Cisco 7100, 7200, 7300, 7500 Series
• Cisco AS5300, AS5400, AS5800 Series
• Cisco 830, 1400, 1700, 2600, 3600, and 3700 Series
• Cisco Catalyst 4500, 5000, 6500 Series; Cisco 7600 Series ASIC
• Cisco 7100, 7200, 7300, 7500 Series
• Cisco AS5300 and AS5800 Series
• Cisco MGX8000 Series
• Cisco 10000 and 12000 Series Internet Routers ASIC
• Cisco Catalyst 5000 and 6500 Series; Cisco 7600 Series ASIC
• Cisco 7500 Series
NBAR
• Cisco Catalyst 6500 and 7600 Series MSFC (ASIC planned)
• Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM (ASIC planned)
• Cisco 7100, 7200, and 7500 Series
• Cisco 830, 1400, 1700, 2600, 3600, and 3700 Series
• Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM (ASIC planned)
• Cisco 7100, 7200, and 7500 Series
• Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM (ASIC planned)
• Cisco 7500 Series
NetFlow and NBAR: Main Objectives and Benefits
Main Objective: Main Benefit
NetFlow
Flow Characterization: Which users utilize the network; what types of traffic; when the network is utilized; where the traffic goes
Network Usage: IP accounting and billing technology
Capacity Planning, Traffic Engineering, Peering: Traffic & routing information analysis
Data Export: Persistent network usage record
NBAR
Identify & classify traffic based on payload attributes & protocol characteristics: Optimize application performance via QoS; validation or reclassification of ToS marking based on packet inspection
NetFlow and NBAR: Additional Objectives and Benefits
Main Objective: Side Benefits
NetFlow
Flow Characterization: DDOS & worm detection
Network Usage: Capacity planning and traffic engineering
Billing: Permanent record of network activity
Capacity, Traffic Eng, Peering: Optimized Edge Routing (OER)
Data Export: IETF IPFIX WG standard and NetFlow v.9 flexible, extensible format
NBAR
Identify & classify traffic based on payload attributes & protocol characteristics: Detection & dropping/limiting of undesired traffic (peer-to-peer file sharing, worms, ...); application statistics for bandwidth provisioning
Uniqueness and Strengths of NetFlow and NBAR
NetFlow
• IPv6, MPLS, Multicast, BGP NH technology integration
• Billing, Capacity Planning, Traffic Engineering
• Internet Access Monitoring: Peering & Traffic
• IETF Standard for Data Sampling and Export
• Security DDOS Monitoring Tool
• Flow timers, timing of network traffic types
• Who, what, where, when in the network
• Large NMS partner community & open source tools
NBAR
• Deep & Stateful Packet Inspection
• Protocol Discovery with application statistics
• Enables precise classification & QoS treatment
• Pre-defined protocol & application recognition
• User-Defined Custom Application Classification
• New application signatures w/o software upgrade
• Integration with IP Services (QoS, NAT, Firewall, IDS)
NetFlow and NBAR Differentiation
[Figure: a packet drawn as Link Layer Header | IP Header | TCP/UDP Header | Data Packet. NetFlow is shown over the Layer 3/4 header fields it keys flows on: Interface, Source IP Address, Destination IP Address, Protocol, TOS, Source Port, Destination Port. NBAR is shown over the Data Packet as Deep Packet (Payload) Inspection.]
NetFlow and NBAR both leverage Layer 3 and 4 header information
NetFlow
• Monitors data in Layers 2 thru 4
• Determines applications by port
• Utilizes a 7-tuple for flow
NBAR
• Examines data from Layers 3 through 7
• Uses Layers 3 & 4 plus packet inspection for classification
• Stateful inspection of dynamic-port traffic
NetFlow and NBAR Useful for Security
Flow information is useful against attacks
• NetFlow mitigates attacks
Identify the attack
Count the flows
Inactive flows signal a worm attack
Classify the attack
Small size flows to same destination
What is being attacked and origination of attack
• NetFlow security partners: Arbor Networks, Mazu, Adlex
• Cisco IT prevented SQL Slammer at Cisco by watching flows per port
• Signature-based detection
• Not historically a main focus for NBAR
Real-time loadable PDLMs could provide a rapid-update mechanism for new signatures
Not staffed to react against malicious applications
• NBAR can detect worms based on payload signatures
Nimda
Code Red
Slammer
• Cisco PSIRT provided customers with an NBAR solution to combat Code Red & Nimda
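As an added example (not from the Cisco deck), the flow-keying idea from the differentiation slide and the flow-counting heuristics from this slide in Python: records are keyed on the NetFlow 7-tuple, then counted per destination port ("flows per port") and per destination for small flows ("small size flows to same destination"). The records, interface names, addresses and thresholds are constructed for the example; UDP/1434 is the port SQL Slammer used.

```python
from collections import Counter, defaultdict

# Constructed NetFlow-style records (not captured data), one per line:
# (input interface, src IP, dst IP, IP protocol, src port, dst port, ToS, packets, bytes)
SAMPLE_FLOWS = (
    # one host sending single 404-byte datagrams to UDP/1434 (the port SQL Slammer used) at many hosts
    [("Gi0/1", "10.1.1.5", f"10.2.0.{i}", 17, 1434, 1434, 0, 1, 404) for i in range(1, 41)]
    # many hosts sending tiny TCP flows to one web server (flood pattern)
    + [("Gi0/1", f"10.3.0.{i}", "10.9.9.9", 6, 40000 + i, 80, 0, 1, 60) for i in range(1, 31)]
    # ordinary traffic
    + [("Gi0/1", "10.1.1.7", "10.9.9.9", 6, 50000, 80, 0, 120, 98000),
       ("Gi0/1", "10.1.1.8", "10.9.9.10", 17, 53000, 53, 0, 2, 160)]
)

def flow_key(rec):
    """The 7-tuple NetFlow keys a flow on: interface, addresses, protocol, ports, ToS."""
    return rec[:7]

def aggregate(records):
    """Merge records sharing a 7-tuple into one flow, summing packets and bytes (as a flow cache does)."""
    cache = defaultdict(lambda: [0, 0])
    for rec in records:
        entry = cache[flow_key(rec)]
        entry[0] += rec[7]
        entry[1] += rec[8]
    return cache

def flows_per_dst_port(cache):
    """Flow count per (protocol, destination port): the 'flows per port' view."""
    return Counter((key[3], key[5]) for key in cache)

def small_flows_per_destination(cache, max_bytes=512):
    """Count flows of at most max_bytes toward each destination IP."""
    return Counter(key[2] for key, (_, nbytes) in cache.items() if nbytes <= max_bytes)

def detect(records, port_threshold=35, dest_threshold=25):
    """Return one alert string per port or destination whose flow count reaches its threshold."""
    cache = aggregate(records)
    alerts = []
    for (proto, port), n in flows_per_dst_port(cache).items():
        if n >= port_threshold:
            alerts.append(f"{n} flows to protocol {proto} port {port}: possible worm scan")
    for dst, n in small_flows_per_destination(cache).items():
        if n >= dest_threshold:
            alerts.append(f"{n} small flows to {dst}: possible flood")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The thresholds are deliberately simple; in practice they are tuned per interface against a baseline of normal flow counts so that a busy web port is not mistaken for a scan.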
Summary of Benefits
NBAR
• Deep & Stateful Packet Inspection
Protocol & Application Discovery
Standard protocols
Corporate applications (Citrix, ...)
Undesired traffic (peer-to-peer, worms, …)
• Real-time PDLM Signature Update
NetFlow
• Internet Access Monitoring
Protocol distribution
Where traffic is going/coming from
• User Monitoring
• Application Monitoring
• Accounting and Billing
• DDOS Monitoring
• Peering Arrangements
• Network Planning
• Traffic Engineering