Master Course Computer Networks IN2097

Similar documents
Master Course Computer Networks IN2097

Master Course Computer Networks IN2097

Master Course Computer Networks IN2097

Traffic Flow Measurements within IP Networks: Requirements, Technologies and Standardization

Master Course Computer Networks IN2097

Master Course Computer Networks IN2097

Master Course Computer Networks IN2097

Master Course Computer Networks IN2097

Configuring Application Visibility and Control for Cisco Flexible Netflow

From NetFlow to IPFIX the evolution of IP flow information export

Network Working Group. Category: Informational Fraunhofer FOKUS J. Quittek M. Stiemerling NEC P. Aitken Cisco Systems, Inc.

Introduction to Netflow

Network Management and Monitoring

INTERNET TRAFFIC MEASUREMENT (PART II) Gaia Maselli

Internet Engineering Task Force (IETF) Request for Comments: TU Muenchen K. Ishibashi NTT. April 2011

Configuring Cisco Performance Monitor

Sampling Challenges. Tanja Zseby Competence Center Network Research Fraunhofer Institute FOKUS Berlin. COST TMA September 22, 2008

Towards a collaborative, flow-based, distributed inter-domain Intrusion Detection System

Raw Data Formatting: The RDR Formatter and NetFlow Exporting

Network Working Group. Category: Informational Hitachi Europe N. Brownlee CAIDA B. Claise Cisco Systems, Inc. March 2009

Concept: Traffic Flow. Prof. Anja Feldmann, Ph.D. Dr. Steve Uhlig

This chapter provides information to configure Cflowd.

Master Course Computer Networks IN2097

Master Course Computer Networks IN2097

Raw Data Formatting: The RDR Formatter and NetFlow Exporting

Configuring NetFlow. Information About NetFlow. Send document comments to CHAPTER

Flexible Netflow Configuration Guide, Cisco IOS Release 15S

Passive One-Way-Delay Measurements and Data Export

Network Intrusion Detection Systems. Beyond packet filtering

AVC Configuration. Unified Policy CLI CHAPTER

Using NetFlow Sampling to Select the Network Traffic to Track

Configuring NetFlow and NetFlow Data Export

Using NetFlow Filtering or Sampling to Select the Network Traffic to Track

Configuring Data Export for Flexible NetFlow with Flow Exporters

Flow-based Accounting: Applications and Standardisation

Experiences with IPFIX-based Traffic Measurement for IPv6 Networks. Nakjung Choi, Hyeongu Son*, Youngseok Lee* and Yanghee Choi

Configuring NetFlow. About NetFlow. This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices.

Flexible NetFlow IPFIX Export Format

Chair for Network Architectures and Services Prof. Carle Department of Computer Science Technische Universität München.

Intelligent WAN NetFlow Monitoring Deployment Guide

Hardware-Accelerated Flexible Flow Measurement

Configuring AVC to Monitor MACE Metrics

Adaptation of Real-time Temporal Resolution for Bitrate Estimates in IPFIX Systems

Monitoring and diagnostics of data infrastructure problems in power engineering. Jaroslav Stusak, Sales Director CEE, Flowmon Networks

Characterization of accuracy problems in NetFlow data and approaches to handle them

SCRIPT: An Architecture for IPFIX Data Distribution

Flexible NetFlow - Top N Talkers Support

YAF A Case Study in Flow Meter Design

Zone-Based Firewall Logging Export Using NetFlow

Cisco IOS Flexible NetFlow Command Reference

Configuring NetFlow. NetFlow Overview

Configuring IP Services

Contents. Introduction. Prerequisites. Background Information

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Configuring NetFlow. Information About NetFlow. What is a Flow. This chapter contains the following sections:

The State of Standardization Efforts to support Data Exchange in the Security Domain

Configuring attack detection and prevention 1

CS 349/449 Internet Protocols Final Exam Winter /15/2003. Name: Course:

Configuring Data Export for Flexible NetFlow with Flow Exporters

Master Course Computer Networks IN2097

Implementing Access Lists and Prefix Lists

Configuring NetFlow. NetFlow Overview

Configuring Cisco IOS IP SLA Operations

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Using NetFlow Sampling to Select the Network Traffic to Track

IP Access List Overview

Master Course Computer Networks IN2097

IPv6 Sampled NetFlow feature was introduced. Destination-based Netflow Accounting feature was introduced.

Internet Traffic Classification using Machine Learning

Configuring NetFlow and NetFlow Data Export

Configuring sflow. Information About sflow. sflow Agent. This chapter contains the following sections:

Configuring Flexible NetFlow

H3C S9500 QoS Technology White Paper

Configuring Flexible NetFlow

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security

Using NAT in Overlapping Networks

Configuring Cisco IOS IP SLAs Operations

Flows at Masaryk University Brno

Covert channel detection using flow-data

Cisco Catalyst 6500 Supervisor Engine 2T: NetFlow Enhancements

On the State of ECN and TCP Options on the Internet

Stager. A Web Based Application for Presenting Network Statistics. Arne Øslebø

Advanced Registry Operations Curriculum NetFlow

Detecting and Analyzing Network Threats With NetFlow

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Flow export an visualization (Flowviz)

Flow Measurement. For IT, Security and IoT/ICS. Pavel Minařík, Chief Technology Officer EMITEC, Swiss Test and Measurement Day 20 th April 2018

Internet Engineering Task Force (IETF) B. Claise Cisco Systems, Inc. G. Muenz Technische Universitaet Muenchen April 2010

Master Course Computer Networks IN2097

Using Flexible NetFlow Top N Talkers to Analyze Network Traffic

Configuring NetFlow. Feature History for Configuring NetFlow. Release This feature was introduced.

Using NetFlow Filtering or Sampling to Select the Network Traffic to Track

Internet Engineering Task Force (IETF) Request for Comments: November 2012

This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices.

Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect

Master Course Computer Networks IN2097

Network Configuration Example

NetFlow Multiple Export Destinations

FlowMatrix Tutorial. FlowMatrix modus operandi

ETSF05/ETSF10 Internet Protocols. Performance & QoS Congestion Control

Transcription:

Chair for Network Architectures and Services Prof. Carle Department for Computer Science TU München Master Course Computer Networks IN2097 Prof. Dr.-Ing. Georg Carle Christian Grothoff, Ph.D. Dr. Nils Kammenhuber Chair for Network Architectures and Services Institut für Informatik Technische Universität München http://www.net.in.tum.de Network Measurements Active measurements intrusive Measurement traffic is generated and sent via the operational network Advantages Straightforward Does not depend on existing traffic by active applications Allows measurement of specific parts of the network Disadvantages Additional load Network traffic is affected by the measurement Measurements are influenced by (possibly varying) network load Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 4 Chapter 4 - Network Measurements Network Measurements II Introduction Architecture & Mechanisms Protocols IPFIX (Netflow Accounting) PSAMP ( Sampling) Passive measurements (or Network Monitoring) non-intrusive Monitoring of existing traffic Establishing of packet traces at different locations Identification of packets, e.g. using hash values Scenarios Advantages Does not affect applications Does not modify the network behavior Disadvantages Requires active network traffic Limited to analysis of existing / current network behavior, situations of high load, etc. cannot be simulated/enforced Does not allow the transport of additional information (time stamps, etc.) within measured traffic Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 3 Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 5 1

Network Measurements III Monitoring Probe Hybrid measurements Modification of packet flows Piggybacking Header modification Advantages Same as for passive additional information can be included (time-stamps, etc.) Standardized data export Monitoring Software HW adaptation, [filtering] Exporter Monitoring Software libpcap Disadvantages Modifying of data packets may cause problems if not used carefully OS dependent interface (BSD) Network interface BPF Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 6 Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 8 Network Monitoring High-Speed Network Monitoring Applications of network monitoring Traffic analysis Traffic engineering Anomaly detection Accounting Resource utilization Accounting and charging Security Intrusion detection Traffic Analysis Accounting Monitoring Security applications Detection of prohibited data transfers (e.g., P2P applications) Requirements Multi-Gigabit/s Links Cheap hardware and software standard PC Simple deployment Problems Several possible bottlenecks in the path from to final analysis Bottlenecks? Open issues Protection of measurement data against illegitimate use (encryption, ) Applicable law ( lawful interception ) Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 7 Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 9 2

High-Speed Network Monitoring II Memory Management Approaches High-end (intelligent) network adapters Sophisticated algorithms for Maintaining packet queues Elimination of packet copy operations Managing hash tables describing packet flows Sampling Filtering Aggregation Hash tables Allow fast access to previously stored information Depending on the requirements, different sections of a packet can be used as input to the hash function. Reduction of copy operations Copy operations can be reduced by only transferring references pointing to memory positions holding the packet Management of the memory is complex, garbage collection required Aggregation If aggregated results are sufficient, only counters have to be maintained more on subsequent slides Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 10 Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 12 Special Network Adapters Sampling Server NICs (Network Interface Cards) Direct access to main memory (without CPU assistance) Processing of multiple packets in a single block (reduction of copy operations) Reduced interrupt rates Monitoring interface cards Dedicated monitoring hardware Programmable, i.e. certain processing can be performed on the network interface card Goals Reduction of the number of packets to analyze Statistically dropping packets Sampling algorithms Systematic sampling Periodic selection of every n-th element of a trace Selection of all packets that arrive at pre-defined points in time Random sampling n-out-of-n Probabilistic Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 11 Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 13 3

Filtering Filtering Algorithms II Goals Reduction of the number of packets to analyze Possibility to look for particular packet flows in more detail, or to completely ignore other packet flows Filter algorithms (explained subsequently) Mask/match filtering Router state filtering Hash-based selection Hash-based filtering Hash function h maps the packet content c, or some portion of it, to a range R The packet is selected if h(c) is an element of S, which is a subset of R called the selection range Required statistical properties of the hash function h h must have good mixing properties Small changes in the input cause large changes in the output Any local clump of values of c is spread widely over R by h Distribution of h(c) is fairly uniform even if the distribution of c is not Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 14 Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 16 Filtering Algorithms Filtering Algorithms III Mask/match filtering Based on a given mask and value In the simplest case, the selection range can be a single value in the packet header (e.g., mask out the least significant 6 bits of source IP address, match against 192.0.2.0) In general, it can be a sequence of non-overlapping intervals of the packet Router state filtering Selection based on one or more of the following conditions Ingress/egress interface is of a specific value violated ACL on the router Failed RPF (Reverse Path Forwarding) Failed RSVP No route found for the packet Origin/destination AS equals a specific value or lies within a given range Hash-based filtering (cont.) Usage Random sampling emulation Hash function (normalized) is a pseudorandom variable in the interval [0,1] Consistent packet selection and its application Also known as trajectory sampling If packets are selected quasi-randomly using identical hash function and identical selection range at different points in the network, and are exported to a collector, the latter can reconstruct the trajectories of the selected packets Applications: network path matrix, detection of routing loops, passive performance measurement, network attack tracing Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 15 Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 17 4

IPFIX: IP Flow Information Export IPFIX (IP Flow Information export) IETF Working Group Standard track protocol based on Cisco Netflow v5 v9 Goals Collect usage information of individual data flows Accumulate packet and byte counter to reduce the size of the monitored data Approach Each flow is represented by its IP 5-tupel (prot, src-ip, dst-ip, src- Port, dst-port) For each arriving packet, the statistic counters of the appropriate flow are modified If a flow is terminated (TCP-FIN, timeout), the record is exported Sampling algorithms can be activated to reduce the # of flows or data to be analyzed Benefits Allows high-speed operation (standard PC: up to 1Gbps) Flow information can simply be used for accounting purposes as well as to detect attack signatures (increasing # of flows / time) IPFIX Terminology IP Traffic Flow A flow is defined as a set of IP packets passing an observation point in the network during a certain time interval. All packets belonging to a particular flow have a set of common properties. Observation Point The observation point is a location in the network where IP packets can be observed. One observation point can be a superset of several other observation points. Metering Process The metering process generates flow records. It consists of a set of functions that includes packet header, timestamping, sampling, classifying, and maintaining flow records. header Timestamping Classifying Maintaining flow records Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 18 Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 20 IPFIX - IP Flow Information Export Protocol RFCs Requirements for IP Flow Information Export (RFC 3917) Evaluation of Candidate Protocols for IP Flow Information Export (RFC3955) Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information (RFC 5101) Information Model for IP Flow Information Export (RFC 5102) Bidirectional Flow Export using IP Flow Information Export (IPFIX) (RFC 5103) IPFIX Implementation Guidelines (RFC 5153) Information records Template Record defines structure of fields in Flow Data Record Flow Data Record is a data record that contains values of the Flow Parameters Transport protocol: transport of information records SCTP must be implemented, TCP and UDP may be implemented SCTP should be used TCP may be used UDP may be used (with restrictions congestion control!) Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 19 IPFIX Terminology II Flow Record A flow record contains information about a specific flow that was metered at an observation point. A flow record contains measured properties of the flow (e.g. the total number of bytes of all packets of the flow) and usually also characteristic properties of the flow (e.g. the source IP address). Exporting Process The process sends flow records to one or more processes. The flow records are generated by one or more metering processes. Collecting Process The process receives flow records from one or more processes for further processing. Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 21 5

IPFIX Devices +---+ +-----+ +---------+ +---------+ E-+-> E--+-> E----+-> <-+--E E--+-> / \ M M M M M M / \ / \ / \ / \ / \ O OOO OOO OOO OOO OOO +---+ +-----+ +---------+ +---------+ Probe Basic Complex Multiple Router Router Exporting Processes +---+ +---+ +---+ E-+-> E-+-> E-+------------->---+ +---+ +-+-----+ +-+-+ M M E-+------->-+-C-M-E-+-> +---+ +-+-----+ +-+-+ +-+-+ O M E-+->---+ +---+ M +-+-+ O M +---+ +-----+ O O O ->-+-C-E-+-> +---+ +---+ +---+ +-----+ Protocol Remote Concentrator Proxy Converter Observation O... Observation point M... Metering process E... Exporting process Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 22 IPFIX Applications Usage based accounting For non-flat-rate services Accounting as input for billing Time or volume based tariffs For future services, accounting per class of service, per time of day, etc. Traffic profiling Process of characterizing IP flows by using a model that represents key parameters such as flow duration, volume, time, and burstiness Prerequisite for network planning, network dimensioning, etc. Requires high flexibility of the measurement infrastructure Traffic engineering Comprises methods for measurement, modeling, characterization, and control of a network The goal is the optimization of network resource utilization Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 24 IPFIX Work Principles IPFIX Applications II Identification of individual traffic flows 5-tupel: Protocol, Source-IP, Destination-IP, Source-Port, Destination-Port Example: TCP, 134.2.11.157, 134.2.11.159, 2711, 22 Collection of statistics for each traffic flow # bytes # packets Periodical statistic export for further analysis Flow TCP, 134.2.11.157,134.2.11.159, 4711, 22 TCP, 134.2.11.157,134.2.11.159, 4712, 25 s 10 7899 Bytes 5888 520.202 Attack/intrusion detection Capturing flow information plays an important role for network security Detection of security violation 1) detection of unusual situations or suspicious flows 2) flow analysis in order to get information about the attacking flows QoS monitoring Useful for passive measurement of quality parameters for IP flows Validation of QoS parameters negotiated in a service level specification Often, correlation of data from multiple observation points is required This required clock synchronization of the involved monitoring probes Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 23 Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 25 6

Sampling Application Scenarios PSAMP ( SAMPling) WG (IETF) Goals Network monitoring of ultra-high-speed networks Sampling of single packets including the header and parts of the payload for post-analysis of the data packets Allowing various sampling and filtering algorithms Algorithms can be combined in any order Dramatically reducing the packet rate Benefits Allows very high-speed operation depending on the sampling algorithm and the sampling rate Post-analysis for statistical accounting and intrusion detection mechanisms Accounting and Charging Accounting for statistical reasons Accounting for charging Traffic engineering Identification of primary traffic paths Optimization of network parameters (e.g. routing parameters) for better network utilization Network Security Detection of denial-of-service attacks Forensic methods for post-intrusion analysis Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 26 Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 28 Implementation of PSAMP / IPFIX Accounting and Charging ObserverThread packet Queue SelectionThread packet Queue ReportingThread libpcap Filter / Sampler List Output buffer... Accounting Domain Accounting Domain Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 27 Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 29 7

Network Security Intrusion detection with automated firewall configuration Network IN2097 - Master Security, Course WS 2008/09, Computer Chapter Networks, 9 WS 2009/2010 30 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback