FlowIntegrator. Integrating Flow Technologies with Mainstream Event Management Systems. Sasha Velednitsky

Similar documents
Network Operations Analytics

V2P Network Visibility

Technology Overview. Overview CHAPTER

NetFlow Integrator Standard

This chapter provides information to configure Cflowd.

NetFlow Optimizer. Overview. Version (Build ) May 2017

Configuring AVC to Monitor MACE Metrics

Configuring NetFlow BGP Next Hop Support for Accounting and Analysis

Compare Security Analytics Solutions

Subscriber Data Correlation

NetFlow Monitoring. NetFlow Monitoring

NetFlow Integrator Standard

RIPE76 - Rebuilding a network data pipeline. Louis Poinsignon

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

NFV Platform Service Assurance Intel Infrastructure Management Technologies

System Requirements. Things to Consider Before You Install Foglight NMS. Host Server Hardware and Software System Requirements

Monitoring network bandwidth on routers and interfaces; Monitoring custom traffic on IP subnets and IP subnets groups; Monitoring end user traffic;

Configuring NetFlow BGP Next Hop Support for Accounting and Analysis

NetFlow Optimizer. User Guide. Version (Build X) November 2017

Scrutinizer Flow Analytics

IBM Security QRadar Version Architecture and Deployment Guide IBM

Security. Reliability

Interface Utilization vs. Flow Analysis

NetFlow Basics and Deployment Strategies

Zone-Based Firewall Logging Export Using NetFlow

Flow-based Accounting: Applications and Standardisation

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics

Configuring NetFlow and NetFlow Data Export

Overview of IPM. What is IPM? CHAPTER

Monitoring Data CHAPTER

IBM Aurora Flow-Based Network Profiling System

NetFlow Configuration Guide

NetFlow Optimizer. User Guide. Version (Build ) May 2017

SCRIPT: An Architecture for IPFIX Data Distribution

How to Export sflow from a Cisco ASR 9k

Cisco Virtual Networking Solution for OpenStack

FloCon Netflow Collection and Analysis at a Tier 1 Internet Peering Point. San Diego, CA. Fred Stringer

Enterprise Network Compute System (ENCS)

Building a Platform Optimized for the Network Edge

Configuring sflow. Information About sflow. sflow Agent. This chapter contains the following sections:

Introduction to Netflow

Network Management and Monitoring

Seceon s Open Threat Management software

DOWNLOAD PDF CISCO IRONPORT CONFIGURATION GUIDE

Configuring NetFlow. Understanding NetFlow CHAPTER

Configuring Cache Services Using the Web Cache Communication Protocol

WhatsUpGold. v14. Getting Started Guide

vrealize Operations Management Pack for NSX for vsphere 2.0

Delivers fast, accurate data about security threats:

Flow-based Traffic Visibility

Cisco Application Networking Services for VMware Virtual Desktop Infrastructure

GUI Representation of Cisco IOS CLI Commands

Cisco NAC Profiler Architecture Overview

Monitoring and Analysis

McAfee Network Security Platform 8.3

ForeScout ControlFabric TM Architecture

How can we gain the insights and control we need to optimize the performance of applications running on our network?

RIPE75 - Network monitoring at scale. Louis Poinsignon

Driving Network Visibility

vrealize Operations Management Pack for NSX for Multi-Hypervisor

Cisco Security Monitoring, Analysis and Response System 4.2

Seven Criteria for a Sound Investment in WAN Optimization

Configuring NAT for IP Address Conservation

Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0

Network Security Platform 8.1

vcenter Operations Management Pack for NSX-vSphere

Configuring sflow. About sflow. sflow Agent

Implemen'ng IPv6 Segment Rou'ng in the Linux Kernel

UX - User Experience: Multi-Cloud Network Visibility

IBM Proventia Network Anomaly Detection System

Configurable Number of Simultaneous Packets per Flow

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

AutoFocus: A Tool for Automatic Traffic Analysis. Cristian Estan, University of California, San Diego

Cisco Nexus Data Broker for Network Traffic Monitoring and Visibility

Connection Logging. Introduction to Connection Logging

Configuring NetFlow. Feature History for Configuring NetFlow. Release This feature was introduced.

INNOVATIVE SD-WAN TECHNOLOGY

ForeScout CounterACT. Configuration Guide. Version 1.2

Advanced Application Reporting USER GUIDE

Implementing Management Plane Protection

Cisco Universal Small Cell 8050 Enterprise Management System

Connection Logging. About Connection Logging

Stager. A Web Based Application for Presenting Network Statistics. Arne Øslebø

TALK. agalaxy FOR THUNDER TPS REAL-TIME GLOBAL DDOS DEFENSE MANAGEMENT WITH A10 DATA SHEET DDOS DEFENSE MONITORING AND MANAGEMENT

NOCTION. Intelligent Routing Platform Lite Self-Deployment Guide. Intelligent Routing Platform. Lite (free version)

Monitoring Data CHAPTER

Več kot SDN - SDA arhitektura v uporabniških omrežjih

SIEM Solutions from McAfee

IP Multicast Traffic Measurement Method with IPFIX/PSAMP. Atsushi Kobayashi Yutaka Hirokawa Haruhiko Nishida NTT

Configure Site Network Settings

Packetron. Your path to an Intelligent Visibility Layer

IXIA VISIBILITY ARCHITECTURE Eliminating Blind spots

Implementing OnePK. One Platform Kit (onepk) is a cross platform API and software development kit that enables the user to

Cisco Tetration Analytics

WhatsUpGold. v14.1. Getting Started Guide

Configuring Cisco IOS IP SLAs Operations

Monitoring and Threat Detection

Using NetFlow Sampling to Select the Network Traffic to Track

Zix Support for Standards

Cisco Traffic Analyzer

Transcription:

FlowIntegrator Integrating Flow Technologies with Mainstream Event Management Systems Sasha Velednitsky svelednitsky@netflowlogic.com NetFlow Logic Corporation January 2012

Problem Network infrastructure devices and devices connected to the network generate disparate types of information flows (syslog, SNMP, NetFlow, sflow, etc.) Unless all sources of information are integrated, critical insights into network management or network security will be missed Unless security events are identified in real time, your enterprise is at risk Unless network problems are discovered in real time, your organization suffers 2

Collecting Syslogs 3

Collecting Flows 4

Putting It All Together! Flow Integrator Flow Integrator 5

Challenges Mid to high end routers may generate hundreds of thousands flow records per second Cisco ASR1000 series router Firewall and CGN features generate up to 400K NetFlow records per second Too much data Flow data consumes terabytes of disk space Flow data is transmitted in hard to decode binary format NetFlow v9/ipfix protocol allows variable record structure Difficult to process in real time Existing solutions require costly distributed infrastructure 6

FlowIntegrator Technology Introduces a mechanism to intelligently process flows based on the content of records Permits configuring arbitrary filtering, aggregation, deduplication and obfuscation rules Time based rules allow for the reporting of flow aggregations and network events in real time with as little as 1 second resolution By converting flow information into the syslog format, seamlessly integrates flow data producers with all existing log collectors and SIEM systems Transparently fits into the existing flow data collection infrastructure Converts to syslog over 350K flow records per second on an 8 core Intel Xeon processor 7

FlowIntegrator Ecosystem Router Kron Policies Kron Rules SIEM / Log Analysis System NetFlow/jFlow messages Input Processing Time Based Rules Engine Content Based Rules Engine Conversion Rules Engine Output Processing Syslog messages NetFlow/jFlow messages Syslog Server Network Switch Content Content Policies Rules Conversion Conversion Rules Conversion Rules Conversion Rules Rules NetFlow/jFlow Collector 8

Processing Rules Rule-based technology able to process multiple flow formats such as NFv5, NFv9, jflow, IPFIX, etc Rules are created via a GUI or SDK A rule may be applied to a specific record type or a subset of record types, or to all flow packets passing through FlowIntegrator Administrators may also specify one or more time-based ( kron ) rules for reporting aggregated information Rules can be chained 9

Conversion Rules A conversion rule implements mapping of a flow record to one or more syslog messages or flow packets Flow protocol to syslog maps are created via the built-in GUI or SDK Default built-in conversion rule provides one-to-one mapping of data in a flow record to a syslog message In this example the resulting syslog message contains a standard header (blue), sourceip:sourceport, destip:destport, and the number of packets exchanged in this flow (prefixed with P ) Feb 26 18:23:47 10.10.0.2 0:0:2:2 10.10.1.14:28382 10.10.2.7:389 P:876 10

Example Rule: Aggregation Objective: Report current traffic load by application by router. In this simplified example we show a rule that reports incoming traffic to all web servers FlowIntegrator Solution: Sum up the number of bytes and packets of the observed web traffic, and report accumulated volume every 10 seconds Feb 26 18:23:47 10.10.0.2 0:0:2:2 Server=10.10.1.14 Packets=976 Bytes=999423 11

Example Rule: Detecting Unusual Traffic Objective: Detect an infected host on internal network. In this example the rule identifies an off-limits device on the internal network which responds to an outside peer FlowIntegrator Solution: Examine NFv9 Original Input and Original Output records and send a syslog message when one of the monitored internal devices attempts an egress communication in response to an ingress communication Feb 26 18:23:47 10.10.0.2 0:0:2:2 Ext=77.10.1.14:22213 Int=10.10.1.21: 8080 Alert=Traffic Pkts=425 12

Features and Benefits FlowIntegrator is a NetFlow/IPFIX Mediator providing real time integration of network metadata into existing SIEM systems, syslog analyzers, flow data collectors, and network management systems Enables network administrators to: detect important network events in real time identify applications for network management and security purposes monitor and troubleshoot their networks for packet loss and jitter filter and aggregate network metadata information enable assured delivery of network metadata information to log collectors Eliminates storage and sifting through terabytes of flow data 13

FlowIntegrator Performance Throughput, rec/sec, 000 600 32-bit Linux 500 64-bit Linux 400 300 200 100 2 2xPentium 4, 3.2GHz 1GB RAM 4 Intel Xeon 5140 @2.33GHz 4GB RAM 8 Intel Xeon E5520 @2.27GHz 3GB RAM 16 Number of processing cores 14

Thank You for Your Time Contact information: Company: NetFlow Logic Corporation www.netflowlogic.com Email: info@netflowlogic.com 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback