Transcript - Hi-aXXess Technologies

Catapult NetFlow Probe
Product Introduction
© 2007 nPulse Network Systems LLC
www.npulsenetworks.com
Agenda
• Why NetFlow ...
• What is an IP Flow and how is it managed
• NetFlow versions
• What you can do with NetFlow information ...
• Catapult Probe Product Overview
  • Base technology
  • Integration into Network Architecture
  • Performance
  • Manageability and High Availability
• Catapult Probe portfolio
What is a flow?
A flow is a uni-directional description
of the packet stream (“uni-directional
conversation”).
It is defined by seven unique keys:
• Source IP address
• Destination IP address
• Source port
• Destination port
• Layer 3 protocol type
• Type of Service
• Interface Index
How Flow Management Works (1/2)
A flow is stateful: the probe (or any NetFlow agent, such as a router) maintains counters for it while it is active.
When
- the session is finished (RST or FIN TCP flag),
- the inactivity timer expires [nProbe/nBox default: 30 s], or
- the active timer expires (flow too long) [nProbe/nBox default: 120 s],
the probe marks the flow as closed and ...
Probe (NetFlow agent) flow table:

If   Source           Destination      Proto  Port   TOS  Pkts  Octets  Timer
Ge0  192.168.175.143  172.20.15.23     TCP    43060  0    84    4564    11
Ge0  192.168.175.143  172.20.15.23     TCP    43061  0    43    2567    57
Ge0  192.168.175.143  172.20.15.23     TCP    43067  0    1     45      24
Ge0  172.20.15.23     192.168.175.143  TCP    23     0    13    745     13
How Flow Management Works (2/2)
... once a flow is closed the probe (or router) can generate a flow-export record, which carries summary information about the session (e.g. how many packets were sent, who the source was, what the destination was and what the application was).

[Figure: the probe (NetFlow agent) sends the Flow Export Record over UDP to the NetFlow Collector.]

Once the flow-export record has been transmitted by the probe, it can remove the flow entry from its memory (table) to make space for new ones.
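The flow lifecycle described on these two slides (lookup by the seven keys, per-flow counters, close on FIN/RST or when the inactive/active timer runs out, export, free the table entry), as an added Python example. This is not nProbe or Catapult code: the packet stream is constructed for the illustration, the 30 s / 120 s timeouts are the nProbe defaults quoted on the slide, and the export record is a plain dict rather than a wire format.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP, UDP = 6, 17
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK, TCP_RST = 0x01, 0x02, 0x08, 0x10, 0x04

# The seven keys from the slide: src IP, dst IP, src port, dst port, L3 protocol, ToS, input ifIndex.
FlowKey = Tuple[str, str, int, int, int, int, int]


@dataclass
class Packet:
    """One captured packet (constructed for this example; no real capture is read)."""
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    length: int
    tcp_flags: int = 0
    tos: int = 0
    ifindex: int = 1


@dataclass
class FlowEntry:
    key: FlowKey
    first: float
    last: float
    pkts: int = 0
    octets: int = 0
    tcp_flags: int = 0      # cumulative OR of the TCP flags seen, as NetFlow reports them


class FlowCache:
    """Flow table of a NetFlow agent: counters per active flow, export on close."""

    def __init__(self, inactive_timeout: float = 30.0, active_timeout: float = 120.0):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.table: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[dict] = []

    def _export(self, e: FlowEntry, reason: str) -> None:
        """Emit the flow-export record, then free the table slot for new flows."""
        k = e.key
        self.exported.append({"src": k[0], "dst": k[1], "sport": k[2], "dport": k[3],
                              "proto": k[4], "tos": k[5], "ifindex": k[6],
                              "first": e.first, "last": e.last, "pkts": e.pkts,
                              "octets": e.octets, "tcp_flags": e.tcp_flags, "reason": reason})
        del self.table[k]

    def expire(self, now: float) -> None:
        """Timer sweep: close flows whose inactive or active timer has run out."""
        for e in list(self.table.values()):
            if now - e.last >= self.inactive_timeout:
                self._export(e, "inactive")
            elif now - e.first >= self.active_timeout:
                self._export(e, "active")

    def add(self, pkt: Packet) -> None:
        self.expire(pkt.ts)
        key: FlowKey = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto, pkt.tos, pkt.ifindex)
        e = self.table.get(key)
        if e is None:
            e = self.table[key] = FlowEntry(key, pkt.ts, pkt.ts)
        e.last = pkt.ts
        e.pkts += 1
        e.octets += pkt.length
        e.tcp_flags |= pkt.tcp_flags
        if pkt.proto == TCP and pkt.tcp_flags & (TCP_FIN | TCP_RST):
            self._export(e, "fin/rst")      # session finished: export at once

    def flush(self, now: float) -> List[dict]:
        """Export whatever is still in the table (probe shutdown); return all records."""
        self.expire(now)
        for e in list(self.table.values()):
            self._export(e, "flush")
        return self.exported


def run_demo() -> List[dict]:
    """Constructed telnet and DNS exchange between the hosts shown in the slide's table."""
    a, b, dns = "192.168.175.143", "172.20.15.23", "172.20.15.5"
    cache = FlowCache()
    for p in [Packet(0.0, a, b, 43060, 23, TCP, 60, TCP_SYN),
              Packet(0.1, b, a, 23, 43060, TCP, 60, TCP_SYN | TCP_ACK),
              Packet(0.2, a, b, 43060, 23, TCP, 52, TCP_ACK),
              Packet(1.0, a, dns, 53001, 53, UDP, 70),
              Packet(1.05, dns, a, 53, 53001, UDP, 150),
              Packet(5.0, a, b, 43060, 23, TCP, 100, TCP_PSH | TCP_ACK),
              Packet(5.1, b, a, 23, 43060, TCP, 200, TCP_PSH | TCP_ACK),
              Packet(10.0, a, b, 43060, 23, TCP, 52, TCP_FIN | TCP_ACK),   # client closes
              Packet(50.0, a, b, 43061, 23, TCP, 60, TCP_SYN)]:            # 40 s idle gap first
        cache.add(p)
    return cache.flush(50.0)


def long_flow_demo() -> List[dict]:
    """A UDP stream that never goes idle: only the active timer can close it."""
    cache = FlowCache()
    for t in range(0, 140, 10):
        cache.add(Packet(float(t), "172.20.15.23", "192.168.175.143", 5004, 5004, UDP, 1200))
    return cache.flush(130.0)
```

Note that the reverse direction of the telnet session is a separate flow with its own counters (the slide's last table row), and that after an active-timer export the same five-tuple simply starts a fresh entry, so a long session appears as several consecutive records that a collector has to stitch together by key and time.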
Why NetFlow?
• NetFlow is the primary flow-based traffic monitoring and network accounting technology in the industry
• NetFlow answers questions about IP traffic: who, what, where, when and how
• De facto standard for flow analysis
• Developed by Darren Kerr and Barry Bruins at Cisco Systems in 1996
• Available in different versions since '96, from v1 (IP traffic only) up to v9, whose flexible and extensible format supports multiprotocol flow analysis
NetFlow Versions

Version  Comments                                                             Supported by Catapult Probe
1        Original
5        Standard and most common                                             yes
7        Cisco-specific version for Catalyst (similar to v5)
8        Choice of aggregation schemes in order to reduce resource usage (*)
9        Flexible, extensible flow export format to enable easier support     yes
         of additional fields & technologies such as MPLS and IPv6

(*) The probe supports aggregation also with v5 (IP Address, Port, Protocol, IP Address + Protocol).
NetFlow Version 5 – Flow Entry
• Time of Day:
– Start time of flow
– End time of flow
• From/To:
– Source IP Address
– Destination IP Address
• Application:
– Source Port
– Destination Port
• QoS:
– IP protocol
– Type of Service
• Usage
– Packet Count
– Byte Count
• Routing / Peering:
– Source AS number
– Dest. AS number
– Next-Hop IP address
– ...
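The v5 flow entry above is a fixed 48-byte record that follows a 24-byte header in each UDP export datagram. The added Python example below builds such a datagram from the two telnet flows in the slide's flow table and parses it back, performing the checks a collector should make before trusting an unauthenticated UDP payload (version, declared record count against actual length). It is example code, not Catapult or any collector's code; the field layout is Cisco's published v5 format, and the flow values are constructed.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# NetFlow v5 wire layout, all fields big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")              # version, count, SysUptime, unix_secs,
                                                     # unix_nsecs, flow_sequence, engine_type,
                                                     # engine_id, sampling (24 bytes)
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")   # 48 bytes, see V5Record.pack
V5_MAX_RECORDS = 30                                  # 24 + 30*48 = 1464 bytes per datagram


@dataclass
class V5Record:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    prot: int
    tos: int
    tcp_flags: int          # cumulative OR of flags seen in the flow
    dpkts: int
    doctets: int
    first: int              # SysUptime (ms) at the first packet
    last: int               # SysUptime (ms) at the last packet
    nexthop: str = "0.0.0.0"
    input_if: int = 0
    output_if: int = 0
    src_as: int = 0
    dst_as: int = 0
    src_mask: int = 0
    dst_mask: int = 0

    def pack(self) -> bytes:
        return V5_RECORD.pack(
            int(IPv4Address(self.srcaddr)), int(IPv4Address(self.dstaddr)),
            int(IPv4Address(self.nexthop)), self.input_if, self.output_if,
            self.dpkts, self.doctets, self.first, self.last, self.srcport, self.dstport,
            0, self.tcp_flags, self.prot, self.tos,          # pad1, flags, prot, tos
            self.src_as, self.dst_as, self.src_mask, self.dst_mask, 0)   # ..., pad2

    @classmethod
    def unpack(cls, raw: bytes) -> "V5Record":
        (src, dst, nh, inp, out, pk, oc, first, last, sp, dp, _pad1,
         flags, prot, tos, sas, das, smask, dmask, _pad2) = V5_RECORD.unpack(raw)
        return cls(str(IPv4Address(src)), str(IPv4Address(dst)), sp, dp, prot, tos, flags,
                   pk, oc, first, last, str(IPv4Address(nh)), inp, out, sas, das, smask, dmask)


def build_datagram(records: List[V5Record], sys_uptime_ms: int, unix_secs: int,
                   flow_sequence: int, engine_id: int = 0, sampling: int = 0) -> bytes:
    """Pack one export datagram; flow_sequence is the running count of records exported so far."""
    if not 0 < len(records) <= V5_MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    header = V5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs, 0,
                            flow_sequence, 0, engine_id, sampling)
    return header + b"".join(r.pack() for r in records)


def validate_datagram(buf: bytes) -> Optional[str]:
    """Return None if the datagram is well formed, else the reason to drop it."""
    if len(buf) < V5_HEADER.size:
        return "short header"
    version, count = struct.unpack_from("!HH", buf)
    if version != 5:
        return f"not NetFlow v5 (version {version})"
    if not 0 < count <= V5_MAX_RECORDS:
        return f"bad record count {count}"
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(buf) != expected:
        return f"length {len(buf)} does not match {count} records ({expected} bytes)"
    return None


def parse_datagram(buf: bytes) -> Tuple[dict, List[V5Record]]:
    problem = validate_datagram(buf)
    if problem:
        raise ValueError(problem)
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(buf)
    header = {"version": version, "count": count, "sys_uptime": uptime, "unix_secs": secs,
              "unix_nsecs": nsecs, "flow_sequence": seq, "engine_type": etype,
              "engine_id": eid, "sampling": sampling}
    records = [V5Record.unpack(buf[o:o + V5_RECORD.size])
               for o in range(V5_HEADER.size, len(buf), V5_RECORD.size)]
    return header, records


def demo_roundtrip() -> Tuple[dict, List[V5Record]]:
    """Export the two telnet flows from the slide's flow table (constructed timestamps) and parse them back."""
    flows = [V5Record("192.168.175.143", "172.20.15.23", 43060, 23, 6, 0, 0x1b, 84, 4564, 1000, 12000),
             V5Record("172.20.15.23", "192.168.175.143", 23, 43060, 6, 0, 0x1b, 13, 745, 1100, 11900)]
    dg = build_datagram(flows, sys_uptime_ms=20000, unix_secs=1_190_000_000, flow_sequence=0)
    return parse_datagram(dg)
```

Two things the header gives a collector for free: flow_sequence lets it count lost datagrams (UDP gives no other signal), and the sampling field tells it whether the packet and byte counters must be scaled up before they are compared against thresholds or billed.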
NetFlow v9 – Flow Entry Options
%BYTES                 %FIRST_SWITCHED          %MPLS_LABEL_2
%PKTS                  %LAST_SWITCHED           %MPLS_LABEL_3
%FLOWS                 %IPV6_SRC_ADDR           %MPLS_LABEL_4
%PROT                  %IPV6_DST_ADDR           ...
%TOS                   %ICMP_TYPE               %MPLS_LABEL_10
%TCP_FLAGS             %SAMPLING_INTERVAL       %SRC_MAC
%L4_SRC_PORT           %SAMPLING_ALGORITHM      %DST_MAC
%IP_SRC_ADDR           %FLOW_ACTIVE_TIMEOUT     %VLAN_TAG
%SRC_MASK              %FLOW_INACTIVE_TIMEOUT   %FRAGMENTED
%INPUT_SNMP            %ENGINE_TYPE             %FINGERPRINT
%L4_DST_PORT           %ENGINE_ID               %NW_LATENCY_SEC
%IP_DST_ADDR           %TOTAL_BYTES_EXP         %NW_LATENCY_NSEC
%DST_MASK              %TOTAL_PKTS_EXP          %APPL_LATENCY_SEC
%OUTPUT_SNMP           %TOTAL_FLOWS_EXP         %APPL_LATENCY_NSEC
%IP_NEXT_HOP           %IP_PROTOCOL_VERSION     %PAYLOAD
%SRC_AS                %DIRECTION
%DST_AS                %MPLS_LABEL_1
NetFlow benefits (Service Provider and Enterprise)
• Accounting & Billing
• Traffic Monitoring
• Internet access monitoring
• Security Monitoring
• User Monitoring
• SLA Analysis & Reporting
• Application Monitoring
• Traffic Engineering
• Internal cost distribution for departments
• Capacity Planning
• Traffic Interception
• Network utilization
Accounting & Billing
• Current billing policies are:
– Flat-rate billing, simple and basic. No opportunity to
differentiate for applications, bandwidth utilization, direction
(e.g. local network/national/international), ...
– Usage-based billing: competitive pricing models can be
created and customized
• Usage-based billing considerations
– Time of day
– Within or outside of the network
– Application
– Distance-based
– Quality of Service (QoS) / Class of Service (CoS)
– Bandwidth usage
– Transit or peer
– Data transferred
• Full documentation of each conversation (flow), as with traditional telephone service bills
Traffic Monitoring & Network Utilization
• Monitoring Network (& Applications)
  – Top applications
  – Traffic distribution
  – Bandwidth per application
  – Typical pattern of usage between sites
  – Network / application latency
• Monitoring Users
  – Users on the network at a given time
  – How long users spend connected to the network
  – Which Internet sites do they use?
  – User usage patterns
  – Peer-to-peer traffic (WinMX, Morpheus, Gnutella, Kazaa, ...)
• Aggregation
  – Summary of traffic information per Autonomous System, protocol, source or destination subnet, etc.
Security Monitoring
- Anomaly detection
  • Top-volume flows
  • Atypical traffic distribution
  • Host fingerprints
  • Monitoring top applications and the users behind them
- DoS attack detection
  • Identify the source of the attack
  • Alarm on DoS attacks such as smurf, fraggle and SYN flood
  • Suggest access-lists/filters on the edge or Internet peering
- Input for dedicated DoS attack detection or security tools
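What "DoS attack detection" and "suggest access-lists" look like on the collector side, as an added Python example run over constructed flow records (not nPulse code and not any collector's logic). The records mimic what a collector holds after decoding an export: a few normal telnet sessions, a SYN flood against a web server from many sources, and a port scan from one host. The ACL lines it emits use Cisco IOS extended-ACL syntax as an assumed, illustrative output format.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

TCP = 6
SYN, ACK = 0x02, 0x10
Flow = dict   # src, dst, sport, dport, proto, tcp_flags, pkts, octets


def _syn_only(f: Flow) -> bool:
    """Half-open attempt: TCP flow where a SYN was seen but never an ACK, at most a retransmit."""
    return f["proto"] == TCP and (f["tcp_flags"] & (SYN | ACK)) == SYN and f["pkts"] <= 2


def detect_syn_flood(flows: List[Flow], min_sources: int = 20) -> Dict[Tuple[str, int], int]:
    """Targets receiving SYN-only flows from many distinct (often spoofed) sources."""
    sources = defaultdict(set)
    for f in flows:
        if _syn_only(f):
            sources[(f["dst"], f["dport"])].add(f["src"])
    return {t: len(s) for t, s in sources.items() if len(s) >= min_sources}


def detect_port_scan(flows: List[Flow], min_ports: int = 15) -> Dict[Tuple[str, str], List[int]]:
    """One source probing many ports on one host with SYN-only flows."""
    ports = defaultdict(set)
    for f in flows:
        if _syn_only(f):
            ports[(f["src"], f["dst"])].add(f["dport"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


def top_talkers(flows: List[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Top-volume sources by octets, the 'top volume flows' view from the slide."""
    vol = Counter()
    for f in flows:
        vol[f["src"]] += f["octets"]
    return vol.most_common(n)


def suggest_filters(floods: Dict[Tuple[str, int], int],
                    scans: Dict[Tuple[str, str], List[int]]) -> List[str]:
    """Illustrative IOS-style ACL entries for the edge router; review before applying."""
    lines = [f"deny tcp host {src} host {dst}" for (src, dst) in sorted(scans)]
    for (dst, dport), n in sorted(floods.items()):
        # Flood sources are usually spoofed: a per-source deny is useless, rate-limit SYNs instead.
        lines.append(f"! {n} SYN-only sources to {dst}:{dport}: rate-limit SYNs to this host")
    return lines


def sample_flows() -> List[Flow]:
    """Constructed collector contents: normal telnet sessions, a SYN flood and a port scan."""
    flows: List[Flow] = []
    for i in range(5):                                  # the telnet sessions from the slide's table
        flows.append(dict(src="192.168.175.143", dst="172.20.15.23", sport=43060 + i, dport=23,
                          proto=TCP, tcp_flags=0x1b, pkts=84, octets=4564))
        flows.append(dict(src="172.20.15.23", dst="192.168.175.143", sport=23, dport=43060 + i,
                          proto=TCP, tcp_flags=0x1b, pkts=80, octets=9000))
    for i in range(40):                                 # SYN flood: 40 sources, one SYN each
        flows.append(dict(src=f"198.51.100.{i + 1}", dst="172.20.15.23", sport=1024 + i, dport=80,
                          proto=TCP, tcp_flags=SYN, pkts=1, octets=60))
    for port in range(1, 31):                           # port scan: one source, 30 ports
        flows.append(dict(src="203.0.113.7", dst="172.20.15.23", sport=40000 + port, dport=port,
                          proto=TCP, tcp_flags=SYN, pkts=1, octets=44))
    return flows
```

The thresholds are deliberately crude; with sampled export (see the sampling field of the v5 header and %SAMPLING_INTERVAL in v9) every count must be scaled by the sampling rate before comparison, and a probe configured to suppress tiny TCP flows (the "Minimum TCP size" option later in this deck) will hide exactly the SYN-only flows these detectors rely on.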
SLA Monitoring and Reporting
- Service Level Agreement
  • Bandwidth per connection/circuit
  • Network latency
  • Application latency
  • Quality of Service measurements
  • End-to-end traffic flows
  • Minimum/peak bps
    • per user
    • per application
    • per conversation
- Traffic documentation
  • Each conversation/flow is reported with full information about dates, traffic, directions, etc. (like the itemised bill we are used to getting for normal telephone service)
Interception / Traffic Documentation
- A splitter/network TAP can be inserted in network links to allow passive and transparent monitoring of traffic flows
  • NetFlow v9 extensions by nMon.net include payload information (full/partial)
  • 'Selected'/'filtered' users, applications or conversations may be processed as flows
  • NetFlow data may be sent to interception systems for evaluation
- Traffic documentation
  • Each conversation/flow is reported with full information about dates, traffic, directions, ...
  • Easy way to find destinations or applications on a per-user basis
Capacity Planning &
Traffic Engineering
• Key areas to monitor for capacity planning
– Top user and Top applications consuming bandwidth
– Traffic distribution and direction of flows
– Network traffic analysis by application
• Network utilization and capacity
– Traffic distribution between peerings
– Link and bandwidth inventory
• Routing and Peering information (v5/v9)
– Source and Destination AS number
• Advanced monitoring via NetFlow v9
– MPLS, Multicast, IPv6
• Aggregation
– Summary of traffic information for Autonomous System,
Protocols, Source or Destination subnets, etc.
Others
• Departmental chargeback / Cost Distribution
– Distribute ‘cost’ for Internet connection to different internal departments
– Network traffic analysis by application on per-department basis
• CoS Measurements
– Confirm appropriate bandwidth has been allocated to each Class of Service
– Verify that no CoS is over- or under-subscribed
– Network Latency and Application Latency measurements with v9
Catapult Probe – Main Points
• Capture rate at wire speed on Gigabit Ethernet
  – nCap technology (network card drivers/firmware deliver packets straight to the monitoring applications, no CPU involved)
  – Hardware acceleration in 2-port models
• Analysis (NetFlow, IPFIX) at high speed
  – Software & RAM ...
• Support for IPv4, IPv6 and MPLS
• Optimization for NetFlow v5, with and without aggregation, and v9
• 1U rack unit version
• Tested and fully interoperable with the main NetFlow collectors on the market, including Cisco FlowCollector, HP, etc.
Network Integration (1/2)
• Catapult Probe captures traffic from:
  – Span/mirror port (router, switch)
  – Network tap/splitter or even hub (UTP or fiber)
[Figure: probe attached to the monitored link.]
Network Integration (2/2)
• Catapult Probe captures traffic from:
  – Span/mirror port (router, switch)
  – Network tap/splitter or even hub (UTP or fiber)
[Figure: three deployments, each with an Inside and an Outside side: Cisco (SPAN port), Extreme (mirror port), Juniper (PortMirror).]
Catapult Probe - Performance
• Capture (Mpps):
  – NP-1410 (Accelerated Probe) reaches 3 Mpps on Gigabit Ethernet (independent of packet size)
• NetFlow analysis (flows per second)
  – depends on the type/nature of the traffic and on aggregation (and on the flow template for NetFlow v9)
  – typical environment performance: 75k-200k flows per second (conservative figures)
  – it is important to evaluate the capacity of the flow collectors to receive and manage a large number of flows/s
Flow Collection Optimization (1/2)
• The main argument in evaluating a scalable NetFlow accounting solution is the capacity of the flow collector (Cisco, HP, InfoVista, ...)
• Some of the special features provided by Catapult Probe to minimize impact and effort on the flow collector side are:
• Multiple Collectors
  Catapult Probe can be configured to send flows to multiple collectors in round-robin (split the load between different collectors) or redirector mode (replication to multiple redundant collectors)
• Flow Export Delay
  Some collectors cannot keep up with Catapult Probe's speed. This feature allows flow export to be slowed down by waiting a short delay (ms) between two consecutive exports towards the same collector.
• Minimum TCP size
  Peer-to-peer applications, attacks or misconfigured applications often generate a lot of tiny TCP flows that can cause significant load on the collector side. It is possible to configure Catapult Probe not to emit such flows (note: this applies only to TCP; UDP, ICMP and other protocols are not affected)
Flow Collection Optimization (2/2)
• Minimum number of flows per NetFlow packet
  In order to minimize the number of emitted packets containing flows, the minimum number of flows that a NetFlow packet towards the collector(s) must contain can be specified.
• Sampling rate
  Catapult Probe usually captures all packets for calculating flows. In some situations (e.g. cost distribution/sharing, heavy DoS attack conditions) it is not necessary to work with all packets, and a sampling rate (number of packets to be discarded between two packets used to produce flows) may be enough.
• Packet Capture Filter
  Filtering allows Catapult Probe to take into account only those packets that match the filter. The list of filter expression primitives can be found in the product documentation: 30+ primitives such as source address, destination address, ports, protocols, packet size (less than/greater than), ... see next slide
• Export Flow Filtering and Aggregation
  The probe can manage aggregation (NetFlow v5, v9) or even flow export filtering in order to export only flows with IP addresses in certain ranges, while all the others are aggregated as 0.0.0.0
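How the collector-load features on these two slides combine on the export path, as an added Python example: a tiny-TCP-flow filter, export filtering that collapses addresses outside the exported ranges to 0.0.0.0 (aggregating what remains), a minimum batch size per NetFlow packet, and round-robin or replicated delivery to several collectors. This is an assumed design written for illustration, not Catapult's implementation: the export delay is left out (it is pure timing), the port of a collapsed address is zeroed as well so that such flows actually merge, and "packets" are returned as (collector, flows) pairs instead of being sent over UDP.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

TCP = 6
Flow = dict   # src, dst, sport, dport, proto, pkts, octets


class ExportPipeline:
    """Probe-side export policy: filter, aggregate, batch, then spread over collectors."""

    def __init__(self, collectors: List[str], mode: str = "roundrobin",
                 min_flows_per_packet: int = 10, min_tcp_octets: int = 0,
                 export_prefixes: Tuple[str, ...] = ()):
        if mode not in ("roundrobin", "replicate"):
            raise ValueError(f"unknown collector mode {mode!r}")
        self.collectors, self.mode = list(collectors), mode
        self.min_flows, self.min_tcp_octets = min_flows_per_packet, min_tcp_octets
        self.prefixes = [ip_network(p) for p in export_prefixes]   # empty = export everything
        self.buffer: Dict[tuple, Flow] = {}
        self.packets: List[Tuple[str, List[Flow]]] = []            # stand-in for UDP sends
        self.dropped = 0
        self._next = 0

    def _in_scope(self, addr: str) -> bool:
        return not self.prefixes or any(ip_address(addr) in p for p in self.prefixes)

    def submit(self, flow: Flow) -> None:
        # "Minimum TCP size": tiny TCP flows never reach the collector (UDP/ICMP unaffected).
        if flow["proto"] == TCP and flow["octets"] < self.min_tcp_octets:
            self.dropped += 1
            return
        f = dict(flow)
        for addr_key, port_key in (("src", "sport"), ("dst", "dport")):
            if not self._in_scope(f[addr_key]):        # outside the exported ranges
                f[addr_key], f[port_key] = "0.0.0.0", 0
        key = (f["src"], f["dst"], f["sport"], f["dport"], f["proto"])
        if key in self.buffer:                          # identical keys aggregate into one record
            self.buffer[key]["pkts"] += f["pkts"]
            self.buffer[key]["octets"] += f["octets"]
        else:
            self.buffer[key] = f
        if len(self.buffer) >= self.min_flows:          # minimum flows per NetFlow packet
            self._emit()

    def _emit(self) -> None:
        batch = list(self.buffer.values())
        self.buffer = {}
        if self.mode == "replicate":
            targets = self.collectors                   # every collector gets every packet
        else:
            targets = [self.collectors[self._next % len(self.collectors)]]
            self._next += 1                             # next packet goes to the next collector
        for c in targets:
            self.packets.append((c, batch))

    def flush(self) -> List[Tuple[str, List[Flow]]]:
        if self.buffer:
            self._emit()
        return self.packets


def demo() -> Tuple[List[Tuple[str, List[Flow]]], int]:
    """Constructed traffic: export only the 172.20.15.0/24 side, drop TCP flows under 100 octets."""
    pipe = ExportPipeline(["10.0.0.1", "10.0.0.2"], "roundrobin", min_flows_per_packet=3,
                          min_tcp_octets=100, export_prefixes=("172.20.15.0/24",))
    for i in range(10):      # ten external clients of one web server: one record after collapsing
        pipe.submit(dict(src=f"198.51.100.{i + 1}", dst="172.20.15.23", sport=1024 + i, dport=80,
                         proto=TCP, pkts=10, octets=1500))
    for port in range(1, 6):  # scan noise: tiny TCP flows, dropped before export
        pipe.submit(dict(src="203.0.113.7", dst="172.20.15.23", sport=40000 + port, dport=port,
                         proto=TCP, pkts=1, octets=44))
    pipe.submit(dict(src="172.20.15.23", dst="172.20.15.5", sport=5300, dport=53, proto=17, pkts=1, octets=70))
    pipe.submit(dict(src="172.20.15.5", dst="172.20.15.23", sport=53, dport=5300, proto=17, pkts=1, octets=150))
    pipe.submit(dict(src="172.20.15.23", dst="172.20.15.9", sport=50000, dport=22, proto=TCP, pkts=40, octets=6000))
    pipe.submit(dict(src="172.20.15.9", dst="172.20.15.23", sport=22, dport=50000, proto=TCP, pkts=40, octets=9000))
    return pipe.flush(), pipe.dropped
```

Round-robin halves the load per collector but means no single collector holds the complete picture, which matters for the security use cases earlier in the deck: a SYN flood split across two collectors may stay under each one's threshold. Replication keeps every collector complete at the cost of doubling export traffic.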
Packet Capture Filter
These are the main conditions (primitives) that can be applied to filter packet capture:
• IP Host/Subnet
• IP Destination Host/Subnet
• IP Source Host/Subnet
• MAC Host
• MAC Destination Host
• MAC Source Host
• Port
• Source Port
• Destination Port
• Packet Length
• Protocol
• Multicast
• Broadcast
• ...
Primitives may be combined using:
• Negation (`!' or `not')
• Concatenation (`&&' or `and')
• Alternation (`||' or `or')
HA & Redundancy (1/2)
• Single Catapult Probe solution (via Tap)
• Multi Catapult Probe solution (Regeneration Tap)
  Same results even with a single-port tap and an external hub (shared)
• High Availability via a dedicated ethernet link
[Figure: a tap feeding one probe; a regeneration tap (or a single-port tap plus a shared hub) feeding several probes; the probes joined by a dedicated ethernet link.]
HA & Redundancy (2/2)
Not only network monitoring…
Catapult Probe: Manageability
• Access:
  • Console
  • Telnet
  • SSH
• Embedded Web Interface
  • http/https
• SNMP
  • SNMPv1
  • SNMPv2c
  • SNMPv3
• Syslog
Of these, Telnet, plain http and SNMPv1/v2c carry passwords and community strings in cleartext; on a device that sees every packet on the monitored link, management access should be limited to SSH, https and SNMPv3 over a dedicated management network.
NetFlow Collector vendors (examples)
[Figure: vendor logos grouped by category: Traffic Analysis, Collection (Flow-Tools), Denial of Service, Billing.]
Open Source NetFlow Collector
nTop
• Network monitoring application
  – IPv4/v6
  – NetFlow (v5/7/9)
  – sFlow (v2/v4/v5)
• 7 years of experience
• Customizations/contributions from people in 10+ countries all around the world
• Thousands of users across the world
• Available for: BSD, Linux, Windows, MacOS X, Solaris.
Probe Portfolio
Catapult NetFlow Probe
Applications
• High-performance Gigabit NetFlow v5/v9/IPFIX probe
• Standard (1-port) and Accelerated (2-port) models
• Over 75,000 flows per second in base model
• Capture >1 million packets/sec in standard model
• Up to 3 million packets/sec in accelerated model
• Supports IPv4, IPv6 and MPLS traffic
• VoIP (SIP and RTP) traffic analysis
• Easy customization and extensions
• Full flow capture or sampling modes
• Export flow filtering and buffering to manage collector loading
• Multiple Collector mode for load balancing or redundancy
• Management access via embedded Web GUI, console, Telnet, SSH, SNMP or Syslog
• Fully interoperable with commercial NetFlow collectors from all major vendors
Catapult Probe - Unique Features
• Capture
  – Wire-speed capture (nCap technology – no CPU).
• Analysis
  – NetFlow v5, v9, raw data (file)
  – software & RAM, differentiation between HC, MC, LC
  – up to 50k+ flows per second
• Support of IPv4, IPv6 (NetFlow v9 only), MPLS
• NetFlow v9 extensions:
  – Application latency, network latency, first payload packets (good to identify P2P traffic), host fingerprints
• NetFlow v9: extensive flow template support
• Easy customization and extensions – nCap technology is independent from monitoring applications
• Support of IPFIX (draft 3) over SCTP/TCP/UDP.
Catapult NetFlow Probe
Thank You