nbar and netflow 2003 ccmigration_09186a00801da7de
-
8/8/2019 NBAR and NetFlow 2003 Ccmigration_09186a00801da7de
NetFlow and NBAR, November 2003. 2003 Cisco Systems, Inc. All rights reserved.
NETFLOW & NETWORK-BASED APPLICATION RECOGNITION
ITD PRODUCT MANAGEMENT
NOVEMBER 2003
-
Overview of NetFlow and Network-Based Application Recognition
NetFlow
Pioneering IP accounting technology
Invented and patented by Cisco
IETF export standard
Network-Based Application Recognition (NBAR)
Intelligent application recognition
Analyzes and identifies application traffic in real time
-
NetFlow and NBAR Benefit Footprints
NetFlow
User (IP) monitoring
Application monitoring
Traffic analysis
Attack Mitigation
Chargeback Billing
Attack mitigation
Billing
AS Peer monitoring
Traffic engineering
Network Planning
NBAR
Application classification
Precise Quality of Service (QoS) treatment
Application statistics for bandwidth provisioning
Top-n views
Threshold settings
Mapping applications to an SP's service offering
Footprint columns (figure): Enterprise Backbone; Enterprise Premise Edge; Service Provider Aggregation Edge; Service Provider Core
-
NetFlow and NBAR Benefit Footprints
Columns: Enterprise Backbone; Enterprise Premise Edge; Service Provider Aggregation Edge; Service Provider Core
NetFlow
Cisco Catalyst 4500, 5000, 6500, 7600 Series ASIC
Cisco Catalyst 5000, 6500 Series HW Acceleration
Cisco Catalyst 4500 Series ASIC
Cisco 7100, 7200, 7300, 7500 Series
Cisco AS5300, AS5400, AS5800 Series
Cisco 830, 1400, 1700, 2600, 3600, and 3700 Series
Cisco Catalyst 4500, 5000, 6500 Series; Cisco 7600 Series ASIC
Cisco 7100, 7200, 7300, 7500 Series
Cisco AS5300 and AS5800 Series
Cisco MGX8000 Series
Cisco 10000 and 12000 Series Internet Routers ASIC
Cisco Catalyst 5000 and 6500 Series; Cisco 7600 Series ASIC
Cisco 7500 Series
NBAR
Cisco Catalyst 6500 and 7600 Series MSFC (planned ASIC)
Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM (planned ASIC)
Cisco 7100, 7200, and 7500 Series
Cisco 830, 1400, 1700, 2600, 3600, and 3700 Series
Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM (planned ASIC)
Cisco 7100, 7200, and 7500 Series
Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM (planned ASIC)
Cisco 7500 Series
-
Cisco Internal Use Only
NetFlow and NBAR: Main Objectives and Benefits
Main Objective: Main Benefit
NetFlow
Flow Characterization: which users utilize the network; what types of traffic; when is the network utilized; where does the traffic go
Network Usage: IP accounting and billing technology
Capacity Planning, Traffic Engineering, Peering: traffic & routing information analysis
Data Export: persistent network usage record
NBAR
Identify & classify traffic based on payload attributes & protocol characteristics: optimize application performance via QoS; validation or reclassification of ToS marking based on packet inspection
-
NetFlow and NBAR: Additional Objectives and Benefits
Main Objective: Side Benefits
NetFlow
Flow Characterization: DDOS & worm detection
Network Usage: capacity planning and traffic engineering
Billing: permanent record of network activity
Capacity, Traffic Engineering, Peering: Optimized Edge Routing (OER)
Data Export: IETF IPFIX WG standard and NetFlow v.9 flexible, extensible format
NBAR
Identify & classify traffic based on payload attributes & protocol characteristics: detection & dropping/limiting of undesired traffic (peer-to-peer file sharing, worms, ...); application statistics for bandwidth provisioning
-
Uniqueness and Strengths of NetFlow and NBAR
NetFlow
IPv6, MPLS, Multicast, BGP NH technology integration
Billing, Capacity Planning, Traffic Engineering
Internet Access Monitoring: Peering & Traffic
IETF Standard for Data Sampling and Export
Security DDOS Monitoring Tool
Flow timers, timing of network traffic types
Who, what, where, when in the network
Large NMS partner community & open source tools
NBAR
Deep & Stateful Packet Inspection
Protocol Discovery with application statistics
Enables precise classification & QoS treatment
Pre-defined protocol & application recognition
User-Defined Custom Application Classification
New application signatures w/o software upgrade
Integration with IP Services (QoS, NAT, Firewall, IDS)
-
NetFlow and NBAR Differentiation
Figure (packet diagram): Link Layer Header; IP Header (Source IP Address, Destination IP Address, Protocol, TOS); TCP/UDP Header (Source Port, Destination Port); Data (Deep Packet (Payload) Inspection); Interface. The diagram brackets the interface, IP header and port fields as NetFlow's inputs and the payload as NBAR's. NetFlow and NBAR both leverage Layer 3 and 4 header information.
NetFlow
Monitors data in Layers 2 thru 4
Determines applications by port
Utilizes a 7-tuple for flow
NBAR
Examines data from Layers 3 through 7
Uses Layers 3 & 4 plus packet inspection for classification
Stateful inspection of dynamic-port traffic
-
NetFlow and NBAR useful for Security
Flow information is useful against attacks
NetFlow Mitigates Attacks
Identify the attack
Count the flows
Inactive flows signal a worm attack
Classify the attack
Small size flows to same destination
What is being attacked and origination of attack
NetFlow security partners: Arbor Networks, Mazu, Adlex
Cisco IT prevented SQL Slammer at Cisco by watching flows per port
NBAR: Signature-based detection
Not historically a main focus for NBAR
Real-time loadable PDLMs could provide rapid-update mechanism for new signatures
Not staffed to react against malicious applications
NBAR can detect worms based on payload signatures: Nimda, Code Red, Slammer
Cisco PSIRT provided customers with NBAR solution to combat Code Red & Nimda
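The NetFlow heuristics on this slide (count the flows per port, small flows fanning out from one source or converging on one destination) together with the 7-tuple flow key from the differentiation slide, as an added Python example that is not part of the Cisco deck; the Flow record layout, the thresholds and the sample records are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    """One NetFlow-style record; the first seven fields are NetFlow's 7-tuple key."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    tos: int        # IP type-of-service byte
    ifindex: int    # input interface index
    packets: int
    octets: int

def aggregate(records):
    """Merge records that share a 7-tuple into one flow with summed counters."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        totals[r[:7]][0] += r.packets
        totals[r[:7]][1] += r.octets
    return {key: tuple(v) for key, v in totals.items()}

def small_flow_fan(records, by="src", max_octets=1500, min_peers=8):
    """Flag (ip, proto, dst_port) tuples with at least min_peers distinct peers
    behind small flows.  by="src" counts fan-out (one source spraying a tiny flow
    per victim: the worm/scan footprint); by="dst" counts fan-in (many tiny flows
    converging on one destination: the flood footprint)."""
    fan = defaultdict(set)
    for (src, dst, _sp, dport, proto, _tos, _if), (_pkts, octets) in aggregate(records).items():
        if octets > max_octets:
            continue          # bulk transfers are not the pattern being counted
        me, peer = (src, dst) if by == "src" else (dst, src)
        fan[(me, proto, dport)].add(peer)
    return {k: len(v) for k, v in fan.items() if len(v) >= min_peers}

# Constructed sample (assumption): a host spraying single-datagram UDP/1434 flows to
# 12 destinations, 10 hosts flooding one web server, and one ordinary web client.
SAMPLE = [Flow("10.0.0.5", f"10.1.{i}.20", 40000 + i, 1434, 17, 0, 1, 1, 404) for i in range(12)]
SAMPLE += [Flow(f"10.4.0.{i}", "10.3.0.1", 33000 + i, 80, 6, 0, 2, 1, 60) for i in range(10)]
SAMPLE += [Flow("10.0.0.9", "10.2.0.20", 50000, 80, 6, 0, 1, 40, 52000),
           Flow("10.0.0.9", "10.2.0.20", 50000, 80, 6, 0, 1, 5, 600)]   # same key, merged

if __name__ == "__main__":
    print(small_flow_fan(SAMPLE, "src"))   # {('10.0.0.5', 17, 1434): 12}
    print(small_flow_fan(SAMPLE, "dst"))   # {('10.3.0.1', 6, 80): 10}
```

The thresholds are illustrative and would be tuned per network and per port; a fan-out hit is the "identify" step, and the destination set behind it answers the slide's "what is being attacked and origination of attack" question.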
-
Summary of Benefits
NBAR
Deep & Stateful Packet Inspection
Protocol & Application Discovery
Standard protocols
Corporate applications (Citrix, ...)
Undesired traffic (peer-to-peer, worms, ...)
Real-time PDLM Signature Update
NetFlow
Internet Access Monitoring
Protocol distribution
Where traffic is going / coming
User Monitoring
Application Monitoring
Accounting and Billing
DDOS Monitoring
Peering Arrangements
Network Planning
Traffic Engineering
-
NetFlow and NBAR, November 2003