SMARTxAC / Network Polygraph
“A Network Visibility Service
born at Anella Científica”
Maria Isabel Gandía – [email protected]
Josep Sanjuas – [email protected]
Companies depend on Networks
e-mail, databases, shared folders, VoIP, cloud...
Networks are complex and hard to manage
Network Downtime equals Cost
• $42,000/h: average cost of downtime
• $5,600/min: average cost of downtime (datacenters)
• 87 hours: average downtime per year
• 200 min: MTTR per medium outage (ITPI)
Network Visibility
• To properly manage a network, you need to see what happens inside it
• First step to...
– identify congested links
– remove unwanted network traffic
– disconnect bandwidth hogs
– troubleshoot performance issues
– plan for future needs
New User Interface
Network Visibility Technologies
• Hardware-based («Deep Packet Inspection»)
– Brute-force approach: inspect all packets
– High visibility, but very high cost
• Software-based (NetFlow, SNMP)
– Use traffic statistics exported by routers
– Mid visibility & low cost
Network Polygraph - Technology
• Best of both worlds: high visibility, low cost
• How? NetFlow + artificial intelligence
NetFlow on steroids: application identification, SSL domain ID, attack & anomaly detection capabilities
History: SMARTxAC to Polygraph
(Timeline diagram; label: Commercial Internet)
1999-2003: Inception
Previous monitoring and analysis projects:
• CASTBA
• MEHARI
• MIRA
With the collaboration among several universities:
• UPM (Universidad Politécnica de Madrid)
• UC3M (Universidad Carlos III de Madrid)
• UPC (Universitat Politècnica de Catalunya)
And the participation of:
• RedIRIS
• CESCA
• Telefónica Investigación y Desarrollo
• Institut Català de Tecnologia
Focus: monitoring ATM networks
Approach: deep packet inspection with sampling
2003: The Birth of SMARTxAC
Collaboration: CESCA + CCABA/UPC
Objective: monitoring the Anella Científica–RedIRIS connection
Roles
• CESCA: requirements, testbed
• CCABA/UPC: research, development
Objectives:
• Low-cost platform
• Continuously monitor Anella Científica
• Detect anomalies and irregular usage
• Multi-tenant: accessible by many institutions
– each institution can see their own traffic only
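The flow-based approach of the technology slide (NetFlow instead of DPI) and the multi-tenant objective above, as an added example that is not SMARTxAC or Network Polygraph code: it decodes NetFlow v5 export records, classifies each flow by port number into the classes of the 2003 interface, and totals bytes per class for each tenant so that one institution's view never includes another's flows. The port table, tenant names and prefixes, and the sample datagram are assumed or constructed; Polygraph's own classifier adds machine learning on top of this kind of data, which this example does not attempt.

```python
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire format (big-endian): 24-byte header, then 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
# Assumed, deliberately small port table onto the classes of the 2003 SMARTxAC UI.
PORT_CLASS = {80: "WWW", 443: "WWW", 53: "DNS", 20: "FTP", 21: "FTP",
              23: "TELNET", 119: "NEWS", 6667: "IRC", 6881: "P2P"}

def classify(proto, sport, dport):
    """Port-number classification; non-TCP/UDP and unknown ports get their own class."""
    if proto not in (6, 17):
        return "NO_TCPUDP"
    return PORT_CLASS.get(dport) or PORT_CLASS.get(sport) or "T_UKNWN"

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    version, count = HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    recs = (RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size) for i in range(count))
    return [{"src": ipaddress.ip_address(r[0]), "dst": ipaddress.ip_address(r[1]),
             "bytes": r[6], "sport": r[9], "dport": r[10], "proto": r[13]} for r in recs]

def per_tenant_breakdown(flows, tenants):
    """Bytes per class per tenant; a flow counts for a tenant only if an endpoint is in its prefixes."""
    nets = {t: [ipaddress.ip_network(p) for p in ps] for t, ps in tenants.items()}
    out = defaultdict(lambda: defaultdict(int))
    for fl in flows:
        app = classify(fl["proto"], fl["sport"], fl["dport"])
        for tenant, prefixes in nets.items():
            if any(fl["src"] in n or fl["dst"] in n for n in prefixes):
                out[tenant][app] += fl["bytes"]
    return {t: dict(apps) for t, apps in out.items()}

def build_v5(records):
    """Pack a constructed sample export; records are (src, dst, bytes, sport, dport, proto)."""
    hdr = HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(RECORD.pack(int(ipaddress.ip_address(s)), int(ipaddress.ip_address(d)),
                                0, 0, 0, 1, by, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 0, 0, 0)
                    for s, d, by, sp, dp, pr in records)
    return hdr + body

TENANTS = {"tenantA": ["10.1.0.0/16"], "tenantB": ["10.2.0.0/16"]}  # constructed tenants
SAMPLE_DATAGRAM = build_v5([("10.1.0.5", "192.0.2.10", 5000, 51000, 443, 6),    # A: HTTPS
                            ("10.2.0.9", "192.0.2.53", 300, 40000, 53, 17),     # B: DNS
                            ("10.2.0.9", "198.51.100.7", 70000, 6881, 6881, 6), # B: P2P
                            ("10.1.0.7", "192.0.2.20", 84, 0, 0, 1)])           # A: ICMP
```

Calling `per_tenant_breakdown(parse_v5(SAMPLE_DATAGRAM), TENANTS)` gives tenant A only its HTTPS and ICMP bytes and tenant B only its DNS and P2P bytes.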
2003: Architecture
(Diagram labels: Optical Splitter, Capture with Endace DAG card, Analysis)
2003: User Interface
(Screenshot: two pie charts of traffic by application class, one classified by Port Number and one by Machine learning; classes: A_UKNWN, DNS, FTP, GAMES, IRC, MULTIMEDIA, NETFS, NETWORK, NEWS, NO_TCPUDP, OTHERS, P2P, T_UKNWN, TELNET, UNIX, WWW)
2003-2011: Network Scales Up
More network interfaces monitored at Anella Científica:
• RedIRIS
• Commercial internet connection
• CATNIX
Internal traffic not monitored
Increasing bandwidth usage
Realization: DPI is not cost effective!
Last straw: switching to 10Gbps links
Distributed core with two main nodes (Campus Nord & Telvent)
Solution: NetFlow
2011: Upgrade to 10Gbps - NetFlow
Flow-based analysis
(Diagram labels: 2x10Gbps, NetFlow)
User Interface Redesign
2013: Commercial Stage & Spin-off
• Research group gathers commercial interest
• Received public funding for tech transfer
– SMARTxAC to generalized product
• From a research product to a commercial one
– Talaia Networks, S.L.: a spin-off of UPC
– Network Polygraph: «spin-off of SMARTxAC»
Network Polygraph
Deployment Models: Cloud
(Diagram labels: Customer Network, Cloud)
Deployment Models: On-Premises
(Diagram label: Customer’s Datacenter)
Multi-Tenancy Module
(Diagram labels: Customer A, Customer B, Customer C)
Subscription Models
Service (SaaS)
• Monthly or yearly billing
• Includes support
• Externally managed
• Regularly updated
Perpetual License
• Payable upfront
• Support & maintenance fee
• Not accessible by our personnel
The SaaS Advantage
• No upfront costs for end customer
– Lower barrier of entry (esp. small-mid customers)
– No need to “commit” to our solution
– Simply configure routers to send NetFlow to us
• Managed solution
– Zero maintenance, zero hardware, zero software
– Always upgraded to latest version
Main Large-scale Deployments
• CSUC (Anella Científica network)
– Connects ≈90 public institutions in Catalonia
– Offered as value-added service to >80 admins
• Red.es (RedIRIS network)
– Handles all Spanish academic network traffic
– Connects ≈450 public institutions in Spain
– Won as customer in competitive tender
Use Cases
• Small-medium companies
– Bandwidth is a precious resource; Polygraph helps optimize its usage
• “Why is the network so slow? Should we invest in more bandwidth?”
• Found 1 user constantly downloading files from Mega
• Link was shared with other offices, affecting whole company
Use Cases (2)
• Large companies
– Moving a single “hardware DPI probe” around
• Deploying full DPI was too expensive
• With Polygraph they could cover all branches!
– Realized most attacks come from China
• ISP can block certain IP subnets
• Attacks do not consume customer bandwidth
– Detected covert bitcoin mining operations
• Users were pumping the electricity bill for their personal gain
Use Cases (3)
• ISP & Managed Network Service Providers
– Important customer with an office in North Africa:
• Bandwidth: precious resource
• Wanted to check it is spent wisely – no unwanted traffic
– Receiving large # of copyright violation notices!?
• Traffic analysis reveals P2P traffic
• Particularly, upstream traffic: serving illegal content!
– Use our product to detect network attacks
• Offer product as value-added service to corporate customers
• Sell anti-virus solutions to their own customers
Deployment at CATNIX: Proposal
(Diagram labels: Member A, Member B, Member C)
Website + On-Line Demo
https://polygraph.io
Network Polygraph
Talaia Networks, S.L.
K2M – Parc UPC Campus Nord
Jordi Girona, 1-3
Barcelona (08034)
Spain
Telephone: +34 93 405 45 87
https://polygraph.io
traffic volume, breakdown by application
protocol breakdown
top talkers (addresses, ports, autonomous systems)
traffic geolocation
anomaly and attack detection with automatic baselining
indexed traffic database for forensic analysis
automated downloadable reports