DOCSLIB.ORG

BRKNMS-3132.Pdf

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
BRKNMS-3132.Pdf Advanced NetFlow BRKNMS-3132 Benoit Claise, Distinguished Engineer . For Your Session Abstract Reference • This advanced session presents the latest NetFlow developments: new features, NetFlow version 9, and its IPFIX standardization at the IETF. Flexible NetFlow feature is covered in detail. Technical details of the new features are addressed with configuration examples, show commands, tricks, and best practice advice. Scenarios such as NetFlow for security and NetFlow for application visibility planning are covered. The NetFlow performance impact is also discussed, as well as the support matrix of all NetFlow features. • This session is for enterprise, service provider, and NREN experts engaged in designing, maintaining, and troubleshooting security, capacity planning, and accounting solutions. Attendees should be familiar with network management basics and should already have some understanding of NetFlow BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3 The Content of This Session Is… • Not about – A level one type of presentation – Introduction to IP accounting and NetFlow – Marketing slides – NetFlow collector details – The ecosystem partners applications and mediations – Many platform specific details • About – New features – Advanced information – And a few scenarios … • Assuming the NetFlow basics are known BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Agenda • Introduction • NetFlow Version 9 (with Traditional NetFlow) • Flexible NetFlow • NetFlow for Security • NetFlow for Application Visibility and Control • NetFlow & IPv6 • NetFlow Performance • NetFlow Standardization • Support Matrix • Conclusion BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 5 Version 5 Flow Format Flow Key vs. Non-Key Field From/to . Usage Packet count Source IP address . Byte count . Destination IP address Time . Start sysUpTime . Source TCP/UDP port of Day . End sysUpTime . Destination TCP/UDP port Application Port . Input ifIndex . Next hop address Utilization . Output ifIndex . Source AS number . Type of service . Dest. AS number QoS . TCP flags . Source prefix mask . Protocol . Dest. Prefix mask Routing and Peering BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public Traditional NetFlow 1. Create and update flows in NetFlow cache Src Src Src Dst DstM Dst Bytes/P Srclf SrclPadd Dstlf DstlPadd Protocol TOS Flgs Pkts NextHop Active Idle Port Msk AS Port sk AS kt Fa1/0 173.100.21.2 Fa0/0 10.0.227.12 11 80 10 11000 00A2 /24 5 00A2 /24 15 10.0.23.2 1528 1745 4 Fa1/0 173.100.3.2 Fa0/0 10.0.227.12 6 40 0 2491 15 /26 196 15 /24 15 10.0.23.2 740 41.5 1 Fa1/0 173.100.20.2 Fa0/0 10.0.227.12 11 80 10 10000 00A1 /24 180 00A1 /24 15 10.0.23.2 1428 1145.5 3 Fa1/0 173.100.6.2 Fa0/0 10.0.227.12 6 40 0 2210 19 /30 180 19 /24 15 10.0.23.2 1040 24.5 14 . Inactive timer expired (15 sec is default) . Active timer expired (30 min is default) => change it 1 min 2. Expiration . NetFlow cache is full (oldest flows are expired) . RST or FIN TCP flag Src Src Src Dst Dst Dst Bytes/ Srclf SrclPadd Dstlf DstlPadd Protocol TOS Flgs Pkts NextHop Active Idle Port Msk AS Port Msk AS Pkt Fa1/0 173.100.21.2 Fa0/0 10.0.227.12 11 80 10 11000 00A2 /24 5 00A2 /24 15 10.0.23.2 1528 1800 4 3. Aggregation 4. Export version E.g., Protocol-Port Aggregation Non-aggregated flows—export version 5, 9, IPFIX Scheme Becomes 5. Transport protocol Protocol Pkts SrcPort DstPort Bytes/Pkt Export Payload 11 11000 00A2 00A2 1528 (UDP) Packet (Flows) Aggregated Flows—Export Version 8 or 9 Header BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public Extensibility and Flexibility Requirements Phases Approach • Traditional NetFlow with v5 or v8 NetFlow export – New requirements: build something flexible and extensible • Phase One: NetFlow Version 9 (Lead to IPFIX at the IETF) – Advantages: extensibility • Integrate new technologies/data types quicker Exporting (MPLS, IPv6, BGP next hop, etc.) • Integrate new aggregations quicker Process – Note: for now, the template definitions are fixed • Phase Two: Flexible NetFlow – Advantages: cache and export content flexibility • User selection of flow keys Metering • User definition of the records Process BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 8 Exporting Process versus Metering Process and NetFlow Evolution The Metering Process generates Flow The Exporting Process sends Records. Inputs to the process are IPFIX Messages to one or more packet headers, characteristics, and Collecting Processes = the export Packet Treatment observed at one or protocol more Observation Points. – NetFlow export version 5, (version – Traditional NetFlow 7), version 8 – Flexible NetFlow – NetFlow export version 9 – Metric Mediation Agent (Mediation – IPFIX (RFC 7011), which is function exporting performance version 10 (NetFlow version 9 + 1) metrics) – and some others • Exporting Process versus Metering Process are IPFIX (IP Flow Information eXport) terms: the NetFlow term doesn’t make the distinction BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public Exporting Process versus Metering Process and NetFlow Evolution Use cases evolution and hence information elements evolution + Different sources of information (different metering processes) => we need some aggregation Export and correlation in the router => we need a super metering Metric Mediation process: the Metric Mediation Agent Agent Infrastructure Perf PA FNF NBAR2 QoS PfR firewall WAAS Mon (ART) BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 10 NetFlow Partners Traffic Analysis Denial of Service Billing CS-Mars http://www.cisco.com/en/US/prod/iosswrel/ps6537/ps6555/ps6601/networking_solutions_products_genericcontent0900aecd805ff728.html BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 11 Agenda • Introduction • NetFlow Version 9 (with Traditional NetFlow) • Flexible NetFlow • NetFlow for Security • NetFlow for Application Visibility and Control • NetFlow & IPv6 • NetFlow Performance • NetFlow Standardization • Support Matrix • Conclusion BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 15 NetFlow Version 9 • Version 9 is an export protocol – No changes to the metering process • Version 9 is based on templates and separate flow records – Templates expressing type and length – Flow records expressing template ID and list of values – Sent the template regularly (configurable), because of UDP • Support: 800, 1700, ISR (1800, 2800, 3800), ISR-G2 (1900, 2900, 3900), 2600, 3200, 3600, 3750, 4400, cat 3850, cat4500 , cat6500, 5760 (wireless controller), Cloud Services Router CSR-1000v, 7200, 7300, 7500, 7600, 10000, 12000 (IOS and IOS-XR), CRS-1, ASR 1000, ASR 9000, ASA 5580, Nexus 7000 and Nexus 1000V • RFC3954 Cisco Systems® NetFlow Services Export Version 9 – NetFlow patent: intellectual property right statement at the IETF website BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 16 NetFlow Version 9 Export Packet Template 1 Template 2 Template FlowSet Data FlowSet Data FlowSet H FlowSet ID #1 FlowSetFlowSet ID ID#1 #2 E Template Template Record Record Data Data Data A Template ID Template Record Record Record D #1 ID #2 (Field (Field (Field E (Specific (Specific Field Field Values) Values) Values) R Types and Types and Lengths) Lengths) BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 17 NetFlow Version 9 Export Packet Options Template FlowSet Specifies the Scope: Cache, System, Template, etc. Template 3 Options Data FlowSet H Template FlowSet FlowSet ID #3 E Option Option Option Template Record A Data Data Template Record Record D ID #3 (Specific Scope, E (Field (Field Field Types Values) Values) R and Lengths) BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 18 Interface Name Export with NetFlow Version 9 • Example of options template FlowSet: NetFlow exports the ifIndex • Instead of the collector polling the ifName MIB variable for a specific ifIndex, the matching (ifIndex, ifName) is sent in an option data record Router(config)# ip flow-export interface-names • Note: with Flexible NetFlow, Router(config)# option interface-table timeout <time> BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 19 Traditional NetFlow + NetFlow v9 Configuration router(config)# ip flow-export version [5|9] [origin-as|peer-as] [bgp-nexthop] router(config)# ip flow-export template options export-stats router(config)# ip flow-export template options timeout-rate 5 router(config)# ip flow-export template options refresh-rate 20 router(config)# ip flow-export template timeout-rate 5 router(config)# ip flow-export template refresh-rate 20 router(config)# ip flow-export destination 10.10.10.10 9996 (Options)(Options) Templates Templates Sent SentEvery Every Five Five Minutes Minutes • Should you export traditional NetFlow with or Every 20 Packets NetFlow Version 5 or Version 9? or 20 Packets BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 20 Agenda • Introduction • NetFlow Version 9 (with Traditional NetFlow) • Flexible NetFlow • NetFlow for Security • NetFlow for Application Visibility and Control • NetFlow & IPv6 • NetFlow Performance • NetFlow Standardization • Support Matrix • Conclusion BRKNMS-3132 © 2015 Cisco and/or its affiliates. All rights reserved.
Load more

Recommended publications
  • Ngenius Collector Appliance Scalable, High-Capacity Appliance for Collection of Cisco Netflow and Other Flow Data
    l DATA SHEET l nGenius Collector Appliance Scalable, High-Capacity Appliance for Collection of Cisco NetFlow and Other Flow Data Product Overview HIGHLIGHTS Deployed at key traffic aggregation locations, nGenius® Collectors extend the reach of the nGeniusONE® Service Assurance solution and are used primarily to generate flow‑based • Measure service responsiveness across statistics (metadata) in memory for specific traffic types. This NETSCOUT data source collects the network with up to 500 Cisco IP SLA metadata on IP SLA and IPPING protocols, flow data from NetFlow routers, link‑level statistics, synthetic transaction tests and utilization data from MIB‑II routers. • Scalable collection of up to 2 million Cisco NetFlow, IPFIX, Juniper J-Flow, Huawei® Listening passively on an Ethernet wire, nGenius Collectors examine specific traffic collected NetStream and sFlow flows per minute from flow‑enabled routers and switches (e.g., Cisco® NetFlow, Juniper® J-Flow, sFlow®, ® • Captures and stores Flow datagrams for NetStream ) and from IP SLA test results to generate a variety of statistics. In addition, Collectors historical deep-dive analysis can be configured to capture datagrams from Flow‑enabled routers and analyze them via datagram capture, which allows users to perform in‑depth capture and filtering. • Collects Flow data from up to 5,000 flow‑enabled router or switch interfaces Metrics from nGenius Collectors are retrieved through a managing nGenius for Flows Server per appliance for analysis, enabling display of utilization metrics, quality of service (QoS) breakdowns, and • Supports both IPv4 and IPv6 environments application breakdowns in nGenius for Flows and other tools in the nGeniusONE Service • Purpose-built hardware and virtual Assurance Solution.
    [Show full text]
  • Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide, Release 5.3.X
    Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide, Release 5.3.x First Published: 2015-01-12 Last Modified: 2015-08-27 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]
  • Netflow Traffic Analyzer Real-Time Network Utilization and Bandwidth Monitoring
    DATASHEET NetFlow Traffic Analyzer Real-Time Network Utilization and Bandwidth Monitoring An add-on to Network Performance Monitor (NPM), SolarWinds® NetFlow DOWNLOAD FREE TRIAL Traffic Analyzer (NTA) is a multi-vendor flow analysis tool designed to proactively reduce network downtime. NTA delivers actionable insights Fully Functional to help IT pros troubleshoot and optimize spend on bandwidth by better for 30 Days understanding the who, what, and where of traffic consumption. Solve practical operational infrastructure problems with actionable insights and save money with informed network investments. WHY CHOOSE NETFLOW TRAFFIC ANALYZER? • NTA collects and analyzes flow data from multiple vendors, including NetFlow v5 and v9, Juniper® J-Flow™, sFlow®, Huawei® NetStream™, and IPFIX. • NTA alerts you to changes in application traffic or if a device stops sending flow data. • NTA supports advanced application recognition with Cisco® NBAR2. • NTA shows pre- and post-policy CBQoS class maps, so you can optimize your CBQoS policies. • NTA can help you identify malicious or malformed traffic with port 0 monitoring. • NTA includes WLC network traffic analysis so you can see what’s using your wireless bandwidth. • NTA supplements Network Performance Monitor by helping to identify the cause of high bandwidth. Built on the Orion® Platform, NTA provides the ability to purchase and fully integrate with additional network monitoring modules (config management, WAN management, VoIP, device tracking, IP address management), as well as systems, storage, and virtualization management in a single web console. page 1 DATASHEET: NETFLOW TRAFFIC ANALYZER FEATURES New! VMware vSphere Distributed Switch (VDS) Support Comprehensive support for the VMware VDS, providing visibility within the switch fabric to your east-west VM traffic to help IT pros avoid service impacts when moving workloads.
    [Show full text]
  • Netflow Optimizer™
    NetFlow Optimizer™ Installation and Administration Guide Version 2.4.7 (Build 2.4.7.0.23) January 2017 © Copyright 2013-2017 NetFlow Logic Corporation. All rights reserved. Patents both issued and pending. Contents Overview ....................................................................................................................................................................... 3 How NetFlow Optimizer Works .................................................................................................................................. 3 How NFO Updater Works .......................................................................................................................................... 3 NetFlow Optimizer Installation Guide ......................................................................................................................... 4 Before You Install NFO ................................................................................................................................................ 4 Pre-Installation Checklist ........................................................................................................................................... 4 Minimum Requirements ............................................................................................................................................. 4 Supported Platforms .............................................................................................................................................. 4 Virtual Hardware
    [Show full text]
  • Cisco ASR 9000 Series Aggregation Services Router MPLS Configuration Guide Cisco IOS XR Release 3.7.2 March 2009
    Cisco ASR 9000 Series Aggregation Services Router MPLS Configuration Guide Cisco IOS XR Release 3.7.2 March 2009 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Customer Order Number: OL-17241-01 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]
  • Flow-Tools Tutorial
    Flow-tools Tutorial SANOG 6 Bhutan Agenda • Network flows • Cisco / Juniper implementation – NetFlow • Cisco / Juniper Configuration • flow-tools programs overview and examples from Abilene and Ohio- Gigapop Network Flows • Packets or frames that have a common attribute. • Creation and expiration policy – what conditions start and stop a flow. • Counters – packets,bytes,time. • Routing information – AS, network mask, interfaces. Network Flows • Unidirectional or bidirectional. • Bidirectional flows can contain other information such as round trip time, TCP behavior. • Application flows look past the headers to classify packets by their contents. • Aggregated flows – flows of flows. Unidirectional Flow with Source/Destination IP Key % telnet 10.0.0.2 10.0.0.1 login: 10.0.0.2 Active Flows Flow Source IP Destination IP 1 10.0.0.1 10.0.0.2 2 10.0.0.2 10.0.0.1 Unidirectional Flow with Source/Destination IP Key % telnet 10.0.0.2 % ping 10.0.0.2 login: 10.0.0.1 10.0.0.2 ICMP echo reply Active Flows Flow Source IP Destination IP 1 10.0.0.1 10.0.0.2 2 10.0.0.2 10.0.0.1 Unidirectional Flow with IP, Port,Protocol Key % telnet 10.0.0.2 % ping 10.0.0.2 login: 10.0.0.1 10.0.0.2 ICMP echo reply Active Flows Flow Source IP Destination IP prot srcPort dstPort 1 10.0.0.1 10.0.0.2 TCP 32000 23 2 10.0.0.2 10.0.0.1 TCP 23 32000 3 10.0.0.1 10.0.0.2 ICMP 0 0 4 10.0.0.2 10.0.0.1 ICMP 0 0 Bidirectional Flow with IP, Port,Protocol Key % telnet 10.0.0.2 % ping 10.0.0.2 login: 10.0.0.1 10.0.0.2 ICMP echo reply Active Flows Flow Source IP Destination IP prot srcPort
    [Show full text]
  • Brocade Vyatta Network OS Data Sheet
    DATA SHEET Brocade Vyatta Network OS HIGHLIGHTS A Network Operating System for the Way Forward • Offers a proven, modern network The Brocade® Vyatta® Network OS lays the foundation for a flexible, easy- operating system that accelerates the adoption of next-generation to-use, and high-performance network services architecture capable of architectures meeting current and future network demands. The operating system was • Creates an open, programmable built from the ground up to deliver robust network functionality that can environment to enhance be deployed virtually or as an appliance, and in concert with solutions differentiation, service quality, and from a large ecosystem of vendors, to address various Software-Defined competitiveness Networking (SDN) and Network Functions Virtualization (NFV) use cases. • Supports a broad ecosystem for With the Brocade Vyatta Network OS, organizations can bridge the gap optimal customization and service between traditional and new architectures, as well as leverage existing monetization investments and maximize operational efficiencies. Moreover, they can • Simplifies and automates network compose and deploy unique, new services that will drive differentiation functions to improve time to service, increase operational efficiency, and and strengthen competitiveness. reduce costs • Delivers breakthrough performance flexibility, performance, and operational and scale to meet the needs of any A Proven, Modern Operating efficiency, helping organizations create deployment System The Brocade Vyatta Network OS new service offerings and value. Since • Provides flexible deployment options separates the control and data planes in 2012, the benefits of this operating to support a wide variety of use cases software to fit seamlessly within modern system have been proven by the Brocade SDN and NFV environments.
    [Show full text]
  • Introduction to Netflow
    Introduction to Netflow Campus Network Design & Operations Workshop These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated 14th December 2018 Agenda • Netflow – What it is and how it works – Uses and applications • Generating and exporting flow records • Nfdump and NfSen – Architecture – Usage • Lab What is a Network Flow • A set of related packets • Packets that belong to the same transport connection. e.g. – TCP, same src IP, src port, dst IP, dst port – UDP, same src IP, src port, dst IP, dst port – Some tools consider "bidirectional flows", i.e. A->B and B->A as part of the same flow http://en.wikipedia.org/wiki/Traffic_flow_(computer_networking) Simple flows = Packet belonging to flow X = Packet belonging to flow Y Cisco IOS Definition of a Flow • Unidirectional sequence of packets sharing: – Source IP address – Destination IP address – Source port for UDP or TCP, 0 for other protocols – Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols – IP protocol – Ingress interface (SNMP ifIndex) – IP Type of Service IOS: which of these six packets are in the same flows? Src IP Dst IP Protocol Src Port Dst Port A 1.2.3.4 5.6.7.8 6 (TCP) 4001 22 B 5.6.7.8 1.2.3.4 6 (TCP) 22 4001 C 1.2.3.4 5.6.7.8 6 (TCP) 4002 80 D 1.2.3.4 5.6.7.8 6 (TCP) 4001 80 E 1.2.3.4 8.8.8.8 17 (UDP) 65432 53 F 8.8.8.8 1.2.3.4 17 (UDP) 53 65432 IOS: which of these six packets are in the same flows? Src IP Dst IP Protocol Src Port Dst Port A 1.2.3.4 5.6.7.8 6 (TCP) 4001 22 B 5.6.7.8 1.2.3.4 6 (TCP) 22 4001 C 1.2.3.4 5.6.7.8 6 (TCP) 4002 80 D 1.2.3.4 5.6.7.8 6 (TCP) 4001 80 E 1.2.3.4 8.8.8.8 17 (UDP) 65432 53 F 8.8.8.8 1.2.3.4 17 (UDP) 53 65432 What about packets “C” and “D”? Flow Accounting • A summary of all the packets seen in a flow (so far): – Flow identification: protocol, src/dst IP/port..
    [Show full text]
  • Cisco Services Cisco Service Provider Architecture Applications
    Security at the Speed of the Network: Automating and Accelerating Security Through SDN and NfV BRKSEC-2760 Hantzley Tauckoor – CISSP #472723, CCDE #2015::43 Consulting Systems Engineer – MANO & Programmability Global Virtual Engineering, Cisco Systems ./about_me Hantzley Tauckoor Consulting Systems Engineer – MANO & Programmability Global Virtual Engineering, Cisco Systems linkedin.com/in/hantzley Twitter: @hantzley [email protected] Agenda • Security from the Service Provider perspective • Putting SDN/NFV to work – DDoS • Automating Security in the SP Data Centre • Generating new revenue streams with hosted security services • SDN & NFV Infrastructure Security • Summary Agenda • Security from the Service Provider perspective • Putting SDN/NFV to work - DDoS • Automating Security in the SP Data Centre • Generating new revenue streams with hosted security services • SDN & NFV Infrastructure Security • Summary Security from the Service Provider Perspective Trends: New Opportunities … The world has gone mobile Traffic growth, driven by video 120,000 Other (43%, 25%) 10XDynamic Mobile Traffic Growth Threat100,000 LandscapeInternet Video (57%, 75%) From 2013-2019 80,000 Changing 23% Global Customer 60,000 CAGR 40,000 2013- 2018 Expectations Ubiquitous Access to Apps & Services 20,000 Petabytes Petabytes per Month 0 2013 2014 2015 2016 2017 2018 Rise of cloud computingIncreasing ThreatMachine Sophistication-to-Machine Risks to Service ProvidersEmergence of the Internet of Everything Soon to and Their Customers Change SP Architectures/ Changing
    [Show full text]
  • Conntrack, Netfilter, Netflow and NAT Under Linux
    Xurble conntrack, Netfilter, NetFlow and NAT under Linux Oliver Gorwits 9th February 2010 Milton Keynes Perl Mongers 1 “Policy Compliance” • We have legal obligations • Avoiding the courts ✔ • Avoiding the newspapers ✔ 2 (alleged) Copyright Violations Subject: File-sharing of unauthorised content owned by Twentieth Century Fox From: [email protected] Dear Oxford University: Twentieth Century Fox Film Corporation, located in Los Angeles, and its affiliated companies (collectively, 'Fox') own intellectual property rights, including exclusive rights protected under copyright laws, in many motion pictures, television programs and other audio-visual works, including the motion picture AVATAR (collectively, the 'Fox Titles'). Fox conducted an online check by scanning public networks and discovered that your Oxford University internet account was used to access and distribute an unauthorised copy of AVATAR. By distributing Fox content without Fox's permission, you infringed Fox's copyright. Here is the information Fox obtained from the online check: Timestamp of report: 07 Feb 2010 23:12:44 GMT Title details: Avatar (2009) PROPER TS XviD-MAXSPEED IP address: 163.1.xxx.yyy Port ID: 30854 Protocol used: BitTorrent - L5 Please respond to Fox and identify what steps you have taken to resolve this matter by contacting Fox at [email protected] 3 The Process • So, given: ○Timestamp with Time Zone ○IP address ○TCP port number • We need: ○User’s identity • Usually via: ○Network log-in logs, and DHCP logs 4 Linux network subsystems Kernel conntrack netfilter iptables pietroizzo 5 Network Address/Port Translation O’Reilly 6 State Tracking User Firewall Internet 1 A ✔ 2 B pre-NAT post-NAT • Traditional loggers run two packet captures and correlate the timestamps.
    [Show full text]
  • Ipv6-Security Monitoring
    Security Monitoring ITU/APNIC/MICT IPv6 Security Workshop 23rd – 27th May 2016 Bangkok Last updated 22 July 2014 1 Managing and Monitoring IPv6 Networks p SNMP Monitoring p IPv6-Capable SNMP Management Tools p NetFlow Analysis p Syslog p Keeping accurate time p Intrusion Detection p Managing the Security Configuration 2 Using SNMP for Managing IPv6 Networks 3 What is SNMP? p SNMP – Simple Network Management Protocol p Industry standard, hundreds of tools exist to exploit it p Present on any decent network equipment p Query/response based: GET / SET p Monitoring generally uses GET p Object Identifiers (OIDs) p Keys to identify each piece of data p Concept of MIB (Management Information Base) p Defines a collection of OIDs What is SNMP? p Typical queries n Bytes In/Out on an interface, errors n CPU load n Uptime n Temperature or other vendor specific OIDs p For hosts (servers or workstations) n Disk space n Installed software n Running processes n ... p Windows and UNIX have SNMP agents What is SNMP? p UDP protocol, port 161 p Different versions n v1 (1988) – RFC1155, RFC1156, RFC1157 p Original specification n v2 – RFC1901 ... RFC1908 + RFC2578 p Extends v1, new data types, better retrieval methods (GETBULK) p Used is version v2c (simple security model) n v3 – RFC3411 ... RFC3418 (w/security) p Typically we use SNMPv2 (v2c) SNMP roles p Terminology: n Manager (the monitoring station) n Agent (running on the equipment/server) How does it work? p Basic commands n GET (manager → agent) p Query for a value n GET-NEXT (manager → agent) p Get next value (e.g.
    [Show full text]
  • White Paper Netflow Generation Security Value Proposition
    WHITE PAPER Leveraging NetFlow Generation for Maximum Security Value Overview This kind of sparse traffic record is enough to establish trends for network and application performance, but it’s a non-starter for Cisco introduced NetFlow in 1996 as a way to monitor packets security analytics. Advanced persistent threats (APTs) can operate as they enter and exit networking device interfaces. The aim is low and slow on the network, moving laterally and communicating to gain insight and resolve congestion. Typical information in a with command and control sites over long periods of time (days, NetFlow record reveals traffic source and destination, as well months or longer). The key to spotting anomalous traffic is looking as protocol or application, time stamps, and number of packets. for hard-to-spot patterns over the complete network activity Although NetFlow was initially not on a standards track, it has picture. Naturally, looking at a fraction of packet records severely been superseded by the Internet Protocol Flow Information hampers the breadth and accuracy of the analysis. eXport (IPFIX), which is based on the NetFlow Version 9 implementation, and is on the IETF standards track with RFC 5101, Here are the drawbacks of generating NetFlow records using RFC 5102. networking gear: As organizations refocus network security efforts on insider 1. NetFlow generation can degrade router and switch threats and detection of compromise, NetFlow provides rich and performance important contextual information about the traffic, augmenting 2. To manage the impact on performance, networking devices analysis in order to determine where compromise has occurred. may give sampled NetFlow or just drop packets This takes NetFlow out of the traditional realm of use for 3.
    [Show full text]