NetFlow use casesICmyNet / NetVizura

Miloš Zeković,milos.zekovic@soneco.rs

ICmyNet Chief Customer Officer

Soneco d.o.o. Serbia

2 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

Agenda

ICmyNet / NetVizura overview

Use cases / case studiesStatistics per exporter/interfaces

Traffic Patterns – NREN case study

DoS Attack – case study

Statistics with no netflow capable device – case study

Other use cases

Questions

3 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

ICmyNet / NetVizura

ICmyNet → NetVizura: Rebranding in progress

NetFlow Analyzer (ICmyNet.Flow)Statistics per Traffic Patterns and subnets

Statistics per exporter/interfaces (v4)

Statistics for each node, IP hierarchy

More at www.icmynet.com

Free Academic Network Program

4 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

Exporter/interface statistic

NetFlow enabled:All significant exporters and their interfaces

All on ingress or egress

Top exporters and interfaces

Top talkers by interface, host, service, …Throughput and Volume

Bit/s, packet/s, flow/s

In/Out + dst/src (host, services, AS)

5 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

Exporter/interface statistic (2)

6 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

NREN CS - challenge

AMRES, Serbian NREN150+ member organisations

150 000 active users

Traffic Analysis per memberGeographically dispersed

Hierarchical network: regions, cities, institutions

IP address/subnet != member

Archive network logs for 1 year

7 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

NREN CS - Solution

DeploymentCisco NetFlow enabled on 2 central routers

ICmyNet.Flow installed on 1 server

Configuration of ICmyNet.FlowMembers = subnets and Subnet Sets

Specific traffic isolated with Traffic Patterns

NetFlow records in Raw Data

8 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

NREN CS - Solution (2)

Traffic Pattern

Specific traffic between two networks

9 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

NREN CS - Solution (3)

10 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

NREN CS – solution (4)

11 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

NREN CS – Solution (3)

12 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

NREN CS - Results

Two NetFlow devices – full network statistic

Statistic per memberStatistic independent to network topology

Bandwidth utilization understanding

Increased security awareness

13 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

DoS Attack CS

14 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

DoS Attack CS (2)

15 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

DoS Attack CS (3)

16 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

DoS Attack CS (4)

17 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

DoS Attack CS (5)

Charts:Bits and packets traffic looks normal

Flows traffic shows an anomaly

Anomaly related to UDP protocol and DNS service

Host identified (top talker for DNS flows)

Raw Data:Filtered by host, protocol and service port

Grouped by destination IP addresses

18 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

DoS Attack CS – results (6)

Isolated destinationswith large number of DNS conversations

In several clicks:Attacker discovered

Type of attack determined

Victims identified

19 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

No NetFlow devices CS - challenge

DZ Palilula, primary healthcare center, SerbiaOne main clinic with local clinic network

Centralized Healthcare software system

Access through server in main clinic

Leased network devices (L3VPN)No NetFlow enabled devices

No device access

Privacy issues - patient medical data

20 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

No NetFlow devices CS - solution

NetFlow probe - SoftFlowdinstalled on two server interfaces: to clinics and to database

Netflow data exported to ICmyNet ServerPrivacy - NetFlow only monitors statistic, not traffic content

Local clinics identified by IP addressesSubnets for each clinic and their department

Service/Application monitorTraffic Pattern for each service/application of interest

21 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

No NetFlow devices CS - Results

NetFlow statistics without NetFlow devicesNo devices purchased

Statistics per clinic and department

Statistics per service of interest

Better planning for future leased links and speedMost active personnel and departments identified

Periods of most activity identified

L3VPN link speed optimization per clinic

Better service reliability

22 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

Other use cases

AlarmsThreshold basedFaster reaction

Reaction when needed

ConversationsIdentify top End to end talkers

Bandwidth managementMonitor specific services or traffic (Viber, YouTube etc.)

Implement QoS policies

23 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

Other use cases (2)

Blocked trafficInterface out is 0 (traffic pattern)

Firewall check

Mitigated attacks check

“Rare” protocolsMonitor protocols other than TCP and UDP (99%)

Specific portsMost attacks utilize open ports on several applications

24 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

Question time

Questions?

25 / 26Miloš ZekovićICmyNet Chief Customer OfficerSoneco, d.o.o. Serbia

8th September 2014

Thank you

NetFlow use casesICmyNet / NetVizura

Miloš Zeković,milos.zekovic@soneco.rs

ICmyNet Chief Customer Officer

Soneco d.o.o. Serbia