NetFlow use cases - TERENA · NetFlow Analyzer (ICmyNet.Flow) Statistics per Traffic Patterns and...
NetFlow use cases
ICmyNet / NetVizura
Miloš Zeković, [email protected]
ICmyNet Chief Customer Officer
Soneco d.o.o. Serbia
2 / 26 Miloš Zeković, ICmyNet Chief Customer Officer, Soneco, d.o.o. Serbia
8th September 2014
Agenda
ICmyNet / NetVizura overview
Use cases / case studies
Statistics per exporter/interfaces
Traffic Patterns – NREN case study
DoS Attack – case study
Statistics with no NetFlow-capable device – case study
Other use cases
Questions
ICmyNet / NetVizura
ICmyNet → NetVizura: Rebranding in progress
NetFlow Analyzer (ICmyNet.Flow)
Statistics per Traffic Patterns and subnets
Statistics per exporter/interfaces (v4)
Statistics for each node, IP hierarchy
More at www.icmynet.com
Free Academic Network Program
Exporter/interface statistics
NetFlow enabled:
All significant exporters and their interfaces
All on ingress or egress
Top exporters and interfaces
Top talkers by interface, host, service, …
Throughput and Volume
Bit/s, packet/s, flow/s
In/Out + dst/src (host, services, AS)
Exporter/interface statistics (2)
NREN CS - challenge
AMRES, Serbian NREN
150+ member organisations
150 000 active users
Traffic Analysis per member
Geographically dispersed
Hierarchical network: regions, cities, institutions
IP address/subnet != member
Archive network logs for 1 year
NREN CS - Solution
Deployment
Cisco NetFlow enabled on 2 central routers
ICmyNet.Flow installed on 1 server
Configuration of ICmyNet.Flow
Members = subnets and Subnet Sets
Specific traffic isolated with Traffic Patterns
NetFlow records in Raw Data
NREN CS - Solution (2)
Traffic Pattern
Specific traffic between two networks
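The configuration described on the "NREN CS - Solution" slides (members defined as subnets and subnet sets, a Traffic Pattern isolating specific traffic between two networks) can be reproduced on raw NetFlow records in a few lines. The following is an added example, not ICmyNet.Flow or NetVizura code; the record layout, the member subnets (private 10.x ranges), the "internal <-> external" pattern and the sample flows are all constructed for illustration.

```python
"""Added example (not ICmyNet.Flow / NetVizura code): per-member statistics
from NetFlow records using member subnet sets and a traffic pattern.

Everything here is constructed for illustration: the record layout, the
member subnets (private 10.x ranges) and the "internal <-> external" pattern.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int
    bytes: int
    packets: int


# Members = subnets. A member may own several subnets (a "subnet set"),
# so a member is not the same thing as one IP address or one subnet.
MEMBERS = {
    "university-a": [ip_network("10.1.0.0/16"), ip_network("10.3.0.0/24")],
    "institute-b": [ip_network("10.2.0.0/16")],
}
# The NREN's whole address space (constructed); used to define the pattern.
INTERNAL = ip_network("10.0.0.0/8")


def member_of(ip):
    """Map an address to the member whose subnet set contains it (or None)."""
    addr = ip_address(ip)
    for name, nets in MEMBERS.items():
        if any(addr in net for net in nets):
            return name
    return None


def classify(flow, internal=INTERNAL):
    """Traffic pattern 'internal <-> external': keep only flows that cross
    between the internal network and the outside world.

    Returns (member, 'in'|'out') or None when the flow is outside the pattern.
    'in' means traffic flowing towards the member."""
    s_in = ip_address(flow.src) in internal
    d_in = ip_address(flow.dst) in internal
    if s_in == d_in:
        return None  # internal-internal or external-external: not in pattern
    if d_in:
        return member_of(flow.dst), "in"
    return member_of(flow.src), "out"


def per_member_stats(flows, internal=INTERNAL):
    """Bytes in/out and flow count per member, independent of which exporter
    or interface saw the flow."""
    stats = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0, "flows": 0})
    for f in flows:
        hit = classify(f, internal)
        if hit is None or hit[0] is None:
            continue  # outside the pattern, or internal space not assigned to a member
        member, direction = hit
        stats[member][direction + "_bytes"] += f.bytes
        stats[member]["flows"] += 1
    return dict(stats)


# Constructed sample records (addresses from private / documentation ranges).
SAMPLE_FLOWS = [
    Flow("10.1.5.7", "198.51.100.9", 6, 443, 120_000, 100),       # university-a, out
    Flow("198.51.100.9", "10.1.5.7", 6, 51000, 2_400_000, 1800),  # university-a, in
    Flow("10.2.0.4", "203.0.113.20", 17, 53, 600, 5),             # institute-b, out
    Flow("10.1.5.7", "10.2.0.4", 6, 22, 50_000, 40),              # internal-internal: ignored
    Flow("10.3.0.9", "203.0.113.50", 6, 80, 8_000, 12),           # university-a (2nd subnet), out
    Flow("10.9.9.9", "203.0.113.50", 6, 80, 1_000, 2),            # internal, but no member: ignored
]

if __name__ == "__main__":
    for member, s in per_member_stats(SAMPLE_FLOWS).items():
        print(member, s)
```

Because membership is decided by subnet set rather than by exporter or interface, the same function gives per-member totals whether the records came from one or both central routers; a real deployment additionally has to deduplicate flows that both routers export, which this example does not attempt.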
NREN CS - Solution (3)
NREN CS – solution (4)
NREN CS – Solution (3)
NREN CS - Results
Two NetFlow devices – full network statistics
Statistics per member
Statistics independent of network topology
Bandwidth utilization understanding
Increased security awareness
DoS Attack CS
DoS Attack CS (2)
DoS Attack CS (3)
DoS Attack CS (4)
DoS Attack CS (5)
Charts:
Bits and packets traffic looks normal
Flows traffic shows an anomaly
Anomaly related to UDP protocol and DNS service
Host identified (top talker for DNS flows)
Raw Data:
Filtered by host, protocol and service port
Grouped by destination IP addresses
DoS Attack CS – results (6)
Isolated destinations with a large number of DNS conversations
In several clicks:
Attacker discovered
Type of attack determined
Victims identified
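The investigation on the "DoS Attack CS (5)" and "results (6)" slides follows a fixed sequence: the bit/s and packet/s charts look normal, the flows chart shows the spike, the spike is tied to UDP/53, the top talker by DNS flows is identified, and Raw Data filtered by host, protocol and port is grouped by destination. The script below is an added example that reproduces that sequence on constructed NetFlow-style records; it is not ICmyNet.Flow or NetVizura code, and the record layout, addresses, interval length and the 3x / 2x thresholds are assumptions chosen for the sample data.

```python
"""Added example (not ICmyNet.Flow / NetVizura code): the DoS case-study
workflow on constructed NetFlow-style records.

Step 1 charts bits, packets and flows per interval and flags intervals
where the flow count spikes while bits and packets stay near baseline.
Step 2 finds the top talker by number of UDP/53 flows inside that interval.
Step 3 is the raw-data drill-down: that host's DNS flows grouped by destination.
All records, addresses and thresholds are constructed for this example.
"""
from collections import Counter, defaultdict
from statistics import median

UDP = 17
DNS_PORT = 53


def bucket_stats(records, interval=60):
    """Per-interval totals of bits, packets and flow count (the three charts)."""
    buckets = defaultdict(lambda: {"bits": 0, "packets": 0, "flows": 0})
    for r in records:
        start = (r["ts"] // interval) * interval
        buckets[start]["bits"] += r["bytes"] * 8
        buckets[start]["packets"] += r["packets"]
        buckets[start]["flows"] += 1
    return dict(sorted(buckets.items()))


def flow_anomalies(buckets, flow_ratio=3.0, volume_ratio=2.0):
    """Intervals whose flow count exceeds flow_ratio x the median while bits
    and packets stay under volume_ratio x their medians: many tiny flows,
    which the bit/s and packet/s charts do not reveal."""
    if len(buckets) < 3:
        return []
    med = {k: median(v[k] for v in buckets.values())
           for k in ("bits", "packets", "flows")}
    return [t for t, v in buckets.items()
            if v["flows"] > flow_ratio * med["flows"]
            and v["bits"] < volume_ratio * med["bits"]
            and v["packets"] < volume_ratio * med["packets"]]


def top_dns_talker(records, start, interval=60):
    """(host, flow count) for the source with the most UDP/53 flows in the interval."""
    counts = Counter(r["src"] for r in records
                     if start <= r["ts"] < start + interval
                     and r["proto"] == UDP and r["dport"] == DNS_PORT)
    return counts.most_common(1)[0] if counts else None


def dns_destinations(records, host):
    """Raw-data step: filter by host, protocol and service port, group by dst."""
    counts = Counter(r["dst"] for r in records
                     if r["src"] == host and r["proto"] == UDP
                     and r["dport"] == DNS_PORT)
    return counts.most_common()


def build_sample():
    """Seven one-minute intervals of normal traffic plus, in the last one,
    a burst of 60 small DNS flows from one host to three destinations."""
    recs = []
    for t in range(0, 420, 60):
        recs.append({"ts": t + 1, "src": "10.1.0.10", "dst": "198.51.100.5",
                     "proto": 6, "dport": 443, "bytes": 1_000_000, "packets": 800})
        for i in range(5):  # ordinary resolver lookups from five clients
            recs.append({"ts": t + 2 + i, "src": f"10.1.0.{20 + i}", "dst": "10.1.0.2",
                         "proto": UDP, "dport": DNS_PORT, "bytes": 120, "packets": 1})
    burst_start = 360
    for i in range(60):
        target = "203.0.113.1" if i < 30 else "203.0.113.2" if i < 50 else "203.0.113.3"
        recs.append({"ts": burst_start + (i % 50), "src": "10.1.5.7", "dst": target,
                     "proto": UDP, "dport": DNS_PORT, "bytes": 80, "packets": 1})
    return recs


SAMPLE = build_sample()

if __name__ == "__main__":
    charts = bucket_stats(SAMPLE)
    for t in flow_anomalies(charts):
        host, n = top_dns_talker(SAMPLE, t)
        print(f"interval {t}: {n} DNS flows from {host}")
        print(dns_destinations(SAMPLE, host))
```

The point the slides make is visible in the numbers: the burst adds only a few kilobits and a few dozen packets to an interval carrying a megabyte of normal traffic, so only the flow-count chart changes. The same three functions are what an analyst would run against exported raw data to reach the attacker, attack type and victim list.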
No NetFlow devices CS - challenge
DZ Palilula, primary healthcare center, Serbia
One main clinic with local clinic network
Centralized Healthcare software system
Access through server in main clinic
Leased network devices (L3VPN)
No NetFlow enabled devices
No device access
Privacy issues - patient medical data
No NetFlow devices CS - solution
NetFlow probe - SoftFlowd
Installed on two server interfaces: to clinics and to database
NetFlow data exported to ICmyNet Server
Privacy - NetFlow only monitors statistics, not traffic content
Local clinics identified by IP addresses
Subnets for each clinic and their department
Service/Application monitor
Traffic Pattern for each service/application of interest
No NetFlow devices CS - Results
NetFlow statistics without NetFlow devices
No devices purchased
Statistics per clinic and department
Statistics per service of interest
Better planning for future leased links and speed
Most active personnel and departments identified
Periods of most activity identified
L3VPN link speed optimization per clinic
Better service reliability
Other use cases
Alarms
Threshold based
Faster reaction
Reaction when needed
Conversations
Identify top end-to-end talkers
Bandwidth management
Monitor specific services or traffic (Viber, YouTube etc.)
Implement QoS policies
Other use cases (2)
Blocked traffic
Interface out is 0 (traffic pattern)
Firewall check
Mitigated attacks check
“Rare” protocols
Monitor protocols other than TCP and UDP (99%)
Specific ports
Most attacks utilize open ports on several applications
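The "Other use cases (2)" slide lists three checks an operator can turn into threshold alarms: a traffic pattern whose outbound side is zero (a firewall dropping the traffic, or a mitigated attack), the share of protocols other than TCP and UDP, and flows towards specific ports. The following added example implements all three over constructed flow records and pattern totals; it is not ICmyNet.Flow or NetVizura code, and the watch-list of ports, the 1% threshold and the sample data are assumptions.

```python
"""Added example (not ICmyNet.Flow / NetVizura code): three threshold checks
from the 'other use cases' slide, run over constructed flow records and
traffic-pattern totals.

- blocked traffic: a pattern with inbound volume but zero outbound
  (what you expect to see when a firewall drops or an attack is mitigated)
- rare protocols: share of flows that are neither TCP nor UDP
- specific ports: flows towards a watch-list of service ports
The watch-list, thresholds and sample data are constructed assumptions.
"""
from collections import Counter

TCP, UDP = 6, 17
WATCH_PORTS = {23, 445, 3389}  # constructed watch-list of ports to keep an eye on


def blocked_patterns(pattern_totals):
    """Names of traffic patterns with in_bytes > 0 and out_bytes == 0.
    A pattern with zero on both sides is idle, not blocked."""
    return sorted(name for name, t in pattern_totals.items()
                  if t["in_bytes"] > 0 and t["out_bytes"] == 0)


def rare_protocol_share(flows):
    """Fraction of flows whose IP protocol is neither TCP nor UDP."""
    if not flows:
        return 0.0
    rare = sum(1 for f in flows if f["proto"] not in (TCP, UDP))
    return rare / len(flows)


def rare_protocol_alarm(flows, max_share=0.01):
    """Alarm when non-TCP/UDP traffic exceeds max_share (1% by default,
    since the slide puts TCP plus UDP at about 99% of traffic)."""
    return rare_protocol_share(flows) > max_share


def watched_port_flows(flows, ports=WATCH_PORTS):
    """Per-port count of flows towards ports on the watch-list."""
    return dict(Counter(f["dport"] for f in flows if f["dport"] in ports))


# Constructed traffic-pattern totals (e.g. one day's in/out volume).
PATTERN_TOTALS = {
    "internet-to-web-dmz": {"in_bytes": 5_000_000, "out_bytes": 4_200_000},
    "internet-to-ssh":     {"in_bytes": 9_000, "out_bytes": 0},   # dropped by the firewall
    "backup-vlan":         {"in_bytes": 0, "out_bytes": 0},       # idle, not blocked
}


def _flow(proto, dport):
    return {"proto": proto, "dport": dport}


# Constructed flow records: 17 TCP/UDP flows and 3 non-TCP/UDP flows.
SAMPLE_FLOWS = (
    [_flow(TCP, 443)] * 10 + [_flow(UDP, 53)] * 4
    + [_flow(TCP, 23), _flow(TCP, 23), _flow(TCP, 445)]
    + [_flow(47, 0), _flow(47, 0), _flow(1, 0)]   # GRE, GRE, ICMP
)

if __name__ == "__main__":
    print("blocked patterns:", blocked_patterns(PATTERN_TOTALS))
    print("rare protocol share:", rare_protocol_share(SAMPLE_FLOWS),
          "alarm:", rare_protocol_alarm(SAMPLE_FLOWS))
    print("watched port flows:", watched_port_flows(SAMPLE_FLOWS))
```

Each function returns a value rather than printing, so the same checks can be scheduled against exported statistics and wired to whatever alerting the site already uses; the thresholds should be tuned to a baseline measured on the monitored network rather than taken from this example.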
Question time
Questions?
Thank you
NetFlow use cases
ICmyNet / NetVizura
Miloš Zeković, [email protected]
ICmyNet Chief Customer Officer
Soneco d.o.o. Serbia