Network Monitoring and Measurement


Transcript of Network Monitoring and Measurement

  • 8/10/2019 Network Monitoring and Measurement

    1/22

    Network Monitoring and Measurement and its application in the security field

    Miao Luo, Wei Jiang


    2/22


    3/22

    Motivation

    Needs of service providers:

    -Understand the behavior of their networks

    -Provide fast, high-quality, reliable service to satisfy customers and thus reduce churn rate

    -Plan for network deployment and expansion

    -SLA monitoring, network security

    -Usage-based billing for network users (like telephone calls)

    -Marketing using CRM data

    Needs of customers:

    -Want to get their money's worth

    -Fast, reliable, high-quality, secure, virus-free Internet access


    4/22

    Application

    Network Problem Determination and Analysis

    Traffic Report Generation

    Intrusion & Hacking Attack (e.g., DoS, DDoS) Detection

    Service Level Monitoring (SLM)

    Network Planning

    Usage-based Billing

    Customer Relationship Management (CRM) Marketing


    5/22

    The General Traffic Flow Measurement Process

    (Figure: pipeline diagram) Observation point -> packet capturing -> filtering (other packets are dropped) -> sampling -> classification & flow recording -> flow records. The packets or flow records are then stored (TCPdump), displayed (Ethereal), visualized (FlowScan), or analyzed by applications (TE, attack detection, QoS monitoring, accounting, ...). Filtering and sampling can also be applied to the flow records themselves.


    6/22

    Problems

    Capturing packets:

    -High-speed networks (Mbps → Gbps → Tbps)

    -High-volume traffic

    -Streaming media (Windows Media, Real Media, QuickTime)

    -P2P traffic

    Network Security Attacks

    Flow generation & storage:

    -What packet information to save to perform various analyses?

    -How to minimize storage requirements?

    Analysis:

    -How to analyze and generate the needed data quickly?

    -What kinds of information need to be generated? -- Depends on applications


    7/22

    Goals

    Capture all packets

    Generate flows

    Store flows efficiently

    Analyze data efficiently

    Generate various reports or information suitable for various application areas

    Develop a flexible, scalable traffic monitoring and analysis system for high-speed, high-volume, rich-media IP networks


    8/22

    Network Monitoring Metrics

    CAIDA Metrics Working Group (www.caida.org)

    -Latency

    -Packet Loss

    -Throughput

    -Link Utilization

    -Availability

    IETF's IP Performance Metrics (IPPM) Working Group

    -Connectivity (RFC 2687)

    -One-Way Delay (RFC 2679)

    -One-Way Packet Loss (RFC 2680)

    -Round Trip Delay (RFC 2681)

    -Delay Variation

    -Bulk transfer capacity


    9/22

    Network Monitoring Metrics

    (Figure: metric taxonomy) Availability: connectivity, functionality. Loss: one-way loss, round-trip loss. Delay: one-way delay, round-trip delay, delay variance. Utilization: capacity, bandwidth, throughput.


    10/22


    11/22

    Monitoring Method

    Active Monitoring

    Passive Monitoring


    12/22

    Active Monitoring

    Performed by sending test traffic into the network

    -Generate test packets periodically or on demand

    -Measure performance of test packets or responses

    -Take the statistics

    Imposes extra traffic on the network and distorts its behavior in the process

    Test packets can be blocked by firewalls or processed at low priority by routers

    Mainly used to monitor network performance


    13/22

    Passive Monitoring

    Carried out by observing network traffic

    -Collect packets from a link or network flow from a router

    -Perform analysis on captured packets for various purposes

    -Network device performance degrades with mirroring or flow export

    Used to perform various traffic usage/characterization analyses and intrusion detection


    14/22

    Comparison of Monitoring Approaches

                        Active monitoring             Passive monitoring
    Configuration       Multi-point                   Single or multi-point
    Data size           Small                         Large
    Network overhead    Additional traffic            Device overhead;
                                                      no overhead if a splitter is used
    Purpose             Delay, packet loss,           Throughput, traffic pattern,
                        availability                  trend, and detection
    CPU requirement     Low to moderate               High


    15/22

    Software in Network Monitoring and Management

    EPM

    The ping program

    SNMP servers

    IBM AURORA Network Performance Profiling System

    Intellipool Network Monitor Jumpnode

    Microsoft Network Monitor 3

    MRTG

    Nagios (formerly Netsaint)

    Netdisco

    NetQoS

    NetXMS - Scalable network and application monitoring system


    16/22

    Software in Network Monitoring and Management

    OpenNMS

    PRTG

    Pandora (Free Monitoring System) - Network and Application Monitoring System

    PIKT

    RANCID - monitors router/switch configuration changes

    RRDtool

    siNMs by Siemens

    SysOrb Server & Network Monitoring System

    Sentinet3 - Network and Systems Monitoring Appliance

    ServersCheck Monitoring Software

    Cacti network graphing solution

    Zabbix - Network and Application Monitoring System

    Zenoss - Network and Systems Monitoring Platform

    Level Platforms - Software support for network monitoring


    17/22

    Security Monitoring and Management

    Attack detection and analysis

    -detecting (high volume) traffic patterns

    -investigation of origin of attacks

    Intrusion detection

    -detecting unexpected or illegal packets
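    The flow measurement pipeline from slide 5 (capture, filter, sample, classify into flow records) and the high-volume traffic pattern detection from this slide, as one added Python example that is not part of the original deck. Packet headers are constructed inline; the 1-in-N sampling, the flow record layout and the byte threshold are assumptions of the example.

```python
from collections import defaultdict

# Constructed packet headers, not captured traffic:
# (timestamp, src, dst, proto, sport, dport, length_bytes)
PACKETS = [
    (0.00, "10.0.0.5", "198.51.100.7", "tcp", 40001, 80, 60),
    (0.01, "198.51.100.7", "10.0.0.5", "tcp", 80, 40001, 1500),
    (0.02, "10.0.0.5", "198.51.100.7", "tcp", 40001, 80, 60),
    (0.03, "10.0.0.9", "192.0.2.53", "udp", 5353, 53, 90),
    (0.04, "192.0.2.53", "10.0.0.9", "udp", 53, 5353, 120),
    (0.05, "10.0.0.9", "192.0.2.53", "icmp", 0, 0, 84),
]
# A burst of equal-sized UDP packets from one source: the "high volume" pattern
PACKETS += [(0.10 + i / 1000, "203.0.113.4", "10.0.0.5", "udp", 4444, 53, 1400)
            for i in range(6)]

def filter_packets(packets, keep=("tcp", "udp")):
    """Filtering step: drop the 'other packets' the analysis does not need."""
    return [p for p in packets if p[3] in keep]

def sample_packets(packets, every_n=1):
    """Count-based 1-in-N sampling (assumed scheme); every_n=1 keeps every packet."""
    return packets[::every_n]

def build_flows(packets, every_n=1):
    """Classification & flow recording: one record per 5-tuple.
    Counters are multiplied by the sampling rate to estimate unsampled totals."""
    flows = {}
    for t, src, dst, proto, sport, dport, size in packets:
        rec = flows.setdefault((src, dst, proto, sport, dport),
                               {"packets": 0, "bytes": 0, "first": t, "last": t})
        rec["packets"] += every_n
        rec["bytes"] += size * every_n
        rec["last"] = max(rec["last"], t)
    return flows

def high_volume_sources(flows, byte_threshold):
    """Analysis step: sources whose flow bytes exceed the threshold, largest first."""
    per_src = defaultdict(int)
    for (src, *_), rec in flows.items():
        per_src[src] += rec["bytes"]
    return sorted(((s, b) for s, b in per_src.items() if b > byte_threshold),
                  key=lambda sb: -sb[1])

def measure(packets, every_n=1, byte_threshold=5000):
    """Whole pipeline: capture -> filter -> sample -> flow records -> analysis."""
    flows = build_flows(sample_packets(filter_packets(packets), every_n), every_n)
    return {"packets_seen": len(packets), "flow_records": len(flows),
            "alerts": high_volume_sources(flows, byte_threshold)}
```

    With every_n=2 the pipeline stores three flow records instead of eleven packets and still estimates the burst source at its true 8400 bytes, which is the storage trade-off the "Problems" slide asks about.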


    18/22

    Intrusion detection system

    An intrusion detection system (IDS) generally detects unwanted manipulations of computer systems, mainly through the Internet. The manipulations may take the form of attacks by crackers.

    network intrusion detection system

    protocol-based intrusion detection system

    application protocol-based intrusion detection system

    host-based intrusion detection system

    hybrid intrusion detection system


    19/22

    Protection, Detection and Response

    Real-world security includes prevention, detection, and response.

    No prevention mechanism is perfect.

    Detection and response are not only more cost-effective but also more effective than piling on more prevention.


    20/22

    Our problem

    The three parts of network security are comparatively isolated from each other.

    Can there be a closer combination of them?

    A dynamic scheme between detection and prevention


    21/22

    Detection: NIDS based on pattern recognition, neural networks, honeypots.

    Prevention: filters.

    Response: traceback.


    22/22