Network Monitoring and Measurement
8/10/2019 Network Monitoring and Measurement
1/22
Network Monitoring and Measurement and its application in the security field
Miao Luo, Wei Jiang
-
Motivation
Needs of service providers:
-Understand the behavior of their networks
-Provide fast, high-quality, reliable service to satisfy customers and thus reduce churn rate
-Plan for network deployment and expansion
-SLA monitoring, network security
-Usage-based billing for network users (like telephone calls)
-Marketing using CRM data
Needs of customers:
-Want to get their money's worth
-Fast, reliable, high-quality, secure, virus-free Internet access
-
Application
Network Problem Determination and Analysis
Traffic Report Generation
Intrusion & Hacking Attack (e.g., DoS, DDoS) Detection
Service Level Monitoring (SLM)
Network Planning
Usage-based Billing
Customer Relationship Management (CRM) Marketing
-
The General Traffic Flow Measurement Process
[Figure: pipeline from an observation point on the link to analysis by applications]
Observation point -> Packet capturing (packet = HEAD + PAYLOAD) -> Filtering / Sampling of packets -> Classification & flow recording -> flow records
Outputs of the pipeline:
-Store (TCPdump): packets
-Display (Ethereal): packets
-Filtering / Sampling of flow records -> Visualize (FlowScan)
-Analysis by applications (TE, attack detection, QoS monitoring, accounting, ...): flow records
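The pipeline in the figure, written out as code. This is an added example, not code from the slides: packets are constructed in-line as tuples (a "captured" trace) instead of being read from an interface or a pcap, and the filter, 1-in-N sampler, 5-tuple flow key and idle timeout are the author's assumptions about how the classification stage is configured.

```python
"""Packet -> flow record pipeline: capture, filter, sample, classify, record.

Added example. The packet trace below is constructed, not captured.
"""
from dataclasses import dataclass

# Constructed sample trace: (timestamp, src, dst, proto, sport, dport, bytes)
SAMPLE_PACKETS = [
    (1.00, "10.0.0.5", "93.184.216.34", "tcp", 40001, 443, 60),
    (1.01, "93.184.216.34", "10.0.0.5", "tcp", 443, 40001, 60),
    (1.02, "10.0.0.5", "93.184.216.34", "tcp", 40001, 443, 1500),
    (1.05, "10.0.0.7", "10.0.0.1", "udp", 5353, 53, 80),
    (1.06, "10.0.0.1", "10.0.0.7", "udp", 53, 5353, 120),
    (1.30, "10.0.0.5", "93.184.216.34", "tcp", 40001, 443, 1500),
    (2.40, "10.0.0.9", "10.0.0.1", "icmp", 0, 0, 84),
]


@dataclass
class FlowRecord:
    key: tuple          # (src, dst, proto, sport, dport)
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0


def flow_key(pkt):
    """Classification key: the classic 5-tuple (assumed; other keys are possible)."""
    _, src, dst, proto, sport, dport, _ = pkt
    return (src, dst, proto, sport, dport)


def packet_filter(pkt, protocols=("tcp", "udp")):
    """Filtering stage: keep only the protocols the analysis cares about."""
    return pkt[3] in protocols


def sample_packets(packets, every_n=1):
    """Deterministic 1-in-N packet sampling (every_n=1 keeps everything)."""
    return [p for i, p in enumerate(packets) if i % every_n == 0]


def build_flows(packets, idle_timeout=60.0):
    """Classification & flow recording: aggregate packets into flows.

    A flow is closed (and a fresh record started for the same key) when the
    gap since its last packet exceeds idle_timeout seconds, the way a flow
    exporter expires idle entries from its cache.
    """
    active = {}
    closed = []
    for pkt in sorted(packets, key=lambda p: p[0]):
        ts, size = pkt[0], pkt[6]
        k = flow_key(pkt)
        rec = active.get(k)
        if rec is not None and ts - rec.last_seen > idle_timeout:
            closed.append(active.pop(k))
            rec = None
        if rec is None:
            rec = FlowRecord(key=k, first_seen=ts, last_seen=ts)
            active[k] = rec
        rec.packets += 1
        rec.bytes += size
        rec.last_seen = ts
    closed.extend(active.values())   # flush the cache at end of trace
    return closed


def flow_report(packets):
    """Full pipeline: filter -> sample -> flows -> (key, packets, bytes, duration)."""
    kept = [p for p in packets if packet_filter(p)]
    kept = sample_packets(kept, every_n=1)
    flows = build_flows(kept)
    return [(f.key, f.packets, f.bytes, round(f.last_seen - f.first_seen, 2))
            for f in flows]


if __name__ == "__main__":
    for row in flow_report(SAMPLE_PACKETS):
        print(row)
```

The ICMP packet is dropped by the filter, the three TCP packets from 10.0.0.5 collapse into one 3060-byte flow, and lowering `idle_timeout` to 0.1 s splits that flow in two, which is the storage/fidelity trade-off behind the "how to minimize storage requirements" question on the next slide.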
-
Problems
Capturing packets:
-High-speed networks (Mbps -> Gbps -> Tbps)
-High-volume traffic
-Streaming media (Windows Media, Real Media, QuickTime)
-P2P traffic
-Network security attacks
Flow generation & storage:
-What packet information to save to perform the various analyses?
-How to minimize storage requirements?
Analysis:
-How to analyze and generate the needed data quickly?
-What kinds of information need to be generated? -- Depends on the application
-
Goals
Capture all packets
Generate flows
Store flows efficiently
Analyze data efficiently
Generate various reports or information suitable for various application areas
Develop a flexible, scalable traffic monitoring and analysis system for high-speed, high-volume, rich-media IP networks
-
Network Monitoring Metrics
CAIDA Metrics Working Group (www.caida.org)
-Latency
-Packet Loss
-Throughput
-Link Utilization
-Availability
IETF's IP Performance Metrics (IPPM) Working Group
-Connectivity (RFC 2678)
-One-Way Delay (RFC 2679)
-One-Way Packet Loss (RFC 2680)
-Round-Trip Delay (RFC 2681)
-Delay Variation
-Bulk Transfer Capacity
-
[Figure: taxonomy of network monitoring metrics, reconstructed from the diagram]
Network Monitoring Metrics
-Availability: connectivity, functionality
-Loss: one-way loss, RT (round-trip) loss
-Delay: one-way delay, RT delay, delay variance
-Utilization: capacity, bandwidth, throughput
-
Monitoring Method
Active Monitoring
Passive Monitoring
-
Active Monitoring
Performed by sending test traffic into the network
-Generate test packets periodically or on demand
-Measure the performance of the test packets or their responses
-Take the statistics
Imposes extra traffic on the network and distorts its behavior in the process
Test packets can be blocked by a firewall or processed at low priority by routers
Mainly used to monitor network performance
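"Take the statistics" is where the IPPM metrics from the earlier slide (one-way delay, loss, round-trip delay, delay variation) come from, so here is the statistics step of an active monitor as an added example. It is not code from the slides: no real test packets are sent; the probe log is constructed in-line as (sequence number, send time, receive time), with `None` standing for a probe that never came back, which is exactly what a firewall drop or a low-priority router path looks like from the sender's side. The SLA bounds and the p95 rule are the author's assumptions.

```python
"""Statistics derived from an active monitor's probe stream (added example).

PROBES is a constructed log, not real measurement data. Times are seconds.
"""
import statistics

# Constructed probe log: (seq, sent_at, received_at); None = no reply.
PROBES = [
    (1, 0.000, 0.021),
    (2, 1.000, 1.019),
    (3, 2.000, None),     # lost, or silently dropped by a firewall
    (4, 3.000, 3.045),    # delayed: e.g. low-priority handling at a router
    (5, 4.000, 4.020),
    (6, 5.000, 5.022),
    (7, 6.000, None),
    (8, 7.000, 7.018),
]


def delays(probes):
    """Per-probe delay (the RFC 2679/2681 quantity) for probes that were answered."""
    return [(seq, rx - tx) for seq, tx, rx in probes if rx is not None]


def loss_ratio(probes):
    """Packet loss in the RFC 2680 sense: fraction of probes with no reply."""
    lost = sum(1 for _, _, rx in probes if rx is None)
    return lost / len(probes)


def delay_variation(probes):
    """IP delay variation ("jitter"): difference between the delays of
    consecutive delivered probes, the quantity behind 'delay variance'."""
    d = [dl for _, dl in delays(probes)]
    return [round(b - a, 6) for a, b in zip(d, d[1:])]


def summarize(probes):
    """Take the statistics: delivery count, loss, min/median/max/p95 delay, jitter."""
    d = sorted(dl for _, dl in delays(probes))
    out = {"probes": len(probes), "delivered": len(d),
           "loss_ratio": round(loss_ratio(probes), 4)}
    if not d:                      # every probe lost: no delay statistics exist
        return out
    p95_index = min(len(d) - 1, int(round(0.95 * (len(d) - 1))))  # nearest-rank (assumed)
    out.update({
        "min_delay": round(d[0], 6),
        "median_delay": round(statistics.median(d), 6),
        "max_delay": round(d[-1], 6),
        "p95_delay": round(d[p95_index], 6),
        "max_jitter": round(max(abs(v) for v in delay_variation(probes)), 6)
                      if len(d) > 1 else 0.0,
    })
    return out


def sla_breaches(probes, max_delay, max_loss):
    """SLA monitoring: which probes exceeded the delay bound, and whether the
    loss bound was broken. The bounds are assumed inputs, not from the slides."""
    slow = [seq for seq, dl in delays(probes) if dl > max_delay]
    return {"slow_probes": slow, "loss_breached": loss_ratio(probes) > max_loss}


if __name__ == "__main__":
    print(summarize(PROBES))
    print(sla_breaches(PROBES, max_delay=0.030, max_loss=0.10))
```

Note that a lost probe and a firewall-blocked probe are indistinguishable in this data; that ambiguity is the practical cost of the "blocked by firewall" caveat above, and the reason loss figures from active probes need corroboration from passive counters.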
-
Passive Monitoring
Carried out by observing network traffic
-Collect packets from a link, or network flows from a router
-Perform analysis on the captured packets for various purposes
-Network device performance degrades with port mirroring or flow export
Used to perform various traffic usage/characterization analyses and intrusion detection
-
Comparison of Monitoring Approaches

                    Active monitoring                  Passive monitoring
Configuration       Multi-point                        Single or multi-point
Data size           Small                              Large
Network overhead    Additional traffic                 Device overhead; no overhead if a splitter is used
Purpose             Delay, packet loss, availability   Throughput, traffic pattern, trend, & detection
CPU requirement     Low to moderate                    High
-
Software in Network Monitoring and Management
EPM
The ping program
SNMP servers
IBM AURORA Network Performance Profiling System
Intellipool Network Monitor
Jumpnode
Microsoft Network Monitor 3
MRTG
Nagios (formerly Netsaint)
Netdisco
NetQoS
NetXMS - Scalable network and application monitoring system
-
Software in Network Monitoring and Management (continued)
OpenNMS
PRTG
Pandora (Free Monitoring System) - Network and Application Monitoring System
PIKT
RANCID - monitors router/switch configuration changes
RRDtool
siNMs by Siemens
SysOrb Server & Network Monitoring System
Sentinet3 - Network and Systems Monitoring Appliance
ServersCheck Monitoring Software
Cacti network graphing solution
Zabbix - Network and Application Monitoring System
Zenoss - Network and Systems Monitoring Platform
Level Platforms - Software support for network monitoring
-
Security Monitoring and Management
Attack detection and analysis
-detecting (high-volume) traffic patterns
-investigating the origin of attacks
Intrusion detection
-detecting unexpected or illegal packets
-
Intrusion detection system
An intrusion detection system (IDS) generally detects unwanted manipulations of computer systems, mainly through the Internet. The manipulations may take the form of attacks by crackers.
Types:
-network intrusion detection system
-protocol-based intrusion detection system
-application protocol-based intrusion detection system
-host-based intrusion detection system
-hybrid intrusion detection system
-
Protection, Detection and Response
Real-world security includes prevention, detection, and response.
No prevention mechanism is perfect.
Detection and response are not only more cost-effective but also more effective than piling on more prevention.
-
Our problem
The three parts of network security are comparatively isolated from each other.
Can there be a closer combination of them?
A dynamic scheme between detection and prevention
-
Detection: NIDS based on pattern recognition, neural networks, honeypots.
Prevention: filters.
Response: traceback.
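A minimal version of the "dynamic scheme between detection and prevention" from the previous slides, as an added example that is not the authors' code: the two detection methods the slide series mentions (high-volume traffic patterns from the security monitoring slide, and NIDS pattern recognition from this one) feed a filter whose rules expire, so prevention is driven by detection rather than living in a separate system. The packet events, the SYN-rate threshold, the two signatures and the rule TTL are all the author's assumptions; neural networks, honeypots and traceback are not covered.

```python
"""Detection -> prevention loop (added example; all inputs constructed).

Volume-based detection (SYN-flood style) and payload pattern matching raise
alerts; alerts become time-limited drop rules in a dynamic filter.
"""
import re
from collections import defaultdict

# Constructed packet events: (ts, src, dst, dport, tcp_flags, payload)
EVENTS = [(10.0 + i * 0.001, "198.51.100.7", "10.0.0.80", 80, "S", b"")
          for i in range(300)]                       # 300 SYNs in 0.3 s
EVENTS += [
    (10.1, "203.0.113.9", "10.0.0.80", 80, "PA", b"GET /index.html HTTP/1.1\r\n"),
    (10.2, "203.0.113.4", "10.0.0.80", 80, "PA",
     b"GET /cgi-bin/x?f=../../etc/passwd HTTP/1.1\r\n"),
    (10.3, "203.0.113.9", "10.0.0.80", 80, "S", b""),   # a normal handshake
]

# Assumed signatures; real rule sets are far larger and protocol-aware.
SIGNATURES = [
    ("path-traversal", re.compile(rb"\.\./")),
    ("shell-in-uri", re.compile(rb"/bin/(sh|bash)")),
]


def detect_volume(events, window=1.0, syn_threshold=100):
    """Attack detection on traffic patterns: a source whose SYN count within
    any sliding window of `window` seconds exceeds syn_threshold."""
    per_src = defaultdict(list)
    for ts, src, _, _, flags, _ in events:
        if flags == "S":
            per_src[src].append(ts)
    alerts = []
    for src, times in per_src.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:   # slide the window start
                lo += 1
            if hi - lo + 1 > syn_threshold:
                alerts.append(("syn-flood", src, hi - lo + 1))
                break                                # one alert per source
    return alerts


def detect_patterns(events):
    """Intrusion detection by pattern recognition over packet payloads."""
    alerts = []
    for ts, src, _, _, _, payload in events:
        for name, rx in SIGNATURES:
            if rx.search(payload):
                alerts.append((name, src, ts))
    return alerts


class DynamicFilter:
    """Prevention stage: a blocklist that detection populates and that expires
    entries, so a single false positive does not block a source forever."""

    def __init__(self, ttl=300.0):      # TTL is an assumed policy value
        self.ttl = ttl
        self.blocked = {}               # src -> (expires_at, reason)

    def apply_alerts(self, alerts, now):
        for reason, src, *_ in alerts:
            self.blocked[src] = (now + self.ttl, reason)

    def allows(self, src, now):
        entry = self.blocked.get(src)
        if entry is None:
            return True
        if now >= entry[0]:             # rule expired: drop it and allow
            del self.blocked[src]
            return True
        return False

    def rules(self):
        return sorted(f"drop from {src} until t={exp:.0f} ({why})"
                      for src, (exp, why) in self.blocked.items())


def run_cycle(events, now, filt):
    """One detection cycle: run both detectors, push the alerts into the filter."""
    alerts = detect_volume(events) + detect_patterns(events)
    filt.apply_alerts(alerts, now)
    return alerts


if __name__ == "__main__":
    f = DynamicFilter()
    for a in run_cycle(EVENTS, now=11.0, filt=f):
        print("alert:", a)
    for r in f.rules():
        print("rule:", r)
```

The flooding source is blocked after its 101st SYN in the window and the traversal attempt is blocked by signature, while 203.0.113.9, which only completed a handshake and fetched a page, is left alone; when the TTL lapses the rule disappears on its own, which is the "dynamic" part of the scheme.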