TRANSCRIPT
Understanding DPI and service control
Lazar Obradovic, Cisco Systems
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
• Service Control Engine
• Visibility
• Control
• Summary
Stats of our network? What’s causing congestion? Where?
Security: Obvious attacks? Malicious traffic? Suspicious traffic?
Marketing: What are subscribers doing? How do we monetize that?
SNMP: statistics, Layer 2
Netflow: statistics, Layer 3-4
Net security: details of critical points, semantics of details, Layer 7
Protocol analyzers: details, semantics, Layer 7
• User awareness – reference users by their IDs, not by IP addresses
• Application recognition – go deeper into the packet and tell the application rather than the ports it’s using
• Visibility and reporting – full and comprehensive report about anything possible
• Control – breadth of techniques and mechanisms to influence and control traffic
SNMP: statistics, Layer 2
Netflow: statistics, Layer 3-4
DPI: statistics and details, Layer 3-7
Security: details of critical points, semantics of details, Layer 7
Protocol analyzers: details, semantics, Layer 7
Service Control Engine
• Cisco offers 2 generations of SCEs:
  SCE1010 / SCE2020 – fixed configuration, Gigabit Ethernet model
  SCE8000 – modular configuration, Gigabit or TenGigabit Ethernet model
• All SCE platforms share some common properties:
  Stand-alone appliances – can be inserted into any Ethernet/IP network
  L2-L3 transparent – no MAC / IP address on the data port
  Data / Control plane separation – data and control planes are completely separate and don’t influence each other’s performance
  Dedicated hardware – the data plane is a combination of fast FPGAs and a powerful CPU, backed by lots of memory
  IOS-like CLI – the CLI for configuring low-level properties is based on an IOS-like interpreter
  Low latency – all platforms introduce low latency (~32 µs) and almost no jitter. The hardware fast-path is a separate hardware path for delay-sensitive traffic, ensuring very low latency (~10 µs)
  Open APIs – for integration into OSS/BSS/Security
SCE1010 | SCE2020 | SCE8000
Data plane interfaces: 2x GE | 4x GE | Modular, 2x or 4x 10GE or 8x or 16x GE
DPI performance: 2 Gbps | 2.8 – 3.2 Gbps | 15 Gbps / 30 Gbps
Maximum concurrent subscribers: 40K – 200K | 80K – 200K | 250K – 1M
Maximum open flows: 1M – 400K | 8M – 5M | 16M – 10M
Insertion modes: Recv-only, Inline, MG-SCP | Recv-only, Inline, Cascade, MG-SCP | Recv-only, Inline, Cascade, MG-SCP
• Protocol coverage:
  600 protocols – 950 L7-based signatures
  900 protocols – port-based
• ~1200 customers, multiple geographies, multiple SP segments
• Application groups: Voice, Video, File-Sharing, File-Hosting, Gaming, News-Groups, Instant-Messaging, Web-based services, etc.
• Classification engine supports customer-generated signatures
• Supports classification modifiers:
  Zones – collection of network-side prefixes
  Application parameters – URL, User-Agent, Calling/Called Number, Domain name, Content-type…
• Zero-day classification – behavioral/heuristic algorithms
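The difference between port-based and L7 signature-based application recognition, plus the zone and application-parameter modifiers, as an added example (not Cisco SCE code; the signature table, port table, zone list and sample flows are all constructed for illustration):

```python
import ipaddress
import re

# Constructed sample flows (not real captures): destination plus first payload bytes.
# Flow 1 runs HTTP on TCP/8080 and flow 2 runs TLS on TCP/80, so a port lookup
# misclassifies both while a payload signature recognizes both.
FLOWS = [
    {"dst_ip": "203.0.113.10", "dst_port": 80,
     "payload": b"GET /video/clip.mp4 HTTP/1.1\r\nHost: cdn.example\r\n"
                b"User-Agent: ExampleClient/2.0\r\n\r\n"},
    {"dst_ip": "198.51.100.7", "dst_port": 8080,
     "payload": b"GET /api/items HTTP/1.1\r\nHost: api.example\r\nUser-Agent: curl/8.0\r\n\r\n"},
    {"dst_ip": "203.0.113.20", "dst_port": 80,
     "payload": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32},
    {"dst_ip": "192.0.2.9", "dst_port": 6881, "payload": b"\x13BitTorrent protocol" + b"\x00" * 8},
]
PORT_TABLE = {80: "http", 443: "tls", 6881: "bittorrent"}   # port-based classification (hypothetical)
L7_SIGNATURES = [                                               # L7 payload signatures (hypothetical)
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),   # TLS record carrying a ClientHello
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
]
ZONES = {"cdn-partner": [ipaddress.ip_network("203.0.113.0/24")]}  # zone = network-side prefixes

def classify_by_port(flow):
    return PORT_TABLE.get(flow["dst_port"], "unknown")
def classify_by_signature(flow):
    for app, sig in L7_SIGNATURES:
        if sig.match(flow["payload"]):
            return app
    return "unknown"
def http_parameters(payload):
    """Pull out the HTTP application parameters the deck names: requested URL, domain, User-Agent."""
    head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    params = {"url": head[0].split(b" ")[1].decode()}
    for line in head[1:]:
        name, _, value = line.partition(b": ")
        if name.lower() in (b"host", b"user-agent"):
            params[name.decode().lower()] = value.decode()
    return params
def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, nets in ZONES.items() if any(addr in n for n in nets)), None)
def classify(flow):
    # Application recognition with zone and parameter modifiers; the port guess is kept for comparison.
    app = classify_by_signature(flow)
    result = {"port_guess": classify_by_port(flow), "app": app, "zone": zone_of(flow["dst_ip"])}
    if app == "http":
        result.update(http_parameters(flow["payload"]))
    return result
```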
• SCE exports 30 types of Raw Data Records (RDRs):
  Link Usage RDR
  Zone RDR
  Virtual Link RDR
  Package Usage RDR
  Subscriber Usage RDR
  Real-time Subscriber Usage RDR
  Transaction RDR
  Transaction Usage RDR
  HTTP / VoIP / Video Transaction Usage RDR
  Flow RDR
  Malicious Traffic RDR
  SPAM RDR
  Quota RDR
  […]
• Depending on the type, RDRs include:
  Source / Destination IP/Port
  Timestamp, duration, volume
  Application ID
  Requested URL, User-Agent, Cookie
  Delivered content type
  Called / Calling Numbers
  Video codec and bitrate
  Filename
  P2P file hash
  Attack type
  List of email recipients
  OS type*
  […]
• Policy decisions can be made based on multiple criteria:
  Application usage (all levels)
  Subscriber quota
  Priority (application or subscriber)
  Time of day
  State of attack
  Presence of other applications
• Once a decision is made, control can be established on many levels:
  Link
  Application per link
  Subscriber group
  Subscriber total bandwidth
  Application per subscriber
  Application flow
• Complex policies include multiple chained rules
• Actions can be chained too*
• Connections can be:
  Allowed
  Dropped
  Policed (CIR and PIR)
  Redirected (Layer 2)
  Redirected (Layer 7, HTTP and RTMP)
  Mirrored
  Captured
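How chained rules over the criteria above (quota, time of day, attack state, presence of other applications) turn into chained actions at a given control level, as an added example (not the SCE policy language; the rule set, field names, levels and parameter values are constructed for illustration):

```python
from dataclasses import dataclass, field

# Constructed flow context (hypothetical field names): in the deck these inputs come from
# DPI classification, the Subscriber/Quota Manager and the attack-detection state.
@dataclass
class FlowContext:
    subscriber: str
    application: str              # application ID from DPI classification
    quota_left_mb: float          # remaining subscriber quota
    hour: int                     # local time of day, 0-23
    under_attack: bool            # state of attack for this subscriber
    active_apps: set = field(default_factory=set)   # other applications currently seen

# One rule = (name, predicate, control level, chained actions). Rules are evaluated in
# order and every matching rule contributes its actions; a "drop" terminates the chain.
RULES = [
    ("attack-quarantine", lambda f: f.under_attack, "subscriber-total",
     [("mirror", {"to": "ids-sensor"}), ("drop", {})]),
    ("quota-exhausted", lambda f: f.quota_left_mb <= 0, "subscriber-total",
     [("redirect", {"layer": 7, "to": "https://portal.example/top-up"})]),
    ("voip-priority", lambda f: f.application == "voip", "application-per-subscriber",
     [("allow", {"priority": "high"})]),
    ("p2p-peak-hours", lambda f: f.application == "bittorrent" and 18 <= f.hour < 23,
     "application-per-subscriber", [("police", {"cir_kbps": 256, "pir_kbps": 512})]),
    ("video-beside-p2p", lambda f: f.application == "video" and "bittorrent" in f.active_apps,
     "application-flow", [("police", {"cir_kbps": 1000, "pir_kbps": 2000}), ("capture", {"samples": 10})]),
]

def decide(flow, rules=RULES):
    """Return the chained (rule, level, action, params) decisions for one flow; default is allow."""
    decisions = []
    for name, predicate, level, actions in rules:
        if not predicate(flow):
            continue
        for action, params in actions:
            decisions.append((name, level, action, params))
            if action == "drop":            # nothing after a drop can apply
                return decisions
    return decisions or [("default", "application-flow", "allow", {})]

def actions_for(flow):
    return [action for _, _, action, _ in decide(flow)]
```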
Solution components (diagram): Service Control Engine between users and the network, Subscriber and Quota Manager, AAA, Data retention, Cisco Insight, SCA-BB Console, Portal, Collection Manager, Event correlation engine
1. SCE Appliance – to view and act on the packets
2. Collection Manager – to collect data records for reporting and external DBs
3. Subscriber Manager – to coordinate subscriber info with AAA and control subscriber-level policies
4. Cisco Insight – to provide business intelligence and network trending reports
• Cisco Insight is a next-generation web-based reporting tool that unlocks the SCE’s full traffic management potential
• New easy-to-use GUI leveraging Adobe FLEX™ technology to improve usability and maximize the user experience
• Advanced graphical widgets (time sliders, tree views, dynamic selection controllers, etc.)
• Wizard-like guide through the process of report creation
• 150+ report types
• Custom dashboard
• Scheduled reports
• Email notification of reports
• Report comparison and trend analysis reports (traffic analysis, trend studies, comparisons)
• Report export in different formats: PDF, Excel, image
• Operators can create many users and assign different view rights
• Restrict access based on:
  Report type
  Topology
  Object type
• Full auditing
• Objects are organized in a tree-like structure:
  Devices
  Links
  Parts of networks
  Groups of subscribers
  Subscribers
• Graphical topology view, customizable by user
Service Control Engine
Thank you.