Upload File

netflow monitoring

30
connect • communicate • collaborate NetFlow monitoring Ivan Ivanovic, RCUB/AMRES Banjaluka, novembar 2012.

Upload: destiny-butler

Post on 03-Jan-2016

59 views

Category:

Documents


2 download

Report

DESCRIPTION

NetFlow monitoring. Ivan Ivanovic, RCUB/AMRES Banjaluka, novembar 2012. Šta je NetFlow Tehnologija. Flow. NetFlow statistika. Router (Exporter). NetFlow Tehnologija. Razvijena od strane Cisco kompanije Standardizovana od strane IETF – novi naziv je IPFIX. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: NetFlow monitoring

connect • communicate • collaborate

NetFlow monitoring

Ivan Ivanovic, RCUB/AMRES

Banjaluka, novembar 2012.

Page 2: NetFlow monitoring

connect • communicate • collaborate

Šta je NetFlow Tehnologija

Flow

NetFlow statistikaRouter

(Exporter)

Page 3: NetFlow monitoring

connect • communicate • collaborate

NetFlow Tehnologija

• Razvijena od strane Cisco kompanije• Standardizovana od strane IETF – novi naziv je IPFIX.• Netflow V5 i V9 se danas najčešće koriste• IPFIX (Netflow V9) – Fleksibilni NetFlow.• Postoji definisano više od 100 NetFlow rekorda (većina se još uvek ne koristi)• Pruža nam uvid u informacije o statistici sa L3-L4 sloja.• Netflow V9 podržava i IPV6, MPLS, MAC….• U AMRESu se samo NetFlow koristi za monitoring IPV6 protokola• Drugi proizvođači takođe podržavaju NetFlow (Netstream, Jflow…).• Empirijski je pokazano da čini manje od 1% od ukupnog saobraćaja umreži

Page 4: NetFlow monitoring

connect • communicate • collaborate

Primer NetFlow statistike

Start time

End time

Src IP Dst IP Src port

Dst port

Protocol tos Packet Bytes

01:00 01:01 10.0.0.1 10.1.1.1 9733 80 TCP 0 7 376

Tcp flags

Exporter Interface IN

Interface OUT

Nex hop Src AS Dst AS

S 10.5.5.5 Gi0/1 Gi3/4 10.9.9.9 8756 6985

Page 5: NetFlow monitoring

connect • communicate • collaborate

Kako pokrenuti prikupljanje NetFlow statistike?

Dosta rutera koji prosleđuju pakete u “softveru” podržavaju NetFlow

Neki od L3 svičeva takođe podržavaju NetFlow (dodatni moduli)

Dva tipa podešavanja NetFlowa

Globalno

Na nivou interfejsa

Globalno podešavanje dopušta prikupljanje statistike jedino na svim interfejsima i to najčešće u jednom smeru (in/ingress)

Podešavanje na nivou interfejsa nam daje veću fleksibilnost i najčešće je moguće birati smer in/ingress ili out/outgress

Page 6: NetFlow monitoring

connect • communicate • collaborate

NetFlow podešavanje- IN smer

NetFlow Collector

Host A

Page 7: NetFlow monitoring

connect • communicate • collaborate

NetFlow podešavanje- IN smer

Host A

Page 8: NetFlow monitoring

connect • communicate • collaborate

NetFlow dupliranje statistike- IN smer

Host A

Gi0/1Gi0/1

Gi0/2

Gi0/3

Page 9: NetFlow monitoring

connect • communicate • collaborate

NetFlow dupliranje statistike- IN smer

Page 10: NetFlow monitoring

connect • communicate • collaborate

Dupliranje NetFlow statistike- Rešenje

Problem se lako može rešiti ako uređaj ima kontrolu eksporta NetFlow statistike na nivou svako pojedinačnog interfejsa.

Korišćenjem Ingress/Egress komande možemo kontrolisati prikupljanje NetFlow statistike.

Neke aplikacije koje prikupljaju NetFlow statistiku imaju mogućnost da provere da li dolazi do duplranja prikupljene statistike. (src ip, dst ip , src port, dst port, in/out interfaces, next hop…).

Veoma dobro rešenje predstavljaju kolektori NetFlow statistike koji imaju mogućnost filtriranja na osnovu NetFlow rekorda (polja)

Page 11: NetFlow monitoring

connect • communicate • collaborate

Dupliranje NetFlow statistike- Rešenje

Nećemo koristiti NetFlow statistiku koja ima IP adresu eksportera R2 i koja je prikupljena koristeći saobraćaj koji ulazi na interfejs Gi0/1 uređaja R2!

Host A

Host B

Koristiti! Ignorisati!

Gi0/1Gi0/1

Page 12: NetFlow monitoring

connect • communicate • collaborate

Dupliranje NetFlow statistike- Rešenje

Nećemo koristiti NetFlow statistiku koja ima IP adresu eksportera R1 i koja je prikupljena koristeći saobraćaj koji ulazi na interfejs Gi0/1 uređaja R1!

Host A

Host B

Koristiti!Ignorisati!

Gi0/1Gi0/1

Page 13: NetFlow monitoring

connect • communicate • collaborate

NetFlow tajmeri i agregacija

Većina administratora ih ne koristi

Neke od aplikacija koje prikupljaju NetFlow statistiku ne koriste timestap polje koje NetFlow eksportuje

Problem se javlja kod velike količine NetFlow podataka

Rešenje je agregacija podataka

Prednosti agregacije su manje baze i brži rad aplikacija

Mana agregacije je nedostatak detalja

Šta su NetFlow tajmeri (aging)?

Npr. Cisco

Normal

Long

Short (threshold ~100packets)

Page 14: NetFlow monitoring

connect • communicate • collaborate

NetFlow Agregacija

Page 15: NetFlow monitoring

connect • communicate • collaborate

NetFlow Tajmeri– Long aging

Receiving application is using 5 minute aggregation

Page 16: NetFlow monitoring

connect • communicate • collaborate

NetFlow Tajmeri– Fast aging(Detekcija napada!)

Page 17: NetFlow monitoring

connect • communicate • collaborate

NetFlow tajmeri I popunjavanje lokalne memorijee ksportera

Eksporter prikuplja statistiku lokalno u svojoj memoriji

Kada se memorija prepuni kolektor označi sve prikupljene podatke kao zastarele i eksportuje. Zatim se lokalna memorija oslobađa.

Specijalni slučaji mogu dovesti do zauzimanja memorije

Ping sweep

DNS lookups

Kod protokola koji uspostavljaju sesiju postoji mehanizam otkrivanja kraja sesije – TCP flegovi

Kod protokoli koji ne uspostavljaju sesiju ne postoji mogućnost detekcije kraja sesije - UDP

Preterano zauzimanje memorije može dovesti do opterećenja eksportera

Tajmeri su jedini način da se “zastari” i eksportuje NetFlow statistika

Page 18: NetFlow monitoring

connect • communicate • collaborate

Netflow Sonda

Veoma koristan alat!

Dosta korisnih informacija se može naći na web stranici SWITCH NRENa

http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html

Šta je NetFlow sonda?

Kako se koristi?

Gde se koristi?

Šta se dobija sa tim?

Šta se gubi ako je koristimo?

Problemi?

Page 19: NetFlow monitoring

connect • communicate • collaborate

Netflow Sonda- L2 segment mreže!

L2 Svičevi ne podržavaju NetFlow protokol

L2 Svičevi obično podržavaju port mirroring (SPAN)!

E.g. softflowd

http://www.mindrot.org/projects/softflowd/

http://code.google.com/p/softflowd/

Page 20: NetFlow monitoring

connect • communicate • collaborate

Netflow Sonda– Port mirroring zahtevi!

Dodatni server (desktop pc).

Dve NIC kartice.

Dva porta na sviču.

Gubi se informacija o

IN/OUT portovima.

eth0eth1

Page 21: NetFlow monitoring

connect • communicate • collaborate

Netflow Sonda– Port mirroring zahtevi!

Institucija koja je na L2 segmentu.

Page 22: NetFlow monitoring

connect • communicate • collaborate

NetFlow Sonde– Virtuelizacija

Testirano na Citrix XenServeru

Starije verzije VmWare-a (3.5) podržavaju NetFlow protokol.

eth0 eth0 eth0 eth0

Page 23: NetFlow monitoring

connect • communicate • collaborate

AMRES konfiguracija

Page 24: NetFlow monitoring

connect • communicate • collaborate

Budućnost NetFlow-a

Raste popularnost novih NetFlow rekorda

Cisco je počeo da koristi dodatna NetFlow polja za media saobraćaj

(Cisco -Medianet)

NetFlow media rekordi:packet delay, packet loss, jitter…

Page 25: NetFlow monitoring

connect • communicate • collaborate

Analiza sigurnosti u mreži - I

Page 26: NetFlow monitoring

connect • communicate • collaborate

Analiza sigurnosti u mreži - I

Page 27: NetFlow monitoring

connect • communicate • collaborate

Analiza sigurnosti u mreži - II

Page 28: NetFlow monitoring

connect • communicate • collaborate

Analiza sigurnosti u mreži - II

Page 29: NetFlow monitoring

connect • communicate • collaborate

Analiza sigurnosti u mreži - II

Page 30: NetFlow monitoring

connect • communicate • collaborate

Q&A

KRAJ


Configuring NetFlow Aggregation Caches · Configuring NetFlow Aggregation Caches ThismodulecontainsinformationaboutandinstructionsforconfiguringNetFlowaggregationcaches.The

Flexible NetFlow - Cisco · 10 Flexible NetFlow collect. collect counter Toconfigurethenumberofbytesorpacketsinaflowasanon …

Application Monitoring Using NetFlow - · PDF fileApplication Monitoring Using NetFlow Technology Design Guide August 2014 Series

NetFlow Field Types and Database Formats · Appendix A NetFlow Field Types and Database Formats NetFlow Field Types for NF_INI_VALUES Table: Table A-5 NetFlow Field Types for NF_INI_VALUES

Monitoring and securing BYOD networks using NetFlow

netflow (1)

Using WhatsUp Gold NetFlow Monitor - Ipswitch Gold v12.3.1/04_Plug-ins... · CHAPTER 3 Navigating WhatsUp Gold NetFlow Monitor About the NetFlow Home page ... About the NetFlow Bandwidth

nflow export sctp · NetFlow Reliable Export With SCTP Information About NetFlow Reliable Export With SCTP 3 NetFlow Benefits NetFlow can capture a rich set of traffic statistics

NetFlow Integrator Standard · NetFlow Integrator Standard Edition Administrators Guide NetFlow Logic Confidential 3 Overview How NetFlow Integrator Works NetFlow Integrator (NFI)

Cisco ASA and NetFlow - Using ASA NetFlow with LiveActioncdnx.liveaction.com/knowledgeBase/Configuration-Cisco-ASA-and-NetFlow... · 1-1 Cisco ASA and NetFlow – Using ASA NetFlow

Netflow White

Network Traffic Monitoring & Security - CESNET · Network Traffic Monitoring & Security ... final recommendation –monitor network by the NetFlow probe ... •Several workstations

Augmenting Netflow with the Honeypot Data for Internal Breach Monitoring and Detection

goProbe: A Scalable Distributed Network Monitoring Solution · 2020. 8. 19. · NetFlow NetFlow Exporter NetFlow Exporter Network A NetFlow Network B Collector Source IP Destination

Cisco ASA and NetFlow - liveaction.com ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software. April 2014

IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow Analyzer

NetFlow Feature

Performance Routing - Cisco · •Performance monitoring – Active, Passive or Both – Active Monitoring provided by IPSLA – Passive Monitoring uses NetFlow – Most users will

Understanding NetFlow Monitoring, Security, and … · Understanding NetFlow Monitoring, Security, and Forensics By: Dr. Vincent Berk and Dr. John Murphy ... botnet? Compromised hosts

INF526: Secure Systems Administration Network Monitoring ... · PDF fileSecure Systems Administration. Network Monitoring. And. ... LiveAction (LiveNX) • Combines ... QoS, NetFlow,

Quick start guide · 2020-02-24 · INTRODUCTION NetFlow Analyzer is a complete traffic analysis and network performance monitoring tool that leverages flow technologies like NetFlow,

Application Monitoring Using NetFlow Deployment … that specify a value for a variable appear as ... Application Monitoring Using Netflow ... NetFlow is an embedded capability within

NetFlow Optimizer™ - Network Monitoring & Analysis · Botnet Command and Control Traffic Monitor ... NetFlow Optimizer Modules and Converters are designed to provide solutions for

SonicOS 5.8: NetFlow Reporting - Questsupport-public.cfm.quest.com/cc910f70-9ed2-496e-a848-25b...NetFlow Reporting Overview SonicOS 5.8 NetFlow Reporting Feature Guide 3 NetFlow Export

Configuring NetFlow and NDE - Cisco · Understanding How NetFlow and NDE Work NetFlow and NDE Overview NetFlow collects statistics about traffic that flows through the router. NetFlow

NetFlow Analyzer InterMapper Live Network Maps Scalable ... · NetFlow Analyzer InterMapper™ Live Network Maps Scalable Monitoring InterMapper Flows collects and reports on NetFlow

Network Monitoring using MonALISA and NetFlow

NetFlow Analytics for Splunk · PDF fileMarch, 2016 . NetFlow Analytics for Splunk App User Manual NetFlow Logic Confidential 1 Contents Introduction

NetFlow Monitoring for Cyber Threat Defense

CisCo Validated design Intelligent WAN NetFlow Monitoring ......sys-uptime last Example flow record Record-FNF-IWAN description Flexible NetFlow for IWAN Monitoring match flow direction

Network-Monitoring using ntop and SNMP - … · Network-Monitoring using ntop and SNMP 26. November 2003 1. ... Report Engine Webserver NetFlow ... Network-Monitoring using ntop 26

AdventNet ManageEngine NetFlow Anayzer :: Help Docuementationmanageengine.pt/products/netflow/NetFlowAnalyzer_UserGuide.pdf · AdventNet ManageEngine NetFlow Anayzer :: Help Docuementation

Rethinking NetFlow : A Case for a Coordinated “RISC” Architecture for Flow Monitoring

netflow security monitoring for dummies

TEIN2 Measurement and Monitoring Workshop Netflow