GSF 2011 Lazar Obradovic 2-4 Understanding DPI

  1. Understanding DPI and service control
     Lazar Obradovic, Cisco Systems
     © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
  2. • Service Control Engine
     • Visibility
     • Control
     • Summary
  3. Marketing: What are subscribers doing? How do we monetize that?
     Security: Obvious attacks? Malicious traffic? Suspicious traffic?
     Stats of our network: What's causing congestion? Where?
  4. SNMP: • Statistics • Layer 2
     Netflow: • Statistics • Layer 3-4
     Net security: • Details of critical points • Semantics • Layer 7
     Protocol analyzers: • Details • Semantics of details • Layer 7
  5. Application recognition – Go deeper into the packet and tell the application rather than the ports it's using
     User awareness – Reference users by their IDs, not by IP addresses
     Visibility and reporting – Full and comprehensive report about anything possible
     Control – Breadth of techniques and mechanisms to influence and control traffic
  6. SNMP: • Statistics • Layer 2
     Netflow: • Statistics • Layer 3-4
     DPI: • Statistics and details • Semantics • Layer 3-7
     Security: • Details of critical points • Semantics • Layer 7
     Protocol analyzers: • Details • Semantics of details • Layer 7
  7. [slide contains no text]
  8. Service Control Engine
  9. Cisco offers 2 generations of SCEs:
     • SCE1010 / SCE2020 – fixed configuration, Gigabit Ethernet model
     • SCE8000 – modular configuration, Gigabit or TenGigabit Ethernet model
  10. All SCE platforms share some common properties:
      • Stand-alone appliances – can be inserted into any Ethernet/IP network
      • L2-L3 transparent – no MAC / IP address on the data port
      • Data / Control plane separation – data and control planes are completely separate and don't influence each other's performance
      • Dedicated hardware – data plane is a combination of fast FPGAs and a powerful CPU, backed up by lots of memory
      • IOS-like CLI – CLI for configuring low-level properties is based on an IOS-like interpreter
      • Low latency – all platforms introduce low latency (~32 µs) and almost no jitter. The hardware fast-path is a separate hardware path for delay-sensitive traffic, ensuring very low latency (~10 µs)
      • Open APIs – for integration into OSS/BSS/Security
  11.                                 SCE1010 | SCE2020 | SCE8000
      Data plane interfaces:          2x GE | 4x GE | modular: 2x or 4x 10GE, 8x or 16x GE
      DPI performance:                2 Gbps | 2.8 – 3.2 Gbps | 15 Gbps or 30 Gbps
      Maximum concurrent subscribers: 40K – 200K | 80K – 200K | 250K – 1M
      Maximum open flows:             1M – 400K | 8M – 5M | 16M – 10M
      Insertion modes:                Recv-only, Inline, MG-SCP | Recv-only, Inline, Cascade, MG-SCP | Recv-only, Inline, Cascade, MG-SCP
  12. Protocols coverage
      • Classification engine supports 600 Protocols – 950 L7 based signatures; 900 Protocols – port-based
      • ~1200 customers, multiple geographies, multiple SP segments
      • Application groups: Voice, Video, File-Sharing, File-Hosting, Gaming, News-Groups, Instant-Messaging, Web-based services, etc.
      • Zero Day Classification – Behavioral / Heuristic Algorithms
      • Supports classification modifiers: customer generated signatures; Zones – collection of network side prefixes; Application parameters – URL, User-Agent, Calling/Called Number, Domain name, Content-type…
  13. • SCE exports 30 types of Raw Data Records (RDRs): Link Usage RDR, Zone RDR, Virtual Link RDR, Package Usage RDR, Subscriber Usage RDR, Real-time Subscriber Usage RDR, Transaction RDR, Transaction Usage RDR, HTTP / VoIP / Video Tran. Usage RDR, Flow RDR, Malicious Traffic RDR, SPAM RDR, Quota RDR, […]
      • Depending on the type, RDRs include: Source / Destination IP/Port; Timestamp, duration, volume; Application ID; Requested URL, User-agent, Cookie; Delivered content type; Called / Calling Numbers; Video Codec and bitrate; Filename; P2P file hash; Attack type; List of email recipients; OS type*; […]
  14. • Policy decision can be made based on multiple criteria: Application usage (all levels); Subscriber quota; Priority (application or subscriber); Time of day; State of attack; Presence of other applications
      • Complex policies include multiple chained rules
      • Actions can be chained too*
      • Once a decision is made, control can be established on many levels: Link; Application per link; Subscriber group; Subscriber total bandwidth; Application per subscriber; Application flow
      • Connections can be: Allowed; Dropped; Policed (CIR and PIR); Redirected (Layer 2); Redirected (Layer 7, HTTP and RTMP); Mirrored; Captured
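As an added illustration that is not part of the deck and not Cisco SCE/SCA-BB policy syntax, a small model of the chained-rule evaluation the slide describes: rules test the listed criteria (application, subscriber quota, time of day, attack state), actions are chained, and a non-terminal rule lets evaluation continue to the next rule. Flow records, rule names and thresholds are constructed for the example.

```python
"""Toy chained-policy evaluator (illustrative model only, not SCE syntax).
Criteria and actions follow the slide's wording: application, subscriber
quota, time of day, attack state -> allow / drop / police (CIR, PIR) /
redirect / mirror / capture."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Flow:              # constructed flow record for one classified connection
    subscriber: str
    app: str             # L7 application as classified by DPI
    hour: int            # local hour of day, 0-23
    quota_left_mb: int   # subscriber's remaining quota
    under_attack: bool   # attack state reported for this subscriber

@dataclass
class Rule:
    name: str
    match: Callable[[Flow], bool]
    actions: List[Tuple]     # chained actions, e.g. [("police", cir, pir)]
    terminal: bool = True    # stop walking the chain after this rule matches

# Constructed rule chain, evaluated top to bottom; first terminal match wins.
RULES = [
    Rule("attack-capture", lambda f: f.under_attack, [("capture",), ("drop",)]),
    Rule("quota-exhausted", lambda f: f.quota_left_mb <= 0, [("redirect", "L7")]),
    Rule("peak-hour-p2p", lambda f: f.app == "p2p" and 18 <= f.hour < 23,
         [("police", 512, 1024)]),          # CIR 512 kbps, PIR 1024 kbps (assumed)
    Rule("voip-mirror", lambda f: f.app == "voip", [("mirror",)], terminal=False),
    Rule("default", lambda f: True, [("allow",)]),
]

def evaluate(flow: Flow, rules: List[Rule] = RULES) -> List[Tuple]:
    """Return the chained actions for a flow: collect actions of every
    matching rule until a terminal rule matches."""
    actions: List[Tuple] = []
    for rule in rules:
        if rule.match(flow):
            actions.extend(rule.actions)
            if rule.terminal:
                break
    return actions
```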
  15. [Architecture diagram: Service Control Engine, Collection Manager, Subscriber Manager, Quota Manager, AAA, Data retention, Correlation engine, Event Portal, Cisco Insight, SCA-BB Console, Users, Network]
      1. SCE Appliance to view and act on the packets
      2. Collection Manager to collect data records for Reporting & external DB's
      3. Subscriber Manager to coordinate sub info w/ AAA and control sub-level policies
      4. Cisco Insight to provide business intelligence and network trending reports
  16. • Cisco Insight is a next generation web based reporting tool that unlocks the SCE's full traffic management potential
  17. • New easy-to-use GUI leveraging Adobe FLEX™ technology to improve usability and maximize the user experience
      • Advanced graphical widgets (time sliders, tree views, dynamic selection controllers, etc.)
      • Wizard-like guide through the process of report creation
  18. • 150+ report types
      • Custom dashboard
      • Scheduled reports
      • Email notification of reports
      • Report comparison and trend analysis reports (Traffic analysis, trend studies, comparisons)
      • Report export in different formats: pdf, excel, image
  19. • Operators can create many users and assign different view rights
      • Restrict access based on: Report type; Topology; Object type
      • Full auditing
  20. • Objects are organized in a tree-like structure: Devices; Links; Parts of networks; Groups of subscribers; Subscribers
      • Graphical Topology View, customizable by user
  21. SNMP: • Statistics • Layer 2
      Netflow: • Statistics • Layer 3-4
      DPI: • Statistics and details • Semantics • Layer 3-7
      Security: • Details of critical points • Semantics • Layer 7
      Protocol analyzers: • Details • Semantics of details • Layer 7
  22. Service Control Engine
  23. Thank you.
