Your SlideShare is downloading. ×
0
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Network monitoring a..
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Network monitoring a..

525

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
525
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
19
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Network Monitoring and Measurement and its application in security field Miao Luo, Wei Jiang
  • 2. Definition <ul><li>network traffic measurement is the process of measuring the amount and type of traffic on a particular network. This is especially important with regard to effective bandwidth management. </li></ul><ul><li>network monitoring describes the use of a system that constantly monitors a computer network for slow or failing systems and that notifies the network administrator in case of outages via email, pager or other alarms. It is a subset of the functions involved in network management. </li></ul>
  • 3. Motivation <ul><li>Needs of service providers: </li></ul><ul><li>-Understand the behavior of their networks </li></ul><ul><li>-Provide fast, high-quality, reliable service to satisfy customers and thus reduce churn rate </li></ul><ul><li>-Plan for network deployment and expansion </li></ul><ul><li>-SLA monitoring, Network security </li></ul><ul><li>-Usage-based billing for network users (like telephone calls) </li></ul><ul><li>-Marketing using CRM data </li></ul><ul><li>Needs of Customers: </li></ul><ul><li>-Want to get their money’s worth </li></ul><ul><li>-Fast, reliable, high-quality, secure, virus-free Internet access </li></ul>
  • 4. Application <ul><li>Network Problem Determination and Analysis </li></ul><ul><li>Traffic Report Generation </li></ul><ul><li>Intrusion & Hacking Attack (e.g., DoS, DDoS) Detection </li></ul><ul><li>Service Level Monitoring (SLM) </li></ul><ul><li>Network Planning </li></ul><ul><li>Usage-based Billing </li></ul><ul><li>Customer Relationship Management (CRM) </li></ul><ul><li>Marketing </li></ul>
  • 5. The General Traffic Flow Measurement Process Classification & Flow Recording Store (TCPdump) Observation Point Filtering Display (Ethereal) Sampling Visualize (FlowScan) Analysis by applications (TE, attack detect., QoS monitoring, accounting, …) … other … Filtering Sampling packets flow records PAYLOAD HEAD PAYLOAD HEAD PAYLOAD HEAD PAYLOAD HEAD Packet Capturing packets flow records flow records packets flow records
  • 6. Problems <ul><li>Capturing Packets: </li></ul><ul><li>High-speed networks (Mbps ? Gbps ? Tbps) </li></ul><ul><li>High-volume traffic </li></ul><ul><li>Streaming media (Windows Media, Real Media, Quicktime) </li></ul><ul><li>P2P traffic </li></ul><ul><li>Network Security Attacks </li></ul><ul><li>Flow Generation & Storage: </li></ul><ul><li>What packet information to save to perform various analysis? </li></ul><ul><li>How to minimize storage requirements? </li></ul><ul><li>Analysis: </li></ul><ul><li>How to analyze and generate data needed quickly? </li></ul><ul><li>What kinds of info needs to be generated? -- Depends on applications </li></ul>
  • 7. Goals <ul><li>Capture all packets </li></ul><ul><li>Generate flows </li></ul><ul><li>Store flows efficiently </li></ul><ul><li>Analyze data efficiently </li></ul><ul><li>Generate various reports or information that are suitable for various application areas </li></ul><ul><li>Develop a flexible, scalable traffic monitoring and analysis system for high-speed, high-volume, rich media IP networks </li></ul>
  • 8. Network Monitoring Metrics <ul><li>CAIDA Metrics Working Group ( www.caida.org ) </li></ul><ul><li>-Latency </li></ul><ul><li>-Packet Loss </li></ul><ul><li>-Throughput </li></ul><ul><li>-Link Utilization </li></ul><ul><li>-Availability </li></ul><ul><li>IETF’s IP Performance Metrics (IPPM) Working Group </li></ul><ul><li>-Connectivity (RFC 2687) </li></ul><ul><li>-One-Way Delay (RFC 2679) </li></ul><ul><li>-One-Way Packet Loss (RFC 2680) </li></ul><ul><li>-Round Trip Delay (RFC 2681) </li></ul><ul><li>-Delay Variation </li></ul><ul><li>-Bulk transfer capacity </li></ul>
  • 9. One way loss RT loss One way delay RT delay Capacity Bandwidth Throughput Delay variance Network Monitoring Metrics Availability Connectivity Functionality Loss Delay Utilization
  • 10. <ul><li>Availability: The percentage of a specified time interval during which the system was available for normal use. </li></ul><ul><li>-Connectivity: the physical connectivity of network elements. </li></ul><ul><li>-Functionality: whether the associated system works well or not. </li></ul><ul><li>Latency: The time taken for a packet to travel from a host to another. </li></ul><ul><li>-Round Trip Delay = Forward transport delay + server delay + backward transport delay </li></ul><ul><li>-Ping is still the most commonly used to measure latency. </li></ul><ul><li>Link Utilization over a specified interval is simply the throughput for the link expressed as a percentage of the access rate. </li></ul>
  • 11. Monitoring Method <ul><li>Active Monitoring </li></ul><ul><li>Passive Monitoring </li></ul>
  • 12. Active Monitoring <ul><li>Performed by sending test traffic into network </li></ul><ul><li>-Generate test packets periodically or on-demand </li></ul><ul><li>-Measure performance of test packets or responses </li></ul><ul><li>-Take the statistics </li></ul><ul><li>Impose extra traffic on network and distort its behavior in the process </li></ul><ul><li>Test packet can be blocked by firewall or processed at low priority by routers </li></ul><ul><li>Mainly used to monitor network performance </li></ul>
  • 13. Passive Monitoring <ul><li>Carried out by observing network traffic </li></ul><ul><li>-Collect packets from a link or network flow from a router </li></ul><ul><li>-Perform analysis on captured packets for various purposes </li></ul><ul><li>-Network device performance degrades by mirroring or flow export </li></ul><ul><li>Used to perform various traffic usage/characterization analysis/intrusion detection </li></ul>
  • 14. Comparison of Monitoring Approaches Large Small Data size Single or multi-point Multi-point Configuration High Low to Moderate CPU Requirement Throughput, traffic pattern, trend, & detection Delay, packet loss, availability Purpose - Device overhead - No overhead if splitter is used Additional traffic Network overhead Passive monitoring Active monitoring
  • 15. Software in Network Monitoring and Management <ul><li>EPM </li></ul><ul><li>The ping program </li></ul><ul><li>SNMP servers </li></ul><ul><li>IBM AURORA Network Performance Profiling System </li></ul><ul><li>Intellipool Network Monitor </li></ul><ul><li>Jumpnode </li></ul><ul><li>Microsoft Network Monitor 3 </li></ul><ul><li>MRTG </li></ul><ul><li>Nagios (formerly Netsaint ) </li></ul><ul><li>Netdisco </li></ul><ul><li>NetQoS </li></ul><ul><li>NetXMS Scalable network and application monitoring system </li></ul>
  • 16. Software in Network Monitoring and Management <ul><li>Opennms </li></ul><ul><li>PRTG </li></ul><ul><li>Pandora (Free Monitoring System) - Network and Application Monitoring System </li></ul><ul><li>PIKT </li></ul><ul><li>RANCID - monitors router/switch configuration changes </li></ul><ul><li>RRDtool </li></ul><ul><li>siNMs by Siemens </li></ul><ul><li>SysOrb Server & Network Monitoring System </li></ul><ul><li>Sentinet3 - Network and Systems Monitoring Appliance </li></ul><ul><li>ServersCheck Monitoring Software </li></ul><ul><li>Cacti network graphing solution </li></ul><ul><li>Zabbix - Network and Application Monitoring System </li></ul><ul><li>Zenoss - Network and Systems Monitoring Platform </li></ul><ul><li>Level Platforms - Software support for network monitoring </li></ul>
  • 17. Security Monitoring and Management <ul><li>Attack detection and analysis </li></ul><ul><li>-detecting (high volume) traffic patterns </li></ul><ul><li>-investigation of origin of attacks </li></ul><ul><li>Intrusion detection </li></ul><ul><li>-detecting unexpected or illegal packets </li></ul>
  • 18. Intrusion detection system <ul><li>An intrusion detection system (IDS) generally detects unwanted manipulations of computer systems, mainly through the Internet. The manipulations may take the form of attacks by crackers. </li></ul><ul><li>network intrusion detection system </li></ul><ul><li>protocol-based intrusion detection system </li></ul><ul><li>application protocol-based intrusion detection system </li></ul><ul><li>host-based intrusion detection system </li></ul><ul><li>hybrid intrusion detection system </li></ul>
  • 19. Protection, Detection and Response <ul><li>Real-world security includes prevention, detection, and response. </li></ul><ul><li>No prevention mechanism is perfect. </li></ul><ul><li>Detection and response are not only more cost effective but also more effective than piling on more prevention. </li></ul>
  • 20. Our problem <ul><li>The three parts of network security is comparably isolated from each other. </li></ul><ul><li>Can there be a closer combination of them? </li></ul><ul><li>A dynamic scheme between detection and prevention </li></ul>
  • 21. <ul><li>detection: NIDS based on pattern recognition, neutral networks, Honeypots. </li></ul><ul><li>prevention: Filters </li></ul><ul><li>Reponse: traceback. </li></ul>
  • 22. Our idea <ul><li>An alert-level system. </li></ul><ul><li>Example: As results from NIDS became more similar to some attack pattern, the alert level of the networks will gradually increase, prevention will be strengthen. </li></ul>

×