AlienVault talks to open source pioneer, Luca Deri, to learn more about his work on DPI. See how he's modifying the Linux Kernal to be able to catch-up with companies like Palo Alto Networks and more. Watch it on-demand http://ow.ly/kKWgU #TTTSec

1. A Quick Chat With
Luca Deri
(Creator of Ntop)
Luca Deri
Creator of Ntop, deri@ntop.org
#TTTsec @AlienVault
Your Host
Dominique Karg
Chief Hacking Officer,
AlienVault
@dkarg

2. 3 Things You Will Learn
From This Session
1. What ntop is doing and how the open-source
software can help you
2. How to increase network visibility by
characterizing network traffic though DPI (Deep
Packet Inspection)
3. Why real-time traffic correlation and availability
of a “network knowledge cloud database” can
help you understand what is happening on your
network
#TTTsec @AlienVault

3. About ntop.org [1/3]
• Private company devoted to development
of open source network traffic monitoring
applications.
• ntop (circa 1998) is
the first app we
released and it is a
web-based network
monitoring
application.
#TTTsec @AlienVault

4. About ntop.org [2/3]
• Our software is powering many
commercial products...
#TTTsec @AlienVault

5. • ...and allows packets to be received and
transmitted at 1/10 Gbit line rate with no
loss, any packet size on commodity NICs.
• So we accelerate not just our applications but
also third party open source solutions
including:
About ntop.org [3/3]
#TTTsec @AlienVault

6. Beyond Packet Headers
• Traditionally monitoring applications have
classified traffic using packet headers:
◦ Port 80 = HTTP.
◦ Network x.y.z.0/24 identifies users of factory site Rome.
◦ HTTPS is a secure connection to a web site.
• Unfortunately the above statements no longer hold:
◦ Protocols might use dynamic ports.
◦ Well known ports might not carry the traffic we expect (80 != http).
◦ Encryption does not always mean security (SSL vs OpenVPN).
◦ Users move, and often do not need to connect back to the home
network for carrying on their job.
#TTTsec @AlienVault

7. The need for DPI in Monitoring
[1/2]
• Limit traffic analysis at packet header level it
no longer enough (nor cool).
• Network administrators want to know the real
protocol without relying on the port being
used.
• Selected protocols can be “precisely
dissected” (e.g. HTTP) in order to extract
information, but on the rest of the traffic it is
necessary to tell network administrators what
is the protocol flowing in their network.
#TTTsec @AlienVault

8. The need for DPI in Monitoring
[2/2]
• DPI (Deep Packet Inspection) is a technique for
inspecting the packet payload for the purpose of
extracting metadata (e.g. protocol).
• There are many DPI toolkits available but they are
not what we looked for as:
– They are proprietary (you need to sign an NDA to use
them), and costly for both purchase and maintenance.
– Adding a new protocol requires vendor support (i.e. it has a
high cost and might need time until the vendor supports it) =
you’re locked-in.
• In a nutshell, DPI is a requirement but the market
does not offer an alternative for open-source.
#TTTsec @AlienVault

9. Say hello to nDPI
• ntop has decided to develop its own GPL DPI
toolkit in order to build an open DPI layer for
ntop and third party applications.
• Supported protocols (~170) include:
– P2P (Skype, BitTorrent)
– Messaging (Viber, Whatsapp, MSN, The Facebook)
– Multimedia (YouTube, Last.gm, iTunes)
– Conferencing (Webex, CitrixOnLine)
– Streaming (Zattoo, Icecast, Shoutcast, Netflix, Spotify)
– Business (VNC, RDP, Citrix, *SQL)
#TTTsec @AlienVault

10. What Can nDPI Do For You?
• See what application
protocols are really
used on your network.
• Block unwanted
traffic communications
through an application firewall (soon
available on Linux)
#TTTsec @AlienVault

11. We Need The Big Picture. In
Realtime.
• nDPI is good for analyzing single
communication flows, but it is very flow-
specific.
• Traffic correlation (e.g. VoIP signaling with
voice, long-living flows) is complex to
implement on collectors, and puts quite some
load on the DB and adds latency to
correlation.
• Users demand solutions for analyzing in
realtime what is happening on the network
(most network monitoring tools have a latency
of 5 mins or more)
#TTTsec @AlienVault

12. Welcome to the MicroCloud
[1/2]
#TTTsec @AlienVault

13. MicroCloud In Real Life
– Match a phone number with a VoIP call while the
call is in progress.
– Store user-data (e.g. Radius IP/User/IMSI/MSISDN
association) so that the probe, can report collectors
both the username who produced a given flow and
the symbolic flow hostnames.
– Create a federation of apps (e.g. IDS, network
probes, firewall logs) in order to create a realtime
aggregate view of the current network status: host
reputation is the sum of the reputation observed by
all network monitoring components.
#TTTsec @AlienVault

14. What’s Next?
• DPI is the first step: we need to build host
reputation (e.g. characterizing visited sites
and used network protocols) over time. As in
real life, not all hosts are alike, and some
need “better” monitoring.
• Microcloud is the place where “the current
network snapshot” can be found, all in
realtime, available to all network components
and to which all components contribute.
#TTTsec @AlienVault

15. References
• Web Site: http://www.ntop.org
• Blog: http://blog.ntop.org
• Software: http://packages.ntop.org
#TTTsec @AlienVault

16. • Download OSSIM, our free open-source SIEM:
http://communities.alienvault.com
• Download a Free 30-day trial of AlienVault USM:
http://www.alienvault.com/free-trial
• Subscribe to the AlienVault Labs blog:
http://labs.alienvault.com/labs/
• Visit the Open Minds Exchange:
http://www.alienvault.com/resource-center/open-
minds-exchange
Sponsored by: AlienVault
www.alienvault.com#TTTsec @AlienVault
HELPFUL TOOLS/REFERENCES

17. Questions?
#TTTsec @AlienVault

18. Thank You.
#TTTsec @AlienVault
Your Host
@dkarg
To learn more about AlienVault please visit:
www.alienvault.com