Network monitoring a..


Published on

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Network monitoring a..

  1. 1. Network Monitoring and Measurement and its application in security field Miao Luo, Wei Jiang
  2. 2. Definition <ul><li>network traffic measurement is the process of measuring the amount and type of traffic on a particular network. This is especially important with regard to effective bandwidth management. </li></ul><ul><li>network monitoring describes the use of a system that constantly monitors a computer network for slow or failing systems and that notifies the network administrator in case of outages via email, pager or other alarms. It is a subset of the functions involved in network management. </li></ul>
  3. 3. Motivation <ul><li>Needs of service providers: </li></ul><ul><li>-Understand the behavior of their networks </li></ul><ul><li>-Provide fast, high-quality, reliable service to satisfy customers and thus reduce churn rate </li></ul><ul><li>-Plan for network deployment and expansion </li></ul><ul><li>-SLA monitoring, Network security </li></ul><ul><li>-Usage-based billing for network users (like telephone calls) </li></ul><ul><li>-Marketing using CRM data </li></ul><ul><li>Needs of Customers: </li></ul><ul><li>-Want to get their money’s worth </li></ul><ul><li>-Fast, reliable, high-quality, secure, virus-free Internet access </li></ul>
  4. 4. Application <ul><li>Network Problem Determination and Analysis </li></ul><ul><li>Traffic Report Generation </li></ul><ul><li>Intrusion & Hacking Attack (e.g., DoS, DDoS) Detection </li></ul><ul><li>Service Level Monitoring (SLM) </li></ul><ul><li>Network Planning </li></ul><ul><li>Usage-based Billing </li></ul><ul><li>Customer Relationship Management (CRM) </li></ul><ul><li>Marketing </li></ul>
  5. 5. The General Traffic Flow Measurement Process Classification & Flow Recording Store (TCPdump) Observation Point Filtering Display (Ethereal) Sampling Visualize (FlowScan) Analysis by applications (TE, attack detect., QoS monitoring, accounting, …) … other … Filtering Sampling packets flow records PAYLOAD HEAD PAYLOAD HEAD PAYLOAD HEAD PAYLOAD HEAD Packet Capturing packets flow records flow records packets flow records
  6. 6. Problems <ul><li>Capturing Packets: </li></ul><ul><li>High-speed networks (Mbps ? Gbps ? Tbps) </li></ul><ul><li>High-volume traffic </li></ul><ul><li>Streaming media (Windows Media, Real Media, Quicktime) </li></ul><ul><li>P2P traffic </li></ul><ul><li>Network Security Attacks </li></ul><ul><li>Flow Generation & Storage: </li></ul><ul><li>What packet information to save to perform various analysis? </li></ul><ul><li>How to minimize storage requirements? </li></ul><ul><li>Analysis: </li></ul><ul><li>How to analyze and generate data needed quickly? </li></ul><ul><li>What kinds of info needs to be generated? -- Depends on applications </li></ul>
  7. 7. Goals <ul><li>Capture all packets </li></ul><ul><li>Generate flows </li></ul><ul><li>Store flows efficiently </li></ul><ul><li>Analyze data efficiently </li></ul><ul><li>Generate various reports or information that are suitable for various application areas </li></ul><ul><li>Develop a flexible, scalable traffic monitoring and analysis system for high-speed, high-volume, rich media IP networks </li></ul>
  8. 8. Network Monitoring Metrics <ul><li>CAIDA Metrics Working Group ( ) </li></ul><ul><li>-Latency </li></ul><ul><li>-Packet Loss </li></ul><ul><li>-Throughput </li></ul><ul><li>-Link Utilization </li></ul><ul><li>-Availability </li></ul><ul><li>IETF’s IP Performance Metrics (IPPM) Working Group </li></ul><ul><li>-Connectivity (RFC 2687) </li></ul><ul><li>-One-Way Delay (RFC 2679) </li></ul><ul><li>-One-Way Packet Loss (RFC 2680) </li></ul><ul><li>-Round Trip Delay (RFC 2681) </li></ul><ul><li>-Delay Variation </li></ul><ul><li>-Bulk transfer capacity </li></ul>
  9. 9. One way loss RT loss One way delay RT delay Capacity Bandwidth Throughput Delay variance Network Monitoring Metrics Availability Connectivity Functionality Loss Delay Utilization
  10. 10. <ul><li>Availability: The percentage of a specified time interval during which the system was available for normal use. </li></ul><ul><li>-Connectivity: the physical connectivity of network elements. </li></ul><ul><li>-Functionality: whether the associated system works well or not. </li></ul><ul><li>Latency: The time taken for a packet to travel from a host to another. </li></ul><ul><li>-Round Trip Delay = Forward transport delay + server delay + backward transport delay </li></ul><ul><li>-Ping is still the most commonly used to measure latency. </li></ul><ul><li>Link Utilization over a specified interval is simply the throughput for the link expressed as a percentage of the access rate. </li></ul>
  11. 11. Monitoring Method <ul><li>Active Monitoring </li></ul><ul><li>Passive Monitoring </li></ul>
  12. 12. Active Monitoring <ul><li>Performed by sending test traffic into network </li></ul><ul><li>-Generate test packets periodically or on-demand </li></ul><ul><li>-Measure performance of test packets or responses </li></ul><ul><li>-Take the statistics </li></ul><ul><li>Impose extra traffic on network and distort its behavior in the process </li></ul><ul><li>Test packet can be blocked by firewall or processed at low priority by routers </li></ul><ul><li>Mainly used to monitor network performance </li></ul>
  13. 13. Passive Monitoring <ul><li>Carried out by observing network traffic </li></ul><ul><li>-Collect packets from a link or network flow from a router </li></ul><ul><li>-Perform analysis on captured packets for various purposes </li></ul><ul><li>-Network device performance degrades by mirroring or flow export </li></ul><ul><li>Used to perform various traffic usage/characterization analysis/intrusion detection </li></ul>
  14. 14. Comparison of Monitoring Approaches Large Small Data size Single or multi-point Multi-point Configuration High Low to Moderate CPU Requirement Throughput, traffic pattern, trend, & detection Delay, packet loss, availability Purpose - Device overhead - No overhead if splitter is used Additional traffic Network overhead Passive monitoring Active monitoring
  15. 15. Software in Network Monitoring and Management <ul><li>EPM </li></ul><ul><li>The ping program </li></ul><ul><li>SNMP servers </li></ul><ul><li>IBM AURORA Network Performance Profiling System </li></ul><ul><li>Intellipool Network Monitor </li></ul><ul><li>Jumpnode </li></ul><ul><li>Microsoft Network Monitor 3 </li></ul><ul><li>MRTG </li></ul><ul><li>Nagios (formerly Netsaint ) </li></ul><ul><li>Netdisco </li></ul><ul><li>NetQoS </li></ul><ul><li>NetXMS Scalable network and application monitoring system </li></ul>
  16. 16. Software in Network Monitoring and Management <ul><li>Opennms </li></ul><ul><li>PRTG </li></ul><ul><li>Pandora (Free Monitoring System) - Network and Application Monitoring System </li></ul><ul><li>PIKT </li></ul><ul><li>RANCID - monitors router/switch configuration changes </li></ul><ul><li>RRDtool </li></ul><ul><li>siNMs by Siemens </li></ul><ul><li>SysOrb Server & Network Monitoring System </li></ul><ul><li>Sentinet3 - Network and Systems Monitoring Appliance </li></ul><ul><li>ServersCheck Monitoring Software </li></ul><ul><li>Cacti network graphing solution </li></ul><ul><li>Zabbix - Network and Application Monitoring System </li></ul><ul><li>Zenoss - Network and Systems Monitoring Platform </li></ul><ul><li>Level Platforms - Software support for network monitoring </li></ul>
  17. 17. Security Monitoring and Management <ul><li>Attack detection and analysis </li></ul><ul><li>-detecting (high volume) traffic patterns </li></ul><ul><li>-investigation of origin of attacks </li></ul><ul><li>Intrusion detection </li></ul><ul><li>-detecting unexpected or illegal packets </li></ul>
  18. 18. Intrusion detection system <ul><li>An intrusion detection system (IDS) generally detects unwanted manipulations of computer systems, mainly through the Internet. The manipulations may take the form of attacks by crackers. </li></ul><ul><li>network intrusion detection system </li></ul><ul><li>protocol-based intrusion detection system </li></ul><ul><li>application protocol-based intrusion detection system </li></ul><ul><li>host-based intrusion detection system </li></ul><ul><li>hybrid intrusion detection system </li></ul>
  19. 19. Protection, Detection and Response <ul><li>Real-world security includes prevention, detection, and response. </li></ul><ul><li>No prevention mechanism is perfect. </li></ul><ul><li>Detection and response are not only more cost effective but also more effective than piling on more prevention. </li></ul>
  20. 20. Our problem <ul><li>The three parts of network security is comparably isolated from each other. </li></ul><ul><li>Can there be a closer combination of them? </li></ul><ul><li>A dynamic scheme between detection and prevention </li></ul>
  21. 21. <ul><li>detection: NIDS based on pattern recognition, neutral networks, Honeypots. </li></ul><ul><li>prevention: Filters </li></ul><ul><li>Reponse: traceback. </li></ul>
  22. 22. Our idea <ul><li>An alert-level system. </li></ul><ul><li>Example: As results from NIDS became more similar to some attack pattern, the alert level of the networks will gradually increase, prevention will be strengthen. </li></ul>