
NETFLOW & NETWORK-BASED APPLICATION RECOGNITION
ITD PRODUCT MANAGEMENT
NOVEMBER 2003

NetFlow and NBAR, November 2003 © 2003 Cisco Systems, Inc. All rights reserved.
Overview of NetFlow and Network-Based Application Recognition

• NetFlow
  Pioneering IP accounting technology
  Invented and patented by Cisco
  IETF export standard

• Network-Based Application Recognition (NBAR)
  Intelligent application recognition
  Analyzes and identifies application traffic in real time
NetFlow and NBAR Benefit Footprints
Network positions in the figure (left to right): Enterprise Backbone | Enterprise Premise | Service Provider Edge | Service Provider Aggregation | Core Edge

NetFlow (two groups in the figure, enterprise side and service provider side)
  Enterprise side:
  • User (IP) monitoring
  • Application monitoring
  • Traffic analysis
  • Attack mitigation
  • Chargeback billing
  Service provider side:
  • Attack mitigation
  • Billing
  • AS peer monitoring
  • Traffic engineering
  • Network planning

NBAR
• Application classification
• Precise Quality of Service (QoS) treatment
• Application statistics for bandwidth provisioning
  Top-n views
  Threshold settings
• Mapping applications to an SP's service offering
NetFlow and NBAR Benefit Footprints
Network positions in the figure (left to right): Enterprise Backbone | Enterprise Premise | Service Provider Edge | Service Provider Aggregation | Core Edge
Platforms are listed in four columns in the figure, reconstructed here left to right.

NetFlow
  Column 1 (Enterprise Backbone):
  • Cisco Catalyst 4500, 5000, 6500, 7600 Series ASIC
  Column 2 (Enterprise Premise):
  • Cisco Catalyst 5000, 6500 Series HW Acceleration
  • Cisco Catalyst 4500 Series ASIC
  • Cisco 7100, 7200, 7300, 7500 Series
  • Cisco AS5300, AS5400, AS5800 Series
  • Cisco 830, 1400, 1700, 2600, 3600, and 3700 Series
  Column 3 (Service Provider Edge / Aggregation):
  • Cisco Catalyst 4500, 5000, 6500 Series; Cisco 7600 Series ASIC
  • Cisco 7100, 7200, 7300, 7500 Series
  • Cisco AS5300 and AS5800 Series
  • Cisco MGX8000 Series
  Column 4 (Core):
  • Cisco 10000 and 12000 Series Internet Routers ASIC
  • Cisco Catalyst 5000 and 6500 Series; Cisco 7600 Series ASIC
  • Cisco 7500 Series

NBAR
  Column 1 (Enterprise Backbone):
  • Cisco Catalyst 6500 and 7600 Series MSFC; planned ASIC
  Column 2 (Enterprise Premise):
  • Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM; planned ASIC
  • Cisco 7100, 7200, and 7500 Series
  • Cisco 830, 1400, 1700, 2600, 3600, and 3700 Series
  Column 3 (Service Provider Edge / Aggregation):
  • Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM; planned ASIC
  • Cisco 7100, 7200, and 7500 Series
  Column 4 (Core):
  • Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM; planned ASIC
  • Cisco 7500 Series
NetFlow and NBAR: Main Objectives and Benefits

Main Objective: Main Benefit

NetFlow
• Flow Characterization: Which users utilize the network; what types of traffic; when is the network utilized; where does the traffic go
• Network Usage: IP accounting and Billing Technology
• Capacity Planning, Traffic Engineering, Peering: Traffic & routing information analysis
• Data Export: Persistent Network Usage Record

NBAR
• Identify & classify traffic based on payload attributes & protocol characteristics: Optimize application performance via QoS; Validation or reclassification of ToS marking based on packet inspection
NetFlow and NBAR: Additional Objectives and Benefits

Main Objective: Side Benefits

NetFlow
• Flow Characterization: DDOS & Worm Detection
• Network Usage: Capacity Planning and Traffic Engineering
• Billing: Permanent Record of network activity
• Capacity, Traffic Eng, Peering: Optimized Edge Routing (OER)
• Data Export: IETF IPFIX WG Standard and NetFlow v.9 flexible extensible format

NBAR
• Identify & classify traffic based on payload attributes & protocol characteristics: Detection & dropping/limiting of undesired traffic (peer-to-peer file sharing, worms, …); Application statistics for bandwidth provisioning
Uniqueness and Strengths of NetFlow and NBAR

NetFlow
• IPv6, MPLS, Multicast, BGP NH technology integration
• Billing, Capacity Planning, Traffic Engineering
• Internet Access Monitoring: Peering & Traffic
• IETF Standard for Data Sampling and Export
• Security DDOS Monitoring Tool (New)
• Flow timers, timing of network traffic types
• Who, what, where, when in the network
• Large NMS partner community & open source tools

NBAR
• Deep & Stateful Packet Inspection
• Protocol Discovery with application statistics
• Enables precise classification & QoS treatment
• Pre-defined protocol & application recognition
• User-Defined Custom Application Classification (New)
• New application signatures w/o software upgrade
• Integration with IP Services (QoS, NAT, Firewall, IDS) (New)
NetFlow and NBAR Differentiation

Packet fields shown in the figure (top to bottom):
  Link Layer Header: Interface
  IP Header: TOS, Protocol, Source IP Address, Destination IP Address
  TCP/UDP Header: Source Port, Destination Port
  Data Packet (Payload)
In the figure the NetFlow bracket spans the link-layer, IP and TCP/UDP header fields, while the NBAR Deep Packet Inspection bracket extends over the payload. NetFlow and NBAR both leverage Layer 3 and 4 Header Information.

NetFlow
• Monitors data in Layers 2 thru 4
• Determines applications by port
• Utilizes a 7-tuple for flow

NBAR
• Examines data from Layers 3 through 7
• Uses Layers 3 & 4 plus packet inspection for classification
• Stateful inspection of dynamic-port traffic
NetFlow and NBAR useful for Security

NetFlow: Flow information is useful against attacks
• NetFlow Mitigates Attacks
  Identify the attack
    Count the Flows
    Inactive flows signal a worm attack
  Classify the attack
    Small size flows to same destination
    What is being attacked and origination of attack
• NetFlow Security partners: Arbor Networks and Mazu, Adlex
• Cisco IT prevented SQL Slammer at Cisco by watching flows per port

NBAR: Signature-based detection
• Not historically a main focus for NBAR
  Real-time loadable PDLMs could provide a rapid-update mechanism for new signatures
  Not staffed to react against malicious applications
• NBAR can detect worms based on payload signatures
  Nimda
  Code Red
  Slammer
• Cisco PSIRT provided customers with an NBAR solution to combat Code Red & Nimda
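As an added illustration (not code from the Cisco deck), the following Python puts the two slides above together: a NetFlow-style flow cache keyed on the 7-tuple from the Differentiation slide (interface, ToS, protocol, source and destination IP, source and destination port) with the inactive and active flow timers the deck mentions, followed by the "count the flows" heuristic from the security slide, which flags a source whose many small, single-packet, inactive flows fan out to many destinations on one port. Every packet is constructed sample data, the timeout values are assumptions rather than Cisco defaults, and the addresses are documentation ranges.

```python
# Added example: NetFlow-style 7-tuple flow cache plus the per-port flow-count
# heuristic from the security slide. Sample packets and timeouts are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """The 7-tuple NetFlow uses to identify a flow (Differentiation slide)."""
    ingress_if: str
    tos: int
    protocol: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass
class FlowRecord:
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    """Flow cache with an inactive timer (no packet for N seconds) and an active
    timer (long-lived flows are cut and exported). Timeout values are assumed."""

    def __init__(self, inactive_timeout=15.0, active_timeout=1800.0):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.cache = {}      # FlowKey -> FlowRecord for flows still open
        self.exported = []   # (FlowKey, FlowRecord, reason) once a flow is exported

    def observe(self, pkt, now):
        """Account one packet (dict of header fields) into its flow."""
        self.expire(now)
        key = FlowKey(pkt["ifc"], pkt["tos"], pkt["proto"], pkt["src"],
                      pkt["dst"], pkt["sport"], pkt["dport"])
        rec = self.cache.get(key)
        if rec is None:
            rec = FlowRecord(first_seen=now, last_seen=now)
            self.cache[key] = rec
        rec.packets += 1
        rec.octets += pkt["len"]
        rec.last_seen = now

    def expire(self, now):
        """Export flows whose inactive or active timer has run out."""
        for key, rec in list(self.cache.items()):
            if now - rec.last_seen >= self.inactive_timeout:
                self._export(key, rec, "inactive")
            elif now - rec.first_seen >= self.active_timeout:
                self._export(key, rec, "active")

    def _export(self, key, rec, reason):
        self.exported.append((key, rec, reason))
        del self.cache[key]


def flows_per_port(exported):
    """'Count the flows' per (protocol, destination port), the view the slide
    says Cisco IT watched during Slammer."""
    counts = defaultdict(int)
    for key, _rec, _reason in exported:
        counts[(key.protocol, key.dst_port)] += 1
    return dict(counts)


def worm_like_sources(exported, max_octets=512, min_targets=10):
    """Flag sources whose small single-packet flows, expired by the inactive
    timer (never continued), reach many distinct destinations on one port."""
    targets = defaultdict(set)
    for key, rec, reason in exported:
        if reason == "inactive" and rec.packets == 1 and rec.octets <= max_octets:
            targets[(key.src_ip, key.protocol, key.dst_port)].add(key.dst_ip)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


def sample_packets():
    """Constructed traffic: one ordinary web session, plus one host sending a
    single small UDP datagram to port 1434 (the port Slammer used) on 20 hosts."""
    pkts = []
    for i in range(6):
        pkts.append({"t": 1.0 + 0.5 * i, "ifc": "Gi0/1", "tos": 0, "proto": 6,
                     "src": "10.0.0.5", "dst": "192.0.2.10",
                     "sport": 40001, "dport": 80, "len": 1400})
    for i in range(20):
        pkts.append({"t": 2.0 + 0.1 * i, "ifc": "Gi0/1", "tos": 0, "proto": 17,
                     "src": "10.0.0.99", "dst": f"198.51.100.{i + 1}",
                     "sport": 1434, "dport": 1434, "len": 404})
    return pkts


def run_demo():
    """Feed the sample packets in time order, then age every flow out."""
    cache = FlowCache(inactive_timeout=15.0)
    for pkt in sorted(sample_packets(), key=lambda p: p["t"]):
        cache.observe(pkt, pkt["t"])
    cache.expire(now=60.0)   # 60 s later every flow has gone idle
    return cache


if __name__ == "__main__":
    c = run_demo()
    print(flows_per_port(c.exported))      # {(6, 80): 1, (17, 1434): 20}
    print(worm_like_sources(c.exported))   # {('10.0.0.99', 17, 1434): 20}
```

The web session collapses into one six-packet flow, while the scanning host produces twenty one-packet flows that all expire on the inactive timer; grouping those by source and destination port is what turns raw flow records into the "small flows to many destinations on one port" signal, without ever looking at payload, which is the NBAR side of the slide.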

Summary of Benefits

NetFlow
• Internet Access Monitoring
  Protocol distribution
  Where traffic is going / coming from
• User Monitoring
• Application Monitoring
• Accounting and Billing
• DDOS Monitoring
• Peering Arrangements
• Network Planning
• Traffic Engineering

NBAR
• Deep & Stateful Packet Inspection
• Protocol & Application Discovery
  Standard protocols
  Corporate applications (Citrix, ...)
  Undesired traffic (peer-to-peer, worms, …)
• Real-time PDLM Signature Update