1 / 43

Enhancing Network Management with Cisco Data

This article explores the use of Cisco data and various tools to enhance network management and identify traffic anomalies. It covers topics such as NetFlow versions, NetFlow toolkit, flow-capture, flow-print, flow-filter, flow-cat, and other useful scripts.

dstefanie
Télécharger la présentation

Enhancing Network Management with Cisco Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Enhancing Network Management with Cisco Data Brian Borowski – brianb@uwo.ca Ed Gibson – egibson@uwo.ca

  2. Water’s Hardware • Debian Stable Release 2.4 Kernel • Dual P3 @1Gig CPU’s • 1.5 Gig RAM • Onboard IDE - • (2) 60 Gig IDE on Channel 0 • (1) CDROM on Channel 1 • Promise PD-2067 PCI - IDE Interface Card • (2) 60 Gig IDE on Channel 0 • (2) 60 Gig IDE on Channel 1 • Total of 360 Gig IDE Drive Space

  3. Water’s Partitions • 60 Gig - /, /usr • 60 Gig - /usr1 • 120 Gig (linear) - /nf1 {gate1, gate2, hse} • 120 Gig (linear) - /nf2 {nsc cat, uc cat} • /nf1 & /nf2 maintained at 90% capacity • gate2 - 65 days • hse - 60 days • cat's - 40 days

  4. NetFlow Versions

  5. Version 1 • Source Interface - SNMP Index of input interface • Source IP Address • Destination Interface - SNMP Index of output interface • Destination IP Address • Protocol - IP protocol type • (i.e, ICMP = 1, TCP = 6; UDP = 17) • Source Port - TCP/UDP source port number or equivalent • Destination Port - TCP/UDP destination port number or equivalent • Packets - Packets in the flow • Octets - Total number of Layer 3 bytes in the packets of the flow • Start Time - Unix time • Lifetime - flight time of the flow

  6. Netflow Toolkit • Utilize a netflow "toolkit" available at • http://www.splintered.net/sw/flow-tools/ • We have made some modifications • flow-capture • data collector - receives data from router • one instance per source (unique udp port) • we currently have 7 instances • zip compresses data in 16 blocks (4:1 compression) • one file per hour named rawflow.mm-dd-yyyy.hh • files >2GB required later kernel and current fileutils glibc, bash, ETC. • busy periods ~ 4-5GB/hr • custom -> filename format

  7. flow-print • Decompress and Display Data • Number of output formats • 0 short format • Sif SrcIPaddress Dif DstIPaddress Pr SrcP DstP Pkts Octets • 1 long format • Sif SrcIPaddress DIF DstIPaddress Pr SrcP DstP Pkts Octets StartTime EndTime Active B/Pk Ts Fl R1 CS MC • 6 custom format • Sif SrcIPaddress DIF DstIPaddress Pr SrcP DstP Pkts Octets start_time lifetime • generally used as a piped filter • cat ~/gate1flows/rawflow.05-14-2004.10 | flow-print -f6 | more • custom -> format type 6 (Unix time format) • custom -> display ports and protocols in decimal

  8. flow-stat • Library of predefined reports • Command Line Parameters of Interest • -P use percents instead of counters • -Sn sort descending on field n • -sn sort ascending on field n • -fn format n

  9. flow-stat(cont’d)) • 0 Overall Summary • 1 Average packet size distribution • 2 Packets per flow distribution • 3 Octets per flow distribution • 4 Bandwidth per flow distribution • 5 UDP/TCP destination port • 6 UDP/TCP source port • 7 UDP/TCP port • 8 Destination IP • 9 Source IP • 10 Source/Destination IP • 11 Source or Destination IP • 12 IP protocol • ……..

  10. flow-filter • Utility to filter traffic • Uses “kludge” of Cisco ACL format to filter IP’s (defaults file flow.acl) • Command parameters links to ACL reference • e.g. more flow.acl ip access-list standard uwoweb permit 129.100.2.71 ip access-list standard cuda permit host 129.100.1.101

  11. flow-filter (cont’d) • $ flow-filter -h Usage: flow-filter [-hko] [-a src_as_filter] [-A dst_as_filter] [-b big|little] [-C comment] [-D dstaddr_filter_name] [-d debug_level] [-f acl_fname] [-i input_filter] [-I output_filter] [-p srcport_filter] [-P dstport_filter] [-r ipprot_filter] [-S srcaddr_filter_name] [-t tos_filter] [-T tcp_flags_filter] [-x nexthop_filter_name] [-z z_level]

  12. Flow-Cat • Facilitates the concatenation of multiple flow files into a single pipe stream. • e.g. flow-cat rawflow.05-14-2004.* | flow-print -f6 | {some utility} • Other tools included in this toolkit but are beyond the scope of this presentation.

  13. flow-filter • clunky & limiting • flatten data with flow-print then process • Unix piping • grep, awk, sort • perl one liners • perl -ne '@a=split(“ “,$_);if(($a[4]==6)&&($a[6]==53)){print $_}'

  14. toolbox of scripts to perform repetitive functions • slice - pull particular time sections out of a particular day • eg. slice gate1 3 11 12 13 • flowcleaver - filter netflow output for a particular value or range in a specified column • eg. … | flow-print –f6 | flowcleaver –sip 129.100.87 | … • l3srcsum - total and index (flow,packet,octet) input stream by IP source • l3destsum - total and index (flow,packet,octet) input stream by IP destination • l4srcsum - total and index (flow,packet,octet) input stream by destination port • l4destsum - total and index (flow,packet,octet) input stream by source port • timefill – convert from Unix time to calendar time

  15. Identify Traffic Anomalies • Top N analysis • By octet • By conversations • By port • Focus analysis on anomalies • Identified by MRTG • Syslog • Netflow • IDP … • Scanner detection & BOTs

  16. Security Incident Verification • Complaint received associated with network activity two weeks ago • Netflow can verify conversation took place • What ports involved (web,smtp,IRC) • Irrefutable second source of transaction verification

  17. Protocol Distribution • Application analysis of network traffic • Percentage of Web Traffic • Locate ftp servers • Tracking BOT communication channels • Virus Infection Detection

  18. Traffic Distribution • What networks/users are hogging the Internet Pipe? • What hosts are seeing significant inbound traffic requests • Are there outside hosts dominating your outbound traffic?

  19. NetFlow Uses Access Distribution Core Distribution Access Network Layer • Attack Mitigation • User (IP) monitoring • Application monitoring • Billing • Chargeback • AS Peer Monitoring • Traffic Engineering • Traffic Analysis • Billing • Chargeback • AS Peer Monitoring • Attack Mitigation • User (IP) monitoring • Application monitoring Applications • Aggregation Schemes (v8) • “show ip cache flow” command • Arbor Networks • NetFlow MPLS Egress Accounting • BGP Next-hop (v9) • Multicast NetFlow (v9) • MPLS Aware NetFlow (v9) • BGP Next-hop (v9) • Sampled NetFlow • NetFlow MPLS Egress Accounting • BGP Next-hop (v9) • Multicast NetFlow (v9) • Aggregation Schemes (v8) • “show ip cache flow” command • Arbor Networks NetFlow Features

  20. Futures • …… • brianb@uwo.ca • egibson@uwo.ca

More Related