real time topology based flow visualization
TRANSCRIPT
Real Time Topology Based Flow Visualization
John K. Smith ([email protected]), Referentia Systems Incorporated
Referentia Systems Incorporated ‐ Confidential
Flocon 2011, Salt Lake City, UT
Agenda
• Flow Visualization Tool Overview
• Visualizations and Design Issues
• Use Cases
NOTE: Networks shown in this presentation are simulated, not actual DoD networks, traffic or addresses.
Beginnings
• Initial Goal
  • Network Quality of Service Monitor and Control
  • Tactical Military Networks
  • Easy to use for E3-E5 (Sergeant)
• Working With
  • Office of Naval Research
  • U.S. Marines
    • Marine Forces Pacific (MARFORPAC)
    • 3rd Marine Expeditionary Force (III MEF)
Tool Overview
[Diagram of tool components: Quality of Service, Routing Visualizations, Configuration, Flow, Service Level Agreement Monitoring, Historical Analysis, Visualization, Network Situational Awareness, Network Management Awareness, Computer Network Defense]
Why Topology Based Visualization Model
[Figure: network diagram built from Catalyst 3550 switch stencils, with labeled interfaces F0/0, F0/1, F0/0.1 and VLAN 100]
Hand Drawings
[Figure: Visio diagram with subnets 172.16.12.0/24, 172.16.13.0/24, 192.168.30.1/24 and 192.168.31.1/24, VLANs 21-24, and router interfaces F0/0, F0/1, F0/0/0, F0/0/1, F0/0/2]
Visio Diagrams
• Can't interactively explore
• No correlation to live network data
• Not always accurate or kept current
Mental Model
• Accuracy and fidelity of the model
• Ability to explore the model
• Interact with the model
Mental Model and Situational Awareness
DMTF CIM Model
• Very detailed model of network devices and protocols
• Vendor neutral
• Currently we use
  • A simpler subset of CIM
  • Performance and flow data added
Tool Design
Topology Based Flow Visualization
• Flow Collector
  • Not a generator like Argus or YAF
  • Time series storage
  • NetFlow v5-v9, sFlow, Jflow
  • Cisco Flexible NetFlow setup
• Flow Visualization
  • Topology from real networks
  • Discovery
  • Model creation from config
  • Node and edge displays
• Flow Projection
  • "Real Time" – as real time as NetFlow can be
  • Projection of flows onto topology
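As an added example (not the Referentia tool's code), the following Python decodes a NetFlow v5 export datagram and projects each record onto a small hypothetical topology model keyed by the exporting router's SNMP ifIndex values, which is the core of "projection of flows onto topology". The datagram, the topology, the interface names and the addresses are all constructed for the example. It also handles a case the deck raises later for router-sourced or consumed traffic: an output ifIndex of 0 means the packets terminated on the router itself (Null/CPU), not on a link, so the edge is drawn to the router rather than to a neighbor.

```python
import ipaddress
import struct
from collections import namedtuple

# NetFlow v5 wire format: 24-byte header followed by up to 30 fixed 48-byte records.
HEADER = struct.Struct(">HHIIIIBBH")
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30

Flow = namedtuple("Flow", "src dst nexthop in_if out_if packets octets "
                          "first last sport dport tcp_flags proto tos src_as dst_as")


def parse_netflow_v5(datagram):
    """Decode one v5 export datagram into Flow tuples; reject malformed input
    instead of trusting the header's record count."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, _sampling = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if count > MAX_RECORDS or len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count %d does not fit the datagram" % count)
    flows = []
    for i in range(count):
        (src, dst, nh, in_if, out_if, pkts, octs, first, last, sport, dport,
         _pad1, flags, proto, tos, sas, das, _smask, _dmask, _pad2) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        flows.append(Flow(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                          str(ipaddress.IPv4Address(nh)), in_if, out_if, pkts, octs,
                          first, last, sport, dport, flags, proto, tos, sas, das))
    return flows


# Hypothetical topology model: router -> {ifIndex: (interface name, what it connects to)}.
# In the tool this comes from discovery and the device config; here it is hand-written.
TOPOLOGY = {
    "rtr1": {
        1: ("Fa0/0", "172.16.12.0/24"),   # LAN side
        2: ("Fa0/1", "rtr2"),             # WAN link to the next router
    },
}


def project_flows(router, flows, topology=TOPOLOGY):
    """Turn records into ingress->egress edges on the router's topology node.
    Output ifIndex 0 means the router consumed the traffic (drawn as local/Null)."""
    ifmap = topology[router]
    edges = []
    for f in flows:
        ingress = ifmap.get(f.in_if, ("ifIndex %d?" % f.in_if, None))
        if f.out_if == 0:
            egress, local = ("local", router), True
        else:
            egress, local = ifmap.get(f.out_if, ("ifIndex %d?" % f.out_if, None)), False
        edges.append({"router": router, "ingress": ingress[0], "egress": egress[0],
                      "to": egress[1], "flow": f, "router_local": local})
    return edges


def edge_load(edges):
    """Aggregate octets per (ingress, egress) pair, as a display would for colouring links."""
    load = {}
    for e in edges:
        key = (e["ingress"], e["egress"])
        load[key] = load.get(key, 0) + e["flow"].octets
    return load


def build_v5_datagram(records):
    """Constructed test input: pack (src, dst, in_if, out_if, proto, sport, dport, octets)."""
    body = b"".join(
        RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                    ipaddress.IPv4Address("0.0.0.0").packed, i, o, 1, octs, 0, 0,
                    sp, dp, 0, 0, proto, 0, 0, 0, 24, 24, 0)
        for s, d, i, o, proto, sp, dp, octs in records)
    return HEADER.pack(5, len(records), 1000, 1300000000, 0, 1, 0, 0, 0) + body


SAMPLE = build_v5_datagram([
    ("172.16.12.10", "192.168.31.5", 1, 2, 6, 51234, 443, 12000),  # host to WAN neighbor
    ("172.16.12.10", "192.168.30.1", 1, 0, 1, 0, 2048, 64),        # ping to the router itself
])

if __name__ == "__main__":
    for e in project_flows("rtr1", parse_netflow_v5(SAMPLE)):
        print(e["ingress"], "->", e["egress"], e["flow"].src, e["flow"].dst, e["router_local"])
```

The ICMP record carries 2048 in the destination-port field because IOS encodes ICMP type and code there (type 8, code 0). The length and count checks matter on a collector that listens on UDP to anything that can reach it: a forged header claiming 30 records in a short datagram must not be allowed to read past the buffer.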
What is it for ?
• Network Management
  • It's really hard to know what's going on in a router
  • Let alone across routers in a network
  • Where problem locations are, where to fix
• Network SA
  • Knowing how flows are routed
  • Knowing direction, load sharing
  • Flow – Routing – QoS – SLA
• CND
  • Doesn't solve the needle-in-a-haystack problem
  • Doesn't do pattern analysis
  • Can be used with sensors to alert and monitor events
  • Response planning and actions
  • Complements forensic analysis
Flow System View
[Screenshot: flow system view with labels Router, Subnets, Ingress, Egress]
Flow System View
• Panning
• Zooming
• Color Coding
• Aggregation
Flow System View
• Filtering
• Tracing of Flows
• Source and Destination ID
• DNS Resolution
• Historical Replay
• Black Listed IP ID
Device Topology View
• Device Level View
• Process Flows in Real Time
• Updates Display – 10 sec
• Shows IP to IP, Port to Port
• Switching Path
Individual Flow
• Isolation down to particular source
• Aggregation along shared path
• Highlighting of black listed address
• Tunnel to physical interface association
• Indicators for policies such as ACL, QoS, PBR
Device Topology View
• Table View
• Using Flexible NetFlow
  • IPv6
  • MAC, TCP
  • AS Number
  • Next Hop etc.
Display Updates and NetFlow Behavior
• Static display easier, real time* is harder
• How long to leave flows displayed
• Process flow records as they come in
• Update/Refresh rate of the display – 10 sec
• Aging of the flows out of the display
• Router – active/inactive timer settings
[Timing diagram: display poll 10 sec, display aging time 2 min; router active timer 1 min, inactive timer 10 sec. Rows compare the real duration of a 40 sec, 2 min and 4 min flow against the arrival of its NetFlow records (X) and the 2 min aging of each record out of the display.]
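The timing on this slide, worked as an added Python example rather than anything from the tool: `export_times` models when a router emits records for one flow under its active and inactive timers, `display_intervals` models when a display that polls every 10 sec and ages records out after 2 min actually shows the flow, and `display_lag` reports how far the picture trails reality. The timer values are the slide's (active 1 min, inactive 10 sec); IOS defaults are 30 min active and 15 sec inactive, so they are parameters.

```python
import math


def export_times(start, end, active=60, inactive=10):
    """Seconds at which a router exports records for a flow that sends packets
    continuously from `start` to `end`: one record each time the active timer
    fires while the flow is still running, plus one when the inactive timer
    expires after the last packet."""
    if end < start:
        raise ValueError("flow ends before it starts")
    exports = []
    t = start + active
    while t < end:
        exports.append(t)
        t += active
    exports.append(end + inactive)
    return exports


def display_intervals(exports, poll=10, aging=120):
    """Half-open [shown_from, shown_until) intervals during which the display
    draws the flow: a record becomes visible at the first poll after it arrives
    and is aged out `aging` seconds later; overlapping intervals are merged."""
    intervals = []
    for t in sorted(exports):
        shown = math.ceil(t / poll) * poll
        until = shown + aging
        if intervals and shown <= intervals[-1][1]:
            intervals[-1] = (intervals[-1][0], max(intervals[-1][1], until))
        else:
            intervals.append((shown, until))
    return intervals


def display_lag(start, end, **kw):
    """(seconds before the flow first appears, seconds it lingers after the flow
    ended, whether the display ever goes dark while the flow is still running)."""
    timers = {k: kw[k] for k in ("active", "inactive") if k in kw}
    view = {k: kw[k] for k in ("poll", "aging") if k in kw}
    iv = display_intervals(export_times(start, end, **timers), **view)
    return iv[0][0] - start, iv[-1][1] - end, len(iv) > 1


if __name__ == "__main__":
    for dur in (40, 120, 240):   # the slide's 40 sec, 2 min and 4 min flows
        print(dur, export_times(0, dur), display_intervals(export_times(0, dur)))
```

With the slide's values a 40 sec flow is not seen until 50 sec after it started, every flow lingers about two minutes after it ends, and a long flow is drawn continuously only because the aging time (2 min) exceeds the active timer (1 min) plus the poll interval. Setting aging shorter than the active timer makes a live flow blink in and out, which `display_lag(0, 240, aging=30)` shows.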
Flow Display and Processing Issues
Flow Display and Processing Issues
• Issues
  • Sheer number of flows
  • Efficient storage and retrieval for display
  • Temporal aspect of flows
  • Display layer performance
• Top N or Bottom N Flows
  • Reduce amount of displayed items
• Aggregation of same flow records
  • Merging
  • Merge flows based on attributes
  • DSCP, IP address, Rate, Bytes
  • Match based
• Filtering
  • Basic - src/dst ip, port, dscp etc
  • Advanced – BGP AS, next hop, ..
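Added example (not the tool's code) of the three reduction steps on this slide run over constructed flow records: merge records that agree on a chosen set of attributes, filter on basic or advanced fields, and keep only the top or bottom N by bytes. The field names and the records are assumptions; the last function, a per-source count of distinct destinations, is the "isolation down to a particular source" view that surfaces the fan-out pattern of the scanning visualization later in the deck.

```python
from collections import defaultdict

# Constructed records in the shape a collector might keep per flow.
RECORDS = [
    {"src": "172.16.12.10", "dst": "192.168.31.5", "dport": 443, "proto": 6, "dscp": 0, "bytes": 12000, "dst_as": 65001, "nexthop": "192.168.30.2"},
    {"src": "172.16.12.10", "dst": "192.168.31.5", "dport": 443, "proto": 6, "dscp": 0, "bytes": 8000, "dst_as": 65001, "nexthop": "192.168.30.2"},
    {"src": "172.16.12.11", "dst": "192.168.31.9", "dport": 5060, "proto": 17, "dscp": 46, "bytes": 300, "dst_as": 65001, "nexthop": "192.168.30.2"},
    {"src": "172.16.12.11", "dst": "192.168.31.9", "dport": 16384, "proto": 17, "dscp": 46, "bytes": 90000, "dst_as": 65001, "nexthop": "192.168.30.2"},
    {"src": "172.16.13.7", "dst": "10.9.9.1", "dport": 445, "proto": 6, "dscp": 0, "bytes": 120, "dst_as": 65010, "nexthop": "192.168.30.6"},
    {"src": "172.16.13.7", "dst": "10.9.9.2", "dport": 445, "proto": 6, "dscp": 0, "bytes": 120, "dst_as": 65010, "nexthop": "192.168.30.6"},
    {"src": "172.16.13.7", "dst": "10.9.9.3", "dport": 445, "proto": 6, "dscp": 0, "bytes": 120, "dst_as": 65010, "nexthop": "192.168.30.6"},
    {"src": "172.16.13.7", "dst": "10.9.9.4", "dport": 445, "proto": 6, "dscp": 0, "bytes": 120, "dst_as": 65010, "nexthop": "192.168.30.6"},
]


def merge_flows(records, keys=("src", "dst", "dport", "proto", "dscp")):
    """Collapse records that agree on `keys` into one, summing bytes and counting
    how many exported records fed it (a long flow exports many records)."""
    merged = {}
    for r in records:
        k = tuple(r[f] for f in keys)
        if k not in merged:
            merged[k] = dict(zip(keys, k), bytes=0, records=0)
        merged[k]["bytes"] += r["bytes"]
        merged[k]["records"] += 1
    return list(merged.values())


def filter_flows(records, **criteria):
    """Keep records whose fields equal the given values; a set matches any member.
    Basic fields (src, dst, dport, dscp) and advanced ones (dst_as, nexthop) work alike."""
    def keep(r):
        for field, want in criteria.items():
            value = r.get(field)
            if isinstance(want, (set, frozenset)):
                if value not in want:
                    return False
            elif value != want:
                return False
        return True
    return [r for r in records if keep(r)]


def top_n(records, n, field="bytes", bottom=False):
    """Top N (or bottom N) records by `field`, to cut what the display has to draw."""
    return sorted(records, key=lambda r: r[field], reverse=not bottom)[:n]


def distinct_count(records, group="src", field="dst"):
    """For each value of `group`, how many distinct `field` values it touched."""
    seen = defaultdict(set)
    for r in records:
        seen[r[group]].add(r[field])
    return {g: len(s) for g, s in seen.items()}


if __name__ == "__main__":
    for r in top_n(merge_flows(RECORDS), 3):
        print(r["src"], r["dst"], r["dport"], r["bytes"], r["records"])
    print(distinct_count(filter_flows(RECORDS, dport=445)))
```

Merging before ranking matters: without it the two 443 records rank separately and the conversation's real volume (20000 bytes) is understated.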
NetFlow Specific Issues
• Flow Data
  • Router sourced or consumed flows
  • Index to interface number mapping, Null/Local
  • Not always correct, MIB issues
• Differences
  • ASA vs Router vs Switch
  • Intra VLAN, Layer 3
  • NetFlow and sFlow
  • SNMP based flow
• Time Related
  • Flow time outs – active/inactive
  • Flow time stamps
• NetFlow configuration
  • Flexible NetFlow
Visualization - Scanning
Visualization - VoIP Call Tracing
Visualization - Multicast Traffic
Visualization - Multicast Traffic
Last Hop Router
• Egress flows not showing
• Traffic shown as going to Null but really router CPU
Visualization - Load Sharing
Interactions with Flows
1) Identify flow visually
2) Create ACL
3) ACL for PBR
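The three steps above, as an added Python example (not the tool's code) that takes the flow picked out of the display and emits the IOS configuration for steps 2 and 3: an extended ACL matching just that flow, and a route-map that policy-routes it to a chosen next hop (a sensor or sinkhole, for instance), applied on the interface where the flow enters the router. The flow, the names, the interface and the next-hop address are assumptions.

```python
import ipaddress

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed flow as the display would hand it over: the scanning source seen earlier.
SUSPECT = {"src": "172.16.13.7", "dst": "10.9.9.4", "proto": 6, "dport": 445,
           "in_if": "FastEthernet0/0"}


def acl_for_flow(name, src, dst, proto, dport=None):
    """Extended ACL that matches exactly one flow. In a PBR route-map 'permit'
    means 'policy-route this', so match narrowly: host/host plus port, never a
    wildcard that would also redirect unrelated traffic."""
    ipaddress.IPv4Address(src)   # reject junk before it reaches a router config
    ipaddress.IPv4Address(dst)
    proto_kw = PROTO_NAMES.get(proto, str(proto))
    entry = "permit %s host %s host %s" % (proto_kw, src, dst)
    if dport is not None:
        if proto not in (6, 17):
            raise ValueError("a port qualifier needs tcp or udp")
        entry += " eq %d" % dport
    return ["ip access-list extended %s" % name, " " + entry]


def pbr_for_flow(flow, next_hop, ingress_if, seq=10):
    """Route-map redirecting the matched flow to `next_hop`, bound to the ingress
    interface: PBR acts on ingress, which is why the display's ingress/egress
    labels matter when choosing where to apply it."""
    ipaddress.IPv4Address(next_hop)
    acl = "FLOW-%s-%s" % (flow["src"].replace(".", "-"), flow.get("dport") or flow["proto"])
    rmap = "REDIRECT-" + acl
    lines = acl_for_flow(acl, flow["src"], flow["dst"], flow["proto"], flow.get("dport"))
    lines += ["route-map %s permit %d" % (rmap, seq),
              " match ip address %s" % acl,
              " set ip next-hop %s" % next_hop,
              "interface %s" % ingress_if,
              " ip policy route-map %s" % rmap]
    return lines


def verify_commands(config_lines):
    """IOS show commands to confirm the policy is in place and the ACL is hitting."""
    acl = config_lines[0].split()[-1]
    rmap = config_lines[-1].split()[-1]
    return ["show ip access-lists %s" % acl, "show route-map %s" % rmap, "show ip policy"]


if __name__ == "__main__":
    cfg = pbr_for_flow(SUSPECT, "192.168.30.254", SUSPECT["in_if"])
    print("\n".join(cfg))
    print("!", *verify_commands(cfg), sep="\n! ")
```

After applying the lines, the ACL hit counter in `show ip access-lists` is the check that the flow seen in the display is the one actually being redirected; a counter that stays at zero means the flow enters on a different interface than the one the policy was bound to.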
Correlating Flow with QoS and Flow Based Graphs
Investigating Inbound Traffic Spike
• FA0 interface showed spike in flows
• Inbound flow graphed
• Correlated to QoS statistics graph
Flow with other Network Visualization
[Diagram: Flow layer alongside the Service Level Agreement, Routing and Quality of Service layers]
Flow Layer Visualization
Routing Layer Visualization
Quality of Service and Ping Visualization
Service Level Agreement Visualization
Flow with other Network Visualization
• Service Level Agreement: Latency, Jitter, Loss, MOS
• Flow: Actual Path, Load Sharing
• Routing: Route Path, Asymmetric, Summarization
• Quality of Service: Priority, BW, Queues, Drops
Usage: Talisman Saber Exercises, US Marines
[Network diagram: nodes labeled SIPR, CFE, RIPR, RR and TL spanning Australia, Schofield (Hawaii) and Okinawa; Marines III MEF]
Usage: US Navy Exercises
[Diagram: Shore NOC, NNOC, Edge Routers, RIPR, Fleet Router]
• Fleet monitoring of operational traffic
• Traffic over satcom
• Voice from ship to shore
• CND exercise
  • Monitoring red team attacks
  • Working with sensors
Issues and Limitations
• Not Good At
  • Showing large quantities of flows
  • Finding needle in hay stack
  • Pattern or algorithm analysis
• Usage Issues
  • Access to routers
  • Over WAN usage
  • Flow from multiple routers
  • Bandwidth in monitoring
Summary
• Future Work
  • Additional Network SA
  • Distributed Architecture
  • Cisco Flexible NetFlow
• For More Information
  • [email protected]
  • www.actionpacked.com