Real Time Topology Based Flow Visualization
John K. Smith, jsmith@referentia.com
Referentia Systems Incorporated
Flocon 2011, Salt Lake City, UT
Referentia Systems Incorporated ‐ Confidential
Agenda
• Flow Visualization Tool Overview
• Visualizations and Design Issues
• Use Cases
NOTE: Networks shown in this presentation are simulated, not actual DoD networks, traffic or addresses.
Beginnings
• Initial Goal
  • Network Quality of Service Monitor and Control
  • Tactical Military Networks
  • Easy to use for E3-E5 (Sergeant)
• Working With
  • Office of Naval Research
  • U.S. Marines
  • Marine Forces Pacific (MARFORPAC)
  • 3rd Marine Expeditionary Force (III MEF)
Tool Overview
[Diagram: tool capabilities. Labels: Quality of Service Configuration, Routing Visualizations, Service Level Agreement Monitoring, Flow Monitoring, Historical Analysis, Network Management, Visualization, Network Situational Awareness, Computer Network Defense]
Why Topology Based Visualization
[Figures: network models as hand drawings and Visio diagrams]
• Can't interactively explore
• No correlation to live network data
• Not always accurate or kept current
Mental Model
• Accuracy and fidelity of the model
• Ability to explore the model
• Interact with the model
Mental Model and Situational Awareness
DMTF CIM Model
• Very detailed model of network devices and protocols
• Vendor neutral
• Currently we use
  • A simpler subset of CIM
  • Performance and flow data added
Tool Design
Topology Based Flow Visualization
• Flow Collector
  • Not a generator like Argus or YAF
  • Time series storage
  • Netflow v5-v9, sFlow, Jflow
  • Cisco Flexible Netflow setup
• Flow Visualization
  • Topology from real networks
  • Discovery
  • Model creation from config
  • Node and edge displays
• Flow Projection
  • “Real Time” – as real time as NetFlow can be
  • Projection of flows onto topology
What is it for?
• Network Management
  • It's really hard to know what’s going on in a router
  • Let alone across routers in a network
  • Where problem locations are, where to fix
• Network SA
  • Knowing how flows are routed
  • Knowing direction, load sharing
  • Flow – Routing – QoS – SLA
• CND
  • Doesn’t solve finding needle in haystack problem
  • Doesn’t do pattern analysis
  • Can be used with sensors to alert and monitor events
  • Response planning and actions
  • Complements forensic analysis
Flow System View
[Figure labels: Router, Egress, Subnets, Ingress]
Flow System View
• Panning
• Zooming
• Color Coding
• Aggregation
Flow System View
• Filtering
• Tracing of Flows
• Source and Destination ID
• DNS Resolution
• Historical Replay
• Black Listed IP ID
Device Topology View
• Device Level View
• Process Flows in Real Time
• Updates Display – 10 sec
• Shows IP to IP, Port to Port
• Switching Path
Individual Flow
• Isolation down to particular source
• Aggregation along shared path
• Highlighting of black listed address
• Tunnel to physical interface association
• Indicators for policies such as ACL, QoS, PBR
Device Topology View
• Table View
• Using Flexible Netflow
• IPv6
• MAC, TCP
• AS Number
• Next Hop etc
Display Updates and NetFlow Behavior
• Static display easier, real time* is harder
• How long to leave flows displayed
• Process flow records as they come in
• Update/Refresh rate of the display – 10 sec
• Aging of the flows out of the display
• Router – active/inactive timer settings
[Timing diagram: Poll 10 sec, Aging Time 2 min, Active Timer 1 min, Inactive Timer 10 sec; timelines for a 40 sec flow, a 2 min flow and a 4 min flow, each showing the real flow, X marks and aging periods]
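The timing on this slide can be worked through in code. The following is an added example, not part of the original presentation: it uses the slide's values (10 sec refresh, 2 min aging, 1 min active timer, 10 sec inactive timer) and a simplified router model, stated in the comments, to show when each flow is drawn and what happens if aging is set shorter than the active timer. The function names are assumptions.

```python
# Simplified model (assumption): continuous traffic from t=0 to t=duration,
# no export or transit delay, timers fire exactly on time. Times in seconds.

def export_times(duration, active=60, inactive=10):
    """Times at which the router exports a record for one flow."""
    # Active timer: a still-running flow is exported every `active` seconds.
    times = list(range(active, duration, active))
    # Inactive timer: the last cache entry is exported `inactive` seconds
    # after the final packet.
    times.append(duration + inactive)
    return times

def _next_tick(t, refresh):
    """First display refresh tick at or after time t."""
    return -(-t // refresh) * refresh

def visible_intervals(records, aging=120, refresh=10):
    """(on, off) refresh ticks during which the flow is drawn."""
    intervals = []
    for t in sorted(records):
        on = _next_tick(t, refresh)
        off = _next_tick(t + aging, refresh)
        if intervals and on <= intervals[-1][1]:
            # A fresh record arrived before the flow aged out: keep it drawn.
            intervals[-1] = (intervals[-1][0], off)
        else:
            intervals.append((on, off))
    return intervals

def stale_seconds(duration, **kw):
    """How long the display keeps showing a flow after it really ended."""
    shown = visible_intervals(export_times(duration), **kw)
    return shown[-1][1] - duration

if __name__ == "__main__":
    for d in (40, 120, 240):   # the 40 sec, 2 min and 4 min flows
        recs = export_times(d)
        print(d, recs, visible_intervals(recs), stale_seconds(d))
    # Aging shorter than the active timer: a live 4 min flow blinks off
    # between exports even though traffic never stopped.
    print(visible_intervals(export_times(240), aging=30))
```

With the slide's settings a 40 sec flow first appears only after it has already ended, which is the sense in which the display is "as real time as NetFlow can be".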
Flow Display and Processing Issues
Flow Display and Processing Issues
• Issues
  • Sheer number of flows
  • Efficient storage and retrieval for display
  • Temporal aspect of flows
  • Display layer performance
• Top N or Bottom N Flows
  • Reduce amount of displayed items
• Aggregation of same flow records
• Merging
  • Merge flows based on attributes
  • DSCP, IP address, Rate, Bytes
  • Match based
• Filtering
  • Basic - src/dst ip, port, dscp etc
  • Advanced – BGP AS, next hop, ..
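The reduction steps listed on this slide (aggregating records of the same flow, merging on a chosen attribute, Top N / Bottom N, basic filtering) can be sketched as follows. This is an added example, not the tool's own code; the record layout, field names and sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (documentation address ranges).
RECORDS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 5060, "dscp": 46, "bytes": 4000},
    # Second export of the same long-lived flow (active timer fired):
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 5060, "dscp": 46, "bytes": 6000},
    {"src": "192.0.2.11", "dst": "198.51.100.5", "dport": 443, "dscp": 0, "bytes": 15000},
    {"src": "192.0.2.12", "dst": "198.51.100.9", "dport": 443, "dscp": 0, "bytes": 2500},
    {"src": "192.0.2.10", "dst": "198.51.100.9", "dport": 53, "dscp": 0, "bytes": 300},
]

FLOW_KEY = ("src", "dst", "dport", "dscp")

def merge_flows(records, keys=FLOW_KEY):
    """Sum bytes over records that agree on `keys`.

    With the full flow key this aggregates repeated exports of one flow;
    with a single attribute such as ("dscp",) it merges many flows into
    one displayed item.
    """
    merged = defaultdict(lambda: {"bytes": 0, "records": 0})
    for rec in records:
        entry = merged[tuple(rec[k] for k in keys)]
        entry["bytes"] += rec["bytes"]
        entry["records"] += 1
    return dict(merged)

def top_n(merged, n, bottom=False):
    """Keep only the N largest (or smallest) items by byte count."""
    ranked = sorted(merged.items(), key=lambda kv: kv[1]["bytes"],
                    reverse=not bottom)
    return ranked[:n]

def basic_filter(records, **match):
    """Basic filter: keep records whose fields equal the given values."""
    return [r for r in records if all(r[k] == v for k, v in match.items())]

if __name__ == "__main__":
    flows = merge_flows(RECORDS)
    print("distinct flows:", len(flows))
    print("top 2:", top_n(flows, 2))
    print("by DSCP:", merge_flows(RECORDS, keys=("dscp",)))
    print("to .5 only:", len(basic_filter(RECORDS, dst="198.51.100.5")))
```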
NetFlow Specific Issues
• Flow Data
  • Router sourced or consumed flows
  • Index to interface number mapping, Null/Local
  • Not always correct, MIB issues
• Differences
  • ASA vs Router vs Switch
  • Intra VLAN, Layer 3
  • NetFlow and sFlow
  • SNMP based flow
• Time Related
  • Flow time outs – active/inactive
  • Flow time stamps
• NetFlow configuration
  • Flexible NetFlow
Visualization - Scanning
Visualization - VoIP Call Tracing
Visualization - Multicast Traffic
Visualization - Multicast Traffic
• Last Hop Router
• Egress flows not showing
• Traffic shown as going to Null but really router CPU
Visualization - Load Sharing
Interactions with Flows
1) Identify flow visually
2) Create ACL
3) ACL for PBR