SLIDE 1

Real Time Topology Based Flow Visualization

John K. Smith, jsmith@referentia.com, Referentia Systems Incorporated

Referentia Systems Incorporated ‐ Confidential

Flocon 2011, Salt Lake City, UT

SLIDE 2

Agenda

  • Flow Visualization Tool Overview
  • Visualizations and Design Issues
  • Use Cases

NOTE: Networks shown in this presentation are simulated, not actual DoD networks, traffic or addresses.

SLIDE 3

Beginnings

  • Initial Goal
    • Network Quality of Service Monitor and Control
    • Tactical Military Networks
    • Easy to use for E3-E5 (Sergeant)
  • Working With
    • Office of Naval Research
    • U.S. Marines
      • Marine Forces Pacific (MARFORPAC)
      • 3rd Marine Expeditionary Force (III MEF)

SLIDE 4 (repeated as SLIDE 5)

Tool Overview

[Diagram of tool components: Flow, Routing, Quality of Service, Configuration, Service Level Agreement Monitoring, Historical Analysis, Visualization, Network Situational Awareness, Network Management, Computer Network Defense]

SLIDE 6

Why Topology Based Visualization Model

[Figure: hand-drawn network sketch of Catalyst 3550 switches, VLAN 100 and F0/0, F0/1, F0/0/0 router interfaces]

Hand Drawings

[Figure: Visio diagram of the same kind of network, with subnets 172.16.12.0/24 and 172.16.13.0/24, VLANs 21-24, router interfaces 192.168.3.1/24 and 192.168.31.1/24]

Visio Diagrams

  • Can't interactively explore
  • No correlation to live network data
  • Not always accurate or kept current
SLIDE 7

Mental Model

  • Accuracy and fidelity of the model
  • Ability to explore the model
  • Interact with the model
SLIDE 8

Mental Model and Situational Awareness

SLIDE 9

DMTF CIM Model

  • Very detailed model of network devices and protocols
  • Vendor neutral
  • Currently we use
    • A simpler subset of CIM
    • Performance and flow data added

SLIDE 10

Tool Design

SLIDE 11

Topology Based Flow Visualization

  • Flow Collector
    • Not a generator like Argus or YAF
    • Time series storage
    • NetFlow v5-v9, sFlow, J-Flow
    • Cisco Flexible NetFlow setup
  • Flow Visualization
    • Topology from real networks
      • Discovery
      • Model creation from config
    • Node and edge displays
    • Flow Projection
      • "Real Time": as real time as NetFlow can be
      • Projection of flows onto topology
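A collector's first job is to decode what the routers export. The following is an added example, not code from the presenter's tool: a decoder for the NetFlow v5 export format (the oldest of the v5-v9 family the slide lists), which turns the router's uptime-relative first/last fields into absolute timestamps that a time-series store and a display aging policy can use. The two-record datagram it builds is constructed here for illustration; the addresses, interface indexes and byte counts are assumptions, not captured traffic.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List

# NetFlow v5 export format: 24-byte header followed by up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


@dataclass
class FlowRecord:
    src: str
    dst: str
    nexthop: str
    in_if: int          # SNMP ifIndex of the input interface (0 = Null/Local)
    out_if: int         # SNMP ifIndex of the output interface (0 = Null/Local)
    packets: int
    octets: int
    start: float        # absolute Unix time of the first packet
    end: float          # absolute Unix time of the last packet
    sport: int
    dport: int
    tcp_flags: int
    proto: int
    tos: int
    src_as: int
    dst_as: int
    src_mask: int
    dst_mask: int

    @property
    def dscp(self) -> int:
        return self.tos >> 2   # DSCP is the top six bits of the ToS byte


def parse_v5(datagram: bytes) -> List[FlowRecord]:
    """Decode one NetFlow v5 UDP payload into flow records with absolute timestamps."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    (version, count, sys_uptime_ms, unix_secs, unix_nsecs,
     _sequence, _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > V5_MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    # Record first/last are router uptime offsets in ms. The header carries the
    # exporter's (uptime, wall clock) pair at export time, so boot_time turns
    # every offset into an absolute time; exporter clock skew shifts all of
    # them equally, which is why collectors compare against their own clock too.
    boot_time = unix_secs + unix_nsecs / 1e9 - sys_uptime_ms / 1000.0
    records = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, src_as, dst_as, src_mask, dst_mask, _pad2) = fields
        records.append(FlowRecord(
            src=str(ipaddress.IPv4Address(src)), dst=str(ipaddress.IPv4Address(dst)),
            nexthop=str(ipaddress.IPv4Address(nexthop)), in_if=in_if, out_if=out_if,
            packets=pkts, octets=octets,
            start=boot_time + first / 1000.0, end=boot_time + last / 1000.0,
            sport=sport, dport=dport, tcp_flags=flags, proto=proto, tos=tos,
            src_as=src_as, dst_as=dst_as, src_mask=src_mask, dst_mask=dst_mask))
    return records


def _packed(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def sample_datagram() -> bytes:
    """Constructed two-record export (illustrative addresses, not captured traffic)."""
    header = V5_HEADER.pack(5, 2, 600_000, 1_300_000_000, 0, 0, 0, 0, 0)  # 10 min uptime
    # TCP/443 transit flow, EF-marked (ToS 0xB8), in ifIndex 3, out ifIndex 5.
    https = V5_RECORD.pack(_packed("10.1.1.10"), _packed("10.2.2.20"), _packed("10.0.0.1"),
                           3, 5, 40, 52_000, 540_000, 599_000, 52_001, 443,
                           0, 0x18, 6, 0xB8, 64512, 64513, 24, 24, 0)
    # UDP multicast flow with output ifIndex 0: the "Null/Local" case.
    mcast = V5_RECORD.pack(_packed("10.1.1.11"), _packed("224.0.1.1"), _packed("0.0.0.0"),
                           3, 0, 5, 500, 598_000, 599_500, 5000, 5000,
                           0, 0, 17, 0, 0, 0, 24, 0, 0)
    return header + https + mcast
```

The length and count checks matter for a collector that listens on UDP from many routers: a short or mis-counted datagram is rejected rather than read past its end. v9 and Flexible NetFlow replace the fixed record with template-described records, so the decoder above is the v5 special case of that design.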
SLIDE 12

What is it for?

  • Network Management
    • It's really hard to know what's going on in a router, let alone across routers in a network
    • Where problem locations are, where to fix
  • Network SA
    • Knowing how flows are routed
    • Knowing direction, load sharing
    • Flow – Routing – QoS – SLA
  • CND
    • Doesn't solve the needle-in-a-haystack problem
    • Doesn't do pattern analysis
    • Can be used with sensors to alert on and monitor events
    • Response planning and actions
    • Complements forensic analysis
SLIDE 13

Flow System View

[Screenshot: a router with its subnets, showing egress and ingress flows]

SLIDE 14

Flow System View

  • Panning
  • Zooming
  • Color Coding
  • Aggregation

SLIDE 15

Flow System View

  • Filtering
  • Tracing of Flows
  • Source and Destination ID
  • DNS Resolution
  • Historical Replay
  • Black Listed IP ID

SLIDE 16

Device Topology View

  • Device Level View
  • Process Flows in Real Time
  • Updates Display – 10 sec
  • Shows IP to IP, Port to Port
  • Switching Path

SLIDE 17

Individual Flow

  • Isolation down to a particular source
  • Aggregation along shared path
  • Highlighting of black listed address
  • Tunnel to physical interface association
  • Indicators for policies such as ACL, QoS, PBR

SLIDE 18

Device Topology View

  • Table View
  • Using Flexible NetFlow
    • IPv6
    • MAC, TCP
    • AS Number
    • Next Hop etc.

SLIDE 19

Display Updates and NetFlow Behavior

  • Static display easier, real time* is harder
  • How long to leave flows displayed
  • Process flow records as they come in
  • Update/Refresh rate of the display – 10 sec
  • Aging of the flows out of the display
  • Router – active/inactive timer settings

[Timeline diagram: poll interval 10 sec, display aging time 2 min, router active timer 1 min, inactive timer 10 sec; rows for a 40 sec flow, a 2 min flow and a 4 min flow, each showing the real flow against the exported records (X) and the displayed flow as it ages out]
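The timeline on this slide can be reproduced with a small simulation. This is an added example, not the presenter's code: a router exports a record for a long-lived flow at every active-timer expiry and a final record one inactive-timer after the last packet; the display polls on a fixed interval and keeps a flow on screen for an aging period after the newest record it has seen. The timer values are the slide's; the flows and the poll alignment are constructed assumptions.

```python
from typing import List, Tuple


def export_times(duration: int, active: int, inactive: int) -> List[int]:
    """Seconds after the first packet at which the router emits a record for the flow.

    A record is exported at every active-timer expiry while the flow keeps
    sending, and a final one `inactive` seconds after the last packet. A flow
    shorter than the active timer produces only that final record, so it is
    never seen by the display while it is actually running.
    """
    times = list(range(active, duration + 1, active))
    times.append(duration + inactive)
    return times


def visible_polls(duration: int, active: int, inactive: int, poll: int, aging: int) -> List[bool]:
    """Per display poll tick, whether the flow is on screen.

    A record is visible from its export time until `aging` seconds later; the
    flow is drawn if any of its records is currently visible.
    """
    exports = export_times(duration, active, inactive)
    horizon = exports[-1] + aging
    return [any(e <= t < e + aging for e in exports) for t in range(0, horizon + 1, poll)]


def display_behaviour(duration: int, active: int, inactive: int, poll: int, aging: int) -> Tuple[int, int]:
    """(seconds until the flow first appears, number of times it vanishes and comes back)."""
    vis = visible_polls(duration, active, inactive, poll, aging)
    first = vis.index(True)
    reappearances = 0
    prev = True
    for v in vis[first + 1:]:
        if v and not prev:          # an off-to-on transition after first appearance = flicker
            reappearances += 1
        prev = v
    return first * poll, reappearances
```

With the slide's settings (10 s poll, 2 min aging, 1 min active, 10 s inactive) the 4-minute flow appears after 60 s and stays up until it ages out; cut the aging time below the active timer and the same flow blinks on and off once per active-timer period, which is the failure the slide's "aging" rows illustrate. The working rule this gives is aging ≥ active timer + poll interval (plus whatever export delay the path adds), and the active timer bounds how stale the "real time" view is, which is why the presenter tunes it down from router defaults (Cisco's default active timeout is 30 minutes).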

SLIDE 20

Flow Display and Processing Issues

SLIDE 21

Flow Display and Processing Issues

  • Issues
    • Sheer number of flows
    • Efficient storage and retrieval for display
    • Temporal aspect of flows
    • Display layer performance
  • Top N or Bottom N Flows
    • Reduce amount of displayed items
  • Aggregation of same flow records
    • Merging
    • Merge flows based on attributes
      • DSCP, IP address, Rate, Bytes
    • Match based
  • Filtering
    • Basic - src/dst ip, port, dscp etc.
    • Advanced – BGP AS, next hop, ..
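The three reductions the slide lists (merge records of the same flow, keep the top or bottom N, filter on basic or advanced attributes) compose into a short pipeline. The following is an added example, not the tool's code: records are plain dicts carrying the fields the slides mention, and the sample set is constructed to include one long flow exported three times by the active timer, one EF-marked voice flow, and a scanner that produces many tiny records.

```python
from typing import Callable, Dict, Iterable, List, Sequence

Flow = Dict[str, object]

# Constructed sample records (illustrative addresses). Times are seconds.
SAMPLE: List[Flow] = [
    # One TCP/443 conversation exported three times as the active timer expires.
    {"src": "10.1.1.10", "dst": "10.2.2.20", "sport": 52001, "dport": 443, "proto": 6,
     "dscp": 0, "bytes": 52_000, "start": 0, "end": 59, "dst_as": 64513, "nexthop": "10.0.0.1"},
    {"src": "10.1.1.10", "dst": "10.2.2.20", "sport": 52001, "dport": 443, "proto": 6,
     "dscp": 0, "bytes": 61_000, "start": 60, "end": 119, "dst_as": 64513, "nexthop": "10.0.0.1"},
    {"src": "10.1.1.10", "dst": "10.2.2.20", "sport": 52001, "dport": 443, "proto": 6,
     "dscp": 0, "bytes": 7_000, "start": 120, "end": 131, "dst_as": 64513, "nexthop": "10.0.0.1"},
    # Voice: EF-marked (DSCP 46), small and steady.
    {"src": "10.1.1.11", "dst": "10.3.3.30", "sport": 16384, "dport": 16384, "proto": 17,
     "dscp": 46, "bytes": 9_600, "start": 10, "end": 70, "dst_as": 64514, "nexthop": "10.0.0.2"},
    # Port scan: one source, one target, ten destination ports, one packet each.
    *[{"src": "10.9.9.9", "dst": "10.2.2.20", "sport": 40000 + p, "dport": p, "proto": 6,
       "dscp": 0, "bytes": 60, "start": 200, "end": 200, "dst_as": 64513, "nexthop": "10.0.0.1"}
      for p in range(20, 30)],
]


def merge(flows: Iterable[Flow], key: Sequence[str]) -> List[Flow]:
    """Merge records that agree on the `key` fields: sum bytes, widen the time span.

    Keying on the full 5-tuple collapses the repeated exports of one flow;
    keying on (src, dst) collapses a scan into a single src->dst item.
    """
    buckets: Dict[tuple, Flow] = {}
    for f in flows:
        k = tuple(f[field] for field in key)
        if k not in buckets:
            buckets[k] = {**{field: f[field] for field in key},
                          "bytes": 0, "start": f["start"], "end": f["end"], "records": 0}
        b = buckets[k]
        b["bytes"] += f["bytes"]
        b["start"] = min(b["start"], f["start"])
        b["end"] = max(b["end"], f["end"])
        b["records"] += 1
    return list(buckets.values())


def rate_bps(f: Flow) -> float:
    """Average bit rate over the merged span; a zero-length span is treated as one second."""
    return 8 * f["bytes"] / max(1, f["end"] - f["start"])


def top_n(flows: Iterable[Flow], n: int,
          key: Callable[[Flow], float] = lambda f: f["bytes"], bottom: bool = False) -> List[Flow]:
    """Top (or bottom) N items by any attribute, e.g. bytes or rate_bps."""
    return sorted(flows, key=key, reverse=not bottom)[:n]


def filter_flows(flows: Iterable[Flow], **criteria) -> List[Flow]:
    """Keep flows matching every criterion; a value may be a plain value or a predicate.

    Basic filters are equality on src/dst/port/dscp; advanced ones (BGP AS,
    next hop) are the same mechanism on the extra fields Flexible NetFlow exports.
    """
    def ok(f: Flow) -> bool:
        for field, want in criteria.items():
            have = f.get(field)
            if callable(want):
                if not want(have):
                    return False
            elif have != want:
                return False
        return True
    return [f for f in flows if ok(f)]
```

Merging on the 5-tuple reduces the 14 sample records to 12 display items (the three exports of the HTTPS flow become one); merging on (src, dst) reduces them to 3, and the scan shows up as one item whose record count is its port count. Rate has to be computed after merging, not merged itself, because the per-record rates of a long flow are not additive.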

SLIDE 22

NetFlow Specific Issues

  • Flow Data
    • Router sourced or consumed flows
    • Index to interface number mapping, Null/Local
    • Not always correct, MIB issues
  • Differences
    • ASA vs Router vs Switch
    • Intra VLAN, Layer 3
    • NetFlow and sFlow
    • SNMP based flow
  • Time Related
    • Flow time outs – active/inactive
    • Flow time stamps
  • NetFlow configuration
    • Flexible NetFlow
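Projecting a record onto the topology needs the input and output interface indexes resolved against the device's SNMP ifTable, and ifIndex 0 (the "Null/Local" value) needs a different treatment from a real edge. The following is an added example, not the presenter's code, covering the first bullet group of this slide and the multicast last-hop note on slide 26: the ifTable and records are constructed, and the role labels are this example's own names.

```python
import ipaddress
from typing import Dict

# Constructed SNMP ifTable for one router (ifIndex -> ifDescr), as polled by the collector.
IFTABLE: Dict[int, str] = {1: "FastEthernet0/0", 2: "FastEthernet0/1", 3: "Serial0/0/0", 10: "Tunnel0"}


def ifname(index: int, table: Dict[int, str]) -> str:
    """Map a NetFlow interface index to a name, keeping the two failure cases visible."""
    if index == 0:
        return "Null/Local"
    # The MIB issue the slide warns about: an index in the flow data that is not
    # in the polled ifTable (reindexing after reload, or a stale poll). Label it
    # rather than silently drawing the edge on the wrong interface.
    return table.get(index, f"unknown-ifIndex-{index}")


def classify(rec: Dict[str, object], table: Dict[int, str]) -> Dict[str, str]:
    """Label a record by how the router itself was involved in the flow."""
    in_if, out_if = rec["in_if"], rec["out_if"]
    dst = ipaddress.ip_address(rec["dst"])
    if in_if == 0 and out_if == 0:
        role = "router-internal"
    elif in_if == 0:
        role = "router-sourced"            # routing protocol, SNMP reply, ping from the router
    elif out_if == 0:
        # Output 0 covers both "delivered to the router" and "dropped" (ACL, no
        # route); the record alone cannot say which. Multicast at the last-hop
        # router is the case on slide 26: the router replicates or terminates
        # the group itself, so the display shows Null when it was really the CPU,
        # and no egress leg appears on the downstream edge.
        role = "punted-to-cpu (multicast last hop)" if dst.is_multicast else "router-consumed-or-dropped"
    else:
        role = "transit"
    return {"in": ifname(in_if, table), "out": ifname(out_if, table), "role": role}
```

Drawing a router-sourced or router-consumed record as a link between two interfaces is how phantom edges end up on a topology view; giving such records a role and attaching them to the node instead keeps the picture honest.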
SLIDE 23

Visualization - Scanning

SLIDE 24

Visualization - VoIP Call Tracing

SLIDE 25

Visualization - Multicast Traffic

SLIDE 26

Visualization - Multicast Traffic

Last Hop Router

  • Egress flows not showing
  • Traffic shown as going to Null but really router CPU
SLIDE 27

Visualization - Load Sharing

SLIDE 28

Visualization - Load Sharing

SLIDE 29

Visualization - Load Sharing

SLIDE 30

Interactions with Flows

  1) Identify flow visually
  2) Create ACL
  3) ACL for PBR
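The three steps above go from a flow the operator clicked on to device configuration. The following is an added example, not the tool's implementation: it emits Cisco IOS-style CLI text for an extended ACL built from the flow and a route-map that policy-routes what the ACL matches. The sample flow, the ACL and route-map names, the next hop and the ingress interface are constructed assumptions; `match_exact` chooses between the exact conversation (host/host plus destination port) and the source/destination subnets implied by the flow's masks, which is what a path change usually needs.

```python
import ipaddress
from typing import Dict, List

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}

# Constructed flow as the display would hand it over (masks from the NetFlow record).
SAMPLE_FLOW: Dict[str, object] = {"src": "10.1.1.10", "dst": "10.2.2.20", "proto": 6,
                                  "sport": 52001, "dport": 443, "src_mask": 24, "dst_mask": 24}


def _wildcard(addr: str, prefix: int) -> str:
    """IOS ACLs take network + wildcard (inverted) mask."""
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return f"{net.network_address} {net.hostmask}"


def acl_from_flow(flow: Dict[str, object], name: str, match_exact: bool = True) -> List[str]:
    proto_num = int(flow["proto"])
    proto = PROTO_NAMES.get(proto_num, str(proto_num))   # IOS accepts a numeric protocol too
    if match_exact:
        src, dst = f"host {flow['src']}", f"host {flow['dst']}"
    else:
        src = _wildcard(str(flow["src"]), int(flow["src_mask"]))
        dst = _wildcard(str(flow["dst"]), int(flow["dst_mask"]))
    ports = ""
    if match_exact and proto in ("tcp", "udp"):
        # Match the service port only; the source port is ephemeral and would
        # pin the ACL to this one connection.
        ports = f" eq {flow['dport']}"
    return [f"ip access-list extended {name}", f" permit {proto} {src} {dst}{ports}"]


def pbr_from_acl(acl_name: str, route_map: str, next_hop: str, ingress_if: str, seq: int = 10) -> List[str]:
    ipaddress.ip_address(next_hop)   # validate early: a mistyped next hop blackholes the matched traffic
    return [
        f"route-map {route_map} permit {seq}",
        f" match ip address {acl_name}",
        f" set ip next-hop {next_hop}",
        f"interface {ingress_if}",
        f" ip policy route-map {route_map}",
    ]


def steer_flow(flow: Dict[str, object], acl_name: str, route_map: str,
               next_hop: str, ingress_if: str, match_exact: bool = True) -> str:
    """Full snippet: ACL, route-map, and the policy applied on the flow's ingress interface."""
    lines = acl_from_flow(flow, acl_name, match_exact) + pbr_from_acl(acl_name, route_map, next_hop, ingress_if)
    return "\n".join(lines)
```

Two things to keep straight when this is wired to a button: the ACL is a match list for the route-map, not a filter, so unmatched traffic is still routed normally and a `permit` here blocks nothing; and PBR is applied on the interface the flow enters, which is why the ingress interface from the flow record (not the egress one) is the right place to attach it. Pushing the result should go through the same change control as any other router edit.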

SLIDE 31

Correlating Flow with QoS and Flow Based Graphs: Investigating an Inbound Traffic Spike

  • FA0 interface showed spike in flows
  • Inbound flow graphed
  • Correlated to QoS statistics graph

SLIDE 32

Flow with other Network Visualization

[Diagram of the visualization layers: Flow, Routing, Quality of Service, Service Level Agreement]

SLIDE 33

Flow Layer Visualization

SLIDE 34

Routing Layer Visualization

SLIDE 35

Quality of Service and Ping Visualization

SLIDE 36

Service Level Agreement Visualization

SLIDE 37

Flow with other Network Visualization

  Layer                    What it shows
  Flow                     Actual Path, Load Sharing
  Routing                  Route Path, Asymmetric, Summarization
  Quality of Service       Priority, BW, Queues, Drops
  Service Level Agreement  Latency, Jitter, Loss, MOS

SLIDE 38

Usage: Talisman Saber Exercises, US Marines (III MEF)

[Network diagram: SIPR and RIPR routers with TL and CFE nodes across Australia, Schofield (Hawaii) and Okinawa]

SLIDE 39

Usage: US Navy Exercises

[Diagram: Shore NOC / NNOC, edge routers, RIPR, fleet router]

  • Fleet monitoring of operational traffic
    • Traffic over satcom
    • Voice from ship to shore
  • CND exercise
    • Monitoring red team attacks
    • Working with sensors
SLIDE 40

Issues and Limitations

  • Not Good At
    • Showing large quantities of flows
    • Finding the needle in the haystack
    • Pattern or algorithm analysis
  • Usage Issues
    • Access to routers
    • Over WAN usage
      • Flow from multiple routers
      • Bandwidth in monitoring

SLIDE 41

Summary

  • Future Work
    • Additional Network SA
    • Distributed Architecture
    • Cisco Flexible NetFlow
  • For More Information
    • jsmith@referentia.com
    • www.actionpacked.com