NetFlow use cases ICmyNet / NetVizura Milo Zekovi, - - PowerPoint PPT Presentation

netflow use cases
SMART_READER_LITE
LIVE PREVIEW

NetFlow use cases ICmyNet / NetVizura Milo Zekovi, - - PowerPoint PPT Presentation

Oct 02, 2023 353 likes •634 views

NetFlow use cases ICmyNet / NetVizura Milo Zekovi, milos.zekovic@soneco.rs ICmyNet Chief Customer Officer Soneco d.o.o. Serbia Agenda ICmyNet / NetVizura overview Use cases / case studies Statistics per exporter/interfaces Traffic

slide-1
SLIDE 1

NetFlow use cases

ICmyNet / NetVizura

Miloš Zeković,

milos.zekovic@soneco.rs ICmyNet Chief Customer Officer Soneco d.o.o. Serbia

slide-2
SLIDE 2

2 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

Agenda

ICmyNet / NetVizura overview Use cases / case studies

Statistics per exporter/interfaces Traffic Patterns – NREN case study DoS Attack – case study Statistics with no netflow capable device – case study Other use cases

Questions

slide-3
SLIDE 3

3 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

ICmyNet / NetVizura

ICmyNet → NetVizura: Rebranding in progress NetFlow Analyzer (ICmyNet.Flow)

Statistics per Traffic Patterns and subnets Statistics per exporter/interfaces (v4) Statistics for each node, IP hierarchy More at www.icmynet.com

Free Academic Network Program

slide-4
SLIDE 4

4 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

Exporter/interface statistic

NetFlow enabled:

All significant exporters and their interfaces All on ingress or egress

Top exporters and interfaces Top talkers by interface, host, service, …

Throughput and Volume Bit/s, packet/s, flow/s In/Out + dst/src (host, services, AS)

slide-5
SLIDE 5

5 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

Exporter/interface statistic (2)

slide-6
SLIDE 6

6 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

NREN CS - challenge

AMRES, Serbian NREN

150+ member organisations 150 000 active users

Traffic Analysis per member

Geographically dispersed Hierarchical network: regions, cities, institutions IP address/subnet != member

Archive network logs for 1 year

slide-7
SLIDE 7

7 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

NREN CS - Solution

Deployment

Cisco NetFlow enabled on 2 central routers ICmyNet.Flow installed on 1 server

Configuration of ICmyNet.Flow

Members = subnets and Subnet Sets Specific traffic isolated with Traffic Patterns

NetFlow records in Raw Data

slide-8
SLIDE 8

8 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

NREN CS - Solution (2)

Traffic Pattern Specific traffic between two networks

slide-9
SLIDE 9

9 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

NREN CS - Solution (3)

slide-10
SLIDE 10

10 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

NREN CS – solution (4)

slide-11
SLIDE 11

11 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

NREN CS – Solution (3)

slide-12
SLIDE 12

12 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

NREN CS - Results

Two NetFlow devices – full network statistic Statistic per member

Statistic independent to network topology Bandwidth utilization understanding

Increased security awareness

slide-13
SLIDE 13

13 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

DoS Attack CS

slide-14
SLIDE 14

14 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

DoS Attack CS (2)

slide-15
SLIDE 15

15 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

DoS Attack CS (3)

slide-16
SLIDE 16

16 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

DoS Attack CS (4)

slide-17
SLIDE 17

17 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

DoS Attack CS (5)

Charts:

Bits and packets traffic looks normal Flows traffic shows an anomaly Anomaly related to UDP protocol and DNS service Host identified (top talker for DNS flows)

Raw Data:

Filtered by host, protocol and service port Grouped by destination IP addresses

slide-18
SLIDE 18

18 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

DoS Attack CS – results (6)

Isolated destinations with large number of DNS conversations In several clicks:

Attacker discovered Type of attack determined Victims identified

slide-19
SLIDE 19

19 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

No NetFlow devices CS - challenge

DZ Palilula, primary healthcare center, Serbia

One main clinic with local clinic network Centralized Healthcare software system Access through server in main clinic

Leased network devices (L3VPN)

No NetFlow enabled devices No device access

Privacy issues - patient medical data

slide-20
SLIDE 20

20 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

No NetFlow devices CS - solution

NetFlow probe - SoftFlowd

installed on two server interfaces: to clinics and to database Netflow data exported to ICmyNet Server Privacy - NetFlow only monitors statistic, not traffic content

Local clinics identified by IP addresses

Subnets for each clinic and their department

Service/Application monitor

Traffic Pattern for each service/application of interest

slide-21
SLIDE 21

21 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

No NetFlow devices CS - Results

NetFlow statistics without NetFlow devices

No devices purchased Statistics per clinic and department Statistics per service of interest

Better planning for future leased links and speed

Most active personnel and departments identified Periods of most activity identified L3VPN link speed optimization per clinic

Better service reliability

slide-22
SLIDE 22

22 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

Other use cases

Alarms

Threshold based Faster reaction Reaction when needed

Conversations

Identify top End to end talkers

Bandwidth management

Monitor specific services or traffic (Viber, YouTube etc.) Implement QoS policies

slide-23
SLIDE 23

23 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

Other use cases (2)

Blocked traffic

Interface out is 0 (traffic pattern) Firewall check Mitigated attacks check

“Rare” protocols

Monitor protocols other than TCP and UDP (99%)

Specific ports

Most attacks utilize open ports on several applications

slide-24
SLIDE 24

24 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

Question time

Questions?

slide-25
SLIDE 25

25 / 26 Miloš Zeković

ICmyNet Chief Customer Officer

Soneco, d.o.o. Serbia 8th September 2014

Thank you

slide-26
SLIDE 26

NetFlow use cases

ICmyNet / NetVizura

Miloš Zeković,

milos.zekovic@soneco.rs ICmyNet Chief Customer Officer Soneco d.o.o. Serbia