Features

November 2007

SPECIAL FOCUS: TESTING & MONITORING

Recapture network visibility

by Adam Powers

The popularity of multiprotocol label switching (MPLS) is driven by the need for more point-to-point communications to support voice over IP and videoconferencing, as well as other time-sensitive technologies. MPLS is less expensive and more versatile than traditional network architectures, since it can carry many types of traffic, including IP packets, native ATM, Ethernet frames and SONET. There is a significant price to pay for this convenience, performance and flexibility, however: the loss of visibility into network performance and the difficulty in securing every location in the MPLS mesh.

Prior to MPLS, hub-and-spoke network architectures were secured with firewalls, DMZs and centrally managed intrusion-detection/prevention systems (IDS). In this model, the IDS at the hub inspects all traffic passing between facilities. Security is achieved through the strategic location of packet-sniffing technology, and visibility is maintained as long as traffic passes reliably through the central hubs.

MPLS introduces the potential for the “spokes” to communicate directly with one another, bypassing the hub and associated packet-capture security appliances. This means that with traffic traveling freely from one facility to another, most traffic will bypass the centrally located packet-sniffing security appliances.

One solution to attain both traffic visibility and security throughout the network is to enable and collect NetFlow, which is natively available from within the existing network infrastructure, in order to monitor all MPLS traffic. NetFlow is an IP accounting technology designed to run in a small footprint aboard network routers and Layer 3-enabled switches, and it resides in just about every Layer 3 router from the major networking equipment makers.

As packets transit the router, a “flow cache” keeps track of the communications occurring across the router. Dozens of statistics are stored until the end of the communications, at which time the contents of the flow cache are sent across the network in a specially formatted user datagram protocol (UDP) packet called a NetFlow protocol data unit (PDU). A “flow collector” receives the PDU and analyzes its contents, reconstructing a full picture of the flows occurring on all routers.

The only new application needed is a suitable flow collector for network behavior analysis (NBA). The NBA flow collector is capable of aggregating, analyzing and deduplicating NetFlow data. NBA systems provide both network and security monitoring through the use of NetFlow. NBA collectors are available from vendors that specialize in analyzing flow-based traffic telemetry, as well as some network system performance-monitoring vendors.

Once NetFlow has been enabled, the NBA flow collector gathers and analyzes traffic over a learning period during which it establishes what normal traffic patterns look like. Organizations should choose an NBA system that is capable of identifying known bad traffic patterns, such as denial-of-service attacks, Trojan communications or worm propagation patterns, so that bad traffic present during the learning period is not baselined as normal.

An NBA system fed by NetFlow gives greater insight into security and performance, such as how many SYNs a device sends and receives, its normal rates of bits and packets per second, or the total number of bytes it moves during a 24-hour period. Anomalous traffic can then be identified quickly.
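The export-and-collect path described above (a router's flow cache exporting a NetFlow PDU, a collector decoding it, aggregating per-host statistics such as SYN counts and bytes, and comparing them with a learned baseline), written out as an added Python example that is not from the article or from Lancope's products. It assumes the fixed record layout of NetFlow version 5, a constructed sample PDU with made-up addresses (10.1.1.5, 10.1.1.77, 10.2.0.9), and an assumed baseline table; the SYN-only heuristic and the 3x / 10-flow thresholds are illustrative choices, not the article's.

```python
"""Minimal NetFlow v5 collector logic: parse exported PDUs, aggregate per-host
statistics and flag hosts whose SYN-only flow count exceeds a learned baseline.
The sample PDU is constructed in-line; addresses and baselines are assumptions."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire layout: 24-byte header followed by up to 30 48-byte records,
# all fields big-endian (network order).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
TCP, SYN, ACK, FIN = 6, 0x02, 0x10, 0x01


def build_v5_pdu(records, unix_secs=1194000000, seq=0):
    """Assemble one v5 PDU from (src, dst, proto, sport, dport, pkts, octets, flags)
    tuples, the way a router exports expired flow-cache entries (test data only)."""
    if len(records) > 30:
        raise ValueError("v5 PDU carries at most 30 records")
    body = b"".join(
        V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                       1, 2, pkts, octets, 0, 1000, sport, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, proto, sport, dport, pkts, octets, flags in records)
    header = V5_HEADER.pack(5, len(records), 60000, unix_secs, 0, seq, 0, 0, 0)
    return header + body


def parse_v5_pdu(data):
    """Decode a v5 PDU into flow dicts. The header is checked against the
    datagram length so a truncated or non-v5 datagram is rejected rather than
    mis-read as flow records (a collector sits on an open UDP port)."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short datagram")
    version, count, *_ = V5_HEADER.unpack_from(data, 0)
    if version != 5 or count > 30:
        raise ValueError(f"unsupported version/count: {version}/{count}")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
        })
    return flows


def summarize(flows):
    """Per-source-host counters of the kind an NBA collector baselines: flows,
    packets, octets and SYN-only flows (TCP flows in which the router saw a SYN
    but never an ACK, i.e. no handshake completed)."""
    per_host = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0, "syn_only": 0})
    for f in flows:
        h = per_host[f["src"]]
        h["flows"] += 1
        h["packets"] += f["packets"]
        h["octets"] += f["octets"]
        if f["proto"] == TCP and f["tcp_flags"] & SYN and not f["tcp_flags"] & ACK:
            h["syn_only"] += 1
    return dict(per_host)


def find_syn_anomalies(summary, baseline, factor=3, floor=10):
    """Flag hosts whose SYN-only count is at least `factor` times their learned
    baseline, never below `floor` so a baseline of zero cannot alert on one flow.
    Returns sorted (host, observed, baseline) tuples."""
    hits = []
    for host, stats in summary.items():
        expected = baseline.get(host, 0)
        if stats["syn_only"] >= max(floor, factor * expected):
            hits.append((host, stats["syn_only"], expected))
    return sorted(hits)


# Constructed sample: one host browsing normally, one probing 25 ports on a server.
NORMAL = [("10.1.1.5", "10.2.0.9", TCP, 40000 + i, 443, 12, 9000, SYN | ACK | FIN)
          for i in range(3)]
PROBE = [("10.1.1.77", "10.2.0.9", TCP, 50000 + p, p, 1, 44, SYN)
         for p in range(20, 45)]
SAMPLE_PDU = build_v5_pdu(NORMAL + PROBE)
BASELINE = {"10.1.1.5": 1, "10.1.1.77": 1}  # assumed learned SYN-only flows per interval


def run_sample():
    """Collector pass over the constructed PDU: returns (per-host summary, anomalies)."""
    summary = summarize(parse_v5_pdu(SAMPLE_PDU))
    return summary, find_syn_anomalies(summary, BASELINE)


if __name__ == "__main__":
    summary, hits = run_sample()
    for host, stats in sorted(summary.items()):
        print(host, stats)
    print("anomalies:", hits)
```

In a live deployment the bytes handed to `parse_v5_pdu` would come from a UDP socket bound to the export port configured on the routers, and the baseline would be accumulated over many intervals rather than typed in; the length check in the parser is the piece worth keeping as-is, since anything on the network can send datagrams to that port.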

In addition, with a baseline of normal network behavior in place, along with full visibility into all of the spokes within the MPLS mesh, the NBA system can sound alarms, send alerts and generate reports reliably in response to such anomalous network conditions as worm outbreaks, oversubscribed links, denial-of-service attacks and covert communications channels found in bot infections.

NBA not only strengthens security, but also consolidates many homegrown and low-end network traffic-monitoring point products. The historical network data and traffic behavioral analysis provide the insight that network administrators need to spot and correct potential service interruptions.

Adam Powers is the chief technology officer for Lancope, Alpharetta, Ga.
