Using flow-based IP traffic measurement for network security, discovery and inventory: a practical approcach on a satellite operator network
Software using TCP/IP model as an underlying layer for communication is very common in various large-scale production network. The behavior of software and its interaction within the network is very different following various aspect from software design, application operation to configuration. The analysis of the networked interactions from software components permits to better understand the operation of the software, design network structure, enforce a network security policy or debug communication. Prior to securing a network, crippled with legacy byzantine applications, a huge cartography work has to be undertaken to classify the network nodes and applications' behavior. Flow-based IP traffic measurement as popularized with Cisco NetFlow?, provides a solution to the discovery and inventory of these network interactions not a perfect approach but give already a starting technological tool. As the tool is only covering specific aspect of collection, a customized framework using FLOSS (Free/Libre and Open Source Software) tools has to be build on top to meet the expectation. Our expectation was to build a cartography of the operational network of the satellite operator infrastructure. Our approach is quite generic and could be applied to any other TCP/IP networks used for operational activities. By the use of the flow-based technology, we discovered some potential lacks on the technical and procedural aspects. Flow-based technologies for IP traffic measurement is still in the early stage of large adoption in the industry. Therefore the tools in use to mine the data collected with such technologies are often immature. From our practical point of view, we propose some tracks to improve flow-based analysis as well as the surrounding research.
What makes our status of satellites operators interesting to others regarding the subject ? I mean, NetFlow? analysis presented by a SP is interesting, due to the volume of traffic dealed with. What makes our experience on the SOC network interesting to others ? The pervasiveness of byzantine applications, using dynamic ports, not documented, and so on ? this is indeed a good playground to work on cartography problematics. Should we not cheat a bit and wear also a SP hat ? (which we have) . What worries me is that if we say "we work on 30 flows/s" this is not very spectacular, to say the least. Hell, we could as well use a full pcap capture, it would still be manageable on the SOC. And this is at best misleading, because our experience and knowledge go way beyond the problematics faced on the SOC
> We can find a way to mix both.
Alexandre Dulaunoy, email@example.com
flow-based IP traffic measurement, NetFlow?, Network Security, Network Analysis, Network Cartography
Prior to securing a network, crippled with legacy byzantine applications, a huge cartography work has to be undertaken to classify the network nodes and applications' behavior.
As traditional network capture does not play well on Gigabit Ethernet links, other approaches must be taken to fit the needs of the analysis.
flow-based technologies for IP traffic measurement is still in the early stage of large adoption in the industry. By that, the tools to use and mind the data provided by such technologies are still more younger.
1 paragraph of others flow-based technology.
A demonstration of the empirical approach.