Recent Events for foo.be MainPageDiary (Blog)

mcetech2006

TODO

Using flow-based IP traffic measurement for network security, discovery and inventory: a practical approcach on a satellite operator network

Abstract

Software using TCP/IP model as an underlying layer for communication is very common in various large-scale production network. The behavior of software and its interaction within the network is very different following various aspect from software design, application operation to configuration. The analysis of the networked interactions from software components permits to better understand the operation of the software, design network structure, enforce a network security policy or debug communication. Prior to securing a network, crippled with legacy byzantine applications, a huge cartography work has to be undertaken to classify the network nodes and applications' behavior. Flow-based IP traffic measurement as popularized with Cisco NetFlow?, provides a solution to the discovery and inventory of these network interactions not a perfect approach but give already a starting technological tool. As the tool is only covering specific aspect of collection, a customized framework using FLOSS (Free/Libre and Open Source Software) tools has to be build on top to meet the expectation. Our expectation was to build a cartography of the operational network of the satellite operator infrastructure. Our approach is quite generic and could be applied to any other TCP/IP networks used for operational activities. By the use of the flow-based technology, we discovered some potential lacks on the technical and procedural aspects. Flow-based technologies for IP traffic measurement is still in the early stage of large adoption in the industry. Therefore the tools in use to mine the data collected with such technologies are often immature. From our practical point of view, we propose some tracks to improve flow-based analysis as well as the surrounding research.

Authors

Introduction

An intro "Netflow-technologies" correct term ?

What we want ? by doing the analysis

Research track to be explored

Conclusion

Misc metaphysical questions

What makes our status of satellites operators interesting to others regarding the subject ? I mean, NetFlow? analysis presented by a SP is interesting, due to the volume of traffic dealed with. What makes our experience on the SOC network interesting to others ? The pervasiveness of byzantine applications, using dynamic ports, not documented, and so on ? this is indeed a good playground to work on cartography problematics. Should we not cheat a bit and wear also a SP hat ? (which we have) . What worries me is that if we say "we work on 30 flows/s" this is not very spectacular, to say the least. Hell, we could as well use a full pcap capture, it would still be manageable on the SOC. And this is at best misleading, because our experience and knowledge go way beyond the problematics faced on the SOC

> We can find a way to mix both.

Official abstract structure

1. A tentative title

2. Authors, and their affiliation

3. Author for correspondence

Alexandre Dulaunoy, adulau@foo.be

4. Keywords that best describe the contents of the paper. Make sure to include the industry, and the problem area (e.g., “automative industry, e-procurement”)

flow-based IP traffic measurement, NetFlow?, Network Security, Network Analysis, Network Cartography

5. A description of the problem

Prior to securing a network, crippled with legacy byzantine applications, a huge cartography work has to be undertaken to classify the network nodes and applications' behavior.

6. A description of existing approaches and of their adverstised benefits

As traditional network capture does not play well on Gigabit Ethernet links, other approaches must be taken to fit the needs of the analysis.

7. A description of the challenges you faced when applying existing approaches, or of the benefits you realized (or losses you incurred) when adopting such approaches

flow-based technologies for IP traffic measurement is still in the early stage of large adoption in the industry. By that, the tools to use and mind the data provided by such technologies are still more younger.

8. A description of the contents of your paper

Paper structure

An introduction to flow-based technologies for IP traffic measurement

NetFlow as a use case
Other "for information"

1 paragraph of others flow-based technology.

Particularisms from an analyst's point of view

Situation of industrial and telecom networks

Technical approach used with flow-based technologies

A demonstration of the empirical approach.

Outcome from the analysis

Evolution needed in the flow-based technologies

Conclusion