Using flow-based IP traffic measurement for network security, discovery and inventory: a practical approach on a satellite operator network
Software that uses the TCP/IP model as its underlying communication layer is very common in large-scale production networks. The behaviour of such software and its interactions within the network vary widely, depending on software design, application operation and configuration. Analysing the networked interactions between software components makes it possible to better understand how the software operates, to design the network structure, to enforce a network security policy or to debug communication. Before a network crippled with legacy byzantine applications can be secured, a large cartography effort has to be undertaken to classify the network nodes and the behaviour of the applications. Flow-based IP traffic measurement, as popularised by Cisco NetFlow, provides a means of discovering and inventorying these network interactions: not a perfect approach, but already a usable technological starting point. As the tool only covers specific aspects of collection, a customised framework assembled from FLOSS (Free/Libre and Open Source Software) tools has to be built on top of it to meet our expectations. Our expectation was to build a cartography of the operational network of a satellite operator's infrastructure. Our approach is fairly generic and could be applied to any other TCP/IP network used for operational activities. Through the use of flow-based technology, we discovered some potential gaps on both the technical and the procedural side. Flow-based technologies for IP traffic measurement are still at an early stage of large-scale adoption in the industry, and the tools used to mine the data collected with them are therefore often immature. From our practical point of view, we propose some directions for improving flow-based analysis as well as the surrounding research.
What makes our status as satellite operators interesting to others regarding the subject? I mean, NetFlow analysis presented by an SP is interesting because of the volume of traffic dealt with. What makes our experience on the SOC network interesting to others? The pervasiveness of byzantine applications, using dynamic ports, not documented, and so on? This is indeed a good playground to work on cartography problems. Should we not cheat a bit and also wear an SP hat? (which we have). What worries me is that if we say "we work on 30 flows/s" this is not very spectacular, to say the least. Hell, we could as well use a full pcap capture, it would still be manageable on the SOC. And this is at best misleading, because our experience and knowledge go way beyond the problems faced on the SOC.
> We can find a way to mix both.
Alexandre Dulaunoy, email@example.com
flow-based IP traffic measurement, NetFlow, network security, network analysis, network cartography
Before a network crippled with legacy byzantine applications can be secured, a large cartography effort has to be undertaken to classify the network nodes and the behaviour of the applications.
As traditional full packet capture does not scale well on Gigabit Ethernet links, other approaches must be taken to fit the needs of the analysis: a flow record summarises a whole conversation in a small fixed-size record, independently of the payload carried, so the volume to store and mine grows with the number of conversations rather than with the bytes on the wire.
Flow-based technologies for IP traffic measurement are still at an early stage of large-scale adoption in the industry; as a consequence, the tools used to mine the data they provide are even younger.
One paragraph on other flow-based technologies.
Industrial networks have often grown organically, both in their topologies and in the technologies they use. Historically, industrial network topologies were composed of well-separated components with little or no interaction with other networks. This separation in effect created islands within the system and provided a kind of security through isolation. The various proprietary network and bus protocols in use prevented the different systems from communicating with each other by default, which also limited the risks associated with an open network.
Internet-based technologies (footnote: by Internet-based technologies we mean the use of the TCP/IP model and of application protocols often defined or standardised by the IETF) were introduced in the industrial sector to improve the efficiency and interoperability of components. But the security process is sometimes neglected, and the ease of building interoperable components creates new security and safety risks (ref: www.hse.gov.uk/research/crr_pdf/2002/crr02408.pdf - Safety implications of industrial uses of internet technology). Flow-based IP traffic measurement plays an important role here by bringing new tools and processes to a highly connected environment.
Telecom side (industrial side + larger risks, volume of data to analyse, growing/unstable networks, dependence on interaction with others)…
-→ a satellite operator often plays in both fields: industrial and telecom. It is understood that the two fields are often not linked, but it is generally accepted that, as a company-wide process, they can be cross-linked from an operational-interdependency perspective (e.g. in a satellite operator's network, telemetry data from the satellites is needed in order to provide Internet connectivity in the other services).
A demonstration of the empirical approach.
The use of nfdump (why? background on nfdump; ref: RIPE presentation slides).
The use of time-sliced storage, the nfdump data storage structure: the collector (nfcapd) writes one file per collection interval (5 minutes by default), so a query over a time window only has to open the files of that window.
The use of nfsen (why? nfsen is the web front end on top of the nfdump files, adding time-series graphs and persistent profiles/filters).
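The cartography step described in the abstract (classify nodes and application behaviour from flow records) and the time-sliced storage note above are illustrated by the following added example. It is not code from the paper, from nfdump or from nfsen: it assumes flows have been exported from nfdump with `-o csv` and reduced to the columns ts,te,sa,da,sp,dp,pr,ipkt,ibyt (the real export has more fields), the sample records are constructed, and the DOCUMENTED allow-list and the hypothetical "port 9876" application are assumptions. The server/client heuristic is the one a practitioner actually uses on flow data: a (host, protocol, port) triple contacted by several distinct sources is a listening service, whereas the reverse half of each conversation lands on a client's ephemeral port and is reached by exactly one peer.

```python
"""Flow-based network cartography: derive a host/service inventory from
flow records. Added example, not code from the paper or from nfdump/nfsen.

Assumption: flows come from `nfdump -o csv`-style output reduced to the
columns ts,te,sa,da,sp,dp,pr,ipkt,ibyt (the real export has more fields).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows (not real traffic). Each line is one unidirectional
# flow record as a collector would export it. 10.0.3.7 TCP/9876 stands for an
# assumed undocumented dynamic-port application.
SAMPLE_FLOWS = """\
ts,te,sa,da,sp,dp,pr,ipkt,ibyt
2009-03-02 10:00:01,2009-03-02 10:00:03,10.0.1.11,10.0.2.5,51234,22,TCP,12,1800
2009-03-02 10:00:05,2009-03-02 10:00:06,10.0.1.12,10.0.2.5,40211,22,TCP,9,1400
2009-03-02 10:01:10,2009-03-02 10:01:11,10.0.2.5,10.0.1.11,22,51234,TCP,10,2600
2009-03-02 10:02:00,2009-03-02 10:02:30,10.0.1.11,10.0.3.7,45001,9876,TCP,200,150000
2009-03-02 10:02:01,2009-03-02 10:02:31,10.0.1.12,10.0.3.7,45002,9876,TCP,180,140000
2009-03-02 10:02:02,2009-03-02 10:02:33,10.0.1.13,10.0.3.7,45003,9876,TCP,190,145000
2009-03-02 10:06:00,2009-03-02 10:06:01,10.0.1.11,10.0.2.9,53001,53,UDP,1,80
2009-03-02 10:06:02,2009-03-02 10:06:03,10.0.1.13,10.0.2.9,53002,53,UDP,1,80
2009-03-02 10:07:00,2009-03-02 10:07:05,10.0.1.11,10.0.3.7,45010,9876,TCP,50,40000
"""

# Assumed allow-list of documented services: (host, protocol, port).
DOCUMENTED = {("10.0.2.5", "TCP", 22), ("10.0.2.9", "UDP", 53)}


def parse_flows(text):
    """Parse CSV flow records into dicts with integer ports and counters."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for field in ("sp", "dp", "ipkt", "ibyt"):
            row[field] = int(row[field])
        rows.append(row)
    return rows


def build_inventory(flows, min_clients=2):
    """Infer listening services: a (dst host, proto, dst port) triple that
    receives flows from at least `min_clients` distinct sources. The threshold
    drops the reverse half of a conversation, whose 'dst port' is only the
    client's ephemeral port and is contacted by a single peer."""
    clients = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        key = (f["da"], f["pr"], f["dp"])
        clients[key].add(f["sa"])
        volume[key] += f["ibyt"]
    return {
        key: {"clients": sorted(peers), "bytes": volume[key]}
        for key, peers in clients.items()
        if len(peers) >= min_clients
    }


def classify_hosts(flows, inventory):
    """Label every host seen in the flows: 'server' if it offers at least one
    inferred service, otherwise 'client'."""
    servers = {host for host, _proto, _port in inventory}
    hosts = {f["sa"] for f in flows} | {f["da"] for f in flows}
    return {h: ("server" if h in servers else "client") for h in sorted(hosts)}


def find_undocumented(inventory, documented):
    """Services observed on the wire but absent from the documented
    inventory: the byzantine, dynamic-port applications to investigate."""
    return sorted(key for key in inventory if key not in documented)


def time_slice(ts, slice_seconds=300):
    """Floor a timestamp to the start of its slice (nfdump keeps flows in
    per-interval files; 5 minutes is the usual interval)."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    secs = dt.hour * 3600 + dt.minute * 60 + dt.second
    start = dt.replace(hour=0, minute=0, second=0)
    start += timedelta(seconds=secs - secs % slice_seconds)
    return start.strftime("%Y-%m-%d %H:%M:%S")


def active_slices(flows, service, slice_seconds=300):
    """Time slices in which a (host, proto, port) service saw traffic; this
    separates a permanent daemon from a scheduled batch transfer."""
    return sorted({
        time_slice(f["ts"], slice_seconds)
        for f in flows
        if (f["da"], f["pr"], f["dp"]) == service
    })


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    inventory = build_inventory(flows)
    for key, info in sorted(inventory.items()):
        print(f"{key[0]} {key[1]}/{key[2]}: {len(info['clients'])} clients, "
              f"{info['bytes']} bytes, active {active_slices(flows, key)}")
    print("roles:", classify_hosts(flows, inventory))
    print("undocumented:", find_undocumented(inventory, DOCUMENTED))
```

On the sample data the SSH and DNS services are recovered, the reverse SSH flow towards 10.0.1.11:51234 is correctly not reported as a service, and 10.0.3.7 TCP/9876 shows up as an undocumented service active in two 5-minute slices. The `min_clients` threshold is the main tuning knob: too low and ephemeral ports leak into the inventory, too high and single-client services (a telemetry feed consumed by one host) disappear, so the threshold should be cross-checked against the documented list rather than trusted blindly.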