Monitoring with FlowMon Probes - cesnet

Monitoring with FlowMon ProbesJiří Tobola, tobola@invea.czPetr Špringl, springl@invea.cz

Agenda●●●●●INVEA-TECH Introductionfrom academic project to commercial companyFlowMon Solution IntroductionFlowMon Probeswhat is it? how can be used?Customization of FlowMon Probes - Community Programhow can I use it for my special purposes?Examples of FlowMon plugins24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 2/28

Introduction● University spin-off company founded in June 2007●●Follow up to R&D on CESNET and universitiesTechnology transfer from CESNET to INVEA-TECH●●The foundersprivate personsUNIS technology partnerMasaryk UniversityBrno University of TechnologyThe main activitiesnetwork monitoring and securityhigh-speed network applicationprogrammable hardware24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 3/28

How it began...●●●●●CESNET started activities with programmable hardware in2002 - project LiberouterCooperation with Masaryk University and Brno University ofTechnologyTargets:acceleration of high-speed network application (IPv6 router)usage of programmable hardwaredevelopment of hardware accelerators COMBO based on FPGAtechnology for acceleration of critical tasks in data processingParticipation on EU project 6NET (IST-2001-32063)Continuous growth and formation of strong R&D team inarea of programmable hardware and high-speed networkapplication24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 4/28

...continues...●●●Successful end of 6NET projectCooperation on next EU projectsSCAMPI (IST-2001-32404)2002 – 2005, network monitoring of 10Gbps linesjoining to project in 2003 instead of commercial partnersfunctional prototype developed, successful reviewrecommendation – commercialize outputs in practice● GEÁNT2 (contract No. 511082)cooperation of 26 NRENs from 34 countriesactivity JRA2 – focus on network securityfunctional prototype of HW accelerated NetFlow probe - FlowMonfinal recommendation – monitor network by the NetFlow probeGEÁNT2 Security Toolset – FlowMon Probes & NfSen collector24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 5/28

...ended, and began●●June 2007 – INVEA-TECH was establishedTechnology transfer from CESNET to INVEA-TECHhard to find right modelfirst technology transfer from CESNET●INVEA-TECHlong way from prototype to productclose cooperation with academic area (CESNET, Czech andabroad universities, EU project Demons)24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 6/28

Products Portfolio●●Network solutions / appliancesFlowMon – flagship product, network traffic monitoring & securitysolution for all networks from 10 Mbps to 10 Gbps (flow based)NIFIC – appliance for wire speed packet filtering and forwardingon 10Gbps networksFPGA solutions / developmentCOMBO FPGA Boards - powerful PCI Express FPGA cards fornetwork applications accelerationNetCOPE Development Platform - FPGA platform for rapiddevelopment of your own hardware accelerated network solutionsTurnkey solutions24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 7/28

FlowMon●●●●Network monitoring solution using IP flowsBased on NetFlow v5/v9 and IPFIX technologyProvides information about who communicates with whom,how long, what protocol, traffic volume and moreIn the beginningprovided HW accelerated FlowMon Probes for 10Gbps networksbut it wasn't enough for customersso we “downgraded” and started to provide FlowMon Probes for1Gbps and 100Mbps networks for convenient priceand we integrated NfSen collector to each FlowMon Probe andstarted to provide also NfSen collector application as standaloneappliance24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 8/28

FlowMon Architecture●●●Passive standalone FlowMon Probes - source of networkstatistics - NetFlow / IPFIX dataFlow data collectors for visualization and evaluation ofnetwork statistics - based on NfSen collector applicationPlugins - additional functionality (NBA, security, reporting)24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 9/28

FlowMon Collector●●●Longterm storage of NetFlow statistics from multiple probesStand-alone server with NfSen collector applicationtuned and optimized NfSenmaintenance-free appliance (regular update packages)easy configurationProfessional solution for mid-size and large networksRAID, redundant power etcHDD capacity from 1TB up to 200TB24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 10/28

FlowMon Plugins●●Added functionality for FlowMon Probes/CollectorsIntegration to the FlowMon appliance web interfaceNBA (Network Behavior Analysis) system for anomaly andsuspicious behavior detectionintelligent reporting system – FlowMon ReporterSNMP-based monitoring systems – ZabbixURL logging, NAT detection and more24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 11/28

FlowMon Probe●●●●●●●High-performance standalone probe - source of IP flowrecords in NetFlow v5,9 and IPFIX formatL2/L3 invisible device - transparent for monitored networkStandard and hardware accelerated modelsRemote configuration via a user-friendly web GUI10/100/1000 Ethernet, 10 GE, IPv4, IPv6, MPLS, VLANMaintenance-free appliance with simple configurationBuilt-in collector for quick technology evaluation24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 12/28

Standard Model●●Compact rack mount (1U) NetFlow probesSuitable for most of the standard networks - performancemore than 500 000 packets per second for 1GE port, morethan 1.5 Mpps for 10GE port● FlowMon Probe 100/1000/2000/4000/6000/10000/20000models with copper, fiber or SFP/SFP+ interfaces●2x 10Gbps or up to 6x 10/100/1000 monitoring portsand 1 management port24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 13/28

Hardware-accelerated Model●●●●●●●Programmable hardware technology (FPGA)High-Speed class leaderWire-speed guaranteed - every packet is processedPerformance 15 million packets per secondSuitable for large networks and backbone linksFlowMon Probe 4000 Pro and 20000 Pro models2x 10Gbps or 4x 10/100/1000 monitoring interfaces24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 14/28

FlowMon Probe Web GUI●●●●User-friendly web interface with secure access (https)Probe parameters settings – FCCVisualization of statistics on built-in collector - FMCCommunication via the management port of the probe24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 15/28

FlowMon Config. Center●●Configuration and management of the probeNetFlow Exporters settings, users management etc.24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 16/28

FlowMon Monitoring Center●●●●●Built-in collector for NetFlow data storage and visualizationGraphs, tables and form for further data processingTop N statistics (users, sites, services)Predefined set of profiles (views) for standard protocolsUser defined profiles (based on IP address or ports)24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 17/28

FlowMon Probes Benefits●●●●●Suitable for any networkDo not affect the monitored networkHigher performance (against switches/routers)Higher flexibilityPossibility to customize monitoring process - Communityprogram24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 18/28

FlowMon - Community Program●●●Targetenable customers to make program changes to FlowMon solutiondon't provide closed NetFlow based solution, but also providepossibilities to use it for further R&D in area of traffic monitoring,customize according to needscooperation with new academic partnersOpen to any applicantjust ask for joining and get update package to FlowMon appliance(open the API)Main benefitsjoin to community around FlowMon solutionaccess to all plugins developed in the Community programknowledge base, share experience, discussions...24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 19/28

FlowMon - Community Program●●What can be customized?Collecting and analyzing partrealized through plugins to NfSen applicationusage of NfSen APIplugin examples – botnet detection, traffic visualization, detectionof traffic baseline deviation...24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 20/28

FlowMon - Community Program●Monitoring and exporting partFlowMon exporter provide API for users plugins which can directlyinfluence process of monitoring, generation and export of flow dataInput plugins – packets parsing, processing and storing to internalstructures (e.g. packet payloads storage, key fields)Application plugins – computations over the flow data (e.g.interpacket gaps, jitters)Output plugins – data storing and export to collector (e.g. customdata export to various formats)and combination of all above - e.g. VoIP traffic statisticsmeasurement (jitter, latency, drops, etc.), application detection24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 21/28

FlowMon - Community Program●●University of TwenteSURFmap plugin (http://sourceforge.net/p/surfmap/home/Home/)plugin to NfSen applicationadds a geographical dimension to network trafficbased on the Google Maps API24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 22/28

FlowMon - Community Program24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 23/28

FlowMon - Community Program● University of Twente for SURFnet (Research on Network 2011)●Monitoring Ethernet Networks Using IPFIXexporter plugin which enables to monitor Ethernet network (NGE)probes monitor traffic at Ethernet-layer and use a modified processof flow creation (SRC and DST MAC, VLAN ID and Ethernet typeare used as key-fields; non key-fields are Ethernet header length,ethernet payload length, etc.)measured statistics are exported to IPFIX collector for storage andanalysisprovide an overview of all the traffic protocols operating on top ofEthernet (ARP, LLDP, STP, Novell IPX, ...)24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 24/28

FlowMon - Community Program●●Masaryk UniversityTraffic measurement and analysis of Building Automation and ControlNetworks (http://dior.ics.muni.cz/~celeda/bacnet/index.html)flow-based monitoring for special networks (BMS - BuildingManagement Systems networks, SCADA - Supervisory ControlAnd Data Acquisition networks)24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 25/28

FlowMon - Community Programavailable as a plugin to FlowMon exporterBACnetFlow (SRC and DST MAC, VLAN ID, DNET, DADR, SNET,SADR.... are used as key-fields; non key-fields are Hop Count,Message Type, Timestamp etc.)24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 26/28

Summary●●●●FlowMon Probes provide data flows monitoringSuitable for any network (no need to have NetFlow-ready devices)Can be used for network operational monitoringto know what is happening in the networkmanagement, troubleshooting, optimization and securityCan be used for further R&D in area of flow monitoring andsecurity - Community program24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 27/28

ContactsHigh-Speed Networking Technology PartnerPetr Springlspringl@invea.cz+420 511 205 252INVEA-TECH a.s.U Vodárny 2965/2616 00 Brno, CZEwww.invea-tech.com24.4.2012 Monitoring with FlowMon Probes © INVEA-TECH 28/28