NetFlow and NBAR, November 2003 © 2003 Cisco Systems, Inc. All rights reserved.

NETFLOW & NETWORK-BASED APPLICATION RECOGNITION

ITD PRODUCT MANAGEMENT

NOVEMBER 2003


Overview of NetFlow and Network-Based Application Recognition

• NetFlow
  Pioneering IP accounting technology
  Invented and patented by Cisco
  IETF export standard

• Network-Based Application Recognition (NBAR)
  Intelligent application recognition
  Analyzes and identifies application traffic in real time


NetFlow and NBAR Benefit Footprints

(Figure: benefits plotted across four deployment footprints: Enterprise Backbone, Enterprise Premise Edge, Service Provider Aggregation Edge, Service Provider Core.)

NetFlow

• User (IP) monitoring
• Application monitoring
• Traffic analysis
• Attack mitigation
• Chargeback billing

• Attack mitigation
• Billing
• AS peer monitoring
• Traffic engineering
• Network planning

NBAR

• Application classification
• Precise Quality of Service (QoS) treatment
• Application statistics for bandwidth provisioning
  Top-n views
  Threshold settings
• Mapping applications to an SP's service offering


NetFlow and NBAR Benefit Footprints

(Figure: supported platforms plotted across the same four footprints: Enterprise Backbone, Enterprise Premise Edge, Service Provider Aggregation Edge, Service Provider Core. Each footprint column lists its own platforms, so entries repeat below.)

NetFlow

• Cisco Catalyst 4500, 5000, 6500, 7600 Series ASIC
• Cisco Catalyst 5000, 6500 Series HW acceleration
• Cisco Catalyst 4500 Series ASIC
• Cisco 7100, 7200, 7300, 7500 Series
• Cisco AS5300, AS5400, AS5800 Series
• Cisco 830, 1400, 1700, 2600, 3600, and 3700 Series
• Cisco Catalyst 4500, 5000, 6500 Series; Cisco 7600 Series ASIC
• Cisco 7100, 7200, 7300, 7500 Series
• Cisco AS5300 and AS5800 Series
• Cisco MGX8000 Series
• Cisco 10000 and 12000 Series Internet Routers ASIC
• Cisco Catalyst 5000 and 6500 Series; Cisco 7600 Series ASIC
• Cisco 7500 Series

NBAR

• Cisco Catalyst 6500 and 7600 Series MSFC (ASIC planned)
• Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM (ASIC planned)
• Cisco 7100, 7200, and 7500 Series
• Cisco 830, 1400, 1700, 2600, 3600, and 3700 Series
• Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM (ASIC planned)
• Cisco 7100, 7200, and 7500 Series
• Cisco Catalyst 6500 and 7600 Series FlexWAN, MWAM (ASIC planned)
• Cisco 7500 Series


NetFlow and NBAR: Main Objectives and Benefits

Main Objective | Main Benefit

NetFlow
Flow characterization | Which users utilize the network; what types of traffic; when the network is utilized; where the traffic goes
Network usage | IP accounting and billing technology
Capacity planning, traffic engineering, peering | Traffic and routing information analysis
Data export | Persistent network usage record

NBAR
Identify and classify traffic based on payload attributes and protocol characteristics | Optimize application performance via QoS; validation or reclassification of ToS marking based on packet inspection


NetFlow and NBAR: Additional Objectives and Benefits

Main Objective | Side Benefits

NetFlow
Flow characterization | DDoS and worm detection
Network usage | Capacity planning and traffic engineering
Billing | Permanent record of network activity
Capacity, traffic engineering, peering | Optimized Edge Routing (OER)
Data export | IETF IPFIX WG standard and NetFlow v9 flexible, extensible format

NBAR
Identify and classify traffic based on payload attributes and protocol characteristics | Detection and dropping/limiting of undesired traffic (peer-to-peer file sharing, worms, ...); application statistics for bandwidth provisioning


Uniqueness and Strengths of NetFlow and NBAR

NetFlow

• IPv6, MPLS, Multicast, BGP next-hop (NH) technology integration
• Billing, capacity planning, traffic engineering
• Internet access monitoring: peering and traffic
• IETF standard for data sampling and export
• Security: DDoS monitoring tool
• Flow timers, timing of network traffic types
• Who, what, where, when in the network
• Large NMS partner community and open source tools

NBAR

• Deep and stateful packet inspection
• Protocol discovery with application statistics
• Enables precise classification and QoS treatment
• Pre-defined protocol and application recognition
• User-defined custom application classification
• New application signatures without software upgrade
• Integration with IP services (QoS, NAT, Firewall, IDS)


NetFlow and NBAR Differentiation

(Figure: a data packet broken into Link Layer Header, IP Header, TCP/UDP Header and payload. NetFlow keys flows on the Interface, Source IP Address, Destination IP Address, Protocol, TOS, Source Port and Destination Port fields; NBAR additionally performs Deep Packet (Payload) Inspection.)

NetFlow and NBAR both leverage Layer 3 and 4 header information.

NetFlow
• Monitors data in Layers 2 through 4
• Determines applications by port
• Utilizes a 7-tuple for flow

NBAR
• Examines data from Layers 3 through 7
• Uses Layers 3 and 4 plus packet inspection for classification
• Stateful inspection of dynamic-port traffic

NetFlow and NBAR Useful for Security

Flow information is useful against attacks

• NetFlow mitigates attacks
  Identify the attack
    Count the flows
    Inactive flows signal a worm attack
  Classify the attack
    Small-size flows to the same destination
    What is being attacked and the origination of the attack
• NetFlow security partners: Arbor Networks, Mazu, Adlex
• Cisco IT prevented SQL Slammer at Cisco by watching flows per port

• Signature-based detection
• Not historically a main focus for NBAR
  Real-time loadable PDLMs could provide a rapid-update mechanism for new signatures
  Not staffed to react against malicious applications
• NBAR can detect worms based on payload signatures
  Nimda
  Code Red
  Slammer
• Cisco PSIRT provided customers with an NBAR solution to combat Code Red and Nimda
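As an added example (not from the Cisco deck), the following Python aggregates constructed flow records keyed by the 7-tuple of the previous slide and applies this slide's heuristics: counting flows per port, spotting small flows converging on one destination, and spotting one source fanning out on one port. The packet cut-off, thresholds and sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# One flow record keyed by the NetFlow 7-tuple (source/destination IP, source/
# destination port, protocol, ToS, input interface) plus packet and byte counters.
@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int      # 6 = TCP, 17 = UDP
    tos: int
    ifindex: int
    packets: int
    octets: int

SMALL_FLOW_PACKETS = 2   # assumed cut-off for a "small size flow"

def flows_per_port(flows):
    """Flow count per (protocol, destination port): the 'flows per port' view."""
    counts = defaultdict(int)
    for f in flows:
        counts[(f.proto, f.dst_port)] += 1
    return dict(counts)

def small_flows_to_same_destination(flows, min_sources=3):
    """Destinations hit by small flows from many sources: what is attacked, and by whom."""
    sources = defaultdict(set)
    for f in flows:
        if f.packets <= SMALL_FLOW_PACKETS:
            sources[f.dst_ip].add(f.src_ip)
    return {d: sorted(s) for d, s in sources.items() if len(s) >= min_sources}

def worm_fan_out(flows, min_targets=5):
    """Sources sending small flows to many destinations on one port (worm scanning)."""
    targets = defaultdict(set)
    for f in flows:
        if f.packets <= SMALL_FLOW_PACKETS:
            targets[(f.src_ip, f.proto, f.dst_port)].add(f.dst_ip)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}

# Constructed sample records: two normal sessions, six one-packet flows from
# different hosts to one web server, and one host probing eight addresses on
# UDP/1434 (the port Slammer used) with single-packet flows.
SAMPLE = [Flow("10.1.1.10", "10.0.0.5", 40001, 80, 6, 0, 1, 40, 31000),   # HTTP session
          Flow("10.1.1.11", "10.0.0.53", 5353, 53, 17, 0, 1, 2, 150)]     # DNS lookup
SAMPLE += [Flow(f"192.0.2.{i}", "10.0.0.5", 1024 + i, 80, 6, 0, 2, 1, 60) for i in range(1, 7)]
SAMPLE += [Flow("10.1.1.99", f"10.2.{i}.1", 3000, 1434, 17, 0, 1, 1, 404) for i in range(1, 9)]
```

Run against the sample, the per-port view shows eight flows on UDP/1434 from a single source, and the destination view names 10.0.0.5 together with the six hosts sending to it.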


Summary of Benefits

NBAR

• Deep and stateful packet inspection
  Protocol and application discovery
    Standard protocols
    Corporate applications (Citrix, ...)
    Undesired traffic (peer-to-peer, worms, ...)
• Real-time PDLM signature update

NetFlow

• Internet access monitoring
  Protocol distribution
  Where traffic is going / coming from
• User monitoring
• Application monitoring
• Accounting and billing
• DDoS monitoring
• Peering arrangements
• Network planning
• Traffic engineering
