Definition

Network traffic measurement is the process of measuring the amount and type of traffic on a particular network. This is especially important with regard to effective bandwidth management.

Network monitoring describes the use of a system that constantly monitors a computer network for slow or failing systems and that notifies the network administrator in case of outages via email, pager or other alarms. It is a subset of the functions involved in network management.
Motivation

Needs of customers:
- Want to get their money's worth
- Fast, reliable, high-quality, secure, virus-free Internet access
Application

- Network Problem Determination and Analysis
- Traffic Report Generation
- Intrusion & Hacking Attack (e.g., DoS, DDoS) Detection
- Service Level Monitoring (SLM)
- Network Planning
- Usage-based Billing
- Customer Relationship Management (CRM)
- Marketing
[Figure: traffic monitoring pipeline. Packets (header + payload) enter at the observation point (TCPdump), pass through packet capturing, filtering and sampling, are stored as flow records, and then feed analysis, visualization (FlowScan) and display (Ethereal).]
Problems

Capturing packets:
- High-speed networks (Mbps -> Gbps -> Tbps)
- High-volume traffic
- Streaming media (Windows Media, Real Media, Quicktime)
- P2P traffic
- Network security attacks
- What packet information to save to perform the various analyses? How to minimize storage requirements?

Analysis:
- How to analyze and generate the needed data quickly?
- What kinds of info need to be generated? -- Depends on the applications
Goals

- Capture all packets
- Generate flows
- Store flows efficiently
- Analyze data efficiently
- Generate various reports or information suitable for various application areas

Develop a flexible, scalable traffic monitoring and analysis system for high-speed, high-volume, rich-media IP networks.
[Figure: performance metrics. Availability (connectivity, functionality); Loss (one-way loss, round-trip loss); Utilization (bandwidth, throughput).]
Availability: the percentage of a specified time interval during which the system was available for normal use.
- Connectivity: the physical connectivity of network elements.
- Functionality: whether the associated system works well or not.

Latency: the time taken for a packet to travel from one host to another.
- Round Trip Delay = forward transport delay + server delay + backward transport delay
- Ping is still the most commonly used tool to measure latency.

Link utilization over a specified interval is simply the throughput for the link expressed as a percentage of the access rate.
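As an added example (not code from the original slides), the following Python model ties together the Goals above (capture packets, generate flows, store them efficiently) and the link utilization definition: packets are filtered, optionally sampled, aggregated into 5-tuple flow records that are far smaller than the raw packets, and the byte total over an interval is converted into a utilization percentage. The packet records, addresses, interval and access rate are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed packet records standing in for what a capture tool such as tcpdump
# would deliver: (timestamp_s, src, dst, proto, sport, dport, length_bytes).
# Addresses and sizes are made up for this example.
PACKETS = [
    (0.00, "10.0.0.5", "192.0.2.10", "tcp", 40001, 80, 1500),
    (0.01, "10.0.0.5", "192.0.2.10", "tcp", 40001, 80, 1500),
    (0.02, "192.0.2.10", "10.0.0.5", "tcp", 80, 40001, 60),
    (0.50, "10.0.0.7", "192.0.2.20", "udp", 5353, 53, 90),
    (0.90, "10.0.0.5", "192.0.2.10", "tcp", 40001, 80, 1500),
    (1.20, "10.0.0.9", "192.0.2.30", "icmp", 0, 0, 84),
    (1.30, "10.0.0.7", "192.0.2.20", "udp", 5353, 53, 90),
]


@dataclass
class Flow:
    """Compact flow record: the 5-tuple plus counters, instead of full payloads."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


def matches_filter(pkt, proto=None, port=None):
    """Keep only packets of the given protocol and/or port (None means 'any')."""
    _, _, _, p, sport, dport, _ = pkt
    if proto is not None and p != proto:
        return False
    if port is not None and port not in (sport, dport):
        return False
    return True


def sample(packets, every_n):
    """Deterministic 1-in-N packet sampling, one way to cope with high-volume links."""
    return [pkt for i, pkt in enumerate(packets) if i % every_n == 0]


def generate_flows(packets):
    """Aggregate packets into unidirectional flows keyed by the 5-tuple."""
    flows = {}
    for ts, src, dst, proto, sport, dport, length in packets:
        key = (src, dst, proto, sport, dport)
        flow = flows.get(key)
        if flow is None:
            flow = Flow(src, dst, proto, sport, dport, ts, ts)
            flows[key] = flow
        flow.last_seen = ts
        flow.packets += 1
        flow.octets += length
    return flows


def link_utilization(flows, interval_s, access_rate_bps):
    """Throughput over the interval, expressed as a percentage of the access rate."""
    total_bits = 8 * sum(flow.octets for flow in flows.values())
    throughput_bps = total_bits / interval_s
    return 100.0 * throughput_bps / access_rate_bps


if __name__ == "__main__":
    flows = generate_flows(PACKETS)
    for key, flow in flows.items():
        print(key, flow.packets, "pkts", flow.octets, "bytes")
    # Assumed 1 Mbit/s access rate over a 2 s observation interval.
    print("utilization: %.4f%%" % link_utilization(flows, 2.0, 1_000_000))
```

Seven packets collapse into four flow records; the filter and sampler run before aggregation, which is where the storage saving on a high-speed link comes from, at the cost of exact byte counts when sampling is enabled.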
Monitoring Method

Active monitoring / Passive monitoring

Active Monitoring
- Imposes extra traffic on the network and distorts its behavior in the process
- Test packets can be blocked by firewalls or processed at low priority by routers
- Mainly used to monitor network performance
Passive Monitoring
- EPM
- The ping program
- SNMP servers
- IBM AURORA Network Performance Profiling System
- Intellipool Network Monitor
- Jumpnode
- Microsoft Network Monitor 3
- MRTG
- Nagios (formerly Netsaint)
- Netdisco
- NetQoS
- NetXMS - Scalable network and application monitoring system
- Opennms
- PRTG
- Pandora (Free Monitoring System) - Network and Application Monitoring System
- PIKT
- RANCID - monitors router/switch configuration changes
- RRDtool
- siNMs by Siemens
- SysOrb Server & Network Monitoring System
- Sentinet3 - Network and Systems Monitoring Appliance
- ServersCheck Monitoring Software
- Cacti network graphing solution
- Zabbix - Network and Application Monitoring System
- Zenoss - Network and Systems Monitoring Platform
- Level Platforms - Software support for network monitoring
Attack detection and analysis
- Detecting (high-volume) traffic patterns
- Investigation of the origin of attacks

Intrusion detection
- Detecting unexpected or illegal packets

An intrusion detection system (IDS) generally detects unwanted manipulations of computer systems, mainly through the Internet. The manipulations may take the form of attacks by crackers.

Types of intrusion detection system:
- Network intrusion detection system
- Protocol-based intrusion detection system
- Application protocol-based intrusion detection system
- Host-based intrusion detection system
- Hybrid intrusion detection system
Our problem

The three parts of network security are comparatively isolated from each other. Can there be a closer combination of them? A dynamic scheme between detection and prevention.

Our idea

An alert-level system. Example: as the results from the NIDS become more similar to some attack pattern, the alert level of the network gradually increases and prevention is strengthened.
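To make the alert-level idea concrete, here is an added Python sketch (not the authors' implementation) of the detection-to-prevention coupling: each time window gets a similarity score against the high-volume single-source pattern mentioned under attack detection, the alert level moves one step at a time with hysteresis so it rises gradually and decays once traffic normalizes, and each level maps to a progressively stronger prevention action. The per-window packet counts, the baseline and saturation thresholds, the level count and the action names are all constructed for the example.

```python
# Constructed NIDS observations: packets seen from the single busiest source in
# each 1-second window. The values are made up to show a DoS-like ramp-up and
# the return to normal afterwards.
WINDOWS = [50, 60, 400, 1500, 4000, 4500, 4800, 60, 55, 50]

MAX_LEVEL = 4

# Prevention grows stronger with the alert level (assumed policy for the example).
PREVENTION = {
    0: "monitor only",
    1: "log event and alert operator",
    2: "rate-limit the suspect source",
    3: "block the suspect source at the border",
    4: "block and request upstream filtering",
}


def attack_similarity(top_source_pkts, baseline_pkts=60, saturate_pkts=4000):
    """Score in [0, 1]: how closely a window resembles a high-volume single-source
    pattern. At or below the assumed baseline the score is 0; at the assumed
    saturation rate (or above) it is 1; in between it scales linearly."""
    if top_source_pkts <= baseline_pkts:
        return 0.0
    score = (top_source_pkts - baseline_pkts) / (saturate_pkts - baseline_pkts)
    return min(score, 1.0)


def next_level(level, similarity, raise_at=0.5, clear_below=0.2):
    """Move the alert level one step at a time. The gap between raise_at and
    clear_below is hysteresis: a score in that band holds the current level, so
    the system neither flaps nor jumps straight to the strongest response."""
    if similarity >= raise_at:
        return min(level + 1, MAX_LEVEL)
    if similarity < clear_below:
        return max(level - 1, 0)
    return level


def run_alert_system(windows):
    """Feed each window's NIDS score through the alert-level state machine.
    Returns one (similarity, level, prevention action) tuple per window."""
    level = 0
    trace = []
    for top_source_pkts in windows:
        sim = attack_similarity(top_source_pkts)
        level = next_level(level, sim)
        trace.append((round(sim, 3), level, PREVENTION[level]))
    return trace


if __name__ == "__main__":
    for window, (sim, level, action) in zip(WINDOWS, run_alert_system(WINDOWS)):
        print(f"{window:5d} pkts  similarity={sim:.3f}  level={level}  -> {action}")
```

With the constructed input the level trajectory is 0, 0, 0, 0, 1, 2, 3, 2, 1, 0: the early ramp (400 and 1500 packets) is noticed but does not by itself trigger blocking, three consecutive saturated windows escalate to a border block, and the level steps back down as the source quiets, which is the "dynamic scheme between detection and prevention" the slide asks for.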