NANOG36-NOTES 2006.02.14 talk 2 Netflow Visualization Tools
Vicky Røde
vickyr at socal.rr.com
Wed Feb 15 04:13:08 UTC 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
thanks for taking notes.
comments in-line:
Matthew Petach wrote:
> 2006.02.14 talk 2 Netflow tools
>
> Bill Yurcik
> byurcik at ncsa.uiuc.edu
>
> NVisionIP and VisFlowConnect-IP
>
> probably a dozen tools out there, this is just
> two of them. Concenses is there's something to
> this.
>
> They're an edge network, comes into ISP domain,
> their tools are used by entities with many
> subnet blocks.
>
> Overview
> Project Motifivation
> Netflows for Security
> Two visualization tools
> NVisionIP
> VisFlowConnect-IP
> Summary
>
> Internet Security:
> N-Dimensional Work Space
>
> large--already lots of data to process
> complex--combinatorics explode quickly
> time dynamics--things can change quickly!
> Visualizations can help!
> in near-realtime
> overview-browse-details on demand
>
> People are wired to do near-realtime processing
> of visual information, so that's a good way to
> present information for humans.
> HCI says use overview-browse-details paradigm.
>
> Netflows for security
> can identify connection-oriented stats to see
> things like attacks, DoS, DDoS, etc.
> Most people don't use the data portion of the
> flow field, the first 64 bytes, they just look
> at header info or aggregated flow records.
>
> Can spot how many users are on your system at
> a given time, to schedule upgrades.
>
> Who are your top talkers?
>
> How long do my users surf? What are people using
> the network for?
>
> Where do users go? Where did they come from?
>
> Are users following the security policy?
>
> What are the top N destination ports?
> Is there traffic to vulnerable hosts?
>
> Can you identify and block scanners/bad guys?
>
> This doesn't replace other systems like syslog, etc.;
> it integrates and works alongside them.
>
> architecture slide for NCSA.
>
> Can't really do sampled view for security, so probably
> need distributed flow collector farm to get all the
> raw data safely.
>
> Two visualization tools:
> NVisionIP, VisFlowConnect-IP
>
> focus on quick overview of tools
> security.ncsa.uiuc.edu/
>
> 3 level hierarchical tool;
> galaxy view (small multiple view) ((machine view))
>
> Galaxy is overview of the whole network.
> color and shape of dots is each host in a network.
> settable parameters for each dot.
>
> Animated toolbar and clock show changes over time
> in the galaxy.
> Lets you get high-level content quickly and easily.
>
> Domain view lets you drill in a bit more; small
> multiple view looks at the traffic within the
> block.
> upper histogram is lower, well known ports; lower
> histogram is ports over 1024
>
> You can click on a given multiple view entry to
> delve into one machine.
> Many graphs for each machine in the most detailed
> view.
>
> well known ports first, then rest of ports (sorted)
> then source and destination traffic broken out.
>
> Designed for class Bs.
>
> http://security.ncsa.uiuc.edu/distribution/VisFlowConnectDownload.html
>
> 3 vertical lines, comes from edge network perspective;
> middle line is edge network to manage. You set range
> of networks you care about. Outside lines are people
> sourcing or sinking traffic to you, from outside
> domains.
>
> There's a time axis, traffic only shown for the slice
> of time currently under consideration.
> Uses VCR-like controls to move time forward/backward
>
> Lets you see traffic/interactivity, drill into that
> domain, see host level connectivity flows.
>
> Shows MS Blaster virus traffic as an example.
>
> Example 2, a scan example. Just because it looks
> like one IP hitting many others doesn't mean it's
> really a security incident, though; could be a
> cluster getting traffic.
>
> web crawlers hitting NCSA web servers make for
> a very charateristic pattern over time.
>
> Summary
> Netflows analysis is non-trivial,
>
> NVisionIP
> VisFlowConnect-IP
>
> lots of references listed in very fine blue font.
>
> http://security.ncsa.uiuc.edu/distribution/NVisionIPDownload
>
> Avi Freedman, Akamai, Argus was mentioned a lot; it
> lets you grab symmetric netflows, but also does TCP
> analysis, shows some performance data as well. not
> sure if people are studying the impact of correlating
> argus data with flow data.
>
> Roland Douta? of Cisco; many people are using netflow
> to track security issues. They now have ingress and
> egress flow data on many of their platforms.
> In reading paper describing it, there's data conversion
> that needs to happen into an internal format that
> nVision can understand. It reads log files at the
> moment, takes about 5 minutes to process files. Lets
> them take different file data sources, make the tool
> for visualization independent of the input format.
> They can read large files, but there is a performance
> hit when doing it.
> Are they planning on doing further work on the tool
> to collect TCP flags, for frags, drop traffic, etc?
> They've looked at it, but they leave it to IDS tools
> for flag activity. Might be of interest to consider
> for future versions of the tools.
>
> Last question came up, echoed about argus.
> Question about interactivity, they are working on
> feedback through tools. Question about alarming
> on patterns; but once you start alarming or putting
> up visual indicators, it distracts from rest of
> the overall pattern, you tend to miss other information.
- ----------------
the last part was me, virendra rode from riverdomain. my question was
mostly related to a possibility of setting priority bit(s) in order to
control (rate-limit, if you will) session(s) that could lead to congestion.
since argus is already integrated and performs traffic auditing (i
think) setting priority bit(s) would be a nice feature to integrate down
the path. then again, i understand this is a performance monitoring tool.
that's all.
regards,
/virendra
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFD8qpUpbZvCIJx1bcRAnzaAKCsI29SetdMSJaLr3LR01MGp87CmACgnCEf
7RDnyaGsad++GevXjt2MIQY=
=/55T
-----END PGP SIGNATURE-----
More information about the NANOG
mailing list