Intelligent Traffic Management
Dale O'Grady, [email protected], Nortel Networks
TRANSCRIPT
Copyright
Copyright Nortel Networks 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Our Strategy: business without boundaries
Our Vision: the engaged enterprise for customers, partners and employees
One Network: protocol, infrastructure, service and application convergence
A World of Choice: private, managed and hosted solutions
Open: extensible, agile and standards-based
Architecture for the Converged Enterprise (ACE): Adaptive Clients, Engaged Applications, Security, Management, Communication Services, Data Networking
Trends Driving Changes in Education Networks
• Online collaboration
• Increasing number and variety of devices requiring higher bandwidth
• Increased security requirements
• New applications introducing new traffic patterns
Challenges
• Streaming Content, Web Content, IP Telephony, Collaborative Tools
• Devices – which one, capabilities
• Networks – capabilities, transitions, pre-determination, SIP integration
• Billing – varied environments, changing networks/carriers
ITM: What?
A solution utilizing Alteon Application Switches and Alteon software to inspect application flows for pre-defined attributes, in order to classify the flows, apply policy to them and report on usage.
Application: Any program, group of programs or subset of a program used in a computing environment, ranging from well-known business applications to network worms and attacks. If it sends and/or receives IP packets, it is an application. The operator defines the boundaries of an application.
Flow: An application's bi-directional communication between two devices (uni-directional in the case of security attacks).
Attributes: One or more unique Layer 2 through Layer 7 identifiers that, on their own or in combination, uniquely identify the application.
Classifying: The act of associating one or more applications into a common entity.
Policy: The policy defines the action to take on the classified application flows, such as deny, rate limit, monitor or prioritize.
Why Traffic Management?
Litigation Risks are High
Enterprises are exposed if their employees are indulging in the illegal transfer of copyright material over Peer-to-Peer networks. Authorities have the right to seize/freeze company assets.
Abuse Management / Mitigation
Protect against abuse in many forms, such as network worms and attacks, P2P, spyware and malware, and overall excessive consumption.
Mitigate against running out of resources, such as connection capacity on firewalls.
User Experience
Used as a means to enhance the user experience by guaranteeing traffic levels and marking traffic for higher priority.
Cost Containment
Provides a mechanism to control network costs by limiting the traffic traversing expensive links.
Network Planning
Knowledge is power. Traffic management provides detailed insight into traffic and traffic patterns.
Why Intelligent?
Shift to Layer 7
Greater shift to Layer 7 inspection, as Layer 4 and below is much less reliable: applications masquerade on, or deviate from, well-known ports for security reasons. Many new applications use non-registered dynamic ports, making accurate Layer 4 detection impossible.
Flow Based vs Packet Based
The entire flow needs to be treated as an entity and not as individual packets. This is mandatory for Layer 7 inspection, as in the majority of cases only the signaling portion carries unique identifiers while the bulk of the payload does not.
Defining Application Boundaries
Not everything is treated equally, so you shouldn't suffer with all or none. Application boundaries are defined by the operator to meet their specific needs. An application boundary can be as simple as a single function of an application, or a group of multiple similar applications.
Multiple Options
There is no 'silver bullet' – traffic shaping, traffic policing, traffic monitoring, traffic prioritizing, traffic steering ... The more options, the better.
How Can it be Used?
Alteon ITM is very flexible and its capabilities are virtually limitless. The following identifies just a small sampling of how Alteon Intelligent Traffic Management can be used:
• Deployed in the network to combat high-profile network worms and viruses, most notably with the ability to stop the worms without stopping the entire application protocol.
• Deployed in the network to identify and deny the dynamic, port-hopping peer-to-peer applications being used in the enterprise.
• Deployed in the network to prevent spyware applications from sending critical corporate data back to its recipient.
• Deployed in the network to shape and prioritize critical business application traffic so that it is not impacted should a new network worm try to impact the network.
• Deployed in the network to monitor all applications and network traffic to facilitate network and application planning initiatives.
• Combine any or all of the above.
Why is P2P Traffic Special?
• Unattended Applications – applications run at all times, so there is no standard peak time
• Packet Sizes – moving towards equilibrium between upload and download traffic
• Symmetry – networks are designed around asymmetry, but this traffic is symmetrical
• Geographically Agnostic – applications are concerned with content and not the location of content, resulting in increased transit costs
Impediments to Controlling P2P
• Application Protocol Development – utilizes non-standard, non-registered, proprietary application protocols
• Masquerading – hiding within well-known application ports such as port 80 HTTP to avert detection
• Multiple Connections – advanced connection and splicing techniques potentially consuming hundreds of TCP and UDP ports to obtain a single file
• Port Hopping – fixed vs random vs dynamic ports; extending non-registered ports to include random TCP or UDP ports, not only at application startup but potentially for each directory lookup or data transfer thereafter
Peer to Peer – Legal Issues?
Not attempting to interpret any of the on-going or forthcoming legal issues ...
• A number of court cases are active discussing the legality of P2P networks
• RIAA (Recording Industry Association of America) initiates the majority of them
• Regardless of liability, simply the threat of legal action can have a negative impact on the corporation
http://www.riaa.com/news/newsletter/021303.asp
Future of Traffic Control
• The need for traffic control will continue to rise across many application segments
• Not only the need to detect applications, but specific attributes within an application (e.g. a specific Oracle DB)
• Weight is shifting to pure Layer 7 inspection, which is very taxing and processor intensive
• Packet inspection devices and PCs will not be able to compete with the shift to L7, even at low bandwidth speeds: this functionality is processor intensive, not network I/O intensive
Does P2P Have a Future?
Myth: P2P has so many legal issues that it will become obsolete
• P2P has faced numerous battles in the past and still continues
• P2P networks have created an enormous and efficient content distribution network
• Imagine the power of delivering legal content over these vast networks without having to build the infrastructure (PeerEnabler sees the value in this)
• At the end of the day, content is king
2001 – Remember Napster, shut down in 2001; well, life after Napster goes on
April 2003 – Sharman (maker of FastTrack, i.e. KaZaA) ruled in a Los Angeles court not to be held accountable for copyright material traversing their network
May 2003 – Kazaa officially the most downloaded internet application ever, surpassing ICQ
June 2003 – RIAA (Recording Industry Association of America) takes the offensive
July 2003 – Response to RIAA: CNN poll shows 70% not reluctant to continue file sharing
July 2003 – Madster lost appeal and must remain shut down indefinitely
July 2003 – New file sharing applications are promising 'user anonymity'
Today – Virtually all P2P applications are promising upgrades
ITM Components
1. Policy Engine – responsible for device management and policy provisioning
2. Processing Engine (the network device) – responsible for application inspection and policy enforcement; the traffic flow passes through it
3. Reporting Engine – responsible for data storage, graphing and reporting
Application Signatures
As packets flow through the switch, they are inspected for pre-defined application identifiers.
These identifiers can be any attribute from a Layer 2 MAC address all the way to a complex Layer 7 pattern deep within the packet.
Multiple identifiers are combined to make a unique application signature. For example:
• DSCP: 0x30
• Protocol: TCP
• TCP Source Port: 1024-1180
• TCP Flags: PSH, ACK
• Data1: 66EF2D0A0A @ 0x60 to 0x64
• Data2: 7753002E @ anywhere after 0x64
ALL of these attributes can be combined to create a unique application signature.
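The multi-attribute signature above, and the flow-based treatment described under "Flow Based vs Packet Based", as an added Python example. This is illustrative code written for this transcript, not Alteon ITM code. The Packet and Signature classes are assumptions; the slide's "@ 0x60 to 0x64" is read as Data1's five bytes occupying offsets 0x60 through 0x64 (so Data2 may appear from 0x65 on), offsets are taken relative to the start of the TCP payload, and every packet in demo() is constructed. The classifier also computes the classification rate used on the "Number of Signatures" slide as the share of observed bytes attributed to a known application.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:  # one packet as the inspection engine sees it (fields chosen for this example)
    src_ip: str
    dst_ip: str
    proto: str                 # "TCP" or "UDP"
    src_port: int
    dst_port: int
    dscp: int
    tcp_flags: FrozenSet[str]  # e.g. frozenset({"PSH", "ACK"}); empty for UDP
    payload: bytes             # data offsets below are relative to this payload (assumption)


@dataclass(frozen=True)
class Signature:
    """Attribute-based application signature: every attribute that is set must match."""
    name: str
    dscp: Optional[int] = None
    proto: Optional[str] = None
    src_port_range: Optional[Tuple[int, int]] = None  # inclusive range
    tcp_flags: Optional[FrozenSet[str]] = None        # all listed flags must be set
    data_at: Tuple[Tuple[bytes, int], ...] = ()       # (pattern, fixed offset)
    data_after: Tuple[Tuple[bytes, int], ...] = ()    # (pattern, earliest offset)

    def matches(self, pkt: Packet) -> bool:
        if self.dscp is not None and pkt.dscp != self.dscp:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src_port_range is not None:
            lo, hi = self.src_port_range
            if not lo <= pkt.src_port <= hi:
                return False
        if self.tcp_flags is not None and not self.tcp_flags <= pkt.tcp_flags:
            return False
        for pattern, off in self.data_at:           # exact bytes at a fixed offset
            if pkt.payload[off:off + len(pattern)] != pattern:
                return False
        for pattern, off in self.data_after:        # bytes anywhere at or after the offset
            if pkt.payload.find(pattern, off) == -1:
                return False
        return True


# The slide's example signature (the name is invented; the slide gives none).
SLIDE_SIGNATURE = Signature(
    name="example-app",
    dscp=0x30,
    proto="TCP",
    src_port_range=(1024, 1180),
    tcp_flags=frozenset({"PSH", "ACK"}),
    data_at=((bytes.fromhex("66EF2D0A0A"), 0x60),),
    data_after=((bytes.fromhex("7753002E"), 0x65),),
)


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent flow identity, so both halves of a conversation share one entry."""
    ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return (pkt.proto, ends[0], ends[1])


class FlowClassifier:
    """Once one packet of a flow matches, every later packet of that flow inherits the application."""

    def __init__(self, signatures: List[Signature]):
        self.signatures = signatures
        self.flows: Dict[tuple, str] = {}       # flow_key -> application name
        self.bytes_by_app: Dict[str, int] = {}  # application name -> payload bytes seen

    def classify(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        app = self.flows.get(key)
        if app is None:  # not yet classified: try every signature against this packet
            app = next((s.name for s in self.signatures if s.matches(pkt)), "unclassified")
            if app != "unclassified":
                self.flows[key] = app
        self.bytes_by_app[app] = self.bytes_by_app.get(app, 0) + len(pkt.payload)
        return app

    def classification_rate(self) -> float:
        """Fraction of observed payload bytes attributed to a known application."""
        total = sum(self.bytes_by_app.values())
        return (total - self.bytes_by_app.get("unclassified", 0)) / total if total else 0.0


def demo() -> Tuple[str, str, str, float]:
    """Constructed traffic: a matching signaling packet, a reverse-direction bulk packet of the
    same flow carrying no identifiers, and an unrelated DNS query."""
    payload = bytearray(0x80)
    payload[0x60:0x65] = bytes.fromhex("66EF2D0A0A")
    payload[0x70:0x74] = bytes.fromhex("7753002E")
    signaling = Packet("10.0.0.5", "192.0.2.9", "TCP", 1100, 6346, 0x30, frozenset({"PSH", "ACK"}), bytes(payload))
    bulk = Packet("192.0.2.9", "10.0.0.5", "TCP", 6346, 1100, 0x30, frozenset({"ACK"}), b"\x00" * 1400)
    dns = Packet("10.0.0.7", "192.0.2.53", "UDP", 40000, 53, 0, frozenset(), b"\x12" * 60)
    clf = FlowClassifier([SLIDE_SIGNATURE])
    verdicts = (clf.classify(signaling), clf.classify(bulk), clf.classify(dns))
    return verdicts + (clf.classification_rate(),)
```

Only the signaling packet carries the identifiers; the 1400-byte bulk packet is attributed to the same application purely through the flow table, which is the point the "Flow Based vs Packet Based" slide makes. Bytes seen before a flow is classified count as unclassified, so the rate is also a measure of how early in a flow the signature fires.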
Application Signature Sources
• Nortel Networks
• Application Vendors
• Open Source Projects
• Virus Vendors
• Customers
• IDS Vendors
Number of Signatures
• The number of applications supported is NOT the measuring stick
– No value in including hundreds of obsolete applications (actually more risky)
– No value in including every iteration of every application simply to meet a number
– Multiple applications can use the same protocol, so the actual number can be very deceiving
• Classification rate measures true capabilities
– Health care customer achieving 92% classification rate with ITM
– Large cable provider achieving 90% classification rate with ITM
April 1st Application List – Summary
NACHIA Worm; P2P Network FileTopia over SSL; SQL Slammer over Microsoft SQL Monitor UDP; Blat DoS Attack; Cisco Enhanced Interior Gateway Protocol EIGP; Cisco Interior Gateway Protocol IGP; Encapsulated Security Protocol ESP; General Routing Encapsulation GRE; Internet Control Message Protocol ICMP; Internet Group Management Protocol IGMP; Open Shortest Path First OSPF; Resource Reservation Protocol RSVP; Virtual Router Redundancy Protocol VRRP; AOL Instant Messenger AIM TCP; BattleNet Network Gaming; Domain Name Service DNS UDP; Dynamic Host Configuration DHCP UDP; File Transfer Protocol FTP TCP; File Transfer Protocol FTP UDP; Fraggle DoS Attack; HalfLife Network Gaming UDP; HyperText Transfer Protocol HTTP TCP; Internet Message Access Protocol IMAP TCP; Internet Relay Chat IRC TCP; Kerberos TCP; Kerberos UDP; Key Exchange Security Protocol ISAK UDP; Land DoS Attack; Lightweight Directory LDAP TCP; Lightweight Directory LDAP UDP; Microsoft Media TCP; Microsoft Media UDP; Microsoft Messenger Chat MSN TCP; Microsoft Messenger Voice_Data MSN TCP; Microsoft SMB TCP; Microsoft SQL Monitor UDP; MS Terminal Services RDP TCP; Multicast Domain Name Service MDNS UDP; NetBIOS TCP; NetBIOS UDP; Network News Protocol NNTP TCP; Network Time Protocol NTP UDP; Nullscan DoS Attack;
P2P Network EDonkey TCP; P2P Network EDonkey UDP; P2P Network FastTrack-KaZaA TCP; P2P Network Gnutella TCP; P2P Network MP2P UDP; P2P Network WinMX TCP; P2P Network WinMX UDP; Port to Port Tunneling Protocol PPTP; PortZero DoS Attack; Post Office Protocol POP3 TCP; Proxy Services TCP; Real Time Streaming Protocol RTSP TCP; ScanSynFin DoS Attack; Secure Shell SSH TCP; Secure Socket Layer SSL TCP; Simple Mail Transport SMTP TCP; Simple Network Management SNMP UDP; Smurf DoS Attack; Squid Proxy TCP; Telnet TCP; Timbuktu TCP; Trivial File Transfer TFTP UDP; Voice Chat TCP; Voice Chat UDP; X11 X-Protocol TCP; XMasScan DoS Attack; Yahoo Instant Messenger YIM TCP; Blaster Worm; Code Red Worm; HyperText Transfer Protocol HTTP; Microsoft Messenger Data MSN; Microsoft Messenger Voice MSN; MS RPC-DCE; NIMDA Worm; P2P Network Ares; P2P Network BitTorrent; P2P Network Direct Connect; P2P Network EDonkey; P2P Network FastTrack-KaZaA; P2P Network FileTopia; P2P Network Gnutella; P2P Network MP2P; P2P Network Peer Enabler
• This summarized list does not include the breakdown of each application (i.e. control, query, upload, download etc., which is present for each application as appropriate)
• Nortel will work directly with you to create any application signature required for your specific environment
Configuration: Ease-of-Use
Easy-to-use 3-step process for configuration and sustaining. A single view shows the current policy deployment.
Step 1: Pick your Ports
• Ability to distinguish between inbound and outbound traffic; in many cases the policies will be different depending on direction
• Supports individual ports or trunk groups
• One-touch button to deny the most common DoS attacks
• Provides enhanced switch validation checks for data collection
Step 2: Select Applications
• Nortel supplies (and updates) pre-canned signatures (OEM) for the most common applications and attacks
• Allows user customization while permitting OEM rules
• Permits re-prioritization of rules (precedence support)
• Updated signatures available for download via www.nortelnetworks.com
Step 3: Define and Assign Policy
• Single page view of currently deployed policies
• Policy application granularity – inbound vs outbound
• Embedded policy actions include: Monitor, Rate Limit, Deny, Traffic Shape
• Additional custom configured action policies include: Remark, TCP Connection Rate Limiting, UDP Rate Limiting, ICMP Rate Limiting, Redirect
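The three-step model above (ports with an inbound/outbound split, selected applications, policies with precedence and the Monitor / Rate Limit / Deny actions) as an added Python example of a policy engine applied to flows that have already been classified. This is illustrative code written for this transcript, not the Alteon policy engine; the Policy fields, the token-bucket policer standing in for Rate Limit, the "forward"/"discard" verdicts and the policy set in demo() are all assumptions. The application names are taken from the application list earlier on the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MONITOR, RATE_LIMIT, DENY = "monitor", "rate_limit", "deny"


@dataclass
class Policy:
    port: str              # switch port or trunk group, e.g. "1" or "trunk1"
    direction: str         # "inbound" or "outbound": policies are assigned per direction
    app: str               # classified application name, or "*" for any application
    action: str            # MONITOR, RATE_LIMIT or DENY
    rate_bps: int = 0      # committed rate for RATE_LIMIT
    precedence: int = 100  # lower value wins when several policies match (rule re-prioritization)


class TokenBucket:
    """Policer used for RATE_LIMIT: tokens are bytes, refilled at the committed rate."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps / 8.0  # bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def allow(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class PolicyEngine:
    """Finds the highest-precedence policy for (port, direction, app), enforces it, and keeps
    forwarded/discarded byte counters of the kind a reporting engine would graph."""

    def __init__(self, policies: List[Policy]):
        self.policies = sorted(policies, key=lambda p: p.precedence)
        self.buckets: Dict[int, TokenBucket] = {}  # one policer per RATE_LIMIT policy
        self.stats: Dict[Tuple[str, str, str], Dict[str, int]] = {}

    def lookup(self, port: str, direction: str, app: str) -> Optional[Policy]:
        for p in self.policies:  # already sorted, so the first hit has the best precedence
            if p.port == port and p.direction == direction and p.app in (app, "*"):
                return p
        return None

    def apply(self, port: str, direction: str, app: str, size: int, now: float) -> str:
        """Return "forward" or "discard" for one packet of an already-classified flow."""
        policy = self.lookup(port, direction, app)
        verdict = "forward"  # no policy, or MONITOR: count the traffic only
        if policy is not None and policy.action == DENY:
            verdict = "discard"
        elif policy is not None and policy.action == RATE_LIMIT:
            bucket = self.buckets.get(id(policy))
            if bucket is None:  # burst chosen as one second's worth of bytes (assumption)
                bucket = self.buckets[id(policy)] = TokenBucket(policy.rate_bps, policy.rate_bps // 8)
            verdict = "forward" if bucket.allow(size, now) else "discard"
        counters = self.stats.setdefault((port, direction, app), {"forwarded": 0, "discarded": 0})
        counters["forwarded" if verdict == "forward" else "discarded"] += size
        return verdict


KAZAA = "P2P Network FastTrack-KaZaA TCP"      # names as they appear in the application list
HTTP = "HyperText Transfer Protocol HTTP TCP"


def demo() -> Dict[str, object]:
    """Constructed policy set for port "1": deny inbound KaZaA, police outbound KaZaA to
    8 kbit/s (1000-byte burst), and monitor everything else in both directions."""
    engine = PolicyEngine([
        Policy("1", "inbound", KAZAA, DENY, precedence=10),
        Policy("1", "outbound", KAZAA, RATE_LIMIT, rate_bps=8000, precedence=10),
        Policy("1", "inbound", "*", MONITOR),
        Policy("1", "outbound", "*", MONITOR),
    ])
    # three 400-byte packets at t=0 exhaust the 1000-byte burst; a second later it has refilled
    outbound = [engine.apply("1", "outbound", KAZAA, 400, t) for t in (0.0, 0.0, 0.0, 1.0)]
    return {
        "outbound_p2p": outbound,
        "inbound_p2p": engine.apply("1", "inbound", KAZAA, 1500, 0.0),
        "inbound_web": engine.apply("1", "inbound", HTTP, 1500, 0.0),
        "stats": engine.stats,
    }
```

The catch-all monitor policies sit at the default precedence of 100, so the application-specific rules at precedence 10 win without any ordering trick; re-prioritizing a rule is just changing that number. The same flow is denied in one direction and merely policed in the other, which is why the slide stresses assigning policy per direction.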
FREE Reporting System: Robust Reporting Capabilities
• Report on application usage over time in rate (Mbps, Kbps, KBps)
• Report on individual and/or groups and/or aggregates of applications
• Report on individual and/or groups and/or aggregates of application discards
• Complete control over the reporting period (down to the minute) and time zones
• Multiple options for the y-axis: Mbps, Kbps, KBps; % inbound, % outbound, % all; % application and discards
• Export formats: ASCII table or CSV
• Pre-canned reports for Top 5 and typical hour, day, week
• Linux/MySQL based back-end to store all the data
• Web based front-end to generate usage reports
• Fully automated database data injection
• Open sourced
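The report calculations listed above (usage over time in Mbps, % inbound vs % outbound, % discards per application, Top 5) as an added Python example over per-minute usage records. This is illustrative code written for this transcript, not the Nortel reporting system or its database schema; the record layout and every value in SAMPLE_RECORDS are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed per-minute usage records of the kind a switch might inject into the database:
# (minute offset within the reporting period, application, direction, bytes forwarded, bytes discarded)
SAMPLE_RECORDS: List[Tuple[int, str, str, int, int]] = [
    (0, "HyperText Transfer Protocol HTTP TCP", "inbound", 7_500_000, 0),
    (0, "HyperText Transfer Protocol HTTP TCP", "outbound", 1_500_000, 0),
    (0, "P2P Network FastTrack-KaZaA TCP", "outbound", 3_000_000, 12_000_000),
    (1, "HyperText Transfer Protocol HTTP TCP", "inbound", 6_000_000, 0),
    (1, "P2P Network FastTrack-KaZaA TCP", "outbound", 3_000_000, 9_000_000),
    (1, "Simple Mail Transport SMTP TCP", "outbound", 750_000, 0),
    (1, "Secure Shell SSH TCP", "inbound", 150_000, 0),
    (1, "Domain Name Service DNS UDP", "outbound", 30_000, 0),
    (1, "Network Time Protocol NTP UDP", "outbound", 3_000, 0),
]


def rate_mbps(byte_count: int, seconds: int = 60) -> float:
    """Bytes carried in a period, expressed in megabits per second (1 Mbps = 1,000,000 bit/s)."""
    return byte_count * 8 / seconds / 1_000_000


def usage_over_time(records) -> Dict[str, List[float]]:
    """Per-application Mbps for each minute of the period (forwarded traffic, both directions)."""
    minutes = max(r[0] for r in records) + 1
    series: Dict[str, List[float]] = defaultdict(lambda: [0.0] * minutes)
    for minute, app, _direction, forwarded, _discarded in records:
        series[app][minute] += rate_mbps(forwarded)
    return dict(series)


def direction_split(records) -> Dict[str, float]:
    """Percentage of forwarded bytes that were inbound vs outbound (the % Inbound / % Outbound axis)."""
    totals: Dict[str, int] = defaultdict(int)
    for _minute, _app, direction, forwarded, _discarded in records:
        totals[direction] += forwarded
    total = sum(totals.values())
    return {direction: 100.0 * b / total for direction, b in totals.items()}


def discard_share(records) -> Dict[str, float]:
    """Per-application percentage of bytes dropped by policy (the % Application and Discards axis)."""
    forwarded_by_app: Dict[str, int] = defaultdict(int)
    discarded_by_app: Dict[str, int] = defaultdict(int)
    for _minute, app, _direction, forwarded, discarded in records:
        forwarded_by_app[app] += forwarded
        discarded_by_app[app] += discarded
    return {app: 100.0 * discarded_by_app[app] / (forwarded_by_app[app] + discarded_by_app[app])
            for app in forwarded_by_app}


def top_n(records, n: int = 5) -> List[Tuple[str, float]]:
    """Top-N applications by average Mbps over the whole period (the pre-canned Top 5 report)."""
    series = usage_over_time(records)
    averages = [(app, sum(values) / len(values)) for app, values in series.items()]
    return sorted(averages, key=lambda item: item[1], reverse=True)[:n]
```

Discards are reported separately from forwarded traffic because a denied P2P application shows almost nothing on a usage graph while still dominating the discard graph; keeping both counters per record is what makes the two views consistent with each other.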
Multiple Platforms – A World of Choice
• Alteon 2208 (2xGE + 8xFE)
• Alteon 2216 (2xGE + 16xFE)
• Alteon 2424 (4xGE + 24xFE)
• Alteon 2424SSL (4xGE + 24xFE + SSL)
• Alteon 3408 (4xGE + 4xCopper Gig + 4xGE or Copper)
Alteon ITM is NOT a One-Trick Pony!
The slide groups the switch's other capabilities under Embedded Security Services, Traffic Management and Network Services:
• Integrated DoS Attack Prevention
• UDP Blast Prevention
• Management Shield
• IP Access Control Lists
• Traffic Shaping
• Traffic Policing
• SYN Attack Detection / Prevention
• DSCP Support (Active | Passive)
• Protocol Connection / Rate Limiting
• Session Capping and Aging
• IDS Load Balancing
• Egress Bandwidth Management
• Server Load Balancing
• Advanced Filtering
• Content Intelligence
• Network Device Load Balancing
• Application Redirection
• Persistence Support
ITM Parts List (a symbol on the slide denotes customer-provided equipment)
• All Application Switch models support Intelligent Traffic Management
• Both licenses are required. With 22.0, both licenses will be available at a discount in the ITM bundle
• Don't forget the SFP GBICs for optical connectivity
• Recommend running Management and Reporting on the same Linux server
• Customer must supply the Linux server (and media) – Nortel does not distribute RedHat
• Previous versions will NOT support ITM
Nortel Promotion through 6-30-2004: Replace Your P2P with Alteon
Extended promotion for Education:
• First 3 customers purchasing a NEW Application Switch receive licenses for FREE! (expires June 30)
• First 3 customers purchasing licenses to UPGRADE an existing Application Switch receive licenses for 33% of the list price! (expires June 30)