Tuesday, January 25, 2022

Network Packet Broker

  •  What Is a Network Packet Broker?


What is a network packet broker (NPB)? A network packet broker is a technology that implements a range of monitoring tools to access and analyze traffic (also known as "network packets") across a network. Simply put, NPBs function as "brokers" (or managers) of network traffic. The packet broker collects traffic from multiple network links, filtering and distributing each individual packet to the correct network monitoring tool. By doing so, network packet brokers improve the effectiveness of network monitoring and security tools by delivering better data from across the network.

https://www.gigamon.com/campaigns/next-generation-network-packet-broker.html


  • To avoid waste and blind spots, start by collecting data about what is taking place across your network. Network taps and mirror ports on network equipment—also known as switched port analyzer or SPAN ports—create access points for capturing traffic for analysis.


Why Do I Need a Network Packet Broker?

A Network Packet Broker (NPB) resides between the taps and SPAN ports, which access network data, and the sophisticated security and monitoring tools that typically reside in data centers. NPBs do just what their name says: they broker network packet data to ensure every analysis tool sees exactly the data it needs to perform at the highest possible level. The NPB adds an increasingly critical layer of intelligence—one that reduces cost and complexity to help you achieve the following:


Faster problem resolution

Ixia's robust Security Fabric leverages this intelligence to speed up troubleshooting by providing insight into the geographic location of outages and the vendors that may be causing disruptions.


Increased proactivity

The use of metadata, provided through NetFlow by intelligent NPBs, also aids in accessing the empirical data used to manage bandwidth usage, trending, and growth. That prevents problems from occurring in the first place.



What Exactly Does the NPB Do?

Conceptually, aggregating, filtering, and delivering data sounds simple.


One way they do this is by load balancing traffic. For example, if you upgrade your data center network from 1Gbps to 10Gbps, 40Gbps, or higher, NPBs can downshift speeds. That allows you to distribute higher speed traffic across a pool of existing lower-speed 1G or 2G monitoring tools for analysis.


Deduplicating redundant packets

Analysis and security tools stand to receive a slew of duplicate packets as multiple taps forward traffic. NPBs can eliminate duplicates to keep tools from wasting processing capacity by handling redundant data.


SSL decryption

Secure Socket Layer (SSL) encryption is the standard technology used to safely send private information. However, hackers can hide cyberthreats in encrypted packets. Decryption is necessary to inspect this data, but unraveling the encrypted payload takes valuable processing power. Leading packet brokers can offload decryption from security tools to ensure total visibility while easing the burden on high-cost resources.


Data masking

SSL decryption leaves data visible to anyone with access to security and monitoring tools. NPBs can mask personally identifiable information such as credit card and Social Security numbers, protected health information, and other sensitive data before passing it on. That means tools and their administrators cannot see it.


Protocol header stripping

An NPB may strip out protocol headers such as VLAN, VXLAN, and L3VPN, allowing tools that process these protocols to receive and process packet data. Context-aware visibility helps in spotting rogue applications running on your network and the footprints attackers leave as they work their way through your systems and networks.

https://www.keysight.com/us/en/assets/3120-1272/brochures/What-Is-a-Network-Packet-Broker-And-Why-Do-You-Need-One.pdf


Wednesday, January 19, 2022

A baseboard management controller (BMC)

  •  For context, a BMC is a specialized controller embedded in servers. It often comes in the form of a system-on-chip (SoC), with its own CPU, memory, and storage and lots of IO. A BMC connects to sensors to read environmental conditions and to fans to control temperature. It also provides other system management functions, including remote power control, serial over LAN, and monitoring and error logging of the server host CPU and memory.


Until now, on the software side, the complete BMC software stack was closed. BMC software is usually developed by the hardware manufacturer during the hardware-development phase. Because the BMC software was closed, whatever was developed for the existing hardware could not be reused for the next generation. The long BMC software schedule directly affected new hardware development. When hardware development ended, the BMC software development stopped as well. Further bug fixes or new features had to wait for the hardware manufacturer.

 

https://engineering.fb.com/2015/03/10/open-source/introducing-openbmc-an-open-software-framework-for-next-generation-system-management/

netflow

  •  How do you manage Internet user behavior? How do you distribute the various types of traffic? In this case, you can use NetFlow, an effective tool for meeting the needs of network traffic management.

 NetFlow was originally developed by Cisco.

 Cisco's NetFlow also has multiple versions, such as V5, V7, V8, and V9. Currently NetFlow V5 is the mainstream.

 A flow of IP packets is defined by at least the following 7 key elements:

    Source IP address;
    Destination IP address;
    Source port number;
    Destination port number;
    Layer 3 protocol type;
    TOS field;
    Input/output logical interface of the network device (ifIndex).


Example 1: Code Red's flow features are destination port=80, packets=3, size=144 bytes. Although normal behavior that matches these characteristics does exist on the Internet (for example, using ICQ), a host in normal use will not send out a large number of such flows in several consecutive periods of time.

Take several consecutive time periods, for example 5 minutes each; if the number of flows matching these characteristics in each period exceeds the upper limit, the host can be judged to be infected with Code Red.


Example 2: A host infected with the Nimda virus will initiate a large number of connections to external addresses (usually TCP port 80). The flow feature of Nimda is that each flow represents a connection with destination port=80. If the number of flows from an otherwise normal client within a period of time (for example, 5 minutes) is too large, it is likely infected by a virus or subject to some other attack against HTTP.

If an Apache HTTP Server is infected with the Slapper worm, a large number of HTTP packets will also be generated.

Take several consecutive time periods of 5 minutes each; if the number of flows matching these characteristics in each period exceeds the upper limit, it can be judged as the Nimda virus or other attack behavior.


Example 3: Worm.Sasser is characterized by one IP initiating TCP connections on port 445 to many randomly generated IPs at the same time.

The same source IP, a large number of different destination IPs, and destination port 445: when the flow count exceeds the upper limit, it can be considered the Sasser virus.


Example 4: The notorious Microsoft SQL Server vulnerability had a great impact. Its characteristic is a TCP stream with a destination port of 1433.


Example 5: Analyzing DoS attack traffic with NetFlow

A DoS attack can exploit a defect of the TCP protocol by opening half-open TCP connections with SYN, occupying system resources so that legitimate users are excluded and cannot establish a normal TCP connection.

The detection of ICMP attacks can be based on the following condition: in several consecutive time periods, assuming each period is 5 minutes, the number of ICMP packets in each period is greater than 5000.

Another DDoS attack is SYN flooding, which is characterized by the SYN bit in the TCP header being set and a large number of packets with this characteristic. The flag bits are provided in the NetFlow output format, which gives us the means to detect SYN attacks.

The condition for detecting SYN flooding is: in several consecutive time periods, assuming each period is 5 minutes, a large number of packets with flag=2 are generated. Normal connections will not generate so many packets with flag=2, so the threshold can be set to 5000.

If the number of packets with flag=2 sent by a host exceeds 1000, it can be considered that the host is launching an attack.
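The threshold rules of Examples 1 to 5 above, written out as an added Python detector that is not part of the original notes: it counts matching flows (or, for Sasser, distinct destination IPs) per source IP per 5-minute window over constructed NetFlow v5-style records and alerts only when the limit is exceeded in consecutive windows. The Flow record shape, the sample data, and every threshold other than the 5000 SYN limit are assumptions.

```python
from collections import defaultdict, namedtuple

WINDOW = 300  # seconds: the 5-minute periods used in the examples above
# The NetFlow v5 fields the examples rely on; records are constructed below.
Flow = namedtuple("Flow", "start src dst dport packets bytes tcp_flags")

# name -> (match predicate, what to count per source IP per window, threshold).
# The 5000 SYN limit is from the text; the other "upper limits" are assumed here.
SIGNATURES = {
    "code_red":  (lambda f: f.dport == 80 and f.packets == 3 and f.bytes == 144, "flows", 100),
    "nimda":     (lambda f: f.dport == 80, "flows", 1000),
    "sasser":    (lambda f: f.dport == 445, "dst_ips", 100),
    "syn_flood": (lambda f: f.tcp_flags == 2, "flows", 5000),  # 2 == SYN only
}

def window_counts(flows, signatures=SIGNATURES, window=WINDOW):
    """Return {(signature, src_ip, window_index): count} over matching flows."""
    dsts, counts = defaultdict(set), defaultdict(int)
    for f in flows:
        for name, (match, unit, _) in signatures.items():
            if match(f):
                key = (name, f.src, f.start // window)
                if unit == "dst_ips":  # Sasser: count distinct targets, not flows
                    dsts[key].add(f.dst)
                    counts[key] = len(dsts[key])
                else:
                    counts[key] += 1
    return counts

def detect(flows, signatures=SIGNATURES, window=WINDOW, consecutive=2):
    """Return {(signature, src_ip)} for hosts over threshold in `consecutive`
    back-to-back windows; a single spike in one window is not enough."""
    over = defaultdict(set)
    for (name, src, win), n in window_counts(flows, signatures, window).items():
        if n > signatures[name][2]:
            over[(name, src)].add(win)
    return {key for key, wins in over.items()
            if any(all(w + k in wins for k in range(consecutive)) for w in wins)}

def sample_flows():
    """Constructed data: a Sasser-like scanner hitting 150 hosts on 445 in two adjacent
    windows, a host that spikes only once, and a client browsing 20 sites normally."""
    flows = [Flow(i, "10.0.0.9", f"192.0.2.{i}", 445, 1, 48, 2) for i in range(150)]
    for t in (0, WINDOW):
        flows += [Flow(t + i, "10.0.0.7", f"198.51.100.{i}", 445, 1, 48, 2) for i in range(150)]
        flows += [Flow(t + i * 10, "10.0.0.20", f"203.0.113.{i}", 80, 12, 4096, 27) for i in range(20)]
    return flows
```

Running `detect(sample_flows())` flags only `("sasser", "10.0.0.7")`; the one-window spike from 10.0.0.9 is ignored until it repeats, which is the consecutive-period rule the examples rely on to keep false positives down.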


Case 6: Application of NetFlow in Network Forensics

    Fprobe: sends the flow data from the remote host;
    NfSen: NetFlow analysis graphical front end;
    Nfdump: NetFlow acquisition module.

The network data is received at the network interface, then converted by the Fprobe program according to certain rules and formats (the NetFlow format) and sent to the system's port 555 (check /etc/default/fprobe for details). The Nfdump program in the NfSen system then stores the converted data in the /var/cache/nfdump/flows/ directory, and finally the web front-end program NfSen reads it.



 https://blog.birost.com/a?ID=01050-fc6121cf-d8ec-44a8-b796-8a023ac12588

 

  •  When computers need to talk to one another, they establish communication channels, commonly referred to as connections. (Technically speaking, these communication channels can only be called connections when the TCP protocol is involved.) A flow refers to any connection or connection-like communication channel.



 A flow is defined by its 5-tuple, a collection of five data points:

    The source and destination IP addresses exchanging information
    The source and destination ports, if any (ICMP, for example, doesn't use ports)
    The protocol

A flow identifies a communication channel, and all packets sharing the same 5-tuple fields belong to the same flow.


NetFlow is functionality built into network devices that collects measurements for each flow and exports them to another system for analysis. NetFlow captures a number of details, including the timestamp of a flow’s first and last packets (and therefore its duration), the total number of bytes and packets exchanged, and a summary of the flags used in TCP connections.


By collecting and analyzing this flow data, we can learn details about how the network is being used. Flow analysis is helpful in troubleshooting network issues, identifying bandwidth hogs, and tracking which external IPs or countries you're exchanging data with.


Having this information is important, but what you can do with it is what really matters. This data can help you answer questions like:

    Who's using banned applications, like BitTorrent?
    Who's hogging bandwidth and slowing down the network?
    Why is your web server receiving so many connections from North Korea?
    What was a hacked server connected to during an infection?


Why use NetFlow?

Simply stated, you should use NetFlow because it gives you deep network visibility.


Configuring NetFlow on the main router connected to the internet (R1) lets you monitor all the traffic in and out of the company and watch for any attacks on the servers in the DMZ. This is typically referred to as north-south traffic.


If you enable NetFlow on the main switch connecting the different departments (S1), you also gain instant visibility into all internal network traffic as well, typically referred to as east-west traffic.


NetFlow vs. SNMP

Similar to NetFlow, SNMP has a concept of agents (analogous to a flow exporter) and managers (analogous to a flow collector).


NetFlow and SNMP have some similarities, but it's where they differ that's most interesting. While they can both be used to monitor the throughput of a network, only NetFlow provides visibility into the what and the where of the traffic.


There is a bit of a difference, however, with data collection. With NetFlow, there is only one way to get data from the flow exporter to the flow collector: the flow exporter actively sends data to the flow collector. SNMP, on the other hand, has two ways of getting data from an agent to a manager. SNMP can utilize traps, a push notification from the agent to the manager, or SNMP polls, a pull request to the agent initiated from a manager. SNMP polling is the primary way most network management systems collect performance data.


Another major difference between NetFlow and SNMP is that NetFlow focuses only on traffic passing through a network device. SNMP allows network administrators to collect data on other device performance metrics, such as CPU and memory utilization, and even into hardware health information – like fan speed and temperature.


Where SNMP falls short on giving network admins visibility into the what and the where of the traffic, NetFlow is there to fill in that gap.


Limitations of NetFlow


NetFlow identifies the device but not necessarily the user


NetFlow records the IP address at the time of data collection

 if you use Network Address Translation (NAT) in your network, and do the NetFlow collection after you’ve NAT’d the traffic (on the ‘outside’ interface of a firewall), you won’t see the internal IPs associated with that traffic. I’ve been in this spot once or twice, trying to troubleshoot who is consuming all that bandwidth when every flow says “it’s the firewall!” You’ll want to ensure you’re always collecting flow traffic from an interface where you’ll see your internal IPs, before it is NAT’d.


NetFlow doesn’t see inside the flows

The 5-tuple of information collected by NetFlow is actually extracted out of the header of an IP packet.

The solution? Many organizations look to Deep Packet Inspection (DPI), including TLS inspection, as a way of peering inside the network traffic to analyze it for security threats and policy compliance. DPI has its own drawbacks:


    The inspection appliances need to sit in-line with the traffic and add an additional failure point.
    There are privacy implications to doing DPI on all traffic.
    It can be cost prohibitive for some organizations.


NetFlow can be used for monitoring, but not active management


NetFlow doesn’t tell you where a device is connected

 

https://www.auvik.com/franklyit/blog/netflow-basics/