Intelligent Traffic Management, Dale O’Grady, dogrady@nortelnetworks.com, Nortel Networks


Dec 22, 2015

Page 1: Intelligent Traffic Management Dale O’Grady dogrady@nortelnetworks.com Nortel Networks.

Intelligent Traffic Management

Dale O’Grady, dogrady@nortelnetworks.com

Nortel Networks

Page 2:

Copyright

Copyright Nortel Networks 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 3:

Our Strategy: business without boundaries

Our Vision: the engaged enterprise for customers, partners and employees

One Network: protocol, infrastructure, service and application convergence

A World of Choice: private, managed and hosted solutions

Open: extensible, agile and standards-based

Architecture for the Converged Enterprise (ACE):

Adaptive Clients

Engaged Applications

Security

Management

Communication Services

Data Networking

Page 4:

Trends Driving Changes in Education Networks

Online collaboration

Increasing number and variety of devices requiring higher bandwidth

Increased security requirements

New applications introducing new traffic patterns

Page 5:

Challenges

Email

Streaming Content

Web Content

IP Telephony

Collaborative Tools

Devices: which one, capabilities

Networks: capabilities, transitions, pre-determination, SIP integration

Billing: varied environments, changing networks/carriers

Page 6:

IT What?

A solution utilizing Alteon Application Switches and Alteon Software to inspect application flows for pre-defined attributes, for the purpose of classifying flows to apply policy and to report on usage.

Application: Any program, group of programs or subset of a program used in a computing environment, ranging from well known business applications to network worms and attacks. If it sends and/or receives IP packets then it is an application. The operator defines the boundaries for an application.

Flow: An application's bi-directional communication between two devices (or uni-directional in the case of security attacks).

Attributes: One or more unique Layer 2 through 7 identifiers that, used on their own or in combination with others, uniquely identify the application.

Classifying: The act of associating one or more applications into a common entity.

Policy: The policy defines the action to take on the classified application flows, such as deny, rate limit, monitor or prioritize.

Page 7:

Why Traffic Management?

Litigation Risks are High

Enterprises are exposed if their employees are indulging in the illegal transfer of copyright material over peer-to-peer. Authorities have the right to seize/freeze company assets.

Abuse Management / Mitigation

Protect against abuse in many forms, such as network worms and attacks, P2P, spyware and malware, and overall excessive consumption.

Mitigate against running out of resources, such as connection capacity for firewalls.

User Experience

Used as a means to enhance user experience by guaranteeing traffic levels and marking traffic for higher priority.

Cost Containment

Provides a mechanism to control network costs by limiting the traffic traversing expensive links.

Network Planning

Knowledge is power. Traffic Management provides a detailed insight into traffic and traffic patterns.

Page 8:

Why Intelligent?

Shift to Layer 7

Greater shift to Layer 7 inspection, as Layer 4 and below is much less reliable due to applications masquerading or deviating from well-known ports for security reasons. Many new applications use non-registered dynamic ports, making accurate Layer 4 detection impossible.

Flow Based vs Packet Based

The entire flow needs to be treated as an entity and not as individual packets. This is mandatory for Layer 7 inspection, as in the majority of cases only the signaling portion has unique identifiers while the bulk of the payload does not.

Defining Application Boundaries

Not everything is treated equal, so you shouldn’t suffer with All or None. Application boundaries are defined by the operator to meet their specific needs. An application boundary can be as simple as a single function of an application, or even a group of multiple like applications.

Multiple Options

There is no ‘Silver Bullet’: Traffic Shaping, Traffic Policing, Traffic Monitoring, Traffic Prioritizing, Traffic Steering … The more options, the better.

Page 9:

How Can it be Used?

Alteon ITM is very flexible and its capabilities are virtually limitless. The following identifies just a small sampling of how Alteon Intelligent Traffic Management can be used:

Deployed in the network to combat against high-profile network worms and viruses. Most notably the ability to stop the worms without stopping the entire application protocol.

Deployed in the network to identify and deny those dynamic, port-hopping Peer to Peer Applications being used in the Enterprise.

Deployed in the network to prevent Spyware applications from sending critical corporate data back to its recipient.

Deployed in the network to shape and prioritize Critical Business Application Traffic so that it is not impacted should a new network worm try to impact the network.

Deployed in the network to monitor all applications and network traffic to facilitate network and application planning initiatives.

Combine any or all of the above.

Page 10:

Why is P2P Traffic Special?

Unattended Applications: Applications run at all times, so there is no standard peak time

Packet Sizes: Moving towards equilibrium on upload and download traffic

Symmetry: Networks designed around asymmetry, but this traffic is symmetrical

Geographically Agnostic: Applications concerned about content and not location of content, resulting in increased transit costs

Page 11:

Impediments to Controlling P2P

Application Protocol Development: Utilizes non-standard, non-registered, proprietary application protocols

Masquerading: Hiding within well known application ports such as port 80 HTTP to avert detection

Multiple Connections: Advanced connection and splicing techniques potentially consuming hundreds of TCP and UDP ports to obtain a single file

Port Hopping: Fixed vs Random vs Dynamic Ports; extending non-registered ports to include random TCP or UDP ports not only at application startup but potentially for each directory lookup or data transfer thereafter

Page 12:

Peer to Peer: Legal Issues?

Not attempting to interpret any of the on-going or forthcoming legal issues …

Number of court cases active – discussing the legality of P2P Networks

RIAA – Recording Industry Association of America initiates the majority of them

Regardless of liability, simply the threat of legal action can have a negative impact on the Corporation

http://www.riaa.com/news/newsletter/021303.asp

Page 13:

Future of Traffic Control

Need for Traffic Control will continue to rise across many application segments

Not only need to detect applications but specific attributes within an application (i.e. a specific Oracle DB)

Weight is shifting to pure Layer 7 inspection, which is very taxing and processor intensive

Packet inspection devices and PCs will not be able to compete with the shift to L7, even at low bandwidth speeds. This functionality is processor intensive, not network I/O intensive

Page 14:

Does P2P Have a Future?

Myth: P2P Has So Many Legal Issues That It Will Become Obsolete

P2P has faced numerous battles in the past and still continues

P2P Networks have created an enormous and efficient content distribution network

Imagine the power of delivering legal content over these vast networks without having to build the infrastructure (PeerEnabler sees the value in this)

At the end of the day, Content is King

2001: Remember Napster, shut down in 2001; well, life after Napster goes on

April 2003: Sharman (maker of FastTrack, i.e. KaZaA) ruled in a Los Angeles court not to be held accountable for copyright material traversing their network

May 2003: Kazaa officially the most downloaded internet application ever, surpassing ICQ

June 2003: RIAA (Recording Industry Association of America) takes the offensive

July 2003: Response to RIAA: CNN poll shows 70% not reluctant to continue file sharing

July 2003: Madster lost appeal and must remain shut down indefinitely

July 2003: New file sharing applications are promising ‘User Anonymity’

Today: Virtually all P2P applications are promising upgrades

Page 15:

ITM Components (diagram: three engines along the traffic flow)

Policy Engine: Responsible for device management and policy provisioning

Processing Engine (network device): Responsible for application inspection and policy enforcement

Reporting Engine: Responsible for data storage, graphing and reporting

Page 16:

Application Signatures

As packets flow through the switch, they are inspected for pre-defined application identifiers

These identifiers can be any attribute from a Layer 2 MAC all the way to a complex Layer 7 pattern deep within the packet

Multiple identifiers are combined to make a Unique Application Signature

For Example:

DSCP: 0x30
Protocol: TCP
TCP Source Port: 1024-1180
TCP: PSH, ACK
Data1: 66EF2D0A0A @ 0x60 to 0x64
Data2: 7753002E @ anywhere after 0x64

ALL of these attributes can be combined to create a Unique Application Signature
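The following is an added Python example, not Nortel or Alteon code, showing how the attribute list above becomes a matching rule, and how the flow-based model from the definitions slide (Application, Flow, Attributes, Classifying) and the "Flow Based vs Packet Based" point work together: the signalling packet carries the identifiers, and every later packet of the same bi-directional flow inherits the label. It also computes the byte-weighted classification rate that a later slide uses as the real measure of capability. Assumptions not on the page: the two data offsets are taken relative to the start of the TCP payload, "TCP: PSH, ACK" means both flags must be set, and the packets, addresses and the application name "example-app" are constructed sample data.

```python
# Added example (not Nortel/Alteon code): attribute-based signature matching
# and flow-based classification over constructed packets.  Assumed: the data
# offsets are relative to the start of the TCP payload, and "TCP: PSH, ACK"
# means both flags must be set.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                 # "TCP" or "UDP"
    src_port: int
    dst_port: int
    dscp: int                  # DiffServ code point from the IP header
    tcp_flags: FrozenSet[str]  # e.g. frozenset({"PSH", "ACK"})
    payload: bytes             # Layer 4 payload


@dataclass
class Signature:
    """One application signature: every attribute that is set must match."""
    name: str
    dscp: Optional[int] = None
    proto: Optional[str] = None
    src_port_range: Optional[Tuple[int, int]] = None
    tcp_flags: Optional[FrozenSet[str]] = None
    # (offset, bytes): the pattern must sit exactly at that payload offset
    fixed_patterns: List[Tuple[int, bytes]] = field(default_factory=list)
    # (min_offset, bytes): the pattern may sit anywhere at or after min_offset
    floating_patterns: List[Tuple[int, bytes]] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        if self.dscp is not None and pkt.dscp != self.dscp:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src_port_range is not None:
            lo, hi = self.src_port_range
            if not lo <= pkt.src_port <= hi:
                return False
        if self.tcp_flags is not None and not self.tcp_flags <= pkt.tcp_flags:
            return False
        for off, pat in self.fixed_patterns:
            if pkt.payload[off:off + len(pat)] != pat:
                return False
        for min_off, pat in self.floating_patterns:
            if pkt.payload.find(pat, min_off) < 0:
                return False
        return True


# The example signature from the slide, transcribed attribute by attribute.
SLIDE_SIGNATURE = Signature(
    name="example-app", dscp=0x30, proto="TCP", src_port_range=(1024, 1180),
    tcp_flags=frozenset({"PSH", "ACK"}),
    fixed_patterns=[(0x60, bytes.fromhex("66EF2D0A0A"))],   # Data1 @ 0x60..0x64
    floating_patterns=[(0x65, bytes.fromhex("7753002E"))],  # Data2 after 0x64
)


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent key so both halves of a flow share one entry."""
    ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return (pkt.proto, ends[0], ends[1])


class FlowClassifier:
    """Classify flows, not packets: once the signalling packet of a flow
    matches a signature, every later packet of that flow inherits the label."""

    def __init__(self, signatures: List[Signature]):
        self.signatures = list(signatures)
        self.flows: Dict[tuple, str] = {}
        self.bytes_by_app: Dict[str, int] = {}

    def classify(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        label = self.flows.get(key)
        if label is None:
            label = next((s.name for s in self.signatures if s.matches(pkt)), None)
            if label is not None:
                self.flows[key] = label
        app = label or "unclassified"
        self.bytes_by_app[app] = self.bytes_by_app.get(app, 0) + len(pkt.payload)
        return app

    def classification_rate(self) -> float:
        """Share of observed bytes attributed to a known application."""
        total = sum(self.bytes_by_app.values())
        return 0.0 if total == 0 else 1 - self.bytes_by_app.get("unclassified", 0) / total


# Constructed sample traffic (not a capture): packet 1 is the signalling packet
# carrying the identifiers, packet 2 is bulk data in the reverse direction of
# the same flow with none of them, packet 3 is an unrelated flow.
_SIGNAL = (b"\x00" * 0x60 + bytes.fromhex("66EF2D0A0A") + b"\x01\x02"
           + bytes.fromhex("7753002E") + b"\x00" * 8)
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", "TCP", 1100, 6346, 0x30, frozenset({"PSH", "ACK"}), _SIGNAL),
    Packet("192.0.2.10", "10.0.0.5", "TCP", 6346, 1100, 0x00, frozenset({"ACK"}), b"\xaa" * 1400),
    Packet("10.0.0.7", "203.0.113.1", "TCP", 40000, 443, 0x00, frozenset({"PSH", "ACK"}), b"\x16" * 500),
]


def run_demo() -> Tuple[List[str], float]:
    """Returns the per-packet labels and the resulting classification rate."""
    clf = FlowClassifier([SLIDE_SIGNATURE])
    labels = [clf.classify(p) for p in SAMPLE_PACKETS]
    return labels, clf.classification_rate()
```

Running `run_demo()` labels the first two packets "example-app" even though only the first carries any identifier, and leaves the third "unclassified", for a classification rate of 1515/2015 bytes. A packet-based matcher would have labelled only the 115-byte signalling packet and missed the 1400 bytes of bulk data, which is exactly the reliability gap the slide is pointing at.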

Page 17:

Application Signature Sources

Nortel Networks

Application Vendors

Open Source Projects

Virus Vendors

Customers

IDS Vendors

Page 18:

Number of Signatures

• Number of Applications Supported is NOT the measuring stick
– No value including hundreds of obsolete applications (actually more risky)
– No value including every iteration of every application simply to meet a number
– Multiple applications can use the same protocol, so the actual number can be very deceiving

• Classification Rate Measures True Capabilities
– Health Care Customer achieving 92% classification rate with ITM
– Large Cable Provider achieving 90% classification rate with ITM

Page 19:

April 1st Application List - Summary

NACHIA Worm; P2P Network FileTopia over SSL; SQL Slammer over Microsoft SQL Monitor UDP; Blat DoS Attack; Cisco Enhanced Interior Gateway Protocol EIGP; Cisco Interior Gateway Protocol IGP; Encapsulated Security Protocol ESP; General Routing Encapsulation GRE; Internet Control Message Protocol ICMP; Internet Group Management Protocol IGMP; Open Shortest Path First OSPF; Resource Reservation Protocol RSVP; Virtual Router Redundancy Protocol VRRP; AOL Instant Messenger AIM TCP; BattleNet Network Gaming; Domain Name Service DNS UDP; Dynamic Host Configuration DHCP UDP; File Transfer Protocol FTP TCP; File Transfer Protocol FTP UDP; Fraggle DoS Attack; HalfLife Network Gaming UDP; HyperText Transfer Protocol HTTP TCP; Internet Message Access Protocol IMAP TCP; Internet Relay Chat IRC TCP; Kerberos TCP; Kerberos UDP; Key Exchange Security Protocol ISAK UDP; Land DoS Attack; Lightweight Directory LDAP TCP; Lightweight Directory LDAP UDP; Microsoft Media TCP; Microsoft Media UDP; Microsoft Messenger Chat MSN TCP; Microsoft Messenger Voice_Data MSN TCP; Microsoft SMB TCP; Microsoft SQL Monitor UDP; MS Terminal Services RDP TCP; Multicast Domain Name Service MDNS UDP; NetBIOS TCP; NetBIOS UDP; Network News Protocol NNTP TCP; Network Time Protocol NTP UDP; Nullscan DoS Attack

P2P Network EDonkey TCP; P2P Network EDonkey UDP; P2P Network FastTrack-KaZaA TCP; P2P Network Gnutella TCP; P2P Network MP2P UDP; P2P Network WinMX TCP; P2P Network WinMX UDP; Port to Port Tunneling Protocol PPTP; PortZero DoS Attack; Post Office Protocol POP3 TCP; Proxy Services TCP; Real Time Streaming Protocol RTSP TCP; ScanSynFin DoS Attack; Secure Shell SSH TCP; Secure Socket Layer SSL TCP; Simple Mail Transport SMTP TCP; Simple Network Management SNMP UDP; Smurf DoS Attack; Squid Proxy TCP; Telnet TCP; Timbuktu TCP; Trivial File Transfer TFTP UDP; Voice Chat TCP; Voice Chat UDP; X11 X-Protocol TCP; XMasScan DoS Attack; Yahoo Instant Messenger YIM TCP; Blaster Worm; Code Red Worm; HyperText Transfer Protocol HTTP; Microsoft Messenger Data MSN; Microsoft Messenger Voice MSN; MS RPC-DCE; NIMDA Worm; P2P Network Ares; P2P Network BitTorrent; P2P Network Direct Connect; P2P Network EDonkey; P2P Network FastTrack-KaZaA; P2P Network FileTopia; P2P Network Gnutella; P2P Network MP2P; P2P Network Peer Enabler; P2P Network Peer Enabler

• This summarized list does not include the breakdown of each application (i.e. control, query, upload, download, etc., which is present for each application as appropriate)

• Nortel will work directly with you to create any application signature required for your specific environment

Page 20:

Configuration

Ease-of-Use

Easy-to-use 3 Step Process for Configuration and Sustaining

Single view shows current Policy Deployment

Page 21:

Step 1: Pick your Ports

Ability to distinguish between Inbound and Outbound traffic

• in many cases the policies will be different depending on direction

Supports individual ports or trunk groups

One-touch button to deny the most common DoS Attacks

Provides enhanced switch validation checks for data collection

Page 22:

Step 2: Select Applications

Nortel supplies (and updates) pre-canned signatures (OEM) for the most common applications and attacks

Allows user customization while permitting OEM rules

Permits re-prioritization of rules (precedence support)

Updated signatures available for download via www.nortelnetworks.com

Page 23:

Step 3: Define and Assign Policy

Single page view for currently deployed policies

Policy application granularity: Inbound vs Outbound

Embedded policy actions include:
• Monitor
• Rate Limit
• Deny
• Traffic Shape

Additional custom configured action policies include:
• Remark
• TCP Connection Rate Limiting
• UDP Rate Limiting
• ICMP Rate Limiting
• Redirect
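The three configuration steps above map onto a small policy engine; the following is an added Python example, not Nortel or Alteon code, of what the switch has to do once those steps are filled in. A policy names a port and direction (Step 1), an application label as produced by classification (Step 2), and an action (Step 3). "Deny" drops, "Monitor" forwards and only counts, and "Rate Limit" is implemented here as a token-bucket policer that discards excess traffic, which also yields the per-application discard counters the reporting slide later graphs. Assumptions not on the page: policies are evaluated in list order with first match winning (standing in for the precedence support mentioned on Step 2), traffic with no matching policy is forwarded, and the port name, rates and sample flows are constructed; the application names are taken from the page's application list.

```python
# Added example (not Nortel/Alteon code): a policy engine in the shape of the
# three configuration steps.  Assumed: first matching policy wins, unmatched
# traffic is forwarded, and "rate_limit" polices (drops excess) rather than
# shaping (queueing).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class TokenBucket:
    """Policer: tokens are bytes, refilled at rate_bps up to burst_bytes."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps / 8.0       # bytes per second
        self.capacity = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0                  # time of the last refill

    def allow(self, nbytes: int, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


@dataclass
class Policy:
    port: str             # switch port or trunk group (Step 1)
    direction: str        # "inbound" or "outbound" (Step 1)
    application: str      # label from classification (Step 2)
    action: str           # "monitor", "rate_limit" or "deny" (Step 3)
    rate_bps: int = 0     # rate_limit only
    burst_bytes: int = 0  # rate_limit only


class PolicyEngine:
    def __init__(self, policies: List[Policy]):
        self.policies = policies
        self.buckets: Dict[int, TokenBucket] = {
            i: TokenBucket(p.rate_bps, p.burst_bytes)
            for i, p in enumerate(policies) if p.action == "rate_limit"}
        # per (application, direction): forwarded and discarded bytes
        self.counters: Dict[Tuple[str, str], Dict[str, int]] = {}

    def _lookup(self, port: str, direction: str, app: str) -> Optional[int]:
        """First matching policy wins (list order = precedence)."""
        for i, p in enumerate(self.policies):
            if p.port == port and p.direction == direction and p.application == app:
                return i
        return None

    def enforce(self, port: str, direction: str, app: str, nbytes: int, now: float) -> str:
        idx = self._lookup(port, direction, app)
        if idx is None:
            verdict = "forward"                  # no policy: default permit (assumed)
        elif self.policies[idx].action == "deny":
            verdict = "drop"
        elif self.policies[idx].action == "rate_limit":
            verdict = "forward" if self.buckets[idx].allow(nbytes, now) else "drop"
        else:                                    # monitor: count, never interfere
            verdict = "forward"
        c = self.counters.setdefault((app, direction), {"forwarded": 0, "discarded": 0})
        c["forwarded" if verdict == "forward" else "discarded"] += nbytes
        return verdict


# Constructed policy set: deny inbound KaZaA, police outbound BitTorrent to
# 8 kbit/s with a 2000-byte burst, and just monitor inbound HTTP.
POLICIES = [
    Policy("1", "inbound", "P2P Network FastTrack-KaZaA TCP", "deny"),
    Policy("1", "outbound", "P2P Network BitTorrent", "rate_limit", rate_bps=8_000, burst_bytes=2000),
    Policy("1", "inbound", "HyperText Transfer Protocol HTTP TCP", "monitor"),
]

# Constructed sample flows: (port, direction, application, bytes, timestamp s)
SAMPLE_TRAFFIC = [
    ("1", "inbound", "P2P Network FastTrack-KaZaA TCP", 1200, 0.0),
    ("1", "outbound", "P2P Network BitTorrent", 1500, 0.0),   # burst covers it
    ("1", "outbound", "P2P Network BitTorrent", 1500, 0.0),   # only 500 tokens left
    ("1", "outbound", "P2P Network BitTorrent", 1500, 1.0),   # refilled to 1500
    ("1", "outbound", "P2P Network BitTorrent", 1500, 1.0),   # bucket empty again
    ("1", "inbound", "HyperText Transfer Protocol HTTP TCP", 800, 1.5),
    ("1", "inbound", "Secure Shell SSH TCP", 300, 2.0),       # no policy
]


def run_demo() -> Tuple[List[str], Dict[Tuple[str, str], Dict[str, int]]]:
    """Returns the verdict for each sample packet and the byte counters."""
    engine = PolicyEngine(POLICIES)
    verdicts = [engine.enforce(*pkt) for pkt in SAMPLE_TRAFFIC]
    return verdicts, engine.counters
```

The counters are what a reporting back-end would ingest: for outbound BitTorrent the engine records 3000 bytes forwarded and 3000 discarded, so a report "by application discards" shows the policer working rather than silently eating traffic. Swapping the policer for a queue would turn the same policy into the Traffic Shape action.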

Page 24:

FREE Reporting System

Robust Reporting Capabilities

Report on application usage over time in Rate (Mbps, Kbps, KBps)

Report on individual and/or groups and/or aggregates of applications

Report on individual and/or groups and/or aggregates of application discards

Complete control over Reporting Period Time (down to the minute) and Time Zones

Multiple options for the y-axis:
• Mbps, Kbps, KBps
• % Inbound, % Outbound, % All
• % Application and Discards

Export formats to ASCII Table or CSV

Pre-canned Reports for Top 5 and Typical Hour, Day, Week

Linux/MySQL based back-end to store all the data

Web based front-end to generate usage reports

Fully automated database data injection

Open Sourced

Page 25:

Multiple Platforms

A World of Choice

Alteon 2208 (2xGE + 8xFE)

Alteon 2216 (2xGE + 16xFE)

Alteon 2424 (4xGE + 24xFE)

Alteon 2424SSL (4xGE + 24xFE+SSL)

Alteon 3408 (4xGE + 4xCopper Gig + 4xGE or Copper)

Page 26:

Alteon ITM is NOT a One-Trick Pony!

Integrated DoS Attack Prevention

UDP Blast Prevention

Management Shield

IP Access Control Lists

Traffic Shaping

Traffic Policing

SYN Attack Detection / Prevention

DSCP Support Active | Passive

Protocol Connection / Rate Limiting

Session Capping and Aging

IDS Load Balancing

Egress Bandwidth Management

Server Load Balancing

Advanced Filtering

Content Intelligence

Network Device Load Balancing

Application Redirection

Persistence Support

Embedded Security Svcs

Traffic Management

Network Services

Page 27:

ITM Parts List (symbol denotes customer provided equipment)

All Application Switch Models Support Intelligent Traffic Management

Both licenses are required. With 22.0 both licenses will be available at a discount in the ITM bundle

Don’t forget the SFP GBIC’s for optical connectivity

Recommend running Management and Reporting on the same Linux Server

Customer must supply Linux server (and media) – Nortel does not distribute RedHat

Previous versions will NOT support ITM

Page 28:

Nortel Promotion thru 6-30-2004: Replace Your P2P with Alteon

Extended Promotion for Education:

First 3 Customers purchasing a NEW Application Switch receive Licenses for FREE! (expires June 30)

First 3 Customers purchasing Licenses to UPGRADE an existing Application Switch receive Licenses for 33% of the List Price! (expires June 30)