NETFLOW & NETWORK-BASED APPLICATION RECOGNITION

NETFLOW & NETWORK-BASED APPLICATION RECOGNITION ITD PRODUCT MANAGEMENT NOVEMBER 2003

Overview of NetFlow and Network-Based Application Recognition

NetFlow
· Pioneering IP accounting technology
· Invented and patented by Cisco
· IETF export standard

Network-Based Application Recognition (NBAR)
· Intelligent application recognition
· Analyzes and identifies application traffic in real time

Notes:
NBAR identifies applications/protocols from layer 4 to layer 7. The applications that NBAR can classify include applications that use the following:
· Statically assigned TCP and UDP port numbers
· Non-UDP and non-TCP IP protocols
· Dynamically assigned TCP and UDP port numbers during connection establishment. Classification of such applications/protocols requires stateful inspection, that is, the ability to discover the data connections to be classified by parsing the control connections over which the data connection port assignments are made.
· Sub-port classification, or classification based on deep inspection, that is, classification by looking deeper into the packet. Examples are classification based on HTTP URLs, MIME types or host names, and RTP Payload Type classification, where NBAR looks for the RTP Payload Type field within the RTP header, among other criteria, to identify voice and video bearer traffic.

NBAR can classify Citrix Independent Computing Architecture (ICA) traffic and perform subport classification of Citrix traffic based on Citrix published applications. NBAR can monitor Citrix ICA client requests for a published application destined to a Citrix ICA Master browser. After the client requests the published application, the Citrix ICA Master browser directs the client to the server with the most available memory. The Citrix ICA client then connects to this Citrix ICA server for the application.

NBAR ensures that network bandwidth is used efficiently by working with QoS features to provide:
· Guaranteed bandwidth
· Bandwidth limits
· Traffic shaping
· Packet coloring

NBAR introduces several new classification features:
· Classification of applications which dynamically assign TCP/UDP port numbers
· Classification of HTTP traffic by URL, host, or MIME type
· Classification of Citrix ICA traffic by application name
· Classification of application traffic using subport information

NBAR can also classify static port protocols. Although access control lists (ACLs) can also be used for this purpose, NBAR is easier to configure and can provide classification statistics that are not available when using ACLs. NBAR can classify application traffic by looking beyond the TCP/UDP port numbers of a packet. This is subport classification.

NetFlow and NBAR, November 2003 © 2003 Cisco Systems, Inc. All rights reserved. 2
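The port-only versus subport distinction the notes describe, as an added example that is not part of the presentation or Cisco's code: a Layer-4 port lookup beside an NBAR-style classifier that parses the HTTP head and matches URL, host and MIME type against rules modelled on "match protocol http url|host|mime". The port table, the rule patterns, the class names and the four packets are constructed for this example.

```python
"""Added illustration (not code from the presentation or Cisco): port-only
classification versus NBAR-style subport classification of HTTP by URL, host
and MIME type. Port table, match rules and packets are constructed samples."""
import fnmatch

# Static port-to-application lookup, as an ACL would use (assumed subset).
STATIC_PORTS = {80: "http", 443: "https", 53: "dns", 1494: "citrix-ica"}

# Subport rules in the spirit of "match protocol http url|host|mime <pattern>"
# (patterns and class names are assumptions for this example).
HTTP_RULES = [
    ("url", "*.exe", "http-exe-download"),
    ("host", "*.corp.example", "http-intranet"),
    ("mime", "video/*", "http-video"),
]

def classify_by_port(proto, dst_port, payload):
    """Layer-4 classification: only the destination port is consulted."""
    return STATIC_PORTS.get(dst_port, "unknown")

def parse_http(payload):
    """Parse an HTTP request or response head; return None if not HTTP."""
    try:
        lines = payload.split(b"\r\n\r\n", 1)[0].decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ", 2)
    if len(parts) < 3:
        return None
    is_resp = parts[0].startswith("HTTP/")          # status line has no URL
    if not is_resp and not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"url": "" if is_resp else parts[1], "host": headers.get("host", ""),
            "mime": headers.get("content-type", "")}

def classify_subport(proto, dst_port, payload):
    """NBAR-style classification: look into the payload, not only the port."""
    if proto != "tcp":
        return classify_by_port(proto, dst_port, payload)
    http = parse_http(payload)
    if http is None:
        # Not HTTP even if it rides on port 80: the port alone is not trusted.
        return "unknown" if dst_port == 80 else classify_by_port(proto, dst_port, payload)
    for field, pattern, name in HTTP_RULES:
        if fnmatch.fnmatch(http[field], pattern):
            return name
    return "http"

def classify_samples():
    """Return (port-only, subport) classes for four constructed packets."""
    samples = [
        ("tcp", 80, b"GET /setup.exe HTTP/1.1\r\nHost: dl.example.com\r\n\r\n"),
        ("tcp", 8080, b"GET /wiki HTTP/1.1\r\nHost: wiki.corp.example\r\n\r\n"),
        ("tcp", 80, b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\n\r\n\x00\x01"),
        ("tcp", 80, b"\x13\x00\x7f\x02binary-not-http"),
    ]
    return [(classify_by_port(*s), classify_subport(*s)) for s in samples]
```

The second and fourth samples are the interesting ones: HTTP on a non-standard port is invisible to the port lookup but classified by the payload parser, and a non-HTTP payload on port 80 is no longer reported as HTTP.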

NetFlow and NBAR Benefit Footprints

Columns (left to right): Enterprise Backbone | Enterprise Premise Edge | Service Provider Aggregation Edge | Service Provider Core

NetFlow: User (IP) monitoring, Application monitoring, Traffic analysis, Attack mitigation, Chargeback, Billing, AS peer monitoring, Traffic engineering, Network planning

NBAR: Application classification, Precise Quality of Service (QoS) treatment, Application statistics for bandwidth provisioning, Top-n views, Threshold settings, Mapping applications to an SP's service offering

Notes:
Complete Differentiated Services Solution
· Uniform provisioning of IP QoS on any media and all certified platforms (Modular QoS Command Line Interface)
· Advanced QoS: flexible guaranteed bandwidth solution (QoS Based Routing)
· QoS Intelligence and Automation: intelligent, automatic QoS (AutoQoS/NBAR) for rapid, low-cost deployment
· High-End QoS: highly scalable per-user and per-application QoS with uniform provisioning and feedback on network state

NetFlow and NBAR Benefit Footprints: platform support

Columns (left to right): Enterprise Backbone | Enterprise Premise Edge | Service Provider Aggregation Edge | Service Provider Core

NetFlow
· Cisco Catalyst 4500, 5000, 6500, 7600 Series (ASIC); Cisco Catalyst 5000, 6500 Series (HW acceleration); Cisco Catalyst 4500 Series (ASIC)
· Cisco 7100, 7200, 7300, 7500 Series
· Cisco AS5300, AS5400, AS5800 Series
· Cisco 830, 1400, 1700, 2600, 3600, and 3700 Series
· Cisco Catalyst 4500, 5000, 6500 Series; Cisco 7600 Series (ASIC)
· Cisco AS5300 and AS5800 Series
· Cisco MGX8000 Series
· Cisco 10000 and 12000 Series Internet Routers (ASIC)
· Cisco Catalyst 5000 and 6500 Series; Cisco 7600 Series (ASIC)
· Cisco 7500 Series

NBAR
· Cisco Catalyst 6500 and 7600 Series MSFC (ASIC planned)
· FlexWAN, MWAM
· Cisco 7100, 7200, and 7500 Series
· FlexWAN, MWAM (ASIC planned)

NetFlow and NBAR: Main Objectives and Benefits

NetFlow (main objective: main benefit)
· Flow Characterization: which users utilize the network, what types of traffic, when the network is utilized, where the traffic goes
· Network Usage: IP accounting and billing technology
· Capacity Planning, Traffic Engineering, Peering: traffic and routing information analysis
· Data Export: persistent network usage record

NBAR
· Identify and classify traffic based on payload attributes and protocol characteristics
· Optimize application performance via QoS
· Validation or reclassification of ToS marking based on packet inspection

NetFlow and NBAR: Additional Objectives and Benefits

NetFlow (main objective: side benefits)
· Flow Characterization: DDoS and worm detection
· Network Usage: capacity planning and traffic engineering
· Billing: permanent record of network activity
· Capacity, Traffic Engineering, Peering: Optimized Edge Routing (OER)
· Data Export: IETF IPFIX WG standard and the NetFlow v9 flexible, extensible format

NBAR
· Identify and classify traffic based on payload attributes and protocol characteristics: detection and dropping/limiting of undesired traffic (peer-to-peer file sharing, worms, …)
· Application statistics for bandwidth provisioning

Uniqueness and Strengths of NetFlow and NBAR

NBAR
· Deep and stateful packet inspection
· Protocol Discovery with application statistics
· Enables precise classification and QoS treatment
· Pre-defined protocol and application recognition
· User-defined custom application classification
· New application signatures without software upgrade
· Integration with IP services (QoS, NAT, Firewall, IDS)

NetFlow
· IPv6, MPLS, Multicast, BGP next-hop technology integration
· Billing, capacity planning, traffic engineering
· Internet access monitoring: peering and traffic
· IETF standard for data sampling and export
· Security: DDoS monitoring tool
· Flow timers, timing of network traffic types
· Who, what, where, when in the network
· Large NMS partner community and open-source tools

NetFlow and NBAR Differentiation

NetFlow and NBAR both leverage Layer 3 and 4 header information.

NetFlow
· Monitors data in Layers 2 through 4
· Determines applications by port
· Utilizes a 7-tuple for flow identification

NBAR
· Examines data from Layers 3 through 7
· Uses Layers 3 and 4 plus packet inspection for classification
· Stateful inspection of dynamic-port traffic

Tuple: a data object containing two or more components.

[Figure: packet layout. Link Layer Header (Interface); IP Header (ToS, Protocol, Source IP Address, Destination IP Address); TCP/UDP Header (Source Port, Destination Port); Data Packet (Deep Packet/Payload Inspection: NBAR). NetFlow keys on the header fields; NBAR additionally inspects the payload.]

NetFlow and NBAR Useful for Security

Flow information is useful against attacks.

NetFlow mitigates attacks
· Identify the attack: count the flows; inactive flows signal a worm attack
· Classify the attack: small-size flows to the same destination; what is being attacked and the origin of the attack
· NetFlow security partners: Arbor Networks, Mazu, Adlex
· Cisco IT prevented SQL Slammer at Cisco by watching flows per port

NBAR: signature-based detection
· Not historically a main focus for NBAR
· Real-time loadable PDLMs could provide a rapid-update mechanism for new signatures
· Not staffed to react against malicious applications
· NBAR can detect worms based on payload signatures: Nimda, Code Red, Slammer
· Cisco PSIRT provided customers with an NBAR solution to combat Code Red and Nimda
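The flow-based view the two preceding slides rely on, as an added example that is not part of the presentation or Cisco's code: packets are aggregated into NetFlow-style records keyed on the 7-tuple from the differentiation slide, and the "count the flows per port" heuristic from this slide then reports a source that opens many small flows to many destinations on one port, the pattern a single-datagram worm such as Slammer (UDP port 1434) produced. The packet records, thresholds and addresses are constructed for this example.

```python
"""Added illustration (not code from the presentation or Cisco): NetFlow-style
flow records keyed on the 7-tuple from the differentiation slide, then the
flow heuristic from the security slide: many small flows from one source to
many destinations on the same port. Packets and thresholds are constructed
assumptions, not measured values."""
from collections import defaultdict
from typing import NamedTuple

class FlowKey(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int       # IP protocol number: 6 = TCP, 17 = UDP
    tos: int
    in_ifindex: int  # ingress interface, the seventh key field

def build_flows(packets):
    """Aggregate packets into flows: packet and byte counters per 7-tuple."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = FlowKey(p["src"], p["dst"], p["sport"], p["dport"], p["proto"],
                      p.get("tos", 0), p.get("ifindex", 1))
        flows[key]["packets"] += 1
        flows[key]["bytes"] += p["len"]
    return dict(flows)

def small_flow_fanout(flows, max_packets=2, max_bytes=600, min_targets=10):
    """Group small flows by (src_ip, proto, dst_port) and report sources that
    reach at least min_targets distinct destinations that way: the per-port
    flow count that exposes scanning and single-packet worms. Thresholds are
    assumptions; tune them to the network being watched."""
    targets = defaultdict(set)
    for key, stats in flows.items():
        if stats["packets"] <= max_packets and stats["bytes"] <= max_bytes:
            targets[(key.src_ip, key.proto, key.dst_port)].add(key.dst_ip)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}

def sample_packets():
    """Constructed traffic: one ordinary HTTPS session of 20 packets, plus one
    host sending a single 404-byte UDP datagram to port 1434 (the port SQL
    Slammer used) on each of 30 different destinations."""
    pkts = [{"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 40000,
             "dport": 443, "proto": 6, "len": 1200} for _ in range(20)]
    pkts += [{"src": "10.0.0.77", "dst": f"198.51.100.{i}", "sport": 1034,
              "dport": 1434, "proto": 17, "len": 404} for i in range(1, 31)]
    return pkts

if __name__ == "__main__":
    suspects = small_flow_fanout(build_flows(sample_packets()))
    for (src, proto, port), n in suspects.items():
        print(f"{src} reached {n} hosts with small flows, proto {proto} port {port}")
```

The 20-packet HTTPS session collapses into a single flow and is never considered, while the 30 one-packet flows to port 1434 are what the per-port count surfaces.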

Summary of Benefits

NetFlow
· Internet access monitoring: protocol distribution; where traffic is going to / coming from
· User monitoring
· Application monitoring
· Accounting and billing
· DDoS monitoring
· Peering arrangements
· Network planning
· Traffic engineering

NBAR
· Deep and stateful packet inspection
· Protocol and application discovery: standard protocols; corporate applications (Citrix, ...); undesired traffic (peer-to-peer, worms, …)
· Real-time PDLM signature update
