Digging Deeper Into DPI
Network Visibility & Service Management
Jay Klein, May 2007
Slide 2 (14 May 2015): Outline
- Origins of the Problem
- Complexity
- DPI for Security vs. DPI for Application Control
- DPI - a glance through the basics
Slide 3: Market Trends and Drivers: Bandwidth
- Broadband is becoming ubiquitous
- High penetration rates (over 50% in Korea, Taiwan, Holland and Canada)
- Over 50% of on-line households are broadband
- Telcos are upgrading infrastructure: ADSL2+ (20-25 Mbps), VDSL2 (20-30 Mbps), FTTx
- Bandwidth per user is ramping up: expected to reach 20 Mbps by 2010 (source: IDC, 2006)
More Bandwidth -> More Applications
Slide 4: Market Trends and Drivers: Applications (P2P)
- P2P continues to be highly popular: on average 40-60% of overall bandwidth
- More applications use encryption: BitTorrent, eMule, Ares
- Content providers seem to adopt P2P: Warner Bros to sell films via BitTorrent
- Scalability
More Bandwidth -> More Applications (application categories on the slide: P2P, VoIP, Entertainment, Online Gaming)
Slide 5: Market Trends and Drivers: Applications (VoIP)
- Numerous Internet VoIP providers: Skype, Vonage, GoogleTalk, Yahoo!Voice, Net2Phone
- VoBB subscribers increased rapidly in 2005/6
- More SPs offer Voice & Data services bundled together
Slide 6: Market Trends and Drivers: Applications (Entertainment)
- Usage of streaming applications is increasing dramatically: YouTube – 100M videos/day
- Numerous new Web-TV services launched: BBC, In2TV etc.
- Skype to launch the Venice Project – a Web TV service
- Telcos launching IPTV services: Pay-TV and VOD
- More than just a service differentiator
Slide 7: Market Trends and Drivers: Applications (Online Gaming)
- Consoles & PCs offer an "over the network" gaming experience
- Stringent bandwidth & latency requirements
Slide 8: The Complexity
- Numerous applications - many protocols
- Same application – different implementations: BitTorrent has more than 30 different client implementations; IM or VoIP may deliver the same experience but do not use similar protocols
- Evolving architectures: Skype evolved from Kazaa, maintaining more or less the same network topology; Joost (Venice Project) has just done the same
Slide 9: The Complexity
- Mixture of technologies, diverse deployment scenarios
- Various clients: PC, smartphone, gaming console
- Client's network surroundings: firewall/NAT, proxy
- Deployment: monitor-only or traffic shaping; symmetric vs. asymmetric (the DPI element may see only one direction of a flow)
- Frequent updates: can vary from twice a year to every month; vendors can easily enforce an upgrade policy, so changes propagate quickly; updates typically affect the protocol format
Slide 10: The Complexity
- Use of encryption (obfuscation): primarily designed to counter operators' throttling and monitoring efforts (eMule, BitTorrent); in some cases to protect a proprietary implementation (Skype)
- Cannot generalize - need to differentiate by use: "good" P2P (legitimate streaming, SW updates) vs. "bad" P2P (pirated file sharing)
- Need to recognize application subtleties for proper actions. Example: MSN IM – block VoIP & streaming, allow chat
Slide 11: DPI – Application Space vs. Security Space
- Comparable in the sense of "Deep", "Packet" & "Inspection"
- Different core competence: similar tools, yet different know-how
- Some "gray area" in the middle (e.g., basic DDoS)
- When DPI is aimed at applications: applications = services, typically "invited" by the operator, the end-user or both
- When DPI is aimed at security risks: risks = weaknesses in network & OS behavior; need to deal with hostile "applications" and "services"
Slide 12: DPI – Application Space vs. Security Space
- DPI for security inspects L3/4 and complements this with L7 information if required
- DPI for security often samples the data stream, indicates a trend and recommends an action
- DPI aimed at applications starts at L7 and tracks and learns the specific service
- DPI for applications must examine each connection and accurately identify and classify it before any action beyond monitoring
Slide 13: Packet Inspection
- Analyze encapsulated content in the packet's header and payload
- Content may be spread over many packets
- Different research and analysis tools are combined
- The end result – a library of "signatures": for each protocol/application a "unique" fingerprint set is found
- Signatures may change over time
Slide 14: False Positives
- The likelihood that connections of one application are caught by the signatures of other applications
- Some traffic is misidentified / misclassified because the signatures are too weak
- Reason: different protocols exhibit similar behavior or data patterns
- Strengthen the signature by combining several techniques, leading to a complex and robust signature
- Target 0% FP for controlling purposes (a misclassified flow gets blocked or shaped, not merely miscounted)
Slide 15: False Negatives
- The likelihood that application connections are not caught by their designated signatures
- End result – some portion of the suspected application traffic is not detected
- Why? Signatures do not cover all protocol occurrences. Examples: IM = chat, streaming, gaming, VoIP…; environment – proxy, NAT
Slide 16: Shallow (Standard) Packet Inspection
- Header info reveals communication intent
Slide 17: Deep Packet Inspection
- Information regarding connection state
- Signature found over several packets
Slide 18: Analysis by Port
- Reasoning: many applications and protocols use a default port. Example: email – incoming POP3: 110 (995 if using SSL), outgoing SMTP: 25
- The good - it's easy. The bad - it's too easy: many applications disguise themselves (e.g., port 80); port hopping over a large range; overlapping apps
Slide 19: Analysis by String Match
- Reasoning: many applications have purely textual identifiers
- Easy to search for; very easy if in a specific location within a packet
- Uniqueness is not always guaranteed
Slide 20: String Match Example
Slide 21: Analysis by Numerical Properties
- A property is not only content: packet size; payload/message length; position within the packet
- In some cases sparse and spread over several packets
Slide 22: Example: Sparse Match – Identifying the "John Doe" Protocol
Connection #1: 358A277F
Connection #2: 15829871
Connection #3: A580727F
Connection #4: 95888A7F
The sparse signature is the set of positions that agree across all four connections: the 2nd, 3rd and 7th hex digits (5, 8 and 7); every other digit varies and is wildcarded.
Slide 23: Skype (Older Versions): Finding a TCP Connection
- Client/server TCP message sequence: an 18-byte message, an 11-byte message, a 23-byte message, then either an 18, 51 or 53 byte message
- UDP messages: N+8, then N+8+5 (labelled "Evolution" on the slide)
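The two non-textual signature kinds from slides 21 to 23, as an added example that is not part of the original deck. It derives the sparse signature from the four "John Doe" connection values quoted on slide 22 and matches the slide 23 length sequence (18, 11, 23, then 18/51/53) across packets, per connection. The four hex values and the message lengths are the slide's; the extra test payloads, the connection ids and the interleaved sample stream are constructed for this example.

```python
"""Added example (not from the deck): two signature kinds that work on
numbers and positions rather than text.

  1. Sparse match (slide 22): a signature of fixed hex digits at fixed
     offsets, derived from the four "John Doe Protocol" connections.
  2. Message-length sequence (slide 23, old Skype over TCP): a signature
     that spans several packets, matched per connection.

The four 4-byte values and the lengths 18/11/23 and 18/51/53 are taken
from the slides; everything else (extra payloads, connection ids, the
sample stream) is constructed for this example.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# ---- 1. sparse match -------------------------------------------------------

JOHN_DOE_SAMPLES: List[bytes] = [
    bytes.fromhex("358A277F"),  # connection #1 (slide 22)
    bytes.fromhex("15829871"),  # connection #2
    bytes.fromhex("A580727F"),  # connection #3
    bytes.fromhex("95888A7F"),  # connection #4
]

SparseSignature = List[Tuple[int, int]]   # per byte offset: (value, mask)


def derive_sparse_signature(samples: Sequence[bytes]) -> SparseSignature:
    """Keep a hex digit (nibble) only if it is identical in every sample and
    wildcard everything else.  Nibble granularity matches how the slide shows
    the data and avoids over-fitting single bits to just four samples."""
    n = min(len(s) for s in samples)
    sig: SparseSignature = []
    for i in range(n):
        mask = 0
        for nib in (0xF0, 0x0F):
            if all((s[i] & nib) == (samples[0][i] & nib) for s in samples):
                mask |= nib
        sig.append((samples[0][i] & mask, mask))
    return sig


def sparse_match(sig: SparseSignature, payload: bytes) -> bool:
    """True if every fixed nibble of the signature is present in payload."""
    if len(payload) < len(sig):
        return False
    return all((payload[i] & mask) == value for i, (value, mask) in enumerate(sig))


JOHN_DOE_SIG = derive_sparse_signature(JOHN_DOE_SAMPLES)
# -> [(0x05, 0x0F), (0x80, 0xF0), (0x00, 0x00), (0x70, 0xF0)]: digits 2, 3, 7 fixed

# ---- 2. message-length sequence -------------------------------------------

# Each step lists the acceptable TCP message lengths, in order (slide 23).
SKYPE_TCP_SEQUENCE: Tuple[Tuple[int, ...], ...] = ((18,), (11,), (23,), (18, 51, 53))


class LengthSequenceMatcher:
    """Tracks one multi-packet signature for many connections at once."""

    def __init__(self, sequence: Sequence[Tuple[int, ...]]) -> None:
        self.sequence = tuple(sequence)
        self.step: Dict[str, int] = {}       # conn id -> next expected step
        self.verdict: Dict[str, str] = {}    # conn id -> "match" / "reject"

    def feed(self, conn: str, msg_len: int) -> Optional[str]:
        """Feed one message length; return "match", "reject" or None if undecided."""
        if conn in self.verdict:
            return self.verdict[conn]
        if msg_len == 0:                     # bare ACKs carry no message
            return None
        step = self.step.get(conn, 0)
        if msg_len not in self.sequence[step]:
            self.verdict[conn] = "reject"
            return "reject"
        step += 1
        if step == len(self.sequence):
            self.verdict[conn] = "match"
            return "match"
        self.step[conn] = step
        return None


def classify_stream(messages: Sequence[Tuple[str, int]]) -> Dict[str, str]:
    """Run the Skype signature over an interleaved (conn id, length) stream."""
    matcher = LengthSequenceMatcher(SKYPE_TCP_SEQUENCE)
    result: Dict[str, str] = {}
    for conn, length in messages:
        verdict = matcher.feed(conn, length)
        if verdict is not None:
            result[conn] = verdict
    for conn, _ in messages:                 # never completed the sequence
        result.setdefault(conn, "undecided")
    return result


# Constructed, interleaved stream: A follows the sequence (with one empty
# ACK in between), B deviates on its third message, C stalls after two.
SAMPLE_STREAM = [("A", 18), ("B", 18), ("A", 0), ("A", 11), ("B", 11), ("C", 18),
                 ("A", 23), ("B", 24), ("C", 11), ("A", 51)]

if __name__ == "__main__":
    print(JOHN_DOE_SIG)
    print(classify_stream(SAMPLE_STREAM))   # {'A': 'match', 'B': 'reject', 'C': 'undecided'}
```

The sparse signature is a (value, mask) pair per byte, so a payload such as A58C1971 matches even though it never appeared in the samples, while 12345678 does not. The length matcher keeps per-connection state, which is the "information regarding connection state" of slide 17; a rejected connection stays rejected, and a connection that never reaches the last step is reported as undecided rather than as a match.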
Slide 24: Behavior and Heuristic Analysis
- Behavior = the way in which something functions or operates
- Heuristic = problem-solving by experimental and especially trial-and-error methods
- OK, but what does this mean? Examples: statistics – on average the payload size is between X and Y; actions – login over a TCP connection followed by a UDP connection on the subsequent port number
- Extremely effective analysis when the application uses encryption, because it needs no readable payload
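The two heuristic rules the slide lists, run over flow records rather than payload bytes, as an added example that is not from the deck. The slide gives only the shape of the rules ("between X and Y", "subsequent port number"); the byte range LO/HI, the WINDOW between the TCP login and the UDP follow-up, the reading of "subsequent port" as destination port + 1, and the flow records are all assumptions constructed for this example.

```python
"""Added example (not from the deck): two behavioural heuristics of the kind
slide 24 lists, evaluated on per-flow metadata only, so they keep working
when the payload is encrypted.

  Statistics: the mean payload size of a flow lies in [LO, HI].
  Actions:    a TCP connection from a host is followed, within WINDOW
              seconds, by a UDP flow from the same host to the same
              server on the next port number.

LO, HI, WINDOW, the port+1 reading and the flow records are assumptions
made for this example; the slide provides no numbers.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple

LO, HI = 40, 120        # assumed byte range for the "statistics" rule
WINDOW = 5.0            # assumed seconds between TCP login and UDP follow-up


@dataclass(frozen=True)
class Flow:
    start: float                     # seconds
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload_sizes: Tuple[int, ...]   # per-packet payload bytes, ACKs excluded


def payload_size_in_range(flow: Flow, lo: int = LO, hi: int = HI) -> bool:
    """Statistics rule; a flow without payload never matches."""
    if not flow.payload_sizes:
        return False
    return lo <= mean(flow.payload_sizes) <= hi


def tcp_then_udp_next_port(flows: List[Flow], window: float = WINDOW) -> List[Tuple[Flow, Flow]]:
    """Actions rule: pair each TCP flow with a later UDP flow from the same
    src host to the same dst host on dport + 1 that starts within `window`."""
    pairs: List[Tuple[Flow, Flow]] = []
    udp = [f for f in flows if f.proto == "udp"]
    for t in flows:
        if t.proto != "tcp":
            continue
        for u in udp:
            if (u.src, u.dst) == (t.src, t.dst) and u.dport == t.dport + 1 \
                    and 0 <= u.start - t.start <= window:
                pairs.append((t, u))
    return pairs


def score_hosts(flows: List[Flow]) -> Dict[str, List[str]]:
    """Per source host, which heuristics fired.  Both firing is the strong
    signal; either alone is only a hint (see the false-positive slide)."""
    hits: Dict[str, List[str]] = {}
    for f in flows:
        if payload_size_in_range(f):
            reasons = hits.setdefault(f.src, [])
            if "payload-size" not in reasons:
                reasons.append("payload-size")
    for t, _ in tcp_then_udp_next_port(flows):
        reasons = hits.setdefault(t.src, [])
        if "tcp-then-udp" not in reasons:
            reasons.append("tcp-then-udp")
    return hits


def suspected_hosts(flows: List[Flow]) -> List[str]:
    """Hosts on which both heuristics fired."""
    return sorted(h for h, r in score_hosts(flows).items() if len(r) == 2)


# Constructed flows: 10.0.0.1 shows the full pattern; 10.0.0.2 only talks
# HTTP with large payloads; 10.0.0.3 has the port pattern but its UDP
# follow-up arrives far outside the window.
SAMPLE_FLOWS = [
    Flow(0.0, "tcp", "10.0.0.1", 51000, "198.51.100.7", 33033, (64, 72, 48, 90)),
    Flow(1.2, "udp", "10.0.0.1", 51001, "198.51.100.7", 33034, (80, 76, 88)),
    Flow(0.5, "tcp", "10.0.0.2", 52000, "203.0.113.9", 80, (512, 1460, 1460)),
    Flow(2.0, "tcp", "10.0.0.3", 53000, "198.51.100.7", 33033, (60, 66)),
    Flow(20.0, "udp", "10.0.0.3", 53001, "198.51.100.7", 33034, (70,)),
]

if __name__ == "__main__":
    print(score_hosts(SAMPLE_FLOWS))
    print(suspected_hosts(SAMPLE_FLOWS))   # ['10.0.0.1']
```

Note that 10.0.0.3 trips the payload-size rule on its own, which is exactly the weak-signature false positive slide 14 warns about; requiring both rules is what keeps it out of the suspect list.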
Slide 25: Example: HTTP vs. BitTorrent (Handshake)
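Analysis by port (slide 18), analysis by string match (slide 19) and the HTTP vs. BitTorrent handshake comparison (slide 25) in one classifier, as an added example that is not part of the original deck. The textual identifiers are the HTTP request line and the BitTorrent peer-wire handshake (a 19-byte protocol string preceded by its length, then 8 reserved bytes, a 20-byte info_hash and a 20-byte peer_id). The port table uses the POP3/SMTP ports quoted on slide 18; the BitTorrent port 6881, the sample flows and their ground-truth labels are constructed for this example.

```python
"""Added example (not from the deck): port-based vs. string-match
classification, with the HTTP request line and the BitTorrent peer-wire
handshake as the two textual identifiers.  Sample flows are constructed."""
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Default ports from slide 18 plus the usual BitTorrent listen port
# (6881 is an assumption made for this example).
DEFAULT_PORTS: Dict[int, str] = {25: "smtp", 80: "http", 110: "pop3",
                                 995: "pop3s", 6881: "bittorrent"}

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")
BT_PSTR = b"BitTorrent protocol"
BT_HANDSHAKE_LEN = 1 + len(BT_PSTR) + 8 + 20 + 20   # 68 bytes


def classify_by_port(dport: int, payload: bytes = b"") -> str:
    """Shallow inspection: trust the destination port, ignore the payload."""
    return DEFAULT_PORTS.get(dport, "unknown")


def parse_bt_handshake(payload: bytes) -> Optional[Dict[str, bytes]]:
    """Return the handshake fields if payload starts with a BitTorrent
    handshake, else None.  Layout: pstrlen(1) pstr(19) reserved(8)
    info_hash(20) peer_id(20)."""
    if len(payload) < BT_HANDSHAKE_LEN or payload[0] != len(BT_PSTR):
        return None
    if payload[1:20] != BT_PSTR:
        return None
    return {"reserved": payload[20:28], "info_hash": payload[28:48],
            "peer_id": payload[48:68]}


def looks_like_http_request(payload: bytes) -> bool:
    """Request line: METHOD SP target SP HTTP/1.x CRLF."""
    line, sep, _ = payload.partition(b"\r\n")
    if not sep:
        return False
    parts = line.split(b" ")
    return len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/1.")


def classify_by_string(dport: int, payload: bytes) -> str:
    """String match: decide from the first payload bytes only."""
    if parse_bt_handshake(payload) is not None:
        return "bittorrent"
    if looks_like_http_request(payload):
        return "http"
    return "unknown"


def classify_combined(dport: int, payload: bytes) -> str:
    """Payload verdict wins; fall back to the port only when undecided."""
    verdict = classify_by_string(dport, payload)
    return verdict if verdict != "unknown" else classify_by_port(dport)


def make_bt_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    assert len(info_hash) == 20 and len(peer_id) == 20
    return bytes([len(BT_PSTR)]) + BT_PSTR + bytes(8) + info_hash + peer_id


# Constructed samples: (dst port, first payload bytes, ground truth).
SAMPLES = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n", "http"),
    (8080, b"POST /api HTTP/1.0\r\nContent-Length: 0\r\n\r\n", "http"),
    (6881, make_bt_handshake(hashlib.sha1(b"torrent A").digest(), b"-XX0001-" + b"a" * 12), "bittorrent"),
    # the "disguise" case from slide 18: BitTorrent talking to port 80
    (80, make_bt_handshake(hashlib.sha1(b"torrent B").digest(), b"-XX0001-" + b"b" * 12), "bittorrent"),
    # truncated first segments: the string matcher cannot decide yet
    (80, b"GET", "http"),
    (80, b"\x13BitT", "bittorrent"),
]


def score(method: Callable[[int, bytes], str]) -> Tuple[int, int, int]:
    """Return (correct, misclassified, undecided) for a classifier over SAMPLES."""
    correct = wrong = undecided = 0
    for dport, payload, truth in SAMPLES:
        got = method(dport, payload)
        if got == "unknown":
            undecided += 1
        elif got == truth:
            correct += 1
        else:
            wrong += 1
    return correct, wrong, undecided


if __name__ == "__main__":
    for name, m in (("port", classify_by_port), ("string", classify_by_string),
                    ("combined", classify_combined)):
        print(name, score(m))   # port (3, 2, 1); string (4, 0, 2); combined (5, 1, 0)
```

The port classifier is the slide's "too easy" case: it is wrong twice, both times because BitTorrent used port 80. The string matcher never misclassifies but leaves two flows undecided because the identifier has not fully arrived in the first segment, which is why a DPI engine must hold per-connection state and keep looking over several packets (slide 17) before acting. Falling back to the port when the payload is undecided, as classify_combined does, recovers the truncated HTTP case but turns the truncated BitTorrent-on-80 case into a false positive, the failure mode slide 14 says must be driven to zero before the verdict is used for blocking or shaping.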
Slide 26: DPI in Real Life
- Network Visibility – the key to understanding how bandwidth is utilized: which application? which user? when? where?
- Traffic Management (Application Control): block; shape (limit, QoS, QoE)
- Service Management (Subscriber Control): associate a connection (IP X.Y.Z.W) with a user and that user's service-use policy
Slide 27: Example - What's Happening On the Network? (screenshot captions)
- The graph shows that eDonkey is congesting traffic; drill down to find out who is using this application; heavy bandwidth user identified precisely
- P2P virtual channel congested; drill down to find out what is creating the excessive traffic
Slide 28: Thank You