Understanding how network traffic is distributed, finding ways to optimize network performance, using network management technology to improve network performance, and protecting the information security of network traffic: these are the main tasks of network traffic management.
■ Dr. Li Yang of China Mobile Research Institute
Over the last decade the Internet has developed rapidly. According to statistics, it has become the most important information infrastructure of human society, carrying 80% of human information exchange. Against this background, faced with increasingly complex network links and ever-growing traffic, system and network administrators must spend more time and effort understanding the operating status of network devices in order to keep an enterprise network running normally. In general, administrators need to know the bandwidth usage of each segment and where network bottlenecks occur, and when a problem occurs they must be able to analyze it quickly and determine its cause; these are the main tasks of network traffic management. So what should traffic management be based on, and by what means and strategies can traffic be effectively identified, analyzed and managed?
Network traffic management objectives
As network traffic keeps growing and network applications become more numerous and complex, it is clear that simply and endlessly increasing network bandwidth cannot solve the fundamental problems of network traffic. We need to manage network traffic in order to keep the network healthy and network applications serving normally.
In the process of network traffic management, the first task of network management is to define the problem. Network traffic management has four main goals: first, to understand how network traffic is being used; second, to find ways to optimize network performance; third, to use network management technology to improve network performance; and finally, to protect the information security of network traffic.
To achieve these four objectives, the network administrator first needs effective classification to see very clearly which traffic actually uses the bandwidth. Second, the administrator must find the network's performance bottlenecks. There are two very important network performance indicators: throughput, that is, the maximum amount of data the network can transmit, and delay. Third, sophisticated traffic monitoring and control software can be applied to improve network performance for the different network applications. Finally, the network can integrate intrusion detection systems (IDS), firewalls and Unified Threat Management (UTM) devices to protect the information security of network traffic.
In day-to-day traffic management, network managers need to take appropriate steps to achieve these four objectives effectively. The steps include capturing and classifying network traffic, monitoring it (statistics and analysis), and applying control strategies.
1. Capture and classification of network traffic: this is the first step in managing network traffic. Only by setting capture points and capturing and classifying the traffic can follow-up analysis and control take place. It must be emphasized that the classification of network traffic can be very coarse or very fine: classifying by TCP, UDP, ICMP and so on is coarse, while classifying and identifying HTTP, FTP, or even P2P traffic such as Kazaa and Skype, is relatively fine. In daily work, network administrators can use Wireshark, tcpdump and other well-known packet capture and analysis software for traffic capture and classification.
2. Network traffic monitoring (analysis): monitoring displays the operating conditions of the traffic, helps identify problems and supports the implementation of appropriate management strategies. The application and network management software collects and displays information including bandwidth utilization, active hosts, network efficiency and active applications. In practice, administrators commonly achieve this goal with management tools such as NTOP, which provide visual analysis.
3. Control strategy: after the traffic has been analyzed, the next step is to allocate bandwidth according to priority. Allocation can be based on host, application and so on; in particular, resource-hungry P2P applications and delay-sensitive audio and video need to be considered. In practice, popular traffic control tools can be applied to classify, monitor and control network traffic, so that originally disordered traffic becomes orderly and can be managed effectively.
The following sections describe how network traffic management is carried out in detail, covering the identification, analysis and control of network traffic.
Identification of network traffic
Traffic identification, also called service identification (application awareness), is the first step in managing network traffic. It performs deep packet inspection and analysis of the service flows from the data link layer up to the application layer; based on parameters such as protocol type, port number, characteristic strings and flow behavior characteristics, it classifies, counts and stores information about service type, service status, service content and user behavior. The basic purpose of service identification is to give network administrators access to service-layer traffic information above the network layer, such as service type, service conditions, service distribution and traffic direction.
Service identification is a relatively complex process that requires multiple functional modules to work together. Its workflow is briefly as follows:
1. The identification processing module uses multi-channel processing: it hashes the source/destination IP addresses and source/destination port numbers of the network traffic so that the traffic is spread evenly across multiple processing channels.
2. The channels perform deep packet inspection of the network traffic in parallel, extract the characteristic information of the traffic, and match it against the signature library and the service characteristics.
3. The match results are sent back to the identification processing module, which identifies the specific network traffic. If there are multiple matches, the higher-priority match is chosen. Once a flow has been identified, subsequent packets belonging to it are no longer deep-inspected; their network-layer and transport-layer information is simply compared with the known identification results, which increases efficiency.
4. The identification processing module stores the service identification results for the network traffic in the result storage module, providing the basis for statistical analysis.
5. The statistical analysis module reads the identification results from the result storage module and presents them as curves, pie charts, bar charts or text, or outputs them to a document.
6. The result storage module outputs the stored identification results to the network traffic management functions, providing the basis for implementing traffic management.
Two service identification technologies are currently in use: DPI technology and DFI technology.
DPI is short for Deep Packet Inspection. DPI is called "deep" inspection in contrast to traditional inspection. Traditional traffic inspection only looks at the basic information stored in the network-layer and transport-layer protocol headers of a packet, including source/destination IP address, source/destination transport-layer port number, protocol number and the underlying connection status. It is difficult to obtain enough information about applications from these parameters, especially now that P2P, VoIP and IPTV applications are widely deployed, so traditional traffic inspection can no longer meet the needs of network traffic management.
DPI extends traditional traffic inspection in "depth": while obtaining the basic packet information, it also scans a number of application-layer protocol headers and protocol payloads in the packet and stores the application-layer characteristic information, enabling fine-grained inspection, monitoring and analysis of network traffic.
DPI technology usually uses the following packet analysis methods:
● Transport-layer port analysis. Many applications use a default transport-layer port number; for example, HTTP uses port 80.
● Signature matching. Some applications carry a characteristic field at a specific position in the application-layer protocol header or payload; packets are inspected, monitored and analyzed by recognizing that characteristic field.
● Analysis of the communication interaction process. The interactive process of a transaction across multiple sessions is monitored and analyzed, including packet length and the number of packets sent, to achieve inspection, monitoring and analysis of the network service.
Classified in more detail, DPI can be divided into three types: signature recognition, application-layer gateway identification and behavioral pattern recognition. The three are applied to different kinds of protocols and cannot replace each other; only by using all three together can the various applications on the network be recognized effectively and flexibly, enabling control and billing.
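As an added illustration (not code from the article or from any product it describes) of the identification workflow in steps 1 to 3 above and of the port and signature analysis methods just listed: a toy Python pipeline that hashes each flow's address/port tuple onto a processing channel, runs priority signature matching on the first packet of a flow, falls back to a port guess when no signature fires, and reuses the cached result for later packets of a known flow. The packets and the signature library are constructed for this example.

```python
import hashlib
import re
from collections import Counter

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port, proto, payload).
# Invented for this example; the first two belong to the same flow.
PACKETS = [
    ("10.0.0.5", 51000, "93.184.216.34", 80, "tcp", b"GET /index.html HTTP/1.1\r\nHost: x\r\n"),
    ("10.0.0.5", 51000, "93.184.216.34", 80, "tcp", b"<later segment of the same flow>"),
    ("10.0.0.7", 40001, "10.0.0.9", 6881, "tcp", b"\x13BitTorrent protocol" + b"\x00" * 8),
    ("10.0.0.8", 20000, "10.0.0.10", 8080, "tcp", b"GET /stream HTTP/1.0\r\n"),
    ("10.0.0.8", 20001, "10.0.0.11", 21, "tcp", b"USER anonymous\r\n"),
    ("10.0.0.12", 3000, "10.0.0.13", 80, "tcp", b"\x16\x03\x01\x00\xa5\x01\x00\x00"),
]

# Signature library: (name, priority, payload pattern, default port). When several
# signatures match, the higher priority wins (step 3 of the workflow).
SIGNATURES = [
    ("http",       10, re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"), 80),
    ("ftp",        10, re.compile(rb"^(USER|PASS|RETR) "), 21),
    ("bittorrent", 20, re.compile(rb"^\x13BitTorrent protocol"), 6881),
]
NUM_CHANNELS = 4

def flow_key(pkt):
    """Network/transport-layer tuple that identifies a flow."""
    return pkt[:5]

def channel_for(pkt):
    """Step 1: hash the address/port tuple so flows spread evenly over channels."""
    digest = hashlib.sha1(repr(flow_key(pkt)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % NUM_CHANNELS

def dpi_match(pkt):
    """Step 2: deep inspection of the payload; a signature hit beats a port guess."""
    dst_port, payload = pkt[3], pkt[5]
    hits = [(prio, name) for name, prio, pattern, _ in SIGNATURES if pattern.search(payload)]
    if hits:
        return max(hits)[1]                      # highest-priority match
    for name, _, _, port in SIGNATURES:
        if dst_port == port:
            return name + "?"                    # port-only guess, low confidence
    return "unknown"

def identify(packets):
    """Run the pipeline. Returns (per-flow results, per-channel load, number of DPI runs)."""
    results, loads, dpi_runs = {}, Counter(), 0
    for pkt in packets:
        loads[channel_for(pkt)] += 1
        key = flow_key(pkt)
        if key in results:                       # known flow: skip DPI, reuse result
            continue
        results[key] = dpi_match(pkt)
        dpi_runs += 1
    return results, loads, dpi_runs

if __name__ == "__main__":
    results, loads, runs = identify(PACKETS)
    for key, app in results.items():
        print(key, "->", app)
    print("channel loads:", dict(loads), "DPI runs:", runs, "packets:", len(PACKETS))
```

The last packet shows the weakness of port analysis alone: non-HTTP bytes on port 80 get only the low-confidence label "http?".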
DFI is short for Deep Flow Inspection and is another typical service identification technology. DFI was proposed to address the shortcomings of DPI, namely its implementation efficiency, the identification of encrypted traffic, and the need for frequent upgrades. DFI focuses more on the general characteristics of network traffic; it does not inspect packets in depth, but only performs statistical analysis of flow state, network-layer and transport-layer information, flow duration, average flow rate, byte-length distribution and similar parameters to obtain the service type and service status.
Statistical analysis of network traffic
Through statistical analysis of traffic, network administrators can learn the current types of service traffic on the network, their bandwidth, their distribution in time and space, traffic direction and other information.
In the management process, administrators can use the common tool NTOP to assist with this. NTOP differs greatly from traditional capture tools such as tcpdump or Ethereal: it mainly provides statistics about network packets rather than their content. In addition, NTOP does not need a separate Web server, since it supports HTTP itself. First, it provides a fast and easy way to obtain accurate information about network activity without using network probes or listening devices. In most cases a network probe is required to track the network, but the probe may at times be busy monitoring other equipment and be unavailable; then NTOP can be used. Second, in some network configurations it may be impossible to connect a probe at all, for example two Unix systems interconnected over a WAN; in that case the user can also apply NTOP.
In general, NTOP can help the network administrator complete the following tasks: automatically identify useful information from the network; convert intercepted packets into an easily readable format; analyze communication failures in the network environment; detect communication bottlenecks in the network environment; and record the time and process of network communications.
NTOP can analyze network traffic to identify various problems on the network and can also be used to judge whether a hacker is attacking a network system. It can easily show details such as a particular network protocol, bandwidth-intensive hosts, the target hosts of various communications, packet transmission time and packet transmission delay. With this information, network administrators can respond to network faults in time and make optimizations and adjustments accordingly to ensure efficient and secure network operation.
Network traffic control
Adding traffic control to network traffic management helps network managers control bandwidth and schedule resources for network resources and services such as HTTP, FTP and SMTP, and manage P2P applications; in particular, suppressing P2P traffic improves the user experience of traditional data services.
With traffic control, network traffic management can also suppress unauthorized services that seriously affect the revenue of other services. For example, for VoIP services, the signaling flows and media flows can be correlated, detected and statistically analyzed, and the traffic managed by truncating media packets or by disguised signaling messages. Network-layer, transport-layer and application-layer inspection can also be combined to take management actions against unauthorized users of the broadband connection, such as disconnection, active alarms and time-based control.
Traffic control can also help network traffic management schedule service resources and obtain the real-time operating status and usage of service resources. When the load on an application server is high, global load balancing of service resources can spread service requests evenly; the system can also decide, based on the user's service operations, whether to continue responding to that user's new service requests and with what priority, responding first to users with high-priority service requests, so as to improve the efficiency of service operations.
A common practice in flow control is to set up queues at the output port for traffic control. The control approach is based on routing, that is, on the destination IP address or the subnet network number. The basic functional modules of a flow controller are queues, sorters and filters. Because of the variety of current network traffic, network administrators commonly manage it by classification.
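As an added example (not from the article or any flow-control product) of the queue-based control approach described above: a Python weighted round-robin scheduler that classifies packets using the application label produced by the identification stage, keeps one queue per class at the output port, and gives P2P the smallest share so it is suppressed under load while VoIP and HTTP get through. The class weights, queue depth and offered traffic are constructed assumptions.

```python
from collections import Counter, deque

# Per-class weights: packets a class may send in one scheduler round. Constructed
# policy for this example: interactive and business traffic first, P2P last.
CLASS_WEIGHTS = {"voip": 4, "http": 3, "smtp": 2, "p2p": 1, "default": 1}

def classify(pkt):
    """Map a packet to a queue class using the label from the identification stage."""
    return pkt["app"] if pkt["app"] in CLASS_WEIGHTS else "default"

class ClassQueues:
    """One FIFO per class at the output port, served by weighted round robin."""
    def __init__(self, weights, max_depth):
        self.weights = weights
        self.max_depth = max_depth
        self.queues = {cls: deque() for cls in weights}
        self.dropped = Counter()

    def enqueue(self, pkt):
        cls = classify(pkt)
        if len(self.queues[cls]) >= self.max_depth:   # tail drop: class over its buffer share
            self.dropped[cls] += 1
            return False
        self.queues[cls].append(pkt)
        return True

    def schedule_round(self):
        """One weighted round-robin pass over the classes; returns packets in send order."""
        out = []
        for cls, weight in self.weights.items():
            q = self.queues[cls]
            for _ in range(weight):
                if not q:
                    break
                out.append(q.popleft())
        return out

def simulate(offered, rounds, max_depth=32):
    """Enqueue the offered packets, run `rounds` scheduler passes, return (sent, dropped) per class."""
    cq = ClassQueues(CLASS_WEIGHTS, max_depth)
    for pkt in offered:
        cq.enqueue(pkt)
    sent = Counter()
    for _ in range(rounds):
        for pkt in cq.schedule_round():
            sent[classify(pkt)] += 1
    return sent, cq.dropped

# Constructed offered load: a P2P client flooding the output port alongside a VoIP
# call, a few web requests and an unidentified flow.
OFFERED = (
    [{"app": "p2p", "size": 1400}] * 40
    + [{"app": "voip", "size": 160}] * 8
    + [{"app": "http", "size": 1200}] * 6
    + [{"app": "unknown", "size": 500}] * 3
)

if __name__ == "__main__":
    sent, dropped = simulate(OFFERED, rounds=2)
    print("sent per class:", dict(sent))
    print("dropped per class:", dict(dropped))
```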
Besides traffic identification, traffic analysis and traffic control, network traffic management should generally also work with firewalls and other network security devices to build an active, collaborative defense system against security threats, enhancing the security of the whole network in order to better protect network traffic.
For example, signature-based traffic recognition is a necessary means of traffic management. It can actively discover abnormal traffic such as DDoS attacks, viruses and Trojans, make up for the shortcomings of other network security devices such as firewalls, intrusion prevention systems (IPS) and Unified Threat Management (UTM), improve their ability to discover security threats proactively, and promptly send alarms to the other network security equipment so that the source of a threat can be actively defended against from the start. In addition, traffic management with identification capability can also obtain and save network-layer information about the traffic (for example, source/destination IP address, application port, user ID and other identification information), from which network managers can locate the origin of a security threat.
Link 1
Comparison of DFI technology and DPI technology
Both DFI and DPI are designed to achieve the goal of service identification, but they differ greatly in focus and in the details of their implementation. Comparing the two, each has its own advantages and weaknesses: DPI is suitable for environments that require precise, accurate identification and fine-grained management, while DFI is suitable for environments that need efficient identification and coarse-grained management.
From the processing perspective: DFI has a relatively fast processing speed, while DPI must unpack each packet and compare it against a background database, so its processing speed is slower. Because DFI only compares flow characteristics against a background traffic model, most current DPI-based bandwidth management systems have a wire-speed processing capability of only 1Gbit/s, whereas a DFI-based system can achieve 10Gbit/s wire speed, fully meeting the needs of enterprise network traffic management.
From the maintenance cost perspective: DFI maintenance costs are relatively low. A DPI-based bandwidth management system always lags behind new applications; its background application database must be continuously upgraded to keep up with new protocols and new applications, otherwise they cannot be identified effectively, and the efficiency of pattern matching in the new bandwidth management technology suffers. A DFI-based system has a lighter management and maintenance workload than a DPI system, because the flow characteristics of a new application of the same type do not differ much from those of old applications, so the traffic behavior model does not need frequent upgrades.
From the recognition accuracy perspective: each technology has its strong points. Because DPI uses packet-by-packet analysis and pattern matching, it can recognize the specific application types and protocols in a flow more accurately; DFI only analyzes traffic behavior, so it can only identify general categories of application type: traffic matching the P2P model is uniformly classified as P2P, and traffic matching the VoIP model is uniformly classified as VoIP, but it cannot determine whether the traffic uses H.323 or another protocol. If packets are transmitted encrypted, DPI-based flow control cannot identify their specific application, whereas DFI-based flow control is unaffected, because the behavioral characteristics of an application's traffic do not fundamentally change with encryption.
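As an added example, written for this page rather than taken from it or from any DFI product, of the DFI approach described earlier (statistics of flow duration, average rate and packet-length distribution) and of the comparison above: a toy Python classifier that never looks at payload, so an encrypted, jittery call is classified exactly like a clear one, and that returns only a general category such as "voip", never the signaling protocol. The flows, feature set and thresholds are constructed for the example.

```python
from statistics import mean, pstdev

def make_flow(n, interval, size, jitter=0.0):
    """Constructed flow: n packets of `size` bytes roughly every `interval` seconds."""
    return [(i * interval + (jitter if i % 2 else 0.0), size) for i in range(n)]

# Constructed per-flow records of (timestamp_s, length_bytes). No payload is kept:
# DFI only uses timing and size, which is why encryption does not hide the category.
FLOWS = {
    "voip_like":   make_flow(50, 0.02, 160),          # small packets every 20 ms
    "voip_jitter": make_flow(50, 0.02, 160, 0.002),   # same call, encrypted and jittery
    "bulk_like":   make_flow(50, 0.001, 1400),        # MTU-size packets at high rate
    "web_like":    [(0.0, 300), (0.05, 1400), (0.06, 1400), (0.3, 200), (1.2, 1400)],
}

def flow_features(records):
    """Statistics DFI works from: duration, rate, length distribution, timing regularity."""
    ts = [t for t, _ in records]
    sizes = [s for _, s in records]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    duration = max(ts) - min(ts)
    return {
        "duration": duration,
        "avg_rate": sum(sizes) / duration if duration > 0 else float("inf"),
        "mean_len": mean(sizes),
        "len_std": pstdev(sizes),
        # coefficient of variation of inter-arrival times: near 0 means a steady stream
        "gap_cv": pstdev(gaps) / mean(gaps) if gaps and mean(gaps) > 0 else 0.0,
    }

# Behaviour models: thresholds are constructed for this example, not measured values.
MODELS = [
    ("voip", lambda f: f["mean_len"] < 300 and f["len_std"] < 50 and f["gap_cv"] < 0.2),
    ("bulk", lambda f: f["mean_len"] > 1000 and f["len_std"] < 100 and f["avg_rate"] > 500_000),
]

def dfi_classify(records):
    """Return the general category the flow's behaviour matches (never a specific protocol)."""
    f = flow_features(records)
    for name, rule in MODELS:
        if rule(f):
            return name
    return "other"

if __name__ == "__main__":
    for name, records in FLOWS.items():
        f = flow_features(records)
        print(f"{name:12s} mean_len={f['mean_len']:.0f} gap_cv={f['gap_cv']:.2f} "
              f"-> {dfi_classify(records)}")
```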
Link 2
Several common network traffic
As network applications keep enriching and developing, network traffic becomes more complex and varied. The following are the most common types of network traffic:
1. HTTP traffic: HTTP is the most widely used Internet protocol; it has already replaced FTP, the traditional main application-layer protocol for downloads, and now, pulled along by YouTube and other video-sharing sites, HTTP traffic has in the past four years for the first time surpassed P2P application traffic.
2. FTP traffic: since the advent of the Internet, FTP has been one of the applications users use most frequently, second in importance only to HTTP and SMTP. Although its importance has declined with the emergence of P2P applications, it is still an irreplaceable way for users to download.
3. SMTP traffic: e-mail is an important part of Internet business. According to statistics, 3/4 or more of users go online mainly to send and receive mail, and billions of e-mails are relayed around the globe every day. Precisely because e-mail is cheap and simple, it has induced a large number of people to use it as a tool for spreading their information, which eventually led to the proliferation of spam on the Internet.
4. VoIP traffic: the number of IP telephony users increased from 10.3 million to 18.7 million in 2006, a growth of 83%, and VoIP call volume reached 75% of total call volume in 2007. VoIP traffic on the Internet is therefore also well worth the administrator's attention.
5. P2P traffic: the current "big spender" of network bandwidth is P2P file sharing, which accounts for 49% of bandwidth in the Middle East and 84% in Central and Eastern Europe. Globally, P2P occupies 95% of network bandwidth at night.
6. Streaming traffic: with the emergence of video software such as PPLive and PPStream, watching live and on-demand video has become a favorite form of online entertainment and part of life for ordinary Internet users, so streaming traffic is also increasing.