Pipeline Publishing, Volume 5, Issue 5
This Month's Issue:
What's New in Performance Management?

Gateway to Traffic Intelligence
Providing Intelligence for Traffic Management & Security


open south- and north-bound APIs to facilitate the collection and policy enforcement from and to a variety of different network elements.

GTI Demystified: Breakdown of Sources

To keep their networks secure and operating efficiently, operators must collect and analyze data from a wide variety of sources: packet and flow statistics, SNMP statistics, firewall/NAT/AAA events, routing and topology events, and IP-SLA metrics. Each of these sources brings its own value to a GTI system.

Telemetry and SNMP are the two fundamental sources for understanding the health of both the traffic and the network elements that carry it, and together they form the foundation of traffic intelligence. Flow telemetry exported by routers gives a global view of network activity at Layer 4, the flow level. Because flow export can be sampled, it scales to the whole network and has become the de facto source for monitoring traffic activity end to end; a system that consumes it can tell the operator what kind of traffic is flowing and how the overall mix is composed. The trade-off is that sampling reports volumes statistically and can miss low-rate activity, so it is a tool for seeing the network as a whole rather than for reconstructing individual sessions. Only recently have routers gained capabilities beyond Layer-4 information: such routers can export packet-level records on demand for forensic analysis. SNMP statistics from routers and their interfaces complement flow data with a more accurate assessment of how a traffic abnormality affects the network elements themselves, both in volume and in element health.

Layer-7 data from DPI appliances serves traffic management and is indispensable for an accurate breakdown of traffic into network protocols, services and applications. When Layer-7 information is collected from many links and correlated and analyzed centrally, operators gain a network-wide view of their services and applications that no single link can provide. DPI appliances can also act as intelligent, targeted mitigation devices when the operator wants to take surgical action on a per-packet basis.

Routing (BGP, IGP) and topology information is fundamental to understanding how packets travel through the network and which network elements they traverse, so operators can pinpoint the element that caused a problem and act on it. Routing information is also essential for monitoring the stability of the routing infrastructure and for detecting router misconfiguration and threats aimed at the routing infrastructure itself.

SLAs define the level of service the provider guarantees and the financial penalty when that level is violated. Using the IP-SLA measurements already available in network equipment, a GTI system can quantify the impact of a security event on customers and on the services they are paying for.

Firewalls, NAT devices and AAA servers provide broad coverage of attacks that arrive either through legitimate sessions of unauthorized users or through legitimate sessions that violate a customer's policy. Combined with firewall/NAT/AAA data, a GTI system gains visibility beyond the public IP address: the NAT translation maps the public address and port back to the private end host, and the AAA record ties that host to authenticated user credentials. Because NAT bindings are short-lived and ports are reused, that lookup must be matched on time as well as on address and port. Together these sources let the operator understand both the impact and the intent of a threat.
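The attribution step described above, as an added example that is not code from the article or from any GTI product: a public address and port seen in a flow record is joined against NAT translation records (matched on time, because the port is reused) and then against AAA accounting sessions to recover the private host and the user. The record layouts, field names and the sample log data are assumptions constructed for the example.

```python
"""Attribute a flow seen at the network edge to an end host and a user by
joining NAT translation records with AAA accounting sessions.

Added example. The record shapes and field names are assumptions, not a
vendor log format; the sample NAT and AAA data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatBinding:
    start: datetime
    end: Optional[datetime]      # None means the binding is still active
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int


@dataclass(frozen=True)
class AaaSession:
    username: str
    framed_ip: str               # private address assigned to the user
    start: datetime
    stop: Optional[datetime]     # None means the session is still open


def ts(iso: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def _active(start: datetime, end: Optional[datetime], at: datetime) -> bool:
    return start <= at and (end is None or at <= end)


def find_nat_binding(public_ip: str, public_port: int, at: datetime,
                     bindings: List[NatBinding]) -> Optional[NatBinding]:
    """Return the binding that owned public_ip:public_port at time `at`.

    Public ports are recycled within minutes, so matching on the address
    and port alone would attribute the flow to whichever host held the
    port most recently. If two bindings claim the tuple at the same
    instant the NAT log is inconsistent and we refuse to guess."""
    hits = [b for b in bindings
            if b.public_ip == public_ip and b.public_port == public_port
            and _active(b.start, b.end, at)]
    if len(hits) > 1:
        raise ValueError("ambiguous NAT log: %d bindings for %s:%d at %s"
                         % (len(hits), public_ip, public_port, at.isoformat()))
    return hits[0] if hits else None


def find_user(private_ip: str, at: datetime,
              sessions: List[AaaSession]) -> Optional[str]:
    """Return the username whose AAA session held private_ip at time `at`."""
    hits = [s for s in sessions
            if s.framed_ip == private_ip and _active(s.start, s.stop, at)]
    if len(hits) > 1:
        raise ValueError("ambiguous AAA log: %d sessions for %s at %s"
                         % (len(hits), private_ip, at.isoformat()))
    return hits[0].username if hits else None


def attribute_flow(public_ip: str, public_port: int, at: datetime,
                   bindings: List[NatBinding], sessions: List[AaaSession]
                   ) -> Tuple[Optional[str], Optional[str]]:
    """Public tuple seen in a flow record -> (private_ip, username).

    Either element is None when the corresponding log has no match."""
    binding = find_nat_binding(public_ip, public_port, at, bindings)
    if binding is None:
        return None, None
    return binding.private_ip, find_user(binding.private_ip, at, sessions)


# Constructed sample data. Note that public port 40001 is reused by a
# second host one minute after the first binding expired.
NAT_LOG = [
    NatBinding(ts("2006-03-01T10:00:00"), ts("2006-03-01T10:05:00"),
               "10.1.1.20", 51000, "198.51.100.7", 40001),
    NatBinding(ts("2006-03-01T10:06:00"), None,
               "10.1.1.35", 52222, "198.51.100.7", 40001),
]
AAA_LOG = [
    AaaSession("alice", "10.1.1.20", ts("2006-03-01T09:30:00"),
               ts("2006-03-01T11:00:00")),
    AaaSession("bob", "10.1.1.35", ts("2006-03-01T10:05:30"), None),
]

if __name__ == "__main__":
    for when in ("2006-03-01T10:02:00", "2006-03-01T10:07:00",
                 "2006-03-01T10:05:30"):
        print(when, attribute_flow("198.51.100.7", 40001, ts(when),
                                   NAT_LOG, AAA_LOG))
```

The same public tuple resolves to two different hosts and users depending on the timestamp, and to nothing at all in the gap between bindings; a lookup that ignored time would silently blame the wrong customer.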

Contextualization of Information

A side effect of the growing size and complexity of today's networks is the growing volume of alerts associated with anomalous or malicious traffic. A single malicious anomaly can generate up to 40 individual alerts, all related to the same cause. An effective GTI system groups these related alerts into "meta-events", reducing that mass of information to a manageable form. The individual alerts remain available for drill-down, but NOC/SOC personnel can spend their time on the underlying cause rather than on each symptom.

The same logic applies to BGP updates, which are commonly reported only as volumes over time. With a GTI system, BGP updates that stem from the same cause are turned into "BGP events" that are handled as a group and linked to that cause, so the operator reviews tens of BGP events per day rather than hundreds or thousands of updates. At the same time, GTI gives insight into the cause of those events and flags which of the changes might affect the normal operation of the network. Overall, the ability to summarize information while retaining drill-down capability keeps security groups efficient in their analysis and effective in their mitigation practices.
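The grouping described above, as an added example rather than code from the article or any GTI product: records that share a cause key and arrive within a time window of each other are folded into one meta-event, and the same routine is applied to alerts and to BGP updates. The alert and BGP record shapes, the choice of cause key, the five-minute window and the sample records are all assumptions constructed for the example.

```python
"""Collapse related alerts into "meta-events" keyed on their common cause,
and apply the same grouping to BGP updates.

Added example. The record layouts, the cause keys and the window are
assumptions; the alert and BGP samples below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Hashable, Iterable, List


@dataclass
class MetaEvent:
    cause: Hashable          # e.g. (victim prefix, anomaly type)
    first: datetime
    last: datetime
    members: list = field(default_factory=list)   # kept for drill-down

    @property
    def count(self) -> int:
        return len(self.members)


def group_by_cause(records: Iterable[dict],
                   cause_key: Callable[[dict], Hashable],
                   when: Callable[[dict], datetime],
                   window: timedelta) -> List[MetaEvent]:
    """Walk records in time order. A record joins the open meta-event with
    the same cause if it arrives within `window` of that event's last
    member; otherwise it opens a new meta-event for that cause. The raw
    records are retained in .members so nothing is lost, only summarized."""
    open_events = {}
    result: List[MetaEvent] = []
    for rec in sorted(records, key=when):
        key, t = cause_key(rec), when(rec)
        ev = open_events.get(key)
        if ev is None or t - ev.last > window:
            ev = MetaEvent(key, t, t)
            open_events[key] = ev
            result.append(ev)
        ev.members.append(rec)
        ev.last = t
    return result


WINDOW = timedelta(minutes=5)   # assumed grouping window


def _t(hms: str) -> datetime:
    return datetime.fromisoformat("2006-03-01T" + hms)


# Constructed alerts: three detectors fire on the same SYN flood within
# about a minute, an unrelated scan follows, and the flood reappears
# well outside the window.
ALERTS = [
    {"time": _t("10:00:00"), "victim": "203.0.113.0/24",
     "type": "syn_flood", "detector": "flow"},
    {"time": _t("10:00:30"), "victim": "203.0.113.0/24",
     "type": "syn_flood", "detector": "snmp_cpu"},
    {"time": _t("10:01:10"), "victim": "203.0.113.0/24",
     "type": "syn_flood", "detector": "dpi"},
    {"time": _t("10:03:00"), "victim": "198.51.100.0/24",
     "type": "port_scan", "detector": "flow"},
    {"time": _t("10:20:00"), "victim": "203.0.113.0/24",
     "type": "syn_flood", "detector": "flow"},
]

# Constructed BGP updates: a prefix flaps four times in ten seconds and
# is re-announced an hour later.
BGP_UPDATES = [
    {"time": _t("10:00:00"), "prefix": "192.0.2.0/24", "peer": "AS64500", "op": "withdraw"},
    {"time": _t("10:00:02"), "prefix": "192.0.2.0/24", "peer": "AS64500", "op": "announce"},
    {"time": _t("10:00:05"), "prefix": "192.0.2.0/24", "peer": "AS64500", "op": "withdraw"},
    {"time": _t("10:00:09"), "prefix": "192.0.2.0/24", "peer": "AS64500", "op": "announce"},
    {"time": _t("11:00:00"), "prefix": "192.0.2.0/24", "peer": "AS64500", "op": "announce"},
]


def summarize_alerts() -> List[MetaEvent]:
    return group_by_cause(ALERTS, lambda a: (a["victim"], a["type"]),
                          lambda a: a["time"], WINDOW)


def summarize_bgp() -> List[MetaEvent]:
    return group_by_cause(BGP_UPDATES, lambda u: (u["prefix"], u["peer"]),
                          lambda u: u["time"], WINDOW)


if __name__ == "__main__":
    for ev in summarize_alerts() + summarize_bgp():
        print(ev.cause, ev.count, ev.first.time(), ev.last.time())
```

Five alerts become three meta-events and five BGP updates become two BGP events; the operator reads the summaries, and the `members` list of each still holds every original record for investigation.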


© 2006, All information contained herein is the sole property of Pipeline Publishing, LLC. Pipeline Publishing LLC reserves all rights and privileges regarding the use of this information. Any unauthorized use, such as copying, modifying, or reprinting, will be prosecuted under the fullest extent under the governing law.