
Methodology Used To Identify The Flows: Flow Analysis


Flow Analysis

Introduction
Network flow analysis is the study of the traffic on a computer network: how to export flow records from the network devices, collect them and analyse them. A flow-based network awareness system lets the network administrator see which hosts and applications use each link, and that visibility supports troubleshooting, auditing and capacity planning. This flow analysis is carried out for the CIBER Coventry network. It covers the flows between the main nodes of the network for both the applications already in use and the new applications that will be introduced. The result is an estimate of the current and future flows between the main nodes.

Methodology used to identify the flows


The flow analysis of the existing network at CIBER Coventry is carried out with a NetFlow analyser and Professional Audit Expander. A flow is the information transmitted during a single session of an application. Flows are end-to-end, between source and destination applications, devices or users; because they can be recognised by their end-to-end statistics, they can be related directly to an application, a device or a network, or associated with an end user. Flows can also be examined on a link-by-link or network-by-network basis, which is useful when flow requirements are to be combined at the network or network-element level.

Flows can usually be identified and developed from the information in the requirements specification: user, application, device and network requirements; user and application behaviour (usage patterns, models); user, application and device location information; and performance requirements. The more thorough this information is, the better the resulting flows will be. Flows are therefore determined from the requirements and locations of the applications and devices that generate (source) or terminate (sink) each traffic flow.

Existing network:
10BASE-T and 100BASE-TX Ethernet. The connected devices are network cards and switches, cabled with CAT-5, giving a maximum of 10 Mbps between workstations and switches and 100 Mbps between the main switch, the servers and the other switches.

Disadvantages:
The new network traffic would suffer congestion during peak working hours and will require more bandwidth than the current network provides. The existing network cannot handle the growing amount of work adequately, so upgrading the bandwidth is critical to keep the network congestion free.

VoIP places an additional load on infrastructures that may originally have been designed only for data. Because different VoIP systems use different codecs, and therefore different amounts of bandwidth per call, the voice traffic must be fully understood before accurate bandwidth predictions can be made.
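The per-call figure depends on the codec, the packetisation interval and the headers added at each layer, so a worked calculation is the only way to turn "VoIP" into a bandwidth number. The following is an added example (not part of the original report): the codec bit rates and the IPv4/UDP/RTP header sizes are standard values, the 20 ms packetisation is the usual default, and the Ethernet framing overhead of 18 bytes (header plus FCS, ignoring preamble and inter-frame gap) is an assumption.

```python
"""Per-call VoIP bandwidth for common codecs (added example, not from the report)."""
from dataclasses import dataclass

# Fixed per-packet headers, in bytes.
IP_UDP_RTP_BYTES = 20 + 8 + 12   # IPv4 + UDP + RTP
ETHERNET_BYTES = 14 + 4          # Ethernet II header + FCS (assumption: preamble
                                 # and inter-frame gap ignored)


@dataclass(frozen=True)
class Codec:
    name: str
    payload_bps: int   # codec bit rate
    ptime_ms: int      # audio carried per packet (20 ms is the usual default)


# Standard codec bit rates; 20 ms packetisation is the common default.
CODECS = {
    "G.711": Codec("G.711", 64_000, 20),
    "G.729": Codec("G.729", 8_000, 20),
    "G.711/30ms": Codec("G.711", 64_000, 30),
}


def packets_per_second(codec: Codec) -> float:
    return 1000 / codec.ptime_ms


def payload_bytes(codec: Codec) -> int:
    # bits per packet = bit rate * ptime (ms) / 1000; divide by 8 for bytes
    return codec.payload_bps * codec.ptime_ms // 8000


def per_call_bps(codec: Codec, link_overhead_bytes: int = ETHERNET_BYTES) -> int:
    """Bandwidth of ONE direction of one call, all headers included."""
    packet_bytes = payload_bytes(codec) + IP_UDP_RTP_BYTES + link_overhead_bytes
    return round(packet_bytes * 8 * packets_per_second(codec))


def calls_that_fit(codec: Codec, link_bps: int, share: float = 1.0) -> int:
    """Concurrent calls a full-duplex link can carry when `share` of it is
    reserved for voice (each direction carries one stream per call)."""
    return int(link_bps * share) // per_call_bps(codec)


if __name__ == "__main__":
    for name, codec in CODECS.items():
        bps = per_call_bps(codec)
        print(f"{name:<11} {bps / 1000:6.1f} kbps per direction, "
              f"{calls_that_fit(codec, 10_000_000, 0.5)} calls on half of a 10 Mbps link")
```

The headers dominate at low codec rates: G.729 sends one eighth of the audio bits of G.711 but needs more than a third of the bandwidth, which is why the packetisation interval and any header compression matter as much as the codec choice.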

Issues with Network Traffic Monitoring


Bursty traffic
Example: large file downloads such as FTP, multimedia content (.wmv, .swf, .mov files) and graphic content (.jpg, .gif files).
Problem: can cause spikes in bandwidth consumption that starve other applications of bandwidth for a short period. Interactive and latency-sensitive traffic are particularly susceptible to the problems caused by bursty traffic.
Solution: set a maximum constraint to limit its access to bandwidth.

Interactive traffic
Example: Secure Socket Layer (SSL) transactions, instant messenger and Telnet sessions all consist of relatively short request/response exchanges and generally support real-time interaction with end users.
Problem: susceptible to competition for bandwidth, which can result in poor and unpredictable application response time.
Solution: prioritise over less essential traffic and traffic that is less dependent on real-time response (such as e-mail).

Latency sensitive traffic
Example: streaming applications, Voice over IP and video conferencing all generate a steady stream of traffic that consumes a significant amount of bandwidth.
Problem: susceptible to competition for bandwidth, which can result in poor and unpredictable application response time. These applications can also easily saturate the available bandwidth, starving other applications.
Solution: set minimum guarantees of access to bandwidth, prioritised by business need, and set maximums to prevent any one application from consuming too much bandwidth.

Non-real time traffic
Example: e-mail and batch processing applications are the predominant sources of non-real-time traffic within the enterprise.
Problem: can consume bandwidth that could be used by more business-critical applications.
Solution: schedule bandwidth assignment for non-business hours; set a maximum bandwidth constraint and a low priority during business hours.

Requirements
Cat5 vs Cat5e

Network support - Cat5 cable supports the 10BASE-T and 100BASE-TX network standards, that is, networks running at 10 Mbps or 100 Mbps. Cat5e is an enhanced version of Cat5 that adds specifications for crosstalk (see below). Cat5e is fully backwards compatible with Cat5 and can be used anywhere Cat5 would normally be used, but its tighter specifications also allow it to support Gigabit Ethernet (1000BASE-T), that is, networks running at 1000 Mbps.

Crosstalk - Crosstalk is the "bleeding" of signal from one pair or cable into another through capacitive and inductive coupling. It can slow network transfers and can even block the transfer of signals over the cable entirely. The Cat5e specification adds crosstalk limits that Cat5 did not specify (power-sum and far-end crosstalk, and return loss), so crosstalk is greatly reduced.

Bandwidth - The bandwidth of a conveyance medium is essentially its information-carrying capacity; the greater the bandwidth, the faster data can be pushed across the network. Both Cat5 and Cat5e are specified to 100 MHz by TIA/EIA-568; the "350 MHz" figure often quoted for Cat5e is a vendor test claim rather than part of the standard. The real improvement of Cat5e is its stricter crosstalk and return-loss limits, which is what makes it suitable for networks that plan to operate at Gigabit Ethernet speeds.

Bottom line: if you plan to implement Gigabit Ethernet, use Cat5e. The small increase in price of Cat5e over Cat5 is more than repaid by future-proofing the cabling infrastructure.

Cat5e vs Cat6

There is a great deal of debate over whether new cabling installations should use Cat5e or Cat6. Many people incorrectly assume that by running Cat6 they will automatically have Gigabit Ethernet; to achieve true gigabit speeds every component on the path must be gigabit rated, including switches, hubs and network interface cards. There are real differences between Cat5e and Cat6, however, and they lie in transmission performance. Cat5e meets the minimum requirement for 1000BASE-T, while Cat6 is specified to 250 MHz and so carries Gigabit Ethernet with more headroom (and supports 10GBASE-T over short runs). Cat6 is also better suited to environments that are unfriendly to twisted-pair cabling, such as areas with interference from power lines, lighting and manufacturing equipment. Still, for most applications Cat5e is perfectly suitable and preferable to Cat6: it is more economical and performs almost as well. If you can be certain that all the components on the network are gigabit rated, and the volume of data calls for certified gigabit performance, then Cat6 is the way to go.

Bandwidth Requirements
At a minimum, the ATMS should have demonstrated the ability to support the relevant NTCIP protocol. If there is a high degree of commitment to, or a reasonable degree of use of, the NTCIP protocol, it should be specified for use. The central signal system software shall include communications support for the NTCIP protocol (Level 1 conformance).

Traffic Signals
The ATMS shall support controllers using the AB3418 protocol and will communicate with each intersection once per second. The central signal system software shall support communication with the field controllers at rates from 1.2 kbps to 38.4 kbps. The communications system shall support monitoring and downloading of traffic signal timing plans to the controllers; upload/download commands shall be executed immediately upon command, at 1.2 kbps to 38.4 kbps between the central signal system software and the field controllers. The central signal system software shall monitor the traffic signal controllers on a second-by-second basis.

CCTV
The system shall support panning, tilting and zooming CCTV cameras. The communications system shall support the ability to view and control CCTV cameras.

Analog: the communications system shall accommodate the standard NTSC video bandwidth of 4.2 MHz, based on 6 MHz channel spacing for video signals.
Digital: either Motion JPEG or MPEG formats should be used.

Control
Each camera will also require a camera control signal for functions such as pan, tilt and zoom. This control signal, ranging from 300 bps to 9600 bps, will be carried over a common channel in a multi-drop environment; in a twisted-pair network one pair can address multiple cameras.

Reliability: the field-to-centre communications shall have 99.5% availability.
Redundancy: the communications system shall have diverse routing options where feasible.
Diversity: existing communications infrastructure shall be used wherever feasible.

Performance Requirements
The field-to-centre communications shall be continuously available and shall not require an application to request a connection. Data must arrive at its destination at the same rate at which it is introduced to the network.

Process of identifying and developing flows:

- Identify flows, flow requirements and locations from the requirements specification.
- Determine where sources and sinks are located.
- Apply flow models where needed.
- Combine the performance requirements for the flows into a flow specification.

Taking the sources and destinations from the case study, we can produce a list of the flows we want to audit. This list may change once the flow analysis is complete.

- Administrator to Server 1
- Database Specialist to Server 1
- Developer to Server 2
- Graphics Designer to Server 2
- Support Team to Server 3
- Administrator to web server
- Administrator to internal web site
- Administrator to the other CIBER site (this flow is only applicable after the new network is in place)

Tools used to analyse the network (security, availability, performance, capability, integrity):

NetFlow Analyser
NetFlow Analyser is a traffic analytics tool that uses flow technologies to give real-time visibility of network bandwidth and traffic patterns. It collects, analyses and reports on what the network bandwidth is being used for and by whom, and it also supports network forensics and network traffic analysis.

[Figure: screenshot of the NetFlow analysis application used to measure the flows]

Professional Audit Expander
- View, analyse and report on system security (NTFS, audit and ownership), including security inconsistencies, direct differences, changes over time, inheritance, and group and user effective rights.
- View file and folder sizes and disk occupation.
- View, analyse, monitor, inventory and report in real time on all system and network configurations.

ncat (Network Config Audit Tool)
This tool focuses on Cisco IOS systems, so it would only provide information on those systems.

Network flow analysis audit: the audit is usually based on key performance indicators such as:
- Connectivity: necessary to open communication channels (see IETF RFC 2678, "IPPM Metrics for Measuring Connectivity", http://tools.ietf.org/html/rfc2678).
- Performance: speed of data transfer achieved over the IP network (see IETF RFC 2330, "Framework for IP Performance Metrics", http://tools.ietf.org/html/rfc2330).
- Capacity: volume of data transfer achieved.

Latency
It is accepted practice to use ping to measure latency. Ping should be run a number of times to obtain a suitable average; its output reports the average round-trip time. Two caveats apply. Routers and hosts may rate-limit or deprioritise ICMP, so ping indicates path latency rather than the latency an application itself experiences. And the average alone hides packet loss and jitter, which matter more than the mean to VoIP and other latency-sensitive traffic, so the minimum, maximum, loss and variation between replies should be recorded as well.

Uptime/Downtime
This KPI can only really be measured over a long period. Ideally the existing network administrators already have this data for the existing network; the same long-term data will also need to be collected once the new network has been installed.

A Map of Device Locations for CIBER Coventry's Network

Focusing on Applications
When focusing on an application, application group, device or function, the idea is to consider the one or more applications that will drive the architecture and design, namely those that are high-performance, mission-critical, rate-critical, real-time, interactive, predictable and/or guaranteed. By focusing on a few important applications, we can determine their flows by selecting the relevant information from the requirements and the application list.

Server description:

Server 1 (Ground Floor): Exchange Server, Microsoft Active Directory (domain controller) and web server hosting Internet services.
Server 2 (First Floor): file server hosting code repositories, Microsoft SQL Server 2000, Microsoft SourceSafe server.
Server 3 (Second Floor): Microsoft Virtual Server 2005, with the company website on a virtual machine.

The table below lists the main applications used by the company's various departments.

No. | Application
1 | OS
2 | System tools
3 | Security applications
4 | Database management application
5 | Monitoring, management and performance virtualization software
6 | Data recovery software
7 | Software distribution and metering
8 | Management resources applications
9 | Graphic design applications
10 | VoIP applications and tools
11 | Microsoft Office Suite
12 | Sales management software
13 | Programming tool
14 | Planning and designing software
15 | Training management software

The table below shows which servers each department accesses, together with the applications (numbered as in the list above) that it uses.

Department | Servers | Applications
Administrator | 1, 2, 3 | 1, 10, 11, 3, 5
Database specialists | 1, 2, 3 | 1, 10, 11, 6, 4
Management staff | 1 | 1, 10, 11, 8
Sales management staff | 1 | 1, 10, 11, 12
Graphics designer | 2 | 1, 10, 11, 9
Business analytics staff | 2 | 1, 10, 11, 12
Customer support and services | 2 | 1, 10, 11, 12
Developers | 2 | 1, 10, 11, 14, 13
Project and development managers | 3 | 1, 10, 11, 14
Maintenance and security staff | 3 | 1, 10, 11, 2
Training specialists | 3 | 1, 10, 11, 15
Technical consultants | - | -

Estimated Values
Using a network tool we can measure how much data can be sent over a given period between two end-points. There are many ways to get evidence from the network:
- SNMP data from routers and switches
- raw packet captures
- audit information from the existing network infrastructure (IDS, firewalls, VPN gateways, etc.)
- network flows

For example, enabling NetFlow on a Cisco router:

CISCO ROUTER
# Assume that FastEthernet 0/1 is the inbound (Internet-facing) interface and
# FastEthernet 0/2 is the LAN-facing interface.
router(config)#interface FastEthernet 0/1
router(config-if)#ip route-cache flow
router(config-if)#exit
# Flow accounting is ingress only by default, so repeat for the other interface.
router(config)#interface FastEthernet 0/2
router(config-if)#ip route-cache flow
router(config-if)#exit

# Configure the NetFlow collector IP address and port.
router(config)#ip flow-export destination 192.168.90.10 9996
# Export datagrams are sourced from the address of the outgoing interface unless
# a source is set; pin it (a loopback is the usual choice) so the collector
# always sees the same exporter address.
router(config)#ip flow-export source FastEthernet 0/1
router(config)#ip flow-export version 5
# Aggressive active timeout (minutes) to keep data flowing to the collector.
router(config)#ip flow-cache timeout active 1
# Also aggressive inactive timeout (seconds).
router(config)#ip flow-cache timeout inactive 15

ip route-cache flow is the legacy interface command; current IOS releases use ip flow ingress instead. NetFlow version 5 export is plain UDP with no authentication or encryption, so the collector at 192.168.90.10 should be reachable from the router only over the management network, and the collector should accept records only from the configured exporter address; otherwise spoofed datagrams can pollute the audit data and anyone on the path can read the flow records.

CHECKING UP
router#show ip cache flow

IP packet size distribution (489639251 total packets):
   1-32    64    96   128   160   192   224   256   288   320   352   384   416   448   480
   .000  .992  .000  .003  .000  .000  .000  .000  .000  .000  .000  .000  .000  .000  .000
    512   544   576  1024  1536  2048  2560  3072  3584  4096  4608
   .000  .000  .000  .000  .003  .000  .000  .000  .000  .000  .000

IP Flow Switching Cache, 8913408 bytes
  5088 active, 125984 inactive, 1843766371 added
  805412120 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
  last clearing of statistics never

Protocol      Total    Flows   Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
--------      Flows     /Sec     /Flow   /Pkt     /Sec        /Flow      /Flow
TCP-Telnet    28084      0.0         1     45      0.0          0.1       11.7
TCP-FTP      172835      0.0         1     47      0.0          2.4       13.7
TCP-FTPD       2818      0.0         1     40      0.0          0.2       11.3
TCP-WWW     5551226      1.2         1     53      1.3          0.1        5.0
TCP-SMTP       4179      0.0         1     42      0.0          1.0       12.2
TCP-X          2594      0.0         1     40      0.0          0.6       11.2
TCP-BGP        2546      0.0         1     40      0.0          0.2       11.5
TCP-NNTP       2554      0.0         1     40      0.0          0.1       11.2
TCP-Frag        177      0.0         2    269      0.0          1.7       16.8
TCP-other    528636      0.1         1     40     65.5          0.6       35.5
UDP-DNS       11596      0.0         1     54      0.0          0.8       17.2
UDP-NTP         723      0.0         2     40      0.0          9.0       16.8
UDP-TFTP        763      0.0         3     37      0.0         10.2       16.9
UDP-Frag         25      0.0         1     40      0.0        251.4       15.0
UDP-other 169720402     39.5         1     40     46.2          0.6       11.3
ICMP         275131      0.0        10    759      0.6          7.7       14.2
IGMP             36      0.0      1789   1246      0.0         15.2       16.9
IP-other          7      0.0        19     64      0.0         18.9       17.5
Total:    176304332     41.0         2     44    113.9          0.6       11.2

The cache header shows the default 30-minute active timeout rather than the 1-minute value configured above, so it is worth confirming the timeouts here after changing them. Note also that almost all packets are 64 bytes and that UDP-other accounts for nearly all flows (about 170 million, one packet each): single-packet flows of minimum size from many sources are the signature of a flood or scan rather than of an application session.

CHECKING UP
SrcIf     SrcIPaddress     DstIf  DstIPaddress  Pr  SrcP  DstP  Pkts
Hs9/1/0   192.168.2.51     Null   1.1.1.1       11  04A9  0017  614K
Hs9/1/0   192.168.47.72    Null   1.1.1.1       11  05F9  0017  281K
Hs9/1/0   192.168.49.52    Null   1.1.1.1       11  08EA  0017  65K
Hs9/1/0   192.168.32.18    Null   1.1.1.1       11  08EC  0017  1463K
Hs9/1/0   192.168.208.20   Null   1.1.1.1       11  0411  0017  8351K
Hs9/1/0   192.168.77.66    Null   1.1.1.1       11  126F  0017  1763K
Hs9/1/0   192.168.184.15   Null   1.1.1.1       11  0609  0017  191K
Hs9/1/0   192.168.22.48    Null   1.1.1.1       11  0885  0017  1520K
Hs9/1/0   192.168.22.48    Null   1.1.1.1       11  0883  0017  66K
Hs9/1/0   192.168.7.44     Null   1.1.1.1       11  0F07  0017  97K
Hs9/1/0   192.168.7.44     Null   1.1.1.1       11  0F09  0017  2084K
Hs9/1/0   192.168.54.208   Null   1.1.1.1       11  040C  0017  3018K
Hs9/1/0   192.168.248.90   Null   1.1.1.1       11  0521  0017  201K
Hs9/1/0   192.168.201.17   Null   1.1.1.1       11  060C  0017  171K
Hs9/1/0   192.168.201.17   Null   1.1.1.1       11  054C  0017  107K
etc.

Pr, SrcP and DstP are printed in hexadecimal: 0x11 is protocol 17 (UDP) and 0x0017 is port 23. Every record comes from a different internal source to the same destination address and port, and DstIf is Null, meaning the router had no forwarding path for 1.1.1.1 other than Null0 and discarded the packets. This many-to-one pattern, which is only visible because flow records are kept per source, is what an analyser should flag as a flood or scan rather than treat as an application flow.

The table below shows the bandwidth values estimated with the network analysis tools.

User | Application | Bandwidth | Server
All users | OS (Linux, Windows, Mac OS, etc.), the applications it provides (web browser, mail, etc.) and other software required by all users | Up to 10 Kbps | Servers 1, 2, 3
All users | VoIP applications and tools (Skype, AIM, etc.) | Up to 500 Kbps | Servers 1, 2, 3
All users | Microsoft Office Suite | Up to 100 Kbps | Servers 1, 2, 3
Technical and security staff | Network administration software: IP address management, network administration tools, network configuration management, network inventory, network mapping, network monitoring/management, network traffic monitoring, etc. | 100 to 500 Kbps | Server 1
Database specialist | Data recovery software | Up to 500 Kbps | Server 3
Technical and security staff | Monitoring, management and performance virtualization software | Up to 500 Kbps | Server 3
Technical and security staff | Software distribution and metering | 100 / 500 Kbps | Servers 1, 2
Sales managers | Sales management software (CRM, business management and accounting suite, etc.) | 100 / 500 Kbps | Server 1
Management and human resources | Management resources applications (SAP Enterprise Resource Planning, Microsoft package, etc.) | 100 / 500 Kbps | Servers 1, 3
Customer support and services | Customer relationship management applications, etc. | 100 Kbps | Server 2
Technical and security staff | Authentication/smart cards, security scanners, network security tools, event log monitoring | 10 / 100 Kbps | Servers 2, 3
Training management staff | Training management software and tools for building presentations such as MS PowerPoint and Visio | 10 to 500 Kbps | Server 3
Business analysts | Business analysis tools such as SAP Enterprise Resource Planning, Microsoft package, CRM suites, etc. | 10 Kbps | Server 2
Administration staff | Virtualization software: backup and recovery, high availability, hypervisors, monitoring, management and performance, P2V and V2V conversion, security, storage virtualization, VDI (virtual desktop infrastructure) | Up to 500 Kbps | Servers 1, 3
Project and development managers | Planning and designing applications such as Microsoft Project, Microsoft Project Server and the Microsoft Office Enterprise Project Management (EPM) product (Microsoft Project 2010) | 100 to 500 Kbps | Server 3

Choosing the Top N Applications


These applications are the top N in terms of helping with the success of that organization, which may be inferred by their degrees of usage, number of users, number of devices/servers, or performance requirements.

Developing a profile
To simplify the analysis, the remaining applications can be grouped under one title according to their locations and flows. A profile or template can then be developed for those applications, and each flow that fits the profile is identified with that profile's tag. A tag is therefore assigned to each set of applications and their flows.

The table below shows the set of application profiles.

Application Profile 1: OS, VoIP applications and tools, Microsoft Office Suite (the applications required by all users)
Application Profiles 2 to 5 cover the remaining applications: management resources applications, sales management software, graphic design applications, programming tool, system tools, planning and designing software, training management software, database management application, software distribution and metering, data recovery software, monitoring, management and performance virtualization software, security applications.

Data Sources and Sinks


Data sources and sinks help to give flows their direction. A data source generates a traffic flow and a data sink terminates one. In the diagrams a data source is drawn as a circle with a dot in the centre and a data sink as a circle with a cross (or star/asterisk) in the centre. Almost all devices on a network both produce and accept data, acting as both source and sink, but some devices typically act as one or the other, and a device may be primarily a source or a sink for a particular application.

Examples of data sinks: disks or tape devices, display devices, video editing devices, projectors.
Examples of data sources: computing servers, mainframes, parallel systems, computing clusters, cameras, video production equipment, application servers, scanners.

The map below shows the various data sink and data source points, the data migration applications with server-to-server flows, and the different sink and source nodes and devices.

Bandwidth is calculated for each application according to the users of each server.

Users | Bandwidth | Protocol overhead
Technical and security staff | 100 Kbps | High
Graphics designer | 500 Kbps | Low
Project and development managers | 10 Kbps | High
Maintenance and security staff | 500 Kbps | Low
Training specialists | 100 Kbps | Medium
Management staff | 100 Kbps | Medium
Sales management staff | 100 Kbps | Medium
Business analytics staff | 10 Kbps | High
Customer support and services | 100 Kbps | Medium
Administrator | 500 Kbps | High
Developers | 500 Kbps | High
Database specialist | 500 Kbps | Low

Suggestions to carry out the test and Network flow analysis


To obtain a good cross-section of key performance indicator measurements it is recommended that the tests are run at different times of day.

When?
- At a quiet time: suggested during the night, but not while any backup, archiving or overnight batch processes are running. This establishes the maximum performance and capacity figures, with (presumably) the lowest latency.
- At a peak busy time: during the office day, suggested first thing in the morning or last thing in the evening when everyone is logging on or off. This shows how well the network performs when it is under the most strain.
- Throughout the day: some 24-hour tests should be carried out. These help to determine the actual peak times on the network and their effect on performance, capacity and latency.

Required Output
The ideal output would be a series of 24-hour profiles, one for each flow tested, showing how the network supports the flow throughout the day and night. This may not be feasible for all flows. As a minimum we would need performance, capacity and latency during a busy period for all the tested flows.

Observation
In creating the flow analysis tables various assumptions were made about which applications and services will be used on the network. From this derived data a flow table was mapped showing how the network flows connect the devices on the network to the three servers. The main application services were identified so that the flows from each department and its users could be observed.

The diagram shows an unusually high reliance on the web server. If this is correct, it identifies something that may become a bottleneck or choke point in the network, and a major failure should anything happen to this service. Based on the diagram it is reasonable to treat the web server as a critical service and to ensure that adequate risk mitigation is in place for it.

Flow specification (values recovered by column; the full row layout did not survive extraction):

Flow ID: F1, F2, F3, CF1, CF2, CF3
  F1: Developer to Server 2
  F2: Graphic Designers to Server 2
Number of users: 7, 35, 17
Performance requirements
  Capacity: 500 Kbps, 10 Kbps, 100 Kbps
  Delay: 100 ms, 10 ms
  Reliability: N/A, 99.5%, 99.5%, 99.95%
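The step the process above calls "combine performance requirements for flows into a flow specification" is an aggregation: each flow's capacity is its user count times the per-user application rate (plus protocol overhead), the composite flow for a server is the sum of the flows that terminate there, and each composite is then checked against the link that carries it. The following is an added example (not from the report) of that aggregation, covering both the per-user bandwidth table and the flow specification above. The user groups, per-user rates and overhead ratings follow those tables, but the user counts per flow and the numeric overhead factors (High 1.30, Medium 1.15, Low 1.05) are assumptions made for the example; the 100 Mbps server link and 10 Mbps workstation link are the speeds of the existing network described earlier.

```python
"""Combine per-flow requirements into composite flows and check link capacity.

Added example, not from the report. Flow counts and overhead factors are
assumptions; the link speeds are those of the existing network (10BASE-T to
workstations, 100BASE-TX to servers).
"""
from __future__ import annotations

from dataclasses import dataclass

# Allowance applied on top of the application rate for protocol overhead
# (assumed factors; the report only rates overhead as High/Medium/Low).
OVERHEAD = {"High": 1.30, "Medium": 1.15, "Low": 1.05}

SERVER_LINK_KBPS = 100_000       # 100BASE-TX, main switch to server
WORKSTATION_LINK_KBPS = 10_000   # 10BASE-T, workstation to switch


@dataclass(frozen=True)
class Flow:
    flow_id: str
    source: str          # user group that generates the flow
    sink: str            # server that terminates it
    users: int
    kbps_per_user: int   # application rate from the estimated-values table
    overhead: str        # High / Medium / Low


# Constructed flow list: groups and per-user rates follow the tables above;
# the user counts are assumptions for the worked example.
FLOWS = [
    Flow("F1", "Developers", "Server 2", 7, 500, "High"),
    Flow("F2", "Graphics designers", "Server 2", 35, 500, "Low"),
    Flow("F3", "Customer support and services", "Server 3", 17, 100, "Medium"),
    Flow("F4", "Database specialists", "Server 1", 4, 500, "Low"),
]


def flow_kbps(f: Flow) -> float:
    """Capacity one flow needs at its sink: every user active, plus overhead."""
    return f.users * f.kbps_per_user * OVERHEAD[f.overhead]


def composite_flows(flows: list[Flow]) -> dict[str, float]:
    """Composite flow per server: the sum of every flow terminating there."""
    composite: dict[str, float] = {}
    for f in flows:
        composite[f.sink] = composite.get(f.sink, 0.0) + flow_kbps(f)
    return composite


def check_links(flows: list[Flow],
                server_link_kbps: int = SERVER_LINK_KBPS,
                workstation_link_kbps: int = WORKSTATION_LINK_KBPS) -> dict[str, dict]:
    """Utilisation of each server link and of the busiest single-user access link."""
    report: dict[str, dict] = {}
    for server, kbps in composite_flows(flows).items():
        report[server] = {"kbps": kbps,
                          "utilisation": kbps / server_link_kbps,
                          "ok": kbps <= server_link_kbps}
    # A user's access link carries that user's share of every flow the group sources.
    per_user: dict[str, float] = {}
    for f in flows:
        per_user[f.source] = per_user.get(f.source, 0.0) + f.kbps_per_user * OVERHEAD[f.overhead]
    worst = max(per_user.values())
    report["workstation"] = {"kbps": worst,
                             "utilisation": worst / workstation_link_kbps,
                             "ok": worst <= workstation_link_kbps}
    return report


if __name__ == "__main__":
    for name, r in check_links(FLOWS).items():
        print(f"{name:<12} {r['kbps']:9.0f} kbps  {r['utilisation']:6.1%}  {'ok' if r['ok'] else 'OVER'}")
    print("if Server 2 sat on a 10 Mbps segment:",
          check_links(FLOWS, server_link_kbps=10_000)["Server 2"])
```

Summing the flows with every user active is deliberately pessimistic; it gives the capacity the flow specification must guarantee, not the average load. Running the same check with the server link set to 10 Mbps shows the composite for Server 2 at more than twice that capacity, which is the quantitative form of the congestion concern raised in the Disadvantages section.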
