How to use Linux security to manage network traffic (1)

Source: Internet
Author: User

[Bkjia.com exclusive article] I. Scope of network traffic management

Over the past decade the Internet has become an increasingly important part of daily life. According to statistics, it has become the most important information infrastructure in human society, accounting for 80% of human information exchange, and it is of great strategic significance for social progress, economic development, and national security. Against this background, faced with increasingly complex networks and growing traffic volumes, system and network managers must spend more time understanding how their network devices are operating in order to keep systems running normally.

Network managers generally need to know the usage of each network segment, how much bandwidth is consumed, and where the bottlenecks are. When a problem occurs, they must be able to quickly analyze and determine its cause, which may be a line fault, a network device failure, or a router misconfiguration. Effective management of network traffic is the primary factor in maximizing network efficiency. So what is network traffic management based on, and how can traffic be identified, analyzed, and managed effectively? These are the main questions this topic sets out to answer.

Generally, we can divide network traffic management into the following categories:

1. Traffic Identification

Application awareness (business identification) is a new concept that has emerged with the rapid growth of network services. Based on parameters such as protocol type, port number, feature strings, and traffic behavior characteristics, it performs deep packet inspection and analysis from the data link layer up to the application layer, obtains information such as the business type, business status, business content, and user behavior, and stores classified statistics. The basic purpose of business identification is to give network managers business-layer information on top of the network layer, such as the business type, business status, business distribution, and business traffic flow. Business identification is a relatively complex process that requires collaboration between several functional modules. The process is described as follows:

◆ The recognition and processing module uses multiple identification channels. It distributes network traffic evenly across the processing channels by hashing the source/destination IP addresses and source/destination port numbers of each flow.

◆ The processing channels perform deep packet inspection on the network traffic in parallel, extract its feature information, and compare it with the features in the business identification feature library.

◆ The matching results are sent to the identification processing module, which identifies the specific traffic. If several results match, the one with the higher priority is chosen. Once a flow has been identified, its subsequent connections are no longer subjected to deep packet inspection; their network-layer and transport-layer information is compared directly with the known recognition results, which improves execution efficiency.

◆ The recognition processing module stores the business recognition results in the recognition result storage module, providing the basis for statistical analysis of network traffic.

◆ The statistical analysis module reads the relevant information from the recognition result storage module and displays it as a curve, pie chart, bar chart, or text, or outputs it to a file.

◆ The recognition results saved in the result storage module are passed to the network traffic management function area, providing the basis for implementing traffic management.

At present, the common and typical business identification technologies are DPI and DFI.

1) DPI Technology

DPI is short for Deep Packet Inspection and is a typical business recognition technology. It is called "deep" inspection in contrast to traditional inspection technology, which only reads the basic information stored in a packet's network-layer and transport-layer protocol headers: the source/destination IP addresses, source/destination transport-layer port numbers, protocol number, and the underlying connection status. These parameters alone are not enough to recover meaningful information about the application in use. Now that P2P, VoIP, and IPTV applications are widespread, traditional traffic inspection can no longer meet the needs of network traffic management.

DPI extends traditional traffic inspection in depth. While collecting the basic packet information, it also scans the application-layer protocol headers and protocol payloads of several related packets and extracts the feature information stored at the application layer, so that network traffic can be precisely inspected, monitored, and analyzed.

DPI technology usually uses the following packet analysis methods:

◆ Transport-layer port analysis. Many applications use a default transport-layer port number; for example, HTTP uses port 80.

◆ Feature string matching analysis. Some applications carry characteristic fields in the application-layer protocol header or at a specific position in the application-layer payload. These feature fields are used to inspect, monitor, and analyze packets.

◆ Communication interaction process analysis. Monitors and analyzes the transaction interaction process of multiple sessions, including packet lengths and the number of packets sent, to inspect, monitor, and analyze network services.
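The identification pipeline described earlier (hash-based channel distribution, feature matching with priority, and skipping DPI for flows already identified) combined with the port and feature-string methods just listed, as an added example that is not code from the original article; the signature library, priorities, and packets are constructed for illustration:

```python
import hashlib
from collections import Counter, namedtuple

# Constructed signature library: (business name, priority, default port, feature bytes).
# A higher priority wins when several signatures match the same packet.
SIGNATURES = [
    ("http", 10, 80, b"GET "),
    ("http", 10, 80, b"HTTP/1."),
    ("tls", 20, 443, b"\x16\x03"),
]

Packet = namedtuple("Packet", "src sport dst dport payload")

def flow_key(pkt):
    """Direction-independent key so both halves of a connection share one result."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return f"{ends[0][0]}:{ends[0][1]}-{ends[1][0]}:{ends[1][1]}"

def deep_inspect(pkt):
    """Port analysis plus feature-string matching; a feature hit outranks a port-only hit."""
    matches = []
    for name, prio, port, feature in SIGNATURES:
        if pkt.payload.startswith(feature):
            matches.append((prio, name))
        elif port in (pkt.sport, pkt.dport):
            matches.append((prio - 5, name))   # port alone is weaker evidence
    return max(matches)[1] if matches else "unknown"

class DPIEngine:
    def __init__(self, channels=4):
        self.channels = channels
        self.results = {}        # recognition result store: flow key -> business type
        self.stats = Counter()   # input for statistical analysis: business type -> packets
        self.inspected = 0       # packets that actually went through deep inspection

    def classify(self, pkt):
        key = flow_key(pkt)
        # Hash of the address/port tuple spreads flows evenly over processing channels.
        ch = int(hashlib.sha256(key.encode()).hexdigest(), 16) % self.channels
        if key in self.results:  # known flow: transport-layer lookup only, no DPI
            label = self.results[key]
        else:
            self.inspected += 1
            label = deep_inspect(pkt)
            if label != "unknown":
                self.results[key] = label
        self.stats[label] += 1
        return ch, label
```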

2) DFI Technology

DFI is short for Deep Flow Inspection and is also a typical business recognition technology. Compared with DPI, DFI is designed to address DPI's problems of execution efficiency, identification of encrypted traffic, and the need for frequent upgrades. DFI is more concerned with the general characteristics of network traffic. It therefore does not perform deep packet inspection; instead, it derives the service type and service status purely from statistical analysis of parameters such as the traffic state, network-layer and transport-layer information, flow duration, average flow rate, and byte-length distribution.
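A flow-statistics classifier in the spirit of DFI, added here as an illustration rather than taken from the article or any product; the rules, thresholds, and three sample flows are constructed, and a real deployment would tune them from labelled traffic:

```python
from collections import namedtuple
from statistics import mean, pstdev

# A flow record keeps only network/transport-layer info plus per-packet sizes and
# timestamps; no payload is stored, which is why encrypted traffic is still classifiable.
Flow = namedtuple("Flow", "src dst proto sizes times")

def flow_features(f):
    """Derive the statistical parameters DFI works from."""
    duration = max(f.times[-1] - f.times[0], 1e-6)   # seconds, avoid divide-by-zero
    total = sum(f.sizes)
    return {
        "packets": len(f.sizes),
        "duration": duration,
        "avg_rate": total / duration,     # bytes per second
        "mean_len": mean(f.sizes),
        "len_stdev": pstdev(f.sizes),     # spread of the byte-length distribution
    }

def dfi_classify(f):
    """Constructed rules over flow statistics only; no deep packet inspection."""
    x = flow_features(f)
    if f.proto == "udp" and x["packets"] >= 20 and x["mean_len"] < 250 and x["len_stdev"] < 20:
        return "voip-like"      # many small, near-constant-size packets at a steady cadence
    if x["duration"] > 30 and x["avg_rate"] > 100_000 and x["mean_len"] > 1000:
        return "bulk-transfer"  # sustained high rate with full-size packets
    if x["packets"] < 5:
        return "short-query"    # e.g. a single request/response exchange
    return "unknown"

def summarize(flows):
    """Statistical-analysis step: flows and bytes per recognized business type."""
    out = {}
    for f in flows:
        label = dfi_classify(f)
        count, total = out.get(label, (0, 0))
        out[label] = (count + 1, total + sum(f.sizes))
    return out

# Constructed sample flows (sizes in bytes, times in seconds).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.1.7", "udp", [160] * 50, [i * 0.02 for i in range(50)]),
    Flow("10.0.0.6", "10.0.2.9", "tcp", [1460] * 4000, [i * 0.01 for i in range(4000)]),
    Flow("10.0.0.7", "10.0.0.53", "udp", [60, 120], [0.0, 0.01]),
]
```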

The basic goal of both technologies is business identification, but they differ considerably in implementation focus and technical detail. A comparison shows that each has strengths and weaknesses: DPI is suited to environments that require precise, accurate identification and fine-grained management, while DFI is suited to environments that need efficient identification and coarse-grained management.

2. Traffic statistical analysis

The basic goal of network traffic management is to understand how network, service, and user resources are used, locate performance bottlenecks, perform fine-grained management, analyze and control user behavior, and protect information security.

The service identification function can be integrated into network devices at multiple layers, such as backbone nodes, service provider nodes, the international egress, the MAN egress, and the MAN access layer; alternatively, a separate network device with the business identification function can be deployed to perform statistical analysis and trend judgment on network traffic. Through traffic statistical analysis, network administrators can learn the type, bandwidth, time and space distribution, and direction of business traffic in the current network.

3. Traffic Management

Adding traffic identification capabilities to network traffic management helps network managers control bandwidth and schedule network and business resources. Network traffic management with business identification can manage P2P applications and improve the user experience of traditional data services by restraining P2P traffic. It can also suppress unauthorized businesses that seriously affect the income of operators: through associated detection and statistical analysis of VoIP signaling traffic and media traffic, VoIP service traffic can be managed by truncating media packets and disguised signaling packets, and by combining network-layer, transport-layer, and application-layer detection, unauthorized private broadband connections can be managed by interrupting connections, raising alarms, and applying time-sharing control. Business identification also helps schedule business resources. It provides real-time information about business resource usage and service status; when a business server is heavily loaded, global service resource load balancing can distribute business requests evenly. User service requests can likewise be scheduled: the system can decide whether to continue responding to new requests from a user, or prioritize the requests of high-priority users, to improve business operation efficiency.

4. Other aspects

Beyond traffic management itself, the service identification function, whether integrated into network devices at multiple layers or deployed on a separate device, can work with network security devices such as firewalls to build an active security threat defense system and improve the protection capability of the whole network.

Network traffic management with business identification has active traffic characteristic identification and analysis capabilities and can actively detect abnormal traffic such as DDoS attacks, viruses, and Trojans. This complements other network security devices such as firewalls, intrusion prevention systems (IPS), and unified threat management (UTM) by improving their ability to discover security threats, and it can promptly alert those devices so that threats are defended against from the outset.

In addition, network traffic management with business identification can obtain and save the network-layer information of traffic (for example, the source/destination IP addresses, user ID, and other information), so that network administrators can trace and locate actual security threats.
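Added example (not from the article): a sketch of the abnormal-traffic detection and tracing this section describes, run over constructed flow records that a traffic manager would have saved. The DDoS-style heuristic (far more distinct sources contacting one destination within a short window than usual), the window size, and the threshold are assumptions for illustration:

```python
from collections import defaultdict

# Constructed flow records as saved by the traffic manager.
# Fields: (timestamp_seconds, src_ip, dst_ip, dst_port, user_id)
def normal_records():
    # Twenty seconds of ordinary traffic: one of five known hosts per second.
    return [(t, f"10.0.0.{5 + (t % 5)}", "10.0.1.7", 443, f"user{5 + (t % 5)}")
            for t in range(0, 20)]

def flood_records():
    # 120 distinct sources hit the same destination within a single second.
    return [(21.0 + i / 200, f"198.51.100.{i}", "10.0.1.7", 80, f"user{i}")
            for i in range(120)]

def detect_fan_in(records, window=1.0, max_sources=50):
    """Flag destinations contacted by more than max_sources distinct sources per window.

    Each alert carries the saved network-layer info so the event can be traced later."""
    sources = defaultdict(set)   # (window index, dst ip) -> distinct source IPs
    users = defaultdict(set)     # (window index, dst ip) -> user IDs behind those sources
    for ts, src, dst, dport, uid in records:
        key = (int(ts // window), dst)
        sources[key].add(src)
        users[key].add(uid)
    alerts = []
    for (w, dst), srcs in sorted(sources.items()):
        if len(srcs) > max_sources:
            alerts.append({
                "window_start": w * window,
                "dst": dst,
                "distinct_sources": len(srcs),
                "trace": {"sources": sorted(srcs)[:3],
                          "user_ids": sorted(users[(w, dst)])[:3]},
            })
    return alerts

def alert_message(alert):
    """One-line notice an operator would forward to a firewall or IPS."""
    return (f"anomaly dst={alert['dst']} distinct_sources={alert['distinct_sources']} "
            f"window_start={alert['window_start']:.0f}s")
```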

