Until splitting into two companies in 2015 – Flowmon Networks and Netcope Technologies – INVEA-TECH was for nearly a decade recognized as a leader in packet flow monitoring and Field Programmable Gate Array (FPGA) solutions that helped law enforcement and intelligence agencies track targets on high-speed networks. With the rapid growth of each marketplace, whether for surveillance or commercial network performance requirements, the parent company felt it was time to dedicate separate corporate resources to each.
Here we will concentrate on the work of Flowmon Networks, delving into the union of two technologies formerly considered adversaries, or at least incompatible – flow monitoring and Deep Packet Inspection (DPI). While packet flow monitoring and DPI were for years considered polar opposites, the two have always borne a similarity. Now they are seen as complementary by companies like Flowmon Networks, which uses DPI to add greater depth to the data revealed by flow monitoring.
Flowmon Networks relies to a great extent on FPGAs, just like its sister company, Netcope Technologies. FPGAs remain an important part of the process as hardware accelerators that reduce CPU load during packet capture to help ensure comprehensive monitoring without packet loss on networks that operate at speeds as fast as 100G. See our analysis of Netcope for details.
A Close Look at DPI
Widely portrayed as a dystopian technology with the power to penetrate any/all IP communications and manipulate traffic, DPI is often cast as the “Big Brother” of modern society. There may be an element of truth to that assertion. DPI has a variety of key capabilities: the ability to target specific individuals or groups and identify IP address, MAC address, and location. But DPI’s primary benefit is the capture and analysis of packet payloads at the individual packet level. DPI is first and foremost a means of accessing IP content.
DPI is not infallible. A system is only as useful as the rules it is based on. In every instance where DPI is deployed, it must be programmed with predefined rules that determine the information elements (IEs) and trends the system should look for. Moreover, each DPI system must be continuously updated to stay current with evolving threat scenarios. DPI cannot find what it is not programmed to seek.
Variable parameters including operating systems and line speed scalability profoundly influence accuracy: In North America and Europe, for example, a DPI system’s level of accuracy in determining applications at Layer 7 might reach as high as 95 percent, but in Asian countries can drop as low as 60 percent.
In terms of OSI/TCP-IP stack penetration, DPI capability depends on what the user purchases. Some DPI solutions used for lawful intercept only penetrate as high as Layer 2, the Data Link layer, responsible for the reliable transfer of data across networks. In many instances, Layer 2 access identifies packets only by originating and terminating hardware addresses: who’s sending and receiving data. Moving upstream to the packet payload held in Layers 4 – 7 involves greater sophistication and cost, particularly in a high-speed networking environment. A general rule of thumb with DPI is that the more bandwidth a network offers, the higher the cost of the DPI system elements that perform capture, storage and analysis. As networks reach 100G and beyond, some would argue that such costs have become prohibitive for all but the largest LEAs and government intelligence agencies. Indeed, the cost of massive DPI is one factor behind the rapid rise in popularity of flow monitoring, which is more scalable at lower cost. But, as always, the user gets what he or she pays for. Flow monitoring alone cannot match the depth or detail provided by DPI.
Flow monitoring developed on a separate track from DPI as a method of sampling IP traffic flows with specific predesignated identifiers. Flow monitoring checks and analyzes the flows of traffic at the packet header level only, rather than examining every packet. Given the scalability of flow monitoring, and the high speeds at which it processes data, flow monitoring is designed to operate in the “Big Data” realm of today’s networks.
Commercial flow monitoring works in four stages. First, an Observation Point is established using a probe powered by an FPGA line card or another high-performance network interface controller (NIC), such as Application Specific Integrated Circuit (ASIC) hardware. FPGAs accelerate the packet capture process, are accurate to within 100 nanoseconds, and are less costly and more flexible than ASICs, and so are the preferred method. Alternately, the user may opt for a forwarding device that is connected to a probe. Whatever the type of flow monitoring vehicle chosen, the results are the same: packets are captured and pre-processed using key flow monitoring protocols that encapsulate flow records into messages. Cisco NetFlow v5 and v9, and IPFIX (Internet Protocol Flow Information Export) are the dominant protocols.
In the second stage, a metering and export process within the probe identifies flows by factors such as port numbers, IP addresses, packet and byte counters, and then time stamps the results.
The third stage is Data Collection, done by Flow Collectors that format and store data. Storage may be either “Volatile,” meaning done in real-time by flash memory, or “Persistent” for long term storage, a process that is more time-consuming.
Finally, in the fourth stage flow monitoring performs high-level traffic analysis, looking for primary targets that appear with greater frequency and that might indicate behavior considered abnormal, e.g., a brute force attack or DDoS attack.
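The four stages just described, worked through as a small Python model. This is an added example, not Flowmon code: the packets are constructed sample data, the flow key is the seven fields NetFlow v5 uses (ingress interface, source and destination IP, protocol, source and destination port, type of service), the idle-timeout export logic is a simplified version of how a metering process closes a flow, and the last stage implements one concrete form of the "abnormal behavior" check the text mentions, namely one source opening many separate short flows to the same SSH service within a short window. Thresholds and the window are assumed values.

```python
"""Toy model of the four flow-monitoring stages: observation (packets arrive at
a probe), metering/export (aggregate into flow records), collection (store the
records) and analysis (flag a suspicious pattern). Added example; all packets
below are constructed, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass


def _tcp(ingress, src, dst, sport, dport, length, ts):
    # (ingress_if, src_ip, dst_ip, proto, src_port, dst_port, tos, length, timestamp)
    return (ingress, src, dst, 6, sport, dport, 0, length, ts)


# Stage 1: constructed packet headers as a probe at the observation point sees them.
SAMPLE_PACKETS = sorted(
    [_tcp(1, "10.0.0.5", "93.184.216.34", 51000, 443, 60 + 400 * i, 100.0 + i) for i in range(3)]
    + [(1, "10.0.0.5", "10.0.0.53", 17, 53001, 53, 0, 72, 99.5)]          # one DNS query
    + [_tcp(2, "203.0.113.7", "10.0.0.22", 40000 + i, 22, 120, 200.0 + 2 * i) for i in range(6)]
    + [_tcp(2, "203.0.113.7", "10.0.0.22", 40000 + i, 22, 90, 200.5 + 2 * i) for i in range(6)],
    key=lambda p: p[8],
)


@dataclass
class FlowRecord:
    key: tuple          # the seven NetFlow v5 key fields
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


def meter(packets, idle_timeout=30.0):
    """Stage 2: aggregate packets into flow records. A record is exported when
    the capture ends or when a packet arrives on a key that has been silent
    for longer than idle_timeout seconds (assumed value)."""
    active, exported = {}, []
    for (ingress, src, dst, proto, sport, dport, tos, length, ts) in packets:
        key = (ingress, src, dst, proto, sport, dport, tos)
        rec = active.get(key)
        if rec is not None and ts - rec.last_seen > idle_timeout:
            exported.append(active.pop(key))
            rec = None
        if rec is None:
            rec = FlowRecord(key=key, first_seen=ts, last_seen=ts)
            active[key] = rec
        rec.packets += 1
        rec.octets += length
        rec.last_seen = ts
    exported.extend(active.values())   # flush whatever is still open
    return exported


class Collector:
    """Stage 3: store exported flow records (in memory here)."""
    def __init__(self):
        self.records = []

    def ingest(self, records):
        self.records.extend(records)


def find_bruteforce_candidates(records, port=22, min_flows=5, window=60.0):
    """Stage 4: each login attempt is a separate TCP flow (new ephemeral source
    port), so many distinct flows from one source to one destination's service
    port inside a window is the footprint of a brute-force attempt.
    Returns {(src, dst): total_flow_count} for pairs over the threshold."""
    by_pair = defaultdict(list)
    for r in records:
        _, src, dst, proto, _, dport, _ = r.key
        if proto == 6 and dport == port:
            by_pair[(src, dst)].append(r)
    hits = {}
    for pair, flows in by_pair.items():
        starts = sorted(f.first_seen for f in flows)
        for i, t0 in enumerate(starts):
            if sum(1 for t in starts[i:] if t - t0 <= window) >= min_flows:
                hits[pair] = len(flows)
                break
    return hits


def run_pipeline(packets=SAMPLE_PACKETS):
    """Observation -> metering -> collection -> analysis, end to end."""
    collector = Collector()
    collector.ingest(meter(packets))
    return collector.records, find_bruteforce_candidates(collector.records)


if __name__ == "__main__":
    records, hits = run_pipeline()
    for r in records:
        print(r.key, r.packets, r.octets)
    print("brute-force candidates:", hits)
```

The sample traffic yields eight flow records: one HTTPS flow, one DNS query and six two-packet SSH flows from the same source. Only the SSH source trips the analysis stage; raising `min_flows` above six returns nothing, which is the threshold-tuning decision a collector operator actually makes.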
There are technical issues to consider before proceeding. Flow monitoring works almost flawlessly on wireline networks, as well as on virtual networks, which act as wired LANs. However, wireless networks do present one challenge. While it is possible to use a NIC interface for flow monitoring of a wireless network, such cards can only capture one frequency at a time. Therefore, when monitoring a wireless network via flow monitoring, it is advisable to place the NIC or FPGA at the wireless LAN controller.
As mentioned, DPI and Flow Monitoring initially were viewed as diametrically opposed approaches to network monitoring. DPI was considered all-encompassing for its ability to access and analyze the full packet payload at Layers 2 – 7, and thus reveal not only the application used but the exact content. Flow Monitoring was seen as less comprehensive for its packet header-only focus, but as a direct result of such refinement — more scalable, faster and less expensive.
However, the two technologies have always borne similarities. Flow monitoring provides critical data on targeted flows including originating and terminating IP addresses, port numbers and metadata. Flow monitoring systems may be deployed in in-line mode to intercept traffic between two hosts, or in mirror mode to make exact copies of packets transiting between ports. DPI captures similar types of data (and more), and may be deployed in the same ways. But again, the sticking point with flow monitoring is its focus on “packet sampling,” not all-out capture of all packets or examination of packet payload as is the case with DPI. With flow monitoring, packet sampling is accomplished by means of filters that confine capture criteria.
While filtering certainly reduces the amount of information gathered, flow monitoring has grown more robust over time thanks to a key addition in the form of Deep Packet Inspection. For example, any flow monitoring system using the IPFIX protocol can work at Layer 7 of the OSI stack to gather data on applications used by a target. Such “application awareness” is made possible by integrating DPI with the flow monitoring platform.
As a result, today’s flow monitoring products can be programmed to provide the same user ID, location and metadata as DPI, and at Layer 7 use DPI itself to reveal applications and content.
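The "application awareness" described above, and the earlier caveat that DPI cannot find what it is not programmed to seek, as an added Python example (not Flowmon's DPI engine). It holds a deliberately small, hand-written rule set that recognises HTTP requests, TLS ClientHello records and SSH banners from the first payload bytes of a flow, attaches the result to a header-only flow record, and contrasts it with a port-number guess. The payloads, the flow records and the rule set are all constructed assumptions; a payload the rules were not written for comes back as "unknown".

```python
"""Rule-based Layer 7 labelling of flow records from the first payload bytes,
i.e. the DPI step that turns a header-only flow record into an
application-aware one. Added example with a constructed rule set."""
import re

# A port-based guess is what a header-only flow record can offer on its own.
PORT_GUESS = {80: "http", 443: "tls", 22: "ssh"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HTTP_HOST = re.compile(rb"\r\nHost: ([^\r\n]+)")


def _is_tls_client_hello(p: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version major 0x03,
    # 2-byte length, then a handshake message whose type byte is 0x01 (ClientHello).
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


# The rule set: (application name, predicate over the first payload bytes).
# Like any DPI rule set, it only recognises what it was written for.
RULES = [
    ("http", lambda p: HTTP_REQUEST.match(p) is not None),
    ("tls", _is_tls_client_hello),
    ("ssh", lambda p: p.startswith(b"SSH-2.0-") or p.startswith(b"SSH-1.99-")),
]


def classify(payload: bytes) -> str:
    """First matching rule wins; anything unmatched is 'unknown', not a guess."""
    for name, predicate in RULES:
        if predicate(payload):
            return name
    return "unknown"


def enrich_flow(flow: dict, first_payload: bytes) -> dict:
    """Attach the L7 label (and for HTTP the Host header) to a flow record
    that by itself only carries addresses, ports and counters."""
    app = classify(first_payload)
    enriched = dict(flow, port_guess=PORT_GUESS.get(flow["dport"], "unknown"), application=app)
    if app == "http":
        m = HTTP_HOST.search(first_payload)
        if m:
            enriched["http_host"] = m.group(1).decode("ascii", "replace")
    return enriched


# Constructed sample flows: header-only record plus the first payload bytes.
SAMPLES = {
    "http_on_8080": (dict(src="10.0.0.5", dst="192.0.2.10", dport=8080),
                     b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    "tls_on_443": (dict(src="10.0.0.5", dst="192.0.2.20", dport=443),
                   bytes([0x16, 0x03, 0x01, 0x00, 0xC5, 0x01, 0x00, 0x00, 0xC1, 0x03, 0x03]) + b"\x00" * 32),
    "ssh_on_2222": (dict(src="10.0.0.9", dst="192.0.2.30", dport=2222),
                    b"SSH-2.0-OpenSSH_9.6\r\n"),
    "custom_on_443": (dict(src="10.0.0.9", dst="192.0.2.40", dport=443),
                      b"\x7fMYPROTO\x00\x01"),   # a protocol the rule set never covered
}


def enrich_all(samples=SAMPLES) -> dict:
    """Returns {sample name: enriched flow record}."""
    return {name: enrich_flow(flow, payload) for name, (flow, payload) in samples.items()}


if __name__ == "__main__":
    for name, rec in enrich_all().items():
        print(f"{name:14s} port guess={rec['port_guess']:8s} dpi={rec['application']:8s}"
              f" host={rec.get('http_host', '-')}")
```

Two of the samples show why the payload look matters: HTTP on port 8080 and SSH on port 2222 are mislabelled by the port guess but identified by the rules. The fourth sample shows the limit the text describes: traffic on port 443 that is not TLS is reported as "unknown" by DPI, and the port guess of "tls" would have been wrong, so the honest answer is the one that says nothing.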
One such device is the Flowmon probe originally developed by the Czech Republic’s INVEA-TECH and now offered in updated versions by Flowmon Networks.
Combining Flow Monitoring with DPI
The Flowmon Networks probe is a passive device that connects to a network and monitors all packets. At the outset, Flowmon uses Cisco NetFlow to collect information by ingress interface, source and destination IP addresses, IP protocol, source and destination ports, and type of service.
The solution is based on a pair of FPGA cards called “COMBO” that can process near-limitless amounts of data at wire speed with no input sampling required and zero packet loss. Flowmon inspects all packets and, with DPI embedded, captures the entire packet payload in Layers 4 – 7, creating complete flow records that are then ready for storage or analysis.
The first Flowmon probe, introduced in 2008, has evolved into a full-fledged suite used for commercial applications and lawful intercept. FPGA cards continue to be a key component in the product portfolio.
The probe is available in models that collect IP data at speeds beginning with 10 Mbps and going up to 100G. Like its 2008 predecessor, the probe uses the NetFlow v5/v9 and IPFIX protocols and FPGA cards to generate a complete copy of packets traversing an IP network. Probes are deployed at the locations in the network with the highest traffic, both ingress and egress, with the connection made either by mirrored port or Ethernet splitter. Because the probe is a passive device, it operates invisibly and without detection.
Flowmon offers multiple versions of its probe, each tailored to meet the operational and budget requirements of the user. Pricing moves up a sliding scale in tandem with higher performance capabilities and the number of interface ports per unit. On the low end, the Flowmon 1000 Probe with a single 10/100/1000 Mb Ethernet interface can intercept 500,000 packets/second. At the top, the Flowmon Pro 100000 CFPR can capture 1.5 million packets/second via a single 100G Ethernet interface.
The models in-between offer significant choice, with a few other differentiators. For example, the comparatively high-end Flowmon 80000 comes with a Quad Small Form-Factor Pluggable (QSFP) transceiver that permits quick “hot swapping” to intercept traffic on fiber optic cables without changing the underlying intercept system. The tradeoff: In QSFP mode the unit does not support DPI capability to capture key application data at Layer 7 such as VoIP and HTTP stats.
Complementing the probe is the Flowmon Collector, a single-purpose server that provides data retention. Each Collector takes in NetFlow- and IPFIX-formatted data collected from probes connected to the network. The Collector comes with 500 Gbs of resident storage capability supplemented by virtual storage from RAID multiple disk drive components. Note that with the “smaller” Flowmon probes, which collect lower volumes of data, storage is not part of the package and is sold as an add-on.
In addition to hardware-based flow monitoring/DPI, Flowmon also offers a selection of six virtual Flowmon products that take packet capture “to the cloud.” Flowmon virtual appliances are designed for a VMware environment. Performance is significantly lower than that of the hardware versions, beginning with the Flowmon VA 1000, which provides 0.3 Mps packet capture, and capping out with the top-of-the-line Flowmon VA 20000 with 0.7 Mps. Another caveat with these virtual appliances is that the Collector function is available only as an add-on.
The key takeaway with Flowmon is choice. In addition to hardware and virtual Flowmon products, buyers can opt to go the do-it-yourself route by purchasing and building on the COMBO-100G, an FPGA card that delivers full throughput of data transfers. With the Collector added, users also can leverage Flowmon analytics tools or those developed by third party analytics systems vendors such as InterSystems.
INVEA LI System
For law enforcement agents, Flowmon Networks provides a specific package that meets the full requirements of ETSI standards-based lawful intercept: the INVEA LI System. With three exceptions – absence of the standard Flowmon 40,000 Pro and the two virtual systems with the highest throughput in that class – the LI probes are identical to units offered for commercial clients. The key differentiator of the Lawful Intercept System is the addition of a mediation device. Flow data is routed from the probe to the mediation device for standard formatting prior to forwarding to a law enforcement agency’s (LEA) monitoring center.
In instances where the LEA or government agency already knows the IP address of the target, or up to 100 targets in a single location, Flowmon offers a tactical version of the Lawful Intercept System. The tactical system may be deployed for finite interception needs and quickly removed when the intercept is completed. While in operation the tactical unit provides both probe and mediation functionality, capturing call data and content through either a 1G or 10G interface, then converting the data to the correct LEA format.
For data retention, LEAs may use one or more Flowmon Collectors. As on the commercial side, Collectors store every byte of data collected, for real time or subsequent analysis. Flowmon’s data retention system can be designed to comply with the data collection rules of any country/client, and to provide stored data in the formats required by different LEAs and government agencies.
Speed-wise, the INVEA LI System does not disappoint – using FPGA-powered flow monitoring it can monitor 100G IP networks and deliver the right flows to Flowmon’s IP engine in the probe for analysis, thence onward to mediation and a law enforcement monitoring center.
One big differentiator for 2017: Flowmon Networks has switched to DPI solutions by Ixea, which has a proven record in the field.
Which Shall it Be – Netcope Technologies or Flowmon Networks?
Now that we’ve reviewed both INVEA-TECH offspring – Netcope Technologies and Flowmon Networks – which is best at delivering specified data intelligence off of 100G networks? Both can do 100G network monitoring and filtering, and use quite similar tools: FPGAs, Flow Monitoring and DPI. It’s not an either-or scenario, really, but one driven by client need.
Netcope focuses on FPGA adaptors, the hardware that directly offloads traffic from any network – 10G, 40G or 100G – and filters it to eliminate irrelevant streams such as Netflix or YouTube that might consume precious CPU dedicated to DPI analysis. Netcope uses Xilinx FPGAs, but otherwise is tech agnostic on the IP flow monitoring or DPI that the customer might wish to use. The Netcope Session Filter for Lawful Intercept comes with filters that can perform either conventional stateless interception on IP networks to determine packet headers at Level 3 and Level 4, or stateful IP flow monitoring at Level 4 for network flows. Netcope’s LI solution provides a wide array of flexibility, but because reprogramming FPGAs requires certain expertise in writing code, it may not be for the novitiate.
Flowmon Networks’ INVEA LI uses FPGAs to accelerate packet capture and analysis by its own proprietary Flowmon Probe and IP flow monitoring software, with final analysis conducted by Ixea DPI. The Flowmon probe performs network monitoring and interception at 100G wirespeed. INVEA also includes a mediation device. It’s a classic lawful intercept solution, with the hardware for configuring a court-ordered intercept and formatting collected evidence in the correct protocols. INVEA-LI is more user-friendly.
Insider Surveillance rating of Flowmon Networks: 4.5 Stars.