DNS filtering to secure your network

CHALLENGE

DNS is a complex distributed database that resolves human-readable host names into machine-readable IP addresses, and it is fundamental to a reliable and secure connection to the internet.

Since it is a frequent attack vector, DNS must be monitored in order to identify anomalies and malicious activity. Such attacks often take the form of redirection of DNS queries and cache poisoning toward malicious sites, reconnaissance (digital footprinting), denial of service or even data exfiltration.

Beyond security, DNS is also analysed to measure performance and to generate usage statistics.

MICROTEL INNOVATION SOLUTION

Microtel Innovation Aster Packet Brokers A-618, A-620, A-630C, A-640 and A-648 are the right solution: a powerful range of Network Packet Brokers, capable of filtering network traffic up to layer 4. DNS traffic runs on UDP or TCP port 53; thanks to our Aster Packet Brokers it can be filtered and forwarded to the analysis tools.

This is how the whole DNS traffic can be easily identified and isolated for further analysis.

Achieve better network performance by eliminating duplicate packets

WHY PACKET DEDUPLICATION?

It is common for a single packet capturing device (such as a passive probe, or any other passive tool analysing network performance) to be fed several copies of the same data from the same network.

Usually this happens when customers use SPAN (also referred to as port mirroring) to collect multiple VLANs or multiple ports of a switch/router onto the same packet capturing device. In this case the packet capturing tool may see the exact same IP packet multiple times, even though nothing was actually retransmitted on the network.

One simple example is shown in the figure below: PC-A in VLAN 1 sends IP packets to PC-C in VLAN 2. These packets are routed by the multilayer switch. At the mirror port of the switch we obtain both the ingress and the egress copy of every packet belonging to this stream, which constitute duplicate packets. Clearly, monitoring only the ingress traffic of this port avoids duplication, but in that case a packet coming from PC-B to PC-A or PC-C would not be captured.

Fig.1: Simple port mirroring scheme

If all this traffic goes to the same packet capturing tool, the device may conclude that data is being retransmitted by the sender and may over-count the volume of data associated with the conversation. This hinders effective network monitoring, since duplicate packets reduce statistical accuracy and lead to higher perceived levels of traffic or network errors.

MICROTEL INNOVATION SOLUTION

Removing duplicate packets at the monitoring tool is not the solution. Monitoring tools are already busy handling and processing network traffic, and they usually do not have the processing resources to properly take on an additional, processing-intensive task.

Microtel Innovation has two different products that can easily solve this problem:

  • Aster A-XFE streamliner, a top-performance Network Packet Broker with 20×100 Gbps ports, which may be used as:
    • an advanced NPB with packet deduplication, slicing, header stripping and VLAN tagging capabilities
    • a GTP balancer with session-based GTP filtering
    • one single device with both functionalities described above
  • Packet Deduplication DD1100, a smart FPGA appliance specialised in packet deduplication, which can be used stand-alone or as a service node with any Network Packet Broker, for example to add this specific feature to an already installed device.
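The mirror-port scenario above, as an added example that is not Microtel code: the ingress and egress copies of a routed packet differ only in MAC addresses, TTL and IP header checksum, so a deduplicator must key on the L3/L4 fields that survive the hop and must still let a genuine retransmission (new IP ID) through. The window length, addresses and MACs are constructed values.

```python
import hashlib
import struct

# Constructed example (not Microtel code): detect SPAN/mirror copies of one IP
# packet. A routed packet seen at switch ingress and egress differs only in MAC
# addresses, 802.1Q tag, TTL and IP header checksum, so those are left out of the
# key; a genuine TCP retransmission carries a new IP ID and is therefore kept.

DEDUP_WINDOW_S = 0.050   # assumed tuning value: remember each packet for 50 ms

def ip_packet_key(frame: bytes):
    """Hash of the L3/L4 bytes that survive a router hop; None for non-IPv4 frames."""
    ethertype, off = frame[12:14], 14
    if ethertype == b"\x81\x00":              # one 802.1Q tag: skip it
        ethertype, off = frame[16:18], 18
    if ethertype != b"\x08\x00":
        return None
    ip = frame[off:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    hdr = bytearray(ip[:ihl])
    hdr[8] = 0                                # TTL is decremented by the router
    hdr[10:12] = b"\x00\x00"                  # header checksum changes with the TTL
    return hashlib.sha256(bytes(hdr) + ip[ihl:total_len]).digest()

class Deduplicator:
    """Suppresses copies of a packet already seen within the time window."""

    def __init__(self, window: float = DEDUP_WINDOW_S):
        self.window = window
        self.seen = {}                        # key -> time of first sighting

    def is_duplicate(self, frame: bytes, now: float) -> bool:
        key = ip_packet_key(frame)
        if key is None:
            return False                      # non-IP frames are always forwarded
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.window}
        if key in self.seen:
            return True
        self.seen[key] = now
        return False

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum of a header whose checksum field is zero."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_frame(src_mac: bytes, dst_mac: bytes, ttl: int, ip_id: int, payload: bytes) -> bytes:
    """Constructed IPv4/UDP frame from PC-A (10.1.1.10, VLAN 1) to PC-C (10.2.2.20, VLAN 2)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, ttl, 17, 0,
                      bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + hdr + udp

def span_demo() -> list:
    """Mirror-port stream: ingress copy, egress copy (after routing), then a real resend."""
    pc_a, router, pc_c = b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x0c"
    ingress = build_frame(pc_a, router, 64, 0x1001, b"query")   # seen on the VLAN 1 side
    egress = build_frame(router, pc_c, 63, 0x1001, b"query")    # same packet, TTL decremented
    resend = build_frame(pc_a, router, 64, 0x1002, b"query")    # genuine retransmission: new IP ID
    d = Deduplicator()
    return [d.is_duplicate(ingress, 0.000), d.is_duplicate(egress, 0.001), d.is_duplicate(resend, 0.002)]
```

span_demo() returns [False, True, False]: the egress copy is dropped, the retransmission is kept.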

Drop GTP-U traffic to reduce probe workload

CHALLENGE

The customer, a European telecom operator, asked for our support to reduce the amount of mobile traffic generated by a specific type of device. The device in question is a home station appliance that provides internet services to customers through the mobile network, which results in a significant increase of user data traffic within the Telecom Operator's mobile network.

The Operator's request was therefore to filter the home station GTP-U traffic at core level, without sending it to the monitoring tools, while the GTP-C traffic still proceeds to the monitoring probes for troubleshooting purposes.

MICROTEL INNOVATION SOLUTION

To meet the customer's needs, the technical team proposed the Microtel Aster A-630C, a powerful L2-L4 packet broker capable of filtering on GTP-U Inner IP addresses; both IPv4 and IPv6 are supported.

By setting a simple filter in the management interface, the Microtel A-630C identifies the home station traffic and routes its user plane to a specific destination, while the control plane proceeds to the usual troubleshooting probe.


APN and other GTP filtering

The Network Visibility Challenge in Mobile Core Networks

THE CHALLENGE

Mobile data traffic continues to grow at an exponential rate, driven by mobile video and OTT services. Even though 5G is coming, existing LTE mobile networks still carry a heavy load, and it will keep growing until the new 5G networks settle.

Monitoring this high volume of traffic is a problem for the operators: they need it for troubleshooting and for guaranteeing the best user experience to their customers, but the data traffic is growing so fast that they are not able to cope with it. One solution is to reduce the User Plane data that has to be monitored, and to do it only for a specific geographical area or type of traffic: this greatly reduces the load on the monitoring tools and also solves privacy and legal issues.

Here are a couple of Use Cases where the GTP User Plane can be efficiently filtered: the first example deals with filtering mobile subscribers based on where they are, the second one with filtering IoT traffic based on a specific APN.

Fig. 1 Filtering mobile subscribers on a geographical basis

Fig. 2 Filtering IoT traffic on an APN basis

THE SOLUTION

Based on the information included in the GTP Control Plane, Microtel Innovation GTP Packet Brokers can easily identify and filter GTP User Plane traffic based on several parameters, like:

  • APN type, for example to identify IoT traffic
  • VoLTE traffic, to filter this specific traffic and feed VoLTE quality systems
  • Geographical parameters (ULI), for example to deeply monitor all the traffic coming from a specific area
  • QCI, for example to analyse video quality

The NPB configuration is quick and simple, through the easy-to-use Microtel Innovation graphical user interface.

GTP User Plane Offloading

THE CHALLENGE

Mobile data traffic continues to grow at an exponential rate, driven by mobile video and OTT services. Even though 5G is going to be deployed by many Telecom Operators, existing LTE mobile networks still carry a heavy load, and it will continue to grow.

Monitoring this high volume of traffic is a problem for the operators: they need it for troubleshooting and for guaranteeing the best user experience to their customers, but the data traffic is growing so fast that they are not able to cope with it.

Using probes with higher capacity, or adding probes, is a costly solution that not all Operators can afford. Looking at the problem from a different perspective, another solution is to reduce the User Plane traffic and send the monitoring tools only the data they really need for their tasks, without exceeding their capacity.

The GTP protocol in LTE Core networks

In 2G, 3G and 4G/LTE technologies, the GTP protocol is used to carry mobile data across mobile networks, both control plane (GTP-C) and user plane (GTP-U) information.

Fig. 1 GTP protocol in 4G networks

THE SOLUTION

A Network Packet Broker may be deployed to reduce the GTP User Plane traffic sent to the monitoring tools. Not every NPB can be used, since this task requires special capabilities that are also very demanding from the computational point of view.

The main techniques to reduce the GTP User Plane traffic are the following:

  1. GTP-U traffic reduction using Inner IP filtering
  2. GTP-U traffic reduction by filtering the data based on different GTP-C parameters, such as IMSI, IMEI, APN, … or based on the geographic area where the subscriber is.

1. GTP-U traffic reduction using Inner IP Filtering

Inner IP filtering can be deployed when the intent is to filter specific users' traffic by their IP addresses, and to send the tools only part of the initial traffic.

It consists of filtering the User Plane on the IP address of the device that started the communication; since this address is carried inside the GTP tunnel, it is also called the "Inner IP".

Note that the Network Packet Broker used for this task must implement Inner IP filtering in hardware, to deliver the required performance.

Fig. 2 Inner IP in GTP frame (User IP=IP packet sent by the phone)

This technique can be used effectively in many Use Cases, listed below.

  • Use case: GTP User Plane traffic statistical sampling
    • How: traffic is coherently reduced using inner IP filtering
    • Notes: all traffic related to a specific inner IP is sent to the tools, but the set of inner IPs is sampled in order to reduce the traffic. Several reduction percentages may be configured, based on the Operator's specific needs.
  • Use case: GTP User Plane traffic reduction by sending to the tools only the subscribers belonging to a specific list (IMSI - Inner IP dynamic correlation)
    • How: use the NPB REST API to configure the NPB Inner IP White List in real time
    • Notes: the inner IP address is dynamic, can change with each PDP context message and is typically managed by the network itself. Operators that are able to trace in real time the correlation between IMSI (the unique identifier of the subscriber) and inner IP may configure the NPB Inner IP White List in real time using the NPB REST API.
  • Use case: GTP User Plane traffic reduction by sending to the tools only the subscribers belonging to a specific list (IMSI - Inner IP static correlation)
    • How: configure the NPB Inner IP White List directly on the NPB
    • Notes: in some specific cases the Inner IP and IMSI correlation does not change over time. This is the case, for example, of mobile Set Top Boxes: they take advantage of the high bandwidth provided by LTE, maybe in an area where a fibre connection to the home is not easy to provide, but they do not move. The connection is always on and the IP address usually does not change, depending on Operator policies. Operators usually have the list of Set Top Box inner IPs in their database, so they can easily configure the NPB to filter them. Also in this case the REST API may be an interesting tool to integrate the NPB with the Operator's database.

Microtel Innovation Aster A-640 and Aster A-648 are the right solution for these Use Cases: they implement Inner IP filtering in dedicated hardware, so there are no performance limitations related to the load on the device and they can work at full speed; moreover they provide powerful REST APIs for easy integration with the Operator's systems, where the IMSI / inner IP correlation lists are produced.

Another advantage of this technique is that it does not need Control Plane information to work, so it can be used also in modern CUPS and 5G architectures, where GTP-C and GTP-U are deployed in different locations: in these cases traffic reduction based on inner IP is the most suitable solution to offload monitoring and security tools.

Fig. 3 Using Inner IP to filter S1-U (GTP User Plane)

2. GTP-U traffic reduction based on different GTP-C parameters

Another way to filter the GTP User Plane is based on GTP-C parameters, like mobile phone identifiers (IMSI, IMEI, APN, …) or geographical parameters, which identify the area where the mobile phone is.

The challenge in this case is that such parameters are included only in the control plane packets (GTP-C), not in the user plane (GTP-U), and since GTP-C and GTP-U data are available through different interfaces, the correlation between them is not an easy task to implement.

Microtel Innovation Aster XGB A-818 and A-820 and Aster A-XFE are the right products for this case: they are powerful appliances capable of handling GTP-C and GTP-U packets at any speed from 1G to 100G, and of correlating them, so ensuring that all the data flows belonging to the same subscriber are recognised and grouped together for further processing.

Once the correlation is done, it is easy for the Aster NPB to filter the User Plane traffic on any parameter included in the GTP-C packets, since the device knows to which subscriber the user plane belongs.

With this technique many filters may be implemented:

Type of filter and how it works:

  • Mobile Phone IDs
    • IMSI (International Mobile Subscriber Identity): User and/or Control plane traffic generated by the IMSIs listed in the White/Black Lists is forwarded to the tools or blocked
    • MSISDN (Mobile Station International Subscriber Directory Number): User and/or Control plane traffic generated by the MSISDNs listed in the White/Black Lists is forwarded to the tools or blocked
    • IMEI (International Mobile Equipment Identity): User and/or Control plane traffic generated by the IMEIs listed in the White/Black Lists is forwarded to the tools or blocked
  • Geographical location
    • User Location Information (ULI-CGI, ULI-SAI, ULI-RAI, ULI-TAI, ULI-LAI, ULI-ECG): User and/or Control plane traffic coming from the geographical areas identified by the ULI values listed in the White/Black Lists is forwarded to the tools or blocked
  • Network type
    • APN (Access Point Name): User and/or Control plane traffic belonging to the APNs listed in the White/Black Lists is forwarded to the tools or blocked
    • VoLTE (Voice over LTE): User and/or Control plane traffic belonging to subscribers using the VoLTE service is forwarded to the tools or blocked
    • RAT (Radio Access Technology): User and/or Control plane traffic belonging to the RATs listed in the White/Black Lists is forwarded to the tools or blocked
    • SER-NET (Serving Network): User and/or Control plane traffic belonging to the SER-NETs listed in the White/Black Lists is forwarded to the tools or blocked
    • QCI (QoS Class Identifier): User and/or Control plane traffic whose QCI is set to one of the values listed in the White/Black Lists is forwarded to the tools or blocked

Fig.4 Using GTP-C parameters to filter GTP User Plane

In summary, the most efficient and cost-effective way to reduce the GTP User Plane depends on the Operator's needs and Use Cases: in all situations Microtel Innovation Aster Network Packet Brokers are the right solution to the customer's problem.

Why extend IP monitoring to TDM networks

THE CHALLENGE

Telecom Operators are migrating from legacy network infrastructures to more scalable, flexible and efficient Internet Protocol (IP) networks in order to support new IP services. However, mixed architectures, with TDM (dedicated to rural areas or international connections) and IP coexisting, are still common in the telecommunications world, and they are a strong barrier for Service Providers who need to monitor connections end to end.

Monitoring this high volume of traffic is a must for the Operators: they need it for troubleshooting and for guaranteeing the best user experience to their customers, but the old TDM tools are often going out of production, leaving a gap in visibility over the TDM networks.

So, while on one side Telecom Operators have a strong need to monitor the legacy networks, at least at the critical points, on the other side they are reluctant to invest in TDM tools, which are gradually being phased out and have high maintenance costs; they prefer to monitor the whole infrastructure with IP monitoring tools.

THE SOLUTION

Microtel's Ethernizer product family is the solution to this challenge: it enables operators to manage mixed infrastructures with the same IP probe, making all locations and all layers visible to the Centralized Monitoring System.

The solution converts both TDM signalling and voice to IP, providing a general solution capable of feeding different types of IP probes, used for several purposes such as troubleshooting, customer experience, performance management, security, …

Note that Ethernizer does not require any customization of the IP tool it interfaces with, since it uses the standard SIGTRAN and RTP output protocols.

Ethernizer capabilities:

  • It works with several types of link: E1, T1, STM-1
  • It converts SS7 signalling (MTP-2 or ATM) to SIGTRAN (M2UA or M3UA)
  • It converts ISDN E1/PRI (LAPD D-channel) to SIGTRAN (IUA)
  • It converts voice (MTP-2) over STM-1 links to RTP
  • It performs L2GRE/NVGRE tunnel encapsulation/decapsulation, so that converted IP traffic can be backhauled to geographically remote IP probes

Additionally, connecting to the TDM network is not a problem, since the Ethernizers offer several ways of doing so, using specific Microtel tools such as:

IMSI filtering and subscriber visibility

How to offload the GTP User Plane traffic that does not belong to a list of subscribers?

THE CHALLENGE

Mobile data traffic continues to grow at an exponential rate, driven by mobile video and OTT services. Even though 5G is going to be deployed in many Telecom Operators' networks, existing LTE mobile networks still carry a heavy load, and it will continue to grow.

Monitoring this high volume of traffic is a problem for the operators: they need it for troubleshooting and for guaranteeing the best user experience to their customers, but the data traffic is growing so fast that they are not able to cope with it.

In particular, for troubleshooting, sometimes the information available in the GTP control plane is not enough: this is the case, for example, of a customer whose connection works perfectly but whose OTT services (Skype, WhatsApp, video, …) have issues.

In this case Telecom Operators need to analyse the User Plane traffic too, but only for the subscribers who have the problem, otherwise they would exhaust the probes' processing capacity. How can this be done? The solution is to filter the User Plane traffic and forward it to the probes only for the subscribers who need it, and who belong to a specific list.

To identify the subscriber uniquely, the IMSI may be used: the IMSI is a unique number rigidly tied to the subscriber's SIM card, and the operator can easily look it up in its subscriber database.

This way the load on the monitoring tools is greatly reduced, and privacy and legal issues are solved as well.

THE SOLUTION

The solution Microtel Innovation provides is robust and does not require any difficult operator task: our Aster GTP Packet Brokers can filter the GTP User Plane traffic based on IMSI White and Black Lists, by correlating GTP Control and User Plane data.

One specific Use Case concerns User Plane troubleshooting while at the same time ensuring compliance with privacy regulations: some Operators, due to GDPR rules, have put in place a strict process that prevents them from forwarding subscribers' User Plane traffic to the Monitoring Probes without the subscribers' approval. User Plane traffic analysis can be done only if and when the subscriber authorises such activity.

Using Microtel Innovation Aster GTP Packet Brokers, this is a very easy task to implement. While all Control Plane traffic is sent to the monitoring tools for generic troubleshooting purposes, the following process can be used for the User Plane data:

  • Customer approval is required before sending the User Plane data to the tools, for troubleshooting or any other agreed purpose
  • Through the Operator's customer portal, such approval is registered in the Operator's database
  • At this point the customer's IMSI may be added to the Aster GTP Packet Broker White List: just a few clicks on our seamless and easy-to-use Graphical User Interface, and this is done
  • From now on, the Aster GTP Packet Broker sends the customer's user data to the tools
  • It stops when the IMSI is removed from the Aster White List.

Fig1: How to make GDPR and user data analysis coexist: an existing implementation

Why Header Stripping?

THE CHALLENGE

In IP data communication networks, routers and switches may create a tunnel between two points of a network that can securely transmit any kind of data between them. Tunnelling involves encapsulating an IP packet within another packet by adding a packet header. This encapsulation enables the packet to reach its destination through intermediate networks that do not support the packet's protocol.

Different types of header may be used, depending on the place in the network and/or on the type of network. A few examples are GRE, VLAN, MPLS, VN-Tag, VXLAN and GTP-U headers.

One example in telecommunication networks is the GTP-U tunnel: it is used to efficiently carry large volumes of user data within the mobile core network and between the radio access network and the core network.

In IP networks, one key application of MPLS tunnelling is switching the traffic of a large enterprise across the service provider backbone, where MPLS labels keep the traffic separate from that of other enterprises. In this case, when tapping the MPLS tunnels between two routers, we may face the following situation, possibly with multiple stacked tags or labels present:

Tools that are neither MPLS-aware nor VLAN-aware will not be able to analyse the received traffic

The problem is that monitoring tools usually do not recognise tunnel headers; consequently they discard these packets as malformed, making it impossible to analyse such networks properly.

Header stripping is a useful feature even when the monitoring tools are able to recognise the tunnels and do the stripping themselves, because doing it in an external appliance relieves the tool of a process that would degrade its performance.

WHAT WE DO

Microtel Innovation NPBs and Visibility Appliances analyse the input traffic, identify specific headers such as MPLS, VLAN, VXLAN, VN-TAG, GTP-U and GRE, and remove them before sending the packets to the appropriate security and analysis tools.

In this way analysis and monitoring tools are able to process traffic flows that they otherwise could not recognize because of an unreadable header type.

The solution is highly performant and scalable. Moreover, Microtel Innovation header stripping restores the inner frames: after this manipulation the resulting frame is a valid IP packet with a correct checksum.

Here is an example of how our system works:

  • In Fig1 GTP-U header stripping is enabled, using the NPB GUI
  • Fig2 shows the result of the operation on the output traffic: since only frame 360 is GTP-U, it is the only one de-tunnelled by the device.

Fig1: GTP-U header stripping is configured in the NPB GUI

Fig2: GTP-U frame header is stripped and the de-tunneled frame is sent to the NPB output port

5G User Plane Balancing

THE CHALLENGE

Mobile networks have experienced continuous traffic growth in recent years: data traffic continues to grow at an exponential rate, driven by mobile video and OTT services.

This is creating challenges for mobile operators, as they seek to keep up with traffic analysis and monitoring of all of the data on their network that needs to be processed and analysed.

Furthermore, the disaggregation of the control plane and the physical separation of control and user planes, now used in modern networks such as LTE CUPS and 5G deployments, add further complexity.

For mobile carriers, efficiently and effectively monitoring performance, Quality of Experience (QoE) and security for their services and subscribers, as well as identifying and monetising new offerings, is critical to success. But the current network probes that provide visibility into wireless core networks have limited capacity and may not cope with the exploding mobile subscriber traffic. Additional probes need to be added, and the GTP User Plane traffic has to be balanced between them, guaranteeing that the whole subscriber session is sent to the same tool.

THE SOLUTION

Microtel Innovation Aster A-640 and A-648 provide the solution to this problem.

Balancing the GTP User Plane is not an easy task: it must be done in a way that guarantees that all of a subscriber's traffic is sent to the same probe, and it must deliver the best performance, so that the solution is future proof and ready for the growing data traffic of the coming years.

How can this be done? By balancing the User Plane traffic using Inner IP filtering, and doing it in hardware to avoid performance problems.

In fact, in the GTP protocol the Inner IP is the Subscriber IP address, and balancing the traffic on this key keeps all the User Plane flows belonging to the same subscriber together.

Fig. 1 Inner IP in GTP frame (inner IP=IP packet sent by the phone)

Since the Control Plane traffic is usually a small percentage of the User Plane, there is no need to balance it. It can be forwarded to the probes in different ways, depending on how the probe works:

  • Some monitoring systems have a probe dedicated to the Control Plane; in this case the Control Plane traffic is separated and sent only to the Control Plane probe (see fig2).
  • In other cases the User Plane probes require the Control Plane data too; in this situation the Network Packet Broker can replicate the Control Plane traffic and send all of it to each probe for further processing.

Fig. 2 GTP User Plane balancing using inner IP - example with 400G Input Traffic

Note that the solution described above makes no use of Control Plane / User Plane correlation, which is a very heavy activity and in some cases difficult to implement, because in modern networks, for example CUPS and 5G, Control Plane signalling and User Plane data are not always in the same location.

To summarize, using Aster A-640 and Aster A-648 to balance User Plane traffic is the perfect solution when:

  • High performance is needed: Aster A-640 can cope with up to 3,2 TB of traffic, with 32×40/100G input/output ports, each of which can be used as 4×10/25G
  • Control Plane and User Plane data are not available in the same location, as it happens for example with CUPS and 5G Networks
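The three inner-IP techniques this page describes, Inner IP white-list filtering, GTP-U header stripping and User Plane balancing on the subscriber IP, share the same parsing step, shown here in one added example that is not Microtel code. It assumes IPv4 inside and outside the tunnel, Ethernet II framing, a known UE address pool (a constructed 10.0.0.0/8) to tell the subscriber address from the peer address in both directions, and CRC32 as a stand-in for the appliance's hardware hash; the test frames and addresses are constructed.

```python
import ipaddress
import struct
import zlib

# Constructed example (not Microtel code): parse a GTP-U frame on UDP port 2152,
# strip the tunnel headers, find the subscriber (inner) IP and pick a probe with it.
# Assumed: IPv4 inside and outside, Ethernet II framing, a known UE pool, CRC32 hash.

UE_POOL = ipaddress.ip_network("10.0.0.0/8")   # assumed subscriber address pool

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid header (checksum included) gives 0."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build an IPv4 packet with a correct header checksum (for the test frames)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def gtpu_header_len(gtp: bytes) -> int:
    """GTPv1-U header: 8 bytes, +4 if E, S or PN is set, plus any extension headers."""
    flags = gtp[0]
    if flags >> 5 != 1:
        raise ValueError("not a GTPv1 header")
    n = 8
    if flags & 0x07:
        n = 12
        next_ext = gtp[11] if flags & 0x04 else 0   # chain is valid only when E is set
        while next_ext:
            ext_len = gtp[n] * 4                    # length field is in 4-octet units
            next_ext = gtp[n + ext_len - 1]
            n += ext_len
    return n

def parse_gtpu_frame(frame: bytes) -> dict:
    """Return TEID, the inner IPv4 packet and its addresses from a G-PDU frame."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    outer = frame[14:]
    udp = outer[(outer[0] & 0x0F) * 4:]
    if outer[9] != 17 or struct.unpack("!H", udp[2:4])[0] != 2152 or udp[9] != 0xFF:
        raise ValueError("not a GTP-U G-PDU over UDP")
    gtp = udp[8:]
    inner = gtp[gtpu_header_len(gtp):8 + struct.unpack("!H", gtp[2:4])[0]]
    return {"teid": struct.unpack("!I", gtp[4:8])[0], "inner": inner,
            "src": ipaddress.ip_address(inner[12:16]), "dst": ipaddress.ip_address(inner[16:20])}

def strip_gtpu(frame: bytes) -> bytes:
    """Header stripping: outer Ethernet header + inner IP packet, checksum verified."""
    inner = parse_gtpu_frame(frame)["inner"]
    if ipv4_checksum(inner[:(inner[0] & 0x0F) * 4]) != 0:
        raise ValueError("inner IPv4 header checksum is wrong")
    return frame[:12] + b"\x08\x00" + inner

def subscriber_ip(frame: bytes):
    """The inner address inside the UE pool is the subscriber, in either direction."""
    info = parse_gtpu_frame(frame)
    return next((a for a in (info["src"], info["dst"]) if a in UE_POOL), None)

def inner_ip_allowed(frame: bytes, whitelist: set) -> bool:
    """Inner IP white list: forward only the listed subscribers' user plane."""
    sub = subscriber_ip(frame)
    return sub is not None and str(sub) in whitelist

def select_probe(frame: bytes, n_probes: int) -> int:
    """Balance on the subscriber IP so uplink and downlink reach the same probe."""
    sub = subscriber_ip(frame)
    if sub is None:
        raise ValueError("no UE-pool address in the inner packet")
    return zlib.crc32(sub.packed) % n_probes

def build_gtpu_frame(ue_ip: str, peer_ip: str, uplink: bool, teid: int, seq=None) -> bytes:
    """Constructed S1-U test frame: Ethernet / IPv4 / UDP 2152 / GTP-U / IPv4 / UDP."""
    inner_src, inner_dst = (ue_ip, peer_ip) if uplink else (peer_ip, ue_ip)
    inner = ipv4_packet(inner_src, inner_dst, 17, struct.pack("!HHHH", 40000, 53, 13, 0) + b"hello")
    opts = struct.pack("!HBB", seq, 0, 0) if seq is not None else b""  # seq, N-PDU, next ext
    gtp = struct.pack("!BBHI", 0x32 if opts else 0x30, 0xFF, len(opts) + len(inner), teid) + opts + inner
    outer_src, outer_dst = ("192.0.2.1", "192.0.2.2") if uplink else ("192.0.2.2", "192.0.2.1")
    outer = ipv4_packet(outer_src, outer_dst, 17, struct.pack("!HHHH", 2152, 2152, 8 + len(gtp), 0) + gtp)
    return bytes.fromhex("00112233445566778899aabb0800") + outer   # made-up eNodeB/SGW MACs
```

Because both directions are keyed on the UE-pool address rather than on the (src, dst) pair, an uplink and a downlink frame of the same subscriber map to the same probe index.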