| Product Profile |
As Internet services spread, networks carry ever more bandwidth. Bandwidth at international entrances and on the Internet links among national operators is growing rapidly. The bandwidth of most Metropolitan Area Network (MAN) entrances exceeds 10 Gbps, and that of IDC entrances exceeds 5 Gbps. This growth affects not only operators' networks but also the networks of other industries and governments. Applications and services on the network are becoming richer as well, including audio and video services based on streaming media and MPLS-based VPN services.
Network security problems have grown along with network infrastructure and Internet services. Because the cost and skill required for network attacks have declined immensely, attacks and anomaly traffic of many kinds overwhelm the network. In this situation, it is imperative to analyze network traffic to get a clear view of how traffic is distributed and how it is trending.
COLLAPSAR Network Traffic Analyst (COLLAPSAR NTA for short) is designed to analyze traffic on the backbone network based on flow technology. With two main functions, anomaly traffic detection and traffic statistic analysis, COLLAPSAR NTA can analyze most anomaly traffic, such as DDoS traffic, network abuse and overuse, worm floods, and P2P traffic. NTA can be deployed on its own as a traffic analysis product, or together with the Collapsar Defender series as the anomaly traffic detection component of an anti-DDoS solution. |
| |
| Features |
Advanced baseline generation algorithm |
Because the indexes used for anomaly detection are diverse, the traffic analysis system needs different baselines for comparison to keep traffic detection accurate. NTA adopts two baseline algorithms. One is the periodic baseline, used to check traffic indexes with an obviously periodic tendency, such as total traffic on a given port, total traffic of an application, and the traffic tendency of an IP address group; the other is the portable window baseline, used to check traffic indexes that do not change periodically. The baseline value is calculated from a group of historical traffic data using weighted values and confidence intervals. Historical data outside the trusted range is excluded from the baseline calculation, which ensures the validity of the baseline. |
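A sketch of the window baseline described above, added here as an example and not NSFOCUS code: the baseline is a recency-weighted mean of recent samples, the trusted range is a confidence band around it, and samples outside the band are flagged and kept out of the history. It assumes the "portable window" is a sliding window; the window size, linear weights, band width `k` and the sample values are all assumptions.

```python
from collections import deque
from math import sqrt


class WindowBaseline:
    """Sliding-window baseline with a confidence band (assumed design, not NTA's)."""

    def __init__(self, window=12, k=3.0, warmup=4, min_dev=1.0):
        self.history = deque(maxlen=window)  # trusted samples only
        self.k = k              # band half-width, in weighted std deviations
        self.warmup = warmup    # samples accepted unconditionally at start
        self.min_dev = min_dev  # floor so a flat history still has a band

    def band(self):
        """Return (baseline, low, high) computed from the trusted history."""
        n = len(self.history)
        weights = range(1, n + 1)            # newer samples weigh more
        total = sum(weights)
        mean = sum(w * x for w, x in zip(weights, self.history)) / total
        var = sum(w * (x - mean) ** 2 for w, x in zip(weights, self.history)) / total
        dev = max(sqrt(var), self.min_dev)
        return mean, mean - self.k * dev, mean + self.k * dev

    def observe(self, value):
        """Classify one sample; only trusted samples update the baseline."""
        if len(self.history) < self.warmup:
            self.history.append(value)
            return "learning"
        _, low, high = self.band()
        if low <= value <= high:
            self.history.append(value)
            return "normal"
        return "anomaly"                     # excluded from the history


def classify(samples, **kwargs):
    detector = WindowBaseline(**kwargs)
    return [detector.observe(s) for s in samples], detector


# Constructed pps samples for one monitored port: steady load, then a flood.
SAMPLES = [1000, 1020, 990, 1010, 1005, 995, 9000, 9500, 1015, 1000]

if __name__ == "__main__":
    labels, det = classify(SAMPLES)
    for s, label in zip(SAMPLES, labels):
        print(f"{s:>6} pps  {label}")
    print("baseline %.1f, trusted range %.1f..%.1f" % det.band())
```

Because rejected samples never enter the history, the flood does not drag the baseline upward; the flip side is that a legitimate permanent change in traffic level keeps alerting until the baseline is retrained.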
Rich anomaly detection algorithm |
COLLAPSAR NTA provides up to 17 categories (50 types) of detection indexes. Each detection index corresponds to a detection algorithm. Together these indexes cover the detection of all anomaly traffic on the backbone network. The following seven types of network anomaly traffic can be detected correctly through these algorithms:
- DDoS Attack
• SYN Flood
• UDP Flood
• ICMP Flood
• ACK Flood
• DNS Query Flood
• HTTP GET Flood
• LAND Flood
• IGMP Flood
• TCP Flag NULL
• TCP Flag Misuse
• Protocol NULL
- Worms
• Code Red
• Opasoft
• SQL Slammer
• WelChia
• Worm. WelChia
• Sasser
• Mail Worm
• WinNuke Attack
- Network Misuse
• Private IP Anomaly
• Dark IP Anomaly
- Traffic Anomaly
• bps Anomaly
• pps Anomaly
• Session Anomaly
- Protocol Proportion Anomaly
• TCP Proportion Anomaly
• UDP Proportion Anomaly
• ICMP Proportion Anomaly
• IGMP Proportion Anomaly
- Traffic Distribution Anomaly
• Source Address Dispersion Anomaly
• Target Address Dispersion Anomaly
• Port Dispersion Anomaly
- P2P Traffic
• BitTorrent
• eMule
• Xunlei
• PPLive
• P2P Traffic (unknown application)
|
Flexible and effective detection |
The calculation engine of COLLAPSAR NTA uses a framework-plus-plug-in architecture that keeps the system flexible and effective. Each plug-in corresponds to one or more detection algorithms. Users can choose the most appropriate plug-ins to upload according to their network structure and service features. In addition, the system provides predefined plug-in templates for different types of typical users. When operating and maintaining an operator's backbone network, less attention is paid to the application layer; in the IDC environment the opposite is true. Users can therefore decide flexibly which detection plug-ins to upload in each of these two environments. |
Powerful processing capability |
With a high-performance hardware platform and optimized underlying algorithms, COLLAPSAR NTA can process 80,000 flows per second, satisfying the requirements for traffic analysis in backbone networks in the telecommunication field. |
Plug-and-play |
Only simple configuration is required to get the system online. When configuring the range of monitored IP addresses, it is not necessary to enter the addresses manually. Instead, the system presents the IP address segments in the route table as a list of options, and maintenance personnel just choose the segments to be monitored from the list. Many similar automatic processes are provided. |
|
| |
| Functions |
| Index | Collapsar-NTA-SP2000 |
| --- | --- |
| Alert Monitor | Display alert figures and the events list in real time; clicking an alert event displays its details. |
| Traffic Analysis | Monitor the current traffic in real time, or give a time scope to replay traffic history; drill into network traffic from different perspectives such as network, router, port, subnet, and IP address group. |
| Device Monitor | Monitor the SNMP-collected information about device operation status and port traffic, and the flow packet information that the traffic analysis device receives from network element devices. |
| Statistic Report | Allow users to choose conditions such as time scope, statistic cycle, report type, and report template from the interface to generate reports flexibly; reports in RTF, PDF, HTML, and EXCEL formats are supported. |
| Route Analysis | Assess the stability and rationality of the router by analyzing information about the route and route table. |
| Operation Configuration | Configure the operation parameters of the system, including device management, engine operation parameter, autonomy domain list, alert configuration, storage policy, traffic group, route parameter configuration, IP configuration detection, IP cluster configuration, application/port configuration, and Collapsar diversion configuration. |
| System Management | Manage the traffic analysis system itself, including user management, basic system information, network configuration, license management, and system upgrade. |
| Log Management | Query and browse detailed information about logs. Logs are divided into two types: audit logs and diversion logs. Audit logs record past operations on the system; diversion logs record past diversion suggestions sent by the NTA device to the anti-DDoS device. |