HowTo Monitor Customer Traffic in Managed Service Providers and ISPs


For years ISPs have provided Internet access to customers, and their only goal was to connect those users to the Internet. Managed Service Providers (MSP) and Managed Security Service Providers (MSSP), which deliver network, services and infrastructure on customer premises, have become relatively popular in the past few years. Over time customers started to ask for new services, including traffic monitoring, security (this is where MSSPs come into the scene) and visibility.

So if you are an MSP, MSSP or ISP and you are wondering how to monitor customer traffic using ntop tools, this post can be your starting point.

Solution 1: Central Location with Static and Non Overlapping IPs

The simplest solution you can think of is depicted below:

For every network the provider serves, a mirror/TAP is used to duplicate traffic. One nProbe per network monitors the mirrored customer traffic (note that the network can be distributed, hence nProbe instances can run on different hosts and locations) and the flows are delivered to the central ntopng via ZMQ. ntopng can be configured to collect flows on several ZMQ interfaces, one per probe, and to aggregate them through the view interface. This maximizes overall performance, as every interface is independent. In order to limit every user to seeing only their own traffic, you need to configure in ntopng one user per customer and restrict that user to the IPs the customer owns; without this restriction every user of the view interface would see the traffic of all customers. Example: supposing there is a customer whose server has IP 192.168.160.10, this is the configuration to use.

This solution works only if customers do not have overlapping IPs and IPs are assigned statically (i.e. they do not change over time), otherwise the per-user IP restriction no longer matches the right traffic.

In this case you will need one ntopng license and one nProbe license per host. Note that licenses are bound to the host, so you do not have to pay for multiple licenses if you start multiple nProbe instances on the same host. Configuration example (ntopng is active on host 172.16.100.10 and nProbes at 192.168.1.2-192.168.1.4 capturing traffic on interface eno1):

  • ntopng -i tcp://192.168.1.2:1234 -i tcp://192.168.1.3:1234 -i tcp://192.168.1.4:1234 -i view:all
  • nprobe -i eno1 -n none --zmq tcp://192.168.1.2:1234 (on 192.168.1.2; replicate it on every other nProbe host, each publishing on its own address)

Solution 2: Remote Sites and Overlapping IPs

This solution applies to service providers who have remote customer sites with routers/firewalls able to generate NetFlow/IPFIX (e.g. Mikrotik is a popular device used by many companies). As providers often "replicate" the same network for every customer, it is likely that inside the customer networks the address plan is the same, so you need to keep the traffic separated per customer rather than merging it with the view interface (merged flows from two customers using the same address plan would be indistinguishable by IP). In this case you need to configure, on the central host where ntopng is running, one ZMQ interface per customer (i.e. each customer gets its own ZMQ interface, so traffic of different customers is never mixed). The nProbe instances collecting flows can run on the same host where ntopng is active, each collecting the traffic of an individual customer on its own NetFlow/IPFIX port.

In this case, supposing to run both nProbe and ntopng on the same host, you will need one ntopng Enterprise L Bundle license (able to support up to 32 ZMQ interfaces and thus 32 customers), which includes both the nProbe and ntopng licenses. Configuration example (ntopng and nProbe are active on host 172.16.100.10):

  • ntopng -i tcp://127.0.0.1:1234 -i tcp://127.0.0.1:1235 -i tcp://127.0.0.1:1236
  • nprobe -3 2055 -n none --zmq tcp://127.0.0.1:1234 (customer A flows are collected on 172.16.100.10:2055)
  • nprobe -3 2056 -n none --zmq tcp://127.0.0.1:1235 (customer B flows are collected on 172.16.100.10:2056)
  • nprobe -3 2057 -n none --zmq tcp://127.0.0.1:1236 (customer C flows are collected on 172.16.100.10:2057)


In this case each customer user is configured to restrict its view to its own ZMQ-monitored interface, so a customer can never browse another customer's interface.

Of course if you have more than 32 customers, you can replicate the above setup (a further ntopng instance, each with up to 32 ZMQ interfaces and its own nProbe collectors) until all customers are monitored.
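The two layouts above, and the replication past 32 ZMQ interfaces, as a small generator script. This is an added example and not ntop's own code: it only prints the nprobe/ntopng command lines using the flags shown in this post (-i, -n none, --zmq, -3, view:all). The port numbering (customer k gets collector port 2055+k and ZMQ port 1234+k), the MAX_PER_NTOPNG constant and the function names are assumptions made for illustration, and the generated ntopng lines do not include the distinct HTTP port or data directory that a second ntopng on the same host would need.

```shell
#!/bin/sh
# Added example (not ntop's own code): print the nProbe/ntopng command lines
# for the two layouts in this post. Only flags shown in the post are used
# (-i, -n none, --zmq, -3, view:all); port numbering, the 32-interface
# limit constant and the function names are assumptions for illustration.

ZMQ_BASE_PORT=1234      # first ZMQ port (customer k -> 1234+k)
NETFLOW_BASE_PORT=2055  # first NetFlow/IPFIX collector port (customer k -> 2055+k)
MAX_PER_NTOPNG=32       # ZMQ interfaces one Enterprise L ntopng can collect

# --- Solution 1: one remote nProbe per mirrored network, merged in view:all ---

# s1_nprobe_cmd HOST IFACE -> nprobe capturing IFACE on HOST, publishing on HOST:1234
s1_nprobe_cmd() {
    echo "nprobe -i $2 -n none --zmq tcp://$1:$ZMQ_BASE_PORT"
}

# s1_ntopng_cmd HOST... -> ntopng collecting every probe plus the view interface.
# Only acceptable because customer address spaces do not overlap (see the text).
s1_ntopng_cmd() {
    cmd="ntopng"
    for h in "$@"; do
        cmd="$cmd -i tcp://$h:$ZMQ_BASE_PORT"
    done
    echo "$cmd -i view:all"
}

# --- Solution 2: one local nProbe and one ZMQ interface per customer, no view ---

# s2_nprobe_cmd K -> nprobe for customer K: its own collector port and its own
# loopback ZMQ endpoint, so two customers never share a port or an interface.
s2_nprobe_cmd() {
    echo "nprobe -3 $((NETFLOW_BASE_PORT + $1)) -n none --zmq tcp://127.0.0.1:$((ZMQ_BASE_PORT + $1))"
}

# s2_ntopng_cmd LO HI -> ntopng collecting customers LO..HI, one -i each.
# Deliberately no view: interface, because customer address plans overlap.
s2_ntopng_cmd() {
    cmd="ntopng"
    i=$1
    while [ "$i" -le "$2" ]; do
        cmd="$cmd -i tcp://127.0.0.1:$((ZMQ_BASE_PORT + i))"
        i=$((i + 1))
    done
    echo "$cmd"
}

# s2_instances_needed N -> ntopng instances needed for N customers (ceil(N/32)).
s2_instances_needed() {
    echo $(( ($1 + MAX_PER_NTOPNG - 1) / MAX_PER_NTOPNG ))
}

# s2_plan N -> all command lines for customers 0..N-1, starting a further
# ntopng every MAX_PER_NTOPNG customers. The extra ntopng instances still
# need their own HTTP port/data directory (or host); that is not generated here.
s2_plan() {
    n=$1
    k=0
    while [ "$k" -lt "$n" ]; do
        s2_nprobe_cmd "$k"
        k=$((k + 1))
    done
    lo=0
    while [ "$lo" -lt "$n" ]; do
        hi=$((lo + MAX_PER_NTOPNG - 1))
        if [ "$hi" -ge "$n" ]; then hi=$((n - 1)); fi
        s2_ntopng_cmd "$lo" "$hi"
        lo=$((hi + 1))
    done
}

# Usage: "s2_plan 3" reproduces the three-customer layout shown above;
# "s1_ntopng_cmd 192.168.1.2 192.168.1.3 192.168.1.4" reproduces Solution 1.
```

Because each customer in Solution 2 is keyed by port number, the script makes the isolation property explicit: a collector port or ZMQ endpoint can belong to exactly one customer, and no view interface is ever emitted for that layout. Review the generated lines before running them, since the script does not know about other services already bound on the host.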

Final Remarks

This post shows the main options you have to address the monitoring needs of your customers. Note that ntopng can deliver alerts remotely or to messaging systems, so you can also configure this feature per customer for a complete monitoring experience. Now it's time to play with ntop tools and have fun bringing visibility to your customers in a cheap and effective way.


Enjoy!