Network Based Application Recognition (NBAR)

Revision as of 16:46, 8 July 2021 by User

Network Based Application Recognition (NBAR) is the mechanism used by some Cisco routers and switches to recognize a data flow by inspecting some of the packets it carries. Networking equipment that uses NBAR performs deep packet inspection on a few packets of the flow to determine which traffic category the flow belongs to. Used in conjunction with other features, it can then program the internal application-specific integrated circuits (ASICs) to handle the flow appropriately. Categorization may rely on Open Systems Interconnection (OSI) layer 4 information, packet content, signaling, and so on, although some newer applications have been deliberately designed to resist this kind of tagging. The NBAR approach is useful against malicious software that uses well-known ports to pose as "priority traffic", as well as for non-standard applications that use dynamic ports. For this reason NBAR is also described as OSI layer 7 classification. On Cisco routers, NBAR is mainly used for quality of service and network security purposes.[1]

Applications in today's enterprise networks require different levels of service based upon business requirements. These requirements can be translated into network policies. The resources provided here assist you in configuring your network to provide the appropriate level of service to these applications. Mission critical applications including ERP and workforce optimization applications can be intelligently identified and classified using Network Based Application Recognition (NBAR). Once these mission critical applications are classified they can be guaranteed a minimum amount of bandwidth, policy routed, and marked for preferential treatment. Non-critical applications including Internet gaming applications and MP3 file sharing applications can also be classified using NBAR and marked for best effort service, policed, or blocked as required.[2]

Next Generation NBAR, or NBAR2, is a backward-compatible re-architecture of NBAR, designed with several new advantages that give more granular control over network traffic while addressing new technologies and emerging security threats. Features include advanced classification techniques to identify new IP protocols, evasive applications (for example, Tor), cloud applications, and mobile applications. Further improvements include traffic accuracy techniques, custom protocols, a common protocol library, and a new signature delivery mechanism using protocol packs, which allows protocol updates to be distributed outside the Cisco operating system release train and so enables rapid response to market trends.

How NBAR Works[3]
NBAR provides intelligent network classification for network infrastructure. It has the ability to recognize a wide variety of applications, including those that dynamically assign Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port numbers. Upon recognition of the application, the network assigns it specific services. Using quality-of-service (QoS) features, NBAR helps ensure network bandwidth is being used to meet enterprise objectives. This means:

  • guaranteed bandwidth for critical applications;
  • limited bandwidth for non-critical applications;
  • avoiding congestion by dropping specific packets; and
  • marking specific packets to enable end-to-end QoS.

While many network administrators use monitoring tools to oversee network link usage, these tools only provide a partial view – the volume of traffic, but not its type. NBAR examines traffic on a designated router interface and identifies it by application. It does this by mapping traffic ports to standard and non-standard protocols – far more manageable than access control lists (ACLs), which require precise matching of protocols and ports. NBAR supports a wide range of network protocols, including stateful protocols that were difficult to classify before NBAR:

  • HTTP classification by URL, host, and Multipurpose Internet Mail Extensions (MIME) type
  • Oracle SQL*Net
  • Sun RPC
  • Microsoft Exchange
  • UNIX r commands
  • VDOLive
  • RealAudio
  • Microsoft Netshow
  • FTP
  • StreamWorks
  • Trivial File Transfer Protocol (TFTP)
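To make the classification mechanism described above concrete, the following is an added illustration written for this page; it is not Cisco code and does not reproduce NBAR's real signatures. It models a flow classifier that first consults a static port table and then inspects the first payload bytes the way NBAR's deep packet inspection does, so that HTTP is recognised on a non-standard port (classified further by host, URL and MIME type), traffic on a well-known port whose payload does not match the expected protocol is not granted that protocol's priority, and a per-application byte count can be produced, in the spirit of protocol discovery, rather than a bare link-volume figure. The port table, payload patterns, QoS class names and sample packets are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    dst_port: int
    payload: bytes    # first bytes of the flow; NBAR only inspects the first few packets

# Constructed static port table (a tiny stand-in for the protocol table in a protocol pack).
STATIC_PORTS = {("tcp", 80): "http", ("tcp", 21): "ftp",
                ("udp", 69): "tftp", ("tcp", 1521): "sqlnet"}

# Constructed, deliberately simplified payload signatures for deep packet inspection.
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/1\.[01]\r\n")
HTTP_RESP = re.compile(rb"^HTTP/1\.[01] \d{3}")
FTP_BANNER = re.compile(rb"^220[ -]")
SQLNET_MAGIC = b"(CONNECT_DATA="      # fragment of an Oracle TNS connect string

# Constructed application -> QoS class mapping (plays the role of class-map/policy-map).
QOS_CLASS = {"sqlnet": "critical", "http": "transactional", "ftp": "bulk", "tftp": "bulk"}

def http_fields(payload: bytes) -> dict:
    """Extract URL, Host and Content-Type (MIME) from an HTTP request or response header."""
    info = {}
    m = HTTP_REQ.match(payload)
    if m:
        info["url"] = m.group(2).decode("ascii", "replace")
    header = payload.split(b"\r\n\r\n", 1)[0]
    for line in header.split(b"\r\n")[1:]:          # skip the request/status line
        name, _, value = line.partition(b":")
        name = name.strip().lower()
        if name == b"host":
            info["host"] = value.strip().decode("ascii", "replace")
        elif name == b"content-type":
            info["mime"] = value.strip().split(b";")[0].decode("ascii", "replace")
    return info

def inspect(payload: bytes) -> Optional[str]:
    """Payload-based recognition, independent of the port the flow uses."""
    if HTTP_REQ.match(payload) or HTTP_RESP.match(payload):
        return "http"
    if FTP_BANNER.match(payload):
        return "ftp"
    if SQLNET_MAGIC in payload:
        return "sqlnet"
    return None

def classify(pkt: Packet) -> dict:
    """Combine the port table and payload inspection into one verdict for the flow."""
    by_port = STATIC_PORTS.get((pkt.proto, pkt.dst_port))
    by_payload = inspect(pkt.payload)
    result = {"app": "unknown", "port_mismatch": False}
    if by_payload:
        # Payload evidence wins: this is what catches applications on dynamic ports.
        result["app"] = by_payload
        result["port_mismatch"] = bool(by_port) and by_port != by_payload
        if by_payload == "http":
            result.update(http_fields(pkt.payload))
    elif by_port:
        if pkt.payload:
            # Known port but the payload is not that protocol: do not inherit its priority.
            result["port_mismatch"] = True
        else:
            result["app"] = by_port            # nothing to inspect yet; port-only match
    return result

def assign_class(verdict: dict) -> str:
    """Map a classification verdict to a QoS class (constructed policy)."""
    if verdict["port_mismatch"]:
        return "scavenger"                     # demote traffic posing as a priority app
    if verdict["app"] == "http" and verdict.get("mime", "").startswith("audio/"):
        return "best-effort"                   # e.g. MP3 over HTTP is not business traffic
    return QOS_CLASS.get(verdict["app"], "best-effort")

def protocol_discovery(packets) -> dict:
    """Bytes seen per recognised application: type of traffic, not just link volume."""
    totals = {}
    for p in packets:
        app = classify(p)["app"]
        totals[app] = totals.get(app, 0) + len(p.payload)
    return totals

# Constructed sample packets standing in for the first packet of five flows.
SAMPLE = [
    Packet("tcp", 8080, b"GET /erp/login HTTP/1.1\r\nHost: erp.example.internal\r\n\r\n"),
    Packet("tcp", 80, b"\x16\x03\x01\x00\x05hello"),                  # non-HTTP bytes on port 80
    Packet("tcp", 21, b"220 ftp.example.internal FTP server ready\r\n"),
    Packet("tcp", 3128, b"HTTP/1.1 200 OK\r\nContent-Type: audio/mpeg\r\n\r\nID3"),
    Packet("udp", 69, b""),
]

if __name__ == "__main__":
    for p in SAMPLE:
        v = classify(p)
        print(p.proto, p.dst_port, v, "->", assign_class(v))
    print(protocol_discovery(SAMPLE))
```

Running the block prints one line per sample flow; the HTTP request on port 8080 is still recognised as HTTP and classified by host and URL, while the non-HTTP payload on port 80 is flagged and demoted instead of receiving the HTTP class.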

NBAR2 provides support for an even greater number of protocol types, including non-TCP and non-UDP IP protocols, statically assigned TCP and UDP port numbers, dynamically assigned TCP and UDP port numbers, and subport classification or classification based on deep packet inspection. Network administrators can obtain new protocol support by downloading protocol packs from Cisco Connection Online.

See Also

References

  1. "Definition - What Does Network Based Application Recognition (NBAR) Mean?" Wikipedia
  2. "What is Network Based Application Recognition (NBAR)?" Cisco
  3. "How Does NBAR Work?" LiveAction