Network Classification

Network Classification is covered in the following topics:

• About Network Classification
• Network Classification Page
• Configuring Network Classification

General information about network classification is provided in the following topics:

• Network Classification Overview
• Network Classification Dimensions
• Network Directionality Use Case
• Host Directionality Use Case
• Network Classification Page

Network classification uses source and destination information related to IPs and ASes to determine the direction of network traffic with respect to your network. The following types of classification are supported:

• Network Directionality: Used to look for traffic based on the direction from which it enters the network and to which it leaves.
• Host Directionality: Used to look for host traffic captured by kprobe based on the direction it is flowing.

The two categories of Network Classification directionality listed above are supported by several Network Classification Dimensions that can be applied to each flow as it is ingested into the main tables of KDE:

• Traffic Origination: This dimension indicates whether the source for a given flow is inside or outside of your network.
• Traffic Termination: This dimension indicates whether the destination for a given flow record is inside or outside of the network.
• Host Direction: When the flow record has been generated on a host, this dimension indicates whether the direction of traffic is into or out of that host.
• Traffic Profile: Derived from Traffic Origination and Traffic Termination, this dimension categorizes traffic into the directionalities described in Traffic Profile.
• Simple Traffic Profile: A less granular version of the traffic profile, primarily used in Kentik v4 (e.g. Network Explorer, Insights & Alerting, etc.), with the possible values listed in Simple Traffic Profile.

The dimensions described above are available throughout Kentik Detect as:

• Group-by Dimensions
• Filter match criteria
• Alert keys (dimensions of an Alert Policy)
• Alert filter match criteria

Note: The use of Network Classification in Alerting enables you to monitor traffic that comes from outside the network separately from traffic that is internal to the network.

This dimension categorizes traffic into the following specific directionalities:

• Internal: Traffic originating and terminating inside the network.
• Through: Traffic coming from outside the network and terminating outside the network.
• From outside, terminated inside (ingress): Traffic coming from outside the network and terminating inside the network.
• Originated inside, to outside (egress): Traffic coming from inside the network and terminating outside the network.
• Internal Cloud: Traffic originating and terminating inside the same public cloud.
• From outside, to cloud: Traffic coming from outside the network and terminating in one of your organization's resources in a public cloud.
• From cloud to outside: Traffic coming from one of your organization's resources in a public cloud and terminating outside your network.
• From cloud to inside: Traffic coming from one of your organization's resources in a public cloud and terminating inside your network.
• From inside to cloud: Traffic coming from inside your network and terminating in one of your organization's resources in a public cloud.
• Multi-cloud: Traffic coming from one of your organization's resources in a public cloud and terminating in one of your organization's resources in a different public cloud.

This dimension, primarily used in Kentik v4 (e.g. Network Explorer, Insights & Alerting, etc.) categorizes traffic into the following general directionalities, which are illustrated in the diagram below:

• Inbound: Traffic that originates outside your network and terminates inside your network.
• Outbound: Traffic that originates inside your network and terminates outside your network.
• Internal: Traffic that both originates and terminates inside your network.
• Through: Traffic that both originates and terminates outside your network.
• Other: Traffic that is not classified by the above profiles (see Traffic Classified as Other).

The key to accurate assignment of a Simple Traffic Profile value is to thoroughly apply both Network Classification and Interface Classification. The table below shows how the values of other dimensions in the same flow record are evaluated to determine the Simple Traffic Profile value for a given flow.

Ideally most traffic flows are assigned a Simple Traffic Profile of Inbound, Outbound, Internal, or Through. The most common reasons for traffic to be assigned a profile of Other are as follows:

• Multiple internal hops: If the path of Inbound, Outbound, or Through traffic includes multiple hops within the customer’s network. This may be backbone traffic (Simple Traffic Profile does not currently include a special designation for backbone).
• Interface classification is incomplete or incorrect: If Interface Classification hasn't yet been run or the Network Boundary values assigned by a given rule are incorrect for the matching interfaces.
• Network classification is incomplete or incorrect: If internal IPs and ASNs haven't yet been specified on the Network Classification Page or have been entered incorrectly.
• Classification mismatch: If the settings for Interface Classification and Network Classification are inconsistent with each other, resulting in contradictory classifications.

One application of Network Classification is to use the Network Directionality dimensions to investigate spikes in traffic. Suppose, for example, that we used Data Explorer to run a query for top-X customers, and the resulting graph revealed a big spike in flows to a customer called Pear, Inc. (as shown below).

To dig deeper into this anomaly, we’d start in the table (not shown) beneath the graph in the Explorer display area. Clicking the Action menu at the right of the row corresponding to Pear, Inc., we choose Show By to open the Show By Dimensions dialog, then choose one of our new Network Classification dimensions, Traffic Origination (listed under Source). After closing the dialog by clicking the Show By Selected Dimensions button, we re-run the query. In the resulting graph (below) we can now see that the spike is made up of traffic that originated outside of our network (having a Traffic Origination value of “outside”). If we wanted to continue digging further, we would use Show By again, this time looking at source ASN or IP address.

Another use case for Network Classification is specific to host traffic captured by kprobe (Kentik’s software host agent). Since most hosts have only a single interface through which traffic can pass, kprobe captures both inbound and outbound traffic. Host directionality enables you to separate traffic that was coming in from traffic that was leaving. To do so, set the Devices pane of the Data Explorer sidebar to include the hosts that you want to check, then run a query with Host Direction (in the Full category) as the group-by dimension. As shown in the graph below, you can now see separately the flows in and out of your hosts.

Before using Network Classification you must first enable Kentik Detect to determine what is inside and what is outside of your network. Network classification is configured on the Network Classification page, which is accessed from the sidebar of the portal’s Admin section.

The Network Classification page is made up of the following UI elements:

• Internal IPs: An input field used to enter, with a comma-separated list, the IP CIDR blocks used inside the network.
• Automatically include RFC1918 IP Space: A checkbox used to specify whether the RFC1918 IP Space and other common private ranges are included along with the user-defined Internal IPs list. This option is checked by default.
• Internal ASNs field: An input field used to enter, with a comma-separated list, the ASNs used inside the network.
• Automatically Include Private ASNs: A checkbox used to specify whether private 16- and 32-bit ASNs are included along with the user-defined Internal ASNs list. This option is checked by default.
• Save button: Click to save any changes that have been made since arriving on the page.

To set up network classification:

1. Go to the Network Classification page (Admin » Network Classification).
2. In the Internal IPs field, enter a comma-separated list of the IPs that are internal to your network.
3. Using the checkbox below the field, choose whether to automatically include the RFC1918 IP space.
4. In the Internal ASNs field, enter a comma-separated list of the ASNs that are internal to your network.
5. Using the checkbox below the field, choose whether to automatically include private ASNs.
6. Click the Save button. You are now ready to start using network classification dimensions for group-by and filtering in queries and alerting.