27 FIWARE OpenSpecification Security Optional_Security_Enablers AndroidFlowMonitoring
Name | FIWARE.OpenSpecification.Security.Optional Security Enablers.AndroidFlowMonitoring
Chapter | Security
Catalogue-Link to Implementation | Flowoid
Owner | Inria, Alexandre Boeglin
27.1 Preface
This document contains a self-contained open specification of a FI-WARE generic enabler. To understand the complete context of the FI-WARE project, please also consult the FI-WARE_Product_Vision, the website at http://www.fi-ware.eu and similar pages.
27.2 Copyright
Copyright © 2012-2014 by Inria
27.3 Legal Notice
Please check the following Legal Notice to understand the rights to use these specifications.
27.4 Overview
27.4.1 Description
The goal of the Android Flow Monitoring Optional Enabler is to allow Android device users, as well as their company's IT administrators, to monitor the network usage of their devices. This lets users and administrators determine which applications make use of the network, and how often, since network usage generates cost and causes faster battery drain.
The exported information can also be used to detect unusual network traffic, which might indicate that the device has been compromised, and is now leaking information.
Finally, in addition to the usual network related information that the probe reports, it also adds geolocation information to the exported data, which might be relevant, given the mobile nature of Android devices.
27.4.2 Note on NetFlow Architecture
This Optional Security Enabler only covers the exporter part of the NetFlow architecture, i.e. the software intended to run on Android devices. To gather and analyze the exported flow records, one also has to set up a NetFlow v9 capable collector, usually on a server that the exporters can reach.
Many free software and proprietary NetFlow v9 Collectors are currently available, such as NfSen.
The exporter supports NetFlow v9 and uses UDP to transport Flow Export packets; the IP address and port number of the Collector can be configured through the Android Netflow Probe. Please refer to the User Guide for detailed instructions.
27.4.3 Architecture
The diagram above depicts the architecture of the Android Flow Monitoring software and its interactions with the Android platform. The Android Netflow Probe and the Native Capture Daemon are the two components of the Android Flow Monitoring tool, whereas the Dalvik VM and the Android Platform are part of the Android Operating System.
The Native Capture Daemon is a Unix daemon that communicates with the Android Platform (in practice, the Linux kernel) to capture traffic from other running applications, which it then forwards to the Android Netflow Probe (only the headers of the captured packets are sent, not the application payload).
The Android Netflow Probe is an Android application written in Java and running on the Dalvik VM. It has the following roles:
- it can start, configure and stop the Native Capture Daemon;
- it receives packet headers from the Native Capture Daemon through a socket, and aggregates them into NetFlow records;
- it sends NetFlow export packets to the configured collector (not depicted in this diagram).
27.4.4 Use Case
In a typical installation, the NetFlow probe is installed on a 3G/4G-capable Android device, and a NetFlow collector is installed on a server that must be reachable by the device (public IPv4 address). The probe is configured to report to this particular collector and then runs in the background, monitoring the network and periodically sending flow records to the collector.
On the collector side, filters can be applied to ease the analysis of the data, and alarms can be set to automatically warn administrators when certain conditions are met.
27.5 Basic Concepts
NetFlow is a network protocol for monitoring network devices by generating traffic statistics, which is far more efficient than mirroring the complete traffic. Version 9 of the protocol introduces templates, which allow the exported data to be defined precisely according to device capabilities and/or network administrators' requirements.
Its architecture is based on NetFlow Exporters (or Probes) running on the equipment to be monitored (typically routers and switches), and a NetFlow Collector, which aggregates and stores the NetFlow information received from the Exporters and offers visualization and analysis tools.
Network packets going through a network interface on a monitored device are classified using their source and destination IP addresses, their protocol number, and their port numbers. The collected information includes the packet count, the total size, and the timestamps of the first and last packets. Once a connection is closed or has expired, the collected information is sent to the collector.
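The classification and expiry rules described here, together with the aggregation of packet headers into NetFlow records mentioned in the architecture section, as an added example in Python (the probe itself is written in Java); this is not Flowoid's code, and the timeout values, the seven-field template and the sample packets are assumptions:

```python
import socket
import struct
from dataclasses import dataclass
# Added illustration, not Flowoid's own code: a flow cache of the kind the
# Android Netflow Probe keeps (5-tuple classification, packet/byte counters,
# first/last timestamps, export on close or expiry) and a NetFlow v9 export
# packet laid out as in RFC 3954. Timeouts and the template are assumed.

@dataclass
class Flow:
    key: tuple      # (src_ip, dst_ip, proto, src_port, dst_port)
    packets: int
    octets: int
    first: float    # timestamp of first packet (seconds)
    last: float     # timestamp of last packet (seconds)

class FlowCache:
    def __init__(self, inactive=15.0, active=120.0):
        self.inactive, self.active = inactive, active  # expiry timeouts, assumed
        self.flows, self.exported = {}, []

    def add_packet(self, src, dst, proto, sport, dport, length, ts, tcp_flags=0):
        self.expire(ts)
        key = (src, dst, proto, sport, dport)
        if key not in self.flows:
            self.flows[key] = Flow(key, 0, 0, ts, ts)
        f = self.flows[key]
        f.packets, f.octets, f.last = f.packets + 1, f.octets + length, ts
        if proto == 6 and tcp_flags & 0x05:   # TCP FIN (0x01) or RST (0x04): closed
            self.exported.append(self.flows.pop(key))

    def expire(self, now):
        for key, f in list(self.flows.items()):
            if now - f.last > self.inactive or now - f.first > self.active:
                self.exported.append(self.flows.pop(key))

# RFC 3954 field types: IN_BYTES=1, IN_PKTS=2, PROTOCOL=4, L4_SRC_PORT=7,
# IPV4_SRC_ADDR=8, L4_DST_PORT=11, IPV4_DST_ADDR=12; tuples are (type, length)
TEMPLATE_ID = 256
TEMPLATE = [(1, 4), (2, 4), (4, 1), (7, 2), (8, 4), (11, 2), (12, 4)]

def build_v9_packet(flows, seq, uptime_ms, unix_secs, source_id=0):
    # Header + template FlowSet (ID 0) + one data FlowSet holding all records
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    tmpl += b"".join(struct.pack("!HH", t, n) for t, n in TEMPLATE)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    recs = b"".join(struct.pack("!IIBH4sH4s", f.octets, f.packets, f.key[2], f.key[3],
                    socket.inet_aton(f.key[0]), f.key[4], socket.inet_aton(f.key[1])) for f in flows)
    pad = (-(4 + len(recs))) % 4                   # FlowSets are padded to 32 bits
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(recs) + pad) + recs + b"\0" * pad
    header = struct.pack("!HHIIII", 9, 1 + len(flows), uptime_ms, unix_secs, seq, source_id)
    return header + tmpl_set + data_set
```

A real exporter would send the returned bytes over UDP to the collector's address and port, and would resend the template periodically so the collector can decode later data FlowSets.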