FlowMon ADS implementation case study

Transcription

1 FlowMon ADS implementation case study Kamil Doležel AdvaICT, a.s. Brno, Czech Republic Abstract FlowMon ADS implementation provides completely new insight into networks of all sizes. Its benefits have been already proven in many businesses, as well as in universities s networks. I will describe our experience with implementation of this solution, while focusing on challenges we were facing and problems we have solved. Keywords: FlowMon, ADS, AdvaICT, Invea-Tech, implementation, praxis, experience, NetFlow. 1 Introduction FlowMon ADS is a complex solution representing efforts of Invea-Tech, AdvaICT and Masaryk University. In contrast to other security solution at network level, it analyzes behavior of network devices instead of checking known sequence of bytes inside packet payload. FlowMon ADS can also analyze encrypted communication, where other solutions are useless. 2 Problems solved by FlowMon ADS 2.1 Veletrhy Brno Current solutions in place: By the date of the implementation Veletrhy Brno had implemented many standard security measures at the network including firewall, host antivirus, IDS Main challenge Any problems detected by firewall, IDS or antivirus were difficult to analyze further, gathering evidence was impossible. Their main pain was the identification of the device which initiated the attack, which was then spreading across network, infecting other computers. They lacked even basic network visibility FlowMon ADS implementation Proposed solution: FlowMon Probe FlowMon ADS Security and Protection of Information 2011

2 2.1.4 Points of monitoring Network infrastructure in Veletrhy Brno was configured as multiple star with 1 GB fibre interlinks. They have also been using many Wi-Fi routers to provide wireless connectivity to their customers. We had to identify where is or are the optimal points for NetFlow collection. Cisco backbone switch and DMZ switch were identified as optimal to cover most of the important traffic for behavioural analysis Actual connection Two Cisco switches, we had identified before, were configured to mirror traffic into one port, where we connected monitoring interface of FlowMon Probe Configuration It took 1 hour to fully configure FlowMon ADS to operational state. Additional fine-tuning of several specific detection methods was necessary to be performed a week later Benefits Benefits for Veletrhy Brno after 3 months They no longer need to manually analyze network to find which device originally initiated network scan or attack, they can visualize it through FlowMon ADS web interface. Any problem with loss of connection, overloaded Wi-Fi routers, etc. is immediately reported. They have history of every single flow that has been captured and stored, so they can use this as an evidence of incidents, which has happened. 2.2 Masaryk University Main Challenges Since any academical networks are open to outside world, they suffered from network scans, botnets, and especially from dictionary attacks to SSH service. They also tried other solutions like Enterasys DCC, but they were not suitable for such open environment, as the requirement was to provide all logs from SSH servers for further analysis. This was impossible since anyone can bring PC, plug in into university network and run SSH server. Another challenge was to identify what machines are acting as servers on their network and what machines are behaving as clients. Estimated number of network devices to monitor was estimated to be more than 10, Implementation Proposed solution MyNetScope ADS (more powerful version of FlowMon ADS) Point of monitoring We have started monitoring single faculty at the start to prove, that the solution really solves problems faced and to ensure it can handle massive amount of traffic (flows). Few months later MyNetScope ADS was monitoring all ingress and egress traffic for whole university. Security and Protection of Information

3 2.2.4 Benefits Benefits for Masaryk university after 1 ½ year Easy identification of servers and clients on the network by utilizing computation of long term behavioural profiles. Information about FTP, SFTP servers providing data to outside world as well as any other server types are reported, thanks to flow pairing (flow pairing: who initiated communication to particular network port is client and who responded on that port is server). SSH dictionary attacks are detected over whole network and attacker s IP s are reported. This method works even, if attack is distributed or performed with very low intensity in time. Again potentially compromised machines via SSH are reported. Network devices in university network, which are scanning, attacking or spreading botnets, are reported as well. (Chuck Norris botnet was first identified by Masaryk University). 2.3 Internet Service Provider ISP Main challenges This ISP has more than 3,500 clients, which connect their own computers. ISP has no control over them, while still have to provide reliable service. ISP had been trying to solve problems with many customers utilizing P2P networks for illegal data sharing 24/7. Additional pains included clients infected with viruses, botnets and computers sending SPAM. Generally ISP also needs to: Know real utilization of their infrastructure to plan peering bandwidth. Keep expenses low by eliminating customers, which are consuming too much bandwidth for illegal activities; to save costs Implementation Proposed solution FlowMon Probe Desktop 10/100/1000 TAP. FlowMon Collector R FlowMon ADS 102. Collector with 4TB of storage was used, as an average number of flow/second was around More memory and additional CPU was also needed to have enough computing power for anomaly detection Point of monitoring The link between perimeter router and accounting/policing system was identified as the most suitable place to monitor. We had to connect TAP between these devices, providing us complete mirror of all the traffic. The main advantage of the TAP was that we could easily identify which traffic was ingress and which was egress. We could also monitor private address area, as NAT was performed at perimeter router. 28 Security and Protection of Information 2011

4 2.3.4 Benefits After 1 month of Proof of Concept Identification of p2p traffic, even when it was encrypted. Identification of 20+ computers which were part of botnet network, other were infected by virus scanning network. Several computers were hitting DNS server with enormous number of DNS request/second single IP issued more than 400 DNS requests per second. Some computers also sent malformed DNS requests without compliance with according RFC standard. Detection of one successful SSH attack to billing/policing server placed on backbone; in a few minutes this server started massive network scan completely blocking all the ISP bandwidth, which led to 3 hours outage. Unfortunately during PoC ADS technology was still not included into NOC (Network Operational Centre) processes, so no action was taken by ISP after breach over SSH was detected by FlowMon ADS. 2.4 Other benefits Many other customers reported following benefits: Problem at VMware ESX At 10:00 AM all virtual machines were slowed down. VMware was able to export NetFlow data directly into FlowMon Collector. FlowMon ADS identified very high traffic between two virtual machines. It was caused by incorrectly set backup time. Backup took place between 2 VM guests. Instead of 10:00PM, admin did set the backup to take place at 10:00AM Unable to monitor complex MPLS network Company with 80 locations connected using MPLS reported occasional network slow-downs in several offices, unable to use Cisco IP telephony. MPLS provider denied the problem. Gateway routers at all 80 locations were configured to generate NetFlow, which were collected in the head office by FlowMon ADS Collector. Since NetFlow bandwidth ratio to monitored traffic is 1:500, it did not create any problems with link speed. FlowMon provided real usage of all MPLS links, confirming that SLA was not fulfilled by the service provider. (high latencies for traffic, which had to be prioritized packets marked with correct IP Precedence 5 did arrive to other end at IP Precedence 0 sometimes; several MPLS links did not have bandwidth according to contract). Security and Protection of Information

5 2.4.3 Problems with outgoing SPAM Company was using MS Exchange for services with SMTP running for legacy applications. Several times they appeared on SPAM list, unable to identify the source of the problem. FlowMon ADS identified the source of SPAM by utilizing dedicated method. Problem had been identified as it was caused one notebook infected with yet unknown virus. Additionally they had configuration problem at firewall, where they set rule for port 25 blocking incorrectly Unexpectedly high link usage Very high Internet link usage was reported most of the time. One solution was to upgrade its speed. After the upgrade problem was still there. After 1 st day of monitoring was absolutely clear, that the excessive load was caused by 2 computers utilizing the link to 100% all the time downloading from rapidshare, hotfiles, etc. After corrective action average link utilization went down to 3% proving that the upgrade was not necessary Policy compliance Many companies forbid to use Instant messengers, Skype and other possibly dangerous software. It is not easy to check, if employees are not circumventing such policies. After 14 days run of FlowMon ADS, several computers running ICQ and Skype tunnelling through ports 80 and 443 were identified. Additionally 2 PC also used anomization services to browse inappropriate websites. 3 Conclusion This article proves that behavioural analysis of network traffic (NetFlow) can provide major benefit for organizations of all sizes. Above described solution is already being used by many different companies on daily basis. FlowMon ADS works as an independent solution, providing non intrusive, passive monitoring of the network. It significantly improves overall network security detecting many threats and incidents, which cannot be detected by any pattern based detection methods (IDS/IPS, antiviruses, etc.). FlowMon ADS can also analyze encrypted traffic (i.e. SSH attacks method), where classical systems fail. References [ 1 ] NetFlow, [ 2 ] FlowMon ADS and FlowMon Probes and Collectors specification, and [ 3 ] What is Network Behavioral Analysis?, 30 Security and Protection of Information 2011