Network Security Monitoring with Flow Data

IT Monitoring in Enterprises
- NPMD (Network Performance Monitoring & Diagnostics)
- SNMP basics
- Flow data for advanced analysis and troubleshooting
- Packet capture for specialties
- What about security? Different technology, different tools, different vendors

NPMD and Security
- Volumetric DDoS detection
- Anomaly detection
- Incident reporting

Neil MacDonald, VP Distinguished Analyst, Gartner Security & Risk Management Summit, London 2015

What is Flow Data?
- Modern method for network monitoring: flow measurement
- Cisco standard NetFlow v5/v9, IETF standard IPFIX
- Focused on L3/L4 information and volumetric parameters
- Real network traffic is reduced to flow statistics at a ratio of roughly 500:1
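Added example for this slide (not Flowmon code): a decoder for the NetFlow v5 export format it names, run against a datagram constructed inline with struct.pack so it works offline. The header's sampling word is also where a collector can see whether an export is sampled at all, which matters for the "Myth 1" slide later on. Interface numbers, AS numbers and the byte counts in the sample are made-up values.

```python
"""Decode a NetFlow v5 export datagram: a 24-byte header followed by 48-byte
flow records. Added example, not Flowmon code. The datagram is constructed
inline; a real collector would receive the same bytes on its UDP listener
(conventionally port 2055)."""
from __future__ import annotations
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling (2-bit mode + 14-bit interval)
HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
assert HEADER.size == 24 and RECORD.size == 48


@dataclass
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tcp_flags: int      # cumulative OR of the TCP flags seen in the flow
    packets: int
    octets: int
    first_ms: int       # sys_uptime at first/last packet, milliseconds
    last_ms: int
    input_if: int
    output_if: int

    @property
    def duration_ms(self) -> int:
        return self.last_ms - self.first_ms


def decode_v5(datagram: bytes) -> tuple[dict, list[FlowRecord]]:
    """Return (header fields, records); raises on wrong version or truncation."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram: header announces more records than present")
    header = {
        "sys_uptime_ms": uptime, "unix_secs": secs, "flow_sequence": seq,
        "engine": (etype, eid),
        # whether this exporter samples is visible right here: interval 0 = every packet counted
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        (srcaddr, dstaddr, _nexthop, inp, outp, dpkts, doctets, first, last,
         sport, dport, _pad1, flags, prot, _tos, _sas, _das, _smask, _dmask,
         _pad2) = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append(FlowRecord(str(IPv4Address(srcaddr)), str(IPv4Address(dstaddr)),
                                  sport, dport, prot, flags, dpkts, doctets, first, last, inp, outp))
    return header, records


def build_sample_datagram() -> bytes:
    """Constructed datagram: both directions of one HTTP session, unsampled export."""
    def rec(src, dst, sport, dport, pkts, octets, first, last, flags):
        return RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0, 1, 2,
                           pkts, octets, first, last, sport, dport, 0, flags, 6, 0,
                           0, 0, 24, 24, 0)
    body = (rec("192.168.1.1", "10.10.10.10", 10111, 80, 12, 1231, 1000, 1100, 0x1B)
            + rec("10.10.10.10", "192.168.1.1", 80, 10111, 21, 8620, 1000, 1200, 0x1B))
    return HEADER.pack(5, 2, 5000, 1700000000, 0, 42, 0, 0, 0) + body


if __name__ == "__main__":
    hdr, flows = decode_v5(build_sample_datagram())
    print(hdr)
    for f in flows:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} proto={f.proto} "
              f"pkts={f.packets} bytes={f.octets} dur={f.duration_ms}ms flags=0x{f.tcp_flags:02x}")
```

Note that v5 is IPv4-only and has no template mechanism; the L2 and L7 fields discussed later in the deck need v9 or IPFIX templates, which is why probes export those formats.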

Flow Monitoring Principle
Flow export records carry, per flow: Start, Duration, Proto, Src IP:Port, Dst IP:Port, Packets, Bytes.
Example from the slide (one HTTP session seen as two unidirectional flows):
  9:35:24.8  TCP  192.168.1.1:10111 -> 10.10.10.10:80
  9:35:25.0  TCP  10.10.10.10:80 -> 192.168.1.1:10111
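The aggregation this slide illustrates, as an added example that is not from the deck: a minimal flow cache that turns packets into the Start/Duration/Proto/Src/Dst/Packets/Bytes records of the table. Packets sharing a 5-tuple are counted into one record until the flow goes idle (inactive timeout) or runs too long (active timeout). The packet list and the timeout values are assumptions.

```python
"""Build flow records from a packet stream the way a probe's or a router's
flow cache does. Added example, not Flowmon code; the packet list is
constructed inline (timestamps in seconds, sizes in bytes)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Iterable

INACTIVE_TIMEOUT = 15.0   # seconds of silence after which a flow is exported (assumed)
ACTIVE_TIMEOUT = 120.0    # long-lived flows are cut and exported periodically (assumed)


@dataclass
class Packet:
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    size: int
    flags: str = ""       # TCP flag letters, e.g. "S", "A", "PA"


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    start: float
    last: float
    packets: int = 0
    bytes: int = 0
    flags: set = field(default_factory=set)   # cumulative flags, as NetFlow exports them

    @property
    def duration(self) -> float:
        return round(self.last - self.start, 3)


def aggregate(packets: Iterable[Packet]) -> list[Flow]:
    """Unidirectional 5-tuple flow cache; returns records in export order."""
    cache: dict[tuple, Flow] = {}
    exported: list[Flow] = []
    for p in sorted(packets, key=lambda p: p.ts):
        # expire idle or over-long flows before handling the new packet
        for key, f in list(cache.items()):
            if p.ts - f.last > INACTIVE_TIMEOUT or p.ts - f.start > ACTIVE_TIMEOUT:
                exported.append(cache.pop(key))
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        f = cache.get(key)
        if f is None:
            f = cache[key] = Flow(p.proto, p.src, p.sport, p.dst, p.dport, p.ts, p.ts)
        f.last = p.ts
        f.packets += 1
        f.bytes += p.size
        f.flags.update(p.flags)
    exported.extend(cache.values())   # end of stream: flush whatever is still active
    return exported


def sample_packets() -> list[Packet]:
    """Constructed: one HTTP session (both directions) and, much later, one DNS query."""
    c, s = "192.168.1.1", "10.10.10.10"
    return [
        Packet(0.000, "TCP", c, 10111, s, 80, 60, "S"),
        Packet(0.015, "TCP", s, 80, c, 10111, 60, "SA"),
        Packet(0.030, "TCP", c, 10111, s, 80, 52, "A"),
        Packet(0.031, "TCP", c, 10111, s, 80, 412, "PA"),   # HTTP request
        Packet(0.090, "TCP", s, 80, c, 10111, 1460, "PA"),  # response
        Packet(0.095, "TCP", s, 80, c, 10111, 1200, "PA"),
        Packet(0.100, "TCP", c, 10111, s, 80, 52, "A"),
        Packet(40.000, "UDP", c, 5353, "10.10.10.53", 53, 70),  # idle gap > INACTIVE_TIMEOUT
    ]


def render(flows: list[Flow]) -> list[str]:
    """Rows in the layout of the slide's table."""
    return [f"{f.start:8.3f} {f.duration:6.3f} {f.proto:4} {f.src}:{f.sport} -> {f.dst}:{f.dport} "
            f"{f.packets:4d} {f.bytes:6d} {''.join(sorted(f.flags))}" for f in flows]


if __name__ == "__main__":
    print("   Start    Dur Proto Src -> Dst                            Pkts  Bytes Flags")
    print("\n".join(render(aggregate(sample_packets()))))
```

The eight packets (3.3 KB on the wire) become three records, which is the reduction the previous slide refers to; the cost is that nothing inside the payload survives, only counts, timing and the cumulative flag set.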

Flow Gathering Schemes
Probe on a SPAN port
- Pros: accuracy, performance, L2/L3/L4/L7 visibility
- Cons: may reach capacity limit, no interface number, limited number of SPANs
- Facts: fits most customers
- Use: enterprise networks
Probe on a TAP
- Pros: same as on a SPAN, all packets captured, separates RX and TX
- Cons: additional HW, 2 monitoring ports
- Use: ISP uplinks, DCs
Flows from switch/router
- Pros: already available, no additional HW, traffic on interfaces
- Cons: usually inaccurate, visibility L3/L4 only, performance impact
- Facts: always test before use
- Use: branch offices (MPLS, ...)

Flow-Enabled Devices
- Network equipment (routers/switches): traditional capability, known for many years
- Firewalls, UTMs, load balancers, hypervisors: ongoing initiative of the majority of vendors
- Packet brokers and matrix switches: convenient option

Flow-Based Traffic Analysis
- Network as a sensor (and enforcer) concept: blogs.cisco.com/enterprise/the-network-as-a-security-sensor-and-enforcer
- Bridges the gap left by signature-based security
- Key technology for incident response
- Designed for multi-10G environments
- DDoS: statistical analysis, volumetric DDoS detection
- Anomaly detection: advanced data analysis algorithms, detection of non-volumetric anomalies

How Does L3/L4 Data Help Security?
Myth 1: Flow is sampled and highly inaccurate. This is true for sFlow and NetFlow Lite; for NetFlow/IPFIX it depends on the flow source. Probes and new network equipment do just fine.
Myth 2: Flow is limited to L3/L4 visibility. That was the original design, but today's flow data comes with L2 and L7 extensions (usually via IPFIX).
Myth 3: You need continuous packet capture. Flows with L7 visibility plus on-demand or triggered packet capture is the cost-efficient option.

Flow vs. Packet Analysis
Flow data
- Strong aspects: works in high-speed networks, resistant to encrypted traffic, visibility and reporting, network behavior analysis
- Weak aspects: no application layer data, sometimes not enough details, sampling (routers, switches)
Packet analysis
- Strong aspects: full network traffic, enough details for troubleshooting, supports forensic analysis, signature-based detection
- Weak aspects: useless for encrypted traffic, usually too much detail, very resource consuming
Solution? Take advantage of the strong aspects of both in one solution: versatile and flexible probes for visibility into all network layers (Flowmon's long-term strategy)

Probes (by Flowmon Networks)
- Versatile and flexible network appliances; monitoring ports convert packets to flows
- Un-sampled export in NetFlow v5/v9 or IPFIX
- Wire-speed, L2-L7 visibility, PCAPs when needed
- L2: MAC, VLAN, MPLS, GRE tunnel, OVT
- L3/L4: standard items, NPM metrics (RTT, SRT, TTL, SYN size), ASN, geolocation
- L7: NBAR2, HTTP, DNS, DHCP, SMB/CIFS, VoIP (SIP)

Use Case: Enterprise Security
- NBAD
- On-demand / triggered packet capture

Fighting Advanced Threats
Network visibility is an essential component of new protection strategies against advanced attacks.

Flowmon ADS Principles
- Machine learning
- Adaptive baselining
- Heuristics
- Behavior patterns
- Reputation databases

Traffic Analysis (Using Flows)
- Bridges the gap left by endpoint and perimeter security solutions
- Behavior-based anomaly detection (NBA)
- Detection of security and operational issues:
  attacks on network services, network reconnaissance;
  infected devices and botnet C&C communication;
  anomalies of network protocols (DNS, DHCP, ...);
  P2P traffic, TOR, on-line messengers, DDoS attacks and vulnerable services;
  configuration issues

SIEM Integration
- Flowmon Collector & ADS: NetFlow/IPFIX collection and behavior analysis (network traffic monitoring)
- SIEM system: event collection and correlation (syslog, SNMP)
- Event exporting from Flowmon to the SIEM is syslog based; links Flowmon <-> log management
- Special vendor relationships: IBM QRadar (whitepaper, integration SW package); ArcSight native support through CEF

Traffic overview, anomalies detected

Attacker activity (port scan, SSH authentication attack)

Victim of the attack, source of anomalies

The attacker looks for potential victims, then starts an SSH attack, which turns out to be successful

A few minutes after that the breached device starts to communicate with a botnet C&C

Botnet identification using Flowmon Threat Intelligence

Flow data on L2/L3/L4

Including L7 visibility

Full packet capture and packet trace (PCAP file)

Analysis of PCAP file with botnet C&C communication in Wireshark

Data exfiltration command via ICMP

Command to discover RDP servers

ICMP anomaly traffic with payload present

PCAP available, what is the ICMP payload?

Linux /etc/passwd file with user accounts and password hashes (on current systems the hashes themselves live in /etc/shadow; a world-readable /etc/passwd still gives the attacker the account list)

Looking for Windows servers with RDP; attack against RDP services
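The detection steps of this walkthrough (reconnaissance, SSH dictionary attack against the host that was found, then ICMP carrying payload from the breached host), as an added example that is not Flowmon ADS logic. The thresholds, the product names in the CEF header and the flow sample are all constructed for illustration. The findings are rendered as CEF lines, the syslog format the SIEM Integration slide names for ArcSight.

```python
"""Behaviour-based detection over flow records for the incident on the
slides. Added example, not Flowmon ADS code; thresholds are assumptions and
the flows are constructed inline from documentation address ranges."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    bytes: int
    flags: str = ""   # cumulative TCP flag letters


def port_scan(flows, min_targets=20):
    """One source probing many dst:port pairs with SYN-only, one- or two-packet flows."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "TCP" and f.packets <= 2 and f.flags == "S":
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def ssh_bruteforce(flows, min_attempts=10, max_bytes=4000):
    """Many complete but tiny TCP/22 sessions between one pair: each one is a failed login."""
    attempts = defaultdict(int)
    for f in flows:
        if f.proto == "TCP" and f.dport == 22 and f.packets >= 3 and f.bytes <= max_bytes:
            attempts[(f.src, f.dst)] += 1
    return {pair: n for pair, n in attempts.items() if n >= min_attempts}


def icmp_payload_anomaly(flows, max_bytes_per_packet=120):
    """Echo traffic far fatter than a normal ping: payload is being carried (tunnel/exfiltration)."""
    return [(f.src, f.dst, f.bytes // f.packets)
            for f in flows if f.proto == "ICMP" and f.bytes / f.packets > max_bytes_per_packet]


def to_cef(sig_id, name, severity, **ext):
    """ArcSight CEF line. Header fields escape '|' and backslash, extension values '=' and backslash."""
    def hdr(s):
        return str(s).replace("\\", "\\\\").replace("|", "\\|")

    def val(s):
        return str(s).replace("\\", "\\\\").replace("=", "\\=")

    extension = " ".join(f"{k}={val(v)}" for k, v in ext.items())
    return f"CEF:0|{hdr('ExampleNBA')}|{hdr('flow-nba')}|1.0|{sig_id}|{hdr(name)}|{severity}|{extension}"


def detect(flows):
    """Run the three detectors and return one CEF event per finding."""
    events = []
    for src, n in port_scan(flows).items():
        events.append(to_cef(1001, "Port scan", 5, src=src, cnt=n))
    for (src, dst), n in ssh_bruteforce(flows).items():
        events.append(to_cef(1002, "SSH dictionary attack", 7, src=src, dst=dst, dpt=22, cnt=n))
    for src, dst, bpp in icmp_payload_anomaly(flows):
        events.append(to_cef(1003, "ICMP with payload", 8, src=src, dst=dst, proto="ICMP",
                             cn1=bpp, cn1Label="bytesPerPacket"))
    return events


def sample_flows():
    """Constructed flows following the slide storyline."""
    attacker, victim, c2 = "10.0.0.7", "10.0.1.5", "203.0.113.9"
    flows = [Flow(attacker, f"10.0.1.{i}", "TCP", 40000 + i, 22, 1, 60, "S") for i in range(1, 26)]  # scan
    flows += [Flow(attacker, victim, "TCP", 41000 + i, 22, 9, 1800, "APSF") for i in range(12)]     # failed logins
    flows += [Flow(attacker, victim, "TCP", 41200, 22, 240, 31000, "APSF")]                         # the one that worked
    flows += [Flow(victim, c2, "ICMP", 0, 0, 40, 48000)]                                             # 1200 B per echo
    flows += [Flow("10.0.1.20", "10.0.1.1", "ICMP", 0, 0, 4, 392),                                   # ordinary ping
              Flow("10.0.1.20", "10.0.2.2", "TCP", 50000, 443, 35, 22000, "APSF")]                    # ordinary HTTPS
    return flows


if __name__ == "__main__":
    print("\n".join(detect(sample_flows())))
```

None of the three detectors looks at a byte of payload; they work on counts, sizes and flag sets only, which is exactly why the PCAP in the following slides is needed to see what the ICMP packets actually carried.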

Network Against Threats
- Flow monitoring including L7
- Network behavior analysis
- Full packet capture triggered by detection

Use Case: DDoS Protection
- Volumetric DDoS detection
- Traffic redirection and mitigation control

Enterprise Protection Strategy
Enterprise perimeter scheme: limited number of uplinks and capacity (Internet -> CPE -> DMZ/LAN)
- In-line DDoS mitigation appliance
- All-in-one detection & mitigation out of the box
- Volumetric + application (L3/L4/L7) attack coverage
- Only up to the uplink capacity!

Backbone Protection Strategy
Backbone perimeter specifics: multiple peering points, routers & uplinks; large transport capacity (tens of gigabits easily); in-line protection is close to impossible!
Flow-based detection and out-of-path mitigation (flow export from the routers):
1. Flow collection
2. DDoS detection
3. Routing control
4. Mitigation control
- Easy and cost efficient to deploy in backbone/ISP
- Prevents volumetric DDoS from reaching the enterprise perimeter

Flow-Based DDoS Protection
- Define customers = protected segments, usually by network subnets (simple)
- Configure rules for DDoS detection: multiple types of baselines per protected segment
- Set alerts: notify about attacks (humans & systems)
- Configure traffic diversion = changes in routing: divert traffic for mitigation of the DDoS attack
- Configure mitigation control = scrubbing: integration with scrubbing equipment or services

Attack Detection
For each segment, a set of baselines is learned from monitored traffic. An attack is detected when the current traffic exceeds the defined threshold. A baseline is learned for:
- TCP traffic with specific flags
- UDP traffic
- ICMP traffic

Attack Reporting
- Start/end time
- Attack target
- Type and status
- Traffic volumes during attack/peace time
- Attack details (top 10 dst IPs, source subnets, L4 protocols, TCP flag combinations, ...)
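The Attack Detection and Attack Reporting slides as one added worked example (not Flowmon DDoS Defender code): baselines learned per traffic class (TCP by flag combination, UDP, ICMP) from past intervals, a threshold check on the current interval, and the report fields. Interval length, the k factor, the absolute floor and all traffic are assumptions; the floor exists because a class that is normally silent (a SYN-only class in peace time) would otherwise have a threshold of zero.

```python
"""Volumetric DDoS detection per protected segment. Added example, not
Flowmon DDoS Defender; segment, history and attack interval are constructed
inline from documentation address ranges."""
from __future__ import annotations
import statistics
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERVAL_S = 60                 # measurement interval length, seconds (assumed)
MIN_THRESHOLD_BPS = 100_000     # floor: normally silent classes still need real volume to alert


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    tcp_flags: str
    packets: int
    bytes: int


def traffic_class(f: Flow) -> str:
    """Baseline classes from the slide: TCP split by flag combination, UDP, ICMP."""
    return f"TCP/{f.tcp_flags}" if f.proto == "TCP" else f.proto


def class_rates(flows, segment) -> dict[str, float]:
    """bit/s per class for flows whose destination lies in the protected segment."""
    bits = Counter()
    for f in flows:
        if ip_address(f.dst) in segment:
            bits[traffic_class(f)] += f.bytes * 8
    return {c: b / INTERVAL_S for c, b in bits.items()}


def learn_baselines(history, segment, k=3.0) -> dict[str, tuple[float, float]]:
    """history: past intervals, each a list of flows. Returns class -> (mean bps, threshold bps)."""
    rates = [class_rates(flows, segment) for flows in history]
    classes = {c for r in rates for c in r}
    out = {}
    for c in classes:
        xs = [r.get(c, 0.0) for r in rates]
        mean = statistics.fmean(xs)
        out[c] = (mean, max(mean + k * statistics.pstdev(xs), MIN_THRESHOLD_BPS))
    return out


def threshold(baselines, c: str) -> float:
    return baselines[c][1] if c in baselines else MIN_THRESHOLD_BPS


def detect(current, segment, baselines) -> dict[str, tuple[float, float]]:
    """Classes whose rate in the current interval exceeds their threshold: class -> (rate, threshold)."""
    return {c: (rate, threshold(baselines, c)) for c, rate in class_rates(current, segment).items()
            if rate > threshold(baselines, c)}


def attack_report(current, segment, exceeded, baselines) -> dict:
    """The fields of the Attack Reporting slide, computed from the flows of the exceeded classes."""
    hit = [f for f in current if ip_address(f.dst) in segment and traffic_class(f) in exceeded]
    dst, src24, l4, flags = Counter(), Counter(), Counter(), Counter()
    for f in hit:
        dst[f.dst] += f.bytes
        src24[str(ip_network(f"{f.src}/24", strict=False))] += f.bytes
        l4[f.proto] += f.bytes
        if f.proto == "TCP":
            flags[f.tcp_flags] += f.bytes
    return {
        "classes": {c: {"attack_bps": r, "threshold_bps": t} for c, (r, t) in exceeded.items()},
        "attack_bps": sum(f.bytes for f in hit) * 8 / INTERVAL_S,
        "peace_bps": sum(mean for mean, _ in baselines.values()),
        "top_dst": dst.most_common(10),
        "top_src24": src24.most_common(10),
        "l4": l4.most_common(),
        "tcp_flags": flags.most_common(),
    }


SEGMENT = ip_network("203.0.113.0/24")   # the protected "customer" subnet


def normal_interval(i: int) -> list[Flow]:
    """Constructed peace-time traffic: web sessions with mild variation, a little DNS and ICMP."""
    web = [Flow(f"198.51.100.{j}", "203.0.113.10", "TCP", 443, "APSF", 60, 20_000 + 1_000 * ((i + j) % 3))
           for j in range(50)]
    dns = [Flow(f"198.51.100.{j}", "203.0.113.53", "UDP", 53, "", 2, 600) for j in range(5)]
    icmp = [Flow("198.51.100.200", "203.0.113.10", "ICMP", 0, "", 4, 392)]
    return web + dns + icmp


def attack_interval() -> list[Flow]:
    """Constructed: normal traffic plus a SYN flood and a UDP amplification flood on the web server."""
    syn = [Flow(f"192.0.2.{j % 250 + 1}", "203.0.113.10", "TCP", 443, "S", 100, 6_000) for j in range(500)]
    udp = [Flow(f"192.0.2.{j % 100 + 1}", "203.0.113.10", "UDP", 40_000 + j, "", 100, 140_000)
           for j in range(300)]
    return normal_interval(0) + syn + udp


if __name__ == "__main__":
    baselines = learn_baselines([normal_interval(i) for i in range(10)], SEGMENT)
    exceeded = detect(attack_interval(), SEGMENT, baselines)
    print(attack_report(attack_interval(), SEGMENT, exceeded, baselines))
```

Splitting TCP by flag combination is what makes a SYN flood visible here: the legitimate full sessions (APSF) stay inside their baseline while the SYN-only class, which hardly exists in peace time, jumps from nothing to hundreds of kbit/s. The report's top source /24s and TCP flag combinations are the raw material for the Flowspec signature on the later slides.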

Response to Attack
- Alerting: e-mail, syslog, SNMP trap
- Routing diversion: PBR (Policy Based Routing), BGP (Border Gateway Protocol), BGP Flowspec, RTBH (Remotely-Triggered Black Hole), user-defined scripting
- Automatic mitigation: with out-of-band mitigation devices, with services of scrubbing centers

DDoS Protection Scenario 1 Out-of-path Mitigation

Out-of-Path Mitigation (diagram)
- Flow data collection and learning of baselines from the ISP core routers
- Anomaly detection on the collected flows
- Mitigation enforcement: dynamic protection policy deployment (incl. baselines and attack characteristics) to the scrubbing center; traffic diversion via BGP route injection
- Attack path: Internet -> ISP core -> scrubbing center; clean path: scrubbing center -> Protected Object 1 / Protected Object 2 (e.g. data center, organization, service)

DDoS Protection Scenario 2 Mitigation with BGP Flowspec

BGP Flowspec
- Requires a dynamic signature of the attack
- Provides a specific action to take with the matching network traffic
- BGP Flowspec rules are based on: destination prefix, source prefix, IP protocol, destination port, ICMP type, ICMP code

BGP Flowspec Rule
- BGP Flowspec rules are proposed based on the dynamic attack signature
- Manual or automatic trigger is available
- Default action can be modified
- Rule is pushed to the routers via a BGP session

BGP Flowspec Scenario (diagram)
- Flow data collection and learning of baselines; anomaly detection
- Mitigation enforcement: a specific route advertisement is sent via BGP Flowspec
- Dynamic signature: Dst IP 1.1.1.1/32, Dst Port 135, IP protocol 17 (UDP); action: discard
- ISP core routers drop traffic matching Dst IP 1.1.1.1/32, Dst Port 135, IP protocol 17 (UDP) before it reaches Protected Object 1 (e.g. data center, organization, service); Protected Object 2 is unaffected
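The dynamic signature above encoded as what actually goes over the BGP session, as an added example (not Flowmon code): the Flowspec NLRI for the match part and the traffic-rate extended community for the discard action, plus the same rule in ExaBGP's text syntax. The RFC 8955 wire encoding is standard; the ExaBGP rendering is written from memory of that tool's configuration format and is an assumption to check against its documentation before use.

```python
"""Encode a Flowspec rule (RFC 8955, formerly RFC 5575) from an attack
signature. Added example, not Flowmon DDoS Defender code."""
from __future__ import annotations
import struct
from ipaddress import ip_network

# Component types the 'BGP Flowspec' slide lists (RFC 8955 section 4.2)
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, ICMP_TYPE, ICMP_CODE = 1, 2, 3, 5, 7, 8


def prefix_component(ctype: int, cidr: str) -> bytes:
    """<type><prefix length><prefix octets, only as many as the length needs>"""
    net = ip_network(cidr)
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[: (net.prefixlen + 7) // 8]


def numeric_component(ctype: int, values: list[int]) -> bytes:
    """<type> then one {operator, value} pair per value: equal-match, OR-ed, e-bit on the last."""
    out = bytes([ctype])
    for i, v in enumerate(values):
        if not 0 <= v <= 0xFFFF:
            raise ValueError(f"value out of range: {v}")
        len_bits = 0 if v < 256 else 1                  # operand length field: 1 or 2 octets
        op = 0x80 if i == len(values) - 1 else 0x00     # e bit = end of list
        op |= (len_bits << 4) | 0x01                    # length field, eq bit
        out += bytes([op]) + v.to_bytes(1 << len_bits, "big")
    return out


def encode_nlri(dst=None, src=None, proto=None, dport=None, icmp_type=None, icmp_code=None) -> bytes:
    """Components must appear in ascending type order; the length prefix is 1 octet below 240."""
    body = b""
    if dst is not None:
        body += prefix_component(DST_PREFIX, dst)
    if src is not None:
        body += prefix_component(SRC_PREFIX, src)
    for ctype, vals in ((IP_PROTO, proto), (DST_PORT, dport), (ICMP_TYPE, icmp_type), (ICMP_CODE, icmp_code)):
        if vals is not None:
            body += numeric_component(ctype, [vals] if isinstance(vals, int) else list(vals))
    if not body:
        raise ValueError("an empty Flowspec rule would match everything")
    if len(body) < 240:
        return bytes([len(body)]) + body
    return (0xF000 | len(body)).to_bytes(2, "big") + body


def traffic_rate_community(rate_bytes_per_s: float, asn: int = 0) -> bytes:
    """Extended community type 0x8006: 2-octet AS, IEEE float rate in bytes/s; 0.0 means discard."""
    return struct.pack("!HHf", 0x8006, asn, rate_bytes_per_s)


def exabgp_rule(dst: str, proto: int, dport: int, action: str = "discard") -> str:
    """ExaBGP-style text for the same rule (syntax is an assumption, see the lead-in)."""
    return "\n".join([
        "flow {", "  route {", "    match {",
        f"      destination {dst};", f"      protocol {proto};", f"      destination-port ={dport};",
        "    }", "    then {", f"      {action};", "    }", "  }", "}",
    ])


if __name__ == "__main__":
    # Dynamic signature from the slide: Dst IP 1.1.1.1/32, Dst Port 135, IP protocol 17 (UDP), discard
    nlri = encode_nlri(dst="1.1.1.1/32", proto=17, dport=135)
    print("NLRI:  ", nlri.hex(" "))
    print("action:", traffic_rate_community(0.0).hex(" "))
    print(exabgp_rule("1.1.1.1/32", 17, 135))
```

For the slide's signature the NLRI is 13 bytes: length 0x0c, then 01 20 01 01 01 01 (destination /32), 03 81 11 (protocol == 17) and 05 81 87 (destination port == 135). The rule is as narrow as the signature: adding a source prefix would only help against a non-spoofed attack, and a rule with no destination at all would drop the port for every customer behind the router, which is why the detector's job is to produce a signature with the destination filled in.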

Flowmon Networks

Flowmon Networks is an international vendor devoted to innovative network traffic, performance and security monitoring
- 700+ customers, 30+ countries
- First 100G probes in the world
- Strong R&D background, European origin
- Customer references

Technology partner of premium vendors
The only vendor recognized in both NetFlow-related Gartner reports (network visibility & security, Magic Quadrant)

Flowmon Portfolio
- Network Visibility / IT Operations: Network Performance Monitoring and Diagnostics (NPMD), Application Performance Monitoring (APM)
- Security: Network Behavior Analysis (NBA), DDoS Detection & Mitigation

Flowmon Architecture
- Flow export from already deployed devices
- Flow data export + L7 monitoring
- Flow data collection, reporting, analysis
- Flowmon modules for advanced flow data analysis

Flowmon Architecture
- Flowmon Probes & Collectors: IPFIX/NetFlow export, Flowmon Collector; network visibility, troubleshooting
- Flowmon extension modules: Flowmon Anomaly Detection (network security), Flowmon DDoS Defender (DDoS protection), Application Performance Monitoring, Flowmon Traffic Recorder

User Perspective
Next Generation Network Monitoring (NetFlow/IPFIX)
- Full network traffic visibility
- Close to real-time and historical data for LAN, WAN and Internet communications
- Network operation & connectivity cost optimization
- Effective troubleshooting
Next Generation Network Security (NBA, NBAD)
- Bridges the gap left by endpoint, perimeter and signature-based security solutions
- Behavior-based anomaly detection
- Detection of polymorphic malware, zero-day attacks, suspicious data transfers, behavior changes and various operational and configuration issues

User Perspective
Full Packet Capture
- On-demand packet capture for troubleshooting and forensic analysis, producing PCAP files
- Traffic capture capabilities on 1G/10G/40G
- Distributed architecture
Application Performance Monitoring
- Agent-less monitoring of all user transactions
- No influence on the target application
- Designed for HTTP/HTTPS and SQL applications
DDoS Protection
- Flow-based detection of volumetric attacks
- Universal deployment scenarios (stand-alone, integrated, with scrubbing center)
- Traffic diversion and control of the mitigation process

Summary: Make Use of Flow Data

Levels of Visibility
- SNMP monitoring (basic monitoring): amount of transferred data, number of packets; insufficient on its own
- Flow monitoring (based on IP flows; Flowmon): traffic structure visibility, anomaly detection and reporting
- Packet analysis: for forensics and to deal with specific issues

Using Flow Data for Security
- Keep in mind that there is no silver bullet: security is a balanced combination of technology, people and processes
- Flow data & probes can help you with:
  moving infrastructure monitoring to the next level;
  traffic visibility, engineering and troubleshooting;
  performance reporting and analysis;
  bridging the gap left by signature-based products;
  detection and mitigation control of volumetric DDoS;
  incident response and on-demand full packet capture

Thank you Flowmon Networks, a.s. U Vodarny 2965/2 619 00 Brno, Czech Republic www.flowmon.com