INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

Transcription

1 WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by capturing, aggregating and analyzing session flow details from around the network. 3Com s Intelligent Management Center (IMC) centralized network platform provides the intelligent collection, analysis and reporting services that maximize the insight that can be gleaned from flow data to circumvent issues, ensure quality of service (QoS) and expedite remediation. Introduction: What is a flow and what does it show? Networking equipment, including switches, routers and firewalls, are designed to handle enormous amounts of information in individual IP packets. While network infrastructure components can process these packets very efficiently, most network administrators and security teams are easily overwhelmed by trying to sort out what is really going on in their network by understanding packet-level details. For real network status, a much more useful way of correlating and analyzing network traffic events is to look at traffic flows, rather than at packet-level details. A network flow is essentially an entire session between a particular client and host (or any two network nodes) for a particular service or application, using a particular protocol, over an extended period of time. More specifically, a flow is defined as a series of packets between two systems that have virtually identical packet headers: IP source and destination addresses, source and destination ports, protocol, interface, and type of service. Flow data is commonly produced by routers, Layer 3 switches, and many other devices. In fact, the data is already being produced by your network the challenge is collecting, aggregating and analyzing flow data so it can become a valuable asset for your network management efforts. The H3C Intelligent Management Center (IMC) plays a pivotal role in making this a reality. Since a flow represents a particular network conversation consisting of potentially many thousands of packets, a network admin can look at flow statistics and frequently get more insight into what is happening in the network without being overwhelmed with a seemingly infinite amount of data. If a particular flow or a series of flows looks abnormal, the admin can drill down into the packet details as needed, with the flow data providing a mechanism for focusing a more detailed analysis towards suspicious areas. Typically, however, flow data can provide much more insight into network health status and operations in a much more intuitive fashion that can expedite remediation efforts. By correlating port and protocol statistics for individual sessions, flow data can also provide visibility to application activity to detect compliance breaches and implement QoS policies in the network.

2 2 INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Figure- IMC can graphically display enterprisewide traffic statistics and analysis to quickly identify anomalies, suspicious behavior and security breaches based on data provided from the SecBlade NetStream module. Comparing NetFlow, sflow and NetStream data The flow data produced by networks generally comes in one of three common formats: NetFlow, sflow and NetStream. Standardization around these formats makes it possible for routers and switches to send their flow data to a wide variety of collectors and analysis tools, and to be combined with flows in multi-vendor networks for wider analysis. Flow data has now become an important part of network scalability and performance, particularly in busy router cores and edge devices that handle a large number of concurrent, short-duration flows. NetFlow is the oldest of the flow formats. It originally served as a caching algorithm in network devices, which helped optimize network efficiency. Since this data was already being collected, it made sense to eventually export it for analysis and reporting purposes, which could be done without much additional overhead to the network device. NetFlow has spawned various iterations it is now up to version 9 as well as similar formats that have been optimized for different purposes and processing. sflow was created as a standard in 2001 for high-speed networks based on sampled data rates, rather than 100 percent packet capture. Because it was developed exclusively as a monitoring technology, rather than NetFlow s initial design as a caching technology, sflow tends to be more scalable and can provide more detailed statistics on all layers L2-7 throughout the network. As a result, it has gained wide acceptance from network vendors. NetStream, a flow format created by 3Com for its H3C enterprise networking products, includes additional flow details and is compatible with NetFlow analysis tools. IMC, as the collection and analysis engine, can handle flow data in all of these formats from a wide range of devices from many manufacturers in order to provide network-wide visibility. Additionally, a new IETF standard based on the latest version of NetFlow and called IPFIX (IP Flow Information export) is emerging. IPFIX enables custom fields to be included in the flow format data, making the protocol flexible enough to accommodate future improvements, such as information that could facilitate measurement, accounting or billing of network usage. IPFIX and the most recent versions of NetStream and NetFlow are also suitable for IPv6 and other advanced protocols.

3 3 INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Managing the Collection and Aggregation of Flow Data in Large Networks The number of flow types, differences between vendors, and the selection of a particular format shouldn t be a concern to enterprises, as long as they choose an aggregation and analysis system that can bring the information together from a wide range of network devices. IMC, for example, as the control center for enterprise-wide flow data, can collect and analyze all of the commercially available flow formats, including NetFlow, sflow, NetStream and IPFIX. As previously mentioned, these formats are similar, and reflect mainly specifics in the router and/or switch and what type of data they generate. Individual network devices are less flexible in what they produce in order to reduce overhead in generating flow data but IMC can collect and merge all of the commonly produced formats. The analysis process begins with the flow data generation in the network device. At this point, all of the individual packet information is already assembled into flows. As the flows expire in the network, they are exported to a collector along with the pertinent statistics for each flow. Each router or switch determines if an individual data packet should create a new flow or be added to an existing flow. These network devices use various algorithms to expire the flows based on timing and how they are terminated. Not all switches and routers can generate flows. If a particular network node requires flow analysis but doesn t generate flow data, it is possible to add network flow probes in-line with the network device, or more likely to collect the same data off a span port. In the case of select 3Com/H3C network devices, customers can add a NetStream monitoring module to the chassis; this serves to both generate flow data and collect data. Offloading flow tasks onto the module s separate processor can also improve device performance. Figure- IMC can graphically display enterprise-wide traffic statistics and analysis to quickly identify anomalies, suspicious behavior and security breaches based on data provided from the SecBlade NetStream module.

4 4 INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Mining Flow Data to Detect Security Breaches Most network administrators rely on some combination of firewalls, IPS systems, spam filters or anti-virus system to detect and block security breaches. Flow data serves as an excellent complement to these systems, especially against zero-day attacks and many sophisticated worms and botnets. Flow analysis can also provide an additional means of protection to detect firewalls that are poorly configured and passing unintended traffic. Flow analyzers can provide such valuable insight to administrators because they are looking at data that has already been correlated. Firewalls and IPS systems are analyzing individual packets and enforcing security policies, but flow data can detect anomalies over longer periods of time. Behavioral anomalies indicative of worm propagation, denial of service (DoS) attacks and the like may only be detected over an extended period by analyzing many flows, not individual packets. Flow data is particularly useful for detecting worm propagation. Since we know that worm-infected systems attempt to spread to other hosts through specific ports on other hosts, and that they have virtually no prior knowledge of the networks they are on, they have to perform broad network scans looking for vulnerabilities that they are capable of exploiting. These blind scans tend to generate legitimate packets for service requests, but generate a high number of abnormally terminated flows indicative of the worm s random probes. The worm will send a SYN packet to attempt to find an appropriate host, and many hosts will reply with RST/ACK to acknowledge the request but deny the inappropriate connection. A flow analyzer showing a higher than normal percentage of flows terminating in this manner or an increasing number of particularly short-lived flows from a particular host could be the telltale sign that the host has been infected. If this is a zero-day threat for which anti-malware signatures have not been released, it may be unlikely that the IPS or antivirus system would detect this attack early enough to prevent infection. Among other attributes, the flow data should also be able to correlate quickly, exactly what ports this abnormal pattern was specific to, providing highly relevant information to analyze and diagnose the threat vectors, better diagnose infection and shore up other vulnerable systems in the future. Flow information can quickly identify spam, including spam generated internally by bot-infected hosts that could leave an organization blacklisted or worse. Acceleration in the rate of SMTP traffic from an unlikely host, or at an abnormal hour of the day, could signal a compromised host or at least pinpoint where further analysis would be warranted. Admittedly, with flow analysis, you lose the ability to perform deep packet inspection to look for tell-tale signatures of infection. Yet, this is exactly why flow data is an excellent complement to IPS systems such as Tipping Point, which blocks in real-time the threats it identifies. Flow data will highlight the network abnormalities that only expose themselves over extended periods of time when correlated with a high degree of traffic from many devices around the network.

5 5 INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Detecting Applications and Ensuring Quality of Service with Flow Data Management and implementation of network QoS policies have become increasingly important and is one of the most challenging tasks for network architects. QoS can ensure sufficient bandwidth for high-priority application traffic, or guaranteed service levels for customers and applications that share a common network. Again, flow data analysis can greatly simplify policy design and validation. Since a flow is characterized by a single application between hosts, it is the optimum level of granularity at which to analyze network traffic and begin assigning policies. Among the information captured in the flow data are the port number and the protocol used for the flow session; this information can usually be mapped to a specific application being used in the transaction between hosts. The first step toward ensuring QoS policies is to understand the applications that are currently running on the network and establishing a baseline profile. IMC can certainly help with this traffic profiling, as well as assign discovered applications to policy groups. Enterprises may wish to assign highest priority for precious bandwidth to VoIP applications, missioncritical database applications or data center applications. Conversely, your QoS policy could reduce priority for video, Web traffic or peer-to-peer (P2P) applications as needed. By analyzing flow data in IMC, you can establish exactly how prevalent these applications are, where they are consuming bandwidth in the network and where policy adjustments are most required. IMC can also help verify QoS is implemented properly in the network. Since each router has to make its own decision about QoS, inconsistent router configurations can lead to unintended consequences. IMC can help ensure the desired QoS policies are deployed consistently through each hop of the network. Figure IMC gives tremendous insight into application usage on the network; this can be used to detect policy violations and make QoS decisions. In this chart, the amount of traffic for each of the identified applications is displayed in tabular form sorted by application as well as by graphical display of bandwidth usage compared to overall network traffic. In this case, the majority of the traffic is http (Web) application use.

6 6 INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Improve Compliance and Network Health from the IMC Console Analyzing flow data, even though packet level details have already been greatly correlated and simplified, can still be a tedious and puzzling task. Much less so with IMC. IMC enables administrators to create customized reports, analytical queries, define data views and quickly highlight where anomalous behavior is originating. The first task IMC performs is to create a baseline of normal behavior that can be used to identify anomalous flow behavior in many areas future traffic flows that deviate from this normal pattern can be flagged to generate alarms. IMC analysis of flow data also provides deeper insight into application usage patterns, since we are correlating flows based on port numbers, protocols used and service types. This can not only identify potential policy breaches and inappropriate uses of the network, but it can also be used to improve QoS or reconfigure the network to accommodate current traffic patterns. IMC typically displays the following information graphically: Top 50 sessions (flows) by source: Which hosts are generating the most sessions? Top 50 sessions by destination: Which hosts are the destinations of the most sessions? Bandwidth consumption for each application: Which applications are consuming the most bandwidth and the highest number of session flows on the network? Top applications by host: Which applications are generating the most session flows and traffic on each host? Session trends by host over time: How are flow trends changing over time across the network or at a single node compared with baseline statistics?

7 7 INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Conclusion Flow data is created by many network switches and routers, and can be used to your advantage to optimize your network s performance. Collecting and aggregating flow information can also lead to tremendous insight into network status and security trends. Although there are a number of flow formats and emerging standards, the key is to select a flow analysis tool that can collect information from the widest range of network devices and correlate information from a large heterogeneous environment. IMC is an ideal tool to capture and correlate all of your network s flow information to gain maximum visibility to network issues. The intuitive graphical interface and simple, but informative, reports quickly identify security issues that security appliances may have missed. IMC also provides statistics on application use to identify compliance issues, assist in capacity planning, as well as to help set and adhere to QoS policies.

8 8 INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Visit for more information about H3C enterprise solutions. 3Com Corporation, Corporate Headquarters, 350 Campus Drive, Marlborough, MA Com is publicly traded on NASDAQ under the symbol COMS. Copyright Com Corporation. All rights reserved. Comware, H3C, the H3C logo and SecPath are in various countries worldwide registered trademarks of 3Com Corporation or H3C Technologies Co., Ltd.. Intelligent Resilient Framework is a trademark of 3Com Corporation. All other company and product names may be trademarks of their respective companies. While every effort is made to ensure the information given is accurate, neither 3Com Corporation nor H3C Technologies Co., Ltd accepts liability for any errors or mistakes which may arise. All specifications are subject to change without notice /10