Novel Techniques for Monitoring Network Traffic at the Flow Level


Diss. ETH No TIK-Schriftenreihe Nr. 140

Novel Techniques for Monitoring Network Traffic at the Flow Level

A dissertation submitted to ETH ZURICH for the degree of Doctor of Sciences

presented by Eduard Glatz, Dipl. El.-Ing. ETH, born July 15, 1955, citizen of Zurich and Basel

accepted on the recommendation of
Prof. Dr. Bernhard Plattner, examiner
Dr. Xenofontas Dimitropoulos, co-examiner
Prof. Dr. Björn Scheuermann, co-examiner
Dr. Walter Willinger, co-examiner

2013


Abstract

Research in Internet measurement provides us with new ways to understand, operate and improve the Internet. Learning from network traffic data requires a well-chosen set of analysis techniques. We envision a rich toolbox available for this task, and delve into novel techniques and their application on large data sets to extend the choice of analysis schemes. In particular, we focus on traffic data at the network level that is readily available from commercial routers in the form of flow metadata (e.g. NetFlow), to enable analyses of ever growing traffic volumes with low demands on the measurement infrastructure.

This thesis consists of two major parts. In the first part, we explore a promising approach to study unsolicited traffic without the need to reserve unpopulated IP address ranges for this task, as has been done in the past. Our approach is to study one-way traffic, i.e., packets that never receive a reply in live networks. We introduce a novel scheme to classify one-way traffic at the flow level into interpretable classes. We validate this scheme on a data set that we prepare using all informative details available from packet data (e.g. header and payload contents). We use our classifier to shed light on the composition of one-way traffic, and illustrate how the particular class of Unreachable Services can be used to passively detect network service outages by processing flow-level traffic data only. Moreover, to obtain a comprehensive view of one-way traffic, we conduct a large-scale study covering eight years of traffic data, leading to new insights about the evolution of this exotic piece of traffic over time and space.

In part two, we present novel visualization methods following the well-known adage "A picture is worth a thousand words". In particular, we tackle the problems of how to summarize data to extract the most relevant information from big data sets, and how to visualize this information in an easily interpretable way. We envision a top-down workflow that in a first step identifies possibly hidden patterns in a data set captured from a potentially large network, followed by a second step that involves a closer inspection of the traffic of individual end systems or subnets. Specifically, we use frequent itemset mining to obtain a list of the most relevant patterns from the traffic data of a network, which we then visualize through hypergraphs. Then we make use of a graph representation and a domain-specific summarization scheme, based on the characteristics of typical host roles (e.g. client, server, P2P), to provide a quick overview of what roles a host assumes and what applications it runs. We demonstrate the usefulness of our approach by using proof-of-concept implementations in a number of illustrative case studies.

Kurzfassung (German abstract, translated to English)

Research in Internet traffic data analysis shows us new approaches to understanding, operating and improving the Internet. Gaining new insights from traffic data, however, requires the use of well-chosen analysis techniques. Our goal is to provide a rich set of instruments for this purpose, which is why we investigate new analysis techniques and their application to large data sets. In particular, we focus on flow data at the network layer (e.g. NetFlow), which commercial routers readily make available, in order to analyse ever growing traffic volumes with little infrastructure effort.

This dissertation is organized into two main parts. In the first part we investigate a promising approach to the analysis of unsolicited traffic that does not require reserving an unused IP address range for this purpose, as has been done so far. We study the phenomenon of one-way traffic, i.e., network packets that receive no reply in operational networks. We introduce a novel classification scheme to divide one-way traffic at the flow level into interpretable classes. We validate this scheme using additional detail information (e.g. the header data of all packets, payload contents) that only packet traces can provide. We use our classifier to make the composition of one-way traffic visible, and illustrate the usefulness of the particular class Unreachable Services for passively detecting service outages from flow data alone. Furthermore, we conduct an extensive study in which we analyse one-way traffic over a period of eight years and gain new insights into the properties of this exotic share of traffic and its evolution across time and space.

In the second part of the thesis we present new visualization methods, following the proverb "A picture is worth a thousand words". In particular, we address methods for condensing very large data sets and extracting relevant information, and develop techniques for interpreting and visualizing such information. Our methodology is a top-down procedure: in a first step the potentially present hidden patterns of a traffic data set, captured in a possibly very large computer network, are identified, followed by a second step in which the traffic data of individual end systems or subnets are inspected in detail. Specifically, we use frequent itemset mining to extract a list of the most relevant patterns, which we visualize in the form of hypergraphs. We then use a domain-specific data summarization approach, based on the properties of typical end-system roles (client, server, P2P), to selectively present the network traffic of a single host as a graph overview, so that its roles and the applications it runs are immediately recognizable. Using proof-of-concept implementations, we show the usefulness of our approach in illustrative case studies.

Contents

Abstract
Kurzfassung
Contents
List of Figures
List of Tables

INTRODUCTION
1 Network Traffic Monitoring
    1.1 Relevance
    1.2 Application Areas
    1.3 State of the Art
    Data Sets
    Research Problems
    Contributions
2 Traffic Data Visualization
    Relevance
    2.2 Application Areas
    State of the Art
    Research Problems
    Contributions
Outline
References

PART I: ANALYZING ONE-WAY TRAFFIC
4 Classifying Internet One-way Traffic
    Abstract
    Introduction
    Preliminaries
    Data Sets and Sanitization
    Data Sanitization
    One-way Traffic Classification
    Signs
    Classifier
    Validation
    Validation Setup
    Validation Criteria
    Validation Results
    Impact on Flow Classifier
    One-way Traffic Composition
    Service Availability Monitoring
    Methodology
    Outages and Misconfigurations
    Related Work
    IBR Traffic in Network Telescopes
    IBR Traffic in Live Networks
    Network Outages
    Conclusions
    References
5 A First Look Into IBR In A Large Greynet
    Abstract
    Introduction
    Related Work
    IBR Traffic in Dark Nets
    IBR Traffic in Live Networks
    Data Sets and Sanitization
    NetFlow Data Sanitization
    ITU Internet Penetration Data Sanitization
    Targeted Services and Hosts
    Top Target Ports of IBR Traffic Over 8 Years
    Persistently Targeted Ports Over Time
    Distribution of IBR Traffic Over Ports and Hosts
    Source Characterization
    Spacetime Analysis
    Evolution of Geographical Distribution of IBR Traffic
    Evolution of the Spatial Distribution of IBR Traffic
    Conclusions
    References

PART II: VISUALIZING NETWORK TRAFFIC
6 Visualizing Big Network Traffic Data
    Abstract
    Introduction
    Related Work
    Visualization Scheme
    FIM
    Visualization
    Scaling to Large Data Sets
    Use Cases
    Use case 1: Traffic Profiling
    Use case 2: Attacks and Misconfigurations
    Conclusions
    References
7 Visualizing Host Traffic through Graphs
    Abstract
    Introduction
    HAPviewer
    Host Traffic Representation
    Host Role Summarization
    Flow Classification and Filtering
    Case Studies
    Situational Awareness
    Analysis of an IDS Alarm
    Discussion
    Related Work
    Future Work
    Conclusions
    7.8 Acknowledgements
    References

CONCLUSIONS
8 Summary and Conclusions
    One-way Traffic Classification and Characterization
    Network Traffic Data Visualization
Future Work and Outlook
    Automatic Inference of One-way Flow Classification Rules
    Classifying Outbound One-way Traffic
    Characterizing One-way Traffic on IPv
    Subclassifying One-way Traffic linked to DoS Attacks
    A Long-term Study of the Reachability of Services
    Comparing One-way Traffic Analysis with Network Telescopes
    In-depth Analysis of the One-way Class Suspected Benign
    Extending the Host Application Profile Viewer
    Extending FIM Visualizations of Network Traffic
References

APPENDIX
10 Data Sets
11 Limitations
    NetFlow Data Set
    NetFlow Pre-Processing
    One-way Flow Perspective
    Classification Rules
Additional Measurements
    Routing Symmetry Tests
    One-way Traffic Sources
    References
List of Publications
    Related
    Non-Related
Acknowledgements

List of Figures

1.1 Network monitoring methods
Two- and one-way traffic illustrated
Network telescope traffic
Five flow types illustrated
Example of a communication graph
Example of a parallel coordinate plot
Example of a treemap visualization
Impact of time interval size on flow metrics
Mixture of one- and two-way flows
Rule refinement stages
Evolution of one- and two-way flow counts
One-way flows as a (mean) fraction of all
Composition of one-way traffic
Coinciding outage on most university services
Illustration that shows security-relevant events
Persistency of TCP destination ports
Persistency of UDP destination ports
IBR flows received by a target port versus port rank
IBR traffic flow volume over time decomposed
5.6 IBR flows received by a target host
Source host activity patterns
Average daily number of IBR flows per source
One-way flows generated per host versus host rank
IBR and regular flow sources and targets
Top-k persistence versus k (unnormalized)
Top-k persistence versus k (normalized)
IPv4 address space distributions of sources by ports
Example of a parallel-coordinate plot
Example of a FIM visualization
Runtime diagram
Traffic profiling example
Attacks and misconfigurations example
Illustrative graph visualization example
Host application profile (HAP) graphlet
Example of a server role summarization
Host roles definitions
Example of a HAP graphlet
Example showing flow directions
Example of a host browse list
Example of a scan target
Example of a scan source
Example of a flow list
Example of a scan pattern
Example of a P2P host pattern
Example of a P2P flow list

List of Tables

4.1 Size of data sets per year
Overview of defined signs
Rules used to classify one-way flows
Results of validation
Composition of one-way flow classes
Flow data set description
List of top-10 target ports of one-way flows
Top-10 countries of IBR scan flows
Top-10 countries of IBR scan (normalized)
Size of data sets per year
Fraction of pot. artificial inbound one-way flows
Unique One-way Traffic Sources


INTRODUCTION


Research in Internet measurement provides us with new ways to understand, operate and improve the Internet. Learning from network traffic data requires a well-chosen set of analysis techniques. We envision a rich toolbox available for this task, and delve into novel techniques and their application on large data sets to extend the choice of analysis schemes. In this introductory part we illustrate the relevance of network traffic monitoring and traffic data visualization. This includes a survey of application areas, a discussion of the state of the art and a description of the research problems investigated. We conclude with a summary of our contributions and provide an overview of how this thesis is organized.


Chapter 1
Network Traffic Monitoring

1.1 Relevance

Today, the usage of the Internet penetrates most areas of our life, making the Internet an important infrastructure for our society. According to the International Telecommunication Union (ITU) [100], average Internet penetration¹ had reached 35.7% for its member countries by the end of 2010, after a growth of 809% since 1998.² To operate such an infrastructure requires intimate knowledge of its working and its state at any moment. This is the task of network monitoring, as it is performed in a decentralized manner by the network administrators of many organizations supervising the networks they are responsible for.

¹ Internet penetration is measured as the percentage of inhabitants using the Internet.
² Similar figures are reported by the Organisation for Economic Co-operation and Development (OECD) for industrialized countries. In particular, the OECD estimates Internet penetration [101] for its member countries at 25.2% on average by Q2/2011, with a growth of 582% between Q2/2002 and Q2/2011.

However, measuring the Internet is not as easy as it might appear at first sight: there are many pitfalls to be avoided and problems to be solved [102]. Moreover, the extent to which a measurement infrastructure is established today is limited, due to the decentralized organization of the Internet, trade-offs between the cost of infrastructure and the measurement support it provides, and privacy concerns. As a consequence, the Internet cannot be characterized precisely and we have only an incomplete view of its working and its state. Many quantitative measures of the Internet are still missing or at least incomplete. Furthermore, handling the huge data sets that result from ever growing traffic volumes calls for new ways to extract interesting information from summarized data, as it is readily available in the form of flow metadata (e.g. NetFlow).

1.2 Application Areas

There are many reasons why networks should be monitored. Network administrators want to know how well the network infrastructure is running and whether any traffic anomalies need further attention. At the same time they observe a traffic growth which routinely requires an extension of the network infrastructure to provide sufficient bandwidth to end users at any time. Additionally, emerging new applications can change the character of network traffic and therefore should not escape the attention of network administrators. As part of the quality assurance monitoring process, network traffic can help to check for compliance with service level agreements (SLAs). Furthermore, privacy and availability concerns often call for network monitoring to detect security incidents, preferably at an early stage, or finally as part of forensic investigations to prosecute offenders and harden the infrastructure. Organizations offering network services to clients can use network traffic data to measure the actual usage as input data for billing their services [103]. On the other hand, researchers seek new insights into the operation of network infrastructure, networked applications and protocols, with the goal of improving them or providing useful information to those in charge of this task.

Network traffic can be monitored across protocol layers (see Fig. 1.1 for an overview).

Figure 1.1: Network monitoring methods can be grouped into active (on the left) and passive techniques (on the right). Furthermore, employed data sets can be ranked by increasing granularity of the details they provide (top-to-bottom inside the rectangle). Active measurements (injecting traffic): traceroute, ping, active responders. Passive measurements (listening to traffic): BGP data, SNMP data, IDS alerts, log data, flow data, packet data / deep packet inspection. Granularity levels: inter-domain path, router/switch, end host, application instance, endpoint connection.

Lower level protocol data consists primarily of router and link-level data that commonly is collected by an infrastructure using the Simple Network Management Protocol (SNMP). A popular use of SNMP data is the monitoring of basic information such as packet loss, delay and throughput with tools such as Observium [104] or MRTG [105, 106]. SNMP data can be made available from virtually everywhere in a network, making it a ubiquitous data source. But SNMP data typically is aggregated information that does not provide details about the sources and destinations of traffic. Besides, SNMP frequently is used to build up-to-date inventories of network infrastructure based on a Management Information Base (MIB).

An alternative is the gathering of packet traces [107] as part of Deep Packet Inspection (DPI), which records packet contents at a configurable granularity of detail. This granularity is set by the number of attributes supported and the amount of payload captured per packet. Packet traces provide details at several protocol layers owing to the encapsulated nature of packets: this starts at the link layer and goes up to the application layer, as recorded packets contain higher-layer packet contents as payload data of the underlying layers. Packet traces support, e.g., the measurement of packet jitter and round-trip time (RTT) through very precise timestamps. But gathering packet traces places high demands on the infrastructure to store and process the collected data, due to the immense volume of such data sets.

A next alternative is the use of flow-level data, e.g. in the form of the popular NetFlow [108, 109]. Flow-level data sets provide per-connection metadata as summaries over all involved packets. This comprises, e.g., the total packet and byte counts alongside the source and destination addresses and the protocol used at the network layer. Still, gathering flow-level data at high-speed links may impose too high a demand on the infrastructure. In this situation sampling is often used, which, e.g., only includes every n-th packet in the traffic data (other sampling strategies exist). Finally, at the application layer the amount of traffic data typically is much smaller, making this kind of network

monitoring a good choice for some monitoring tasks. Such data sets are created by application programs that log important information about their network communications. Application-layer data sets can be collected by client or server programs. Popular examples of such data sets are server logs provided by web and DNS servers.

Besides, there are more specialized measurement techniques that, e.g., focus on traffic routing by inspecting exterior gateway protocol data, e.g. created by the Border Gateway Protocol (BGP). BGP data can be used to infer the Internet inter-domain (AS-level) topology and to assess route stability [110, 111]. Security appliances such as firewalls and Intrusion Detection Systems (IDS) create log entries that list, e.g., permitted and denied connections or alerts about suspicious traffic.

So far, we have surveyed monitoring techniques that work passively, i.e., non-intrusively on the network traffic. For some tasks active measurements are more helpful. A popular technique is the use of the ping command to test the reachability of a destination system and the packet round-trip time. The program traceroute allows one to inspect the path packets travel from source to destination, alongside the transfer times experienced.

A further source of information about selected details of network traffic are databases. To geo-locate a source or destination system by IP address, the Domain Name System (DNS) can provide the registered name (if any), including the top-level domain name identifying a country (e.g. "ch"). Some top-level domain names are ambiguous when a country should be identified, e.g. the name "org". In this situation alternative geo-location databases give more detailed information. Such databases commonly are maintained by commercial companies and may provide a finer granularity, e.g. at the region or even city level. To learn more about the size of the network where packets originate from or are targeted at, BGP data collected as part of BGP traffic monitoring can be valuable. Such a data set can associate individual IP addresses with subnets (identified by their network address and prefix length) and the associated Autonomous System (AS) number.

Finally, we note that traffic data in principle can be gathered at any level of the Internet topology and from infrastructure operated by any organization that participates in the Internet. In practice, there are many limitations for several reasons. For example, it is hard to exchange traffic data between interested organizations due to privacy concerns and legal requirements. This frequently raises the question whether the measurement results obtained from one network are applicable to another network. A more detailed description of network monitoring issues can be found in [102].

In summary, surveying the field of network monitoring we find a considerable diversity of data sources. Depending on the observation point and the measurement methodology, a collected data set can be useful for multiple analysis purposes, but usually not for all. This requires a careful study of exactly what information can be inferred from a data set and, as a consequence, for what tasks it can be useful. Ignoring this preparatory step can lead to insights that are built on sand and are finally found to be misleading [112].

Network traffic can be decomposed into two-way traffic, representing dialogs between end systems, and one-way traffic, i.e., packets that never receive a reply (see Fig. 1.2 for examples). In this thesis we are interested in one-way traffic, a very specific and less known perspective on network traffic. One-way traffic represents monologs resulting from a number of communication situations which are of utmost interest to operators and researchers, as they are associated with interesting events. Examples of such events are unreachable services, misconfigurations, scanning, prefix hijacking, filtering by Network Address Translation (NAT) and firewalls, peer-to-peer applications, congestion and routing loops. Besides, one-way traffic constitutes a large fraction of Internet traffic (in terms of the number of flows). In this work we focus on one-way traffic at

the network layer and use flow-level data to classify and further characterize this exotic piece of traffic. The use of flow-level data for analyzing one-way traffic is particularly interesting for network operators, as flow data can be collected from routers as a by-product of operation. In contrast, prior work used either packet traces or IDS connection logs. Both data types require extra infrastructure that does not scale well to large networks.

Figure 1.2: Two-way traffic is the regular case (A), when there are replies to sent messages. On the other hand, one-way traffic results whenever packets get lost or are blocked on their way to the receiver or on the return path (B, C). Figure (C) illustrates another case of one-way traffic, when the receiver is not responsive or does not even exist.

1.3 State of the Art

In the past, one-way traffic has been studied in a number of different ways to gain insight into its nature and causes. We describe the most popular techniques next. A traditional instrument to study one-way traffic is a network telescope, i.e., an infrastructure which routes traffic targeted at an
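The distinction drawn above, between flows that receive a reply and flows that do not, can be checked directly on NetFlow-style records when the observation point sees both directions of a link. The following Python example is added here to illustrate that; it is not code from the thesis, and its record format, the 60-second pairing window, the local prefix 192.0.2.0/24 and the `min_flows` threshold are assumptions of the example. It pairs each flow with a flow carrying the mirrored 5-tuple, splits the records into two-way and one-way flows, and then applies the Unreachable Services idea from the abstract in its simplest form: a local service that answered clients in a baseline period but now only receives unanswered flows is reported as an outage candidate, whereas a port that never answered (a scan target) is not.

```python
"""Pair NetFlow-style records into two-way and one-way flows and flag
local services that stopped answering.  Added example, not thesis code;
the record format, pairing window and thresholds are assumptions."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: float   # flow start time in seconds (NetFlow "first seen")
    src: str
    dst: str
    proto: int     # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    packets: int


def parse_flows(text):
    """Parse constructed records: 'start src dst proto sport dport packets'."""
    flows = []
    for line in text.strip().splitlines():
        f = line.split()
        flows.append(Flow(float(f[0]), f[1], f[2], int(f[3]),
                          int(f[4]), int(f[5]), int(f[6])))
    return flows


def split_one_way(flows, window=60.0):
    """Return (two_way, one_way).  A flow is two-way if some flow with the
    mirrored 5-tuple starts within `window` seconds of it; otherwise it is
    a monolog (one-way) as seen from this observation point."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.proto, f.sport, f.dport)].append(f)
    two_way, one_way = [], []
    for f in flows:
        mirrored = by_key.get((f.dst, f.src, f.proto, f.dport, f.sport), [])
        if any(abs(r.start - f.start) <= window for r in mirrored):
            two_way.append(f)
        else:
            one_way.append(f)
    return two_way, one_way


def service_stats(flows, local_net, window=60.0):
    """For each inbound (dst, proto, dport) inside local_net, count flows
    that were answered and flows that were not."""
    net = ipaddress.ip_network(local_net)
    two_way, one_way = split_one_way(flows, window)
    stats = defaultdict(lambda: {"two_way": 0, "one_way": 0})
    for label, group in (("two_way", two_way), ("one_way", one_way)):
        for f in group:
            if ipaddress.ip_address(f.dst) in net:
                stats[(f.dst, f.proto, f.dport)][label] += 1
    return dict(stats)


def unreachable_candidates(baseline, recent, min_flows=3):
    """Services that answered at least once in the baseline period but
    received only unanswered flows (at least min_flows) in the recent
    period.  Ports that never answered are left out: that is scanning or
    misdirected traffic, not an outage."""
    hits = []
    for key, cur in recent.items():
        base = baseline.get(key)
        if (base and base["two_way"] > 0
                and cur["two_way"] == 0 and cur["one_way"] >= min_flows):
            hits.append(key)
    return sorted(hits)


# Constructed sample records (not real measurements).  Baseline: the web
# server 192.0.2.10:80 answers two clients; a scanner probes port 23.
BASELINE = """
1000.0  198.51.100.5  192.0.2.10    6  41000  80     12
1000.1  192.0.2.10    198.51.100.5  6  80     41000  10
1010.0  203.0.113.7   192.0.2.10    6  52000  80     9
1010.2  192.0.2.10    203.0.113.7   6  80     52000  8
1020.0  203.0.113.99  192.0.2.10    6  40001  23     1
1021.0  203.0.113.99  192.0.2.11    6  40002  23     1
"""

# Recent: the same web server no longer replies, DNS still works, and one
# local host sends an outbound flow that gets no answer.
RECENT = """
5000.0  198.51.100.5  192.0.2.10    6   41010  80     3
5005.0  203.0.113.7   192.0.2.10    6   52010  80     3
5010.0  198.51.100.8  192.0.2.10    6   41020  80     3
5020.0  198.51.100.5  192.0.2.53    17  53000  53     1
5020.05 192.0.2.53    198.51.100.5  17  53     53000  1
5030.0  192.0.2.20    203.0.113.50  6   44000  443    3
"""

if __name__ == "__main__":
    base = service_stats(parse_flows(BASELINE), "192.0.2.0/24")
    now = service_stats(parse_flows(RECENT), "192.0.2.0/24")
    for key in unreachable_candidates(base, now):
        print("unreachable service candidate:", key)
```

Two caveats matter in practice. A single observation point only sees both directions when routing is symmetric; with asymmetric routing the reply traverses another router and legitimate traffic looks one-way, which is why the appendix of the thesis lists routing symmetry tests. The baseline check guards against the other false positive: unanswered flows to a port that never served anything (port 23 in the sample) are scanning or misdirected traffic, not an outage.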

unpopulated IP address range to a measurement site [ ]. The idea of a network telescope is to observe traffic using destination IP addresses not assigned to any end system (IP darkspace). In this measurement setup incoming traffic stays unreplied, as it targets otherwise unused IP addresses. A network telescope enables the monitoring of different kinds of unsolicited traffic. For example, in scenario (A) in Fig. 1.3 an attacker sends a large number of requests to a victim system, trying to create a Denial-of-Service (DoS) situation. To remain hidden, the attacker forges the source IP addresses of these attack flows using random values that to some extent fall into the address space of the network telescope. Therefore the victim system sends replies towards the network telescope, among other random destinations. Network telescopes are also known as a darknet, while in contrast a live network can be designated a greynet in the context of one-way traffic analysis.

Figure 1.3: This figure illustrates three scenarios generating traffic that can be seen in a network telescope: backscatter traffic as a result of a Denial-of-Service (DoS) attack using spoofed source IP addresses (A), scanning of randomly chosen target hosts (B), and misdirected traffic due to configuration errors (C). (Figure elements: attacker, victim, scanner, network telescope; flow types: DoS attack, backscatter, scan flow, misdirected flow.)

An often used term for traffic seen in a network telescope is Internet Background Radiation (IBR), based on a definition as traffic sent to unused addresses [116, 117] or unsolicited one-way Internet traffic [118]. Network telescopes have been shown to be useful to study major worm outbreaks [ ], scanning and probing [116], misconfigurations [117], botnets [118, 122] and major network disruptions [123]. Typically, traffic towards a network telescope can be recorded with all packet details, as this setup does not suffer from the same privacy concerns and accompanying restrictions as production networks carrying sensitive information of a company or organization. At a few places [114, 124] parts of the incoming traffic towards a network telescope are used to actively probe the sources of this traffic, through manual exploration or so-called active responders, which are small programs that answer to predefined application protocols [113, 114] with the goal of verifying the kind of targeted service. However, this active approach is considered problematic as it can reveal the location of the network telescope in IP address space to the attacker [125]. If the location of a network telescope cannot be kept secret, then it might be avoided by attackers, thereby jeopardizing its value for the analysis of attack traffic. But even if an operator runs a network telescope passively, it can be detected by attackers when analysis results are published [126]. Network telescopes are blind to targeted attacks that use lists of previously identified victim systems and, therefore, provide an incomplete picture of the attack scene. Besides, a network telescope requires the availability of a substantial IP address range dedicated to this purpose, which is hard to achieve for those not yet in possession of one.

An extension of the idea of active responders is the use of so-called honeypots [127] that mimic an important end system, e.g. a web server, to attract attacks with the goal of analyzing them. In practice, such systems are measurement sites isolated from production networks that help operators and researchers to collect information about emerging attacks and to test countermeasures. A honeypot can be built as a dedicated computer system or as a guest on top of a system virtual machine [128], which makes it easy to run a farm of honeypots (a honey farm) at reasonable hardware cost. In contrast to network telescopes, honeypots allow the analysis of attacks that are specifically tailored to exploit server-type applications [129]. Moreover, they do not occupy a large number of IPv4 addresses, which likely cannot be reserved in the future for pure research purposes. But honeypots will miss attacks trying to exploit vulnerabilities of client applications, e.g. web browsers. Similar to network telescopes, honeypots can be avoided by attackers the moment their purpose is recognized and their exact IP address is identified [126]. Honeypots can be very useful to analyze particular attacks in depth, but they are less useful for creating macroscopic statistics on malicious traffic.

A third source of information about the failure or success of connection attempts is the use of dedicated intrusion detection systems (IDS) that create connection logs, such as the Bro system [130]. Connection logs are text files that describe each observed connection with a text line containing connection information and success or failure details. This data source is useful to analyze TCP traffic [116, 131, 132], and with extensions also UDP and ICMP traffic. But Bro and any similar system are resource-intensive, as they require the processing of packet traces.

A fourth approach makes use of IDS alerts to identify malicious or otherwise unwanted traffic. IDS alerts are text files that describe each suspicious observation with a text line comprising an estimated threat priority, connection details and a threat characterization. An interesting source of such IDS alert data is the Dshield project [133], which involves many sites contributing their alert data, providing a globally distributed perspective [134]. On the other hand, IDS alerts are limited by the employed ruleset that relies on the characteristics of


Edge Configuration Series Reporting Overview Reporting Edge Configuration Series Reporting Overview The Reporting portion of the Edge appliance provides a number of enhanced network monitoring and reporting capabilities. WAN Reporting Provides detailed

More information

On-Premises DDoS Mitigation for the Enterprise

On-Premises DDoS Mitigation for the Enterprise On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

Network Level Multihoming and BGP Challenges

Network Level Multihoming and BGP Challenges Network Level Multihoming and BGP Challenges Li Jia Helsinki University of Technology jili@cc.hut.fi Abstract Multihoming has been traditionally employed by enterprises and ISPs to improve network connectivity.

More information

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies White Paper Comparison of Firewall, Intrusion Prevention and Antivirus Technologies How each protects the network Juan Pablo Pereira Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda

More information

Seminar Computer Security

Seminar Computer Security Seminar Computer Security DoS/DDoS attacks and botnets Hannes Korte Overview Introduction What is a Denial of Service attack? The distributed version The attacker's motivation Basics Bots and botnets Example

More information

Internet Traffic Measurement

Internet Traffic Measurement Internet Traffic Measurement Internet Traffic Measurement Network Monitor Placement Measurement Analysis Tools Measurement Result Reporting Probing Mechanism Vantage Points Edge vs Core Hardware vs Software

More information

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC) james@cert.org.tw

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC) james@cert.org.tw Network Monitoring On Large Networks Yao Chuan Han (TWCERT/CC) james@cert.org.tw 1 Introduction Related Studies Overview SNMP-based Monitoring Tools Packet-Sniffing Monitoring Tools Flow-based Monitoring

More information

Firewalls Overview and Best Practices. White Paper

Firewalls Overview and Best Practices. White Paper Firewalls Overview and Best Practices White Paper Copyright Decipher Information Systems, 2005. All rights reserved. The information in this publication is furnished for information use only, does not

More information

Network-Wide Class of Service (CoS) Management with Route Analytics. Integrated Traffic and Routing Visibility for Effective CoS Delivery

Network-Wide Class of Service (CoS) Management with Route Analytics. Integrated Traffic and Routing Visibility for Effective CoS Delivery Network-Wide Class of Service (CoS) Management with Route Analytics Integrated Traffic and Routing Visibility for Effective CoS Delivery E x e c u t i v e S u m m a r y Enterprise IT and service providers

More information

Network Monitoring Using Traffic Dispersion Graphs (TDGs)

Network Monitoring Using Traffic Dispersion Graphs (TDGs) Network Monitoring Using Traffic Dispersion Graphs (TDGs) Marios Iliofotou Joint work with: Prashanth Pappu (Cisco), Michalis Faloutsos (UCR), M. Mitzenmacher (Harvard), Sumeet Singh(Cisco) and George

More information

Introduction. The Inherent Unpredictability of IP Networks # $# #

Introduction. The Inherent Unpredictability of IP Networks # $# # Introduction " $ % & ' The Inherent Unpredictability of IP Networks A major reason that IP became the de facto worldwide standard for data communications networks is its automated resiliency based on intelligent

More information

Intelligent Routing Platform White Paper

Intelligent Routing Platform White Paper White Paper Table of Contents 1. Executive Summary...3 2. The Challenge of a Multi-Homed Environment...4 3. Network Congestion and Blackouts...4 4. Intelligent Routing Platform...5 4.1 How It Works...5

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

How Cisco IT Protects Against Distributed Denial of Service Attacks

How Cisco IT Protects Against Distributed Denial of Service Attacks How Cisco IT Protects Against Distributed Denial of Service Attacks Cisco Guard provides added layer of protection for server properties with high business value. Cisco IT Case Study / < Security and VPN

More information

ΕΠΛ 674: Εργαστήριο 5 Firewalls

ΕΠΛ 674: Εργαστήριο 5 Firewalls ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks IPsonar provides visibility into every IP asset, host, node, and connection on the network, performing an active probe and mapping everything that's on the network, resulting in a comprehensive view of

More information

Detecting UDP attacks using packet symmetry with only flow data

Detecting UDP attacks using packet symmetry with only flow data University of Twente Department of Electrical Engineering, Mathematics an Computer Science Chair for Design and Analysis of Communication Systems Detecting UDP attacks using packet symmetry with only flow

More information

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding? Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

Concierge SIEM Reporting Overview

Concierge SIEM Reporting Overview Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts

More information

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,

More information

Inter-domain Routing Basics. Border Gateway Protocol. Inter-domain Routing Basics. Inter-domain Routing Basics. Exterior routing protocols created to:

Inter-domain Routing Basics. Border Gateway Protocol. Inter-domain Routing Basics. Inter-domain Routing Basics. Exterior routing protocols created to: Border Gateway Protocol Exterior routing protocols created to: control the expansion of routing tables provide a structured view of the Internet by segregating routing domains into separate administrations

More information

Security Toolsets for ISP Defense

Security Toolsets for ISP Defense Security Toolsets for ISP Defense Backbone Practices Authored by Timothy A Battles (AT&T IP Network Security) What s our goal? To provide protection against anomalous traffic for our network and it s customers.

More information

The Ecosystem of Computer Networks. Ripe 46 Amsterdam, The Netherlands

The Ecosystem of Computer Networks. Ripe 46 Amsterdam, The Netherlands The Ecosystem of Computer Networks Ripe 46 Amsterdam, The Netherlands Silvia Veronese NetworkPhysics.com Sveronese@networkphysics.com September 2003 1 Agenda Today s IT challenges Introduction to Network

More information

Nemea: Searching for Botnet Footprints

Nemea: Searching for Botnet Footprints Nemea: Searching for Botnet Footprints Tomas Cejka 1, Radoslav Bodó 1, Hana Kubatova 2 1 CESNET, a.l.e. 2 FIT, CTU in Prague Zikova 4, 160 00 Prague 6 Thakurova 9, 160 00 Prague 6 Czech Republic Czech

More information

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION MATIJA STEVANOVIC PhD Student JENS MYRUP PEDERSEN Associate Professor Department of Electronic Systems Aalborg University,

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute

More information

Guideline on Firewall

Guideline on Firewall CMSGu2014-02 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Firewall National Computer Board Mauritius Version 1.0 June

More information

C. Universal Threat Management C.4. Defenses

C. Universal Threat Management C.4. Defenses UTM I&C School Prof. P. Janson September 2014 C. Universal Threat Management C.4. Defenses 1 of 20 Over 80 000 vulnerabilities have been found in existing software These vulnerabilities are under constant

More information

Case Study: Instrumenting a Network for NetFlow Security Visualization Tools

Case Study: Instrumenting a Network for NetFlow Security Visualization Tools Case Study: Instrumenting a Network for NetFlow Security Visualization Tools William Yurcik* Yifan Li SIFT Research Group National Center for Supercomputing Applications (NCSA) University of Illinois at

More information

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Internet Protocol: IP packet headers. vendredi 18 octobre 13 Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)

More information

Deploying Firewalls Throughout Your Organization

Deploying Firewalls Throughout Your Organization Deploying Firewalls Throughout Your Organization Avoiding break-ins requires firewall filtering at multiple external and internal network perimeters. Firewalls have long provided the first line of defense

More information

Flow Analysis. Make A Right Policy for Your Network. GenieNRM

Flow Analysis. Make A Right Policy for Your Network. GenieNRM Flow Analysis Make A Right Policy for Your Network GenieNRM Why Flow Analysis? Resolve Network Managers Challenge as follow: How can I know the Detail and Real-Time situation of my network? How can I do

More information

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1 Table of Contents 1. REQUIREMENTS SUMMARY... 1 2. REQUIREMENTS DETAIL... 2 2.1 DHCP SERVER... 2 2.2 DNS SERVER... 2 2.3 FIREWALLS... 3 2.4 NETWORK ADDRESS TRANSLATION... 4 2.5 APPLICATION LAYER GATEWAY...

More information

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS) Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS) Internet (In)Security Exposed Prof. Dr. Bernhard Plattner With some contributions by Stephan Neuhaus Thanks to Thomas Dübendorfer, Stefan

More information

Module 7. Routing and Congestion Control. Version 2 CSE IIT, Kharagpur

Module 7. Routing and Congestion Control. Version 2 CSE IIT, Kharagpur Module 7 Routing and Congestion Control Lesson 4 Border Gateway Protocol (BGP) Specific Instructional Objectives On completion of this lesson, the students will be able to: Explain the operation of the

More information

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by

More information

Outline. Outline. Outline

Outline. Outline. Outline Network Forensics: Network Prefix Scott Hand September 30 th, 2011 1 What is network forensics? 2 What areas will we focus on today? Basics Some Techniques What is it? OS fingerprinting aims to gather

More information

PROFESSIONAL SECURITY SYSTEMS

PROFESSIONAL SECURITY SYSTEMS PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security

More information

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved. Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control

More information

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router

More information

NetFlow Analytics for Splunk

NetFlow Analytics for Splunk NetFlow Analytics for Splunk User Manual Version 3.5.1 September, 2015 Copyright 2012-2015 NetFlow Logic Corporation. All rights reserved. Patents Pending. Contents Introduction... 3 Overview... 3 Installation...

More information

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Chris Poulin Security Strategist, IBM Reboot Privacy & Security Conference 2013 1 2012 IBM Corporation Securing

More information

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users

More information

Acquia Cloud Edge Protect Powered by CloudFlare

Acquia Cloud Edge Protect Powered by CloudFlare Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....

More information

Chapter 15. Firewalls, IDS and IPS

Chapter 15. Firewalls, IDS and IPS Chapter 15 Firewalls, IDS and IPS Basic Firewall Operation The firewall is a border firewall. It sits at the boundary between the corporate site and the external Internet. A firewall examines each packet

More information

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? Drive-by Downloads are a common technique used by attackers to silently install malware on a victim s computer. Once a target website has been weaponized with

More information

BGP Prefix Hijack: An Empirical Investigation of a Theoretical Effect Masters Project

BGP Prefix Hijack: An Empirical Investigation of a Theoretical Effect Masters Project BGP Prefix Hijack: An Empirical Investigation of a Theoretical Effect Masters Project Advisor: Sharon Goldberg Adam Udi 1 Introduction Interdomain routing, the primary method of communication on the internet,

More information

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest

More information

FIREWALLS VIEWPOINT 02/2006

FIREWALLS VIEWPOINT 02/2006 FIREWALLS VIEWPOINT 02/2006 31 MARCH 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre for the Protection

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains LASTLINE WHITEPAPER Using Passive DNS Analysis to Automatically Detect Malicious Domains Abstract The domain name service (DNS) plays an important role in the operation of the Internet, providing a two-way

More information

Advanced Computer Networks IN2097. 1 Dec 2015

Advanced Computer Networks IN2097. 1 Dec 2015 Chair for Network Architectures and Services Technische Universität München Advanced Computer Networks IN2097 1 Dec 2015 Prof. Dr.-Ing. Georg Carle Chair for Network Architectures and Services Department

More information

ICMP Protocol and Its Security

ICMP Protocol and Its Security Lecture Notes (Syracuse University) ICMP Protocol and Its Security: 1 ICMP Protocol and Its Security 1 ICMP Protocol (Internet Control Message Protocol Motivation Purpose IP may fail to deliver datagrams

More information

IBM. Vulnerability scanning and best practices

IBM. Vulnerability scanning and best practices IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration

More information

Barracuda Intrusion Detection and Prevention System

Barracuda Intrusion Detection and Prevention System Providing complete and comprehensive real-time network protection Today s networks are constantly under attack by an ever growing number of emerging exploits and attackers using advanced evasion techniques

More information

Assignment One. ITN534 Network Management. Title: Report on an Integrated Network Management Product (Solar winds 2001 Engineer s Edition)

Assignment One. ITN534 Network Management. Title: Report on an Integrated Network Management Product (Solar winds 2001 Engineer s Edition) Assignment One ITN534 Network Management Title: Report on an Integrated Network Management Product (Solar winds 2001 Engineer s Edition) Unit Co-coordinator, Mr. Neville Richter By, Vijayakrishnan Pasupathinathan

More information

Overview. Firewall Security. Perimeter Security Devices. Routers

Overview. Firewall Security. Perimeter Security Devices. Routers Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security

More information

The flow back tracing and DDoS defense mechanism of the TWAREN defender cloud

The flow back tracing and DDoS defense mechanism of the TWAREN defender cloud Proceedings of the APAN Network Research Workshop 2013 The flow back tracing and DDoS defense mechanism of the TWAREN defender cloud Ming-Chang Liang 1, *, Meng-Jang Lin 2, Li-Chi Ku 3, Tsung-Han Lu 4,

More information

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...

More information

Distributed Denial of Service Attack Tools

Distributed Denial of Service Attack Tools Distributed Denial of Service Attack Tools Introduction: Distributed Denial of Service Attack Tools Internet Security Systems (ISS) has identified a number of distributed denial of service tools readily

More information

Understanding and Optimizing BGP Peering Relationships with Advanced Route and Traffic Analytics

Understanding and Optimizing BGP Peering Relationships with Advanced Route and Traffic Analytics Understanding and Optimizing BGP Peering Relationships with Advanced Route and Traffic Analytics WHITE PAPER Table of Contents Introduction 3 Route-Flow Fusion 4 BGP Policy Visibility 5 Traffic Visibility

More information

Dell SonicWALL report portfolio

Dell SonicWALL report portfolio Dell SonicWALL report portfolio Table of contents Dell SonicWALL Global Management System (GMS ) and Analyzer reports I. Sample on-screen reports II. Sample PDF-generated reports Dell SonicWALL Scrutinizer

More information

Securing and Monitoring BYOD Networks using NetFlow

Securing and Monitoring BYOD Networks using NetFlow Securing and Monitoring BYOD Networks using NetFlow How NetFlow can help with Security Analysis, Application Detection and Traffic Monitoring Don Thomas Jacob Technical Marketing Engineer ManageEngine

More information

Availability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013

Availability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013 the Availability Digest Prolexic a DDoS Mitigation Service Provider April 2013 Prolexic (www.prolexic.com) is a firm that focuses solely on mitigating Distributed Denial of Service (DDoS) attacks. Headquartered

More information

A VULNERABILITY AUDIT OF THE U.S. STATE E-GOVERNMENT NETWORK SYSTEMS

A VULNERABILITY AUDIT OF THE U.S. STATE E-GOVERNMENT NETWORK SYSTEMS A VULNERABILITY AUDIT OF THE U.S. STATE E-GOVERNMENT NETWORK SYSTEMS Dr. Jensen J. Zhao, Ball State University, jzhao@bsu.edu Dr. Allen D. Truell, Ball State University, atruell@bsu.edu Dr. Melody W. Alexander,

More information

Advanced Honeypot Architecture for Network Threats Quantification

Advanced Honeypot Architecture for Network Threats Quantification Advanced Honeypot Architecture for Network Threats Quantification Mr. Susheel George Joseph M.C.A, M.Tech, M.Phil(CS) (Associate Professor, Department of M.C.A, Kristu Jyoti College of Management and Technology,

More information

CS 356 Lecture 16 Denial of Service. Spring 2013

CS 356 Lecture 16 Denial of Service. Spring 2013 CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

More information

Troubleshooting Network Performance with Alpine

Troubleshooting Network Performance with Alpine Troubleshooting Network Performance with Alpine Jeffrey Papen As a Network Engineer, I am often annoyed by slow Internet performance caused by network issues like congestion, fiber cuts, and packet loss.

More information

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: Large organizations have spent millions of dollars on security

More information

Firewalls & Intrusion Detection

Firewalls & Intrusion Detection Firewalls & Intrusion Detection CS 594 Special Topics/Kent Law School: Computer and Network Privacy and Security: Ethical, Legal, and Technical Consideration 2007, 2008 Robert H. Sloan Security Intrusion

More information

Flow Analysis Versus Packet Analysis. What Should You Choose?

Flow Analysis Versus Packet Analysis. What Should You Choose? Flow Analysis Versus Packet Analysis. What Should You Choose? www.netfort.com Flow analysis can help to determine traffic statistics overall, but it falls short when you need to analyse a specific conversation

More information

UNMASKCONTENT: THE CASE STUDY

UNMASKCONTENT: THE CASE STUDY DIGITONTO LLC. UNMASKCONTENT: THE CASE STUDY The mystery UnmaskContent.com v1.0 Contents I. CASE 1: Malware Alert... 2 a. Scenario... 2 b. Data Collection... 2 c. Data Aggregation... 3 d. Data Enumeration...

More information

Routing & Traffic Analysis for Converged Networks. Filling the Layer 3 Gap in VoIP Management

Routing & Traffic Analysis for Converged Networks. Filling the Layer 3 Gap in VoIP Management Routing & Traffic Analysis for Converged Networks Filling the Layer 3 Gap in VoIP Management Executive Summary Voice over Internet Protocol (VoIP) is transforming corporate and consumer communications

More information

Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs

Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs As a head of the campus network department in the Deanship of Information Technology at King Abdulaziz University for more

More information

Gaining Operational Efficiencies with the Enterasys S-Series

Gaining Operational Efficiencies with the Enterasys S-Series Gaining Operational Efficiencies with the Enterasys S-Series Hi-Fidelity NetFlow There is nothing more important than our customers. Gaining Operational Efficiencies with the Enterasys S-Series Introduction

More information

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent? What is Network Agent? The Websense Network Agent software component uses sniffer technology to monitor all of the internet traffic on the network machines that you assign to it. Network Agent filters

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

HoneyBOT User Guide A Windows based honeypot solution

HoneyBOT User Guide A Windows based honeypot solution HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3

More information

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013 SOUTHERN POLYTECHNIC STATE UNIVERSITY Snort and Wireshark IT-6873 Lab Manual Exercises Lucas Varner and Trevor Lewis Fall 2013 This document contains instruction manuals for using the tools Wireshark and

More information

CloudFlare advanced DDoS protection

CloudFlare advanced DDoS protection CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com

More information

MPLS WAN Explorer. Enterprise Network Management Visibility through the MPLS VPN Cloud

MPLS WAN Explorer. Enterprise Network Management Visibility through the MPLS VPN Cloud MPLS WAN Explorer Enterprise Network Management Visibility through the MPLS VPN Cloud Executive Summary Increasing numbers of enterprises are outsourcing their backbone WAN routing to MPLS VPN service

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information