Using Argus to analyse network flows. David Ford OxCERT Oxford University Computer Services
2 What are network flows? A convenient way of representing traffic on your network. Each flow contains a timestamp, the source/destination IPs, protocol/ports, traffic volumes, and a status (eg RST, CON, TIM). One flow may represent many packets. Flows do not contain the packet payloads.
3 Why would I want to use them? Good for understanding network incidents Can help you to identify suspicious/abusive behaviour Can help in tracing other network issues (eg tracing the source of load on a particular link) Can help you ensure traceability of traffic
4 What is argus? Which Argus? We mean Argus, the Audit Record Generation and Utilisation System. It can capture from a live interface (eg a mirror/span port, or a fibre tap), from a Cisco NetFlow source, or from a pcap file, and indirectly from other sources such as sFlow (note that some features require a live interface)
5 What is argus (2) It stores data in its own record format, and contains tools to extract data as required Most of the tools for using it are command line driven, but can easily be automated to produce useful reports, or to extract the data you need Syntax for extracting data is very similar to that used by tcpdump/wireshark
6 Where to capture? Depends largely on your network topology, what you want to see, and how much data you wish to collect. Things to consider include: locations of NATs - do you want to see traffic before, or after NATing? firewalling - do you want to see traffic that gets through the firewall, or traffic that doesn't? router configuration - do you want flows between hosts on different subnets?
7 A warning about NATs even having flows from before and after NATing does not guarantee you can trace the source of a malicious flow If a single destination host has both malicious and non-malicious connections from behind the NAT, it may not be possible to distinguish these without logs of NAT translations Problem cases include IRCds, Virtual Hosted websites etc.
8 How much data Argus records can be compressed (using gzip) - our experience suggests this can cut the size requirements by a factor of 5-10 (or more in some cases, particularly for regular scanners, whose flows are highly repetitive). Data size will depend a lot on how many sources and how many flows you are recording - for our systems, based on a typical unit, this might be around MB/day, so storage for around 60 days might take 18GB
9 Understanding your data sources It's important to understand how various different types of packet flows are handled by your flow capturing devices. This depends on network configuration and on the equipment/protocol you are using to capture flows. For example a scan of unresponsive hosts may be recorded as INT, or as TIM/RST - this behaviour may make it easier or harder to distinguish successful connections from failed attempts
10 data sources (part 2) How do your capture devices cope if they receive too many flows to process? Do they sample the data - and if so, how? Do they stop passing packets (in the case of a router), or do they stop recording flows? Remember the point where you receive unexpectedly large numbers of flows is probably the point where you want to have all the flows, to work out why!
11 What can you do with the flows? Incident investigation - how did a machine get hacked, from where? Spotting malicious hosts, P2P, other rogue traffic Identifying hosts talking to known bad guys
12 Incident Investigation Starting point here is that we know that a particular machine has been compromised (possibly through other flow analysis, or possibly because we've been alerted to it from elsewhere) We want to know: - how was it compromised, and when - did the attackers get in anywhere else? - which remote hosts are taking part, so that we can identify other hosts affected
13 Spotting malicious traffic as it happens We've so far been looking at data that's been collected and archived. We can also analyse live data to identify unexpected traffic patterns such as scanners, P2P users, botnets etc. Older Argus versions (2.0.5) came with an example perl script to do this - you may wish to write your own as it hasn't been updated for a while
14 The aim is to import argus data as it is recorded and to look for patterns such as repeated connections out to different hosts on a single port (scanning), or huge numbers of inbound connections. The holy grail would be some way to track connection behaviour for hosts against their past traffic patterns, however I'm not aware of any such scripts for argus. You could also check the flows against a list of known bad hosts - or this could be done overnight
15 Use of Argus You can read and process Argus data in one of a number of ways: - Connections via a TCP socket - Reading flat files - Processing compressed and archived files
16 Argus tools Argus server (typically called argus) collects argus data from a mirrored port or a pcap file ra - Read Argus a tool to read argus data from a socket, file or netflow, this can be used for filtering and basic processing
17 racount - a simple tool to count total packets, and bytes from an argus file ranonymize - a tool to make data anonymous (ie replace IPs that might be identifiable) rastrip - remove certain data from argus files to make file sizes smaller (eg MAC addresses) rasplit - split argus file into smaller files based on number of entries
18 racluster - merge data based on certain criteria - this is useful for reporting, graphing, and many other tasks - understanding the basics of racluster is key to getting the most out of argus data ragraph - a perl script designed to graph argus data - we ll see this later
19 rasort - sort a list of flows ratop - show top traffic - useful for live traffic (similar to iftop, but lower overhead if you are already running argus) - you might wish to combine it with multitail for nicely coloured output. There are other tools included; these are the most common ones I use
20 Socket Based Argus Argus provides a socket based interface for reading live or near to live flow based data You can use this for live flow analysis, for example you might wish to identify when machines are connecting to a known malicious or forbidden site, or hosts generating certain traffic patterns
21 Processing Argus data from files There are command line argus tools that you can use to process argus data, and to extract the data you need We consider now a few common cases of data you may need
22 Extracting data for a particular host/port Often you will need to hunt for traffic flowing to/from a particular host to identify what traffic they have been generating. You may also need to know what traffic is flowing on a particular port: ra -nnr <file> - host <address>
23 The ra command is used for reading argus data. The arguments control whether IPs are resolved to hostnames (the first n suppresses this), whether port/protocol numbers are resolved to names (the second n suppresses this), and -r instructs ra to read from a file. The lone - indicates that the argus filter (tcpdump/BPF-style syntax) begins here: ra -nnr /var/log/argus.log - host <address> where host <address> instructs argus which host to look at
24 Alternatively, for a port: ra -nnr /var/log/argus.log - port 6667
25 Aggregating data Argus stores the full set of flows generated by a system. For some purposes you may get more useful information by aggregating data together Argus can produce results aggregated by number of flows and by traffic volumes
26 Examples (Based on Argus 3) Top talkers (well, actually, traffic total by IP): racluster -M rmon -m saddr -r inputfile Top talkers using port 22: ra -r inputfile -w - - port 22 | racluster -M rmon -m saddr -r -
27 If you store MAC addresses: racluster -M rmon -m smac -r inputfile Top ports in use: racluster -M rmon -m proto sport -r inputfile
28 Statistics by protocol: racluster -M rmon -m proto -r inputfile Traffic by host pairs: racluster -M matrix -r inputfile To convert to top N: racluster -M matrix -r inputfile -w - | rasort -m bytes -w - -r - | ra -N 10
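The summaries on slides 26-28 and the live pattern matching described on slides 13-14 are easy to reproduce outside racluster once ra output is parsed. The following is an added example, not code from the deck or from the Argus project: it reads comma-delimited ra output (as produced by `ra -nn -c , ...`, with ra's default column order), then computes per-address byte totals in the spirit of `racluster -M rmon -m saddr`, host-pair totals like `racluster -M matrix`, a scanner check (one source hitting many hosts on one port, split into answered and unanswered targets using the INT/TIM/RST states from slide 9), and a watchlist match. The sample records, the header label text, the watchlist addresses and the thresholds are all constructed for illustration.

```python
from collections import defaultdict, namedtuple

# Field order of ra's default output (stime flgs proto saddr sport dir daddr
# dport pkts bytes state), e.g. from: ra -nn -c , -r /var/log/argus.log
FIELDS = ("stime", "flgs", "proto", "saddr", "sport", "dir", "daddr",
          "dport", "pkts", "bytes", "state")
Flow = namedtuple("Flow", FIELDS)

# Constructed sample, not real OxCERT data: addresses are from the RFC 5737
# documentation ranges; the first line mimics ra's column-label line.
SAMPLE_RA_OUTPUT = """\
StartTime,Flags,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,TotPkts,TotBytes,State
09:00:01.000000, e ,tcp,192.0.2.10,51000, ->,198.51.100.5,22,12,1800,CON
09:00:05.000000, e ,tcp,192.0.2.10,51002, ->,198.51.100.5,22,20,2400,CON
09:00:09.000000, e ,tcp,192.0.2.10,51004, ->,198.51.100.7,443,310,52000,FIN
09:01:00.000000, e ,tcp,192.0.2.20,52000, ->,203.0.113.9,6667,9,900,CON
09:01:02.000000, e ,udp,192.0.2.20,53100, ->,203.0.113.53,53,1,120,INT
09:05:00.000000, e ,tcp,198.51.100.200,40000, ->,192.0.2.1,445,1,60,INT
09:05:00.100000, e ,tcp,198.51.100.200,40000, ->,192.0.2.2,445,1,60,INT
09:05:00.200000, e ,tcp,198.51.100.200,40000, ->,192.0.2.3,445,1,60,RST
09:05:00.300000, e ,tcp,198.51.100.200,40000, ->,192.0.2.4,445,1,60,INT
09:05:00.400000, e ,tcp,198.51.100.200,40000, ->,192.0.2.5,445,3,180,CON
09:05:00.500000, e ,tcp,198.51.100.200,40000, ->,192.0.2.6,445,1,60,TIM
09:05:00.600000, e ,tcp,198.51.100.200,40000, ->,192.0.2.7,445,1,60,INT
09:05:00.700000, e ,tcp,198.51.100.200,40000, ->,192.0.2.8,445,1,60,RST
"""

# States in which the remote end never completed the exchange; which of these
# a scan of dead hosts produces depends on where you capture (slide 9).
UNANSWERED = {"INT", "TIM", "RST", "REQ"}


def parse_ra(text):
    """Turn delimited ra output into Flow records, skipping label lines."""
    flows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(FIELDS) or not parts[0][:1].isdigit():
            continue  # blank line or the column-label line
        rec = dict(zip(FIELDS, parts))
        rec["pkts"], rec["bytes"] = int(rec["pkts"]), int(rec["bytes"])
        flows.append(Flow(**rec))
    return flows


def bytes_per_address(flows):
    """Like `racluster -M rmon -m saddr`: bytes per address, crediting both
    ends of each flow (ra's bytes column already counts both directions)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.saddr] += f.bytes
        totals[f.daddr] += f.bytes
    return dict(totals)


def host_pair_matrix(flows, n=10):
    """Like `racluster -M matrix ... | rasort -m bytes | ra -N n`:
    bytes per unordered host pair, largest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[tuple(sorted((f.saddr, f.daddr)))] += f.bytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def find_scanners(flows, min_targets=5):
    """Sources that touch many distinct hosts on one port. Targets are split
    into answered and unanswered so a real hit stands out among failures."""
    targets = defaultdict(dict)  # (saddr, dport) -> {daddr: completed?}
    for f in flows:
        key = (f.saddr, f.dport)
        completed = f.state not in UNANSWERED
        targets[key][f.daddr] = targets[key].get(f.daddr, False) or completed
    hits = []
    for (saddr, dport), seen in targets.items():
        if len(seen) >= min_targets:
            answered = sum(seen.values())
            hits.append({"saddr": saddr, "dport": dport, "targets": len(seen),
                         "answered": answered, "unanswered": len(seen) - answered})
    return sorted(hits, key=lambda h: h["targets"], reverse=True)


def flows_touching(flows, watchlist):
    """Flows with either end on a known-bad list (the check slide 14 suggests
    running live or overnight)."""
    return [f for f in flows if f.saddr in watchlist or f.daddr in watchlist]


if __name__ == "__main__":
    flows = parse_ra(SAMPLE_RA_OUTPUT)
    talkers = sorted(bytes_per_address(flows).items(), key=lambda kv: kv[1], reverse=True)
    print("top talkers:", talkers[:3])
    print("host pairs:", host_pair_matrix(flows, 3))
    for h in find_scanners(flows):
        print("scan: %(saddr)s hit %(targets)d hosts on port %(dport)s, "
              "%(answered)d answered" % h)
    for f in flows_touching(flows, {"203.0.113.9", "203.0.113.53"}):  # hypothetical watchlist
        print("watchlist hit:", f.saddr, "->", f.daddr, f.dport, f.state)
```

On real data the parser would be fed from `ra -nn -c , -r file` (or `-S host:port` for the live socket), and the scanner threshold wants tuning per site; the answered/unanswered split is what makes the single completed connection on port 445 in the sample worth a look, where a raw count of attempts would not.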
29 Traffic graphs Argus comes with some scripts designed to perform graphing functions Alternatively you can extract data and pass them to whatever graphing libraries you already use
30 ragraph a perl script supplied with Argus for aggregating data into a sensible format and then graphing it quite powerful, however be warned it can take lots of RAM - also there is often more than one way to get a particular graph, the earlier aggregation is performed the more efficient things will be
31 Simple examples: Traffic in a day ragraph bytes -M 30s -r /var/log/argus/argus.yesterday
32 Simple examples: Packets in a day ragraph pkts -M 30s -r /var/log/argus.yesterday
33 ragraph dbytes sbytes -M 30s -r /var/log/argus.yesterday
34 ragraph dbytes sbytes proto -fill -M 30s -r /var/log/argus.yesterday
35 Now lets go crazy: ragraph dbytes sbytes dport sport -fill -M 30s -r /var/log/argus.yesterday
36 Or perhaps not ragraph dbytes sbytes dport -fill -M 30s -r /var/log/argus.yesterday - dst port 80 or dst port 443 (note the filter must use or: no single flow has both destination ports, so and would match nothing)
37 Performance In the latter examples, we're not being very efficient - we can add the option -m proto dport to speed them up - this means the aggregation of the data happens initially, rather than when the data is passed to rrdtool
38 Malicious DNS (a case study) I'm sure lots of you have had notifications for hosts talking to malicious DNS servers - servers set up by malware authors to redirect legitimate sites to their own versions: malware, adverts, password stealing
39 Graphing traffic to the known malicious DNS servers is interesting:
41 The large spikes are noticeable, and correspond with malware setting up malicious DHCP servers Filtering by groups of DNS server is even more interesting:
42 We can start to suspect that the incidents are connected (especially when we take account of the timing of router blocks). In fact, we discover we can begin to see actual infected hosts, and collateral caused by the rogue DHCP server. This only becomes clear after the malware has been analysed
43 How are graphs useful? visualisation of traffic use at a particular point on your network - if you're capturing flows from routers/switches you may have visibility at several places what proportion of traffic at a particular point is from what class of user what protocols/ports are generating most of the traffic
44 can help your planning for capacity upgrades visual check for sudden unexpected surges you may find abusive users are very visible on certain graphs visualisations of incidents - can tell us something new
45 Argus and Perl You can easily automate lots of tasks with Argus Here I will look at a short simple alerting script to read live argus data and alert every 100 flows (this script is designed to be over simplified)
46
#!/usr/bin/perl
use strict;
use warnings;

# The slide elided the collector address; set this to your argus server.
my $argus_host = 'localhost:8887';

# -c , makes ra emit comma separated fields, -nn suppresses name lookups,
# -S reads from a running argus collector over its TCP socket.
open(my $ra, '-|', "/usr/bin/ra -c , -nn -S $argus_host")
    or die "Failed to start /usr/bin/ra: $!";
while (my $line = <$ra>) {
    chomp $line;
    next unless $line =~ /^\s*\d/;    # skip ra's column label line
    my ($time, $opts, $proto, $sip, $sport, $dir, $dip, $dport, $pkts, $bytes, $stat)
        = split(',', $line);
    # do something clever and interesting here
    print "received a flow from $sip:$sport going to $dip:$dport, $bytes bytes were transferred\n";
}
close($ra);
47 Perl (or other similar language) scripts that use argus are very helpful to automate repetitive or boring tasks You may wish to write scripts to output graphs, or to produce summaries, or determine flows with certain patterns (eg certain types of P2P traffic)
48 GUIs It can be helpful to use a GUI for some sorts of interactive analysis one of the great benefits of Argus in our opinion is the ability to easily combine interactive and automated analysis
49 The tool ArgusEye allows an Argus 3 user to use a graphical interface to process and filter argus data The interface is superficially like wireshark, however it is distinctly less powerful, and earlier in development The version on the web has some critical bugs - I have a version with some fixes (also to be sent upstream)
52 Argus Issues Data format issues in the older (2.x) Argus: its file format was designed for 32-bit platforms only - don't switch platform and expect data to be reliably readable, and don't use it on AMD64. For a new deployment you almost certainly want to use Argus 3 - the data files are much saner. IPv6?
53 Argus Issues (2) With large amounts of data, such as OxCERT's monitoring, processing the logs is slow. If we discover a new host we need to investigate, it could take minutes to get all the flows we need. Some data is commonly accessed for many types of incident
54 Use of a database We find it helpful to put some of our argus data into a relational database Tables can get quite large so being selective as to what is most useful is important We are using a system with Postgres as an SQL backend, with some perl/php scripts to import/extract data
55 Our model is to use one table per day Even with these restrictions expect large tables - We find 4-6GB to be typical (but only include certain data), yours will undoubtedly be smaller You may wish to consider removing UDP as it generates lots of noise We import data every 30 minutes (when we rotate argus data files), and index only when the day s table is filled (indexed on ip and port) if you wish to do daily reporting, you can do it once the indexes are built
56 Once indexed tables exist you can extract other data and do other analysis eg. packet counts, volumes per IP you may wish to store this data in your database for longer than the full flow data graphing, trend analysis etc. (we will post notes about this on the web)
57 In fact, the Argus developers have been working on SQL support. Initial code was released in early March 2009 Their code deals with some potential issues with ICMP flows (which we ve never dealt with in our DB) Their code currently targets MySQL however in either case the benefits of using a database should be similar
58 Other potentially useful Argus related tools/features Flowscan - can produce graphs from various types of network flow sources. Reportedly supports Argus GeoIP/AS based matching - new in Argus 3.0.2
59 Conclusions Network flow analysis is useful for both security and other purposes Argus can help capture, collate and process flow data For large volumes of data you may find storing your data in a database improves performance
60 Questions? Thanks to: Robin Stevens (OUCS, OxCERT) Jonathan Ashton (OUCS, OxCERT) Oliver Gorwits (OUCS) Patrick Green (Warwick)
Scrutinizer Competitor Worksheet Scrutinizer Malware Incident Response Scrutinizer is a massively scalable, distributed flow collection system that provides a single interface for all traffic related to
More informationFlow Analysis Versus Packet Analysis. What Should You Choose?
Flow Analysis Versus Packet Analysis. What Should You Choose? www.netfort.com Flow analysis can help to determine traffic statistics overall, but it falls short when you need to analyse a specific conversation
More informationAgenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka
Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques
More informationConfiguring Logging. Information About Logging CHAPTER
52 CHAPTER This chapter describes how to configure and manage logs for the ASASM/ASASM and includes the following sections: Information About Logging, page 52-1 Licensing Requirements for Logging, page
More informationWireshark Developer and User Conference
Wireshark Developer and User Conference Using NetFlow to Analyze Your Network June 15 th, 2011 Christopher J. White Manager Applica6ons and Analy6cs, Cascade Riverbed Technology cwhite@riverbed.com SHARKFEST
More informationNetwork Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)
Network Security ICMP, TCP, DNS, Scanning Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT) Agenda A couple of examples of network protocols that
More informationAlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide
AlienVault Unified Security Management (USM) 4.x-5.x Deployment Planning Guide USM 4.x-5.x Deployment Planning Guide, rev. 1 Copyright AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,
More informationAn overview of traffic analysis using NetFlow
The LOBSTER project An overview of traffic analysis using NetFlow Arne Øslebø UNINETT Arne.Oslebo@uninett.no 1 Outline What is Netflow? Available tools Collecting Processing Detailed analysis security
More informationTable of Contents. Cisco Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others
Cisco IOS Firewall to Allow Java Applets From Known Sites w Table of Contents Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others...1 Introduction...1 To Deny Java
More informationCS 356 Lecture 16 Denial of Service. Spring 2013
CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter
More informationNetwork Monitoring and Management NetFlow Overview
Network Monitoring and Management NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)
More informationWhen Recognition Matters THE COMPARISON OF PROGRAMS FOR NETWORK MONITORING. www.pecb.com
When Recognition Matters THE COMPARISON OF PROGRAMS FOR NETWORK MONITORING www.pecb.com Imagine a working environment comprised of a number of switches, routers, some terminals and file servers. Network
More informationPLUMgrid Toolbox: Tools to Install, Operate and Monitor Your Virtual Network Infrastructure
Toolbox: Tools to Install, Operate and Monitor Your Virtual Network Infrastructure Introduction The concept of Virtual Networking Infrastructure (VNI) is disrupting the networking space and is enabling
More informationNetwork Agent Quick Start
Network Agent Quick Start Topic 50500 Network Agent Quick Start Updated 17-Sep-2013 Applies To: Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere, v7.7 and 7.8 Websense
More informationUltraFlow -Cisco Netflow tools-
UltraFlow UltraFlow is an application for collecting and analysing Cisco Netflow data. It is written in Python, wxpython, Matplotlib, SQLite and the Python based Twisted network programming framework.
More informationLog Management with Open-Source Tools. Risto Vaarandi SEB Estonia
Log Management with Open-Source Tools Risto Vaarandi SEB Estonia Outline Why use open source tools for log management? Widely used logging protocols and recently introduced new standards Open-source syslog
More informationScalable Extraction, Aggregation, and Response to Network Intelligence
Scalable Extraction, Aggregation, and Response to Network Intelligence Agenda Explain the two major limitations of using Netflow for Network Monitoring Scalability and Visibility How to resolve these issues
More information1. Whatdo you use? 2. Speed Tests?
Session Title: Network Traffic Analysis -- It's not just for fun anymore. Session Type: 50 Min. Breakout Session Presentation Day: Tuesday, February 11 Network Traffic Analysis It s not just for fun anymore.
More informationIP addressing and forwarding Network layer
The Internet Network layer Host, router network layer functions: IP addressing and forwarding Network layer Routing protocols path selection RIP, OSPF, BGP Transport layer: TCP, UDP forwarding table IP
More informationFirewall implementation and testing
Firewall implementation and testing Patrik Ragnarsson, Niclas Gustafsson E-mail: ragpa737@student.liu.se, nicgu594@student.liu.se Supervisor: David Byers, davby@ida.liu.se Project Report for Information
More informationMissing the Obvious: Network Security Monitoring for ICS
Missing the Obvious: Network Security Monitoring for ICS If ICS are so vulnerable, why haven t we seen more attacks? We aren t looking! Two Key Reasons Intent Visibility Intent Why are targeted attacks
More informationBest of Breed of an ITIL based IT Monitoring. The System Management strategy of NetEye
Best of Breed of an ITIL based IT Monitoring The System Management strategy of NetEye by Georg Kostner 5/11/2012 1 IT Services and IT Service Management IT Services means provisioning of added value for
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
More informationCIT 480: Securing Computer Systems. Firewalls
CIT 480: Securing Computer Systems Firewalls Topics 1. What is a firewall? 2. Types of Firewalls 1. Packet filters (stateless) 2. Stateful firewalls 3. Proxy servers 4. Application layer firewalls 3. Configuring
More informationPacket filtering and other firewall functions
Packet filtering and other firewall functions Martin Krammer mk@sbox.tugraz.at Martin Krammer Graz, May 25, 2007 1 Overview Firewalls Principles Architectures Security aspects Packet filtering Principles
More informationThe Advantages of a Firewall Over an Interafer
FIREWALLS VIEWPOINT 02/2006 31 MARCH 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre for the Protection
More informationChapter 4 Customizing Your Network Settings
Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the RangeMax Dual Band Wireless-N Router WNDR3300, including LAN, WAN, and routing settings.
More informationMake a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.
CMSC 355 Lab 3 : Penetration Testing Tools Due: September 31, 2010 In the previous lab, we used some basic system administration tools to figure out which programs where running on a system and which files
More informationNetwork Traffic Evolution. Prof. Anja Feldmann, Ph.D. Dr. Steve Uhlig
Network Traffic Evolution Prof. Anja Feldmann, Ph.D. Dr. Steve Uhlig 1 Example trace Name port % bytes % packets bytes per packet world-wide-web 80???????????? netnews 119???????????? pop-3 mail 110????????????...
More informationSolarWinds Log & Event Manager
Corona Technical Services SolarWinds Log & Event Manager Training Project/Implementation Outline James Kluza 14 Table of Contents Overview... 3 Example Project Schedule... 3 Pre-engagement Checklist...
More informationHow to Secure RHEL 6.2 Part 2
How to Secure RHEL 6.2 Part 2 Motivation This paper is part of a multi-part series on securing Redhat Enterprise Linux 6.2. This paper focuses on implementing IPtables as a host based firewall. If you
More informationLog files management. Katarzyna KAPUSTA
Log files management Katarzyna KAPUSTA CERN openlab 07 September 2012 CERN openlab otn-2012-01 openlab Summer Student Report Log files management Katarzyna KAPUSTA Giacomo TENAGLIA 07 September 2012 Version
More informationManuale Turtle Firewall
Manuale Turtle Firewall Andrea Frigido Friweb snc Translator: Emanuele Tatti Manuale Turtle Firewall by Andrea Frigido Translator: Emanuele Tatti Published 2002 Copyright 2002, 2003 by Friweb snc, Andrea
More information