NetFlow Security Monitoring with Cisco Threat Defense Matthew Robertson, Security Technical Marketing Engineer BRKSEC-2073
3 The world is full of obvious things which nobody by any chance observes. Sherlock Holmes, The Hound of the Baskervilles
4 Evolution of Cyber Conflict
Attacks:
  Manual Attacks (1980s): War Dialing, Phone Phreaking
  Mechanized Attacks (1988): Viruses, Worms
  Talented Human / Mechanized Attackers (2009): APT, Multi-Step Attacks (Google, RSA)
  DIY Human / Mechanized Attackers (2011): Cryptocurrency Ransoms, Store-bought Credentials... (Target, Neiman Marcus)
Defenses:
  Manual Defenses: Unplug
  Mechanized Defenses: Firewall, IDS/IPS
  Targeted Human/Mechanized Defenders: Reputation, App-aware Firewall
  Intelligence Driven Human Defenders
5 Agenda: Introduction; Understanding the Landscape; Introduction to NetFlow; Adding Context; Flow Collection; Flow Export Design and Deployment; Working with NetFlow; Discovery; Identifying IOCs; Responding; Summary
6 About this session ecurity/cybersecurity/scyber_exam
7 About the Speaker: Matthew Robertson, Security Technical Marketing Engineer, Partner Product Team. Development and Technical Marketing, focused on advanced threat detection. Author of 3 CVDs. I am Canadian!
8 Thinking Beyond the Perimeter Allen Pace Dunbar Armored Facility Robbery: $18M
9 Case Study: Retailer
10 What do these stories have in common? The Insider Threat
11 Three Kinds of Insider Threats Negligent Insiders: Employees who accidentally expose data Malicious Insiders: Employees who intentionally expose data Compromised Insiders: Employees whose access credentials or devices have been compromised by an outside attacker
12 Managing the Insider Threat Data
13 Managing the Insider Threat Access Controls Control who and what is on the network Segmentation Define what they can do SGT
14 Managing the Insider Threat Control movement of malicious content through inspection points Content Controls Deep contextual visibility at inspection points
15 Once the walls are built monitor for security visibility
16 Agenda Introduction Understanding the Landscape Introduction to NetFlow
17 NetFlow. Diagram of a flow between a client and a server on port 80 crossing interfaces eth0/1 and eth0/2, with the exported records laid out in a table with the columns Start Time, Interface, Src IP, Src Port, Dest IP, Dest Port, Proto, Pkts Sent, Bytes Sent, SGT, DGT, TCP Flags. Two rows are shown, both starting at 10:20 over TCP: one on eth0/1 with flags SYN,ACK,PSH and one on eth0/2 with flags SYN,ACK,FIN (the address and counter values are not present in the transcript).
18 NetFlow = Visibility. A single NetFlow record provides a wealth of information:
Router# show flow monitor CYBER-MONITOR cache
  IPV4 SOURCE ADDRESS:
  IPV4 DESTINATION ADDRESS:
  TRNS SOURCE PORT:
  TRNS DESTINATION PORT: 443
  INTERFACE INPUT: Gi0/0/0
  FLOW CTS SOURCE GROUP TAG: 100
  FLOW CTS DESTINATION GROUP TAG: 1010
  IP TOS: 0x00
  IP PROTOCOL: 6
  ipv4 next hop address:
  tcp flags: 0x1A
  interface output: Gi0/1.20
  counter bytes: 1482
  counter packets: 23
  timestamp first: 12:33:
  timestamp last: 12:33:
  ip dscp: 0x00
  ip ttl min: 127
  ip ttl max: 127
  application name: nbar secure-http
(The address and timestamp values are not present in the transcript.)
19 NetFlow Analysis can help: Discovery Identify business critical applications and services across the network Identify additional IOCs Policy & Segmentation Network Behaviour & Anomaly Detection (NBAD) Better understand / respond to an IOC: Audit trail of all host-to-host communication
20 Agenda Introduction Understanding the Landscape Introduction to NetFlow Flow Export Design and Deployment
21 NetFlow Deployment Architecture Management/Reporting Layer: Run queries on flow data Centralize management and reporting Flow Collection Layer: Collection, storage and analysis of flow records NetFlow Flow Exporting Layer: Enables telemetry export As close to the traffic source as possible
22 Considerations: Flow Exporting Layer 1. NetFlow support 2. Which version of NetFlow to use 3. How to configure/what to measure 4. Where in the network to enable NetFlow export
23 Cisco NetFlow Support Cisco 2800 Cisco 7200 VXR Cisco 2900 Cisco Catalyst 6500 Cisco 3560/3750-X/3850 Cisco NGA Cisco Nexus 1000v Cisco 1700 Cisco Catalyst 4500 Cisco ISR G2 Cisco XR Cisco 7600 Hardware Supported Cisco Nexus 7000 Cisco ASR Cisco ASA
24 NetFlow Version 5 Fixed format
25 Versions of NetFlow
V5
  Major advantage: Defines 18 exported fields; simple and compact format; most commonly used format
  Limits/weaknesses: IPv4 only; fixed fields, fixed-length fields only; single flow cache
V9
  Major advantage: Template-based; IPv6 flows transported in IPv4 packets; MPLS and BGP next hop supported; defines 104 fields, including L2 fields; reports flow direction
  Limits/weaknesses: IPv6 flows transported in IPv4 packets; fixed-length fields only; uses more memory; slower performance; single flow cache
Flexible NetFlow (FNF)
  Major advantage: Template-based flow format (built on the V9 protocol); supports flow monitors (discrete caches); supports selectable key fields and IPv6; supports NBAR data fields
  Limits/weaknesses: Less common; requires a more sophisticated platform to produce; requires a more sophisticated system to consume
IP Flow Information Export (IPFIX), AKA NetFlow V10
  Major advantage: Standardized (RFC 5101, 5102, 6313); supports variable-length fields and NBAR2; can export flows via IPv4 and IPv6 packets
  Limits/weaknesses: Even less common; only supported on a few Cisco platforms
NSEL (ASA only)
  Major advantage: Built on the NetFlow v9 protocol; state-based flow logging (context); pre- and post-NAT reporting
  Limits/weaknesses: Missing many standard fields; limited support by collectors
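Slide 24 describes v5 as a fixed format, and the table above lists its 18 fixed fields as both its main advantage (simple, compact) and its main limit (no templates, IPv4 only). The parser below is an added example, not code from the session or from Cisco or Lancope: it decodes a v5 export datagram from the 24-byte header and 48-byte records using Python's struct module, rejects datagrams that are not v5, over-long or truncated, and decodes the cumulative TCP flag byte the way slide 17 shows it (0x1A is SYN,ACK,PSH). The sample datagram is constructed in the block itself with documentation-range addresses; its counters and flag value echo the cache entry on slide 18.

```python
import struct
import ipaddress
from typing import Dict, List

# NetFlow v5 is a fixed-format export: a 24-byte header followed by up to 30
# fixed 48-byte flow records. The field order below follows Cisco's published
# v5 layout; all integers are big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30

HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")

TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def tcp_flags_to_str(flags: int) -> str:
    """Decode the cumulative TCP flag byte of a flow record, e.g. 0x1A -> SYN,PSH,ACK."""
    return ",".join(name for name, bit in TCP_FLAG_BITS if flags & bit)


def parse_v5(packet: bytes) -> Dict:
    """Parse one v5 export datagram; reject anything that is not well-formed v5."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    hdr = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(packet, 0)))
    if hdr["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version={hdr['version']})")
    if hdr["count"] > V5_MAX_RECORDS:
        raise ValueError(f"count {hdr['count']} exceeds the v5 maximum of {V5_MAX_RECORDS}")
    needed = V5_HEADER.size + hdr["count"] * V5_RECORD.size
    if len(packet) < needed:
        raise ValueError(f"datagram truncated: {len(packet)} of {needed} bytes")
    records: List[Dict] = []
    for i in range(hdr["count"]):
        offset = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(packet, offset)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = str(ipaddress.IPv4Address(rec[key]))
        rec["flags"] = tcp_flags_to_str(rec["tcp_flags"]) if rec["prot"] == 6 else ""
        records.append(rec)
    hdr["records"] = records
    return hdr


def build_v5_packet(flows: List[Dict], sys_uptime: int = 0, unix_secs: int = 0,
                    sequence: int = 0) -> bytes:
    """Encode simple flow dicts as a v5 datagram (used here only to construct test input)."""
    body = b"".join(
        V5_RECORD.pack(
            ipaddress.IPv4Address(f["src"]).packed,
            ipaddress.IPv4Address(f["dst"]).packed,
            ipaddress.IPv4Address("0.0.0.0").packed,   # next hop: not modelled here
            f.get("input", 0), f.get("output", 0),
            f["pkts"], f["bytes"], f["first"], f["last"],
            f["sport"], f["dport"],
            0, f["flags"], f["proto"], 0,                # pad1, tcp_flags, prot, tos
            0, 0, 0, 0, 0)                               # src_as, dst_as, masks, pad2
        for f in flows)
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, sequence, 0, 0, 0)
    return header + body


# Constructed sample: one HTTPS session (the byte and packet counts and the
# flag value 0x1A echo the cache entry on slide 18) plus its reverse direction.
SAMPLE_FLOWS = [
    {"src": "10.1.1.5", "sport": 51000, "dst": "203.0.113.10", "dport": 443,
     "proto": 6, "flags": 0x1A, "pkts": 23, "bytes": 1482, "first": 1000, "last": 1900},
    {"src": "203.0.113.10", "sport": 443, "dst": "10.1.1.5", "dport": 51000,
     "proto": 6, "flags": 0x1A, "pkts": 20, "bytes": 9000, "first": 1010, "last": 1900},
]


def parse_sample() -> Dict:
    return parse_v5(build_v5_packet(SAMPLE_FLOWS, sys_uptime=2000, unix_secs=1433764800))


if __name__ == "__main__":
    for r in parse_sample()["records"]:
        print(f"{r['srcaddr']}:{r['srcport']} -> {r['dstaddr']}:{r['dstport']} "
              f"proto={r['prot']} pkts={r['dPkts']} bytes={r['dOctets']} flags={r['flags']}")
```

The length checks matter on a collector: a v5 exporter never sends more than 30 records per datagram, so a larger count or a body shorter than count times 48 bytes is either corruption or a different protocol on the same UDP port and should be dropped rather than partially decoded.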
26 Configuring Flexible NetFlow
1. Configure the Exporter (where do I want my data sent?)
   Router(config)# flow exporter my-exporter
   Router(config-flow-exporter)# destination <collector-ip-address>
2. Configure the Flow Record (what data do I want to meter?)
   Router(config)# flow record my-record
   Router(config-flow-record)# match ipv4 destination address
   Router(config-flow-record)# match ipv4 source address
   Router(config-flow-record)# collect counter bytes
3. Configure the Flow Monitor (how do I want to cache information?)
   Router(config)# flow monitor my-monitor
   Router(config-flow-monitor)# exporter my-exporter
   Router(config-flow-monitor)# record my-record
4. Apply to an Interface (which interface do I want to monitor?)
   Router(config)# interface s3/0
   Router(config-if)# ip flow monitor my-monitor input
Best Practice: include all v5 fields
27 NetFlow Deployment Each network layer offers unique NetFlow capabilities Access Distribution & Core Edge Catalyst 3560/3750-X ISR Catalyst 4500 Catalyst 4500 ASA Catalyst 3650/3850 Catalyst 6500 ASR
28 NetFlow Deployment: Access (Catalyst 3560/3750-X, Catalyst 4500, Catalyst 3650/3850)
  Access is the new network edge
  Detect threats as they enter the network
  Detect threats inside the switch: east-west Layer 2 traffic
  Fewer false positives; higher-granular visibility
  Identify the endpoint: collect the MAC address
29 Catalyst 3560-X / 3750-X Flow Record
!
flow record CYBER_3KX_FLOW_RECORD
 match datalink mac source-address
 match datalink mac destination-address
 match datalink mac source-vlan-id
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input snmp
 collect interface output snmp
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
30 Catalyst 4500 Flow Record
!
flow record cts-cyber-4k
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 collect flow cts source group-tag
 collect flow cts destination group-tag
 collect flow cts switch derived-sgt
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
31 NetFlow Deployment - Converged Access Converged Access: NetFlow for the first time on Wireless Visibility in BYOD environments Consistent configuration for wired and wireless Single flow monitor can be applied to wired ports and SSID Natively available in the UADP ASIC Can monitor East-West and North-South flows 48k flows on the 48 port model
32 Considerations: 3850
Ingress:
  SGT sources: derived from the packet header
  DGT sources: derived from a destination IP lookup; SGACL enforcement must be enabled; trunk link only
Egress:
  SGT sources: incoming packet header; port-configured SGT; IP-to-SGT mapping
  DGT sources: derived from a destination IP lookup; requires SGACL enforcement to be enabled; trunk link only
Configuration:
!
flow monitor cts-cyber-monitor-in
 exporter StealthWatch-FC
 cache timeout active 60
 record cts-cyber-3k-in
!
!
flow monitor cts-cyber-monitor-out
 exporter StealthWatch-FC
 cache timeout active 60
 record cts-cyber-3k-out
!
interface GigabitEthernet1/0/1
 ip flow monitor cts-cyber-monitor-in input
 ip flow monitor cts-cyber-monitor-out output
!
vlan configuration 100
 ip flow monitor cts-cyber-monitor-in input
 ip flow monitor cts-cyber-monitor-out output
!
33 Catalyst 3850/3650 Flow Record
!
flow record cts-cyber-3k-in
 match datalink mac source address input
 match datalink mac destination address input
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow record cts-cyber-3k-out
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
34 NetFlow Deployment: Distribution & Core (Catalyst 4500, Catalyst 6500)
  Traditional deployment; the minimal recommended deployment
  Enable at critical points/bottlenecks, typically on a Layer 3 boundary
  Detect threats internal to the VLAN when deployed on an SVI interface
  Detect threats as they traverse the internal network (move between subnets)
35 Catalyst 6500 (Sup 2T) Flow Record
!
flow record cts-cyber-6k
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow cts source group-tag
 match flow cts destination group-tag
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
36 NetFlow Deployment: Edge (ISR, ASR, ASA)
  Detect threats as they enter and leave the network
  Monitor communication between branches
  Gain context from edge devices: application (NBAR); events, NAT & User-ID (NSEL)
37 NetFlow Deployment: Edge with ASA
NetFlow Security Event Logging (NSEL):
  Provides visualization into policy enforcement points
  Monitor communication between branches
  Efficient event reporting mechanism:
    Syslog: verbose, text based, single event per packet, ~30% processing overhead
    NetFlow: compact, binary, multiple events per packet, ~7-10% processing overhead
  Context rich:
    Event driven: flow created, denied, tear-down
    Network Address Translations
    User-ID
38 ISR Flow Record
!
flow record cts-cyber-ipv4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name   ! Enable NBAR for this field
!
39 ASA NSEL Configuration
!
flow-export destination management <ip-address> 2055
!
policy-map global_policy
 class class-default
  flow-export event-type all destination <ip-address>
!
flow-export template timeout-rate 2
logging flow-export syslogs disable
!
40 Flow Monitor Configuration
!
flow monitor CYBER_MONITOR
 exporter CYBER_EXPORTER
 cache timeout active 60
 cache timeout inactive 15
 record CYBER_RECORD
!
Inactive Timeout: how long a flow can be inactive before being removed from the cache. Recommended 15 seconds; all exporters should have the same timeout.
Active Timeout: the longest amount of time a flow can be in the cache without exporting a flow record. Recommended 60 seconds; all exporters should have the same timeout.
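The two timeouts on slide 40 decide how a long-lived connection appears at the collector: the active timeout slices it into one record per 60 seconds, and the inactive timeout flushes an idle flow 15 seconds after its last packet. The flow cache below is an added example written for this page, not an implementation from Cisco IOS or from the session; it models only those two timers over a 5-tuple key and replays constructed traffic (one flow sending a packet every 5 seconds for 130 seconds, and one 3-packet burst that then goes quiet) so the resulting records can be inspected.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Flow key used by the cache: the classic 5-tuple of "match" fields.
FlowKey = Tuple[str, int, str, int, int]  # src ip, src port, dst ip, dst port, protocol


@dataclass
class CacheEntry:
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


@dataclass
class FlowCache:
    """Toy exporter cache applying the two timeouts recommended on slide 40."""
    active_timeout: float = 60.0    # longest a flow may sit in cache before a record is exported
    inactive_timeout: float = 15.0  # idle time after which the flow is flushed
    entries: Dict[FlowKey, CacheEntry] = field(default_factory=dict)
    exported: List[Dict] = field(default_factory=list)

    def observe(self, now: float, key: FlowKey, octets: int) -> None:
        """Account one packet. Expiry runs first so an idle flow is flushed before
        the arriving packet can be attributed to a stale entry."""
        self.expire(now)
        entry = self.entries.get(key)
        if entry is None:
            entry = self.entries[key] = CacheEntry(first_seen=now, last_seen=now)
        entry.last_seen = now
        entry.packets += 1
        entry.octets += octets

    def expire(self, now: float) -> None:
        """Export and drop every entry whose inactive or active timer has elapsed."""
        for key, entry in list(self.entries.items()):
            if now - entry.last_seen >= self.inactive_timeout:
                reason = "inactive"
            elif now - entry.first_seen >= self.active_timeout:
                reason = "active"
            else:
                continue
            self.exported.append({"key": key, "first": entry.first_seen,
                                  "last": entry.last_seen, "packets": entry.packets,
                                  "octets": entry.octets, "reason": reason})
            del self.entries[key]


def simulate() -> List[Dict]:
    """Constructed traffic: one long-lived flow (a 100-byte packet every 5 s for
    130 s) and one short burst that then goes idle. Returns the exported records."""
    cache = FlowCache()
    long_lived: FlowKey = ("10.1.1.5", 51000, "203.0.113.10", 443, 6)
    short_burst: FlowKey = ("10.1.1.7", 51001, "203.0.113.10", 80, 6)
    events = [(t, long_lived) for t in range(0, 131, 5)] + [(t, short_burst) for t in (3, 4, 5)]
    for t, key in sorted(events, key=lambda e: e[0]):
        cache.observe(float(t), key, 100)
    cache.expire(now=200.0)   # final sweep once everything has gone quiet
    return cache.exported


if __name__ == "__main__":
    for rec in simulate():
        print(f"{rec['key'][0]} {rec['first']:>6.1f}-{rec['last']:>6.1f} "
              f"pkts={rec['packets']} octets={rec['octets']} ({rec['reason']})")
```

Run against the constructed traffic, the burst is exported once as "inactive" and the long-lived flow becomes three records (two "active" slices of 60 seconds and a final "inactive" tail); the collector has to re-join those slices into one conversation, which is why every exporter on a path should use the same timers.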
41 Aside: Myths about NetFlow Generation Myth #1: NetFlow impacts performance Hardware implemented NetFlow has no performance impact Software implementation is typically significantly <15% processing overhead Myth #2: NetFlow has bandwidth overhead NetFlow is a summary protocol Traffic overhead is typically significantly <1% of total traffic per exporting device
42 Agenda Introduction Understanding the Landscape Introduction to NetFlow Flow Collection Flow Export Design and Deployment
43 Components for NetFlow Security Monitoring
  StealthWatch Management Console: management and reporting; up to 25 FlowCollectors; up to 6 million fps globally
  StealthWatch FlowCollector: collect and analyze; up to 2000 sources; up to a sustained 240,000 fps
  UDP Director: UDP packet copier; forward to multiple collection systems
  StealthWatch FlowSensor (VE): generate NetFlow data; additional contextual fields (e.g. App, URL, SRT, RTT)
  NetFlow from the Cisco network
  Best Practice: centralize collection globally
44 NetFlow Collection: Flow Stitching. Uni-directional flow records, one per direction as seen on eth0/1 and eth0/2 (columns: Start Time, Interface, Src IP, Src Port, Dest IP, Dest Port, Proto, Pkts Sent, Bytes Sent, SGT, DGT), are combined into one bi-directional conversation flow record (columns: Start Time, Client IP, Client Port, Server IP, Server Port, Proto, Client Bytes, Client Pkts, Server Bytes, Server Pkts, Client SGT, Server SGT, Interfaces). In the example the client uses port 1024 and the server port 80 over TCP starting at 10:20, and the conversation record lists interfaces eth0/1 and eth0/2. Bi-directional conversation records allow easy visualization and analysis.
45 NetFlow Collection: De-duplication. The same conversation (client port 1024 to server port 80, TCP, HTTP, starting 10:20) is seen by several exporters along its path through Sw1, Sw2, the ASA and Sw3: Sw1 (eth0 in, eth1 out), Sw2 (eth0 in, eth1 out), ASA (eth1 in; eth0 out, Permitted), then on the return path ASA (eth0 in, Permitted; eth1 out), Sw3 (eth1 in, eth0 out) and Sw1 (eth1 in, eth0 out). The collector keeps one conversation record (Client IP, Client Port, Server IP, Server Port, Proto, Client Bytes, Client Pkts, Server Bytes, Server Pkts, App, Client SGT, Server SGT) and attaches each Exporter, Interface, Direction and Action observation to it rather than counting the traffic once per exporter.
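Slides 44 and 45 describe two collector-side steps: stitching the two uni-directional records of a connection into one client/server conversation, and de-duplicating the copies of that conversation reported by every exporter on its path. The block below is an added example, not FlowCollector code or anything from Lancope or Cisco; it orients records with a simple heuristic (the lower-numbered port is the service side, which is an assumption and not how the product decides client and server), keeps each side's counters once rather than once per exporter, and records the exporter path as the list of Exporter, Interface, Direction and Action observations shown on slide 45. The input records are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ConvKey = Tuple[str, int, str, int, int]  # client ip, client port, server ip, server port, proto


@dataclass
class UniFlow:
    """One uni-directional record as exported by a switch, router or ASA (NSEL)."""
    exporter: str
    interface: str
    direction: str          # "in" or "out" on that interface
    start: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    pkts: int
    octets: int
    action: str = ""        # NSEL only: "Permitted" / "Denied"


@dataclass
class Conversation:
    """Bi-directional conversation record with the exporter path attached."""
    start: str
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proto: int
    client_pkts: int = 0
    client_octets: int = 0
    server_pkts: int = 0
    server_octets: int = 0
    exporters: List[str] = field(default_factory=list)


def conversation_key(f: UniFlow) -> Tuple[ConvKey, str]:
    """Orient a record. Heuristic (an assumption of this example): the lower-numbered
    port is the service side, so the other end is the client. Returns the conversation
    key and which side sent this record."""
    if f.src_port < f.dst_port:
        return (f.dst_ip, f.dst_port, f.src_ip, f.src_port, f.proto), "server"
    return (f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.proto), "client"


def stitch(flows: List[UniFlow]) -> Dict[ConvKey, Conversation]:
    convs: Dict[ConvKey, Conversation] = {}
    counted: Dict[Tuple[ConvKey, str], Tuple[int, int]] = {}
    for f in flows:
        key, side = conversation_key(f)
        conv = convs.get(key)
        if conv is None:
            conv = convs[key] = Conversation(f.start, *key)
        conv.start = min(conv.start, f.start)
        hop = f"{f.exporter}, {f.interface}, {f.direction}"
        if f.action:
            hop += f", {f.action}"
        if hop not in conv.exporters:
            conv.exporters.append(hop)
        # De-duplication: every exporter on the path reports the same packets, so a
        # side's counters are taken once (the largest observation), never summed per exporter.
        pkts, octets = counted.get((key, side), (0, 0))
        pkts, octets = max(pkts, f.pkts), max(octets, f.octets)
        counted[(key, side)] = (pkts, octets)
        if side == "client":
            conv.client_pkts, conv.client_octets = pkts, octets
        else:
            conv.server_pkts, conv.server_octets = pkts, octets
    return convs


def sample_flows() -> List[UniFlow]:
    """Constructed records: one HTTP conversation seen on Sw1 and the ASA in both
    directions (the exporter path of slide 45, shortened), plus an unrelated DNS query."""
    c2s = dict(start="10:20:01", src_ip="10.1.1.5", src_port=1024, dst_ip="198.51.100.20",
               dst_port=80, proto=6, pkts=8, octets=1200)
    s2c = dict(start="10:20:01", src_ip="198.51.100.20", src_port=80, dst_ip="10.1.1.5",
               dst_port=1024, proto=6, pkts=6, octets=4800)
    return [
        UniFlow("Sw1", "eth0", "in", **c2s),
        UniFlow("Sw1", "eth1", "out", **c2s),
        UniFlow("ASA", "eth1", "in", **c2s),
        UniFlow("ASA", "eth0", "out", action="Permitted", **c2s),
        UniFlow("ASA", "eth0", "in", action="Permitted", **s2c),
        UniFlow("ASA", "eth1", "out", **s2c),
        UniFlow("Sw1", "eth1", "in", **s2c),
        UniFlow("Sw1", "eth0", "out", **s2c),
        UniFlow("Sw1", "eth0", "in", start="10:20:03", src_ip="10.1.1.9", src_port=40000,
                dst_ip="10.1.1.53", dst_port=53, proto=17, pkts=1, octets=70),
    ]


if __name__ == "__main__":
    for conv in stitch(sample_flows()).values():
        print(conv)
```

Without the de-duplication step the HTTP client side would be credited with 4800 bytes (four exporters times 1200), which is exactly the inflation that makes per-host volume baselines and data-hoarding alarms unreliable.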
46 Conversational Flow Record Who What Who When Where How More context Highly scalable (enterprise class) collection High compression => long term storage Months of data retention
47 Conversational Flow Record: Exporters Path the flow is taking through the network
48 Agenda Introduction The Insider Threat Concepts and Attribution Adding Context Flow Collection Flow Export NetFlow Design and Deployment
49 Context is Critical
50 Host Groups: Applied Situational Awareness Virtual container of multiple IP Addresses/ranges that have similar attributes Lab servers Best Practice: classify all known IP Addresses in one or more host groups
51 ISE as a Telemetry Source. Monitor Mode (open mode, multi-auth): unobstructed access, no impact on productivity, profiling and posture assessment, gain visibility. Cisco ISE sends its authenticated session table to the StealthWatch Management Console via syslog; the SMC maintains a historical session table, correlates NetFlow to username, and builds user-centric reports.
52 Configuration: Logging on ISE. 1. Create a Remote Logging Target on ISE. 2. Add the target to the logging categories. Required logging categories: Passed Authentications; RADIUS Accounting; Profiler; Administrative and Operational Audit.
53 Configuration: Add ISE to SMC 1. (Not Shown) Create Admin User on ISE 2. (Not Shown) Configure ISE or CA certificate on SMC 3. Add Cisco ISE nodes to SMC Configuration
54 Global Intelligence Known C&C Servers Tor Entrance and Exits
55 Conversational Flow Record NBAR Geo-IP mapping ISE Telemetry Applied situational awareness Threat feed FlowSensor
56 Agenda Introduction The Insider Threat Concepts and Attribution Adding Context Flow Collection Flow Export NetFlow Design and Deployment Working with NetFlow
57 Agenda Introduction The Insider Threat Concepts and Attribution Adding Context Flow Collection Flow Export NetFlow Design and Deployment Working with NetFlow Discovery
58 There is nothing like first hand evidence. Sherlock Holmes, A Study in Scarlet
59 Flow Query Basics The Flow Table Filter Filter conditions Details More details
60 Flow Query Basics - Filtering Select host to investigate All flows in which this host was a client or server
61 Flow Query Basics - Filtering All flows for in the last hour
62 Flow Table: Visibility across NAT User Inside local Outside global Server
63 Host Groups Application Report Applications inbound Applications outbound
64 Host Groups Targeted Reporting Geo-IP-based Host Group Summary chart of traffic inbound and outbound from this Host Group
65 Host Groups Targeted Reporting Traffic inbound Traffic outbound
66 Host Groups Discovering Rogue Hosts Catch All: All unclassified RFC1918 addresses Table of all individual hosts
67 Host Groups Discovering Rogue Hosts Rogue Hosts
68 Agenda: Introduction; The Insider Threat; Concepts and Attribution; Adding Context; Flow Collection; Flow Export; NetFlow Design and Deployment; Working with NetFlow; Discovery; Identifying IOCs
69 Concept: Indicator of Compromise: an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion. Sources: IDS/IPS alert; IP addresses; file hashes; log analysis (SIEM); raw flow analysis; outside notification; anomaly detection; behavioural analysis; activity monitoring.
70 Attack Lifecycle Model Exploratory Actions Theft Initial Recon Initial Compromise Infiltration (C&C) Footprint Expansion Execution Staging Disruption
71 IoCs from Traffic Analysis. Behavioural Analysis: leverages knowledge of known bad behaviour (policy and segmentation). Anomaly Detection: identify a change from normal.
72 Behaviour Analysis Leverages knowledge of known bad behaviour
73 Segmentation Monitoring Forbidden relationship Host Groups Relationship
74 Unauthorized Access Attempted communication in violation of policy Flow denied by firewall rule
75 Custom Security Events and Host Locking Object conditions Peer conditions Connection conditions Time range
76 Policy Violations Communication in violation of policy Active alarm monitoring adherence to policy
77-81 Anomaly Detection: identify a change from normal (built up over five slides). This is weird. Very curious. What up, dude?
82 StealthWatch NBAD Model Track and/or measure behaviour/activity Notification of security event generated Algorithm Security Event Alarm Suspicious behaviour observed or anomaly detected
83 Alarm Categories Each category accrues points.
84 Example Alarm Category: Concern Index. Concern Index: track hosts that appear to be compromising network integrity. Security events: over 80 different algorithms.
85 StealthWatch: Alarms Alarms Indicate significant behaviour changes and policy violations Known and unknown attacks generate alarms Activity that falls outside the baseline, acceptable behaviour or established policies
86 Policy Tuning Policies can be created for individual host groups Tune alarm thresholds Default policy for Inside and Outside hosts
87 Internal Reconnaissance Concern Index Events Scanning on TCP-445 across multiple subnets
88 High Concern Index Baseline deviated by 2,432%!
89 Watching for Data Theft Data Exfiltration Identify suspect movement from Inside Network to Outside Single or multiple destinations from a single source Policy and behavioral
90 Data Hoarding
91 Data Hoarding Suspect Data Hoarding: Unusually large amount of data inbound from other hosts Target Data Hoarding: Unusually large amount of data outbound from a host to multiple hosts
92 Suspect Data Hoarding: unusually large amount of data inbound to a host from other hosts. Policy and behavioural.
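Slides 85 to 92 tie three ideas together: an alarm fires when behaviour falls outside a baseline (slide 88 shows a baseline deviated by 2,432%), thresholds are tuned per host group (slide 86), and data hoarding is the specific case of unusually large volume to or from one host across many peers (slides 91 and 92). The evaluator below is an added example, not the StealthWatch NBAD algorithm or any code from Lancope; it scores today's volume against a per-day baseline mean, applies a host-group policy with a default for Inside Hosts and a tuned policy for a constructed "Backup Servers" group, and labels the event as Suspect (inbound) or Target (outbound) Data Hoarding. The policies, thresholds and volumes are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List

# Per-host-group policy thresholds (constructed). The default applies to Inside Hosts;
# the tuned policy for a group whose job is to pull data from many peers raises both
# thresholds so routine backups do not trip the alarm (slide 86: tune per host group).
DEFAULT_POLICY: Dict[str, float] = {"min_peers": 10, "deviation_pct": 200.0}
HOST_GROUP_POLICIES: Dict[str, Dict[str, float]] = {
    "Backup Servers": {"min_peers": 50, "deviation_pct": 1000.0},
}


@dataclass
class DailyVolume:
    host: str
    host_group: str
    direction: str            # "inbound" (suspect hoarding) or "outbound" (target hoarding)
    history_bytes: List[int]  # per-day totals that make up the baseline
    today_bytes: int
    today_peers: int          # distinct hosts on the other end today


def deviation_pct(today: int, history: List[int]) -> float:
    """Percentage by which today's volume exceeds the baseline mean."""
    baseline = mean(history)
    if baseline == 0:
        return float("inf") if today > 0 else 0.0
    return (today - baseline) / baseline * 100.0


def evaluate(v: DailyVolume) -> Dict:
    """Apply the host group's policy; both the peer count and the deviation must exceed it."""
    policy = HOST_GROUP_POLICIES.get(v.host_group, DEFAULT_POLICY)
    dev = deviation_pct(v.today_bytes, v.history_bytes)
    alarm = v.today_peers >= policy["min_peers"] and dev >= policy["deviation_pct"]
    event = "Suspect Data Hoarding" if v.direction == "inbound" else "Target Data Hoarding"
    return {"host": v.host, "host_group": v.host_group, "event": event,
            "deviation_pct": round(dev, 1), "peers": v.today_peers, "alarm": alarm}


def sample_volumes() -> List[DailyVolume]:
    """Constructed: a week of 1 GB/day, then a 25.32 GB day, which is 2,432% above baseline."""
    week = [1_000_000_000] * 7
    return [
        DailyVolume("10.1.1.5", "Inside Hosts", "inbound", week, 25_320_000_000, 37),
        DailyVolume("10.10.0.8", "Backup Servers", "inbound", week, 25_320_000_000, 60),
        DailyVolume("10.10.0.9", "Backup Servers", "inbound", week, 25_320_000_000, 20),
        DailyVolume("10.1.1.6", "Inside Hosts", "outbound", week, 1_050_000_000, 12),
    ]


def run_sample() -> List[Dict]:
    return [evaluate(v) for v in sample_volumes()]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

The two backup servers show why tuning is per group rather than global: the same 2,432% jump alarms on the one that suddenly talked to 60 peers and stays quiet on the one that pulled from its usual 20, while an ordinary Inside host alarms at a far lower bar.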
93 Agenda: Introduction; The Insider Threat; Concepts and Attribution; Adding Context; Flow Collection; Flow Export; NetFlow Design and Deployment; Working with NetFlow; Discovery; Identifying IOCs; Responding
94 Responding Exploratory Actions Theft Initial Recon Initial Compromise Infiltration (C&C) Footprint Expansion Execution Staging Disruption IOC Found: Investigate forwards and backward
95 The Science of Deduction. Chapter 1: The Sign of the Four
96 The Science of Deduction Gathering Evidence What did they get? IOC Where did they go? Data Element When did they get it? Who is they? Are they still here?
97 Responding to an IOC IOC: Security vendor publishes list of IP addresses identified as BlackPOS servers Create a Host Group for BlackPOS Servers IP Addresses
98 BlackPOS Host Locking Violation Alarm. Create a Host Lock Violation alarm for communication to BlackPOS servers: set client hosts to POS Terminals; set server hosts to BlackPOS Servers; alarm on FTP traffic; trigger the alarm on unsuccessful connections as well.
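Slides 97 and 98 turn a published IP list into a host group and a host lock between two groups, and slides 66 and 67 use a catch-all group for unclassified RFC1918 space to surface rogue hosts. The block below is an added example written for this page, not StealthWatch's host group or host locking implementation; it classifies addresses into host groups with Python's ipaddress module, evaluates a forbidden POS Terminals to BlackPOS Servers relationship restricted to FTP, treats a conversation with no server packets as an unsuccessful attempt that still alarms, and lists the inside addresses that land in the catch-all. The host groups and conversation records are constructed, and the "BlackPOS Servers" entries are documentation-range placeholders standing in for a vendor's list, not real indicators.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed host groups. The "BlackPOS Servers" entries are PLACEHOLDERS for a
# vendor-published IP list; they are documentation-range addresses, not real IOCs.
HOST_GROUPS: Dict[str, List[str]] = {
    "POS Terminals": ["10.50.0.0/16"],
    "Lab Servers": ["10.10.0.0/24"],
    "BlackPOS Servers": ["203.0.113.7/32", "198.51.100.200/32"],
}
CATCH_ALL = "Catch All"   # unclassified RFC1918 space, as on slide 66
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_GROUP_NETS = {g: [ipaddress.ip_network(n) for n in nets] for g, nets in HOST_GROUPS.items()}


def classify(ip: str) -> str:
    """Map an address to its host group; unclassified private space lands in the catch-all."""
    addr = ipaddress.ip_address(ip)
    for group, nets in _GROUP_NETS.items():
        if any(addr in net for net in nets):
            return group
    if any(addr in net for net in RFC1918):
        return CATCH_ALL
    return "Outside Hosts"


@dataclass
class HostLock:
    """Forbidden relationship between a client host group and a server host group."""
    name: str
    client_group: str
    server_group: str
    server_ports: Optional[Set[int]] = None   # None = any service
    alarm_on_unsuccessful: bool = True        # attempts count even if nothing came back


def check_conversation(conv: Dict, locks: List[HostLock]) -> List[str]:
    """Return one alarm string per lock the conversation violates."""
    client_group = classify(conv["client_ip"])
    server_group = classify(conv["server_ip"])
    alarms: List[str] = []
    for lock in locks:
        if (client_group, server_group) != (lock.client_group, lock.server_group):
            continue
        if lock.server_ports is not None and conv["server_port"] not in lock.server_ports:
            continue
        completed = conv["server_pkts"] > 0   # no server packets: the attempt got no answer
        if completed or lock.alarm_on_unsuccessful:
            alarms.append(f"{lock.name}: {conv['client_ip']} -> {conv['server_ip']}:"
                          f"{conv['server_port']} ({'completed' if completed else 'attempt only'})")
    return alarms


def rogue_hosts(conversations: List[Dict]) -> Set[str]:
    """Inside addresses that fall into the catch-all group (slide 67)."""
    hosts: Set[str] = set()
    for c in conversations:
        for ip in (c["client_ip"], c["server_ip"]):
            if classify(ip) == CATCH_ALL:
                hosts.add(ip)
    return hosts


BLACKPOS_LOCK = HostLock("BlackPOS Host Lock Violation", "POS Terminals",
                         "BlackPOS Servers", server_ports={20, 21})


def sample_conversations() -> List[Dict]:
    """Constructed conversation records (already stitched and de-duplicated)."""
    return [
        {"client_ip": "10.50.3.21", "server_ip": "203.0.113.7", "server_port": 21, "server_pkts": 5},
        {"client_ip": "10.50.3.22", "server_ip": "198.51.100.200", "server_port": 21, "server_pkts": 0},
        {"client_ip": "10.10.0.5", "server_ip": "203.0.113.7", "server_port": 21, "server_pkts": 5},
        {"client_ip": "10.50.3.21", "server_ip": "203.0.113.7", "server_port": 443, "server_pkts": 9},
        {"client_ip": "10.77.1.1", "server_ip": "10.50.3.21", "server_port": 445, "server_pkts": 2},
    ]


def run_sample() -> List[str]:
    alarms: List[str] = []
    for conv in sample_conversations():
        alarms.extend(check_conversation(conv, [BLACKPOS_LOCK]))
    return alarms


if __name__ == "__main__":
    for line in run_sample():
        print(line)
    print("rogue hosts:", sorted(rogue_hosts(sample_conversations())))
```

The third and fourth sample records show what the lock's scope buys: a lab server reaching the same address, or a POS terminal reaching it over HTTPS, is outside the forbidden relationship and does not alarm, which keeps the alarm specific to the relationship the IOC actually describes while the 90-day flow query on slide 99 is what finds the broader history.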
99 BlackPOS - Investigate. You know today what you didn't know yesterday. Run a Flow Query over the last 90 days: configure the application to be FTP; server or client includes the known bad BlackPOS IP addresses.
100 BlackPOS Returned Flows Infected hosts FTP Transfers BlackPOS Servers
101 Investigating a Host Host report for Summary information Behavior alarms Quick view of host group communication IOC: IDS Alert indicating a known worm operating inside your network
102 Investigating: Host Drilldown User information Applications
103 Investigating: Applications A lot of applications. Some suspicious!
104 Investigating: Behaviour Alarms Significant network activity
105 Investigating: Security Events associated with host Touched hosts.
106 Investigating: View all Flows Network behavior retroactively analyzed
107 It Could Start with a User Username View Flows Active Directory Details Alarms Devices and Sessions
108 Audit Trails Network behavior retroactively analyzed
109 Agenda: Introduction; The Insider Threat; Concepts and Attribution; Adding Context; Flow Collection; Flow Export; NetFlow Design and Deployment; Working with NetFlow; Discovery; Identifying IOCs; Responding; Summary
110 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Table Topics Meet the Engineer 1:1 meetings Related sessions
111 Related Sessions BRKSEC-2026 Network as a Sensor and Enforcer Darrin Miller, Matt Robertson Monday, Jun 8 1:00-3:00 BRKCRS Threat Defense for Enterprise Networks with Unified Access Vaibhav Katkade Tuesday, Jun 9, 3:30-5:00 PCSZEN Network as a Sensor: Using NetFlow for Incident Response Gavin Reid, Matt Valites Wednesday, Jun 10, 9:15 9:45 BRKSEC Detecting Adversarial Threats - Tools, Techniques, and Infrastructure to Find the Bad Guys Matt Healy, Paul Eckstein Monday, Jun 8, 1:00 3:00 BRKSEC-3068 Intermediate - Red Team, Blue Team: Lessons Learned for Real World Attacks Jamey Heary, Nick Hitchcock Monday Jun 8, 10:00-12:00
112 Links and Recommended Reading More about the Cisco Cyber Threat Defense Solution: Recommended Reading Cyber Threat Defense Cisco Validated Design Guide: Cyber Threat Defense for the Data Center Cisco Validated Design Guide: Securing Cisco Networks with Threat Detection and Analysis (SCYBER)
113 Participate in the My Favorite Speaker Contest. Promote Your Favorite Speaker and You Could Be a Winner. Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress). Send a tweet and include your favorite speaker's Twitter handle and two hashtags: #CLUS #MyFavoriteSpeaker. You can submit an entry for more than one of your favorite speakers. Don't forget to view the official rules at
114 Complete Your Online Session Evaluation. Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect. Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
115 Key Takeaways Insider threats are operating on the network interior Threat detection and response requires visibility and context into network traffic NetFlow and the Lancope StealthWatch System provide actionable security intelligence
116 Q & A
117 The game is afoot! Sherlock Holmes, The Adventure of the Abbey Grange
118 Thank you
Scalable Extraction, Aggregation, and Response to Network Intelligence Agenda Explain the two major limitations of using Netflow for Network Monitoring Scalability and Visibility How to resolve these issues
More informationCisco Cyber Threat Defense Solution: Delivering Visibility into Stealthy, Advanced Network Threats
Solution Overview Cisco Cyber Threat Defense Solution: Delivering Visibility into Stealthy, Advanced Network Threats What You Will Learn The network security threat landscape is ever-evolving. But always
More informationRecommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document
Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document Produced by AMRES NMS Group (AMRES BPD 104) Author: Ivan Ivanović November 2011 TERENA 2010. All rights reserved.
More informationConfiguring NetFlow. Information About NetFlow. NetFlow Overview. Send document comments to nexus7k-docfeedback@cisco.com. CHAPTER
CHAPTER 19 This chapter describes how to configure the NetFlow feature on Cisco NX-OS devices. This chapter includes the following sections: Information About NetFlow, page 19-1 Licensing Requirements
More informationSANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
More informationFlow Monitor for WhatsUp Gold v16.2 User Guide
Flow Monitor for WhatsUp Gold v16.2 User Guide Contents Table of Contents Flow Monitor Overview Welcome to WhatsUp Gold Flow Monitor... 1 What is Flow Monitor?... 2 How does Flow Monitor work?... 2 System
More information642 552 Securing Cisco Network Devices (SND)
642 552 Securing Cisco Network Devices (SND) Course Number: 642 552 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional, Cisco Firewall Specialist,
More informationRAVEN, Network Security and Health for the Enterprise
RAVEN, Network Security and Health for the Enterprise The Promia RAVEN is a hardened Security Information and Event Management (SIEM) solution further providing network health, and interactive visualizations
More informationIntroduction to Network Discovery and Identity
The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, page 1 Uses for Host, Application, and User Discovery and Identity
More informationCisco EXAM - 500-451. Enterprise Network Unified Access Essentials. Buy Full Product. http://www.examskey.com/500-451.html
Cisco EXAM - 500-451 Enterprise Network Unified Access Essentials Buy Full Product http://www.examskey.com/500-451.html Examskey Cisco 500-451 exam demo product is here for you to test the quality of the
More informationFlow Analysis Versus Packet Analysis. What Should You Choose?
Flow Analysis Versus Packet Analysis. What Should You Choose? www.netfort.com Flow analysis can help to determine traffic statistics overall, but it falls short when you need to analyse a specific conversation
More informationSolarWinds Technical Reference
SolarWinds Technical Reference Configuring Devices for Flow Collection Introduction... 3 Cisco... 3 Cisco Catalyst 3560/3750... 4 Cisco Catalyst 4500... 7 Cisco Catalyst 6500... 9 Cisco Nexus 7000/7010...
More informationHUNTING ATTACKERS WITH NETWORK AUDIT TRAILS
HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS John Pierce jpierce@lancope.com 1 CREATING THE AUDIT TRAIL 2 Network Auditing Basics Maximize Visibility Don t trust the host Store audit data in a central location
More informationFIREWALLS & CBAC. philip.heimer@hh.se
FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that
More informationSolarWinds Technical Reference
SolarWinds Technical Reference Configuring Devices for Flow Collection Introduction... 3 Cisco... 3 Cisco Catalyst 3560/3750... 4 Cisco Catalyst 4500... 7 Cisco Catalyst 6500... 9 Cisco Nexus 7000/7010...
More informationImplementing Cisco IOS Network Security
Implementing Cisco IOS Network Security IINS v3.0; 5 Days, Instructor-led Course Description Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles
More informationConfiguring NetFlow Secure Event Logging (NSEL)
73 CHAPTER This chapter describes how to configure NSEL, a security logging mechanism that is built on NetFlow Version 9 technology, and how to handle events and syslog messages through NSEL. The chapter
More informationPassguide 500-451 35q
Passguide 500-451 35q Number: 500-451 Passing Score: 800 Time Limit: 120 min File Version: 18.5 Cisco 500-451 Cisco Unified Access Systems Engineer Exam 100% Valid in US, UK, Australia, India and Emirates.
More informationHow To Manage Security On A Networked Computer System
Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy
More informationCisco Cyber Threat Defense - Visibility and Network Prevention
White Paper Advanced Threat Detection: Gain Network Visibility and Stop Malware What You Will Learn The Cisco Cyber Threat Defense (CTD) solution brings visibility to all the points of your extended network,
More informationFlow Monitor for WhatsUp Gold v16.1 User Guide
Flow Monitor for WhatsUp Gold v16.1 User Guide Contents Table of Contents Flow Monitor Overview Welcome to WhatsUp Gold Flow Monitor... 1 What is Flow Monitor?... 2 How does Flow Monitor work?... 2 System
More informationOn-Premises DDoS Mitigation for the Enterprise
On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has
More informationWireshark Developer and User Conference
Wireshark Developer and User Conference Using NetFlow to Analyze Your Network June 15 th, 2011 Christopher J. White Manager Applica6ons and Analy6cs, Cascade Riverbed Technology cwhite@riverbed.com SHARKFEST
More informationFIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall
More informationINTRODUCTION TO FIREWALL SECURITY
INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ
More informationFirewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA
Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..
More informationConfiguring NetFlow-lite
CHAPTER 55 Note NetFlow-lite is only supported on Catalyst 4948E Ethernet Switch. This chapter describes how to configure NetFlow-lite on the Catalyst 4948E switch. NetFlow-lite provides traffic monitoring
More informationCisco IOS Flexible NetFlow Command Reference
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION
More informationNetflow Overview. PacNOG 6 Nadi, Fiji
Netflow Overview PacNOG 6 Nadi, Fiji Agenda Netflow What it is and how it works Uses and Applications Vendor Configurations/ Implementation Cisco and Juniper Flow-tools Architectural issues Software, tools
More informationCIRA s experience in deploying IPv6
CIRA s experience in deploying IPv6 Canadian Internet Registration Authority (CIRA) Jacques Latour Director, Information Technology Ottawa, April 29, 2011 1 About CIRA The Registry that operates the Country
More informationand reporting Slavko Gajin slavko.gajin@rcub.bg.ac.rs
ICmyNet.Flow: NetFlow based traffic investigation, analysis, and reporting Slavko Gajin slavko.gajin@rcub.bg.ac.rs AMRES Academic Network of Serbia RCUB - Belgrade University Computer Center ETF Faculty
More informationGaining Operational Efficiencies with the Enterasys S-Series
Gaining Operational Efficiencies with the Enterasys S-Series Hi-Fidelity NetFlow There is nothing more important than our customers. Gaining Operational Efficiencies with the Enterasys S-Series Introduction
More informationAlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide
AlienVault Unified Security Management (USM) 4.x-5.x Deployment Planning Guide USM 4.x-5.x Deployment Planning Guide, rev. 1 Copyright AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,
More informationNetFlow v9 Export Format
NetFlow v9 Export Format With this release, NetFlow can export data in NetFlow v9 (version 9) export format. This format is flexible and extensible, which provides the versatility needed to support new
More informationLOG INTELLIGENCE FOR SECURITY AND COMPLIANCE
PRODUCT BRIEF uugiven today s environment of sophisticated security threats, big data security intelligence solutions and regulatory compliance demands, the need for a log intelligence solution has become
More informationIBM. Vulnerability scanning and best practices
IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration
More informationTake the NetFlow Challenge!
TM Scrutinizer NetFlow and sflow Analysis Scrutinizer is a NetFlow and sflow analyzer that provides another layer of cyber threat detection and incredibly detailed network utilization information about
More informationForeScout CounterACT. Device Host and Detection Methods. Technology Brief
ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...
More informationMonitoring and analyzing audio, video, and multimedia traffic on the network
Monitoring and analyzing audio, video, and multimedia traffic on the network Slavko Gajin slavko.gajin@rcub.bg.ac.rs AMRES Academic Network of Serbia AMRES Academic Network of Serbia RCUB - Belgrade University
More informationComprehensive Advanced Threat Defense
1 Comprehensive Advanced Threat Defense June 2014 PAGE 1 PAGE 1 1 INTRODUCTION The hot topic in the information security industry these days is Advanced Threat Defense (ATD). There are many definitions,
More informationPROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES
PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute
More informationNetwork Management & Monitoring
Network Management & Monitoring NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)
More informationJ-Flow on J Series Services Routers and Branch SRX Series Services Gateways
APPLICATION NOTE Juniper Flow Monitoring J-Flow on J Series Services Routers and Branch SRX Series Services Gateways Copyright 2011, Juniper Networks, Inc. 1 APPLICATION NOTE - Juniper Flow Monitoring
More informationNetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date 2012-9-6
(Integrated) Technology White Paper Issue 01 Date 2012-9-6 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means
More informationIntroduction of Intrusion Detection Systems
Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:
More informationCisco IPS Tuning Overview
Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.
More informationTop 20 Critical Security Controls
Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need
More informationCISCO IOS NETFLOW AND SECURITY
CISCO IOS NETFLOW AND SECURITY INTERNET TECHNOLOGIES DIVISION FEBRUARY 2005 1 Cisco IOS NetFlow NetFlow is a standard for acquiring IP network and operational data Benefits Understand the impact of network
More informationWhatsUpGold. v15.0. Flow Monitor User Guide
WhatsUpGold v15.0 Flow Monitor User Guide Contents CHAPTER 1 Flow Monitor Overview Welcome to WhatsUp Gold Flow Monitor... 1 What is Flow Monitor?... 2 How does Flow Monitor work?... 2 System requirements...
More informationCatalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting
Catalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting Document ID: 70974 Introduction Prerequisites Requirements Components Used Conventions Background Information Configure Network Diagram
More informationWe will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall
Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,
More informationIntroduction to Netflow
Introduction to Netflow Mike Jager Network Startup Resource Center mike.jager@synack.co.nz These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)
More informationOverview. Firewall Security. Perimeter Security Devices. Routers
Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security
More informationBlackRidge Technology Transport Access Control: Overview
2011 BlackRidge Technology Transport Access Control: Overview 1 Introduction Enterprises and government agencies are under repeated cyber attack. Attacks range in scope from distributed denial of service
More informationFlow Analysis. Make A Right Policy for Your Network. GenieNRM
Flow Analysis Make A Right Policy for Your Network GenieNRM Why Flow Analysis? Resolve Network Managers Challenge as follow: How can I know the Detail and Real-Time situation of my network? How can I do
More informationCISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY
CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY CISCO INFORMATION TECHNOLOGY SEPTEMBER 2004 1 Overview Challenge To troubleshoot capacity and quality problems and to understand
More informationSecurity Technology: Firewalls and VPNs
Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up
More informationClassic IOS Firewall using CBACs. 2012 Cisco and/or its affiliates. All rights reserved. 1
Classic IOS Firewall using CBACs 2012 Cisco and/or its affiliates. All rights reserved. 1 Although CBAC serves as a good foundation for understanding the revolutionary path toward modern zone based firewalls,
More informationICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.
ICND2 NetFlow Question 1 What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring B. Network Planning C. Security Analysis D. Accounting/Billing Answer: A C D NetFlow
More informationHow To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)
SIEM FOR BEGINNERS EVERYTHING YOU WANTED TO KNOW ABOUT LOG MANAGEMENT BUT WERE AFRAID TO ASK www.alienvault.com A Rose By Any Other Name SLM/LMS, SIM, SEM, SEC, SIEM Although the industry has settled on
More informationEnterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: Large organizations have spent millions of dollars on security
More informationArchitecture Overview
Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and
More informationGetting Started with Configuring Cisco IOS NetFlow and NetFlow Data Export
Getting Started with Configuring Cisco IOS NetFlow and NetFlow Data Export Last Updated: November 28, 2011 This module contains the minimum amount of information about and instructions necessary for configuring
More informationOverview. Summary of Key Findings. Tech Note PCI Wireless Guideline
Overview The following note covers information published in the PCI-DSS Wireless Guideline in July of 2009 by the PCI Wireless Special Interest Group Implementation Team and addresses version 1.2 of the
More informationJK0 015 CompTIA E2C Security+ (2008 Edition) Exam
JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router
More informationINCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS
WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by
More informationInternet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering
Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls
More information