Overview of NetFlow NetFlow and ITSG-33 Existing Monitoring Tools Network Monitoring and Visibility Challenges Technology of the future Q&A

Transcription

1

2 Overview of NetFlow NetFlow and ITSG-33 Existing Monitoring Tools Network Monitoring and Visibility Challenges Technology of the future Q&A

3 What is NetFlow? Network protocol originally developed by Cisco for collecting IP traffic information and monitoring network traffic. NetFlow looks at IP flows rather than counting bytes at interfaces. A flow is a stream of IP packets that have the following seven identical fields: A common source IP address A common destination IP address A common source port A common destination port Same layer 3 protocol Same type of service The same logical interface

4 NetFlow Benefits Network administrators can use NetFlow in many different ways to get valuable insights into their network: Bandwidth Monitoring and Traffic Analysis Network Forensics and Security Management Application Monitoring Tracking Application Migration Validating QoS Capacity Planning Identify worms and malware Analysis of VPN traffic and Teleworker behavior Calculating total cost of ownership for applications

5 Use of NetFlow for Security (Examples) Network Auditing - Tracking the flow of data to and from the systems that process the information. Informed Decisions - More and better information leads to better decisions. Availability Determining where more bandwidth is required as a result of the network s growth. Insiders Engaged in Malicious Actions, Data Exfiltration - Tracking how much data leaves the network and where is it going. Full History Attack Investigation Identification of lurking infections and determining exactly which systems are affected and require cleaning. Identification of Compromised Hosts Tracking computer systems behavior over time and determining when new behavior patterns are out of the ordinary. Anomalous Network Behavior Using the knowledge of the usual and expected to spot the unusual and unexpected. Policy Enforcement Identification of access attempts that violate policies.

6 ITSG-33 Overview ITSG-33 Document Structure: Annex 1 Departmental IT Security Annex 2 Information System Security Annex 3 Security Control Catalogue Annex 4-1,2,3 Security Control Profiles for PB/M/M, PA/L/L, Secret/M/M Annex 5 Glossary Purpose Support Compliance to GC Policy Instruments Provide a Catalogue of Security Controls Facilitate Consistent and Repeatable Selection of Security Controls Establish a Common Lexicon Audience IT Security Community Program and Project Managers System Architects and Designers

7 ITSG-33 Security Controls Library Security Control Definition: A management, operational, or technical security functional requirement prescribed for an information system to protect the confidentiality, integrity, and availability of its IT assets. Security controls are implemented using various types of security solutions that include security products, security policies, security practices, and security procedures. ITSG-33 Controls Catalog: 3 Security Control Classes 17 Security Control Families 194 Security Controls 442 Control Enhancements 636 Requirements

8 Infrastructure Resource Protection and Availability ITSG-33 To implement internal control, security and audit-ability measures during configuration, integration and maintenance for hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated. Applicable controls: CM-8 NetFlow Monitors host and traffic activity. Operates as an internal technical control that provides an added layer of network security and ensures continuous network availability. Used during times of change, such as in the case of mergers and acquisitions when disparate networks merge to provide a level of stability and control during unstable and uncertain network transition.

9 Capacity and Performance of IT Resources ITSG-33 To plan, review and model the performance and capacity of IT resources; forecast future needs to minimize the risk of service disruptions; monitor to maintain and tune current performance and to report on service availability. Applicable controls: CP-2 NetFlow baselines network traffic for historical trending, capacity planning as well as network security purposes: Traffic statistics include interface utilization in general, traffic composition, out of profile ports and services, QoS bandwidth utilization to name a few. By alarming on deviations from this baseline, it helps organizations retain control of resource consumption and assist with proactive and quantifiable network upgrade decisions as opposed to reactive and potentially unfounded bandwidth upgrades.

10 Security Testing, Surveillance and Monitoring ITSG-33 To ensure that IT security implementation is tested and monitored proactively. A logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed. Applicable controls: AU-6, CA-2, CA-6, CA-7, CM-4, RA-5, SI-4 NetFlow: Not only provides network visibility and monitoring but also a quick clue as to what is actually happening on the network and where, expediting incident resolution. Security teams find tremendous value in this immediate contextual awareness because it enables them to focus their research on the records specific to the problem at hand.

11 Malicious Software Prevention, Detection and Correction ITSG-33 To ensure that preventive, detective and corrective measure are in place across the organization to protect information systems and technology from malware. Applicable controls: SC-18, SI-3, SI-7, SI-8 NetFlow: Helps detect malware, when oftentimes signature-based systems cannot do it. Moreover, some enterprises have also deployed NetFlow as a catch all for their Data Leakage Prevention (DLP) project to supplement traditional DLP tools.

12 Network Security ITSG-33 To ensure that security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation and intrusion detection) are used to authorize access and control information flows from and to networks. Applicable controls: AC-4, SC-7, SI-4 NetFlow: Helps detect unauthorized access, firewall misconfiguration, and third-party integration issues.

13 Infrastructure Monitoring ITSG-33 To define and implement procedures to monitor the IT infrastructure and related events. Ensure sufficient chronological information is being stored in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations. Applicable controls: AU-13, CA-7, IR-5, SI-4 NetFlow: Host-centric view of the network provides broader context around network activity not available with packet-centric technologies. Helps to quickly focus incident resolution efforts on only those security event logs pertinent to the problem at hand.

14 While full network visibility is needed at all times, achieving deep, selective and continuous monitoring goals is difficult, if not impossible, with the current market offerings: Too many tools, not enough SPAN/Mirror ports or network taps for access. SPAN port contention and limited network access. Time-consuming change order and configuration management processes. High management overhead. Lack of scalability resulting in multiple gaps in the monitoring coverage. Security tools being over- or undersubscribed, and not being used at capacity, i.e., not cost effective.

15 Network monitoring may take many forms: Software-based monitoring Network monitoring and capture hardware Security monitoring hardware Some techniques are more operationally focused, while others were put in place for security and compliance reasons (e.g., monitoring traffic for attacks vs. to ensure throughput is adequate)

16 SPAN Port Monitoring Most switches cannot feasibly support more than two SPAN ports. SPAN ports can create: Additional performance issues Changes in the architecture that also introduce performance and potential security gaps Network Taps for Monitoring Many taps do not have port density necessary for advance deployment Multiple management requirements increase operational overhead Lack of granularity High cost

17 IT trends drive scale and complexity Network discontinuity impacts network operations Enterprises deploy more network mgmt. and security tools Network mgmt, and security tools need network visibility Visibility requirements lead to greater use of SPAN/mirror ports and taps Greater use of SPAN/mirror ports and taps leads to scaling/visibi lity issues Next Generation of Network Monitoring Devices

18 Small and inexpensive, inline taps installed at the end point equipment that help improve the overall efficiency within the environment. Remotely configurable and administered. Intelligent taps that make sense economically and simplify the implementation and ongoing maintenance of network monitoring. Devices that integrate well with existing network and security tools and vendors, and provides ample functionality for various IT teams to leverage for improved efficiencies and operations.

19 Network Security & IT Operations: Self-discovering network layer Limitless network visibility Defence in depth Reduced time to protection and lower cost Support for different data reporting standards, e.g., Syslog, NetFlow, IPFIX, JFlow, SFlow, etc. Senior Management: Increased tool ROI Reduced tool cost Lower cost of ownership

20 Alexander Zakharov Robert Venczel WAW Technologies Inc

21 Q&A