Automatic Network Protection Scenarios Using NetFlow

Similar documents

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

Detecting Botnets with NetFlow

Flow-based detection of RDP brute-force attacks

NfSen Plugin Supporting The Virtual Network Monitoring

Revealing Botnets Using Network Traffic Statistics

Cisco Network Foundation Protection Overview

Network Security Monitoring and Behavior Analysis Best Practice Document

Distributed Systems. Firewalls: Defending the Network. Paul Krzyzanowski

Firewalls and System Protection

Building A Secure Microsoft Exchange Continuity Appliance

Monitoring backbone networks

Introduction of Intrusion Detection Systems

EMERGING THREATS & STRATEGIES FOR DEFENSE. Stephen Coty Chief Security

On the use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks

Nemea: Searching for Botnet Footprints

Radware s Attack Mitigation Solution On-line Business Protection

CERT-GOV-GE Activities & International Partnerships

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

Load Balancing Security Gateways WHITE PAPER

White Paper A10 Thunder and AX Series Load Balancing Security Gateways

How To Create A Network Monitoring System (Flowmon) In Avea-Tech (For Free)

Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX

nfdump and NfSen 18 th Annual FIRST Conference June 25-30, 2006 Baltimore Peter Haag 2006 SWITCH

Denial of Service Attacks

Watch your Flows with NfSen and NFDUMP 50th RIPE Meeting May 3, 2005 Stockholm Peter Haag

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

Security Event Management. February 7, 2007 (Revision 5)

HoneyBOT User Guide A Windows based honeypot solution

System Specification. Author: CMU Team

Comprehensive IP Traffic Monitoring with FTAS System

Network Monitoring and Management NetFlow Overview

Fortigate Features & Demo

FortiWeb for ISP. Web Application Firewall. Copyright Fortinet Inc. All rights reserved.

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

Security Toolsets for ISP Defense

DDoS Mitigation Techniques

CERT-GOV-GE Activities & Services

Advanced approach to network security and performance monitoring

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

Unified Security Management and Open Threat Exchange

Introduction to Netflow

High Speed Data Transfer from the APS. Kenneth Sidorowicz September 27, 2006

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Firewalls, Tunnels, and Network Intrusion Detection

Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS)

Second-generation (GenII) honeypots

Stephen Coty Director, Threat Research

Data Sheet. V-Net Link 700 C Series Link Load Balancer. V-NetLink:Link Load Balancing Solution from VIAEDGE

TELCO challenge: Learning and managing the network behavior

Installing and Configuring Nessus by Nitesh Dhanjani

Intego Enterprise Software Deployment Guide

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Introducing FortiDDoS. Mar, 2013

DOCUMENT REFERENCE: SQ EN. SAMKNOWS TEST METHODOLOGY Web-based Broadband Performance White Paper. July 2015

Reducing the impact of DoS attacks with MikroTik RouterOS

How To Set Up Foglight Nms For A Proof Of Concept

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

SANS Top 20 Critical Controls for Effective Cyber Defense

Lecture 02b Cloud Computing II

SANS Dshield Webhoneypot Project. OWASP November 13th, The OWASP Foundation Jason Lam

Traffic Monitoring : Experience

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

FlowMon. Complete solution for network monitoring and security. INVEA-TECH

Description: Objective: Attending students will learn:

DLP Detection with Netflow

Intrusion Detection Systems (IDS)

UNIVERSITY OF BOLTON CREATIVE TECHNOLOGIES COMPUTING AND NETWORK SECURITY SEMESTER TWO EXAMINATIONS 2014/2015 NETWORK SECURITY MODULE NO: CPU6004

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

NETWORK SECURITY (W/LAB) Course Syllabus

Netflow Collection with AlienVault Alienvault 2013

CYBER SECURITY. Overview This event provides recognition for FBLA members who understand security needs for technology.

Connecting North Carolina s Future Today. Application Monitoring: ClassScape Case Study. NCSU Centennial Networking Lab

On and off premises technologies Which is best for you?

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Nfsight: NetFlow-based Network Awareness Tool

Network Security Administrator

Cheap and efficient anti-ddos solution

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Data Centers Protection from DoS attacks. Trends and solutions. Michael Soukonnik, Radware Ltd Riga. Baltic IT&T

Windows Remote Access

Network Security: A Practical Approach. Jan L. Harrington

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool

Protecting Critical Infrastructure

SysAid IT On-Demand Architecture Including Security and Disaster Recovery Plan

Lesson 5: Network perimeter security

CaptIO Policy-Based Security Device

Security perimeter. Internet. - Access control, monitoring and management. Differentiate between insiders and outsiders - Different types of outsiders

SESA Securing with Cisco Security Appliance Parts 1 and 2

Copyright 2011 Sophos Ltd. Copyright strictly reserved. These materials are not to be reproduced, either in whole or in part, without permissions.

Array Networks & Microsoft Exchange Server 2010

Transcription:

Automatic Network Protection Scenarios Using NetFlow Vojt ch Krmí ek, Jan Vykopal {krmicek vykopal}@ics.muni.cz FloCon 2012 January 9-12, Austin, Texas

Part I Flow-based Network Protection Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 2 / 23

Goals and Components Goals of Network Protection Using NetFlow data to protect network. Defending perimeter against attacks from outside. Automated attack detection. Suitable for high speed networks (10 Gbps+). System Parts Sensors ( NetFlow data). Control center ( commands). Active network components ( blocking/filtering). HAMOC platform both sensor and active component. Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 3 / 23

General Architecture of Network Protection Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 4 / 23

NfSen/NFDUMP Collector Toolset Architecture Web Front-End User Plugins Command-Line Interface Periodic Update Tasks and Plugins NetFlow v5/v9 NFDUMP Backend NfSen NetFlow Sensor http://nfsen.sf.net/ NFDUMP NetFlow display http://nfdump.sf.net/ Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 5 / 23

Methods for Data Analysis TCP SYN scanning detection Simple, e ective general method, low false positive rate. Honeypot monitoring Uses subnet allocated for high- and low-interaction honeypots. Eliminates false positives, mainly catches hosts from outside. Brute force attack detection Similar flows may be symptoms of this attack. Suitable even for encrypted services such as SSH. Round trip time anomaly detection (D)DOSes overwhelm servers and increase response time. Abrupt increase of RTT may point to attack/misconfiguration. Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 6 / 23

HAMOC Hardware Platform Features Tra c distribution among multiple CPU cores. Network applications with hardware acceleration. Capable of concurrent monitoring/blocking/filtering/etc. Low-speed networks SW alternative (NetFlow/iptables). Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 7 / 23

Network Protection Deployment Scenarios Scenarios NetFlow probes + control center + RTBH 1 filtering HAMOC as NetFlow probe and firewall HAMOC as redirection to quarantine (phishing) HAMOC as NetFlow probe and active attack tool HAMOC as NetFlow probe and tra c limiter 1 Remote Triggered Black Hole Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 8 / 23

Part II Network Protection Scenarios Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 9 / 23

NetFlow Probes + Control Center + RTBH Filtering Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 10 / 23

HAMOC as NetFlow Probe and Firewall Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 11 / 23

HAMOC as Redirection to Quarantine (Phishing) Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 12 / 23

HAMOC as NetFlow Probe and Active Attack Tool Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 13 / 23

HAMOC as NetFlow Probe and Tra c Limiter Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 14 / 23

Part III Network Protection Use Case: SSH Dictionary Attack and HAMOC Firewall Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 15 / 23

I. Attacker Performs SSH Horizontal Scan Attacker Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 16 / 23

II. Attacker Starts SSH Dictionary Attack Attacker Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 17 / 23

III. Center Detects Attack/Inserts Blocking Rule Attacker Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 18 / 23

IV. New SSH Attack, Blocked at the Border Attacker Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 19 / 23

V. Regular User Can Access Network, Attacker Not Attacker Regular User Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 20 / 23

Part IV Conclusion Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 21 / 23

Conclusion Role of IP Flow Monitoring in High Speed Networks Flow-based monitoring suitable for large networks. Observe and automatically inspect 24x7 network data. Possible future deployment in 10Gbps/40Gbps/100Gbps networks. Automatic Network Protection Class of attacks can be detected automatically. Automatic network protection supports operators. Detect and block attacks before hosts are infected. Not usable in every situation limitations. Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 22 / 23

Thank you for your attention! Automatic Network Protection Scenarios Using NetFlow Vojt ch Krmí ek et al. {krmicek vykopal}@ics.muni.cz Project CYBER http://www.muni.cz/ics/cyber This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801. Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 23 / 23