Early warning for security attacks



Transcription:

Slide 1: Early warning for security attacks, 2013
Henrik Lund Kramshøj, internet samurai, hlk@solido.net, http://www.solidonetworks.com
© license CC BY 3.0. 2014 Solido Networks, Henrik Lund Kramshøj

Slide 2: Intro
Security attacks and DDoS are very much in the media.

Slide 3: Attack overview
http://www.sicherheitstacho.eu/?lang=en

Slide 4: Graphs and Dashboards!
https://observium.solido.net/

Slide 5: Graphs and Dashboards!
Screenshot from Peter Manev, OISF. Shown are Suricata IDS alerts processed by Logstash and Kibana.

Slide 6: Networks today
[Diagram: Sample Network. Location: Copenhagen, Date: August X 2013, Room: x, Version: 1.0]
Internet (x*10 Gbit connections) -> Router01 / Router02 (core routing) -> Security services (firewalls) -> core switching -> customer segments:
  Redundant customer with dedicated devices: firewalls, LAN L2 switching, load balancers
  Redundant customer with some shared devices: LAN L2 switching, load balancers, dedicated load balancing

Slide 7: Defense in depth - multiple layers of security
Each layer has its own knowledge about the traffic and its own proposed actions:
  Internet (x*10 Gbit connections)
    Knowledge about traffic: individual packets; valid source IP?
    Proposed actions: get more bandwidth; stateless filtering; null-routing, RTBH blackholing
  Router01 / Router02 (core routing)
    Knowledge about traffic: identify traffic by ports/protocols
    Proposed actions: mirror to IDS logging and packet capture; shaping and fair distribution
  Core switching / Security services (firewalls)
    Knowledge about traffic: sessions, #sessions/IP
    Proposed actions: stateful filtering, screens; IDS/IDP security services
  Load balancers / servers
    Knowledge about traffic: full request with parameters and cookies; logged-in user authenticated?
    Proposed actions: application tuning; next-generation firewalls; load balancer features; server security (input validation, stack protection features)

Slide 8: Netflow NFSen
An extra 100k packets per second from this netflow source (the source is a router).

Slide 9: DDoS traffic before filtering
Only two links shown; at least 3 Gbit incoming for this single IP.

Slide 10: DDoS traffic after filtering
Link toward the server (actually the next-level firewall): about 350 Mbit outgoing.

Slide 11: How to get started
How to get started searching for security events?
Collect basic data from your devices and networks:
  Netflow data from routers
  Session data from firewalls
  Logging from applications: email, web, proxy systems
Centralize!
Process the data:
  Top 10: interesting due to high frequency; occurs often, brute-force attacks; ignore
  Bottom 10: the least-frequent messages are interesting
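As an added example (not code from the slides) of the "top 10 / bottom 10" step: the script below reduces constructed syslog-style lines to message templates, counts them, and returns the most and least frequent ones, so brute-force noise rises to the top while a one-off event such as a new user account sinks to the bottom. The sample lines and the normalisation patterns are assumptions for this illustration.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the slides): syslog-style messages
# as a centralized collector might hold them after "Centralize!".
SAMPLE_LOGS = """\
Aug 12 10:01:02 fw01 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug 12 10:01:03 fw01 sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
Aug 12 10:01:04 fw01 sshd[2212]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Aug 12 10:01:05 fw01 sshd[2213]: Failed password for admin from 203.0.113.9 port 40001 ssh2
Aug 12 10:01:06 fw01 sshd[2214]: Failed password for test from 203.0.113.9 port 40002 ssh2
Aug 12 10:02:00 web01 nginx: 198.51.100.4 GET /index.html 200
Aug 12 10:02:01 web01 nginx: 198.51.100.5 GET /index.html 200
Aug 12 10:02:02 web01 nginx: 198.51.100.6 GET /about.html 200
Aug 12 10:03:00 web01 sshd[3001]: Accepted publickey for deploy from 192.0.2.10 port 2222 ssh2
Aug 12 10:03:30 web01 useradd[3100]: new user: name=svc_backup, UID=1007
Aug 12 10:04:00 fw01 sshd[2215]: Failed password for root from 203.0.113.7 port 51025 ssh2
"""

# Replace the fields that vary per event so that messages of the same kind
# collapse into one template and can be counted together (assumed patterns).
_NORMALISERS = [
    (re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d "), ""),       # syslog timestamp
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),    # IPv4 address
    (re.compile(r"\[\d+\]"), "[<pid>]"),                     # process id
    (re.compile(r"\bport \d+"), "port <n>"),                 # source port
    (re.compile(r"\bfor \S+"), "for <user>"),                # sshd user name
    (re.compile(r"name=[^\s,]+"), "name=<user>"),            # useradd name
    (re.compile(r"\bUID=\d+"), "UID=<n>"),
]

def template(line):
    """Reduce one raw log line to its message template."""
    for pattern, replacement in _NORMALISERS:
        line = pattern.sub(replacement, line)
    return line

def rank_templates(log_text, n=3):
    """Return (top_n, bottom_n) lists of (template, count); bottom_n rarest first."""
    counts = Counter(template(l) for l in log_text.splitlines() if l.strip())
    ranked = counts.most_common()
    return ranked[:n], ranked[-n:][::-1]

if __name__ == "__main__":
    top, bottom = rank_templates(SAMPLE_LOGS)
    for label, rows in (("Top (often brute-force noise)", top), ("Bottom (rare, worth a look)", bottom)):
        print(label)
        for tpl, cnt in rows:
            print(f"  {cnt:3d}  {tpl}")
```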

Slide 12: View data efficiently
View data by digging into it easily; it must be fast. Logstash and Kibana are just examples, but use indexing to make it fast!

Slide 13: Security Onion
Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). http://securityonion.net

Slide 14: Next steps
In our network we are always improving things:
  Suricata IDS, http://www.openinfosecfoundation.org/
  More graphs, with automatic identification of IPs under attack
  Identification of short sessions without data (spoofed addresses)
  Alerting from existing devices
  Dashboards with key measurements
Conclusion: Combine tools!
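An added example (not the author's code) covering two of the items above, automatic identification of IPs under attack and identification of short sessions without data: it reads constructed, simplified flow records (not NFSen/nfdump output) and flags destinations whose traffic is dominated by payload-free, SYN-only flows from many distinct sources, the shape a spoofed flood takes in netflow data. The record format and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not NFSen/nfdump output) in a simplified
# "src,dst,proto,packets,bytes,tcp_flags" form. Most flows towards 192.0.2.10
# are single-packet SYNs from different sources carrying no payload.
SAMPLE_FLOWS = """\
198.51.100.10,192.0.2.10,TCP,1,40,S
198.51.100.11,192.0.2.10,TCP,1,40,S
198.51.100.12,192.0.2.10,TCP,1,40,S
203.0.113.5,192.0.2.10,TCP,1,40,S
203.0.113.6,192.0.2.10,TCP,2,80,S
203.0.113.7,192.0.2.10,TCP,1,40,S
198.51.100.50,192.0.2.10,TCP,14,3900,SAPF
198.51.100.50,192.0.2.20,TCP,22,15800,SAPF
198.51.100.51,192.0.2.20,TCP,9,2100,SAPF
198.51.100.52,192.0.2.20,TCP,1,40,S
"""

def parse_flows(text):
    """Parse the records into (src, dst, proto, packets, bytes, flags) tuples."""
    rows = [l.split(",") for l in text.splitlines() if l.strip()]
    return [(s, d, p, int(pk), int(b), f) for s, d, p, pk, b, f in rows]

def is_empty_session(flow, header_bytes=40):
    """Short session without data: at most two TCP packets, no more than a
    header's worth of bytes per packet, and no ACK ever seen (SYN only)."""
    _, _, proto, packets, nbytes, flags = flow
    return (proto == "TCP" and packets <= 2
            and nbytes <= header_bytes * packets and "A" not in flags)

def find_targets(flows, min_empty=5, min_share=0.8, min_sources=5):
    """Destinations dominated by empty sessions from many distinct sources
    (assumed thresholds): the IPs most likely under a spoofed flood."""
    per_dst = defaultdict(lambda: {"total": 0, "empty": 0, "sources": set()})
    for flow in flows:
        stats = per_dst[flow[1]]
        stats["total"] += 1
        if is_empty_session(flow):
            stats["empty"] += 1
            stats["sources"].add(flow[0])
    targets = []
    for dst, s in sorted(per_dst.items()):
        share = s["empty"] / s["total"]
        if (s["empty"] >= min_empty and share >= min_share
                and len(s["sources"]) >= min_sources):
            targets.append({"dst": dst, "empty_flows": s["empty"],
                            "share": round(share, 2),
                            "distinct_sources": len(s["sources"])})
    return targets
```

Run on real flow exports, the same per-destination statistics are what would feed the "IPs under attack" graph mentioned above.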

Slide 15: Questions?
Henrik Lund Kramshøj, internet samurai, hlk@solido.net, http://www.solidonetworks.com
You are always welcome to send me questions later via email.

Slide 16: Contact information
Henrik Lund Kramshøj, IT-security and internet samurai
Email: hlk@solido.net
Mobile: +45 2026 6000
Educated from the Computer Science Department at the University of Copenhagen, DIKU
CISSP certified 2003-2010
Independent security consultant since 2010; owner and partner in Solido Networks ApS