Network Security Monitoring

Similar documents
Network Intrusion Analysis (Hands-on)

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Missing the Obvious: Network Security Monitoring for ICS

Peeling Back the Layers of the Network Security with Security Onion Gary Smith, Pacific Northwest National Laboratory

Security Onion. Peel Back the Layers of Your Network in Minutes. Doug Burks

Flow Analysis Versus Packet Analysis. What Should You Choose?

S N O R T I D S B L A S T C O U R S E

Network Security Monitoring

Network/Internet Forensic and Intrusion Log Analysis

Berkley Packet Filters and Open Source Tools. a tranched approach to packet capture analysis at today s network speeds

NETWORK SECURITY. Scott Hand. Melanie Rich-Wittrig. Enrique Jimenez

Transformation of honeypot raw data into structured data

Detecting Threats in Network Security by Analyzing Network Packets using Wireshark

Joshua Beeman University Information Security Officer October 17, 2011

Course Title: Penetration Testing: Security Analysis

Intrusion Detection in AlienVault

Network security Exercise 10 Network monitoring

You Don t Know What You Can t See: Network Security Monitoring in ICS Rob Caldwell

An Overview of the Bro Intrusion Detection System

Network Payload Analysis for Advanced Persistent Threats Charles Smutz, Lockheed Martin CIRT

The Bro Network Intrusion Detection System

Scalable Extraction, Aggregation, and Response to Network Intelligence

USE HONEYPOTS TO KNOW YOUR ENEMIES

Richard Bejtlich / taosecurity.blogspot.com BSDCan 14 May 04

AppSec DC November 13, The OWASP Foundation Custom Intrusion Detection Techniques for Monitoring Web Applications

What happens when you use nmap or a fuzzer on an ICS?

Bro at 10 Gps: Current Testing and Plans

How To Manage Sourcefire From A Command Console

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

Monitoring System Status

Intrusion Detection and Prevention: Network and IDS Configuration and Monitoring using Snort

Chapter 11 Cloud Application Development

Open Source in Government: Delivering Network Security, Flexibility and Interoperability

Network Monitoring for Cyber Security

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013

Advancement in Virtualization Based Intrusion Detection System in Cloud Environment

disect Systems Logging Snort alerts to Syslog and Splunk PRAVEEN DARSHANAM

Linux Network Security

Active Defense and Prevention

Network Security Monitoring

Networks and Security Lab. Network Forensics

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Detection of illegal gateways in protected networks

Barracuda Networks Web Application Firewall

NETWORK SECURITY (W/LAB) Course Syllabus

Network Security Forensics

Open Source Network Security Monitoring With Sguil

Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment

CTS2134 Introduction to Networking. Module Network Security

Packet Sniffer A Comparative Study

Network Monitoring using MMT:

Chapter 9 Firewalls and Intrusion Prevention Systems

Security Incident Management Essentials Compiled as a service to the community by Internet2, EDUCAUSE, and REN-ISAC

Traffic Analysis. CSF: Forensics Cyber-Security. Part II.B. Techniques and Tools: Network Forensics. Fall 2015 Nuno Santos

Introduction to Network Discovery and Identity

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.

Intrusion Detection and Intrusion Prevention. Ed Sale VP of Security Pivot Group, LLC

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Intrusion Detection Systems

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Network Forensics: Log Analysis

Introduction of Intrusion Detection Systems

Intrusion Detection Architecture Utilizing Graphics Processors

Hands-on Network Traffic Analysis Cyber Defense Boot Camp

Analysis and Evaluation of Network-Based Intrusion Detection and Prevention System in an Enterprise Network Using Snort Freeware

LESSON Networking Fundamentals. Understand TCP/IP

TheTao of Network Security Monitoring

Internet Management and Measurements Measurements

Chapter 15. Firewalls, IDS and IPS

Security threats and network. Software firewall. Hardware firewall. Firewalls

Early warning for security attacks

Snort Installation - Ubuntu FEUP. SSI - ProDEI Paulo Neto and Rui Chilro. December 7, 2010

P Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis

How to (passively) understand the application layer? Packet Monitoring

EFFECTIVE IMPLEMENTATION OF DYNAMIC CLASSIFICATION FOR NETWORK FORENSIC AND TRAFFIC ANALYSIS

UNMASKCONTENT: THE CASE STUDY

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

Network Intrusion Detection Systems. Beyond packet filtering

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor

The principle of Network Security Monitoring[NSM]

BEGINNER S GUIDE to. Open Source Intrusion Detection Tools.

Large-Scale TCP Packet Flow Analysis for Common Protocols Using Apache Hadoop

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

Indexing Full Packet Capture Data With Flow

Intrusion Detection Systems (IDS)

Dynamic Rule Based Traffic Analysis in NIDS

Traffic visualization with Arista sflow and Splunk

Netflow Collection with AlienVault Alienvault 2013

Network Monitoring and Forensics

Network Security Monitoring: Looking Beyond the Network

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

Flow-level analysis: wireshark and Bro. Prof. Anja Feldmann, Ph.D. Dr. Nikolaos Chatzis

PROFESSIONAL SECURITY SYSTEMS

HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS

A Protocol Based Packet Sniffer

Firestorm Network Intrusion Detection System

Transcription:

Network Security Coleman Kane Coleman.Kane@ge.com September 24, 2014 Cyber Defense Overview Network Security 1 / 23

Passive Passive 2 Alert Alert Passive monitoring analyzes traffic with the intention of being non-disruptive to the transmission of the traffic. Typically used in environments where high-network-availability is critical. This is typical in many coporate environments where the network supports a considerably large user base. As such, there are numerous solutions out there which provide passive network and host monitoring. Cyber Defense Overview Network Security 2 / 23

Passive 2 Alert Alert There are various approaches to network monitoring which range from basic "flow data" to full packet capture, and even beyond. Flow data Logs per-packet endpoint information, optionally including packet sizes. Common for aggregate reporting to determine activity anomolies between your network and specific external or internal hosts. Transaction data Logs deeper connection-level information, which may span multiple packets within a connection. Must have pre-defined templates for protocol formatting. Common for logging HTTP header/request information, SMTP command data, etc. Alert data Typically the result of finely-tuned signatures matching against packet content, and similar in nature to transaction data. This information, rather than being for logging purposes is intended to indicate discrete events which might be attacks. Cyber Defense Overview Network Security 3 / 23

2 Passive 2 Alert Alert Packet capture Full capture of packet-level contents (sometimes called pcap). This is roughly identical to what the OS sees on the wire Reassembly Beyond packet-level capture, this functionality involves transport/application recognition and can reassemble IP packets into TCP stream data, or even parse application-level communications to rebuild a conversation, file transfer, or even email. Cyber Defense Overview Network Security 4 / 23

Passive 2 Alert Alert Per-packet statistics, sometimes including connection/packet-counting. The goal of this is to determine how much traffic (either counts or bytes) is flowing into or out of a particular host. Distributed across the network and combined with centralized aggregation of data from many sensors, you can build a picture of your network to help you identify "high traffic" entities which might indicate a problem (such as active data theft). Cyber Defense Overview Network Security 5 / 23

Passive 2 Alert Alert Figure 1: in Snorby[2] Cyber Defense Overview Network Security 6 / 23

Passive 2 Alert Alert Example tools which capture/analyze flow data cxtracker http://www.gamelinux.org/?cat=21 https://github.com/gamelinux/cxtracker/ SANCP http://www.metre.net/sancp.html Cisco NetFlow Collector http://www.cisco.com/c/en/us/products/cloud-systems-management/ netflow-collection-engine/index.html Arbor PeakFlow http://www.arbornetworks.com/products/peakflow/sp netstat With -s/ statistics option on Linux (-m on BSD & MacOS X) can report host-local flow information per interface. Endpoints could log this info at regular intervals to centralized system to build endpoint flow database. Cyber Defense Overview Network Security 7 / 23

Passive 2 Alert Alert Standard UDP-reporting mechanism for multiple devices to communicate "net flow" information amongst one another http://www.sflow.org/ http://www.faqs.org/rfcs/rfc3176.html Products supporting the export and import of sflow data: http://www.sflow.org/products/index.php Cyber Defense Overview Network Security 8 / 23

Passive 2 Alert Alert Sometimes lumped into flow data category. However, we will make the distinction that transaction data requires sensor-level parsing that is traditionally not included in the base OS. For instance, transaction-level monitoring might involve parsing the Referer header from HTTP traffic, usernames from FTP or Telnet traffic, or any other metadata which must be parsed via a prepared recipe, but gets reported while associated traffic may be discarded after parsing is complete. Cyber Defense Overview Network Security 9 / 23

Passive 2 Alert Alert Example tools which handle/generate transaction data httpry http://dumpsterventures.com/jason/httpry/ bro https://www.bro.org/sphinx/httpmonitor/index.html https://www.bro.org/sphinx/mimestats/index.html Colasoft Capsa http://www.colasoft.com/capsa-free/ Network Proxy Most proxies can do this for you for HTTP & FTP, sometimes more protocol support too Cyber Defense Overview Network Security 10 / 23

Passive 2 Alert Alert Figure 2: ELSA ScreenShot including HTTP transaction data[1] Cyber Defense Overview Network Security 11 / 23

Passive 2 Alert Alert Alert data is the monitoring data which is intended to be used to drive investigation & work. While Flow & Transactional data is intended to log a small amount of the total data from all network traffic (80/20 rule), alert data is intended to identify to analysts where/when occurred the specific network traffic which is highly suspicious, and necessitates being investigated. Identifies where to look in your transaction logs & packet capture archives quickly "Best guess" alert as to what attack might be happening Cyber Defense Overview Network Security 12 / 23

Alert Passive 2 Alert Alert Snort One of the oldest signature-based packet analysis tools https://www.snort.org/ Suricata Newer signature-based packet analysis tool, similar to Snort http://suricata-ids.org/ Bro Newer versions have signature analysis capability on top of the transactional parsing capabilities https://www.bro.org/ SourceFire Now owned by Cisco Systems http://www.sourcefire.com/, based upon Snort HP TippingPoint Firewal & IDS http://www.tippingpoint.com Cyber Defense Overview Network Security 13 / 23

Alert Passive 2 Alert Alert These tools can be used for managing response to alerts RT Best Practical Request Tracker, has a module for incident response called "RTIR" Sguil Very popular alert management/handling console http://nsmwiki.org Commercial A lot of commercial IDS systems provide a custom console for managing alerts ArcSight "SEIM" tool which can help manage alerts across multiple IDS/IPS tools Cyber Defense Overview Network Security 14 / 23

Passive 2 Alert Alert Figure 3: Sguil with a bunch of Snort alerts Cyber Defense Overview Network Security 15 / 23

Passive 2 Alert Alert Packet capture is the mechanism by which full or partial network traffic is archived for analysis. Some sensors implement continuous recording of traffic to a storage device, in the event that it needs to be retrieved in response to alerting in the future. This is commonly referred to as "full packet capture", and storage is typically managed in a FIFO. Cyber Defense Overview Network Security 16 / 23

Passive 2 Alert Alert You should already be familiar with: Also: WireShark, tshark Tcpdump NetSniff-NG http://netsniff-ng.org/ IPCopper http://www.ipcopper.com/ Cyber Defense Overview Network Security 17 / 23

Passive 2 Alert Alert Reasons for implementing packet capture: You might only learn of an attack after it happens Many alerts built for later-stages of intrusion, but you want to learn entire attack User traffic baselining Reference "good" traffic sampling Cyber Defense Overview Network Security 18 / 23

Passive 2 Alert Alert Step above packet capture, and typically assists in stream analysis and forensics. Packet capture will have all data objects broken up into individual packets, and must be reassembled using network tools. Additionally, forensics on this data set need to be performed by a networking expert. Storing reassembled files, machine-to-machine conversations and other stream objects can improve forensic analysis and enable more participants to help analyze. Some attacks can only be identified at this level, too. Cyber Defense Overview Network Security 19 / 23

Passive 2 Alert Alert Bro NSM supports two capture methods: File capture/carving Stream capture carving Configurable filtering for both Cyber Defense Overview Network Security 20 / 23

Passive 2 Alert Alert In many cases, network monitoring doesn t come down to a single implementation from above, but rather a sensor software stack built out of multiple components to fill your network gaps. Cyber Defense Overview Network Security 21 / 23

Linux Passive 2 Alert Alert Turn-key implementation of Ubuntu Linux to provide a complete software stack using the best open-source projects for monitoring http://blog.securityonion.net/p/securityonion.html Named "security onion" to reflect the many layers it is built from Easy, scripted install, and designed to run in a VirtualBox environment Cyber Defense Overview Network Security 22 / 23

References Passive 2 Alert Alert [1] Fighting apt with open-source software, part 1: Logging. http://ossectools.blogspot.com/2011/03/fighting-apt-with-open-source-software.html, March 2011. [2] Scott Runnels. Managing overactive signatures. https://code.google.com/p/security-onion/wiki/managingalerts, January 2014. Cyber Defense Overview Network Security 23 / 23

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information