Network Flows and Security

Similar documents
Network Monitoring and Management NetFlow Overview

Netflow Overview. PacNOG 6 Nadi, Fiji

Introduction to Netflow

Network Management & Monitoring

Cisco IOS Flexible NetFlow Technology

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

Firewalls. Chapter 3

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

Flow Based Traffic Analysis

Chapter 8 Security Pt 2

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC)

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Introduction to Cisco IOS Flexible NetFlow

Firewalls and Intrusion Detection

Case Study: Instrumenting a Network for NetFlow Security Visualization Tools

Using The Paessler PRTG Traffic Grapher In a Cisco Wide Area Application Services Proof of Concept

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

Securing Cisco Network Devices (SND)

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

IPv6 Security. Scott Hogg, CCIE No Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN USA

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Network Security Fundamentals

Strategies to Protect Against Distributed Denial of Service (DD

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Cisco CCNP Implementing Secure Converged Wide Area Networks (ISCW)

CISCO IOS NETWORK SECURITY (IINS)

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Bypassing PISA AGM Theme Seminar Presented by Ricky Lou Zecure Lab Limited

INTRODUCTION TO FIREWALL SECURITY

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

INTRUSION DETECTION SYSTEMS and Network Security

SonicWALL PCI 1.1 Implementation Guide

CISCO IOS NETFLOW AND SECURITY

Recommended IP Telephony Architecture

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

NetFlow Auditor Manual Getting Started

Appendix A Remote Network Monitoring

Solution of Exercise Sheet 5

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

- Basic Router Security -

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

Security vulnerabilities in the Internet and possible solutions

Distributed Denial of Service Attack Tools

Flow Analysis Versus Packet Analysis. What Should You Choose?

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

Firewalls P+S Linux Router & Firewall 2013

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Securing and Monitoring BYOD Networks using NetFlow

Scalable Extraction, Aggregation, and Response to Network Intelligence

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

Overview of Network Traffic Analysis

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Load Balance Router R258V

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Description: Objective: Attending students will learn:

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Hunting down a DDOS attack

PROFESSIONAL SECURITY SYSTEMS

Inside-Out Attacks. Covert Channel Attacks Inside-out Attacks Seite 1 GLÄRNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL

Team Cymru. Network Forensics. Ryan Connolly, <

Security Toolsets for ISP Defense

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

CTS2134 Introduction to Networking. Module Network Security

Chapter 15. Firewalls, IDS and IPS

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Configuring NetFlow Switching

Building an Early Warning System in a Service Provider Network

Guideline for setting up a functional VPN

NSC E

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Firewalls, IDS and IPS

Networking for Caribbean Development

CCNP: Implementing Secure Converged Wide-area Networks

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

CCNA Security. IINS v2.0 Implementing Cisco IOS Network Security ( )

TDC s perspective on DDoS threats

LAB II: Securing The Data Path and Routing Infrastructure

Securing end devices

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

SonicOS 5.9 / / 6.2 Log Events Reference Guide with Enhanced Logging

Introduction of Intrusion Detection Systems

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Network/Internet Forensic and Intrusion Log Analysis

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

GregSowell.com. Mikrotik Basics

Transcription:

Network Flows and Security v1.01 Nicolas FISCHBACH Senior Manager, Network Engineering Security, COLT Telecom nico@securite.org - http://www.securite.org/nico/

The Enterprise Today Network Flows Netflow and NIDS Anomaly Detection Policy Violation Detection Peer-to-Peer Response and Forensics Conclusion Agenda 2

Where s my border? The Enterprise Today WLANs, 3G devices, etc. Remote VPN/maintenance access: employees, partners, vendors and customers Client-side attacks Malware/spyware relying on covert channels Usually one flat undocumented network: no internal filtering, no dedicated clients/servers LANs, etc. More and more (wannabe) power users 3

The Enterprise Today Undocumented systems and applications Have you ever sniffed on a core switch s SPAN port? Do you really need (expensive) NIDS to detect worms? More and more communications are encrypted: SSH, SSL, IPsec, etc (even internally) 4

Victims The Enterprise Today Proof of Concept since 2003 Automated since 2004 Client side attack vs Direct exploitation 2002 and before Exploit Noise Time PoC + Exploit + Worm? Cross-platform/ extended research Vulnerability found Vulnerability found again Disclosure bad patch Patch available Patch deployed Full/fixed patch 5

Network Flows What are network flows and why are they so interesting? Netflow (Cisco terminology) used to be a routing technology which became a traffic accounting solution Used since years by Service Providers to detect and traceback DDoS attacks and more recently for traffic engineering purposes In the enterprise network: Network and application profiling, forensics, anomaly detection, policy violation, etc. Netflow/NIDS: and/or? Mix of macroscopic and microscopic views in high speed environments 6

«Executive floor» WLAN AP s r Remote maintenance s The Connected Enterprise ap r r s controller ar r External laptop r «IT floor» Internet access fw fw av as p cpe cpe Corporate Internet access Internet Vendor Office Remote office/ Partners IP VPN Partner 7

Netflow A flow is a set of packets with common characteristics within a given time frame and a given direction The seven netflow keys: Source and destination IP address Source and destination port (code for ICMP) Layer 3 protocol Type of Service Ingress interface ( one way ) netflow cache export (2055/udp) r 8

Netflow The following data are exported (Netflow v5) The 7 key fields Bytes and packets count Start and end time Egress interface and next-hop TCP flags (except on some HW/SW combination on multilayer switches) And you may also see the AS number and other fields depending on version and configuration IPFIX is based on Netflow v9 Egress Netflow and per class sampling in recent IOSes 9

Netflow The cache contains 64k entries (default) A flow expires: After 15 seconds of inactivity (default) After 30 minutes of activity (default) When the RST or FIN flag is set If the cache is full Counting issues: aggregation and duplicates (a flow may be counted by multiple routers and long lasting flows may be duplicated in the database) Security issues: clear text, no checksum, can be spoofed (UDP) and possible DoS (48 bytes per flow for a 32 bytes packet) 10

Sampling Netflow By default, no sampling: each flow entry is exported Sampled: percentage of flows only (deterministic) Random Sampled: like sampled, but randomized (statistically better) Full netflow is supported on/by most of the HW/SW, sampled and random sampled only on a subset Sampling reduces load and export size but losses data: OK: DDoS detection NOK: Policy violation detection Avoid router-based aggregation 11

General configuration Tuning Display the local cache Netflow router (config)# ip flow-export destination <serverip> <port> router (config)# ip flow-export source loopback0 router (config)# ip flow-export version 5 router (config)# ip flow-cache entries <1024-524288> router (config)# ip flow-cache timeout active <1-60> router (config)# ip flow-cache timeout inactive <10-600> router# show ip cache flow 12

Full /unsampled Sampled Netflow router (config)# interface x/y router (config-if)# ip route-cache flow router (config)# ip flow-sampling-mode packet-interval 100 router (config)# interface x/y router (config-if)# ip route-cache flow sampled Random Sampled router (config)# flow-sampler-map RSN router (config-sampler)# mode random one-out-of 100 router (config)# interface x/y router (config-if)# flow-sampler RSN 13

Netflow is header only Netflow/NIDS Distributed and the network speed only has indirect impact Often the header tells you enough: encrypted e-mails with the subject in clear text or who s mailing whom =) NIDS may provide full packet dump Centralized and performance linked to the network speed Full dump or signature based dumps? PCAP-to-Netflow May tell you the whole story (disk space requirements) 14

Netflow/NIDS Let s mix both: distributed routers sourcing Netflow and NIDS/sniffers in key locations! Decide how to configure your NIDS/sniffers: PCAP-type packet sniffers Standard ruleset Very reduced and specific ruleset How much data can you store and for how long? Investigate ways of linking both solutions Storage (the older the less granular?) Flat files Database 15

Discover your network Anomaly Detection Enabling netflow will give you some insight on what your network actually carries :) After the shock and the first clean up round: Sniff traffic in specific locations Introduce security driven network segmentation Build a complete baseline Update your network diagram 16

Anomaly Detection Distributed Denial of Service Fairly easy to spot: massive increase of flows towards a destination (IP/port) Depending on your environment the delta may be so large that you don t even require a baseline You may also see some backscatter, even on an internal network Trojan horses Well known or unexpected server ports (unless session reuse) Firewall policy validation Unexpected inside/outside flow 17

Worms Anomaly Detection Old ones are easy to spot: they wildly scan the same /8, /16 or /24 or easy to code discovery pattern New ones are looking for specific ports Each variant may have a specific payload size May scan BOGON space The payload may be downloaded from specific, AV identified, websites The source address is spoofed (but that s less and less the case) 18

Anomaly Detection Covert channels / Tunnels Long flows while short ones are expected (lookups) Symmetric vs asymmetric traffic (web surfing) Large payloads instead of small ones Think ICMP, DNS, HTTP(s) Scans Slow: single flows (bottomn) Issue with bottomn: long tail Normal/Fast: large sum of small flows from and/or to an IP Return packets (RST for TCP and ICMP Port Unreachable for UDP) 19

Policy Violation Detection Workstation / server behaviour Usually very static client/server communications Who initiates the communication and to which destination? Office hours New source/destination IPs/ports showing up Tracking using DHCP logs, MAC address, physical switch port (SNMP) Identify the early flows (auto-update and spyware) After DHCP allocation or after login Flows after the initial communication Recurring flows (keyloggers) or flows towards the same destination but using various protocols (firewall piercing) 20

Peer to Peer (P2P) Legacy P2P protocols often use fixed ports or ranges Sometimes (like with FTP) the data port is the control port +/-1 Recent P2P protocols have the session details in the payload: they can t be tracked using netflow but the flow size may give you a hint 21

Locate the source host Response Requires the netflow source information (which router saw that flow) Layer 3 and Layer 2 trace: identify the last layer 3 hop and then layer 2 trace or use previously SNMP polled MAC/port address Block the host Port shutdown ACLs Blackhole route injection 22

Forensics Netflow and dumps storage need to resolved first Clear post-mortem process Usual approach is to look for the flows and once identified extract the relevant dumps/logs In some environment only a couple of minutes/hours may be stored Legal/privacy issues Out-of-band network to push data and avoid multiaccounting 23

Tools argus (http://www.qosient.com/argus/) nfdump (http://nfdump.sourceforge.net) with nfsen (http://nfsen.sourceforge.net/) graphviz (http://www.graphviz.org/): human eye is good at catching things, but the graphs become really complex ntop (http://www.ntop.org/) Comprehensive list: http://www.switch.ch/tf-tant/floma/software.html Commercial products 24

Conclusion Netflow: macroscopic view NIDS/sniffer: microscopic view Network switches: layer 0/1 view (MAC address/port) Mix them while controlling CAPEX/OPEX Storage Search/detection capabilities Avoid impact on the network Active response (quarantine/active defense)? Q&A 25

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information