© 2007 Property of Lancope. Proprietary and Confidential.
Enterprise Situational Awareness and Monitoring through Network Behavior Analysis
Mark McDaniel, Systems Engineering Team Leader, Lancope

Agenda
- What is Network Behavior Analysis?
- How Does NBA Work?
- NetFlow - A Brief Overview
- Current Organizational Security and Operational Challenges
- Traditional Security Framework
- NBA's Role in the Security Environment
- Traditional Network Operations Framework
- NBA's Role in the Network Operations Environment
- Traditional Compliance and Policy Monitoring Framework
- NBA for Compliance and Policy Monitoring
- NBA's Future

What is Network Behavior Analysis?
- Put simply, Network Behavior Analysis is the monitoring and analysis of network flows to understand host behavior.
- NBA systems monitor the network through a variety of methods to gain visibility into the behavior of hosts and their relationships with one another.
- NBA systems profile the behavior of a number of different factors (data points) for every host on the network to create an observed baseline of what constitutes “normal” activity for that host.
- NBA systems continuously monitor the network to ensure compliance with the established baseline for each behavioral data point for every active host, alarming when thresholds or other variables are exceeded.
- NBA systems allow administrators to divide the network into logical segments to improve the granularity of reporting and to define policies based on a number of different factors.
- NBA systems also provide information on the health of the network infrastructure and a wealth of other information.

How Does NBA Work?
- NBA systems monitor the network via SPAN or mirror ports or inline taps to capture traffic for analysis.
- In addition, and much more commonly, NBA systems monitor flow records generated by the network infrastructure: NetFlow for Cisco devices, sFlow for many other hardware vendors.
- There are pros and cons to each monitoring approach:
  - SPAN/Mirror/Tap systems are segment based with limited visibility, but offer packet payload analysis.
  - NetFlow monitoring can deliver visibility for the entire network, provided the hardware infrastructure supports it, but doesn’t offer payload.
  - sFlow also can deliver enterprise-wide visibility AND offer some payload analysis, but is a sampled technology analyzing every 1:X packets.
- Once packets or flows are captured for analysis, tables are built within the system to create a session record.
- Next, a series of algorithms is performed on the session record to detect malicious activity, threshold violations and policy exceptions.
- NBA systems using NetFlow or sFlow also report on the traffic transiting the interfaces of flow-export-capable hardware and deliver information regarding their health.

NetFlow - A Brief Introduction, Terminology
As with any self-respecting technology, NetFlow has a number of unique terms:
- Exporter - Any network hardware device capable of collecting and exporting NetFlow.
- Collector - The device to which flows are exported and on which they are analyzed.
- NetFlow Cache - Where the flow records are kept prior to being exported.
- Cache Timers - Specify flow record export in minutes and seconds.
- Inactive Timeout - The timer for flows representing completed sessions.
- Active Timeout - The timer for flows representing sessions still continuing.

NetFlow - A Brief Introduction, Part 1, Monitoring IP Data
[Diagram: NetFlow exported from the network to a StealthWatch Flow Collector]

NetFlow - A Brief Overview, Part 2, Record Creation
[Diagram: router]
- NetFlow is “uni-directional”
- Flow stats are counted inbound on the router interface
- Flows are stored on the router in a “flow cache”

NetFlow - A Brief Overview, Part 3, Creating Flow Records
7 pre-defined key fields. Inspect packet key fields (the IP addresses on the slide were not preserved in this transcript):

Packet 1: Source IP, Destination IP, Source port 23, Destination port 22078, Layer 3 Protocol TCP - 6, TOS Byte 0, Input Interface Ethernet 0
Packet 2: Source IP, Destination IP, Source port 23, Destination port 22078, Layer 3 Protocol TCP - 6, TOS Byte 0, Input Interface Ethernet 0

NetFlow cache entry:
Source IP | Dest. IP | Dest. I/F | Protocol | TOS | … | Pkts
…         | …        | E1        | 6        | 0   | … | …

1. Inspect packet for key field values
2. Compare set of values to NetFlow cache
3. If the set of values is unique, create a flow in cache
4. Inspect the next packet

Example 1: Packet 1 carries a set of key field values not yet in the cache, so a new flow entry is created.
Example 2: Packet 2 carries the same key field values as Packet 1, so it belongs to the existing flow entry rather than creating a new one.
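The record-creation steps above and the cache timers from the terminology slide, worked through as an added example (my own toy model, not Lancope's or Cisco's code): a cache keyed on the seven key fields, with the inactive and active timeouts deciding when a record is exported. Field names, the timeout values and the IP addresses are my assumptions, since the slide omits them.

```python
from dataclasses import dataclass

# The seven key fields the slide lists (field names are my own).
KEY_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto", "tos", "in_iface")


@dataclass
class FlowEntry:
    key: tuple
    first_seen: float
    last_seen: float
    pkts: int = 0
    octets: int = 0


class FlowCache:
    """Toy exporter-side flow cache: each packet either updates the flow whose
    key fields it matches or creates a new one; timers decide when to export."""

    def __init__(self, active_timeout=1800.0, inactive_timeout=15.0):
        # Demo values in seconds; a real exporter configures these per device.
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.cache = {}
        self.exported = []

    def inspect(self, pkt, now):
        key = tuple(pkt[f] for f in KEY_FIELDS)   # 1. inspect packet key fields
        entry = self.cache.get(key)                # 2. compare against the cache
        if entry is None:                          # 3. unique set -> new flow
            entry = FlowEntry(key, now, now)
            self.cache[key] = entry
        entry.pkts += 1                            # otherwise update counters
        entry.octets += pkt["length"]
        entry.last_seen = now
        self.expire(now)                           # 4. caller inspects next packet

    def _export(self, entry, reason):
        rec = dict(zip(KEY_FIELDS, entry.key))
        rec.update(pkts=entry.pkts, octets=entry.octets, reason=reason)
        self.exported.append(rec)

    def expire(self, now):
        """Inactive timeout: an idle flow is exported and dropped. Active timeout:
        a long-lived flow is exported and its counters restart (flow continues)."""
        for key, e in list(self.cache.items()):
            if now - e.last_seen > self.inactive_timeout:
                if e.pkts:
                    self._export(e, "inactive")
                del self.cache[key]
            elif now - e.first_seen > self.active_timeout:
                self._export(e, "active")
                e.first_seen, e.pkts, e.octets = now, 0, 0


def run_example():
    """Replays the slide's two packets plus one more (constructed addresses)."""
    pkt1 = {"src_ip": "192.0.2.10", "dst_ip": "192.0.2.20", "src_port": 23,
            "dst_port": 22078, "proto": 6, "tos": 0, "in_iface": "Ethernet 0",
            "length": 60}
    pkt2 = dict(pkt1)                  # Example 2: same key fields, same flow
    pkt3 = dict(pkt1, dst_port=22079)  # different key -> separate flow entry
    fc = FlowCache(active_timeout=1800, inactive_timeout=15)
    fc.inspect(pkt1, now=0.0)
    fc.inspect(pkt2, now=1.0)
    fc.inspect(pkt3, now=2.0)
    in_cache = len(fc.cache)           # two live flows in the cache
    fc.expire(now=30.0)                # > 15 s idle: both exported
    return in_cache, fc.exported
```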

NetFlow - A Brief Overview, Part 4, Flow Record Export
- 1500 byte UDP PDU
- 30 NetFlow Records per PDU

NetFlow - A Brief Overview, Part 5, Flow De-Duplication
[Diagram only]

NetFlow - A Brief Overview, Part 6, Flow Analysis Overview
[Diagram only]

NetFlow - A Brief Overview, Part 7, Scanning Host Example
1. Flows are collected and exported.
2. Collected flows are put into a state table for algorithmic analysis to check for threshold and policy violations.
3. Alarms are triggered and propagated.
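The three steps above on the collector side, as an added example that is not Lancope's code: exported flow records are folded into a per-source state table, a threshold is derived from the host's observed baseline (the "normal" profile from the What is NBA slide), and an alarm is raised for the host that fans out to many distinct targets with one-packet flows. The flow records, the baseline history and the ratio used are constructed for the demo.

```python
from collections import defaultdict

# Constructed flow records (not from the slides), in the shape a collector
# holds after export: one host probing TCP/445 across a /24 with one-packet
# flows, and one normal client talking to a web server and a resolver.
FLOWS = [
    {"src_ip": "10.0.0.5", "dst_ip": f"10.0.1.{i}", "dst_port": 445,
     "proto": 6, "pkts": 1, "octets": 60}
    for i in range(1, 41)
] + [
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.2.10", "dst_port": 443,
     "proto": 6, "pkts": 120, "octets": 90000},
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.2.11", "dst_port": 53,
     "proto": 17, "pkts": 4, "octets": 300},
]


def build_state_table(flows):
    """Step 2: fold collected flows into a per-source state table."""
    table = defaultdict(lambda: {"targets": set(), "flows": 0, "one_pkt": 0})
    for f in flows:
        st = table[f["src_ip"]]
        st["targets"].add((f["dst_ip"], f["dst_port"]))
        st["flows"] += 1
        if f["pkts"] == 1:          # one-packet flows: contacts with no session
            st["one_pkt"] += 1
    return table


def threshold_from_baseline(past_target_counts, k=3.0, floor=10):
    """Derive a host's threshold from its observed baseline: mean plus k
    standard deviations of past distinct-target counts, with a floor so a
    quiet host does not alarm on a handful of new peers (k and floor are mine)."""
    n = len(past_target_counts)
    mean = sum(past_target_counts) / n
    var = sum((x - mean) ** 2 for x in past_target_counts) / n
    return max(floor, mean + k * var ** 0.5)


def scan_alarms(table, threshold, one_pkt_ratio=0.8):
    """Step 3: alarm on hosts whose distinct-target count meets the threshold
    and whose flows are mostly one-packet (ratio chosen for the demo)."""
    alarms = []
    for src, st in sorted(table.items()):
        ratio = st["one_pkt"] / st["flows"]
        if len(st["targets"]) >= threshold and ratio >= one_pkt_ratio:
            alarms.append({"src_ip": src, "targets": len(st["targets"]),
                           "one_pkt_ratio": round(ratio, 2)})
    return alarms


def run_example():
    threshold = threshold_from_baseline([4, 5, 6, 5, 5])   # constructed history
    return threshold, scan_alarms(build_state_table(FLOWS), threshold)
```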

Current Organizational Security Challenges
Existing Security Technologies Do Their Jobs Well but Present Challenges:
- Security Devices Are Segment Based, Unable to Monitor the Entire Network.
- Security Devices Can Only Detect “The Known Bad” Through Signatures.
- Security Devices Lack Contextual Awareness of the Hosts, Applications and Services.
- HIDS/Anti-Virus/Anti-Malware Can Be Difficult to Manage, Requiring Agent Installation.
- NAC Only Defines Pre-Admission Control and Offers Little to No Monitoring After a Host is Authenticated.
- SIEMs Are “Data Haystacks” Requiring Complex Rule Writing and Configuration While Not Being Effective for Real-time Analysis.
- Continuous, Real-time Policy Monitoring is Practically Impossible with Segment by Segment Visibility.
- ACLs and Firewalls Lack a Continuous Monitoring Mechanism, Resulting in a Plug and Pray Policy.
- The Tools Aren’t Integrated in Any Meaningful Way With Net Ops Tools, Creating Points of Contention Between the Two Teams if Their Tools are Generating Conflicting Information.
- None of These Technologies Deliver Global, Real-time Situational Awareness.

The Traditional Security Framework - The Core is Highly Secure
[Network diagram; labels: Packet Filter, Packet Inspector, Core Switch w/ACLs, Business Critical Assets, SIEM, Midsized Branch Office, Small Branch Office, Branch Edge Router, HQ Edge Router, End User Switch, Packet Filter, Internet, VPN Concentrator, End User System w/HIDS, AV, NAC Etc., Remote User; zones: Highly Protected Network Core, Protected Remote Site, Lightly Protected Remote Site]

How NBA Helps Solve Many Current Security Challenges
NBA Complements the Existing Security Infrastructure, Delivering:
- Enterprise-Wide Visibility Through NetFlow and sFlow, Enabling the Entire Network as a Sensor Grid.
- Analysis of Host Behaviors Rather Than Pattern Matching to Detect Zero-Day Attacks.
- NBA is Based on Relationship Modeling and Awareness, Delivering Excellent Context.
- NBA Systems Are Agentless and Reside on the Network Like Any Other Host for Ease of Management.
- NBA Complements NAC for Compliance Monitoring and Post-Admission Control.
- NBA Uses a Limited Number of Data Feeds for Continuous Real-time Analysis, Not Requiring Complex Rule Writing and Not Becoming Overloaded with Massive Amounts of Data for Analysis.
- NBA Monitors the Entire Network, Detailing Host-to-Host Relationships as well as Applications, Services and Protocols in Use, Delivering Continuous Policy Monitoring.
- NBA is Configured with Policies to Continuously Monitor and Audit ACLs and Firewall Rule Sets.
- NBA, Through Its Host, Traffic and Behavioral Profiling as well as NetFlow Analysis and Exporter Interface Information, is an Excellent Complementary Net Ops Tool to the Existing SNMP and Sniffer Based Systems.
- NBA’s Primary Function is to Deliver Real-time Situational Awareness Through a Combination of Behavioral Analysis, Configured Policy and Host-to-Host Relationship Modeling.

NBA’s Role in the Security Infrastructure - Continuous, Global Visibility
[Network diagram; labels: Packet Filter, Packet Inspector, Core Switch w/ACLs, Business Critical Assets, SIEM, Midsized Branch Office, Small Branch Office, Branch Edge Router, HQ Edge Router, End User Switch, Packet Filter, Internet, VPN Concentrator, End User System w/HIDS, AV, NAC Etc., Remote User]

Current Organizational Network Operations Challenges
Existing Net Ops Technologies Do Their Jobs Fairly Well but Also Present Challenges:
- Most Net Ops Monitoring Tools are SNMP Based “Noise Generators”, Reporting That an Event Occurred but Not Why the Event Occurred.
- Sniffer Type Devices Are Expensive, Difficult to Deploy and Not Real-Time.
- Almost All Net Ops Products Lack Contextual Awareness of the Network and Hosts.
- Determining Root Cause of Most Events Requires Access to Multiple Consoles and Network Hardware CLI.
- Sniffer Type Devices Require a Strong Level of Knowledge to Operate Correctly.
- EMS/NMS and MoMs Are “Data Haystacks” Requiring Complex Rule Writing and Configuration While Not Being Effective for Real-time Analysis.
- Continuous, Real-time Policy Monitoring is Practically Impossible Because of Technology Limitations.
- Most Appliance Based Net Ops Tools are Segment-Based, Not Delivering Global Visibility.
- NetFlow Offerings to Date are Extremely Limited.
- The Tools Aren’t Integrated in Any Meaningful Way With Security Ops Tools, Creating Points of Contention Between the Two Teams if Their Tools are Generating Conflicting Information.
- None of These Technologies Deliver Global, Real-time Operational Awareness.

The Traditional Network Ops Framework - SNMP and Sniffers
[Network diagram; labels: Packet Filter, Packet Inspector, Core Switch w/ACLs, Business Critical Assets, EMS/NMS/MoM, Midsized Branch Office, Small Branch Office, Branch Edge Router, HQ Edge Router, End User Switch, Packet Filter, Internet, VPN Concentrator, End User System w/HIDS, AV, NAC Etc., Remote User, Sniffer]

How NBA Helps Solve Many Current Net Ops Challenges
NBA Complements the Existing Net Ops Infrastructure, Delivering:
- Enterprise-Wide Visibility Through NetFlow and sFlow, Enabling the Entire Network as a Sensor Grid.
- NBA Systems Deliver Rich, Contextual Information Surrounding Events, Explaining WHY They Occurred.
- NetFlow is Everywhere and Able to Deliver Meaningful Insight Into Host and Application Performance Throughout the Enterprise.
- NBA Systems Deliver Rich and Meaningful Data About the Applications and Hosts as well as Host-to-Host Relationships, Group-to-Group Relationships, Service Distribution and Consumption, and Detailed Network Interface Utilization, both at a Point-In-Time and as Long Term Trending.
- Root Cause Analysis is Performed on the NBA System, not Multiple Consoles.
- The Intelligence of the NBA System is Built-In, Requiring Much Less Training to Deliver Useful Information.
- NBA Uses a Limited Number of Data Feeds for Continuous Real-time Analysis, Not Requiring Complex Rule Writing and Not Becoming Overloaded with Massive Amounts of Data for Analysis.
- NBA is Configured with Policies to Continuously Monitor Compliance with AUP and Change Control.
- NBA, Through Its Host, Traffic and Behavioral Profiling as well as NetFlow Analysis and Exporter Interface Information, is an Excellent Complementary Security Tool to the Existing Infrastructure.

NBA’s Role in the Network Ops Infrastructure - Contextual Visibility
[Network diagram; labels: Packet Filter, Packet Inspector, Core Switch w/ACLs, Business Critical Assets, EMS/NMS/MoM, Midsized Branch Office, Small Branch Office, Branch Edge Router, HQ Edge Router, End User Switch, Packet Filter, Internet, VPN Concentrator, End User System w/HIDS, AV, NAC Etc., Remote User]

Current Organizational AUP Policy Monitoring Challenges
Existing Policy Monitoring Technologies Do Their Jobs in a Mediocre Manner and Also Present Major Challenges:
- Policy Monitoring and Enforcement is a Point by Point Proposition with Almost No Holistic Visibility, Therefore Not Delivering Global, Real-time Compliance Monitoring.
- Policy Definitions Are Configured on Different Devices with Different Capabilities and are Difficult to Deploy and Manage.
- Almost All Policy Monitoring Products Are Myopic and Lack Contextual Awareness of the Network and Hosts.
- Determining Root Cause of Most Policy Events Requires Access to Multiple Consoles for Multiple Products with Hugely Different Capabilities.
- Maintaining AUP is Extremely Complex Because of the Constantly Evolving Nature of Networks and the Multitude and Variety of Policy Monitoring Products and Capabilities.
- Policy Monitoring Tools are Still Very Immature and Limited in Scope.
- Deployment Creates Yet Another Monitoring Console and Touch Point.
- Continuous, Real-time Policy Monitoring is Practically Impossible Because of Inherent Technology Limitations.
- The Tools Aren’t Integrated in Any Meaningful Way With Security Ops OR Net Ops Tools, Creating Points of Contention Between the Three Teams if Their Tools are Generating Conflicting Information.

The Traditional AUP Monitoring Framework - Unique Points
[Network diagram; labels: Packet Filter, Packet Inspector, Core Switch w/ACLs, Business Critical Assets, Policy Monitoring Tool, Midsized Branch Office, Small Branch Office, Branch Edge Router, HQ Edge Router, End User Switch, Packet Filter, Internet, VPN Concentrator, End User System w/HIDS, AV, NAC Etc., Remote User]

NBA’s Role in Policy Management and Monitoring - Global Configuration Management and Monitoring
Existing Policy Monitoring Technologies Do Their Jobs in an Inconsistent Manner and Also Present Major Challenges:
- Policy Monitoring and Enforcement is a Point by Point Proposition with Almost No Holistic Visibility, Therefore Not Delivering Global, Real-time Compliance Monitoring.
- Policy Definitions Are Configured on Different Devices with Different Capabilities and are Difficult to Deploy and Manage.
- Almost All Policy Monitoring Products Are Myopic and Lack Contextual Awareness of the Network and Hosts.
- Determining Root Cause of Most Policy Events Requires Access to Multiple Consoles for Multiple Products with Hugely Different Capabilities.
- Maintaining AUP is Extremely Complex Because of the Constantly Evolving Nature of Networks and the Multitude and Variety of Policy Monitoring Products and Capabilities.
- Policy Monitoring Tools are Still Very Immature and Limited in Scope.
- Deployment Creates Yet Another Monitoring Console and Touch Point.
- Continuous, Real-time Policy Monitoring is Practically Impossible Because of Inherent Technology Limitations.
- The Tools Aren’t Integrated in Any Meaningful Way With Security Ops OR Net Ops Tools, Creating Points of Contention Between the Three Teams if Their Tools are Generating Conflicting Information.

NBA’s Role in the AUP Monitoring Framework - Global Configuration Management and Monitoring
[Network diagram; labels: Packet Filter, Packet Inspector, Core Switch w/ACLs, Business Critical Assets, NetFlow Collector, Midsized Branch Office, Small Branch Office, Branch Edge Router, HQ Edge Router, End User Switch, Packet Filter, Internet, VPN Concentrator, End User System w/HIDS, AV, NAC Etc., Remote User]

OR!!! - Highly Granular Configuration Management and Monitoring - Users, Groups, Applications
[Network diagram; labels: Packet Filter, Packet Inspector, Core Switch w/ACLs, Business Critical Assets, NetFlow Collector, Midsized Branch Office, Small Branch Office, Branch Edge Router, HQ Edge Router, End User Switch, Packet Filter, Internet, VPN Concentrator, End User System w/HIDS, AV, NAC Etc., Remote User]

NBA - What Other Benefits Does It Deliver?
NBA Systems Offer a Large Variety of Other Beneficial Features:
- Management Reporting for Alarms and Events, Host Behaviors Over Time, Service and Traffic Patterns, Etc.
- User to IP Correlation Reporting for a More Complete Picture of Host and User Activity as well as Decreasing Event Remediation Time.
- DHCP and MAC Correlation Reporting to Reduce Event Remediation Time and Add Additional Data Points to Profiled Hosts.
- Closest Router Interface for Improved Troubleshooting and Remediation.
- Other Associated Router Interfaces for Improved Troubleshooting and Remediation.
- QoS Utilization Reporting using DiffServ from the NetFlow Record.
- Trending for Capacity Planning by Application, Host, Segment, Location and Network.
- 802.1Q VLAN Tag Correlation for Improved Traffic Analysis.
- MPLS Label Correlation for Improved Traffic Analysis.
- BGP Traffic Reporting for Improved Understanding of External Traffic Origination and Destination.
- Flexible and Extensible Flow Reporting for Additional, Easy to Add Features.

NBA - In the Future
NBA Systems Will Continue to Expand Their Features to Leverage Improvements in Flow Data Export:
- Network Hardware Vendors will Seek to Leverage Flow Reporting to Include Much More Network Telemetry Data.
- IP-SLA for Detailed Quality of Service Reporting.
- NBAR for Deep Packet Inspection and Flow Application Tagging.
- Flexible Packet Matching for Traffic Shaping.
- Packet Payload Capture for Analysis by both NBA and Other Signature Based Tools.
- Using NetFlow v9 to Export Data Traditionally Sent by Other Protocols - syslog, etc.
- Using Flow Reporting Information to Improve Security and Remediation Through Other Protocols - ACT/TIDP/TMS.

That’s All Folks! Questions? Comments?

The End
Thank You
Mark McDaniel