Presentation is loading. Please wait.

Presentation is loading. Please wait.

CanSecWest/core05 Network Flows and Security v1.02 Nicolas FISCHBACH Senior Manager, Network Engineering Security, COLT Telecom -

Published byUlises Claypole Modified over 9 years ago

Similar presentations

Presentation on theme: "CanSecWest/core05 Network Flows and Security v1.02 Nicolas FISCHBACH Senior Manager, Network Engineering Security, COLT Telecom -"— Presentation transcript:

1 CanSecWest/core05 Network Flows and Security v1.02 Nicolas FISCHBACH Senior Manager, Network Engineering Security, COLT Telecom nico@securite.org - http://www.securite.org/nico/

2 CanSecWest/core05 2 Agenda ● The Enterprise Today ● Network Flows ● Netflow and NIDS ● Anomaly Detection ● Policy Violation Detection ● Peer-to-Peer ● Response and Forensics ● Conclusion

3 CanSecWest/core05 3 The Enterprise Today ● Where’s my border ? ● WLANs, 3G devices, etc. ● Remote VPN/maintenance access: employees, partners, vendors and customers ● Client-side attacks ● Malware/spyware relying on covert channels ● Usually one “flat” undocumented network: no internal filtering, no dedicated clients/servers LANs, etc. ● More and more (wannabe) power users

4 CanSecWest/core05 4 The Enterprise Today ● Undocumented systems and applications ● Have you ever sniffed on a core switch’s SPAN port ? ● Do you really need (expensive) NIDS to detect worms ? ● More and more communications are encrypted: SSH, SSL, IPsec, etc (even internally)

5 CanSecWest/core05 5 Threats Vulnerability found Vulnerability “found” again Disclosure Patch available Patch deployed “Victims” Time Full/fixed patch Exploit “Proof of Concept” Automated PoC + Exploit + Worm ? “Noise” “bad patch” 2002 and before since 2003 since 2004 Cross-platform/ extended research Client side attack vs Direct exploitation

6 CanSecWest/core05 Internet 6 The Enterprise thru the CSO’s eyes Corporate Internet access fw av as p s r cpe r r s r r s

7 CanSecWest/core05 Internet 7 The Enterprise thru the CISO’s eyes Corporate Internet access Office Partner ar fw av as p External laptop s r cpe r r Remote office/ Partners IP VPN r Vendor Remote maintenance s r s

8 CanSecWest/core05 Internet 8 The Enterprise : Cxx levels specials Corporate Internet access Office Partner ar fw av as p « Executive floor » WLAN AP External laptop s r cpe r r Remote office/ Partners IP VPN r Vendor Remote maintenance s ap r s

9 CanSecWest/core05 Internet 9 The Enterprise : the Reality « IT floor » Internet access Corporate Internet access Office Partner ar fw av as p « Executive floor » WLAN AP External laptop s r cpe r fw cpe r Remote office/ Partners IP VPN r Vendor Remote maintenance s ap r s

10 CanSecWest/core05 Internet 10 Collecting Network Flows controller « IT floor » Internet access Corporate Internet access Office Partner ar fw av as p « Executive floor » WLAN AP External laptop s r cpe r fw cpe r Remote office/ Partners IP VPN s r Vendor Remote maintenance s ap r

11 CanSecWest/core05 11 Network Flows ● What are network flows and why are they so interesting? ● Netflow (Cisco terminology) used to be a routing technology which became a traffic accounting solution ● Used since years by Service Providers to detect and traceback DDoS attacks and more recently for traffic engineering purposes ● In the enterprise network: – Network and application profiling, forensics, anomaly detection, policy violation, etc. – Netflow/NIDS: and/or ? Mix of macroscopic and microscopic views in high speed environments

12 CanSecWest/core05 12 Netflow ● A flow is a set of packets with common characteristics within a given time frame and a given direction ● The seven netflow keys: – Source and destination IP address – Source and destination port (code for ICMP) – Layer 3 protocol – Type of Service – Ingress interface (“one way”) r netflow cache export (2055/udp)

13 CanSecWest/core05 13 Netflow ● The following data are exported (Netflow v5) – The 7 key fields – Bytes and packets count – Start and end time – Egress interface and next-hop – TCP flags (except on some HW/SW combination on multilayer switches) ● And you may also see the AS number and other fields depending on version and configuration ● IPFIX is based on Netflow v9 ● Egress Netflow and per class sampling in recent IOSes

14 CanSecWest/core05 14 Netflow ● The cache contains 64k entries (default) ● A flow expires: – After 15 seconds of inactivity (default) – After 30 minutes of activity (default) – When the RST or FIN flag is set – If the cache is full ● Counting issues: aggregation and duplicates (a flow may be counted by multiple routers and long lasting flows may be “duplicated” in the database) ● Security issues: clear text, no checksum, can be spoofed (UDP) and possible DoS (48 bytes per flow for a 32 bytes packet)

15 CanSecWest/core05 15 Netflow ● Sampling – By default, no sampling: each flow entry is exported – Sampled: percentage of flows only (deterministic) – Random Sampled: like sampled, but randomized (statistically better) ● “Full netflow” is supported on/by most of the HW/SW, sampled and random sampled only on a subset ● Sampling reduces load and export size but “losses” data: – OK: DDoS detection – NOK: Policy violation detection ● Avoid router-based aggregation

16 CanSecWest/core05 16 Netflow ● General configuration ● Tuning ● Display the local cache router (config)# ip flow-export destination router (config)# ip flow-export source loopback0 router (config)# ip flow-export version 5 router (config)# ip flow-cache entries router (config)# ip flow-cache timeout active router (config)# ip flow-cache timeout inactive router# show ip cache flow

17 CanSecWest/core05 17 Netflow ● “Full”/unsampled ● Sampled ● Random Sampled router (config)# interface x/y router (config-if)# ip route-cache flow router (config)# ip flow-sampling-mode packet-interval 100 router (config)# interface x/y router (config-if)# ip route-cache flow sampled router (config)# flow-sampler-map RSN router (config-sampler)# mode random one-out-of 100 router (config)# interface x/y router (config-if)# flow-sampler RSN

18 CanSecWest/core05 18 Netflow/NIDS ● Netflow is “header” only – Distributed and the network “speed” only has indirect impact – Often the header tells you enough: encrypted e-mails with the subject in clear text or who’s mailing whom =) ● NIDS may provide full packet dump – Centralized and performance linked to the network “speed” – Full dump or signature based dumps ? – PCAP-to-Netflow – May tell you the whole story (disk space requirements)

19 CanSecWest/core05 19 Netflow/NIDS ● Let’s mix both: distributed routers sourcing Netflow and NIDS/sniffers in key locations! ● Decide how to configure your NIDS/sniffers: – PCAP-type packet sniffers – Standard ruleset – Very reduced and specific ruleset – How much data can you store and for how long ? ● Investigate ways of linking both solutions ● Storage (the older the less granular ?) – Flat files – Database

20 CanSecWest/core05 20 Anomaly Detection ● Discover your network – Enabling netflow will give you some insight on what your network actually carries :) – After the shock and the first clean up round: ● Sniff traffic in specific locations ● Introduce security driven network segmentation ● Build a complete baseline – Update your network diagram

21 CanSecWest/core05 21 Anomaly Detection ● Distributed Denial of Service – Fairly easy to spot: massive increase of flows towards a destination (IP/port) – Depending on your environment the delta may be so large that you don’t even require a baseline – You may also see some backscatter, even on an internal network ● Trojan horses – Well known or unexpected server ports (unless session re- use) ● Firewall policy validation – Unexpected inside/outside flow

22 CanSecWest/core05 22 Anomaly Detection ● Worms – Old ones are easy to spot: they wildly scan the same /8, /16 or /24 or easy to code discovery pattern – New ones are looking for specific ports – Each variant may have a specific payload size – May scan BOGON space – The payload may be downloaded from specific, AV identified, websites – The source address is spoofed (but that’s less and less the case)

23 CanSecWest/core05 23 Anomaly Detection ● Covert channels / Tunnels – Long flows while short ones are expected (lookups) – Symmetric vs asymmetric traffic (web surfing) – Large payloads instead of small ones – Think ICMP, DNS, HTTP(s) ● Scans – Slow: single flows (bottomN) – Issue with bottomN: long tail – Normal/Fast: large sum of small flows from and/or to an IP – Return packets (RST for TCP and ICMP Port Unreachable for UDP)

24 CanSecWest/core05 24 Policy Violation Detection ● Workstation / server behaviour – Usually very “static” client/server communications – Who initiates the communication and to which destination ? – Office hours – New source/destination IPs/ports showing up – Tracking using DHCP logs, MAC address, physical switch port (SNMP) – Identify the “early” flows (auto-update and spyware) ● After DHCP allocation or after login ● Flows after the initial communication – Recurring flows (keyloggers) or flows towards the same destination but using various protocols (firewall piercing)

25 CanSecWest/core05 25 Peer to Peer (P2P) ● Legacy P2P protocols often use fixed ports or ranges ● Sometimes (like with FTP) the data port is the control port +/-1 ● Recent P2P protocols have the session details in the payload: they can’t be tracked using netflow but the flow size may give you a hint

26 CanSecWest/core05 26 Response ● Locate the source host – Requires the “netflow source” information (which router saw that flow) – Layer 3 and Layer 2 trace: identify the last layer 3 hop and then layer 2 trace or use previously SNMP polled MAC/port address ● Block the host – Port shutdown – ACLs – Blackhole route injection

27 CanSecWest/core05 27 Forensics ● Netflow and dumps storage need to resolved first ● Clear post-mortem process ● Usual approach is to look for the flows and once identified extract the relevant dumps/logs ● In some environment only a couple of minutes/hours may be stored ● Legal/privacy issues ● Out-of-band network to push data and avoid multi- accounting

28 CanSecWest/core05 28 Tools ● Lolo’s early proof-of-concept: YeFLOW - http://yeflow.rstack.org/ ● argus (http://www.qosient.com/argus/) ● flow-tools (http://www.splintered.net/sw/flow-tools/) ● nfdump (http://nfdump.sourceforge.net) ● graphviz (http://www.graphviz.org/): human eye is good at catching things, but the graphs become really complex ● Comprehensive list: http://www.switch.ch/tf-tant/floma/software.html ● Commercial products

29 CanSecWest/core05 29 Conclusion ● Netflow: macroscopic view ● NIDS/sniffer: microscopic view ● Network switches: layer 0/1 view (MAC address/port) ● Mix them while controlling – CAPEX/OPEX – Storage – Search/detection capabilities – Avoid impact on the network ● Active response (quarantine/active defense) ? ● Q&A

Download ppt "CanSecWest/core05 Network Flows and Security v1.02 Nicolas FISCHBACH Senior Manager, Network Engineering Security, COLT Telecom -"

Similar presentations

Computer Concepts – Illustrated 8th edition

Computer Concepts – Illustrated 8th edition
What’s New in Fireware XTM v11.3.4

What’s New in Fireware XTM v11.3.4
Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.

Designing for Pervasive Network Security. Designing for Security Our aim in this section will be to concentrate on how campus Networks can be designed.
Computer Networks TCP/IP Protocol Suite.

Computer Networks TCP/IP Protocol Suite.
1 UNIT I (Contd..) High-Speed LANs. 2 Introduction Fast Ethernet and Gigabit Ethernet Fast Ethernet and Gigabit Ethernet Fibre Channel Fibre Channel High-speed.

1 UNIT I (Contd..) High-Speed LANs. 2 Introduction Fast Ethernet and Gigabit Ethernet Fast Ethernet and Gigabit Ethernet Fibre Channel Fibre Channel High-speed.
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Security Issues In Mobile IP

Security Issues In Mobile IP
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Protocol layers and Wireshark Rahul Hiran TDTS11:Computer Networks and Internet Protocols 1 Note: T he slides are adapted and modified based on slides.

Protocol layers and Wireshark Rahul Hiran TDTS11:Computer Networks and Internet Protocols 1 Note: T he slides are adapted and modified based on slides.
INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.

INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.
| Copyright © 2009 Juniper Networks, Inc. | www.juniper.net 1 WX Client Rajoo Nagar PLM, WABU.

| Copyright © 2009 Juniper Networks, Inc. | 1 WX Client Rajoo Nagar PLM, WABU.
Configuration management

Configuration management
Mehdi Naghavi naghavi@iust.ac.ir naghavi@aut.ac.ir Spring 1386 Operating Systems Mehdi Naghavi naghavi@iust.ac.ir naghavi@aut.ac.ir Spring 1386.

Mehdi Naghavi Spring 1386 Operating Systems Mehdi Naghavi Spring 1386.
Chapter 1: Introduction to Scaling Networks

Chapter 1: Introduction to Scaling Networks
Local Area Networks - Internetworking

Local Area Networks - Internetworking
CCENT Study Guide Chapter 12 Security.

CCENT Study Guide Chapter 12 Security.
What is access control list (ACL)?

What is access control list (ACL)?
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Distance Vector Routing Protocols Routing Protocols and Concepts –

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Distance Vector Routing Protocols Routing Protocols and Concepts –

Similar presentations

Ads by Google