Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Management Process 1. six-stage security operations model 2 In large networks, the potential for attacks exists at multiple points. It is suggested.

Published byJody Bryan Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Management Process 1. six-stage security operations model 2 In large networks, the potential for attacks exists at multiple points. It is suggested."— Presentation transcript:

1 Security Management Process 1

2 six-stage security operations model 2 In large networks, the potential for attacks exists at multiple points. It is suggested that you develop a multifaceted defence approach. This led Cisco to develop a six-stage security operations model, as shown in Figure 16- 2.Figure 16- 2

3 3

4 Preparation 4 Preparation for attacks includes a set of policies that define who is allowed to do what in the network. From an accounting and performance perspective, preparation means having the right device instrumentation and management applications in place.

5 5 One technique to spot the possibility that an attack is occurring is to compare the current network performance figures with the expected ones. Preparation

6 6 In summary, the following steps are a good preparation for a network administrator to protect the network in advance:  Defining policy  Activate accounting and performance management features at the network elements  Analyzing flow records  NBAR is the tool of choice for network protocol discovery up to the application level  IP SLA is the final function to verify network, server, and application response time  Deploying security management applications Preparation

7 Defining policy 7 Define a policy that describes which protocols, applications, transactions, and connections are permitted and denied in the network.

8 Activate accounting and performance management features 8 Activate accounting and performance management features at the network elements, such as the following: - Full NetFlow should be enabled at the edge of the network. It can be combined with Sampled NetFlow at the core network. - SNMP read access should be configured at all network elements. Trap destinations are required as well. From a security perspective, leveraging SNMP version 3 is the best approach.

9 Analyzing flow records 9 Analyze flow records for abnormalities to identify reconnaissance, especially ping sweeps and port scans. Advanced attacks do not use sequential scanning; they take a randomized approach or a list of ports. By tracking flow records and correlating them, you can identify these scanning activities; however, this is not as simple as detecting a massive DoS attack.

10 NBAR 10 NBAR is the tool of choice for network protocol discovery up to the application level. However, because of the CPU impact, it should be used with care and only if alternatives such as SNMP, NetFlow, and BGP PA do not provide sufficient details. Hardware-based NBAR implementations address these performance implications effectively.

11 IP SLA 11 IP SLA is the final function to verify network, server, and application response time. Using IP SLA to assess the network before, during, and after an attack is a great way to measure the impact of an attack and document how long the remedy took.

12 Deploying security management applications 12 Deploying security management applications that collect, store, aggregate, correlate, and present potential threats is the final step during the Preparation stage.

13 13

14 Identification 14 The next logical step is to detect and identify an attack. Some attacks are easy to detect, especially if their goal is to paralyze the users completely. Attacks that try to snoop for passwords or business knowledge are much harder to detect, because they do not leave massive footprints.

15 15 Constantly analyzing the flows is the first step toward identifying an abnormal situation. For example, a sudden increase in the total number of flows, or a large number of flows with the same destination IP address and port number, combined with few or no payloads, can be an attack signal. Identification

16 16 Source IP Address Destination IP Address Input I/F Output I/F Source Port Destination Port PacketsBytesPort 10.1.1.6910.44.4.24529491308771406 10.1.1.22210.44.4.2452949177412431406 10.1.1.10810.44.4.2452949186910761406 10.1.1.15910.44.4.245294910509031406 10.1.1.5410.44.4.245294920187301406 10.1.1.13610.44.4.245294918215591406 10.1.1.21610.44.4.245294915163831406 10.1.1.11110.44.4.24529491894451406 10.1.1.2910.44.4.2452949160012091406 10.1.1.2410.44.4.2452949112010341406 10.1.1.3910.44.4.245294914598681406 10.1.1.24910.44.4.245294919676921406 10.1.1.5710.44.4.245294910445211406... Identification

17 honeypot 17 An alternative approach to collecting accounting data for security purposes is to set up a "honeypot." This is a router or computer that is installed by the security operator merely for surveillance and security analysis, but to the outside world it appears to be part of the network. https://www.blacksintechnology.net/an-overview-of-honeypots/

18 18 For intrusion detection, monitoring logging messages is a key to success. The following list of event logs can serve as a starting point: Failed login attempts at the network element result in Syslog messages and SNMP traps. High number of ACL violations. High number of uRFP drops. Unicast Reverse Path Forwarding (uRPF) is a feature that drops packets with malformed or spoofed IP source addresses. The router examines all received packets to verify that the source address and interface appear in the routing table and match the interface on which the packet was received. Identification

19 19

20 Classification 20 After identifying an abnormal situation in the network, classifying the kind of attack comes next. It is tricky to block an attack without a clear understanding of the attack's characteristics. You need answers to questions such as these: Is this an attack against the network, or the servers, or the services? Is it a security threat or a denial of service, such as one caused by a worm? Is the attack distributed, or is a single source causing it? Intelligent device instrumentation features can decrease the time for classifying a threat's kind and scope.

21 21

22 Trace Back 22 After identifying and classifying the attack, you need to trace back the source(s) of the attack and isolate them. For this task, you need answers to questions such as these: Did the attack come from inside or outside the network? Did a special segment of the network initiate the attack, or did it come from all over the network? Did servers or client PCs distribute, such as notebooks that were infected outside of the network? Are the source IP addresses real or spoofed?

23 IP spoofing attack 23 An IP spoofing attack occurs when an attacker outside of your network pretends to be a trusted computer. This can be done by using an IP address that is within the range of your network's IP addresses. Or someone could use an authorized external IP address you trust and to which you want to grant access to specified resources on your network. Detecting whether a specific IP address is spoofed is not an easy task.

24 Locating source IP address 24 Different mechanisms are available to locate the source IP address: Search the routing table(s). Check the Internet Routing Registry (IRR). Use NetFlow to trace the packet flow through the network. Identify the upstream ISP if the source is outside of your network. From there, the upstream ISP needs to continue tracing to block the source.

25 25

26 Reaction 26 As soon as the attack's characteristics and sources have been identified, a remedy can be initiated. Possible solutions range from configuring an ACL up to leveraging sophisticated security management applications.

27 Defining an ACL 27 After you identify the source of an attack, a simple way to block all traffic from the attack toward the victim is to define an ACL at a router, next to either the attacker or the victim.

28 28 If only a limited number of hosts are targets of the attack, an alternative is to propagate BGP drop information to all routers in the network. If you set the next hop of the target IP addresses to the Null interface, all packets destined for the victims are dropped into the so-called "black hole." Propagating BGP drop information

29 29 An alternative to dropping traffic from a source or toward a destination is to block only traffic from nonexistent sources. Blocking traffic from nonexistent sources.

30 Using QoS features 30 Instead of blocking or verifying all traffic, you can use QoS features such as rate-limiting packets. The committed access rate (CAR) feature can define a limit for certain traffic types. For instance, if a high rate of FTP traffic overutilizes the network capacity, a rate limit can be applied.

31 31

32 Postmortem 32 The postmortem examines the situation to identify why the network was vulnerable and what lessons can be learned from the situation. Start the process by reconstructing the attack as precisely as possible to establish a "footprint" for the attack.

33 Postmortem 33 The different steps are related to the different stages of the Cisco six- stage security operations model: The first place to inspect is fault management reporting. several conclusions can be drawn from the reported notifications. The baselining information that was initiated during the Preparation stage is useful, as well as the data gathered during the Identification stage. Check log files, such as Syslog messages from the network elements and application logs from the servers. They are gathered during the Identification stage. Performance monitoring and accounting records should provide an idea about the attack's path through the network. This is related to the Trace Back stage. Analyze configuration changes at network elements before, during, and after the attack. Distinguish between configuration changes resulting from the Reaction stage and other configuration changes.

34 Back to the preparation stage 34 Remember, as soon as the postmortem is complete, the Preparation stage for the next attack should start.

35 Preparation stage for the next attack 35 The following questions can serve as a link between the analysis of the previous security threat and the Preparation stage for the future: What worked well during and after the attack? What needs to be improved? How can it be improved? Who discovered the attack(s)—a user, the operator, or a management tool? How long did it take to identify, classify, and trace back the attack? How long did it take to block the attack? Did the existing tools help support the operators? Were the tools used at all? In which of the six stages of the process were tools used? What was their contribution to solving the issue? How well did the different teams, such as network operators, data center administrators, and the security group, cooperate? How can the cooperation be improved? What additional resources, processes, training, or tools are required? Did you find a single point of failure in the network? What is the most important lesson learned? What will you do differently next time

Download ppt "Security Management Process 1. six-stage security operations model 2 In large networks, the potential for attacks exists at multiple points. It is suggested."

Similar presentations

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Access Control List (ACL)

Access Control List (ACL)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:

Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.

CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.

Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Department Of Computer Engineering

Department Of Computer Engineering
Network security policy: best practices

Network security policy: best practices
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

Similar presentations

Ads by Google