Security Monitoring In Your Network
Strategies to Safeguard Your Network Using NetScout's 3900 Series Packet Flow Switch
Ray Jones, Director of Solutions Architecture and Field Enablement

A BAD YEAR for Cyber Security
Breaches across the entertainment, government & health care, platform, retail and financial sectors.

Cyber Security Monitoring: Two Challenges
1. Obscurity: the adversary often intentionally averts detection.
2. Transience: the sequence of events may be difficult to reproduce.

AGENDA: What you'll learn today
1. 3900 SERIES PACKET FLOW SWITCH INTRODUCTION: extend visibility and take control of your monitoring environment.
2. DYNAMIC TARGETING: expedite and automate incident response.
3. FILTERING TOOLS: optimize security monitoring tool performance.

3900 SERIES PACKET FLOW SWITCH INTRODUCTION
Scalable, flexible, feature rich.

nGenius 3900 Series Packet Flow Switch: chassis options
3901 chassis
• 1RU modular switch, up to 48 ports 1/10 GbE + 4 ports 40 GbE*
• Small single-site or multi-site deployments needing 16 to 48 ports
3903 chassis
• 3RU modular switch, up to 144 ports 1/10 GbE + 12 ports 40 GbE*
• Medium to large single-site or multi-site deployments needing more than 48 ports
Centralized management (PFS Management Software)
• Pay-as-you-grow modules and chassis
• Supports more than 4000 ports under PFS Management Software
• Large-site deployments needing more than 144 ports
* 100G early field trial available

nGenius 3900 Series Packet Flow Switch: hardware
• Redundant switch controllers
• Redundant Ethernet management ports: reside on each blade, with automatic failover
• Redundant AC/DC power supplies
• Serial console port
• Built-in GUI management or PFS Management System
• 1U and 3U base chassis options
• Modular + stackable monitoring fabric growth
• 1/10/40 Gbps native per blade
• Full line rate, all-inclusive blade-based features
• 100G early field trial available
Interface blade
• FlexPorts supporting 1/10/40G
• Up to 48 x 1/10G per RU
• Up to 4 x 40G per RU

nGenius 3900 Series Packet Flow Switch: blade features
• Full-duplex 720 Gbps line-rate processing*
• Scalable: up to 48 ports 1/10G, 4 x 40G per blade*
• Advanced switching engine with extensible microcode
• Industry-leading low latency (< 600 ns, deterministic)
• L2-L7 filtering and many-to-any aggregation
• Load balancing and replication
• Source ID tagging
• Header stripping
• Packet slicing/truncation
• Packet deduplication
• Time stamping
Blade layout: 16x 1G/10G | 4x 40G or 16x 1G/10G | 16x 1G/10G, plus console port access
* Features implemented on the blade

nGenius 3900 Series Packet Flow Switch
Diagram: PFS deployed at Site A and Site B across the network.

DYNAMIC TARGETING
Ensuring rapid, reliable incident response.

Dynamic Targeting: Problem & Requirement
• Problem: security events may require reactive changes to the monitoring fabric.
• Requirement: implement dynamic, automated changes via a secure management channel.

Use Case: Targeted packet capture for suspect flows
Diagram: network TAPs feed the PFS at Site A and Site B; the PFS feeds the continuous monitoring tool and the escalation analysis tool. The steps below are built up one at a time on the slides.
1. Traffic flows through the network TAPs at Sites A & B.
2. The PFS steers traffic from the TAPs to the monitoring tools.
3. A monitoring tool detects suspicious activity.
4. a) A script configures the packet flow switch to target the suspect IP address.
   b) The script activates the escalation analysis tool.
5. The PFS sends the targeted traffic to the escalation analysis tool.

Scripting for Dynamic Targeting
• Optimized management for monitoring tools: nGeniusONE
• PFS Manager for the PFS (configuration reference: nGenius PFS Management Software Administrator Guide)
• SSH from the scripting client to the PFS and to the monitoring tools

Sample PFS SSH/CLI Script

import paramiko
from paramiko_expect import SSHClientInteraction   # pip install paramiko-expect

def main():
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    # AutoAddPolicy trusts whatever host key is presented on first contact;
    # pin the PFS key in known_hosts and use paramiko.RejectPolicy() in production.
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    prompt = '=> '
    hostname = '10.88.39.192'    # Replace with the actual IP address of the PFS or PFS Management Server
    username = 'administrator'   # Replace if you need to use a different user; normally "administrator" is correct
    password = 'netscout1'       # Replace with the actual password (load it from a secret store, not the script)
    client.connect(hostname, 22022, username, password)   # Presumes that the PFS CLI SSH uses the default port 22022
    interact = SSHClientInteraction(client, timeout=10, display=True)
    interact.expect(prompt)      # wait for the CLI prompt before sending anything
    # raw_input('Press Enter to continue')
    interact.send("Add Rule 'Dynamic Target' 'permit ip && ip.addr==192.168.0.171'")
    interact.expect(prompt)      # the command has completed once the prompt returns
    cmd_output = interact.current_output_clean
    print(cmd_output)
    client.close()

if __name__ == '__main__':
    main()

Notes on the sample script
• AutoAddPolicy accepts any host key on first contact, so the script would also connect to an impostor PFS; pin the host key and reject unknown keys.
• A plaintext administrator password inside a script that reconfigures the monitoring fabric is itself a finding: keep the credential in a secret store and use a dedicated, least-privilege PFS account.
• The target IP address comes from the detection tool; validate it before embedding it in the quoted rule expression.

What should the system do?
Upon trigger detection:
1. Create rule(s) based on the trigger, e.g., an IP address.
2. Create filter(s) and assign the rule(s) to them.
3. Connect the source port(s) via the filter(s) to the destination port(s).
4. Prepare the escalation analysis platform.
Following "All Clear":
5. Restore the original configuration.
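The five steps above as a command plan, added here as an example rather than NetScout code. Only one PFS CLI command appears on the slides, `Add Rule 'Dynamic Target' 'permit ip && ip.addr==192.168.0.171'`, and that form is reproduced exactly; every other verb (Add Filter, Assign Rule, Connect, Disconnect, Delete Filter, Delete Rule), the port names ("1/1", "1/48") and the filter name are hypothetical placeholders to be replaced with the syntax in the PFS Management Software Administrator Guide. Activating the escalation tool (step 4b) goes through that tool's own management interface and is not modelled. The point a practitioner should take from it is the input check: the indicator arrives from a detection tool, so it is parsed as an IP address before it is placed inside a quoted CLI argument.

```python
"""Dynamic targeting: trigger -> PFS rule/filter/connection -> restore after all-clear.

Added example, not NetScout code. Only the 'Add Rule' line matches the slides;
the other CLI verbs, port names and filter name are hypothetical placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Protocol

RULE_NAME = "Dynamic Target"            # rule name used on the slides
FILTER_NAME = "Dynamic Target Filter"   # assumed name for the filter that carries the rule


@dataclass
class Trigger:
    indicator: str            # host reported by the continuous-monitoring tool
    source_ports: List[str]   # PFS ports fed by the TAPs (port naming is an assumption)
    dest_port: str            # PFS port cabled to the escalation-analysis tool


def rule_expression(indicator: str) -> str:
    """Build the slides' rule expression from an untrusted indicator.

    ipaddress.ip_address() raises ValueError for anything that is not an
    address, so "1.2.3.4' ; Delete Rule" never reaches the switch.
    """
    return f"permit ip && ip.addr=={ipaddress.ip_address(indicator.strip())}"


def cli_arg(value: str) -> str:
    """Single-quote a CLI argument; refuse characters that could end the quote."""
    if not re.fullmatch(r"[\w .&=:/-]+", value):
        raise ValueError(f"unsafe CLI argument: {value!r}")
    return f"'{value}'"


def response_plan(t: Trigger) -> List[str]:
    """Steps 1-3 on trigger detection: rule, filter, then source -> filter -> destination."""
    cmds = [f"Add Rule {cli_arg(RULE_NAME)} {cli_arg(rule_expression(t.indicator))}"]
    cmds.append(f"Add Filter {cli_arg(FILTER_NAME)}")                        # hypothetical verb
    cmds.append(f"Assign Rule {cli_arg(RULE_NAME)} {cli_arg(FILTER_NAME)}")  # hypothetical verb
    for src in t.source_ports:                                               # hypothetical verb
        cmds.append(f"Connect {cli_arg(src)} {cli_arg(FILTER_NAME)} {cli_arg(t.dest_port)}")
    return cmds


def restore_plan(t: Trigger) -> List[str]:
    """Step 5 after the all-clear: undo in reverse order so nothing lingers on the PFS."""
    cmds = [f"Disconnect {cli_arg(src)} {cli_arg(FILTER_NAME)} {cli_arg(t.dest_port)}"
            for src in reversed(t.source_ports)]                             # hypothetical verbs
    cmds += [f"Delete Filter {cli_arg(FILTER_NAME)}", f"Delete Rule {cli_arg(RULE_NAME)}"]
    return cmds


class Session(Protocol):
    def send(self, cmd: str) -> str: ...


class RecordingSession:
    """Offline stand-in for the paramiko/SSHClientInteraction session in the slides."""
    def __init__(self) -> None:
        self.sent: List[str] = []

    def send(self, cmd: str) -> str:
        self.sent.append(cmd)
        return "=> "               # the PFS prompt the slides' script waits for


def send_plan(session: Session, plan: List[str]) -> None:
    """Send each command and stop at the first one that does not return the prompt."""
    for cmd in plan:
        out = session.send(cmd)
        if not out.endswith("=> "):
            raise RuntimeError(f"unexpected response to {cmd!r}: {out!r}")


if __name__ == "__main__":
    trigger = Trigger("192.168.0.171", ["1/1", "1/2"], "1/48")
    session = RecordingSession()
    send_plan(session, response_plan(trigger))   # on trigger detection
    send_plan(session, restore_plan(trigger))    # after the all-clear
    print("\n".join(session.sent))
```

Swapping RecordingSession for a thin wrapper around the slides' SSHClientInteraction (send, then expect the prompt, then return current_output_clean) turns the plan into the live script; keep the prompt check, since a half-applied plan leaves the monitoring fabric in a state that step 5 does not know how to undo.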
Components of Dynamic Targeting
1. Preparation: define and configure the interfaces to the PFS and the tools.
2. Identification: establish the triggers for response.
3. Response: initiate the changes to the monitoring infrastructure.

FILTERING TOOLS
Everything you need, and nothing you don't.

Filtering: Problem & Requirement
• Problem: cyber tools may become congested by high traffic volumes (total network activity, of which only the traffic of interest carries the threat).
• Requirement: filter for the traffic of interest, and expect to make changes later.

Use Case: Limit traffic to necessary content
Diagram: link utilization and packet rate from the network are reduced to what the cyber security monitoring tool needs.

Filtering Techniques
• Criteria
  – Layer 2: MAC, VLAN ID & priority, Ethertype
  – Layer 3: IP address, payload type
  – Layer 4: TCP/UDP port, protocol
  – DPI: custom mask & offset
• Dimension
  – Direction: side A vs. side B, source vs. destination
  – Criteria: permit vs. deny per criterion
  – Range: efficient address masking
  – Types: connection vs. destination

Filtering Structure: Building Blocks
• Criteria
• Rules
• Filter
• Topology

Flexible Filtering: Connection v. Destination
• Filter on connection
• Filter at destination

Dynamic Targeting: On-demand Filter Creation
• Both connection and destination filters work for dynamic targeting.
• Filtering occurs in hardware at line rate.
• Filter changes are non-disruptive (except, obviously, adding a connection filter into an existing connection).

Traffic Conditioning: Problem & Requirement
• Problem: a cyber monitoring tool may be unable to parse some packet headers, rendering payload analysis impossible.
• Requirement: condition the traffic within the monitoring switch.

DPI Challenges for Legacy Cyber Tools
Technology         | InfiniStream                    | Legacy cyber monitoring tools
Cisco VN-Tag       | Parses header, analyzes content | Possibly confused by header; cannot parse traffic
Cisco FabricPath   | Parses header, analyzes content | Possibly confused by header; cannot parse traffic
Duplicate packets  | Ignores duplicates              | May report false errors
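The filtering building blocks from the Filtering Techniques slides (criteria, AND-ed into permit/deny rules, ordered into a filter with a default deny), added here as an example rather than NetScout code and evaluated in software so the semantics can be tried on constructed frames. It handles Ethernet II, an optional 802.1Q tag, IPv4 and TCP/UDP; the frames, MAC addresses, IPs and rule set are all constructed for the example. The last sample also shows why header conditioning matters: a fixed mask-and-offset DPI criterion written for untagged frames stops matching once a 4-byte VLAN tag shifts the payload, which is the same class of problem the VN-Tag and FabricPath rows above describe.

```python
"""Filter building blocks (criteria -> rules -> filter) evaluated in software.

Added example, not NetScout code: models the L2/L3/L4/DPI criteria and the
permit/deny rule semantics the 3900 applies in hardware, on constructed frames.
"""
import ipaddress
import struct
from typing import Callable, Dict, List, Optional, Tuple

ETH_VLAN, ETH_IPV4 = 0x8100, 0x0800
Criterion = Callable[[dict], bool]


def parse(frame: bytes) -> dict:
    """Decode only the header fields the filter criteria refer to."""
    f = {"dst_mac": frame[0:6], "src_mac": frame[6:12], "raw": frame}
    off, ethertype = 12, struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_VLAN:                       # 802.1Q: 16-bit TCI, then the inner type
        f["vlan_id"] = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        off, ethertype = 16, struct.unpack("!H", frame[16:18])[0]
    f["ethertype"], off = ethertype, off + 2        # off now points at the L3 header
    if ethertype == ETH_IPV4 and len(frame) >= off + 20:
        ihl = (frame[off] & 0x0F) * 4
        f["proto"] = frame[off + 9]
        f["src_ip"] = ipaddress.IPv4Address(frame[off + 12:off + 16])
        f["dst_ip"] = ipaddress.IPv4Address(frame[off + 16:off + 20])
        l4 = off + ihl
        if f["proto"] in (6, 17) and len(frame) >= l4 + 4:
            f["src_port"], f["dst_port"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return f


# Criteria: each returns a predicate over the parsed fields (MAC works like vlan()).
def vlan(vid: int) -> Criterion:
    return lambda f: f.get("vlan_id") == vid

def ip(field: str, cidr: str) -> Criterion:
    """Efficient address masking: one criterion covers a whole prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda f: field in f and f[field] in net

def ip_addr(cidr: str) -> Criterion:
    """Either direction, like the slides' ip.addr== expression."""
    src, dst = ip("src_ip", cidr), ip("dst_ip", cidr)
    return lambda f: src(f) or dst(f)

def proto(num: int) -> Criterion:
    return lambda f: f.get("proto") == num

def port(field: str, value: int) -> Criterion:
    return lambda f: f.get(field) == value

def dpi(offset: int, mask: bytes, value: bytes) -> Criterion:
    """Custom mask & offset: compare masked bytes at a fixed offset into the frame."""
    return lambda f: (len(f["raw"]) >= offset + len(mask)
                      and bytes(b & m for b, m in zip(f["raw"][offset:], mask)) == value)


Rule = Tuple[str, List[Criterion]]   # ("permit" | "deny", criteria AND-ed like the slides' '&&')


class Filter:
    """Ordered rules; the first matching rule decides, and the default is deny."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def passes(self, frame: bytes) -> bool:
        f = parse(frame)
        for action, criteria in self.rules:
            if all(c(f) for c in criteria):
                return action == "permit"
        return False


def ipv4_frame(src: str, dst: str, protocol: int, sport: int, dport: int,
               vlan_id: Optional[int] = None, payload: bytes = b"") -> bytes:
    """Constructed test frame (checksums left at zero; the filter never inspects them)."""
    eth = bytes.fromhex("0050c2000001") + bytes.fromhex("0050c2000002")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan_id)            # PCP 0, DEI 0
    eth += struct.pack("!H", ETH_IPV4)
    l4 = struct.pack("!HH", sport, dport) + b"\0" * (16 if protocol == 6 else 4) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, protocol, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + hdr + l4


def build_filter() -> Filter:
    return Filter([
        ("deny", [vlan(999)]),                          # management VLAN never reaches the tool
        ("permit", [ip_addr("192.168.0.171/32")]),      # the slides' dynamic-target host, either side
        ("permit", [proto(17), port("dst_port", 53)]),  # all DNS queries
        # HTTP GET via mask & offset: 54 = 14 (Ethernet) + 20 (IPv4) + 20 (TCP), untagged frame only.
        ("permit", [dpi(54, b"\xff" * 4, b"GET ")]),
    ])


SAMPLES = {   # constructed, not captured
    "suspect_https": ipv4_frame("192.168.0.171", "10.0.0.5", 6, 51000, 443),
    "dns_query": ipv4_frame("10.0.0.9", "10.0.0.53", 17, 40000, 53),
    "other_https": ipv4_frame("10.0.0.9", "10.0.0.8", 6, 51001, 443),
    "suspect_on_mgmt_vlan": ipv4_frame("192.168.0.171", "10.0.0.5", 6, 51002, 443, vlan_id=999),
    "http_get": ipv4_frame("10.0.0.9", "10.0.0.8", 6, 51003, 80, payload=b"GET / HTTP/1.1\r\n"),
    # Same GET on VLAN 10: the tag shifts the payload 4 bytes and the fixed-offset DPI misses it.
    "http_get_tagged": ipv4_frame("10.0.0.9", "10.0.0.8", 6, 51003, 80, vlan_id=10,
                                  payload=b"GET / HTTP/1.1\r\n"),
}


def evaluate(filt: Optional[Filter] = None) -> Dict[str, bool]:
    filt = filt or build_filter()
    return {name: filt.passes(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:22s} {'permit' if verdict else 'deny'}")
```

Rule order matters in the same way it does on the switch: the management-VLAN deny sits first so the suspect host is still excluded there, and everything the rules do not name falls through to the default deny, which is the "nothing you don't" half of the slide title.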
Mitigation (PFS traffic conditioning)
• Cisco VN-Tag: the PFS strips the VN-Tag
• Cisco FabricPath: the PFS strips the FabricPath header
• Duplicate packets: the PFS deduplicates at L2 & L3

Summary
1. 3900 SERIES PFS OVERVIEW: improve visibility while controlling scale
2. DYNAMIC TARGETING: expedite incident response, especially after hours
3. FILTERING TOOLS: optimize monitoring tool performance
4. ADVANCED TIPS & TRICKS: traffic conditioning, metrics, load balancing, baselining

THANK YOU