Download the Presentation

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
Document related concepts

Computational fluid dynamics wikipedia , lookup

Traffic flow wikipedia , lookup

Transcript 
Security Monitoring
In Your Network
Strategies to Safeguard Your Network Using
NetScout’s 3900 Series Packet Flow Switch
Ray Jones
Director of Solutions Architecture and Field Enablement
A BAD YEAR for Cyber Security
 ENTERTAINMENT
 GOV’T & HEALTH CARE
 PLATFORM
 RETAIL
 FINANCIAL
Cyber Security Monitoring: Two Challenges
1. Obscurity
Protagonist often intentionally averts detection
2. Transience
Sequence of events may be difficult to reproduce
What you’ll learn today
AGENDA
3900 SERIES PACKET FLOW SWITCH INTRODUCTION
Extend visibility & take control of your monitoring environment
DYNAMIC TARGETING
Expedite & automate incident response
FILTERING TOOLS
Optimize Security monitoring tool performance
3900 SERIES
PACKET FLOW
SWITCH
INTRODUCTION
Scalable, flexible, feature rich.
nGenius 3900 Series Packet Flow Switch
Centralized Management
3903 Chassis
3901 Chassis
Up to 144 Ports
1/10 GbE + 12 Ports 40 GbE*
Up to 48 Ports
1/10 GbE + 4 Ports 40 GbE*
• 1RU modular switch
• Small single site or multi-site
deployments needing 16 to
48 ports
• 3RU modular switch
• Medium to large single site
or multi-site deployments
needing > 48 ports
• Pay-as-you-grow modules &
chassis
• Supports > 4000 ports with PFS
Management Software
• Large site deployments needing
>144 ports
* 100G Early Field Trial Available
nGenius 3900 Series Packet Flow Switch
Redundant Switch
Controllers
Redundant Ethernet
Management Ports
• Resides on each blade
• Automatic failover
Redundant AC/DC
Power Supplies
Serial Console Port
• Built-in GUI Management or PFS Management System
• 1U and 3U Base Chassis Options
• Modular + Stackable Monitoring Fabric Growth
• 1/10/40Gbps Native per Blade
• Full Line Rate, All-Inclusive Blade Based Features
• 100G Early Field Trial Available
Interface Blade
• FlexPorts supporting 1/10/40G
• Up to 48 x 1/10G per RU
• Up to 4 x 40G per RU
nGenius 3900 Series Packet Flow Switch
Full-Duplex 720Gbps
Line-rate Processing
*
*
Features on Blade
Scalable Up to 48 ports 1/10G, 4 x 40G per blade
*
Advanced Switching Engine
with Extensible Microcode
Industry Leading Low-latency (< 600ns Deterministic)
L2-L7 Filtering and Many-to-Any Aggregation
Load Balancing and Replication
Console
Source ID Tagging
Header Stripping
Packet Slicing/Truncation
Packet Deduplication
Time Stamping
16x 1G/10G
4x 40G
or
16x 1G/10G
Console Port Access
16x 1G/10G
nGenius 3900 Series Packet Flow Switch
Site A
Site B
Network
DYNAMIC
TARGETING
Ensuring rapid, reliable incident response.
Dynamic Targeting: Problem & Requirement
• Problem:
Security events may require
reactive changes to monitoring fabric.
• Requirement:
Implement dynamic, automated changes via secure management
channel.
Use Case: Targeted packet capture for suspect flows
Network
TAPs
PFS
Continuous
Monitoring
Escalation
Analysis
Site B
Site A
Use Case: Targeted packet capture for suspect flows
1.
Traffic flows through
TAPs to Sites A & B
Network
TAPs
1
PFS
Continuous
Monitoring
Escalation
Analysis
Site B
Site A
Use Case: Targeted packet capture for suspect flows
1.
2.
Traffic flows through
TAPs to Sites A & B
PFS steers traffic from
TAPs to Monitoring tools
Network
TAPs
PFS
Continuous
Monitoring
2
Escalation
Analysis
Site B
Site A
Use Case: Targeted packet capture for suspect flows
1.
2.
3.
Traffic flows through
TAPs to Sites A & B
PFS steers traffic from
TAPs to Monitoring tools
Monitoring tool detects
suspicious activity
Network
TAPs
Continuous
Monitoring
!!!
3
PFS
Escalation
Analysis
Site B
Site A
Use Case: Targeted packet capture for suspect flows
1.
2.
3.
4.
Traffic flows through
TAPs to Sites A & B
PFS steers traffic from
TAPs to Monitoring tools
Monitoring tool detects
suspicious activity
a) Script configures
packet flow switch
to target IP address
b) Script activates
Escalation Analysis tool
Network
TAPs
PFS
4a
Continuous
Monitoring
Escalation
Analysis
4b
Site B
Site A
Use Case: Targeted packet capture for suspect flows
1.
2.
3.
4.
5.
Traffic flows through
Network
TAPs to Sites A & B
PFS steers traffic from
TAPs to Monitoring tools
Monitoring tool detects
suspicious activity
a) Script configures
packet flow switch
to target IP address
b) Script activates
Escalation Analysis tool
PFS sends targeted traffic to
Escalation Analysis tool
TAPs
Continuous
Monitoring
PFS
5
Escalation
Analysis
Site B
Site A
Scripting for Dynamic Targeting
• Optimized
Management for
Monitoring Tools
nGeniusONE
Scripting for Dynamic Targeting
• Optimized
Management for
Monitoring Tools
• PFS Manager
for PFS
PFS
Manager
nGeniusONE
Scripting for Dynamic Targeting
nGenius PFS
Management Software
Administrator Guide
PFS
Manager
• SSH from
Client to PFS,
Monitoring Tools
SSH Client
Sample PFS SSH/CLI Script
def main():
client = paramiko.SSHClient()
client.load_system_host_keys()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
prompt = '=> '
hostname = '10.88.39.192' #Replace with actual IP address of PFS or PFS Mgmt Server
username = 'administrator' #Replace if you need to use a different user; normally "administrator" is correct
password = 'netscout1' #Replace with actual password
client.connect(hostname,int(22022),username,password) #Presumes that PFS CLI SSH uses default port 22022
interact = SSHClientInteraction(client,timeout=10,display=True)
interact.expect(prompt)
#
raw_input('Press Enter to continue')
interact.send("Add Rule 'Dynamic Target' 'permit ip && ip.addr==192.168.0.171'")
interact.expect(prompt)
cmd_output = interact.current_output_clean
interact.send("Add Rule 'Dynamic Target' 'permit ip && ip.addr==192.168.0.171'")
What should the system do?
Upon trigger detection:
1. Create Rule(s) based upon trigger, e.g., IP address
2. Create Filter(s) and assign Rule(s) to it
3. Connect Source Ports(s) via Filter(s) to
Destination Port(s)
4. Prepare Escalation Analysis platform.
Following “All Clear”:
5. Restore original configuration
Components of Dynamic Targeting
1. Preparation
Define/configure interfaces to PFS, Tools
2. Identification
Establish triggers for response
3. Response
Initiate changes to monitoring infrastructure
FILTERING
TOOLS
Everything you need, and nothing you don’t.
Filtering: Problem & Requirement
• Problem:
Cyber tools may become
congested by high traffic volumes
Total Network Activity
• Requirement:
Filter for traffic of interest,
expect to make changes later.
Traffic of Interest
Threat
Use Case: Limit traffic to necessary content
Network
Network
Network
Link Utilization 
Packet Rate 
CyberSecurity
Monitoring
!
Filtering Techniques
• Criteria
–
–
–
–
Layer 2: MAC, VLAN ID & Priority, Ethertype
Layer 3: IP address, Payload type
Layer 4: TCP/UDP Port, Protocol
DPI: Custom Mask & Offset
• Dimension
–
–
–
–
Direction: Side A v. Side B, Source v. Destination
Criteria: Permit v. Deny per Criterion
Range: Efficient Address Masking
Types: Connection v. Destination
Filtering Structure – Building Blocks
•
•
•
•
Criteria 
Rules 
Filter 
Topology
Flexible Filtering: Connection v. Destination
Filter on Connection
Filter at Destination
Dynamic Targeting: On-demand Filter creation
Network
• Both Connection
and Destination Filters
work for Dynamic Targeting
TAPs
PFS
• Filtering occurs in
hardware at line-rate
Continuous
Monitoring
Escalation
Analysis
• Filter changes are non-disruptive
(except adding a Connection Filter
into a Connection - obviously)
Site B
Site A
Traffic Conditioning: Problem & Requirement
• Problem:
Cyber Monitoring tool may be unable to parse
some packet headers, rendering payload analysis
impossible.
• Requirement:
Condition Traffic within the monitoring switch.
DPI Challenges for Legacy Cyber Tools
Technology
Cisco VN-Tag
Cisco FabricPath
InfiniStream
Legacy Cyber
Monitoring Tools
Parses header,
analyzes content
Possibly confused
by header,
cannot parse
traffic

Ignores duplicates
Duplicate packets

!
May report
false errors
!
Mitigation
 PFS strips
VN-Tag
 PFS strips
FabricPath
 PFS Dedups
at L2 & L3
Summary
1. DYNAMIC TARGETING
Expedite incident response, especially after hours
2. FILTERING TOOLS
Optimize monitoring tool performance
3. ADVANCED TIPS & TRICKS
Traffic Conditioning, Metrics, Load-Balancing, Baselining
Summary
1. 3900 SERIES PFS OVERVIEW
Improve visibility while controlling scale
2. DYNAMIC TARGETING
Expedite incident response, especially after hours
3. FILTERING TOOLS
Optimize monitoring tool performance
THANK
YOU
Related documents
Clin Lung Cancer. 2015 Mar 5. Bevacizumab, Pemetrexed, and
Clin Lung Cancer. 2015 Mar 5. Bevacizumab, Pemetrexed, and
Endometrial Cancer - Gold Coast Cancer Care
Endometrial Cancer - Gold Coast Cancer Care
Assessing the VALue of PROgression Free Survival (AVALPROFS)
Assessing the VALue of PROgression Free Survival (AVALPROFS)
fdg pet-ct response after neoadjuvant chemotherapy continues to
fdg pet-ct response after neoadjuvant chemotherapy continues to
Patient Benefit-Risk Preferences for Advanced Renal Cell
Patient Benefit-Risk Preferences for Advanced Renal Cell
2015 ASCO Annual Meeting
2015 ASCO Annual Meeting
E2112: A randomized phase III trial of endocrine therapy plus
E2112: A randomized phase III trial of endocrine therapy plus
here - ENS@T
here - ENS@T
H37-R38 - Uplift Mighty Prep
H37-R38 - Uplift Mighty Prep
Phase III clinical trials: objectives, hypothesis and design
Phase III clinical trials: objectives, hypothesis and design
PART III: CONSUMER INFORMATION ADRIAMYCIN® PFS
PART III: CONSUMER INFORMATION ADRIAMYCIN® PFS