Flow-based Anomaly Detection - How and Why It Works Rev1 5

Date post: 11-Nov-2015
Description:
Lancope, Inc. – Company Confidential – All Rights Reserved. Flow-based Anomaly Detection: How and Why it Works. Presenter: David Salter.
Transcript
The War Against Worms: A Study of Network Behavioral Anomaly Detection Techniques
Presenter: David Salter
*
NETWORK ANOMALY DETECTION USING FLOWS
The Challenge in securing the network:
Traditional solutions require in-line devices and/or host-based agents.
Signature and pattern matching technologies only protect the network from known threats.
In-line devices can impact throughput.
*
NETWORK ANOMALY DETECTION USING FLOWS
Based on analysis of “flow” data (statistics, changes in behaviour)
sFlow (Extreme, HP Procurve, Foundry)
NetFlow (Cisco, Juniper)
Perfect complement to existing security and network management technologies
Designed primarily for internal network deployments (but can exist at the perimeter if necessary)
*
COLLECTING FLOW DATA FROM ROUTERS AND SWITCHES
[Diagram: a central Flow Collector receiving flow exports from the Sales, Servers, Marketing, Remote Sites, Remote Users and Extranet segments]
Monitoring remote sites is costly. The classic deployment model would have an IDS/IPS device at every remote location, especially in MPLS meshed environments where there is no single chokepoint.
*
WHAT IS NETFLOW?
[Figure: NetFlow packet header layout]
WHAT IS SFLOW?
Almost all Foundry products support sFlow, as do Extreme and HP.
sFlow includes payload
1 in N packets are sent from the switch to the flow collector
Statistical scaling is used to recover the actual network traffic patterns from the sFlow samples
The more samples, the more accurate analysis becomes
Duplicate sFlow PDUs must be handled and removed
*
CONFIGURING NETFLOW AND SFLOW
sFlow (switch CLI):
interface> sflow forwarding
config> sflow sample 128
config> sflow polling-interval 30
NetFlow (Cisco IOS router, per interface):
router(config-if)# ip route-cache flow
NETFLOW IMPACT ON THE ROUTER (CPU)
Check on current router CPU utilization*
* NetFlow v5 adds approximately 10% to overall CPU
*
NETFLOW IMPACT ON THE NETWORK (BANDWIDTH)
[Chart: NetFlow export bandwidth against Number of active flows and Flows per second (fps)]
*
VIEWING THE ROUTER NETFLOW CACHE DIRECTLY
[Screenshot: router NetFlow cache output with a worm-infected host highlighted]
CAPTURING AND VIEWING NETFLOW PACKETS: FLOW-TOOLS
[Screenshot: flow-tools output annotated with the start and end times, pkts and bytes columns]
DATA REDUCTION: FLOW NORMALIZATION
2. Two NetFlow records are exported from the router…
3. StealthWatch associates the two NetFlow records, building one stateful entry…
[Figure: sample flow records from Flow4.csv, dated 3/25/01 9:04]
CHALLENGES WITH FLOW-BASED MONITORING
No payload data (must rely on statistics; not so easy)
Requires that all routers are NTP-synchronized and share similar settings (for proper security processing)
Implementations vary from vendor to vendor
*
BEHAVIOR-BASED FLOW ANALYSIS FUNCTIONAL OVERVIEW
[Diagram: processing pipeline: Collect, Deduplicate, and Process Flow Statistics → Apply … → Send SYSLOG, SNMP, and Emails / Perform Mitigation Action / Display in UI]
IF WE DON’T HAVE PAYLOAD, HOW DO WE DETECT ATTACKS?
Look for patterns of behaviour in flow traffic…
One host contacting large numbers of other hosts in a short time frame (P2P applications, worms)
Long flow durations (VPNs, covert channels)
Unauthorized ports in use (rogue servers, applications)
Bandwidth anomalies (DoS, warez servers)
Unauthorized communications (VPN host talking to accounting server)
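As an added example (not Lancope's or StealthWatch's code), the Python below does the flow normalization of the DATA REDUCTION slide, pairing two unidirectional NetFlow records into one stateful entry after dropping duplicate exports, and then applies the first pattern above, one host contacting many others in a short window, to a constructed record set. The record layout, the client/server heuristic and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample of unidirectional NetFlow-style records (not real captures):
# (start, end, src, sport, dst, dport, proto, pkts, bytes); times are seconds.
RECORDS = [
    (0, 5, "10.1.1.20", 51000, "10.1.2.10", 80, 6, 12, 1500),  # client -> web server
    (0, 5, "10.1.2.10", 80, "10.1.1.20", 51000, 6, 10, 9000),  # web server -> client
    (0, 5, "10.1.2.10", 80, "10.1.1.20", 51000, 6, 10, 9000),  # same record exported twice
] + [  # 10.1.1.5 touching seven hosts on 445 in seven seconds, one packet each, no replies
    (t, t, "10.1.1.5", 40000 + t, f"10.1.3.{t}", 445, 6, 1, 60) for t in range(1, 8)
]

def normalize(records):
    """Drop duplicate exports, then pair each A->B record with its B->A twin into
    one stateful bidirectional entry. The side that started first is the client;
    on a tie, the side with the lower port is treated as the server (assumed heuristic)."""
    by_key = {}
    for r in dict.fromkeys(records):  # dict preserves order and removes exact duplicates
        key = tuple(sorted([(r[2], r[3]), (r[4], r[5])])) + (r[6],)
        by_key.setdefault(key, []).append(r)
    flows = []
    for recs in by_key.values():
        recs.sort(key=lambda r: (r[0], r[3] < r[5]))  # earliest, then higher source port first
        first = recs[0]
        entry = {"start": min(r[0] for r in recs), "end": max(r[1] for r in recs),
                 "client": first[2], "server": first[4], "server_port": first[5],
                 "proto": first[6], "client_pkts": 0, "client_bytes": 0,
                 "server_pkts": 0, "server_bytes": 0}
        for r in recs:
            side = "client" if r[2] == entry["client"] else "server"
            entry[side + "_pkts"] += r[7]
            entry[side + "_bytes"] += r[8]
        flows.append(entry)
    return flows

def fan_out(flows, window=60, threshold=5):
    """Flag clients that contact more than `threshold` distinct server hosts within
    `window` seconds: the 'one host contacting many hosts' pattern listed above."""
    by_client = defaultdict(list)
    for f in flows:
        by_client[f["client"]].append((f["start"], f["server"]))
    alerts = {}
    for client, seen in by_client.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            peers = {s for t, s in seen[i:] if t - t0 <= window}
            if len(peers) > threshold:
                alerts[client] = max(alerts.get(client, 0), len(peers))
    return alerts
```

The merged web flow keeps per-direction packet and byte counts (12/1500 from the client, 10/9000 from the server) with the duplicate export counted once, and the probing host is reported with the seven distinct peers it touched.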
*
BENEFIT: ENTERPRISE-WIDE VISIBILITY
“Flows” provide total visibility across a wide network range by collecting data from routers in varying locations. This gives StealthWatch total supervision over the network and provides an ability to track behavior throughout the network, from start to end.
*
BENEFIT: ENTERPRISE WIDE VISIBILITY IN ACTION
*
BENEFIT: LIGHT-WEIGHT, EASY TO DEPLOY
[Diagram, first slide: classic deployment, 2 IDP/IPS Sensors Required plus 12 IDS/IPS Sensors Required. Second slide: flow-based deployment, 2 IDP/IPS Sensors Required plus 1 NetFlow Collector Required]
BENEFIT: POWERFUL LOGGING AND FORENSICS
[Screenshot: spreadsheet (Sheet1) of logged flow records]
INFRASTRUCTURE IPS: HOW IT WORKS
[Diagram: network segment labelled Sales]
NETWORK TRAFFIC ANALYSIS AND VISUALIZATION
[Screenshot: visualization of Flow Records]
SUMMARY
Flow analysis provides powerful forensics, auditing, and attack detection capability without the need for additional hardware or software updates.
Both open-source and commercial products are available for analyzing Flow data.
*
Thank you
[Residual table column headers from the logging and forensics slide: Start Time, Client Host, Server Host]
