Date posted: 22-Oct-2014 | Category: Technology
www.wildpackets.com © WildPackets, Inc.
Show us your tweets! Use today’s webinar hashtag:
#wp_networkforensics with any questions, comments, or feedback.
Follow us @wildpackets
Jay Botelho
Director of Product Management
WildPackets
Follow me @jaybotelho
Network Forensics
for Wired and Wireless Networks
© WildPackets, Inc. #wp_forensics Network Forensics for Wired and Wireless Networks
Administration
• All callers are on mute
‒ If you have problems, please let us know via the Chat window
• There will be Q&A
‒ Feel free to type a question at any time
• Slides and recording will be available
‒ Notification within 48 hours via a follow-up email
Agenda
• What Is Network Forensics?
• Myths/Realities in Network Forensics
• Configuring Your Network for Forensics
• Wired vs. Wireless Network Forensics
• Use Cases
• Performing Forensic Analysis
• WildPackets Corporate Overview
• WildPackets Product Line Overview
What Is Network Forensics?
What Is Network Forensics?
• Marcus Ranum is credited with defining network forensics as “the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.” (Wikipedia)
• It’s not like TV – employ forensics before the “crime”: network traffic is transmitted and then lost, leaving no clues behind
• Other names: packet mining, packet forensics, digital forensics
What Purpose Does It Serve?
• Allows us to find the details of network events after they have happened
• Eliminates the need to reproduce network problems
• Distills data to manageable levels by employing filters and analysis
Network vs. Security Forensics
• Network forensics is a superset of security forensics
• Forensics is not just DPI (Deep Packet Inspection)
• Requires the lossless capture, storage, and analysis of extremely large data volumes
• Network forensics: enterprise vs. lawful intercept
‒ Concerned with the process of reconstructing a network event
  • Network or infrastructure outage
  • Intrusion such as a “hack” or other penetration
‒ Provides a recording of the actual incident
• Based on live IP packet data captures
‒ A new way of looking at trace file analysis
‒ Continues from where traditional network troubleshooting ends
Network Forensics Drivers
• Faster networks/greater data volumes
‒ 10/40G adoption grew 62% in 2012
‒ 75% of the investments in networking are for 10G [1]
• Richer data
• Subtler and more malicious security threats
‒ Zero-day attacks
‒ APTs (Advanced Persistent Threats)
‒ 75% of data breaches financially motivated
‒ 66% of breaches took months or longer to discover [2]
• Sampled data and high-level stats
‒ Flow-based network monitoring vs. detailed DPI analysis
[1] http://www.infonetics.com/pr/2013/2H12-Networking-Ports-Market-Highlights.asp
[2] http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf
Why Forensics?
• Validate what your logs are telling you
• Generate alarms/alerts on data you’ll never find in logs
• Invest time analyzing, not reproducing
• Immediately begin investigating the issue – you have a recording of the incident!
• Isolate key data – from multi-TB archives – rapidly and intuitively
• Understand the depth of penetration for any incident
Myths/Realities in Network Forensics
Network Forensics
• 85% – the number of respondents that feel network forensics is a necessity at 10G
• 31% – the number who are using network forensics at 10G
Source: The State of Faster Networks, WildPackets, Oct 2013
Network Forensics Usage
Pie chart (figure): 28%, 36%, 24%, 12%, with the segments: for security purposes; for monitoring intermittent network issues; for monitoring intermittent application issues; for 24/7 transaction analysis
Source: The State of Faster Networks, WildPackets, Oct 2013
Challenges with Network Forensics
The State of Faster Networks, WildPackets, Oct 2013
10G – Driving Network Forensics Usage
Source: The State of Faster Networks, WildPackets, Oct 2013
100 participants. Company size: 43% large organizations, 26% medium, 31% small
Functional breakdown: 84% network engineer, 15% IT director, 1% executive
The Implications of Doing Nothing
• 64% of organizations reported that managing network performance has become more complex over the last 12 months
• Organizations are losing on average $72,000 per minute of unplanned network downtime
• 48% of organizations reported that, on average, they spend more than 60 minutes on repairing performance issues – per incident
Configuring Your Network for Forensics
Requirements for a Network Forensics Solution
• Capturing and recording data
‒ 10/40G network support
‒ No dropped packets – 100% fidelity
‒ Continuously available
‒ Always test in your environment
• Discovering data
‒ Timely results delivery
‒ Filtering for IP addresses, applications, etc.
• Analyzing data
‒ Automated analysis – Expert events
‒ Simple, intuitive workflow
‒ Data visualization from multiple perspectives
10G Network Analysis Workflow
Flowchart: Identify Key Analysis Points → Deploy 24x7 Monitoring → Alarms/Alerts → Problem? (NO / YES) → Rewind Data → Analyze → Tune if Necessary
A Solution for Every Network
Data Capture from High-Speed Links
Forensic Analysis – Capturing An Attack
Diagram (IDS/IPS system, data recorder, servers):
1. Attack bypasses firewall
2. Data Recorder records and aggregates data throughout attack
3. Event logged, attack partially tracked by IDS
4. Post-event analysis reveals attacker, method, damage!
10G Network Data Storage
• 1Gbps steady-state traffic, assuming no storage overhead:
‒ 7.68 GB/min
‒ 460 GB/hr
‒ 11 TB/day
‒ 2.9 days in a 32TB appliance
• 10Gbps:
‒ 76.8 GB/min
‒ 4.6 TB/hr
‒ 110 TB/day
‒ 28 hours in a 128TB appliance
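The storage arithmetic above as a small planner, added here as a worked example (not WildPackets code and not from the deck): it reproduces the slide's 1 Gbps and 10 Gbps figures and goes beyond them to cover link utilization below 100%, the per-packet record header of a pcap-style recorder, and the capacity needed to retain a given number of days, the question that matters when breaches take months to discover. The recorder file format and the 30% utilization figure are assumptions.

```python
"""Capture-to-disk storage planner for a continuous packet recorder.

Added worked example, not WildPackets code. Reproduces the deck's 1 Gbps and
10 Gbps storage figures, then adds what the slide leaves out: link utilization
below 100%, the per-packet record header of a pcap-style recorder (assumed
here; the appliances' own on-disk format is not described in the deck), and the
capacity needed to keep a given number of days of history.
"""
from dataclasses import dataclass
from typing import Optional

PCAP_RECORD_HEADER = 16   # bytes libpcap prepends to every stored packet (assumed format)
WIRE_ONLY_OVERHEAD = 20   # preamble + SFD + inter-frame gap: on the wire, never stored


def wire_bytes_per_second(gbps: float, slide_convention: bool = True) -> float:
    """Frame bytes per second at line rate.

    The deck's 7.68 GB/min for 1 Gbps only works out if 1 Gbps is taken as
    1024 Mbps (128 MB/s) while storage is counted in decimal GB; that is the
    default here. slide_convention=False uses strict decimal (125 MB/s per Gbps).
    """
    bits_per_gbit = 1024 * 1_000_000 if slide_convention else 1_000_000_000
    return gbps * bits_per_gbit / 8


def stored_bytes_per_second(gbps: float, avg_packet_bytes: Optional[int] = None,
                            slide_convention: bool = True) -> float:
    """Bytes actually written to disk per second at full utilization."""
    wire = wire_bytes_per_second(gbps, slide_convention)
    if avg_packet_bytes is None:          # the slide's "no storage overhead" case
        return wire
    # Packets per second the link carries once preamble/SFD/IFG are counted;
    # each stored packet then carries the pcap record header instead of those bytes.
    pps = wire / (avg_packet_bytes + WIRE_ONLY_OVERHEAD)
    return pps * (avg_packet_bytes + PCAP_RECORD_HEADER)


@dataclass(frozen=True)
class StoragePlan:
    gb_per_minute: float
    tb_per_hour: float
    tb_per_day: float
    retention_hours: float


def plan(gbps: float, appliance_tb: float, utilization: float = 1.0,
         avg_packet_bytes: Optional[int] = None, slide_convention: bool = True) -> StoragePlan:
    """How fast the appliance fills and how long its recording window is."""
    bps = stored_bytes_per_second(gbps, avg_packet_bytes, slide_convention) * utilization
    gb_per_minute = bps * 60 / 1e9
    tb_per_hour = gb_per_minute * 60 / 1000
    return StoragePlan(gb_per_minute, tb_per_hour, tb_per_hour * 24,
                       appliance_tb / tb_per_hour)


def storage_tb_for_retention(gbps: float, days: float, utilization: float = 1.0,
                             avg_packet_bytes: Optional[int] = None) -> float:
    """Capacity needed to keep `days` of history, e.g. to still hold the start of a breach."""
    return plan(gbps, 1.0, utilization, avg_packet_bytes).tb_per_day * days


if __name__ == "__main__":
    for gbps, tb in ((1, 32), (10, 128)):          # the two cases on the slide
        p = plan(gbps, tb)
        print(f"{gbps:>2} Gbps: {p.gb_per_minute:.2f} GB/min, {p.tb_per_hour * 1000:.0f} GB/hr, "
              f"{p.tb_per_day:.1f} TB/day -> {tb} TB appliance lasts {p.retention_hours:.1f} h")
    # A more realistic link: 10 Gbps at 30% average utilization (assumed), 30 days kept
    print(f"30 days at 10 Gbps, 30% utilization: {storage_tb_for_retention(10, 30, 0.3):.0f} TB")
```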
Wired vs. Wireless Network Forensics
802.11ac – Breaking the Gigabit Barrier
Chart of peak data rates by generation (percentages relative to the previous generation):
• <1 Mbps – Proprietary
• 1–2 Mbps – 802.11 (1997) – 100%
• 11 Mbps – 802.11b – 550%
• 54 Mbps – 802.11g/a – 490%
• 300/450/600 Mbps – 802.11n – 833%
• 433/866/1300+ Mbps (to 6.93 Gbps) – 802.11ac – 288% (vs. 450)
Timeline: 1989, 1991, 1999, 2003, 2009, 2013
Source: Farpoint Group
Additional Drivers for Wireless Forensics
• BYOD
‒ No configuration control
‒ Limited or no access to the end-user device
‒ Problems reported “after the fact”
• Point-of-presence required
‒ Wireless data must be captured within a few hundred feet of the device
‒ Vastly more collection points than for wired forensics
• Data volumes that rival wired data
‒ 1.3Gbps will be common with 802.11ac
‒ Mobile devices outnumbering wired devices
Wireless Forensics Solution
• As wireless approaches wired speeds, it’s time to start relying on the wire
• Distributed analysis using deployed assets – APs – is the only effective solution as wireless speeds grow
• 24/7 capture/analysis ensures problems aren’t missed
• Recording enables wireless forensic analysis
Wireless Forensics Benefits
• Reduce MTTR
‒ No need to reproduce a problem
‒ No need to wait for it to happen again
• Increase WLAN service uptime
‒ WLANs are now mission-critical
‒ Mobility implies you won’t be near the problem
• Prioritize analysis tasks
‒ Deal with emergencies immediately
‒ Handle routine investigations as time permits
‒ Save data for long-term analysis
• Reduce reaction time
‒ Data are always available for analysis
• Reduce analysis costs
‒ A single solution for wireless and wired analysis
Use Cases
Use Cases for Network Forensics
• Finding proof of a security attack
• Troubleshooting intermittent performance issues
• Monitoring user activity for compliance with IT and HR policies
• Identifying the source of data leaks
• Monitoring business transactions
• Verifying VoIP and video over IP performance
Best Practices for Network Forensics
Capturing Network Traffic
1. Capture traffic continuously
2. Deploy a solution that captures traffic reliably
3. Set up filters to catch anomalies
Storing Traffic
4. Allocate sufficient storage for the volume of data being collected
5. Adjust file sizes for the desired performance optimization
Analyzing Traffic
6. Select a network forensics solution that supports filters and searches that are fast, flexible, and precise
7. Record baseline measurements of network performance
8. Use filters to zoom in on the problem at hand
Performing Forensic Analysis
WildPackets – The Network Forensics Myth Buster
Myths busted:
• Can’t analyze at 10G line rate
• Dropped packets
• Captured data is not reliable
• Inability to collect packets at all network locations
• Inadequate real-time stats
• Real-time analysis no longer an option
• Limited visibility into VoIP
• Inability to analyze/search recorded traffic
• No end-to-end visibility into application transactions
• Limitations in security monitoring
Q&A
Follow us on SlideShare! Check out today’s slides on SlideShare
www.slideshare.net/wildpackets
WildPackets Corporate Overview
Optimizing Network and Application Performance
Corporate Background
• Experts in network monitoring, analysis, and troubleshooting
‒ Founded: 1990 / Headquarters: Walnut Creek, CA
‒ Offices throughout the US, EMEA, and APAC
• Customers spanning leading-edge organizations
‒ Mid-market and enterprise lines of business
‒ Financial, manufacturing, ISPs, major federal agencies, state and local governments, universities
‒ Over 7,000 customers / 60+ countries / 80% of Fortune 1,000
• Award-winning solutions that improve network performance
‒ Internet Telephony, Network Magazine, Network Computing awards
‒ United States Patent 5,787,253 issued July 28, 1998: “Apparatus and Method of Analyzing Internet Activity”
Why Our Customers Need Us
• VoIP, video, cloud, virtualization, and key business applications are saturating critical network services
• Evolving network technologies create discontinuities
‒ 1 Gig → 10 Gig → 40 Gig → 100 Gig networks
‒ Wireless, BYOD initiatives
• Users and business cannot tolerate network problems for mission-critical services
Increasing demand for better real-time network visibility, network analytics, network forensics, and DPI
How We Create Value
We provide innovative, industry-leading, real-time network performance management solutions
‒ Easy-to-use, easy-to-learn user interface
‒ Uniquely extensible solutions
‒ Wireless network leadership
‒ Detailed analytics related to network applications
‒ Fastest network traffic capture appliance in its class
‒ Technical superiority at competitive price point
WildPackets has continually advanced its solution to meet the needs of its customers
Unprecedented Network Visibility
ROOT-CAUSE ANALYSIS: OmniPeek network analyzer performs deep packet inspection and can reconstruct all network activity, including e-mail and IM, as well as analyze VoIP and video traffic quality.
PINPOINT NETWORK ISSUES ANYWHERE: Omnipliance Portable can rapidly identify and troubleshoot issues before they become major problems – wired or wireless – down the hall or across the globe.
UNDERSTAND END-USER PERFORMANCE: Omnipliance network analysis and recorder appliances monitor and analyze performance across critical network segments, virtual environments, and remote sites.
NETWORK HEALTH: WatchPoint can manage and report on key device performance and availability across the entire network, from anywhere on the network.
(Diagram labels: GLOBAL, DISTRIBUTED, PORTABLE, DPI)
A History of Innovation
2001: First 802.11 wireless analyzer; first network analyzer with automated expert analysis
2003: Distributed real-time troubleshooting
2005: Combined distributed network and VoIP network analysis
2008: Enterprise-wide monitoring and reporting
2009: Innovative dashboard with drill-down for VoIP and video
2010: First to achieve 11 Gbps sustained capture-to-disk
2011: Total visibility with zero packet loss; first wireless network analyzer to support capture and analysis of 802.11n 3-stream wireless
2012: Capture, record, and analyze from 40G network segments; first wireless network analyzer to support 802.11ac, k, r, u, v, w
2013: Industry-leading network analysis and recorder appliances
Product Line Overview
Omni Distributed Analysis Platform
OmniPeek Enterprise Packet Capture, Decode and Analysis
• Ethernet, 1/10 Gigabit, 802.11, and voice and video over IP
• Portable capture and OmniEngine console
• Aggregate analysis data across multiple capture points
Omnipliance Network Analysis and Recorder Appliances
• High-performance packet capture and real-time analysis
• Stream-to-disk for forensics analysis
• Integrated OmniAdapter network analysis cards up to 40G
WatchPoint Centralized Enterprise Network Monitoring Appliance
• Aggregation and graphical display of network data
• WildPackets OmniEngines
• NetFlow and sFlow
Omni Distributed Analysis Platform Software and Turnkey Solutions
• Enterprise monitoring and reporting
‒ WatchPoint Server
‒ OmniFlow, NetFlow, and sFlow Collectors
• Network Analysis and Recorder Appliances
‒ Omnipliance CX, MX, TL
‒ Optional OmniStorage
‒ OmniAdapter analysis cards
• Distributed analysis software
‒ OmniPeek – Enterprise, Professional, Basic, Connect
‒ OmniPeek Remote Assistant
‒ OmniEngine Enterprise
• Portable solutions
‒ OmniPeek network analyzer
‒ Omnipliance Portable
OmniPeek Network Analyzer
• Distributed analysis manager
– Connect to and configure distributed OmniEngines and Omnipliances
• Comprehensive dashboards present network traffic in real-time
– Vital statistics and graphs display trends on network and application
performance
– Visual peer-map shows conversations and protocols
– Intuitive drill-down for root-cause analysis of performance bottlenecks
• Visual Expert diagnosis speeds problem resolution
– Packet and payload visualizers provide business-centric views
• Automated analytics and problem detection 24/7
– Easily create filters, triggers, scripting, advanced alarms, and alerts
OmniPeek Remote Assistant – Distributed, End-user Packet Capture Made Simple
• Simple to deploy, simple to use
‒ Remote push, download from server, or even
‒ Simple user interface – eliminates confusion for end user
‒ Full fidelity capture – see exactly what the PC sees
‒ Wired or wireless
• Encrypted file
‒ Only the analyst can open it
‒ Different encryption keys for different locations or customers
• Detailed client-side/end-user experience analysis
• Perfect for Tech Support or IT Desktop support
Scenario: Trouble call from remote site – network response is slow. User downloads and installs OmniPeek Remote. Encrypted capture data sent back for analysis. Network analyst uses OmniPeek Enterprise to quickly troubleshoot problem without leaving the office.
OmniWiFi USB WLAN Capture Adapter
• A single device for all WLAN packet capture needs
• Driver included with Omni v7.9 CDs
• Tested and supported with OmniPeek and OmniEngine
• Product features:
‒ USB device with extension cable
‒ Dual band operation – 2.4GHz and 5GHz
‒ Supports all standard international 802.11 channels (a/b/g/n)
‒ Supports 802.11n – 3 transmit/receive streams (450Mbps)
‒ Supports 802.11n 20MHz and 40MHz channel operation
‒ Supports multi-channel aggregation and roaming
• Technical details:
‒ Size (L×W×H): 6 inches × 1.5 inches × 5.5 inches
‒ Weight: 5.6 ounces
• Available via Amazon – $99/each
NOTE:
• Capture ONLY – no network services
• Does not capture 802.11ac
New Network Analysis and Recorder Appliances
Powerful. Precise. Affordable.
The new family of WildPackets Network Analysis and Recorder appliances gives IT organizations powerful and precise analysis of high-speed networks in an affordable solution with half the hardware footprint of rival offerings.
Powerful
‒ Fastest network recorder in its class! Captures up to 20Gbps of real-world traffic (all size packet distribution)
‒ Scales up to 128 TB of storage
‒ Provides simultaneous real-time analysis and a comprehensive Forensic Search that rapidly searches through terabytes of captured traffic for the details relevant to an investigation
Precise
‒ Captures complete network traffic, so you can analyze everything, not just samples or high-level statistics
‒ Doesn’t drop packets or sacrifice accuracy for speed
‒ Supports rich, detailed analysis, including VoIP and video-over-IP traffic
Affordable
‒ Delivers outstanding price/performance (lower price; half the rack space)
‒ Allows a mix of 1G/10G/40G interfaces without buying extra appliances
‒ Solutions start at $16,995
Your network is bigger and faster. Now your analysis solution is, too.
Omnipliance TL – Industry Leading Network Analysis and Recorder Appliance
• Sets a new standard in capture-to-disk speeds
‒ 20Gbps sustained capture-to-disk rate with zero packet drop
• Best price/performance network analysis appliance in the market
‒ 20Gbps with only one Omnipliance TL + OmniStorage
‒ Consumes less rack space, less cooling, less electrical power
• Most flexible network interface offering
‒ 1G/10G/40G interfaces supported in a single unit eliminates additional unit requirement
• Most accurate real-time analytics
‒ Packet-based processing and analysis vs. inaccurate sample-based calculation
WildPackets Network Analysis Recorder Appliances – Price/Performance Solutions for Every Application
Portable – Ruggedized troubleshooting
‒ Aluminum chassis / 17” LCD
‒ 24GB RAM
‒ 2 PCI-E slots
‒ 2 built-in Ethernet ports
‒ 6TB storage
‒ OmniAdapter 1G and 10G
‒ 6.5Gbps CTD
Omnipliance CX – Less demanding networks, remote offices
‒ 1U rack mountable chassis
‒ 16GB RAM
‒ 2 PCI-E slots
‒ 2 built-in Ethernet ports
‒ 4/8/16TB storage
‒ OmniAdapter 1G/10G MX
‒ 3.8Gbps CTD
Omnipliance MX – Datacenter workhorse, easily expandable
‒ 3U rack mountable chassis
‒ 32GB RAM
‒ 4 PCI-E slots
‒ 2 built-in Ethernet ports
‒ 16/32TB storage
‒ OmniAdapter 1G/10G MX
‒ 8.8Gbps CTD
Omnipliance TL – Enterprise, highly-utilized networks
‒ 3U rack mountable chassis
‒ 64GB RAM
‒ 4 PCI-E slots
‒ 2 built-in Ethernet ports
‒ 32/48/64TB storage; optional OmniStorage 32/48/64TB, up to 128TB total storage
‒ OmniAdapter 1G/10G/40G
‒ 20Gbps CTD with OmniStorage
(CTD = capture-to-disk)
WatchPoint – Centralized Monitoring for Distributed Enterprise Networks
• High-level, aggregated view of all network segments
– Monitor per campus, per region, per country
• Wide range of network data
– NetFlow, sFlow, OmniFlow
• Web-based, customizable network dashboards
• Flexible detailed reports
• Direct link to detailed, packet-based analysis
Comprehensive Support and Services
Standard Support
‒ Maintenance and upgrades
‒ Telephone and email contacts
‒ Knowledgebase
‒ MyPeek Portal
Premier Support
‒ 24 x 7 x 365
‒ Dedicated escalation manager
‒ 2 customer contacts per site
‒ Plug-in reconfiguration assistance
WildPackets Training Academy
‒ Public, web-based, and on-site classes
‒ Complete curriculum: technology and product focused
‒ Practical applications and labs covering network analysis, wireless, VoIP monitoring and advanced troubleshooting
Consulting and Custom Development Services
‒ Deployment, configuration, and assessment engagements
‒ Systems integration and testing
‒ Application integration, driver, decode, interface development
WildPackets Key Differentiators
• Visual Expert intelligence with intuitive drill-down
– Let the computer do the hard work and return results in real time
– Packet/payload visualization is faster than packet-per-packet diagnostics
– Experts and analytics can be memorized and automated
• Automated capture analytics
– Filters, triggers, scripting, and advanced alarming system combine to provide automated network problem detection 24x7
• Multiple-issue network forensics
– Can be tracked by one or more people simultaneously
– Real-time or post-capture
• User-extensible platform
– Plug-in architecture and SDK
• Aggregated network views and reporting
– NetFlow, sFlow, and OmniFlow
24x7 Network Monitoring,
Analysis, and Troubleshooting
Thank You!
WildPackets, Inc.
1340 Treat Boulevard, Suite 500
Walnut Creek, CA 94597
(925) 937-3200