www.wildpackets.com © WildPackets, Inc.
Jay Botelho
Director of Product Management
WildPackets
Follow me @jaybotelho
Network Forensics
Your Only Choice at 10G
Show us your tweets! Use today’s webinar hashtag:
#wp_netforensics with any questions, comments, or feedback.
Follow us @wildpackets
© WildPackets, Inc. Network Forensics – Your Only Choice at 10G
Agenda
• Defining Network Forensics
• Key Technologies
• Network Forensics and Security
• Network Forensics and Network Performance/Analysis at 10G
‒ Capturing the right data
‒ The role of real-time analysis
‒ Identifying problem areas
‒ Root-cause analysis
• Company Overview
• Product Line Overview
Defining Network Forensics
What is Network Forensics ?
• Network forensics is capturing, storing, and
analyzing network data
• It’s not like TV – employ forensics before the crime
• Marcus Ranum is credited with defining Network Forensics as "the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents." (Wikipedia)
• Network traffic is transmitted and then lost, making
network forensics a must
• Other names: packet mining, packet forensics, digital
forensics
What Purpose Does It Serve ?
• Allows us to find the
details of network events
after they have happened
• Eliminates the need to
reproduce network
problems
• Distill data to manageable
levels by employing
filters and analysis
The Network Time Machine
Why Do We Need It ?
• Tuning of intrusion detection solutions
• Identify security breaches: log files can be altered or deleted by an attacker, so
network-based evidence might be the only evidence available for forensic analysis
• Execute lawful intercept requests,
including reconstruction
• Stop network hacks or viruses
• Identify rogue device access to the
network
• Enforce corporate compliance
policies
• Improve network performance
Key Technologies
Typical Network Forensic Analysis
• Requires the lossless capture, storage and analysis of extremely large data volumes
• Focus on Enterprise vs. Lawful Intercept usage
‒ Concerned with the process of reconstructing a network event
  ‒ Intrusion such as a "hack" or other penetration
  ‒ Network or infrastructure outage
‒ Provides a recording of the actual incident
• Based on live IP packet data captures
‒ A new way of looking at trace file analysis
‒ Continues from where traditional network troubleshooting ends
10G Provides Unique Challenges
• Traditional NICs are not up to the task
• Processing power is a limiting factor
• Storage capacity is a limiting factor
• I/O bus and disk write speeds are a limiting factor
• 10G forces clarity in analysis
• At 10G, it truly is looking for a needle in a haystack
• "Line rate" – be wary of that claim!
"Packet-based PM tools remain the only truly effective approach to definitive
monitoring and definitive troubleshooting."
– Jim Frey, Enterprise Management Associates, Inc., July 2010
10G Network Data Capture
10G Network Data Storage
• Steady-state traffic at full line rate, assuming no capture or storage overhead
(decimal units, 32 TB appliance):

Link rate   Per minute   Per hour   Per day   Retention in a 32 TB appliance
1 Gbps      7.68 GB      460 GB     11 TB     2.9 days
10 Gbps     76.8 GB      4.6 TB     110 TB    7.0 hours
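The retention figures above can be recomputed for your own link rate, average utilization and appliance size with the small capacity-planning script below. It is an added example, not code from WildPackets or from the webinar. The 16-byte per-packet record header is that of the classic libpcap file format and the 20 bytes of preamble plus inter-frame gap are standard Ethernet; the link rates, utilization and frame size passed in are assumptions for illustration.

```python
"""Packet-recorder capacity planning: how long does a given disk hold a link's traffic?

Added example (not from the webinar). Storage sizes are decimal (1 TB = 10^12 bytes),
as in the appliance figures above. The deck's own numbers assume 100% utilization and
no capture overhead, which is the default here.
"""

PCAP_RECORD_HEADER = 16      # bytes per packet in the classic libpcap file format
ETHERNET_WIRE_OVERHEAD = 20  # preamble (8) + inter-frame gap (12): line time, never captured


def stored_bytes_per_second(link_bps, utilization=1.0, avg_frame_bytes=None,
                            record_header_bytes=0):
    """Bytes the recorder must write per second.

    With avg_frame_bytes=None the estimate is simply the wire rate (the deck's assumption).
    Otherwise the preamble/IFG that is never captured is removed from the wire rate and a
    per-packet file-format header (e.g. PCAP_RECORD_HEADER) is added back.
    """
    wire_bytes_per_s = link_bps / 8.0 * utilization
    if avg_frame_bytes is None:
        return wire_bytes_per_s
    packets_per_s = wire_bytes_per_s / (avg_frame_bytes + ETHERNET_WIRE_OVERHEAD)
    return packets_per_s * (avg_frame_bytes + record_header_bytes)


def tb_per_day(link_bps, **kw):
    """Terabytes written per 24 hours."""
    return stored_bytes_per_second(link_bps, **kw) * 86400 / 1e12


def retention_hours(storage_tb, link_bps, **kw):
    """Hours of traffic a storage_tb appliance holds before it must wrap or stop."""
    return storage_tb * 1e12 / stored_bytes_per_second(link_bps, **kw) / 3600


if __name__ == "__main__":
    for label, bps in (("1 Gbps", 1e9), ("10 Gbps", 10e9)):
        print(f"{label}: {tb_per_day(bps):5.1f} TB/day, "
              f"32 TB holds {retention_hours(32, bps):6.1f} h at full line rate")
    # A more realistic plan (assumed figures): 40% average utilization,
    # ~600-byte average frames, pcap on disk.
    kw = dict(utilization=0.4, avg_frame_bytes=600, record_header_bytes=PCAP_RECORD_HEADER)
    print(f"10 Gbps @ 40%, pcap: {tb_per_day(10e9, **kw):5.1f} TB/day, "
          f"32 TB holds {retention_hours(32, 10e9, **kw) / 24:4.1f} days")
```

The point of the utilization and frame-size parameters is that the deck's 7 hours is the worst case; the retention you actually get is set by measured average utilization, so measure it on the segment you intend to record before sizing the appliance.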
10G Network Analysis
• Analyze the essentials
• Be specific when possible
• Know your network – baselines are critical
• Know your limits
• Real-time vs. forensics
• Filter and slice (whenever possible)
• Anticipate hardware resource needs
Network Forensics and Security
"2011 – The Year of the Hack"
• So named by IT security experts
• 60% of IT executives fear Advanced Persistent Threat (APT) attacks
• 28% fear theft and disclosure from insiders
• 60% use either a written "honor system" security policy or have none at all
• 51% allow employees to download/install software
• Companies continue to allow employees to engage in risky behaviors
Based on Bit9's Third Annual Endpoint Survey of 765 IT executives
http://www.businesswire.com/news/home/20110830006206/en/%E2%80%9CYear-Hack%E2%80%9D-Survey-Reveals-Enterprises-Concerned-%E2%80%9CAdvanced
Anatomy of a Breach
• Attacker exploits some mistake by
victim and installs malware to collect
data
• 98% of all records breached involved unauthorized access via default credentials (usually third-party remote access) or SQL injection (against web applications)
• Customized malware used in these
attacks more than doubled
• Most originate from external sources
• Median size of breaches is highest
for insiders
• 91% of compromised records linked
to organized criminal groups
2009 Data Breach Investigations Report, Verizon
Business RISK Team, 7/28/2010
All results are based on firsthand evidence collected during
data breach investigations conducted by Verizon Business
Anatomy of a Breach (cont.)
• Correlation between small corporate policy violations and
more serious violations
• Illegal content on a user’s machine can be an indication of a
breach down the road
• Only 17% of attacks were rated highly difficult, yet they accounted for 95% of all compromised records
• Hackers know where to best apply
pressure when motivated
• Most incidents do not require
difficult or expensive preventive
controls
• Mistakes and oversight hinder
security efforts more than a lack of
resources
2009 Data Breach Investigations Report, Verizon
Business RISK Team, 7/28/2010
Forensic Analysis – Capturing An Attack
(Diagram: attacker, firewall, IDS/IPS system, data recorder, servers)
1. Attack bypasses firewall
2. Data Recorder records and aggregates data throughout attack
3. Event logged, attack partially tracked by IDS
4. Post-event analysis reveals attacker, method, damage!
Key Questions
1. Who was the intruder?
2. How did the intruder penetrate security?
3. What damage has been done?
4. Did the intruder leave anything behind?
5. How can we prevent this attack from
reoccurring?
I Didn’t Catch That? Network Forensics and Network
Performance/Analysis at 10G
Meeting the 10G Challenge – TimeLine
• Fastest network recording and real-time statistical display — simultaneously
‒ 11.7Gbps sustained capture with zero packet loss
‒ Network statistics display in TimeLine visualization format
• Rapid, intuitive forensics search and retrieval
‒ Historical network traffic analysis and quick data rewinding
‒ Several pre-defined forensics search templates making searches easy and fast
• A natural extension to the WildPackets product line
• Turnkey bundled solution
‒ Appliance + OmniEngine, OmniAdapter, OmniPeek Connect
11.7 Gbps Sustained Capture-to-Disk (CTD) with Zero Packet Loss
Real-time Statistics While Capturing
Including VoIP/Video
Rapid Forensics Search and Retrieval
• Pre-defined Forensics
Search Templates
making search easier
and faster
‒ Overview
‒ Packets
‒ Expert
‒ Voice & Video
The Results
Network Forensics of Email Traffic
Web Page Reconstruction
Why Forensics?
• Validate what your logs are telling you
• Generate alarms/alerts on data you’ll never find in
logs
• Invest time analyzing, not reproducing
• Immediately begin investigating the issue – you have
a recording of the incident!
• Isolate key data from multi-TB archives rapidly and intuitively
• Understand the depth of penetration for any incident
What Can You Do?
• Processes, processes, processes
• Implement a network recording/network forensics
solution
• Establish clear baselines so changes are easy to
detect
• Employ solutions that continuously monitor packet-
level security heuristics
• Actively search for minor policy violations that could
be indicators of bigger problems
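The baseline advice above in working form: an added example (not WildPackets code) that builds a per-hour-of-day baseline of outbound bytes from constructed sample data and flags intervals that sit more than a chosen number of standard deviations above that hour's norm. The traffic figures, the server, the observation labels and the thresholds are all assumptions for illustration; in practice the per-interval counters would come from the recorder's statistics rather than from a generator.

```python
"""Hour-of-day traffic baseline and deviation check (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev


def build_baseline(samples):
    """samples: iterable of (hour_of_day, bytes). Returns {hour: (mean, stdev)}."""
    by_hour = defaultdict(list)
    for hour, value in samples:
        by_hour[hour].append(value)
    return {hour: (mean(vals), pstdev(vals)) for hour, vals in by_hour.items()}


def find_deviations(baseline, observations, z_threshold=3.0, min_stdev=1.0):
    """observations: iterable of (label, hour_of_day, bytes).

    Returns (label, hour, bytes, z) for every interval whose value exceeds the hour's
    mean by more than z_threshold standard deviations. min_stdev stops a very quiet
    hour with near-zero spread from turning every blip into an alert.
    """
    flagged = []
    for label, hour, value in observations:
        mu, sigma = baseline[hour]
        z = (value - mu) / max(sigma, min_stdev)
        if z > z_threshold:
            flagged.append((label, hour, value, round(z, 1)))
    return flagged


def constructed_week():
    """Seven days of hourly outbound byte counts for one hypothetical server.

    Business hours (08:00-17:59) carry tens of MB with some spread; nights carry a
    few MB. The variation is deterministic so the example runs the same way every
    time: (7*day + hour) mod 5 takes every value 0..4 for each hour across the week.
    """
    samples = []
    for day in range(7):
        for hour in range(24):
            wobble = (day * 7 + hour) % 5
            if 8 <= hour < 18:
                samples.append((hour, 50_000_000 + wobble * 5_000_000))
            else:
                samples.append((hour, 2_000_000 + wobble * 500_000))
    return samples


def run_demo():
    """Score three constructed observations against the constructed baseline."""
    baseline = build_baseline(constructed_week())
    observations = [
        ("Mon 03:00", 3, 40_000_000),   # 40 MB out at 3 AM: more than ten times the nightly norm
        ("Mon 12:00", 12, 60_000_000),  # 60 MB at noon: ordinary for business hours
        ("Sun 03:00", 3, 3_200_000),    # quiet night, inside the baseline spread
    ]
    return find_deviations(baseline, observations)


if __name__ == "__main__":
    for label, hour, value, z in run_demo():
        print(f"ALERT {label}: {value:,} bytes, {z} sigma above the {hour:02d}:00 baseline")
```

Keying the baseline by hour of day is what makes the 3 AM transfer stand out: the same 40 MB at noon would be unremarkable, and a single global average would hide it. Extend the key (per host, per destination port, per VLAN) as far as your recorder's statistics allow, and keep the threshold conservative until the baseline has covered at least one full business cycle.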
Company Overview
Corporate Background
• Experts in network monitoring, analysis, and troubleshooting
‒ Founded: 1990 / Headquarters: Walnut Creek, CA
‒ Offices throughout the US, EMEA, and APAC
• Our customers are leading edge organizations
‒ Mid-market, and enterprise lines of business
‒ Financial, manufacturing, ISPs, major federal agencies,
state and local governments, and universities
‒ Over 7,000 customers / 60+ countries / 80% of Fortune 1,000
• Award-winning solutions that improve network performance
‒ Internet Telephony, Network Magazine, Network Computing Awards
‒ United States Patent 5,787,253 issued July 28, 1998
• Different approach to maintaining availability of network services
Real-World Deployments
Education
Health Care / Retail
Financial
Telecom
Government
Technology
Product Line Overview
OmniPeek/Compass – Enterprise Packet Capture, Decode and Analysis
• 10/100/1000 Ethernet, Wireless, WAN, 10G
• Portable capture and OmniEngine console
• VoIP analysis and call playback
Omnipliance / TimeLine – Distributed Enterprise Network Forensics
• Packet capture and real-time analysis
• Stream-to-disk for forensics analysis
• Integrated OmniAdapter network analysis cards
WatchPoint – Centralized Enterprise Network Monitoring Appliance
• Aggregation and graphical display of network data
• WildPackets OmniEngines
• NetFlow and sFlow
Product Line Overview
OmniPeek Network Analyzer
• OmniEngine Manager
– Connect and configure distributed OmniEngines/Omnipliances
• Comprehensive dashboards present network traffic in real-time
– Vital statistics and graphs display trends on network and application
performance
– Visual peer-map shows conversations and protocols
– Intuitive drill-down for root-cause analysis of performance bottlenecks
• Visual Expert diagnosis speeds problem resolution
– Packet and Payload visualizers provide business-centric views
• Automated analytics and problem detection 24/7
– Easily create filters, triggers, scripting, advanced alarms and alerts
Omnipliance Network Recorders
• Captures and analyzes all network traffic 24x7
– Runs our OmniEngine software probe
– Generates vital statistics on network and application performance
– Intuitive root-cause analysis of performance bottlenecks
• Expert analysis speeds problem resolution
– Fault analysis, statistical analysis, and independent notification
• Multiple Issue Digital Forensics
– Real-time and post capture data mining for compliance and troubleshooting
• Intelligent data transport
– Network data analyzed locally
– Detailed analysis passed to OmniPeek on demand
– Summary statistics sent to WatchPoint for long term trending and reporting
– Efficient use of network bandwidth
• User-Extensible Platform
– Plug-in architecture and SDK
Omnipliance Network Recorders – Price/performance solutions for every application

                          Portable                      Edge                                Core
Role                      Ruggedized troubleshooting    Small networks, remote offices      Datacenter workhorse, easily expandable
Chassis                   Aluminum chassis / 17" LCD    1U rack mountable chassis           3U rack mountable chassis
CPU                       Quad-Core Xeon 2.5GHz         Quad-Core Intel Xeon X3460 2.80GHz  Two Quad-Core Intel Xeon E5530 2.4GHz
RAM                       4GB                           4GB                                 6GB
PCI-E slots               2                             2                                   4
Built-in Ethernet ports   2                             2                                   2
Storage                   500GB and 2.5TB SATA          1TB SATA                            2TB SATA
TimeLine – For the most demanding network analysis tasks
• 10G Network Forensics
• 3U rack mountable chassis
• Two Quad-Core Intel Xeon 5560 2.8GHz
• 18GB RAM
• 4 PCI-E Slots
• 2 Built-in Ethernet Ports
• 8/16/32TB SATA storage capacity
WatchPoint – Centralized Monitoring for Distributed Enterprise Networks
• High-level, aggregated
view of all network
segments
– Monitor per campus, per
region, per country
• Wide range of network
data
– NetFlow, sFlow, OmniFlow
• Web-based, customizable
network dashboards
• Flexible detailed reports
• Omnipliances must be
configured for continuous
capture
WildPackets Key Differentiators
• Visual Expert Intelligence with Intuitive Drill-down
– Let the computer do the hard work and return results in real time
– Packet / Payload Visualizers are faster than packet-by-packet diagnostics
– Experts and analytics can be memorized and automated
• Automated Capture Analytics
– Filters, triggers, scripting and advanced alarming system combine to provide
automated network problem detection 24x7
• Multiple Issue Network Forensics
– Can be tracked by one or more people simultaneously
– Real-time or post capture
• User-Extensible Platform
– Plug-in architecture and SDK
• Aggregated Network Views and Reporting
– NetFlow, sFlow, and OmniFlow
Q&A
Follow us on SlideShare! Check out today’s slides on SlideShare
www.slideshare.net/wildpackets
Thank You!
WildPackets, Inc.
1340 Treat Boulevard, Suite 500
Walnut Creek, CA 94597
(925) 937-3200