Pavel Minařík: What is hidden in network traffic? Security Session 2015, 11th April 2015, Brno, FIT VUT. [email protected]
Page 1: What is hidden in network traffic? - Pavel Minařík

Pavel Minařík

What is hidden in network traffic?

Security Session 2015, 11th April 2015, Brno, FIT VUT

[email protected]

Page 2

Monitoring Tools

• Traditional monitoring

  Availability of services and network components

  SNMP polling (interfaces, resources)

  100+ tools and solutions on a commercial and open-source basis (Cacti, Zabbix, Nagios, …)

• Next-generation monitoring

  Traffic visibility on various network layers

  Detection of security and operational issues

  Network/application performance monitoring

  Full packet capture for troubleshooting

Page 3

Monitoring Tools

SNMP polling

Flow monitoring

Packet capture and analysis

Page 4

Flow Monitoring Principle

Page 5

Performance Monitoring

[Diagram: TCP handshake (Syn, Syn/Ack, Ack) bracketed as RTT; client request (Req) and server response (Ack, Data) bracketed as SRT; the following Data packets bracketed as Delay]

Round Trip Time – delay introduced by the network

Server Response Time – delay introduced by the server/application

Delay (min, max, avg, deviation) – delays between packets

Jitter (min, max, avg, deviation) – variance of delays between packets
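The four metrics on this slide, derived from a constructed, timestamped trace of one TCP connection as a probe in the path would see it (an added example, not code from the slides or from FlowMon; the packet times and kinds are made up):

```python
# Added example (not from the original slides): deriving the metrics named on
# the slide (RTT, SRT, delay, jitter) from one constructed, timestamped TCP
# connection as a probe in the path would see it. Timestamps are milliseconds.
from statistics import mean, pstdev

# Constructed trace: (time_ms, direction, kind); "c>s" = client to server.
TRACE = [
    (0.0,  "c>s", "SYN"),
    (12.4, "s>c", "SYN-ACK"),
    (12.9, "c>s", "ACK"),      # handshake complete
    (13.1, "c>s", "REQ"),      # client request
    (25.6, "s>c", "ACK"),      # bare ACK of the request, not yet a response
    (58.3, "s>c", "DATA"),     # first byte of the server response
    (61.0, "s>c", "DATA"),
    (62.2, "s>c", "DATA"),
    (70.9, "s>c", "DATA"),
]

def _first(trace, direction, kind):
    return next(t for t, d, k in trace if d == direction and k == kind)

def rtt(trace):
    """Round Trip Time: SYN to the client's handshake ACK (network delay)."""
    return _first(trace, "c>s", "ACK") - _first(trace, "c>s", "SYN")

def srt(trace):
    """Server Response Time: request to first response data (server/app delay)."""
    return _first(trace, "s>c", "DATA") - _first(trace, "c>s", "REQ")

def _stats(values):
    return {"min": min(values), "max": max(values),
            "avg": mean(values), "deviation": pstdev(values)}

def _response_gaps(trace):
    times = [t for t, d, k in trace if d == "s>c" and k == "DATA"]
    return [b - a for a, b in zip(times, times[1:])]

def delay_stats(trace):
    """Delay: gaps between consecutive server data packets."""
    return _stats(_response_gaps(trace))

def jitter_stats(trace):
    """Jitter: how much each inter-packet delay differs from the previous one."""
    gaps = _response_gaps(trace)
    return _stats([abs(b - a) for a, b in zip(gaps, gaps[1:])])
```

A bare ACK is deliberately ignored by srt(), since the slide measures the response from the first data packet, not from the server's acknowledgement of the request.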

Page 6

Flow Standards

NetFlow v5 (Cisco standard): fixed format; only basic items available; no IPv6, MAC, VLANs, …

NetFlow v9 / Flexible NetFlow (Cisco standard): flexible format using templates; mandatory for current needs; provides IPv6, VLANs, MAC, …

IPFIX ("NetFlow v10", independent IETF standard): the future of flow monitoring; more flexibility than NetFlow v9

Huawei NetStream: same as the original Cisco standard NetFlow v9

Juniper jFlow: similar to NetFlow v9; different timestamps
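To make the "fixed format" point concrete, here is a packer and parser for a NetFlow v5 export datagram (an added example written for this page, not code from the slides or from any vendor; all addresses, counters and the timestamp are constructed):

```python
# Added example (not from the original slides): packing and parsing a NetFlow v5
# export datagram with Python's struct module. The fixed 24-byte header and
# 48-byte record are exactly why v5 carries no IPv6, MAC or VLAN fields; v9 and
# IPFIX add them through templates. All values below are constructed.
import socket
import struct

HEADER_FMT = "!HHIIIIBBH"   # version, count, sys_uptime, unix_secs, unix_nsecs,
                            # flow_sequence, engine_type, engine_id, sampling_interval
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts", "doctets",
          "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
          "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

def build_record(src, dst, sport, dport, prot, pkts, octets, tcp_flags=0):
    """Constructed v5 record; unused fields are zero, masks are /24."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       b"\0\0\0\0", 1, 2, pkts, octets, 1000, 2000, sport, dport,
                       0, tcp_flags, prot, 0, 0, 0, 24, 24, 0)

def build_datagram(records, unix_secs=1428710400):
    """Constructed header (version 5); unix_secs defaults to 2015-04-11 00:00 UTC."""
    header = struct.pack(HEADER_FMT, 5, len(records), 123456, unix_secs, 0, 0, 0, 0, 0)
    return header + b"".join(records)

def parse_datagram(data):
    """Return (header dict, record dicts); refuses non-v5 or truncated datagrams."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    h = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if h[0] != 5:
        raise ValueError("not NetFlow v5 (version %d)" % h[0])
    count = h[1]
    if len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        rec = dict(zip(FIELDS, struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])   # 4 raw bytes -> dotted quad
        records.append(rec)
    return {"version": h[0], "count": count, "unix_secs": h[3], "sys_uptime": h[2]}, records
```

A collector that receives v9 or IPFIX on the same port must first read the template set; the version check here is what stops a v5-only parser from misreading those datagrams.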

Page 7

Flow Sources

• Enterprise-class network equipment

Routers, switches, firewalls

• Mikrotik routers

Popular and cost efficient hardware

• Flow Probes

Dedicated appliances for flow export

• Trends

Number of flow-enabled devices is growing

L7 visibility, performance monitoring, …

Page 8

Flow Gathering Schemes

Probe on a SPAN port

  Pros: Accuracy; Performance; L2/L3/L4/L7 visibility

  Cons: May reach capacity limit; No interface number

  Facts: Fits most customers; Limited number of SPANs

  Use: Enterprise networks

Probe on a TAP

  Pros: Same as "on a SPAN"; All packets captured; Separates RX and TX

  Cons: Additional HW

  Facts: 2 monitoring ports

  Use: ISP uplinks, DCs

Flows from switch/router

  Pros: Already available; No additional HW; Traffic on interfaces

  Cons: Usually inaccurate; Visibility L3/L4; Performance impact

  Facts: Always test before use

  Use: Branch offices (MPLS, …)

Page 9

Traffic Analysis (using flow)

• Bridges the gap left by endpoint and perimeter security solutions

• Behavior based Anomaly Detection (NBA)

• Detection of security and operational issues

Attacks on network services, network reconnaissance

Infected devices and botnet C&C communication

Anomalies of network protocols (DNS, DHCP, …)

P2P traffic, TOR, on-line messengers, …

DDoS attacks and vulnerable services

Configuration issues

Page 10

Full Packet Capture

• On-demand troubleshooting and forensic analysis

• How to get packet traces?

Tcpdump – Linux/Unix environment

Winpcap – Windows environment

Probes – appliances with packet capture capability

FPGA-based HW adapters – high speed networks

Page 11

Packet Analysis

• Analysis of packet traces (PCAP files)

• Software tools (commercial + open source)

• Wireshark as the de facto standard with large community support

Support of hundreds of protocols

Powerful filters, statistics, reconstruction, etc.

Page 12

Examples from Real Life

Security issue

Troubleshooting

Page 13

Security Issue

[Screenshot: FlowMon © INVEA-TECH 2013]

78 port scans? DNS anomalies?

• Malware infected device in the internal network

Page 14

Security Issue

Let's see the scans first. Ok, users cannot access the web. Are the DNS anomalies related?

Page 15

Security Issue

Ok, which DNS server is being used? 192.168.0.53? This is a notebook! How did this happen?

Page 16

Security Issue

Let's look at the details… Laptop 192.168.0.53 is acting as a DHCP server in the network

Page 17

Security Issue

Malware infected device. Trying to redirect and bridge traffic. Probably to get sensitive data.
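The flow-level checks behind the three findings on pages 13 to 17 (port scans, an unexpected DNS server, a host acting as a DHCP server), run over constructed flow records (an added example, not code from the slides or from FlowMon; the flows, the authorized server addresses and the scan threshold are assumptions):

```python
# Added example (not from the original slides): flow-level detection of the
# incident described on pages 13-17. Records would normally come from a
# NetFlow/IPFIX collector; here they are constructed. The "authorized" hosts
# and the scan threshold are assumptions for this example.
from collections import defaultdict

AUTHORIZED_DHCP = {"192.168.0.1"}   # assumed legitimate DHCP server
AUTHORIZED_DNS = {"192.168.0.1"}    # assumed legitimate resolver
SCAN_PORT_THRESHOLD = 20            # distinct ports from one src to one dst

# Constructed flows: (src, dst, proto, sport, dport, packets)
FLOWS = [
    ("192.168.0.53", "255.255.255.255", "udp", 67, 68, 4),     # laptop answering DHCP
    ("192.168.0.1",  "255.255.255.255", "udp", 67, 68, 12),    # the real DHCP server
    ("192.168.0.77", "192.168.0.53",    "udp", 51000, 53, 8),  # client now resolving via laptop
    ("192.168.0.78", "192.168.0.53",    "udp", 51001, 53, 3),
    ("192.168.0.79", "192.168.0.1",     "udp", 51002, 53, 5),  # still using the real resolver
] + [("192.168.0.53", "192.168.0.10", "tcp", 40000 + p, p, 1) for p in range(1, 31)]

def rogue_dhcp_servers(flows):
    """Hosts sending from UDP/67 (DHCP server side) that are not authorized."""
    return sorted({src for src, _, proto, sport, _, _ in flows
                   if proto == "udp" and sport == 67 and src not in AUTHORIZED_DHCP})

def clients_using_rogue_dns(flows):
    """Map each unauthorized resolver to the clients querying it."""
    seen = defaultdict(set)
    for src, dst, proto, _, dport, _ in flows:
        if proto == "udp" and dport == 53 and dst not in AUTHORIZED_DNS:
            seen[dst].add(src)
    return {resolver: sorted(clients) for resolver, clients in seen.items()}

def port_scans(flows, threshold=SCAN_PORT_THRESHOLD):
    """(src, dst) pairs touching many distinct TCP ports with tiny flows."""
    ports = defaultdict(set)
    for src, dst, proto, _, dport, pkts in flows:
        if proto == "tcp" and pkts <= 2:        # a scan probe rarely exceeds 2 packets
            ports[(src, dst)].add(dport)
    return sorted(pair for pair, p in ports.items() if len(p) >= threshold)
```

Correlating the three results on a common source address is what turns "78 port scans" and "DNS anomalies" into one finding about a single infected laptop.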

Page 18

FlowMon Troubleshooting

• Gmail e-mail delivery issue

"We are not receiving e-mails from Gmail and can't figure it out. Can you try to help us and fix it?"

Page 19

FlowMon Troubleshooting

Using AS numbers it is possible to easily identify corresponding network traffic and do the analysis

Page 20

FlowMon Troubleshooting

All flows are 640B? TCP flags are normal. This is not a network issue. We need to see the packets.

Detailed visibility and drill down to flow level helps to understand traffic characteristics

Page 21

FlowMon Troubleshooting

Built-in packet capture capability makes it possible to get full packet traces when needed

Page 22

FlowMon Troubleshooting

Ok, Gmail requests TLS 1.0

Page 23

FlowMon Troubleshooting

And the mail server does not support that

Page 24

Live Demo

Attack detection and analysis in real time

Page 25

Live Demo

• Use-case: directory traversal attack

Flow-level visibility

Automatic detection

Packet capture and analysis

Page 26

INVEA-TECH a.s., U Vodárny 2965/2, 616 00 Brno, Czech Republic, www.invea-tech.com

High-Speed Networking Technology Partner

Questions?

Pavel Minařík, [email protected]

+420 733 713 703