Technical Introduction to the StealthWatch System Rev1



Transcript of Technical Introduction to the StealthWatch System Rev1

Lancope Management Presentation
Technical Introduction to the StealthWatch System
Person #1
Person #2
AGENDA
How NBA technologies work
Infrastructure IPS
NETWORK ANOMALY DETECTION USING FLOWS
Based on analysis of “flow” data (statistics, changes in behavior)
sFlow (Extreme, HP Procurve, Foundry)
NetFlow (Cisco, Juniper)
Not signature-based (behavior based)
Mature but evolving technology
Perfect complement to existing security and network management technologies
Designed primarily for internal network deployments (but can exist at the perimeter if necessary)
© 2007 Property of Lancope. Proprietary and Confidential.
THE STEALTHWATCH SYSTEM
STEALTHWATCH ENTERPRISE DEPLOYMENT OVERVIEW
COLLECTING FLOWS FROM ROUTERS AND SWITCHES
[Diagram: flows collected from the routers and switches serving Sales, Servers, Marketing, Remote Sites, Remote Users and the Extranet]
WHAT IS NETFLOW?
NetFlow Packet Header
WHAT IS SFLOW?
Almost all Foundry products support sFlow, as do Extreme and HP
sFlow includes payload
1 in N packets are sent from the switch to the flow collector
Statistical scaling is used to recover the actual network traffic patterns from the sFlow samples
The more samples, the more accurate analysis becomes
Duplicate sFlow PDUs must be handled and removed
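The two collector-side steps the bullets describe, sample scaling and duplicate-PDU removal, as an added example (not Lancope's code); the sample records and the agent/sequence fields are constructed for illustration:

```python
import math
from collections import defaultdict

# Constructed sFlow flow samples (not a real capture): one tuple per sampled packet as the
# collector sees it: (agent, sequence_number, sampling_rate, src, dst, frame_bytes).
SAMPLES = [
    ("10.0.0.1", 100, 128, "10.1.1.5", "10.2.2.9", 1500),
    ("10.0.0.1", 101, 128, "10.1.1.5", "10.2.2.9", 1500),
    ("10.0.0.1", 101, 128, "10.1.1.5", "10.2.2.9", 1500),  # duplicate PDU: same agent + sequence
    ("10.0.0.1", 102, 128, "10.1.1.7", "10.2.2.9", 60),
    ("10.0.0.1", 103, 128, "10.1.1.5", "10.2.2.9", 1500),
]


def dedupe(samples):
    """Drop repeated PDUs: the (agent, sequence_number) pair identifies one datagram."""
    seen, kept = set(), []
    for s in samples:
        key = (s[0], s[1])
        if key not in seen:
            seen.add(key)
            kept.append(s)
    return kept


def scale(samples):
    """Estimate real bytes per (src, dst): each 1-in-N sample stands for N packets."""
    est = defaultdict(int)
    for _agent, _seq, rate, src, dst, nbytes in samples:
        est[(src, dst)] += nbytes * rate
    return dict(est)


def relative_error_pct(sample_count):
    """Rule-of-thumb 95% confidence bound for a traffic class seen in sample_count samples
    (196 * sqrt(1/c) percent, the figure sFlow.org quotes): more samples, tighter bound."""
    return 196.0 * math.sqrt(1.0 / sample_count)
```

Running scale() before dedupe() over-reports the 10.1.1.5 conversation by one full sample's worth (128 packets), which is why the duplicate check comes first.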
CONFIGURING NETFLOW AND SFLOW
Switch (sFlow):
  interface> sflow forwarding
  config> sflow sample 128
  config> sflow polling-interval 30
Cisco router (NetFlow):
  router(config-if)# ip route-cache flow
Configuring both sFlow and NetFlow is a simple command line adjustment to a router or switch.
NETFLOW IMPACT ON THE ROUTER (CPU)
Check on current router CPU utilization*
* NetFlow v5 adds approximately 10% to overall CPU
Cisco has made vast improvements in the efficiency of NetFlow processing over the last 3 to 5 years. Modern routers can process NetFlow with little to no noticeable CPU impact.
NETFLOW IMPACT ON THE NETWORK (BANDWIDTH)
Number of active flows
Flows per second (fps)
Lancope offers a NetFlow Bandwidth calculator that can be used to estimate the actual amount of sustained NetFlow bandwidth. Generally speaking, NetFlow bandwidth will amount to approximately 1% of the bandwidth being observed (worst case).
VIEWING THE ROUTER NETFLOW CACHE DIRECTLY
[Screenshot: router NetFlow cache output with a worm-infected host highlighted]
CAPTURING AND VIEWING NETFLOW PACKETS: FLOW-TOOLS
[Screenshot: flow-print output; annotated columns are the start and end times, pkts and bytes]
The example above shows actual flows being captured using flow-capture from the flow-tools open source toolkit. As flows are captured, they are sent to flow-print for formatting and decode. From flow-print, we grep out the IP we’re looking for. In this case, we’re observing scanning from 24.99.19.81 to 209.182.187.0/24 on TCP port 9999.
DATA REDUCTION: FLOW NORMALIZATION
2. Two NetFlow records are exported from the router…
3. StealthWatch associates the two NetFlow records, building one stateful entry…
This series of screenshots represents a simple web request to slashdot.org. The resulting NetFlow records are consolidated (normalized) into a single StealthWatch record. Many NetFlow records may constitute a single StealthWatch “flow”. The ability to consolidate many directional flows into a single stateful, bidirectional flow is a key characteristic of the StealthWatch system (it allows for data reduction, interoperability, ease of training, etc.).
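The normalization step above, as an added example that is not StealthWatch code: two unidirectional NetFlow v5-style records for the web request are folded into one stateful, bidirectional flow. The records are constructed; 203.0.113.5 stands in for the slashdot.org address and 192.168.1.10 for the client. It also shows the ICMP type/code packing in the port field that the next slide mentions.

```python
# Constructed NetFlow v5-style records (not real exports):
# (src, sport, dst, dport, proto, pkts, bytes, first_ms, last_ms)
RECORDS = [
    ("192.168.1.10", 40211, "203.0.113.5", 80, 6, 5, 520, 1000, 1210),   # client -> web server
    ("203.0.113.5", 80, "192.168.1.10", 40211, 6, 4, 8340, 1050, 1200),  # web server -> client
    ("192.168.1.10", 0, "10.0.0.1", 2048, 1, 1, 84, 1300, 1300),         # ICMP echo request
]


def icmp_type_code(record):
    """NetFlow v5 packs ICMP type and code into the destination-port field (type << 8 | code)."""
    dport = record[3]
    return dport >> 8, dport & 0xFF


def normalize(records):
    """Fold unidirectional records into stateful bidirectional flows.

    Both directions of a conversation share one 5-tuple up to swapping the endpoints, so a
    direction-independent key pairs them. The side whose record starts earliest is taken as
    the client (initiator). ICMP is keyed on addresses only, since its port fields carry type/code.
    """
    flows = {}
    for src, sport, dst, dport, proto, pkts, nbytes, first, last in records:
        ends = (src, dst) if proto == 1 else ((src, sport), (dst, dport))
        key = (frozenset(ends), proto)
        f = flows.setdefault(key, {"proto": proto, "first": first, "last": last, "dirs": []})
        f["first"], f["last"] = min(f["first"], first), max(f["last"], last)
        f["dirs"].append((first, src, sport, dst, dport, pkts, nbytes))
    result = []
    for f in flows.values():
        dirs = sorted(f["dirs"])  # earliest record names the initiator
        _, client, _cport, server, svc_port, c_pkts, c_bytes = dirs[0]
        result.append({
            "client": client, "server": server, "server_port": svc_port, "proto": f["proto"],
            "client_pkts": c_pkts, "client_bytes": c_bytes,
            "server_pkts": sum(d[5] for d in dirs[1:]),
            "server_bytes": sum(d[6] for d in dirs[1:]),
            "duration_ms": f["last"] - f["first"],
        })
    return result
```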
CHALLENGES WITH FLOW-BASED MONITORING
Duplicate flows are often seen (and must be removed)
No payload data (must rely on statistics; not so easy)
Requires all routers be NTP synced and share similar settings (for proper security processing)
ICMP type and code are overloaded into the TCP/UDP destination port field (but not always!)
Implementations vary from vendor to vendor (Extreme’s NetFlow is badly broken while Cisco works very well)
Tremendous amount of storage required
Network Behavior Analysis
Collect and analyze flows…
Establish baseline of behavior…
IF WE DON’T HAVE PAYLOAD, HOW DO WE DETECT ATTACKS?
Look for patterns of behavior in flow traffic…
One host contacting large numbers of other hosts in a short time frame (P2P apps, worms)
Long flow durations (VPNs, covert channels)
Unauthorized ports in use (rogue servers, applications)
Bandwidth anomalies (DoS, warez servers)
Unauthorized communications (VPN host talking to accounting server)
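The first pattern in the list, one host contacting many others in a short time frame, as an added detection example (not StealthWatch code) run over constructed flow records modelled on the flow-tools case shown earlier: 24.99.19.81 reaching 40 hosts in 209.182.187.0/24 on TCP 9999 within 40 seconds, next to an ordinary client. The window and threshold values are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not a real capture): (start_s, src, dst, dport, proto)
FLOWS = [(t, "24.99.19.81", f"209.182.187.{h}", 9999, 6) for t, h in enumerate(range(1, 41))]
FLOWS += [(0, "10.1.1.20", "10.2.2.9", 80, 6), (5, "10.1.1.20", "10.2.2.10", 443, 6),
          (90, "10.1.1.20", "10.2.2.9", 80, 6)]


def fan_out_alerts(flows, window_s=60, max_peers=20):
    """Flag sources that reach more than max_peers distinct hosts within any window_s span.

    Flows are grouped by source and sorted by start time; a sliding window over start times
    keeps a count per destination so the number of distinct peers is known at every step.
    The alert carries the peak peer count and the destination ports the source used.
    """
    by_src = defaultdict(list)
    for start, src, dst, dport, _proto in flows:
        by_src[src].append((start, dst, dport))
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        lo, peak, ports = 0, 0, set()
        peers = defaultdict(int)  # dst -> flows from this source inside the window
        for start, dst, dport in recs:
            peers[dst] += 1
            ports.add(dport)
            while start - recs[lo][0] > window_s:  # expire flows that fell out of the window
                old_dst = recs[lo][1]
                peers[old_dst] -= 1
                if peers[old_dst] == 0:
                    del peers[old_dst]
                lo += 1
            peak = max(peak, len(peers))
        if peak > max_peers:
            alerts[src] = {"distinct_peers": peak, "ports": sorted(ports)}
    return alerts
```

A P2P client produces the same fan-out shape, which is why the slide lists both; the port mix in the alert is what an analyst uses to tell a single-port sweep from peer-to-peer chatter.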
NBA OPERATIONAL EXAMPLE
BENEFIT: ENTERPRISE-WIDE VISIBILITY
“Flows” provide total visibility across a wide network range by collecting data from routers in varying locations. This gives StealthWatch total supervision over the network and provides an ability to track behavior throughout the network, from start to end.
Other technologies see only what’s within their local “scope” of a SPAN or tap port.
BENEFIT: ENTERPRISE WIDE VISIBILITY IN ACTION
BENEFIT: OVERCOME COMPLEX DEPLOYMENTS, COST, AND SPEED
8 Inline IPS @ $64,995: $519,960
1 Netflow-based Xe-2000: <$150,000
[Diagram: eight inline IPS devices across the internal segments plus a perimeter IPS above the firewall, versus a single NetFlow-based Xe-2000]
Modern, complex environments create significant challenges for inline IPS solutions. The above diagram shows the need for eight 4-segment inline devices plus a perimeter IPS above the firewall. This kind of deployment is both costly and complex to deploy and manage.
Example pricing for Inline IPS technology:
ISS Proventia G200: 1 segment, $11,999
Netscreen IDS-500: 1 segment, $34,999
Top Layer IPS 2400: 1 segment, $80,000
Tipping Point Unity-1 1200 (1Gbps): 4 segments, $64,995
Tipping Point Unity-1 2400 (2Gbps): 4 segments, $89,995
McAfee Intrushield 4000: 2 segments, $99,995
(ref: NSS report on Intrusion Prevention)
BENEFIT: LIGHT-WEIGHT, EASY TO DEPLOY
2 IDP/IPS Sensors Required
12 IDS/IPS Sensors Required
Monitoring remote sites is costly. The classic deployment model would have an IDS/IPS device at every remote location, especially in MPLS meshed environments where there is no single chokepoint.
Xe solves this problem by providing the ability to monitor remote locations through the NetFlow messages exported by the remote routers. Where we would have needed 12 network sensors before, now we only need 1 Xe appliance.
BENEFIT: LIGHT-WEIGHT, EASY TO DEPLOY
2 IDP/IPS Sensors Required
1 NetFlow Collector Required
BENEFIT: POWERFUL LOGGING AND FORENSICS
INFRASTRUCTURE IPS: HOW IT WORKS
NETWORK TRAFFIC ANALYSIS AND VISUALIZATION
Flow Records
SUMMARY
NetFlow provides powerful forensics, auditing, and attack detection capability without the need for additional hardware or software updates.
Cisco routers are everywhere.
Both open-source and commercial products are available for analyzing NetFlow.
NetFlow analysis allows for detection of new worms without the need for signature updates.
www.lancope.com