Dr Sureswaran Ramadass


Enterprise Network Monitoring and Security: "iNet Enterprise"
Assoc. Prof. Dr. Sureswaran Ramadass
Enterprise Network Security
The Problem
• Networks are suffering from viruses, worms, Trojans, spyware, adware, hijackers, pop-up generators, spam, intrusion and many more.
• If you have an internet connection (home or corporate), your machine is exposed to the Internet world, and hence you are vulnerable to worms and viruses.
• Viruses and worms are the biggest contributors to today's network problems.
• Against these modern threats, a firewall and antivirus alone are not enough to protect your organization from blended threats.
Cost of worms
Cost for cleanup of worms worldwide:
• Sobig: USD 37.1 billion
• MyDoom: USD 22.6 billion
• Klez: USD 19.8 billion
• Nachi: USD 13 billion
• Mimail: USD 11.5 billion
• Swen: USD 10.4 billion
• Love Bug: USD 8.8 billion
• Bugbear: USD 3.9 billion
Source: www.wholesecurity.com
Cost of worms…
Cost for cleanup of worms in Malaysia:
• Code Red: RM 22 million
• Nimda: RM 22 million
• Blaster: RM 31 million
• Nachi: RM 31 million
• 90% of desktop computers in a Malaysian internet company experienced downtime caused by the Blaster.D worm (August 2003).
• Local universities' network bandwidth was badly affected by the Nachi worm.
Source: NISER study
Why are worms dangerous?
Because of the speed of their infection and spread.
Target discovery techniques:
• Random, sequential, local
• Hitlist (external, internal)
[Figure labels recovered from the slide: Warning, Alert]
What can worms do to you?
Once the host is infected, it can:
• Steal YOUR private info and distribute it to all the users in your email database.
• Send dummy traffic to paralyze your network.
• Destroy key system files, which would damage and crash your computer.
• Destroy the database system within your server.
What do you need?
• A holistic approach to the security strategies you currently have in place MUST be adopted to protect your organization from the new generation of blended threats.
• A solution that covers the loopholes left by other security products, for all-round protection.
• A solution that can detect internal worm attacks as well as external ones.
• Updated software with the most worm signatures.
• A warning and alerting mechanism that makes the security team aware so it can take the proper action.
The Answer…
• Easy to install and use.
• Low memory requirements.
• Detects worm activity on the wire.
• Live updates from the m-Protect database server, which holds a comprehensive list of all known worms.
• Works passively, scanning network traffic for worms.
• Alerts you to a potential worm attack via synthesized voice warnings and visual messages as well as SMS and email.
• Pinpoints the source computer that is broadcasting the worm packets.
• Works hand in hand with third-party anti-virus tools.
• Able to detect worms with multiple signatures.
• Detects worm attacks within the LAN and from outside.
Enterprise Network Monitoring
Network Monitoring
Network monitoring goals:
• To constantly monitor a computer network for slow or failing systems.
• To notify the network administrator in case of outages via email, SMS or other alarms.
Network monitoring tools fall into two categories:
• Software-based network monitoring
• Hardware-based network monitoring
Network monitoring approaches:
• Passive network monitoring
• Active network monitoring
Why monitor?
• It alerts everyone in the network about the worm attack.
• It locates the source of the problem.
• It provides possible solutions.
Besides propagation via the internet connection, worms can still reach the internal network by:
• laptops.
• external media (CD, thumb drive).
• wireless access points.
• encrypted or zipped emails.
Border defenses are of no use if the worm is already inside the internal network.
Buffering for high-speed networks: Packet Capturing Engine
• The product introduces a new approach to worm monitoring; it monitors the area left out by other current approaches.
• It has a complete database of signatures, explanations and expert solutions and recommendations for all known worms on the net.
• Uses an intelligent matching engine to match worm payload packets against an expert database of solutions to the worms.
• Works passively; no additional traffic is added to the network.
• Updates definitions automatically. Boasts a database of all currently known Email, IM, Web, Internet, P2P and IRC worms.
• Warns users locally by synthesized voice warnings and visual messages.
• Logging facilities.
[Flowchart: packet capturing engine. Labels recovered from the slide: Process 1; mBuffer ready? / sBuffer ready? (Yes/No); Buffer Switch m/s (i.e. m=true); Save Packets; Memory Free; Timer; pointer; Circular file buffer; Process 2; Reader; Worm Parser; Worm DB; Worm Detection; Alerting. The labels indicate that Process 1 captures packets into two alternating buffers (mBuffer and sBuffer) and saves each full buffer to a circular file buffer, which Process 2 reads through the Reader, Worm Parser, Worm DB and Worm Detection stages before Alerting.]
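As an added illustration (not iNet Enterprise's or m-Protect's own code) of the pipeline the flowchart labels describe: Process 1 fills one of two capture buffers (mBuffer / sBuffer), switches to the other when the active one is full, and saves the full buffer into a bounded circular buffer; Process 2 drains that buffer, parses each packet and matches its payload against a signature database in which one worm may have several signatures, then emits alerts that name the source host. The packets, worm names and byte patterns are constructed for the example and are not real worm signatures; the drop counter shows the failure mode a bounded circular buffer has when the reader falls behind.

```python
from collections import Counter, deque
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed signature database (hypothetical patterns, not real worm
# signatures): one worm may carry several signatures; any one match counts.
WORM_DB = {
    "ExampleWorm.A": [b"WORM-A-MARKER", b"w0rm_a_alt"],
    "ExampleWorm.B": [b"\x90\x90EXAMPLE-B"],
}


class CaptureEngine:
    """Process 1: fill mBuffer or sBuffer, switch when full, save to the ring."""

    def __init__(self, buf_size=4, ring_size=16):
        self.buffers = {"m": [], "s": []}
        self.active = "m"                    # m=true in the flowchart's terms
        self.buf_size = buf_size
        self.ring = deque(maxlen=ring_size)  # bounded circular file buffer
        self.dropped = 0                     # packets overwritten before being read

    def capture(self, pkt):
        self.buffers[self.active].append(pkt)
        if len(self.buffers[self.active]) >= self.buf_size:
            self._switch_and_save()

    def _switch_and_save(self):
        full = self.active
        self.active = "s" if full == "m" else "m"  # buffer switch m/s
        for pkt in self.buffers[full]:
            if len(self.ring) == self.ring.maxlen:
                self.dropped += 1            # ring full: the oldest packet is lost
            self.ring.append(pkt)
        self.buffers[full] = []              # memory freed for reuse

    def flush(self):
        if self.buffers[self.active]:
            self._switch_and_save()


class Detector:
    """Process 2: Reader -> Worm Parser -> Worm DB match -> Alerting."""

    def __init__(self, db):
        self.db = db

    @staticmethod
    def parse(pkt):
        return pkt.payload  # a real parser would strip protocol headers here

    def match(self, payload):
        return [name for name, sigs in self.db.items()
                if any(sig in payload for sig in sigs)]

    def run(self, ring):
        alerts = []
        while ring:  # the reader drains the circular buffer
            pkt = ring.popleft()
            for name in self.match(self.parse(pkt)):
                alerts.append({"worm": name, "source": pkt.src, "target": pkt.dst})
        return alerts


def pinpoint_sources(alerts):
    """Count alerts per source host so the noisiest broadcaster stands out."""
    return Counter(a["source"] for a in alerts)


def detect_stream(packets, buf_size=4, ring_size=16):
    """Run the whole pipeline passively over an in-memory packet list."""
    engine = CaptureEngine(buf_size, ring_size)
    for pkt in packets:
        engine.capture(pkt)
    engine.flush()
    alerts = Detector(WORM_DB).run(engine.ring)
    return alerts, engine.dropped


# Constructed traffic sample: two benign packets, three worm payloads, one benign.
SAMPLE_PACKETS = [
    Packet("10.0.0.2", "10.0.0.1", b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.3", "10.0.0.1", b"plain mail body"),
    Packet("10.0.0.5", "10.0.0.7", b"\x00\x01WORM-A-MARKER\x00"),
    Packet("10.0.0.5", "10.0.0.8", b"xx w0rm_a_alt xx"),
    Packet("192.168.1.9", "10.0.0.9", b"\x90\x90EXAMPLE-B payload"),
    Packet("10.0.0.4", "10.0.0.1", b"normal traffic"),
]

if __name__ == "__main__":
    found, lost = detect_stream(SAMPLE_PACKETS)
    for a in found:
        print(f"ALERT {a['worm']} from {a['source']} -> {a['target']}")
    print("top sources:", pinpoint_sources(found).most_common(), "dropped:", lost)
```

With the default buffer sizes all six packets survive and three alerts come out, two of them pointing at 10.0.0.5; shrinking the ring to four slots while the reader is idle shows two packets being overwritten, which is the sizing trade-off the double buffer plus circular file buffer is meant to manage on a fast link.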
iNet Enterprise
• To reduce the time-consuming trial-and-error methods network administrators use to identify network problems.
• To provide robust, non-intrusive, real-time network monitoring capabilities.
• To provide an intuitively designed user interface that shortens the learning curve for users getting acclimatized to the application.
• To provide global access for remotely monitoring any network in any corner of the world, tunnelling via the Internet.
"To provide a robust monitoring tool that at the same time does not affect network performance while performing its tasks."
iNet Enterprise
[Architecture diagram. Component labels: iNet Server, iNet Segment, iNet Console, iNet m-Console. Feature labels: Clustering, Application Monitoring, Worm Alerting, Network Statistics, Anomaly Detection, Web Monitoring, Anomaly Alerting, Application Statistics, Archiving & Logging, Address Book, Playback, Top Usage, Connection Synchroniser, Data Archiver, Remote Control, Network Distribution, Network Utilization.]
iNet Enterprise Technology
• Uses technology and techniques that consume minimal bandwidth yet provide real-time, up-to-date information about your network (non-streaming).
• iNet Segment gathers network information and stores it in the local segment.
• The administrator can probe into a particular segment through iNet Console.
• An immediate past incident scenario can be recreated with iNet Console to investigate the cause of the network problem, analogous to playing back CCTV videotapes to investigate criminal acts.
• Via iNet Console, iNet Enterprise provides global access services to remotely monitor your network from any part of the world over an IP connection through the Internet. The monitoring console can also be your mobile PDA (iNet m-Console) using EDGE, 3G or Wifi technologies.
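As an added example (not iNet Enterprise's own code) of the segment-local storage and playback idea in the bullets above: a hypothetical segment archive keeps per-interval byte counters for each source host locally, bounded by a retention window, so a console can poll a small summarised snapshot instead of streaming raw traffic, and can ask for a playback of the intervals around an incident to see who was talking at the time. The flow records and timestamps are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    ts: int       # seconds since epoch (constructed values below)
    src: str
    dst: str
    nbytes: int


class SegmentArchive:
    """Hypothetical stand-in for a segment collector: per-interval byte
    counters per source, kept locally and bounded by a retention window."""

    def __init__(self, interval=60, retention=24 * 60 * 60):
        self.interval = interval
        self.retention = retention
        self.buckets = defaultdict(lambda: defaultdict(int))  # bucket -> src -> bytes
        self.latest = None

    def _bucket(self, ts):
        return ts - ts % self.interval

    def record(self, rec):
        b = self._bucket(rec.ts)
        self.buckets[b][rec.src] += rec.nbytes
        self.latest = b if self.latest is None else max(self.latest, b)
        # Drop buckets older than the retention window so memory per segment stays bounded.
        oldest_allowed = self.latest - self.retention
        for old in [k for k in self.buckets if k < oldest_allowed]:
            del self.buckets[old]

    @staticmethod
    def _top(counts, top):
        return sorted(counts.items(), key=lambda kv: -kv[1])[:top]

    def snapshot(self, top=3):
        """What a console polls: a small summary, not a packet stream."""
        if self.latest is None:
            return {"bucket": None, "top": []}
        return {"bucket": self.latest, "top": self._top(self.buckets[self.latest], top)}

    def playback(self, start, end, top=3):
        """Recreate an incident: per-interval top talkers for start <= bucket < end."""
        return [(b, self._top(self.buckets[b], top))
                for b in sorted(self.buckets) if start <= b < end]


def find_burst(frames, threshold):
    """Intervals in a playback whose top talker exceeded the byte threshold."""
    return [(b, top[0][0]) for b, top in frames if top and top[0][1] > threshold]


BASE = 1_000_080  # constructed, aligned to a 60 s interval boundary
# Constructed flows: quiet minute, a burst from 10.0.0.5, then quiet again.
SAMPLE_FLOWS = [
    FlowRecord(BASE + 5, "10.0.0.2", "10.0.0.1", 1000),
    FlowRecord(BASE + 10, "10.0.0.3", "10.0.0.1", 800),
    FlowRecord(BASE + 70, "10.0.0.5", "10.0.0.7", 50000),
    FlowRecord(BASE + 80, "10.0.0.5", "10.0.0.8", 50000),
    FlowRecord(BASE + 90, "10.0.0.2", "10.0.0.1", 500),
    FlowRecord(BASE + 130, "10.0.0.2", "10.0.0.1", 900),
    FlowRecord(BASE + 140, "10.0.0.5", "10.0.0.9", 100),
]


def build_archive():
    archive = SegmentArchive()
    for rec in SAMPLE_FLOWS:
        archive.record(rec)
    return archive


if __name__ == "__main__":
    arch = build_archive()
    print("console snapshot:", arch.snapshot())
    frames = arch.playback(BASE, BASE + 180)
    for bucket, top in frames:
        print(bucket, top)
    print("bursts:", find_burst(frames, 10000))
```

The snapshot is what the console would fetch on a poll; the playback answers "what happened two minutes ago" from data that never left the segment, which is how a collector can stay low-bandwidth and still support after-the-fact investigation.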
Implementation
• Deployed in the National Advanced IPv6 Centre, NEC, and the School of Computer Science, USM.
• POC done for UUM and UPM.
• In discussion with a National Bank of Panama, St George Bank Panama, MDeC, TPM.

Enterprise Level overview
[Diagram: enterprise-level overview; labels recovered: Segment 2, Monitoring Center.]
Enterprise and ISP Level overview
[Diagram: enterprise and ISP level overview.]
Thank You
Q&A