Security Monitoring In Your Network
Strategies to Safeguard Your Network Using NetScout’s 3900 Series Packet Flow Switch
Ray Jones
Director of Solutions Architecture and Field Enablement
A BAD YEAR for Cyber Security
Entertainment, Gov’t & Health Care, Platform, Retail, Financial
Cyber Security Monitoring: Two Challenges
1. Obscurity: the adversary often intentionally evades detection
2. Transience: the sequence of events may be difficult to reproduce
What you’ll learn today
AGENDA
1. 3900 SERIES PACKET FLOW SWITCH INTRODUCTION: extend visibility & take control of your monitoring environment
2. DYNAMIC TARGETING: expedite & automate incident response
3. FILTERING TOOLS: optimize security monitoring tool performance
3900 SERIES PACKET FLOW SWITCH INTRODUCTION
Scalable, flexible, feature rich.
nGenius 3900 Series Packet Flow Switch

3901 Chassis: up to 48 ports 1/10 GbE + 4 ports 40 GbE*
• 1RU modular switch
• Small single-site or multi-site deployments needing 16 to 48 ports

3903 Chassis: up to 144 ports 1/10 GbE + 12 ports 40 GbE*
• 3RU modular switch
• Medium to large single-site or multi-site deployments needing > 48 ports
• Pay-as-you-grow modules & chassis

Centralized Management (PFS Management Software)
• Supports > 4000 ports with PFS Management Software
• Large site deployments needing > 144 ports

* 100G Early Field Trial Available
nGenius 3900 Series Packet Flow Switch: chassis and redundancy
• Redundant switch controllers: reside on each blade, automatic failover
• Redundant Ethernet management ports
• Redundant AC/DC power supplies
• Serial console port
• Built-in GUI Management or PFS Management System
• 1U and 3U Base Chassis Options
• Modular + Stackable Monitoring Fabric Growth
• 1/10/40Gbps Native per Blade
• Full Line Rate, All-Inclusive Blade Based Features
• 100G Early Field Trial Available
Interface Blade
• FlexPorts supporting 1/10/40G
• Up to 48 x 1/10G per RU
• Up to 4 x 40G per RU
nGenius 3900 Series Packet Flow Switch: features on blade
• Full-duplex 720Gbps line-rate processing
• Scalable: up to 48 ports 1/10G, 4 x 40G per blade
• Advanced switching engine with extensible microcode
• Industry-leading low latency (< 600ns deterministic)
• L2-L7 filtering and many-to-any aggregation
• Load balancing and replication
• Source ID tagging
• Header stripping
• Packet slicing/truncation
• Packet deduplication
• Time stamping
• Console port access
Blade port groups: 16x 1G/10G; 4x 40G or 16x 1G/10G; 16x 1G/10G
[Diagram: nGenius 3900 Series Packet Flow Switch deployed across the Network between Site A and Site B]
DYNAMIC TARGETING
Ensuring rapid, reliable incident response.
Dynamic Targeting: Problem & Requirement
• Problem: security events may require reactive changes to the monitoring fabric.
• Requirement: implement dynamic, automated changes via a secure management channel.
Use Case: Targeted packet capture for suspect flows
[Diagram: Network TAPs at Site A and Site B feed the PFS, which feeds a Continuous Monitoring tool and an Escalation Analysis tool]
1. Traffic flows through TAPs to Sites A & B
2. PFS steers traffic from TAPs to Monitoring tools
3. Monitoring tool detects suspicious activity
4. a) Script configures packet flow switch to target IP address
   b) Script activates Escalation Analysis tool
5. PFS sends targeted traffic to Escalation Analysis tool
Scripting for Dynamic Targeting
• nGeniusONE: optimized management for monitoring tools
• PFS Manager: management for the PFS (see the nGenius PFS Management Software Administrator Guide)
• SSH client: SSH from client to PFS and monitoring tools
Sample PFS SSH/CLI Script
(Python 3; requires the paramiko and paramiko-expect packages)

    import paramiko
    from paramiko_expect import SSHClientInteraction

    def main():
        client = paramiko.SSHClient()
        client.load_system_host_keys()
        # AutoAddPolicy accepts unknown host keys; for production, pin the PFS host key in known_hosts instead
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        prompt = '=> '
        hostname = '10.88.39.192'    # Replace with actual IP address of PFS or PFS Mgmt Server
        username = 'administrator'   # Replace if you need to use a different user; normally "administrator" is correct
        password = 'netscout1'       # Replace with actual password
        # Presumes that PFS CLI SSH uses default port 22022
        client.connect(hostname, port=22022, username=username, password=password)
        interact = SSHClientInteraction(client, timeout=10, display=True)
        interact.expect(prompt)      # wait for the CLI prompt before sending anything
        #
        input('Press Enter to continue')
        # Add a rule that permits IP traffic to or from the suspect address
        interact.send("Add Rule 'Dynamic Target' 'permit ip && ip.addr==192.168.0.171'")
        interact.expect(prompt)
        cmd_output = interact.current_output_clean   # CLI response to the Add Rule command
        print(cmd_output)
        client.close()

    if __name__ == '__main__':
        main()
What should the system do?
Upon trigger detection:
1. Create Rule(s) based upon trigger, e.g., IP address
2. Create Filter(s) and assign Rule(s) to it
3. Connect Source Port(s) via Filter(s) to Destination Port(s)
4. Prepare Escalation Analysis platform.
Following “All Clear”:
5. Restore original configuration
Components of Dynamic Targeting
1. Preparation: define/configure interfaces to PFS, Tools
2. Identification: establish triggers for response
3. Response: initiate changes to monitoring infrastructure
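The identification, response and restore steps above, carried through as an added example (not the deck's sample script and not NetScout code). The only PFS CLI command it emits is the Add Rule line from the sample script; "Delete Rule" is an assumed placeholder for the restore step, the alert line is constructed, and the SSH session is replaced by an in-memory fake so it runs offline. The point it adds to the slide is that the trigger value comes from an alert the adversary may have shaped, so it is validated as an address before it goes anywhere near the CLI, and every change is pushed onto a stack with its inverse so the "All Clear" step can unwind in order.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed alert line in an IDS-like shape (sample data, not real tool output).
SAMPLE_ALERT = ("01/09-02:14:07.123 [**] [1:9999999:1] SAMPLE SCAN alert [**] "
                "[Priority: 2] {TCP} 192.168.0.171:51234 -> 10.88.39.10:22")

FLOW_RE = re.compile(r"\{[A-Z]+\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+"
                     r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+")


def extract_trigger_ip(alert: str) -> str:
    """Identification: pull the suspect source address out of the alert and validate it.
    Alert fields may be attacker-influenced, so the value is parsed with ipaddress
    rather than spliced into the CLI string as-is; anything unusual raises."""
    m = FLOW_RE.search(alert)
    if not m:
        raise ValueError("no flow tuple found in alert")
    ip = ipaddress.ip_address(m.group("src"))
    if ip.is_multicast or ip.is_unspecified or ip.is_loopback:
        raise ValueError(f"refusing to target {ip}")
    return str(ip)


def add_rule_cmd(name: str, ip: str) -> str:
    """Build the Add Rule command in the syntax shown in the deck's sample script."""
    if not re.fullmatch(r"[A-Za-z0-9 _-]+", name):
        raise ValueError("rule name contains characters unsafe for the CLI")
    return f"Add Rule '{name}' 'permit ip && ip.addr=={ip}'"


def delete_rule_cmd(name: str) -> str:
    """ASSUMED inverse command (placeholder); confirm the real syntax in the Administrator Guide."""
    return f"Delete Rule '{name}'"


@dataclass
class Responder:
    send: Callable[[str], str]                                   # transport: one CLI line in, output back
    applied: List[Tuple[str, str]] = field(default_factory=list)  # (command, inverse) stack

    def _apply(self, command: str, inverse: str) -> None:
        self.send(command)
        self.applied.append((command, inverse))

    def respond(self, alert: str, rule_name: str = "Dynamic Target") -> str:
        """Response: create the targeting rule and remember how to undo it."""
        ip = extract_trigger_ip(alert)
        self._apply(add_rule_cmd(rule_name, ip), delete_rule_cmd(rule_name))
        return ip

    def all_clear(self) -> List[str]:
        """Restore the original configuration by replaying inverses, last change first."""
        undone = []
        while self.applied:
            _, inverse = self.applied.pop()
            self.send(inverse)
            undone.append(inverse)
        return undone


class FakePfs:
    """In-memory stand-in for the SSH session so the flow can be exercised offline."""
    def __init__(self) -> None:
        self.log: List[str] = []

    def send(self, line: str) -> str:
        self.log.append(line)
        return "=> "          # echo the PFS prompt the sample script waits for


def run_demo() -> Tuple[List[str], str, List[str]]:
    pfs = FakePfs()
    responder = Responder(pfs.send)
    ip = responder.respond(SAMPLE_ALERT)
    undone = responder.all_clear()
    return pfs.log, ip, undone


if __name__ == "__main__":
    log, ip, undone = run_demo()
    print("targeted:", ip)
    print("\n".join(log))
```

Steps 2 to 4 of the slide (filter creation, port connection, preparing the escalation tool) would be further `_apply` calls with their own inverses; they are left out because their CLI syntax is not shown on the page. To run it against a real switch, pass a `send` that wraps `interact.send` plus `interact.expect(prompt)` from the sample script.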
FILTERING TOOLS
Everything you need, and nothing you don’t.
Filtering: Problem & Requirement
• Problem: cyber tools may become congested by high traffic volumes.
• Requirement: filter for traffic of interest, and expect to make changes later.
[Diagram: Total Network Activity narrowed to Traffic of Interest, within which the Threat sits]
Use Case: Limit traffic to necessary content
[Diagram: several Network links, with Link Utilization and Packet Rate shown, feed one CyberSecurity Monitoring tool, which is flagged (!)]
Filtering Techniques
• Criteria
  – Layer 2: MAC, VLAN ID & Priority, Ethertype
  – Layer 3: IP address, Payload type
  – Layer 4: TCP/UDP Port, Protocol
  – DPI: Custom Mask & Offset
• Dimension
  – Direction: Side A v. Side B, Source v. Destination
  – Criteria: Permit v. Deny per Criterion
  – Range: Efficient Address Masking
  – Types: Connection v. Destination
Filtering Structure – Building Blocks
• Criteria
• Rules
• Filter
• Topology
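How the criteria and dimensions above stack into rules and a filter, as an added software model that is not PFS firmware or NetScout code. It parses constructed Ethernet/802.1Q/IPv4/TCP frames and evaluates L2 (VLAN), L3 (address with a CIDR mask), L4 (port, protocol) and DPI (mask and offset) criteria with the Source v. Destination and Permit v. Deny dimensions. Assumptions: the combining semantics inside a rule (every permit criterion must match and no deny criterion may match), the rule names and frames, and that DPI offsets count from the start of the frame. The hardware does this at line rate; the model is only for checking what a filter will and will not pass before you commit it.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

ETH_VLAN, ETH_IPV4 = 0x8100, 0x0800

def parse_frame(raw: bytes) -> Dict[str, Any]:
    """Decode Ethernet (+ optional 802.1Q tag), IPv4 and TCP/UDP headers into a flat dict."""
    f: Dict[str, Any] = {"raw": raw, "dst_mac": raw[0:6].hex(":"), "src_mac": raw[6:12].hex(":"),
                         "vlan": None, "pcp": None}
    etype, off = struct.unpack("!H", raw[12:14])[0], 14
    if etype == ETH_VLAN:                       # VLAN ID & Priority live in the 802.1Q TCI
        tci, etype = struct.unpack("!HH", raw[14:18])
        f["vlan"], f["pcp"], off = tci & 0x0FFF, tci >> 13, 18
    f["ethertype"] = etype
    if etype == ETH_IPV4:
        ihl = (raw[off] & 0x0F) * 4
        f["proto"] = raw[off + 9]
        f["src_ip"] = str(ipaddress.IPv4Address(raw[off + 12:off + 16]))
        f["dst_ip"] = str(ipaddress.IPv4Address(raw[off + 16:off + 20]))
        if f["proto"] in (6, 17):               # TCP/UDP: ports are the first two L4 fields
            f["sport"], f["dport"] = struct.unpack("!HH", raw[off + ihl:off + ihl + 4])
    return f

@dataclass
class Criterion:
    kind: str                # "mac" | "vlan" | "ethertype" | "ip" | "proto" | "port" | "dpi"
    value: Any               # MAC, VLAN id, ethertype, CIDR, protocol number, port, or (offset, mask, want)
    side: str = "any"        # Source v. Destination: "src" | "dst" | "any"
    action: str = "permit"   # Permit v. Deny per Criterion
    SIDED = {"mac": ("src_mac", "dst_mac"), "ip": ("src_ip", "dst_ip"), "port": ("sport", "dport")}

    def matches(self, f: Dict[str, Any]) -> bool:
        if self.kind in self.SIDED:
            src_key, dst_key = self.SIDED[self.kind]
            keys = {"src": [src_key], "dst": [dst_key], "any": [src_key, dst_key]}[self.side]
            vals = [f[k] for k in keys if f.get(k) is not None]
            if self.kind == "ip":               # one CIDR mask covers a whole address range
                net = ipaddress.ip_network(self.value, strict=False)
                return any(ipaddress.ip_address(a) in net for a in vals)
            return self.value in vals
        if self.kind == "dpi":                  # custom mask & offset, counted from the start of the frame
            offset, mask, want = self.value
            window = f["raw"][offset:offset + len(mask)]
            return len(window) == len(mask) and bytes(b & m for b, m in zip(window, mask)) == want
        if self.kind in ("vlan", "ethertype", "proto"):
            return f.get(self.kind) == self.value
        raise ValueError(f"unknown criterion kind {self.kind}")

@dataclass
class Rule:
    name: str
    criteria: List[Criterion]

    def matches(self, f: Dict[str, Any]) -> bool:
        # Assumed combining semantics: every permit criterion matches and no deny criterion matches.
        return all(c.matches(f) == (c.action == "permit") for c in self.criteria)

def classify(rules: List[Rule], raw: bytes) -> Tuple[str, str]:
    """A filter is an ordered rule list: the first match forwards the frame, otherwise it is dropped."""
    f = parse_frame(raw)
    for r in rules:
        if r.matches(f):
            return "permit", r.name
    return "deny", "default"

def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, proto: int = 6,
                vlan: Optional[int] = None, payload: bytes = b"") -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP test frame (checksums left zero)."""
    eth = bytes.fromhex("001122334455" "66778899aabb")        # constructed dst / src MACs
    if vlan is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan)
    eth += struct.pack("!H", ETH_IPV4)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == 6 else 4) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4

def demo_rules() -> List[Rule]:
    return [
        Rule("Dynamic Target", [Criterion("ip", "192.168.0.171/32")]),   # the deck's suspect host, either direction
        Rule("DMZ TLS handshakes", [Criterion("ip", "10.88.39.0/24", side="dst"), Criterion("port", 443, side="dst"),
                                    # TLS record header (type 0x16, version 3.1) sits at offset 54 in untagged frames
                                    Criterion("dpi", (54, b"\xff\xff\xff", b"\x16\x03\x01"))]),
        Rule("Backup VLAN minus SSH", [Criterion("vlan", 200), Criterion("proto", 6),
                                       Criterion("port", 22, side="dst", action="deny")]),
    ]

def run_demo() -> List[Tuple[str, str]]:
    frames = [
        build_frame("192.168.0.171", "10.1.1.1", 51234, 22),                                    # suspect host
        build_frame("10.0.0.5", "10.88.39.10", 40000, 443, payload=b"\x16\x03\x01\x00\x10"),  # TLS to DMZ
        build_frame("10.0.0.5", "10.88.39.10", 40001, 443, payload=b"GET / HTTP/1.1"),        # 443 but not TLS
        build_frame("10.20.0.9", "10.20.0.1", 50000, 873, vlan=200),                            # backup VLAN rsync
        build_frame("10.20.0.9", "10.20.0.1", 50001, 22, vlan=200),                             # backup VLAN ssh
        build_frame("10.0.0.5", "10.1.1.1", 40002, 80),                                         # nothing of interest
    ]
    return [classify(demo_rules(), fr) for fr in frames]
```

Note the DPI criterion's weakness, which is also why it is efficient: the offset is absolute, so a VLAN tag shifts the TLS header four bytes and the same rule stops matching on tagged links; pair a DPI criterion with a VLAN or ethertype criterion that pins the frame layout it expects.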
Flexible Filtering: Connection v. Destination
• Filter on Connection
• Filter at Destination
Dynamic Targeting: On-demand Filter creation
[Diagram: Network TAPs at Site A and Site B feed the PFS, which feeds Continuous Monitoring and Escalation Analysis tools]
• Both Connection and Destination Filters work for Dynamic Targeting
• Filtering occurs in hardware at line-rate
• Filter changes are non-disruptive (except adding a Connection Filter into a Connection - obviously)
Traffic Conditioning: Problem & Requirement
• Problem: a cyber monitoring tool may be unable to parse some packet headers, rendering payload analysis impossible.
• Requirement: condition traffic within the monitoring switch.
DPI Challenges for Legacy Cyber Tools

Technology        | InfiniStream                    | Legacy Cyber Monitoring Tools                         | Mitigation
Cisco VN-Tag      | Parses header, analyzes content | Possibly confused by header, cannot parse traffic (!) | PFS strips VN-Tag
Cisco FabricPath  | Parses header, analyzes content | Possibly confused by header, cannot parse traffic (!) | PFS strips FabricPath
Duplicate packets | Ignores duplicates              | May report false errors (!)                           | PFS dedups at L2 & L3
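Two of the table's mitigations in software, as an added example that is not PFS code: stripping a VN-Tag so a legacy tool finds the IP header where it expects it, and deduplicating at L2 versus L3. It assumes the standard VN-Tag layout (EtherType 0x8926 followed by a 4-byte tag, inserted between the source MAC and the original EtherType) and uses a constructed IPv4/UDP frame with valid checksums; FabricPath stripping is not shown. The L2/L3 distinction is the useful part: the same packet tapped before and after a router hop differs in MACs, TTL and IP checksum, so an L2 dedup never catches it, while an L3 key that zeroes those fields does.

```python
import hashlib
import struct
import time
from collections import OrderedDict
from typing import Dict, Optional

ETH_VNTAG, ETH_VLAN, ETH_IPV4 = 0x8926, 0x8100, 0x0800


def strip_vntag(frame: bytes) -> bytes:
    """Remove a Cisco VN-Tag (EtherType 0x8926 + 4-byte tag) so the original EtherType
    follows the MACs again; frames without the tag are returned unchanged."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == ETH_VNTAG:
        return frame[:12] + frame[18:]
    return frame


def l2_key(frame: bytes) -> bytes:
    """L2 dedup key: the whole frame, so only bit-identical copies collapse."""
    return hashlib.sha256(frame).digest()


def l3_key(frame: bytes) -> Optional[bytes]:
    """L3 dedup key: IP header onward with TTL and header checksum zeroed, so the same
    packet seen on both sides of a router hashes to one key. None for non-IP frames."""
    etype, off = struct.unpack("!H", frame[12:14])[0], 14
    if etype == ETH_VLAN:
        etype, off = struct.unpack("!H", frame[16:18])[0], 18
    if etype != ETH_IPV4 or len(frame) < off + 20:
        return None
    ip = bytearray(frame[off:])
    ip[8] = 0                   # TTL
    ip[10:12] = b"\x00\x00"     # IP header checksum
    return hashlib.sha256(bytes(ip)).digest()


class Deduplicator:
    """Time-window duplicate suppressor keyed at L2 or L3, with bounded memory."""

    def __init__(self, layer: int = 3, window: float = 0.1, capacity: int = 100_000) -> None:
        self.layer, self.window, self.capacity = layer, window, capacity
        self.seen: "OrderedDict[bytes, float]" = OrderedDict()   # key -> last-seen time

    def is_duplicate(self, frame: bytes, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        key = (l3_key(frame) if self.layer == 3 else None) or l2_key(frame)   # non-IP falls back to L2
        while self.seen:                                        # expire entries older than the window
            _, seen_at = next(iter(self.seen.items()))
            if now - seen_at <= self.window:
                break
            self.seen.popitem(last=False)
        duplicate = key in self.seen
        self.seen[key] = now
        self.seen.move_to_end(key)
        if len(self.seen) > self.capacity:
            self.seen.popitem(last=False)
        return duplicate


# Constructed sample: Ethernet / IPv4 / UDP frame with no payload (checksum 0x66ce is valid for it).
BASE = bytes.fromhex("aabbccddee01 aabbccddee02 0800"
                     "4500001c 00010000 4011 66ce 0a000001 0a000002"
                     "0035d431 00080000")


def routed_copy(frame: bytes) -> bytes:
    """The same packet tapped after one router hop: new MACs, TTL-1, checksum adjusted."""
    f = bytearray(frame)
    f[0:12] = bytes.fromhex("aabbccddee03aabbccddee04")
    f[22] -= 1                      # TTL (Ethernet 14 + IP offset 8)
    f[24:26] = b"\x67\xce"          # ones-complement checksum rises by 0x100 as TTL falls by 1
    return bytes(f)


def vntagged_copy(frame: bytes) -> bytes:
    """The same frame with a VN-Tag inserted after the MACs (tag bytes constructed)."""
    return frame[:12] + struct.pack("!H", ETH_VNTAG) + bytes.fromhex("00010002") + frame[12:]


def run_demo() -> Dict[str, bool]:
    routed, tagged = routed_copy(BASE), vntagged_copy(BASE)
    l2, l3 = Deduplicator(layer=2), Deduplicator(layer=3)
    return {
        "vntag_stripped_equals_original": strip_vntag(tagged) == BASE,
        "l2_misses_routed_copy": not l2.is_duplicate(BASE, 0.0) and not l2.is_duplicate(routed, 0.01),
        "l2_catches_exact_copy": l2.is_duplicate(BASE, 0.02),
        "l3_catches_routed_copy": not l3.is_duplicate(BASE, 0.0) and l3.is_duplicate(routed, 0.01),
        "l3_forgets_after_window": not l3.is_duplicate(BASE, 1.0),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The window matters for the false-error problem in the table: too short and the second tap's copy arrives after the first has expired, so the tool still sees both; too long and a legitimate retransmission (same L3 content, new TTL) is swallowed. Size it to the longest path difference between the two tap points, not to an arbitrary default.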
Summary
1. DYNAMIC TARGETING: expedite incident response, especially after hours
2. FILTERING TOOLS: optimize monitoring tool performance
3. ADVANCED TIPS & TRICKS: traffic conditioning, metrics, load-balancing, baselining
Summary
1. 3900 SERIES PFS OVERVIEW: improve visibility while controlling scale
2. DYNAMIC TARGETING: expedite incident response, especially after hours
3. FILTERING TOOLS: optimize monitoring tool performance
THANK YOU