HSB15 - Pavel Minarik - INVEATECH
[Slide 1]
Pavel Minařík, CTO
Flow-based network visibility and its role in cyber defense
Holland Strikes Back, 27th October, Den Haag
[Slide 2]
Re-think Your Security
Neil MacDonald, VP Distinguished Analyst at Gartner Security & Risk Management Summit
[Slide 3]
One Example For All
[Slide 4]
One Example For All
[Slide 5]
Monitoring Tools
• Traditional monitoring
  Availability of services and network components
  SNMP polling (interfaces, resources)
  100+ tools and solutions on a commercial and open-source basis (Cacti, Zabbix, Nagios, …)
• Next-generation monitoring
  Traffic visibility on various network layers
  Detection of security and operational issues
  Network/application performance monitoring
  Full packet capture for troubleshooting
[Slide 6]
Monitoring Tools
SNMP polling
Flow monitoring
Packet capture and analysis
[Slide 7]
Monitoring Tools
• SNMP monitoring
  Amount of transferred data and number of packets; insufficient on its own
• Flow monitoring (based on IP flows)
  Detailed traffic structure visibility and reporting
• Packet analysis
  For forensics and specific troubleshooting issues
Figure labels: "Basic monitoring" (SNMP) and "Advanced visibility but usually missing!" (flow monitoring, packet analysis)
[Slide 8]
Flow Monitoring Principle
[Slide 9]
Flow Sources
• Enterprise-class network equipment
  Routers, switches
  Firewalls and UTM devices
  Virtualized platforms
• Flow probes
  Dedicated appliances for flow export
• Various standards
  NetFlow v5/v9, jFlow, NetStream, cflowd, sFlow
  IPFIX = IETF standard, flexible monitoring
[Slide 10]
Flow Gathering Schemes

| | Probe on a SPAN port | Probe on a TAP | Flows from switch/router |
|---|---|---|---|
| Pros | Accuracy; performance; L2/L3/L4/L7 visibility | Same as on a SPAN; all packets captured; separates RX and TX | Already available; no additional HW; traffic on interfaces |
| Cons | May reach capacity limit; no interface number | Additional HW | Usually inaccurate; visibility L3/L4 only; performance impact |
| Facts | Fits most customers; limited number of SPANs | 2 monitoring ports | Always test before use |
| Use | Enterprise networks | ISP uplinks, DCs | Branch offices (MPLS, …) |
[Slide 11]
Traffic Analysis (using flow)
• Bridges the gap left by endpoint and perimeter security solutions
• Behavior-based anomaly detection (NBA)
• Detection of security and operational issues
  Attacks on network services, network reconnaissance
  Infected devices and botnet C&C communication
  Anomalies of network protocols (DNS, DHCP, …)
  P2P traffic, TOR, on-line messengers, …
  DDoS attacks and vulnerable services
  Configuration issues
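As an added illustration of two points from these slides (NetFlow v5 as one of the export formats listed under Flow Sources, and detection of network reconnaissance from flow data as listed here), not code from the talk or from Flowmon/INVEA-TECH products: a minimal NetFlow v5 decoder and a port-scan detector run over a constructed export datagram. The field layout follows the published NetFlow v5 record format; the addresses, counts and thresholds are made-up assumptions.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header followed by 48-byte records (big-endian).
HDR = struct.Struct("!HHIIIIBBH")
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    version, count = HDR.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("truncated export: header announces %d records" % count)
    flows = []
    for i in range(count):
        r = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "pkts": r[5], "bytes": r[6], "sport": r[9], "dport": r[10],
                      "tcp_flags": r[12], "proto": r[13]})
    return flows

def detect_port_scans(flows, min_targets=20, max_pkts=2):
    """Reconnaissance pattern: one source touching many (host, port) pairs with
    tiny TCP flows. Thresholds are assumptions; tune them per network."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["pkts"] <= max_pkts:
            targets[f["src"]].add((f["dst"], f["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def build_datagram(records):
    """Pack (src, dst, sport, dport, pkts, bytes) tuples into a v5 datagram.
    Constructed test data only: uptime, timestamps and AS numbers are zeroed."""
    header = HDR.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        REC.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4, 1, 2,
                 pk, by, 0, 0, sp, dp, 0, 0x02, 6, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pk, by in records)
    return header + body

# Constructed sample: 10.0.0.5 sweeps 25 ports on one host with single-packet SYN flows; 10.0.0.7 has one ordinary HTTPS session.
SAMPLE = build_datagram(
    [("10.0.0.5", "10.0.1.10", 40000 + p, p, 1, 60) for p in range(1, 26)]
    + [("10.0.0.7", "10.0.1.20", 51234, 443, 420, 310000)])

if __name__ == "__main__":
    print(detect_port_scans(parse_netflow_v5(SAMPLE)))  # {'10.0.0.5': 25}
```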
[Slide 12]
Flow vs. Packet Analysis
Flow + L7 visibility can do even 95%
[Slide 13]
Flow vs. Packet Analysis

| | Strong aspects | Weak aspects |
|---|---|---|
| Flow data | Works in high-speed networks; resistant to encrypted traffic; visibility and reporting; network behavior analysis | No application-layer data; sometimes not enough details; sampling (routers, switches) |
| Packet analysis | Full network traffic; enough details for troubleshooting; supports forensic analysis; signature-based detection | Useless for encrypted traffic; usually too much detail; very resource consuming |

• Solution?
  Take advantage of the strong aspects of both in one solution
  Versatile and flexible probes for visibility into all network layers
[Slide 14]
Multi-level Visibility
• Demonstrated on a path traversal attack
  Flow-level visibility
  Automated detection using flow analysis
  Detailed application-level monitoring
  Full packet capture
Figure labels: Flow, ADS, APM, Packet capture
[Slide 15]
Flow Data
• Obvious network anomaly
[Slide 16]
Anomaly Detection
• Detection and interpretation of network anomaly
[Slide 17]
Performance Monitoring
• L7 visibility into the attack, performance impact
  Full URL, UserAgent, …
[Slide 18]
Packet Capture & Analysis
• Traffic capture (PCAP) for subsequent forensic analysis using Wireshark
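An added example (not code from the talk or from Flowmon's products) of the application-level step in the demonstration above: once a probe exports the full URL and User-Agent per HTTP flow, traversal attempts can be flagged from those L7 records and pivoted by source before anyone opens a PCAP. The records, addresses, parameter name and User-Agent strings are constructed.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed L7 flow records as an application-aware probe would export them
# (source, full URL, User-Agent per HTTP request); not captured traffic.
L7_FLOWS = [
    {"src": "10.0.0.5", "ua": "curl/7.64", "url": "/dl?file=../../../../etc/passwd"},
    {"src": "10.0.0.5", "ua": "curl/7.64", "url": "/dl?file=..%2F..%2Fetc%2Fshadow"},
    {"src": "10.0.0.5", "ua": "curl/7.64", "url": "/dl?file=%252e%252e%252fetc/hosts"},
    {"src": "10.0.0.9", "ua": "Mozilla/5.0", "url": "/dl?file=report.pdf"},
    {"src": "10.0.0.9", "ua": "Mozilla/5.0", "url": "/static/img/../css/site.css"},
]

def decode_fully(s, rounds=3):
    """Undo repeated percent-encoding (double-encoded input slips past a
    single-pass filter); stop once a round changes nothing."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def escapes_root(path):
    """True if '..' segments climb above the starting directory. A '..' that
    stays inside the tree (img/../css) is normal and is not flagged."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def find_traversal(flows):
    """Check the request path and every query value of each L7 record."""
    hits = []
    for f in flows:
        path, _, query = decode_fully(f["url"]).partition("?")
        values = [kv.partition("=")[2] for kv in query.split("&")]
        if any(escapes_root(p) for p in [path] + values):
            hits.append(f)
    return hits

def summarize(hits):
    """Group hits by source and User-Agent, the pivot an analyst would use next."""
    return Counter((h["src"], h["ua"]) for h in hits)

if __name__ == "__main__":
    print(summarize(find_traversal(L7_FLOWS)))  # Counter({('10.0.0.5', 'curl/7.64'): 3})
```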
[Slide 19]
Fighting Advanced Threats
Network visibility is an essential component of new protection strategies against advanced attacks.
[Slide 20]
Flowmon Networks a.s., U Vodárny 2965/2, 616 00 Brno, Czech Republic, www.invea.com
High-Speed Networking Technology Partner
Questions?
Pavel Minařík, [email protected]
+420 733 713 703