HSB15 - Pavel Minarik - INVEATECH


Transcript of HSB15 - Pavel Minarik - INVEATECH

Page 1: HSB15 - Pavel Minarik - INVEATECH

Pavel Minařík, CTO

Flow-based network visibility and its role in cyber defense

[email protected]

Holland Strikes Back, 27th October, Den Haag

Page 2: HSB15 - Pavel Minarik - INVEATECH

Re-think Your Security

Neil MacDonald, VP Distinguished Analyst at Gartner Security & Risk Management Summit

Page 3: HSB15 - Pavel Minarik - INVEATECH

One Example For All

Page 4: HSB15 - Pavel Minarik - INVEATECH

One Example For All

Page 5: HSB15 - Pavel Minarik - INVEATECH

Monitoring Tools

• Traditional monitoring

Availability of services and network components

SNMP polling (interfaces, resources)

100+ tools and solutions on a commercial and open-source basis (Cacti, Zabbix, Nagios, …)

• Next-generation monitoring

Traffic visibility on various network layers

Detection of security and operational issues

Network/Application performance monitoring

Full packet capture for troubleshooting

Page 6: HSB15 - Pavel Minarik - INVEATECH

Monitoring Tools

SNMP polling

Flow monitoring

Packet capture and analysis

Page 7: HSB15 - Pavel Minarik - INVEATECH

Monitoring Tools

• SNMP monitoring

Amount of transferred data and number of packets only; insufficient on its own

• Flow monitoring (based on IP flows)

Detailed traffic structure visibility and reporting

• Packet analysis

For forensics and specific troubleshooting issues

Basic monitoring

Advanced visibility, but usually missing!

Page 8: HSB15 - Pavel Minarik - INVEATECH

Flow Monitoring Principle
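The principle behind this slide, shown as an added example that is not part of the original deck: a flow exporter (probe or router) keys packets by the 5-tuple, accumulates packet and byte counters, and exports the record when the flow is idle for longer than the inactive timeout or open for longer than the active timeout, which is how NetFlow/IPFIX exporters behave. The packet records, timeout values and class names are constructed for this example.

```python
"""Added example (not from the slides): how packets become flow records.

Constructed packet records stand in for what a probe on a SPAN/TAP or a
router sees. A flow is keyed by the 5-tuple (src IP, dst IP, protocol,
src port, dst port); packet and byte counters accumulate until the flow
expires on an inactive timeout (no packet for N seconds) or an active
timeout (long-lived flow reported periodically) and the record is then
exported. Timeout values are assumptions chosen for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int, int]  # src_ip, dst_ip, proto, src_port, dst_port


@dataclass
class Packet:
    ts: float
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    length: int


@dataclass
class FlowRecord:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    """Minimal flow cache with NetFlow-style active/inactive expiration."""

    def __init__(self, inactive_timeout: float = 15.0, active_timeout: float = 1800.0):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.cache: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[FlowRecord] = []

    def _expire(self, now: float) -> None:
        # Export every flow that has been idle too long or open too long.
        for key, rec in list(self.cache.items()):
            idle = now - rec.last_seen
            age = now - rec.first_seen
            if idle > self.inactive_timeout or age > self.active_timeout:
                self.exported.append(self.cache.pop(key))

    def add(self, pkt: Packet) -> None:
        self._expire(pkt.ts)
        key: FlowKey = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
        rec = self.cache.get(key)
        if rec is None:
            rec = FlowRecord(key, pkt.ts, pkt.ts)
            self.cache[key] = rec
        rec.last_seen = pkt.ts
        rec.packets += 1
        rec.octets += pkt.length

    def flush(self) -> List[FlowRecord]:
        # End of capture: export whatever is still in the cache.
        self.exported.extend(self.cache.values())
        self.cache.clear()
        return self.exported


# Constructed sample: one HTTP request/response pair, then the same client
# returns 40 s later, long after the inactive timeout, so a new flow starts.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", "10.0.0.10", 6, 51000, 80, 60),
    Packet(1.0, "10.0.0.5", "10.0.0.10", 6, 51000, 80, 60),
    Packet(1.5, "10.0.0.10", "10.0.0.5", 6, 80, 51000, 1500),
    Packet(2.0, "10.0.0.5", "10.0.0.10", 6, 51000, 80, 500),
    Packet(2.5, "10.0.0.10", "10.0.0.5", 6, 80, 51000, 1500),
    Packet(40.0, "10.0.0.5", "10.0.0.10", 6, 51000, 80, 60),
]


def aggregate(packets: List[Packet], inactive_timeout: float = 15.0) -> List[FlowRecord]:
    """Run the packets through the cache and return all exported flow records."""
    cache = FlowCache(inactive_timeout=inactive_timeout)
    for pkt in sorted(packets, key=lambda p: p.ts):
        cache.add(pkt)
    return cache.flush()


if __name__ == "__main__":
    for rec in aggregate(SAMPLE_PACKETS):
        src, dst, proto, sport, dport = rec.key
        print(f"{src}:{sport} -> {dst}:{dport} proto={proto} "
              f"pkts={rec.packets} bytes={rec.octets} "
              f"dur={rec.last_seen - rec.first_seen:.1f}s")
```

Flows are unidirectional here, so the request and the response appear as two records; this is also why the sample's late packet produces a third record once the inactive timeout has expired the first one, whereas a 60 s inactive timeout would merge it into the original flow.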

Page 9: HSB15 - Pavel Minarik - INVEATECH

Flow Sources

• Enterprise-class network equipment

Routers, switches

Firewalls and UTM devices

Virtualized platforms

• Flow Probes

Dedicated appliances for flow export

• Various standards

NetFlow v5/v9, jFlow, NetStream, cflowd, sFlow

IPFIX = IETF standard, flexible monitoring

Page 10: HSB15 - Pavel Minarik - INVEATECH

Flow Gathering Schemes

Probe on a SPAN port

Pros • Accuracy • Performance • L2/L3/L4/L7 visibility

Cons • May reach capacity limit • No interface number

Facts • Fits most customers • Limited number of SPANs

Use • Enterprise networks

Probe on a TAP

Pros • Same as "on a SPAN" • All packets captured • Separates RX and TX

Cons • Additional HW

Facts • 2 monitoring ports

Use • ISP uplinks, DCs

Flows from switch/router

Pros • Already available • No additional HW • Traffic on interfaces

Cons • Usually inaccurate • Visibility L3/L4 • Performance impact

Facts • Always test before use

Use • Branch offices (MPLS, …)

Page 11: HSB15 - Pavel Minarik - INVEATECH

Traffic Analysis (using flow)

• Bridges the gap left by endpoint and perimeter security solutions

• Behavior based Anomaly Detection (NBA)

• Detection of security and operational issues

Attacks on network services, network reconnaissance

Infected devices and botnet C&C communication

Anomalies of network protocols (DNS, DHCP, …)

P2P traffic, TOR, on-line messengers, …

DDoS attacks and vulnerable services

Configuration issues
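The network reconnaissance item above is a typical behaviour-based (NBA) detection, so here is an added example of the logic, not code from the slides or from the vendor's product. It runs two heuristics over constructed flow records: a vertical scan (one source probing many ports on one host) and a horizontal scan (one source probing one port on many hosts). Flows with more than a couple of packets are treated as established sessions and ignored; the thresholds and record layout are assumptions for this example.

```python
"""Added example (not from the slides): reconnaissance detection on flow data.

Each constructed flow record is (src_ip, dst_ip, proto, dst_port, packets).
Probes normally leave one- or two-packet flows behind, so only such flows
count toward the scan heuristics. Thresholds are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, int, int]


def build_sample_flows() -> List[Flow]:
    """Constructed records: one normal client, one vertical and one horizontal scan."""
    flows: List[Flow] = []
    # Normal client: a few long sessions to one server.
    for port in (443, 443, 80):
        flows.append(("10.0.0.5", "10.0.0.10", 6, port, 120))
    # Vertical scan: ports 20-44 on a single host, one packet each.
    for port in range(20, 45):
        flows.append(("10.0.0.7", "10.0.1.1", 6, port, 1))
    # Horizontal scan: port 445 on 30 different hosts, one packet each.
    for host in range(1, 31):
        flows.append(("10.0.0.9", f"10.0.2.{host}", 6, 445, 1))
    return flows


def detect_scans(flows: List[Flow], port_threshold: int = 20,
                 host_threshold: int = 20, max_packets: int = 2) -> List[Dict]:
    """Return a list of findings; each is a dict with type, src and count."""
    ports_per_pair: Dict[Tuple[str, str], Set[int]] = defaultdict(set)  # (src, dst) -> ports
    hosts_per_port: Dict[Tuple[str, int], Set[str]] = defaultdict(set)  # (src, dport) -> hosts
    for src, dst, _proto, dport, pkts in flows:
        if pkts > max_packets:
            continue  # established session, not a probe
        ports_per_pair[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)

    findings: List[Dict] = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= port_threshold:
            findings.append({"type": "vertical_scan", "src": src,
                             "target": dst, "count": len(ports)})
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings.append({"type": "horizontal_scan", "src": src,
                             "port": dport, "count": len(hosts)})
    return findings


if __name__ == "__main__":
    for finding in detect_scans(build_sample_flows()):
        print(finding)
```

In production the same counters would be kept per time window and the thresholds tuned per network segment; a vulnerability scanner or monitoring system on the allow-list would otherwise raise the same alerts.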

Page 12: HSB15 - Pavel Minarik - INVEATECH

Flow vs. Packet Analysis

Flow data plus L7 visibility can cover even 95%

Page 13: HSB15 - Pavel Minarik - INVEATECH

Flow vs. Packet Analysis

Flow data

Strong aspects • Works in high-speed networks • Resistant to encrypted traffic • Visibility and reporting • Network behavior analysis

Weak aspects • No application layer data • Sometimes not enough details • Sampling (routers, switches)

Packet analysis

Strong aspects • Full network traffic • Enough details for troubleshooting • Supports forensic analysis • Signature-based detection

Weak aspects • Useless for encrypted traffic • Usually too much detail • Very resource consuming

• Solution?

Take advantage of the strong aspects of both in one solution

Versatile and flexible Probes for visibility into all network layers

Page 14: HSB15 - Pavel Minarik - INVEATECH

Multi-level Visibility

• Demonstrated on path traversal attack

Flow level visibility

Automated detection using flow analysis

Detailed application level monitoring

Full packet capture

Flow | ADS | APM | Packet capture

Page 15: HSB15 - Pavel Minarik - INVEATECH

Flow Data

• Obvious network anomaly

Page 16: HSB15 - Pavel Minarik - INVEATECH

Anomaly Detection

• Detection and interpretation of network anomaly

Page 17: HSB15 - Pavel Minarik - INVEATECH

Performance Monitoring

• L7 visibility into the attack, performance impact

Full URL, UserAgent, …
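What the L7 step of the path traversal demonstration looks like in code, as an added example that is not part of the slides or of the vendor's product: once the probe exports the full URL and User-Agent with the flow, a detector can decode percent-encoding (repeatedly, so double encoding is also caught) and flag any request whose path or query contains a ".." segment. The records, field names and helper functions are constructed for this example.

```python
"""Added example (not from the slides): path traversal detection on L7 flow fields.

The records are constructed to resemble the HTTP metadata an application
monitoring probe attaches to a flow (full URL, User-Agent). The check is
segment-based, so "..foo" does not fire but "..", "..%2F" and "%252e%252e" do.
"""
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Constructed sample records; the third and fourth carry traversal attempts.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"src": "10.0.0.5", "dst": "10.0.0.10", "url": "/index.html", "ua": "Mozilla/5.0"},
    {"src": "10.0.0.5", "dst": "10.0.0.10", "url": "/images/logo.png?v=2", "ua": "Mozilla/5.0"},
    {"src": "10.0.0.77", "dst": "10.0.0.10", "url": "/download?file=..%2F..%2Fconfig.ini", "ua": "curl/7.68.0"},
    {"src": "10.0.0.77", "dst": "10.0.0.10", "url": "/static/%252e%252e/%252e%252e/app.conf", "ua": "curl/7.68.0"},
    {"src": "10.0.0.8", "dst": "10.0.0.10", "url": "/docs/..foo/bar", "ua": "Mozilla/5.0"},
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double encoding is uncovered."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_dot_dot_segment(text: str) -> bool:
    # Split on both slash directions; only an exact ".." segment counts.
    return any(segment == ".." for segment in re.split(r"[/\\]", text))


def is_traversal_attempt(url: str) -> bool:
    """True if the decoded path or any query value contains a '..' segment."""
    parts = urlsplit(fully_decode(url))
    candidates = [parts.path]
    for pair in parts.query.split("&"):
        candidates.append(pair.split("=", 1)[1] if "=" in pair else pair)
    return any(has_dot_dot_segment(c) for c in candidates)


def find_traversal(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the L7 records that look like path traversal attempts."""
    return [r for r in records if is_traversal_attempt(r["url"])]


if __name__ == "__main__":
    for rec in find_traversal(SAMPLE_RECORDS):
        print(f'{rec["src"]} -> {rec["dst"]} {rec["url"]} ({rec["ua"]})')
```

Matching on the decoded segment rather than on the raw substring ".." keeps the false positive rate down on ordinary file names while still catching the encoded variants; the flagged source address is then the pivot for the packet capture step that follows.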

Page 18: HSB15 - Pavel Minarik - INVEATECH

Packet Capture & Analysis

• Traffic capture (PCAP) for subsequent forensic analysis using Wireshark

Page 19: HSB15 - Pavel Minarik - INVEATECH

Fighting Advanced Threats

Network visibility is an essential component of new protection strategies against advanced attacks.

Page 20: HSB15 - Pavel Minarik - INVEATECH

Flowmon Networks a.s., U Vodárny 2965/2, 616 00 Brno, Czech Republic, www.invea.com

High-Speed Networking Technology Partner

Questions?

Pavel Minařík, [email protected]

+420 733 713 703