Monitoring With Alterpoint And Cs Mars

© 2008 MindTree Consulting © 2008 MindTree Ltd Security Monitoring With CS-Mars and AlterPoint

Page 1: Monitoring With Alterpoint And Cs Mars

Security Monitoring With CS-MARS and AlterPoint

Page 2: Monitoring With Alterpoint And Cs Mars

Agenda

Security Fundamentals

Alterpoint

CS-MARS

Page 3: Monitoring With Alterpoint And Cs Mars

Security Fundamentals

What is a Secure Network?

A Lifetime of work

A Lifetime of Change

A Moving Target

The Goals of Network Security

Confidentiality

Data confidentiality implies keeping data private.

Integrity

Data integrity ensures that data has not been modified in transit.

Availability

The availability of data is a measure of the data’s accessibility.

Page 4: Monitoring With Alterpoint And Cs Mars

Potential Hacker

Categories of Hacker

White Hat Hacker

Black Hat Hacker

Gray hat Hacker

Script Kiddy

Hobby hacker

How a Hacker Hacks

Perform reconnaissance

Identify Running Applications and Operating System

Gain Access to the System

Log in with user credentials and escalate privileges

Create or gather other usernames and passwords

Create a backdoor

Page 5: Monitoring With Alterpoint And Cs Mars

Types of Attacks

Confidentiality Attack

Packet capture

Ping sweep and port scan

Dumpster diving

Wiretapping

Social engineering

Integrity Attack

Password attack (Trojan horse, packet capture, keylogger, dictionary attack)

Hijacking a session

Trust relationship exploitation

Availability Attack

Denial of service (DoS)

Distributed denial of service (DDoS)

TCP SYN flood

Electrical disturbances

Page 6: Monitoring With Alterpoint And Cs Mars

Defense in Depth

Deploy Security in Layers

Defend multiple attack targets in the network.

Protect the network infrastructure.

Create overlapping defenses

Use strong encryption technologies

Page 7: Monitoring With Alterpoint And Cs Mars

Security solutions

Two key components

AlterPoint

Provides Centralized Configuration

Cross-platform (many device types), GUI interface

Handles routers, switches, firewalls, access points, etc.

Cisco Security Monitoring, Analysis and Response System (CS-MARS)

Handles the monitoring, analysis and mitigation piece of the Cisco security solution

Correlates network events to avoid false positives

Uses Cisco NetFlow to identify anomalies

Page 8: Monitoring With Alterpoint And Cs Mars

AlterPoint

AlterPoint has strong capabilities for performing configuration changes, including ACL changes, on all network devices. It has already been selected as the primary application used to manage all network devices.

A total of 396 devices are managed via AlterPoint.

Page 9: Monitoring With Alterpoint And Cs Mars

Alterpoint - Inventory section

Provides access to the device inventory and configuration features of the system.

Compare current device configurations with other configurations

View device configuration history

Page 10: Monitoring With Alterpoint And Cs Mars

Inventory section (cont.)

Viewing Current Configuration

Page 11: Monitoring With Alterpoint And Cs Mars

Inventory section (cont.)

Viewing Historical Configuration

Page 12: Monitoring With Alterpoint And Cs Mars

Inventory section (cont.)

Compare the Two Configurations

Page 13: Monitoring With Alterpoint And Cs Mars

Inventory section (cont.)

Configuration Differences

Page 14: Monitoring With Alterpoint And Cs Mars

AlterPoint – Events

Provides access to real-time device configuration changes.

Displays real-time messages about configuration changes that occurred over the most recent twenty-four-hour period.

Page 15: Monitoring With Alterpoint And Cs Mars

AlterPoint - Reports Section

Reporting of configuration changes: for all routers/switches

Routers/switches at an individual location

Compare individual Device changes [Current vs. Previous]

Compare “Running” configuration vs. “Start Up” configuration

Ability to generate manual or scheduled reports
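The "Running vs. Start Up" comparison above, as an added example that is not AlterPoint's own code: two constructed IOS-style configurations are diffed and the changes are sorted so that ACL edits surface first. The keyword list used to recognise ACL lines is an assumption of this example, not an IOS parser.

```python
"""Compare a device's saved start-up configuration with its running
configuration and report the differences, as AlterPoint's "Running vs.
Start Up" comparison does. Added example, not AlterPoint code; both
configurations are constructed IOS-style text."""
import difflib

# Constructed sample: what was saved to NVRAM ...
STARTUP_CONFIG = """\
hostname edge-rtr-1
ip access-list extended INBOUND
 permit tcp any host 10.1.1.10 eq 443
 deny ip any any log
interface GigabitEthernet0/0
 ip access-group INBOUND in
logging host 10.1.1.50
"""

# ... and what the device is actually running right now.
RUNNING_CONFIG = """\
hostname edge-rtr-1
ip access-list extended INBOUND
 permit tcp any host 10.1.1.10 eq 443
 permit tcp any any eq 23
 deny ip any any log
interface GigabitEthernet0/0
 ip access-group INBOUND in
"""

# Assumed heuristic for "this line changes what traffic is allowed".
ACL_KEYWORDS = ("permit ", "deny ", "access-list ", "ip access-list ", "ip access-group ")

def config_diff(stored, running):
    """Return (op, line) pairs: '+' lines present only in running, '-' only in stored."""
    diff = difflib.ndiff(stored.splitlines(), running.splitlines())
    return [(d[0], d[2:]) for d in diff if d[0] in "+-"]

def review(changes):
    """Split a diff into ACL changes (reviewed first) and everything else."""
    acl = [c for c in changes if c[1].lstrip().startswith(ACL_KEYWORDS)]
    other = [c for c in changes if c not in acl]
    return {"acl": acl, "other": other}

if __name__ == "__main__":
    report = review(config_diff(STARTUP_CONFIG, RUNNING_CONFIG))
    for bucket, changes in report.items():
        for op, line in changes:
            print(f"{bucket:5} {op} {line}")
    # Two findings: an unsaved ACL line permitting telnet (+), and the syslog
    # destination dropped from the running config (-), which blinds the collector.
```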

Page 16: Monitoring With Alterpoint And Cs Mars

CS-MARS (Cisco Security Monitoring, Analysis, and Response System )

A Security Information/Event Manager (SIEM) that collects Simple Network Management Protocol (SNMP) and syslog data from security devices and inserts it into a database. It provides an easy user interface with which to access that information.

Summarization of events from multiple devices

Correlates data from across the enterprise: firewalls, IPS, IDS, routers, switches

Contains a high-level summary dashboard that includes incidents, hotspot graphs, and attack diagrams. An incident can be an indication of a high-level security attack.

Page 17: Monitoring With Alterpoint And Cs Mars

CS-MARS – At a Glance

Summary Dashboard: The dashboard includes a summary of security incidents, i.e. high-level indications of a possible network attack or vulnerability, based upon input from devices and hosts in the self-defending network.

It also shows events within the last 24 hours, detected false positives, a hotspot graph, and an attack diagram including the source and destination of the attack.

Page 18: Monitoring With Alterpoint And Cs Mars

Case Study

Denies – Top Source – Attack

Page 19: Monitoring With Alterpoint And Cs Mars

CS-MARS

Generated query for its destination address

Page 20: Monitoring With Alterpoint And Cs Mars

CS-MARS – Hotspot and attack diagram

Cisco Security MARS requires SNMP read access to construct a Layer 3 and Layer 2 topological map of the network.

An attack diagram allows the user to highlight a vulnerable path between two points in the network

The hotspot graph displays the path of the incident or attack across the network

Page 21: Monitoring With Alterpoint And Cs Mars

CS-MARS – INCIDENT TAB

An incident is displayed together with the matching rule that triggered it.

Page 22: Monitoring With Alterpoint And Cs Mars

CS-MARS – QUERY/REPORTS TAB

A collection of predefined reports in addition to the ability to create a custom report

Page 23: Monitoring With Alterpoint And Cs Mars

CS-MARS – RULES TAB

An incident is displayed when a matching rule fires, indicating that a possible security incident or attack is in progress.

A set of system rules is automatically configured and applied to detect security incidents or attacks.

Customized (user) inspection rules can also be created.
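A user inspection rule of the kind described above, as an added example that is not CS-MARS code: deny messages from a firewall and a router are normalised and correlated into one "Denies – Top Source" incident, the case-study report shown earlier. The syslog lines are constructed and only approximate the ASA 106023 and IOS IPACCESSLOGP formats; the threshold and device-count values are assumptions of this example.

```python
"""Correlate firewall and router deny messages into a "Denies - Top Source"
incident, in the spirit of a CS-MARS inspection rule. Added example, not
CS-MARS code; the log lines are constructed samples."""
import re
from collections import defaultdict

# Constructed sample: "<device> <message>", two devices reporting to one collector.
SAMPLE_SYSLOG = [
    'fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51000 dst inside:10.1.1.10/23 by access-group "OUTSIDE_IN"',
    'fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51001 dst inside:10.1.1.10/22 by access-group "OUTSIDE_IN"',
    'fw1 %ASA-4-106023: Deny udp src outside:198.51.100.7/40000 dst inside:10.1.1.53/161 by access-group "OUTSIDE_IN"',
    'rtr1 %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 203.0.113.5(51002) -> 10.1.2.20(23), 1 packet',
    'rtr1 %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 203.0.113.5(51003) -> 10.1.2.21(23), 1 packet',
    'rtr1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up',
]

ASA_DENY = re.compile(r'%ASA-\d-106023: Deny (\w+) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)')
IOS_DENY = re.compile(r'%SEC-6-IPACCESSLOGP: list \S+ denied (\w+) ([\d.]+)\(\d+\) -> ([\d.]+)\((\d+)\)')

def parse_deny(line):
    """Normalise one syslog line to a common deny event, or None for other messages."""
    device, _, msg = line.partition(" ")
    for pattern in (ASA_DENY, IOS_DENY):
        m = pattern.search(msg)
        if m:
            proto, src, dst, dport = m.groups()
            return {"device": device, "proto": proto, "src": src, "dst": dst, "dport": int(dport)}
    return None

def top_source_incidents(lines, threshold=3, min_devices=2):
    """Rule: one incident per source denied at least `threshold` times by at least
    `min_devices` distinct devices. Requiring several devices is what keeps a
    single noisy host tripping one ACL from becoming a false-positive incident."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_deny(line)
        if ev:
            by_src[ev["src"]].append(ev)
    incidents = []
    for src, events in sorted(by_src.items(), key=lambda kv: -len(kv[1])):
        devices = {e["device"] for e in events}
        if len(events) >= threshold and len(devices) >= min_devices:
            incidents.append({"src": src, "count": len(events), "devices": sorted(devices),
                              "targets": sorted({(e["dst"], e["dport"]) for e in events})})
    return incidents

if __name__ == "__main__":
    for inc in top_source_incidents(SAMPLE_SYSLOG):
        print(f"INCIDENT top-source {inc['src']}: {inc['count']} denies on {inc['devices']}")
```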

Page 24: Monitoring With Alterpoint And Cs Mars

CS-MARS – MANAGEMENT TAB

Enables the user to view events and to define IP addresses, services (ports or protocols), and admin accounts.

Page 25: Monitoring With Alterpoint And Cs Mars

CS-MARS – ADMIN TAB

Enables the configuration of administrative functions such as system setup, maintenance, user management, system parameters and custom setup.

Page 26: Monitoring With Alterpoint And Cs Mars

Imagination Action Joy