Monitoring With Alterpoint And Cs Mars
© 2008 MindTree Consulting
© 2008 MindTree Ltd
Security Monitoring With CS-Mars and
AlterPoint
Agenda
Security Fundamentals
Alterpoint
CS-MARS
Security Fundamentals
What is a Secure Network?
A Lifetime of work
A Lifetime of Change
A Moving Target
The Goals of Network Security
Confidentiality
Data confidentiality implies keeping data private.
Integrity
Data integrity ensures that data has not been modified in transit.
Availability
The availability of data is a measure of the data’s accessibility.
Potential Hacker
Categories of Hacker
White Hat Hacker
Black Hat Hacker
Gray Hat Hacker
Script Kiddie
Hobby Hacker
How a Hacker Hacks
Perform reconnaissance
Identify running applications and operating system
Gain access to the system
Log in with user credentials and escalate privileges
Create or gather other usernames and passwords
Create a backdoor
Types of Attacks
Confidentiality Attack
Packet capture
Ping sweep and port scan
Dumpster diving
Wiretapping
Social engineering
Integrity Attack
Password attack (Trojan horse, packet capture, keylogger, dictionary attack)
Hijacking a session
Trust relationship exploitation
Availability Attack
Denial of service (DoS)
Distributed denial of service (DDoS)
TCP SYN flood
Electrical disturbances
Defense in Depth
Deploy Security in Layers
Defend multiple attack targets in the network.
Protect the network infrastructure.
Create overlapping defenses
Use strong encryption technologies
Security solutions
Two key components
AlterPoint
Provides Centralized Configuration
Cross-platform (many device types), GUI interface
Handles routers, switches, firewalls, access points, etc.
CS-MARS (Cisco Security Monitoring, Analysis and Response System)
Handles the monitoring, analysis and mitigation piece of the Cisco security solution
Correlates network events to avoid false positives
Uses Cisco NetFlow to identify anomalies
AlterPoint
AlterPoint has superb capabilities to perform configuration changes, including ACL changes, for all network devices. It has already been selected as the primary application used to manage all network devices.
There are a total of 396 devices being managed via AlterPoint.
Alterpoint - Inventory section
Provides access to the device inventory and configuration features of the system.
Compare current device configurations with other configurations
View device configuration history
Inventory section - Cont
Viewing Current Configuration
Inventory section - Cont
Viewing Historical Configuration
Inventory section - Cont
Compare the Two Configurations
Inventory section - Cont
Configuration Differences
AlterPoint – Events
Provides access to the real-time device configuration changes.
Displays real-time messages about configuration changes that occurred over the most recent twenty-four hour period
AlterPoint - Reports Section
Reporting of configuration changes: for all routers/switches
Individual location routers/switches
Compare individual device changes [current vs. previous]
Compare "running" configuration vs. "startup" configuration
Ability to generate manual or scheduled reports
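The "current vs. previous" and "running vs. startup" comparisons above reduce to a line diff of two device configurations, with any change touching an ACL (the change type the AlterPoint slide singles out) flagged for review. This is an added illustration, not AlterPoint code; the two IOS-style configurations are constructed.

```python
"""Diff two device configurations the way a 'current vs. previous' report does.
Added example; not AlterPoint code. Both configurations are constructed."""
import difflib

# Constructed: previous and current running-config of the same router.
PREVIOUS_CONFIG = """\
hostname edge-rtr-01
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group EDGE-IN in
ip access-list extended EDGE-IN
 deny ip 198.51.100.0 0.0.0.255 any
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any log
logging host 192.0.2.50
"""

CURRENT_CONFIG = """\
hostname edge-rtr-01
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group EDGE-IN in
ip access-list extended EDGE-IN
 permit tcp any host 192.0.2.10 eq 443
 permit ip any any
logging host 192.0.2.50
"""

# Any changed line containing one of these is treated as an ACL change.
ACL_KEYWORDS = ("access-list", "access-group", "permit", "deny")


def compare_configs(previous: str, current: str) -> dict:
    """Return the removed and added lines, plus whether an ACL was touched."""
    prev_lines = previous.splitlines()
    curr_lines = current.splitlines()
    removed, added = [], []
    matcher = difflib.SequenceMatcher(None, prev_lines, curr_lines)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(prev_lines[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(curr_lines[j1:j2])
    acl_changed = any(kw in line for line in removed + added for kw in ACL_KEYWORDS)
    return {"removed": removed, "added": added, "acl_changed": acl_changed}


if __name__ == "__main__":
    report = compare_configs(PREVIOUS_CONFIG, CURRENT_CONFIG)
    for line in report["removed"]:
        print("-", line)
    for line in report["added"]:
        print("+", line)
    print("ACL changed:", report["acl_changed"])
```

In the constructed sample the diff shows two deny statements removed and a blanket permit added, which is exactly the kind of change a scheduled comparison report should surface.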
CS-MARS (Cisco Security Monitoring, Analysis, and Response System)
A Security Information/Event Manager that collects Simple Network Management Protocol (SNMP) and syslog data from security devices and inserts it into a database. Provides an easy user interface with which to access that information.
Summarization of events from multiple devices
Correlates data from across the enterprise: firewalls, IPS, IDS, routers, switches
Contains a high-level summary dashboard that includes incidents, hotspot graphs, and attack diagrams. An incident can be an indication of a high-level security attack.
CS-MARS – At a Glance
Summary Dashboard: The dashboard includes a summary of security incidents, or a high-level indication of a possible network attack or vulnerability, based upon input from devices and hosts in the self-defending network.
Information on events within the last 24 hours, false positives that are detected, a hotspot, and an attack diagram including source and destination of the attack.
Case Study
Denies-Top Source ---Attack
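The CS-MARS behaviour described above (collecting syslog from several devices, summarizing, and correlating across devices so a single noisy sensor does not produce a false positive) and the "Denies - Top Source" case study can be shown end to end on a handful of log lines. This is an added example, not Cisco code; the deny messages are constructed in ASA syslog style, and the year, window and thresholds are assumptions.

```python
"""Correlate firewall deny events from several devices into a 'Denies - Top Source'
incident. Added example, not Cisco code; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog from two firewalls (ASA-style 106023 deny messages).
SAMPLE_SYSLOG = """\
Mar 10 10:00:01 fw-dc-01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51001 dst inside:192.0.2.10/22 by access-group "OUTSIDE-IN"
Mar 10 10:00:03 fw-dc-01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51002 dst inside:192.0.2.11/22 by access-group "OUTSIDE-IN"
Mar 10 10:00:05 fw-br-02 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51003 dst inside:192.0.2.20/22 by access-group "OUTSIDE-IN"
Mar 10 10:00:09 fw-br-02 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51004 dst inside:192.0.2.21/22 by access-group "OUTSIDE-IN"
Mar 10 10:00:12 fw-dc-01 %ASA-4-106023: Deny udp src outside:198.51.100.9/40000 dst inside:192.0.2.53/53 by access-group "OUTSIDE-IN"
Mar 10 10:30:00 fw-dc-01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/40001 dst inside:192.0.2.10/22 by access-group "OUTSIDE-IN"
"""

DENY_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) %ASA-4-106023: Deny \w+ "
    r"src \S+?:([\d.]+)/\d+ dst \S+?:([\d.]+)/\d+")


def parse_denies(text: str, year: int = 2008) -> list:
    """Normalize deny lines into events; syslog has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue  # not a deny; a SIEM would route it to other rules
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "device": m.group(2), "src": m.group(3), "dst": m.group(4)})
    return events


def top_deny_sources(events, window=timedelta(minutes=5), min_denies=3, min_devices=2):
    """Raise one incident per source that is denied at least min_denies times
    inside the window and by at least min_devices distinct devices (assumed
    thresholds); cross-device agreement is what suppresses single-sensor noise."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            devices = {e["device"] for e in in_window}
            if len(in_window) >= min_denies and len(devices) >= min_devices:
                incidents.append({"src": src, "denies": len(in_window),
                                  "devices": sorted(devices), "start": first["time"]})
                break  # one incident per source; later hits would be duplicates
    return incidents
```

On the sample, 203.0.113.7 is denied four times on two firewalls within eleven seconds and becomes the incident, while 198.51.100.9 (two denies half an hour apart, one device) stays an ordinary event.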
CS-MARS
Generated query for its Destination address
CS-MARS – Hotspot and attack diagram
Cisco Security MARS requires SNMP read access to construct a Layer 3 and Layer 2 topological map of the network
An attack diagram allows the user to highlight a vulnerable path between two points in the network
The hotspot graph displays the path of the incident or attack across the network
CS-MARS – INCIDENT TAB
An incident is displayed with the matching rule that triggered the incident
CS-MARS – QUERY/REPORTS TAB
A collection of predefined reports in addition to the ability to create a custom report
CS-MARS : RULES TAB
An incident is displayed when a matching rule fires, indicating that a possible security incident or attack is in progress
A set of system rules that are automatically configured and applied to detect security incidents or attacks
Create customized or user inspection rules
CS-MARS – MANAGEMENT TAB
Enables the user to view events and create IP addresses, services (ports or protocols), and admin accounts
CS-MARS – ADMIN TAB
Enables the configuration of administrative functions like system setup, maintenance, user management, system parameters and custom setup.