Network as a Sensor

Transcript of Network as a Sensor

Page 1: Network as a Sensor

Cisco Confidential 1© 2013-2014 Cisco and/or its affiliates. All rights reserved.

Network as a Sensor / Enforcer

Page 2: Network as a Sensor

A community that hides in plain sight avoids detection and attacks swiftly

Breach Statistics (timeline: HOURS at the start, then WEEKS, MONTHS, YEARS)

• 60% of data is stolen in HOURS
• 85% of point-of-sale intrusions aren't discovered for WEEKS
• 54% of breaches remain undiscovered for MONTHS
• 51% increase of companies reporting a $10M loss or more in the last 3 YEARS

Page 3: Network as a Sensor

Customer Impact: Data Breaches Are Costly and Customer Reputation is Fleeting

• Data Breach Costs ($199 to $42 per Record)
• Global Cybercrime
• Breach examples: Global Retailer ($148M), Global Gaming ($171M), Global Banking ($160M)

Page 4: Network as a Sensor

Only a Cisco Network Sees Everything

• Network Servers
• Operating Systems
• Routers and Switches
• Mobile Devices
• Printers
• VoIP Phones
• Virtual Machines
• Client Applications
• Files
• Users
• Web Applications
• Application Protocols
• Services
• Malware
• Command and Control Servers
• Vulnerabilities
• NetFlow
• Network Behavior
• Processes

Page 5: Network as a Sensor

Leverage Your Cisco Network

Network As A Sensor (NaaS)
• Obtain Broad Visibility of Network Traffic
• Detect Anomalous Traffic
• Detect User Access Policy Violations

Network As An Enforcer (NaaE)
• Dynamic Segmentation to Contain the Attack
• Deploy Access Control to Critical Assets
• Dynamic Policy & User Groups

Page 6: Network as a Sensor

NetFlow and Lancope StealthWatch: Scalable Source of Truth

Network as a Sensor

Page 7: Network as a Sensor

NaaE: Segmentation via TrustSec

Policy-Defined Role-Based Segmentation
• Flexible and Scalable Policy Enforcement (Switch, Router, DC FW, DC Switch)
• Simplified Access Management
• Accelerated Security Operations
• Consistent Policy Anywhere

The policy expresses who can talk to whom, who can access protected assets, and how systems can talk to other systems.

Desired Policy

Role                         Production Servers   Development Servers   Internet Access
Employee (managed asset)     Permit               Deny                  Permit
Employee (registered BYOD)   Permit               Deny                  Permit
Employee (unknown BYOD)      Deny                 Deny                  Permit
ENG VDI System               Deny                 Permit                Permit

Page 8: Network as a Sensor

NetFlow exporters across the network (diagram)

• Devices and Converged Access: Catalyst® 4500, Access Point
• Access Dist/Core: Catalyst® 3850/3650 Stack, Catalyst® 6800
• Edge (Site-to-Site VPN, Remote Access): ISR4000, ASA with FirePOWER, ESA, StealthWatch FlowSensor, WSA with CWS redirect (WCCP), FirePOWER
• Branch, Campus, Identity

Visibility: There is a need to understand what is connecting to the network, including software resident on trusted endpoints.

Enforcement: Visibility is only a looking-glass, not enforcement. A bigger picture is needed for assigning policy to endpoints.

NetFlow: Who, What, When, Where, How

Page 9: Network as a Sensor

Cyber Threat Defense 2.0: Scalable Network Defence (diagram)

• Firewall
• Threat Detection
• Routers and Switches (NetFlow Visibility)
• Content Security
• ISE

Page 10: Network as a Sensor

Advanced Visibility & Investigation
• Partner with Lancope (StealthWatch) to deliver network visibility, security context and intelligence.
• Enhance with identity, device and application awareness

Cyber Threat Defense 2.0: Scalable Network Defence (diagram: Firewall, Threat Detection, Routers, Switches, NetFlow Visibility)

Page 11: Network as a Sensor

Introduction to NetFlow & Lancope StealthWatch

Page 12: Network as a Sensor

Introduction to NetFlow

• Developed by Cisco in 1996 as a packet forwarding mechanism
• Outdated by CEF
• Statistical reporting became relevant to customers
• Reporting is based on Flow and not necessarily per-packet (Full Flow vs. Sampled)
• Various versions exist, version 1 through 9, with 5 being the most popular and 9 being the most functional
• Other flow statistic gathering technologies exist with various vendors (sFlow, IPFIX, JFLOW, RFLOW, NetStream)

Flow technologies: NetFlow, IPFIX, NetStream, JFlow, RFlow, cflow

Page 13: Network as a Sensor

Network Visibility In Motion (diagram)

1. Traffic between Source and Destination passes through the NetFlow Generator.
2. The generator keeps per-flow statistics in its NetFlow Cache, keyed on the NetFlow Key Fields: Source IP Address, Destination IP Address, Source Port, Destination Port, Layer 3 Protocol, TOS byte (DSCP), Input Interface.
3. Flow records are exported to Lancope StealthWatch.

NetFlow Cache (example entries):

Flow Information      Packets   Bytes/packet
Address, ports...     11000     1528
...

Page 14: Network as a Sensor

NetFlow Metadata = Visibility

Router# show flow monitor CYBER-MONITOR cache
…
IPV4 SOURCE ADDRESS:       192.168.100.100
IPV4 DESTINATION ADDRESS:  192.168.20.6
TRNS SOURCE PORT:          47321
TRNS DESTINATION PORT:     443
INTERFACE INPUT:           Gi0/0/0
IP TOS:                    0x00
IP PROTOCOL:               6
ipv4 next hop address:     192.168.20.6
tcp flags:                 0x1A
interface output:          Gi0/1.20
counter bytes:             1482
counter packets:           23
timestamp first:           12:33:53.358
timestamp last:            12:33:53.370
ip dscp:                   0x00
ip ttl min:                127
ip ttl max:                127
application name:          nbar secure-http
…

A single NetFlow Record provides a wealth of information

Page 15: Network as a Sensor

Versions of NetFlow

V5
• Major advantage: Defines 18 exported fields; simple and compact format; most commonly used format
• Limits/Weaknesses: IPv4 only; fixed fields, fixed length fields only; single flow cache

V9
• Major advantage: Template-based; IPv6 flows transported in IPv4 packets; MPLS and BGP nexthop supported; defines 104 fields, including L2 fields; reports flow direction
• Limits/Weaknesses: IPv6 flows transported in IPv4 packets; fixed length fields only; uses more memory; slower performance; single flow cache

Flexible NetFlow (FNF)
• Major advantage: Template-based flow format (built on V9 protocol); supports flow monitors (discrete caches); supports selectable key fields and IPv6; supports NBAR data fields
• Limits/Weaknesses: Less common; requires more sophisticated platform to produce; requires more sophisticated system to consume

IP Flow Information Export (IPFIX), AKA NetFlow V10
• Major advantage: Standardized (RFC 5101, 5102, 6313); supports variable length fields, NBAR2; can export flows via IPv4 and IPv6 packets
• Limits/Weaknesses: Even less common; only supported on a few Cisco platforms

NSEL (ASA only)
• Major advantage: Built on NetFlow v9 protocol; state-based flow logging (context); pre and post NAT reporting
• Limits/Weaknesses: Missing many standard fields; limited support by collectors

Page 16: Network as a Sensor

Configuring Flexible NetFlow

1. Configure the Exporter (where do I want my data sent?)
   Router(config)# flow exporter my-exporter
   Router(config-flow-exporter)# destination 1.1.1.1

2. Configure the Flow Record (what data do I want to meter?)
   Router(config)# flow record my-record
   Router(config-flow-record)# match ipv4 destination address
   Router(config-flow-record)# match ipv4 source address
   Router(config-flow-record)# collect counter bytes

3. Configure the Flow Monitor (how do I want to cache information?)
   Router(config)# flow monitor my-monitor
   Router(config-flow-monitor)# exporter my-exporter
   Router(config-flow-monitor)# record my-record

4. Apply to an Interface (which interface do I want to monitor?)
   Router(config)# interface s3/0
   Router(config-if)# ip flow monitor my-monitor input

Best Practice: include all v5 fields

Page 17: Network as a Sensor

NetFlow exporters and StealthWatch collection (diagram)

Management: StealthWatch Management Console, providing real-time data correlation, traffic visualization and consolidated reporting

StealthWatch FlowCollector: collects, stores and analyzes NetFlow/NSEL records

NetFlow-capable exporters:
• Devices and Converged Access: Catalyst® 4500, Access Point
• Access Dist/Core: Catalyst® 3850-X Stack, Catalyst® 6800
• Edge (Site-to-Site VPN, Remote Access): ISR-G2, ASA with FirePOWER (NetFlow/NSEL), ESA, StealthWatch FlowSensor, WSA with CWS redirect (WCCP), FirePOWER
• Branch, Campus, Identity

Introduction to NetFlow

Page 18: Network as a Sensor

NetFlow Terminology

Flow: Traffic set defined by a set of KEY fields. Ex. Source IP, Destination IP, Source Port, Destination Port, Protocol, TOS, Interface

Flow Template: A flexible (v9) feature that advertises the record format to the collector

Flow Collector: A device that receives NetFlow records from a NetFlow generator

Flow Record: NetFlow Protocol Data Unit exported from a NetFlow generator. Contains a collection of KEY and NON-KEY fields relating to a flow

Non-KEY fields: Ex. Bytes, Packets, TCP Flags, AP MAC and Client MAC

Flow Exporter: A NetFlow configuration of where (Collector) the flows are going to be sent, including IP address and protocol/port

NetFlow Generator: A NetFlow enabled network device

Page 19: Network as a Sensor

Lesson 2: Lancope StealthWatch

Page 20: Network as a Sensor

StealthWatch Solution Components (diagram)

Inputs: Cisco Network (NetFlow, NBAR, NSEL), Users/Devices (Cisco ISE), StealthWatch FlowSensor and StealthWatch FlowSensor VE

StealthWatch Management Console
• Management and reporting
• Up to 25 FlowCollectors
• Up to 3 million FPS globally

StealthWatch FlowCollector
• Collect and analyze
• Up to 2,000 sources
• Up to 120,000 FPS sustained

NaaS Bundles:
• Exporting device and collection
• FlowCollector, SMC, FPS License

StealthWatch FlowReplicator: passes NetFlow on to other tools/collectors

Page 21: Network as a Sensor

Scaling Visibility: Flow Stitching

Host 10.2.2.2 port 1024 talks to 10.1.1.1 port 80; the exporter sees one direction on eth0/1 and the other on eth0/2.

Uni-directional flow records:

Start Time     Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
10:20:12.221   eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
10:20:12.871   eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712

Bi-directional (conversation) flow record:

Start Time     Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
10:20:12.221   10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2

Bi-directional:
• Conversation flow record
• Allows easy visualization and analysis

Page 22: Network as a Sensor

Scaling Visibility: NetFlow De-duplication

Routers A, B and C all export records for the same conversation between 10.2.2.2 port 1024 and 10.1.1.1 port 80:

Router A: 10.2.2.2:1024 -> 10.1.1.1:80
Router B: 10.2.2.2:1024 -> 10.1.1.1:80   (duplicate of Router A's record)
Router C: 10.1.1.1:80 -> 10.2.2.2:1024

Without de-duplication:
• Traffic volume can be misreported
• False positives would occur

De-duplication:
• Allows for the efficient storage of flow data
• Necessary for accurate host-level reporting
• Does not discard data
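The de-duplication and stitching steps described on these two slides (Flow Stitching and NetFlow De-duplication), as an added Python example that is not part of the original deck and is not StealthWatch code. It assumes a simplified record layout (FlowRecord), a "the direction seen first is the client" rule for stitching, and three sample records constructed to match the slides, with Routers A and B both exporting the same client-to-server flow.

```python
from typing import NamedTuple


class FlowRecord(NamedTuple):
    """One unidirectional NetFlow record as a collector receives it (constructed layout)."""
    start: str        # first-packet timestamp, HH:MM:SS.mmm (same day assumed)
    exporter: str     # router that exported the record
    interface: str    # input interface on that exporter
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    octets: int


# Constructed sample records: both directions of one HTTP conversation,
# with Routers A and B both exporting the client-to-server direction.
RECORDS = [
    FlowRecord("10:20:12.221", "RouterA", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("10:20:12.221", "RouterB", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("10:20:12.871", "RouterC", "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
]


def flow_key(r):
    """The KEY fields that identify a unidirectional flow."""
    return (r.src_ip, r.src_port, r.dst_ip, r.dst_port, r.proto)


def deduplicate(records):
    """Collapse records describing the same flow seen at several exporters.

    Returns {flow_key: (record, [exporters])}. Counters are taken once, so
    traffic volume is not inflated, but every exporter that saw the flow is
    kept: nothing is discarded, the path of the flow is preserved.
    """
    unique = {}
    for r in records:
        k = flow_key(r)
        if k in unique:
            unique[k][1].append(r.exporter)
        else:
            unique[k] = (r, [r.exporter])
    return unique


def naive_total_octets(records):
    """Volume as a collector would report it without de-duplication."""
    return sum(r.octets for r in records)


def deduplicated_total_octets(records):
    return sum(rec.octets for rec, _ in deduplicate(records).values())


def stitch(records):
    """Join the two directions of each conversation into one bidirectional record.

    The direction whose record started first is taken as client -> server.
    """
    by_conversation = {}
    for rec, exporters in deduplicate(records).values():
        endpoints = tuple(sorted([(rec.src_ip, rec.src_port), (rec.dst_ip, rec.dst_port)]))
        by_conversation.setdefault((endpoints, rec.proto), []).append((rec, exporters))

    conversations = []
    for members in by_conversation.values():
        members.sort(key=lambda m: m[0].start)
        client, _ = members[0]
        reverse = members[1:]          # server -> client direction(s), if seen
        conversations.append({
            "start": client.start,
            "client_ip": client.src_ip, "client_port": client.src_port,
            "server_ip": client.dst_ip, "server_port": client.dst_port,
            "proto": client.proto,
            "client_pkts": client.pkts, "client_octets": client.octets,
            "server_pkts": sum(m[0].pkts for m in reverse),
            "server_octets": sum(m[0].octets for m in reverse),
            "interfaces": sorted({m[0].interface for m in members}),
            "exporters": sorted({e for _, exps in members for e in exps}),
        })
    return conversations


if __name__ == "__main__":
    print("without de-dup:", naive_total_octets(RECORDS), "octets")
    print("with de-dup:   ", deduplicated_total_octets(RECORDS), "octets")
    for conv in stitch(RECORDS):
        print(conv)
```

The duplicate record from Router B inflates the reported volume by 1025 octets if it is counted; after de-duplication the stitched conversation carries the slide's values (client 1025 bytes / 5 packets, server 28712 bytes / 17 packets) and still lists all three exporters.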

Page 23: Network as a Sensor

Adding Context and Situation Awareness

• NAT Events
• Known Command & Control Servers
• User Identity
• Application & URL

Page 24: Network as a Sensor

Conversational Flow Record: Who, What, When, Where, How, and more context

• Highly scalable (enterprise class) collection
• High compression => long term storage
• Months of data retention

Page 25: Network as a Sensor

Alternative to NetFlow: Physical FlowSensor

Nexus 7700 -- SPAN --> StealthWatch FlowSensor

• Multiple hardware platforms up to 20 Gbps throughput
• Non-performance impacting 1:1 NetFlow generation
• Recognition of over 900 Applications
• URL capture
• Additional statistics: Server Response Time, Round Trip Time

Page 26: Network as a Sensor

Optional: StealthWatch FlowSensor VE

Lightweight packet capture and IPFIX generation on the hypervisor (service console alongside the VMs)

• Flow records include: VM name, VM server name, VM State
• vMotion aware
• Host profiled in terms of VM name
• Application, SRT, RRT (same as physical)

Visibility & Context

Page 27: Network as a Sensor

Network as a Sensor Architecture

1. Flow Exporting Layer – Enables flow export from infrastructure to respective StealthWatch FlowCollector
2. Flow Collection Layer – Consists of FlowCollectors within each major site
3. Management/Reporting Layer – Consists of a single SMC (redundant SMC available) to centralize management and reporting

Page 28: Network as a Sensor

Network as a Sensor Architecture

Overall, a Cyber Threat Defense solution can scale to:
• 3 million flows per second
• From 50,000 exporter sources
• Across 25 FlowCollectors
• All reporting to a single management system

Page 29: Network as a Sensor

Visualizing the Environment

Page 30: Network as a Sensor

NetFlow Analysis can help:

• Identify additional IOCs: Policy & Segmentation; Network Behaviour Anomaly Detection (NBAD)
• Better understand / respond to an IOC: audit trail of all host-to-host communication
• Discovery: identify business critical applications and services across the network

Page 31: Network as a Sensor

StealthWatch: Web Dashboard (screenshot: Alarms, Flow collection trend, Top Applications, Active Alarms)

Page 32: Network as a Sensor

StealthWatch: Host Snapshot (screenshot: Alarms, Users, Activity & Applications, Host groups and classifications, View Flows)

Page 33: Network as a Sensor

StealthWatch: Mapping

The map displays the status of the host groups, showing live data such as active alarms and traffic bandwidth. In addition, you can add images, lines, and text boxes to aid in the visual representation of your environment.

Page 34: Network as a Sensor

Visualizing Flows, Services, and Applications

The flow view gives the most comprehensive information about flows for a specific time frame. By default, it displays up to 2,000 flows occurring during the last 5 minutes (columns: When, Who, What, How, Who).

Page 35: Network as a Sensor

Quick View for a Flow

Page 36: Network as a Sensor

Visualizing Flows, Services, and Applications: Relational Flow Maps

Graphical view of the current state of traffic between host groups

Page 37: Network as a Sensor

NetFlow Analysis can help: Data Intelligence, Incident Response

Page 38: Network as a Sensor

Behavioral Detection Model

• As flows are collected, behavioral algorithms are applied to build "Security Events". Security Events add points to an alarm category, which allows easy summarization and a higher degree of confidence in the type of activity detected:

Security Events (94+) -> Alarm Category -> Response

Security Events (examples): Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK**, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, ..., ICMP Flood, ..., Max Flows Initiated, Max Flows Served, ..., Suspect Long Flow, Suspect UDP Activity, SYN Flood, ...

Alarm Categories: Concern, Exfiltration, C&C, Recon, Data Hoarding, Exploitation, DDoS Target

Responses: Alarm Table, Host Snapshot, Email, Syslog / SIEM, Mitigation
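An added Python illustration of the scoring model described above; this is not StealthWatch code, and the event-to-category weights, the 50-point alarm threshold and the log line format are all constructed for the example. It parses a few security-event lines, accumulates points per host and alarm category, and reports which categories have crossed the threshold together with the events that put them there, which is the "higher degree of confidence" the slide refers to: one port scan event is a hint, several scan events feeding the same category are an alarm.

```python
import re
from collections import defaultdict

# Constructed weights: which alarm categories each security event feeds and by
# how many points. StealthWatch's real weights are not on the slide.
EVENT_CATEGORIES = {
    "Addr_Scan/tcp": {"Recon": 30},
    "Addr_Scan/udp": {"Recon": 30},
    "Beaconing Host": {"C&C": 40},
    "Bot Command Control Server": {"C&C": 60},
    "Suspect Long Flow": {"Exfiltration": 35, "C&C": 15},
    "SYN Flood": {"DDoS Target": 50},
    "ICMP Flood": {"DDoS Target": 50},
    "Max Flows Initiated": {"Concern": 20},
}
ALARM_THRESHOLD = 50  # constructed: a category alarms once its points reach this

# Constructed security-event log lines (not real StealthWatch output).
SAMPLE_EVENTS = """\
2014-11-03T10:20:12 host=10.2.2.2 event=Addr_Scan/tcp
2014-11-03T10:21:40 host=10.2.2.2 event=Addr_Scan/udp
2014-11-03T10:30:05 host=10.2.2.2 event=Suspect Long Flow
2014-11-03T11:02:55 host=10.5.5.5 event=Beaconing Host
2014-11-03T11:45:13 host=10.9.9.9 event=SYN Flood
2014-11-03T11:46:00 host=10.9.9.9 event=Unknown Event
"""

EVENT_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>.+)$")


def parse_events(text):
    """Return (host, event) pairs; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_LINE.match(line.strip())
        if m:
            events.append((m["host"], m["event"].strip()))
    return events


def score_events(events):
    """Accumulate points per host and alarm category, remembering which events
    contributed so an analyst can see why a category lit up.
    Events with no mapping (unknown names) add nothing."""
    points = defaultdict(lambda: defaultdict(int))
    contributors = defaultdict(lambda: defaultdict(list))
    for host, event in events:
        for category, pts in EVENT_CATEGORIES.get(event, {}).items():
            points[host][category] += pts
            contributors[host][category].append(event)
    return points, contributors


def active_alarms(points, threshold=ALARM_THRESHOLD):
    """Categories at or above the threshold, per host; hosts with none are omitted."""
    result = {}
    for host, cats in points.items():
        firing = sorted(c for c, p in cats.items() if p >= threshold)
        if firing:
            result[host] = firing
    return result


def explain(host, category, points, contributors):
    """What an analyst sees when drilling down from the alarm to its security events."""
    return {"points": points[host][category], "events": list(contributors[host][category])}


if __name__ == "__main__":
    pts, who = score_events(parse_events(SAMPLE_EVENTS))
    for host, categories in active_alarms(pts).items():
        for category in categories:
            print(host, category, explain(host, category, pts, who))
```

In the sample, the two address scans from 10.2.2.2 add up to 60 Recon points and alarm, while its single Suspect Long Flow leaves Exfiltration at 35 and C&C at 15, below the threshold; the beaconing host at 40 C&C points is visible in the scores but does not alarm on its own.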

Page 39: Network as a Sensor

NaaS Bundles

Page 40: Network as a Sensor

Network as a Sensor: New Unified Access Bundles (FY15 Promotion, FCS: 12/14/2014)

ONENTWK-ADV-CTD
• Catalyst 3850 (10): 2x10G Uplink, IP Base, PoE
• WLC (2): 5508/8510/5760
• AP-3700 (50): vMSE, CMX for 50 APs
• Lancope StealthWatch
• $186K + $35K (Lancope)

CATALYST-3850-CTD
• Catalyst 3850 (1): 24/48 Port, Data / PoE, IP Base, Configurable Uplink
• Lancope StealthWatch
• Switching + $35K (Lancope)

CATALYST-3650-CTD
• Catalyst 3650 (1): 24/48 Port, Data / PoE, IP Base, Choice of Uplink Model
• Lancope StealthWatch
• Switching + $35K (Lancope)

CATALYST-4500E-CTD
• Catalyst 4500E Sup8E, IP Base, a-la-carte chassis configuration: WS-C4503-E / WS-C4506-E / WS-C4507R+E / WS-C4510R+E, or bundles: WS-C4510RE-S8+96V+ / WS-C4507RE+96V+ with Sup8E
• Lancope StealthWatch
• Switching + $35K (Lancope)

LANCOPE STEALTHWATCH INCLUDED
• L-LC-500-BND-VE-K9 ($35K): Management Console – Virtual Edition, Flow Collector – Virtual Edition, Product support - 1st year, 500 Flow Licenses

FLOW LICENSES / SUPPORT (OPTIONAL)
• Flow License - 100/200/300/400/1000 FPS: L-LC-***-BND-VE-K9
• Product support – year 2+: CON-LC-***-BND-VE
• Installation Support – One Week: L-LC-INSTALL-BND-1WK=

CUSTOMERS RECEIVE STEALTHWATCH AT A 36% DISCOUNT USING THESE BUNDLES!

Promo Details (Internal): http://wwwin.cisco.com/tech/enterprise/promotions.shtml

Page 41: Network as a Sensor

StealthWatch Update

Page 42: Network as a Sensor

StealthWatch 6.6 – At a Glance

• Alarm Workflow
• New security algorithms
• Threat Feed improvements
• NBAR2 Support
• ISE integration adds quarantine actions
• Job Management Improvements
• Cisco UCS Support
• ANC – Assisted Network Classification for Network Scanners
• FlowCollector 5000
• FlowReplicator High Availability
• Virtual FlowCollector 1K, 2K, 4K

Page 43: Network as a Sensor

New alarm categories added to the main Security Insight Dashboard

Page 44: Network as a Sensor

Providing a valuable dashboard of host activities and quarantine actions*

*Cisco ISE 1.3 integration

Workflow drill-down: Alarm -> Security Event Details -> Host -> Host Report

Page 45: Network as a Sensor

All new Host Report: features at a glance

• Details
• Actions for research drill-down, classification of hosts, or quarantine of the host*
• Visualize traffic by peer and traffic by application

*Cisco ISE 1.3 integration

Page 46: Network as a Sensor

Security Events added in 6.6

Talks to phantoms
• An indicator of scanning or other malicious behavior, based on hosts that are talking to hosts that do not exist.
• This event looks for hosts communicating with hosts that are not there.
• A threshold for the number of phantoms is configurable, and the event contributes to the Recon category.

SSH reverse shell
• Finds instances of data exfiltration occurring over SSH.
• This event looks for large amounts of data being sent out over SSH.
• The threshold for traffic and the percentage of data sent by the outside host are configurable by the user.
• SSH Reverse Shell contributes to the CI, TI, and C&C alarm categories.

Fake Application Detected
• Looks for data exfiltration and command-and-control channels by identifying applications traveling over non-standard ports.
• This event looks for scenarios where applications are being used on the wrong port or where ports carry the wrong applications.
• This event has no user configurable parameters and contributes to the CI, TI, and C&C alarm categories.

Page 47: Network as a Sensor

Security Events added in 6.6

Scanner Talking
• A host scanning the network now has a bidirectional connection to one of the hosts that were scanned, on the port that was scanned.
• This event looks for hosts that have scanned the network and then established a bidirectional connection from the scanning port to a port that was scanned.
• This event has no user configurable parameters and contributes to the CI, TI, and Exploitation alarm categories.

Brute force login event
• This event is made to detect occurrences of brute force login attempts over SSH, FTP, Telnet and RDP.
• This event looks for network traffic where there are unusually high numbers of login attempts.
• This event has no user configurable parameters and contributes to the CI, TI, and Exploitation alarm categories.

High SMB Peers
• Host has many SMB sessions to the outside, which is consistent with worm propagation.
• This event looks for hosts that have many SMB sessions to the outside.
• This event has no user configurable parameters and contributes to the CI and TI alarm categories.

Suspect Quiet Longflow
• This event looks for flows of long duration that have had unusually low amounts of data transferred.
• Thresholds for the length of flow and bytes transferred are configurable by the user, and the event contributes to the C&C alarm category.
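An added Python example, not StealthWatch code, that implements three of the 6.6 events above as functions over bidirectional conversation records: Suspect Quiet Longflow (duration and byte thresholds, configurable as the slide states), Talks to phantoms (approximated here as an inside host that contacts many distinct peers that never answer, with a configurable phantom count) and High SMB Peers. The Conversation layout, the 10.0.0.0/8 "inside" definition, the default thresholds and the sample conversations are all constructed assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple

# Constructed assumption: the monitored "inside" address space.
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


class Conversation(NamedTuple):
    """A stitched, bidirectional flow record (simplified, constructed layout)."""
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proto: str
    duration_s: int      # last timestamp minus first timestamp, in seconds
    client_octets: int
    server_octets: int
    server_pkts: int     # 0 means the peer never answered


def is_inside(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE_NETS)


def suspect_quiet_longflows(convs, min_duration_s=3600, max_octets=20000):
    """Suspect Quiet Longflow: long-lived conversations that moved almost no data.
    Both thresholds are user configurable, as the slide states (defaults constructed)."""
    return [c for c in convs
            if c.duration_s >= min_duration_s
            and c.client_octets + c.server_octets <= max_octets]


def talks_to_phantoms(convs, max_phantoms=5):
    """Talks to phantoms, approximated as: an inside host that attempted
    conversations with more than max_phantoms distinct peers that never replied."""
    phantoms = defaultdict(set)
    for c in convs:
        if c.server_pkts == 0 and is_inside(c.client_ip):
            phantoms[c.client_ip].add(c.server_ip)
    return {host: sorted(peers) for host, peers in phantoms.items()
            if len(peers) > max_phantoms}


def high_smb_peers(convs, min_peers=10):
    """High SMB Peers: an inside host with SMB (TCP/445) sessions to many outside hosts."""
    peers = defaultdict(set)
    for c in convs:
        if (c.proto == "TCP" and c.server_port == 445
                and is_inside(c.client_ip) and not is_inside(c.server_ip)):
            peers[c.client_ip].add(c.server_ip)
    return {host: len(p) for host, p in peers.items() if len(p) >= min_peers}


# Constructed sample conversations.
SAMPLE = [
    # two-hour HTTPS session that moved 1.8 KB in total: quiet long flow
    Conversation("10.2.2.2", 51000, "203.0.113.10", 443, "TCP", 7200, 900, 900, 40),
    # two-hour bulk transfer: long, but not quiet
    Conversation("10.2.2.3", 51001, "203.0.113.11", 443, "TCP", 7200, 40000, 5000000, 3600),
    # 10.7.7.7 probes eight addresses that never answer
    *[Conversation("10.7.7.7", 40000 + i, f"10.1.1.{i}", 22, "TCP", 1, 120, 0, 0) for i in range(1, 9)],
    # 10.3.3.3 hits two dead addresses: below the phantom threshold
    *[Conversation("10.3.3.3", 40100 + i, f"10.1.2.{i}", 22, "TCP", 1, 120, 0, 0) for i in range(1, 3)],
    # 10.8.8.8 opens SMB sessions to twelve outside hosts
    *[Conversation("10.8.8.8", 41000 + i, f"198.51.100.{i}", 445, "TCP", 5, 2000, 1500, 3) for i in range(1, 13)],
]


if __name__ == "__main__":
    print("quiet long flows:", [(c.client_ip, c.server_ip) for c in suspect_quiet_longflows(SAMPLE)])
    print("talks to phantoms:", talks_to_phantoms(SAMPLE))
    print("high SMB peers:", high_smb_peers(SAMPLE))
```

Each function takes its thresholds as parameters so the analyst can tune them per environment; the long bulk transfer and the two-address miss illustrate why the thresholds exist, since lowering max_phantoms to 1 would also flag 10.3.3.3.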

Page 48: Network as a Sensor

Extend deployment and visibility

• Support of Cisco UCS NetFlow: increase datacenter traffic visibility within the UCS platform
• Deploy using Cisco UCS:
  • FC1000, FC2000, FC4000 equivalents on Series B and C
  • FS1000, FS2000, FS3000 equivalents on Series B and C
  • FR1000, FR2000 equivalents on Series B and C

Page 49: Network as a Sensor

Virtual FlowCollector

• FlowCollector 1K, 2K and 4K available
• Software only deployment
• Supported Hypervisors: Citrix XenServer, KVM, VMware ESX/ESXi
• It's a simple download, no on-site hardware installation
• Lower cost of ownership

Page 51: Network as a Sensor

Cisco ISE 1.3 Integration

StealthWatch will now utilize the Cisco pxGrid API to initiate a Quarantine action. Through the StealthWatch interface, a quarantine action can be initiated from the host dashboard.

Page 52: Network as a Sensor

Configure Cisco ISE 1.3 Integration via Web Interface

Cisco ISE can now be configured in either the Java or the web interface. Cisco ISE Mitigation must be configured in the web interface.

Page 53: Network as a Sensor

Assisted Network Classification for Network Scanners

StealthWatch will now identify, daily, devices in your network that are acting like Network Scanners, assisting customers in identifying system types within their network as well as identifying rogue systems that were not previously authorized.

Page 54: Network as a Sensor

FlowCollector 5000

• Increased flow ingestion: target 240,000+ FPS
• 3U: 1U flow collection + 2U 6TB storage
• Increased maximum exporters/routers: 4096
• Requires 6.6+

Page 55: Network as a Sensor

FlowReplicator HA

High Availability options are now available for the FlowReplicator. A maximum of 2 FlowReplicators are supported per cluster: the Primary (active) FlowReplicator and the Secondary (passive) FlowReplicator. If the Primary FlowReplicator in the pair should fail, the Secondary FlowReplicator takes over and becomes the Primary. High Availability in the FlowReplicator supports Active/Passive only. In this model, both nodes are fully redundant; however, only one node is online at a time.

Page 56: Network as a Sensor

Flows and Tags

Page 57: Network as a Sensor

Segmentation Monitoring with StealthWatch

Clear visibility into any traffic traversing the environment

Traffic violating segmentation policy generates an alarm

Page 58: Network as a Sensor

TrustSec Fields in NetFlow

Router# show flow monitor CYBER-MONITOR cache
…
IPV4 SOURCE ADDRESS:             10.1.100.82
IPV4 DESTINATION ADDRESS:        8.8.8.100
TRNS SOURCE PORT:                0
TRNS DESTINATION PORT:           2048
INTERFACE INPUT:                 Gi0/0/0
FLOW DIRECTION:                  Input
FLOW CTS SOURCE GROUP TAG:       1001
FLOW CTS DESTINATION GROUP TAG:  1000
IP PROTOCOL:                     1
ipv4 next hop address:           8.8.8.100
tcp flags:                       0x00
interface output:                Gi0/0/2
counter bytes:                   120
counter packets:                 2
timestamp first:                 05:29:17.398
timestamp last:                  05:29:18.396
ip dscp:                         0x00
ip ttl min:                      123
ip ttl max:                      123
application name:                layer7 ping
…
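An added Python example (not Cisco or StealthWatch code) that parses the "show flow monitor ... cache" output shown on this slide and on the earlier NetFlow Metadata slide into one dictionary per record, then applies a constructed SGT policy matrix to flag flows whose source/destination group tag pair is not permitted, which is the segmentation-monitoring alarm described on the previous slide. The second record in the sample text, the SGT_POLICY matrix and its default-deny rule are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed copy of the cache output on this slide, followed by a second,
# constructed record (SGT 1002 -> 1000, SSH) to exercise the policy check.
SAMPLE_CACHE_OUTPUT = """\
Router# show flow monitor CYBER-MONITOR cache
IPV4 SOURCE ADDRESS:             10.1.100.82
IPV4 DESTINATION ADDRESS:        8.8.8.100
TRNS SOURCE PORT:                0
TRNS DESTINATION PORT:           2048
INTERFACE INPUT:                 Gi0/0/0
FLOW DIRECTION:                  Input
FLOW CTS SOURCE GROUP TAG:       1001
FLOW CTS DESTINATION GROUP TAG:  1000
IP PROTOCOL:                     1
ipv4 next hop address:           8.8.8.100
tcp flags:                       0x00
interface output:                Gi0/0/2
counter bytes:                   120
counter packets:                 2
timestamp first:                 05:29:17.398
timestamp last:                  05:29:18.396
ip dscp:                         0x00
ip ttl min:                      123
ip ttl max:                      123
application name:                layer7 ping

IPV4 SOURCE ADDRESS:             10.1.200.17
IPV4 DESTINATION ADDRESS:        8.8.8.100
TRNS SOURCE PORT:                50222
TRNS DESTINATION PORT:           22
INTERFACE INPUT:                 Gi0/0/0
FLOW DIRECTION:                  Input
FLOW CTS SOURCE GROUP TAG:       1002
FLOW CTS DESTINATION GROUP TAG:  1000
IP PROTOCOL:                     6
tcp flags:                       0x02
counter bytes:                   180
counter packets:                 3
application name:                nbar ssh
"""

# "FIELD NAME:   value"; the lazy [^:]+? stops at the first colon, so
# timestamp values such as 05:29:17.398 stay intact.
FIELD = re.compile(r"^(?P<name>[^:]+?):\s+(?P<value>.*\S)\s*$")


def _coerce(value: str):
    """Hex fields (0x1A) and decimal counters become ints; everything else stays text."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", value):
        return int(value, 16)
    if value.isdigit():
        return int(value)
    return value


def parse_flow_cache(text: str) -> List[Dict[str, object]]:
    """Split `show flow monitor <name> cache` output into one dict per record.
    Field names are lower-cased; a blank line or an ellipsis ends a record."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "…", "..."):
            if current:
                records.append(current)
                current = {}
            continue
        if line.split()[0].endswith("#"):   # the CLI prompt line
            continue
        m = FIELD.match(line)
        if m:
            current[m["name"].strip().lower()] = _coerce(m["value"])
    if current:
        records.append(current)
    return records


# Constructed SGT policy matrix: (source SGT, destination SGT) -> action.
# Any pair not listed is treated as denied.
SGT_POLICY = {(1001, 1000): "permit", (1000, 1001): "permit"}


def segmentation_violations(records, policy=SGT_POLICY):
    """Flows whose SGT pair the policy does not permit; untagged flows are skipped
    because they cannot be evaluated against an SGT matrix."""
    violations = []
    for r in records:
        pair = (r.get("flow cts source group tag"), r.get("flow cts destination group tag"))
        if None in pair:
            continue
        if policy.get(pair, "deny") != "permit":
            violations.append({
                "src": r["ipv4 source address"],
                "dst": r["ipv4 destination address"],
                "sgt_pair": pair,
                "application": r.get("application name"),
            })
    return violations


if __name__ == "__main__":
    for v in segmentation_violations(parse_flow_cache(SAMPLE_CACHE_OUTPUT)):
        print("segmentation policy violation:", v)
```

The slide's own record (SGT 1001 to 1000, ICMP) is permitted by the constructed matrix; the added SSH record from SGT 1002 is not listed and is reported, which is the event StealthWatch would raise as an alarm when NetFlow carries the TrustSec fields.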

Page 59: Network as a Sensor

High Level Proposition (diagram)

• Cisco ISE: Session Table and Policy Table (syslog/pxGrid); Cisco ASA: NetFlow; Cisco Network: NetFlow
• Instruct ISE to enforce policy on a suspicious host (pxGrid)
• Update IP-SGT mappings through SXP for mitigation actions (SXP, CoA)
• Integration with Sourcefire Module through SXP

Page 60: Network as a Sensor