Network as a Sensor
Transcript of Network as a Sensor
![Page 1: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/1.jpg)
Cisco Confidential © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Network as a Sensor / Enforcer
![Page 2: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/2.jpg)
Breach Statistics: a community that hides in plain sight avoids detection and attacks swiftly
• 60% of data is stolen in hours
• 54% of breaches remain undiscovered for months
• 85% of point-of-sale intrusions aren't discovered for weeks
• 51% increase in companies reporting a $10M loss or more in the last 3 years
![Page 3: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/3.jpg)
Customer Impact: Data Breaches Are Costly and Customer Reputation is Fleeting
• Data breach costs: $199 to $42 per record
• Global cybercrime breach examples: Global Retailer ($148M), Global Gaming ($171M), Global Banking ($160M)
![Page 4: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/4.jpg)
Only a Cisco Network Sees Everything
What the network can observe: network servers, operating systems, routers and switches, mobile devices, printers, VoIP phones, virtual machines, client applications, files, users, web applications, application protocols, services, malware, command and control servers, vulnerabilities, NetFlow, network behavior, processes
![Page 5: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/5.jpg)
Leverage Your Cisco Network
Network As A Sensor (NaaS):
• Obtain broad visibility of network traffic
• Detect anomalous traffic
• Detect user access policy violations
Network As An Enforcer (NaaE):
• Dynamic segmentation to contain the attack
• Deploy access control to critical assets
• Dynamic policy and user groups
![Page 6: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/6.jpg)
NetFlow and Lancope StealthWatch:
Scalable Source of Truth
Network as a Sensor
![Page 7: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/7.jpg)
NaaE: Segmentation via TrustSec
Policy-defined, role-based segmentation: who can talk to whom, who can access protected assets, how systems can talk to other systems. The same policy is enforced on the switch, the router, the data-center firewall and the data-center switch: flexible and scalable policy enforcement, simplified access management, accelerated security operations, consistent policy anywhere.

Desired Policy:

| Source role | Production Servers | Development Servers | Internet Access |
| --- | --- | --- | --- |
| Employee (managed asset) | Permit | Deny | Permit |
| Employee (registered BYOD) | Permit | Deny | Permit |
| Employee (unknown BYOD) | Deny | Deny | Permit |
| ENG VDI System | Deny | Permit | Permit |
![Page 8: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/8.jpg)
Campus: converged access (Catalyst 4500, access points) and access/distribution/core (Catalyst 3850/3650 stacks, Catalyst 6800). Branch: ISR 4000. Edge: ASA with FirePOWER (site-to-site VPN, remote access), ESA, WSA with CWS redirect (WCCP), StealthWatch FlowSensor. Identity. Every NetFlow-capable device exports flows that answer who, what, when, where and how.
Visibility: there is a need to understand what is connecting to the network, including software resident on trusted endpoints.
Enforcement: visibility is only a looking-glass, not enforcement. A bigger picture is needed for assigning policy to endpoints.
![Page 9: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/9.jpg)
Cyber Threat Defense 2.0: Scalable Network Defence
Components: firewall, threat detection, routers, switches, NetFlow visibility, content security, ISE
![Page 10: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/10.jpg)
Cyber Threat Defense 2.0: Scalable Network Defence
Advanced Visibility & Investigation
• Partner with Lancope (StealthWatch) to deliver network visibility, security context and intelligence
• Enhance with identity, device and application awareness
Components: firewall, threat detection, routers, switches, NetFlow visibility
![Page 11: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/11.jpg)
Introduction to NetFlow & Lancope StealthWatch
![Page 12: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/12.jpg)
Introduction to NetFlow
• Developed by Cisco in 1996 as a packet-forwarding (switching) mechanism; later superseded by CEF for forwarding
• The statistical reporting it produced became relevant to customers
• Reporting is based on flows and not necessarily on every packet (full flow vs. sampled)
• Various versions exist, version 1 through 9, with 5 being the most popular and 9 the most functional
• Other flow-statistics technologies exist from various vendors: sFlow, IPFIX, JFlow, RFlow, NetStream, cflow
![Page 13: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/13.jpg)
Network Visibility In Motion…
NetFlow key fields: Source IP Address, Destination IP Address, Source Port, Destination Port, Layer 3 Protocol, TOS byte (DSCP), Input Interface
1. The NetFlow generator (a router or switch between source and destination) classifies each packet by its key fields.
2. Packets with the same key fields update one entry in the NetFlow cache, which holds the flow information (for example: addresses and ports …, 11000 packets, 1528 bytes/packet).
3. Cache entries are exported as flow records to Lancope StealthWatch.
![Page 14: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/14.jpg)
NetFlow Metadata = Visibility
Router# show flow monitor CYBER-MONITOR cache
…
IPV4 SOURCE ADDRESS:       192.168.100.100
IPV4 DESTINATION ADDRESS:  192.168.20.6
TRNS SOURCE PORT:          47321
TRNS DESTINATION PORT:     443
INTERFACE INPUT:           Gi0/0/0
IP TOS:                    0x00
IP PROTOCOL:               6
ipv4 next hop address:     192.168.20.6
tcp flags:                 0x1A
interface output:          Gi0/1.20
counter bytes:             1482
counter packets:           23
timestamp first:           12:33:53.358
timestamp last:            12:33:53.370
ip dscp:                   0x00
ip ttl min:                127
ip ttl max:                127
application name:          nbar secure-http
…
A single NetFlow record provides a wealth of information.
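The record above is the kind of thing an analyst reads by hand. The following added example (not from the slides and not Cisco or Lancope tooling) parses that same cache output into a dictionary, extracts the seven key fields that identify the flow in the cache, and derives what the non-key fields say: flow duration, average packet size, and the decoded TCP flags. The record text is the slide's entry reproduced as a constructed string; the field names and the key-field list follow the slides.

```python
from datetime import datetime

# Constructed sample: the cache entry on the slide, reproduced one field per line as
# "show flow monitor CYBER-MONITOR cache" prints it.
SAMPLE_RECORD = """\
IPV4 SOURCE ADDRESS:       192.168.100.100
IPV4 DESTINATION ADDRESS:  192.168.20.6
TRNS SOURCE PORT:          47321
TRNS DESTINATION PORT:     443
INTERFACE INPUT:           Gi0/0/0
IP TOS:                    0x00
IP PROTOCOL:               6
ipv4 next hop address:     192.168.20.6
tcp flags:                 0x1A
interface output:          Gi0/1.20
counter bytes:             1482
counter packets:           23
timestamp first:           12:33:53.358
timestamp last:            12:33:53.370
ip dscp:                   0x00
ip ttl min:                127
ip ttl max:                127
application name:          nbar secure-http
"""

# The seven NetFlow key fields (slide 13), in the record's own field names.
KEY_FIELDS = ("ipv4 source address", "ipv4 destination address",
              "trns source port", "trns destination port",
              "ip protocol", "ip tos", "interface input")

TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def parse_record(text):
    """Turn 'NAME: value' lines into a dict keyed by the lower-cased field name."""
    record = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            record[name.strip().lower()] = value.strip()
    return record


def flow_key(record):
    """The tuple that identifies this flow in the cache; packets matching it update this entry."""
    return tuple(record[field] for field in KEY_FIELDS)


def decode_tcp_flags(hex_value):
    """0x1A -> ['SYN', 'PSH', 'ACK']: the cache ORs together the flags of every packet in the flow."""
    bits = int(hex_value, 16)
    return [name for bit, name in sorted(TCP_FLAG_BITS.items()) if bits & bit]


def summarize(record):
    """Derive what an analyst wants from the non-key fields of one record."""
    fmt = "%H:%M:%S.%f"
    first = datetime.strptime(record["timestamp first"], fmt)
    last = datetime.strptime(record["timestamp last"], fmt)
    packets = int(record["counter packets"])
    byte_count = int(record["counter bytes"])
    return {
        "key": flow_key(record),
        "duration_ms": round((last - first).total_seconds() * 1000),
        "packets": packets,
        "bytes": byte_count,
        "bytes_per_packet": round(byte_count / packets, 1),
        "tcp_flags": decode_tcp_flags(record["tcp flags"]),
        "application": record["application name"],
        # a constant TTL across the flow means one sender, not several hosts behind a NAT
        "ttl_constant": record["ip ttl min"] == record["ip ttl max"],
    }


if __name__ == "__main__":
    for name, value in summarize(parse_record(SAMPLE_RECORD)).items():
        print(f"{name:>18}: {value}")
```

For the slide's record this yields a 12 ms flow of 23 packets averaging 64 bytes, with SYN, PSH and ACK all seen (so the handshake completed and data was pushed), identified by NBAR as secure-http on port 443.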
![Page 15: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/15.jpg)
Versions of NetFlow

| Version | Major Advantage | Limits/Weaknesses |
| --- | --- | --- |
| V5 | Defines 18 exported fields; simple and compact format; most commonly used format | IPv4 only; fixed fields, fixed-length fields only; single flow cache |
| V9 | Template-based; IPv6 flows transported in IPv4 packets; MPLS and BGP next hop supported; defines 104 fields, including L2 fields; reports flow direction | IPv6 flows transported in IPv4 packets; fixed-length fields only; uses more memory; slower performance; single flow cache |
| Flexible NetFlow (FNF) | Template-based flow format (built on the V9 protocol); supports flow monitors (discrete caches); supports selectable key fields and IPv6; supports NBAR data fields | Less common; requires a more sophisticated platform to produce; requires a more sophisticated system to consume |
| IP Flow Information Export (IPFIX), AKA NetFlow V10 | Standardized (RFC 5101, 5102, 6313); supports variable-length fields and NBAR2; can export flows via IPv4 and IPv6 packets | Even less common; only supported on a few Cisco platforms |
| NSEL (ASA only) | Built on the NetFlow v9 protocol; state-based flow logging (context); pre- and post-NAT reporting | Missing many standard fields; limited support by collectors |
![Page 16: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/16.jpg)
Configuring Flexible NetFlow
1. Configure the Exporter (where do I want my data sent?)
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1
2. Configure the Flow Record (what data do I want to meter?)
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes
3. Configure the Flow Monitor (how do I want to cache the information?)
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record
4. Apply to an Interface (which interface do I want to monitor?)
Router(config)# interface s3/0
Router(config-if)# ip flow monitor my-monitor input
Best Practice: include all v5 fields. The three-field record above is only an illustration; a record for StealthWatch should also match the transport ports, protocol, TOS and input interface and collect the packet counter, TCP flags and first/last timestamps, which the collector needs to stitch conversations and compute the statistics shown later.
![Page 17: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/17.jpg)
Introduction to NetFlow: exporters, collection and management
• Exporters: NetFlow-capable devices across the campus (converged access: Catalyst 4500, access points; access/distribution/core: Catalyst 3850-X stacks, Catalyst 6800), the branch (ISR-G2) and the edge (ASA with FirePOWER exporting NetFlow/NSEL, ESA, WSA with CWS redirect, WCCP, StealthWatch FlowSensor), plus identity
• StealthWatch FlowCollector: collects, stores and analyzes NetFlow and NSEL records
• StealthWatch Management Console: real-time data correlation, traffic visualization and consolidated reporting
![Page 18: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/18.jpg)
NetFlow Terminology
• Flow: a traffic set defined by a set of KEY fields, e.g. source IP, destination IP, source port, destination port, protocol, TOS, interface
• Flow Template: a Flexible NetFlow (v9) feature that advertises the record format to the collector
• Flow Collector: a device that receives NetFlow records from a NetFlow generator
• Flow Record: the NetFlow protocol data unit exported from a NetFlow generator; contains a collection of KEY and NON-KEY fields relating to a flow. Non-key fields are e.g. bytes, packets, TCP flags, AP MAC and client MAC
• Flow Exporter: the NetFlow configuration of where (which collector) the flows are sent, including IP address and protocol/port
• NetFlow Generator: a NetFlow-enabled network device
![Page 19: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/19.jpg)
Lesson 2: Lancope StealthWatch
![Page 20: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/20.jpg)
StealthWatch Solution Components
• Inputs: NetFlow (including NBAR application data) from the Cisco network, NSEL from the ASA, and users/devices from Cisco ISE
• StealthWatch Management Console: management and reporting; up to 25 FlowCollectors; up to 3 million FPS globally
• StealthWatch FlowCollector: collect and analyze; up to 2,000 sources; up to 120,000 FPS sustained
• StealthWatch FlowSensor (physical or VE): generates NetFlow from traffic where the infrastructure does not export it
• StealthWatch FlowReplicator: forwards NetFlow to other tools/collectors
• NaaS Bundles: exporting device and collection (FlowCollector, SMC, FPS license)
![Page 21: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/21.jpg)
Scaling Visibility: Flow Stitching
Uni-directional flow records (one per direction, exported separately):

| Start Time | Interface | Src IP | Src Port | Dest IP | Dest Port | Proto | Pkts Sent | Bytes Sent |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 10:20:12.221 | eth0/1 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 5 | 1025 |
| 10:20:12.871 | eth0/2 | 10.1.1.1 | 80 | 10.2.2.2 | 1024 | TCP | 17 | 28712 |

Bi-directional (conversation) flow record, stitched by the collector; allows easy visualization and analysis:

| Start Time | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | Interfaces |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 10:20:12.221 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 1025 | 5 | 28712 | 17 | eth0/1, eth0/2 |
![Page 22: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/22.jpg)
Scaling Visibility: NetFlow De-duplication
The same conversation between 10.2.2.2:1024 and 10.1.1.1:80 is exported by every NetFlow generator on its path: Router A and Router B both report 10.2.2.2:1024 -> 10.1.1.1:80, and Router C reports 10.1.1.1:80 -> 10.2.2.2:1024. These are duplicates of one flow.
Without de-duplication:
• Traffic volume can be misreported
• False positives would occur
De-duplication:
• Allows for the efficient storage of flow data
• Is necessary for accurate host-level reporting
• Does not discard data
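Flow stitching (previous slide) and de-duplication (this slide) are both collector-side operations. The following added example, which is not StealthWatch code, implements both in plain Python over constructed records of the slide's conversation as three routers on the path would export it: Router A and Router B both export the client-to-server half, Router C exports the reply. Stitching the raw records counts the client's bytes twice; stitching the de-duplicated records reproduces the conversation record shown on the previous slide.

```python
from collections import defaultdict

# Constructed sample: the slide's conversation (10.2.2.2:1024 -> 10.1.1.1:80) as
# three routers on the path export it. Router A and Router B both see the
# client-to-server half, so the same record arrives twice; Router C exports the reply.
RECORDS = [
    dict(exporter="Router A", iface="eth0/1", start="10:20:12.221",
         src="10.2.2.2", sport=1024, dst="10.1.1.1", dport=80, proto="TCP", pkts=5, bytes=1025),
    dict(exporter="Router B", iface="eth0/1", start="10:20:12.221",
         src="10.2.2.2", sport=1024, dst="10.1.1.1", dport=80, proto="TCP", pkts=5, bytes=1025),
    dict(exporter="Router C", iface="eth0/2", start="10:20:12.871",
         src="10.1.1.1", sport=80, dst="10.2.2.2", dport=1024, proto="TCP", pkts=17, bytes=28712),
]


def observed_at(rec):
    """Exporter:interface labels a record carries (one for a raw record, several after de-dup)."""
    return rec.get("observed") or [f'{rec["exporter"]}:{rec["iface"]}']


def dedup(records):
    """Collapse copies of the same unidirectional flow reported by different exporters.
    Counters come from one observation (the largest seen), not the sum, so volume is
    not over-reported; the list of observation points is kept, so nothing is discarded.
    A production collector also bounds this by a time window; this sample keys on the
    5-tuple alone and keeps the earliest start time."""
    unique = {}
    for r in records:
        key = (r["src"], r["sport"], r["dst"], r["dport"], r["proto"])
        if key not in unique:
            unique[key] = dict(r, observed=[])
        u = unique[key]
        u["observed"] += observed_at(r)
        u["start"] = min(u["start"], r["start"])
        u["pkts"] = max(u["pkts"], r["pkts"])
        u["bytes"] = max(u["bytes"], r["bytes"])
    return list(unique.values())


def stitch(records):
    """Pair the two halves of each conversation into one bidirectional record.
    The client is the endpoint whose half started first (times are HH:MM:SS.mmm,
    so string order is time order within one day)."""
    halves = defaultdict(list)
    for r in records:
        a, b = (r["src"], r["sport"]), (r["dst"], r["dport"])
        halves[(min(a, b), max(a, b), r["proto"])].append(r)
    conversations = []
    for (_, _, proto), rs in halves.items():
        rs.sort(key=lambda r: r["start"])
        client = (rs[0]["src"], rs[0]["sport"])
        sent = [r for r in rs if (r["src"], r["sport"]) == client]
        replies = [r for r in rs if (r["src"], r["sport"]) != client]
        conversations.append({
            "start": rs[0]["start"],
            "client": client[0], "client_port": client[1],
            "server": rs[0]["dst"], "server_port": rs[0]["dport"],
            "proto": proto,
            "client_bytes": sum(r["bytes"] for r in sent),
            "client_pkts": sum(r["pkts"] for r in sent),
            "server_bytes": sum(r["bytes"] for r in replies),
            "server_pkts": sum(r["pkts"] for r in replies),
            "interfaces": sorted({label for r in rs for label in observed_at(r)}),
        })
    return conversations


if __name__ == "__main__":
    print("without de-dup:", stitch(RECORDS)[0]["client_bytes"], "client bytes")
    print("with de-dup:   ", stitch(dedup(RECORDS))[0]["client_bytes"], "client bytes")
```

Taking the largest counter rather than summing is what keeps a flow seen by three routers from being reported at three times its size; keeping every exporter:interface label is what "does not discard data" means in practice, since the path the flow took is itself useful evidence.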
![Page 23: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/23.jpg)
Adding Context and Situation Awareness
Flow data is enriched with: NAT events, known command & control servers, user identity, application & URL
![Page 24: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/24.jpg)
Conversational Flow Record
• Who (client and server), what, when, how and where, with more context attached
• Highly scalable (enterprise class) collection
• High compression, enabling long-term storage
• Months of data retention
![Page 25: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/25.jpg)
Alternative to NetFlow: Physical FlowSensor
The StealthWatch FlowSensor receives a SPAN copy of traffic (for example from a Nexus 7700) and generates NetFlow from it.
• Multiple hardware platforms, up to 20 Gbps throughput
• Non-performance-impacting 1:1 NetFlow generation
• Recognition of over 900 applications
• URL capture
• Additional statistics: Server Response Time, Round Trip Time
![Page 26: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/26.jpg)
Optional: StealthWatch FlowSensor VE
Visibility & Context: lightweight packet capture and IPFIX generation inside the hypervisor, alongside the service console and the guest VMs
• Flow records include: VM name, VM server name, VM state
• vMotion aware
• Host profiled in terms of VM name
• Application, SRT and RTT (same as the physical FlowSensor)
![Page 27: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/27.jpg)
Network as a Sensor Architecture
1. Flow Exporting Layer: enables flow export from the infrastructure to the respective StealthWatch FlowCollector
2. Flow Collection Layer: consists of FlowCollectors within each major site
3. Management/Reporting Layer: consists of a single SMC (redundant SMC available) to centralize management and reporting
![Page 28: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/28.jpg)
Network as a Sensor Architecture
Overall, a Cyber Threat Defense solution can scale to 3 million flows per second from 50,000 exporter sources across 25 FlowCollectors, all reporting to a single management system.
![Page 29: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/29.jpg)
Visualizing the Environment
![Page 30: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/30.jpg)
NetFlow Analysis can help:
• Identify additional IOCs: policy & segmentation, Network Behaviour Anomaly Detection (NBAD)
• Better understand / respond to an IOC: audit trail of all host-to-host communication
• Discovery: identify business-critical applications and services across the network
![Page 31: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/31.jpg)
StealthWatch: Web Dashboard
Shows alarms, the flow collection trend, top applications and active alarms.
![Page 32: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/32.jpg)
StealthWatch: Host Snapshot
Shows the host's alarms, users, activity & applications, host groups and classifications, and a view of its flows.
![Page 33: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/33.jpg)
StealthWatch: Mapping
The map displays the status of the host groups, showing live data such as active alarms and traffic bandwidth. In addition, you can add images, lines, and text boxes to aid in the visual representation of your environment.
![Page 34: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/34.jpg)
Visualizing Flows, Services, and Applications: Flow Table
The most comprehensive information about flows for a specific time frame (who, what, when, how). By default, displays up to 2,000 flows occurring during the last 5 minutes.
![Page 35: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/35.jpg)
Quick View for a Flow
![Page 36: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/36.jpg)
Visualizing Flows, Services, and Applications: Relational Flow Maps
Graphical view of the current state of traffic between host groups.
![Page 37: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/37.jpg)
NetFlow Analysis can help: Data Intelligence and Incident Response
![Page 38: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/38.jpg)
Behavioral Detection Model
• As flows are collected, behavioral algorithms are applied to build "Security Events". Each Security Event adds points to an alarm category, which allows easy summarization and a higher degree of confidence about the type of activity detected.
• Security Events (94+), for example: Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, ICMP Flood, Max Flows Initiated, Max Flows Served, Suspect Long Flow, Suspect UDP Activity, SYN Flood, …
• Alarm Categories: Concern, Exfiltration, C&C, Recon, Data Hoarding, Exploitation, DDoS Target
• Response: Alarm Table, Host Snapshot, Syslog / SIEM, Mitigation
![Page 39: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/39.jpg)
NaaS Bundles
![Page 40: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/40.jpg)
Network as a Sensor: New Unified Access Bundles (FY15 Promotion, FCS 12/14/2014)
• ONENTWK-ADV-CTD: Catalyst 3850 (10) with 2x10G uplink, IP Base, PoE; WLC (2) 5508/8510/5760; AP-3700 (50), vMSE, CMX for 50 APs; Lancope StealthWatch. $186K + $35K (Lancope)
• CATALYST-3850-CTD: Catalyst 3850 (1), 24/48 port, data/PoE, IP Base, configurable uplink; Lancope StealthWatch. Switching + $35K (Lancope)
• CATALYST-3650-CTD: Catalyst 3650 (1), 24/48 port, data/PoE, IP Base, choice of uplink model; Lancope StealthWatch. Switching + $35K (Lancope)
• CATALYST-4500E-CTD: Catalyst 4500E Sup8E, IP Base, a-la-carte chassis configuration (WS-C4503-E / WS-C4506-E / WS-C4507R+E / WS-C4510R+E) or bundles (WS-C4510RE-S8+96V+ / WS-C4507RE+96V+ with Sup8E); Lancope StealthWatch. Switching + $35K (Lancope)
Lancope StealthWatch included: L-LC-500-BND-VE-K9 ($35K): Management Console Virtual Edition, FlowCollector Virtual Edition, product support (1st year), 500 flow licenses
Optional flow licenses / support: Flow License 100/200/300/400/1000 FPS (L-LC-***-BND-VE-K9); product support year 2+ (CON-LC-***-BND-VE); installation support, one week (L-LC-INSTALL-BND-1WK=)
Customers receive StealthWatch at a 36% discount using these bundles.
Promo details (internal): http://wwwin.cisco.com/tech/enterprise/promotions.shtml
![Page 41: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/41.jpg)
StealthWatch Update
![Page 42: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/42.jpg)
StealthWatch 6.6 – At a Glance
• Alarm workflow
• New security algorithms
• Threat feed improvements
• NBAR2 support
• ISE integration adds quarantine actions
• Job management improvements
• Cisco UCS support
• ANC (Assisted Network Classification) for network scanners
• FlowCollector 5000
• FlowReplicator high availability
• Virtual FlowCollector 1K, 2K, 4K
![Page 43: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/43.jpg)
New alarm categories added to the main Security Insight Dashboard
![Page 44: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/44.jpg)
Security Insight Dashboard: provides a valuable dashboard of host activities and quarantine actions (quarantine requires the Cisco ISE 1.3 integration)
Workflow drill-down: Alarm, then Security Event Details, then Host, then Host Report
![Page 45: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/45.jpg)
Host Report
• All new Host Report features at a glance, with details
• Actions for research drill-down, classification of hosts, or quarantining the host (quarantine requires the Cisco ISE 1.3 integration)
• Visualize traffic by peer and traffic by application
![Page 46: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/46.jpg)
Security Events added in 6.6

Talks to phantoms
• An indicator of scanning or other malicious behavior, based on hosts that are talking to hosts that do not exist.
• This event looks for hosts communicating with hosts that are not there.
• The threshold for the number of phantoms is configurable; the event contributes to the Recon category.

SSH reverse shell
• Finds instances of data exfiltration occurring over SSH.
• This event looks for large amounts of data being sent out over SSH.
• The traffic threshold and the percentage of data sent by the outside host are configurable by the user.
• SSH Reverse Shell contributes to the CI (Concern Index), TI (Target Index) and C&C alarm categories.

Fake Application Detected
• Looks for data exfiltration and command-and-control channels by identifying applications travelling over non-standard ports.
• This event looks for scenarios where applications are being used on the wrong port or where ports carry the wrong applications.
• This event has no user-configurable parameters and contributes to the CI, TI and C&C alarm categories.
![Page 47: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/47.jpg)
Scanner Talking
• A host that scanned the network now has a bidirectional connection to one of the hosts that were scanned, on the port that was scanned.
• This event looks for hosts that have scanned the network and then established a bidirectional connection from the scanning port to a port that was scanned.
• This event has no user-configurable parameters and contributes to the CI, TI and Exploitation alarm categories.

Brute force login event
• This event is made to detect occurrences of brute-force login attempts over SSH, FTP, Telnet and RDP.
• This event looks for network traffic where there are unusually high numbers of login attempts.
• This event has no user-configurable parameters and contributes to the CI, TI and Exploitation alarm categories.

High SMB Peers
• A host has many SMB sessions to the outside, which is consistent with worm propagation.
• This event looks for hosts that have many SMB sessions to the outside.
• This event has no user-configurable parameters and contributes to the CI and TI alarm categories.

Suspect Quiet Longflow
• This event looks for flows of long duration that have had unusually low amounts of data transferred.
• The thresholds for the length of the flow and the bytes transferred are configurable by the user; the event contributes to the C&C alarm category.

Security Events added in 6.6
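To make the scoring model concrete, this added example (not Lancope's algorithms, which are proprietary) implements four of the 6.6 security events described above, Talks to phantoms, Suspect Quiet Longflow, Brute force login and High SMB Peers, over constructed conversation records and tallies the hits into alarm categories per host, the way the Behavioral Detection Model slide describes. The thresholds, the inside-network definition and the sample flows are assumptions chosen for the sample; which parameters are user-configurable follows the slides.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumed "inside" address space and the login services the brute-force event watches.
INSIDE = [ipaddress.ip_network("10.0.0.0/8")]
LOGIN_PORTS = {21, 22, 23, 3389}            # FTP, SSH, Telnet, RDP

# Assumed thresholds. The product makes the phantom count and the quiet-long-flow
# limits user-configurable; the brute force and SMB events have fixed parameters.
PHANTOM_THRESHOLD = 5
LONGFLOW_MIN_SECONDS = 3600
LONGFLOW_MAX_BYTES = 2000
BRUTE_FORCE_ATTEMPTS = 20
SMB_PEER_THRESHOLD = 10


def is_inside(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE)


def talks_to_phantoms(flows):
    """Recon: a host that contacts many peers which never answer (zero server packets)."""
    phantoms = defaultdict(set)
    for f in flows:
        if f["server_pkts"] == 0:
            phantoms[f["client"]].add(f["server"])
    return {h: len(s) for h, s in phantoms.items() if len(s) >= PHANTOM_THRESHOLD}


def suspect_quiet_longflow(flows):
    """C&C: long-lived flows that move almost no data, the shape of a heartbeat channel."""
    hits = Counter()
    for f in flows:
        if (f["duration_s"] >= LONGFLOW_MIN_SECONDS
                and f["client_bytes"] + f["server_bytes"] <= LONGFLOW_MAX_BYTES):
            hits[f["client"]] += 1
    return dict(hits)


def brute_force_login(flows):
    """Exploitation: unusually many sessions from one host to one login service."""
    attempts = Counter((f["client"], f["server"], f["server_port"])
                       for f in flows
                       if f["proto"] == "TCP" and f["server_port"] in LOGIN_PORTS)
    return {k: n for k, n in attempts.items() if n >= BRUTE_FORCE_ATTEMPTS}


def high_smb_peers(flows):
    """Concern: many SMB sessions from one host to outside peers, consistent with a worm."""
    peers = defaultdict(set)
    for f in flows:
        if f["server_port"] == 445 and not is_inside(f["server"]):
            peers[f["client"]].add(f["server"])
    return {h: len(s) for h, s in peers.items() if len(s) >= SMB_PEER_THRESHOLD}


def score(flows):
    """Run every event and add a point to the matching alarm category of each host."""
    alarms = defaultdict(Counter)
    for host in talks_to_phantoms(flows):
        alarms[host]["Recon"] += 1
    for host, n in suspect_quiet_longflow(flows).items():
        alarms[host]["C&C"] += n
    for (host, _server, _port) in brute_force_login(flows):
        alarms[host]["Exploitation"] += 1
    for host in high_smb_peers(flows):
        alarms[host]["Concern"] += 1
    return {host: dict(cats) for host, cats in alarms.items()}


def flow(client, server, port, proto="TCP", cb=500, sb=800, cp=5, sp=4, dur=2):
    """Build one constructed conversation record (client-side and server-side counters)."""
    return dict(client=client, server=server, server_port=port, proto=proto,
                client_bytes=cb, server_bytes=sb, client_pkts=cp, server_pkts=sp,
                duration_s=dur)


# Constructed sample: four misbehaving hosts and one ordinary web client.
SAMPLE_FLOWS = (
    [flow("10.1.1.50", f"10.1.9.{i}", 445, cb=60, sb=0, cp=1, sp=0) for i in range(1, 9)]   # probes 8 dead hosts
    + [flow("10.1.1.51", "203.0.113.7", 443, sb=400, cp=20, sp=18, dur=5 * 3600)]        # 5 h, 900 bytes
    + [flow("10.1.1.52", "10.1.2.9", 22, cb=1200, sb=1400) for _ in range(30)]            # 30 SSH sessions
    + [flow("10.1.1.53", f"198.51.100.{i}", 445) for i in range(1, 13)]                   # SMB to 12 outside peers
    + [flow("10.1.1.60", "203.0.113.10", 443, cb=3000, sb=90000, cp=40, sp=80, dur=30)]  # normal HTTPS
)

if __name__ == "__main__":
    for host, cats in sorted(score(SAMPLE_FLOWS).items()):
        print(host, cats)
```

Every detector works on conversation records rather than raw unidirectional exports, which is why the stitching and de-duplication steps matter: "server packets equal to zero" is only meaningful once the two halves have been paired, and a duplicated client half would otherwise double the SSH attempt count.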
![Page 48: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/48.jpg)
Extend deployment and visibility: Cisco UCS
• Support of Cisco UCS NetFlow: increased data-center traffic visibility within the UCS platform
• Deploy StealthWatch on Cisco UCS: FC1000, FC2000, FC4000 equivalents on B-Series and C-Series; FS1000, FS2000, FS3000 equivalents on B-Series and C-Series; FR1000, FR2000 equivalents on B-Series and C-Series
![Page 49: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/49.jpg)
Virtual FlowCollector
• FlowCollector 1K, 2K and 4K available
• Software-only deployment; supported hypervisors: Citrix XenServer, KVM, VMware ESX/ESXi
• A simple download, no on-site hardware installation
• Lower cost of ownership
![Page 50: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/50.jpg)
NBAR2 Applications Support
Updated application identification including Cisco AVC NBAR2: an increased number of applications identified and more granular detail about each application. For a complete list of applications in the NBAR2 library see http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/network-based-application-recognition-nbar/product_bulletin_c25-627831.html
![Page 51: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/51.jpg)
Cisco ISE 1.3 Integration
StealthWatch now uses the Cisco pxGrid API to initiate a quarantine action. Through the StealthWatch interface a quarantine action can be initiated from the host dashboard.
![Page 52: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/52.jpg)
Configure Cisco ISE 1.3 Integration via Web Interface
Cisco ISE can now be configured in either the Java or the web interface; Cisco ISE mitigation must be configured in the web interface.
![Page 53: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/53.jpg)
Assisted Network Classification for Network Scanners
StealthWatch now identifies, daily, devices in your network that are acting like network scanners, assisting customers in identifying system types within their network as well as rogue systems that were not previously authorized.
![Page 54: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/54.jpg)
FlowCollector 5000
• Increased flow ingestion: target 240,000+ FPS
• 3U: 1U flow collection plus 2U of 6 TB storage
• Increased maximum exporters/routers: 4096
• Requires StealthWatch 6.6+
![Page 55: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/55.jpg)
FlowReplicator HA
High availability options are now available for the FlowReplicator. A maximum of 2 FlowReplicators are supported per cluster: the Primary (active) FlowReplicator and the Secondary (passive) FlowReplicator. If the Primary FlowReplicator in the pair fails, the Secondary takes over and becomes the Primary. High availability in the FlowReplicator supports active/passive only: both nodes are fully redundant, but only one node is online at a time.
![Page 56: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/56.jpg)
Flows and Tags
![Page 57: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/57.jpg)
Segmentation Monitoring with StealthWatch
• Clear visibility into any traffic traversing the environment
• Traffic violating segmentation policy generates an alarm
![Page 58: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/58.jpg)
TrustSec Fields in NetFlow
Router# show flow monitor CYBER-MONITOR cache
…
IPV4 SOURCE ADDRESS:             10.1.100.82
IPV4 DESTINATION ADDRESS:        8.8.8.100
TRNS SOURCE PORT:                0
TRNS DESTINATION PORT:           2048
INTERFACE INPUT:                 Gi0/0/0
FLOW DIRECTION:                  Input
FLOW CTS SOURCE GROUP TAG:       1001
FLOW CTS DESTINATION GROUP TAG:  1000
IP PROTOCOL:                     1
ipv4 next hop address:           8.8.8.100
tcp flags:                       0x00
interface output:                Gi0/0/2
counter bytes:                   120
counter packets:                 2
timestamp first:                 05:29:17.398
timestamp last:                  05:29:18.396
ip dscp:                         0x00
ip ttl min:                      123
ip ttl max:                      123
application name:                layer7 ping
…
The two CTS group-tag fields (source SGT 1001, destination SGT 1000) are what segmentation monitoring keys on. Note that for ICMP (protocol 1) the destination port field carries the ICMP type and code (2048 = 0x0800 = echo request), so "port 2048" here is not a transport port.
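Segmentation monitoring from the "Desired Policy" matrix (the TrustSec slide earlier) and the CTS group tags in the record above, as an added example that is not StealthWatch code: each conversation's client and server SGTs are mapped to a role, the pair is looked up in the policy matrix, and an alarm is raised when the matrix says Deny or when a tag is unknown to the policy. The SGT-to-role numbering and the sample conversations are assumptions (the slide shows tags 1001 and 1000 without naming them); the tags reach the collector only when the Flexible NetFlow record carries the CTS source and destination group-tag fields. Evaluating stitched conversation records (client to server) rather than unidirectional halves avoids flagging the server's reply as a violation.

```python
# Policy matrix from the "Desired Policy" slide: source role -> destination role -> verdict.
POLICY = {
    "Employee (managed asset)":   {"Production Servers": "Permit", "Development Servers": "Deny",   "Internet Access": "Permit"},
    "Employee (registered BYOD)": {"Production Servers": "Permit", "Development Servers": "Deny",   "Internet Access": "Permit"},
    "Employee (unknown BYOD)":    {"Production Servers": "Deny",   "Development Servers": "Deny",   "Internet Access": "Permit"},
    "ENG VDI System":             {"Production Servers": "Deny",   "Development Servers": "Permit", "Internet Access": "Permit"},
}

# Assumed SGT numbering (the slide shows tags 1001 and 1000 without naming them).
# Tag 0 is what untagged destinations, such as the Internet, carry in the record.
SGT_ROLE = {
    10: "Employee (managed asset)",
    11: "Employee (registered BYOD)",
    12: "Employee (unknown BYOD)",
    20: "ENG VDI System",
    100: "Production Servers",
    200: "Development Servers",
    0: "Internet Access",
}


def role_of(sgt):
    return SGT_ROLE.get(sgt, f"SGT {sgt}")


def evaluate(conv):
    """Return Permit, Deny or Unclassified for one conversation (client -> server)."""
    client_role = SGT_ROLE.get(conv["client_sgt"])
    server_role = SGT_ROLE.get(conv["server_sgt"])
    if client_role is None or server_role is None:
        return "Unclassified"           # a tag the policy does not know: alarm, never permit silently
    return POLICY.get(client_role, {}).get(server_role, "Deny")   # pairs absent from the matrix: deny


def segmentation_alarms(conversations):
    """Alarm on every conversation the desired policy does not explicitly permit."""
    alarms = []
    for c in conversations:
        verdict = evaluate(c)
        if verdict != "Permit":
            alarms.append({
                "client": c["client"], "client_role": role_of(c["client_sgt"]),
                "server": c["server"], "server_role": role_of(c["server_sgt"]),
                "proto": c["proto"], "server_port": c["server_port"], "verdict": verdict,
            })
    return alarms


def conv(client, client_sgt, server, server_sgt, proto, port):
    return dict(client=client, client_sgt=client_sgt, server=server,
                server_sgt=server_sgt, proto=proto, server_port=port)


# Constructed sample conversations, already stitched (client = initiator) and carrying
# the CTS source/destination group tags copied from their NetFlow records.
SAMPLE = [
    conv("10.1.100.82", 10, "10.1.200.5", 100, "TCP", 443),    # managed asset -> production: Permit
    conv("10.1.100.90", 11, "10.1.210.7", 200, "TCP", 22),     # registered BYOD -> development: Deny
    conv("10.1.100.91", 12, "10.1.200.5", 100, "TCP", 445),    # unknown BYOD -> production: Deny
    conv("10.1.50.3", 20, "8.8.8.100", 0, "ICMP", 0),          # VDI -> Internet: Permit
    conv("10.1.100.95", 999, "10.1.200.5", 100, "TCP", 3389),  # tag unknown to the policy: Unclassified
]

if __name__ == "__main__":
    for a in segmentation_alarms(SAMPLE):
        print(f'{a["verdict"]:12} {a["client"]} ({a["client_role"]}) -> '
              f'{a["server"]}:{a["server_port"]} ({a["server_role"]})')
```

Two design choices are worth keeping when this is done for real: an SGT the policy does not know is reported as its own class of alarm rather than treated as permitted, and role pairs that the matrix never mentions fall through to Deny, so a gap in the matrix shows up as alarms to triage instead of as silent trust.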
![Page 59: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/59.jpg)
High Level Proposition
• Cisco ISE supplies its session table and policy table to StealthWatch (via syslog / pxGrid); the Cisco network supplies NetFlow
• StealthWatch instructs ISE to enforce policy on a suspicious host (pxGrid, applied by ISE with CoA)
• IP-SGT mappings are updated through SXP for mitigation actions
• Integration with the Sourcefire module on the Cisco ASA through SXP
![Page 60: Network as a Sensor](https://reader035.fdocuments.us/reader035/viewer/2022070518/58e53f241a28ab18318b50db/html5/thumbnails/60.jpg)