Pavel Minařík
What is hidden in network traffic?
Security Session 2015, 11th April 2015, Brno, FIT VUT
• Traditional monitoring
Availability of services and network components
SNMP polling (interfaces, resources)
100+ tools and solutions on commercial and open sources basis (Cacti, Zabbix, Nagios, …)
• Next-generation monitoring
Traffic visibility on various network layers
Detection of security and operational issues
Network/Application performance monitoring
Full packet capture for troubleshooting
Monitoring Tools
Performance Monitoring
[Figure: TCP session timeline between client and server. Syn, Syn/Ack, Ack – TCP handshake, measured as RTT. Req, Ack, Data – client request and server response, measured as SRT. Data, Data, Data – the delay between consecutive data packets.]
Round Trip Time – delay introduced by network
Server Response Time – delay introduced by server/application
Delay (min, max, avg, deviation) – delays between packets
Jitter (min, max, avg, deviation) – variance of delays between packets
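The four metrics above can be derived from packet timestamps alone, which is what a probe does. The following is an added example (not code from the deck or from the FlowMon product): a constructed packet timeline for one TCP connection, and functions that compute RTT from the handshake, SRT from the request/response pair, and the delay and jitter statistics between packets. The direction labels, the Packet tuple and the sample timestamps are assumptions made for the example.

```python
from collections import namedtuple
from statistics import mean, pstdev

Packet = namedtuple("Packet", "ts direction flags payload")

# Constructed timeline of one TCP connection as a probe between client (C)
# and server (S) would see it; timestamps in seconds. Not captured traffic.
PACKETS = [
    Packet(0.000, "C>S", "SYN", 0),
    Packet(0.040, "S>C", "SYN,ACK", 0),
    Packet(0.041, "C>S", "ACK", 0),
    Packet(0.042, "C>S", "ACK", 120),   # client request (first payload)
    Packet(0.080, "S>C", "ACK", 0),     # server acknowledges the request
    Packet(0.250, "S>C", "ACK", 1460),  # first byte of the server response
    Packet(0.262, "S>C", "ACK", 1460),
    Packet(0.280, "S>C", "ACK", 800),
]


def stats(values):
    """min/max/avg/deviation, the four figures the slide lists for Delay and Jitter."""
    return {"min": min(values), "max": max(values),
            "avg": mean(values), "dev": pstdev(values)}


def rtt(packets):
    """Round Trip Time: client SYN to the server's SYN/ACK, i.e. the delay
    introduced by the network (no application code is involved yet)."""
    syn = next(p.ts for p in packets if p.direction == "C>S" and p.flags == "SYN")
    synack = next(p.ts for p in packets if p.direction == "S>C" and p.flags == "SYN,ACK")
    return synack - syn


def srt(packets):
    """Server Response Time: first client payload to first server payload,
    i.e. the delay introduced by the server/application."""
    request = next(p.ts for p in packets if p.direction == "C>S" and p.payload > 0)
    response = next(p.ts for p in packets
                    if p.direction == "S>C" and p.payload > 0 and p.ts > request)
    return response - request


def delays(packets):
    """Delay: time between consecutive packets of the connection."""
    ts = [p.ts for p in packets]
    return [b - a for a, b in zip(ts, ts[1:])]


def jitter(packets):
    """Jitter: how much the inter-packet delay varies, taken here as the
    absolute difference between consecutive delays."""
    d = delays(packets)
    return [abs(b - a) for a, b in zip(d, d[1:])]


if __name__ == "__main__":
    print("RTT   %.3f s" % rtt(PACKETS))
    print("SRT   %.3f s" % srt(PACKETS))
    print("Delay ", {k: round(v, 3) for k, v in stats(delays(PACKETS)).items()})
    print("Jitter", {k: round(v, 3) for k, v in stats(jitter(PACKETS)).items()})
```

A long RTT with a short SRT points at the network, the reverse at the server; that distinction is what the metrics are for when a user reports "the application is slow".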
Flow Standards
• Cisco standard – NetFlow v5: fixed format, only basic items available, no IPv6, MAC, VLANs, …
• Cisco standard – NetFlow v9 (Flexible NetFlow): flexible format using templates, mandatory for current needs, provides IPv6, VLANs, MAC, …
• Independent IETF standard – IPFIX („NetFlow v10“): the future of flow monitoring, more flexibility than NetFlow v9
• Huawei NetStream: same as original Cisco standard NetFlow v9
• Juniper jFlow: similar to NetFlow v9, different timestamps
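The "fixed format" of NetFlow v5 is easiest to see by packing and unpacking one datagram. The code below is an added example, not part of the deck or of any vendor's exporter: it builds a v5 datagram from constructed flow records (24-byte header, 48-byte records, big-endian, as the v5 layout defines them) and parses it back. The `fits_v5` check shows the IPv6 limitation the slide mentions: the address fields are four bytes wide, so an IPv6 flow simply cannot be expressed and needs v9 or IPFIX. Field order follows the public v5 layout; the sample addresses, ports and the interface numbers 1/2 are assumptions.

```python
import ipaddress
import struct

# NetFlow v5 datagram: 24-byte header followed by up to 30 fixed 48-byte
# records, all big-endian. No templates, IPv4 only, no MAC or VLAN fields.
HEADER = struct.Struct("!HHIIIIBBH")   # version, count, sys_uptime, unix_secs,
                                       # unix_nsecs, flow_sequence, engine_type,
                                       # engine_id, sampling_interval
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, input, output,
                                                    # dPkts, dOctets, first, last,
                                                    # srcport, dstport, pad1, tcp_flags,
                                                    # prot, tos, src_as, dst_as,
                                                    # src_mask, dst_mask, pad2
assert HEADER.size == 24 and RECORD.size == 48


def fits_v5(address):
    """Only IPv4 fits the 4-byte address fields of a v5 record."""
    return ipaddress.ip_address(address).version == 4


def build_record(src, dst, sport, dport, proto, pkts, octets, first_ms, last_ms, tcp_flags=0):
    """Pack one v5 flow record (interfaces 1/2 and /24 masks are placeholders)."""
    if not (fits_v5(src) and fits_v5(dst)):
        raise ValueError("NetFlow v5 has no IPv6 fields; use NetFlow v9 or IPFIX")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return RECORD.pack(s.packed, d.packed, b"\0\0\0\0", 1, 2, pkts, octets,
                       first_ms, last_ms, sport, dport, 0, tcp_flags, proto, 0,
                       0, 0, 24, 24, 0)


def build_datagram(records, uptime_ms=120000, unix_secs=1428710400, seq=0):
    """Prepend the v5 header; 'count' is the number of records that follow."""
    header = HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    return header + b"".join(records)


def parse_datagram(data):
    """Unpack a v5 datagram into plain dicts, one per flow."""
    version, count, uptime, secs, nsecs, seq, *_ = HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram (version %d)" % version)
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "duration_ms": f[8] - f[7],          # last - first (sys_uptime based)
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13],
            "src_as": f[16], "dst_as": f[17],
        })
    return {"sequence": seq, "uptime_ms": uptime, "unix_secs": secs, "flows": flows}


if __name__ == "__main__":
    # Constructed flows: one HTTPS session and one DNS query.
    recs = [build_record("10.0.0.5", "192.0.2.10", 51000, 443, 6, 12, 5400, 1000, 1800, 0x1b),
            build_record("10.0.0.5", "192.0.2.53", 53001, 53, 17, 1, 76, 2000, 2000)]
    for flow in parse_datagram(build_datagram(recs))["flows"]:
        print(flow)
```

The same exercise with v9 or IPFIX needs a template record first, which is exactly the flexibility (and the extra parser complexity) the slide contrasts v5 against.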
Flow Sources
• Enterprise-class network equipment
Routers, switches, firewalls
• Mikrotik routers
Popular and cost efficient hardware
• Flow Probes
Dedicated appliances for flow export
• Trends
Number of flow-enabled devices is growing
L7 visibility, performance monitoring, …
Flow Gathering Schemes
Probe on a SPAN port
Pros: accuracy, performance, L2/L3/L4/L7 visibility
Cons: may reach capacity limit, no interface number
Facts: fits most customers, limited number of SPANs
Use: enterprise networks
Probe on a TAP
Pros: same as „on a SPAN“, all packets captured, separates RX and TX
Cons: additional HW
Facts: 2 monitoring ports
Use: ISP uplinks, DCs
Flows from switch/router
Pros: already available, no additional HW, traffic on interfaces
Cons: usually inaccurate, visibility L3/L4, performance impact
Facts: always test before use
Use: branch offices (MPLS, …)
Traffic Analysis (using flow)
• Bridges the gap left by endpoint and perimeter security solutions
• Behavior based Anomaly Detection (NBA)
• Detection of security and operational issues
Attacks on network services, network reconnaissance
Infected devices and botnet C&C communication
Anomalies of network protocols (DNS, DHCP, …)
P2P traffic, TOR, on-line messengers, …
DDoS attacks and vulnerable services
Configuration issues
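Network reconnaissance is the textbook case for flow-based detection: a scanner never completes sessions, so its flows are one-packet, SYN-only records fanning out across ports or hosts. The following is an added example (not code from the deck or from FlowMon's detection engine): constructed flow records in the shape a v5/v9/IPFIX export provides, a heuristic for "probe-like" flows, and a detector that raises an alert for a vertical scan (many ports on one host) and a horizontal scan (one port across many hosts). The thresholds, the record layout and the sample addresses are assumptions.

```python
from collections import defaultdict

SYN, ACK, FIN = 0x02, 0x10, 0x01

# Constructed flow records, one tuple per flow:
# (src, dst, dst port, protocol, packets, bytes, TCP flags OR-ed over the flow)
FLOWS = (
    # vertical scan: one internal host probing 60 ports on one server, SYN only
    [("10.0.0.7", "192.0.2.10", port, 6, 1, 60, SYN) for port in range(20, 80)]
    # horizontal scan: the same host knocking on port 445 across 40 addresses
    + [("10.0.0.7", "192.0.2.%d" % h, 445, 6, 1, 60, SYN) for h in range(100, 140)]
    # normal traffic: completed TCP sessions and a few DNS queries
    + [("10.0.0.9", "192.0.2.10", 443, 6, 24, 9800, SYN | ACK | FIN),
       ("10.0.0.9", "192.0.2.10", 80, 6, 10, 3200, SYN | ACK | FIN),
       ("10.0.0.9", "10.0.0.53", 53, 17, 1, 76, 0),
       ("10.0.0.12", "10.0.0.53", 53, 17, 1, 76, 0)]
)


def is_probe(flow):
    """A TCP flow that never got past SYN, or a single tiny UDP datagram,
    looks like a probe rather than a session."""
    _, _, _, proto, packets, _, flags = flow
    if proto == 6:
        return bool(flags & SYN) and not (flags & ACK)
    return packets <= 2


def detect_scans(flows, port_threshold=20, host_threshold=20):
    """Return (kind, source, target, count) alerts for vertical and horizontal scans."""
    ports_by_src = defaultdict(set)   # (src, dst)   -> distinct ports probed
    hosts_by_src = defaultdict(set)   # (src, dport) -> distinct hosts probed
    for flow in flows:
        if not is_probe(flow):
            continue
        src, dst, dport = flow[0], flow[1], flow[2]
        ports_by_src[(src, dst)].add(dport)
        hosts_by_src[(src, dport)].add(dst)

    alerts = []
    for (src, dst), ports in ports_by_src.items():
        if len(ports) >= port_threshold:
            alerts.append(("vertical scan", src, dst, len(ports)))
    for (src, dport), hosts in hosts_by_src.items():
        if len(hosts) >= host_threshold:
            alerts.append(("horizontal scan", src, dport, len(hosts)))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(FLOWS):
        print(alert)
```

Flows from a switch or router sampled at 1:1000 would hide most of these one-packet records, which is why the gathering-scheme table above rates router flows as "usually inaccurate" for this kind of detection.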
Full Packet Capture
• On-demand troubleshooting and forensic analysis
• How to get packet traces?
Tcpdump – Linux/Unix environment
Winpcap – Windows environment
Probes – appliances with packet capture capability
FPGA-based HW adapters – high speed networks
Packet Analysis
• Analysis of packet traces (PCAP files)
• Software tools (commercial + open source)
• Wireshark as the de facto standard with large community support
Support of hundreds of protocols
Powerful filters, statistics, reconstruction, etc.
Security Issue
FlowMon © INVEA-TECH 2013
78 port scans? DNS anomalies?
• Malware infected device in the internal network
Security Issue
Malware infected device
Trying to redirect and bridge traffic
Probably to get sensitive data
• Gmail e-mail delivery issue
FlowMon Troubleshooting
We are not receiving e-mails from Gmail
And can’t figure it out
Can you try to help us and fix it?
FlowMon Troubleshooting
Using AS numbers it is possible to easily identify corresponding network traffic and do the analysis
FlowMon Troubleshooting
All flows are 640B?
TCP flags are normal
This is not a network issue
We need to see the packets
Detailed visibility and drill down to flow level helps to understand traffic characteristics
FlowMon Troubleshooting
Built-in packet capture capability enables to get full packet traces when needed
Live Demo
• Use-case: directory traversal attack
Flow-level visibility
Automatic detection
Packet capture and analysis
INVEA-TECH a.s., U Vodárny 2965/2, 616 00 Brno, Czech Republic, www.invea-tech.com
High-Speed Networking Technology Partner
Questions?
Pavel Minařík, [email protected]
+420 733 713 703