Foundry -- Lancope Security Alliance
The Security Benefits of sFlow Integration
AGENDA
Foundry Networks & Lancope Partnership Overview (15mins)
Gary Hemminger, Director Product Marketing, Foundry Networks
StealthWatch Xe for sFlow Overview (30mins)
Jason Anderson, Vice President Engineering, Lancope
Questions & Answers (15mins)
Foundry Networks & Lancope Security Alliance Overview
Gary Hemminger, Director, Product Marketing
Foundry Networks
FOUNDRY - LANCOPE SECURITY ALLIANCE
Gather sFlow from Foundry network devices
Baseline network and profile hosts for normal behavior (includes over 100 host and network characteristics).
Apply over 70 flow analysis algorithms to the flows and baseline characteristics
Provide complete enterprise visibility and threat protection at a lower cost
Adaptive mitigation at the closest network device
FOUNDRY SFLOW ARCHITECTURE & LANCOPE ZERO-DAY SOLUTION
Integrated Switch Security Features
• Wire-speed ACLs
• MAC Port Security
• TCP SYN and Smurf Attack Protection
• Hardware VLAN Flooding
• Control Plane Security
• Unicast Reverse Path Forwarding
• Private VLANs
• Integrated sFlow Monitoring
Foundry Stackable & Chassis Secure Switches
Foundry Integrated Switch Security Benefits:
• Ensures malicious or accidental L2/L3 attacks are thwarted before infecting the network
• Provides security with no loss of data performance or voice quality
• Prevents the industry’s widest range of DoS attacks
• Fully integrated with the Lancope StealthWatch Xe anomaly detection solution
sFlow Security Policy
StealthWatch Xe
FOUNDRY EMBEDDED SFLOW & LANCOPE INTERFACE
ASIC-based sFlow (RFC 3176) support for fast, low-overhead monitoring
Reduces the cost and complexity of provisioning probes throughout the switched network
Eliminates the need for SPAN and mirror ports
Protocol independent (IPv4, IPv6, MPLS, IPX, AppleTalk) to ensure all traffic is seen
Integrated with the Lancope StealthWatch Xe anomaly detection system for a highly scalable zero-day solution
StealthWatch Xe for sFlow Overview
Jason Anderson, Vice President, Engineering
Lancope, Inc.
SFLOW FOR “MOUNTAINTOP” OBSERVATION
SFLOW STEALTHWATCH INTEGRATION
Almost all Foundry products support sFlow
sFlow includes packet payload (allows for such things as fragmentation analysis and OS fingerprinting)
Duplicate sFlow records are removed
FLOW-BASED ANOMALY DETECTION
• Number of concurrent flows
• Packets per second
• Bits per second
• New flows created
• Number of SYNs sent
• Time of day
• Number of SYNs received
• Rate of connection resets
• Duration of the flow
• Many others…
1. Collect and Analyze Flows
2. Establish Baseline of Behaviors
3. Alarm on Anomaly Behaviors
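The three-step loop on this slide (collect flows, baseline host characteristics, alarm on deviation), as an added example that is not Lancope's code: constructed per-host observations stand in for sFlow-derived flows, and the 3-sigma rule with a tolerance floor is an assumed detection rule, not StealthWatch's actual algorithms.

```python
"""Flow-based baselining and anomaly alarms, as on the slide above. Constructed
observations stand in for sFlow-derived flows; the 3-sigma rule and floor are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev
# Constructed history: per host, daily observations of host characteristics
# (new flows created, SYNs sent, concurrent flows) for one time-of-day bucket.
HISTORY = {
    "10.1.1.5": [
        {"new_flows": 120, "syns_sent": 110, "concurrent": 14},
        {"new_flows": 135, "syns_sent": 122, "concurrent": 16},
        {"new_flows": 128, "syns_sent": 118, "concurrent": 15},
        {"new_flows": 140, "syns_sent": 130, "concurrent": 17},
    ],
}
# Constructed current observation: 10.1.1.5 suddenly opens many flows and SYNs
# (worm-like behaviour); 10.1.1.99 has no baseline at all.
OBSERVED = {
    "10.1.1.5": {"new_flows": 900, "syns_sent": 850, "concurrent": 16},
    "10.1.1.99": {"new_flows": 40, "syns_sent": 35, "concurrent": 5},
}

def build_baseline(history, min_samples=3):
    """Per host and metric, derive (mean, population stddev) from history."""
    baseline = {}
    for host, days in history.items():
        if len(days) < min_samples:  # too little history to baseline reliably
            continue
        metrics = defaultdict(list)
        for day in days:
            for name, value in day.items():
                metrics[name].append(value)
        baseline[host] = {n: (mean(v), pstdev(v)) for n, v in metrics.items()}
    return baseline

def detect_anomalies(baseline, observed, sigma=3.0, floor=0.1):
    """Alarm when a metric exceeds mean + sigma*stddev; `floor` (fraction of the
    mean) keeps a minimum tolerance so a very stable baseline does not alarm on
    trivial variation. Hosts with no baseline are reported as unbaselined."""
    alarms = []
    for host, metrics in observed.items():
        base = baseline.get(host)
        if base is None:
            alarms.append((host, "unbaselined_host", None))
            continue
        for name, value in metrics.items():
            if name not in base:  # metric never baselined for this host
                continue
            m, sd = base[name]
            threshold = m + max(sigma * sd, floor * m)
            if value > threshold:
                alarms.append((host, name, round(threshold, 1)))
    return alarms
```

Running `detect_anomalies(build_baseline(HISTORY), OBSERVED)` flags the flow and SYN burst from 10.1.1.5 but not its unchanged concurrent-flow count, and reports 10.1.1.99 as a host with no baseline.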
INFRASTRUCTURE IPS: HOW IT WORKS
(Diagram: a StealthWatch Xe Flow Collector receiving sFlow from the Sales, Servers, Marketing, Remote Sites, Remote Users and Extranet segments; on an alarm, the mitigation action shown is “disable port”.)
STEALTHWATCH IPS: AUTHORIZE MODE
STEALTHWATCH IPS: AUTOMATIC MODE
ENTERPRISE STEALTHWATCH DEPLOYMENT
StealthWatch allows for distributed deployment using Ethernet taps, mirror ports, or sFlow collection
STEALTHWATCH XE FOR SFLOW SIZING
Model     Number of Sources                   Data rate
Xe-2000   50,000 ports across 1000 devices    55,000 sps
Xe-1000   25,000 ports across 500 devices     25,000 sps
Xe-500    10,000 ports across 200 devices     10,000 sps
Note: “sps” is samples per second. Given a sample rate of 1 in 128 packets, the Xe-2000’s 55,000 sps corresponds to a scaled packet rate of 7,040,000 pps. At an average packet size of 400 bytes, a single Xe-2000 can process network traffic at over 22.5 Gigabits per second.
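The sizing arithmetic in the note above, as an added example (not Lancope's sizing tool) generalised to any sample rate, packet size and load, including the inverse calculation a deployer actually needs: how many samples per second a collector will see for a given traffic rate. The model limits are copied from the table; the helper names are assumptions.

```python
"""sFlow collector sizing arithmetic from the slide above, generalised to any
sample rate, packet size and load. Added example; the model table is copied from
the slide, the helper names are assumptions."""
# (model, max ports, max devices, max samples per second) per the sizing slide
MODELS = [
    ("Xe-500", 10_000, 200, 10_000),
    ("Xe-1000", 25_000, 500, 25_000),
    ("Xe-2000", 50_000, 1_000, 55_000),
]

def scaled_packet_rate(sps, sample_rate):
    """Packets per second represented by `sps` samples at 1-in-`sample_rate` sampling."""
    return sps * sample_rate

def line_rate_gbps(pps, avg_packet_bytes):
    """Traffic rate in Gbit/s represented by `pps` packets of the given average size."""
    return pps * avg_packet_bytes * 8 / 1e9

def expected_sps(gbps, avg_packet_bytes, sample_rate):
    """Inverse: samples per second the collector receives for a given load.
    Raising sample_rate lowers collector load but also reduces visibility."""
    pps = gbps * 1e9 / 8 / avg_packet_bytes
    return pps / sample_rate

def choose_model(ports, devices, sps):
    """Smallest model whose port, device and sample-rate limits are all met, or None."""
    for name, max_ports, max_devices, max_sps in MODELS:
        if ports <= max_ports and devices <= max_devices and sps <= max_sps:
            return name
    return None
```

For example, 10 Gbit/s of 400-byte packets sampled 1 in 128 yields about 24,414 sps, which fits an Xe-1000 if the port and device counts are within its limits.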
STEALTHWATCH BENEFITS
FLOW ANALYSIS
• Threat Detection: Detect zero-day attacks, worms, viruses and other malware.
• Policy Enforcement: Discover unauthorized applications and prevent network misuse by internal users.
• Logging and Analysis: Investigate and diagnose internal security events.
• Prioritization: Focus on the events that matter most.
• Traffic Accounting: Monitor network performance and usage.
NETWORK TRAFFIC ANALYSIS AND VISUALIZATION
Flow Records
Visualization
Traffic Analysis
(StealthWatch Rack Mountable 1U Appliance)
SUMMARY
Complete enterprise visibility through cost-effective flow processing
Detects threats and attacks without the need for signature updates
Provides extensive forensics and audit reporting
StealthWatch leverages existing Foundry equipment to mitigate and quarantine attacks
Questions & Answers
Gary Hemminger, Director, Product Marketing
Foundry [email protected]
Jason Anderson, Vice President, Engineering
Lancope, [email protected]