Network Forensics

How to create visibility into your network

Bob Miller
Senior Systems Manager
847-707-5498
robert.miller@flukenetworks.com

Todays Agenda
Introduction
Network Forensics Basics
Flow Based Forensics
Packet Forensics

Application level forensics (VoIP / Video)

WLAN Forensics
RF and 802.11

Questions
2

What is Network Forensics?

The ability to look at past collected data to determine IT

security threats and piece together a time frame of events
Can also be used to analyze application performance
based on past collected data.
Forensics data can be analyzed from different sources:
Ethernet OSI Layer 2 (Data Link) to Layer 7 (Application)
WLAN Layer 1 RF spectrum & Layer 2 for IPS / Forensics
Current Netflow / IP Fix type devices (Routers, L3 Devices,
etc )

Forensics Compliance
Sarbanes-Oxley
California SB 1386
Graham Leach Bliley
HIPPA
PCI-DSS
Federal Information Security Management Act of 2002
DoD
Basel II
Information Standard for Information Security (ISO 27001
Compliance)

Forensic Tools

Ethernet
Stream to Disk Technology with vast storage capacity
High Speed Disk Captures
High Speed Interfaces
Extensive capture and display filters for data analysis
WLAN
Layer 2 WLAN Analysis
Layer 1 RF Interference Detection and Analysis
Netflow Technologies
Collection from many L3 Netflow type devices for LAN, WAN, other
flow technologies devices
Network TAPS
Provides data replication without detection
5

There are several areas where forensics can be applied. Samples of

some broad categories include:
Compliance: Oops, someone sent out company confidential financial
information in an unencrypted email or used IM to gossip about a
coworker's medical condition, a HIPPA violation.
Troubleshooting: Why did your network meltdown this morning? Why
do your CRM users often experience poor performance in the afternoon?
Hackers: What was hacked, how, and by whom? Often goes hand-inhand with intrusion detection systems (IDS) to see what damage if any,
was done. Its also a good way to verify that intrusion prevention systems
(IPS) are working too.
Verticals: Why did the core switch peg during a critical trading hour?
Why are doctors losing wireless connectivity? Is our converged data +
VoIP transport operating smoothly?
Law Enforcement: In particular, CALEA (the Communications
Assistance for Law Enforcement Act of 1994), which states the
requirements of carriers to assist law enforcement in executing electronic
surveillance. CALEA is of interest more so outside the enterprise i.e.
Internet service and Internet backbone providers.
6

Where are the best collection points

Data collection points will be based on requirements of
potential threats
Inside of the Firewall
devices where access to corporate network from outside the
physical location (i.e. VPN / SSL, WLAN, etc)
In critical locations where corporate data or sensitive data is
held
Locations that may government or industry compliance is
required

What kind of tools are needed

for Network Forensics?
Long term data capture and analysis
Long term Netflow Collectors with deep analysis
functionality
Server and Network Equipment logging
TAPS / Span capable Ethernet switches
NTP / Time Synchronization
Syslog Server
SNMP Traps

8
8

Why use a TAP versus

a Network SPAN Port
TAPS can provide hidden data collection points that
threats would have a difficult time to detect
Purpose built device
Passes Layer 1 information that SPAN ports cannot
TAPS can provide better performance on busy networks in
replicating data
TAPS can allow packet injection back into network traffic

Flow Based Forensics

10

What is Flow technologies and why use it.

Flow technologies that provide information based on

different criteria within a packet as it passes through the
network
Network equipment collects this data and sends it to a flow
collector in which stores and analyzes the data
Utilizes Customers current Routers and Layer 3 Switches

NetFlow Cisco Routers and L3 Switches, VM, 3Com, others

sFlow HP, Extreme, Foundry, Force 10
IPFix Nortel / Avaya (based on Netflow v9 RFC 3917)
jFlow Juniper Routers and Layer 3 switches

11

Pros and Cons of Flow Based

Technologies

Pro Allows customers to use their current network

equipment so very little or no new equipment is needed
Pro Can provide very long term information about whos
talking to who and with what application
Pro Easy to configure and setup
Pro Minimum overhead within WAN circuits (<2.0% on
average per flow device)
Con Does not collect packets but reports information
from within the IP headers
Con Not all network equipment support flow based
technologies
12

Flow based Forensics

13

Flow based Forensics

14

Net Flow using long term data collection

15

16

17

NetFlow collectors key capabilities

for use in Forensics

Insight into how traffic usage is impacting network performance

The ability to collect, store, and report on every flow that is traversing your
infrastructure
not just top N or an average
The capability to keep all flows, all the time, for an infinite amount of time for regulatory,
compliance and forensic requirements
Finding challenging impacts like rogue users or denial of service attacks by seeing all
flows
Understand the impact of voice, viruses, hacking, multi-cast, DNS,
peer-to-peer and worms
Common data source with no averaging or discarding of information
Rich and granular data set is easily accessible and relevant across the enterprise

18

NetFlow Forensics Reporting

19

NetFlow providing Full Flow Forensics

Over 5 Million Flows Available

20

Packet Based Forensics

21

Packet Based Forensics

Capture data at various points in the network to collect

data, detect anomalies and notify of potential threats
Can be used in conjunction to IDS / IPS for network
security
Different than Flow based forensics
since all packets can be collected and
stored for deep packet inspection

May also be used to provide

information of application performance
issues by capturing packets transversing
the network
22

Packet Based Forensics

23

Packet Based Forensics

24

25

26

Packet Based Forensics

for VoIP and Video

Monitor, alert, and decode Voice and Video RTP

streams for both call quality using MOS scoring.
Provide insight to the signaling traffic and how
Reliable UDP traffic is functioning

27

VoIP Forensics

28

VoIP & Real Time Application Forensics

Signaling Traffic

SIP
H.323
MGCP
Proprietary (CSSP, Unistim)

Voice / Video Quality Scoring

MOS Mean Opinion Score

R Factor
Jitter
Latency
29

30

31

WLAN & RF Forensics

32

WLAN & RF Forensics

How do we identify and analyze WLAN & RF?

RF Analysis
Layer 1 Spectrum Analysis

802.11 WLAN Analysis

WLAN Performance
Rogue Detection
Packet Decode
Channel Utilization

33

RF Forensics

What is RF Forensics?
The ability to monitor, capture and analyze the physical layer
of the frequencies that the WLAN 802.11 (2.4GHz &5GHz)
use for transmission

How do we identify and analyze RF interference?

Spectrum Analyzer that not only captures the RF signature
but also identifies the source and location of the interference

34

WLAN Spectrum Forensics

using no RF sensors

35

WLAN Spectrum Forensics

using no RF sensors

36

WLAN Spectrum Forensics

using no RF sensors

37

WLAN Spectrum Forensics

using no RF sensors

38

WLAN RF Forensics
Prevention
Can be used as a denial of service attack. RF Forensics
equipment can be used to not only capture the type of RF
but also attempt to fingerprint the type of device that is
being used.
Other devices such as the cafeteria microwave, cordless
phones, older bluetooth devices can provide RF
interference at the 2.4GHz frequency. Spectrum Analysis
tools can be used to locate and identify these types of
interferences

39

WLAN Spectrum Forensics

using RF sensors

40

WLAN Spectrum Forensics

using RF sensors
Normal RF Environment of
the 2.4GHz Band

41

WLAN Spectrum Forensics

using RF sensors

42

WLAN Spectrum Forensics

using RF sensors

43

WLAN Spectrum Forensics

using RF sensors

RF Interference in
the 2.4GHz band

44

WLAN Spectrum Forensics

using RF sensors

45

WLAN Spectrum Forensics

using RF sensors

46

WLAN 802.11 Forensics

802.11 a/b/g/n including

out of country channels
WLAN APs can be used
to provide some rogue
detection, noise
information and connected
clients
Purpose built devices such
as WLAN sensors provide
not only connectivity and
rogue detection but also
off channel detection
47

WLAN 802.11 Forensics

using no WLAN sensors

48

WLAN 802.11 Forensics

using no WLAN sensors

49

WLAN 802.11 Forensics

using no WLAN sensors

50

WLAN 802.11 Forensics

using no WLAN sensors

51

WLAN 802.11 Forensics

Prevention
Due to the nature of WIFI, extra diligence and equipment is
needed
Alerting and Data Capture is needed to understand what
WLAN attacks have compromised the network and
information in a timely manner

52

WLAN 802.11 Forensics

using WLAN sensors

53

WLAN 802.11 Forensics

using WLAN sensors

54

WLAN 802.11 Forensics

using WLAN sensors

55

WLAN 802.11 Forensics

using WLAN sensors

56

WLAN 802.11 Forensics

using WLAN sensors

57

WLAN 802.11 Forensics

using WLAN sensors

58

Conclusion

Reasons for implementing Network Forensics

Troubleshooting network and applications Time to
Resolution greatly diminished
Compliance can provide needed data collection for
government and industry regulations
Visibility into corporate applications provide insight into
user experience
network security provide detailed information of potential
and current threats

59

Questions ?

Thank You!