
Flow-based Anomaly Detection: How and Why it Works

Presenter: David Salter

2006 Lancope, Inc. Company Confidential All Rights Reserved

NETWORK ANOMALY DETECTION USING FLOWS

The challenge in securing the network:

Traditional solutions require in-line devices and/or host-based agents.

Signature and pattern-matching technologies only protect the network from known threats.

In-line devices can impact throughput.

Host-based solutions protect the perimeter but add significant overhead in terms of both management and host resources, and are not infallible.

NETWORK ANOMALY DETECTION USING FLOWS

Based on analysis of flow data (statistics, changes in behaviour):

sFlow (Extreme, HP ProCurve, Foundry)
NetFlow (Cisco, Juniper)
IPFIX (an

Not signature-based (behaviour-based)

Designed primarily for internal network deployments (but can exist at the perimeter if necessary)

Mature but evolving technology

Perfect complement to existing security and network management technologies

COLLECTING FLOW DATA FROM ROUTERS AND SWITCHES

[Figure: network diagram with Remote Sites, Remote Users, Extranet, Marketing, Sales and Servers segments; routers and switches on each segment export flow records to a central Flow Collector]

WHAT IS NETFLOW?
[Figure: a Cisco router exporting NetFlow, with the NetFlow packet header layout]
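To make the packet header concrete, here is an added example (not code from the slides or from Lancope) that parses a NetFlow v5 export datagram with Python's struct module, checking the announced record count against the datagram length before trusting it. The datagram it builds is constructed for the demonstration; the addresses in it are assumptions.

```python
import struct
from typing import Dict, List

# NetFlow v5 export datagram: a 24-byte header followed by up to 30 fixed 48-byte
# records, all in network byte order (layout per Cisco's published v5 format).
V5_HEADER = struct.Struct("!HHIIIIBBH")   # version, count, sysuptime, secs, nsecs, seq, engine type, engine id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(data: bytes) -> Dict:
    """Parse one NetFlow v5 datagram into a header dict plus a list of flow dicts."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, _nsecs, flow_seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # A collector must check the record count against the datagram length: a truncated
    # or malformed export should be dropped, not parsed into garbage flows.
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header announces {count} records but datagram is too short")
    records: List[Dict] = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad, tcp_flags, proto, tos, _src_as, _dst_as, _smask, _dmask,
         _pad2) = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "src_port": sport, "dst_port": dport, "proto": proto, "tos": tos,
            "pkts": pkts, "bytes": octets, "tcp_flags": tcp_flags,
            "in_if": in_if, "out_if": out_if, "duration_ms": last - first,
        })
    return {"sequence": flow_seq, "unix_secs": unix_secs, "sys_uptime": sys_uptime,
            "sampling": sampling, "records": records}

def build_sample_datagram() -> bytes:
    """Constructed datagram (not captured traffic): one single-packet SYN flow
    10.0.0.5:32806 -> 10.0.0.9:135, the shape a scanning host produces."""
    header = V5_HEADER.pack(5, 1, 1000, 1143363840, 0, 42, 0, 0, 0)
    record = V5_RECORD.pack(bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]), bytes(4),
                            1, 2, 1, 48, 900, 900, 32806, 135, 0, 0x02, 6, 0,
                            0, 0, 24, 24, 0)
    return header + record
```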

WHAT IS SFLOW?

Almost all Foundry products support sFlow, as do Extreme and HP.

sFlow includes payload.

1 in N packets are sent from the switch to the flow collector.

Statistical scaling is used to recover the actual network traffic patterns from the sFlow samples.

The more samples, the more accurate the analysis becomes.

Duplicate sFlow PDUs must be handled and removed.
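The scaling and de-duplication steps described above, as an added example (not code from the slides or from Lancope): each 1-in-N sample is scaled by its sampling rate, repeated datagrams from the same agent are dropped first, and a simple confidence bound shows why more samples mean a tighter estimate. The sample records, agent address and the 1.96/sqrt(c) bound (standard sampling statistics, not a figure from the slides) are assumptions.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# One sFlow packet sample as the collector sees it (constructed, not a real capture):
# (agent, datagram_seq, sampling_rate, src, dst, dst_port, frame_bytes).
# The switch forwards 1 in `sampling_rate` packets, so each sample stands for
# `sampling_rate` packets and `sampling_rate * frame_bytes` bytes on the wire.
Sample = Tuple[str, int, int, str, str, int, int]

SAMPLES: List[Sample] = [
    ("10.1.1.2", 100, 128, "10.0.0.5", "10.0.0.9", 80, 1500),
    ("10.1.1.2", 101, 128, "10.0.0.5", "10.0.0.9", 80, 1500),
    ("10.1.1.2", 101, 128, "10.0.0.5", "10.0.0.9", 80, 1500),  # duplicate datagram
    ("10.1.1.2", 102, 128, "10.0.0.7", "10.0.0.9", 443, 600),
]

def dedup_samples(samples: Iterable[Sample]) -> List[Sample]:
    """Drop repeated (agent, datagram sequence) pairs, keeping the first copy."""
    seen = set()
    kept: List[Sample] = []
    for s in samples:
        key = (s[0], s[1])
        if key not in seen:
            seen.add(key)
            kept.append(s)
    return kept

def scale_traffic(samples: Iterable[Sample]) -> Tuple[Dict, Dict]:
    """Estimate packets and bytes per (src, dst, dst_port) by scaling each sample by its rate."""
    pkts: Counter = Counter()
    octets: Counter = Counter()
    for _agent, _seq, rate, src, dst, dport, nbytes in samples:
        key = (src, dst, dport)
        pkts[key] += rate
        octets[key] += rate * nbytes
    return dict(pkts), dict(octets)

def error_bound_pct(sample_count: int) -> float:
    """Approximate 95% relative error of a scaled count built from `sample_count` samples.
    Assumption from basic sampling statistics: relative standard error is about
    1/sqrt(c), so the 95% bound is 1.96/sqrt(c). Double the samples, ~30% less error."""
    if sample_count <= 0:
        return float("inf")
    return 100.0 * 1.96 / sample_count ** 0.5
```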

CONFIGURING NETFLOW AND SFLOW

Foundry switch (sFlow):

config> interface ethernet 1/1 to 1/48
interface> sflow forwarding
config> sflow destination 10.1.1.5 6343
config> sflow sample 128
config> sflow polling-interval 30
config> sflow enable

(6343 is the collector's sFlow UDP port; sample 128 forwards 1 in 128 packets; polling-interval 30 sends interface counter samples every 30 seconds.)

Cisco router (NetFlow):

router(config)# ip flow-cache timeout active 5
router(config)# ip flow-export version 5 peer-as
router(config)# ip flow-export destination 10.1.1.5 2055
router(config-if)# ip route-cache flow

(2055 is the collector's NetFlow UDP port; the active timeout of 5 minutes makes the router export long-lived flows in 5-minute slices; ip route-cache flow is applied per interface.)

NETFLOW IMPACT ON THE ROUTER (CPU)

[Figure: check current router CPU utilization before enabling NetFlow*]

* NetFlow v5 adds approximately 10% to overall CPU

NETFLOW IMPACT ON THE NETWORK (BANDWIDTH)

Export bandwidth depends on:

Number of active flows
Flows per second (fps)

VIEWING THE ROUTER NETFLOW CACHE DIRECTLY

[Figure: router NetFlow cache listing, annotated with the worm-infected host, its target hosts and the target port (0x87 = 135)]

CAPTURING AND VIEWING NETFLOW PACKETS: FLOW-TOOLS

FLOW-TOOLS example of scanning activity

[Figure: flow-tools output with columns: start and end times, src interface, src IP, src port, dst interface, dst IP, proto, dst port, pkts, bytes, TCP flags (2 = SYN)]

DATA REDUCTION: FLOW NORMALIZATION

1. Request webpage from www.slashdot.org (66.35.250.151)

2. Two NetFlow records are exported from the router

3. StealthWatch associates the two NetFlow records, building one stateful entry:

Start Time    Client Host     Server Host     Protocol  Client Pkts  Server Pkts  Client Port  Server Port
3/26/05 9:04  209.182.184.2   66.35.250.151   TCP       28           42           32806        80
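The association in step 3, as an added example (not StealthWatch code or any code from the slides): two unidirectional NetFlow records are matched on the swapped 5-tuple and merged into one client/server session. The record values reuse the slide's example; the dataclass names and the higher-port-is-client heuristic are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class FlowRecord:
    """One unidirectional NetFlow v5 record as exported by the router."""
    start: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int

@dataclass
class Session:
    """One stateful, bidirectional entry built from both directions of a connection."""
    start: str
    client: str
    client_port: int
    server: str
    server_port: int
    proto: str
    client_pkts: int = 0
    server_pkts: int = 0

# The slide's example: one web request to 66.35.250.151 exported as two records (constructed here).
RECORDS = [
    FlowRecord("3/26/05 9:04", "209.182.184.2", 32806, "66.35.250.151", 80, "TCP", 28),
    FlowRecord("3/26/05 9:04", "66.35.250.151", 80, "209.182.184.2", 32806, "TCP", 42),
]

def normalize(records: List[FlowRecord]) -> List[Session]:
    """Pair each record with its reverse direction (5-tuple swapped) into one session.
    On first sight the side with the higher, ephemeral-looking port is taken as the client
    (a heuristic; it mislabels services on high ports). Remove duplicate records from
    multiple exporters before this step, or their packets are counted twice."""
    sessions: Dict[Tuple, Session] = {}
    for r in records:
        fwd = (r.src, r.sport, r.dst, r.dport, r.proto)   # key order: client -> server
        rev = (r.dst, r.dport, r.src, r.sport, r.proto)
        if fwd in sessions:                                # client -> server direction
            sessions[fwd].client_pkts += r.pkts
        elif rev in sessions:                              # server -> client direction
            sessions[rev].server_pkts += r.pkts
        elif r.sport > r.dport:
            sessions[fwd] = Session(r.start, r.src, r.sport, r.dst, r.dport, r.proto, client_pkts=r.pkts)
        else:
            sessions[rev] = Session(r.start, r.dst, r.dport, r.src, r.sport, r.proto, server_pkts=r.pkts)
    return list(sessions.values())
```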

CHALLENGES WITH FLOW-BASED MONITORING

Duplicate flows are often seen (and must be removed).

Implementations vary from vendor to vendor.

No payload data (must rely on statistics; not so easy).

Requires that all routers be NTP-synced and share similar settings (for proper security processing).

BEHAVIOR-BASED FLOW ANALYSIS FUNCTIONAL OVERVIEW

[Figure: processing pipeline]
Flow-enabled routers
-> Collect, deduplicate, and process flow statistics
-> Apply algorithms to flow data
-> Build host profile attributes; store detailed log of all flows
-> Generate alarms, alerts, and reports; generate profile-enhanced alarms, alerts, and reports
-> Display in UI; send SYSLOG, SNMP, and emails; perform mitigation action

IF WE DON'T HAVE PAYLOAD, HOW DO WE DETECT ATTACKS?

Look for patterns of behaviour in flow traffic:

One host contacting large numbers of other hosts in a short time frame (P2P applications, worms)

Long flow durations (VPNs, covert channels)

Bandwidth anomalies (DoS, warez servers)

Unauthorized ports in use (rogue servers, applications)

Unauthorized communications (VPN host talking to accounting server)
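Three of the behaviours listed above, run over records laid out like the flow-tools columns shown earlier, as an added example (not code from the slides or from Lancope): a fan-out detector for the one-host-to-many pattern, a long-duration detector, and a source/destination policy check for the VPN-to-accounting case. The flow records, thresholds, addresses and the denied-network rule are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed flow records (not captured data) with the flow-tools columns:
# (start, end, src, sport, dst, dport, proto, pkts, bytes, tcp_flags)
Flow = Tuple[int, int, str, int, str, int, int, int, int, int]
FLOWS: List[Flow] = (
    # one host sending a lone SYN to 40 neighbours on TCP/135 within four seconds
    [(1000 + i // 10, 1000 + i // 10, "10.0.0.5", 40000 + i, f"10.0.1.{i}", 135, 6, 1, 48, 0x02)
     for i in range(40)]
    # an ordinary web session: many packets, SYN/ACK/PSH flags seen (0x1a)
    + [(1000, 1012, "10.0.0.7", 32806, "66.35.250.151", 80, 6, 28, 4100, 0x1a)]
    # a five-hour flow to an outside host on an unusual port (tunnel candidate)
    + [(1000, 1000 + 5 * 3600, "10.0.0.8", 51000, "198.51.100.20", 8443, 6, 90000, 7000000, 0x1a)]
    # a host in the VPN pool talking to the accounting server
    + [(1000, 1005, "10.9.0.14", 50500, "10.0.2.2", 445, 6, 12, 2300, 0x1a)]
)

def detect_scanners(flows: List[Flow], window: int = 60, threshold: int = 20) -> Dict[str, int]:
    """Sources whose SYN-only, one-or-two-packet flows reached more than `threshold`
    distinct hosts inside any `window`-second interval (worm or P2P fan-out)."""
    per_src: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for start, _end, src, _sp, dst, _dp, proto, pkts, _b, flags in flows:
        if proto == 6 and flags == 0x02 and pkts <= 2:
            per_src[src].append((start, dst))
    alerts: Dict[str, int] = {}
    for src, hits in per_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) > threshold:
                alerts[src] = len(targets)
                break
    return alerts

def detect_long_flows(flows: List[Flow], min_seconds: int = 3600) -> List[Tuple[str, str, int]]:
    """Flows active for at least `min_seconds`: persistent VPNs and covert channels stand out."""
    return [(src, dst, dp) for start, end, src, _sp, dst, dp, *_ in flows
            if end - start >= min_seconds]

def detect_unauthorized(flows: List[Flow], denied: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flows from a source network to a destination network that policy forbids,
    e.g. denied=[("10.9.0.0/16", "10.0.2.2/32")] for 'VPN pool must not reach accounting'."""
    rules = [(ip_network(s), ip_network(d)) for s, d in denied]
    return [(src, dst) for _s, _e, src, _sp, dst, *_ in flows
            if any(ip_address(src) in s and ip_address(dst) in d for s, d in rules)]
```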

BENEFIT: ENTERPRISE-WIDE VISIBILITY

BENEFIT: ENTERPRISE-WIDE VISIBILITY IN ACTION

BENEFIT: LIGHT-WEIGHT, EASY TO DEPLOY

[Figure: network diagram, 12 IDS/IPS sensors required versus 2 IDP/IPS sensors required]

BENEFIT: LIGHT-WEIGHT, EASY TO DEPLOY

[Figure: the same network, 1 NetFlow collector required versus 2 IDP/IPS sensors required]

BENEFIT: POWERFUL LOGGING AND FORENSICS

NetFlow v5 Details:
Flow Duration, Client Host IP, Server Host IP, Start Time, Last Time, Status, Protocol, Server Port, Client Port, Server Packets, TCP Flags, Client Packets, Client Payload, Server Payload, Source AS, Destination AS, ToS, Source Interface, Destination Interface, Kbps Rate, Server Header Bytes, Client Header Bytes, Server Payload Bytes, Client Payload Bytes, Fragmentation, Nexthop Router, Source Netmask, Target Netmask

PIX Firewall Log Details:
Source IP, Target IP, Protocol, Port, Length, IP Precedence, Status, Interface

INFRASTRUCTURE IPS: HOW IT WORKS

[Figure: the network diagram (Remote Sites, Remote Users, Extranet, Marketing, Sales, Servers) with StealthWatch raising an alarm (!) on a host and instructing the switch to disable that host's port]

NETWORK TRAFFIC ANALYSIS AND VISUALIZATION

Flow Records -> Traffic Analysis -> Visualization

SUMMARY

Flow analysis provides more than just traffic monitoring.

Flow analysis provides powerful forensics, auditing, and attack detection capability without the need for additional hardware or software updates.

Both open-source and commercial products are available for analyzing flow data.

Flow analysis allows for detection of new worms without the need for signature updates and in-line solutions.

Thank you

Presenter: David Salter, Lancope
dsalter@lancope.com