Advanced Threat Defence Using NetFlow - A L C A T R O N . N E T

1y ago
24 Views
2 Downloads
9.26 MB
89 Pages
Last View : 15d ago
Last Download : 4m ago
Upload by : Elise Ammons
Transcription

Advanced Threat Defence using NetFlowBRKSEC-2073Matthew RobertsonSecurity Technical Marketing Engineer

“The whole art of war consists of guessing atwhat is on the other side of the hill.”Arthur Wellesley, 1st Duke of WellingtonBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public3

Evolution of Cyber ConflictManual DefencesManual Attacks (1980s)UnplugWar Dialing, Phone Phreaking Mechanised DefencesMechanised Attacks (1988)Firewall, IDS/IPSViruses, Worms Google, RSA Talented Human / MechanisedAttackers (2009)TargetedHuman/MechanisedReputation, App-aware FirewallDefendersAPT, Multi-Step Attacks Target, Neiman Marcus DIY Human / MechanisedAttackers (2011)Intelligence DrivenHuman DefendersCyrptocurrency Ransoms, Store-boughtCredentials .BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public4

Defending against rs.htmlBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public5

AgendaIntroductionAdding ContextWorking w CollectionOrganising the dataIntroduction toNetFlowDesign andDeploymentFlow ExportRunning Queriesand Investigations 2014 Cisco and/or its affiliates. All rights reserved.Cisco PublicSummary6

About the SpeakerMatthew Robertson Security Technical Marketing Engineer ½ year at Lancope 5½ years at Cisco– Development and Technical Marketing Focused on advanced threat detection I am Canadian!BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public7

Thinking Beyond the PerimeterModern threats are consistentlybypassing the security perimeteras they redraw the mapXX XXOXXXOOBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public8

Hiding in plain sightPolar BearBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public9

Signals IntelligenceTraffic Analysis: Deduce information fromcommunication patternsBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public10

eth0/2eth0/1NetFlow10.2.2.2port 1024Start TimeInterface10:20:12.221 eth0/110:20:12.871 eth0/2BRKSEC-2073Src IP10.1.1.1port 80SrcPort10.2.2.2 102410.1.1.1 80Dest IP10.1.1.110.2.2.2DestPort801024 2014 Cisco and/or its affiliates. All rights reserved.ProtoTCPTCPPktsSent517Cisco PublicBytesSent102528712TCP FlagsSYN,ACK,PSHSYN,ACK,FIN11

NetFlow VisibilityA single NetFlow Record provides a wealth of informationRouter# show flow monitor CYBER-MONITOR cache IPV4 SOURCE ADDRESS:192.168.100.100IPV4 DESTINATION ADDRESS: 192.168.20.6TRNS SOURCE PORT:47321TRNS DESTINATION PORT: 443INTERFACE INPUT:Gi0/0/0IP TOS:0x00IP PROTOCOL:6ipv4 next hop address: 192.168.20.6tcp flags:0x1Ainterface output:Gi0/1.20counter bytes:1482counter packets:23timestamp first:12:33:53.358timestamp last:12:33:53.370ip dscp:0x00ip ttl min:127ip ttl max:127application name:nbar secure-http BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public12

ction toNetFlowDesign andDeploymentFlow ExportBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public13

NetFlow Deployment ArchitectureManagement/Reporting Layer: Run queries on flow data Centralise management and reportingFlow Collection Layer: Collection, storage and analysis of flow recordsNetFlowFlow Exporting Layer: Enables telemetry export As close to the traffic source as possibleBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public14

Considerations: Flow Exporting Layer1.2.3.4.BRKSEC-2073NetFlow supportWhich version of NetFlow to useHow to configure/what to measureWhere in the network to enable NetFlow export 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public15

Cisco NetFlow SupportCisco 2800Cisco 7200 VXRCisco 2900Cisco Catalyst 6500Cisco Nexus 1000vCisco 3560/3750-X/3850Cisco Catalyst 4500HardwareSupportedCisco NGACisco 1700Cisco XR 12000Cisco ISR G2Cisco 7600Cisco ASACisco Nexus 7000Cisco ASRBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public16

Versions of NetFlowVersionMajor AdvantageLimits/WeaknessesV5Defines 18 exported fieldsSimple and compact formatMost commonly used formatIPv4 onlyFixed fields, fixed length fields onlySingle flow cacheV9Template-basedIPv6 flows transported in IPv4 packetsMPLS and BGP nexthop supportedDefines 104 fields, including L2 fieldsReports flow directionIPv6 flows transported in IPv4 packetsFixed length fields onlyUses more memorySlower performanceSingle flow cacheFlexible NetFlow (FNF)Template-based flow format (built on V9protocol)Supports flow monitors (discrete caches)Supports selectable key fields and IPv6Supports NBAR data fieldsLess commonRequires more sophisticated platform to produceRequires more sophisticated system to consumeIP Flow Information Export(IPFIX) AKA NetFlow V10Standardised – RFC 5101, 5102, 6313Supports variable length fields, NBAR2Can export flows via IPv4 and IPv6 packetsEven less commonOnly supported on a few Cisco platformsNSEL (ASA only)Built on NetFlow v9 protocolState-based flow logging (context)Pre and Post NAT reportingMissing many standard fieldsLimited support by collectorsBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public17

Configuring Flexible NetFlow1. Configure the ExporterRouter(config)# flow exporter my-exporterWhere do I want my data sent?Best Practice:include all v5 fieldsRouter(config-flow-exporter)# destination 1.1.1.12. Configure the Flow RecordRouter(config)# flow record my-recordRouter(config-flow-record)#ipv4 todestinationWhat datamatchdo I wantmeter? addressRouter(config-flow-record)# match ipv4 source addressRouter(config-flow-record)# collect counter bytes3. Configure the Flow MonitorRouter(config)# flow monitor my-monitorHow do I want to ermy-exporterRouter(config-flow-monitor)# record my-record4. Apply to anRouter(config)# interface s3/0InterfaceWhich interface do I want to monitor?Router(config-if)# ip flow monitor my-monitor inputBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public18

NetFlow DeploymentEach network layer offers unique NetFlow capabilitiesAccessDistribution& CoreEdgeISRCatalyst 3560/3750-XCatalyst 4500ASACatalyst 4500Catalyst 6500ASRBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public19

NetFlow DeploymentAccess:AccessCatalyst 3560/3750-XCatalyst 4500BRKSEC-2073 New network edge Detect threats as the enter the network Detect threats inside the switch east-west Layer 2 traffic Fewer false positives Higher-granular visibility Identify the endpoint collect MAC Address 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public20

Catalyst 3650-X,3750-X Flow Record!flow record CYBER 3KX FLOW RECORD match datalink mac sourceaddressmatch datalink mac destination-addressmatch datalink mac source-vlan-idmatch ipv4 tosmatch ipv4 ttlmatch ipv4 protocolmatch ipv4 source addressmatch ipv4 destination addressmatch transport source-portmatch transport destination-port collect interface input snmp collectinterface output snmp collect counter bytes collect counter packets collecttimestamp sys-uptime firstcollect timestamp sys-uptime last!BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public21

Catalyst 4500 Flow Record!flow record CYBER 4K FLOW RECORDmatch ipv4 tosmatch ipv4 protocolmatch ipv4 source address match ipv4 destination addressmatch transport source-portmatch transport destination-portcollect ipv4 dscpcollect ipv4 ttl minimumcollect ipv4 ttl maximumcollect transport tcp flagscollect interface outputcollect counter bytescollect counter packetscollect timestamp sys-uptime firstcollect timestamp sys-uptime last!BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public22

NetFlow Deployment - Converged AccessConverged Access: NetFlow for the first time on Wireless Visibility in BYOD environments Consistent configuration for wired and wireless Single flow monitor can be applied to wiredports and SSID Natively available in the UADP ASIC Can monitor East-West and North-South flows 48k flows on the 48 port modelBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public23

NetFlow DeploymentDistribution & Core:Distribution& CoreCatalyst 4500 Traditional deployment Minimal recommended deployment Enable at critical points/bottle necks Typically done on a Layer 3 boundary Detect threats internal to the VLAN When deployed on an SVI interface Detect threats as they traverse the internalnetwork Move between subnetsCatalyst 6500BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public24

Catalyst 6500 (Sup 2T) Flow Record!flow record CYBER 6K FLOW RECORDmatch ipv4 tosmatch ipv4 protocolmatch ipv4 source addressmatch ipv4 destination addressmatch transport source-portmatch transport destination-portmatch interface inputcollect transport tcp flagscollect interface outputcollect counter bytescollect counter packetscollect timestamp sys-uptime firstcollect timestamp sys-uptime last!BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public25

NetFlow DeploymentEdgeISRASAEdge: Detect threats as they enter and leave thenetwork Monitor communication between branches Gain context from edge devices Application - NBAR Events & User-ID - NSELASRBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public26

ISR Flow Record! flow record CYBER ISR RECORDmatch ipv4 tosmatch ipv4 protocolmatch ipv4 source addressmatch ipv4 destination addressmatch transport source-portmatch transport destination-portmatch interface inputcollect routing next-hop address ipv4collect ipv4 dscpcollect ipv4 ttl minimumcollect ipv4 ttl maximumcollect transport tcp flagscollect interface outputcollect counter bytescollect counter packetscollect timestamp sys-uptime firstcollect timestamp sys-uptime lastcollect application name!BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Enable NBARCisco Public27

ASA NSEL Configuration!flow-export destination management ip-address 2055!policy-map global policyclass class-defaultflow-export event-type all destination ip-address !flow-export template timeout-rate 2logging flow-export syslogs disable!BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public28

Flow Monitor Configuration!flow monitor CYBER MONITORexporter CYBER EXPORTERcache timeout active 60cache timeout inactive 15!Active Timeout:Inactive Timeout: How long a flow can be inactivebefore being removed from cache Recommended 15 seconds All exporters should have the sametimeoutBRKSEC-2073record CYBER RECORD Longest amount of time a flow can be in cachewithout exporting a Flow Record Recommended 60 seconds All exporters should have the same timeout 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public29

Aside: Myths about NetFlow GenerationMyth #1: NetFlow impacts performance Hardware implemented NetFlow has noperformance impact Software implementation is typicallysignificantly 15% processing overheadMyth #2: NetFlow has bandwidth overhead NetFlow is a summary protocol Traffic overhead is typically significantly 1% oftotal traffic per exporting deviceBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public30

AgendaIntroductionUnderstandingtheLandscapeFlow CollectionBRKSEC-2073Introduction toNetFlowDesign andDeploymentFlow Export 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public31

Flow Collection ConsiderationsScalability & Performance # of NetFlow sources # of users Flows per second Sustained vs. burstFeature set Reporting Drill down Retention AnalysisFlow Handling De-duplication Stitching ReplicationBRKSEC-2073Your time,resources andbudgetNetFlowNetFlowNetFlow 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public32

Components for NetFlow Security MonitoringStealthWatch ManagementConsole Management and reporting Up to 25 FlowCollectors Up 3 million fps globallyStealthWatch FlowCollector Collect and analyse Up to 2000 sources Up to sustained 120,000 fpsBest Practice: Centralisecollection globallyStealthWatch FlowReplicator UDP Packet copier Forward to multiplecollection systemsNetFlowStealthWatch FlowSensor Generate NetFlow dataStealthWatch FlowSensor VE Virtual environment Visibility into ESXCisco NetworkBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public33

Uni-directionalflow recordseth0/2eth0/1NetFlow Collection: Flow Stitching10.2.2.2port 1024Start TimeInterface10.1.1.1port 80Src IPSrc PortDest IPDest PortProtoPkts SentBytesSent10:20:12.221 eth0/110.2.2.2102410.1.1.180TCP5102510:20:12.871 eth0/210.1.1.18010.2.2.21024TCP1728712Start TimeClient IP PktsServer Server CP1025528712eth0/1eth0/2102417Bi-directional: Conversation flow record Allows easy visualisation and analysisBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public34

NetFlow Collection: De-duplicationDuplicatesRouter A: 10.2.2.2:1024 - 10.1.1.1:80Router B: 10.2.2.2:1024 - 10.1.1.1:80Router C: 10.1.1.1:80 - 10.2.2.2:102410.1.1.1port 80Router BRouter CRouter A Without de-duplication: Traffic volume can be misreported False positive would occur Allows for the efficient storage of flow data Necessary for accurate host-level reporting Does not discard dataBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.10.2.2.2port 1024Cisco Public35

Conversational Flow RecordWhoWhatHowWhoWhenMore DetailsBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public36

Integrating with a SIEMLog alarms and summary info to SIEM Complete visibility throughout network Leverage specialty data handlingSecurity EventsSIEMAPISyslogBRKSEC-2073SDEENetFlowAPI’s to access database Directly access flow data (ex. getFlows) Improved scale - collection and retention Decreased cost 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public37

AgendaIntroductionAdding ContextBRKSEC-2073UnderstandingtheLandscapeFlow CollectionIntroduction toNetFlowDesign andDeploymentFlow Export 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public38

Context is CriticalBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public39

ISE as a Telemetry SourceMonitor Mode Open Mode, Multi-Auth Unobstructed Access No impact on productivity Profiling, posture assessment Gain Visibility Maintain historical session tableCorrelate NetFlow to usernameBuild User-centric reportsStealthWatchManagementConsolesyslogCisco ISEAuthenticated Session TableBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public40

Configuration: Logging on ISE1. Create Remote Logging Target on ISE2. Add Target to Logging Categories12Required Logging categories: RADIUS Accounting Profiler Administrative and Operational AuditBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public41

Configuration: Add ISE to SMC1.2.3.4.3(Not Shown) Create Admin User on ISE(Not Shown) Configure ISE or CA certificate on SMC(Shown) Add Cisco ISE to SMC Configuration(Shown) Add additional ISE nodes34. Add additional ISE nodesBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public42

Global IntelligenceList of known Commandand Control ServersBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public43

Adding Situational AwarenessClient HostClient HostGroupServer HostServer HostGroupsApplicationDurationTotalTrafficStart ActiveTime10.201.3.149Sales andMarketing,End 6.56KJan 11, 2014BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public44

Adding Situational AwarenessClientUserNameClient HostClientHostGroupServer cStartActiveTimeKen10.201.3.149Sales andMarketing,End 56.56KJan 11,2014BRKSEC-2073Zeus 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public45

AgendaIntroductionAdding ContextWorking w CollectionOrganising the dataIntroduction toNetFlowDesign andDeploymentFlow ExportRunning Queriesand Investigations 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public46

Behavioural Analysis & Anomaly DetectionBehavioural Analysis: Leverages knowledge of known bad behaviourAnomaly Detection: Identify a change from “normal”BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public47

StealthWatch: IndicesConcern Index: Track hosts that appear to compromising network integrityTarget Index: Track hosts that appear to be victims of the suspicious behaviour of other hostsFile Sharing Index: Tracks behaviour that is indicative of peer-to-peer activityBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public48

StealthWatch: AlarmsAlarms Indicate significant behaviour changes and policy violations Known and unknown attacks generate alarms Activity that falls outside the baseline, acceptable behaviouror established policiesBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public49

Host GroupsVirtual container of multipleIP Addresses/ranges thathave similar attributesLab serversBest Practice: classify allknown IP Addresses in oneor more host groupsBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public50

Policy TuningTune alarm thresholdsPolicies can be created forindividual host groupsDefault policy for Inside and Outside hostsBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public51

Flow Query Basics – The Flow TableFilterDetailsBRKSEC-2073Filter conditionsMore details 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public52

Flow Query Basics - FilteringSelect host toinvestigateAll flows in which this host wasa client or serverBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public53

Flow Query Basics - FilteringAll flows for 10.10.200.79 in the last hourBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public54

Flow Table: Visibility across NATUserInside localBRKSEC-2073Outside global 2014 Cisco and/or its affiliates. All rights reserved.ServerCisco Public55

Querying Events - Leveraging NSELFlow denied events over many portsBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public56

Flow Table – IPv6BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public57

Host Groups – Targeted MonitoringHost Group Dashboard forEngineersSuspiciouslybehaving hostsAlarmsBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public58

Host Groups – Application ReportApplications inboundApplications outboundBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public59

Host Groups – Targeted ReportingGeo-IP-based Host GroupSummary chart of trafficinbound and outbound fromthis Host GroupBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public60

Host Groups – Targeted ReportingTraffic inboundTraffic outboundBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public61

Host Groups – Discovering Rogue HostsCatch All: All unclassified RFC1918 addressesTable of all individual hostsBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public62

Host Groups – Discovering Rogue HostsRogue HostsBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public63

Indicators of CompromiseRaw flow analysisOutside notificationLog analysis (SIEM)IDS AlertBehavioural analysisActivity monitoringBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public64

Attack Lifecycle Model (AKA the Kill tePrivilegesCompleteMissionMandiant APT1 Report: http://intelreport.mandiant.com/Mandiant APT1 Report.pdfKill Chain: http://bit.ly/killchainBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public65

Building a latePrivilegesCompleteMissionIOC Found:Investigate forwardsand backwardBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public66

Identifying the CulpritSupplemental Information:Indicator ofCompromise Alarm Alarm TableAlarm SummaryIDS AlertOtherIs a wormindicated? Host IPAddressNoMost recent flows/Active flowsTraffic volume/typeOther AlarmsExporter interfacesActivity – scanning?ThresholdsTouchesHostSnapshotIdentity:Yes Hosts affectedHost Groups AffectedSubnets AffectedPorts UsedProtocols UsedBRKSEC-2073Is the behaviournormal orpermissible?WormTrackerYesUsernameDevice type and OSAccess locationOrganisation/GeoRole – Client or ServerNoTune 2014 Cisco and/or its affiliates. All rights reserved. RespondCisco Public67

APT1IOC: Mandiant publishes list of domain names and IP addresses known to be used by APT1IP AddressesCreate a HostGroup for APT1BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public68

APT1 – Host Locking Violation AlarmSet client hosts to all Inside HostsCreate a Host LockViolation Alarm forcommunication to APT1Set server hosts to APT1Disallow all trafficTrigger alarm on anyunidirectional trafficBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public69

APT1 - InvestigateYou know today what you didn’t know yesterdayRun a Flow QueryOver the last 90 daysServer or client includesthe APT1 IP Address listBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public70

APT1 – Returned FlowsInfected hostsFTP TransfersAPT1 ServersBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public71

Investigating Malware Spread: Worm TrackerWorm trackerInitial infectionSecondary infectionsSubnets being scannedIOC: IDS Alert indicating a known worm operating inside your networkBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public72

Investigating Malware Spread: Host SnapshotEverything the systemknows about 10.10.200.59BRKSEC-2073Start with CI Events. We noticesignificant scanning activity 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public73

Investigating Malware Spread: IdentityTelemetry from the ISEUsernameBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.InfectedmachineCisco Public74

Investigating Malware Spread: Touched HostsThis infected host has established a connection with another hostBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public75

Investigating Malware Spread: Touched HostsAll hosts touched by 10.10.200.59BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public76

High Concern IndexBaseline deviated by 2,432%!BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public77

What was this Host up to?Target – entire subnet?Scanning on TCP-445BRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public78

NetFlow and (D)DoS DetectionIdentify targets Target of suspicious activity Abnormal traffic volume Decrease in performanceIdentify attackersBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public79

Volumetric DDoSTraffic SpikesBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public80

Identifying a DDoS ParticipantIOC: Notification from 3rd party that your IP Address is participating in a DDoSPublic IP addressTime of reported attackTarget serverBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public81

Identifying a DDoS ParticipantTime of reported attackValidate attack activityUserInside localBRKSEC-2073Outside global 2014 Cisco and/or its affiliates. All rights reserved.Target ServerCisco Public82

Identify a DDoS ParticipantHost snapshotOther suspicious activityBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public83

AgendaIntroductionAdding ContextWorking w CollectionOrganising the dataIntroduction toNetFlowDesign andDeploymentFlow ExportRunning Queriesand Investigations 2014 Cisco and/or its affiliates. All rights reserved.Cisco PublicSummary84

Links and Recommended ReadingMore about the Cisco Cyber Threat Defence ://www.lancope.comRecommended ReadingCyber Threat Defence Cisco Validated Design ral/ns1015/ns1238/cyber threat defense design guide.pdfBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public85

Key TakeawaysModern threats are consistentlybypassing the security perimeterThreat Detection requires visibility andcontext into network trafficNetFlow and the Lancope StealthWatch System provide actionable security intelligenceBRKSEC-2073 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public86

Q&A

Complete Your Online Session EvaluationGive us your feedback and receive aCisco Live 2014 Polo Shirt!Complete your Overall Event Survey and 5 SessionEvaluations. Directly from your mobile device on the Cisco LiveMobile App By visiting the Cisco Live Mobile Sitewww.ciscoliveaustralia.com/mobile Visit any Cisco Live Internet Station locatedthroughout the venuePolo Shirts can be collected in the World of Solutionson Friday 21 March 12:00pm - 2:00pmBRKSEC-2073Learn online with Cisco Live!Visit us online after the conference for full accessto session videos and presentations.www.CiscoLiveAPAC.com 2014 Cisco and/or its affiliates. All rights reserved.Cisco Public

Aside: Myths about NetFlow Generation 30 Myth #1: NetFlow impacts performance Hardware implemented NetFlow has no performance impact Software implementation is typically significantly 15% processing overhead Myth #2: NetFlow has bandwidth overhead NetFlow is a summary protocol Traffic overhead is typically significantly 1% of

Related Documents:

Cisco 3560 & 3750 NetFlow Configuration Guide Cisco Nexus 7000 NetFlow Configuration Cisco Nexus 1000v NetFlow Configuration Cisco ASR 9000 NetFlow Configuration Appendix. 3 Cisco NetFlow Configuration Cisco IOS NetFlow Configuration Guide Netflow Configuration In configuration mode issue the following to enable NetFlow Export:

Cisco 3560 & 3750 NetFlow Configuration Guide Cisco Nexus 7000 NetFlow Configuration Cisco Nexus 1000v NetFlow Configuration Cisco ASR 9000 NetFlow Configuration Appendix. 8 Cisco NetFlow Configuration Cisco 3560X & 3750X NetFlow Configuration Your software release may not support all the features documented in this module.File Size: 2MB

Example: Router enable Enteryourpasswordifprompted. configureterminal (Required)Entersglobalconfigurationmode. Example: Router# configure terminal Step 2 NetFlow Configuration Guide, Cisco IOS Release 15M&T 5 Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data How to Configure SNMP and use the NetFlow MIB to Monitor NetFlow Data

Configuring NetFlow on a Cisco 6500 Series Switch 148 Configuring NetFlow on a Cisco 6500 Series Switch 150 Configuring NetFlow on Cisco Routers 151 Contents NetFlow Configuration Guide, Cisco IOS Release 12.2SX viii . Configuring NetFlow on Cisco Routers 153 Configuring NetFlow Top Talkers 153

NetFlow-lite Aggregators and collectors can sit anywhere in the network, as long as L3 reachable NetFlow-lite Aggregators are transparent to NetFlow collector (NetFlow collectors receive aggregated flow data as if it's coming directly from the switch) NetFlow collector analyzes & correlates both NetFow and aggregated NetFlow-lite data

NetFlow-enabled device. NetFlow builds its cache by processing the first packet of a flow through the standard switching path. It maintains a flow record within the NetFlow cache for all active flows. Each flow record in the NetFlow cache contains key fields, as well as additional non-key fields, that can be used later for exporting data

Flexible NetFlow Configuration Guide, Cisco IOS Release 15.2(3)E and Later (Catalyst 3750-X and 3560-X Switches) 3 Configuring Flexible NetFlow Information About Flexible Netflow . Flexible NetFlow Configuration Guide, Cisco IOS Release 15.2(3)E and Later (Catalyst 3750-X and 3560-X Switches) 17 Configur

Target Publications Pvt. Ltd. Std. XI Sci.: Perfect Maths - I 4 In figure XOP, XOQ and XOR lie in first, second and third quadrants respectively. Quadrantal Angles: If the terminal arm of an angle in standard position