Network Security With - Pearsoncmg


Network Security with NetFlow and IPFIX
Big Data Analytics for Information Security

Omar Santos

Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

Network Security with NetFlow and IPFIX
Omar Santos

Copyright 2016 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America

First Printing September 2015

Library of Congress Control Number: 2015945876

ISBN-13: 978-1-58714-438-7
ISBN-10: 1-58714-438-7

Warning and Disclaimer

This book is designed to provide information about network security using Cisco NetFlow. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Special Sales

For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.

For government sales inquiries, please contact governmentsales@pearsoned.com.

For questions about sales outside the U.S., please contact international@pearsoned.com.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Business Operation Manager, Cisco Press: Jan Cornelssen
Acquisitions Editor: Denise Lincoln
Managing Editor: Sandra Schroeder
Senior Development Editor: Christopher Cleveland
Project Editor: Mandie Frank
Copy Editor: Keith Cline
Technical Editors: Lou Ronnau, John Stuppi
Editorial Assistant: Vanessa Evans
Book Designer: Mark Shirar
Composition: CodeMantra
Senior Indexer: Cheryl Lenser
Proofreader: Sarah Kearns

About the Author

Omar Santos is a Principal Engineer in the Cisco Product Security Incident Response Team (PSIRT), part of Cisco’s Security Research and Operations. He mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities in all Cisco products. Omar has been working with information technology and cyber security since the mid-1990s. Omar has designed, implemented, and supported numerous secure networks for Fortune 100 and 500 companies and for the U.S. government. Prior to his current role, he was a Technical Leader within the World Wide Security Practice and the Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.

Omar is an active member of the security community, where he leads several industrywide initiatives and standard bodies. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructure.

Omar is the author of several books and numerous whitepapers, articles, and security configuration guidelines and best practices. He has also delivered numerous technical presentations at many conferences and to Cisco customers and partners, in addition to many C-level executive presentations to many organizations.

Omar is the author of the following Cisco Press books:

- CCNA Security 210-260 Official Cert Guide, ISBN-13: 9781587205668
- Deploying Next-Generation Firewalls Live Lessons, ISBN-13: 9781587205705
- Cisco’s Advanced Malware Protection (AMP), ISBN-13: 9781587144462
- Cisco ASA Next-Generation Firewall, IPS, and VPN Services (3rd Edition), ISBN-10: 1587143070
- Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance (2nd Edition), ISBN-10: 1587058197
- Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance, ISBN-10: 1587052091
- Cisco Network Admission Control, Volume: Deployment and Management, ISBN-10: 1587052253
- End-to-End Network Security: Defense-in-Depth, ISBN-10: 1587053322

About the Technical Reviewers

John Stuppi, CCIE No. 11154, is a Technical Leader in the Cisco Security Solutions (CSS) organization at Cisco, where he consults Cisco customers on protecting their network against existing and emerging cyber security threats. In this role, John is responsible for providing effective techniques using Cisco product capabilities to provide identification and mitigation solutions for Cisco customers who are concerned with current or expected security threats to their network environments. Current projects include helping customers leverage DNS and NetFlow data to identify and subsequently mitigate network-based threats. John has presented multiple times on various network security topics at Cisco Live, Black Hat, and other customer-facing cyber security conferences. In addition, John contributes to the Cisco Security Portal through the publication of white papers, Security Blog posts, and Cyber Risk Report articles. Prior to joining Cisco, John worked as a network engineer for JPMorgan, and then as a network security engineer at Time, Inc., with both positions based in New York City. John is also a CISSP (#25525) and holds an Information Systems Security (INFOSEC) professional certification. In addition, John has a Bachelor of Science in Electrical Engineering degree from Lehigh University and an MBA from Rutgers University. John lives in Ocean Township, New Jersey (a.k.a. the Jersey Shore) with his wife, two kids, and his dog.

Lou Ronnau is a Consulting Engineer in the Cisco Security Solutions group at Cisco Systems, where he has worked for more than 20 years. In this position, he works with customers to identify and mitigate threats to the secure operation of their data networks. Lou has presented at Cisco Live and other industry security conferences and is a Cisco Press author. In his spare time, Lou enjoys flying as a private pilot and scuba diving.

Dedication

I want to dedicate this book to my lovely wife, Jeannette, and my two beautiful children, Hannah and Derek, who have inspired and supported me throughout the development of this book.

I also dedicate this book to my father, Jose, and write in memory of my mother, Generosa. Without their knowledge, wisdom, and guidance, I would not have the goals that I strive to achieve today.

Acknowledgments

I want to thank the technical editors, John Stuppi and Lou Ronnau, for their time and technical expertise. They verified my work and corrected me in all the major and minor mistakes that were hard to find.

I also want to thank the Cisco Press team, especially Denise Lincoln, Chris Cleveland, and Mandie Frank for their patience, guidance, and consideration. Their efforts are greatly appreciated.

Kudos to the Cisco product development teams for delivering such a great product portfolio.

Finally, I want to acknowledge the Cisco PSIRT and Security Research and Operations. Some of the best and brightest minds in the network security industry work there, supporting and protecting our Cisco customers, often under very stressful conditions and working miracles daily.

Contents at a Glance

Introduction   xvi
Chapter 1   Introduction to NetFlow and IPFIX   1
Chapter 2   Cisco NetFlow Versions and Features   39
Chapter 3   Cisco Flexible NetFlow   59
Chapter 4   NetFlow Commercial and Open Source Monitoring and Analysis Software Packages   75
Chapter 5   Big Data Analytics and NetFlow   111
Chapter 6   Cisco Cyber Threat Defense and NetFlow   129
Chapter 7   Troubleshooting NetFlow   189
Chapter 8   Case Studies   247
Index   273

Contents

Introduction   xvi

Chapter 1   Introduction to NetFlow and IPFIX   1
    Introduction to NetFlow   1
    The Attack Continuum   2
    The Network as a Sensor and as an Enforcer   3
    What Is a Flow?   4
    NetFlow Versus IP Accounting and Billing   6
    NetFlow for Network Security   7
    Anomaly Detection and DDoS Attacks   8
    Data Leak Detection and Prevention   9
    Incident Response and Network Security Forensics   9
    Traffic Engineering and Network Planning   14
    IP Flow Information Export   15
    IPFIX Architecture   16
    IPFIX Mediators   17
    IPFIX Templates   17
    Option Templates   19
    Introduction to the Stream Control Transmission Protocol (SCTP)   19
    Supported Platforms   20
    Introduction to Cisco Cyber Threat Defense   21
    Cisco Application Visibility and Control and NetFlow   22
    Application Recognition   22
    Metrics Collection and Exporting   23
    Management and Reporting Systems   23
    Control   23
    Deployment Scenarios   24
    Deployment Scenario: User Access Layer   24
    Deployment Scenario: Wireless LAN   25
    Deployment Scenario: Internet Edge   26
    Deployment Scenario: Data Center   28
    Public, Private, and Hybrid Cloud Environments   32
    Deployment Scenario: NetFlow in Site-to-Site and Remote VPNs   33
    NetFlow Site-to-Site VPNs   33
    NetFlow Remote-Access VPNs   34
    NetFlow Collection Considerations and Best Practices   35
    Determining the Flows per Second and Scalability   36
    Summary   37

Chapter 2   Cisco NetFlow Versions and Features   39
    NetFlow Versions and Respective Features   39
    NetFlow v1 Flow Header Format and Flow Record Format   40
    NetFlow v5 Flow Header Format and Flow Record Format   41
    NetFlow v7 Flow Header Format and Flow Record Format   42
    NetFlow Version 9   43
    NetFlow and IPFIX Comparison   57
    Summary   57

Chapter 3   Cisco Flexible NetFlow   59
    Introduction to Cisco’s Flexible NetFlow   59
    Simultaneous Application Tracking   60
    Flexible NetFlow Records   61
    Flexible NetFlow Key Fields   61
    Flexible NetFlow Non-Key Fields   63
    NetFlow Predefined Records   65
    User-Defined Records   65
    Flow Monitors   65
    Flow Exporters   65
    Flow Samplers   66
    Flexible NetFlow Configuration   66
    Configure a Flow Record   67
    Configuring a Flow Monitor for IPv4 or IPv6   69
    Configuring a Flow Exporter for the Flow Monitor   71
    Applying a Flow Monitor to an Interface   73
    Flexible NetFlow IPFIX Export Format   74
    Summary   74

Chapter 4   NetFlow Commercial and Open Source Monitoring and Analysis Software Packages   75
    Commercial NetFlow Monitoring and Analysis Software Packages   75
    Lancope’s StealthWatch Solution   76
    Plixer’s Scrutinizer   79
    Open Source NetFlow Monitoring and Analysis Software Packages   80
    NFdump   81
    NfSen   86
    SiLK   86
    SiLK Configuration Files   87
    Filtering, Displaying, and Sorting NetFlow Records with SiLK   87
    Counting, Grouping, and Mating NetFlow Records with SiLK   88
    SiLK’s Python Extension   88
    SiLK IPset, Bag, and Prefix Map Manipulation Tools   88
    IP and Port Labeling Files   89
    SiLK Runtime Plug-Ins   89
    SiLK Utilities for Packet Capture and IPFIX Processing   90
    Utilities to Detect Network Scans   90
    SiLK Flow File Utilities   90
    Additional SiLK Utilities   91
    Elasticsearch, Logstash, and Kibana Stack   92
    Elasticsearch   92
    Logstash   92
    Kibana   93
    Elasticsearch Marvel and Shield   94
    ELK Deployment Topology   94
    Installing ELK   95
    Installing Elasticsearch   96
    Install Kibana   105
    Installing Nginx   106
    Install Logstash   107
    Summary   109

Chapter 5   Big Data Analytics and NetFlow   111
    Introduction to Big Data Analytics for Cyber Security   111
    What Is Big Data?   111
    Unstructured Versus Structured Data   112
    Extracting Value from Big Data   113
    NetFlow and Other Telemetry Sources for Big Data Analytics for Cyber Security   114
    OpenSOC   115
    Hadoop   116
    HDFS   117
    Flume   119
    Third-Party Analytic Tools   125
    Other Big Data Projects in the Industry   126
    Understanding Big Data Scalability: Big Data Analytics in the Internet of Everything   127
    Summary   128

Chapter 6   Cisco Cyber Threat Defense and NetFlow   129
    Overview of the Cisco Cyber Threat Defense Solution   129
    The Attack Continuum   130
    Cisco CTD Solution Components   131
    NetFlow Platform Support   133
    Traditional NetFlow Support in Cisco IOS Software   133
    NetFlow Support in Cisco IOS-XR Software   135
    Flexible NetFlow Support   135
    NetFlow Support in Cisco ASA   140
    Deploying the Lancope StealthWatch System   140
    Deploying StealthWatch FlowCollectors   142
    StealthWatch FlowReplicators   146
    StealthWatch Management Console   146
    Deploying NetFlow Secure Event Logging in the Cisco ASA   148
    Deploying NSEL in Cisco ASA Configured for Clustering   151
    Unit Roles and Functions in Clustering   152
    Clustering NSEL Operations   152
    Configuring NSEL in the Cisco ASA   153
    Configuring NSEL in the Cisco ASA Using ASDM   153
    Configuring NSEL in the Cisco ASA Using the CLI   155
    NSEL and Syslog   156
    Defining the NSEL Export Policy   157
    Monitoring NSEL   159
    Configuring NetFlow in the Cisco Nexus 1000V   160
    Defining a Flow Record   161
    Defining the Flow Exporter   162
    Defining a Flow Monitor   163
    Applying the Flow Monitor to an Interface   164
    Configuring NetFlow in the Cisco Nexus 7000 Series   164
    Configuring the Cisco NetFlow Generation Appliance   166
    Initializing the Cisco NGA   166
    Configuring NetFlow in the Cisco NGA via the GUI   168
    Configuring NetFlow in the Cisco NGA via the CLI   169
    Additional Cisco CTD Solution Components   171
    Cisco ASA 5500-X Series Next-Generation Firewalls and the Cisco ASA with FirePOWER Services   171
    Next-Generation Intrusion Prevention Systems   172
    FireSIGHT Management Center   173
    AMP for Endpoints   173
    AMP for Networks   176
    AMP Threat Grid   176
    Email Security   177
    Email Security Appliance   177
    Cloud Email Security   179
    Cisco Hybrid Email Security   179
    Web Security   180
    Web Security Appliance   180
    Cisco Content Security Management Appliance   184
    Cisco Cloud Web Security   185
    Cisco Identity Services Engine   186
    Summary   187

Chapter 7   Troubleshooting NetFlow   189
    Troubleshooting Utilities and Debug Commands   189
    Troubleshooting NetFlow in Cisco IOS and Cisco IOS XE Devices   194
    Cisco IOS Router Flexible NetFlow Configuration   195
    Troubleshooting Communication Problems with the NetFlow Collector   201
    Additional Useful Troubleshooting Debug and Show Commands   204
    Verifying a Flow Monitor Configuration   204
    Displaying Flow Exporter Templates and Export IDs   207
    Debugging Flow Records   212
    Preventing Export Storms with Flexible NetFlow   213
    Troubleshooting NetFlow in Cisco NX-OS Software   214
    Troubleshooting NetFlow in Cisco IOS-XR Software   217
    Flow Exporter Statistics and Diagnostics   219
    Flow Monitor Statistics and Diagnostics   222
    Displaying NetFlow Producer Statistics in Cisco IOS-XR   226
    Additional Useful Cisco IOS-XR Show Commands   228
    Troubleshooting NetFlow in the Cisco ASA   228
    Troubleshooting NetFlow in the Cisco NetFlow Generation Appliance   235
    Gathering Information About Configured NGA Managed Devices   235
    Gathering Information About the Flow Collector   236
    Gathering Information About the Flow Exporter   237
    Gathering Information About Flow Records   237
    Gathering Information About the Flow Monitor   238
    Show Tech-Support   239
    Additional Useful NGA show Commands   245
    Summary   246

Chapter 8   Case Studies   247
    Using NetFlow for Anomaly Detection and Identifying DoS Attacks   247
    Direct DDoS Attacks   248
    Reflected DDoS Attacks   248
    Amplification Attacks   249
    Identifying DDoS Attacks Using NetFlow   250
    Using NetFlow in Enterprise Networks to Detect DDoS Attacks   250
    Using NetFlow in Service Provider Networks to Detect DDoS Attacks   253
    Using NetFlow for Incident Response and Forensics   254
    Credit Card Theft   254
    Theft of Intellectual Property   259
    Using NetFlow for Monitoring Guest Users and Contractors   262
    Using NetFlow for Capacity Planning   267
    Using NetFlow to Monitor Cloud Usage   269
    Summary   271

Index   273

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

- Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
- Italic indicates arguments for which you supply actual values.
- Vertical bars (|) separate alternative, mutually exclusive elements.
- Square brackets ([ ]) indicate an optional element.
- Braces ({ }) indicate a required choice.
- Braces within brackets ([{ }]) indicate a required choice within an optional element.

Introduction

Cisco NetFlow is now the primary network accounting technology in the industry. Visibility into the network is an indispensable tool for network and security professionals. In response to new requirements and cyber security headaches, network operators and security professionals are finding it critical to understand how the network is behaving. Cisco NetFlow creates an environment where network administrators and security professionals have the tools to understand who, what, when, where, and how network traffic is flowing.

Who Should Read This Book?

This book serves as a comprehensive guide for any network and security professional who manages network security and installs and configures network security features to provide additional visibility. It encompasses topics from an introductory level to advanced topics on Cisco NetFlow, Cisco Cyber Threat Defense, and big data analytics tools such as Logstash, Kibana, Elasticsearch, and many others.

How This Book Is Organized

The following is an overview of how this book is organized:

- Chapter 1, “Introduction to NetFlow and IPFIX”: This chapter provides an overview of Cisco NetFlow and IPFIX. Cisco NetFlow and IPFIX provide a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, denial-of-service monitoring capabilities, and network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow and is the leader in IP traffic flow technology.
- Chapter 2, “Cisco NetFlow Versions and Features”: This chapter covers the different Cisco NetFlow versions and the features available in each version. It also covers the NetFlow v9 export format and packet details, and includes a detailed comparison between NetFlow and IPFIX.
- Chapter 3, “Cisco Flexible NetFlow”: Flexible NetFlow provides enhanced optimization of the network infrastructure, reduces costs, and improves capacity planning and security detection beyond other flow-based technologies available today. This chapter provides an introduction to Cisco’s Flexible NetFlow, and it covers the Flexible NetFlow components and fields. It also provides step-by-step guidance on how to configure Flexible NetFlow in Cisco IOS Software.
- Chapter 4, “NetFlow Commercial and Open Source Monitoring and Analysis Software Packages”: This chapter provides details about the top commercial NetFlow analyzers. It also provides detailed information about the top open source NetFlow analyzers, including SiLK, Flow-tools, FlowScan, NTop, EHNT, BPFT, Cflowd, Logstash, Kibana, Elasticsearch, and others.
- Chapter 5, “Big Data Analytics and NetFlow”: Big data analytics is a key and growing network security, monitoring, and troubleshooting trend. Cisco NetFlow provides a source of relevant big data that customers should be analyzing to improve the performance, stability, and security of their networks. This chapter describes how NetFlow is used for big data analytics for cyber security, along with other network telemetry capabilities such as firewall logs, syslog, SNMP, and authentication, authorization, and accounting logs, in addition to logs from routers and switches, servers, and endpoint stations, among others.
- Chapter 6, “Cisco Cyber Threat Defense and NetFlow”: Cisco has partnered with Lancope to deliver a solution that provides visibility into security threats by identifying suspicious traffic patterns in the corporate network. These suspicious patterns are then augmented with circumstantial information necessary to determine the level of threat associated with a particular incident. This solution allows a network administrator or security professional to analyze this information in a timely, efficient, and cost-effective manner for advanced cyber threats. This chapter provides detailed coverage of the Cisco Cyber Threat Defense Solution. The Cisco Cyber Threat Defense Solution utilizes the Lancope StealthWatch System to analyze NetFlow information from Cisco switches, routers, and the Cisco ASA 5500 Next-Generation Firewalls to detect advanced and persistent security threats such as internally spreading malware, data leakage, botnet command-and-control traffic, and network reconnaissance. The Cisco ISE solution supplements StealthWatch NetFlow-based behavioral threat detection data with contextual information such as user identity, user authorization level, device type, and posture. This chapter provides design and configuration guidance when deploying the Cisco Cyber Threat Defense Solution.
- Chapter 7, “Troubleshooting NetFlow”: This chapter focuses on the different techniques and best practices available when troubleshooting NetFlow deployments and configurations. It assumes that you already have an understanding of the topics covered in previous chapters, such as configuration and deployment of NetFlow in all the supported devices.
- Chapter 8, “Case Studies”: This chapter covers several case studies and real-life scenarios on how NetFlow is deployed in large enterprises and in small and medium-sized businesses.



Chapter 5

Big Data Analytics and NetFlow

This chapter covers the following topics:

- Introduction to big data analytics for cyber security
- NetFlow and other telemetry sources for big data analytics for cyber security
- Open Security Operations Center (OpenSOC)
- Understanding big data scalability: Big data analytics in the Internet of Everything (IoE)

Introduction to Big Data Analytics for Cyber Security

Big data analytics is the practice of studying large amounts of data of a variety of types and from a variety of sources to learn interesting patterns, unknown facts, and other useful information. Big data analytics can play a crucial role in cyber security. Many in the industry are changing the tone of their conversation: it is no longer a question of if or when your network will be compromised; the assumption is that your network has already been hacked or compromised, and the advice is to focus on minimizing the damage and increasing visibility to aid in identifying the next hack or compromise.

Advanced analytics can be run against very large, diverse data sets to find indicators of compromise (IOCs). These data sets can include different types of structured and unstructured data processed in a “streaming” fashion or in batches. NetFlow plays an important role in big data analytics for cyber security, and you will learn why as you read through this chapter.

What Is Big Data?

There are a lot of very interesting definitions for the phenomenon called big data. It seems that a lot of people have different views of what big data is. Let’s cut through the marketing hype and get down to the basics of the subject. A formal definition for big data can be obtained from the Merriam-Webster dictionary:

An accumulation of data that is too large and complex for processing by traditional database management tools.

Big data usually includes data sets with sizes beyond the ability of commonly used software tools to capture, curate, manage, and process the data within a tolerable elapsed time.

The size of data that can be classified as big data is a moving target. It can range from a few terabytes to yottabytes of data in a single data set. For instance:

- A petabyte is 1000 terabytes.
- An exabyte is 1000 petabytes.
- A zettabyte is 1000 exabytes.
- A yottabyte is 1000 zettabytes.

Tip: Cisco has created the Cisco Visual Networking Index (VNI). Cisco VNI is an ongoing initiative to forecast and analyze the growth and use of the Internet, in addition to the data being transferred. You can find details of the Cisco VNI global IP traffic forecast and the methodology behind it at http://www.cisco.com/go/vni.

Unstructured Versus Structured Data

The term unstructured data is used when referring to data that does not have a predefined data model or is not organized in a predetermined way. Typically, unstructured data is defined as data that is not tracked in a “structured” or traditional row-column database. The prime examples of unstructured data are as follows:

- Multimedia content such as videos, photos, and audio files
- E-mail messages
- Social media (Facebook, Twitter, LinkedIn) status updates
- Presentations
- Word processing documents
- Blog posts
- Executable files

In the world of cyber security, a lot of network data can also be categorized as unstructured:

- Syslog
- Simple Network Management Protocol (SNMP) logs
- NetFlow
- Server and host logs
- Packet captures
- Executables
- Malware
- Exploits

Industry experts estimate that the majority of the data in any organization is unstructured, and the amount of unstructured data is growing significantly. There are numerous, disparate data sources. NetFlow is one of the largest single sources; it can grow to tens of terabytes of data per day in large organizations, and it is expected to grow over the years to petabytes. What differentiates a useful big data solution is the merging of numerous data sources and sizes in the same infrastructure, together with the ability to query across all of these different data sets using the same language and tools.

There is an industry concept called Not-Only SQL (NoSQL), which is the name given to several databases that do not require SQL to process data. However, some of these databases support both SQL and non-SQL forms of data processing.

Big data analytics can be done in combination with advanced analytics disciplines such as predictive analytics and data mining.

Note: Cisco acquired Cognitive Security in 2013, a company focused on applying artificial intelligence techniques to detect advanced cyber threats. The new Cisco security solutions integrate a range of sophisticated technologies to identify and analyze key threats through advanced behavioral analysis of real-time data.

Extracting Value from Big Data

Any organization can collect data just for the sake of collecting data; however, the usefulness of such data depends on how actionable it is for making decisions (in addition to whether the data is regularly monitored and analyzed).

There are three high-level key items for big data analytics:

- Information management: An ongoing management and process control for big data analytics.
- High-performance analytics: The ability to gain fast, actionable information from big data and to solve complex problems using more data.
- Flexible deployment options: Options for on-premises or cloud-based, software-as-a-service (SaaS) approaches to big data analytics.

There are a few high-level approaches for accelerating the analysis of giant data sets. The following are the most common:

- Grid computing: A centralized grid infrastructure for dynamic analysis with high availability and parallel processing.
- Intra-database processing: Performing data management, analytics, and reporting tasks using scalable architectures.
- In-memory analytics: Quickly solves complex problems using in-memory, multiuser access to data and rapidly runs new scenarios or complex analytical computations.
- Support for Hadoop: Stores and processes large volumes of data on commodity hardware. Hadoop is covered later in this chapter in the section “Hadoop.”
- Visualizations: Quickly visualize correlations and patterns in big data to identify opportunities for further analysis and to improve decision making.

Examples of technologies used in big data analytics are covered in detail later in this chapter.

NetFlow and Other Telemetry Sources for Big Data Analytics for Cyber Security

As discussed in Chapter 1, “Introduction to NetFlow and IPFIX,” NetFlow provides detailed network telemetry that allows the administrator to:

- See what is actually happening across your entire network
- Regain control of your network in case of a denial-of-service (DoS) attack
- Quickly identify compromised endpoints and network infrastructure devices
- Monitor network usage of employees, contractors, or partners
- Obtain network telemetry during security incident response and forensics
- Detect firewall misconfigurations and inappropriate access to corporate resources

As previously mentioned, NetFlow data can grow to tens of terabytes of data per day in large organizations, and it is expected to grow over the years to petabytes. However, many other telemetry sources can be used in conjunction with NetFlow to identify, classify, and mitigate potential threats in your network.
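The chapter's argument is that a big data solution earns its keep by merging NetFlow with other telemetry and querying both with the same tools. The following is an added example, not code from the book: constructed flow records (a CSV export in the style of a flow collector; the column names are assumptions) and constructed sshd syslog lines are normalized into one record shape, two of the NetFlow use cases listed above (a data-leak indicator and a compromised-endpoint indicator) are evaluated over the flows, and each finding is enriched with the failed-login count for the same host from syslog.

```python
"""Added example (not from the book): merge two telemetry sources, NetFlow and
syslog, into one record shape and run indicator-of-compromise checks over both.
All input below is constructed sample data; the CSV column names are assumptions
in the style of a flow collector export, not a specific product's format."""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed flow export, one line per flow. 10.1.1.25 moves ~910 MB to an
# external host; 10.1.1.40 touches several internal hosts on port 22.
FLOWS_CSV = """ts,src,dst,sport,dport,proto,bytes
2015-09-01T10:00:01,10.1.1.25,10.1.2.10,51000,443,6,4200
2015-09-01T10:00:03,10.1.1.25,203.0.113.9,51001,443,6,910000000
2015-09-01T10:00:05,10.1.1.40,10.1.2.10,51002,80,6,1500
2015-09-01T10:00:06,10.1.1.40,10.1.2.11,51003,22,6,120
2015-09-01T10:00:07,10.1.1.40,10.1.2.12,51004,22,6,120
2015-09-01T10:00:08,10.1.1.40,10.1.2.13,51005,22,6,120
2015-09-01T10:00:12,10.1.1.77,198.51.100.4,51010,53,17,300
"""

# Constructed syslog lines from the servers 10.1.1.40 was connecting to.
SYSLOG = """Sep  1 10:00:06 srv11 sshd[2210]: Failed password for root from 10.1.1.40 port 51003 ssh2
Sep  1 10:00:07 srv12 sshd[1811]: Failed password for admin from 10.1.1.40 port 51004 ssh2
Sep  1 09:59:50 srv10 sshd[3301]: Accepted publickey for deploy from 10.1.1.25 port 50998 ssh2
"""

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")


def is_internal(ip):
    """True when the address falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Normalize CSV flow records into dicts tagged with their telemetry source."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"source": "netflow", "ts": r["ts"], "src": r["src"],
                     "dst": r["dst"], "dport": int(r["dport"]),
                     "proto": int(r["proto"]), "bytes": int(r["bytes"])})
    return rows


def parse_syslog(text):
    """Normalize sshd auth lines into the same dict shape (src = client address)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append({"source": "syslog", **m.groupdict()})
    return events


def find_indicators(flows, events, leak_bytes=500_000_000, scan_hosts=3):
    """Evaluate two of the chapter's NetFlow use cases over the merged data.

    1. Data-leak indicator: an internal host sends >= leak_bytes in total to
       external addresses within the data set.
    2. Compromised-endpoint indicator: one internal host reaches >= scan_hosts
       distinct internal destinations on the same port.
    Each finding is then enriched with the failed-login count from syslog, so
    the analyst sees both sources in one result.
    """
    findings = []

    out_bytes = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            out_bytes[f["src"]] += f["bytes"]
    for src, total in sorted(out_bytes.items()):
        if total >= leak_bytes:
            findings.append({"type": "possible_exfiltration", "host": src, "bytes": total})

    targets = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]):
            targets[(f["src"], f["dport"])].add(f["dst"])
    for (src, dport), dsts in sorted(targets.items()):
        if len(dsts) >= scan_hosts:
            findings.append({"type": "possible_scan", "host": src,
                             "dport": dport, "targets": len(dsts)})

    failures = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]] += 1
    for fnd in findings:
        fnd["auth_failures"] = failures[fnd["host"]]
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_flows(FLOWS_CSV), parse_syslog(SYSLOG)):
        print(finding)
```

The thresholds are deliberately parameters: on real data they come from a baseline of the network's normal volumes and fan-out, not from fixed constants.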
