Transcript of Ray Jones Director of Solutions Architecture and Field Enablement Security Monitoring In Your...
- Slide 1
- Ray Jones Director of Solutions Architecture and Field
Enablement Security Monitoring In Your Network Strategies to
Safeguard Your Network Using NetScouts 3900 Series Packet Flow
Switch
- Slide 2
- A BAD YEAR for Cyber Security: Entertainment, Govt & Health Care, Platform, Retail, Financial
- Slide 3
- Cyber Security Monitoring: Two Challenges. 1. Obscurity: the protagonist often intentionally averts detection. 2. Transience: the sequence of events may be difficult to reproduce.
- Slide 4
- What you'll learn today (AGENDA). 3900 SERIES PACKET FLOW SWITCH INTRODUCTION: Extend visibility & take control of your monitoring environment. DYNAMIC TARGETING: Expedite & automate incident response. FILTERING TOOLS: Optimize security monitoring tool performance.
- Slide 5
- Scalable, flexible, feature rich. 3900 SERIES PACKET FLOW
SWITCH INTRODUCTION
- Slide 6
- nGenius 3900 Series Packet Flow Switch
  - 3901 Chassis: 1RU modular switch; small single site or multi-site deployments needing 16 to 48 ports; up to 48 ports 1/10 GbE + 4 ports 40 GbE*
  - 3903 Chassis: 3RU modular switch; medium to large single site or multi-site deployments needing > 48 ports; up to 144 ports 1/10 GbE + 12 ports 40 GbE*
  - Centralized Management: pay-as-you-grow modules & chassis; supports > 4000 ports with PFS Management Software; large site deployments needing > 144 ports
  - * 100G Early Field Trial Available
- Slide 7
- nGenius 3900 Series Packet Flow Switch
  - Built-in GUI Management or PFS Management System
  - 1U and 3U Base Chassis Options
  - Modular + Stackable Monitoring Fabric Growth
  - 1/10/40Gbps Native per Blade
  - Full Line Rate, All-Inclusive Blade Based Features
  - 100G Early Field Trial Available
  - Redundant Ethernet Management Ports
  - Redundant AC/DC Power Supplies
  - Redundant Switch Controllers: resides on each blade, automatic failover
  - Interface Blade FlexPorts supporting 1/10/40G: up to 48 x 1/10G per RU, up to 4 x 40G per RU
  - Serial Console Port
- Slide 8
- nGenius 3900 Series Packet Flow Switch 16x 1G/10G 4x 40G or 16x
1G/10G Console Full-Duplex 720Gbps Line-rate Processing ***
Advanced Switching Engine with Extensible Microcode
- Slide 9
- nGenius 3900 Series Packet Flow Switch Network Site A Site
B
- Slide 10
- Ensuring rapid, reliable incident response. DYNAMIC
TARGETING
- Slide 11
- Dynamic Targeting: Problem & Requirement Problem: Security
events may require reactive changes to monitoring fabric.
Requirement: Implement dynamic, automated changes via secure
management channel.
- Slide 12
- Use Case: Targeted packet capture for suspect flows Site A Site
B Continuous Monitoring PFS Network TAPs Escalation Analysis
- Slide 13
- Use Case: Targeted packet capture for suspect flows 1.Traffic
flows through TAPs to Sites A & B Site A Site B Continuous
Monitoring PFS 1 Network TAPs Escalation Analysis
- Slide 14
- Use Case: Targeted packet capture for suspect flows 1.Traffic
flows through TAPs to Sites A & B 2.PFS steers traffic from
TAPs to Monitoring tools Site A Site B Continuous Monitoring PFS 2
Network TAPs Escalation Analysis
- Slide 15
- Use Case: Targeted packet capture for suspect flows 1.Traffic
flows through TAPs to Sites A & B 2.PFS steers traffic from
TAPs to Monitoring tools 3.Monitoring tool detects suspicious
activity Site A Site B Continuous Monitoring PFS 3 !!! Network TAPs
Escalation Analysis
- Slide 16
- Use Case: Targeted packet capture for suspect flows 1.Traffic
flows through TAPs to Sites A & B 2.PFS steers traffic from
TAPs to Monitoring tools 3.Monitoring tool detects suspicious
activity 4.a) Script configures packet flow switch to target IP
address b) Script activates Escalation Analysis tool Site A Site B
Continuous Monitoring PFS 4a 4b Network TAPs Escalation
Analysis
- Slide 17
- Use Case: Targeted packet capture for suspect flows 1.Traffic
flows through TAPs to Sites A & B 2.PFS steers traffic from
TAPs to Monitoring tools 3.Monitoring tool detects suspicious
activity 4.a) Script configures packet flow switch to target IP
address b) Script activates Escalation Analysis tool 5.PFS sends
targeted traffic to Escalation Analysis tool Site A Site B
Escalation Analysis Continuous Monitoring PFS 5 Network TAPs
- Slide 18
- Scripting for Dynamic Targeting Optimized Management for
Monitoring Tools nGeniusONE
- Slide 19
- Scripting for Dynamic Targeting Optimized Management for
Monitoring Tools PFS Manager for PFS PFS Manager nGeniusONE
- Slide 20
- Scripting for Dynamic Targeting nGenius PFS Management Software
Administrator Guide PFS Manager SSH from Client to PFS, Monitoring
Tools SSH Client SSH
- Slide 21
- Sample PFS SSH/CLI Script (the slide's script, with the imports it relies on added):

```python
import paramiko
# SSHClientInteraction comes from the paramiko-expect package (pip install paramiko-expect)
from paramiko_expect import SSHClientInteraction


def main():
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    # AutoAddPolicy accepts any unknown host key; with a pre-populated known_hosts,
    # paramiko.RejectPolicy() keeps the management channel from being silently redirected
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    prompt = '=> '
    hostname = '10.88.39.192'  # Replace with actual IP address of PFS or PFS Mgmt Server
    username = 'administrator'  # Replace if you need to use a different user; normally "administrator" is correct
    password = 'netscout1'  # Replace with actual password (read it from a secret store rather than hard-coding it)
    client.connect(hostname, int(22022), username, password)  # Presumes that PFS CLI SSH uses default port 22022
    interact = SSHClientInteraction(client, timeout=10, display=True)
    interact.expect(prompt)
    # raw_input('Press Enter to continue')
    interact.send("Add Rule 'Dynamic Target' 'permit ip && ip.addr==192.168.0.171'")
    interact.expect(prompt)
    cmd_output = interact.current_output_clean  # CLI response to the Add Rule command
    client.close()
    return cmd_output


if __name__ == '__main__':
    main()
```
- Slide 22
- What should the system do? Upon trigger detection: 1. Create Rule(s) based upon trigger, e.g., IP address. 2. Create Filter(s) and assign Rule(s) to it. 3. Connect Source Port(s) via Filter(s) to Destination Port(s). 4. Prepare Escalation Analysis platform. Following All Clear: 5. Restore original configuration.
- Slide 23
- Components of Dynamic Targeting. 1. Preparation: define/configure interfaces to PFS, Tools. 2. Identification: establish triggers for response. 3. Response: initiate changes to monitoring infrastructure.
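The trigger-to-response flow of slides 22 and 23 (create a rule from the trigger, apply it, restore after All Clear), as an added example that is not NetScout's code. Only the `Add Rule 'Dynamic Target' 'permit ip && ip.addr==...'` command text comes from the deck; the filter, connection, notification and restore commands are labelled ASSUMED placeholders to be replaced from the PFS Administrator Guide, the alert line format is constructed, and `DynamicTargeting`, `extract_trigger`, `build_plan` and `run_demo` are names chosen here. The security-relevant point it adds is that the trigger value is validated as a plain IP address before it is interpolated into a CLI command, and that every change is recorded so the All Clear step can undo it in reverse order.

```python
"""Trigger-driven dynamic targeting: validate the trigger, build the CLI
plan, track what was applied so it can be restored. Added example; only the
'Add Rule' command form is from the slides, the rest are ASSUMED placeholders."""
import ipaddress
import re

# Constructed sample alert lines (not real data) in a generic
# "<timestamp> <level> <signature> src=<ip> dst=<ip>" form.
SAMPLE_ALERTS = [
    "2015-03-02T01:12:44Z ALERT suspicious-beacon src=192.168.0.171 dst=203.0.113.9",
    "2015-03-02T01:12:45Z INFO heartbeat src=192.168.0.5 dst=192.168.0.6",
    "2015-03-02T01:13:01Z ALERT suspicious-beacon src=192.168.0.171 dst=203.0.113.9",
    "2015-03-02T01:13:30Z ALERT malformed src=192.168.0.171' dst=10.0.0.1",
]

ALERT_RE = re.compile(r"^\S+ ALERT \S+ src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def extract_trigger(line):
    """Return the source address of an ALERT line as an IPv4Address, or None.
    Anything that is not a plain dotted quad is rejected here, so the value
    can never carry extra rule syntax into the CLI command."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group("src"))
    except ipaddress.AddressValueError:
        return None


def build_plan(target, rule_name="Dynamic Target"):
    """Steps 1-4 of slide 22 as CLI lines. Step 1 uses the command form shown
    on slide 21; steps 2-4 are ASSUMED placeholders, not real PFS commands."""
    addr = str(target)  # validated IPv4Address, so a safe literal
    return [
        f"Add Rule '{rule_name}' 'permit ip && ip.addr=={addr}'",                 # 1. rule
        f"ASSUMED: create filter '{rule_name}' and assign rule '{rule_name}'",     # 2. filter
        f"ASSUMED: connect source ports via filter '{rule_name}' to destination ports",  # 3. topology
        "ASSUMED: notify escalation analysis platform to start capture",           # 4. prepare tool
    ]


class DynamicTargeting:
    """Applies the plan through a send callable (e.g. interact.send from the
    slide's script) and remembers every applied change for step 5."""

    def __init__(self, send):
        self.send = send
        self.applied = []      # commands applied, most recent last
        self.targets = set()   # addresses already targeted (avoid duplicate rules)

    def on_alert(self, line):
        target = extract_trigger(line)
        if target is None or target in self.targets:
            return False
        for cmd in build_plan(target):
            self.send(cmd)
            self.applied.append(cmd)
        self.targets.add(target)
        return True

    def all_clear(self):
        """Step 5: restore the original configuration by undoing changes in
        reverse order. The restore command text is an ASSUMED placeholder."""
        while self.applied:
            cmd = self.applied.pop()
            self.send(f"ASSUMED restore of: {cmd}")
        self.targets.clear()


def run_demo(alerts=SAMPLE_ALERTS):
    """Dry run: collect the CLI lines instead of sending them over SSH."""
    sent = []
    dt = DynamicTargeting(sent.append)
    accepted = sum(1 for line in alerts if dt.on_alert(line))
    dt.all_clear()
    return sent, accepted


if __name__ == "__main__":
    lines, n = run_demo()
    print(f"{n} trigger(s) accepted; {len(lines)} CLI lines issued")
    for l in lines:
        print("  ", l)
```

In the dry run only the first ALERT line becomes a target: the INFO line is not a trigger, the repeated ALERT is already targeted, and the line with a stray quote in the address fails IPv4 validation, so four commands go out and four restore lines undo them after All Clear. To drive a real PFS, pass `interact.send` from the slide's script as the `send` callable.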
- Slide 24
- Everything you need, and nothing you don't. FILTERING TOOLS
- Slide 25
- Filtering: Problem & Requirement Problem: Cyber tools may
become congested by high traffic volumes Requirement: Filter for
traffic of interest, expect to make changes later. Total Network
Activity Traffic of Interest Threat
- Slide 26
- Use Case: Limit traffic to necessary content CyberSecurity
Monitoring ! Network Link Utilization Packet Rate
- Slide 27
- Filtering Techniques. Criteria: Layer 2: MAC, VLAN ID & Priority, Ethertype; Layer 3: IP address, Payload type; Layer 4: TCP/UDP Port, Protocol; DPI: Custom Mask & Offset. Dimension: Direction: Side A v. Side B, Source v. Destination; Criteria: Permit v. Deny per Criterion; Range: Efficient Address Masking; Types: Connection v. Destination
- Slide 28
- Filtering Structure Building Blocks Criteria Rules Filter
Topology
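The building blocks of slides 27 and 28 (per-layer criteria with permit or deny sense, address-mask ranges, source/destination/either-side direction, criteria grouped into rules, rules grouped into a filter), as an added software model that is not NetScout's implementation. The packets are constructed header fields, and the combination semantics are ASSUMED for illustration: a matching deny criterion drops the packet, the permit criteria of a rule are ANDed (as in the slide's `permit ip && ip.addr==...`), and the rules of a filter are ORed. The names `Criterion`, `Rule`, `Filter`, `build_security_filter` and `filter_demo` are chosen here.

```python
"""Model of PFS-style filtering: Criteria -> Rules -> Filter.
Added example, not NetScout code; combination semantics are ASSUMED."""
import ipaddress

# Constructed sample packets: decoded header fields only, no real captures.
PACKETS = [
    {"vlan": 100, "ethertype": 0x0800, "src": "192.168.0.171", "dst": "203.0.113.9",   "proto": "tcp", "dport": 443},
    {"vlan": 100, "ethertype": 0x0800, "src": "192.168.0.20",  "dst": "192.168.0.5",   "proto": "udp", "dport": 53},
    {"vlan": 200, "ethertype": 0x0800, "src": "10.1.2.3",      "dst": "192.168.0.171", "proto": "tcp", "dport": 22},
    {"vlan": 100, "ethertype": 0x0800, "src": "10.9.9.9",      "dst": "192.168.0.40",  "proto": "tcp", "dport": 80},
    {"vlan": 200, "ethertype": 0x0800, "src": "10.5.5.5",      "dst": "192.168.0.50",  "proto": "tcp", "dport": 80},
]


# Criterion predicates, one per layer named on slide 27.
def vlan_is(vid):                       # Layer 2: VLAN ID
    return lambda p: p["vlan"] == vid

def ethertype_is(et):                   # Layer 2: Ethertype (0x0800 = IPv4, i.e. 'permit ip')
    return lambda p: p["ethertype"] == et

def ip_src_in(cidr):                    # Layer 3, Source direction; one mask covers a range
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p["src"]) in net

def ip_dst_in(cidr):                    # Layer 3, Destination direction
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p["dst"]) in net

def ip_addr_in(cidr):                   # Layer 3, either side, like 'ip.addr==' on slide 21
    src, dst = ip_src_in(cidr), ip_dst_in(cidr)
    return lambda p: src(p) or dst(p)

def proto_is(name):                     # Layer 4: protocol
    return lambda p: p["proto"] == name

def dport_is(port):                     # Layer 4: TCP/UDP port
    return lambda p: p["dport"] == port


class Criterion:
    """One match condition with its own permit/deny sense."""
    def __init__(self, name, predicate, permit=True):
        self.name, self.predicate, self.permit = name, predicate, permit


class Rule:
    """ASSUMED: any matching deny criterion drops the packet; otherwise all
    permit criteria must match (AND)."""
    def __init__(self, name, criteria):
        self.name, self.criteria = name, criteria

    def evaluate(self, pkt):
        if any(c.predicate(pkt) for c in self.criteria if not c.permit):
            return False
        permits = [c for c in self.criteria if c.permit]
        return bool(permits) and all(c.predicate(pkt) for c in permits)


class Filter:
    """ASSUMED: rules combine with OR; a packet is forwarded if any rule permits it."""
    def __init__(self, name, rules):
        self.name, self.rules = name, rules

    def passes(self, pkt):
        return any(r.evaluate(pkt) for r in self.rules)


def build_security_filter(target_ip="192.168.0.171"):
    """'Traffic of interest': the dynamic target on either side, plus inbound
    TCP to the internal /24, with VLAN 200 excluded from that second rule."""
    dynamic_target = Rule("Dynamic Target", [
        Criterion("permit ip", ethertype_is(0x0800)),
        Criterion("ip.addr==target", ip_addr_in(target_ip + "/32")),
    ])
    inbound_tcp = Rule("Inbound TCP to internal", [
        Criterion("tcp", proto_is("tcp")),
        Criterion("internal dst", ip_dst_in("192.168.0.0/24")),
        Criterion("not VLAN 200", vlan_is(200), permit=False),
    ])
    return Filter("Security Monitoring", [dynamic_target, inbound_tcp])


def filter_demo(packets=PACKETS):
    """Return the packets the filter would forward to the monitoring tool."""
    flt = build_security_filter()
    return [p for p in packets if flt.passes(p)]


if __name__ == "__main__":
    for p in filter_demo():
        print(p["src"], "->", p["dst"], p["proto"], p["dport"])
```

Of the five constructed packets three are forwarded: both packets involving the target address (one of them in VLAN 200, because the Dynamic Target rule does not carry that deny), plus the inbound TCP packet on VLAN 100; the DNS packet matches no rule and the VLAN 200 packet to the internal /24 is dropped by the deny criterion.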
- Slide 29
- Flexible Filtering: Connection v. Destination Filter at
Destination Filter on Connection
- Slide 30
- Dynamic Targeting: On-demand Filter creation Both Connection
and Destination Filters work for Dynamic Targeting Filtering occurs
in hardware at line-rate Filter changes are non-disruptive (except
adding a Connection Filter into a Connection - obviously) Site A
Site B Escalation Analysis Continuous Monitoring PFS Network
TAPs
- Slide 31
- Traffic Conditioning: Problem & Requirement Problem: Cyber
Monitoring tool may be unable to parse some packet headers,
rendering payload analysis impossible. Requirement: Condition
Traffic within the monitoring switch.
- Slide 32
- DPI Challenges for Legacy Cyber Tools (Technology / InfiniStream / Legacy Cyber Monitoring Tools / Mitigation)
  - Cisco VN-Tag: InfiniStream parses header, analyzes content; legacy tools possibly confused by header, cannot parse traffic (!); mitigation: PFS strips VN-Tag
  - Cisco FabricPath: mitigation: PFS strips FabricPath
  - Duplicate packets: InfiniStream ignores duplicates; legacy tools may report false errors (!); mitigation: PFS dedups at L2 & L3
- Slide 33
- Summary 1.DYNAMIC TARGETING Expedite incident response,
especially after hours 2.FILTERING TOOLS Optimize monitoring tool
performance 3.ADVANCED TIPS & TRICKS Traffic Conditioning,
Metrics, Load-Balancing, Baselining
- Slide 34
- Summary 1.3900 SERIES PFS OVERVIEW Improve visibility while
controlling scale 2.DYNAMIC TARGETING Expedite incident response,
especially after hours 3.FILTERING TOOLS Optimize monitoring tool
performance
- Slide 35
- THANK YOU