Security Monitoring In Your Network: Strategies to Safeguard Your Network Using NetScout's 3900 Series Packet Flow Switch
Ray Jones, Director of Solutions Architecture and Field Enablement
Slide 2
A BAD YEAR for Cyber Security: ENTERTAINMENT, GOVT & HEALTH CARE, PLATFORM, RETAIL, FINANCIAL
Slide 3
Cyber Security Monitoring: Two Challenges
1. Obscurity: the adversary often intentionally evades detection
2. Transience: the sequence of events may be difficult to reproduce
Slide 4
AGENDA: What you'll learn today
1. 3900 SERIES PACKET FLOW SWITCH INTRODUCTION: Extend visibility & take control of your monitoring environment
2. DYNAMIC TARGETING: Expedite & automate incident response
3. FILTERING TOOLS: Optimize security monitoring tool performance
Slide 5
3900 SERIES PACKET FLOW SWITCH INTRODUCTION: Scalable, flexible, feature rich.
Slide 6
nGenius 3900 Series Packet Flow Switch: pay-as-you-grow modules & chassis
- 3901 Chassis: 1RU modular switch; small single site or multi-site deployments needing 16 to 48 ports; up to 48 ports 1/10 GbE + 4 ports 40 GbE*
- 3903 Chassis: 3RU modular switch; medium to large single site or multi-site deployments needing > 48 ports; up to 144 ports 1/10 GbE + 12 ports 40 GbE*
- Centralized Management with PFS Management Software: supports > 4000 ports; large site deployments needing > 144 ports
* 100G Early Field Trial Available
Slide 7
nGenius 3900 Series Packet Flow Switch
- Built-in GUI Management or PFS Management System
- 1U and 3U Base Chassis Options
- Modular + Stackable Monitoring Fabric Growth
- 1/10/40Gbps Native per Blade
- Full Line Rate, All-Inclusive Blade Based Features
- 100G Early Field Trial Available
- Redundant Ethernet Management Ports
- Redundant AC/DC Power Supplies
- Redundant Switch Controllers: resides on each blade, automatic failover
- Interface Blade: FlexPorts supporting 1/10/40G; up to 48 x 1/10G per RU; up to 4 x 40G per RU
- Serial Console Port
Slide 8
nGenius 3900 Series Packet Flow Switch (blade detail): 16x 1G/10G; 4x 40G or 16x 1G/10G; Console; Full-Duplex 720Gbps Line-rate Processing; Advanced Switching Engine with Extensible Microcode
Slide 9
nGenius 3900 Series Packet Flow Switch (deployment diagram: Network, Site A, Site B)
Dynamic Targeting: Problem & Requirement
Problem: Security events may require reactive changes to the monitoring fabric.
Requirement: Implement dynamic, automated changes via a secure management channel.
Slide 12
Slides 12-17 (progressive build-up of one diagram: Site A, Site B, Network TAPs, PFS, Continuous Monitoring, Escalation Analysis)
Use Case: Targeted packet capture for suspect flows
1. Traffic flows through TAPs to Sites A & B
2. PFS steers traffic from TAPs to Monitoring tools
3. Monitoring tool detects suspicious activity (!!!)
4. a) Script configures packet flow switch to target IP address
   b) Script activates Escalation Analysis tool
5. PFS sends targeted traffic to Escalation Analysis tool
Slide 18
Scripting for Dynamic Targeting: Optimized Management for Monitoring Tools (nGeniusONE)
Slide 19
Scripting for Dynamic Targeting: Optimized Management for Monitoring Tools (nGeniusONE); PFS Manager for PFS
Slide 20
Scripting for Dynamic Targeting: SSH from Client to PFS and Monitoring Tools (SSH Client, PFS Manager; see the nGenius PFS Management Software Administrator Guide)
Slide 21
Sample PFS SSH/CLI Script

    import paramiko
    from paramiko_expect import SSHClientInteraction  # SSHClientInteraction comes from the paramiko-expect package

    def main():
        client = paramiko.SSHClient()
        client.load_system_host_keys()
        # AutoAddPolicy accepts any unknown host key; pin the PFS host key in known_hosts for production use
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        prompt = '=> '
        hostname = '10.88.39.192'  # Replace with actual IP address of PFS or PFS Mgmt Server
        username = 'administrator'  # Replace if you need to use a different user; normally "administrator" is correct
        password = 'netscout1'  # Replace with actual password
        client.connect(hostname, port=22022, username=username, password=password)  # Presumes that PFS CLI SSH uses default port 22022
        interact = SSHClientInteraction(client, timeout=10, display=True)
        interact.expect(prompt)
        # raw_input('Press Enter to continue')
        interact.send("Add Rule 'Dynamic Target' 'permit ip && ip.addr==192.168.0.171'")
        interact.expect(prompt)
        cmd_output = interact.current_output_clean  # CLI response to the Add Rule command
        client.close()
        return cmd_output

    if __name__ == '__main__':
        main()
Slide 22
What should the system do?
Upon trigger detection:
1. Create Rule(s) based upon the trigger, e.g., IP address
2. Create Filter(s) and assign Rule(s) to them
3. Connect Source Port(s) via Filter(s) to Destination Port(s)
4. Prepare the Escalation Analysis platform
Following All Clear:
5. Restore the original configuration
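The following is an added example, not code from the slides or from NetScout: a small Python helper that wraps the slide 21 "Add Rule" command for steps 1 and 5 above. The trigger IP normally comes from a monitoring-tool alert, so it is validated before being interpolated into the CLI line; the session also records every rule it added so the all-clear restore undoes exactly those. The `send` callable, the per-target rule naming and the "Delete Rule" undo line are assumptions (placeholders for the real PFS CLI syntax), and the example assumes the filter expression targets IPv4 as on the slide.

```python
import ipaddress
from typing import Callable, List


def build_target_rule(trigger_ip: str, rule_name: str = "Dynamic Target") -> str:
    """Return the 'Add Rule' CLI line from slide 21 for one trigger address.

    The address is parsed with ipaddress first: anything that is not a single
    IPv4 address (quotes, '&&', a CIDR range, a second command) raises
    ValueError and never reaches the PFS management channel.
    """
    addr = ipaddress.IPv4Address(trigger_ip.strip())  # IPv4 assumed, as on the slide
    return f"Add Rule '{rule_name}' 'permit ip && ip.addr=={addr}'"


class DynamicTargetSession:
    """Applies step 1 for each trigger and keeps an audit trail so step 5
    (restore after all-clear) removes exactly the rules this incident added.

    `send` delivers one CLI line (interact.send in the slide's script, or a
    list.append when testing offline). The undo line is an ASSUMED placeholder,
    not PFS syntax taken from the slides; replace it with the real command.
    """

    def __init__(self, send: Callable[[str], None]) -> None:
        self._send = send
        self.applied: List[str] = []  # rule names added during this incident

    def target(self, trigger_ip: str) -> str:
        addr = ipaddress.IPv4Address(trigger_ip.strip())
        name = f"Dynamic Target {addr}"  # assumed: one rule per target so each can be undone
        cmd = build_target_rule(str(addr), name)
        self._send(cmd)
        self.applied.append(name)
        return cmd

    def restore(self) -> List[str]:
        """Undo in reverse order and return the names removed."""
        undone: List[str] = []
        for name in reversed(self.applied):
            self._send(f"Delete Rule '{name}'")  # PLACEHOLDER undo syntax
            undone.append(name)
        self.applied.clear()
        return undone


if __name__ == "__main__":
    sent: List[str] = []  # constructed offline transport instead of an SSH session
    session = DynamicTargetSession(sent.append)
    session.target("192.168.0.171")
    session.restore()
    print("\n".join(sent))
```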
Slide 23
Components of Dynamic Targeting
1. Preparation: define/configure interfaces to PFS and tools
2. Identification: establish triggers for response
3. Response: initiate changes to monitoring infrastructure
Slide 24
FILTERING TOOLS: Everything you need, and nothing you don't.
Slide 25
Filtering: Problem & Requirement
Problem: Cyber tools may become congested by high traffic volumes.
Requirement: Filter for traffic of interest; expect to make changes later.
(diagram: Total Network Activity, Traffic of Interest, Threat)
Slide 26
Use Case: Limit traffic to necessary content (diagram: CyberSecurity Monitoring; Network Link Utilization; Packet Rate)
Slide 27
Filtering Techniques
Criteria:
- Layer 2: MAC, VLAN ID & Priority, Ethertype
- Layer 3: IP address, Payload type
- Layer 4: TCP/UDP Port, Protocol
- DPI: Custom Mask & Offset
Dimension:
- Direction: Side A v. Side B, Source v. Destination
- Criteria: Permit v. Deny per Criterion
- Range: Efficient Address Masking
- Types: Connection v. Destination
Slide 28
Filtering Structure Building Blocks: Criteria, Rules, Filter, Topology
Slide 29
Flexible Filtering: Connection v. Destination (Filter at Destination; Filter on Connection)
Slide 30
Dynamic Targeting: On-demand Filter creation
- Both Connection and Destination Filters work for Dynamic Targeting
- Filtering occurs in hardware at line-rate
- Filter changes are non-disruptive (except adding a Connection Filter into a Connection - obviously)
(diagram: Site A, Site B, Network TAPs, PFS, Continuous Monitoring, Escalation Analysis)
Slide 31
Traffic Conditioning: Problem & Requirement
Problem: A cyber monitoring tool may be unable to parse some packet headers, rendering payload analysis impossible.
Requirement: Condition traffic within the monitoring switch.