Lancope Management Presentation: Technical Introduction to the
StealthWatch System
Person #1
Person #2
AGENDA
How NBA technologies work
Infrastructure IPS
NETWORK ANOMALY DETECTION USING FLOWS
Based on analysis of “flow” data (statistics, changes in
behavior)
sFlow (Extreme, HP Procurve, Foundry)
NetFlow (Cisco, Juniper)
Not signature-based (behavior based)
Mature but evolving technology
Perfect complement to existing security and network management
technologies
Designed primarily for internal network deployments (but can exist
at the perimeter if necessary)
© 2007 Property of Lancope. Proprietary and Confidential.
THE STEALTHWATCH SYSTEM
STEALTHWATCH ENTERPRISE DEPLOYMENT OVERVIEW
COLLECTING FLOWS FROM ROUTERS AND SWITCHES
[Diagram: flows exported from routers and switches serving the Sales, Servers, Marketing, Remote Sites, Remote Users, and Extranet segments are collected centrally]
WHAT IS NETFLOW?
NetFlow Packet Header
WHAT IS SFLOW?
Almost all Foundry products support sFlow, as do Extreme and HP
switches
sFlow includes payload
1 in N packets are sent from the switch to the flow collector
Statistical scaling is used to recover the actual network traffic
patterns from the sFlow samples
The more samples, the more accurate analysis becomes
Duplicate sFlow PDUs must be handled and removed
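The two mechanics on this slide, scaling 1-in-N samples back to an estimate of the real traffic and discarding duplicate sample PDUs, as an added example (constructed sample records, not Lancope code; the sample dictionaries and the (agent, sequence, index) dedup key are assumptions about how a collector would identify a sample):

```python
"""Scale sFlow packet samples to traffic estimates and drop duplicate PDUs.
Added example with constructed data; not Lancope's collector logic."""
import math
from collections import defaultdict

# Constructed sFlow-style samples: one entry per sampled packet. agent/seq
# identify the exporting switch and datagram; idx is the sample within it.
# The same datagram can arrive twice (e.g. two export paths), so
# (agent, seq, idx) is the duplicate key. rate N means 1 packet in N was sampled.
SAMPLES = [
    {"agent": "10.0.0.2", "seq": 100, "idx": 0, "rate": 128,
     "src": "10.1.1.5", "dst": "10.2.2.9", "dport": 80, "bytes": 1500},
    {"agent": "10.0.0.2", "seq": 100, "idx": 1, "rate": 128,
     "src": "10.1.1.5", "dst": "10.2.2.9", "dport": 80, "bytes": 1500},
    {"agent": "10.0.0.2", "seq": 100, "idx": 0, "rate": 128,        # duplicate of the first sample
     "src": "10.1.1.5", "dst": "10.2.2.9", "dport": 80, "bytes": 1500},
    {"agent": "10.0.0.2", "seq": 101, "idx": 0, "rate": 128,
     "src": "10.1.1.7", "dst": "10.2.2.9", "dport": 443, "bytes": 60},
    {"agent": "10.0.0.3", "seq": 7, "idx": 0, "rate": 64,           # second switch, different rate
     "src": "10.1.1.7", "dst": "10.2.2.9", "dport": 443, "bytes": 60},
]


def dedupe(samples):
    """Keep the first copy of each (agent, seq, idx); drop re-delivered PDUs."""
    seen, out = set(), []
    for s in samples:
        key = (s["agent"], s["seq"], s["idx"])
        if key not in seen:
            seen.add(key)
            out.append(s)
    return out


def scale(samples):
    """Estimate packets and bytes per (src, dst, dport): each 1-in-N sample
    stands for about N packets, so multiply counts and bytes by its rate."""
    est = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for s in samples:
        k = (s["src"], s["dst"], s["dport"])
        est[k]["packets"] += s["rate"]
        est[k]["bytes"] += s["rate"] * s["bytes"]
    return dict(est)


def estimate_traffic(samples):
    return scale(dedupe(samples))


def relative_error_pct(n_samples):
    """Approximate 95% error bound (percent) on a count built from n samples,
    the 196/sqrt(n) rule of thumb from sFlow.org: more samples, less error."""
    return 196.0 / math.sqrt(n_samples)


if __name__ == "__main__":
    for key, est in estimate_traffic(SAMPLES).items():
        print(key, est)
    print(f"100 samples -> about {relative_error_pct(100):.1f}% error")
```

The error rule makes the slide's "more samples, more accurate" concrete: 100 samples of a class give roughly a 20% bound, 10,000 give roughly 2%.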
CONFIGURING NETFLOW AND SFLOW
sFlow on a switch:
interface> sflow forwarding
config> sflow sample 128
config> sflow polling-interval 30

NetFlow on a Cisco router:
router(config-if)# ip route-cache flow

Configuring both sFlow and NetFlow is a simple command-line
adjustment to a router or switch.
NETFLOW IMPACT ON THE ROUTER (CPU)
Check on current router CPU utilization*
* NetFlow v5 adds approximately 10% to overall CPU
Cisco has made vast improvements in the efficiency of NetFlow
processing over the last 3 to 5 years. Modern routers can process
NetFlow with little to no noticeable CPU impact.
NETFLOW IMPACT ON THE NETWORK (BANDWIDTH)
Number of active flows
Flows per second (fps)
Lancope offers a NetFlow Bandwidth calculator that can be used to
estimate the actual amount of sustained NetFlow bandwidth.
Generally speaking, NetFlow bandwidth will amount to approximately
1% of the bandwidth being observed (worst case).
VIEWING THE ROUTER NETFLOW CACHE DIRECTLY
[Screenshot: router NetFlow cache listing, with a worm-infected host highlighted]
CAPTURING AND VIEWING NETFLOW PACKETS: FLOW-TOOLS
[Screenshot: flow-print output, annotated with the start and end times, pkts, and bytes columns]
The example above shows actual flows being captured using
flow-capture from the flow-tools open source toolkit. As flows are
captured, they are sent to flow-print for formatting and decode.
From flow-print, we grep out the IP we’re looking for. In this
case, we’re observing scanning from 24.99.19.81 to 209.182.187.0/24
on TCP port 9999.
DATA REDUCTION: FLOW NORMALIZATION
2. Two NetFlow records are exported from the router…
3. StealthWatch associates the two NetFlow records, building one
stateful entry…
This series of screenshots represents a simple web request to
slashdot.org. The resulting NetFlow records are consolidated
(normalized) into a single StealthWatch record. Many NetFlow
records may constitute a single StealthWatch “flow”. The ability to
consolidate many directional flows into a single stateful,
bidirectional flow is a key characteristic of the StealthWatch
system (allows for: data reduction, interoperability, ease in
training, etc).
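The consolidation step described above, as an added example (constructed records, not Lancope's normalization code): unidirectional NetFlow records for a web request and a DNS lookup are paired into stateful, bidirectional flows. The record fields, the direction-independent key, and the "earliest sender is the client" heuristic are assumptions of this example.

```python
"""Normalize unidirectional NetFlow records into bidirectional flows.
Added example with constructed records; not Lancope's algorithm."""
from dataclasses import dataclass


@dataclass
class NetFlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    first_ms: int   # router uptime when the first packet was seen
    last_ms: int    # router uptime when the last packet was seen


@dataclass
class BiFlow:
    client: str
    server: str
    cport: int
    sport: int
    proto: int
    start_ms: int
    end_ms: int
    client_pkts: int = 0
    client_bytes: int = 0
    server_pkts: int = 0
    server_bytes: int = 0
    records: int = 0    # how many NetFlow records were folded into this flow


def flow_key(r):
    """Direction-independent key: both halves of a conversation map to one key."""
    a, b = (r.src, r.sport), (r.dst, r.dport)
    return (min(a, b), max(a, b), r.proto)


def normalize(records):
    """Fold every record of a conversation (both directions, and re-exports
    after the router's active timeout) into a single BiFlow."""
    flows = {}
    # earliest record first, so the sender of the first packet becomes the client
    for r in sorted(records, key=lambda r: r.first_ms):
        k = flow_key(r)
        f = flows.get(k)
        if f is None:
            f = BiFlow(r.src, r.dst, r.sport, r.dport, r.proto, r.first_ms, r.last_ms)
            flows[k] = f
        if (r.src, r.sport) == (f.client, f.cport):
            f.client_pkts += r.packets
            f.client_bytes += r.octets
        else:
            f.server_pkts += r.packets
            f.server_bytes += r.octets
        f.start_ms = min(f.start_ms, r.first_ms)
        f.end_ms = max(f.end_ms, r.last_ms)
        f.records += 1
    return list(flows.values())


# Constructed records: a DNS lookup, then a web request whose client->server
# half is exported twice because the router's active timeout split it.
RECORDS = [
    NetFlowRecord("192.168.1.10", "192.168.1.1", 40000, 53, 17, 1, 64, 990, 990),
    NetFlowRecord("192.168.1.1", "192.168.1.10", 53, 40000, 17, 1, 180, 992, 992),
    NetFlowRecord("192.168.1.10", "203.0.113.80", 51234, 80, 6, 6, 720, 1000, 1400),
    NetFlowRecord("203.0.113.80", "192.168.1.10", 80, 51234, 6, 8, 9500, 1050, 1420),
    NetFlowRecord("192.168.1.10", "203.0.113.80", 51234, 80, 6, 2, 120, 1500, 1600),
]


def flows_by_server(records=RECORDS):
    return {f.server: f for f in normalize(records)}


if __name__ == "__main__":
    for f in normalize(RECORDS):
        print(f)
```

Five exported records become two flows, which is the data reduction the slide refers to; the client/server choice is a heuristic, and a collector that sees the server's reply first (asymmetric routing, a late-starting export) would need the lower-port or SYN-flag rule instead.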
CHALLENGES WITH FLOW-BASED MONITORING
Duplicate flows are often seen (and must be removed)
No payload data (must rely on statistics; not so easy)
Requires all routers be NTP synced and share similar settings (for
proper security processing)
ICMP type and codes are overloaded into TCP/UDP port field (but not
always!)
Implementations vary from vendor to vendor (Extreme’s NetFlow is
badly broken while Cisco works very well)
Tremendous amount of storage required
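As an added example serving both the "What is NetFlow?" header slide and the ICMP challenge above (not Lancope code; the datagram is constructed inline, not captured from a router): a decoder for the NetFlow v5 export format, 24-byte header followed by 48-byte records, which also unpacks the ICMP type and code that Cisco exporters place in the destination-port field. The type*256+code convention is Cisco's; the code keeps the raw port because, as the slide notes, not every exporter does this.

```python
"""Decode NetFlow v5 export datagrams. Added example; the input datagram is
constructed with build_v5() below, not captured traffic."""
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes


def parse_v5(datagram):
    """Return (header, records) for one v5 datagram; raise on truncation."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    (version, count, uptime_ms, unix_secs, unix_nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime_ms,
              "unix_secs": unix_secs, "unix_nsecs": unix_nsecs, "flow_sequence": seq,
              "engine": (engine_type, engine_id),
              # top two bits: sampling mode; low 14 bits: 1-in-N interval
              "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, _pad2) = f
        rec = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
               "nexthop": str(IPv4Address(nexthop)), "in_if": in_if, "out_if": out_if,
               "packets": pkts, "octets": octets, "first_ms": first, "last_ms": last,
               "sport": sport, "dport": dport, "tcp_flags": tcp_flags, "proto": proto,
               "tos": tos, "src_as": src_as, "dst_as": dst_as,
               "src_mask": src_mask, "dst_mask": dst_mask}
        if proto == 1:
            # Cisco packs ICMP type/code into dport as type*256 + code.
            # Other exporters may not, so the raw dport stays in the record.
            rec["icmp_type"], rec["icmp_code"] = dport >> 8, dport & 0xFF
        records.append(rec)
    return header, records


def build_v5(records, seq=1, sampling=0):
    """Pack dict records into a v5 datagram; used only to construct test input."""
    hdr = V5_HEADER.pack(5, len(records), 123456, 1_170_000_000, 0, seq, 0, 0, sampling)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(r["src"]).packed, IPv4Address(r["dst"]).packed,
                       IPv4Address(r.get("nexthop", "0.0.0.0")).packed,
                       r.get("in_if", 1), r.get("out_if", 2), r["packets"], r["octets"],
                       r["first_ms"], r["last_ms"], r["sport"], r["dport"], 0,
                       r.get("tcp_flags", 0), r["proto"], 0, 0, 0, 24, 24, 0)
        for r in records)
    return hdr + body


# Constructed datagram: one TCP SYN-only flow and one ICMP echo request
# (type 8, code 0 -> dport 0x0800). Addresses are documentation ranges.
CONSTRUCTED = build_v5([
    {"src": "198.51.100.20", "dst": "203.0.113.5", "sport": 40001, "dport": 9999,
     "proto": 6, "tcp_flags": 0x02, "packets": 1, "octets": 60,
     "first_ms": 100000, "last_ms": 100000},
    {"src": "198.51.100.21", "dst": "203.0.113.6", "sport": 0, "dport": 0x0800,
     "proto": 1, "packets": 4, "octets": 336, "first_ms": 100500, "last_ms": 103500},
], seq=42, sampling=(1 << 14) | 128)

if __name__ == "__main__":
    hdr, recs = parse_v5(CONSTRUCTED)
    print(hdr)
    for r in recs:
        print(r)
```

The length check matters when a collector is fed from the network: a header count that exceeds the bytes actually received is the usual symptom of truncated or corrupted exports, and silently reading past the end would produce phantom flows.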
Network Behavior Analysis
Collect and analyze flows…
Establish baseline of behavior…
IF WE DON’T HAVE PAYLOAD, HOW DO WE DETECT ATTACKS?
Look for patterns of behavior in flow traffic…
One host contacting large numbers of other hosts in a short time
frame (P2P apps, worms)
Long flow durations (VPNs, covert channels)
Unauthorized ports in use (rogue servers, applications)
Bandwidth anomalies (DoS, warez servers)
Unauthorized communications (VPN host talking to accounting
server)
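The five behavior patterns listed above, and the port-9999 scan the flow-tools slide greps for, expressed as rules over normalized flow records, as an added example (constructed flows, thresholds, host groups and baselines are all assumptions of this example; this is not Lancope's detection logic):

```python
"""Behavior-based detection over payload-free flow records: fan-out (scans,
worms, P2P), long-lived sessions, unauthorized ports, bandwidth far above a
per-host baseline, and traffic between host groups that must not talk.
Added example with constructed data; not Lancope's detection logic."""
from collections import defaultdict
from ipaddress import ip_address, ip_network


def mk(client, server, sport, proto, start, end, nbytes):
    """Build one constructed bidirectional flow (start/end in seconds)."""
    return {"client": client, "server": server, "sport": sport, "proto": proto,
            "start": start, "end": end, "bytes": nbytes}


# Constructed flow set: one ordinary HTTPS session plus one instance of each
# pattern. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
FLOWS = [mk("10.1.1.5", "203.0.113.10", 443, 6, 1000, 1002, 12_000)]
# one host touching 25 distinct servers on TCP/9999 within six seconds
FLOWS += [mk("10.1.1.50", f"203.0.113.{i}", 9999, 6, 1000 + i // 5, 1000 + i // 5, 60)
          for i in range(1, 26)]
FLOWS.append(mk("10.1.1.20", "198.51.100.7", 443, 6, 1000, 1000 + 10 * 3600, 40_000))  # 10-hour session
FLOWS.append(mk("10.1.1.21", "198.51.100.8", 6667, 6, 1000, 1010, 2_000))             # port not on the allow-list
FLOWS.append(mk("10.1.1.30", "198.51.100.9", 80, 6, 1000, 1300, 900_000_000))         # far above its baseline
FLOWS.append(mk("10.200.0.5", "10.50.0.10", 445, 6, 1000, 1005, 50_000))              # VPN pool -> accounting

AUTHORIZED_SERVER_PORTS = {25, 53, 80, 443, 445}
BASELINE_BYTES = defaultdict(lambda: 5_000_000)   # constructed per-host norm for the period
BASELINE_BYTES["10.1.1.30"] = 10_000_000
HOST_GROUPS = {"vpn_users": ip_network("10.200.0.0/24"),
               "accounting": ip_network("10.50.0.0/24")}
DENIED_GROUP_PAIRS = {("vpn_users", "accounting")}


def fan_out(flows, window_s=60, threshold=20):
    """Clients that reach at least `threshold` distinct servers inside one window."""
    buckets = defaultdict(set)
    for f in flows:
        buckets[(f["client"], f["start"] // window_s)].add(f["server"])
    return sorted({c for (c, _), servers in buckets.items() if len(servers) >= threshold})


def long_flows(flows, max_s=4 * 3600):
    """Sessions outliving a duration ceiling (VPN tunnels, covert channels)."""
    return [f for f in flows if f["end"] - f["start"] > max_s]


def unauthorized_ports(flows, allowed=AUTHORIZED_SERVER_PORTS):
    """Flows whose server port is not on the allow-list (rogue servers, odd apps)."""
    return [f for f in flows if f["sport"] not in allowed]


def bandwidth_anomalies(flows, factor=10):
    """Clients whose total bytes exceed `factor` times their baseline."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["client"]] += f["bytes"]
    return sorted(h for h, b in totals.items() if b > factor * BASELINE_BYTES[h])


def group_of(ip):
    addr = ip_address(ip)
    return next((name for name, net in HOST_GROUPS.items() if addr in net), None)


def unauthorized_comms(flows):
    """Flows between host groups that policy says must not communicate."""
    return [f for f in flows
            if (group_of(f["client"]), group_of(f["server"])) in DENIED_GROUP_PAIRS]


def run_all(flows=FLOWS):
    return {"fan_out": fan_out(flows),
            "long_flows": [f["client"] for f in long_flows(flows)],
            "unauthorized_ports": sorted({f["sport"] for f in unauthorized_ports(flows)}),
            "bandwidth": bandwidth_anomalies(flows),
            "group_policy": [(f["client"], f["server"]) for f in unauthorized_comms(flows)]}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

Each rule is deliberately simple so the trade-off is visible: the fan-out and bandwidth rules depend on the window and baseline chosen, so they need tuning per environment, while the port and host-group rules are policy and only fire when the policy is written down.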
NBA OPERATIONAL EXAMPLE
BENEFIT: ENTERPRISE-WIDE VISIBILITY
“Flows” provide total visibility across a wide network range by
collecting data from routers in varying locations. This gives
StealthWatch total supervision over the network and provides an
ability to track behavior throughout the network, from start to
end.
Other technologies see only what’s within their local “scope” of a
SPAN or tap port.
BENEFIT: ENTERPRISE WIDE VISIBILITY IN ACTION
BENEFIT: OVERCOME COMPLEX DEPLOYMENTS, COST, AND SPEED
8 Inline IPS @ $64,995: $519,960
1 NetFlow-based Xe-2000: <$150,000
[Diagram: eight inline IPS devices distributed across internal segments, plus a perimeter IPS above the firewall]
Modern, complex environments create significant challenges for
inline IPS solutions. The above diagram shows the need for eight
4-segment inline devices plus a perimeter IPS above the firewall. This
kind of deployment is both costly and complex to deploy and
manage.
Example pricing for Inline IPS technology:
ISS Proventia G200: 1 segment, $11,999
Netscreen IDS-500: 1 segment, $34,999
Top Layer IPS 2400: 1 segment, $80,000
Tipping Point Unity-1 1200 (1Gbps): 4 segments, $64,995
Tipping Point Unity-1 2400 (2Gbps): 4 segments, $89,995
McAfee Intrushield 4000: 2 segments, $99,995
(ref: NSS report on Intrusion Prevention)
BENEFIT: LIGHT-WEIGHT, EASY TO DEPLOY
2 IDP/IPS Sensors Required
12 IDS/IPS Sensors Required
Monitoring remote sites is costly. The classic deployment model
would have an IDS/IPS device at every remote location, especially
in MPLS meshed environments where there is no single
chokepoint.
Xe solves this problem by monitoring remote locations through the
NetFlow messages their routers already export. Where we would have
needed 12 network sensors before, we now need only one Xe appliance.
BENEFIT: LIGHT-WEIGHT, EASY TO DEPLOY
2 IDP/IPS Sensors Required
1 NetFlow Collector Required
BENEFIT: POWERFUL LOGGING AND FORENSICS
INFRASTRUCTURE IPS: HOW IT WORKS
NETWORK TRAFFIC ANALYSIS AND VISUALIZATION
SUMMARY
NetFlow provides powerful forensics, auditing, and attack detection
capability without the need for additional hardware or software
updates.
Cisco routers are everywhere.
Both open-source and commercial products are available for
analyzing NetFlow.
NetFlow analysis allows for detection of new worms without the need
for signature updates.
www.lancope.com