Co se skrývá v datovém provozu? - Pavel Minařík
0 likes842 views
This document summarizes a presentation about network traffic monitoring and analysis. It discusses traditional monitoring tools like SNMP and newer tools that provide deeper traffic visibility. It explains how flow monitoring works and standards like NetFlow. The presentation also demonstrates how tools can analyze flow data to detect security issues, troubleshoot problems, and capture packets for forensic analysis. Real examples are shown of using these techniques to identify a malware infection and resolve a email delivery problem.
Co se skrývá v datovém provozu? - Pavel Minařík
- 1. Pavel Minařík What is hidden in network traffic? Security Session 2015, 11th April 2015, Brno, FIT VUT minarik@invea.com
- 2. • Traditional monitoring Availability of services and network components SNMP polling (interfaces, resources) 100+ tools and solutions on commercial and open sources basis (Cacti, Zabbix, Nagios, …) • Next-generation monitoring Traffic visibility on various network layers Detection of security and operational issues Network/Application performance monitoring Full packet capture for troubleshooting Monitoring Tools
- 5. Performance Monitoring Syn Syn, Ack Ack RTT TCP handshake Req Ack Data Client request SRT Server response Data Data Data Delay Round Trip Time – delay introduced by network Server Response Time – delay introduced by server/application Delay (min, max, avg, deviation) – delays between packets Jitter (min, max, avg, deviation) – variance of delays between packets
- 6. Flow Standards Cisco standard NetFlow v5 NetFlow v9 (Flexible NetFlow) fixed format only basic items available no IPv6, MAC, VLANs, … flexible format using templates mandatory for current needs provides IPv6, VLANs, MAC, … Independent IETF standard IPFIX („NetFlow v10“) the future of flow monitoring more flexibility than NetFlow v9 Huawei NetStream same as original Cisco standard NetFlow v9 Juniper jFlow similar to NetFlow v9 different timestamps
- 7. Flow Sources • Enterprise-class network equipment Routers, switches, firewalls • Mikrotik routers Popular and cost efficient hardware • Flow Probes Dedicated appliances for flow export • Trends Number of flow-enabled devices is growing L7 visibility, performance monitoring, …
- 8. Flow Gathering Schemes Probe on a SPAN port Probe on a TAP Flows from switch/router Pros • Accuracy • Performance • L2/L3/L4/L7 visibility • Same as „on a SPAN“ • All packets captured • Separates RX and TX • Already available • No additional HW • Traffic on interfaces Cons • May reach capacity limit • No interface number • Additional HW • Usually inaccurate • Visibility L3/L4 • Performance impact Facts • Fits most customers • Limited SPANs number • 2 monitoring ports • Always test before use Use • Enterprise networks • ISP uplinks, DCs • Branch offices (MPLS, …)
- 9. Traffic Analysis (using flow) • Bridges the gap left by endpoint and perimeter security solutions • Behavior based Anomaly Detection (NBA) • Detection of security and operational issues Attacks on network services, network reconnaissance Infected devices and botnet C&C communication Anomalies of network protocols (DNS, DHCP, …) P2P traffic, TOR, on-line messengers, … DDoS attacks and vulnerable services Configuration issues
- 10. Full Packet Capture • On-demand troubleshooting and forensic analysis • How to get packet traces? Tcpdump – Linux/Unix environment Winpcap – Windows environment Probes – appliances with packet capture capability FPGA-based HW adapters – high speed networks
- 11. Packet Analysis • Analysis of packet traces (PCAP files) • Software tools (commercial + open source) • Wireshark as de facto standards with large community support Support of hundreds of protocols Powerful filters, statistics, reconstruction, etc.
- 12. Examples From the Real Life Security issue Troubleshooting
- 13. Security Issue FlowMon © INVEA-TECH 2013 78 port scans? DNS anomalies? • Malware infected device in the internal network
- 14. Security Issue Let’s see the scans first Ok, users cannot access web Are the DNS anomalies related?
- 15. Security Issue Ok, which DNS is being used? 192.168.0.53? This is notebook! How did this happen?
- 16. Security Issue Let’s look for the details… Laptop 192.168.0.53 is doing DHCP server in the network
- 17. Security Issue Malware infected device Trying to redirect and bridge traffic Probably to get sensitive data
- 18. • Gmail e-mail delivery issue FlowMon Troubleshooting We are not receiving e-mails from Gmail And can’t figure it out Can you try to help us and fix it?
- 19. FlowMon Troubleshooting Using AS numbers it is possible to easily identify corresponding network traffic and do the analysis
- 20. FlowMon Troubleshooting All flows are 640B? TCP flags are normal This is not a network issue We need to see the packets Detailed visibility and drill down to flow level helps to understand traffic characteristics
- 21. FlowMon Troubleshooting Built-in packet capture capability enables to get full packet traces when needed
- 22. FlowMon Troubleshooting Ok, Gmail requests TLS 1.0
- 23. FlowMon Troubleshooting And mail server does not support that
- 24. Life Demo Attack detection and analysis is real-time
- 25. Life Demo • Use-case: directory traversal attack Flow-level visibility Automatic detection Packet capture and analysis
- 26. INVEA-TECH a.s. U Vodárny 2965/2 616 00 Brno Czech Republic www.invea-tech.com High-Speed Networking Technology Partner Questions? Pavel Minařík minarik@invea.com +420 733 713 703