13. Network Security Monitoring Flashcards
NSM
Network Security Monitoring
- Detection
- Prevention
- Investigation
The Security process
Ongoing cycle:
- Assessment
- Protection
- Detection
- Response
Traffic profiles
Understanding anomalies, normal profiles:
- expected source ports, destination ports
- Different OSs may pick source ports differently
- what should normal traffic to/from a DNS/web server look like?
When is the traffic not normal:
- When is DNS traffic part of a DDoS?
- what if your web server is connecting out on port 80?
Network Security Tools
- Traffic Analysis
- Penetration Testing
- First hop security
- Perimeter or subnet border defence
- Infrastructure monitoring
Traffic Analysis
IP Flow Records (NetFlow, sFlow, IPFIX)
Packet capture (Wireshark, tcpdump)
Intrusion detection systems (snort)
Penetration testing
Network Scanning (nmap, Metasploit)
First hop security
defending against local/internet attacks, e.g. rogue DHCP servers
Perimeter or subnet border defence
traffic filtering, log analysis (e.g. firewalls, ACLs)
Infrastructure monitoring
SNMP device management (NAV)
Simple Network Management Protocol
Network Flow
Set of packets with common properties
eg. IP src/dst address, TCP/UDP src/dst port, protocol
Flow export methods
Configure the export of flows on a router
Use a flow collector to gather flows to database for analysis
e.g. Cisco NetFlow
- can spot ‘out of profile’ traffic
- after an incident can see which other systems in the network might have been involved
- doesn’t explicitly prevent any attack
Packet Capture - Wireshark
Software that understands the structure - encapsulation - of different networking protocols.
Parses & displays fields along with their meanings.
- can capture data from a live network connection or from a file of already-captured packets
Eg
- A DNS response
- An http request
- Ethernet/IP/TCP header address
Network Flow Info Use
Network flow useful for traffic analysis mainly after the fact
- usually an investigative tool, using only flow data
- current possible DDoS or past incident correlation
IDS
Intrusion Detection System
Intrusion Detection System
Generally used for live incident detection
- must see, capture and analyse full packets from the live traffic feed
- typically port mirror traffic into the detector
Prefer to do at network edge to minimise volume
- capture and analysis at 10Gbit/s gets challenging
IPS
Intrusion Prevention System
An IDS may signal a firewall device to block a source
- it then becomes an intrusion prevention system
- can block a host using BitTorrent for a period of time
IDS/IPS is used for
IDS will match traffic/packets against:
- signature database (looking for exploits of known web packages)
- set of IP blacklists (known botnet command & control servers)
- possible protocol anomalies (bad IP headers)
Prioritising from a large number of reports from tools like Snort is a challenge
Botnet
Collection of internet-connected programs communicating with other similar programs to perform tasks
Clients usually infected by ‘drive by download’
DDoS, Adware, Spyware, E-mail spam, Click fraud, Fast flux, scareware
Wide variety of behaviour, e.g. changing DNS settings
Client activity can be detected by an IDS
Client downloads config file via HTTP GET
Client sends data to server via HTTP POST
Penetration testing
Involves someone probing your network, usually from outside the perimeter, to detect potential vulnerabilities
- if by a contracted security consultancy - expensive
- could be done by a potential attacker
Penetration testing aims
Identify open IP/port combinations and the services running on them
- check whether those services are secure
- produce some report for action
Interesting challenge for IPv6 due to subnet size
First hop security
Detection/prevention of attacks from systems connected internally
- specifically within the same IP subnet
- possible rogue DHCP servers, attacks, IPv6 RAs (Router Advertisements)…
- All rely on trust between all connected devices in the subnet
- how do you know the DHCP response is from the right server?
ARP spoofing
When an attacker sends a fake Address Resolution Protocol message onto a LAN
Can only be used on networks using ARP
Mitigation for First Hop
Increased smartness in the managed layer 2 devices
- DHCP snooping or DHCP Guard
- Only allow DHCP responses from known DHCP server switch ports
- Simpler to deploy than certificates, eg Authenticated DHCP
Perimeter Security
Perimeter Defence
Classic perimeter firewall
- default deny mode blocks all traffic except that configured to pass (can end up with very large rule sets which need to be managed)
Firewall/ACL (Access Control List) principles at subnet boundaries
- this is a good reason to create subnets
- partition the risk
Host security/firewalls
- increasingly common but still huge issues
- security of home networking devices in the news recently
Other border functions
Other types of traffic protection/controls may be applied at a perimeter firewall device
Eg
TCP SYN flood attack detection
- avoid simplest types of DoS attack
- BCP 38 filtering (outbound)
- avoid spoofed IP packets leaving your network
Network infrastructure monitoring
Do this to:
- detect anomalies
- implies you understand normal traffic behaviour
Can poll switch/router equipment via SNMP (Simple Network Management Protocol)
- store results in a db using tools like NAV
- can then query info (where was a given MAC address or IP address seen, want some form of accountability)
- can poll traffic counts and spot unusual traffic volumes