13. Network Security Monitoring Flashcards

1
Q

NSM

A

Network Security Monitoring

  • Detection
  • Prevention
  • Investigation
2
Q

The Security process

A

Ongoing cycle;

  • Assessment
  • Protection
  • Detection
  • Response
3
Q

Traffic profiles

A

Understanding anomalies, normal profiles;
- expected source ports, destination ports
- Different OSs may pick source ports differently
- what should normal traffic to/from a DNS/web server look like?
When is the traffic not normal;
- When is DNS traffic part of a DDoS
- what if your web server is connecting out on port 80?

4
Q

Network Security Tools

A
Traffic Analysis
Penetration Testing
First hop security
Perimeter or subnet border defence
Infrastructure monitoring
5
Q

Traffic Analysis

A

IP Flow Records (NetFlow, sFlow, IPFIX)
Packet capture (Wireshark, tcpdump)
Intrusion detection systems (snort)

6
Q

Penetration testing

A

Network Scanning (nmap, Metasploit)

7
Q

First hop security

A

defending against local/internet attacks, eg rogue DHCP servers

8
Q

Perimeter or subnet border defence

A
traffic filtering
log analysis (eg firewall ACLs)
9
Q

Infrastructure monitoring

A

SNMP device management (NAV)

Simple Network Management Protocol

10
Q

Network Flow

A

Set of packets with common properties

eg. IP src/dst address, TCP/UDP src/dst port, protocol

11
Q

Flow export methods

A

Configure the export of flows on a router
Use a flow collector to gather flows to database for analysis
eg Cisco Netflow
- can spot ‘out of profile’ traffic
- after an incident can see which other systems in the network might have been involved
- doesn’t explicitly prevent any attack

12
Q

Packet Capture - Wireshark

A

Software that understands the structure - encapsulation - of different networking protocols.
Parses & displays fields along with their meanings.
- can capture data from a live network connection or from a file of already-captured packets
Eg
- A DNS response
- An http request
- Ethernet/IP/TCP header address

13
Q

Network Flow Info Use

A

Network flow is useful for traffic analysis mainly after the fact

  • usually an investigative tool, using only flow data
  • current possible DDoS or past incident correlation
14
Q

IDS

A

Intrusion Detection System

15
Q

Intrusion Detection System

A

Generally used for live incident detection
- must see, capture and analyse full packets from the live traffic feed
- typically port mirror traffic into the detector
Prefer to do at network edge to minimise volume
- capture and analysis at 10Gbit/s gets challenging

16
Q

IPS

A

Intrusion Prevention System
An IDS may signal a firewall device to block a source
- it then becomes an intrusion prevention system
- can block a host using BitTorrent for a period of time

17
Q

IDS/IPS is used for

A

IDS will match traffic/packets against:
- signature database (looking for exploits of known web packages)
- set of IP blacklists (known botnet command & control servers)
- possible protocol anomalies (bad IP headers)
Prioritising from a large number of reports from tools like Snort is a challenge

18
Q

Botnet

A

Collection of internet connected programs communicating with other similar programs to perform tasks
Clients usually infected by ‘drive by download’
DDoS, Adware, Spyware, E-mail spam, Click fraud, Fast flux, scareware
Wide variety of behaviour, eg changing DNS settings
Client activity can be detected by an IDS
Client downloads config file via HTTP GET
Client sends data to server via HTTP POST

19
Q

Penetration testing

A

Involves someone probing your network, usually from outside the perimeter, to detect potential vulnerabilities

  • if by a contracted security consultancy - expensive
  • could be done by a potential attacker
20
Q

Penetration testing aims

A

Identify open IP/port combinations and the services running on them
- check whether those services are secure
- produce some report for action
Interesting challenge for IPv6 due to subnet size

21
Q

First hop security

A

Detection/prevention of attacks from systems connected internally

  • specifically within the same IP subnet
  • possible rogue DHCP servers, attacks, IPv6 RAs (Router Advertisements)…
  • All rely on trust between all connected devices in the subnet
  • how do you know the DHCP response is from the right server?
22
Q

ARP spoofing

A

When an attacker sends a fake Address Resolution Protocol message onto a LAN
Can only be used on networks using ARP

23
Q

Mitigation for First Hop

A

Increased smartness in the managed layer 2 devices

  • DHCP snooping or DHCP Guard
  • Only allow DHCP responses from known DHCP server switch ports
  • Simpler to deploy than certificates, eg Authenticated DHCP
24
Q

Perimeter Security

A

Perimeter Defence
Classic perimeter firewall
- default deny mode blocks all traffic except that configured to pass (can end up with very large rule sets which need to be managed)
Firewall/ACL (Access Control List) principles at subnet boundaries
- this is a good reason to create subnets
- partition the risk
Host security/firewalls
- increasingly common but still huge issues
- security of home networking devices in the news recently

25
Q

Other border functions

A

Other types of traffic protection/controls may be applied at a perimeter firewall device
Eg
TCP SYN flood attack detection
- avoid simplest types of DoS attack
BCP 38 filtering (outbound)
- avoid spoofed IP packets leaving your network

26
Q

Network infrastructure monitoring

A

Do this to;
- detect anomalies
- implies you understand normal traffic behaviour
Can poll switch/router equipment via SNMP (Simple Network Management Protocol)
- store results in a db using tools like NAV
- can then query info (where was a given MAC address or IP address seen, want some form of accountability)
- can poll traffic counts and spot unusual traffic volumes