MODULE 15 - CERTIFICATION CYBER OPS ASSOCIATE Flashcards
Introduction to Network Monitoring
Network Security Topology
“All networks are targets” is a common adage used to describe the current landscape of network security.
Therefore, to mitigate threats, all networks must be secured and protected.
This requires a defense-in-depth approach.
It requires using proven methods and a security infrastructure consisting of firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and endpoint security software.
These methods and technologies are used to introduce automated monitoring to the network, create security alerts, or automatically block offensive devices when something goes wrong.
However, for large networks, an extra layer of protection must be added. Devices such as firewalls and IPS operate based on pre-configured rules.
They monitor traffic and compare it against the configured rules. If there is a match, the traffic is handled according to the rule.
This works relatively seamlessly. However, sometimes legitimate traffic is mistaken for unauthorized traffic.
Called false positives, these situations require human eyes to see and evaluate them before they can be validated.
An important part of the job of the cybersecurity analyst is to review all alerts generated by network devices and determine the validity of the alerts.
Was that file that was downloaded by user X really malware?
Is that website that was visited by user Y really malicious?
Is the printer on the third floor really compromised because it is trying to connect to a server that is out on the internet?
These are questions that are commonly asked by security analysts daily.
It is their job to determine the correct answers.
Network Monitoring Methods
The day-to-day operation of a network consists of common patterns of traffic flow, bandwidth usage, and resource access.
Together, these patterns identify normal network behavior.
Security analysts must be intimately familiar with normal network behavior because abnormal network behavior typically indicates a problem.
To determine normal network behavior, network monitoring must be implemented.
Various tools are used to help discover normal network behavior including IDS, packet analyzers, SNMP, NetFlow, and others.
Some of these tools require captured network data.
There are two common methods used to capture traffic and send it to network monitoring devices:
Network taps, sometimes known as test access points (TAPs).
Traffic mirroring using Switch Port Analyzer (SPAN) or other port mirroring.
Network Taps
A network tap is typically a passive splitting device implemented inline between a device of interest and the network.
A tap forwards all traffic, including physical layer errors, to an analysis device while also allowing the traffic to reach its intended destination.
The figure displays a sample topology displaying a tap installed between a network firewall and the internal router.
https://snipboard.io/fEvlXW.jpg
Notice how the tap simultaneously sends both the transmit (TX) data stream from the internal router and the receive (RX) data stream to the internal router on separate, dedicated channels.
This ensures that all data arrives at the monitoring device in real time.
Therefore, network performance is not affected or degraded by monitoring the connection.
Taps are also typically fail-safe, which means if a tap fails or loses power, traffic between the firewall and internal router is not affected.
Traffic Mirroring and SPAN
Network switches segment the network by design.
This limits the amount of traffic that is visible to network monitoring devices.
Because capturing data for network monitoring requires all traffic to be captured, special techniques must be employed to bypass the network segmentation imposed by network switches.
Port mirroring is one of these techniques.
Supported by many enterprise switches, port mirroring enables the switch to copy frames that are received on one or more ports to a Switch Port Analyzer (SPAN) port that is connected to an analysis device.
The table identifies and describes terms used by the SPAN feature.
– Ingress traffic: Traffic that enters the switch.
– Egress traffic: Traffic that leaves the switch.
– Source (SPAN) port: Source ports are monitored as traffic entering them is replicated (mirrored) to the destination ports.
– Destination (SPAN) port: A port that mirrors source ports. Destination SPAN ports often connect to analysis devices such as a packet analyzer or an IDS.
The figure shows a switch that interconnects two hosts and mirrors traffic to an intrusion detection device (IDS) and network management server.
SPAN
https://snipboard.io/35HTU4.jpg
The switch will forward ingress traffic on F0/1 and egress traffic on F0/2 to the destination SPAN port G0/1 that connects to an IDS. The association between source ports and a destination port is called a SPAN session.
In a single session, one or multiple ports can be monitored. On some Cisco switches, session traffic can be copied to more than one destination port. Alternatively, a source VLAN can be specified in which all ports in the source VLAN become sources of SPAN traffic.
Each SPAN session can have ports or VLANs as sources, but not both.
Note: A variation of SPAN called Remote SPAN (RSPAN) enables a network administrator to use the flexibility of VLANs to monitor traffic on remote switches.
Introduction to Network Monitoring Tools
Network Security Monitoring Tools
Common tools that are used for network security monitoring include:
1) Network protocol analyzers such as Wireshark and Tcpdump
2) NetFlow
3) Security Information and Event Management Systems (SIEM)
It is also common for security analysts to rely on log files and Simple Network Management Protocol (SNMP) for network behavior discovery.
Practically all systems generate log files to record and communicate their operations.
By closely monitoring log files, a security analyst can gather extremely valuable information.
SNMP allows analysts to request and receive information about the operation of network devices. It is another good tool for monitoring the behavior of a network.