Network Security Flashcards
Network Flow Monitoring
A way to collect and analyse traffic metadata
- IP Source & Destination
- Protocols
- Port
Can record all packets or just a random sample (resources vs time)
Helps spot anomalies by building a profile of normal traffic against which irregular traffic stands out
Consists of:
- Flow Exporter
- Flow Collector
- Analysis Console
Flow Exporter
A device that records network flows it sees and forwards data to a flow collector
- Typically run on a switch, router, or dedicated probe
Flow Collector
Stores and pre-processes data from one or more flow exporters
Analysis Console
Performs analysis and visualisation of data stored in the flow collector
Packet Capture
Step beyond network flow monitoring. Captures all network traffic and payloads
- Takes up a lot of storage
- Requires significant resources for processing
- Raises privacy concerns e.g. banking transactions will be logged; they may be encrypted, but they are still stored
Where to monitor traffic
Edge of network: e.g. firewall; misses local problems such as a malicious employee
More local monitoring: e.g. switch; generates significantly more monitoring traffic
Port Mirroring
Allows traffic passing through a network switch on one port to be copied and sent to another port for analysis and monitoring
- Must consider combined total bandwidth of the ports to ensure the mirrored port can receive all the necessary data
Network Taps
Copy and forward data to a specific port. Provides separate ports for separate directions of communication
ARP/NDP Tables to identify issues
A client access port typically has one MAC address connected to it. The following may signal ARP cache poisoning:
- Sudden increases in the number of MAC addresses appearing against a single port may indicate an issue
- Sudden appearance of a single MAC address on multiple ports
- An important MAC address appearing in an unexpected place may indicate an issue
Intrusion Detection Systems (IDS)
Extend monitoring tools by automatically watching a network for malicious activity and policy violations
- Alerts on potential problems
- Sniffing of traffic
IDS Traffic Rules
Traffic is matched against
Signatures: Known exploits, SQL injection strings
IP Reputation Lists: Store IP addresses known to be part of botnets
Protocol Anomalies: Unsolicited incoming packets e.g. TCP SYN/ACK
Traffic Anomalies: Sudden changes in specific device traffic
IDS Challenges
False Positive: Identifying legitimate behaviour as an attack
False Negative: Failing to identify an attack
IDSs need to be tuned to the network
- Improper tuning may lead to too many false positives causing network admins to ignore alerts when the threat is real
IPS
Intrusion Prevention System
Extends IDS by automatically responding to detected problems
- Block traffic
- Block suspicious accounts
- Segregate compromised hosts into another VLAN
- Trigger incident response processes
- Increase level of network monitoring e.g. Network Flow Monitoring -> Packet Capture
IDS & IPS Benefits
- Automatically detect and potentially prevent attacks
- Compensate for mistakes by human operators doing manual monitoring
- Log information for auditing
- Easily identify problems with security policies e.g. if all devices are violating the security policy, consider reworking the security policy
- Produce reports
IDS & IPS Limitations
- Configuration & Maintenance overhead
- False Positive/False negative balance: Ensure not too much is missed, it is an ongoing challenge as network traffic changes over time
- Not great against newly published attacks: signatures don’t exist
- Less effective against targeted attacks: Attackers aware of monitoring will take steps to avoid detection
- Encourages attackers to develop Advanced Evasion Techniques (AET)
- Cannot compensate for holes in security