Automatic Network Protection Scenarios Using NetFlow, Vojtěch Krmíček (PowerPoint PPT Presentation)

SLIDE 1

Automatic Network Protection Scenarios Using NetFlow

Vojtěch Krmíček, Jan Vykopal

{krmicek|vykopal}@ics.muni.cz FloCon 2012 January 9-12, Austin, Texas

SLIDE 2

Part I Flow-based Network Protection

Krmicek et al. Automatic Network Protection Scenarios Using NetFlow 2 / 23

SLIDE 3

Goals and Components

Goals of Network Protection
  • Using NetFlow data to protect network.
  • Defending perimeter against attacks from outside.
  • Automated attack detection.
  • Suitable for high speed networks (10 Gbps+).

System Parts
  • Sensors (⇒ NetFlow data).
  • Control center (⇒ commands).
  • Active network components (⇒ blocking/filtering).
  • HAMOC platform – both sensor and active component.

SLIDE 4

General Architecture of Network Protection

SLIDE 5

NfSen/NFDUMP Collector Toolset Architecture

[Figure: NfSen/NFDUMP architecture; components: NetFlow v5/v9 input, NFDUMP backend, periodic update tasks and plugins, web front-end, user plugins, command-line interface]

NfSen – NetFlow Sensor – http://nfsen.sf.net/
NFDUMP – NetFlow display – http://nfdump.sf.net/

SLIDE 6

Methods for Data Analysis

TCP SYN scanning detection
  • Simple, effective general method, low false positive rate.

Honeypot monitoring
  • Uses subnet allocated for high- and low-interaction honeypots.
  • Eliminates false positives, mainly catches hosts from outside.

Brute force attack detection
  • Similar flows may be symptoms of this attack.
  • Suitable even for encrypted services such as SSH.

Round trip time anomaly detection
  • (D)DoS attacks overwhelm servers and increase response time.
  • Abrupt increase of RTT may point to attack/misconfiguration.

SLIDE 7

HAMOC Hardware Platform

Features
  • Traffic distribution among multiple CPU cores.
  • Network applications with hardware acceleration.
  • Capable of concurrent monitoring/blocking/filtering/etc.
  • Low-speed networks – SW alternative (NetFlow/iptables).

SLIDE 8

Network Protection – Deployment Scenarios

Scenarios
  • NetFlow probes + control center + RTBH¹ filtering
  • HAMOC as NetFlow probe and firewall
  • HAMOC as redirection to quarantine (phishing)
  • HAMOC as NetFlow probe and active attack tool
  • HAMOC as NetFlow probe and traffic limiter

¹ Remote Triggered Black Hole

SLIDE 9

Part II Network Protection Scenarios

SLIDE 10

NetFlow Probes + Control Center + RTBH Filtering

SLIDE 11

HAMOC as NetFlow Probe and Firewall

SLIDE 12

HAMOC as Redirection to Quarantine (Phishing)

SLIDE 13

HAMOC as NetFlow Probe and Active Attack Tool

SLIDE 14

HAMOC as NetFlow Probe and Traffic Limiter

SLIDE 15

Part III Network Protection Use Case: SSH Dictionary Attack and HAMOC Firewall

SLIDE 16
  • I. Attacker Performs SSH Horizontal Scan

[Figure: network diagram; label: Attacker]

SLIDE 17
  • II. Attacker Starts SSH Dictionary Attack

[Figure: network diagram; label: Attacker]

SLIDE 18
  • III. Center Detects Attack/Inserts Blocking Rule

[Figure: network diagram; label: Attacker]

SLIDE 19
  • IV. New SSH Attack, Blocked at the Border

[Figure: network diagram; label: Attacker]

SLIDE 20
  • V. Regular User Can Access Network, Attacker Not

[Figure: network diagram; labels: Attacker, Regular User]

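The use case in steps I to V above, together with the SYN scan and brute force methods from the "Methods for Data Analysis" slide, as an added worked example. This is not the authors' NfSen plugin or HAMOC code: the flow records are constructed inline (documentation address ranges), the detection thresholds are assumptions, and the blocking rule is written in iptables form because the slides name NetFlow/iptables as the software alternative but give no HAMOC rule syntax. The control center's decision is modelled on two of the slide's symptoms: a SYN-only flow of one or two packets to many hosts (horizontal scan) and many similar short flows to port 22 of one host (dictionary attack, one flow per login attempt).

```python
# Added example (not the authors' NfSen plugin or HAMOC code): flow-based detection
# of the SSH horizontal scan (step I) and SSH dictionary attack (step II), the blocking
# rule the control center pushes to the border (step III), and a simulated border filter
# (steps IV-V). Flow records, thresholds and the iptables rule form are constructed/assumed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record with the NetFlow v5 fields used below."""
    src: str
    dst: str
    dport: int
    pkts: int
    octets: int
    flags: str  # union of TCP flags seen in the flow, e.g. "S" = SYN only


# Constructed sample data (documentation address ranges, not a real capture).
ATTACKER, USER, SERVER = "203.0.113.7", "192.0.2.10", "198.51.100.5"
FLOWS = (
    # step I: horizontal scan -- one SYN packet to port 22 on 40 different hosts
    [Flow(ATTACKER, f"198.51.100.{i}", 22, 1, 60, "S") for i in range(1, 41)]
    # step II: dictionary attack -- 30 similar short sessions against one host,
    # one per login attempt; byte counts vary slightly with the password tried
    + [Flow(ATTACKER, SERVER, 22, 14, 1900 + (i % 3) * 10, "SAPF") for i in range(30)]
    # regular user: one long interactive SSH session, plus unrelated HTTPS traffic
    + [Flow(USER, SERVER, 22, 850, 120000, "SAPF"),
       Flow("192.0.2.11", "198.51.100.80", 443, 20, 9000, "SAPF")]
)


def detect_syn_scan(flows, min_targets=20):
    """TCP SYN scan: one source, SYN-only flows of 1-2 packets to many distinct hosts."""
    targets = defaultdict(set)
    for f in flows:
        if f.flags == "S" and f.pkts <= 2:
            targets[f.src].add(f.dst)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}


def detect_ssh_dictionary(flows, min_flows=20, tolerance=0.1):
    """Brute force: many completed flows from one source to port 22 of one host whose
    packet and byte counts lie within `tolerance` of the group's median (similar flows)."""
    groups = defaultdict(list)
    for f in flows:
        if f.dport == 22 and f.flags != "S":
            groups[(f.src, f.dst)].append(f)
    attackers = set()
    for (src, _dst), fs in groups.items():
        if len(fs) < min_flows:
            continue
        med_pkts = sorted(f.pkts for f in fs)[len(fs) // 2]
        med_oct = sorted(f.octets for f in fs)[len(fs) // 2]
        similar = [f for f in fs
                   if abs(f.pkts - med_pkts) <= tolerance * med_pkts
                   and abs(f.octets - med_oct) <= tolerance * med_oct]
        if len(similar) >= min_flows:
            attackers.add(src)
    return attackers


def blocking_rules(attackers):
    """Rules the control center would push to the border (iptables form, the SW
    alternative named on the HAMOC slide; HAMOC's own rule syntax is not given)."""
    return [f"iptables -I FORWARD -s {ip} -p tcp --dport 22 -j DROP"
            for ip in sorted(attackers)]


def border_filter(flows, blocked):
    """Simulate steps IV-V: SSH flows from blocked sources are dropped, all else passes."""
    return [f for f in flows if not (f.src in blocked and f.dport == 22)]


def run(flows=FLOWS):
    """Whole loop: detect, build rules, filter; returns what an operator would check."""
    attackers = detect_syn_scan(flows) | detect_ssh_dictionary(flows)
    rules = blocking_rules(attackers)
    passed = border_filter(flows, attackers)
    return attackers, rules, passed


if __name__ == "__main__":
    attackers, rules, passed = run()
    print("blocked sources:", sorted(attackers))
    print("\n".join(rules))
    print(f"{len(FLOWS) - len(passed)} flows dropped, {len(passed)} passed")
```

In the deployment the slides describe, the flows would come from the NfSen/NFDUMP collector rather than an in-memory list, and the rule would be pushed to HAMOC or the border router rather than printed. The honeypot and round trip time methods are not modelled here; the thresholds (20 scanned hosts, 20 similar flows, 10% tolerance) are illustrative and would be tuned per network to keep the false positive rate low, which is the property the slide claims for these methods.
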
SLIDE 21

Part IV Conclusion

SLIDE 22

Conclusion

Role of IP Flow Monitoring in High Speed Networks
  • Flow-based monitoring suitable for large networks.
  • Observe and automatically inspect 24x7 network data.
  • Possible future deployment in 10Gbps/40Gbps/100Gbps networks.

Automatic Network Protection
  • Class of attacks can be detected automatically.
  • Automatic network protection supports operators.
  • Detect and block attacks before hosts are infected.
  • Not usable in every situation – limitations.

SLIDE 23

Thank you for your attention!

Vojtěch Krmíček et al.

{krmicek|vykopal}@ics.muni.cz

Project CYBER

http://www.muni.cz/ics/cyber

Automatic Network Protection Scenarios Using NetFlow


This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801.