Overview of NetFlow, NetFlow and ITSG-33, Existing Monitoring - PowerPoint PPT Presentation

SLIDE 2

• Overview of NetFlow™
• NetFlow™ and ITSG-33
• Existing Monitoring Tools
• Network Monitoring and Visibility Challenges
• Technology of the future
• Q&A

SLIDE 3

What is NetFlow?

• Network protocol originally developed by Cisco for collecting IP traffic information and monitoring network traffic.

• NetFlow looks at IP flows rather than counting bytes at interfaces.

• A flow is a stream of IP packets that have the following seven identical fields:
  • A common source IP address
  • A common destination IP address
  • A common source port
  • A common destination port
  • Same layer 3 protocol
  • Same type of service
  • The same logical interface
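The seven fields above form the key an exporter uses to decide which packets belong to the same flow. The Python below is an added example (not code from the presentation, and not Cisco's exporter logic) that groups constructed packet records into flows on that key; the active/inactive timeouts are assumed values chosen to show when a flow is closed and exported, not figures from the slides.

```python
"""Group packets into NetFlow-style flows on the seven-field key from the slide.

Added example, not from the presentation. Packet records are constructed
sample data; a real exporter builds them from the packets a router or
switch forwards.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import List, Tuple

# Seven-field key: src IP, dst IP, src port, dst port, layer-3 protocol,
# type of service, logical (input) interface index.
FlowKey = Tuple[str, str, int, int, int, int, int]


@dataclass
class Flow:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0          # OR of the TCP flags seen across the flow


def pkt(ts, src, dst, sport, dport, proto, length, tos=0, ifindex=1, flags=0):
    """Build one packet record (constructed input, not exporter output)."""
    return {"ts": ts, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "tos": tos, "ifindex": ifindex, "len": length,
            "flags": flags}


def flow_key(p: dict) -> FlowKey:
    return (p["src"], p["dst"], p["sport"], p["dport"],
            p["proto"], p["tos"], p["ifindex"])


def aggregate(packets: List[dict], active_timeout: float = 1800.0,
              inactive_timeout: float = 15.0) -> List[Flow]:
    """Return the flows in the order they were exported.

    A flow is exported when it has been idle longer than inactive_timeout or
    alive longer than active_timeout (assumed values, not figures from the
    slides); whatever is still open is flushed at the end of the capture.
    """
    active: "OrderedDict[FlowKey, Flow]" = OrderedDict()
    exported: List[Flow] = []
    for p in sorted(packets, key=lambda x: x["ts"]):
        now = p["ts"]
        # Expire flows first, so a packet arriving after a long gap starts a new one.
        for k in list(active):
            f = active[k]
            if now - f.last_seen > inactive_timeout or now - f.first_seen > active_timeout:
                exported.append(active.pop(k))
        k = flow_key(p)
        if k not in active:
            active[k] = Flow(key=k, first_seen=now, last_seen=now)
        f = active[k]
        f.packets += 1
        f.bytes += p["len"]
        f.last_seen = now
        f.tcp_flags |= p["flags"]
    exported.extend(active.values())
    return exported


# Constructed sample: a short HTTPS session, one DNS query, a packet to the
# same HTTPS endpoint but with a different TOS (a separate flow by definition),
# and a packet to the HTTPS endpoint after a long gap (a new flow after expiry).
SAMPLE_PACKETS = [
    pkt(0.00, "10.0.0.5", "192.0.2.10", 51000, 443, 6, 60, flags=0x02),
    pkt(0.05, "10.0.0.5", "10.0.0.53", 40000, 53, 17, 70),
    pkt(0.10, "10.0.0.5", "192.0.2.10", 51000, 443, 6, 1200, flags=0x18),
    pkt(0.15, "10.0.0.5", "192.0.2.10", 51000, 443, 6, 100, tos=0x10, flags=0x18),
    pkt(0.20, "10.0.0.5", "192.0.2.10", 51000, 443, 6, 1200, flags=0x18),
    pkt(0.30, "10.0.0.5", "192.0.2.10", 51000, 443, 6, 60, flags=0x11),
    pkt(100.0, "10.0.0.5", "192.0.2.10", 51000, 443, 6, 60, flags=0x02),
]

if __name__ == "__main__":
    for f in aggregate(SAMPLE_PACKETS):
        print(f.key, f.packets, "pkts", f.bytes, "bytes", hex(f.tcp_flags))
```

Running it yields four flows: the HTTPS session (4 packets, 2520 bytes), the DNS query, the TOS-0x10 packet as its own flow, and a fresh flow for the packet that arrived after the inactive timeout. This is why flow counts depend on exporter timeouts as much as on traffic, and why a collector should treat the timeout settings as part of the baseline.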
SLIDE 4

NetFlow Benefits

• Network administrators can use NetFlow in many different ways to get valuable insights into their network:
  • Bandwidth Monitoring and Traffic Analysis
  • Network Forensics and Security Management
  • Application Monitoring
  • Tracking Application Migration
  • Validating QoS
  • Capacity Planning
  • Identify worms and malware
  • Analysis of VPN traffic and Teleworker behavior
  • Calculating total cost of ownership for applications
SLIDE 5

Use of NetFlow for Security (Examples)

Network Auditing – Tracking the flow of data to and from the systems that process the information.

Informed Decisions – More and better information leads to better decisions.

Availability – Determining where more bandwidth is required as a result of the network's growth.

Insiders Engaged in Malicious Actions, Data Exfiltration – Tracking how much data leaves the network and where it is going.

Full History Attack Investigation – Identification of "lurking infections" and determining exactly which systems are affected and require cleaning.

Identification of Compromised Hosts – Tracking computer systems' behavior over time and determining when new behavior patterns are out of the ordinary.

Anomalous Network Behavior – Using the knowledge of the usual and expected to spot the unusual and unexpected.

Policy Enforcement – Identification of access attempts that violate policies.

SLIDE 6

ITSG-33 Overview

• ITSG-33 Document Structure:
  • Annex 1 – Departmental IT Security
  • Annex 2 – Information System Security
  • Annex 3 – Security Control Catalogue
  • Annex 4-1,2,3 – Security Control Profiles for PB/M/M, PA/L/L, Secret/M/M
  • Annex 5 – Glossary

• Purpose
  • Support Compliance to GC Policy Instruments
  • Provide a Catalogue of Security Controls
  • Facilitate Consistent and Repeatable Selection of Security Controls
  • Establish a Common Lexicon

• Audience
  • IT Security Community
  • Program and Project Managers
  • System Architects and Designers
SLIDE 7

ITSG-33 Security Controls Library

• Security Control Definition: "A management, operational, or technical security functional requirement prescribed for an information system to protect the confidentiality, integrity, and availability of its IT assets. Security controls are implemented using various types of security solutions that include security products, security policies, security practices, and security procedures."

• ITSG-33 Controls Catalog:
  • 3 Security Control Classes
  • 17 Security Control Families
  • 194 Security Controls
  • 442 Control Enhancements
  • 636 Requirements
SLIDE 8

Infrastructure Resource Protection and Availability

• ITSG-33
  • To implement internal control, security and audit-ability measures during configuration, integration and maintenance for hardware and infrastructural software to protect resources and ensure availability and integrity.
  • Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components.
  • Their use should be monitored and evaluated.
  • Applicable controls: CM-8

• NetFlow
  • Monitors host and traffic activity.
  • Operates as an internal technical control that provides an added layer of network security and ensures continuous network availability.
  • Used during times of change, such as in the case of mergers and acquisitions when disparate networks merge, to provide a level of stability and control during unstable and uncertain network transition.

SLIDE 9

Capacity and Performance of IT Resources

• ITSG-33
  • To plan, review and model the performance and capacity of IT resources; forecast future needs to minimize the risk of service disruptions; monitor to maintain and tune current performance and to report on service availability.
  • Applicable controls: CP-2

• NetFlow baselines network traffic for historical trending, capacity planning as well as network security purposes:
  • Traffic statistics include interface utilization in general, traffic composition, out-of-profile ports and services, QoS bandwidth utilization, to name a few.
  • By alarming on deviations from this baseline, it helps organizations retain control of resource consumption and assists with proactive and quantifiable network upgrade decisions as opposed to reactive and potentially unfounded bandwidth upgrades.
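The baseline-and-alarm idea on this slide, and the "how much data leaves the network and where is it going" use case from the security examples slide, both reduce to the same computation over exported flow records. The Python below is an added example (not from the presentation or any vendor's collector) that builds a per-host outbound baseline from constructed daily flow totals, alarms when a day's outbound volume exceeds mean plus k standard deviations, and lists where the bytes went. The internal address range, the k factor and the absolute floor are assumptions chosen for the illustration.

```python
"""Baseline outbound traffic per internal host and alarm on deviations.

Added example, not from the presentation. Flow records are constructed
sample data of the form (day index, src IP, dst IP, bytes); a collector
would normally derive them from NetFlow/IPFIX exports.
"""
import ipaddress
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

FlowRecord = Tuple[int, str, str, int]          # (day, src, dst, bytes)

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def outbound_bytes_per_day(records: Iterable[FlowRecord]) -> Dict[str, Dict[int, int]]:
    """Bytes leaving the network per (host, day); internal-to-internal flows are ignored."""
    totals: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in records:
        if is_internal(src) and not is_internal(dst):
            totals[src][day] += nbytes
    return totals


def baseline(daily: Dict[int, int], days: Iterable[int]) -> Tuple[float, float]:
    """Mean and population stdev of a host's daily outbound bytes over the window;
    days with no outbound traffic count as zero so quiet hosts are not skipped."""
    samples = [daily.get(d, 0) for d in days]
    return statistics.mean(samples), statistics.pstdev(samples)


def find_deviations(records, baseline_days, today, k=3.0, floor=50_000_000):
    """Hosts whose outbound bytes today exceed mean + k*stdev of their baseline
    and also exceed an absolute floor (assumed 50 MB), so that a host that
    normally sends nothing does not alarm on a single megabyte."""
    totals = outbound_bytes_per_day(records)
    alarms = []
    for host, daily in sorted(totals.items()):
        mean, sd = baseline(daily, baseline_days)
        observed = daily.get(today, 0)
        threshold = max(mean + k * sd, floor)
        if observed > threshold:
            alarms.append((host, observed, round(threshold)))
    return alarms


def top_destinations(records, host, day):
    """Where the host's outbound bytes went on the given day, largest first."""
    per_dst: Dict[str, int] = defaultdict(int)
    for d, src, dst, nbytes in records:
        if d == day and src == host and not is_internal(dst):
            per_dst[dst] += nbytes
    return sorted(per_dst.items(), key=lambda kv: kv[1], reverse=True)


def _mb(n: int) -> int:
    return n * 1_000_000


# Constructed sample: seven baseline days (0-6) and a "today" (day 7).
SAMPLE_RECORDS: List[FlowRecord] = []
for day, mb in enumerate([100, 110, 90, 105, 95, 100, 100]):
    SAMPLE_RECORDS.append((day, "10.0.0.5", "203.0.113.20", _mb(mb)))
for day, mb in enumerate([200, 210, 190, 200, 205, 195, 200]):
    SAMPLE_RECORDS.append((day, "10.0.0.6", "198.51.100.7", _mb(mb)))
SAMPLE_RECORDS += [
    (7, "10.0.0.5", "203.0.113.20", _mb(100)),   # usual destination, usual volume
    (7, "10.0.0.5", "198.51.100.99", _mb(800)),  # large transfer to a new external host
    (7, "10.0.0.5", "10.0.0.9", _mb(5000)),      # internal backup: not outbound, ignored
    (7, "10.0.0.6", "198.51.100.7", _mb(210)),   # within normal variation
    (7, "10.0.0.7", "203.0.113.1", _mb(1)),      # quiet host, under the floor
]
BASELINE_DAYS = range(0, 7)
TODAY = 7

if __name__ == "__main__":
    for host, observed, threshold in find_deviations(SAMPLE_RECORDS, BASELINE_DAYS, TODAY):
        print(f"{host}: {observed} bytes outbound today, threshold {threshold}")
        for dst, nbytes in top_destinations(SAMPLE_RECORDS, host, TODAY):
            print(f"  -> {dst}: {nbytes}")
```

Only 10.0.0.5 alarms: its 900 MB day is far above a baseline of roughly 100 MB, while 10.0.0.6's 210 MB sits inside its normal variation and 10.0.0.7's 1 MB never reaches the floor. The destination breakdown then shows that 800 of the 900 MB went to an address the host had never sent to before, which is the "where is it going" half of the exfiltration question. The same mean-plus-k-sigma comparison applied per interface instead of per host gives the capacity-planning alarm the slide describes.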

SLIDE 10

Security Testing, Surveillance and Monitoring

• ITSG-33
  • To ensure that IT security implementation is tested and monitored proactively.
  • A logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed.
  • Applicable controls: AU-6, CA-2, CA-6, CA-7, CM-4, RA-5, SI-4

• NetFlow:
  • Not only provides network visibility and monitoring but also a "quick clue" as to what is actually happening on the network and where, expediting incident resolution.
  • Security teams find tremendous value in this immediate contextual awareness because it enables them to focus their research on the records specific to the problem at hand.

SLIDE 11

Malicious Software Prevention, Detection and Correction

• ITSG-33
  • To ensure that preventive, detective and corrective measures are in place across the organization to protect information systems and technology from malware.
  • Applicable controls: SC-18, SI-3, SI-7, SI-8

• NetFlow:
  • Helps detect malware, oftentimes when signature-based systems cannot.
  • Moreover, some enterprises have also deployed NetFlow as a "catch all" for their Data Leakage Prevention (DLP) project to supplement traditional DLP tools.

SLIDE 12

Network Security

• ITSG-33
  • To ensure that security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation and intrusion detection) are used to authorize access and control information flows from and to networks.
  • Applicable controls: AC-4, SC-7, SI-4

• NetFlow:
  • Helps detect unauthorized access, firewall misconfiguration, and third-party integration issues.
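One way NetFlow exposes unauthorized access and firewall misconfiguration (and the "policy enforcement" example from slide 5) is to compare exported flows against the segmentation policy the firewall is supposed to enforce. The Python below is an added example, not code from the presentation: the allow-list rule format, the three-tier network and the flow records are all constructed for illustration. It also separates flows that only ever carried a SYN (the firewall most likely dropped them) from flows that completed a handshake and moved data (a path the firewall should not have allowed), because a unidirectional flow record alone does not say which of the two happened.

```python
"""Check exported flow records against a segmentation policy.

Added example, not from the presentation. The policy (allow rules with an
implicit default deny), the addresses and the flow records are constructed
for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, UDP = 6, 17
SYN, ACK, PSH = 0x02, 0x10, 0x08


@dataclass(frozen=True)
class Rule:
    src: str       # CIDR of permitted sources
    dst: str       # CIDR of permitted destinations
    proto: int
    dport: int     # 0 means any destination port


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    flags: int     # OR of TCP flags seen over the flow; 0 for UDP


# Assumed three-tier policy: users reach the web tier, the web tier reaches the
# database, and everyone may query the internal resolver. Anything else is denied.
POLICY: List[Rule] = [
    Rule("10.10.0.0/16", "10.20.0.0/24", TCP, 443),
    Rule("10.20.0.0/24", "10.30.0.0/24", TCP, 5432),
    Rule("10.0.0.0/8", "10.0.0.53/32", UDP, 53),
]


def matching_rule(flow: FlowRecord, policy: List[Rule]) -> Optional[Rule]:
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for rule in policy:
        if (s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst)
                and flow.proto == rule.proto and rule.dport in (0, flow.dport)):
            return rule
    return None


def classify(flow: FlowRecord, policy: List[Rule]) -> str:
    """'permitted' when a rule allows the flow. Otherwise 'attempted' when the
    record shows nothing but SYNs (no handshake completed, so the firewall most
    likely blocked it), 'established' when TCP data actually moved (a path the
    policy says should not exist), and 'observed' for UDP, where a one-way
    record cannot tell whether anything answered."""
    if matching_rule(flow, policy) is not None:
        return "permitted"
    if flow.proto == TCP:
        return "attempted" if flow.flags == SYN else "established"
    return "observed"


def audit(flows: List[FlowRecord], policy: List[Rule]) -> List[Tuple[str, str, int, int, str]]:
    """Flows the policy does not permit, with how far each one got."""
    findings = []
    for f in flows:
        verdict = classify(f, policy)
        if verdict != "permitted":
            findings.append((f.src, f.dst, f.proto, f.dport, verdict))
    return findings


# Constructed flow records as a collector might hold them after export.
SAMPLE_FLOWS = [
    FlowRecord("10.10.1.5", "10.20.0.10", 52000, 443, TCP, 30, SYN | ACK | PSH),  # user -> web
    FlowRecord("10.10.1.5", "10.30.0.7", 52001, 5432, TCP, 3, SYN),               # user -> DB, SYNs only
    FlowRecord("10.10.1.9", "10.30.0.7", 52002, 5432, TCP, 40, SYN | ACK | PSH),  # user -> DB, data moved
    FlowRecord("10.20.0.10", "10.0.0.53", 41000, 53, UDP, 1, 0),                  # web -> DNS
    FlowRecord("10.20.0.10", "10.30.0.7", 41001, 22, TCP, 15, SYN | ACK),         # web -> DB ssh
    FlowRecord("10.10.1.5", "10.30.0.7", 5000, 161, UDP, 2, 0),                   # user -> DB snmp
]

if __name__ == "__main__":
    for src, dst, proto, dport, verdict in audit(SAMPLE_FLOWS, POLICY):
        print(f"{verdict:12} {src} -> {dst} proto {proto} dport {dport}")
```

The audit returns four findings. The two "established" ones (a user host talking to the database on 5432, and the web tier reaching the database over SSH) are the firewall-misconfiguration or unauthorized-access cases the slide has in mind; the "attempted" one shows the policy working and is useful mainly as evidence of who is probing; the UDP "observed" one needs the return-direction flow or a firewall log before it can be called either way.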

SLIDE 13

Infrastructure Monitoring

• ITSG-33
  • To define and implement procedures to monitor the IT infrastructure and related events.
  • Ensure sufficient chronological information is being stored in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations.
  • Applicable controls: AU-13, CA-7, IR-5, SI-4

• NetFlow:
  • Host-centric view of the network provides broader context around network activity not available with packet-centric technologies.
  • Helps to quickly focus incident resolution efforts on only those security event logs pertinent to the problem at hand.

SLIDE 14

• While full network visibility is needed at all times, achieving deep, selective and continuous monitoring goals is difficult, if not impossible, with the current market offerings:
  • Too many tools, not enough SPAN/Mirror ports or network taps for access.
  • SPAN port contention and limited network access.
  • Time-consuming change order and configuration management processes.
  • High management overhead.
  • Lack of scalability resulting in multiple gaps in the monitoring coverage.
  • Security tools being over- or undersubscribed, and not being used at capacity, i.e., not cost effective.

SLIDE 15

• Network monitoring may take many forms:
  • Software-based monitoring
  • Network monitoring and capture hardware
  • Security monitoring hardware

• Some techniques are more operationally focused, while others were put in place for security and compliance reasons (e.g., monitoring traffic for attacks vs. to ensure throughput is adequate).

SLIDE 16

• SPAN Port Monitoring
  • Most switches cannot feasibly support more than two SPAN ports.
  • SPAN ports can create:
    • Additional performance issues
    • Changes in the architecture that also introduce performance and potential security gaps

• Network Taps for Monitoring
  • Many taps do not have the port density necessary for advanced deployment
  • Multiple management requirements increase operational overhead
  • Lack of granularity
  • High cost
SLIDE 17

(Diagram: chain of IT trends leading to the next generation of network monitoring devices)
  • IT trends drive scale and complexity
  • Network discontinuity impacts network operations
  • Enterprises deploy more network mgmt. and security tools
  • Network mgmt. and security tools need network visibility
  • Visibility requirements lead to greater use of SPAN/mirror ports and taps
  • Greater use of SPAN/mirror ports and taps leads to scaling/visibility issues
  • Next Generation of Network Monitoring Devices

SLIDE 18

• Small and inexpensive, inline taps installed at the end point equipment that help improve the overall efficiency within the environment.
• Remotely configurable and administered.
• Intelligent taps that make sense economically and simplify the implementation and ongoing maintenance of network monitoring.
• Devices that integrate well with existing network and security tools and vendors, and provide ample functionality for various IT teams to leverage for improved efficiencies and operations.
SLIDE 19

• Network Security & IT Operations:
  • Self-discovering network layer
  • Limitless network visibility
  • Defence in depth
  • Reduced time to protection and lower cost
  • Support for different data reporting standards, e.g., Syslog, NetFlow, IPFIX, JFlow, SFlow, etc.

• Senior Management:
  • Increased tool ROI
  • Reduced tool cost
  • Lower cost of ownership
SLIDE 20

Alexander Zakharov
alexander.zakharov@wawtechnologies.com

Robert Venczel
robert.venczel@wawtechnologies.com

WAW Technologies Inc.
www.wawtechnologies.com
613-366-3055

SLIDE 21

Q&A