Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring - PowerPoint PPT Presentation

 Overview of NetFlow ™  NetFlow ™ and ITSG -33  Existing Monitoring Tools  Network Monitoring and Visibility Challenges  Technology of the future  Q&A

What t is NetFlow?  Network protocol originally developed by Cisco for collecting IP traffic information and monitoring network traffic.  NetFlow looks at IP flows rather than counting bytes at interfaces.  A flow is a stream of IP packets that have the following seven identical fields: ◦ A common source IP address ◦ A common destination IP address ◦ A common source port ◦ A common destination port ◦ Same layer 3 protocol ◦ Same type of service ◦ The same logical interface

NetFlow Benefits ts  Network administrators can use NetFlow in many different ways to get valuable insights into their network: ◦ Bandwidth Monitoring and Traffic Analysis ◦ Network Forensics and Security Management ◦ Application Monitoring ◦ Tracking Application Migration ◦ Validating QoS ◦ Capacity Planning ◦ Identify worms and malware ◦ Analysis of VPN traffic and Teleworker behavior ◦ Calculating total cost of ownership for applications

Use of NetFlow for Security (Examples) s) Network Auditing - Tracking the flow of data to and from the systems  that process the information. Informed Decisions - More and better information leads to better  decisions. Availability – Determining where more bandwidth is required as a result  of the network’s growth. Insiders Engaged in Malicious Actions, Data Exfiltration - Tracking how  much data leaves the network and where is it going. Full History Attack Investigation – Identification of “lurking infections”  and determining exactly which systems are affected and require cleaning. Identification of Compromised Hosts – Tracking computer systems’  behavior over time and determining when new behavior patterns are out of the ordinary. Anomalous Network Behavior – Using the knowledge of the usual and  expected to spot the unusual and unexpected. Policy Enforcement – Identification of access attempts that violate  policies.

ITSG-33 Overview  ITSG-33 Document Structure: ◦ Annex 1 – Departmental IT Security ◦ Annex 2 – Information System Security ◦ Annex 3 – Security Control Catalogue ◦ Annex 4-1,2,3 – Security Control Profiles for PB/M/M, PA/L/L, Secret/M/M ◦ Annex 5 – Glossary  Purpose ◦ Support Compliance to GC Policy Instruments ◦ Provide a Catalogue of Security Controls ◦ Facilitate Consistent and Repeatable Selection of Security Controls ◦ Establish a Common Lexicon  Audience ◦ IT Security Community ◦ Program and Project Managers ◦ System Architects and Designers

ITSG-33 Security Controls ls Library  Security Control Definition: “A management, operational, or technical security functional requirement prescribed for an information system to protect the confidentiality, integrity, and availability of its IT assets. Security controls are implemented using various types of security solutions that include security products, security policies, security practices, and security procedures.”  ITSG-33 Controls Catalog: ◦ 3 Security Control Classes ◦ 17 Security Control Families ◦ 194 Security Controls ◦ 442 Control Enhancements ◦ 636 Requirements

Infrastru tructu ture Resource Protection and Availability ty  ITSG-33 ◦ To implement internal control, security and audit-ability measures during configuration, integration and maintenance for hardware and infrastructural software to protect resources and ensure availability and integrity. ◦ Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. ◦ Their use should be monitored and evaluated. ◦ Applicable controls: CM-8  NetFlow ◦ Monitors host and traffic activity. ◦ Operates as an internal technical control that provides an added layer of network security and ensures continuous network availability. ◦ Used during times of change, such as in the case of mergers and acquisitions when disparate networks merge to provide a level of stability and control during unstable and uncertain network transition.

Capacity ty and Performa mance of IT Resources  ITSG-33 ◦ To plan, review and model the performance and capacity of IT resources; forecast future needs to minimize the risk of service disruptions; monitor to maintain and tune current performance and to report on service availability. ◦ Applicable controls: CP-2  NetFlow baselines network traffic for historical trending, capacity planning as well as network security purposes : ◦ Traffic statistics include interface utilization in general, traffic composition, out of profile ports and services, QoS bandwidth utilization to name a few. ◦ By alarming on deviations from this baseline, it helps organizations retain control of resource consumption and assist with proactive and quantifiable network upgrade decisions as opposed to reactive and potentially unfounded bandwidth upgrades.

Security ty Testi ting, g, Surveillance and Monito toring  ITSG-33 ◦ To ensure that IT security implementation is tested and monitored proactively. ◦ A logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed. ◦ Applicable controls: AU-6, CA-2, CA-6, CA-7, CM-4, RA-5, SI-4  NetFlow: ◦ Not only provides network visibility and monitoring but also a “quick clue” as to what is actually happening on the network and where, expediting incident resolution. ◦ Security teams find tremendous value in this immediate contextual awareness because it enables them to focus their research on the records specific to the problem at hand.

Malic icious ious Software e Preventi tion, Detecti tion and Correcti ction  ITSG-33 ◦ To ensure that preventive, detective and corrective measure are in place across the organization to protect information systems and technology from malware. ◦ Applicable controls: SC-18, SI-3, SI-7, SI-8  NetFlow: ◦ Helps detect malware, when oftentimes signature-based systems cannot do it. ◦ Moreover, some enterprises have also deployed NetFlow as a “catch all” for their Data Leakage Prevention (DLP) project to supplement traditional DLP tools.

Netwo work Securi urity  ITSG-33 ◦ To ensure that security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation and intrusion detection) are used to authorize access and control information flows from and to networks. ◦ Applicable controls: AC-4, SC-7, SI-4  NetFlow: ◦ Helps detect unauthorized access, firewall misconfiguration, and third-party integration issues.

Infra rastructure structure Monito tori ring ng  ITSG-33 ◦ To define and implement procedures to monitor the IT infrastructure and related events. ◦ Ensure sufficient chronological information is being stored in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations. ◦ Applicable controls: AU-13, CA-7, IR-5, SI-4  NetFlow: ◦ Host-centric view of the network provides broader context around network activity not available with packet-centric technologies. ◦ Helps to quickly focus incident resolution efforts on only those security event logs pertinent to the problem at hand.

 While full network visibility is needed at all times, achieving deep, selective and continuous monitoring goals is difficult, if not impossible, with the current market offerings: ◦ Too many tools, not enough SPAN/Mirror ports or network taps for access. ◦ SPAN port contention and limited network access. ◦ Time-consuming change order and configuration management processes. ◦ High management overhead. ◦ Lack of scalability resulting in multiple gaps in the monitoring coverage. ◦ Security tools being over- or undersubscribed, and not being used at capacity, i.e., not cost effective.

 Network monitoring may take many forms: ◦ Software-based monitoring ◦ Network monitoring and capture hardware ◦ Security monitoring hardware  Some techniques are more operationally focused, while others were put in place for security and compliance reasons (e.g., monitoring traffic for attacks vs. to ensure throughput is adequate)

 SPAN Port Monitoring ◦ Most switches cannot feasibly support more than two SPAN ports. ◦ SPAN ports can create:  Additional performance issues  Changes in the architecture that also introduce performance and potential security gaps • Network Taps for Monitoring ◦ Many taps do not have port density necessary for advance deployment ◦ Multiple management requirements increase operational overhead ◦ Lack of granularity ◦ High cost

Enterprises Greater use Network Visibility Network deploy of Next IT trends mgmt, and requirements discontinuity more SPAN/mirror Generation drive scale security lead to greater impacts network ports and of Network and tools need use of mgmt. and taps leads to network Monitoring complexity network SPAN/mirror operations security scaling/visibi Devices visibility ports and taps tools lity issues