NetFlow Security Monitoring For Dummies®, Lancope

NetFlow Security Monitoring For Dummies, Lancope Special Edition
by Mike Chapple, Ph.D.
These materials are the copyright of John Wiley & Sons, Inc. and any
dissemination, distribution, or unauthorized use is strictly prohibited.
NetFlow Security Monitoring For Dummies®, Lancope Special Edition
Published by
John Wiley & Sons, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2012 by John Wiley & Sons, Inc.
Published by John Wiley & Sons, Inc., Hoboken, NJ
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise,
except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the
prior written permission of the Publisher. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, the Wiley logo, For Dummies, the Dummies Man logo, A Reference for the Rest of
Us!, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States
and other countries, and may not be used without written permission. Lancope, StealthWatch,
FlowCollector, FlowSensor, Concern Index, Point-of-View, and Relational Flow Mapping are registered or
unregistered trademarks of Lancope, Inc. All other trademarks are the property of their respective
owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE
NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES,
INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE.
NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS.
THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT
ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL
PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE
FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS
REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER
INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE
INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT
MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN
THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
For general information on our other products and services, please contact our Business Development
Department in the U.S. at 317-572-3205. For details on how to create a custom For Dummies book for
your business or organization, contact info@dummies.biz. For information about licensing the For
Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.
ISBN 978-1-118-33541-3 (pbk); ISBN 978-1-118-33772-1 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
Publisher’s Acknowledgments
Some of the people who helped bring this book to market include the following:
Acquisitions, Editorial, and Vertical Websites
Project Editor: Jennifer Bingham
Editorial Manager: Rev Mengle
Business Development Representative: Melody Layne
Custom Publishing Project Specialist: Michael Sullivan
Composition Services
Senior Project Coordinator: Kristie Rees
Layout and Graphics: Claudia Bell, Carl Byers, Lavonne Roberts
Proofreader: Dwight Ramsey
Special help: Angela Frechette Cannon
Introduction
Network flow records provide a valuable source of
information for security analysts seeking to augment
other controls and conduct forensic investigations. I hope
that this short book will get you started with NetFlow for
security and whet your appetite for more information about
this cutting-edge technology.
About This Book
NetFlow Security Monitoring For Dummies, Lancope Special
Edition, explains how NetFlow can be leveraged to improve
your organization’s security controls.
This book takes you through the basics of NetFlow analysis
for information security purposes — what NetFlow is, how it
works, and how you can enable it to yield actionable security
intelligence. It also provides some detail on the specific
security risks addressed by NetFlow analysis and provides
best practices for conducting NetFlow collection and analysis
with the Lancope StealthWatch System. The contents of this
book were provided by and published specifically for Lancope.
Icons Used in This Book
The margins of this book sport several helpful icons that can
help guide you through the content:
When I present something that can save you time and effort, I
toss in this icon to highlight it.
This icon offers a little extra info of a technical nature. You don’t
have to read it to follow the book, but it’s an interesting aside.
This bit of info is worth remembering. No need to tattoo it on
your forearm or anything, just keep it in mind.
This icon flags information to take note of because it could
cause problems.
Chapter 1
Getting to Know
Your NetFlow
In This Chapter
▶ Learn how NetFlow provides a valuable source of information about conversations between networked systems
▶ Understand the basics of configuring NetFlow on commonly used network devices
▶ Identify the role that NetFlow information plays in a network security infrastructure
If you’re not already leveraging NetFlow information in your
security infrastructure, you’re missing out on a tool that
provides valuable network intelligence. In many cases, you
already have the majority of the equipment you need to get
started on your network!
So why do many organizations fail to take advantage of this
rich data source? In some cases, they simply haven’t yet
made the investment of time required to get NetFlow up and
running properly. Other organizations may have tried using
NetFlow data in the past and were frustrated by the limited analysis capabilities of the older tools available to them.
In this chapter, I explore the basics of NetFlow technology
and the role it can play in your security infrastructure. I also
cover the basic configuration required to get NetFlow up and
running on your network.
What Is NetFlow?
NetFlow is a feature built into many network devices manufactured by Cisco, Juniper, Nortel, SonicWall, and others. It
captures basic information about every IP conversation that
takes place through the monitored device, including the identities of the systems involved in the conversation, the time of
the communication, and the amount of data transferred.
You might think of NetFlow records as a “phone bill” for your
network, as shown in Figure 1-1. It can’t tell you what was said
on your network, but it gives you a good idea who was talking
and how much they said. NetFlow provides information about
the “conversations” that take place on your network similar to
the information phone bills provide about voice conversations.
Figure 1-1: How NetFlow provides you with information similar to a phone
bill. (Source: Lancope, Inc.)
Take a moment to think about the potential applications of
these records. In addition to the obvious network diagnostic
and maintenance uses of this data, NetFlow information can
also be a critical tool for security analysts trying to identify
anomalous activity or reconstruct the sequence of events
when responding to an incident.
NetFlow versions
Cisco developed the original NetFlow standard but it quickly became adopted as an industry standard. Over time, this standard evolved through nine versions until culminating in the most recent release of IPFIX. The following table gives you a rundown on the different versions of NetFlow.
Version   Status
v1        Original version of NetFlow, now obsolete
v2-v4     Working versions that were never released
v5        Most commonly deployed version today, only supports IPv4
v6        Working version that was never released
v7        Used only on some Cisco Catalyst switches
v8        Never widely adopted
v9        Next-generation flow formatting that supports IPv6, MPLS & multicast
v10       IPFIX, the industry standardized version of v9
NetFlow records provide a rich source of data for security
analysts to mine. Some of the most commonly used data elements generated by NetFlow include:
✓ Source IP address
✓ Destination IP address
✓ Source port
✓ Destination port
✓ Protocol
✓ Timestamps for the flow start and conclusion
✓ Amount of data passed
These are only a small sampling of the many data fields available to NetFlow analysts.
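The fields listed above map directly onto the fixed-layout NetFlow v5 record (the version the table above calls the most commonly deployed). The parser below is an added example written for this edition, not code from the book or from Lancope; the field layout is the public v5 wire format (a 24-byte header followed by 48-byte records), and the datagram it parses is constructed inline rather than captured from a device. It also applies the two sanity checks a collector needs before trusting a datagram: the version field and the record count against the bytes actually received.

```python
"""Parse a NetFlow v5 export datagram (added example; not code from the book or Lancope)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List

# Public NetFlow v5 layout: 24-byte header followed by up to 30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str
    packets: int
    octets: int
    first_ms: int      # exporter uptime (ms) at the first packet of the flow
    last_ms: int       # exporter uptime (ms) at the last packet of the flow
    tcp_flags: int     # OR of all TCP flags seen in the flow


@dataclass
class V5Datagram:
    sys_uptime_ms: int
    export_unix_secs: int
    sequence: int           # running count of exported flows; gaps mean lost datagrams
    sampling_interval: int  # low 14 bits of the sampling field; 0 means unsampled
    records: List[FlowRecord]


def parse_v5(datagram: bytes) -> V5Datagram:
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, uptime, unix_secs, _unix_nsecs, sequence,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version field = {version})")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"truncated datagram: header promises {count} records, "
                         f"{needed} bytes needed, {len(datagram)} present")
    records = []
    for i in range(count):
        (srcaddr, dstaddr, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, prot, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(
            src=str(ipaddress.IPv4Address(srcaddr)),
            dst=str(ipaddress.IPv4Address(dstaddr)),
            src_port=sport, dst_port=dport,
            proto=PROTO_NAMES.get(prot, str(prot)),
            packets=pkts, octets=octets, first_ms=first, last_ms=last,
            tcp_flags=flags))
    return V5Datagram(uptime, unix_secs, sequence, sampling & 0x3FFF, records)


def flow_summary(r: FlowRecord) -> str:
    """One 'phone bill' line: who talked to whom, for how long, and how much."""
    duration_s = (r.last_ms - r.first_ms) / 1000
    return (f"{r.src}:{r.src_port} -> {r.dst}:{r.dst_port} {r.proto} "
            f"{r.packets} pkts {r.octets} bytes {duration_s:.1f} s")


def build_sample_datagram() -> bytes:
    """Constructed sample datagram with two flows (not captured from a real device)."""
    header = V5_HEADER.pack(5, 2, 600_000, 1_335_000_000, 0, 1, 0, 0, 0)
    https = V5_RECORD.pack(
        ipaddress.IPv4Address("10.1.1.5").packed, ipaddress.IPv4Address("198.51.100.20").packed,
        b"\0\0\0\0", 1, 2, 12, 1536, 590_000, 599_000, 51234, 443,
        0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    dns = V5_RECORD.pack(
        ipaddress.IPv4Address("10.1.1.7").packed, ipaddress.IPv4Address("10.1.1.53").packed,
        b"\0\0\0\0", 1, 1, 1, 74, 595_000, 595_000, 40001, 53,
        0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + https + dns


if __name__ == "__main__":
    for rec in parse_v5(build_sample_datagram()).records:
        print(flow_summary(rec))
```

Two details worth noting for collector design: the sequence number lets you detect exporter datagrams lost on the UDP path (a gap in the count means missing flows, not an empty network), and the sampling field tells you whether the byte and packet counts are measured or estimated.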
IP address information included in NetFlow records depends
on the perspective of the NetFlow collector. If the collector is
behind a firewall or other device using network address translation, the true source IP address may not be available.
Where Is NetFlow Information
Available?
NetFlow data is available from a wide variety of sources,
including both traditional NetFlow-enabled networking and
security devices and special-purpose NetFlow collection
appliances.
Traditional NetFlow
Although NetFlow was originally created by Cisco for use on
their routers and switches, the networking community quickly
adopted it as an Internet standard and many manufacturers
now support NetFlow. Some of the major platforms that allow
direct export of flow records in NetFlow format include:
✓ Cisco routers and switches
✓ Cisco ASA firewalls
✓ Juniper routers and switches
✓ Citrix NetScaler
✓ BlueCoat PacketShaper
✓ Palo Alto next-generation firewalls
✓ Nortel Networks Ethernet Routing Switches
This is a small, representative list of the manufacturers and
devices supporting NetFlow data collection. If you’re using
different devices on your network, consult with the manufacturer to determine whether they’re NetFlow-compatible.
If you’re not running the current firmware on your network
device, check whether upgrades are available. Many vendors added NetFlow support to their devices after the initial
release and a firmware upgrade may be all you need to get up
and running.
About sampled flow data
NetFlow records provide an extremely accurate accounting of the communications that take place on a network. This accurate recordkeeping requires that the NetFlow device analyze the details of each packet and fold it into the ongoing accounting of each connection. In some cases, this level of accuracy isn’t needed, as the needs of both network and security administrators may be met with approximations of the amount of data passed and they may be willing to miss some shorter communications.
Sampled flow data uses a “1 in n” approach to flow data. The NetFlow exporter simply samples every nth packet and includes the data from that packet in the NetFlow records.
For limited cases, where the use of sampled network flow information may be appropriate, Lancope recommends using a sample rate of 1 in 128 to collect fairly accurate network flow data while dramatically reducing the burden on the exporting device. However, Lancope doesn’t advocate using sampled NetFlow for security applications.
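To make the sidebar’s caveat concrete, here is an added example (not code from the book or from Lancope) that simulates systematic 1-in-128 packet sampling over a constructed packet stream: one long conversation with ten two-packet flows to distinct hosts interleaved into it. The flow keys, packet sizes and positions are constructed for the demonstration. The long flow’s byte count is estimated to within about one percent, while every short flow disappears from the sampled view, which is exactly the kind of brief, low-volume activity a security analyst needs to see.

```python
"""Simulate 1-in-n packet sampling and its effect on flow accounting (added example)."""
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[str, int]           # (flow key, bytes on the wire)
Counters = Dict[str, Dict[str, int]]


def account(packets: List[Packet], scale: int = 1) -> Counters:
    """Fold packets into per-flow packet and byte counters.

    An exporter that samples 1 in n multiplies each sampled packet by n
    to estimate the unsampled totals; that is what `scale` models.
    """
    flows: Counters = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for key, size in packets:
        flows[key]["packets"] += scale
        flows[key]["bytes"] += size * scale
    return dict(flows)


def sample_every_nth(packets: List[Packet], n: int) -> List[Packet]:
    """Systematic sampling: keep packets 0, n, 2n, ... (some exporters sample randomly instead)."""
    return packets[::n]


def compare(full: Counters, sampled: Counters):
    """Flows absent from the sampled view, and the relative byte error of those present."""
    missed = sorted(k for k in full if k not in sampled)
    errors = {k: (sampled[k]["bytes"] - full[k]["bytes"]) / full[k]["bytes"] for k in sampled}
    return missed, errors


def build_sample_stream() -> List[Packet]:
    """Constructed packet stream (not captured traffic): one 12,800-packet
    conversation with ten two-packet flows to distinct hosts interleaved."""
    stream: List[Packet] = []
    for i in range(12_800):
        stream.append(("10.1.1.5->198.51.100.20:443", 1000))
        if i % 1280 == 5:
            short = f"10.1.1.99->10.1.2.{i // 1280 + 1}:445"
            stream.extend([(short, 60), (short, 60)])
    return stream


def run(n: int = 128):
    stream = build_sample_stream()
    full = account(stream)
    sampled = account(sample_every_nth(stream, n), scale=n)
    missed, errors = compare(full, sampled)
    return full, sampled, missed, errors


if __name__ == "__main__":
    full, sampled, missed, errors = run()
    print(f"flows in full accounting: {len(full)}, in sampled view: {len(sampled)}")
    print(f"short flows lost to sampling: {len(missed)}")
    for key, err in errors.items():
        print(f"{key}: estimated {sampled[key]['bytes']} bytes, error {err:+.1%}")
```

Random sampling, which many exporters use instead of a fixed stride, changes which short flows survive but not the outcome: a two-packet flow has roughly a 1.6 percent chance of contributing any packet at 1 in 128, so the sampled record set is a poor audit trail for short conversations.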
NetFlow generation
In some cases, security analysts may not be able to gain
access to NetFlow data from the organization’s network
devices. This might be because the devices aren’t capable of
generating NetFlow exports, network engineers are unwilling
to provide access to those records, or concerns exist about
the overhead introduced on the networking device.
If this is the case in your organization, you may wish to consider the use of dedicated NetFlow exporters to collect the
same information — sometimes enhanced with application
performance metrics. These devices can be attached to the
network in the following ways:
✓ Switch port analyzer (SPAN)
✓ Mirror port
✓ Ethernet test access port (TAP)
✓ Installed as a virtual machine on VMware ESX server
Although purchasing a NetFlow exporter will require an additional investment in hardware or software, you can gather the
same NetFlow information without modifying your network
configuration.
For more information on this topic, see Chapter 6.
Configuring NetFlow
Generally speaking, it’s easy to perform a basic NetFlow
configuration on most supported devices. You’ll need to configure the device to enable NetFlow collection and direct the
flow data to the NetFlow collector of your choice.
In this section, I look at configuring NetFlow support on two
commonly used devices: Cisco routers and Cisco Adaptive
Security Appliances (ASAs).
Configuring NetFlow
on Cisco routers
Cisco invented NetFlow and they make it easy to get started.
There are four basic steps to configuring NetFlow on a Cisco
router:
1. Enter global configuration mode. Use the configure
terminal command to put the device into configuration mode.
2. Select the interface you wish to configure. The exact
syntax will depend upon the type of interface. Consult
the IOS documentation if you’re not sure how to do this.
3. Enable NetFlow. Use the ip flow ingress command to enable NetFlow.
4. Start a NetFlow export. Use the ip flow-export
command to specify the IP address and destination
port of the system that will collect flow information.
Here’s an example that puts all these steps together to send
NetFlow version 9 data to a collector located at 192.168.2.100
and listening on port 2055:
configure terminal
interface FastEthernet 0/0
ip flow ingress
exit
ip flow-export version 9
ip flow-export destination 192.168.2.100 2055
exit
In most cases, you won’t be able to simply copy these commands and use them on your device. They may vary slightly depending upon your IOS version, device type, and site configuration. For example, many Cisco devices support the more powerful Flexible NetFlow (FNF) technology. Details on configuring FNF may be found at www.lancope.com/blog/FNFconfig.
Configuring NetFlow on
Cisco ASA devices
Cisco’s line of Adaptive Security Appliance (ASA) devices
provides a wide range of network security features, including
firewall capabilities. Many organizations use these devices
to create both internal and external perimeters and, because
of this position as a network gatekeeper, they are a valuable
source of NetFlow data. ASA provides additional information
in NetFlow not found in router-based NetFlow and is very valuable for security-based analysis of flows.
Configuring NetFlow on an ASA uses the Adaptive Security
Device Manager’s graphical user interface. To configure
NetFlow export, follow these steps:
1. Access the NetFlow configuration screen. In ASDM,
choose Device Management➪Logging➪NetFlow.
2. Add a NetFlow collector by clicking the Add button.
You’ll need to specify the IP address and destination
port where the ASA should send the NetFlow traffic,
as well as the firewall interface that should be used to
send the traffic.
3. Click OK to configure the collector. You’ve now configured the ASA with the collector’s details but still
need to instruct it to export flow data.
4. Access the Service Policy Configuration Screen. In
ASDM, choose Firewall➪Service Policy Rules.
5. Click the Add button in the Service Policy Rules section of the screen.
Be careful to use the correct Add button. There are
three on this screen that look identical. You want to
use the one in the middle pane!
6. Specify that you want to create a Global policy and
then click the Next button.
7. Specify the traffic criteria for the NetFlow information you wish to collect. If you wish, you can limit the
Source and Destination IP addresses or set other criteria for your NetFlow collection. You can also select
class-default to capture NetFlow data on all traffic. Click
Next when you are finished specifying traffic criteria.
8. Select the NetFlow tab on the Rule Actions screen.
9. Click the Add button to create a new flow event
type.
10. Ensure that the Send box is checked for the collector
you created in Steps 2 and 3. This will configure the
ASA to send NetFlow records on traffic matching the
policy to your NetFlow collector.
11. Click OK to close the Add Flow Event Window.
12. Click Finish to create the Service Policy Rule.
13. Click the Apply button to deploy the policy to your
ASA device. You’ll be left with a service policy rule.
Once you’ve completed this process, your ASA device will
immediately begin exporting flow records to your NetFlow
collector.
Configuring NetFlow
on other devices
I covered Cisco routers and firewalls in detail in this book
because they make up a large portion of many network infrastructures, but they’re not the only devices out there. As
discussed in the previous section, there are many potential
NetFlow data sources.
You’ll find detailed configuration instructions in the documentation for your network device, but rest assured, it’s just as
simple as the processes outlined here!
NetFlow in the Security
Infrastructure
NetFlow collection and analysis plays an important role in a
defense-in-depth approach to information security by augmenting the capabilities provided by many other controls.
Examples include:
✓ NetFlow augments the capabilities of intrusion detection systems (IDSs) by providing views into the interior of networks, while the IDSs deployed by most organizations are limited to looking at traffic crossing the network perimeter.
✓ Malware detection capabilities benefit from NetFlow data when systems begin exhibiting patterns of behavior indicative of a worm infection or botnet membership. NetFlow-based detection is especially important when a system is infected with a zero-day threat that traditional antivirus software can’t detect.
✓ Security Incident and Event Management (SIEM) systems can provide greater insight into network activity when supplemented with NetFlow data.
✓ Forensics and incident response are key benefits. NetFlow provides a 24x7 view of all network communications. It’s a complete audit trail of everything that’s happened, and it allows you to implement a passive surveillance monitoring system on your network. It’s something like a CCTV for your network.
For more on the roles that NetFlow analysis plays in the
security infrastructure, including a detailed look at its ability
to identify systems that may be compromised by a worm or
botnet, see Chapter 4.
Can’t I just capture everything?
Many security professionals considering NetFlow deployment for the
first time do so after first considering capturing all traffic on a network.
This is often driven by a desire to
retain forensically valuable information or comply with stringent security
requirements.
Although full packet capture is technically possible and would provide
undeniably valuable information in
the event of a security incident, it’s
simply not feasible. The amount of
storage required to retain data captured across even a low bandwidth
connection over a long period of time
is tremendous.
For example, if you wanted to capture
all the data crossing a circuit that
averages 100Mbps, you would be collecting 12.5 megabytes of data every
second, or 45 terabytes per hour!
Chapter 2
Examining Trends
Addressed by NetFlow
In This Chapter
▶ Understanding the evolving risk posed to enterprises by advanced persistent threats and insider attacks
▶ Exploring the impact of the consumerization and virtualization of information technology on traditional defenses
▶ Using NetFlow to adapt security controls in the face of evolving network technologies
Security and networking professionals in a variety of
industries are turning to NetFlow as a defensive tool
against a variety of emerging security threats. The rapidly
changing nature of the threat landscape and advances in
information technology demand tools capable of adapting to
new attacks. In this chapter, I look at the trends driving the
adoption of NetFlow as a security tool.
Evolving Threat Landscape
The nature of information security threats changed dramatically over the past few years. As shown in Figure 2-1, the familiar automated attacks of worms and viruses have given way to more advanced and insidious threats.
Figure 2-1: The evolving threat landscape includes two very high risk items: advanced persistent threats and the threats posed by insiders. The figure arranges threat categories along a risk axis labeled Low Risk, High Risk, and Very High Risk; the categories shown are Automated Attacks, Industrialized Attacks, Employee Misuse & Abuse, Insider Threats, and APTs. (Source: Lancope, Inc.)
Two threats warrant particular attention from security analysts: the advanced persistent threat (APT) and the insider
threat.
Advanced persistent threats
Advanced persistent threats (APTs) are targeted attacks
against a particular organization. An attacker may single out
a company, government agency, or even an individual who
has desirable information or resources and use advanced,
stealthy attack techniques to slip in under the radar and carry
out an attack.
APTs are especially insidious because they’re carried out by
persistent attackers with the time and resources to deliberately target an organization. Security practitioners previously
associated APTs strictly with government agencies engaged in
cyberwarfare.
However, don’t underestimate the risk of APTs against your
organization today. In a recent Ponemon Institute study,
83 percent of respondents believed that their organization
was the target of an APT. Political hacktivists and other
attackers are now targeting a wide range of corporate and
government entities.
The nature of APTs means that the carefully constructed
perimeter security controls put in place by enterprise security
professionals are simply insufficient. The persistent hacker
leveraging advanced techniques will likely find an opportunity
to breach that perimeter and find a path onto the internal network. In this case, NetFlow data can play a critical role both in
detecting the presence of an APT and conducting post-incident
forensic analysis. NetFlow-based security analysis leverages
behavioral analysis and pattern recognition techniques that
allow for rapid detection of undocumented attack vectors,
often revealing APT attackers early in the attack lifecycle.
Insider threat
In many cases, the greatest risk to an organization’s security
comes not from far-away hackers but from trusted individuals
with access to sensitive information. The federal government
experienced this in 2010 when the alleged actions of a single
Army intelligence analyst led to a massive disclosure of classified information on the WikiLeaks website.
As with APTs, perimeter controls aren’t effective against the
insider threat because those controls are designed to permit
insiders access to sensitive information! NetFlow technology
can identify signs of insider attacks in progress, such as internal or external data transfers that are unusually large or to
atypical destinations.
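Both of the behaviors this chapter says NetFlow can surface, the worm or botnet fan-out pattern listed under “NetFlow in the Security Infrastructure” in Chapter 1 and the unusually large transfers described just above under “Insider threat”, reduce to simple checks over flow records. The following is an added example written for this edition; it is not StealthWatch code or anything from the book. It assumes a 10.0.0.0/8 internal address space, a constructed set of flow records, and a constructed per-host baseline of normal outbound volume (in practice the baseline would be learned from historical flows).

```python
"""Two behavioral checks over NetFlow-style records (added example; not Lancope code)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address space


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str
    packets: int
    octets: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def worm_like_fanout(flows: List[Flow], min_targets: int = 20,
                     max_packets: int = 3) -> Dict[str, int]:
    """Sources that open many tiny flows to distinct hosts on one port.

    Worm propagation and scanning produce exactly this shape: one source,
    one service port, many destinations, almost no payload per flow.
    Returns 'source -> port N': number of distinct destinations.
    """
    targets: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            targets[(f.src, f.dst_port)].add(f.dst)
    return {f"{src} -> port {port}": len(dsts)
            for (src, port), dsts in targets.items() if len(dsts) >= min_targets}


def unusual_egress(flows: List[Flow], baseline_bytes: Dict[str, int],
                   factor: float = 10.0) -> Dict[str, dict]:
    """Internal hosts whose outbound volume to external hosts exceeds
    `factor` times their baseline. Hosts with no baseline are skipped here;
    a production system would treat them as a separate 'new host' case."""
    egress: Dict[str, int] = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            egress[f.src] += f.octets
    findings = {}
    for host, total in egress.items():
        base = baseline_bytes.get(host, 0)
        if base and total > factor * base:
            findings[host] = {"bytes": total, "baseline": base,
                              "ratio": round(total / base, 1)}
    return findings


def build_sample_flows() -> List[Flow]:
    """Constructed sample records (not captured traffic)."""
    flows = [
        Flow("10.1.1.5", "198.51.100.20", 443, "TCP", 120, 180_000),     # ordinary web use
        Flow("10.1.1.5", "10.1.1.53", 53, "UDP", 2, 160),               # DNS lookup
        Flow("10.1.2.15", "203.0.113.50", 443, "TCP", 1_500_000, 2_000_000_000),  # 2 GB out
        Flow("10.1.2.15", "10.1.1.53", 53, "UDP", 2, 160),
    ]
    # One host touching 30 internal neighbours on the same port, one packet each.
    for i in range(1, 31):
        flows.append(Flow("10.1.1.99", f"10.1.2.{i}", 445, "TCP", 1, 48))
    return flows


# Constructed baseline: typical daily outbound bytes per host (would be learned in practice).
BASELINE_EGRESS = {"10.1.1.5": 150_000, "10.1.2.15": 20_000_000, "10.1.1.99": 50_000}


if __name__ == "__main__":
    flows = build_sample_flows()
    print("fan-out:", worm_like_fanout(flows))
    print("unusual egress:", unusual_egress(flows, BASELINE_EGRESS))
```

Neither check needs packet contents, which is the point of the “phone bill” analogy in Chapter 1: who talked to whom, how often, and how much is enough to raise both alerts. Thresholds such as 20 destinations and a 10x baseline are assumptions for the example and should be tuned to the network being monitored.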
Changes in Information
Technology
At the same time as the threats to information security evolve,
information technology continues to change. Two important
IT trends driving the adoption of NetFlow in enterprises
include the widespread adoption of mobile computing and the
increased use of virtualization technology.
Mobility and the vanishing
perimeter
Mobile computing use has skyrocketed in recent years, to
the point where smartphones, tablets, and other portable
Internet-enabled devices are nearly ubiquitous and the phrase
BYOD (bring your own device) has begun to arise. You’d be
hard-pressed to find a business traveler without at least one
mobile device in his or her pocket that is capable of reaching
back through their employer’s firewall to access sensitive
corporate information.
This trend keeps security practitioners awake at night. All
it takes is a single lost or stolen device to render significant
investments in security controls moot. This leads to a trend,
known as the vanishing perimeter, where security architects
must consider all those mobile devices as part of their frontline security defenses and design controls with that in mind.
Your organization should adopt formal policies about the use
of personally owned devices on your networks and with your
enterprise information systems. If you don’t adopt such a
policy, users will bring their devices anyway and not know the
proper way to secure them.
Consumerization of
information technology
A trend related to mobility is the rapid,
widespread consumerization of technology. End-users have ready access
to extremely advanced technology
simply by walking into a retail electronics store. They increasingly expect to
be able to use these consumer-grade
devices to manage all aspects of their
work and personal lives.
Consumerization opens up a variety of concerns for IT professionals
charged with simultaneously helping
users meet their business needs and
securing their networks. NetFlow
can help organizations monitor the
activity of personally-owned devices
on their networks for behavioral
anomalies that could signify threats.
NetFlow technology plays an important role in identifying and
reacting to the risks posed by mobile devices. As traffic to and
from these devices traverses the internal network, NetFlow
captures the patterns of their network behavior and can
quickly alert security professionals to any anomalous activity.
No other monitoring technology provides such rapidly deployable, broad coverage at such a low cost to the organization.
Virtualization
Organizations are quickly embracing the use of virtualization
technology to host many virtual servers on a single hardware
platform. This provides many apparent benefits to the enterprise, including:
✓ Recapture of computing resources (CPU cycles, memory, storage) that would otherwise go unused.
✓ Reduced hardware footprint, allowing greater data center density.
✓ Smaller environmental impact, reducing carbon emissions.
Virtualization comes, however, with challenges for network
security analysts. Communications between guest systems
running on the same virtual host never touch an actual hardware switch or cross a network wire. Instead, they are routed
through a virtual switch that exists in the memory of the virtualization host.
The communications taking place over virtual switches are
difficult to protect with conventional security tools, and are
invisible to traditional NetFlow technology. For this reason,
many organizations are adopting NetFlow solutions that have
specialized virtual network collectors, such as Lancope’s
StealthWatch FlowSensor VE (virtual edition). For more about
this, see Chapter 3.
Evolution of the Network
Advances in networking technology also complicate the jobs
of security professionals seeking visibility into enterprise
networks. In addition to virtualized networks, three additional
trends play important roles in shaping the future of network
monitoring: high-speed networking, MPLS environments, and
IPv6 deployment. Each of these technologies has the potential
to disrupt current network flow monitoring solutions if not
properly managed.
High-speed networking
Many organizations are moving to higher speed networks in
response to increased user demand for data-intensive applications. In many cases, networks with 10Gbps segments are
capable of generating hundreds of thousands of network flows
per second.
This increase in bandwidth requires a scalable NetFlow analysis system capable of monitoring massive amounts of data in
real time.
MPLS environments
Multiprotocol Label Switching (MPLS) networks are turning
the hierarchical Ethernet paradigm on its head. Unlike traditional data networks, MPLS networks don’t utilize a centralized hub where security analysts can attach a monitoring
device to capture all traffic.
NetFlow architectures for MPLS networks must take this into
account and use a series of flow sensors or exporters placed
in strategic positions throughout the enterprise network.
IPv6 deployment
The rapid depletion of available IP address space is beginning
to drive the long-anticipated adoption of IPv6 networking,
especially in larger organizations. Those enterprises with IPv6
networking in place or planning deployment of such networks
in the near future should be sure to select a NetFlow solution
that accommodates IPv6 addressing.
Chapter 3
Choosing a Solution for
NetFlow Collection
In This Chapter
▶Identifying the objectives of your NetFlow deployment and selecting
an appropriate solution
▶Designing a scalable NetFlow infrastructure able to accommodate the
flows generated by your network
▶Leveraging advanced analysis techniques to mine significant security
information from NetFlow data
NetFlow provides a valuable source of information about
activity on your network in a consistent, standardized
format supported by many networking and security vendors.
Collecting data, however, is where the standardization stops.
Many different systems provide the ability to collect and analyze NetFlow data, ranging from open-source packages with
limited functionality to commercial systems with advanced
analysis capabilities.
What’s Your Objective?
As you begin to select a NetFlow analysis solution, you should
have a clear understanding of the objectives of your deployment. Some possibilities include:
✓
Monitoring your network for anomalous activity that may
indicate a security event.
✓
Creating a forensic audit trail to assist in post-incident
analysis following a security breach.
✓
Providing network engineers with a robust tool for
troubleshooting network performance issues.
✓
Complying with regulatory requirements to retain network connection information.
As you consider various NetFlow collection and analysis platforms, keep your objectives front-of-mind and allow them to
drive your product selection process.
Designing for Scalability
Conducting NetFlow analysis in large environments requires solutions with a scalable architecture, something most open-source products and software-only solutions weren't designed for. Flow rates in excess of 100,000 flows per second aren't uncommon in large enterprises or eCommerce environments. Figure 3-1 provides an example of a scalable architecture consisting of three components: NetFlow exporters, flow collectors, and a management console. Administrators can add capacity at any layer as needed.
Figure 3-1 diagram, three layers from top to bottom: Management, a StealthWatch Management Console (with Flow Analytics Console) collecting from up to 25 StealthWatch FlowCollectors; Flow collection, StealthWatch FlowCollectors that store and analyze flows from up to 2,000 flow sources at up to 120,000 flows per second (fps); NetFlow exporters, where NetFlow is generated either by Cisco equipment (NetFlow- and sFlow-capable routers and switches) or by a StealthWatch FlowSensor in areas without NetFlow support (the FlowSensor NetFlow generator appliance, or FlowSensor VE on VMware ESX hosts).
Figure 3-1: Scalable NetFlow analysis platforms use three layers of
devices: NetFlow exporters, flow collectors, and a management
console. (Source: Lancope, Inc.)
NetFlow exporters
A wide variety of devices are capable of generating NetFlow
data and exporting it to a flow collection system. There are
three basic categories of NetFlow exporters:
✓
Routers, switches, and firewalls. Network infrastructure
components are in a unique position to capture and export
NetFlow information due to their central location in the
network. In many cases, an organization’s existing network
infrastructure is already capable of generating NetFlow
records and exporting them to a collection system.
✓
Dedicated flow sensors. NetFlow collection system
vendors also offer passive flow sensors that may be connected to a network tap in a manner similar to an intrusion
detection system. They then monitor traffic on the tap,
generating flow records for each connection encountered.
✓
Virtual flow sensors. Specialized flow sensors operate in
virtualized networking environments, monitoring the traffic passing through a virtual switch and exporting flow
records to the collection system.
You can limit the amount of data exported by NetFlow devices
using Cisco’s Flexible NetFlow (FNF) technology. For more
about this technology, see Chapter 6.
Flow collectors
Flow collectors are the workhorses of the NetFlow analysis
system. They receive flow records from exporters and perform a number of critical tasks, including:
✓
Flow deduplication. In networks with multiple flow
exporters, the same network connection may be captured multiple times. Flow collectors must watch for this
and remove duplicate records before performing security
analysis on the flows.
✓
Flow stitching. NetFlow generates unidirectional records,
resulting in two different flow records for each network
session. The flow collector puts these back together
again, giving analysts the full picture of each connection.
✓
Behavioral analysis and pattern recognition. Security-oriented flow collectors provide algorithms and mechanisms for analyzing flows to detect security threats.
✓
Flow storage. The flow collector will store weeks,
months, perhaps even years worth of flow data. The collector’s flow database is used to perform detailed forensics and incident response.
The number of flow collectors you need will depend upon the
amount of NetFlow data generated on your network. This is
normally measured in flows per second. Chapter 6 discusses a
technique for estimating your network’s flow rate.
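To make the first two collector tasks concrete, here is an added example in Python of what a collector does with raw exports: it parses NetFlow v5 datagrams, drops the copy of a connection that a second exporter on the path reported, and stitches each pair of unidirectional records into one session. This is not StealthWatch or Cisco code; the two datagrams are constructed in the script from the public v5 wire layout (24-byte header, 48-byte records), and the deduplication and stitching rules are simplified assumptions, not a vendor's algorithm.

```python
"""Parse NetFlow v5 datagrams, drop records duplicated across exporters, and
stitch the two unidirectional records of each connection into one session.
Added example (not StealthWatch or Cisco code). The datagrams are constructed
below from the public v5 layout: 24-byte header, then 48-byte records."""
import struct
from collections import namedtuple
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")             # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifin, ifout, pkts, octets, first, last, sport, dport, ...

Flow = namedtuple("Flow", "src dst sport dport proto packets octets first last flags")
Session = namedtuple("Session", "client server sport dport proto client_bytes server_bytes duration_ms")


def parse_v5(datagram):
    """Return the Flow records carried in one NetFlow v5 datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count exceeds payload")   # malformed or truncated export
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(str(IPv4Address(r[0])), str(IPv4Address(r[1])), r[9], r[10], r[13],
                          r[5], r[6], r[7], r[8], r[12]))
    return flows


def dedupe(flows):
    """Drop the same connection reported again by a second exporter on its path.
    First/Last are exporter-relative uptime values, so they are left out of the key."""
    seen, out = set(), []
    for f in flows:
        key = (f.src, f.dst, f.sport, f.dport, f.proto, f.packets, f.octets)
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def stitch(flows):
    """Pair each record with its reverse-direction twin; the earlier one is the initiator.
    Unanswered records (scans, one-way UDP) are kept as sessions with 0 server bytes."""
    pending, sessions = {}, []
    for f in flows:
        twin = pending.pop((f.dst, f.src, f.dport, f.sport, f.proto), None)
        if twin is None:
            pending[(f.src, f.dst, f.sport, f.dport, f.proto)] = f
            continue
        a, b = sorted((f, twin), key=lambda x: x.first)
        sessions.append(Session(a.src, a.dst, a.sport, a.dport, a.proto, a.octets, b.octets,
                                max(a.last, b.last) - min(a.first, b.first)))
    for f in pending.values():
        sessions.append(Session(f.src, f.dst, f.sport, f.dport, f.proto, f.octets, 0, f.last - f.first))
    return sessions


def build_v5(records, seq=0):
    """Encode (src, dst, sport, dport, proto, pkts, octets, first, last, flags) tuples as one datagram."""
    header = V5_HEADER.pack(5, len(records), 600000, 1_600_000_000, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(int(IPv4Address(s)), int(IPv4Address(d)), 0, 1, 2, pk, oc, fi, la,
                       sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc, fi, la, fl in records)
    return header + body


# Constructed exports: the core router sees all three records; the distribution
# switch sees the same HTTPS connection again, stamped with its own uptime clock.
CORE_ROUTER = build_v5([
    ("10.1.1.5", "10.2.2.10", 51000, 443, 6, 12, 1800, 1000, 5000, 0x1b),
    ("10.2.2.10", "10.1.1.5", 443, 51000, 6, 10, 9000, 1020, 5000, 0x1b),
    ("10.1.1.7", "10.2.2.11", 44000, 22, 6, 1, 60, 2000, 2000, 0x02),     # lone SYN, never answered
])
DIST_SWITCH = build_v5([
    ("10.1.1.5", "10.2.2.10", 51000, 443, 6, 12, 1800, 3000, 7000, 0x1b),
    ("10.2.2.10", "10.1.1.5", 443, 51000, 6, 10, 9000, 3020, 7000, 0x1b),
], seq=1)


def collect(datagrams):
    """What a collector does with a batch of exports: parse, dedupe, stitch."""
    return stitch(dedupe([f for d in datagrams for f in parse_v5(d)]))


if __name__ == "__main__":
    for s in collect([CORE_ROUTER, DIST_SWITCH]):
        print(s)
```

Two things worth noticing: the length check before unpacking is what keeps a truncated or malformed export from crashing the collector, and the deduplication key deliberately ignores the First/Last fields, because each exporter stamps them from its own uptime clock (the same connection shows 1000..5000 on the router and 3000..7000 on the switch).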
Management console
In large networks, multiple flow collectors are needed to
collect flows. When multiple collectors are used, a central
management console is a must. The management console provides the day-to-day interface used by networking and security professionals to interact with and manage the NetFlow
analysis platform. Management consoles typically offer a wide
set of features, including:
✓
Dashboards providing analysts with quick overviews of
network activity.
✓
Advanced analytic capabilities to visualize abnormal
behavior.
✓
Alarms that immediately alert analysts when certain suspicious conditions occur.
✓
A management interface that allows the reconfiguration
of the NetFlow analysis system.
✓
Management of the security policy across multiple
collectors.
✓
Per-user access restrictions to the flow data.
Before selecting a system, be sure to give the management
console a test drive. It’s helpful to go back to your objectives
and prepare a list of common tasks that you expect analysts
will perform and then walk through those tasks in the management console. There’s nothing like hands-on experience to
help you evaluate a product.
Enhancing Analysis Capabilities
One of the true differentiators of NetFlow collection
systems is the sophistication of the analysis tools provided
through their management consoles. Some systems offer
advanced features, such as behavior analysis, security
indexes, and activity alarms to facilitate network security
monitoring.
Network behavior analysis
NetFlow records provide a uniquely valuable data source for
identifying anomalous behavior. Many systems, especially
critical servers, are creatures of habit — they engage in the
same types of activity with the same systems from day to day.
Figure 3-2 provides an illustration of how this activity can be
baselined to develop a picture of your network under normal
conditions.
Once you’ve developed a baseline of network activity, your
NetFlow analysis system can then identify anomalies by
watching for deviations from that baseline. Security analysts
can use that information to proactively identify potential
security incidents requiring further investigation.
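Here is an added example of the baselining idea in Python. It is not StealthWatch's algorithm; it keeps a per-host, per-attribute daily history for three of the attributes shown in Figure 3-2, scores today's value against the mean and standard deviation of that history, and alarms only when the deviation is both statistically large and larger than an absolute floor. The history, today's values, the three-sigma threshold and the five-day minimum are all constructed assumptions.

```python
"""Baseline each host's behaviour attributes from daily summaries and alarm on
deviations. Added example; this is not StealthWatch's algorithm. The history and
today's values are constructed; the attributes are three of those in Figure 3-2."""
from statistics import mean, pstdev

MIN_SAMPLES = 5    # days of history required before a host is judged at all (assumption)
SIGMA = 3.0        # alarm when today is more than 3 standard deviations above the baseline
MIN_DELTA = {"flows": 100, "syns_sent": 50, "bytes_out": 50_000_000}   # absolute floor: +3 flows is not an incident

# constructed 7-day history for a stable web server and a host only 2 days old
HISTORY = {
    "web-01": {"flows": [400, 420, 390, 410, 405, 415, 398],
               "syns_sent": [12, 10, 15, 11, 9, 14, 12],
               "bytes_out": [2.0e8, 2.1e8, 1.9e8, 2.05e8, 2.0e8, 2.1e8, 1.95e8]},
    "new-host": {"flows": [50, 60], "syns_sent": [5, 7], "bytes_out": [1e6, 2e6]},
}
TODAY = {
    "web-01": {"flows": 2900, "syns_sent": 2500, "bytes_out": 2.0e8},   # the web server began scanning
    "new-host": {"flows": 9000, "syns_sent": 9000, "bytes_out": 5e6},  # no baseline yet
}


def baseline(samples):
    """Mean and population standard deviation of one attribute's history."""
    return mean(samples), pstdev(samples)


def detect(history, today, sigma=SIGMA, min_samples=MIN_SAMPLES):
    """Return (host, attribute, kind, z) rows where kind is 'alarm', 'ok' or 'unscored'.
    Only increases are alarmed here; a drop to zero (server down) is a separate check."""
    rows = []
    for host, observed in today.items():
        for attr, value in observed.items():
            samples = history.get(host, {}).get(attr, [])
            if len(samples) < min_samples:
                rows.append((host, attr, "unscored", None))   # refuse to guess on thin history
                continue
            mu, sd = baseline(samples)
            z = (value - mu) / max(sd, 1e-9)                  # a perfectly flat history would divide by zero
            alarm = z > sigma and value - mu > MIN_DELTA.get(attr, 0)
            rows.append((host, attr, "alarm" if alarm else "ok", round(z, 1)))
    return rows


def ranked_alarms(rows):
    """Worst first, the way a concern-style index presents them."""
    return sorted((r for r in rows if r[2] == "alarm"), key=lambda r: -r[3])


if __name__ == "__main__":
    rows = detect(HISTORY, TODAY)
    for row in ranked_alarms(rows):
        print(row)
    print("unscored:", [(h, a) for h, a, k, _ in rows if k == "unscored"])
```

The two guards matter more than the statistics. Without the absolute floor, a host whose history is nearly flat alarms on trivial changes; without the minimum sample count, a newly built host is compared against two days of nothing and looks anomalous whatever it does.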
Security indexes
NetFlow analysis platforms have access to a large amount of
data about anomalous connections, and analysts may struggle
to identify the significant data that requires their immediate
attention. One approach to this problem is the use of security indexes that summarize this data into easily prioritized
“scores.”
Figure 3-2 diagram: flows are collected and analyzed to establish a baseline of each host's behavior using attributes such as number of concurrent flows, packets per second, bits per second, new flows created, number of SYNs sent, number of SYNs received, rate of connection resets, duration of the flow, time of day, and over 80 other attributes. Each host group (Critical Servers, Exchange Servers, Web Servers, Marketing) has its own threshold, and an alarm is raised when a host's behavior crosses it.
Figure 3-2: Network behavior analysis algorithms allow you to baseline
normal behavior for a host and alert security analysts to future
deviations from that baseline. (Source: Lancope, Inc.)
For example, Lancope’s StealthWatch System provides three
indexes for anomalous behavior:
✓
The Concern Index (CI) tracks hosts that appear to pose
a threat to the integrity of your network.
✓
The Target Index (TI) tracks hosts that the system suspects may be the victims of suspicious activity.
✓
The File Sharing Index (FSI) monitors systems that
appear to be engaged in peer-to-peer (P2P) file sharing
activity.
Security alarms
One of the most important features of a NetFlow analysis
system is its capability to run in an unmanned mode, freeing
analysts to perform other tasks. This is done through the use
of security alarms that may be triggered by violations of an
organization’s security policy or significantly anomalous network behavior (see Figure 3-3).
Figure 3-3: With the StealthWatch Concern Index, administrators can
easily determine which issues need to be dealt with first for
optimum network protection. (Source: Lancope, Inc.)
A NetFlow system should be capable not only of generating
alarms but also of triaging them by severity level. For example, the Lancope StealthWatch System uses a five-tier system
that assigns different colors to alarms:
✓
Red: Critical severity
✓
Orange: Major severity
✓
Yellow: Minor severity
✓
Blue: Trivial severity
✓
Light blue: Informational
Analysts can use this color coding to quickly identify the security alarms that require immediate attention. Alarm information can also be exported from the system via syslog, SNMP,
or e-mails sent to the network security analyst.
Adapting to Emerging
Technologies
The final criterion you should consider when selecting a NetFlow system is the vendor's ability to adapt to emerging technologies, including:
✓
MPLS networks
✓
Virtualization
✓
IPv6
✓
High-speed networking
✓
Mobile devices
For more on these topics, see Chapter 2.
Although you'll definitely want to ensure that the system you choose supports your current network environment, a vendor's willingness and ability to quickly adapt to new technologies is also a reassuring indication that they will remain ahead of the technology curve.
Chapter 4
Putting NetFlow to Work
for Security
In This Chapter
▶Leveraging NetFlow information to gain visibility into the security of
your network
▶Correlating NetFlow records with information from other systems
▶Using NetFlow analysis techniques to gain situational awareness,
maintain a forensic audit trail, and comply with security regulations
NetFlow records, combined with an effective analysis
platform, can provide important capabilities to security analysts struggling to maintain visibility into a complex
enterprise network. One of the most valuable characteristics
of a NetFlow analysis platform is its ability to reduce the mean
time to know (MTTK) for a security event. In this chapter,
I look at a number of the specific security applications of
NetFlow data.
Total Network Visibility
NetFlow offers security analysts the ability to view network
traffic information from across the entire network, from the
edge to core to access. Many analysis packages offer the ability to not only consolidate data from NetFlow collectors distributed across many points on the local network, but also to
collect data across wide area network links to remote sites.
Figure 4-1 provides an example of NetFlow information gathered from multiple international locations and consolidated
into a single view using Lancope’s StealthWatch Management
Console.
Figure 4-1: This screenshot from the StealthWatch Management Console
demonstrates the consolidation of information from local and
remote networks into a single view. (Source: Lancope, Inc.)
Correlating Flows with Context
Another powerful feature of NetFlow analysis tools is their
ability to integrate external information with network connection data to build a more complete picture of network activity.
Integration with IDS, IPS, and
firewall event sources
NetFlow fills the gaps left by traditional security technologies such as IDS and firewalls. Some NetFlow systems, such as Lancope's StealthWatch, can collect syslog messages and SNMP traps from firewalls or from IDSs such as Snort. Combining that signature-based event data with network flow data gives a more complete picture of an attack: the IDS says what was attempted, and the flows show what the attacker and the victim did before and after.
Identity awareness
Almost every security investigation that begins with NetFlow
records at some point requires identifying the individual user
and/or system involved in a communication. Unfortunately,
generic NetFlow doesn’t provide this information, because
NetFlow exporters don’t have access to information not found
in the packets comprising the flow.
Some NetFlow systems provide security analysts with the
added ability to correlate identity information from other
sources, such as the identity of an individual user, retrieved
from a Windows domain controller, proxy server, or a VPN
concentrator. Identity-aware NetFlow collectors bridge the
gap between IP addresses and users.
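As an added illustration of that bridge, here is a small Python example of joining flows to users with time-bounded identity events. It is not StealthWatch's identity integration; the logon, DHCP and VPN events and the flows are constructed. The point it demonstrates is that an address maps to a user only for the interval during which that user held it, so the join has to use the flow's start time; the naive "whoever has the address now" lookup is included to show how it misattributes traffic.

```python
"""Attribute flows to users with time-bounded identity events (domain logons,
DHCP leases, VPN assignments). Added example, not StealthWatch's identity
integration. Events and flows are constructed. The join must use the flow's
start time: an IP belongs to a user only for the interval that user held it."""

# (ip, user, start, end); end=None means the assignment is still current
IDENTITY_EVENTS = [
    ("10.1.1.5", "alice", 1000, 1900),     # domain logon / DHCP lease
    ("10.1.1.5", "bob", 2000, None),       # lease expired, address reissued to bob
    ("172.16.9.3", "carol", 500, None),    # VPN concentrator assignment
]

# (src, dst, dport, start_ts, bytes)
FLOWS = [
    ("10.1.1.5", "203.0.113.9", 443, 1500, 120_000),
    ("10.1.1.5", "203.0.113.9", 443, 2500, 9_000_000),
    ("10.1.1.5", "203.0.113.9", 443, 1950, 500),        # falls in the gap between leases
    ("172.16.9.3", "10.2.2.10", 445, 700, 4_000),
    ("10.9.9.9", "10.2.2.10", 22, 800, 60),             # subnet with no identity source at all
]


def build_index(events):
    """ip -> assignments sorted by start time."""
    index = {}
    for ip, user, start, end in events:
        index.setdefault(ip, []).append((start, end, user))
    for assignments in index.values():
        assignments.sort(key=lambda a: a[0])
    return index


def user_for(index, ip, ts):
    """User holding ip at time ts, or None when no assignment covers that instant."""
    holder = None
    for start, end, user in index.get(ip, []):
        if start <= ts and (end is None or ts < end):
            holder = user          # if intervals overlap, the later assignment wins
    return holder


def naive_user_for(index, ip):
    """The common mistake: attribute every flow to whoever holds the address now."""
    assignments = index.get(ip)
    return assignments[-1][2] if assignments else None


def enrich(flows, events):
    """Append the responsible user (or None) to every flow."""
    index = build_index(events)
    return [(src, dst, dport, ts, nbytes, user_for(index, src, ts))
            for src, dst, dport, ts, nbytes in flows]


def bytes_by_user(enriched):
    """Per-user byte totals; the None bucket is what still needs a human to attribute."""
    totals = {}
    for *_, nbytes, user in enriched:
        totals[user] = totals.get(user, 0) + nbytes
    return totals


if __name__ == "__main__":
    for row in enrich(FLOWS, IDENTITY_EVENTS):
        print(row)
    print(bytes_by_user(enrich(FLOWS, IDENTITY_EVENTS)))
```

Keep the None bucket visible rather than dropping it: a flow that no identity source can explain (a gap between leases, a subnet nobody logs) is exactly the kind of traffic an investigation needs to see.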
Gaining Situational Awareness
NetFlow data also provides keen insight for individuals seeking
greater situational awareness on their networks. Specifically,
security analysts can use NetFlow analysis techniques to
reduce the MTTK for security risks on their networks.
Worm detection
Worms are an especially virulent form of malicious code
that exploit network vulnerabilities to spread from system to
system without user intervention. This often takes the form of
infecting a host system and then using that system to scan the
local network for other systems that might be vulnerable to
attack. The worm then infects those vulnerable systems and
continues its spread outward.
This pattern of contact is easily modeled. One system (the
original infection) begins scanning the network, contacting
many other systems. Then a subset of those systems (the next
round of victims) exhibit the same behavior. NetFlow analysis can identify these systems due to their unique pattern of
anomalous activity (see Figure 4-2).
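Here is that model worked through in Python as an added example (not StealthWatch's worm-detection algorithm). Flows are constructed: a patient-zero host sweeps a /24 on port 445, two of the hosts it reached begin sweeping other subnets a little later, and a busy but benign host talks to one peer repeatedly. The detector counts distinct destinations per source and port inside a sliding time window, and the chain builder links each scanner to the earlier scanner that touched it first. The 20-destination, 60-second thresholds are assumptions.

```python
"""Detect worm-like spread in flow records: a host contacting many distinct targets
on one port within a short window, then some of those targets doing the same.
Added example, not StealthWatch's algorithm. Flows are constructed as
(timestamp, src, dst, dport, packets) tuples."""
from collections import defaultdict

FANOUT_THRESHOLD = 20   # distinct destinations on one port within WINDOW seconds (assumption)
WINDOW = 60


def scan_flows(src, start, targets, dport=445):
    """One tiny flow per target, one second apart: what a scanning host looks like."""
    return [(start + i, src, t, dport, 1) for i, t in enumerate(targets)]


# patient zero sweeps 10.1.1.0/24; two of the hosts it reaches begin sweeping other subnets
PATIENT_ZERO = "10.1.1.50"
FLOWS = scan_flows(PATIENT_ZERO, 100, [f"10.1.1.{i}" for i in range(1, 41)])
FLOWS += scan_flows("10.1.1.7", 200, [f"10.1.2.{i}" for i in range(1, 31)])
FLOWS += scan_flows("10.1.1.9", 260, [f"10.1.3.{i}" for i in range(1, 26)])
FLOWS += [(150 + i, "10.1.1.200", "10.2.2.10", 443, 40) for i in range(30)]   # busy but benign: one peer


def scanners(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """{src: time the burst began} for hosts reaching >= threshold distinct dsts on one port within window."""
    contacts = defaultdict(list)                      # (src, dport) -> [(ts, dst)]
    for ts, src, dst, dport, _ in flows:
        contacts[(src, dport)].append((ts, dst))
    found = {}
    for (src, _), events in contacts.items():
        events.sort()
        active, j = defaultdict(int), 0               # distinct dsts inside the sliding window
        for ts, dst in events:
            active[dst] += 1
            while events[j][0] < ts - window:         # expire contacts that fell out of the window
                old = events[j][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                j += 1
            if len(active) >= threshold:
                found[src] = min(found.get(src, ts), events[j][0])
                break
    return found


def propagation_chain(flows, found):
    """Map each scanner to the earlier scanner that first touched it (None = patient zero)."""
    first_touch = {}                                  # dst -> (ts, src): earliest contact from any scanner
    for ts, src, dst, _, _ in sorted(flows):
        if src in found and dst not in first_touch:
            first_touch[dst] = (ts, src)
    chain = {}
    for host, began in found.items():
        ts, infector = first_touch.get(host, (None, None))
        chain[host] = infector if infector is not None and ts < began else None
    return chain


if __name__ == "__main__":
    found = scanners(FLOWS)
    for host, infector in propagation_chain(FLOWS, found).items():
        print(host, "<-", infector or "patient zero")
```

Counting distinct destinations rather than flows is what keeps the benign host out of the result: thirty connections to one server is a chatty client, thirty connections to thirty servers on the same port is a sweep.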
Botnet detection
Many hackers maintain networks of systems used to conduct
other malicious activity, such as waging distributed denial of
service attacks. These networks, known as botnets (short for robot networks), often lie dormant for long periods of time until activated by the hacker (or botmaster).
Figure 4-2: Advanced flow collection and analysis systems can help users
easily track the spread of malware throughout their infrastructure for fast mitigation. (Source: Lancope, Inc.)
NetFlow offers security analysts the ability to detect systems
on your network that may be members of a botnet and, therefore, under the control of an external party. One of the easiest
ways to detect botnet activity is to look for systems communicating with known command-and-control servers used by
botmasters to control their botnets.
IP reputation lists such as ZeuS Tracker
(https://zeustracker.abuse.ch) can be integrated into
the StealthWatch FlowCollector for easy detection of botnet
activity within the network. IP addresses from the ZeuS
Tracker list are automatically pushed into the collector and
matched against the IP addresses found within the incoming
flows. When an internal host attempts to communicate with a
botnet command-and-control server, the flows are flagged and
brought to the security administrator’s attention.
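The matching step itself is simple, but a few details decide whether it produces useful alarms. The following added Python example (not the StealthWatch or ZeuS Tracker integration) works from a constructed feed in the one-entry-per-line form most reputation lists use. It tolerates comments and malformed lines, handles single addresses and CIDR blocks in both IPv4 and IPv6, and flags only connections initiated from an internal host to a listed external address; an inbound connection from a listed address is a different event. The internal address ranges are an assumption.

```python
"""Flag internal hosts that talk to addresses on a command-and-control reputation
list. Added example; the ZeuS Tracker feed integration is not shown. The feed text
and flows are constructed. Handles single addresses and CIDR blocks, IPv4 and
IPv6, and alarms only on connections initiated from inside the network."""
import ipaddress

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# one entry per line, comments allowed: the form most reputation feeds use
FEED = """# constructed sample feed
203.0.113.7          # single C2 address
198.51.100.0/24      # whole hosting range
2001:db8:bad::/48
not-an-address
"""

FLOWS = [   # (src, dst, dport)
    ("10.1.1.5", "203.0.113.7", 443),       # hit: exact address
    ("10.1.1.6", "198.51.100.42", 8080),    # hit: inside a listed block
    ("10.1.1.7", "203.0.113.8", 443),       # clean neighbour of a listed address
    ("203.0.113.7", "10.1.1.5", 22),        # inbound from a listed address: not a beacon
    ("10.1.1.8", "2001:db8:bad::1", 443),   # hit: IPv6 block
]


def load_feed(text):
    """Split a feed into a set of exact addresses and a list of networks."""
    hosts, nets = set(), []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue                      # one bad line must not discard the whole feed
        if net.num_addresses == 1:
            hosts.add(net.network_address)
        else:
            nets.append(net)
    return hosts, nets


def is_listed(addr, hosts, nets):
    """Exact-address set first (cheap), then the CIDR blocks."""
    return addr in hosts or any(addr in n for n in nets)


def is_internal(addr):
    return any(addr in n for n in INTERNAL)


def c2_hits(flows, feed_text):
    """Flows from an internal host to a listed external address."""
    hosts, nets = load_feed(feed_text)
    hits = []
    for src, dst, dport in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if is_internal(s) and not is_internal(d) and is_listed(d, hosts, nets):
            hits.append((src, dst, dport))
    return hits


if __name__ == "__main__":
    for hit in c2_hits(FLOWS, FEED):
        print("possible C2 beacon:", hit)
```

A reputation list ages quickly, so in a real collector the feed is reloaded on a schedule and each hit should carry the entry that matched it, so an analyst can tell whether the alarm came from a single address or from a whole hosting range that may also contain legitimate services.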
Application awareness
In years past, security analysts were normally able to rely
on destination port numbers in flow records to indicate the
application in use during a particular connection. An example
would include communications taking place on port 80, which
normally consists of HTTP traffic.
However, the ability of HTTP traffic to pass through almost
all firewalls made it an easy target for application developers
seeking an easy way to tunnel traffic through an organization’s perimeter. Port 80 is now used for VPN connections,
videoconferencing, instant messaging, gaming, VoIP calls, and
many other applications.
NetFlow v9 and IPFIX use templates, so an exporter that classifies traffic can add an application identifier to each record alongside the port number, recording the actual application in use within the flow. A few examples of application-aware NetFlow exporters include Palo Alto firewalls, Lancope's FlowSensor NetFlow generator, BlueCoat's PacketShaper, and Cisco IOS 15.1 and above (via the Network-Based Application Recognition, or NBAR, feature set).
Well-intentioned application developers aren't the only ones aware of this trick. Malicious code authors often use port 80 to tunnel command-and-control traffic through enterprise firewalls.
Some advanced NetFlow analysis systems have the ability to
peer inside network traffic and perform deeper inspection,
identifying the particular application in use for each session
and including that information in the retained flow data.
Maintaining a Forensic
Audit Trail
One of the first ways that many organizations use NetFlow
data for security purposes is in a forensic/incident response
role. They simply enable NetFlow exporting to a flow collector
and then allow the flow data to accumulate over time. This then becomes a valuable source of information for post-incident assessment in the event of a security breach. NetFlow acts as a 24x7 continuous audit trail of all communications that occur within the network.
Analysts can retrieve data from the StealthWatch System to
assist with forensic analysis. For a given pair of systems, the
analyst can identify the number of communication sessions
that took place, the duration of those sessions, the amount of
data passed, and additional technical details.
NetFlow and Compliance
Many industries are subject to information security laws and
regulations that require the use of strict security controls to
protect the confidentiality, integrity, and availability of sensitive information. Network flow data can help in these cases by
providing security analysts the tools they need to proactively
monitor the compliance status of a network, conduct forensic
investigations, identify malicious software in use on the network, and assess the effectiveness of other security controls.
NetFlow data can assist organizations seeking to comply with
the Payment Card Industry Data Security Standard (see the
sidebar “NetFlow and PCI DSS”), Health Insurance Portability
and Accountability Act (HIPAA), Sarbanes Oxley Act (SOX),
Control Objectives for Information and Related Technologies (COBIT), and
National Institute of Standards and Technology (NIST) 800
series, among others.
NetFlow and PCI DSS
The Payment Card Industry Data
Security Standard (PCI DSS) creates
a number of obligations for organizations involved in the processing of
credit card transactions. Although
PCI DSS doesn’t explicitly call for
NetFlow monitoring, the standard
includes a number of requirements
that may be facilitated through a
NetFlow analysis platform. These
include:
✓ Enable only necessary and secure services, protocols, daemons, and so on, as required for the function of the system. (Requirement 2.2.2)
✓ Encrypt all non-console administrative access with strong cryptography, using technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access. (Requirement 2.3)
✓ Place system components that store cardholder data, such as a database, in an internal network zone segregated from the DMZ; for example, the web server and the database server must not be the same Internet-facing system. (Requirement 1.3.7)
Requirement numbers follow PCI DSS version 2.0, the version current when this book was written.
Chapter 5
Viewing NetFlow
Security Data
In This Chapter
▶Leveraging dashboards to get at-a-glance insight into suspicious
network activity
▶Using StealthWatch’s reporting capabilities to generate the data
views you need
▶Grouping related hosts in relational maps to gain additional insight
In this chapter, I look at several ways that Lancope's
StealthWatch System enables security administrators to
view NetFlow data.
Leveraging Dashboards
Reviewing a NetFlow security dashboard should be every
security analyst’s first step in the morning. The dashboard
allows you to assess the health and security of your network
at a single glance, immediately identifying issues that might
require further investigation (refer to Figure 4-1 for a visual).
Dashboards aren’t just for analysts! You might consider using
the security dashboard to provide managers and executives
with a view into your security posture.
The Lancope StealthWatch Management Console provides
a dashboard view. This dashboard includes the following
information:
✓
Top Internet destinations
✓
Top internal talkers
✓
Top suspicious internal hosts
✓
Geographic activity map
✓
Relational activity map
✓
Average round trip time
✓
Total traffic to the Internet
When viewing the dashboard, you might notice, for example,
that an unusual host appears on your top talkers list (as
illustrated in Figure 5-1). A security analyst could then drill
into that traffic to conduct a follow-up investigation and determine whether it was legitimate or might indicate a security
incident.
Figure 5-1: When fully leveraged, NetFlow can provide complete visibility
across the entire network, along with the ability to drill down
into specific communications for more effective troubleshooting. (Source: Lancope, Inc.)
Point-of-View technology
You’ve probably realized by this
point that StealthWatch provides
a wealth of information valuable to
both security and networking professionals. Different technical professionals have different needs from the system, and Lancope's Point-of-View technology helps accommodate these diverse needs.
Point-of-View provides security
and networking professionals with
different views when they access
the StealthWatch console. Security
professionals will see information
about violations of your organization’s defined policies and potential
malware infections on your network.
Network professionals, on the other
hand, will get technical detail on
router statistics, traffic trends, and
the most active hosts, for example.
Reporting on NetFlow Data
In addition to the dashboard view, security administrators
may use their NetFlow analysis platform for detailed reporting. One way to do this is through the use of predefined
reports created by the platform developer for widespread
use. Figure 5-2 provides an example of a predefined report
from StealthWatch showing network activity by protocol over
time.
In addition to predefined reports, administrators can create
customized reports tailored to their workflows and personal
preferences. StealthWatch allows administrators to create
custom reports to meet their security requirements.
Developing effective, useful reports is an acquired skill that
is applicable across many disciplines, including security, networking, server administration, and others. You may wish to
hire a reporting specialist to integrate StealthWatch reports
with reports generated from other IT tools.
Figure 5-2: The StealthWatch Management Console provides administrators with a number of preconfigured reports, including a time-based view of traffic by protocol. (Source: Lancope, Inc.)
Relational Flow Maps
It becomes easier to understand network flow information
when you’re able to incorporate other information into your
assessment, such as the roles of different hosts and the geographic locations of systems. StealthWatch’s relational flow
maps make it possible to include this data in your analysis
and easily visualize the relationships between systems communicating on your network.
Figure 5-3 shows a flow map of a DMZ with systems grouped by
function. A quick glance at this diagram tells you that there is a
high level of activity from the Internet to your DHCP, DNS, and
backup servers. The shading of the mail server box indicates
an area of particular concern warranting further investigation.
Figure 5-3: StealthWatch offers map-based views of network activity,
grouping related systems by function. (Source: Lancope, Inc.)
In some cases, grouping flows by geographic location can
help provide insight into activity. Figure 5-4 shows an example
of this type of report, using StealthWatch’s ability to superimpose a flow map over an actual map to aid in analysis.
Figure 5-4: StealthWatch also allows the grouping of systems by location
and permits you to superimpose that information on an actual
map. (Source: Lancope, Inc.)
Taking the time to work through the reporting features of
your NetFlow analysis platform is a good investment of time.
By spending some up-front time customizing your reports
to fit your workflow and specific reporting needs, you can
improve the effectiveness of your troubleshooting and
decrease the amount of time spent on daily analysis.
Chapter 6
NetFlow for Security:
Best Practices
In This Chapter
▶Gauging NetFlow’s impact on your network and network devices
▶Estimating flows per second generated by typical networks
▶Customizing flow data with Cisco’s Flexible NetFlow technology
As you begin to design and deploy a NetFlow analysis
solution for your organization, it’s helpful to understand
some of the industry best practices that can make your environment more productive. In this chapter, I look at a few of
these best practices.
Gauging NetFlow’s Impact
on Your Network
One of the primary concerns that networking professionals
voice when considering a NetFlow deployment is the impact
that the technology will have on the performance of the network and the network devices used as NetFlow exporters. You
need to be able to answer questions to gain support from network administrators and management alike.
First, understand the bandwidth consumed by NetFlow data
traveling from exporters to the collector. Generally speaking, NetFlow traffic has a marginal impact on network bandwidth. On highly active networks, Lancope has found that the
network generates about 1,200 flows per second for every
250Mbps of traffic. With NetFlow v5 collection, this results in
about 680Kbps of NetFlow traffic, or a total bandwidth overhead of less than 1 percent.
Lancope offers a NetFlow Bandwidth Calculator on its website, which allows you to estimate the expected bandwidth
use of NetFlow in your environment based upon the version
of NetFlow you’re using and the expected number of flows per
second leaving the exporter. (Go to
www.lancope.com/NF-bandwidth-calc.)
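If you'd rather reason about the numbers yourself, here is an added Python estimator (not Lancope's calculator). It assumes the fixed NetFlow v5 wire layout (24-byte header, 48-byte records, at most 30 records per datagram) plus UDP/IP and Ethernet framing, applies the 1,200 flows per 250Mbps rule of thumb quoted above, and lets you model exporters that flush partly filled datagrams. Treat v9/IPFIX record sizes as parameters, because they depend on the template.

```python
"""Estimate export bandwidth for a given flow rate. Added example, not Lancope's
NetFlow Bandwidth Calculator. Uses the fixed NetFlow v5 wire layout (24-byte header,
48-byte records, at most 30 records per datagram) plus UDP/IP and Ethernet framing;
v9/IPFIX record sizes depend on the template, so they are parameters here."""

V5_HEADER, V5_RECORD, V5_MAX_RECORDS = 24, 48, 30
UDP_IP = 8 + 20
ETHERNET = 14 + 4 + 20          # header, FCS, preamble and inter-frame gap


def export_bandwidth_bps(flows_per_second, header=V5_HEADER, record=V5_RECORD,
                         max_records=V5_MAX_RECORDS, fill=1.0):
    """Bits per second on the wire. fill < 1 models exporters that flush partly filled
    datagrams when their timer fires, which raises the per-flow overhead."""
    per_datagram = max(1, int(max_records * fill))
    datagrams_per_second = flows_per_second / per_datagram
    bytes_per_second = datagrams_per_second * (header + per_datagram * record + UDP_IP + ETHERNET)
    return bytes_per_second * 8


def flows_from_traffic(traffic_mbps):
    """Rule of thumb from the text: about 1,200 flows/s per 250 Mbps on busy networks."""
    return traffic_mbps / 250 * 1200


def overhead_percent(traffic_mbps, **kwargs):
    """NetFlow export traffic as a percentage of the monitored traffic."""
    fps = flows_from_traffic(traffic_mbps)
    return export_bandwidth_bps(fps, **kwargs) / (traffic_mbps * 1e6) * 100


if __name__ == "__main__":
    for mbps in (250, 1000, 10000):
        fps = flows_from_traffic(mbps)
        print(f"{mbps} Mbps -> {fps:.0f} flows/s, "
              f"{export_bandwidth_bps(fps) / 1e3:.0f} kbps export, "
              f"{overhead_percent(mbps):.2f}% overhead")
```

With fully packed datagrams this gives about 490Kbps for 1,200 flows per second, which is a floor: a real exporter sends datagrams before they're full when its timer fires, so a measured figure such as the 680Kbps quoted above comes out higher. Either way the export stays well under 1 percent of the 250Mbps being monitored, and the `fill` parameter lets you see how much a chatty exporter adds.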
You’ll also want to consider the impact of NetFlow on the networking devices you’re using to export data. Some network
devices, such as the Cisco Catalyst 6000 series (with Sup720
or Sup2T), the Cisco Catalyst 4500 (with Sup 7-E), and the
Cisco ASR 1000, have hardware dedicated to NetFlow and
there is very little impact on the device itself.
On the other hand, other Cisco devices, such as the ASA
and ISR G1/G2, use the CPU to collect NetFlow data. In these
cases, the greater the number of concurrent flows active in
the router’s memory, the greater the impact to the CPU. As
the exporter becomes increasingly busy, the CPU impact from
NetFlow goes up. The general rule used by Lancope engineers when assisting with NetFlow implementations is to assume that NetFlow will add approximately 10 percent of the existing CPU utilization when running on a software-based exporter such as Cisco's ISR G1/G2. In other words, if your router is already running at 90 percent utilization, enabling NetFlow would add roughly 9 percentage points and bring it to about 99 percent, essentially maximum CPU capacity. Check the existing load before you enable NetFlow on such a device.
For devices performing NetFlow collection on the CPU, it’s the
number of concurrent flows through the device that determines the CPU impact, not the packets per second rate or
overall bandwidth.
Using NetFlow Appliances
If your network devices can’t handle the additional burden of
exporting NetFlow data or your networking staff is unwilling
to provide you with direct access to NetFlow data, you may
wish to consider using dedicated NetFlow appliances to collect data.
Lancope’s StealthWatch FlowSensor appliance sits on your
network and collects data through a network tap or switch
SPAN port. It then passively monitors the traffic crossing
your network and creates NetFlow records for export to
StealthWatch FlowCollectors. It’s also available as a virtual
appliance that installs as a virtual instance per VM. There’s
no impact on your routers, switches, or firewalls.
Additionally, the FlowSensor is application-aware and provides additional security metrics not found in traditional
NetFlow sources. These additional security metrics improve
the ability to detect security events such as SYN Flood DoS
attacks, botnets, and SMTP spam sources.
Estimating Flows per Second
As you prepare to design your NetFlow architecture, one of
the most important characteristics for determining the specifications of the equipment you need is the number of flows
per second on your network.
If you’re using traditional NetFlow, estimating the number of flows per second is quite straightforward. Simply run the show ip cache flow command on your device and look at the total flows per second on the last line of the result. Figure 6-1 shows an example of this command in use, with the result on the last line enclosed in a box.
Figure 6-1: Determining the number of flows per second on a Cisco device
using traditional NetFlow. (Source: Lancope, Inc.)
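The flows-per-second figure from the show ip cache flow output feeds directly into the bandwidth and CPU estimates discussed earlier in this chapter. The following Python script is an added example, not code from the book or from Lancope: it parses the protocol summary table of show ip cache flow output (a constructed sample is embedded), reads the Flows/Sec value from the Total: row, estimates the export bandwidth that traditional NetFlow version 5 would generate at that rate, and applies the 10 percent CPU rule of thumb for software-based exporters. The NetFlow v5 datagram layout (24-byte header, 48-byte records, at most 30 records per packet) is the published v5 format; the UDP/IPv4 overhead, the link speed, the starting CPU load and the 80 percent CPU ceiling are assumptions made for the illustration.

```python
"""Estimate the cost of enabling traditional NetFlow (version 5) on an exporter.

Added example: parses the protocol summary printed by ``show ip cache flow``,
then estimates export bandwidth and CPU impact from the flows-per-second
figure. The sample output below is constructed for the illustration.
"""

# Constructed sample of the protocol summary table from ``show ip cache flow``
# (all counts are invented; the column layout follows the IOS output).
SAMPLE_SHOW_IP_CACHE_FLOW = """\
IP Flow Switching Cache, 4456704 bytes
  2481 active, 63055 inactive, 4070784 added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-WWW        1893120    420.6        12   512    5047.2       3.9      10.1
TCP-other       982451    218.3        24   380    5239.2      14.7      12.8
UDP-DNS         731880    162.6         2    76     325.2       0.1      15.4
UDP-other       402311     89.4         5   190     447.0       6.2      15.8
ICMP             61022     13.6         3    64      40.8       1.9      15.6
Total:         4070784    904.5        13   402   11099.4       7.1      12.3
"""

# NetFlow version 5 datagram layout: a 24-byte header followed by up to 30
# fixed-size 48-byte flow records, carried over UDP.
V5_HEADER_BYTES = 24
V5_RECORD_BYTES = 48
V5_MAX_RECORDS_PER_PACKET = 30
UDP_IPV4_OVERHEAD_BYTES = 28  # assumed: 8-byte UDP header + 20-byte IPv4 header


def parse_total_flows_per_sec(show_output):
    """Return the Flows/Sec value from the 'Total:' row of the protocol table.

    The row is only accepted after the 'Protocol' header has been seen, so the
    word 'Total' appearing elsewhere in the output is not mistaken for it.
    """
    seen_header = False
    for line in show_output.splitlines():
        if line.startswith("Protocol"):
            seen_header = True
            continue
        if seen_header and line.startswith("Total:"):
            fields = line.split()
            # Columns after the label: Total Flows, Flows/Sec, Packets/Flow, ...
            if len(fields) < 3:
                raise ValueError("malformed Total: row: %r" % line)
            return float(fields[2])
    raise ValueError("no Total: row found after the Protocol header")


def estimate_v5_export_kbps(flows_per_sec):
    """Export bandwidth in kbit/s for NetFlow v5, assuming full 30-record packets."""
    packets_per_sec = flows_per_sec / V5_MAX_RECORDS_PER_PACKET
    bytes_per_sec = (flows_per_sec * V5_RECORD_BYTES
                     + packets_per_sec * (V5_HEADER_BYTES + UDP_IPV4_OVERHEAD_BYTES))
    return bytes_per_sec * 8 / 1000.0


def overhead_percent(export_kbps, link_kbps):
    """Share of the exporter's uplink consumed by the NetFlow export stream."""
    return 100.0 * export_kbps / link_kbps


def projected_cpu_percent(current_cpu_percent):
    """Rule of thumb from the text: NetFlow on a software-based exporter adds
    about 10 percent of the existing utilization (90 percent becomes 99)."""
    return current_cpu_percent + 0.10 * current_cpu_percent


def assess_exporter(show_output, link_kbps, current_cpu_percent, cpu_ceiling_percent=80.0):
    """Combine the three estimates into one sizing verdict.

    ``cpu_ceiling_percent`` is an assumed operational limit, not a figure
    from the text.
    """
    fps = parse_total_flows_per_sec(show_output)
    export_kbps = estimate_v5_export_kbps(fps)
    projected_cpu = projected_cpu_percent(current_cpu_percent)
    return {
        "flows_per_sec": fps,
        "export_kbps": round(export_kbps, 1),
        "link_overhead_percent": round(overhead_percent(export_kbps, link_kbps), 2),
        "projected_cpu_percent": round(projected_cpu, 1),
        "cpu_headroom_ok": projected_cpu <= cpu_ceiling_percent,
    }


if __name__ == "__main__":
    # Assumed: a 100 Mbit/s uplink and an ISR-class router already at 55% CPU.
    verdict = assess_exporter(SAMPLE_SHOW_IP_CACHE_FLOW, link_kbps=100000,
                              current_cpu_percent=55.0)
    for key, value in verdict.items():
        print("%-22s %s" % (key, value))
```

The parser deliberately waits for the Protocol header before accepting a Total: row, because the same word can appear in other parts of the command output. The bandwidth figure is an upper-bound style estimate for version 5 only; version 9 and Flexible NetFlow use templates and variable record sizes, which is why the text points you to Lancope’s calculator for those.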
If you’re using Flexible NetFlow, you’ll need to follow a few more steps to estimate the flows-per-second rate on your network. For more details, see www.lancope.com/blog/FNFconfig. Or consider using Lancope’s flows-per-second calculator, which you can find at www.lancope.com/FPS-calculator.
Reduce the Impact with Flexible NetFlow
As mentioned in Chapter 1, Cisco now offers next-generation
Flexible NetFlow (FNF) technology that allows you to customize the flow data collected on your network. This allows you
to reduce the impact on your network by limiting the amount
of data collected based on what is needed for your security
analysis.
Flexible NetFlow is an extremely powerful technology with a large number of configuration options. For more detail, see Cisco’s Flexible NetFlow command reference at www.cisco.com/en/US/docs/ios/fnetflow/command/reference/fnf_book.html.
Flexible NetFlow uses flow monitors to track NetFlow information crossing a device. Each flow monitor consists of two components:
✓ Flow records define the fields that the device should export as part of the NetFlow data. These typically include IP addresses, ports, protocols, and other information.
✓ Flow exporters include the technical details required to send NetFlow data to the collector. This includes the identity of the collector, the transport protocol to use, and the version of NetFlow supported by the collector.
Unlike traditional NetFlow, FNF is a Cisco-specific technology
and isn’t available on devices from other manufacturers.
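A minimal Flexible NetFlow configuration that wires the two components together, as an added example in Cisco IOS command syntax (not a configuration taken from the book or from Lancope): the record keeps only the fields a security analysis needs, the exporter names the collector, and the monitor binds the two and is applied to an interface. The object names, the collector address 192.0.2.10, the Loopback0 source, the UDP port, and the interface are placeholders for the illustration.

```cisco
! Flow record: which fields to key on and which counters to collect.
! Limiting the record to these fields keeps the cache and export stream small.
flow record SECURITY-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match interface input
 collect transport tcp flags
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Flow exporter: where and how to send the records (collector, transport, version).
flow exporter COLLECTOR-EXPORT
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
! Flow monitor: binds the record and exporter; timeouts control how quickly
! long-lived flows are reported to the collector.
flow monitor SECURITY-MONITOR
 record SECURITY-RECORD
 exporter COLLECTOR-EXPORT
 cache timeout active 60
 cache timeout inactive 15
!
! Apply the monitor to ingress traffic on the interface to be watched.
interface GigabitEthernet0/1
 ip flow monitor SECURITY-MONITOR input
```

Collecting TCP flags alongside the five-tuple is what lets a collector distinguish completed connections from scan-like half-open attempts; the short active timeout (60 seconds) makes long-running transfers visible to the collector while they are still in progress rather than only when they end.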
Chapter 7
Top Ten Reasons to Use NetFlow for Security
In This Chapter
▶ Reasons enterprises are turning to NetFlow information to improve their security controls
▶ Network management benefits that organizations gain in addition to NetFlow’s security improvements
NetFlow has come a long way over recent years. Previous beliefs about it being a complicated, resource-intensive
technology have faded, and many organizations are embracing
its unique capabilities to achieve a number of network and
security management goals.
Available from existing routers and switches, NetFlow provides
an extremely cost-effective tool for maintaining secure,
high-performance infrastructures. This chapter discusses the
top ten reasons enterprises are turning to NetFlow to improve
their networks and overall security posture.
Obtaining End-to-End Network Visibility
By collecting and analyzing flow data, organizations can
obtain in-depth network visibility to address a wide range of
network and security issues. NetFlow can be used to effectively
baseline, track, and audit behavior across the entire network —
even remote sites — without having to deploy and manage a
physical device at each location.
Monitoring Network and Application Performance
Monitoring NetFlow data provides the insight needed to
ensure that both the network and specific applications are
delivering high levels of availability and performance. By
displaying details on top talkers, hosts, services, and so on,
NetFlow can help IT teams quickly identify the root cause and
restore performance when the network slows.
Enhancing Security Threat Detection Capabilities
By analyzing network behavior and not relying on signature updates, NetFlow can be used to detect sophisticated zero-day attacks like worms and botnets that bypass perimeter
defenses. It can also be used to uncover internal threats
such as policy violations, device misconfigurations, network
misuse, unauthorized access, and data leakage, significantly
bolstering security.
Complying with Legal and Regulatory Requirements
NetFlow delivers unparalleled visibility, accountability, and
measurability for maintaining compliance with industry and
government regulations such as HIPAA, PCI DSS, FISMA/NIST,
and NERC CIP, among others.
Reducing MTTK
The use of NetFlow data can significantly streamline network and security troubleshooting, reducing MTTK (mean time to know) from
hours or days to just minutes. Faster troubleshooting means
less damaging and costly downtime for enterprises.
Improving Network Capacity Planning
By providing real-time and historical visibility into all network
traffic, NetFlow can be used to identify the exact hosts and
applications consuming bandwidth to help determine whether
bandwidth needs to be increased or if existing bandwidth
could be better utilized. In the event of a security incident,
this information can be used to identify hosts consuming
unusual amounts of bandwidth.
Achieving Time and Cost Savings
The use of NetFlow can save vast amounts of time and money
by eliminating the need to place physical devices at each
endpoint and spend countless security analyst hours manually
analyzing data to troubleshoot issues.
Maintaining Network Visibility in Evolving Technology Environments
Flow data can help organizations maintain the network
visibility that is often lost through migrations to advanced
infrastructure such as virtualized environments, 10G networks,
and MPLS networks. This allows organizations to embrace
new technology trends and innovations without sacrificing
network performance and security.
Improving Collaboration in the Enterprise
NetFlow provides a wide range of data that can be leveraged
by network, data center, and security teams, as well as other
groups such as help desks. Working with a single set of
actionable data versus a variety of point solutions fosters
greater collaboration between IT teams, eliminating isolated,
disjointed efforts and increasing productivity.
Filling in the Gaps Left by Other Security Controls
When leveraged by robust flow collection and analysis
solutions such as Lancope’s StealthWatch, NetFlow can
effectively fill in the gaps between other technologies to
provide more comprehensive and actionable insight for
improved performance and security.
More information on NetFlow can be found at
www.lancope.com/blog.