What is hidden in network traffic? - Pavel Minařík

Pavel Minařík

What is hidden in network traffic?

Security Session 2015, 11th April 2015, Brno, FIT VUT

[email protected]


TRANSCRIPT


• Traditional monitoring

Availability of services and network components

SNMP polling (interfaces, resources)

100+ tools and solutions on a commercial and open source basis (Cacti, Zabbix, Nagios, …)

• Next-generation monitoring

Traffic visibility on various network layers

Detection of security and operational issues

Network/Application performance monitoring

Full packet capture for troubleshooting

Monitoring Tools

Monitoring Tools

SNMP polling

Flow monitoring

Packet capture and analysis

Flow Monitoring Principle

Performance Monitoring

[Diagram: TCP handshake (Syn; Syn, Ack; Ack) measured as RTT; client request (Req), server Ack and first Data measured as SRT; gaps between the following Data packets measured as Delay]

Round Trip Time – delay introduced by network

Server Response Time – delay introduced by server/application

Delay (min, max, avg, deviation) – delays between packets

Jitter (min, max, avg, deviation) – variance of delays between packets
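The four metrics on the slide above, worked through in code. This is an added example, not code from the talk or from FlowMon: it takes a constructed list of packet timestamps for one TCP session, as a probe on a SPAN or TAP would see it, and computes RTT from the handshake, SRT from the first client request to the first server data segment, Delay from the gaps between server data packets and Jitter as the change between consecutive gaps (one reading of the slide's "variance of delays"; that choice is an assumption of this example, as are the sample timings).

```python
import statistics
from dataclasses import dataclass


@dataclass
class Packet:
    t: float        # capture timestamp in seconds, as seen by the probe
    src: str        # "client" or "server"
    flags: str      # TCP flags: "S", "SA", "A", "PA"
    payload: int    # application payload bytes carried


# Constructed sample session (not real capture data): TCP handshake,
# one client request, a bare ACK, then four data segments from the server.
SAMPLE = [
    Packet(0.000, "client", "S", 0),
    Packet(0.020, "server", "SA", 0),
    Packet(0.040, "client", "A", 0),
    Packet(0.041, "client", "PA", 120),    # client request
    Packet(0.061, "server", "A", 0),       # server acknowledges the request
    Packet(0.091, "server", "PA", 1460),   # first byte of the server response
    Packet(0.101, "server", "PA", 1460),
    Packet(0.121, "server", "PA", 1460),
    Packet(0.126, "server", "PA", 800),
]


def rtt(packets):
    """Round Trip Time: SYN -> SYN/ACK -> ACK, the delay introduced by the network."""
    syn = next(p for p in packets if p.src == "client" and p.flags == "S")
    synack = next(p for p in packets if p.src == "server" and p.flags == "SA" and p.t > syn.t)
    ack = next(p for p in packets if p.src == "client" and p.flags == "A" and p.t > synack.t)
    return ack.t - syn.t


def srt(packets):
    """Server Response Time: client request -> first server packet carrying data,
    the delay introduced by the server/application (a bare ACK does not count)."""
    req = next(p for p in packets if p.src == "client" and p.payload > 0)
    resp = next(p for p in packets if p.src == "server" and p.payload > 0 and p.t > req.t)
    return resp.t - req.t


def interpacket_delays(packets):
    """Delay: gaps between consecutive server data packets."""
    times = [p.t for p in packets if p.src == "server" and p.payload > 0]
    return [b - a for a, b in zip(times, times[1:])]


def jitter(delays):
    """Jitter: how much the delay changes from one gap to the next (assumed definition)."""
    return [abs(b - a) for a, b in zip(delays, delays[1:])]


def summarize(values):
    """min / max / avg / deviation, the four figures reported on the slide."""
    if not values:
        return None
    return {"min": min(values), "max": max(values),
            "avg": statistics.mean(values), "dev": statistics.pstdev(values)}


def session_metrics(packets):
    delays = interpacket_delays(packets)
    return {"rtt": rtt(packets), "srt": srt(packets),
            "delay": summarize(delays), "jitter": summarize(jitter(delays))}


if __name__ == "__main__":
    for name, value in session_metrics(SAMPLE).items():
        print(f"{name}: {value}")
```

A probe computes exactly these figures per flow; the point of separating RTT from SRT is that a slow application and a slow network look identical to the user but show up in different metrics here.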

Flow Standards

Cisco standard NetFlow v5

fixed format, only basic items available, no IPv6, MAC, VLANs, …

NetFlow v9 (Flexible NetFlow)

flexible format using templates, mandatory for current needs, provides IPv6, VLANs, MAC, …

IPFIX („NetFlow v10“) – independent IETF standard

the future of flow monitoring, more flexibility than NetFlow v9

Huawei NetStream

same as the original Cisco standard NetFlow v9

Juniper jFlow

similar to NetFlow v9, different timestamps
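As an added example (not code from the talk, nor from any exporter or collector named on the slides), a parser for the fixed NetFlow v5 datagram layout the table describes: a 24-byte header followed by up to 30 records of 48 bytes each. The sample datagram is constructed inside the block; the small exporter-side builder exists only to produce that input. Because every field sits at a fixed offset there is simply no room for IPv6 addresses, MAC addresses or VLAN tags, which is why the template-based v9/IPFIX formats replaced it. A collector should reject a datagram whose version or record count does not fit the layout rather than guess at it.

```python
import socket
import struct

# Header: version, count, sysuptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval. Record: the fixed 48-byte v5 layout.
HEADER_FMT = ">HHIIIIBBH"
RECORD_FMT = ">IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
MAX_RECORDS = 30                           # v5 exporters send at most 30 records per datagram

HEADER_FIELDS = ("version", "count", "sysuptime_ms", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("src", "dst", "nexthop", "input_if", "output_if", "packets", "octets",
                 "first_ms", "last_ms", "sport", "dport", "pad1", "tcp_flags", "proto",
                 "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def _ip(n):
    return socket.inet_ntoa(n.to_bytes(4, "big"))


def parse_netflow_v5(datagram):
    """Return (header dict, list of record dicts); reject anything that is not well-formed v5."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    header = dict(zip(HEADER_FIELDS, struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])))
    if header["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version field = {header['version']})")
    expected = HEADER_LEN + header["count"] * RECORD_LEN
    if header["count"] > MAX_RECORDS or len(datagram) != expected:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(header["count"]):
        off = HEADER_LEN + i * RECORD_LEN
        r = dict(zip(RECORD_FIELDS, struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])))
        for k in ("src", "dst", "nexthop"):
            r[k] = _ip(r[k])          # only IPv4 fits in the fixed 4-byte fields
        del r["pad1"], r["pad2"]
        records.append(r)
    return header, records


def is_valid_v5(datagram):
    """True when parse_netflow_v5 accepts the datagram."""
    try:
        parse_netflow_v5(datagram)
        return True
    except ValueError:
        return False


def build_netflow_v5(records, sequence=1, uptime_ms=60_000, unix_secs=1_428_750_000):
    """Constructed exporter side, used here only to produce sample input."""
    out = struct.pack(HEADER_FMT, 5, len(records), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    for r in records:
        out += struct.pack(RECORD_FMT,
                           int.from_bytes(socket.inet_aton(r["src"]), "big"),
                           int.from_bytes(socket.inet_aton(r["dst"]), "big"),
                           0, 1, 2, r["packets"], r["octets"],
                           uptime_ms - 5000, uptime_ms - 1000,
                           r["sport"], r["dport"], 0, r.get("tcp_flags", 0), r["proto"], 0,
                           0, 0, 24, 24, 0)
    return out


# Constructed sample: a DNS query flow and an HTTPS flow (documentation address ranges).
SAMPLE_DATAGRAM = build_netflow_v5([
    {"src": "192.0.2.10", "dst": "192.0.2.53", "sport": 51234, "dport": 53,
     "proto": 17, "packets": 2, "octets": 180},
    {"src": "192.0.2.11", "dst": "203.0.113.5", "sport": 44444, "dport": 443,
     "proto": 6, "packets": 12, "octets": 4100, "tcp_flags": 0x1b},
])

if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(SAMPLE_DATAGRAM)
    print(hdr)
    for rec in recs:
        print(rec)
```

The length check matters in practice: a collector that trusts the count field and reads past the datagram, or accepts a v9 header as v5, turns a monitoring feed into an input-validation problem.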

Flow Sources

• Enterprise-class network equipment

Routers, switches, firewalls

• Mikrotik routers

Popular and cost efficient hardware

• Flow Probes

Dedicated appliances for flow export

• Trends

Number of flow-enabled devices is growing

L7 visibility, performance monitoring, …

Flow Gathering Schemes

Probe on a SPAN port

Pros • Accuracy • Performance • L2/L3/L4/L7 visibility

Cons • May reach capacity limit • No interface number

Facts • Fits most customers • Limited SPANs number

Use • Enterprise networks

Probe on a TAP

Pros • Same as „on a SPAN“ • All packets captured • Separates RX and TX

Cons • Additional HW

Facts • 2 monitoring ports

Use • ISP uplinks, DCs

Flows from switch/router

Pros • Already available • No additional HW • Traffic on interfaces

Cons • Usually inaccurate • Visibility L3/L4 • Performance impact

Facts • Always test before use

Use • Branch offices (MPLS, …)

Traffic Analysis (using flow)

• Bridges the gap left by endpoint and perimeter security solutions

• Behavior based Anomaly Detection (NBA)

• Detection of security and operational issues

Attacks on network services, network reconnaissance

Infected devices and botnet C&C communication

Anomalies of network protocols (DNS, DHCP, …)

P2P traffic, TOR, on-line messengers, …

DDoS attacks and vulnerable services

Configuration issues

Full Packet Capture

• On-demand troubleshooting and forensic analysis

• How to get packet traces?

Tcpdump – Linux/Unix environment

Winpcap – Windows environment

Probes – appliances with packet capture capability

FPGA-based HW adapters – high speed networks

Packet Analysis

• Analysis of packet traces (PCAP files)

• Software tools (commercial + open source)

• Wireshark as the de facto standard with large community support

Support of hundreds of protocols

Powerful filters, statistics, reconstruction, etc.

Examples From Real Life

Security issue

Troubleshooting

Security Issue

FlowMon © INVEA-TECH 2013

78 port scans? DNS anomalies?

• Malware infected device in the internal network

Security Issue

Let’s see the scans first

Ok, users cannot access the web

Are the DNS anomalies related?

Security Issue

Ok, which DNS is being used?

192.168.0.53? This is a notebook!

How did this happen?

Security Issue

Let’s look for the details…

Laptop 192.168.0.53 is acting as a DHCP server in the network

Security Issue

Malware infected device

Trying to redirect and bridge traffic

Probably to get sensitive data
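The detections listed under Traffic Analysis and the rogue DNS/DHCP case walked through in the Security Issue slides, as one added example over constructed flow records (not FlowMon code and not data from the talk). It flags hosts that answer DNS queries or send DHCP server traffic without being on the allow-list, which is how a laptop such as 192.168.0.53 stands out in flow data, and a source touching many TCP ports on one host with tiny flows, which is the port-scan signal the case opened with. The thresholds, allow-lists and sample addresses are assumptions to be tuned per network.

```python
from collections import defaultdict

UDP, TCP = 17, 6


def flow(src, dst, proto, sport, dport, packets, octets):
    """A minimal flow record, the fields any NetFlow/IPFIX collector exports."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport,
            "dport": dport, "packets": packets, "octets": octets}


# Constructed flow records (not from a real network). The laptop 192.168.0.53 answers
# DNS and hands out DHCP leases; 192.168.0.1 is the only authorised server;
# 192.168.0.120 probes 16 ports on 192.168.0.10 with single-packet flows.
FLOWS = [
    flow("192.168.0.10", "192.168.0.53", UDP, 50123, 53, 1, 70),
    flow("192.168.0.53", "192.168.0.10", UDP, 53, 50123, 1, 130),
    flow("192.168.0.11", "192.168.0.53", UDP, 50456, 53, 1, 70),
    flow("192.168.0.53", "192.168.0.11", UDP, 53, 50456, 1, 130),
    flow("192.168.0.53", "255.255.255.255", UDP, 67, 68, 2, 640),  # DHCP offer/ack from the laptop
    flow("192.168.0.12", "192.168.0.1", UDP, 50789, 53, 1, 70),
    flow("192.168.0.1", "192.168.0.12", UDP, 53, 50789, 1, 130),    # legitimate DNS reply
    flow("192.168.0.1", "255.255.255.255", UDP, 67, 68, 2, 640),    # legitimate DHCP server
] + [flow("192.168.0.120", "192.168.0.10", TCP, 40000 + i, port, 1, 60)
     for i, port in enumerate(range(20, 36))]

ALLOWED_DNS = {"192.168.0.1"}    # assumed: the only DNS server that should answer internally
ALLOWED_DHCP = {"192.168.0.1"}   # assumed: the only DHCP server


def find_rogue_servers(flows, allowed_dns=ALLOWED_DNS, allowed_dhcp=ALLOWED_DHCP):
    """Hosts that answer from UDP/53 or send from UDP/67 without being on the allow-list.
    Looking at the source port of the reply flow is what exposes clients that were quietly
    pointed at a machine that is not a server at all."""
    findings = set()
    for f in flows:
        if f["proto"] != UDP:
            continue
        if f["sport"] == 53 and f["src"] not in allowed_dns:
            findings.add(("rogue DNS server", f["src"]))
        if f["sport"] == 67 and f["src"] not in allowed_dhcp:
            findings.add(("rogue DHCP server", f["src"]))
    return sorted(findings)


def find_port_scans(flows, min_ports=10, max_packets=3):
    """Vertical scan heuristic: one source touching many distinct TCP ports on one
    destination with tiny flows, i.e. no real session ever forms."""
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] == TCP and f["packets"] <= max_packets:
            ports[(f["src"], f["dst"])].add(f["dport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for kind, host in find_rogue_servers(FLOWS):
        print(f"{kind}: {host}")
    for (src, dst), n in find_port_scans(FLOWS).items():
        print(f"port scan: {src} -> {dst}, {n} distinct ports")
```

Both checks need only the flow-level fields; the packet capture in the case study was needed afterwards, to see what the rogue device was actually doing with the traffic it attracted.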

• Gmail e-mail delivery issue

FlowMon Troubleshooting

We are not receiving e-mails from Gmail

And can’t figure it out

Can you try to help us and fix it?

FlowMon Troubleshooting

Using AS numbers, it is easy to identify the corresponding network traffic and analyse it

FlowMon Troubleshooting

All flows are 640B?

TCP flags are normal

This is not a network issue

We need to see the packets

Detailed visibility and drill down to flow level helps to understand traffic characteristics

FlowMon Troubleshooting

Built-in packet capture capability makes it possible to get full packet traces when needed

FlowMon Troubleshooting

Ok, Gmail requests TLS 1.0

FlowMon Troubleshooting

And the mail server does not support that
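The Gmail case ends with a TLS version mismatch that was invisible in the flows and only showed up in the packets. As an added example (not code from the talk or from FlowMon), a parser for the ClientHello inside a captured TLS handshake record that reports the client's highest offered version, together with a check against the versions a server is configured for. The captured record is constructed inside the block and the mail server's version set is an assumed configuration; both are stand-ins for what the real capture contained.

```python
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43   # extension type carrying the list a TLS 1.3 client offers


def client_hello_versions(record):
    """Parse one TLS record holding a ClientHello; return (client_version, supported_versions).
    supported_versions stays empty unless the client sent that extension."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    client_version = struct.unpack(">H", hello[0:2])[0]
    pos = 2 + 32                                             # client_version + random
    pos += 1 + hello[pos]                                    # session_id
    pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + hello[pos]                                    # compression_methods
    supported = []
    if pos + 2 <= len(hello):                                # extensions block is optional
        ext_end = pos + 2 + struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT:
                n = hello[pos]                               # byte length of the version list
                supported = [struct.unpack(">H", hello[pos + 1 + i:pos + 3 + i])[0]
                             for i in range(0, n, 2)]
            pos += elen
    return client_version, supported


def negotiable_version(client_version, supported, server_versions):
    """Highest version both sides accept, or None when the handshake cannot succeed.
    Without the extension a client accepts anything up to client_version."""
    offered = set(supported) or {v for v in TLS_VERSIONS if v <= client_version}
    common = offered & set(server_versions)
    return max(common) if common else None


def build_client_hello(client_version, extensions=b""):
    """Constructed minimal ClientHello (one cipher suite, null compression) for the demo."""
    hello = struct.pack(">H", client_version) + bytes(32) + b"\x00"
    hello += struct.pack(">H", 2) + b"\x00\x2f" + b"\x01\x00"
    if extensions:
        hello += struct.pack(">H", len(extensions)) + extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return (b"\x16" + struct.pack(">H", client_version)
            + struct.pack(">H", len(handshake)) + handshake)


# Constructed captures: the slide's case (client offers at most TLS 1.0) and a TLS 1.3 style hello.
CAPTURED_HELLO = build_client_hello(0x0301)
TLS13_STYLE_HELLO = build_client_hello(
    0x0303, struct.pack(">HH", SUPPORTED_VERSIONS_EXT, 5) + b"\x04\x03\x04\x03\x03")
MAIL_SERVER_VERSIONS = {0x0302, 0x0303}   # assumed server config: TLS 1.1 and 1.2 only

if __name__ == "__main__":
    ver, sup = client_hello_versions(CAPTURED_HELLO)
    chosen = negotiable_version(ver, sup, MAIL_SERVER_VERSIONS)
    print("client offers up to", TLS_VERSIONS[ver])
    print("negotiated:", TLS_VERSIONS[chosen] if chosen else "nothing, handshake fails")
```

Flow records would show the same 640-byte exchanges for every attempt; reading the version fields out of the first handshake record is what turns "mail does not arrive" into a concrete configuration finding on one side or the other.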

Live Demo

Attack detection and analysis in real time

Live Demo

• Use-case: directory traversal attack

Flow-level visibility

Automatic detection

Packet capture and analysis

INVEA-TECH a.s., U Vodárny 2965/2, 616 00 Brno, Czech Republic, www.invea-tech.com

High-Speed Networking Technology Partner

Questions?

Pavel Minařík

[email protected]

+420 733 713 703