maximize network visibility with netflow technology · combining cisco netflow and lancope’s...
Maximize Network Visibility with NetFlow Technology
Adam Powers, Chief Technology Officer
[email protected], www.lancope.com
Agenda
What is NetFlow: Introduction to NetFlow; NetFlow Examples
NetFlow in Action: Network Operations Use Case; Security Operations Use Case; PCI Compliance and Auditing Use Case
A Glimpse into the Power of NetFlow: 10+ G Ethernet Environments; Virtual Environments; MPLS and Multi-point VPNs
What is NetFlow?
NetFlow Fields
src and dst IP
src and dst port
start time
end time
packet count
byte count
...
Diagram: NetFlow packets exported from the network (Internet-facing routers) to the StealthWatch Flow Collector
NetFlow vs. Traditional SNMP Monitoring
Traditional SNMP
NetFlow Reporting
Flow-based Visibility and Drill-down
NetFlow for the Network Team
Diagram: NetFlow packets (flow1, flow2, ...) exported to the StealthWatch Flow Collector
Use cases for the Network Team, Security Team, and Compliance and Auditing:
Interface utilization
Billing and chargeback
QOS monitoring
File sharing
Malware outbreak detection
Network acceptable use
PCI Compliance
HIPAA Compliance
SCADA Security
BGP ASN monitoring
MPLS visibility
Flow forensics
Data loss prevention
Sarbanes-Oxley
Application troubleshooting
NetFlow in Action : Network Operations
Oldcastle APG: leading North American manufacturer of concrete masonry, lawn, garden and paving products and a regional leader in clay brick. 206 operating locations, 7000+ employees.
Problem: no way to visualize who or what was causing network slowdowns; internal IT staff using multiple tools in attempts to troubleshoot incidents.
Solution: combining Cisco NetFlow and Lancope’s StealthWatch System for visibility into the ‘who, what, when and where’ of network traffic.
Business Results:
Determine the root cause of network slowdowns in real time
Detect bandwidth and network user violations and tie user identity to rogue activity
Unified view of network and security operations
All regional network managers, helpdesk and network/security engineers at Oldcastle APG use StealthWatch to pinpoint the traffic and users associated with network and security issues and expedite problem resolution
Gains detailed network performance analysis for capacity planning, helping Oldcastle APG forecast bandwidth upgrades
Also helps quickly discover and defuse virus infections
Tony Jaroszewski, Network/Security Engineer for Oldcastle APG:
“StealthWatch enables our support team to make strategic decisions about network and security management based on a unified view of network, security and user information across the enterprise. Not only does it provide network performance monitoring to ensure our applications run optimally, StealthWatch also identifies internal and external threats through behavior-based algorithms.”
NetFlow for Compliance and Auditing
Diagram: the same use-case table as in the Network Team slide, repeated for the Compliance and Auditing column
NetFlow in Action : PCI Compliance
NetFlow facilitates compliance with PCI DSS Requirements:
Verifies actual network communications (1.1.2)
Monitors services and ports in use (1.1.5)
Determines when accounts are active and what they did during this activity (8.5.6)
Audits access to anything on the network, tying activity to an individual user, including administrative accounts (10.1)
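As an added example (not Lancope’s or Cisco’s code), the two ideas above in working form: decoding the flow fields listed in the “NetFlow Fields” slide from an export datagram, then turning them into the “services and ports in use” inventory that PCI DSS 1.1.5 asks for. It assumes the exporter uses NetFlow v5 (the slides name no export version) and a constructed three-flow datagram; the server address and the approved-services list are also constructed.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 layout (assumed; the slides name no export version): 24-byte header, then count x 48-byte records, big-endian.
HDR = struct.Struct("!HHIIIIBBH")
REC = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "packets", "bytes",
          "first", "last", "sport", "dport", "pad1", "tcp_flags", "proto",
          "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    version, count = HDR.unpack_from(datagram, 0)[:2]
    if version != 5 or len(datagram) < HDR.size + count * REC.size:
        raise ValueError("not a complete NetFlow v5 datagram")
    flows = []
    for i in range(count):
        rec = dict(zip(FIELDS, REC.unpack_from(datagram, HDR.size + i * REC.size)))
        rec["src"], rec["dst"] = str(IPv4Address(rec["src"])), str(IPv4Address(rec["dst"]))
        flows.append(rec)
    return flows

def services_in_use(flows):
    """PCI DSS 1.1.5 view: for each server, the (proto, port) pairs it was contacted on."""
    seen = defaultdict(set)
    for f in flows:
        seen[f["dst"]].add((f["proto"], f["dport"]))
    return dict(seen)

def unapproved_services(flows, allowed):
    """Sorted (server, proto, port) triples that are absent from the documented-services list."""
    return sorted((host, proto, port) for host, svcs in services_in_use(flows).items()
                  for proto, port in svcs if (host, proto, port) not in allowed)

def record(src, dst, sport, dport, proto, pkts, nbytes):
    """Build one constructed v5 record (uptime stamps, interfaces and masks are filler)."""
    return REC.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0, 1, 2, pkts, nbytes,
                    1000, 2000, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed datagram: two HTTPS flows and one RDP flow to the same cardholder-data server.
SAMPLE = HDR.pack(5, 3, 123456, 1700000000, 0, 1, 0, 0, 0) + b"".join([
    record("10.1.1.5", "10.1.2.10", 51000, 443, 6, 12, 3400),
    record("10.1.1.5", "10.1.2.10", 51001, 3389, 6, 40, 9000),
    record("10.1.1.7", "10.1.2.10", 51002, 443, 6, 8, 2100),
])
APPROVED = {("10.1.2.10", 6, 443)}  # constructed documented-services list

if __name__ == "__main__":
    print(unapproved_services(parse_v5(SAMPLE), APPROVED))  # [('10.1.2.10', 6, 3389)]
```

The RDP flow surfaces because the collector sees the actual communication (1.1.2) rather than what a firewall rule set says should be allowed.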
NetFlow in Action : PCI Compliance
AirTran Airways: Fortune 1000 company with a geographically dispersed network across the continental US.
Problem: required improved security and network management across the enterprise in accordance with Payment Card Industry (PCI) requirements; wanted greater network visibility and behavioral intrusion detection; needed the ability to monitor a geographically dispersed network.
Solution: StealthWatch identifies who does what, when, and provides data to enforce accountability.
Business Result: immediately upon deployment, StealthWatch provided continuous network monitoring to help AirTran demonstrate network-wide PCI compliance by:
• supplying real-time visibility and awareness of network and host-based behaviors,
• increasing accountability for introducing network security risks as well as jeopardizing network availability, and
• tracking, measuring and prioritizing network and host-based risk.
Quickly identify and resolve issues related to network behavior or malicious events
Monitors WAN activity and performance
Michelle Stewart, Manager of Data Security, AirTran Airways:
“StealthWatch performed so well during our evaluation that we did not pursue trials with any other NBA products. During testing, StealthWatch demonstrated the ability to detect unauthorized remote access, worm activity and root cause analysis of increases in WAN activity. All of these functions have aided our efforts to demonstrate compliance with the PCI Data Security Standard.”
NetFlow for the Security Team
Diagram: the same use-case table as in the Network Team slide, repeated for the Security Team column
NetFlow in Action : Security Operations
Aurora HealthCare network overview: largest private employer in Wisconsin with over 27,000 employees; 14 hospitals; over 150 clinics; 200+ pharmacies.
Challenge: monitor a widely dispersed network without deploying administratively problematic and financially burdensome individual sensors throughout the network. Needed complete visibility of the network, from the internal network to the clinics at the edge. Monitor for zero-day attacks, viruses, Trojans, etc. Support for HIPAA compliance.
Solution: combining NetFlow and the StealthWatch System.
Business Results:
100% visibility from core to network edge
Reduced time and resources allocated to network security issues
Streamlined the remediation process and reduced incident investigation by more than half
HIPAA auditing support
Dan Lukas, Lead Security Architect, Aurora HealthCare:
“[I can] easily drill down into a clinic’s network activity; address bandwidth issues; identify and remediate misconfigured devices; delve into switch levels to pinpoint and mitigate threats. With its ability to locate distributed sniffers, StealthWatch eliminates the need to purchase troubleshooting hardware for significant cost-savings.”
Visibility Lost Due to Emerging Tech
Emerging network technologies are outpacing traditional network monitoring techniques such as SNMP and SPAN/tap-based technology...
“10G Ethernet is so fast few probe technologies can keep up and those that can are too expensive”
“MPLS and multi-point VPNs create a meshed WAN that’s expensive to monitor adequately”
“Virtualization hides whole network segments from the network manager’s view, making VM2VM communication problems difficult to troubleshoot”
These issues result in an inability to react to network problems because of a basic lack of visibility.
10G+ Ethernet
“10G Ethernet is so fast few probe technologies can keep up and those that can are too expensive”
Diagram: a traditional Ethernet sensor on a 10G+ link, captioned “Where to plug in?”
NetFlow in a 10G+ Ethernet Environment
“10G Ethernet is so fast few probe technologies can keep up and those that can are extremely expensive”
Diagram: 10G+ routers exporting NetFlow to the StealthWatch Flow Collector instead of a probe on the link
Virtualization
“Virtualization hides whole network segments from the network manager’s view, making VM2VM communication problems difficult to troubleshoot”
Diagram: virtual machines (VM1, VM2, VM3) on a physical machine, connected through virtual switches; VM2VM traffic stays inside the host and never reaches the physical network where the traditional Ethernet probe sits
NetFlow in the Virtual Environment
Diagram: the virtual switches on the VM server export NetFlow for VM2VM traffic to the StealthWatch Flow Collector
*** Cisco Nexus 1000v also supports NetFlow ***
MPLS and Multi-point VPNs
“MPLS and multi-point VPNs create a meshed WAN that’s expensive to monitor adequately”
Diagram: a traditional Ethernet sensor at the hub site of a meshed WAN
Fully meshed connectivity circumvents network monitoring deployed at the “hub” location…
Full visibility requires a probe at each location throughout the WAN…
NetFlow Collection in the WAN
Deploy a StealthWatch NetFlow collector at a central location and enable NetFlow at each remote site…
Diagram: NetFlow packets from each remote site converge on the central StealthWatch Flow Collector
Quick Recap: Network Operations
Fully integrated view of network usage, performance, host integrity and user behavior
Diagnose network congestion and provide root cause analysis of the problem causing response time delays
Visibility and metrics for WAN optimization
Real-time and historical data to facilitate network performance monitoring, capacity planning and resource management
Monitor Quality of Service on a per-hop basis throughout the network
Quick Recap: Security Operations
Quickly pinpoint zero-day and unknown threats that bypass perimeter security
Identify policy violations, unauthorized activity/applications, misconfigured hosts, and other rogue devices
Faster incident resolution and detailed forensic data
Detection of DoS/DDoS attacks, worms, viruses and botnets
Track and audit network behavior and access by individual hosts
Quick Recap: PCI Compliance and Auditing
NetFlow solutions supply organizations with the means to:
Continuously but passively monitor host behaviors, looking for deviations from normal processes
Tie individual users to internal network performance problems
Tie individual users to the introduction of security risks inside the internal network
Implement appropriate network controls and policies
Provide for internal audit and risk assessment
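As an added example (not StealthWatch’s own algorithm), one behavior-based check of the kind the Security Operations recap (worm detection, threats that bypass the perimeter) and the PCI recap (deviations from normal host behavior) describe: a host that fans out to many distinct peers on one port with tiny flows, judged against a baseline of its usual peer count. The flow tuples and the baseline are constructed in the shape of the NetFlow fields listed earlier; the host addresses are not from the slides.

```python
from collections import defaultdict

# Constructed flow summaries in the shape of the NetFlow fields listed earlier:
# (src, dst, proto, dport, packets, bytes). Not taken from the slides.
FLOWS = [
    ("10.1.1.5", "10.1.2.10", 6, 443, 30, 12000),
    ("10.1.1.5", "10.1.2.11", 6, 443, 25, 9800),
    ("10.1.1.7", "10.1.2.53", 17, 53, 2, 180),
] + [("10.1.1.9", "10.1.2.%d" % i, 6, 445, 1, 60) for i in range(1, 41)]  # 40 one-packet SMB flows

# Constructed baseline: typical distinct peers per (src, proto, dport) learned over prior days.
BASELINE = {("10.1.1.5", 6, 443): 4, ("10.1.1.7", 17, 53): 3, ("10.1.1.9", 6, 445): 2}

def fanout(flows):
    """Per (src, proto, dport): number of distinct peers and mean bytes per flow."""
    peers, count, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for src, dst, proto, dport, _pkts, nbytes in flows:
        key = (src, proto, dport)
        peers[key].add(dst)
        count[key] += 1
        total[key] += nbytes
    return {k: (len(peers[k]), total[k] / count[k]) for k in peers}

def suspect_spreaders(flows, baseline, factor=5, max_avg_bytes=200):
    """Keys whose peer count is >= factor x baseline (1 if unknown) and whose flows are tiny.

    Many one-packet flows to many peers on one port is the worm/scan pattern that internal
    NetFlow exposes even when the traffic never crosses a perimeter sensor."""
    hits = []
    for key, (npeers, avg) in fanout(flows).items():
        if npeers >= factor * baseline.get(key, 1) and avg <= max_avg_bytes:
            hits.append((key, npeers, avg))
    return sorted(hits)

if __name__ == "__main__":
    for key, npeers, avg in suspect_spreaders(FLOWS, BASELINE):
        print("%s proto %d port %d: %d peers, %.0f bytes/flow" % (*key, npeers, avg))
```

The legitimate HTTPS and DNS talkers stay below their baselines, so only the SMB fan-out is reported; tuning factor and max_avg_bytes per environment is what keeps this a detection rather than a noise source.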