miller,bob network forensics iitnetsecure10
TRANSCRIPT
-
8/16/2019 Miller,Bob Network Forensics IITNetsecure10
1/61
Network Forensics: How to create visibility into your network
Bob Miller Senior Systems Manager
847-707-5498
-
Today’s Agenda
• Introduction
• Network Forensics Basics
• Flow Based Forensics
• Packet Forensics
– Application level forensics (VoIP / Video)
• WLAN Forensics – RF and 802.11
• Questions
-
What is Network Forensics?
• The ability to look at previously collected data to determine IT
security threats and piece together a time frame of events
• Can also be used to analyze application performance
based on previously collected data
• Forensics data can be analyzed from different sources:
– Ethernet OSI Layer 2 (Data Link) to Layer 7 (Application)
– WLAN Layer 1 RF spectrum & Layer 2 for IPS / Forensics
– Current NetFlow / IPFIX type devices (Routers, L3 Devices, etc.)
-
Forensics Compliance
• Sarbanes-Oxley
• California SB 1386
• Gramm-Leach-Bliley
• HIPAA
• PCI-DSS
• Federal Information Security Management Act of 2002
• DoD
• Basel II
• ISO 27001 (information security standard) compliance
-
Forensic Tools
• Ethernet
– Stream to Disk Technology with vast storage capacity
– High Speed Disk Captures
– High Speed Interfaces
– Extensive capture and display filters for data analysis
• WLAN
– Layer 2 WLAN Analysis
– Layer 1 RF Interference Detection and Analysis
• NetFlow Technologies
– Collection from many L3 NetFlow type devices for LAN, WAN and other
flow technology devices
• Network TAPs
– Provide data replication without detection
-
There are several areas where forensics can be applied. Samples of some broad categories include:
• Compliance: Oops, someone sent out company confidential financial information in an unencrypted email or used IM to gossip about a coworker's medical condition, a HIPAA violation.
• Troubleshooting: Why did your network melt down this morning? Why do your CRM users often experience poor performance in the afternoon?
• Hackers: What was hacked, how, and by whom? Often goes hand-in-hand with intrusion detection systems (IDS) to see what damage, if any, was done. It's also a good way to verify that intrusion prevention systems (IPS) are working.
• Verticals: Why did the core switch peg during a critical trading hour? Why are doctors losing wireless connectivity? Is our converged data + VoIP transport operating smoothly?
• Law Enforcement: In particular, CALEA (the Communications Assistance for Law Enforcement Act of 1994), which states the requirements of carriers to assist law enforcement in executing electronic surveillance. CALEA is of interest more so outside the enterprise, i.e. Internet service and Internet backbone providers.
-
Where are the best collection points?
Data collection points will be based on the requirements of
potential threats:
– Inside of the firewall
– Devices that provide access to the corporate network from outside the
physical location (i.e. VPN / SSL, WLAN, etc.)
– Critical locations where corporate data or sensitive data is
held
– Locations where government or industry compliance is required
-
What kind of tools are needed
for Network Forensics?
• Long term data capture and analysis
• Long term NetFlow collectors with deep analysis
functionality
• Server and network equipment logging
• TAPs / SPAN capable Ethernet switches
• NTP / time synchronization
• Syslog server
• SNMP traps
-
Why use a TAP versus
a Network SPAN Port?
• TAPs can provide hidden data collection points that
threats would have a difficult time detecting
• Purpose built device
• Passes Layer 1 information that SPAN ports cannot
• TAPs can provide better performance on busy networks when
replicating data
• TAPs can allow packet injection back into network traffic
-
Flow Based Forensics
-
What are flow technologies and why use them?
• Flow technologies provide information based on
different criteria within a packet as it passes through the
network
• Network equipment collects this data and sends it to a flow
collector, which stores and analyzes the data
• Utilizes the customer's current routers and Layer 3 switches
NetFlow – Cisco routers and L3 switches, VM, 3Com, others
sFlow – HP, Extreme, Foundry, Force 10
IPFIX – Nortel / Avaya (based on NetFlow v9 – RFC 3917)
jFlow – Juniper routers and Layer 3 switches
-
Pros and Cons of Flow Based
Technologies
• Pro – Allows customers to use their current network
equipment, so very little or no new equipment is needed
• Pro – Can provide very long term information about "who's
talking to who and with what application"
• Pro – Easy to configure and set up
• Pro – Minimum overhead within WAN circuits
-
Flow based Forensics
-
NetFlow using long-term data collection
-
NetFlow collectors' key capabilities
for use in Forensics
• Insight into how traffic usage is impacting network performance
• The ability to collect, store, and report on every flow that is traversing your
infrastructure – not just top N or an average
• The capability to keep all flows, all the time, for an infinite amount of time for regulatory,
compliance and forensic requirements
• Finding challenging impacts like rogue users or denial of service attacks by seeing all
flows
• Understand the impact of voice, viruses, hacking, multicast, DNS,
peer-to-peer and worms
• Common data source with no averaging or discarding of information
• Rich and granular data set is easily accessible and relevant across the enterprise
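The two slides above (what a flow exporter records, and why a collector that keeps every flow rather than a top-N summary matters) can be made concrete with a small flow cache. The following is an added example written for this transcript, not code from the presentation or from any NetFlow/IPFIX product: it aggregates constructed packet observations into unidirectional 5-tuple flow records with an inactive timeout, then answers "who is talking to whom with what application", lists top talkers, and flags a source that touched many ports on one host, a pattern that is only visible when every flow is retained. The sample packets, the 15-second inactive timeout and the 20-port threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet observations, as a router's flow cache would see them:
# (timestamp_s, src_ip, dst_ip, ip_proto, src_port, dst_port, bytes).
# 10.1.1.9 touching 25 different ports on 10.1.2.20 is the scan-like pattern
# that only a collector keeping every flow can surface (constructed sample data).
PACKETS = [
    (100.0, "10.1.1.5", "10.1.2.10", 6, 51000, 443, 520),
    (100.1, "10.1.2.10", "10.1.1.5", 6, 443, 51000, 1400),
    (100.2, "10.1.1.5", "10.1.2.10", 6, 51000, 443, 60),
    (101.0, "10.1.1.7", "10.1.2.10", 17, 40000, 53, 80),
    (101.0, "10.1.2.10", "10.1.1.7", 17, 53, 40000, 200),
] + [
    (102.0 + i * 0.01, "10.1.1.9", "10.1.2.20", 6, 45000 + i, 1 + i, 60)
    for i in range(25)
]


@dataclass
class Flow:
    """One unidirectional flow record, as a NetFlow/IPFIX exporter would emit it."""
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0


def build_flows(packets, inactive_timeout=15.0):
    """Aggregate packet observations into 5-tuple flow records.

    A packet arriving more than inactive_timeout seconds after the last packet
    of its flow closes that record and opens a new one, mirroring the inactive
    timeout of a real flow cache (the active timeout is ignored here).
    Returns a list of (key, Flow) with key = (src, dst, proto, sport, dport).
    """
    active = {}
    exported = []
    for ts, src, dst, proto, sport, dport, nbytes in sorted(packets):
        key = (src, dst, proto, sport, dport)
        fl = active.get(key)
        if fl is not None and ts - fl.last_seen > inactive_timeout:
            exported.append((key, fl))  # expire the stale record
            fl = None
        if fl is None:
            fl = Flow(first_seen=ts, last_seen=ts)
            active[key] = fl
        fl.last_seen = ts
        fl.packets += 1
        fl.bytes += nbytes
    exported.extend(active.items())  # flush whatever is still open
    return exported


def conversations(flows):
    """Distinct (src, dst, proto, dst_port) tuples: who talks to whom, with what."""
    return sorted({(src, dst, proto, dport) for (src, dst, proto, _sp, dport), _ in flows})


def top_talkers(flows, n=3):
    """Bytes sent per source host, largest first (ties broken by address)."""
    totals = defaultdict(int)
    for (src, *_), fl in flows:
        totals[src] += fl.bytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def scan_suspects(flows, min_ports=20):
    """Sources that opened TCP flows to at least min_ports distinct ports on one host."""
    ports = defaultdict(set)
    for (src, dst, proto, _sp, dport), _ in flows:
        if proto == 6:
            ports[(src, dst)].add(dport)
    return sorted(pair for pair, seen in ports.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(f"{len(flows)} flow records")
    for key, fl in flows[:3]:
        print(key, fl)
    print("top talkers:", top_talkers(flows))
    print("scan suspects:", scan_suspects(flows))
```

The point of keeping every record rather than a top-N summary shows in `scan_suspects`: each probe is a 60-byte flow that no bandwidth-ranked report would ever list, yet together they identify the source.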
-
NetFlow Forensics Reporting
-
NetFlow providing Full Flow Forensics
Over 5 Million Flows Available
-
Packet Based Forensics
-
Packet Based Forensics
• Capture data at various points in the network to collect
data, detect anomalies and notify of potential threats
• Can be used in conjunction with IDS / IPS for network
security
• Different from flow based forensics,
since all packets can be collected and
stored for deep packet inspection
• May also be used to provide information on application performance
issues by capturing packets traversing
the network
-
Packet Based Forensics
for VoIP and Video
• Monitor, alert on, and decode voice and video RTP
streams, scoring call quality using MOS.
• Provide insight into the signaling traffic and how
reliable UDP traffic is functioning
-
VoIP Forensics
-
VoIP & Real Time Application Forensics
• Signaling Traffic
– SIP
– H.323
– MGCP
– Proprietary (SCCP, Unistim)
• Voice / Video Quality Scoring
– MOS – Mean Opinion Score
– R Factor
– Jitter
– Latency
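The quality metrics listed above are all derivable from a packet capture of the RTP streams, which is what makes packet-based forensics useful for voice. The following is an added example written for this transcript, not code from the presentation or from any analyzer product. It computes interarrival jitter exactly as RFC 3550 section 6.4.1 defines it, infers loss from sequence-number gaps, and turns latency, jitter and loss into an R-factor and then a MOS. Two things are assumptions: the RTP observations are constructed sample data (a G.711 stream with an 8 kHz clock, 20 ms packets, one lost packet and 5 ms of arrival wobble), and the R-factor step uses the widely quoted simplified E-model approximation, not the full ITU-T G.107 computation; the R-to-MOS mapping is the standard G.107 formula. One-way latency is taken as an input, since a single capture point cannot measure it on its own.

```python
CLOCK_HZ = 8000  # G.711 RTP clock: a 20 ms packet advances the timestamp by 160 units

# Constructed RTP observations from one direction of a call:
# (arrival_time_s, sequence_number, rtp_timestamp).  Odd packets arrive 5 ms
# late and sequence number 1005 never arrives (constructed sample data).
STREAM = [
    (i * 0.020 + (0.005 if i % 2 else 0.0), 1000 + i, 160 * i)
    for i in range(12) if i != 5
]


def rfc3550_jitter_ms(stream, clock_hz=CLOCK_HZ):
    """Interarrival jitter as defined in RFC 3550 section 6.4.1, in milliseconds.

    D(i-1,i) = (R_i - R_{i-1}) - (S_i - S_{i-1}) compares the arrival spacing
    with the sender's timestamp spacing; J is a running estimate smoothed by 1/16.
    """
    j = 0.0
    prev = None
    for arrival, _seq, ts in stream:
        if prev is not None:
            d = (arrival - prev[0]) * clock_hz - (ts - prev[1])  # timestamp units
            j += (abs(d) - j) / 16
        prev = (arrival, ts)
    return j * 1000.0 / clock_hz


def loss_percent(stream):
    """Packet loss inferred from gaps in RTP sequence numbers (no wrap handling)."""
    seqs = [seq for _a, seq, _t in stream]
    expected = max(seqs) - min(seqs) + 1
    return 100.0 * (expected - len(seqs)) / expected


def r_factor(latency_ms, jitter_ms, loss_pct):
    """Simplified E-model R-factor (assumed field approximation, not full G.107).

    Effective latency = latency + 2 * jitter + 10 ms; a linear penalty below
    160 ms, a steeper one above, then 2.5 R points per percent of loss.
    """
    effective = latency_ms + 2 * jitter_ms + 10
    if effective < 160:
        r = 93.2 - effective / 40
    else:
        r = 93.2 - (effective - 120) / 10
    return r - 2.5 * loss_pct


def mos_from_r(r):
    """ITU-T G.107 mapping from R-factor to estimated MOS (1.0 to 4.5)."""
    if r < 0:
        return 1.0
    if r > 100:
        return 4.5
    return 1 + 0.035 * r + r * (r - 60) * (100 - r) * 7e-6


def stream_report(stream, one_way_latency_ms):
    """Quality summary for one RTP stream; latency is supplied by the caller."""
    jitter = rfc3550_jitter_ms(stream)
    loss = loss_percent(stream)
    r = r_factor(one_way_latency_ms, jitter, loss)
    return {
        "jitter_ms": round(jitter, 3),
        "loss_pct": round(loss, 2),
        "r_factor": round(r, 2),
        "mos": round(mos_from_r(r), 2),
    }


if __name__ == "__main__":
    print(stream_report(STREAM, one_way_latency_ms=40))
```

Because the jitter estimator is smoothed by 1/16, a short burst of delayed packets barely moves it, while a stream that wobbles on every packet converges toward the full wobble; alerting on the smoothed value therefore needs a window long enough for it to settle.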
-
WLAN & RF Forensics
-
WLAN & RF Forensics
• How do we identify and analyze WLAN & RF?
– RF Analysis
• Layer 1 Spectrum Analysis
– 802.11 WLAN Analysis
• WLAN Performance
• Rogue Detection
• Packet Decode
• Channel Utilization
-
RF Forensics
• What is RF Forensics?
– The ability to monitor, capture and analyze the physical layer
of the frequencies that 802.11 WLANs (2.4 GHz & 5 GHz)
use for transmission
• How do we identify and analyze RF interference?
– A spectrum analyzer that not only captures the RF signature
but also identifies the source and location of the interference
-
WLAN Spectrum Forensics using no RF sensors
-
WLAN RF Forensics
Prevention
• RF interference can be used as a denial of service attack. RF forensics
equipment can be used not only to capture the type of RF
but also to attempt to fingerprint the type of device that is being used.
• Other devices such as the cafeteria microwave, cordless
phones and older Bluetooth devices can produce RF
interference in the 2.4 GHz band. Spectrum analysis
tools can be used to locate and identify these types of
interference.
-
WLAN Spectrum Forensics using RF sensors
Normal RF environment of
the 2.4 GHz band
-
WLAN Spectrum Forensics using RF sensors
RF interference in
the 2.4 GHz band
-
WLAN 802.11 Forensics
• 802.11 a/b/g/n, including
out-of-country channels
• WLAN APs can be used
to provide some rogue detection, noise
information and connected
clients
• Purpose built devices such
as WLAN sensors provide
not only connectivity and
rogue detection but also
off-channel detection
-
WLAN 802.11 Forensics using no WLAN sensors
-
WLAN 802.11 Forensics
Prevention
• Due to the nature of Wi-Fi, extra diligence and equipment are
needed
• Alerting and data capture are needed to understand, in a timely manner, what
WLAN attacks have compromised the network and its
information
-
WLAN 802.11 Forensics using WLAN sensors
-
Conclusion
• Reasons for implementing Network Forensics
– Troubleshooting network and applications – time to
resolution greatly diminished
– Compliance – can provide the needed data collection for
government and industry regulations
– Visibility into corporate applications – provides insight into
user experience
– Network security – provides detailed information on potential and
current threats
-
Questions?
-
Thank You!