miller,bob network forensics iitnetsecure10

Post on 05-Jul-2018


  • 8/16/2019 Miller,Bob Network Forensics IITNetsecure10

    1/61

    Network Forensics: How to create visibility into your network

    Bob Miller Senior Systems Manager 

    847-707-5498

    [email protected]

  • Slide 2

    Today’s Agenda

    • Introduction

    • Network Forensics Basics

    • Flow Based Forensics

    • Packet Forensics

     – Application level forensics (VoIP / Video)

    • WLAN Forensics – RF and 802.11

    • Questions

  • Slide 3

    What is Network Forensics?

    • The ability to look at past collected data to determine IT security threats and piece together a time frame of events

    • Can also be used to analyze application performance based on past collected data.

    • Forensics data can be analyzed from different sources:

     – Ethernet OSI Layer 2 (Data Link) to Layer 7 (Application)

     – WLAN Layer 1 RF spectrum & Layer 2 for IPS / Forensics

     – Current NetFlow / IPFIX type devices (Routers, L3 Devices, etc.)

  • Slide 4

    Forensics Compliance

    • Sarbanes-Oxley

    • California SB 1386

    • Gramm-Leach-Bliley

    • HIPAA

    • PCI-DSS

    • Federal Information Security Management Act of 2002

    • DoD

    • Basel II

    • Information Security Standard (ISO 27001 Compliance)

  • Slide 5

    Forensic Tools

    • Ethernet

     – Stream to Disk Technology with vast storage capacity

     – High Speed Disk Captures

     – High Speed Interfaces

     – Extensive capture and display filters for data analysis

    • WLAN

     – Layer 2 WLAN Analysis

     – Layer 1 RF Interference Detection and Analysis

    • Netflow Technologies

     – Collection from many L3 Netflow type devices for LAN, WAN, and other flow technology devices

    • Network TAPS

     – Provides data replication without detection

  • Slide 6

    There are several areas where forensics can be applied. Samples of some broad categories include:

    • Compliance: Oops, someone sent out company confidential financial information in an unencrypted email or used IM to gossip about a coworker's medical condition, a HIPAA violation.

    • Troubleshooting: Why did your network melt down this morning? Why do your CRM users often experience poor performance in the afternoon?

    • Hackers: What was hacked, how, and by whom? Often goes hand-in-hand with intrusion detection systems (IDS) to see what damage, if any, was done. It’s also a good way to verify that intrusion prevention systems (IPS) are working too.

    • Verticals: Why did the core switch peg during a critical trading hour? Why are doctors losing wireless connectivity? Is our converged data + VoIP transport operating smoothly?

    • Law Enforcement: In particular, CALEA (the Communications Assistance for Law Enforcement Act of 1994), which states the requirements of carriers to assist law enforcement in executing electronic surveillance. CALEA is of interest more so outside the enterprise – i.e. Internet service and Internet backbone providers.

  • Slide 7

    Where are the best collection points?

    Data collection points will be based on requirements of potential threats:

     – Inside of the Firewall

     – Devices where access to the corporate network from outside the physical location is provided (i.e. VPN / SSL, WLAN, etc.)

     – In critical locations where corporate data or sensitive data is held

     – Locations where government or industry compliance is required

  • Slide 8

    What kind of tools are needed for Network Forensics?

    • Long term data capture and analysis

    • Long term Netflow Collectors with deep analysis functionality

    • Server and Network Equipment logging

    • TAPS / SPAN capable Ethernet switches

    • NTP / Time Synchronization

    • Syslog Server

    • SNMP Traps

  • Slide 9

    Why use a TAP versus a Network SPAN Port?

    • TAPS can provide hidden data collection points that threats would have a difficult time to detect

    • Purpose built device

    • Passes Layer 1 information that SPAN ports cannot

    • TAPS can provide better performance on busy networks in replicating data

    • TAPS can allow packet injection back into network traffic

  • Slide 10

    Flow Based Forensics

  • Slide 11

    What are flow technologies and why use them?

    • Flow technologies provide information based on different criteria within a packet as it passes through the network

    • Network equipment collects this data and sends it to a flow collector, which stores and analyzes the data

    • Utilizes customers' current Routers and Layer 3 Switches

     – NetFlow – Cisco Routers and L3 Switches, VM, 3Com, others

     – sFlow – HP, Extreme, Foundry, Force 10

     – IPFIX – Nortel / Avaya (based on NetFlow v9 – RFC 3917)

     – jFlow – Juniper Routers and Layer 3 switches

  • Slide 12

    Pros and Cons of Flow Based Technologies

    • Pro – Allows customers to use their current network equipment so very little or no new equipment is needed

    • Pro – Can provide very long term information about “who’s talking to who and with what application”

    • Pro – Easy to configure and setup

    • Pro – Minimum overhead within WAN circuits (

  • Slide 13

    Flow based Forensics

  • Slide 14

    Flow based Forensics

  • Slide 15

    NetFlow using long term data collection


  • Slide 18

    NetFlow collectors key capabilities for use in Forensics

    • Insight into how traffic usage is impacting network performance

    • The ability to collect, store, and report on every flow that is traversing your infrastructure – not just top N or an average

    • The capability to keep all flows, all the time, for an infinite amount of time for regulatory, compliance and forensic requirements

    • Finding challenging impacts like rogue users or denial of service attacks by seeing all flows

    • Understand the impact of voice, viruses, hacking, multi-cast, DNS, peer-to-peer and worms

    • Common data source with no averaging or discarding of information

    • Rich and granular data set is easily accessible and relevant across the enterprise
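    The "every flow, not just top N" point above, shown as an added example that is not part of the slides: a few constructed flow records are summarised the way a top-talkers report would, then searched in full for the fan-out (scanning host) and fan-in (flood target) patterns that the summary discards. The record layout, addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample flow records: (src, dst, dst_port, proto, bytes, packets).
# Fabricated for this example; a real collector would supply these from NetFlow/IPFIX.
FLOWS = [
    ("10.1.1.10", "10.1.2.20", 445, "tcp", 5_000_000, 4000),   # ordinary file-server traffic
    ("10.1.1.11", "10.1.2.20", 445, "tcp", 3_500_000, 2900),
    ("10.1.1.12", "10.1.2.30", 443, "tcp", 900_000, 800),
] + [
    # one host touching many peers with tiny flows: invisible in a "top by bytes" view
    ("10.1.1.99", f"10.1.3.{i}", 22, "tcp", 60, 1) for i in range(1, 41)
] + [
    # many outside sources hitting one server with tiny flows: a volumetric flood pattern
    (f"203.0.113.{i}", "10.1.2.40", 80, "tcp", 120, 2) for i in range(1, 61)
]

def top_n_by_bytes(flows, n=3):
    """What a summarised (top N) report keeps: only the heaviest sources by volume."""
    per_src = defaultdict(int)
    for src, _dst, _port, _proto, nbytes, _pkts in flows:
        per_src[src] += nbytes
    return sorted(per_src, key=per_src.get, reverse=True)[:n]

def fan_out_scanners(flows, min_distinct_dsts=20):
    """Sources that contact unusually many distinct destinations (horizontal probing)."""
    dsts = defaultdict(set)
    for src, dst, *_ in flows:
        dsts[src].add(dst)
    return sorted(s for s, d in dsts.items() if len(d) >= min_distinct_dsts)

def fan_in_targets(flows, min_distinct_srcs=50):
    """Destinations receiving flows from unusually many distinct sources (flood / DoS)."""
    srcs = defaultdict(set)
    for src, dst, *_ in flows:
        srcs[dst].add(src)
    return sorted(d for d, s in srcs.items() if len(s) >= min_distinct_srcs)

if __name__ == "__main__":
    print("top talkers :", top_n_by_bytes(FLOWS))     # the probing host never appears here
    print("scanners    :", fan_out_scanners(FLOWS))   # found only because every flow was kept
    print("flood target:", fan_in_targets(FLOWS))
```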

  • Slide 19

    NetFlow Forensics Reporting

  • Slide 20

    NetFlow providing Full Flow Forensics

    Over 5 Million Flows Available

  • Slide 21

    Packet Based Forensics

  • Slide 22

    Packet Based Forensics

    • Capture data at various points in the network to collect data, detect anomalies and notify of potential threats

    • Can be used in conjunction with IDS / IPS for network security

    • Different from Flow based forensics since all packets can be collected and stored for deep packet inspection

    • May also be used to provide information on application performance issues by capturing packets traversing the network

  • Slide 23

    Packet Based Forensics

  • Slide 24

    Packet Based Forensics


  • Slide 27

    Packet Based Forensics for VoIP and Video

    • Monitor, alert, and decode Voice and Video RTP streams for call quality using MOS scoring.

    • Provide insight into the signaling traffic and how Reliable UDP traffic is functioning

  • Slide 28

    VoIP Forensics

  • Slide 29

    VoIP & Real Time Application Forensics

    • Signaling Traffic

     – SIP

     – H.323

     – MGCP

     – Proprietary (SCCP, Unistim)

    • Voice / Video Quality Scoring

     – MOS – Mean Opinion Score

     – R Factor

     – Jitter

     – Latency
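    How the four quality metrics above fit together, as an added example that is not from the slides: latency, jitter and packet loss are folded into an R factor with the simplified E-model of Cole and Rosenbluth (2001), and the R factor is mapped to MOS with the ITU-T G.107 conversion. The default R of 93.2, the G.711 loss constant Bpl = 15, the codec delay, the jitter-buffer treatment and the alert thresholds are assumptions made for this example.

```python
import math

def delay_impairment(one_way_ms):
    """Id: impairment from mouth-to-ear delay (Cole & Rosenbluth simplification)."""
    idd = 0.024 * one_way_ms
    if one_way_ms > 177.3:
        idd += 0.11 * (one_way_ms - 177.3)   # delay becomes noticeable past ~177 ms
    return idd

def loss_impairment(loss_fraction, bpl=15.0):
    """Ie,eff for G.711 without loss concealment; Bpl = 15 is an assumed constant."""
    return 30.0 * math.log(1.0 + bpl * loss_fraction)

def r_to_mos(r):
    """ITU-T G.107 mapping from the R factor to an estimated MOS (1.0 .. 4.5)."""
    if r < 0:
        return 1.0
    if r > 100:
        return 4.5
    return 1.0 + 0.035 * r + 7.0e-6 * r * (r - 60.0) * (100.0 - r)

def score_call(latency_ms, jitter_ms, loss_fraction, codec_ms=20.0):
    """Return (R, MOS) for one RTP stream from the metrics a packet analyser measures."""
    # Assumption: the play-out buffer is sized to the measured jitter, so jitter
    # becomes extra delay rather than extra loss; codec_ms covers packetisation.
    one_way_ms = latency_ms + jitter_ms + codec_ms
    r = 93.2 - delay_impairment(one_way_ms) - loss_impairment(loss_fraction)
    return r, r_to_mos(r)

def quality_label(mos):
    """Alert level thresholds chosen for this example; not a standard."""
    if mos >= 4.0:
        return "good"
    if mos >= 3.6:
        return "acceptable"
    return "poor"

if __name__ == "__main__":
    # Constructed measurements: a clean LAN call and a lossy, delayed WAN call.
    for lat, jit, loss in ((20, 5, 0.0), (150, 60, 0.05)):
        r, mos = score_call(lat, jit, loss)
        print(f"latency={lat}ms jitter={jit}ms loss={loss:.0%}: "
              f"R={r:.1f} MOS={mos:.2f} ({quality_label(mos)})")
```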


  • Slide 32

    WLAN & RF Forensics

  • Slide 33

    WLAN & RF Forensics

    • How do we identify and analyze WLAN & RF?

     – RF Analysis

      • Layer 1 Spectrum Analysis

     – 802.11 WLAN Analysis

      • WLAN Performance

      • Rogue Detection

      • Packet Decode

      • Channel Utilization

  • Slide 34

    RF Forensics

    • What is RF Forensics?

     – The ability to monitor, capture and analyze the physical layer of the frequencies that WLAN 802.11 (2.4GHz & 5GHz) uses for transmission

    • How do we identify and analyze RF interference?

     – A Spectrum Analyzer that not only captures the RF signature but also identifies the source and location of the interference

  • Slide 35

    WLAN Spectrum Forensics using no RF sensors

  • Slide 36

    WLAN Spectrum Forensics using no RF sensors

  • Slide 37

    WLAN Spectrum Forensics using no RF sensors

  • Slide 38

    WLAN Spectrum Forensics using no RF sensors

  • Slide 39

    WLAN RF Forensics Prevention

    • RF interference can be used as a denial of service attack. RF Forensics equipment can be used to not only capture the type of RF but also attempt to fingerprint the type of device that is being used.

    • Other devices such as the cafeteria microwave, cordless phones, and older bluetooth devices can provide RF interference at the 2.4GHz frequency. Spectrum Analysis tools can be used to locate and identify these types of interference.

  • Slide 40

    WLAN Spectrum Forensics using RF sensors

  • Slide 41

    WLAN Spectrum Forensics using RF sensors

    Normal RF Environment of the 2.4GHz Band

  • Slide 42

    WLAN Spectrum Forensics using RF sensors

  • Slide 43

    WLAN Spectrum Forensics using RF sensors

  • Slide 44

    WLAN Spectrum Forensics using RF sensors

    RF Interference in the 2.4GHz band

  • Slide 45

    WLAN Spectrum Forensics using RF sensors

  • Slide 46

    WLAN Spectrum Forensics using RF sensors

  • Slide 47

    WLAN 802.11 Forensics

    • 802.11 a/b/g/n including out of country channels

    • WLAN APs can be used to provide some rogue detection, noise information and connected clients

    • Purpose built devices such as WLAN sensors provide not only connectivity and rogue detection but also off channel detection
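    The rogue detection and "out of country channel" checks described above, as an added example that is not from the slides: beacon observations (constructed here; in practice reported by APs or WLAN sensors) are compared against the inventory of deployed radios and against the 2.4 GHz channel set of the local regulatory domain. The SSIDs, BSSIDs, channel tables and the two finding categories are assumptions made for the example.

```python
# Constructed beacon observations as a WLAN sensor or AP scan might report them.
# Every SSID and BSSID below is fabricated for this example.
OBSERVED_BEACONS = [
    {"ssid": "CorpWiFi",   "bssid": "00:11:22:33:44:01", "channel": 1},
    {"ssid": "CorpWiFi",   "bssid": "00:11:22:33:44:06", "channel": 6},
    {"ssid": "CorpWiFi",   "bssid": "de:ad:be:ef:00:01", "channel": 6},   # corporate SSID, unknown radio
    {"ssid": "HomeRouter", "bssid": "c0:ff:ee:00:00:01", "channel": 13},  # channel not used in the US
    {"ssid": "CorpWiFi",   "bssid": "00:11:22:33:44:11", "channel": 11},
]

# Inventory of radios the WLAN team deployed (assumed; normally exported from the controller).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:06", "00:11:22:33:44:11"}
CORP_SSIDS = {"CorpWiFi"}

# 2.4 GHz channels permitted per regulatory domain: US (FCC) 1-11, most of Europe 1-13,
# Japan 1-14. A beacon on a channel outside the local domain is the "out of country
# channel" case: clients and APs on the local profile never scan it, so only a sensor
# that sweeps every channel will see it.
ALLOWED_2G_CHANNELS = {
    "US": set(range(1, 12)),
    "EU": set(range(1, 14)),
    "JP": set(range(1, 15)),
}

def classify_beacons(beacons, authorized, corp_ssids, domain="US"):
    """Map each BSSID that deserves attention to the list of reasons it was flagged."""
    findings = {}
    for b in beacons:
        reasons = []
        if b["bssid"] not in authorized:
            if b["ssid"] in corp_ssids:
                # An unknown radio advertising the corporate SSID is the evil-twin pattern.
                reasons.append("evil twin: corporate SSID from unauthorized BSSID")
            else:
                reasons.append("unknown AP (rogue or neighbouring network)")
        if b["channel"] not in ALLOWED_2G_CHANNELS[domain]:
            reasons.append(f"channel {b['channel']} not permitted in {domain}")
        if reasons:
            findings[b["bssid"]] = reasons
    return findings

if __name__ == "__main__":
    for bssid, reasons in classify_beacons(OBSERVED_BEACONS, AUTHORIZED_BSSIDS, CORP_SSIDS).items():
        print(bssid, "->", "; ".join(reasons))
```

The authorized APs produce no findings at all; the same scan evaluated under the "EU" domain drops the channel-13 finding, which is why the domain must come from the site, not from the sensor's default.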

  • Slide 48

    WLAN 802.11 Forensics using no WLAN sensors

  • Slide 49

    WLAN 802.11 Forensics using no WLAN sensors

  • Slide 50

    WLAN 802.11 Forensics using no WLAN sensors

  • Slide 51

    WLAN 802.11 Forensics using no WLAN sensors

  • Slide 52

    WLAN 802.11 Forensics Prevention

    • Due to the nature of Wi-Fi, extra diligence and equipment is needed

    • Alerting and Data Capture is needed to understand what WLAN attacks have compromised the network and information in a timely manner

  • Slide 53

    WLAN 802.11 Forensics using WLAN sensors

  • Slide 54

    WLAN 802.11 Forensics using WLAN sensors

  • Slide 55

    WLAN 802.11 Forensics using WLAN sensors

  • Slide 56

    WLAN 802.11 Forensics using WLAN sensors

  • Slide 57

    WLAN 802.11 Forensics using WLAN sensors

  • Slide 58

    WLAN 802.11 Forensics using WLAN sensors

  • Slide 59

    Conclusion

    • Reasons for implementing Network Forensics

     – Troubleshooting network and applications – Time to Resolution greatly diminished

     – Compliance – can provide needed data collection for government and industry regulations

     – Visibility into corporate applications – provide insight into user experience

     – Network security – provide detailed information of potential and current threats

  • Slide 60

    Questions ?

  • Slide 61

    Thank You!