Session 2 Security Monitoring
Identify
Device Status
Traffic Analysis
Routing Protocol Status
Configuration & Log
Classification
Identifying an Attack
Identification Tools
Network Benchmark Parameter
Device Status
CPU
Memory
Temperature
CPU Load
Abnormal CPU Load
Abnormal CPU Load
Identifying an Attack through CPU Load
Identifying an Attack through CPU Load
Identifying an Attack through CPU Load
Temperature
Traffic Analysis
Technology (Netflow & Sniffer)
Layer 3 or 4 based
Application based
Netflow Detect & Affirm
Use Netflow
Detect DoS
Example
Layer 3 or 4 TOP N
IP address based
Protocol based
Port based
Packet Size based
AS based
Index
overview
Normalin/Normalout, Spoofin/Spoofout; Bandwidth, PPS and Packet Size
Traffic Statistics Picture
• According to bandwidth: bandwidth, packet size and PPS
• According to direction: normalin/normalout, spoofin/spoofout
• According to time: 4 hours, 2 days, 1 week, 2 months
• Max, min, average, now
Traffic Statistics Picture (overview)
Traffic Statistics
IP TOP 20
• Order by source/destination address
• Order by source destination peer
• Order by bandwidth and PPS
Traffic Analyse (TOP20)
Traffic Analyse (TOP20)
Packet size TOP20
Order by bandwidth, PPS
Port Distribution TOP20
• Order by source/dest port summary
• Order by source/dest port direction
• Order by bandwidth and PPS
Port distribution TOP20
Protocol statistic TOP20
• According to protocol: normalin, normalout, spoofin and spoofout
• Order by bandwidth and PPS
Protocol Statistic TOP20
Protocol Picture
• According to bandwidth and PPS
• According to type: TCP, UDP, ICMP
• According to time: 4 hours, 2 days, 1 week, 2 months
• Max, min, average, now
Protocol (TCP UDP ICMP) Statistics Overview
Protocol (TCP UDP ICMP) Statistics
AS Statistic TOP20
• According to direction: normalin, normalout, spoofin and spoofout
• According to bandwidth and PPS
AS Statistic TOP20
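The TOP 20 views above (IP, peer, port, protocol, AS, packet size; ordered by bandwidth or PPS; split by normalin/normalout/spoofin/spoofout) are all the same aggregation over flow records with a different key. The following is an added example, not code from the original slides or from any NetFlow product; it runs over constructed flow records embedded inline. The meaning of "spoof" directions is an assumption: a flow entering from upstream whose source address belongs to the monitored prefix is counted as spoofin, and a flow leaving with a source outside that prefix as spoofout. The prefix 203.0.113.0/24 and the AS numbers are documentation/private values chosen for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed address space behind the monitored router (RFC 5737 documentation range).
LOCAL_NETS = [ip_network("203.0.113.0/24")]

# Constructed sample flow records standing in for NetFlow export (not real data).
# ingress=True means the flow was seen entering on the upstream-facing interface.
FLOWS = [
    dict(src="198.51.100.7", dst="203.0.113.10", proto="udp", sport=53, dport=33434,
         pkts=4000, bytes=5_600_000, dur=10, src_as=64500, dst_as=64496, ingress=True),
    dict(src="203.0.113.10", dst="198.51.100.7", proto="tcp", sport=443, dport=51000,
         pkts=300, bytes=400_000, dur=10, src_as=64496, dst_as=64500, ingress=False),
    # Source inside our own space arriving from upstream: treated as a spoofed-source flow.
    dict(src="203.0.113.5", dst="203.0.113.10", proto="tcp", sport=1024, dport=80,
         pkts=20000, bytes=1_280_000, dur=10, src_as=64496, dst_as=64496, ingress=True),
    # Leaving our network with a foreign source address: we are emitting spoofed traffic.
    dict(src="192.0.2.9", dst="198.51.100.7", proto="tcp", sport=40000, dport=80,
         pkts=100, bytes=64_000, dur=10, src_as=64501, dst_as=64500, ingress=False),
    dict(src="198.51.100.8", dst="203.0.113.10", proto="icmp", sport=0, dport=0,
         pkts=500, bytes=32_000, dur=5, src_as=64500, dst_as=64496, ingress=True),
]

def is_local(addr):
    a = ip_address(addr)
    return any(a in net for net in LOCAL_NETS)

def direction(flow):
    """Classify a flow as normalin/normalout/spoofin/spoofout (assumed meaning:
    'spoof' = source address on the wrong side of the network edge)."""
    src_local = is_local(flow["src"])
    if flow["ingress"]:
        return "spoofin" if src_local else "normalin"
    return "normalout" if src_local else "spoofout"

def pkt_size_bucket(flow):
    """Average packet size of the flow, binned into 64-byte buckets."""
    size = flow["bytes"] // flow["pkts"]
    low = size // 64 * 64
    return f"{low}-{low + 63}"

# One key function per TOP 20 view on the slides.
KEYS = {
    "src_ip": lambda f: f["src"],
    "dst_ip": lambda f: f["dst"],
    "peer": lambda f: (f["src"], f["dst"]),
    "proto": lambda f: f["proto"],
    "src_port": lambda f: f["sport"],
    "dst_port": lambda f: f["dport"],
    "src_as": lambda f: f["src_as"],
    "dst_as": lambda f: f["dst_as"],
    "pkt_size": pkt_size_bucket,
}

def rates(flow):
    """Average bandwidth (bit/s) and packet rate (packets/s) of one flow."""
    return flow["bytes"] * 8 / flow["dur"], flow["pkts"] / flow["dur"]

def top_n(flows, key, n=20, order="bps", only_direction=None):
    """Sum bandwidth and PPS per key and return the top n as (key, bps, pps)."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for f in flows:
        if only_direction and direction(f) != only_direction:
            continue
        bps, pps = rates(f)
        k = KEYS[key](f)
        totals[k][0] += bps
        totals[k][1] += pps
    idx = 0 if order == "bps" else 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1][idx], reverse=True)
    return [(k, v[0], v[1]) for k, v in ranked[:n]]

def direction_summary(flows):
    """Bandwidth and PPS per direction: the slides' normalin/normalout/spoofin/spoofout view."""
    out = {}
    for d in ("normalin", "normalout", "spoofin", "spoofout"):
        bps = sum(rates(f)[0] for f in flows if direction(f) == d)
        pps = sum(rates(f)[1] for f in flows if direction(f) == d)
        out[d] = (bps, pps)
    return out

if __name__ == "__main__":
    for name in ("src_ip", "proto", "dst_port", "pkt_size", "src_as"):
        print(name, top_n(FLOWS, name, n=3))
    print("by pps", top_n(FLOWS, "src_ip", order="pps", n=3))
    print(direction_summary(FLOWS))
```

Ordering by bandwidth and by PPS gives different leaders on purpose: the large-packet UDP flow tops the bandwidth list, while the small-packet flow with a spoofed source tops the PPS list, which is the usual signature that the packet-size and PPS views are meant to expose.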
Abnormal Traffic Query System
Abnormal Traffic Query System
Routing Protocol Status
Route Entries
Routing Protocol Stability
Route Monitoring
Routing (BGP summary)
Routing Monitoring
BGP Statistics
BGP Monitoring (TEIN2-NORTH)
BGP Monitoring (TEIN2-SOUTH)
BGP Monitoring (TEIN2-JP)
AS Path Entries
Community Entries
IPv4 Prefix
IPv6 Prefix
Route Flapping Top 20
No. PREFIX AS Oscillation
1 195.251.96.0/24 5408 3400
2 156.148.0.0/16 137 2829
3 195.251.98.0/23 5408 2714
4 195.251.0.0/23 5408 2301
5 193.194.64.0/19 3208 1952
6 195.251.104.0/24 5408 1895
7 194.177.196.0/24 3323 1528
8 84.205.64.0/24 12654 1417
9 84.205.65.0/24 12654 1266
10 84.205.77.0/24 12654 1250
11 84.205.67.0/24 12654 1147
12 84.205.76.0/24 12654 1134
13 84.205.78.0/24 12654 1074
14 84.205.75.0/24 12654 1025
15 84.205.69.0/24 12654 1008
16 84.205.74.0/24 12654 998
17 195.60.236.0/22 39154 941
18 84.205.71.0/24 12654 940
19 193.124.160.0/21 5402 922
20 193.124.208.0/20 3335 874
No. AS Oscillation
1 680 46486
2 786 38707
3 5408 36036
4 2018 31828
5 137 21231
6 4621 17600
7 1103 17268
8 559 17071
9 12654 13666
10 2200 13621
11 5387 12209
12 2614 10461
13 1659 10013
14 766 9504
15 237 7633
16 668 7213
17 5501 6840
18 553 6190
19 2561 6062
20 2422 6026
IPv6 Route Flapping Top 10
No. PREFIX AS Oscillation
1 2001:4c00::/32 34695 673
2 2001:1a70::/32 12046 529
3 2001:1410::/32 25538 508
4 2001:4b58::/32 6802 443
5 2001:1b20::/32 8665 441
6 2001:a98::/32 8517 439
7 2001:720::/32 766 431
8 2001:4170::/32 13092 407
9 2001:778::/32 2847 392
10 2001:1a18::/32 3268 391
No. AS Oscillation
1 195 716
2 34695 673
3 559 610
4 12046 529
5 25538 508
6 6802 443
7 8665 441
8 8517 439
9 766 431
10 13092 407
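The two tables above pair a per-prefix oscillation count with a per-AS total, which is what a route-monitoring collector produces by counting BGP announce/withdraw events per prefix and then summing per origin AS. The following is an added example, not code from the original slides or any route-monitoring tool; it runs over a constructed update log (timestamps, prefixes and AS numbers are made up, reusing a few prefixes from the tables only as labels) and adds a sliding-window check so that a prefix that flaps repeatedly within a short interval can be flagged for follow-up.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed BGP update log: (timestamp_s, prefix, origin_as, event). Not real data.
UPDATES = [
    (0,   "195.251.96.0/24", 5408, "withdraw"),
    (5,   "195.251.96.0/24", 5408, "announce"),
    (9,   "195.251.96.0/24", 5408, "withdraw"),
    (14,  "195.251.96.0/24", 5408, "announce"),
    (20,  "156.148.0.0/16",  137,  "withdraw"),
    (31,  "156.148.0.0/16",  137,  "announce"),
    (40,  "195.251.98.0/23", 5408, "withdraw"),
    (41,  "195.251.98.0/23", 5408, "announce"),
    (300, "2001:4c00::/32",  34695, "withdraw"),
    (900, "2001:4c00::/32",  34695, "announce"),
]

def oscillations_by_prefix(updates, family=None, since=None, until=None):
    """Count route changes per (prefix, origin AS); every announce or withdraw
    counts as one oscillation. family=4 or 6 restricts to IPv4 or IPv6 prefixes."""
    counts = Counter()
    for ts, prefix, asn, _event in updates:
        if since is not None and ts < since:
            continue
        if until is not None and ts > until:
            continue
        if family is not None and ip_network(prefix).version != family:
            continue
        counts[(prefix, asn)] += 1
    return counts

def oscillations_by_as(updates, family=None, since=None, until=None):
    """Per-AS total: the sum of oscillations of all prefixes that AS originates."""
    per_as = Counter()
    for (_prefix, asn), n in oscillations_by_prefix(updates, family, since, until).items():
        per_as[asn] += n
    return per_as

def ranked(counts, n=20):
    """Numbered ranking like the slide tables: [(rank, key, oscillations), ...].
    Ties are broken by key so the ordering is deterministic."""
    order = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return [(i + 1, k, v) for i, (k, v) in enumerate(order[:n])]

def flapping_prefixes(updates, window_s, threshold):
    """Prefixes that changed at least `threshold` times within any `window_s`
    interval (a simple sliding window over each prefix's event timestamps)."""
    times = defaultdict(list)
    for ts, prefix, _asn, _event in updates:
        times[prefix].append(ts)
    flagged = []
    for prefix, ts_list in times.items():
        ts_list.sort()
        j = 0
        best = 0
        for i in range(len(ts_list)):
            # advance j while the window starting at ts_list[i] still covers ts_list[j]
            while j < len(ts_list) and ts_list[j] - ts_list[i] <= window_s:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged.append(prefix)
    return sorted(flagged)

if __name__ == "__main__":
    for row in ranked(oscillations_by_prefix(UPDATES, family=4)):
        print(*row)
    for row in ranked(oscillations_by_as(UPDATES, family=4)):
        print(*row)
    print("flapping:", flapping_prefixes(UPDATES, window_s=10, threshold=3))
```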
AAA & Log Audit
Account
SYSLOG
Log audit tools
Configuring Syslog on a router
Configuration change notification and logging
Log skill
SNMP Authentication Failure via SYSLOG
SNMP Authentication Failure via SYSLOG
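The log-audit slides above (syslog on a router, configuration-change notification, SNMP authentication failures via syslog) all rely on parsing the router's syslog stream on the collector. The following is an added example, not code from the original slides or any audit tool: a small parser for IOS-style syslog lines that counts SNMP authentication failures per source host and extracts configuration-change events. The message formats (%SNMP-3-AUTHFAIL, %SYS-5-CONFIG_I, %LINK-3-UPDOWN) follow the Cisco IOS style but the log lines themselves, hostnames and addresses are constructed; the failure threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed syslog lines in Cisco IOS style (assumed format; hostnames/addresses are made up).
LOG_LINES = [
    "Mar 10 12:00:01 edge-r1 101: *Mar 10 12:00:01.001: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.55",
    "Mar 10 12:00:02 edge-r1 102: *Mar 10 12:00:02.120: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.55",
    "Mar 10 12:00:03 edge-r1 103: *Mar 10 12:00:03.433: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.0.2.55",
    "Mar 10 12:00:10 edge-r1 104: *Mar 10 12:00:10.900: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.20",
    "Mar 10 12:01:00 edge-r2 201: *Mar 10 12:01:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.40)",
    "Mar 10 12:01:05 edge-r2 202: *Mar 10 12:01:05.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]

# syslog header (timestamp, reporting device) followed by an IOS %FACILITY-SEVERITY-MNEMONIC: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<device>\S+)\s.*?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s(?P<msg>.*)$"
)
AUTHFAIL_RE = re.compile(r"from host (?P<host>\S+)")
CONFIG_RE = re.compile(r"Configured from (?P<via>\S+) by (?P<user>\S+)(?: on (?P<line>\S+) \((?P<addr>[^)]+)\))?")

def parse_line(line):
    """Split a syslog line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    return d

def snmp_auth_failures(lines):
    """Count SNMP authentication failures per (reporting device, source host)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["facility"] != "SNMP" or rec["mnemonic"] != "AUTHFAIL":
            continue
        h = AUTHFAIL_RE.search(rec["msg"])
        if h:
            counts[(rec["device"], h.group("host"))] += 1
    return counts

def suspicious_snmp_sources(lines, threshold=3):
    """Sources whose failure count reaches the threshold: one bad community string is
    noise, repeated failures from one host are worth a look (threshold is an assumption)."""
    return [(dev, host, n) for (dev, host), n in snmp_auth_failures(lines).items() if n >= threshold]

def config_changes(lines):
    """Configuration-change notifications as (device, user, source address or None)."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["mnemonic"] != "CONFIG_I":
            continue
        c = CONFIG_RE.search(rec["msg"])
        if c:
            out.append((rec["device"], c.group("user"), c.group("addr")))
    return out

if __name__ == "__main__":
    print(snmp_auth_failures(LOG_LINES))
    print(suspicious_snmp_sources(LOG_LINES))
    print(config_changes(LOG_LINES))
```

Keying the failure counter on the reporting device as well as the source host matters in practice: the same source probing several routers shows up as several small counts rather than one large one, so a fleet-wide view should also sum the counter over devices.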
Classification Objectives
Classification ACLs
Classification and Traceback ACLs
Classification and Traceback ACLs
Classification and Traceback ACLs
Classification and Traceback ACLs
Classification and Traceback ACLs
Classification ACLs - Hints
Netflow Classification Technique
show ip cache flow
show ip cache verbose flow
Sink Hole – How to Classify?