
Ray Jones Director of Solutions Architecture and Field Enablement


Presentation Transcript


  1. Security Monitoring In Your Network: Strategies to Safeguard Your Network Using NetScout’s 3900 Series Packet Flow Switch. Ray Jones, Director of Solutions Architecture and Field Enablement

  2. A BAD YEAR for Cyber Security
• Entertainment
• Gov’t & Health Care
• Platform
• Retail
• Financial

  3. Cyber Security Monitoring: Two Challenges
• Obscurity: Protagonist often intentionally averts detection
• Transience: Sequence of events may be difficult to reproduce

  4. What you’ll learn today

  5. 3900 SERIES PACKET FLOW SWITCH INTRODUCTION: Scalable, flexible, feature rich.

  6. nGenius 3900 Series Packet Flow Switch
• Centralized Management (PFS Management Software): pay-as-you-grow modules & chassis; supports > 4000 ports; large site deployments needing >144 ports
• 3903 Chassis: up to 144 ports 1/10 GbE + 12 ports 40 GbE*; 3RU modular switch; medium to large single-site or multi-site deployments needing >48 ports
• 3901 Chassis: up to 48 ports 1/10 GbE + 4 ports 40 GbE*; 1RU modular switch; small single-site or multi-site deployments needing 16 to 48 ports
* 100G Early Field Trial Available

  7. nGenius 3900 Series Packet Flow Switch
• Redundant Switch Controllers: resides on each blade; automatic failover
• Redundant Ethernet Management Ports
• Redundant AC/DC Power Supplies
• Serial Console Port
• Interface Blade: FlexPorts supporting 1/10/40G; up to 48 x 1/10G per RU; up to 4 x 40G per RU
• Built-in GUI Management or PFS Management System
• 1U and 3U Base Chassis Options
• Modular + Stackable Monitoring Fabric Growth
• 1/10/40Gbps Native per Blade
• Full Line Rate, All-Inclusive Blade Based Features
• 100G Early Field Trial Available

  8. nGenius 3900 Series Packet Flow Switch (block diagram: full-duplex 720 Gbps line-rate processing; advanced switching engine with extensible microcode; console port; port groups of 16x 1G/10G, 4x 40G or 16x 1G/10G, and 16x 1G/10G)

  9. nGenius 3900 Series Packet Flow Switch (diagram: Network, Site A, Site B)

  10. DYNAMIC TARGETING: Ensuring rapid, reliable incident response.

  11. Dynamic Targeting: Problem & Requirement
• Problem: Security events may require reactive changes to monitoring fabric.
• Requirement: Implement dynamic, automated changes via secure management channel.

  12. Use Case: Targeted packet capture for suspect flows (diagram: Network; TAPs; PFS; Continuous Monitoring; Escalation Analysis; Site A; Site B. The same diagram is built up step by step on slides 13 to 17.)

  13. Use Case: Targeted packet capture for suspect flows
• 1) Traffic flows through TAPs to Sites A & B

  14. Use Case: Targeted packet capture for suspect flows
• 1) Traffic flows through TAPs to Sites A & B
• 2) PFS steers traffic from TAPs to Monitoring tools

  15. Use Case: Targeted packet capture for suspect flows
• 1) Traffic flows through TAPs to Sites A & B
• 2) PFS steers traffic from TAPs to Monitoring tools
• 3) Monitoring tool detects suspicious activity

  16. Use Case: Targeted packet capture for suspect flows
• 1) Traffic flows through TAPs to Sites A & B
• 2) PFS steers traffic from TAPs to Monitoring tools
• 3) Monitoring tool detects suspicious activity
• 4a) Script configures packet flow switch to target IP address
• 4b) Script activates Escalation Analysis tool

  17. Use Case: Targeted packet capture for suspect flows
• 1) Traffic flows through TAPs to Sites A & B
• 2) PFS steers traffic from TAPs to Monitoring tools
• 3) Monitoring tool detects suspicious activity
• 4a) Script configures packet flow switch to target IP address
• 4b) Script activates Escalation Analysis tool
• 5) PFS sends targeted traffic to Escalation Analysis tool

  18. Scripting for Dynamic Targeting
• Optimized Management for Monitoring Tools: nGeniusONE

  19. Scripting for Dynamic Targeting
• Optimized Management for Monitoring Tools: nGeniusONE
• PFS Manager for PFS

  20. Scripting for Dynamic Targeting
• SSH from Client to PFS and Monitoring Tools (diagram: Client connects over SSH to PFS Manager and nGeniusONE; reference shown: nGenius PFS Management Software Administrator Guide)

  21. Sample PFS SSH/CLI Script

```python
import paramiko
from paramiko_expect import SSHClientInteraction  # package: paramiko-expect

def main():
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    # AutoAddPolicy trusts any unknown host key; pin the PFS host key in known_hosts for production use
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    prompt = '=> '
    hostname = '10.88.39.192'  # Replace with actual IP address of PFS or PFS Mgmt Server
    username = 'administrator'  # Replace if you need to use a different user; normally "administrator" is correct
    password = 'netscout1'  # Replace with actual password
    client.connect(hostname, int(22022), username, password)  # Presumes that PFS CLI SSH uses default port 22022
    interact = SSHClientInteraction(client, timeout=10, display=True)
    interact.expect(prompt)  # wait for the CLI prompt before sending anything
    # raw_input('Press Enter to continue')
    interact.send("Add Rule 'Dynamic Target' 'permit ip && ip.addr==192.168.0.171'")
    interact.expect(prompt)
    cmd_output = interact.current_output_clean  # CLI response to the previous command
    interact.send("Add Rule 'Dynamic Target' 'permit ip && ip.addr==192.168.0.171'")  # the slide's excerpt ends here
    interact.expect(prompt)
    client.close()

if __name__ == '__main__':
    main()
```

  22. What should the system do?
Upon trigger detection:
• Create Rule(s) based upon trigger, e.g., IP address
• Create Filter(s) and assign Rule(s) to it
• Connect Source Port(s) via Filter(s) to Destination Port(s)
• Prepare Escalation Analysis platform.
Following “All Clear”:
• Restore original configuration

  23. Components of Dynamic Targeting
• Preparation: Define/configure interfaces to PFS, Tools
• Identification: Establish triggers for response
• Response: Initiate changes to monitoring infrastructure
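The trigger-to-restore lifecycle of slides 22 and 23, as an added example that is not part of the deck or of NetScout's software. It wraps the session in a recorder so the command sequence can be checked offline, and it treats the detector-supplied IP address as untrusted input: the sample script on slide 21 interpolates the address straight into a CLI command string, so a malformed trigger value must be rejected before it reaches the switch. Only the `Add Rule '<name>' '<expression>'` form is taken from the slides; the `Add Filter`, `Connect`, `Disconnect` and `Delete` command forms are assumed placeholders for whatever the PFS CLI actually uses.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RecordingSession:
    """Stand-in for the SSH/CLI session of the slides' script: records every
    command instead of sending it, so the sequence can be inspected offline."""
    sent: list = field(default_factory=list)

    def send(self, command):
        self.sent.append(command)


def canonical_trigger_ip(value):
    """A detector's trigger value ends up inside a CLI command string, so only a
    syntactically valid IPv4/IPv6 address is accepted; anything else (quotes,
    extra tokens, out-of-range octets) raises ValueError."""
    return str(ipaddress.ip_address(str(value).strip()))


def is_valid_trigger_ip(value):
    try:
        canonical_trigger_ip(value)
        return True
    except ValueError:
        return False


class DynamicTargeting:
    """Applies and later restores the 'suspect flow' configuration:
    Rule -> Filter -> Connection from the source ports to the escalation port."""

    def __init__(self, session, source_ports, escalation_port, name="Dynamic Target"):
        self.session = session
        self.source_ports = list(source_ports)
        self.escalation_port = escalation_port
        self.name = name
        self.applied = []  # commands sent at escalation; restore() undoes them

    def escalate(self, trigger_ip):
        ip = canonical_trigger_ip(trigger_ip)
        commands = [
            # Add Rule syntax is the one shown in the slides' sample script
            f"Add Rule '{self.name}' 'permit ip && ip.addr=={ip}'",
            # Add Filter / Connect syntax below is ASSUMED for illustration
            f"Add Filter '{self.name}' Rule '{self.name}'",
        ]
        commands += [
            f"Connect Port {p} Filter '{self.name}' Port {self.escalation_port}"
            for p in self.source_ports
        ]
        for cmd in commands:
            self.session.send(cmd)
        self.applied = commands
        return commands

    def restore(self):
        """'All clear': undo in reverse order, so the filter and rule are only
        deleted once no connection references them (Disconnect/Delete syntax assumed)."""
        if not self.applied:
            return []
        commands = [
            f"Disconnect Port {p} Filter '{self.name}' Port {self.escalation_port}"
            for p in reversed(self.source_ports)
        ]
        commands += [f"Delete Filter '{self.name}'", f"Delete Rule '{self.name}'"]
        for cmd in commands:
            self.session.send(cmd)
        self.applied = []
        return commands


if __name__ == "__main__":
    session = RecordingSession()
    dt = DynamicTargeting(session, source_ports=["1/1", "1/2"], escalation_port="1/48")
    # constructed trigger: the address the monitoring tool reported as suspicious
    for cmd in dt.escalate("192.168.0.171"):
        print(cmd)
    for cmd in dt.restore():
        print(cmd)
```

Swapping `RecordingSession` for an object whose `send` calls `interact.send` followed by `interact.expect(prompt)` turns the recorder into the live script; keeping `escalate` and `restore` as pure command builders is what makes the rollback testable before it is ever run against a switch.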

  24. FILTERING TOOLS: Everything you need, and nothing you don’t.

  25. Filtering: Problem & Requirement
• Problem: Cyber tools may become congested by high traffic volumes
• Requirement: Filter for traffic of interest, expect to make changes later.
(diagram: nested sets, Total Network Activity containing Traffic of Interest containing Threat)

  26. Use Case: Limit traffic to necessary content (diagram: several Network links feeding Cyber Security Monitoring, with Link Utilization and Packet Rate indicators)

  27. Filtering Techniques
• Criteria
  • Layer 2: MAC, VLAN ID & Priority, Ethertype
  • Layer 3: IP address, Payload type
  • Layer 4: TCP/UDP Port, Protocol
  • DPI: Custom Mask & Offset
• Dimension
  • Direction: Side A v. Side B, Source v. Destination
  • Criteria: Permit v. Deny per Criterion
  • Range: Efficient Address Masking
  • Types: Connection v. Destination

  28. Filtering Structure – Building Blocks: Criteria → Rules → Filter → Topology
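The criteria and dimensions of slides 27 and 28 turned into rule expressions, as an added example that is not part of the deck or of NetScout's PFS software. The expression shape `permit ip && ip.addr==...` comes from the sample script on slide 21; every other field name (`vlan.id`, `eth.type`, `tcp.port`, ...) is an assumed, Wireshark-style spelling and would need to match the real PFS grammar. It also shows what "efficient address masking" buys: an arbitrary address range is covered with the fewest address/mask entries, each of which is one hardware match, and a DPI criterion is a byte comparison at a custom offset under a custom mask.

```python
import ipaddress

# Expression syntax follows the slides' sample rule:
#   permit ip && ip.addr==192.168.0.171
# Field names other than ip.addr are ASSUMED for illustration.
FIELDS = {
    # layer 2
    "mac": "eth.addr", "mac_src": "eth.src", "mac_dst": "eth.dst",
    "vlan": "vlan.id", "vlan_priority": "vlan.priority", "ethertype": "eth.type",
    # layer 3
    "ip": "ip.addr", "ip_src": "ip.src", "ip_dst": "ip.dst", "ip_proto": "ip.proto",
    # layer 4
    "port": "tcp.port", "udp_port": "udp.port",
}


def criterion(kind, value, side=None):
    """One criterion; side='src'/'dst' selects the directional field where one exists."""
    key = f"{kind}_{side}" if side else kind
    if key not in FIELDS:
        raise ValueError(f"unknown criterion {key}")
    return f"{FIELDS[key]}=={value}"


def rule(action, *criteria):
    """Permit or deny traffic matching all given criteria (logical AND)."""
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    return " && ".join([f"{action} ip", *criteria])


def cidr_blocks(first, last):
    """Efficient address masking: cover an inclusive address range with the
    fewest address/mask pairs, each of which costs one hardware match entry."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def range_rules(action, first, last, side=None):
    """One rule per covering block instead of one rule per address."""
    return [rule(action, criterion("ip", block, side)) for block in cidr_blocks(first, last)]


def dpi_match(packet, offset, mask, value):
    """DPI criterion with custom mask & offset: True when the bytes at `offset`,
    ANDed with `mask`, equal `value`. Packets too short to hold the window never match."""
    if len(mask) != len(value):
        raise ValueError("mask and value must have the same length")
    window = packet[offset:offset + len(mask)]
    if len(window) < len(mask):
        return False
    return all((b & m) == v for b, m, v in zip(window, mask, value))


if __name__ == "__main__":
    print(rule("permit", criterion("ip", "192.168.0.171")))
    print(rule("deny", criterion("vlan", 100), criterion("port", 443)))
    # 192 addresses covered by two entries rather than 192
    for r in range_rules("permit", "192.168.0.0", "192.168.0.191", side="src"):
        print(r)
    # constructed sample: TLS record header, type 0x16 (handshake), version 3.x
    print(dpi_match(b"\x16\x03\x01\x00\x2a", 0, b"\xff\xff", b"\x16\x03"))
```

Hardware rule tables are finite, so the block count returned by `cidr_blocks` is the number to watch when a filter change is planned: a range that does not align to power-of-two boundaries can cost several entries, which is the practical meaning of "efficient address masking" on slide 27.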

  29. Flexible Filtering: Connection v. Destination (diagram: Filter on Connection; Filter at Destination)

  30. Dynamic Targeting: On-demand Filter creation
• Both Connection and Destination Filters work for Dynamic Targeting
• Filtering occurs in hardware at line-rate
• Filter changes are non-disruptive (except adding a Connection Filter into a Connection - obviously)
(diagram: Network; TAPs; PFS; Continuous Monitoring; Escalation Analysis; Site A; Site B)

  31. Traffic Conditioning: Problem & Requirement
• Problem: Cyber Monitoring tool may be unable to parse some packet headers, rendering payload analysis impossible.
• Requirement: Condition Traffic within the monitoring switch.
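One concrete form of the conditioning slide 31 asks for, as an added example that is not part of the deck or of NetScout's switch firmware: the slides do not say which headers trip up legacy tools, so the choice of 802.1Q/802.1ad VLAN tags (listed among the layer 2 criteria on slide 27) is this example's assumption. The function removes every tag between the MAC addresses and the real EtherType, so a tool that only understands plain Ethernet sees the frame it expects, while the stripped VLAN IDs are returned so the information is not lost. The test frames are constructed inline.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service/provider tag (outer tag of a QinQ frame)
MAC_LEN = 6


def strip_vlan_tags(frame):
    """Remove every 802.1Q/802.1ad tag between the MAC addresses and the real
    EtherType. Returns (conditioned_frame, [vlan_ids from outer to inner]).
    Truncated frames raise ValueError instead of producing a bogus frame."""
    if len(frame) < 2 * MAC_LEN + 2:
        raise ValueError("truncated Ethernet header")
    offset = 2 * MAC_LEN
    vlan_ids = []
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        offset += 4
    if len(frame) < offset + 2:
        raise ValueError("tag present but no EtherType follows it")
    return frame[:2 * MAC_LEN] + frame[offset:], vlan_ids


def ethertype(frame):
    """EtherType as seen by a tool that does not understand VLAN tags."""
    return struct.unpack("!H", frame[2 * MAC_LEN:2 * MAC_LEN + 2])[0]


def tagged_frame(vlan_ids, payload=b"\x45\x00\x00\x14", etype=0x0800):
    """Constructed test frame: fixed dst/src MACs, the given tags outer-to-inner
    (802.1ad outer tag when there is more than one), then EtherType and payload."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    tags = b""
    for i, vid in enumerate(vlan_ids):
        tpid = TPID_8021AD if (i == 0 and len(vlan_ids) > 1) else TPID_8021Q
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    return dst + src + tags + struct.pack("!H", etype) + payload


if __name__ == "__main__":
    qinq = tagged_frame([200, 100])
    print("before: EtherType 0x%04x" % ethertype(qinq))
    conditioned, ids = strip_vlan_tags(qinq)
    print("after:  EtherType 0x%04x, stripped VLAN IDs %s" % (ethertype(conditioned), ids))
```

Doing this in the monitoring switch rather than in the tool is the point of slide 31: the tool's parser is not changed, and the returned VLAN IDs can still be applied as a filtering criterion before the frame is forwarded.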

  32. DPI Challenges for Legacy Cyber Tools

  33. Summary
• DYNAMIC TARGETING: Expedite incident response, especially after hours
• FILTERING TOOLS: Optimize monitoring tool performance
• ADVANCED TIPS & TRICKS: Traffic Conditioning, Metrics, Load-Balancing, Baselining

  34. Summary
• 3900 SERIES PFS OVERVIEW: Improve visibility while controlling scale
• DYNAMIC TARGETING: Expedite incident response, especially after hours
• FILTERING TOOLS: Optimize monitoring tool performance

  35. THANK YOU
