Listening to the Network: Leveraging Network Flow Telemetry for Security Applications (PowerPoint presentation)


  1. Listening to the Network: Leveraging Network Flow Telemetry for Security Applications
     Darren Anstee, EMEA Solutions Architect

  2. Introduction
     § Security has an increased focus from ALL businesses, whether they are an enterprise, ISP, IDC or OTT application service provider.
       – Better awareness of issues & tighter regulation
       – Main-stream press coverage = senior management focus
       – Huge financial / brand costs when something goes wrong
     § So, why is ’Flow relevant to security?
       – Flow leverages our investment in the routers / switches within our infrastructure to identify threats to our networks and services
       – Flow is generated regardless of traffic symmetry (asymmetric routing does not hide a flow from the exporting router)
       – Flow can be used to detect malware-infected hosts, zero-day exploits, attacks, insider misuse / abuse, DDoS etc.
       – Flow can provide a network-wide picture of what is actually going on (context)
     Page 2 - Company Confidential

  3. How can ’Flow Help us?
     § Flow can help us to understand how our networks are used:
       – We can use flow to build a model of who uses what, when, how often and how much. This gives us a baseline for normal network activity.
       – And we can detect abnormal / malicious / unusual traffic on our networks.
       – We can classify what is going on, in context, to establish our risk.
       – And we get valuable forensic data.
     § Flow should be one of the key mechanisms we have for monitoring our network, service and data security.

  4. Agenda
     § Introduction
     § What is ’Flow?
     § How can we use ’Flow for Security Applications
     § Flow Security Use Cases
       – Network / Data Integrity - Bot Detection
       – Service Availability - DDoS Detection

  5. ’Flow, the Voice of the Network
     § Why ’Flow?
       – Netflow v5/v7/v8/v9, sFlow v4/v5, Jflow, cflow, Netstream v5/v9, IPFix, Flexible Netflow
       – Routers and switches support different versions / types.
         § Cisco, Juniper, Alcatel, Huawei, Foundry, HP, Brocade
     § ’Flow maintains traffic data as Flow Records in a flow cache, and optionally exports that flow data to a collection / analysis system.
     § Flow Records are a form of network telemetry which describe the traffic streams headed to / passing through a router
       – Flow Record = uni-directional traffic flow
       – A bi-directional conversation is therefore represented by at least two Flow Records (and maybe more).

  6. Flow Records, Key and Non-Key Fields
     § Using the Netflow v5 Record (still the most common).

     Key Fields (identify the flow)       Non-Key Fields / Counters
     • Source IP Address                  • Packet Count
     • Destination IP Address             • Byte Count
     • Source TCP/UDP Port                • First Packet Time
     • Destination TCP/UDP Port           • Last Packet Time
     • Input IfIndex                      • Output IfIndex
     • Protocol                           • TCP Flags
     • Type of Service                    • Next Hop Address
                                          • Source AS Number
                                          • Dest. AS Number
                                          • Source Prefix Mask
                                          • Dest. Prefix Mask
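The two slides above describe the Netflow v5 record (key fields plus counters) and the fact that a Flow Record is uni-directional, so one conversation arrives as at least two records. The following added example (not code from the presentation) parses a v5 export datagram with the standard 24-byte header / 48-byte record layout and then folds the uni-directional records into conversations; the sample datagram is constructed in the block, not captured from a router.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout, network byte order: 24-byte header, then 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")   # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")   # 'x' = pad bytes
FIELDS = ("src_ip", "dst_ip", "next_hop", "input_if", "output_if", "packets", "bytes",
          "first_ms", "last_ms", "src_port", "dst_port", "tcp_flags", "protocol", "tos",
          "src_as", "dst_as", "src_mask", "dst_mask")   # key fields: ips, ports, input_if, protocol, tos

def parse_v5(datagram):
    """Return (header, records) from one NetFlow v5 export datagram."""
    version, count, _, _, _, seq, _, _, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    records = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(FIELDS, raw))
        for ip in ("src_ip", "dst_ip", "next_hop"):   # 4-byte fields -> dotted quad
            rec[ip] = socket.inet_ntoa(rec[ip])
        records.append(rec)
    return {"count": count, "flow_sequence": seq, "sampling_interval": sampling & 0x3FFF}, records

def conversations(records):
    """Fold uni-directional records into bi-directional conversations (endpoints sorted so A->B and B->A share a key)."""
    convs = defaultdict(lambda: {"records": 0, "bytes_fwd": 0, "bytes_rev": 0})
    for r in records:
        a, b = (r["src_ip"], r["src_port"]), (r["dst_ip"], r["dst_port"])
        forward = a <= b
        c = convs[(r["protocol"],) + (a + b if forward else b + a)]
        c["records"] += 1
        c["bytes_fwd" if forward else "bytes_rev"] += r["bytes"]
    return dict(convs)

def build_v5(flows):
    """Constructed sample exporter (not real router output): one datagram from (src, dst, sport, dport, proto, pkts, bytes)."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0", 1, 2, p, o,
                       1000, 2000, sp, dp, 0x18, pr, 0, 64512, 65000, 24, 24)
        for s, d, sp, dp, pr, p, o in flows)
    return V5_HEADER.pack(5, len(flows), 5000, 1700000000, 0, 1, 0, 0, 0) + body

SAMPLE = build_v5([
    ("10.0.0.5", "192.0.2.10", 51000, 443, 6, 12, 1800),   # client -> server
    ("192.0.2.10", "10.0.0.5", 443, 51000, 6, 10, 9200),   # server -> client, same conversation
    ("10.0.0.7", "192.0.2.53", 40000, 53, 17, 1, 80),      # one-way UDP query, no reply seen
])
```

Running `conversations(parse_v5(SAMPLE)[1])` yields two conversations from three records, with the TLS session's bytes split into forward and reverse directions.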

  7. Flow Record Export (diagram slide)

  8. Extensible Flow : Netflow v9
     § Created to provide flexibility
       – Additional ‘fields’ can be added to Netflow records.
     § Supported by Cisco, Juniper, Alcatel, Huawei etc.
     § Required for routers to export Flow Records for MPLS, Multicast and IPv6 traffic.
     [Diagram: Flows from Interface A and Interface B feed a Netflow v9 export packet made up of a Header (version, # packets, sequence #, Source ID), Template FlowSet (Template ID #1, Template ID #2: field types and lengths), Data FlowSets (FlowSet ID = Template ID, Data Records with field values), Option Template FlowSet and Option Data FlowSet. To support technologies such as MPLS or Multicast, this export format can be leveraged to easily insert new fields.]

  9. Extensible Flow : Flexible Netflow / IPFix
     § Flexible Netflow (Cisco)
       – Allows user-configurable Netflow Templates
         § Key, non-key, counter, time-stamp fields
       – Customised Netflow cache(s) for specific applications
       – Can reduce overhead:
         § Only ‘relevant’ information is sampled
         § Only ‘specified’ fields are stored
       – Introduces many new key / non-key fields
         § Can include NBAR and header / payload extracts.
       – Uses Netflow v9 format for export.
     § IPFix
       – Standardised - RFC 5101, 5102
       – Similar export format to Netflow v9 but not identical
         § Version 10, sequence number counting etc.
         § Variable length fields etc.

  10. Netflow Considerations
     § Sampled or Un-Sampled ’Flow?
       – Un-sampled ’Flow is useful for troubleshooting, forensics, traffic analysis, and behavioural / relational anomaly detection
       – Sampled ’Flow is useful for traffic analysis and behavioural / relational anomaly detection.
       – The choice comes down to router support, monitored traffic volume and collection capabilities.
     § Monitoring with ’Flow can scale for very large amounts of traffic
       – Phone bill vs. wire-tap = scalability
         § Who’s talking to whom, over what protocols and ports, for how long, at what speed, for what duration, etc.
       – ’Flow allows the routers / switches within the network infrastructure to be used as probes

  11. Netflow Considerations, Where to Listen?
     § At network entry and exit points, and in front of critical infrastructure: e.g. data-centre, extranet connection, internet gateway, peering edge, wherever we want visibility.
     § Ingress ’Flow generation should typically be enabled on all router interfaces.
       – Egress ’Flow generation in certain situations.
     § If traffic crosses multiple Flow-enabled routers, multiple Flow Records may be generated representing the same traffic.
     [Diagram: two Flow-enabled routers on the path between A and B; each one exports its own Flow Record A -> B and Flow Record B -> A for the same conversation.]

  12. Agenda
     § Introduction
     § What is ’Flow?
     § How can we use ’Flow for Security Applications
     § Flow Security Use Cases
       – Network / Data Integrity - Bot Detection
       – Service Availability - DDoS Detection

  13. How can ’Flow Help us with our Security Posture?
     § As I said earlier …
     § Flow can help us to understand how our networks are used:
       – We can use flow to build a model of who uses what, when, how often and how much. This gives us a baseline for normal network activity.
       – And we can detect abnormal / malicious / unusual traffic on our networks.
       – We can classify what is going on, in context, to establish our risk.
       – And we get valuable forensic data.
       – We can discover which customers / services share which infrastructure. This helps us to ensure availability.

  14. How can we use Flow? § We can look at the flow cache on each router. But … . § When Flow is enabled on router / switch infrastructure we can use a dedicated analysis systems to collect, detect, report on, and correlate observed activity. § We can: – See collated data across multiple devices. – Contrast current / historic traffic levels and patterns. – Detect bots / DDoS / insider misuse more easily. – Mine historical flow logs for forensic information. § Open source and commercial collection / analysis tools are available which greatly enhance the utility of Flow. Page 14 - Company Confidential
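Slides 11, 13 and 14 together describe what a collector does with the records: collate them across devices (counting traffic once when two Flow-enabled routers both reported it), build a per-host baseline of who sends how much and when, and contrast the current period against that history. The added example below (not code from the presentation) does exactly that over a constructed set of already-decoded records; the hosts, exporters and volumes are invented sample data, and the per-hour bucket and the thresholds `k` and `min_ratio` are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample collector input, not real router output. Each tuple is one
# uni-directional Flow Record as received from an exporter:
# (exporter, hour, src_ip, dst_ip, src_port, dst_port, protocol, bytes)
SAMPLE = [
    # hours 0-3: normal activity; 10.0.0.5's traffic crosses both edge routers, so it is reported twice
    *[("edge-1", h, "10.0.0.5", "192.0.2.10", 51000 + h, 443, 6, 20000) for h in range(4)],
    *[("edge-2", h, "10.0.0.5", "192.0.2.10", 51000 + h, 443, 6, 20000) for h in range(4)],
    *[("edge-1", h, "10.0.0.7", "192.0.2.53", 40000 + h, 53, 17, 500) for h in range(4)],
    # hour 4: 10.0.0.5 unchanged, 10.0.0.7 suddenly pushes 400x its usual volume to a new destination
    ("edge-1", 4, "10.0.0.5", "192.0.2.10", 51004, 443, 6, 20000),
    ("edge-2", 4, "10.0.0.5", "192.0.2.10", 51004, 443, 6, 20000),
    ("edge-1", 4, "10.0.0.7", "198.51.100.9", 40004, 6667, 6, 200000),
]

def collate(records):
    """Merge records from all exporters, counting traffic once when several
    Flow-enabled routers reported the same key fields in the same hour."""
    seen = {}
    for exporter, hour, src, dst, sp, dp, proto, nbytes in records:
        key = (hour, src, dst, sp, dp, proto)
        seen[key] = max(seen.get(key, 0), nbytes)   # same flow seen twice: keep one copy
    return seen

def bytes_per_host_hour(collated):
    """Who sends how much, when: {src_ip: {hour: bytes}} from collated records."""
    usage = defaultdict(lambda: defaultdict(int))
    for (hour, src, _, _, _, _), nbytes in collated.items():
        usage[src][hour] += nbytes
    return usage

def anomalies(usage, current_hour, k=3.0, min_ratio=4.0):
    """Flag hosts whose current-hour volume is more than k standard deviations above
    their own history AND more than min_ratio times the mean (so a flat history with stdev 0 still needs a real jump)."""
    flagged = {}
    for host, hours in usage.items():
        history = [b for h, b in hours.items() if h < current_hour]
        now = hours.get(current_hour, 0)
        if not history:
            continue
        mu, sigma = mean(history), pstdev(history)
        if now > mu + k * sigma and now > min_ratio * mu:
            flagged[host] = {"now": now, "baseline_mean": mu, "baseline_stdev": sigma}
    return flagged

def detect(records=SAMPLE, current_hour=4):
    return anomalies(bytes_per_host_hour(collate(records)), current_hour)
```

Without the collate step 10.0.0.5 would appear to send 40000 bytes an hour; with it the baseline is correct, and only 10.0.0.7, whose hour-4 volume is far outside its own history, is reported.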

  15. How can we use Flow? § Multiple open source tools available: – Nfdump / Nfsen § http://nfdump.sourceforge.net/ § http://nfsen.sourceforge.net/ – Stager § http://software.uninett.no/stager/ – WebView Netflow Reporter § http://wvnetflow.sourceforge.net/ – FlowViewer § http://ensight.eos.nasa.gov/FlowViewer/ – Argus § http://www.qosient.com/argus/downloads.shtml – Others : § http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html § Commercial Tools § More flexible, easier to configure, more scalable and supported. Page 15 - Company Confidential

  16. Flow Security Applications
     § Flow can help us to ensure network and data integrity and confidentiality, plus service availability.
     § Numerous papers on the use of Flow for security applications:
       – http://www.first.org/global/practices/Netflow.pdf
       – http://www.cert.org/flocon/2011/presentations/Krmicek_Detecting.pdf
       – http://www.ietf.org/proceedings/78/slides/NMRG-9.pdf
       – http://www.math.bme.hu/~slovi/temalabor3.pdf
       – Livadas, C., Walsh, R., Lapsley, D., Strayer, T.: Using machine learning techniques to identify botnet traffic. In: Proceedings of the 31st IEEE Conference on Local Computer Networks, 2006
       – Yen, T.-F., Reiter, M. K.: Traffic aggregation for malware detection. In: Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA ’08), 2008
       – These are just a sample
     § Going to look at some (simple) examples
       – Much more complex mechanisms available, see papers above