• Organizations lack visibility into the behavior of devices on their network
• Acquisitions, joint ventures, and partnerships are increasing in frequency
• Cloud usage is becoming more prevalent, but so is the lack of visibility into the cloud
• Over 50 billion connected “smart objects” are projected by 2020
[Figure: cloud application traffic, e.g. Citrix, WebEx, and SAP]
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7
Dissecting a Data Breach
• Malware dropped via back door
• Escalate privilege to become admin
Stealthwatch
• Discover and monitor traffic baseline for the network
• Detect breaches and insider threats faster
• Use network data to extend visibility to the access layer
• Enrich flow data with identity, events, proxy, and application to create context (Identity, Proxy Server, Firewall)
• Accelerated detection, investigation and response
What Can Stealthwatch Provide to an Organization?
Extended Visibility
• Continuously monitor devices, applications, and users throughout distributed networks
• Aggregate and analyze advanced telemetry to establish a security baseline of your network
Policy and Access Management
• Monitor the entire network and data center to help ensure that there are no policy or network access violations
Advanced Threat Protection
• Obtain contextual threat intelligence with a historical audit trail of NetFlow data
• Achieve enhanced visibility and context to accelerate threat detection
Accelerated Threat Response
• Improve incident response and forensic analysis through actionable intelligence
• Isolate the root cause of an incident within seconds for mitigation
Stealthwatch
NetFlow Fundamentals
NetFlow – The Network Phone Bill
[Figure: a telephone bill compared with a flow record. Visibility through NetFlow: a flow record with source address 10.1.8.3 and destination address 172.168.134.2 summarizes the packets sent toward the Internet.]
Create a New TCP Flow
If one field is different on an incoming packet, a new flow is created in the local flow cache.
[Figure: NetFlow cache with Key Fields and Non-Key Fields columns]
Ingress and egress ports are based on the interface on which the packets entered and left the router.
Most NetFlow caches do not offer ICMP type and code fields, so the Destination Port column is overloaded with ICMP information.
[Figure: NetFlow cache snapshots for ICMP traffic. Cache columns: Source IP, Source Port, Destination IP, Destination Port, Protocol, Packets, Bytes, Ingress Interface, Egress Interface, First Seen, Last Seen, TCP Flags.]
• Update Existing ICMP Flow: ICMP echo-request data from 10.1.1.4 to 10.2.8.14
• Create New ICMP Flow: ICMP echo-request data from 10.1.1.4 to 10.2.8.14
• Continued Operation: ICMP echo-response between 10.1.1.4 and 10.2.8.14
• ICMP echo-request data from 10.1.1.4 to 10.2.8.15
Exporting Flow Records
#1 End of Flow
• RST or FIN packets seen on a flow will cause the flow record to be exported.
#2 Inactive Timeout
• Configures how long a flow can be inactive before it is expired from the cache
• Recommend 15 seconds (which is also the IOS default)
• All exporters should have similar inactive timeouts
#3 Active Timeout
• Configures longest amount of time a flow can stay in the cache regardless of activity
• Recommend 1 minute (Cisco default of 30 minutes is far too long)
• All exporters should have similar active timeouts
• Last Seen – First Seen == Time Active
#4 Cache Full
• If the local Exporter Flow Cache fills up, the device will begin to export the oldest flows to make room for new flow tracking.
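As an added illustration (not code from the deck), a small Python model of a flow cache that applies the key-field rule, the ICMP destination-port overload, and the first three export reasons above (end of flow, inactive timeout, active timeout); the timeouts follow the deck's recommendations, and the `FlowCache`, `flow_key` and `pkt` names and the packet summaries are constructed for this example, not captured traffic.

```python
from dataclasses import dataclass, field

INACTIVE_TIMEOUT = 15   # seconds: the deck's recommendation and the IOS default
ACTIVE_TIMEOUT = 60     # seconds: the deck's recommendation (IOS default is 30 minutes)

@dataclass
class Flow:
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0
    tcp_flags: set = field(default_factory=set)

def flow_key(pkt):
    """Key fields per the deck; for ICMP the dst-port slot carries type*256 + code."""
    if pkt["proto"] == 1:  # ICMP
        sport, dport = 0, pkt["icmp_type"] * 256 + pkt["icmp_code"]
    else:
        sport, dport = pkt["sport"], pkt["dport"]
    return (pkt["src"], pkt["dst"], sport, dport, pkt["proto"], pkt["tos"], pkt["ifin"])

class FlowCache:
    def __init__(self):
        self.cache = {}      # key -> Flow
        self.exported = []   # (key, reason, Flow) in export order

    def expire(self, now):
        """Reasons #2 and #3: inactive timeout is checked before active timeout."""
        for k, f in list(self.cache.items()):
            if now - f.last_seen >= INACTIVE_TIMEOUT:
                self.exported.append((k, "inactive", self.cache.pop(k)))
            elif now - f.first_seen >= ACTIVE_TIMEOUT:
                self.exported.append((k, "active", self.cache.pop(k)))

    def add_packet(self, pkt):
        self.expire(pkt["ts"])
        k = flow_key(pkt)
        f = self.cache.get(k)
        if f is None:                       # any key field differs -> new flow
            f = self.cache[k] = Flow(pkt["ts"], pkt["ts"])
        f.last_seen, f.packets, f.bytes = pkt["ts"], f.packets + 1, f.bytes + pkt["len"]
        f.tcp_flags |= set(pkt.get("flags", ()))
        if f.tcp_flags & {"FIN", "RST"}:    # reason #1: end of flow
            self.exported.append((k, "end", self.cache.pop(k)))
        return k

def pkt(ts, src, dst, proto, length, sport=0, dport=0, flags=(), icmp_type=0, icmp_code=0):
    """Constructed packet summary (not captured traffic); ingress Gi0/1, ToS 0."""
    return dict(ts=ts, src=src, dst=dst, proto=proto, len=length, sport=sport, dport=dport,
                tos=0, ifin="Gi0/1", flags=flags, icmp_type=icmp_type, icmp_code=icmp_code)
```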
Scaling Visibility: Flow Stitching
[Figure: Routers A, B and C between 10.2.2.2 (port 1024) and 10.1.1.1 (port 80); each router exports one unidirectional record per direction]
Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712
• Without deduplication:
  • Traffic volume can be misreported
  • False positives would occur
• Deduplication:
  • Allows for efficient storage of flow data
  • Necessary for accurate host-level reporting
  • Does not discard data
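An added example (not from the deck or from Stealthwatch's collector) of stitching the unidirectional records that several exporters send for one conversation into a single bidirectional record, keeping each direction's counters once so volume is not over-reported while retaining every exporter that saw the flow; the records, the "higher port is the client" heuristic and the `stitch`/`naive_totals` names are constructed for this example.

```python
# Constructed records: Routers A and B both see the same TCP session, one record per direction.
RECORDS = [
    dict(exporter="RouterA", start="10:20:12.221", src="10.2.2.2", sport=1024,
         dst="10.1.1.1", dport=80, proto="TCP", pkts=5, bytes=1025),
    dict(exporter="RouterA", start="10:20:12.871", src="10.1.1.1", sport=80,
         dst="10.2.2.2", dport=1024, proto="TCP", pkts=17, bytes=28712),
    dict(exporter="RouterB", start="10:20:12.230", src="10.2.2.2", sport=1024,
         dst="10.1.1.1", dport=80, proto="TCP", pkts=5, bytes=1025),
    dict(exporter="RouterB", start="10:20:12.880", src="10.1.1.1", sport=80,
         dst="10.2.2.2", dport=1024, proto="TCP", pkts=17, bytes=28712),
]

def conversation_key(rec):
    """Direction-independent key; the client is the side using the higher (ephemeral) port."""
    a, b = (rec["src"], rec["sport"]), (rec["dst"], rec["dport"])
    client, server = (a, b) if a[1] > b[1] else (b, a)
    return (client, server, rec["proto"])

def stitch(records):
    """Fold unidirectional records into one conversational record per key.
    Each direction's counters come from the first exporter that reported it, so a
    conversation seen by several routers is not counted several times; the set of
    exporters that saw it is retained, so nothing is discarded."""
    convs = {}
    for rec in records:
        key = conversation_key(rec)
        c = convs.setdefault(key, {"client": key[0], "server": key[1], "proto": key[2],
                                   "start": rec["start"], "exporters": set(),
                                   "client_pkts": 0, "client_bytes": 0,
                                   "server_pkts": 0, "server_bytes": 0, "_seen": set()})
        side = "client" if (rec["src"], rec["sport"]) == key[0] else "server"
        c["exporters"].add(rec["exporter"])
        c["start"] = min(c["start"], rec["start"])
        if side not in c["_seen"]:          # first report of this direction wins
            c[side + "_pkts"], c[side + "_bytes"] = rec["pkts"], rec["bytes"]
            c["_seen"].add(side)
    for c in convs.values():
        del c["_seen"]
    return list(convs.values())

def naive_totals(records):
    """What a collector without deduplication would report for the same records."""
    return sum(r["pkts"] for r in records), sum(r["bytes"] for r in records)
```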
Flow Export Review
[Figure: host 10.1.1.1 talking to google.com through a flow-enabled router with interfaces eth0/1 and eth0/2]
• Flow export devices capture flow data in each direction (unidirectionally).
• Flow statistics are counted and exported to the Flow Collector.
Flow #5: 10:20:12.221 eth0/1 10.1.1.1 1024 google.com 80 TCP 5 1029 SYN, ACK, PSH
…
Conversational Flow Record
[Figure: a stitched conversational record annotated with Who, What, Where and When, plus more context such as security group]
(Net)Flow Versions
Version  Status
v1       Similar to v5 but without sequence numbers or BGP info
v2       Never released
v3       Never released
v4       Never released
v5       Fixed format, most common version found in production
v6       Never released
v7       Similar to v5 but without TCP flags, specific to Cat5k and Cat6k
v8       Aggregated formats, never gained wide use in the enterprise
v9       “Next Gen” flow format found in most modern NetFlow exporters, supports IPv6, MPLS, Multicast, many others. Admin has control over what is included in the Flow Record.
IPFIX    Similar to v9 but standardized and with variable length fields
Another Flow Type: sFlow
• Packet sampling based – not a flow record (e.g. “1 in 128” packets captured)
• The first ~100 bytes of the Ethernet frame are extracted and placed into a UDP packet
• Performs poorly in low-bandwidth environments or when full flow details are needed (compliance)
• No complete visibility to all packets/conversations
sFlow Collection
• sFlow packets are sent to the sFlow collector
• Support is at Layer 3
3. Apply to an Interface
Router(config)# interface gi0/1                        ! Which interface do I want to monitor?
Router(config-if)# ip flow monitor my-monitor input
Configuring a Flexible NetFlow Flow Record
Match Parameter = Key Field; Collect Parameter = Non-Key Field
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 tos
Router(config-flow-record)# match ipv4 protocol
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# match transport source-port
Router(config-flow-record)# match transport destination-port
Router(config-flow-record)# match interface input
Router(config-flow-record)# collect routing destination as
Router(config-flow-record)# collect routing next-hop address ipv4
Router(config-flow-record)# collect ipv4 dscp
Router(config-flow-record)# collect ipv4 ttl maximum
Router(config-flow-record)# collect ipv4 ttl minimum
Router(config-flow-record)# collect transport tcp flags
Router(config-flow-record)# collect interface output
Router(config-flow-record)# collect counter bytes
Router(config-flow-record)# collect counter packets
Router(config-flow-record)# collect timestamp sys-uptime first
Router(config-flow-record)# collect timestamp sys-uptime last
Configuration Example: 3500-X 10GE Service Module
!
flow record CYBER_3KX_RECORD
 match datalink mac source-address
 match datalink mac destination-address
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input snmp
 collect interface output snmp
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow exporter CYBER_EXPORTER
 destination <ip-address>
 source <SVI-interface>
 transport udp 2055
!
flow monitor CYBER_MONITOR
 record CYBER_3KX_RECORD
 exporter CYBER_EXPORTER
 cache timeout active 60
 cache timeout inactive 15
!
interface TenGigabitEthernet1/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip flow monitor CYBER_MONITOR input
 ip flow monitor CYBER_MONITOR output
!
interface TenGigabitEthernet1/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip flow monitor CYBER_MONITOR input
 ip flow monitor CYBER_MONITOR output
NetFlow Data Plane Overhead
No direct correlation between bandwidth and NetFlow overhead
• Ex. A high-volume, long-lived flow (at 1 Gbps) will generate one NetFlow record every 60 seconds
Problem:
[Figure: hosts 192.168.1.1, 10.20.30.101 and 98.17.17.17]
NetFlow Security Event Logs (NSEL)
[Figure: sample PCI environment with an edge ASA, an ISR-G2 and a site-to-site VPN]
Note: flow-teardown also implies creation.
ASA(config)# access-list NaaS-PCI_Zone-Flows permit ip any 10.10.5.0 255.255.255.0
ASA(config)# class-map NaaS-ClassMap-Flows
ASA(config-cmap)# match access-list NaaS-PCI_Zone-Flows
ASA(config)# policy-map NaaS-PolicyMap-Flows
ASA(config-pmap)# class NaaS-ClassMap-Flows
ASA(config-pmap-c)# flow-export event-type flow-teardown destination 10.10.50.10
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# flow-export event-type all destination 10.10.2.102
Data Exfiltration
Large Outbound File Transfer VS. Baseline
Stealthwatch Architecture and Components
Stealthwatch Architecture
Stealthwatch Management Console
• Aggregate up to 25 FlowCollectors
• Access Documents, Perform Queries, and Tune Alarms
• Manage the System
Flow Exporters
• NetFlow is generated by:
  • Switches, Routers, Firewalls
  • Flow Sensors in areas without flow support
UDP Director
• Aggregate, replicate, and forward flows to Stealthwatch destination(s) with a UDP director
[Figure: firewalls, switches and routers, and a Flow Sensor feeding a UDP Director]
Stealthwatch System Components
UDP Director
• UDP (NetFlow, Syslog, SNMP) Repeater
• Used in HA environments
• Maximum 2 (HA Deployment)
Stealthwatch Management Console (SMC)
• Console
Additional Context
• Proxy License, ISE Integration, Threat Feed, Cloud License
Flow Collector
• Statistical Analysis
• Maximum 25
FlowSensor
• Uses Packet Capture to create flow
[Figure: Flow Collector, UDP Director, Flow Sensor, NetFlow-enabled infrastructure (NetFlow, syslog, SNMP), Cisco ISE (user and device information), web proxies, and feeds of emerging threat information]
Required Components and Licenses
Stealthwatch: Primary Required Components
Flow Collector
• A physical or virtual appliance that aggregates and normalizes NetFlow and application data collected from exporters such as Cisco routers, switches, and Firewalls
Flow Storage (appliances): 1 TB (RAID-6 Redundant) | 2 TB (RAID-6 Redundant) | 4 TB (RAID-6 Redundant) | 6 TB (RAID-6 Redundant)
Virtual Editions
FC VE Model  Flows per Second  Exporters    Hosts            Reserved Memory  Reserved CPUs  Max Disk Storage
1000         Up to 30,000      Up to 1,000  Up to 500,000    32 GB            5              1 TB
2000         Up to 60,000      Up to 1,500  Up to 750,000    64 GB            6              2 TB
4000         Up to 120,000     Up to 2,000  Up to 1,000,000  128 GB           7              4 TB
Note: FC 5020 requires professional services
Flow Collector: 1010 & 2010 & 4010
Flow Collector 5020 is a 2-box solution connected via a 10G SFP+ uplink connection.
1. Engine Node:
• UCSC-C220-M4S (1RU)
2. Database Node:
• UCSC-C240-M4S2 (2RU)
Flow Collector: Placement in the Network
• It must be able to receive flow records from its associated exporters (Routers, Switches, Firewalls, etc.)
• If more than 1 Flow Collector is deployed, ensure that they are placed so as to best service the flows from the customer environment:
  • Ensure data retention goals are met. Each FC is disk limited (appliance).
  • Think about the NetFlow traffic associated with transmitting the records to the FC. Geographically deployed FCs are a common approach.
  • Think about de-duplication and stitching, since these are performed per collector.
Required: Stealthwatch Management Console
• Rapidly detect and prioritize security threats, pinpoint network misuse and suboptimal performance, and manage event response across the enterprise
Virtual Edition
Flow Collectors  Concurrent Users  Reserved Memory  Reserved CPUs
1                2                 4 GB             2
3                5                 8 GB             3
5                10                16 GB            4
Stealthwatch Management Console: 1010 & 2010
[Figure: front and rear views of the Stealthwatch Management Console 1010 and 2010]
SMC: Placement in the Network
• It must be able to communicate with the Flow Collectors and other appliances
• FPS is not directly related to Bandwidth. An interface showing a current bandwidth of 1Gbps could be related to a single flow or possibly thousands of flows.
• Long-lived vs. Short-lived network connections
• New connections per second
Host Type           FPS per Host
Server              5
Workstation/Laptop  1.2
Router or Switch    75
IP Phone            0.002
FlowSensor: Extracting URL Data
[Figure: layer-4 flow data versus layer-7 application details such as web and instant messenger traffic]
Added Application Details (meta-data) via Deep Packet Inspection
• For HTTP: Host name, path, and response code / error messages
• For HTTPS: Common name and organization
Flow Sensor: Performance Statistics
• The Flow Sensor can report response time measurements (figure example: RTT = 15ms, SRT = 4500ms).
• Private VLANs
Interfaces
Monitor Port: 3 Cu, 10/100/1000 | 5 ports, 1 GB: 5 copper, or 3 copper and 2 fiber optic (rated to monitor 2.5 Gbps) | 2 ports, 10 GB, fiber optic (rated to monitor 5 Gbps total) | 4 ports, 10 GB, fiber optic (rated to monitor 20 Gbps total)
Virtual Edition
Minimum Disk Space Requirements  Hypervisors Supported     Minimum Memory Requirements  Minimum CPU Requirements
1.4 GB                           VMware ESXi v4.x or v5.x  4 GB Reserved                2 GHz
Flow Sensor: 1010 & 2010
[Figure: front and back views of the Flow Sensor 1010 and 2010]
Flow Sensor: 3010 & 4010
[Figure: front and back views of the Flow Sensor 3010 and 4010]
Flow Sensor: Placement in the Network
• It can be placed anywhere that flow generation or the advanced Flow Sensor capabilities are desired:
  • Local device cannot generate flow (CPU constrained device, S-Flow only location, or otherwise incapable of generating flow)
  • Simplifies network security and monitoring
* Note: Only UDPD-VE (via vMotion) and UDPD-2000 Support HA
UDP Director Options
Appliances: UDP Director 1010, UDP Director 2010
Virtual Edition: UDP Director VE
• Packet Replication Rate (input): 15,000 pps
• Packet Replication Rate (output): 30,000 pps
• Minimum Requirements: 1 Virtual CPU, 3 GHz, 1 GB RAM
UDP Director: 1010 & 2010
[Figure: front views of the UDP Director 1010 and 2010]
UDP Director: Placement in the Network
• For NetFlow, it would be placed in a logical location between the Flow Exporters and the various Flow Collectors.
Redundant UDP Director
• Clustered UDP Director model: a maximum of 2 UDP Directors are supported per cluster
[Figure: Malware Analysis, Incident Investigations; caption fragment: “Detection of either attempted or”]
Cisco ISE
• User Identity
• Network Authorization
• End Device Identification
• Operating system and patch level
• Device security posture
• Which security group the user belongs to
• Location from which the user is trying to gain access
• How the user is trying to obtain access – i.e., wired, wireless, VPN
Stealthwatch-ISE Integration
Flow Attribution
• Leverage ISE syslog to match a username to an IP Address
[Figure: the Identity Services Engine sends authentication events to the Stealthwatch Management Console via syslog (udp/3514); the SMC sends quarantine/unquarantine instructions back over pxGrid]
The Stealthwatch Cloud License Solution
[Figure: VPC hosts with the agent installed report over a TLS-encrypted tunnel to a Cloud Concentrator (an agent on a cloud VM host), which exports IPFIX/NetFlow to the Stealthwatch deployment]
Cloud License – How it works
• Lightweight agent deployed to cloud VMs
• Agents report activity to a Cloud Concentrator
• Concentrator sends IPFIX data to Stealthwatch Flow Collector
• Concentrator treated like standard flow exporter by FC/SMC
• Stealthwatch conducts analytics per usual
Fields collected:
• Protocol
• Source IP
• Source Port
• Destination IP
• Destination Port
• Bytes
• Packets
• Flow Start
• Flow Stop
• Direction
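An added example (not from the deck and not the Cloud Concentrator's own code) of how the field set listed above travels to a Flow Collector: it encodes the fields as a minimal IPFIX message (RFC 7011 header, template set and data set, using the IANA-assigned element ids) and parses it back; the template id, the `build_message`/`parse_message` names and the flow values are constructed for this example.

```python
import socket
import struct

TEMPLATE_ID = 256
# (IANA IPFIX element id, length in bytes, name) in the deck's field order
FIELDS = [(4, 1, "protocol"), (8, 4, "src_ip"), (7, 2, "src_port"), (12, 4, "dst_ip"),
          (11, 2, "dst_port"), (1, 8, "bytes"), (2, 8, "packets"),
          (152, 8, "flow_start_ms"), (153, 8, "flow_end_ms"), (61, 1, "direction")]
NAMES = {ie: name for ie, _, name in FIELDS}

def encode_field(ie, length, value):
    if ie in (8, 12):                       # IPv4 addresses are 4 raw bytes
        return socket.inet_aton(value)
    return value.to_bytes(length, "big")    # everything else is big-endian fixed width

def build_message(flow, export_time=0, sequence=0, domain=1):
    """One IPFIX message: header, template set (set id 2), then a data set using the template."""
    template = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    template += b"".join(struct.pack("!HH", ie, ln) for ie, ln, _ in FIELDS)
    template_set = struct.pack("!HH", 2, 4 + len(template)) + template
    data = b"".join(encode_field(ie, ln, flow[name]) for ie, ln, name in FIELDS)
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    body = template_set + data_set
    header = struct.pack("!HHIII", 10, 16 + len(body), export_time, sequence, domain)
    return header + body

def parse_message(msg):
    """Return the flow records in an IPFIX message, decoded with the templates it carries."""
    version, length = struct.unpack("!HH", msg[:4])
    if version != 10 or length != len(msg):
        raise ValueError("not a complete IPFIX message")
    templates, flows, off = {}, [], 16
    while off < length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        pos, end = off + 4, off + set_len
        if set_id == 2:                                   # template set
            while pos + 4 <= end:
                tid, count = struct.unpack("!HH", msg[pos:pos + 4])
                templates[tid] = [struct.unpack("!HH", msg[pos + 4 + 4 * i:pos + 8 + 4 * i])
                                  for i in range(count)]
                pos += 4 + 4 * count
        elif set_id in templates:                         # data set
            tmpl = templates[set_id]
            while pos + sum(ln for _, ln in tmpl) <= end:
                rec = {}
                for ie, ln in tmpl:
                    raw, pos = msg[pos:pos + ln], pos + ln
                    rec[NAMES.get(ie, ie)] = socket.inet_ntoa(raw) if ie in (8, 12) else int.from_bytes(raw, "big")
                flows.append(rec)
        off = end
    return flows
```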
Cloud License: Agent Communication
• Agents will only communicate with the Concentrator they were created on
• Communication between Agents and Concentrator is encrypted via a certificate stamped into the Agent during the creation process
• The Agent installer is an RPM (MSI/EXE on Windows); tools able to deploy these forms of executable can deploy Cloud License Agents
• Network:
  • To create an Agent, the Concentrator requires public IP access via port 8080/tcp
  • For IPFIX export, the Concentrator requires outbound access to the UDP port used by the Flow Collector
  • For management, the Concentrator requires 22/tcp open for SSH
  • Agents communicate with the Concentrator via port 443/tcp
The Cloud License Solution: Additional Information
• Windows
  • In development
• Cloud Environments
  • Amazon Web Services (AWS)
The Cloud License Solution: Agent Resource Usage
• The Flow Collectors are also where the NetFlow records are stored for later historical analysis.
Single Leg Deployment (Most Common)
• Single Stealthwatch Management Console and Flow Collector deployment
[Figure: flow from exporters into the Flow Collector, ISE integration, and HTTPS links]
Stealthwatch High Availability Design
Redundant SMC and Regional Collectors
Requires:
• 2 SMC + SMC Support license
• Multiple FC + FC Support license
• Multiple FPS license
Note:
• ISE integration should be configured on both SMCs.
• The specific FC and SMC used in this scenario depends on
[Figure: Primary and Secondary SMC; Stealthwatch Flow Collectors in the Americas, EMEA and Asia Pacific connected over Internet/MPLS; Stealthwatch Flow Sensor and UDP Director]
Stealthwatch Licensed Features
Install Order