Traditional Troubleshooting Methodology
a) Ignore it, hope the problem goes away
b) Check a few network statistics, and then “pull cables” until it seems like the issue has been resolved
c) Reallocate analyzer resources to monitor the problem, and hope that the problem happens again so you can investigate.
(If the problem does not reappear, see option a)
New Methodology – Network Forensics
Network forensics is the ability to go back in time and investigate a network problem from recorded traffic, after the fact
Retrospective Network Analysis (RNA) – the technology that allows forensics to happen
RNA eliminates the time-consuming task of having to recreate the issue
Allows IT professionals to go immediately to problem-resolution mode
Implementing Network Forensics
Network Troubleshooting
- Performs root-cause analysis
- Allows for historical problem identification
Compliance (internal and governmentally mandated)
- Provides enforcement of acceptable use policies
- Helps fight industrial espionage
- Assists with Sarbanes-Oxley compliance
Security
- Provides pre-intrusion tracking and identification
- Helps deliver a post-intrusion “paper trail”
Troubleshooting – Why poor call quality?
Helpdesk receives notice of poor call quality from a VoIP user
This issue is sporadic
Aggregate statistics show that overall VoIP quality is high
A quick check shows that while some links have had high utilization, overall network usage appears within the norm
Troubleshooting – Why poor call quality?
Timeline 8:45 a.m. – Helpdesk receives call of poor voice quality
9:10 a.m. – After troubleshooting, helpdesk escalates the call to Tier-3 support
9:50 a.m. – Tier-3 investigates the issue, only to find that the problem has disappeared
Why poor call quality?
RNA showed that the VoIP Call Manager was not applying the correct QoS marking (the IP precedence bits, or DSCP, in the IP header) to that user’s calls, so the user’s voice packets were queued as ordinary traffic on the busy links
RNA tracks VoIP traffic as well as the other key applications, so the marking on each call’s packets can be checked after the fact
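The check behind that finding, as an added example that is not part of the original deck: parse the IP header of captured UDP packets, pick out the RTP (voice) packets, and report any call whose packets are not marked DSCP EF (46, which is IP precedence 5). The packets, addresses and ports below are constructed for the example; the expected marking and the RTP heuristic are assumptions, not something the slides specify.

```python
import struct

EXPECTED_DSCP = 46        # DSCP EF, the usual marking for voice bearer (RTP) traffic (assumption)
EXPECTED_PRECEDENCE = 5   # the same marking expressed as IP precedence (top three ToS bits)


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_packet(src, dst, sport, dport, dscp, payload):
    """Constructed IPv4/UDP packet for testing; checksums are left zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(udp) + len(payload),
                     0, 0, 64, 17, 0, ip_bytes(src), ip_bytes(dst))
    return ip + udp + payload


def rtp_payload(seq, payload_type=0, ssrc=0x1234):
    """12-byte RTP v2 fixed header (V=2, PT=0 PCMU) plus a few audio bytes."""
    return struct.pack("!BBHII", 0x80, payload_type, seq, seq * 160, ssrc) + b"\xff" * 8


def parse_packet(pkt):
    """Return the fields we need from an IPv4/UDP packet, or None for anything else."""
    ver_ihl, tos, _tl, _id, _frag, _ttl, proto, _cs, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 17:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _len, _cs = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "sport": sport, "dport": dport, "payload": pkt[ihl + 8:],
        "dscp": tos >> 2,          # DiffServ code point: top six bits of the ToS byte
        "precedence": tos >> 5,    # IP precedence: top three bits (the slide's "precedence bit")
    }


def looks_like_rtp(p):
    """Heuristic: RTP v2 has version bits 10 in the first payload byte and a 12-byte fixed header."""
    return len(p["payload"]) >= 12 and p["payload"][0] >> 6 == 2


def mismarked_voice_flows(packets):
    """Map (src, dst) -> set of DSCP values seen on RTP packets that are not marked EF."""
    bad = {}
    for pkt in packets:
        p = parse_packet(pkt)
        if p is None or not looks_like_rtp(p):
            continue
        if p["dscp"] != EXPECTED_DSCP:
            bad.setdefault((p["src"], p["dst"]), set()).add(p["dscp"])
    return bad


# Constructed capture: two phones talking to the same gateway, plus one DNS query.
SAMPLE_PACKETS = [
    build_packet("10.1.1.10", "10.1.2.20", 16384, 16386, 46, rtp_payload(1)),  # correctly marked EF
    build_packet("10.1.1.10", "10.1.2.20", 16384, 16386, 46, rtp_payload(2)),
    build_packet("10.1.1.11", "10.1.2.20", 16388, 16390, 0, rtp_payload(1)),   # complaining user's phone: best effort
    build_packet("10.1.1.11", "10.1.1.53", 50000, 53, 0, b"\x12\x34" + b"\x00" * 10),  # DNS, not RTP, ignored
]

if __name__ == "__main__":
    for (src, dst), dscps in mismarked_voice_flows(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst}: RTP marked DSCP {sorted(dscps)}, expected {EXPECTED_DSCP}")
```

Because the capture is retained, this can be run against the minutes around 8:45 a.m. long after the call has ended; the aggregate "overall VoIP quality is high" statistic hides a single mismarked phone, but a per-flow check does not.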
Compliance – Dealing with a policy violation
John has been accused of visiting inappropriate websites during work
With forensics, we can establish whether John did or did not
But domain names or URLs alone are not acceptable evidence under the HR policy
Offenses must be documented
Compliance – Dealing with a policy violation
The Challenge
Traditional methods of tracking web activity provide only domain names and URLs
The Solution
RNA and its Stream Reconstruction capability
Compliance – Use Stream Reconstruction
Select the HTML file
Display the page the user visited as it appeared
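What "stream reconstruction" does under the hood, as an added example that is not the product's code: the server side of the HTTP session is reassembled from the captured TCP segments (which may be out of order or retransmitted), the HTTP headers are separated from the body, and the HTML is returned as it was served, with a SHA-256 of the body so the evidence file handed to HR can be verified later. The response, sequence numbers and segment order are constructed sample data; 32-bit sequence wrap-around is not handled.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int      # TCP sequence number of the first payload byte
    data: bytes


def reassemble(segments, isn):
    """Rebuild one direction of a TCP stream from segments that may arrive out of
    order, duplicated or overlapping. isn is the SYN's sequence number, so the first
    payload byte is isn + 1. Returns (stream_bytes, gaps); missing ranges are
    zero-filled and reported so nobody mistakes a partial capture for the whole page."""
    stream = bytearray()
    expected = isn + 1
    gaps = []
    for seg in sorted(segments, key=lambda s: s.seq):
        data, seq = seg.data, seg.seq
        if seq < expected:                       # retransmission or overlap: keep only new bytes
            data = data[expected - seq:]
            seq = expected
            if not data:
                continue
        elif seq > expected:                     # hole in the capture: record and pad
            gaps.append((expected, seq))
            stream.extend(b"\x00" * (seq - expected))
        stream.extend(data)
        expected = seq + len(data)
    return bytes(stream), gaps


def split_http_response(raw):
    """Split an HTTP/1.x response into status line, headers and body (Content-Length honoured)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode("latin-1")] = v.strip().decode("latin-1")
    try:
        length = int(headers.get("content-length", len(rest)))
    except ValueError:
        length = len(rest)
    return lines[0].decode("latin-1"), headers, rest[:length]


def reconstruct_page(segments, isn):
    """Reassemble the server side of an HTTP session and return the page as served,
    plus a hash of the body for the evidence record."""
    raw, gaps = reassemble(segments, isn)
    status, headers, body = split_http_response(raw)
    return {"status": status, "content_type": headers.get("content-type"),
            "html": body.decode("utf-8", "replace"), "gaps": gaps,
            "sha256": hashlib.sha256(body).hexdigest()}


# Constructed server response and capture; sample data, not real traffic.
BODY = b"<html><head><title>Prohibited site</title></head><body>Example page</body></html>"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % len(BODY) + BODY
ISN = 1000


def make_capture(response=RESPONSE, isn=ISN, size=37):
    """Split the response into segments and return them in a plausible capture order:
    out of order, with one segment retransmitted."""
    segs = [Segment(isn + 1 + i, response[i:i + size]) for i in range(0, len(response), size)]
    return [segs[1], segs[0], segs[1]] + segs[2:]


SAMPLE_SEGMENTS = make_capture()

if __name__ == "__main__":
    page = reconstruct_page(SAMPLE_SEGMENTS, ISN)
    print(page["status"], page["content_type"], page["sha256"], page["gaps"])
    print(page["html"])
```

Two practical points for the HR case: a non-empty `gaps` list means the capture missed part of the session and the rendered page is incomplete, and the hash should be recorded with the time, the client address and the capture it came from before the file leaves the IT department.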
Dealing with a policy violation
RNA evidence proves that John has visited prohibited web sites during business hours
IT department can provide HR the evidence they need to make their decision
RNA delivers the evidence and proof you need to assist with forensics investigations and to maintain internal and external compliance
Security Attack Identified
DMZ attacked
IPS detected and repelled these attacks
Unbeknownst to the IPS/IDS, a brute-force attack against the VPN succeeded at the same time (a password-guessing attack that finally succeeds looks like a legitimate login to a signature-based IPS)
Trojan applications such as remote-control utilities and keystroke loggers were installed
This resulted in malicious activity against our internal systems
Security – What happened during the attack?
Use MultiHop Analysis to identify every system that was compromised
What happened during the attack?
RNA provides the following detail on security attacks
- What attacks took place
- Which systems were compromised
- What data was uploaded or downloaded during the attack
- What path the attack took across the network
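How a multi-hop walk answers the questions above, as an added example that is not the product's code: the entry point is found in the VPN authentication log (a success preceded by a run of failures from the same source, which is the event the IPS did not see), then the retained flow records are walked breadth-first from the assigned VPN address, marking each host reached over a remote-control port after its predecessor's compromise time and recording every later outbound flow as a data transfer. The log format, the flow records, the addresses and the set of "lateral" ports are all constructed assumptions for this example; a host marked here is a lead to confirm on the box, not a verdict.

```python
import re
from collections import defaultdict, deque

# Constructed VPN authentication log; the line format is an assumption for this example.
VPN_LOG = """\
2006-03-14T02:10:01 vpn1 auth: user=jsmith src=203.0.113.7 result=FAIL
2006-03-14T02:10:02 vpn1 auth: user=jsmith src=203.0.113.7 result=FAIL
2006-03-14T02:10:03 vpn1 auth: user=jsmith src=203.0.113.7 result=FAIL
2006-03-14T02:10:04 vpn1 auth: user=jsmith src=203.0.113.7 result=FAIL
2006-03-14T02:10:05 vpn1 auth: user=jsmith src=203.0.113.7 result=FAIL
2006-03-14T02:10:09 vpn1 auth: user=jsmith src=203.0.113.7 result=OK assigned=10.8.0.14
2006-03-14T02:11:00 vpn1 auth: user=alice src=198.51.100.9 result=OK assigned=10.8.0.15
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) "
                    r"result=(?P<res>\S+)(?: assigned=(?P<ip>\S+))?$")

# Constructed flow records: (timestamp, src, dst, dst_port, bytes_out, bytes_in).
FLOWS = [
    ("2006-03-14T01:30:00", "10.1.5.20", "10.1.5.40", 3389, 10_000, 20_000),      # before the intrusion
    ("2006-03-14T02:12:30", "10.8.0.14", "10.1.5.20", 445, 1_200_000, 8_000),     # VPN client pushes tools over SMB
    ("2006-03-14T02:14:00", "10.8.0.15", "10.1.5.20", 445, 300_000, 2_000),       # alice, unrelated
    ("2006-03-14T02:15:02", "10.1.5.20", "10.1.5.40", 3389, 50_000, 900_000),     # file server -> workstation via RDP
    ("2006-03-14T02:20:11", "10.1.5.40", "10.1.9.10", 1433, 20_000, 45_000_000),  # workstation pulls from database
    ("2006-03-14T02:25:00", "10.1.5.40", "203.0.113.7", 443, 45_000_000, 4_000),  # and uploads it to the attacker
]

# Ports over which remote-control access is typically obtained; a connection from a
# compromised host to one of these counts as a hop (assumption for this example).
LATERAL_PORTS = {22, 445, 3389, 5900}


def find_brute_forced_logins(log, threshold=5):
    """Successful logins preceded by at least `threshold` failures from the same source."""
    fails = defaultdict(int)
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        key = (m["user"], m["src"])
        if m["res"] == "FAIL":
            fails[key] += 1
        else:
            if fails[key] >= threshold:
                hits.append({"user": m["user"], "src": m["src"], "ip": m["ip"], "ts": m["ts"]})
            fails[key] = 0
    return hits


def trace_hops(flows, start_ip, start_ts):
    """Breadth-first walk of the flow records from the entry host. A host is marked
    compromised when an already compromised host connects to it on a lateral port
    after its own compromise time; every later outbound flow from a compromised host
    is recorded as a transfer (what was uploaded or downloaded)."""
    compromised = {start_ip: start_ts}
    parent = {start_ip: None}
    transfers = []
    queue = deque([start_ip])
    while queue:
        host = queue.popleft()
        for ts, src, dst, dport, out, inb in sorted(flows):
            if src != host or ts < compromised[host]:
                continue
            transfers.append((ts, src, dst, dport, out, inb))
            if dport in LATERAL_PORTS and dst not in compromised:
                compromised[dst] = ts
                parent[dst] = src
                queue.append(dst)
    return compromised, parent, transfers


def path_to(parent, host):
    """Path the attack took from the entry host to `host`."""
    path = []
    while host is not None:
        path.append(host)
        host = parent[host]
    return path[::-1]


def investigate(log=VPN_LOG, flows=FLOWS):
    """Entry point from the auth log, then hops and data movement from the flows."""
    hits = find_brute_forced_logins(log)
    if not hits:
        return None
    entry = hits[0]
    compromised, parent, transfers = trace_hops(flows, entry["ip"], entry["ts"])
    return {"entry": entry,
            "compromised": sorted(compromised),
            "paths": {h: path_to(parent, h) for h in compromised},
            "transfers": transfers}


if __name__ == "__main__":
    r = investigate()
    print("entry:", r["entry"])
    for host, path in r["paths"].items():
        print("compromised:", host, "via", " -> ".join(path))
    for ts, src, dst, dport, out, inb in r["transfers"]:
        print(f"{ts} {src} -> {dst}:{dport} out={out} in={inb}")
```

The compromise-time check is what keeps the walk honest: the file server's RDP session at 01:30 predates the intrusion and is left out, and alice's unrelated SMB traffic never enters the graph because her VPN address is not reached from the entry host. The large outbound flow to the same address the brute force came from is the kind of transfer the slide's "what data was uploaded" question is asking about.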
RNA shows security problems in the context of all network behavior and activity, so you can not only track but resolve the problem