Maximize Network Visibility with NetFlow Technology
Adam Powers, Chief Technology Officer
Lancope
Agenda
What is NetFlow
• Introduction to NetFlow
• NetFlow Examples
NetFlow in Action
• Network Operations Use Case
• Security Operations Use Case
• PCI Compliance and Auditing Use Case
A Glimpse into the Power of NetFlow
• 10+ G Ethernet Environments
• Virtual Environments
• MPLS and Multi-point VPNs
What is NetFlow?
NetFlow Fields
src and dst IP
src and dst port
start time
end time
packet count
byte count
...
[Diagram labels: Internet; NetFlow Packets; StealthWatch Flow Collector]
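The fields listed above are what a collector decodes from each exported flow record. As an added example (not from the deck or from Lancope's product), here is a parser for the NetFlow v5 export format, exercised on a constructed two-flow datagram; the length check matters because a collector must trust the datagram length, not the advertised record count.

```python
import struct
from ipaddress import IPv4Address
# NetFlow v5 datagram (network byte order): 24-byte header, then up to 30 fixed 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")               # version .. sampling_interval
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # srcaddr .. pad2

def parse_netflow_v5(datagram):
    """Return (header dict, list of flow dicts) for one NetFlow v5 datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, uptime_ms, unix_secs, unix_nsecs,
     flow_seq, _engine_type, _engine_id, sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version field = %d)" % version)
    if len(datagram) < HEADER.size + count * RECORD.size:
        # Trust the buffer length, not the advertised count: a truncated or
        # malformed datagram must never make the collector read past the buffer.
        raise ValueError("header advertises %d records but datagram is short" % count)
    # first/last are exporter uptimes in ms; anchor them to wall-clock time.
    boot_epoch = unix_secs + unix_nsecs / 1e9 - uptime_ms / 1000
    header = {"count": count, "flow_sequence": flow_seq,
              "sampling_interval": sampling & 0x3FFF}
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src_ip": str(IPv4Address(f[0])), "dst_ip": str(IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "start_time": boot_epoch + f[7] / 1000, "end_time": boot_epoch + f[8] / 1000,
            "src_port": f[9], "dst_port": f[10], "tcp_flags": f[12], "protocol": f[13],
        })
    return header, flows

def build_sample_datagram():
    """Constructed two-flow datagram for offline testing (not a real capture)."""
    hdr = HEADER.pack(5, 2, 600_000, 1_700_000_000, 0, 42, 0, 0, 0)
    def rec(src, dst, pkts, octets, first, last, sport, dport, flags, proto):
        return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                           1, 2, pkts, octets, first, last, sport, dport,
                           0, flags, proto, 0, 0, 0, 24, 24, 0)
    https = rec("10.1.1.5", "203.0.113.7", 12, 9000, 500_000, 590_000, 51234, 443, 0x1B, 6)
    dns = rec("10.1.1.9", "10.1.1.1", 1, 76, 599_000, 599_000, 48000, 53, 0, 17)
    return hdr + https + dns

if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(build_sample_datagram())
    for fl in flows:
        print("%(src_ip)s:%(src_port)d -> %(dst_ip)s:%(dst_port)d "
              "proto=%(protocol)d pkts=%(packets)d bytes=%(bytes)d" % fl)
```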
NetFlow vs. Traditional SNMP Monitoring
Traditional SNMP
NetFlow Reporting
Flow-based Visibility and Drill-down
NetFlow for the Network Team
[Diagram: NetFlow packets (flow1, flow2, ...) feed the StealthWatch Flow Collector]
Network Team
• Interface utilization
• Billing and chargeback
• QOS monitoring
• BGP ASN monitoring
• MPLS visibility
• Application troubleshooting
Security Team
• File sharing
• Malware outbreak detection
• Network acceptable use
• Flow forensics
• Data loss prevention
Compliance and Auditing
• PCI Compliance
• HIPAA Compliance
• SCADA Security
• Sarbanes-Oxley
NetFlow in Action : Network Operations
Oldcastle APG
Leading North American manufacturer of concrete masonry, lawn, garden and paving products and a regional leader in clay brick
• 206 operating locations
• 7000+ employees
Problem
• No way to visualize who or what was causing network slowdowns
• Internal IT staff using multiple tools in attempts to troubleshoot incidents
Solution
Combining Cisco NetFlow and Lancope’s StealthWatch System for visibility into the ‘who, what, when and where’ of network traffic
Business Results
• Determine the root cause of network slowdowns in real time
• Detect bandwidth and network user violations and tie user identity to rogue activity
• Unified view of network and security operations
• All regional network managers, helpdesk and network/security engineers at Oldcastle APG use StealthWatch to pinpoint the traffic and users associated with network and security issues and expedite problem resolution
• Gains detailed network performance analysis for capacity planning, helping Oldcastle APG forecast bandwidth upgrades
• Also helps quickly discover and defuse virus infections
NetFlow in Action : Network Operations
Tony Jaroszewski, Network/Security Engineer for OldCastle APG
“StealthWatch enables our support team to make strategic decisions about network and security management based on a unified view of network, security and user information across the enterprise. Not only does it provide network performance monitoring to ensure our applications run optimally, StealthWatch also identifies internal and external threats through behavior-based algorithms.”
NetFlow Compliance and Auditing
NetFlow facilitates compliance with PCI DSS Requirements:
• Verifies actual network communications (1.1.2)
• Monitors services and ports in use (1.1.5)
• Determines when accounts are active and what they did during this activity (8.5.6)
• Audits access to anything on the network and ties activity to an individual user, including administrative accounts (10.1)
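To make the security-team uses listed earlier (malware outbreak detection, data loss prevention) and the PCI mapping above concrete, here is an added example, not from the deck or from StealthWatch, that runs three flow-based checks over constructed flow records: a services-and-ports inventory (1.1.5), worm-style scan detection by peer fan-out, and a bulk outbound-transfer check. The 10.0.0.0/8 internal range and the thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed address space of the monitored site

# Constructed flow records, not a real capture: (src_ip, dst_ip, dst_port, proto, bytes, packets)
FLOWS = [
    ("10.1.1.5", "10.1.2.10", 443, 6, 4000, 20),
    ("10.1.1.6", "10.1.2.10", 443, 6, 3500, 18),
    ("10.1.1.5", "10.1.2.11", 3306, 6, 9000, 40),
    ("10.1.1.9", "10.1.2.10", 22, 6, 1200, 9),
    # one host touching SMB on dozens of peers with single-packet flows: worm-style scanning
    *[("10.1.1.77", "10.1.2.%d" % i, 445, 6, 60, 1) for i in range(1, 60)],
    # one workstation pushing a large volume to an external address
    ("10.1.1.9", "198.51.100.23", 443, 6, 850_000_000, 600_000),
]

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def service_inventory(flows):
    """PCI DSS 1.1.5 support: internal (server, port, proto) -> number of distinct clients.
    Counts connection attempts; pair with the reverse flow to confirm the service answered."""
    clients = defaultdict(set)
    for src, dst, dport, proto, _b, _p in flows:
        if is_internal(dst):
            clients[(dst, dport, proto)].add(src)
    return {svc: len(c) for svc, c in clients.items()}

def scan_sources(flows, min_peers=20, max_packets=2):
    """Hosts that hit >= min_peers distinct peers on one port with tiny flows (worm/scan cue)."""
    peers = defaultdict(set)
    for src, dst, dport, _proto, _b, pkts in flows:
        if pkts <= max_packets:
            peers[(src, dport)].add(dst)
    return {src for (src, _port), d in peers.items() if len(d) >= min_peers}

def outbound_outliers(flows, byte_limit):
    """Internal hosts whose bytes sent to external addresses exceed byte_limit (DLP cue)."""
    sent = defaultdict(int)
    for src, dst, _port, _proto, nbytes, _p in flows:
        if is_internal(src) and not is_internal(dst):
            sent[src] += nbytes
    return {host: total for host, total in sent.items() if total > byte_limit}

if __name__ == "__main__":
    print("services:", service_inventory(FLOWS))
    print("scanners:", scan_sources(FLOWS))
    print("bulk senders:", outbound_outliers(FLOWS, byte_limit=100_000_000))
```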
NetFlow in Action : PCI Compliance
AirTran Airways
• Fortune 1000 company
• Geographically dispersed network across the continental US
Problem
• Required improved security and network management across the enterprise in accordance with Payment Card Industry (PCI) requirements
• Wanted greater network visibility and behavioral intrusion detection
• Ability to monitor a geographically dispersed network
Solution
StealthWatch identifies who does what when, and provides data to enforce accountability
Business Result
Immediately upon deployment, StealthWatch provided continuous network monitoring to help AirTran demonstrate network-wide PCI by:
• supplying real-time visibility and awareness of network and host-based behaviors,
• increasing accountability for introducing network security risks as well as jeopardizing network availability, and
• tracking, measuring and prioritizing network and host-based risk.
• Quickly identify and resolve issues related to network behavior or malicious events
• Monitors WAN activity and performance
NetFlow in Action: PCI Compliance
Michelle Stewart, Manager of Data Security, AirTran Airways
“StealthWatch performed so well during our evaluation that we did not pursue trials with any other NBA products. During testing, StealthWatch demonstrated the ability to detect unauthorized remote access, worm activity and root cause analysis of increases in WAN activity. All of these functions have aided our efforts to demonstrate compliance with the PCI Data Security Standard.”
NetFlow for the Security Team
NetFlow in Action : Security Operations
Aurora HealthCare Network Overview
• Largest private employer in Wisconsin – over 27,000 employees
• 14 Hospitals
• Over 150 Clinics
• 200+ Pharmacies
Challenge
• Monitor a widely dispersed network without deploying administratively problematic and financially burdensome individual sensors throughout the network
• Needed complete visibility of the network – from the internal network to the clinics at the edge
• Monitor for zero-day attacks, viruses, Trojans, etc.
• Support for HIPAA Compliance
Solution
Combining NetFlow & StealthWatch System
Business Results
• 100% visibility from core to network edge
• Reduced time and resources allocated to network security issues
• Streamlined the remediation process and reduced incident investigation time by more than half
• HIPAA auditing support
NetFlow in Action : Security Operations
Dan Lukas, Lead Security Architect, Aurora HealthCare
“[I can] easily drill down into a clinic’s network activity; address bandwidth issues; identify and remediate misconfigured devices; delve into switch levels to pinpoint and mitigate threats. With its ability to locate distributed sniffers, StealthWatch eliminates the need to purchase troubleshooting hardware for significant cost-savings.”
Visibility Lost Due to Emerging Tech
Emerging network technologies are outpacing traditional network monitoring techniques such as SNMP and SPAN/tap-based technology...
• “Virtualization hides whole network segments from the network manager’s view, making VM2VM communication problems difficult to troubleshoot”
• “MPLS and multi-point VPNs create a meshed WAN that’s expensive to monitor adequately”
• “10G Ethernet is so fast few probe technologies can keep up and those that can are too expensive”
These issues result in an inability to react to network problems because of a basic lack of visibility.
10G+ Ethernet
“10G Ethernet is so fast few probe technologies can keep up and those that can are too expensive”
[Diagram: traditional Ethernet sensor – where to plug in?]
NetFlow in a 10G+ Ethernet Environment
“10G Ethernet is so fast few probe technologies can keep up and those that can are extremely expensive”
[Diagram label: StealthWatch Flow Collector]
Virtualization
“Virtualization hides whole network segments from the network manager’s view, making VM2VM communication problems difficult to troubleshoot”
[Diagram labels: VM1, VM2, VM3; virtual switches; virtual machines; physical machine; physical network; traditional Ethernet probe; VM2VM]
NetFlow in the Virtual Environment
[Diagram labels: VM Server; virtual machines; virtual switches; VM2VM; NetFlow; StealthWatch Flow Collector]
*** Cisco Nexus 1000v also supports NetFlow ***
MPLS and Multi-point VPNs
“MPLS and multi-point VPNs create a meshed WAN that’s expensive to monitor adequately”
[Diagram label: traditional Ethernet sensor]
MPLS and Multi-point VPNs
Fully meshed connectivity circumvents network monitoring deployed at the “hub” location…
MPLS and Multi-point VPNs
Full visibility requires a probe at each location throughout the WAN…
NetFlow Collection in the WAN
Deploy a StealthWatch NetFlow collector at a central location and enable NetFlow at each remote site…
[Diagram labels: NetFlow Packet; NetFlow Packet; StealthWatch Flow Collector]
Quick Recap: Network Operations
• Fully integrated view of network usage, performance, host integrity and user behavior
• Diagnose network congestion and provide root cause analysis of the problem causing response time delays
• Visibility and metrics for WAN optimization
• Real-time and historical data to facilitate network performance monitoring, capacity planning and resource management
• Monitor Quality of Service on a per-hop basis throughout the network
Quick Recap: Security Operations
• Quickly pinpoint zero-day and unknown threats that bypass perimeter security
• Identify policy violations, unauthorized activity/applications, misconfigured hosts, and other rogue devices
• Faster incident resolution and detailed forensic data
• Detection of DoS/DDoS attacks, worms, viruses and botnets
• Track and audit network behavior and access by individual hosts
Quick Recap: PCI Compliance and Auditing
NetFlow solutions supply organizations with the means to:
• Continuously but passively monitor host behaviors, looking for deviations from normal processes
• Tie individual users to internal network performance problems
• Tie individual users to the introduction of security risks inside the internal network
• Implement appropriate network controls and policies
• Provide for internal audit and risk assessment
Thank You
Adam Powers, Chief Technology Officer
Lancope