Lancope and Cisco ASA for Advanced Security Context


DESCRIPTION

By collecting and analyzing data from Cisco ASA with Lancope's StealthWatch System, organizations can:

• Increase visibility and security context at the network edge

• Consume and stitch together NAT data to more accurately pinpoint the source of issues such as MPAA/RIAA copyright infringements

• Audit firewall rules through flow analysis

• Achieve better performance and scalability for network and security monitoring

• Save vast amounts of time and money spent correlating data points from various sources

• More confidently demonstrate compliance with regulations such as PCI


Page 1: Lancope and-cisco-asa-for-advanced-security

Lancope and Cisco ASA for Advanced Security Context

Page 2

Agenda

The need for more information and context

– The Cyber Threat Defense

What is NSEL?

How NSEL and StealthWatch work together

Examples

Summary

Page 3

Cyber Threat Defense Solution

[Diagram: Devices at the edge and the Internal Network feeding a single view of Visibility, Context, and Control]

Use NetFlow Data to Extend Visibility to the Access Layer

Unify Into a Single Pane of Glass for Detection, Investigation and Reporting

Enrich Flow Data With Identity, Events and Application to Create Context (WHO, WHAT, WHERE, WHEN, HOW)

Context sources shown:

– Hardware-enabled NetFlow Switch

– Cisco ISE

– Cisco ISR G2 + NBAR

– Cisco ASA + NSEL

Page 4

What is NSEL?

NetFlow Security Event Logging

Provides visualization into policy enforcement points

Created as an efficient event reporting mechanism:

– Syslog (Traditional Firewall event reporting mechanism)

Verbose, text based, single event per packet

~30% processing overhead

– NetFlow

Compact, binary, multiple events per packet

~7-10% processing overhead

Page 5

NSEL Implementation Details

Cisco NSEL slightly deviates from standard NetFlow

– NSEL flow is bidirectional

– NSEL flow is equivalent to an ASA connection

– NSEL events are generated per ASA connection

Event Based

– Records were originally generated based on the 3 connection status events

– In ASA v8.4.5 flow update events are generated on activity timers

– Denied connections also generate NSEL records

NSEL records are issued for the following events

– Flow creation - Issued for every flow that is created

– Flow teardown - Issued for every successfully created flow when it ends

– Flow denial - Issued when a flow is denied by an ACL

Page 6

How NSEL works

Flow Created

[Diagram: Client – Cisco ASA – Server; when the flow is created the Cisco ASA exports an NSEL record to the StealthWatch FlowCollector, which feeds the StealthWatch Management Console]

Page 7

How NSEL works

Flow Tear Down

[Diagram: Client – Cisco ASA – Server; when the flow is torn down the Cisco ASA exports an NSEL record to the StealthWatch FlowCollector, which feeds the StealthWatch Management Console]

Page 8

How NSEL works

Flow Denied

[Diagram: Client – Cisco ASA – Server; when the flow is denied the Cisco ASA exports an NSEL record to the StealthWatch FlowCollector, which feeds the StealthWatch Management Console]

Page 9

Flow Action

StealthWatch defines the NSEL flow event field as a Flow Action

Can provide additional context

– Identity

– Device Type

– Application Data

Page 10

Flow Denied Events

Useful inspection point

Identify suspicious activity

Page 11

Flow Action as part of Concern Index

Concern Index points are accumulated for Flow Denied events

Page 12

NAT Stitching

Pre and Post NAT stitching inside StealthWatch

Decrease investigation time
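The following Python script is an added example, not code from the presentation, Lancope or Cisco. It shows what a collector does with the three NSEL event types from page 5 (pairing flow-created and flow-teardown records into one bidirectional connection), how pre/post NAT stitching lets an abuse notice that names only a public IP:port and a timestamp be resolved to the internal host (page 12), and how denied-flow events can accumulate into a per-host concern score (page 11). The NF_F_FW_EVENT codes are those Cisco documents for NSEL; the record layout, the `conn`/`xsrc`/`xsport` field names and all sample values are constructed for this example, and the 10-point weight per denial is an assumption, not StealthWatch's actual Concern Index algorithm.

```python
"""Added example: processing decoded Cisco ASA NSEL records the way a flow
collector would. All records below are constructed, not real ASA exports."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# NF_F_FW_EVENT codes from Cisco's NSEL documentation.
FW_CREATED, FW_DELETED, FW_DENIED, FW_UPDATE = 1, 2, 3, 5
FLOW_ACTION = {FW_CREATED: "created", FW_DELETED: "teardown",
               FW_DENIED: "denied", FW_UPDATE: "update"}

# Constructed, already template-decoded records. "src/dst" are the pre-NAT
# addresses, "xsrc/xsport" the post-NAT (translated) source the outside sees.
# Denied flows never get a connection id, so "conn" is 0 for them.
SAMPLE_RECORDS: List[dict] = [
    {"event": 1, "conn": 7001, "src": "10.1.1.25", "sport": 52000, "xsrc": "198.51.100.5",
     "xsport": 1025, "dst": "203.0.113.10", "dport": 443, "proto": 6, "ts": 100},
    {"event": 2, "conn": 7001, "src": "10.1.1.25", "sport": 52000, "xsrc": "198.51.100.5",
     "xsport": 1025, "dst": "203.0.113.10", "dport": 443, "proto": 6, "ts": 160, "bytes": 8192},
    {"event": 1, "conn": 7002, "src": "10.1.1.40", "sport": 40001, "xsrc": "198.51.100.5",
     "xsport": 1026, "dst": "203.0.113.10", "dport": 443, "proto": 6, "ts": 120},
    {"event": 3, "conn": 0, "src": "10.1.1.40", "sport": 40002, "xsrc": None, "xsport": None,
     "dst": "203.0.113.77", "dport": 23, "proto": 6, "ts": 121, "acl": "INSIDE_OUT"},
    {"event": 3, "conn": 0, "src": "10.1.1.40", "sport": 40003, "xsrc": None, "xsport": None,
     "dst": "203.0.113.78", "dport": 23, "proto": 6, "ts": 122, "acl": "INSIDE_OUT"},
    {"event": 3, "conn": 0, "src": "10.1.1.25", "sport": 52001, "xsrc": None, "xsport": None,
     "dst": "203.0.113.10", "dport": 445, "proto": 6, "ts": 123, "acl": "INSIDE_OUT"},
]


@dataclass
class Connection:
    """One bidirectional ASA connection, built from its create/teardown pair."""
    conn: int
    inside: str            # pre-NAT source: the internal host
    inside_port: int
    outside: str           # post-NAT source: what the Internet sees
    outside_port: int
    peer: str
    peer_port: int
    start: int
    end: Optional[int] = None   # None while the connection is still open
    bytes: int = 0


def build_connections(records: List[dict]) -> Dict[int, Connection]:
    """Pair flow-created with flow-update/flow-teardown records by connection id.
    Denied flows are excluded: they never became an ASA connection."""
    conns: Dict[int, Connection] = {}
    for r in records:
        if r["event"] == FW_CREATED:
            conns[r["conn"]] = Connection(r["conn"], r["src"], r["sport"], r["xsrc"],
                                          r["xsport"], r["dst"], r["dport"], r["ts"])
        elif r["event"] in (FW_DELETED, FW_UPDATE) and r["conn"] in conns:
            c = conns[r["conn"]]
            c.bytes = r.get("bytes", c.bytes)
            if r["event"] == FW_DELETED:
                c.end = r["ts"]
    return conns


def who_was_behind(conns: Dict[int, Connection], public_ip: str,
                   public_port: int, at_ts: int) -> Optional[str]:
    """NAT stitching for an abuse notice: map the public IP:port seen at time
    at_ts back to the internal host that held that translation."""
    for c in conns.values():
        active_until = c.end if c.end is not None else float("inf")
        if (c.outside, c.outside_port) == (public_ip, public_port) and c.start <= at_ts <= active_until:
            return c.inside
    return None


def denied_flows(records: List[dict]) -> List[dict]:
    """Flow-denied records: the inspection point page 10 points at."""
    return [r for r in records if r["event"] == FW_DENIED]


def concern_points(records: List[dict], points_per_denial: int = 10) -> Dict[str, int]:
    """Accumulate a simple concern score per internal host from denied flows.
    The weight per event is an assumption for this example."""
    score: Dict[str, int] = defaultdict(int)
    for r in denied_flows(records):
        score[r["src"]] += points_per_denial
    return dict(score)


if __name__ == "__main__":
    conns = build_connections(SAMPLE_RECORDS)
    for c in conns.values():
        state = "open" if c.end is None else f"closed at {c.end}, {c.bytes} bytes"
        print(f"conn {c.conn}: {c.inside}:{c.inside_port} -> NAT {c.outside}:{c.outside_port}"
              f" -> {c.peer}:{c.peer_port} ({state})")
    print("198.51.100.5:1025 at t=150 was", who_was_behind(conns, "198.51.100.5", 1025, 150))
    for r in denied_flows(SAMPLE_RECORDS):
        print(f"denied by {r['acl']}: {r['src']} -> {r['dst']}:{r['dport']} ({FLOW_ACTION[r['event']]})")
    print("concern points:", concern_points(SAMPLE_RECORDS))
```

In the sample data the same public address and port are reused by different internal hosts over time, which is why the lookup keys on the teardown timestamp as well as the translated tuple: without the teardown record a port could be attributed to the wrong host.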

Page 13

Examples

RIAA notices

PCI Compliance

Firewall rule auditing

Tracking down outbound attacks

Better scalability and performance

Page 14

Summary

Provides Flow and Event Visibility and Context

Reports details of a flow and associated events

Provides Threat Visibility and Context

Single pane of glass that unifies threat detection, visibility, forensics analysis, and reporting

[Diagram: Cisco ASA + NSEL exporting to the StealthWatch FlowCollector and StealthWatch Management Console]

Page 15

Thank you!!

Page 16

Get Engaged with Lancope

Follow us at @Lancope and @NetFlowNinjas

Subscribe to Lancope updates at http://feeds.feedburner.com/NetflowNinjas

Attend complimentary NetFlow 101 Seminars

http://www.lancope.com/news-events/university-of-netflow/

Join NetFlow Ninjas http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about

Access StealthLabs Intelligence Center (SLIC) Reports

http://lancope.com/SLIC

Download “NetFlow Security Monitoring for Dummies”

http://www.lancope.com/netflow-for-dummies/

© 2012 Lancope, Inc. All rights reserved.

Please email [email protected] or