Ray Jones, Director of Solutions Architecture and Field Enablement: Security Monitoring In Your Network. Strategies to Safeguard Your Network Using NetScout's 3900 Series Packet Flow Switch

Upload: brian-pitts

Post on 19-Dec-2015

TRANSCRIPT

  • Slide 1
  • Ray Jones, Director of Solutions Architecture and Field Enablement. Security Monitoring In Your Network: Strategies to Safeguard Your Network Using NetScout's 3900 Series Packet Flow Switch
  • Slide 2
  • A BAD YEAR for Cyber Security (sectors hit: Entertainment, Govt & Health Care, Platform, Retail, Financial)
  • Slide 3
  • Cyber Security Monitoring: Two Challenges. 1. Obscurity: the adversary often intentionally evades detection. 2. Transience: the sequence of events may be difficult to reproduce.
  • Slide 4
  • What you'll learn today. AGENDA: 3900 SERIES PACKET FLOW SWITCH INTRODUCTION (extend visibility & take control of your monitoring environment); DYNAMIC TARGETING (expedite & automate incident response); FILTERING TOOLS (optimize security monitoring tool performance)
  • Slide 5
  • 3900 SERIES PACKET FLOW SWITCH INTRODUCTION: Scalable, flexible, feature rich.
  • Slide 6
  • nGenius 3900 Series Packet Flow Switch
    3901 Chassis: 1RU modular switch; small single-site or multi-site deployments needing 16 to 48 ports; up to 48 ports 1/10 GbE + 4 ports 40 GbE*
    3903 Chassis: 3RU modular switch; medium to large single-site or multi-site deployments needing >48 ports; up to 144 ports 1/10 GbE + 12 ports 40 GbE*
    Centralized Management: pay-as-you-grow modules & chassis; supports >4000 ports with PFS Management Software; large site deployments needing >144 ports
    * 100G Early Field Trial Available
  • Slide 7
  • nGenius 3900 Series Packet Flow Switch
    Built-in GUI Management or PFS Management System
    1U and 3U base chassis options
    Modular + stackable monitoring fabric growth
    1/10/40 Gbps native per blade; 100G Early Field Trial available
    Full line rate, all-inclusive blade-based features
    Redundant Ethernet management ports
    Redundant AC/DC power supplies
    Redundant switch controllers (reside on each blade; automatic failover)
    Interface blade: FlexPorts supporting 1/10/40G; up to 48 x 1/10G per RU; up to 4 x 40G per RU
    Serial console port
  • Slide 8
  • nGenius 3900 Series Packet Flow Switch (diagram: blades labelled "16x 1G/10G" and "4x 40G or 16x 1G/10G"; Console). Full-duplex 720 Gbps line-rate processing; advanced switching engine with extensible microcode
  • Slide 9
  • nGenius 3900 Series Packet Flow Switch (diagram: Network, Site A, Site B)
  • Slide 10
  • DYNAMIC TARGETING: Ensuring rapid, reliable incident response.
  • Slide 11
  • Dynamic Targeting: Problem & Requirement. Problem: security events may require reactive changes to the monitoring fabric. Requirement: implement dynamic, automated changes via a secure management channel.
  • Slides 12 to 17 (progressive build of one diagram: Network TAPs at Site A and Site B feed the PFS, which feeds Continuous Monitoring and Escalation Analysis)
  • Use Case: Targeted packet capture for suspect flows
    1. Traffic flows through TAPs to Sites A & B
    2. PFS steers traffic from TAPs to Monitoring tools
    3. Monitoring tool detects suspicious activity
    4. a) Script configures packet flow switch to target IP address; b) Script activates Escalation Analysis tool
    5. PFS sends targeted traffic to Escalation Analysis tool
  • Slide 18
  • Scripting for Dynamic Targeting: nGeniusONE provides optimized management for monitoring tools
  • Slide 19
  • Scripting for Dynamic Targeting: nGeniusONE provides optimized management for monitoring tools; PFS Manager manages the PFS
  • Slide 20
  • Scripting for Dynamic Targeting: SSH from the client to the PFS (or PFS Manager) and to the monitoring tools; see the nGenius PFS Management Software Administrator Guide (diagram: SSH Client, SSH, PFS Manager)
  • Slide 21
  • Sample PFS SSH/CLI Script (slide 21). Uses paramiko plus the paramiko-expect helper (pip install paramiko paramiko-expect):

```python
import paramiko
from paramiko_expect import SSHClientInteraction


def main():
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    # AutoAddPolicy trusts any unknown host key on first contact; for the "secure
    # management channel" of slide 11, pin the PFS key and use paramiko.RejectPolicy().
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    prompt = '=> '
    hostname = '10.88.39.192'    # Replace with actual IP address of PFS or PFS Mgmt Server
    username = 'administrator'   # Replace if you need to use a different user; normally "administrator" is correct
    password = 'netscout1'       # Replace with actual password (read it from a secret store rather than the script)
    client.connect(hostname, 22022, username, password)   # Presumes that PFS CLI SSH uses default port 22022
    try:
        interact = SSHClientInteraction(client, timeout=10, display=True)
        interact.expect(prompt)
        # input('Press Enter to continue')
        interact.send("Add Rule 'Dynamic Target' 'permit ip && ip.addr==192.168.0.171'")
        interact.expect(prompt)
        cmd_output = interact.current_output_clean   # CLI response to the Add Rule command
        return cmd_output
    finally:
        client.close()


if __name__ == '__main__':
    main()
```
  • Slide 22
  • What should the system do?
    Upon trigger detection:
    1. Create Rule(s) based upon the trigger, e.g., IP address
    2. Create Filter(s) and assign Rule(s) to them
    3. Connect Source Port(s) via Filter(s) to Destination Port(s)
    4. Prepare Escalation Analysis platform
    Following All Clear:
    5. Restore original configuration
  • Slide 23
  • Components of Dynamic Targeting
    1. Preparation: define/configure interfaces to PFS and tools
    2. Identification: establish triggers for response
    3. Response: initiate changes to monitoring infrastructure
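The five steps of slide 22 and the Preparation/Identification/Response split of slide 23, carried through as an added example (not NetScout code and not from the deck). The orchestration keeps a per-target journal so the All Clear restore is the exact inverse of what was applied, refuses the same alert twice, and validates the trigger value before it is interpolated into a CLI string, since that value came off the wire from the suspect host. Only the "Add Rule ..." string is the CLI syntax shown on slide 21; every other command template, the filter and port names, and the DryRunTransport are assumed placeholders to be replaced from the PFS Administrator Guide and the real SSH session.

```python
"""Dynamic targeting orchestration: trigger -> escalate -> all clear.
Added example, not NetScout code. Only ADD_RULE is the syntax from slide 21;
the other command templates below are assumed placeholders."""
import ipaddress

RULE_NAME = "Dynamic Target"

ADD_RULE = "Add Rule '{rule}' 'permit ip && ip.addr=={ip}'"   # from slide 21
ADD_FILTER = "Add Filter '{flt}' '{rule}'"                   # assumed
CONNECT = "Connect '{src}' '{flt}' '{dst}'"                    # assumed
DISCONNECT = "Disconnect '{src}' '{flt}' '{dst}'"              # assumed
DELETE_FILTER = "Delete Filter '{flt}'"                        # assumed
DELETE_RULE = "Delete Rule '{rule}'"                           # assumed


def validate_target(ip_text):
    """Canonical host address or ValueError. The trigger value came from a
    detection tool and before that from attacker-crafted packets, so it is
    parsed as an address, never quoted into the CLI string as-is: a stray
    quote or '&&' would otherwise become rule syntax."""
    addr = ipaddress.ip_address(str(ip_text).strip())
    if addr.is_multicast or addr.is_unspecified or addr.is_loopback:
        raise ValueError("refusing to target %s" % addr)
    return str(addr)


def is_valid_target(ip_text):
    try:
        validate_target(ip_text)
        return True
    except ValueError:
        return False


def build_rule(ip_text):
    """The exact command from slide 21 for a validated target."""
    return ADD_RULE.format(rule=RULE_NAME, ip=validate_target(ip_text))


class DryRunTransport:
    """Records commands instead of sending them; a real transport would wrap
    the paramiko session of slide 21 behind the same send() method."""
    def __init__(self):
        self.sent = []

    def send(self, cmd):
        self.sent.append(cmd)


class DynamicTargeting:
    """Per-target journal of undo commands so the All Clear restore is the
    exact inverse of what was applied, even with several targets active.
    Rule and filter names carry the target address (assumed naming) so that
    two concurrent targets cannot collide."""
    def __init__(self, transport, src_ports, dst_port):
        self.t = transport
        self.src_ports = list(src_ports)     # TAP-facing ports (constructed names)
        self.dst_port = dst_port             # port to the Escalation Analysis tool
        self.active = {}                     # target ip -> undo commands, in order

    def escalate(self, trigger_ip, prepare_tool=lambda ip: None):
        """Steps 1-4 of slide 22; returns the commands sent."""
        ip = validate_target(trigger_ip)
        if ip in self.active:       # the same alert firing twice must not stack changes
            return []
        rule, flt = "%s %s" % (RULE_NAME, ip), "%s %s Filter" % (RULE_NAME, ip)
        do = [ADD_RULE.format(rule=rule, ip=ip), ADD_FILTER.format(flt=flt, rule=rule)]
        undo = [DELETE_FILTER.format(flt=flt), DELETE_RULE.format(rule=rule)]
        for src in self.src_ports:
            do.append(CONNECT.format(src=src, flt=flt, dst=self.dst_port))
            undo.insert(0, DISCONNECT.format(src=src, flt=flt, dst=self.dst_port))
        for cmd in do:
            self.t.send(cmd)
        self.active[ip] = undo
        prepare_tool(ip)            # step 4b: arm the Escalation Analysis tool
        return do

    def all_clear(self, trigger_ip):
        """Step 5: restore the original configuration for this target."""
        undo = self.active.pop(validate_target(trigger_ip), [])
        for cmd in undo:
            self.t.send(cmd)
        return undo
```

Disconnects are replayed before the filter and rule are deleted, which is the reverse of the order in which they were created; a restore that deletes the rule first would leave a filter referencing a missing rule on a PFS that enforces that dependency.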
  • Slide 24
  • FILTERING TOOLS: Everything you need, and nothing you don't.
  • Slide 25
  • Filtering: Problem & Requirement. Problem: cyber security tools may become congested by high traffic volumes. Requirement: filter for the traffic of interest, and expect to change the filters later. (diagram: Total Network Activity contains Traffic of Interest, which contains the Threat)
  • Slide 26
  • Use Case: Limit traffic to necessary content (diagram: CyberSecurity Monitoring tool alerting on Network Link Utilization and Packet Rate)
  • Slide 27
  • Filtering Techniques
    Criteria:
      Layer 2: MAC, VLAN ID & Priority, Ethertype
      Layer 3: IP address, Payload type
      Layer 4: TCP/UDP Port, Protocol
      DPI: Custom Mask & Offset
    Dimension:
      Direction: Side A v. Side B, Source v. Destination
      Criteria: Permit v. Deny per Criterion
      Range: Efficient Address Masking
      Types: Connection v. Destination
  • Slide 28
  • Filtering Structure. Building Blocks: Criteria, Rules, Filter, Topology
  • Slide 29
  • Flexible Filtering: Connection v. Destination (diagram: Filter at Destination v. Filter on Connection)
  • Slide 30
  • Dynamic Targeting: On-demand Filter creation. Both Connection and Destination Filters work for Dynamic Targeting. Filtering occurs in hardware at line rate. Filter changes are non-disruptive, except inserting a Connection Filter into an existing Connection. (diagram: Network TAPs at Site A and Site B feed the PFS, which feeds Continuous Monitoring and Escalation Analysis)
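The filtering building blocks of slides 27 to 30 (criteria at L2/L3/L4 and DPI mask-and-offset, permit v. deny per rule, address masking for ranges, and the Connection v. Destination filter types) modelled in software, as an added example that is not NetScout code. The rule shape follows the deck's "permit ip && ip.addr==192.168.0.171" string; the Python API, port names, VLAN 999 for a "backup" VLAN and the sample packets are constructed for the example. The build() function wires the use-case topology both ways so the difference is visible: a Destination Filter on the escalation tool applies to every link feeding it, while a Connection Filter scopes the same rule to one TAP's link.

```python
"""Filter building blocks: criteria -> rules -> filter -> topology.
Added example, not NetScout code; API and sample data are constructed."""
import ipaddress


def ip_addr(cidr, side="any"):
    """L3 criterion; a CIDR prefix is the 'efficient address masking' range."""
    net = ipaddress.ip_network(cidr, strict=False)
    sides = ("src", "dst") if side == "any" else (side,)
    return lambda p: any(ipaddress.ip_address(p[s + "_ip"]) in net for s in sides)


def vlan(vid):                      # L2 criterion
    return lambda p: p.get("vlan") == vid


def l4_port(port, side="any"):      # L4 criterion, directional
    sides = ("src", "dst") if side == "any" else (side,)
    return lambda p: any(p.get(s + "_port") == port for s in sides)


def proto(name):                    # L3 payload type / L4 protocol
    return lambda p: p["proto"] == name


def mask_offset(offset, mask, value):
    """DPI criterion: compare payload bytes at an offset under a mask."""
    def pred(p):
        chunk = p["payload"][offset:offset + len(mask)]
        return len(chunk) == len(mask) and bytes(a & b for a, b in zip(chunk, mask)) == value
    return pred


class Filter:
    """Ordered rules; each rule is (action, [criteria]) and matches when every
    criterion matches. First matching rule wins; no match means deny."""
    def __init__(self, rules):
        self.rules = rules

    def allows(self, p):
        for action, criteria in self.rules:
            if all(c(p) for c in criteria):
                return action == "permit"
        return False


class PacketFlowSwitch:
    """Connections are (source, destination) links, each with an optional
    Connection Filter; a Destination Filter applies to every link into a tool."""
    def __init__(self):
        self.links = {}     # (src_port, dst_port) -> Filter or None
        self.dest = {}      # dst_port -> Filter

    def connect(self, src, dst, connection_filter=None):
        self.links[(src, dst)] = connection_filter

    def filter_destination(self, dst, flt):
        self.dest[dst] = flt

    def forward(self, src_port, p):
        """Return the set of destination ports that receive packet p."""
        out = set()
        for (s, d), cf in self.links.items():
            if s != src_port or (cf is not None and not cf.allows(p)):
                continue
            if d in self.dest and not self.dest[d].allows(p):
                continue
            out.add(d)
        return out


def pkt(src_ip, dst_ip, dport, vid=10, payload=b""):
    """Constructed sample packet (not captured traffic)."""
    return {"vlan": vid, "src_ip": src_ip, "dst_ip": dst_ip, "proto": "tcp",
            "src_port": 40000, "dst_port": dport, "payload": payload}


TARGET = [("permit", [ip_addr("192.168.0.171/32")])]   # the deck's Dynamic Target rule


def build(connection_mode):
    """Two TAP ports feed Continuous Monitoring and Escalation Analysis.
    connection_mode=False: one Destination Filter on the escalation tool.
    connection_mode=True:  a Connection Filter on the Site A link only."""
    pfs = PacketFlowSwitch()
    # Monitoring tool gets everything except the (constructed) backup VLAN 999
    pfs.filter_destination("monitor", Filter([("deny", [vlan(999)]), ("permit", [])]))
    for tap in ("tap-a", "tap-b"):
        pfs.connect(tap, "monitor")
    if connection_mode:
        pfs.connect("tap-a", "escalate", Filter(TARGET))
    else:
        pfs.connect("tap-a", "escalate")
        pfs.connect("tap-b", "escalate")
        pfs.filter_destination("escalate", Filter(TARGET))
    return pfs
```

A deny rule placed before a permit-all rule is how "permit v. deny per criterion" keeps noise such as a backup VLAN off a congested tool; the same first-match evaluation is what makes the order of rules inside a filter matter when rules are added on demand.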
  • Slide 31
  • Traffic Conditioning: Problem & Requirement. Problem: a cyber monitoring tool may be unable to parse some packet headers, rendering payload analysis impossible. Requirement: condition the traffic within the monitoring switch.
  • Slide 32
  • DPI Challenges for Legacy Cyber Tools (columns: Technology | InfiniStream | Legacy Cyber Monitoring Tools | Mitigation)
    Cisco VN-Tag, Cisco FabricPath | Parses header, analyzes content | Possibly confused by header, cannot parse traffic (!) | PFS strips VN-Tag; PFS strips FabricPath
    Duplicate packets | Ignores duplicates | May report false errors (!) | PFS dedups at L2 & L3
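Two of the three conditioning steps from the table above, done in software so the effect on a legacy tool is visible: stripping a VN-Tag so the frame parses as plain Ethernet/IPv4 again, and deduplicating at L3 so that copies of one packet seen at two TAPs along a path (differing only in TTL and header checksum, and possibly in the fabric tag) do not reach the tool twice and trigger false retransmission or error reports. This is an added example, not NetScout code; the PFS does this in hardware. It assumes the VN-Tag layout of TPID 0x8926 followed by four tag bytes after the MAC addresses; FabricPath stripping is not shown; the sample frames are constructed, not captured.

```python
"""Traffic conditioning in software: VN-Tag strip and L2/L3 dedup.
Added example, not NetScout code. Assumed VN-Tag layout: 0x8926 + 4 tag bytes
inserted after the MAC addresses. Sample frames are constructed."""
import collections
import hashlib
import ipaddress
import struct

ETH_VNTAG, ETH_8021Q, ETH_IPV4 = 0x8926, 0x8100, 0x0800


def strip_vntag(frame):
    """Remove the 6-byte VN-Tag so a tool that only understands 0x8100/0x0800
    sees a plain Ethernet frame; other frames pass through unchanged."""
    if len(frame) >= 20 and struct.unpack("!H", frame[12:14])[0] == ETH_VNTAG:
        return frame[:12] + frame[18:]
    return frame


def _l3(frame):
    """Return (ethertype, offset of the L3 header), skipping one 802.1Q tag."""
    if len(frame) < 14:
        return None, 14
    et = struct.unpack("!H", frame[12:14])[0]
    if et == ETH_8021Q and len(frame) >= 18:
        return struct.unpack("!H", frame[16:18])[0], 18
    return et, 14


def dedup_key(frame):
    """L3 key: IPv4 header and payload with TTL and header checksum zeroed
    (both change per hop, so one packet tapped at two points still collides).
    Non-IPv4 frames fall back to an L2 key over the whole frame."""
    et, off = _l3(frame)
    if et != ETH_IPV4 or len(frame) < off + 20:
        return hashlib.sha256(frame).digest()
    ip = bytearray(frame[off:])
    ip[8] = 0                      # TTL
    ip[10:12] = b"\x00\x00"        # header checksum
    return hashlib.sha256(bytes(ip)).digest()


class Deduplicator:
    """Sliding window of recently seen keys; a repeat outside the window is a
    legitimately re-sent packet, not a TAP artefact, and is kept."""
    def __init__(self, window=4096):
        self.seen = collections.OrderedDict()
        self.window = window

    def accept(self, frame):
        k = dedup_key(frame)
        if k in self.seen:
            return False
        self.seen[k] = None
        if len(self.seen) > self.window:
            self.seen.popitem(last=False)
        return True


def condition(frames, window=4096):
    """Apply both steps; returns the frames a legacy tool would receive."""
    dedup = Deduplicator(window)
    return [f for f in (strip_vntag(x) for x in frames) if dedup.accept(f)]


def _csum(data):
    """RFC 1071 one's-complement checksum for the constructed IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_frame(src, dst, ttl, payload, vntag=False):
    """Constructed sample: Ethernet (+ optional VN-Tag) + IPv4 (proto 17) + payload."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                               0, ttl, 17, 0, ipaddress.IPv4Address(src).packed,
                               ipaddress.IPv4Address(dst).packed)) + payload
    ip[10:12] = struct.pack("!H", _csum(bytes(ip[:20])))
    tag = struct.pack("!HI", ETH_VNTAG, 0x00010002) if vntag else b""
    return (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + tag
            + struct.pack("!H", ETH_IPV4) + bytes(ip))
```

The window size is the trade-off to tune: too small and TAP duplicates arriving out of order slip through; too large and a genuine retransmission of an identical payload within the window is silently dropped, which itself hides a symptom a security tool may want to see.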
  • Slide 33
  • Summary. 1. DYNAMIC TARGETING: expedite incident response, especially after hours. 2. FILTERING TOOLS: optimize monitoring tool performance. 3. ADVANCED TIPS & TRICKS: traffic conditioning, metrics, load-balancing, baselining
  • Slide 34
  • Summary. 1. 3900 SERIES PFS OVERVIEW: improve visibility while controlling scale. 2. DYNAMIC TARGETING: expedite incident response, especially after hours. 3. FILTERING TOOLS: optimize monitoring tool performance
  • Slide 35
  • THANK YOU