Network Forensics - Your Only Choice at 10G
 

Watch the full OnDemand Webcast: http://bit.ly/networkforensics10G

Network forensics remains one of the hottest topics in network analysis, especially with the exploding deployments of 10 Gigabit (10G) gear. Though often considered for security analysis, especially the identification of network intrusions, network forensics can and should be used for much more general network analysis purposes.

At 10G, real-time network analysis is essentially unmanageable. The only effective way to deal with 10G traffic is to quickly screen incoming data for key network performance indicators and then to store the data for in-depth analysis of small slices of pertinent data as the need arises. Again, this in-depth analysis need not be security oriented – network forensics works equally well in identifying spikes in utilization, drops in VoIP call quality and increased latency, whether network or application. At 10G speeds this isn’t easy to accomplish, but with network forensics you’ll make quick work of it.

In this web seminar, we cover:

- Key technologies used in network forensics
- Applicability of network forensics in analyzing typical network performance issues
- Combining real-time capabilities with network forensics for effective 10G network analysis

What you will learn:

- How to effectively capture and manage 10G traffic for network analysis
- How to use real-time key network performance indicators to identify potential problems
- How to use network forensics to analyze and solve typical network performance issues

Usage Rights

CC Attribution License

Presentation Transcript

Network Forensics – Your Only Choice At 10G
Jay Botelho, Director of Product Management, WildPackets
jbotelho@wildpackets.com / Follow me @jaybotelho
Show us your tweets! Use today’s webinar hashtag #wp_netforensics with any questions, comments, or feedback. Follow us @wildpackets
© WildPackets, Inc. www.wildpackets.com

Agenda
• Defining Network Forensics
• Key Technologies
• Network Forensics and Security
• Network Forensics and Network Performance/Analysis at 10G
  ‒ Capturing the right data
  ‒ The role of real-time analysis
  ‒ Identifying problem areas
  ‒ Root-cause analysis
• Company Overview
• Product Line Overview
Network Forensics – Your Only Choice at 10G © WildPackets, Inc.

Defining Network Forensics

What is Network Forensics?
• Network forensics is capturing, storing, and analyzing network data
• It’s not like TV – employ forensics before the crime
• Marcus Ranum is credited with defining network forensics as “the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.” (Wikipedia)
• Network traffic is transmitted and then lost, making network forensics a must
• Other names: packet mining, packet forensics, digital forensics

What Purpose Does It Serve?
• Allows us to find the details of network events after they have happened
• Eliminates the need to reproduce network problems
• Distills data to manageable levels by employing filters and analysis
“The Network Time Machine”

Why Do We Need It?
• Tuning of intrusion detection solutions
• Identify security breaches: log files are vulnerable, so network-based evidence might be the only evidence available for forensic analysis
• Execute lawful intercept requests, including reconstruction
• Stop network hacks or viruses
• Identify rogue device access to the network
• Enforce corporate compliance policies
• Improve network performance
Key Technologies

Typical Network Forensic Analysis
• Requires the lossless capture, storage and analysis of extremely large data volumes
• Focus on Enterprise vs. Lawful Intercept usage
  ‒ Concerned with the process of reconstructing a network event
    • Intrusion such as a “hack” or other penetration
    • Network or infrastructure outage
  ‒ Provides a recording of the actual incident
• Based on live IP packet data captures
  ‒ A new way of looking at trace file analysis
  ‒ Continues from where traditional network troubleshooting ends

10G Provides Unique Challenges
• Traditional NICs not up to the task
• Processing power is a limiting factor
• Storage capacity is a limiting factor
• I/O bus and disk write speeds are a limiting factor
• 10G forces clarity in analysis
• At 10G, it truly is looking for a needle in a haystack
• “Line rate” – be wary of that claim!
“Importance: Packet-based PM tools remain only truly effective approach to definitive monitoring and definitive troubleshooting” – Jim Frey, Enterprise Management Associates, Inc., July 2010

10G Network Data Capture (image-only slide)

10G Network Data Storage
• 1 Gbps steady-state traffic, assuming no storage overhead:
  ‒ 7.68 GB/min
  ‒ 460 GB/hr
  ‒ 11 TB/day
  ‒ 2.9 days in a 32 TB appliance
• 10 Gbps:
  ‒ 76.8 GB/min
  ‒ 4.6 TB/hr
  ‒ 110 TB/day
  ‒ 7.0 hours in a 32 TB appliance
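The storage arithmetic on the slide above, as an added Python example (not code from the deck or from WildPackets): a small capacity planner that reproduces the slide's 1 Gbps and 10 Gbps figures and generalises them to any link rate, link utilisation, per-packet pcap record overhead and appliance size. The slide's 7.68 GB/min for 1 Gbps comes out exactly only when one gigabit is counted as 1024 Mbit, so that convention is kept as a named, labelled assumption (SLIDE_GBPS) next to the decimal 10^9 rate; the 16-byte pcap record header is the standard per-packet header (ts_sec, ts_usec, incl_len, orig_len) and the 30%-utilised, 700-byte-packet case is a constructed input.

```python
"""Capture-storage planner for a full-packet network recorder.

Added example, not code from the WildPackets deck: reproduces the slide's
1 Gbps / 10 Gbps storage figures and generalises them to any link rate,
utilisation, per-packet capture overhead and appliance size.
"""
from dataclasses import dataclass

GB = 10**9   # the slide quotes decimal units (460 GB/hr, 11 TB/day, 32 TB appliance)
TB = 10**12

# Assumption: the slide's 7.68 GB/min for "1 Gbps" only comes out if one
# gigabit is counted as 1024 Mbit (1024e6 / 8 * 60 = 7.68e9 bytes).  Kept as
# a named constant so the deck's numbers can be reproduced exactly.
SLIDE_GBPS = 1024 * 10**6
DECIMAL_GBPS = 10**9

PCAP_RECORD_HEADER = 16  # bytes per packet: ts_sec, ts_usec, incl_len, orig_len


@dataclass
class CapturePlan:
    link_bps: float            # nominal link rate, bits per second
    utilization: float = 1.0   # fraction of line rate actually carried
    avg_packet_bytes: int = 0  # 0 = ignore per-packet overhead (the slide's assumption)
    per_packet_overhead: int = PCAP_RECORD_HEADER

    def bytes_per_second(self) -> float:
        """Bytes written to disk per second, including record headers if enabled."""
        wire = self.link_bps * self.utilization / 8
        if self.avg_packet_bytes <= 0:
            return wire
        packets_per_second = wire / self.avg_packet_bytes
        return wire + packets_per_second * self.per_packet_overhead

    def gb_per_minute(self) -> float:
        return self.bytes_per_second() * 60 / GB

    def gb_per_hour(self) -> float:
        return self.bytes_per_second() * 3600 / GB

    def tb_per_day(self) -> float:
        return self.bytes_per_second() * 86400 / TB

    def retention_hours(self, storage_bytes: float) -> float:
        """Hours an appliance of this size holds before the oldest data is overwritten."""
        return storage_bytes / self.bytes_per_second() / 3600


def summarize(plan: CapturePlan, storage_bytes: float) -> dict:
    """Rounded figures in the same units the slide uses."""
    hours = plan.retention_hours(storage_bytes)
    return {
        "GB/min": round(plan.gb_per_minute(), 2),
        "GB/hr": round(plan.gb_per_hour(), 1),
        "TB/day": round(plan.tb_per_day(), 1),
        "retention_hours": round(hours, 1),
        "retention_days": round(hours / 24, 1),
    }


if __name__ == "__main__":
    appliance = 32 * TB
    cases = {
        "1 Gbps (slide convention)": CapturePlan(SLIDE_GBPS),
        "10 Gbps (slide convention)": CapturePlan(10 * SLIDE_GBPS),
        # Constructed case: decimal 10 Gbps link, 30% utilised, 700-byte average packets
        "10 Gbps decimal, 30% utilised, 700 B packets": CapturePlan(
            10 * DECIMAL_GBPS, utilization=0.3, avg_packet_bytes=700),
    }
    for label, plan in cases.items():
        print(label, summarize(plan, appliance))
```

Feeding a measured average packet size in turns the slide's best case into a write-rate budget: small packets raise the packets-per-second count, and the per-record header then eats a visible share of the disk bandwidth and shortens retention.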
10G Network Analysis
• Analyze the essentials
• Be specific when possible
• Know your network – baselines are critical
• Know your limits
• Real-time vs. forensics
• Filter and slice (whenever possible)
• Anticipate hardware resource needs
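The "baselines are critical", "real-time vs. forensics" and "filter and slice" points above, as an added Python example that is not part of the deck or of any WildPackets product: per-minute KPI samples (constructed data) are screened against a baseline learned from a quiet period, every excursion becomes a narrow retrieval window plus an illustrative BPF filter for pulling one slice from the recorder, and overlapping windows are merged so the recorder is queried once per incident rather than once per minute. The KPI names, the 3-sigma threshold, the one-minute margin and the filter strings are all assumptions chosen for the illustration.

```python
"""Real-time KPI screening that hands off to forensic retrieval.

Added example, not code from the WildPackets deck or products.  Per-minute
KPI samples are screened against a baseline learned from a quiet period;
each excursion becomes a narrow time window (and an illustrative capture
filter) to pull back from the packet recorder, so the full 10G stream is
never analysed end to end.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass
class KpiSample:
    minute: int             # minute index since the recording started
    utilization_pct: float  # link utilisation
    latency_ms: float       # application response time
    voip_mos: float         # VoIP call quality (Mean Opinion Score, 1..5)


@dataclass
class Baseline:
    means: Dict[str, float]
    stdevs: Dict[str, float]


KPI_FIELDS = ("utilization_pct", "latency_ms", "voip_mos")
# Direction that counts as a problem: up for utilisation and latency, down for MOS.
BAD_DIRECTION = {"utilization_pct": +1, "latency_ms": +1, "voip_mos": -1}
# Illustrative BPF filters used to narrow the slice pulled from the recorder
# (assumption: a real deployment would use site-specific filters).
SLICE_FILTER: Dict[str, Optional[str]] = {
    "utilization_pct": None,  # a utilisation spike needs everything in the window
    "latency_ms": "tcp",
    "voip_mos": "udp",
}


def build_baseline(history: List[KpiSample]) -> Baseline:
    """Baseline = per-KPI mean and population standard deviation over a known-good window."""
    means, stdevs = {}, {}
    for field in KPI_FIELDS:
        values = [getattr(s, field) for s in history]
        means[field] = mean(values)
        stdevs[field] = pstdev(values)
    return Baseline(means, stdevs)


def screen(samples: List[KpiSample], baseline: Baseline,
           k: float = 3.0, margin_minutes: int = 1) -> List[dict]:
    """Flag samples more than k standard deviations from baseline in the bad direction."""
    findings = []
    for s in samples:
        for field in KPI_FIELDS:
            # A flat baseline (stdev 0) makes any movement significant, which is intended.
            sd = max(baseline.stdevs[field], 1e-9)
            z = (getattr(s, field) - baseline.means[field]) / sd
            if z * BAD_DIRECTION[field] >= k:
                findings.append({
                    "minute": s.minute, "kpi": field, "value": getattr(s, field),
                    "z": round(z, 1),
                    "retrieve_from": s.minute - margin_minutes,
                    "retrieve_to": s.minute + margin_minutes,
                    "filter": SLICE_FILTER[field],
                })
    return findings


def merge_windows(findings: List[dict]) -> List[dict]:
    """Coalesce overlapping retrieval windows per KPI so the recorder is queried once per incident."""
    merged: List[dict] = []
    for f in sorted(findings, key=lambda x: (x["kpi"], x["retrieve_from"])):
        last = merged[-1] if merged else None
        if last and last["kpi"] == f["kpi"] and f["retrieve_from"] <= last["to"]:
            last["to"] = max(last["to"], f["retrieve_to"])
            last["peak_z"] = max(last["peak_z"], abs(f["z"]))
        else:
            merged.append({"kpi": f["kpi"], "from": f["retrieve_from"],
                           "to": f["retrieve_to"], "filter": f["filter"],
                           "peak_z": abs(f["z"])})
    return merged


def constructed_history() -> List[KpiSample]:
    """Thirty quiet minutes used to learn the baseline (constructed values)."""
    return [KpiSample(m, 40 + m % 5, 20 + m % 3, 4.2 - 0.05 * (m % 2)) for m in range(30)]


def constructed_live() -> List[KpiSample]:
    """Thirty live minutes with two planted problems (constructed values)."""
    live = [KpiSample(m, 40 + m % 5, 20 + m % 3, 4.2 - 0.05 * (m % 2)) for m in range(30, 60)]
    live[12].utilization_pct = 95.0   # minute 42: utilisation spike
    live[13].utilization_pct = 97.0   # minute 43: still saturated
    live[20].voip_mos = 2.9           # minute 50: VoIP call quality drops
    return live


if __name__ == "__main__":
    baseline = build_baseline(constructed_history())
    for window in merge_windows(screen(constructed_live(), baseline)):
        print(f"{window['kpi']}: retrieve minutes {window['from']}..{window['to']} "
              f"filter={window['filter']!r} peak |z|={window['peak_z']}")
```

The split is the point of the slide: the cheap per-minute statistics run at line rate, and the expensive packet-level work is confined to a three-minute window with a filter, which is what makes the multi-terabyte recording usable.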
Network Forensics and Security

“2011 – The Year of the Hack”
• So named by IT security experts
• 60% of IT executives fear Advanced Persistent Threat (APT) attacks
• 28% fear theft and disclosure from insiders
• 60% use either a written “honor system” security policy or have none at all
• 51% allow employees to download/install software
• Companies continue to allow employees to engage in risky behaviors
Based on Bit9’s Third Annual Endpoint Survey of 765 IT executives: http://www.businesswire.com/news/home/20110830006206/en/%E2%80%9CYear-Hack%E2%80%9D-Survey-Reveals-Enterprises-Concerned-%E2%80%9CAdvanced

Anatomy of a Breach
Source: 2009 Data Breach Investigations Report, Verizon Business RISK Team, 7/28/2010. All results are based on firsthand evidence collected during data breach investigations conducted by Verizon Business.
• Most originate from external sources
• Median size of breaches is highest for insiders
• 91% of compromised records linked to organized criminal groups
• Attacker exploits some mistake by victim and installs malware to collect data
• 98% of all records breached includes unauthorized access via default credentials (usually third-party remote access) or SQL injection (against web applications)
• Customized malware used in these attacks more than doubled

Anatomy of a Breach (cont.)
• 17% of tasks highly difficult but resulted in 95% of total records
• Hackers know where to best apply pressure when motivated
• Most incidents do not require difficult or expensive preventive controls
• Mistakes and oversight hinder security efforts more than a lack of resources
• Correlation between small corporate policy violations and more serious violations
• Illegal content on a user’s machine can be an indication of a breach down the road

Forensic Analysis – Capturing An Attack (diagram: firewall, IDS/IPS system, data recorder, servers)
1. Attack bypasses firewall
2. Data Recorder records and aggregates data throughout attack
3. Event logged, attack partially tracked by IDS
4. Post-event analysis reveals attacker, method, damage!

Key Questions
1. Who was the intruder?
2. How did the intruder penetrate security?
3. What damage has been done?
4. Did the intruder leave anything behind?
5. How can we prevent this attack from reoccurring?
I Didn’t Catch That? Network Forensics and Network Performance/Analysis at 10G

Meeting the 10G Challenge – TimeLine
• Fastest network recording and real-time statistical display — simultaneously
  ‒ 11.7 Gbps sustained capture with zero packet loss
  ‒ Network statistics display in TimeLine visualization format
• Rapid, intuitive forensics search and retrieval
  ‒ Historical network traffic analysis and quick data rewinding
  ‒ Several pre-defined forensics search templates making searches easy and fast
• A natural extension to the WildPackets product line
• Turnkey bundled solution
  ‒ Appliance + OmniEngine, OmniAdapter, OmniPeek Connect

11.7 Gbps Sustained CTD with Zero Packet Loss (image-only slide)

Real-time Statistics While Capturing (image-only slide)

Including VoIP/Video (image-only slide)

Rapid Forensics Search and Retrieval
• Pre-defined forensics search templates making search easier and faster
  ‒ Overview
  ‒ Packets
  ‒ Expert
  ‒ Voice & Video

The Results (image-only slide)

Network Forensics of Email Traffic (image-only slide)

Web Page Reconstruction (image-only slide)

Why Forensics?
• Validate what your logs are telling you
• Generate alarms/alerts on data you’ll never find in logs
• Invest time analyzing, not reproducing
• Immediately begin investigating the issue – you have a recording of the incident!
• Isolate key data – from multi-TB archives – rapidly and intuitively
• Understand the depth of penetration for any incident

What Can You Do?
• Processes, processes, processes
• Implement a network recording/network forensics solution
• Establish clear baselines so changes are easy to detect
• Employ solutions that continuously monitor packet-level security heuristics
• Actively search for minor policy violations that could be indicators of bigger problems
Company Overview

Corporate Background
• Experts in network monitoring, analysis, and troubleshooting
  ‒ Founded: 1990 / Headquarters: Walnut Creek, CA
  ‒ Offices throughout the US, EMEA, and APAC
• Our customers are leading-edge organizations
  ‒ Mid-market and enterprise lines of business
  ‒ Financial, manufacturing, ISPs, major federal agencies, state and local governments, and universities
  ‒ Over 7,000 customers / 60+ countries / 80% of Fortune 1,000
• Award-winning solutions that improve network performance
  ‒ Internet Telephony, Network Magazine, Network Computing Awards
  ‒ United States Patent 5,787,253 issued July 28, 1998
    • Different approach to maintaining availability of network services

Real-World Deployments (image-only slide; sectors shown: Education, Financial, Government, Health Care / Retail, Telecom, Technology)

Product Line Overview

Product Line Overview
• OmniPeek / Compass – Enterprise Packet Capture, Decode and Analysis
  ‒ 10/100/1000 Ethernet, Wireless, WAN, 10G
  ‒ Portable capture and OmniEngine console
  ‒ VoIP analysis and call playback
• Omnipliance / TimeLine – Distributed Enterprise Network Forensics
  ‒ Packet capture and real-time analysis
  ‒ Stream-to-disk for forensics analysis
  ‒ Integrated OmniAdapter network analysis cards
• WatchPoint – Centralized Enterprise Network Monitoring Appliance
  ‒ Aggregation and graphical display of network data
  ‒ WildPackets OmniEngines
  ‒ NetFlow and sFlow

OmniPeek Network Analyzer
• OmniEngine Manager
  ‒ Connect and configure distributed OmniEngines/Omnipliances
• Comprehensive dashboards present network traffic in real-time
  ‒ Vital statistics and graphs display trends on network and application performance
  ‒ Visual peer-map shows conversations and protocols
  ‒ Intuitive drill-down for root-cause analysis of performance bottlenecks
• Visual Expert diagnosis speeds problem resolution
  ‒ Packet and Payload visualizers provide business-centric views
• Automated analytics and problem detection 24/7
  ‒ Easily create filters, triggers, scripting, advanced alarms and alerts

Omnipliance Network Recorders
• Captures and analyzes all network traffic 24x7
  ‒ Runs our OmniEngine software probe
  ‒ Generates vital statistics on network and application performance
  ‒ Intuitive root-cause analysis of performance bottlenecks
• Expert analysis speeds problem resolution
  ‒ Fault analysis, statistical analysis, and independent notification
• Multiple Issue Digital Forensics
  ‒ Real-time and post-capture data mining for compliance and troubleshooting
• Intelligent data transport
  ‒ Network data analyzed locally
  ‒ Detailed analysis passed to OmniPeek on demand
  ‒ Summary statistics sent to WatchPoint for long-term trending and reporting
  ‒ Efficient use of network bandwidth
• User-Extensible Platform
  ‒ Plug-in architecture and SDK

Omnipliance Network Recorders – Price/performance solutions for every application
• Portable – Ruggedized Troubleshooting
  ‒ Aluminum chassis / 17” LCD
  ‒ Quad-Core Xeon 2.5 GHz
  ‒ 4 GB RAM
  ‒ 2 PCI-E slots
  ‒ 2 built-in Ethernet ports
  ‒ 500 GB and 2.5 TB SATA storage capacity
• Edge – Small Networks, Remote Offices
  ‒ 1U rack-mountable chassis
  ‒ Quad-Core Intel Xeon X3460 2.80 GHz
  ‒ 4 GB RAM
  ‒ 2 PCI-E slots
  ‒ 2 built-in Ethernet ports
  ‒ 1 TB SATA storage capacity
• Core – Datacenter Workhorse, Easily Expandable
  ‒ 3U rack-mountable chassis
  ‒ Two Quad-Core Intel Xeon E5530 2.4 GHz
  ‒ 6 GB RAM
  ‒ 4 PCI-E slots
  ‒ 2 built-in Ethernet ports
  ‒ 2 TB SATA storage capacity

TimeLine (same bullets as the Meeting the 10G Challenge – TimeLine slide earlier in the deck)
• Fastest network recording and real-time statistical display — simultaneously
  ‒ 11.7 Gbps sustained capture with zero packet loss
  ‒ Network statistics display in TimeLine visualization format
• Rapid, intuitive forensics search and retrieval
  ‒ Historical network traffic analysis and quick data rewinding
  ‒ Several pre-defined forensics search templates making searches easy and fast
• A natural extension to the WildPackets product line
• Turnkey bundled solution
  ‒ Appliance + OmniEngine, OmniAdapter, OmniPeek Connect

TimeLine – For the most demanding network analysis tasks
• TimeLine 10G Network Forensics
  ‒ 3U rack-mountable chassis
  ‒ Two Quad-Core Intel Xeon 5560 2.8 GHz
  ‒ 18 GB RAM
  ‒ 4 PCI-E slots
  ‒ 2 built-in Ethernet ports
  ‒ 8/16/32 TB SATA storage capacity

WatchPoint – Centralized Monitoring for Distributed Enterprise Networks
• High-level, aggregated view of all network segments
  ‒ Monitor per campus, per region, per country
• Wide range of network data
  ‒ NetFlow, sFlow, OmniFlow
• Web-based, customizable network dashboards
• Flexible detailed reports
• Omnipliances must be configured for continuous capture

WildPackets Key Differentiators
• Visual Expert Intelligence with Intuitive Drill-down
  ‒ Let the computer do the hard work, and return results in real-time
  ‒ Packet / Payload Visualizers are faster than packet-per-packet diagnostics
  ‒ Experts and analytics can be memorized and automated
• Automated Capture Analytics
  ‒ Filters, triggers, scripting and advanced alarming system combine to provide automated network problem detection 24x7
• Multiple Issue Network Forensics
  ‒ Can be tracked by one or more people simultaneously
  ‒ Real-time or post-capture
• User-Extensible Platform
  ‒ Plug-in architecture and SDK
• Aggregated Network Views and Reporting
  ‒ NetFlow, sFlow, and OmniFlow

Q&A
Show us your tweets! Use today’s webinar hashtag #wp_netforensics with any questions, comments, or feedback. Follow us @wildpackets
Follow us on SlideShare! Check out today’s slides on SlideShare: www.slideshare.net/wildpackets
© WildPackets, Inc. www.wildpackets.com

Thank You!
WildPackets, Inc.
1340 Treat Boulevard, Suite 500
Walnut Creek, CA 94597
(925) 937-3200
© WildPackets, Inc. www.wildpackets.com