PLNOG 9: Peter Springl - Next Generation Network Traffic Monitoring and Anomaly Detection
1. Next Generation Network Traffic Monitoring and Anomaly Detection
Petr Springl, springl@invea-tech.com

2. INVEA-TECH
• University spin-off company: 10 years of development, participation in EU-funded projects (the Liberouter project and programmable hardware), 10 million euro invested, creation of unique technologies
• Company profile: strong academic background (CESNET, MU, VUT); founded 2007; expansion onto foreign markets since 2010 (UK, US, Canada, Germany, Japan and others)
• Key products: FlowMon (network traffic monitoring); ADS (detection of anomalies, operational and security issues); FlowMon + ADS = a complete solution for monitoring and security
22.10.2012 FlowMon © INVEA-TECH 2012

3. References
• GÉANT2, Federica – monitoring of 7 European backbones
• CZ Ministry of Defense (via VDI META)
• Korea Telecom
• AVG, Aegon
• CESNET
• T-Mobile
• and more...

4. Agenda
• Network & Security: interesting/surprising statistics; overview of standard security tools
• Network Traffic & Security Monitoring
• FlowMon Solution Introduction
• Use Case – Discovery of the Chuck Norris Botnet
5. Network & Security

6. Malware
Source: McAfee Threats Report: Fourth Quarter 2011

7. Botnets – infected devices
Source: McAfee Threats Report: Fourth Quarter 2011

8. Botnets – infected devices
Source: McAfee Threats Report: Fourth Quarter 2011

9. Attackers' Motivation
Source: Radware – 2011 Global Application & Network Security Report

10. Data Breaches
Source: McAfee Threats Report: Fourth Quarter 2011

11. Botnet as a Service
Source: McAfee Threats Report: First Quarter 2011

12. How to face attacks
• Attacks against organizations of every kind (SMBs, enterprises, government, education and others) are rising
• Attackers use different approaches and attack types: hacking, cracking, dictionary attacks, DoS/DDoS attacks, attacks against services, social engineering, identity theft, botnets...
• Organizations don't know which specific threats to fight
• Many attacks are undetectable by standard approaches: Advanced Persistent Threats, zero-day attacks, polymorphic malware...
• What possibilities are there for organizations? For ISPs?
13. Organizations
• Perimeter security: firewall, IDS/IPS, UTM, application firewall, web filter, email security, remote access
• Endpoint security: antivirus, personal firewall, anti-malware, anti-rootkit, endpoint DLP
• Internal network security: network traffic visibility (flow monitoring), NBA (Network Behavior Analysis), automatic anomaly detection

14. ISPs
• ISPs are in a different situation
• They have to face the same threats, but have fewer possibilities to do so
• ISPs shouldn't protect only themselves, but should also help protect their customers, and protect the Internet from their customers

15. ISPs
• Network element security: switches, routers... configuration, secure management, services
• Network security: routing, rate limiting, filtering, redundancy
• Incident detection: alerts from customers, the ISP or others; IDS; syslogs; SNMP monitoring; network traffic visibility (flow monitoring), NBA (Network Behavior Analysis), automatic anomaly detection

16. Summary
• All the tools and approaches mentioned are very important from a security point of view
• Most are aimed at protection from known threats and attackers
• That's why continuous monitoring and detailed information about activities in the network is important: it provides complete visibility into the network and is able to detect sophisticated attacks (APTs, zero-day attacks), even those not detected by other approaches
17. Network Traffic & Security Monitoring

18. Flow Monitoring Principles
• IP flow monitoring: only packet headers are analyzed; content (packet payload) is not monitored
• Modern method for network monitoring: NetFlow v5/v9 – Cisco standard

19. Architecture
• Sources of network statistics: switches, routers, specialized probes or other devices that monitor network traffic and generate and export flow data
• Flow data collectors: flow data storage, collection and analysis

20. Network Traffic Monitoring Benefits
• Complete network visibility – real-time and historical: Top N statistics (users/customers, services, sites); user-defined profiles (based on user filters); drill-down to any individual communication; alerting and reporting
• Security enhancement, incident tracking
• Benefits also for network management: fast, precise and effective troubleshooting; network performance monitoring; trending, capacity planning, traffic engineering; IP-traffic-based accounting and billing; network management cost reduction

21. Network Behavior Analysis (NBA)
• Automatic advanced analysis of flow (NetFlow) data
• Modern approach to network security
• Detection of undesirable behavior patterns: internal and external threats; undesirable services and applications
• Behavior analysis: behavior profiles; detection of anomalies and suspicious behavior
"NBA is about higher visibility in the behavior of your network to cover gaps left by signature based mechanism." – Paul E. Proctor, Vice President, GARTNER
(Figure: behavior detection vs. signature detection, at network level and host level)

22. NBA Benefits
• Detection of internal and external attacks
• Fast overview of any events in the network, including problem indication
• Enables fighting modern sophisticated attacks
• Detection of threats that are undetectable by standard approaches
• Effective for encrypted traffic
23. FlowMon solution

24. FlowMon – Network Under Control
• Innovative network traffic and security monitoring solution using IP flows
• Based on NetFlow v5/v9 and IPFIX technology
• Provides information about who communicates with whom, for how long, over which protocol, with what traffic volume, and more
• Best price/performance ratio in the industry
• Solution for networks of all sizes
• Exceptional customer benefits
• Your network under control!

25. FlowMon Architecture
• FlowMon Probes: passive standalone sources of network statistics (NetFlow/IPFIX data)
• FlowMon Collectors: visualization and evaluation of network statistics
• FlowMon plugins: FlowMon ADS – automatic traffic analysis to reveal operational and security issues

26. FlowMon Probe
• High-performance standalone probe – source of IP flow records in NetFlow v5/v9 and IPFIX format
• L2/L3 invisible – transparent to the monitored network
• Standard and hardware-accelerated models
• Remote configuration via a user-friendly web GUI
• 10/100/1000 Ethernet, 10 GbE, IPv4, IPv6, MPLS, VLAN
• Maintenance-free appliance with simple configuration
• Built-in collector (data storage redundancy)

27. FlowMon Probe Models
• Compact rack-mount (1U) NetFlow probes
• Standard models: suitable for most networks, excellent price/performance ratio; performance of more than 500k packets per second per 1 GbE port and up to 5M packets per second per 10 GbE port; models from 1x 100 MbE port up to 4x 10 GbE ports
• Hardware-accelerated models (Pro): suitable for large networks and backbone links; wire-speed performance; 10 GbE models available, 40/100 GbE models available soon

28. FlowMon Collector
• Standalone appliance for long-term storage of flow statistics from multiple sources (probes, routers, switches)
• Support for NetFlow/IPFIX/sFlow data storage and analysis
• Professional solution for mid-size and large networks: RAID, redundant power, remote management; storage capacity from 1 TB up to hundreds of TB; unique performance – more than 200k flows/s processing

29. FlowMon Collector – GUI
• Graphs, tables and forms for further data processing
• Top N statistics (users, sites, services)
• Predefined set of profiles/views for standard protocols
• User-defined profiles (based on IP addresses or ports)
• Intelligent reporting (online/offline email/PDF/CSV reports)
• Profile support and automatic alerts (e-mail, syslog, SNMP etc.)

30. FlowMon Plugins

31. FlowMon ADS
• Undesirable behavior detection: attacks; undesirable services; operational and configuration problems
• Behavior profile computation: communication partners; anomaly detection; traffic volume and structure
• Intuitive user interface: immediate indication of network problems; interactive event visualization; integration with information from DNS, WHOIS and geolocation services
• Complex filtering, alerting, reporting

32. FlowMon ADS
• Detection of undesirable patterns in communication: attacks (port scanning, dictionary attacks, DoS/DDoS, telnet protocol); data traffic anomalies (DNS, multicast, non-standard communications); undesirable applications (P2P networks, anonymizers); internal security problems (viruses, spyware, botnets); mail traffic (outgoing spam); operational problems (delays, high traffic, reverse DNS records)

33. FlowMon Benefits
• Long-term storage of traffic statistics
• Network capacity planning
• Connectivity optimization
• Peering agreement optimization
• Detection of attacks, anomalies and suspicious behavior
• Fulfillment of data retention law
• Accounting and billing based on traffic volume
• Possibility to integrate graphs and tables into your information system
34.
Use Case – Discovery of
Botnet Chuck Norris prepared in cooperation with CSIRT-MU 22.10.2012
35.
35/42 Botnet Chuck Norris •
Lot of attempts from all over the world to connect to TELNET service discovered by network security monitoring (flow monitoring) at Masaryk University Who nowadays use TELNET??? Why do devices from all over the world try to connect to TELNET port? • Following detailed analysis lead to botnet revelation 22.10.2012 FlowMon © INVEA-TECH 2012
36.
36/42 Botnet Chuck Norris •
Back tracking infected devices are ADSL modems, WIFI routers… • Analysis of infected device • Connection to C&C server • Analysis of botnet behavior 22.10.2012 FlowMon © INVEA-TECH 2012
37.
37/42 Botnet Chuck Norris •
Attacks linux servers – ADSL modems, WIFI routers • Infected devices try to infect other devices port scanning – TELNET dictionary attack – only 15 passwords !!!! connect to C&C central server, which send him commands (IRC) 22.10.2012 FlowMon © INVEA-TECH 2012
38.
38/42 Botnet Chuck Norris •
Compilation timestamp in pnscan tool – July 2008 • First file uploaded to distribution servers – May 2009 • Botnet discovery at Masaryk University – December 2009 • Trying to shutdown the botnet (CSIRT-MU) • Chuck Norris v2 – May 2010 • Different modification till nowadays Hydra Aidra ??? 22.10.2012 FlowMon © INVEA-TECH 2012
39.
39/42 Attacks Continue 22.10.2012 FlowMon
© INVEA-TECH 2012
40.
40/42 Chuck Norris -
summary • Attacks poorly-configured Linux MIPSEL devices - ADSL modems, WIFI routers, … users are not aware about the malicious activities missing anti-malware solution to detect it possible to manipulate with complete traffic to/from the network • Attack based on trivial dictionary attack (15 passwords) • Lot of network operators underestimated possibility of trivial attack 22.10.2012 FlowMon © INVEA-TECH 2012 Discovered at Masaryk University. The malware got the Chuck Norris moniker from a comment in its source code [R]anger Killato : in nome di Chuck Norris !
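The flow-record principle from the Flow Monitoring Principles slide and the telnet-probing pattern from the Chuck Norris slides, as an added example that is not part of the original deck and not FlowMon code: a small Python flow aggregator that reduces packets to 5-tuple records (headers only, no payload) plus two behaviour rules that would have surfaced the activity the use case describes. All IP addresses, ports, thresholds and function names are constructed for the example.

```python
"""Added example, not code from the INVEA-TECH slides or FlowMon:
a toy flow probe plus two NBA-style rules. Packets are reduced to
NetFlow/IPFIX-style records keyed on the 5-tuple, counting packets and
octets and never looking at payload; the rules then flag the telnet
activity the Chuck Norris use case describes. All traffic is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float      # timestamp in seconds
    src: str
    dst: str
    proto: int     # IP protocol number, 6 = TCP
    sport: int
    dport: int
    length: int    # bytes on the wire


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    first: float
    last: float
    packets: int = 0
    octets: int = 0


def aggregate_flows(packets, active_timeout=60.0):
    """Group packets into flows by 5-tuple. A flow active for longer than
    active_timeout is exported and a fresh record started, the way
    NetFlow exporters slice long-lived connections into several records."""
    active, exported = {}, []
    for p in sorted(packets, key=lambda x: x.ts):
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        f = active.get(key)
        if f is not None and p.ts - f.first > active_timeout:
            exported.append(active.pop(key))
            f = None
        if f is None:
            f = Flow(p.src, p.dst, p.proto, p.sport, p.dport, p.ts, p.ts)
            active[key] = f
        f.last = p.ts
        f.packets += 1
        f.octets += p.length
    exported.extend(active.values())  # flush flows still open at the end
    return exported


def telnet_scanners(flows, min_targets=10, max_packets=4):
    """Sources opening tiny TCP/23 flows to many distinct hosts, i.e. a
    horizontal telnet scan. Returns {source: number_of_targets}."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.dport == 23 and f.packets <= max_packets:
            targets[f.src].add(f.dst)
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}


def telnet_besieged_hosts(flows, min_sources=5):
    """Hosts whose TCP/23 port is contacted by many distinct sources: the
    'attempts from all over the world' symptom seen at Masaryk University."""
    sources = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.dport == 23:
            sources[f.dst].add(f.src)
    return {d: len(s) for d, s in sources.items() if len(s) >= min_sources}


def sample_packets():
    """Constructed traffic: one telnet scanner, twelve hosts trying one
    internal telnet port, a benign SSH session and a long HTTP download."""
    pkts = []
    for i in range(1, 21):  # 203.0.113.5 probes 20 hosts on TCP/23, 2 packets each
        dst = f"192.0.2.{i}"
        pkts.append(Packet(100.0 + i, "203.0.113.5", dst, 6, 40000 + i, 23, 60))
        pkts.append(Packet(100.1 + i, "203.0.113.5", dst, 6, 40000 + i, 23, 60))
    for j in range(12):  # twelve distinct sources each try 192.0.2.1:23 once
        pkts.append(Packet(150.0 + j, f"198.51.100.{j + 10}", "192.0.2.1", 6, 33000 + j, 23, 60))
    for k in range(50):  # benign SSH session, 50 packets in 10 seconds
        pkts.append(Packet(200.0 + k * 0.2, "192.0.2.50", "198.51.100.7", 6, 51515, 22, 120))
    for k in range(30):  # HTTP download lasting 145 s, split by the active timeout
        pkts.append(Packet(300.0 + k * 5.0, "192.0.2.60", "203.0.113.80", 6, 52000, 80, 1500))
    return pkts
```

Running `telnet_scanners` and `telnet_besieged_hosts` over `aggregate_flows(sample_packets())` reports the scanner with 20 targets and 192.0.2.1 with 13 distinct telnet sources, while the SSH and HTTP flows stay silent; the HTTP session is exported as three records because of the 60 s active timeout.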
41. INVEA-TECH @ PLNOG 2012
Is network traffic & security monitoring interesting for you?
• Visit our next presentation @ PLNOG 2012: FlowMon – Network Traffic & Security Monitoring in Examples, tomorrow at 11:50 – New Technology section
• Visit our booth and discuss with us

42. INVEA-TECH a.s.
U Vodárny 2965/2, 616 00 Brno, Czech Republic
www.invea-tech.com
High-Speed Networking Technology Partner
Petr Špringl, springl@invea-tech.com, 00420 511 205 252
Thank you for your attention