Pavel Minařík
What is hidden in network traffic?
Security Session 2015, 11th April 2015, Brno, FIT VUT
minarik@invea.com
• Traditional monitoring
  – Availability of services and network components
  – SNMP polling (interfaces, resources)
  – 100+ tools and solutions on a commercial and open-source basis (Cacti, Zabbix, Nagios, …)
• Next-generation monitoring
  – Traffic visibility on various network layers
  – Detection of security and operational issues
  – Network/application performance monitoring
  – Full packet capture for troubleshooting
Monitoring Tools
• SNMP polling
• Flow monitoring
• Packet capture and analysis
Flow Monitoring Principle
Performance Monitoring
[Diagram: TCP handshake (Syn, Syn/Ack, Ack) measured as RTT; client request (Req, Ack, Data) measured as SRT; server response (Data, Data, Data) measured as Delay]
Round Trip Time (RTT) – delay introduced by the network
Server Response Time (SRT) – delay introduced by the server/application
Delay (min, max, avg, deviation) – delays between packets
Jitter (min, max, avg, deviation) – variance of delays between packets
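The four metrics above can be derived from packet timestamps alone. The following is an added example (not code from the slides or from FlowMon): it computes RTT from the SYN/SYN-ACK pair, SRT from the first request byte to the first response byte, and the delay and jitter summaries over the server's data packets. The packet timeline is constructed, and measuring SRT from the first client data packet is an assumption about how the diagram is meant to be read.

```python
import statistics
from dataclasses import dataclass


@dataclass
class Pkt:
    t: float       # capture timestamp in seconds
    src: str       # "client" or "server"
    flags: str     # TCP flags as a short string: "S", "SA", "A", "PA"
    payload: int   # TCP payload length in bytes


# Constructed timeline of one TCP connection (sample data, not a real capture).
CONN = [
    Pkt(0.000, "client", "S",  0),      # SYN
    Pkt(0.020, "server", "SA", 0),      # SYN/ACK  -> RTT ends here
    Pkt(0.021, "client", "A",  0),      # ACK, handshake complete
    Pkt(0.025, "client", "PA", 300),    # client request -> SRT starts here
    Pkt(0.045, "server", "A",  0),      # pure ACK of the request, not a response
    Pkt(0.180, "server", "PA", 1400),   # first response data -> SRT ends here
    Pkt(0.190, "server", "PA", 1400),
    Pkt(0.215, "server", "PA", 1400),
    Pkt(0.220, "server", "PA", 600),
]


def round_trip_time(pkts):
    """RTT: delay introduced by the network, measured from SYN to SYN/ACK."""
    syn = next(p for p in pkts if p.src == "client" and p.flags == "S")
    synack = next(p for p in pkts
                  if p.src == "server" and p.flags == "SA" and p.t >= syn.t)
    return synack.t - syn.t


def server_response_time(pkts):
    """SRT: delay introduced by the server/application, measured from the
    client's request data to the first server packet carrying data.
    Pure ACKs from the server do not count as a response."""
    req = next(p for p in pkts if p.src == "client" and p.payload > 0)
    resp = next(p for p in pkts
                if p.src == "server" and p.payload > 0 and p.t > req.t)
    return resp.t - req.t


def _summary(values):
    """min, max, avg and deviation of a series, as listed on the slide."""
    return {
        "min": min(values),
        "max": max(values),
        "avg": statistics.fmean(values),
        "dev": statistics.pstdev(values),
    }


def _data_gaps(pkts, src):
    ts = [p.t for p in pkts if p.src == src and p.payload > 0]
    return [b - a for a, b in zip(ts, ts[1:])]


def delay_stats(pkts, src="server"):
    """Delay: gaps between consecutive data packets sent by one side."""
    return _summary(_data_gaps(pkts, src))


def jitter_stats(pkts, src="server"):
    """Jitter: how much consecutive delays differ from one another."""
    gaps = _data_gaps(pkts, src)
    return _summary([abs(b - a) for a, b in zip(gaps, gaps[1:])])


if __name__ == "__main__":
    print(f"RTT {round_trip_time(CONN) * 1000:.1f} ms")
    print(f"SRT {server_response_time(CONN) * 1000:.1f} ms")
    print("delay ", {k: round(v * 1000, 2) for k, v in delay_stats(CONN).items()})
    print("jitter", {k: round(v * 1000, 2) for k, v in jitter_stats(CONN).items()})
```

A high RTT with a low SRT points at the network; a low RTT with a high SRT points at the server or application, which is the distinction the slide draws.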
Flow Standards
• Cisco standard: NetFlow v5
  – fixed format
  – only basic items available
  – no IPv6, MAC, VLANs, …
• Cisco standard: NetFlow v9 (Flexible NetFlow)
  – flexible format using templates
  – mandatory for current needs
  – provides IPv6, VLANs, MAC, …
• Independent IETF standard: IPFIX („NetFlow v10“)
  – the future of flow monitoring
  – more flexibility than NetFlow v9
• Huawei NetStream – same as the original Cisco standard (NetFlow v9)
• Juniper jFlow – similar to NetFlow v9, with different timestamps
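The "fixed format" of NetFlow v5 is easiest to see in a decoder. The following is an added example, not code from the slides or from any flow collector: it unpacks the 24-byte v5 header and the 48-byte records that follow it, and rejects datagrams whose record count does not match their length. The datagram it parses is constructed in the same block; the addresses and timestamps in it are sample values.

```python
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 on the wire: a 24-byte header followed by `count` (at most 30)
# fixed 48-byte records, all fields big-endian.  The fixed layout is exactly
# why v5 cannot carry IPv6 addresses, MAC addresses or VLAN tags: there is no
# field for them, which is the limitation the slide points out.
HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes


@dataclass
class FlowV5:
    src: str
    dst: str
    nexthop: str
    in_if: int
    out_if: int
    packets: int
    octets: int
    first_ms: int      # sysUptime when the flow started
    last_ms: int       # sysUptime when the last packet was seen
    sport: int
    dport: int
    tcp_flags: int     # cumulative OR of the TCP flags seen in the flow
    proto: int
    tos: int
    src_as: int
    dst_as: int
    src_mask: int
    dst_mask: int


def parse_netflow_v5(datagram: bytes):
    """Decode one NetFlow v5 export datagram into (header dict, [FlowV5, ...])."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, uptime, unix_secs, unix_nsecs, sequence,
     engine_type, engine_id, sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError(f"truncated datagram: header announces {count} records")
    header = {
        "sys_uptime_ms": uptime,
        "unix_secs": unix_secs,
        "unix_nsecs": unix_nsecs,
        "flow_sequence": sequence,
        "engine": (engine_type, engine_id),
        # top two bits carry the sampling mode, the remaining 14 the interval
        "sampling_mode": sampling >> 14,
        "sampling_interval": sampling & 0x3FFF,
    }
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append(FlowV5(
            src=socket.inet_ntoa(f[0]), dst=socket.inet_ntoa(f[1]),
            nexthop=socket.inet_ntoa(f[2]), in_if=f[3], out_if=f[4],
            packets=f[5], octets=f[6], first_ms=f[7], last_ms=f[8],
            sport=f[9], dport=f[10], tcp_flags=f[12], proto=f[13],
            tos=f[14], src_as=f[15], dst_as=f[16],
            src_mask=f[17], dst_mask=f[18]))
    return header, flows


def build_sample_datagram() -> bytes:
    """Constructed v5 datagram with two records (sample values, not an export).
    Record 1 is a single SYN to port 22, the shape a port-scan flow has;
    record 2 is a DNS query to a resolver in the TEST-NET range."""
    hdr = HEADER.pack(5, 2, 123456, 1428750000, 0, 1000, 0, 0, 0)
    rec1 = RECORD.pack(socket.inet_aton("192.168.0.53"), socket.inet_aton("192.168.0.10"),
                       socket.inet_aton("0.0.0.0"), 1, 2, 1, 60, 120000, 120000,
                       40001, 22, 0, 0x02, 6, 0, 0, 0, 24, 24, 0)
    rec2 = RECORD.pack(socket.inet_aton("192.168.0.20"), socket.inet_aton("192.0.2.53"),
                       socket.inet_aton("192.168.0.1"), 1, 3, 2, 180, 121000, 121050,
                       51234, 53, 0, 0x00, 17, 0, 0, 0, 24, 32, 0)
    return hdr + rec1 + rec2


if __name__ == "__main__":
    header, flows = parse_netflow_v5(build_sample_datagram())
    print(header)
    for flow in flows:
        print(flow)
```

A v9 or IPFIX decoder has to keep per-exporter template state instead of a single `struct` layout, which is the price of the flexibility the slide lists.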
Flow Sources
• Enterprise-class network equipment
  – Routers, switches, firewalls
• Mikrotik routers
  – Popular and cost-efficient hardware
• Flow probes
  – Dedicated appliances for flow export
• Trends
  – Number of flow-enabled devices is growing
  – L7 visibility, performance monitoring, …
Flow Gathering Schemes
Probe on a SPAN port
  Pros: accuracy; performance; L2/L3/L4/L7 visibility
  Cons: may reach capacity limit; no interface number
  Facts: fits most customers; limited number of SPANs
  Use: enterprise networks
Probe on a TAP
  Pros: same as „on a SPAN“; all packets captured; separates RX and TX
  Cons: additional HW
  Facts: 2 monitoring ports
  Use: ISP uplinks, DCs
Flows from switch/router
  Pros: already available; no additional HW; traffic on interfaces
  Cons: usually inaccurate; visibility limited to L3/L4; performance impact
  Facts: always test before use
  Use: branch offices (MPLS, …)
Traffic Analysis (using flow)
• Bridges the gap left by endpoint and perimeter security solutions
• Behavior-based anomaly detection (NBA)
• Detection of security and operational issues
  – Attacks on network services, network reconnaissance
  – Infected devices and botnet C&C communication
  – Anomalies of network protocols (DNS, DHCP, …)
  – P2P traffic, TOR, on-line messengers, …
  – DDoS attacks and vulnerable services
  – Configuration issues
Full Packet Capture
• On-demand troubleshooting and forensic analysis
• How to get packet traces?
  – tcpdump – Linux/Unix environment
  – WinPcap – Windows environment
  – Probes – appliances with packet capture capability
  – FPGA-based HW adapters – high-speed networks
Packet Analysis
• Analysis of packet traces (PCAP files)
• Software tools (commercial and open source)
• Wireshark as the de facto standard, with large community support
  – Support for hundreds of protocols
  – Powerful filters, statistics, reconstruction, etc.
Examples from Real Life
• Security issue
• Troubleshooting
Security Issue
FlowMon © INVEA-TECH 2013
• Malware-infected device in the internal network
78 port scans? DNS anomalies?
Let's see the scans first.
OK, users cannot access the web. Are the DNS anomalies related?
OK, which DNS is being used? 192.168.0.53? This is a notebook! How did this happen?
Let's look for the details… Laptop 192.168.0.53 is acting as a DHCP server in the network.
Malware-infected device trying to redirect and bridge traffic, probably to get sensitive data.
• Gmail e-mail delivery issue
FlowMon Troubleshooting
"We are not receiving e-mails from Gmail and can't figure it out. Can you try to help us and fix it?"
Using AS numbers it is possible to easily identify the corresponding network traffic and do the analysis.
All flows are 640 B? TCP flags are normal. This is not a network issue; we need to see the packets.
Detailed visibility and drill-down to flow level helps to understand traffic characteristics.
Built-in packet capture capability makes it possible to get full packet traces when needed.
OK, Gmail requests TLS 1.0, and the mail server does not support that.
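The conclusion above comes from looking at the TLS handshake in the packets: the version the client offers is in its ClientHello, and whether the server can accept it follows from the versions the server supports. The following is an added example, not the slides' own analysis or Wireshark's dissector: it decodes the fixed leading part of a ClientHello (record version, client_version, cipher suites) from raw bytes and applies the pre-TLS-1.3 negotiation rule. The ClientHello bytes are constructed in the block; the server's supported-version sets are assumptions.

```python
import struct

# Version bytes as they appear on the wire; TLS 1.3 negotiates through the
# supported_versions extension instead, which this decoder does not read.
VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}


def parse_client_hello(record: bytes) -> dict:
    """Return record-layer version, client_version and offered cipher suites
    from one TLS record carrying a ClientHello (extensions are ignored)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver = (record[1], record[2])
    (rec_len,) = struct.unpack_from("!H", record, 3)
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("ClientHello truncated")
    client_ver = (hello[0], hello[1])
    pos = 2 + 32                             # skip client_version and random
    sid_len = hello[pos]
    pos += 1 + sid_len                       # skip session_id
    (cs_len,) = struct.unpack_from("!H", hello, pos)
    pos += 2
    if pos + cs_len > len(hello):
        raise ValueError("cipher_suites runs past the message")
    suites = [struct.unpack_from("!H", hello, pos + i)[0] for i in range(0, cs_len, 2)]
    return {
        "record_version": VERSION_NAMES.get(rec_ver, str(rec_ver)),
        "client_version": VERSION_NAMES.get(client_ver, str(client_ver)),
        "cipher_suites": suites,
    }


def negotiate(client_version: str, server_versions):
    """Pre-TLS-1.3 rule: the server picks the highest version it supports that
    is not above the client's client_version; None means the handshake fails."""
    order = list(VERSION_NAMES.values())
    ceiling = order.index(client_version)
    usable = [v for v in server_versions if order.index(v) <= ceiling]
    return max(usable, key=order.index) if usable else None


def build_sample_client_hello(version=(3, 1)) -> bytes:
    """Constructed ClientHello offering a single cipher suite (sample data,
    not a capture): client_version, 32 zero bytes of random, empty session
    id, one suite (0x002f), null compression, no extensions."""
    hello = bytes(version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    offered = parse_client_hello(build_sample_client_hello())
    print(offered)
    # a server that only speaks TLS 1.2 cannot accept a TLS 1.0 ClientHello
    print("negotiated:", negotiate(offered["client_version"], {"TLS 1.2"}))
```

Flow records show the handshake attempts as uniform small flows with ordinary TCP flags, which is why the slide concludes "this is not a network issue"; only the packet payload reveals the version mismatch.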
Live Demo
Attack detection and analysis in real time
• Use case: directory traversal attack
  – Flow-level visibility
  – Automatic detection
  – Packet capture and analysis
INVEA-TECH a.s.
U Vodárny 2965/2
616 00 Brno
Czech Republic
www.invea-tech.com
High-Speed Networking Technology Partner
Questions?
Pavel Minařík
minarik@invea.com
+420 733 713 703

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 

What is hidden in network traffic? - Pavel Minařík

  • 1. Pavel Minařík What is hidden in network traffic? Security Session 2015, 11th April 2015, Brno, FIT VUT minarik@invea.com
  • 2. Monitoring Tools • Traditional monitoring  Availability of services and network components  SNMP polling (interfaces, resources)  100+ tools and solutions on a commercial and open-source basis (Cacti, Zabbix, Nagios, …) • Next-generation monitoring  Traffic visibility on various network layers  Detection of security and operational issues  Network/Application performance monitoring  Full packet capture for troubleshooting
  • 5. Performance Monitoring [sequence diagram: client SYN, server SYN,ACK, client ACK, with the handshake span marked RTT; client Req, server Ack, then server Data, with the request-to-first-data span marked SRT; further Data, Data, Data with the gaps between them marked Delay] Round Trip Time – delay introduced by the network. Server Response Time – delay introduced by the server/application. Delay (min, max, avg, deviation) – delays between packets. Jitter (min, max, avg, deviation) – variance of the delays between packets.
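  The four metrics on this slide can be derived from nothing more than packet timestamps and direction. The following is an added example (not part of the original slides) that computes RTT from the handshake, SRT from the first client payload to the first server payload, and delay/jitter from the gaps between server data packets. The trace is constructed; timestamps are in milliseconds. Note that a bare TCP ACK from the server is deliberately not counted as a response, since the stack acknowledges the request before the application has done any work.

```python
"""RTT, SRT, inter-packet delay and jitter derived from packet timestamps."""
from statistics import mean, pstdev

# Constructed trace of one TCP connection (not from the slides).
# Each tuple: (timestamp in ms, direction, TCP flags, payload bytes);
# direction "c" = client -> server, "s" = server -> client.
TRACE = [
    (0,   "c", "S",  0),     # SYN
    (20,  "s", "SA", 0),     # SYN,ACK: handshake RTT = 20 ms
    (20,  "c", "A",  0),     # ACK, handshake complete
    (21,  "c", "PA", 300),   # client request
    (41,  "s", "A",  0),     # TCP-level ACK only; the application has not answered yet
    (121, "s", "PA", 1400),  # first response data: SRT = 121 - 21 = 100 ms
    (131, "s", "PA", 1400),
    (151, "s", "PA", 1400),
    (161, "s", "PA", 800),
]


def rtt(trace):
    """Round Trip Time: client SYN until the server's SYN,ACK (network delay)."""
    t_syn = next(t for t, d, f, _ in trace if d == "c" and f == "S")
    t_synack = next(t for t, d, f, _ in trace if d == "s" and f == "SA" and t >= t_syn)
    return t_synack - t_syn


def srt(trace):
    """Server Response Time: first client payload until first server payload.
    A bare ACK from the server is ignored: the TCP stack acknowledges the request
    before the application has produced anything, so it says nothing about SRT."""
    t_req = next(t for t, d, _, n in trace if d == "c" and n > 0)
    t_resp = next(t for t, d, _, n in trace if d == "s" and n > 0 and t >= t_req)
    return t_resp - t_req


def delays(trace, direction="s"):
    """Gaps between consecutive data-carrying packets in one direction."""
    ts = [t for t, d, _, n in trace if d == direction and n > 0]
    return [b - a for a, b in zip(ts, ts[1:])]


def summarize(values):
    return {"min": min(values), "max": max(values),
            "avg": round(mean(values), 3), "dev": round(pstdev(values), 3)}


def delay_and_jitter(trace, direction="s"):
    """Delay = the gaps themselves; jitter = how much consecutive gaps differ."""
    d = delays(trace, direction)
    jitter = [abs(b - a) for a, b in zip(d, d[1:])]
    return {"delay": summarize(d), "jitter": summarize(jitter)}


if __name__ == "__main__":
    print("RTT", rtt(TRACE), "ms", "SRT", srt(TRACE), "ms")
    print(delay_and_jitter(TRACE))
```

  On the constructed trace this gives RTT 20 ms, SRT 100 ms, server-side delays of 10, 20 and 10 ms and a jitter of 10 ms. A flow probe does the same bookkeeping per flow and exports the aggregates as extra IPFIX fields instead of keeping packets.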
  • 6. Flow Standards
     Cisco standard
       NetFlow v5                      fixed format; only basic items available; no IPv6, MAC, VLANs, …
       NetFlow v9 (Flexible NetFlow)   flexible format using templates; mandatory for current needs; provides IPv6, VLANs, MAC, …
     Independent IETF standard
       IPFIX („NetFlow v10“)           the future of flow monitoring; more flexibility than NetFlow v9
     Huawei NetStream                  same as the original Cisco standard (NetFlow v9)
     Juniper jFlow                     similar to NetFlow v9; different timestamps
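  The "fixed format, no IPv6" point about NetFlow v5 is easiest to see in the wire layout: a 24-byte header followed by up to 30 records of exactly 48 bytes, with 4-byte address fields. The following added example (not from the slides or from any vendor's collector) encodes constructed records into a v5 datagram and decodes it back, rejecting the wrong version and a datagram whose header announces more records than it carries, which is the first check a collector exposed to untrusted exporters should make.

```python
"""Minimal NetFlow v5 encoder/decoder showing the fixed 24-byte header + 48-byte records."""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes, IPv4 addresses only

HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")


def build_v5(records, sys_uptime=1000, unix_secs=1428710400, sequence=0):
    """Encode constructed flow records as one NetFlow v5 export datagram (test data)."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
                       socket.inet_aton("0.0.0.0"),        # next hop
                       r.get("in_if", 0), r.get("out_if", 0),
                       r["pkts"], r["bytes"], r["first"], r["last"],
                       r["sport"], r["dport"], 0, r.get("flags", 0), r["proto"],
                       0, 0, 0, 0, 0, 0)                   # tos, src/dst AS, masks, pad
        for r in records)
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, sequence, 0, 0, 0)
    return header + body


def parse_v5(datagram):
    """Decode a v5 datagram; reject wrong versions and truncated payloads."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if header["version"] != 5:
        raise ValueError("not NetFlow v5 (version %d)" % header["version"])
    if header["count"] > 30:
        raise ValueError("v5 allows at most 30 records per datagram")
    needed = V5_HEADER.size + header["count"] * V5_RECORD.size
    if len(datagram) < needed:
        raise ValueError("truncated: header announces %d records" % header["count"])
    # sampling field: top two bits are the mode, low 14 bits the interval
    header["sampling_interval"] = header["sampling"] & 0x3FFF
    flows = []
    for i in range(header["count"]):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, tos, src_as, dst_as, _smask, _dmask, _pad2) = rec
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "nexthop": socket.inet_ntoa(nexthop), "in_if": in_if, "out_if": out_if,
                      "pkts": pkts, "bytes": octets, "first": first, "last": last,
                      "sport": sport, "dport": dport, "flags": flags, "proto": proto,
                      "tos": tos, "src_as": src_as, "dst_as": dst_as})
    return header, flows


# Constructed sample datagram: one HTTPS flow and one DHCP server reply.
SAMPLE = build_v5([
    {"src": "192.168.0.21", "dst": "203.0.113.10", "sport": 51234, "dport": 443,
     "proto": 6, "flags": 0x1B, "pkts": 120, "bytes": 98000, "first": 100, "last": 900},
    {"src": "192.168.0.53", "dst": "255.255.255.255", "sport": 67, "dport": 68,
     "proto": 17, "pkts": 9, "bytes": 2700, "first": 150, "last": 950},
])

if __name__ == "__main__":
    hdr, flows = parse_v5(SAMPLE)
    print(hdr["count"], "flows in", len(SAMPLE), "bytes")
    for f in flows:
        print(f["src"], f["sport"], "->", f["dst"], f["dport"], "proto", f["proto"], f["bytes"], "B")
```

  The record has no room for an IPv6 address, a VLAN tag or a MAC address; v9 and IPFIX solve that by sending templates that describe variable-length records, which is why the slide calls them mandatory for current needs.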
  • 7. Flow Sources • Enterprise-class network equipment  Routers, switches, firewalls • Mikrotik routers  Popular and cost efficient hardware • Flow Probes  Dedicated appliances for flow export • Trends  Number of flow-enabled devices is growing  L7 visibility, performance monitoring, …
  • 8. Flow Gathering Schemes
                Probe on a SPAN port              Probe on a TAP                  Flows from switch/router
     Pros       accuracy; performance;            same as "on a SPAN";            already available; no additional HW;
                L2/L3/L4/L7 visibility            all packets captured;           traffic on interfaces
                                                  separates RX and TX
     Cons       may reach capacity limit;         additional HW                   usually inaccurate; visibility L3/L4 only;
                no interface number                                               performance impact
     Facts      fits most customers;              2 monitoring ports              always test before use
                limited number of SPANs
     Use        enterprise networks               ISP uplinks, DCs                branch offices (MPLS, …)
  • 9. Traffic Analysis (using flow) • Bridges the gap left by endpoint and perimeter security solutions • Network Behavior Analysis (NBA), i.e. behaviour-based anomaly detection • Detection of security and operational issues  Attacks on network services, network reconnaissance  Infected devices and botnet C&C communication  Anomalies of network protocols (DNS, DHCP, …)  P2P traffic, TOR, on-line messengers, …  DDoS attacks and vulnerable services  Configuration issues
  • 10. Full Packet Capture • On-demand troubleshooting and forensic analysis • How to get packet traces?  tcpdump – Linux/Unix environment  WinPcap – Windows environment  Probes – appliances with packet capture capability  FPGA-based HW adapters – high-speed networks
  • 11. Packet Analysis • Analysis of packet traces (PCAP files) • Software tools (commercial + open source) • Wireshark as the de facto standard with large community support  Support for hundreds of protocols  Powerful filters, statistics, reconstruction, etc.
  • 12. Examples From the Real Life Security issue Troubleshooting
  • 13. Security Issue [FlowMon dashboard screenshot, © INVEA-TECH 2013; callouts: "78 port scans?", "DNS anomalies?"] • Malware-infected device in the internal network
  • 14. Security Issue Let's see the scans first. OK, users cannot access the web. Are the DNS anomalies related?
  • 15. Security Issue OK, which DNS server is being used? 192.168.0.53? This is a notebook! How did this happen?
  • 16. Security Issue Let's look at the details… Laptop 192.168.0.53 is acting as a DHCP server in the network
  • 17. Security Issue Malware-infected device, trying to redirect and bridge traffic, probably to get hold of sensitive data
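  The detection categories on slide 9 and the incident walked through on slides 13 to 17 (port scans, a laptop answering as DHCP server, clients resolving DNS through it) can all be expressed as simple rules over flow records. The following is an added example, not part of the original talk or of FlowMon, run over a constructed list of flows; the authorised DHCP server and approved resolver addresses are assumptions for the sample network.

```python
"""Three flow-level detections: port scan, rogue DHCP server, unexpected DNS resolver."""
from collections import defaultdict

# Constructed flow records (not from the slides):
# (src, dst, ip_proto, sport, dport, packets, bytes); 6 = TCP, 17 = UDP
FLOWS = []
# 25 single-packet TCP flows from one host to consecutive ports: a vertical port scan
FLOWS += [("10.0.0.77", "192.168.0.10", 6, 40000 + p, p, 1, 60) for p in range(1, 26)]
# ordinary HTTPS session
FLOWS += [("192.168.0.21", "203.0.113.10", 6, 51234, 443, 120, 98000)]
# DHCP offers/acks (UDP 67 -> 68) from the real server and from a laptop
FLOWS += [("192.168.0.1", "255.255.255.255", 17, 67, 68, 4, 1200),
          ("192.168.0.53", "255.255.255.255", 17, 67, 68, 9, 2700)]
# DNS: one client uses the corporate resolver, two clients use the laptop
FLOWS += [("192.168.0.21", "192.168.0.2", 17, 53001, 53, 40, 3000),
          ("192.168.0.22", "192.168.0.53", 17, 53002, 53, 35, 2600),
          ("192.168.0.23", "192.168.0.53", 17, 53003, 53, 50, 3800)]


def detect_port_scans(flows, min_targets=20, max_pkts=2):
    """Sources that touched many distinct (dst, dport) pairs with tiny TCP flows.
    A real session carries many packets; a probe to a closed or filtered port carries one or two."""
    probes = defaultdict(set)
    for src, dst, proto, _sport, dport, pkts, _bytes in flows:
        if proto == 6 and pkts <= max_pkts:
            probes[src].add((dst, dport))
    return {src: len(targets) for src, targets in probes.items() if len(targets) >= min_targets}


def detect_rogue_dhcp(flows, authorized):
    """Any host sending from UDP/67 to UDP/68 that is not an authorised DHCP server.
    Flow data shows the rogue server even when the offers never reach a sensor's own port."""
    return sorted({src for src, _dst, proto, sport, dport, _p, _b in flows
                   if proto == 17 and sport == 67 and dport == 68 and src not in authorized})


def detect_unexpected_resolvers(flows, approved):
    """Resolvers receiving DNS queries that are not on the approved list, with client counts.
    A rogue DHCP server typically hands out itself as resolver, so this follows the DHCP finding."""
    clients = defaultdict(set)
    for src, dst, proto, _sport, dport, _p, _b in flows:
        if proto == 17 and dport == 53 and dst not in approved:
            clients[dst].add(src)
    return {dst: len(c) for dst, c in clients.items()}


if __name__ == "__main__":
    print("port scans:", detect_port_scans(FLOWS))
    print("rogue DHCP:", detect_rogue_dhcp(FLOWS, authorized={"192.168.0.1"}))
    print("unexpected resolvers:", detect_unexpected_resolvers(FLOWS, approved={"192.168.0.2"}))
```

  The thresholds (20 targets, at most 2 packets per flow) are starting points, not tuned values; on a real network a vulnerability scanner or a monitoring system will trip the first rule legitimately, so the scanner hosts belong on an allow list just as the DHCP servers and resolvers do.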
  • 18. FlowMon Troubleshooting • Gmail e-mail delivery issue: "We are not receiving e-mails from Gmail and can't figure it out. Can you try to help us and fix it?"
  • 19. FlowMon Troubleshooting Using AS numbers it is possible to easily identify the corresponding network traffic and analyse it
  • 20. FlowMon Troubleshooting All flows are 640 B? TCP flags are normal. This is not a network issue; we need to see the packets. Detailed visibility and drill-down to flow level help to understand traffic characteristics
  • 21. FlowMon Troubleshooting Built-in packet capture capability makes it possible to obtain full packet traces when needed
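  Slide 11 says the analysis is done on PCAP files and slide 20 shows the flow-level check that preceded the capture (uniform flow sizes, normal TCP flags). As an added example that is not part of the talk or of any FlowMon tooling, the following reads a libpcap file, decodes Ethernet/IPv4/TCP, and reports per flow what the dashboard showed: packet count, bytes, the union of TCP flags and the payload carried. The capture is constructed in-line; the remote MTA address and the MX address are hypothetical documentation addresses, and IP/TCP checksums are left at zero.

```python
"""Parse a libpcap file and summarise TCP flows (packets, bytes, flag union, payload)."""
import socket
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
FLAG_NAMES = ((0x02, "S"), (0x10, "A"), (0x08, "P"), (0x01, "F"), (0x04, "R"))


def build_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame for the constructed capture (checksums left at 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # MACs zeroed, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """libpcap file, little-endian, microsecond timestamps; frames: (sec, usec, bytes)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (timestamp, frame); refuse non-Ethernet files and records cut short."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    linktype = struct.unpack_from(end + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload_len) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp + 13], total_len - ihl - doff


def flow_summary(pcap_bytes):
    """Per (src, dst, sport, dport): packet count, frame bytes, OR of TCP flags, payload bytes."""
    flows = defaultdict(lambda: {"pkts": 0, "bytes": 0, "flags": 0, "payload": 0})
    for _ts, frame in iter_pcap(pcap_bytes):
        decoded = decode_tcp(frame)
        if decoded is None:
            continue
        src, dst, sport, dport, flags, plen = decoded
        f = flows[(src, dst, sport, dport)]
        f["pkts"] += 1
        f["bytes"] += len(frame)
        f["flags"] |= flags
        f["payload"] += plen
    return dict(flows)


def flag_string(flags):
    return "".join(name for bit, name in FLAG_NAMES if flags & bit)


# Constructed capture: a remote MTA (203.0.113.5, hypothetical) opening SMTP to our MX (192.0.2.25).
REMOTE, MX = "203.0.113.5", "192.0.2.25"
SAMPLE_PCAP = build_pcap([
    (1, 0,     build_tcp_frame(REMOTE, MX, 40000, 25, 0x02)),                 # SYN
    (1, 20000, build_tcp_frame(MX, REMOTE, 25, 40000, 0x12)),                 # SYN,ACK
    (1, 40000, build_tcp_frame(REMOTE, MX, 40000, 25, 0x10)),                 # ACK
    (1, 60000, build_tcp_frame(MX, REMOTE, 25, 40000, 0x18, b"220 mx.example.com ESMTP\r\n")),
    (1, 80000, build_tcp_frame(REMOTE, MX, 40000, 25, 0x18, b"EHLO mail.example.org\r\n")),
])

if __name__ == "__main__":
    for key, f in flow_summary(SAMPLE_PCAP).items():
        print(key, f["pkts"], "pkts", f["bytes"], "B", "flags", flag_string(f["flags"]))
```

  Once the per-flow numbers confirm what the flow collector reported, the payload bytes of the suspicious flows are what actually answer the question; that is the point where a real trace goes into Wireshark with a filter such as `tcp.port == 25` and the SMTP dialogue is followed line by line.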
  • 23. FlowMon Troubleshooting And the mail server does not support that
  • 24. Live Demo Attack detection and analysis in real time
  • 25. Live Demo • Use case: directory traversal attack  Flow-level visibility  Automatic detection  Packet capture and analysis
  • 26. INVEA-TECH a.s. U Vodárny 2965/2 616 00 Brno Czech Republic www.invea-tech.com High-Speed Networking Technology Partner Questions? Pavel Minařík minarik@invea.com +420 733 713 703