Detecting Network Anomalies with NetFlow
Introduction

The war in Iraq and the war on terrorism have changed the focus of attention at all three levels of government. Federal, state and local governments are all looking for better ways to protect themselves, their equipment and their data while working under intense pressure and in dangerous situations. Security has, of course, been the watchword on Capitol Hill for some time, but in general physical security was given priority first, followed by protecting systems against external intrusion through intrusion detection and patch management. Security at the application level has not received the same attention yet, and it is really the most critical: attacks, worms and viruses are becoming increasingly sophisticated and can shut systems down.

There are many ways to monitor and analyze network traffic and to protect it from attacks from the Internet. Companies commonly use a firewall to protect the network. Although firewall logs often provide a huge amount of information about intrusion attempts, sometimes there is too much data to sort through when a problem needs to be solved quickly. Some organizations also use intrusion detection systems (IDS) on border routers to analyze incoming traffic for patterns that indicate specific problems. But firewalls and intrusion detection systems are mostly deployed at the border with the Internet, rather than on internal networks. This is one reason why Cisco NetFlow now comes to the rescue.

NetFlow overview

NetFlow is a traffic monitoring and analysis technology developed by Darren Kerr and Barry Bruins at Cisco Systems.
It describes the method by which a router and/or intelligent switch exports statistics about the data streams passing through it. This built-in function can be found on most Cisco routers (http://www.cisco.com) as well as on Juniper (http://www.juniper.net), Extreme Networks (http://www.extremenetworks.com), Riverstone (http://www.riverstonenet.com) and other equipment. NetFlow technology provides the data needed to analyze trends and application traffic effectively as it passes through the network. The data can then be exported to a reporting package and can provide the information needed to manage business-critical applications.

What is a NetFlow?

A NetFlow is defined as a unidirectional sequence of packets between a given source and destination, which means that for each connection there will be two flows: one from the client to the server and one from the server to the client. To distinguish flows from each other, the source and destination addresses, the protocol and the port numbers are used. The type of service and the source (ingress) interface index are also used to uniquely identify the flow to which a packet belongs. A flow is considered finished when it has been inactive for a certain period of time, when it becomes older than a certain age (30 minutes by default), or when the flow is a TCP connection and a FIN or RST has been sent. The router may expire flows more aggressively if it is running out of cache space.

A number of router manufacturers have implemented their own versions of NetFlow, but version 5 is currently the most common. In NDE (NetFlow Data Export) version 5, every UDP packet contains a header and at most thirty flow records. Each record consists of the basic flow fields plus the following: next-hop address, output interface number, the number of packets in the flow, the total bytes in the flow, source and destination network mask length, source and destination AS number, and TCP flags (the cumulative OR of the TCP flags seen in the flow).

What is Caligare Flow Inspector?
Caligare Flow Inspector (http://www.caligare.com/netflow/cfi.php) is a unique networking software solution for companies that need to plan, build, maintain and manage their network and at the same time keep it more secure and efficient. Caligare Flow Inspector is a web-based bandwidth monitoring tool that uses NetFlow data export to provide detailed traffic statistics that help answer the who, what, when and where of bandwidth usage.

CFI is software designed to create a secure network monitoring platform, based on industry standards, that fits your existing security policies. The result is the ability to monitor in real time, significantly reducing the time required to identify and solve problems. CFI records what is happening in your corporate network, detects attacks and warns you about problematic network users. All information about network activity is stored in a central analysis database.

Baseline analysis

A baseline analysis is a model that describes what "normal" network traffic looks like according to some history; any other traffic that falls outside the scope of this traffic pattern is marked as malicious. Trend analysis reports are the most common and basic form of flow-based analysis. In NetFlow it focuses primarily on records that have some "unusually high traffic volume" attribute, in particular records whose flow field values deviate significantly from a historically established baseline. There are normally two ways to make use of the baseline method of analysis: top sessions and top data.

Top sessions

Top sessions refers to a single host attempting to open an abnormally high volume of connections to a single node or a block of nodes. The reasons for this activity are worms, denial of service attacks and network scans. Ordinary clients connecting to the Internet should keep a relatively normal connection rate.
But if a host is infected by a worm, it will definitely act differently. It will open a huge number of connections, for the most part to different destinations, in its attempts to infect the next batch of victims. For the same reason, when a less qualified "script kiddie" scans a large block of addresses for some vulnerable service, we will see a particularly high volume of sessions sent from that single IP address. We can then use the top sessions method to identify many types of network abuse, for example by checking the flow records for port 25 connection requests sent by each single host in real time. If, in a given period, the port 25 statistics for a host are above a "normal" value, that host could be considered a spammer or someone infected with some type of e-mail worm. It would be better for the Internet as a whole if service providers started using this technology and cut spammers off upon detection.

Top data

The second method of analysis using a baseline is top data. This can be defined as a large quantity of network data transferred in a certain period of time from a single host to a single destination or to a block of destination hosts. The top data traffic transferred from or towards the outside of a business, classified into groups, should be relatively fixed. If this pattern changes and suddenly a new host appears in the matrix of top hosts, an alert should be raised to find out what triggered it.

How do I know if I am attacked?

Traffic inspection and analysis is a very complex problem. There are many tools on the market, such as IDS, network traffic dumps or network probes, but most of them cannot process large volumes of traffic (e.g. 10 TB/hour). We decided to use NetFlow data export (NDE), which is widely available on most high-end routers, for user tracking and real-time flow data analysis. NetFlow brings a clear view of what is happening in your network.
There are several methods to detect whether "your" network is under attack:

- Packet size distribution. Many small packets (over 60%) may mean suspicious traffic.
- Many connections from a single host to a considerable number of destinations.
- Use of reserved or private IP addresses from the Internet.
- An excessive number of ICMP messages.

Packet size distribution statistics are not implemented in the latest version of Caligare Flow Inspector. In our company we are using a small honeypot network (without any real stations) for attack analysis. You can use the following steps to locate the problem and its origin, plus some tips on how to filter infected stations out of the suspicious traffic.

Finding worm sources in the network

Caligare Flow Inspector is the ideal software tool for detecting worm sources (infected stations) in your network. The Trends menu can be used for this type of analysis. The following example shows how to find infected stations in the local network. Log into Caligare Flow Inspector and do the following:

1. Select the collector that stores the NetFlow data export (in our case: router R01).
2. In the table selection, choose the current hourly table.
3. Select statistics: Source host distributions.
4. Set the source interface (Gigabit Ethernet 1/1).
5. Set the destination interface (not Gigabit Ethernet 1/1).
6. Execute the search query.

After you receive the source host distributions, you can display the top ten source IP addresses sorted by the number of unique destination IP addresses used. These source IP addresses are the candidates, and infected stations can be selected from the result. Check the candidate stations (an infected station has more than 500 unique destinations in most cases). Ignore servers that are normally heavily used.
Web or application servers usually generate a lot of connections to many destinations. Write the top 5 stations in your notebook and then go to the next step. To confirm each infected candidate, run the following query for each candidate IP address:

1. Set statistics: Packet destination ports.
2. Set source IP address: the candidate's address.
3. Execute the search query.

Check the destination ports used by the potentially infected station. In most cases (if the station is infected) you will see some of the following ports: netbios (137, 138, 139), microsoft-ds (445), ms-sql-s (1433), www (80, 3128), etc. (see Figure 4). Now is a good time to consider whether the candidate is infected or not. The decision is yours, because only you know "your" network and servers. If a station has opened more than 500 connections to unique destinations on port 1433, this looks like very suspicious activity.

How do I discover who has attacked my network?

An infected station will try to open a connection to all servers in the network. You can simply locate this type of attack by finding the source host that is trying to open connections to various destinations in the local network. Check the section "Finding worm sources in the network" for how to find these source hosts. Sophisticated worm sources do not sweep the entire network; they mainly try, from time to time, to open a single connection to a random or pseudo-random host. Detecting these attackers is difficult but not impossible! You can use TCP flag and ICMP monitoring. When the attacker tries to open a TCP connection to an unused destination IP address, only the TCP SYN flag is set. If the connection is successful you will see the cumulative TCP flags SYN and ACK; if the connection is not successful you will see flows with only the SYN flag. You can count the failed connections for each source IP address outside your network, and the source with the most failed connections is your attacker candidate.
If the attacker uses the UDP protocol and sweeps the entire network, an excessive number of ICMP messages will be generated instead.

How do I find out who attacked me?

If you suspect (or know) that a station is the victim of an attack, then you probably want to know who the attacker is. Detection is easier if the attacker's source IP address is not spoofed. Select "Trends" and use the "Source host packets" statistics. Type your IP address (the victim's) into the destination host field and run the search query. The result is a list of source hosts that have talked to you, in order of the number of packets. Often the first host is the attacker. If the source IP address is spoofed (often a reserved or private IP address is used), you can only identify the interface through which the malicious traffic is entering the station. You cannot filter out the aggressor if a random source IP address is used; you can only ask your ISP or peer operator.

Protection and prevention

You can use different security mechanisms; these are widely available through access lists on Cisco routers.

1. Create a new access list: ip access-list extended
2. Add a blocking rule: deny ip <attacker address> any
3. Repeat step 2 for each attacker.
4. Permit all other traffic.
5. Check the access list rules: show ip access-list
6. Apply the access list to the source interface: ip access-group in

Example:

  configure terminal
  ip access-list extended block_attacker
  deny ip 10.0.0.0 0.255.255.255 any
  deny ip 192.168.0.0 0.0.255.255 any
  deny ip 80.95.102.33 0.0.0.0 any
  permit ip any any
  permit pim any any
  permit igmp any any
  exit
  interface GigabitEthernet 1/1
  ip access-group block_attacker in
  exit

Be careful before updating an access list! On most routers the default rule is to drop all traffic if an access list exists but nothing matches. It is recommended to remove the access list from the interface, create the new access list and then reassign it to the interface. Figure 3 shows the result of applying the access list on our router R01, which was applied at 10:03.
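As an added example (not code from the article or from Caligare), the following Python script decodes NetFlow v5 export datagrams laid out as described in the "What is a NetFlow?" section and applies the two detection heuristics from the sections above: the top-sessions count of unique destinations per internal host (500 as the threshold) and the SYN-without-ACK count per external source. The traffic, the LAN prefix 10.1.0.0/16 and the record field values are constructed for the example.

```python
"""Decode NetFlow v5 datagrams and apply the article's flow-based heuristics (constructed example)."""
import ipaddress
import struct
from collections import defaultdict

# NDE v5 layout: 24-byte header, 48-byte records, at most 30 records per UDP datagram.
HEADER = struct.Struct("!HHIIIIBBH")                # version, count, uptime, secs, nsecs, seq, engine, sampling
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifs, pkts, bytes, times, ports, flags, ...
TCP_SYN, TCP_ACK = 0x02, 0x10
MAX_RECORDS = 30


def parse_v5(packet):
    """Return a list of flow dicts from one NetFlow v5 datagram, validating version and length."""
    version, count = HEADER.unpack_from(packet, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS or len(packet) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        flows.append({"src": str(ipaddress.IPv4Address(r[0])), "dst": str(ipaddress.IPv4Address(r[1])),
                      "in_if": r[3], "out_if": r[4], "packets": r[5], "bytes": r[6],
                      "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13]})
    return flows


def build_v5(records, uptime=1000, unix_secs=1_700_000_000):
    """Pack (src, dst, dport, proto, tcp_flags) tuples into v5 datagrams; stands in for a real exporter."""
    packets = []
    for start in range(0, len(records), MAX_RECORDS):
        chunk = records[start:start + MAX_RECORDS]
        body = b"".join(
            RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed, b"\0" * 4,
                        1, 2, 1, 60, uptime, uptime, 40000, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
            for s, d, dport, proto, flags in chunk)
        packets.append(HEADER.pack(5, len(chunk), uptime, unix_secs, 0, start, 0, 0, 0) + body)
    return packets


def top_sessions(flows, lan, threshold=500):
    """Top-sessions baseline: LAN hosts with flows to more unique outside destinations than threshold."""
    net = ipaddress.IPv4Network(lan)
    dests = defaultdict(set)
    for f in flows:
        if ipaddress.IPv4Address(f["src"]) in net and ipaddress.IPv4Address(f["dst"]) not in net:
            dests[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in dests.items() if len(d) > threshold}


def dest_port_profile(flows, src):
    """Destination-port breakdown for one candidate, most used port first (the confirmation query)."""
    ports = defaultdict(int)
    for f in flows:
        if f["src"] == src:
            ports[f["dport"]] += 1
    return dict(sorted(ports.items(), key=lambda kv: -kv[1]))


def syn_only_sources(flows, lan):
    """External sources ranked by TCP flows carrying SYN without ACK, i.e. failed connection attempts."""
    net = ipaddress.IPv4Network(lan)
    failed = defaultdict(int)
    for f in flows:
        if f["proto"] != 6 or ipaddress.IPv4Address(f["src"]) in net:
            continue
        if f["tcp_flags"] & TCP_SYN and not f["tcp_flags"] & TCP_ACK:
            failed[f["src"]] += 1
    return dict(sorted(failed.items(), key=lambda kv: -kv[1]))


# Constructed traffic for LAN 10.1.0.0/16: one workstation sweeping 600 outside hosts on ms-sql-s
# (1433), one normal browsing client, and one outside scanner failing against 12 LAN addresses.
OUTSIDE = [str(h) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")
           for h in ipaddress.IPv4Network(n).hosts()]
SAMPLE = ([("10.1.1.50", d, 1433, 6, TCP_SYN) for d in OUTSIDE[:600]]
          + [("10.1.1.20", OUTSIDE[700], 80, 6, TCP_SYN | TCP_ACK)] * 3
          + [(OUTSIDE[700], "10.1.1.20", 40000, 6, TCP_SYN | TCP_ACK)]
          + [("203.0.113.99", f"10.1.1.{i}", 445, 6, TCP_SYN) for i in range(1, 13)])

if __name__ == "__main__":
    flows = [f for p in build_v5(SAMPLE) for f in parse_v5(p)]
    print("worm candidates:", top_sessions(flows, "10.1.0.0/16"))
    print("failed external sources:", syn_only_sources(flows, "10.1.0.0/16"))
```

Point a UDP listener at the router's NetFlow export port, pass each received datagram to parse_v5, and run the two ranking functions over each hourly batch to reproduce the candidate lists the article builds by hand.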
Summary

This article discussed attack detection through flow-based analysis of malicious traffic and abnormal activity. With the top sessions and top data methods, network administrators can simply and effectively detect network anomalies in real time. There is no universal process for finding the source of an attack, but with Caligare Flow Inspector software we can make your corporate network better managed.

The full story with images and examples is at: http://www.caligare.com/articles/worms.php
