Network Visibility or Advanced Security? - PosAm
Roman Cupka, Regional Country Manager SEE
Network Visibility or Advanced Security?
TechDays 2017
Who We Are
• Founded in 2007 as a university spin-off
• International network & security monitoring technology vendor
• Gartner Magic Quadrant for NPMD 2017
• Alliance partner of premium technology vendors
What We Do
Network Visibility
• IT Operations: Network Performance Monitoring and Diagnostics (NPMD), Application Performance Monitoring (APM)
• Security: Network Behavioral Analysis (NBA), DDoS Detection & Mitigation
Challenge to Network Visibility
• Expanding network perimeter: the firewall used to sit between the enterprise network and the internet; mobile users and cloud services now carry traffic around it. By 2018, 25% of data will bypass traditional security defenses and flow directly between mobile devices and the cloud.
• Increasing use of SSL-encrypted traffic: roughly three quarters of internet traffic. Attackers also use SSL encryption to hide threats and attack traffic, so IT departments now commonly decrypt inbound and outbound SSL traffic to identify risks and threats.
• Growing volume and complexity of network traffic: largely structured and unstructured data (video/voice); the volume of traffic can flood existing security tools with more traffic than they were designed for.
• Virtualization: "east-west" traffic, data travelling between virtual resources on the same physical host or between blades in the same server, never touches a network cable, so monitoring at the cable is not sufficient for virtual traffic.
• Cloud computing / cloud applications: public, private and hybrid clouds, IaaS, PaaS and SaaS; workloads migrate from data centers to public clouds, and the same 25% of data flowing directly between mobile devices and the cloud by 2018 applies here. Data flows become harder to observe and monitor: new blind spots.
• Internet of Things (IoT): new computing models, mobile edge computing (MEC) and "fog" computing, extend the network perimeter still further and need to embrace open standards that enable data access, security monitoring and performance analytics.
Flowmon focus: effective MTTR
"Mean Time To Response", "Mean Time To Resolution", "Mean Time To Repair"
From hours to minutes! (More than 75% of operational and security issues affecting network functionality are currently recognized only after 1-5 hours.)
How it works with Flowmon
• Flow data export from already deployed devices
• Flowmon probe on a SPAN/mirror port or TAP: flow data export plus application-layer monitoring / packet analysis
• Flowmon collector: flow data collection, visualisation, reporting, analysis
• Flowmon modules for advanced flow data analysis
Flow Monitoring Principle
Client 192.168.1.1 talks to server 10.10.10.10. The exporter keeps one record per direction of the conversation and updates its counters as packets arrive; the rows below show the same two records as they grow. Flow data format: NetFlow, IPFIX.

| Start     | Duration | Proto | Src IP:Port       | Dst IP:Port       | Packets | Bytes | … |
|-----------|----------|-------|-------------------|-------------------|---------|-------|---|
| 9:35:24.8 | 0        | TCP   | 192.168.1.1:10111 | 10.10.10.10:80    | 1       | 40    | … |
| 9:35:24.8 | 0.1      | TCP   | 192.168.1.1:10111 | 10.10.10.10:80    | 2       | 80    | … |
| 9:35:25.0 | 0        | TCP   | 10.10.10.10:80    | 192.168.1.1:10111 | 1       | 40    | … |
| 9:35:25.0 | 0.3      | TCP   | 10.10.10.10:80    | 192.168.1.1:10111 | 2       | 156   | … |
| 9:35:25.0 | 0.5      | TCP   | 10.10.10.10:80    | 192.168.1.1:10111 | 3       | 362   | … |
| 9:35:25.0 | 0.7      | TCP   | 10.10.10.10:80    | 192.168.1.1:10111 | 4       | 862   | … |
| 9:35:25.0 | 0.9      | TCP   | 10.10.10.10:80    | 192.168.1.1:10111 | 5       | 1231  | … |
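The flow-cache principle behind the table, as an added example written for this page (it is not Flowmon's exporter code and does not emit NetFlow or IPFIX on the wire). The packet trace is constructed so that it aggregates into exactly the two records on the slide; the timeouts, field names and the `biflow_pairs` helper are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed packet trace (not a real capture): (timestamp in seconds since midnight,
# protocol, src IP, src port, dst IP, dst port, IP length in bytes). The byte sizes are
# chosen so the cumulative counters match the slide (40/80 and 40/156/362/862/1231).
PACKETS = [
    (34524.8, "TCP", "192.168.1.1", 10111, "10.10.10.10", 80, 40),
    (34524.9, "TCP", "192.168.1.1", 10111, "10.10.10.10", 80, 40),
    (34525.0, "TCP", "10.10.10.10", 80, "192.168.1.1", 10111, 40),
    (34525.3, "TCP", "10.10.10.10", 80, "192.168.1.1", 10111, 116),
    (34525.5, "TCP", "10.10.10.10", 80, "192.168.1.1", 10111, 206),
    (34525.7, "TCP", "10.10.10.10", 80, "192.168.1.1", 10111, 500),
    (34525.9, "TCP", "10.10.10.10", 80, "192.168.1.1", 10111, 369),
]

FlowKey = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass
class Flow:
    """One unidirectional flow record, as NetFlow v5/v9 exporters emit them."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    start: float
    end: float
    packets: int = 0
    bytes: int = 0

    @property
    def duration(self) -> float:
        return round(self.end - self.start, 3)


def aggregate(packets, active_timeout: float = 300.0, inactive_timeout: float = 15.0) -> List[Flow]:
    """Turn a packet trace into flow records the way an exporter's flow cache does.

    A record is keyed by the 5-tuple; each packet bumps its packet and byte counters.
    A record is exported when the flow has been idle longer than inactive_timeout,
    when it has been open longer than active_timeout, or when the trace ends.
    """
    cache: Dict[FlowKey, Flow] = {}
    exported: List[Flow] = []
    for ts, proto, src, sport, dst, dport, length in sorted(packets, key=lambda p: p[0]):
        # Expire stale entries first, as the exporter's cache timer would.
        for key in [k for k, f in cache.items()
                    if ts - f.end > inactive_timeout or ts - f.start > active_timeout]:
            exported.append(cache.pop(key))
        key = (proto, src, sport, dst, dport)
        flow = cache.get(key)
        if flow is None:
            flow = cache[key] = Flow(proto, src, sport, dst, dport, ts, ts)
        flow.end = ts
        flow.packets += 1
        flow.bytes += length
    exported.extend(cache.values())  # end of trace: flush what is still open
    return exported


def biflow_pairs(flows: List[Flow]) -> List[Tuple[Flow, Flow]]:
    """Pair each record with its reverse direction (what IPFIX biflows carry natively)."""
    by_key = {(f.proto, f.src, f.sport, f.dst, f.dport): f for f in flows}
    pairs = []
    for f in flows:
        reverse = by_key.get((f.proto, f.dst, f.dport, f.src, f.sport))
        # Tuple comparison keeps each pair once, with the earlier (initiating) side first.
        if reverse is not None and (f.start, f.src) < (reverse.start, reverse.src):
            pairs.append((f, reverse))
    return pairs


if __name__ == "__main__":
    for f in aggregate(PACKETS):
        print(f"{f.start:.1f} {f.duration:<4} {f.proto} {f.src}:{f.sport} -> "
              f"{f.dst}:{f.dport} {f.packets} {f.bytes}")
```

The inactive timeout is what makes a long-lived conversation show up as several records; a collector that counts "sessions" from raw records without re-joining them on the 5-tuple will overcount, which matters for anomaly baselines.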
Flowmon IPFIX Extensions
• Flowmon enriches traditional flow statistics
• For both operational and security use-cases
L2: MAC, VLAN, MPLS, GRE tunnel, OVT
L3/L4: standard items; NPM metrics (RTT, SRT, …); TTL, SYN size, …; ASN; geolocation
L7: NBAR2, HTTP, DNS, DHCP, SMB/CIFS, SQL
Use Case I. Network Operation
Slow internet connection
Network utilization
"The network is really slow today." "Loading a website takes ages." "Remote users cannot work in our IS."
Network utilization
The internet line is more saturated today than usual.
Network Performance Monitoring
• NPM metrics visualization
Network Performance Monitoring
• Network performance monitoring metrics
• Round-Trip Time (RTT) – delay introduced by the network
• Server Response Time (SRT) – delay introduced by the server
• Delay – delay between individual packets of server response
• Jitter – variance in delay
• TCP Retransmissions – packet damage or loss
• Out-of-order packets – number of packets received in the wrong order
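How these six metrics fall out of a packet stream seen on a SPAN port or TAP, as an added example (not Flowmon's measurement code). The TCP trace is constructed; the roles "client"/"server", the segment fields and the choice to measure RTT from the SYN/SYN-ACK pair and SRT from the last request byte to the first response byte are assumptions that a real probe would refine (its position in the path decides which half of the round trip it sees).

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Segment:
    ts: float      # capture time in seconds
    src: str       # "client" or "server" (roles instead of IPs in this constructed trace)
    seq: int       # TCP sequence number
    flags: str     # subset of "SA"
    payload: int   # payload bytes


# Constructed trace of one HTTP-style exchange (not a real capture).
TRACE = [
    Segment(0.000, "client", 1000, "S", 0),      # SYN
    Segment(0.020, "server", 5000, "SA", 0),     # SYN-ACK 20 ms later -> RTT
    Segment(0.021, "client", 1001, "A", 0),
    Segment(0.022, "client", 1001, "A", 120),    # request; last byte at 0.022 s
    Segment(0.172, "server", 5001, "A", 1460),   # first response byte -> SRT = 150 ms
    Segment(0.175, "server", 6461, "A", 1460),
    Segment(0.190, "server", 9381, "A", 1460),   # arrives before seq 7921 ...
    Segment(0.193, "server", 7921, "A", 1460),   # ... so this one is out-of-order
    Segment(0.250, "server", 6461, "A", 1460),   # seq already seen: retransmission
]


def ms(seconds: float) -> float:
    return round(seconds * 1000, 3)


def npm_metrics(trace: List[Segment]) -> Dict[str, float]:
    """RTT, SRT, inter-packet delay, jitter, retransmissions and out-of-order count."""
    syn = next(s for s in trace if "S" in s.flags and "A" not in s.flags)
    synack = next(s for s in trace if "S" in s.flags and "A" in s.flags)
    last_req = max(s.ts for s in trace if s.src == "client" and s.payload > 0)
    first_resp = min(s.ts for s in trace if s.src == "server" and s.payload > 0)

    # Per direction: a data segment whose seq was already seen is a retransmission;
    # one whose seq is below the highest seq seen so far, but new, arrived out of order.
    retrans = ooo = 0
    seen = {"client": set(), "server": set()}
    highest = {"client": -1, "server": -1}
    for s in trace:
        if s.payload == 0:
            continue
        if s.seq in seen[s.src]:
            retrans += 1
        elif s.seq < highest[s.src]:
            ooo += 1
        seen[s.src].add(s.seq)
        highest[s.src] = max(highest[s.src], s.seq)

    # Delay = mean gap between consecutive server data segments; jitter = mean absolute
    # change between consecutive gaps (the RFC 3550 interarrival idea without smoothing).
    resp_ts = [s.ts for s in trace if s.src == "server" and s.payload > 0]
    gaps = [ms(b - a) for a, b in zip(resp_ts, resp_ts[1:])]
    delay = round(sum(gaps) / len(gaps), 3) if gaps else 0.0
    jitter = (round(sum(abs(b - a) for a, b in zip(gaps, gaps[1:])) / (len(gaps) - 1), 3)
              if len(gaps) > 1 else 0.0)
    return {
        "rtt_ms": ms(synack.ts - syn.ts),
        "srt_ms": ms(first_resp - last_req),
        "delay_ms": delay,
        "jitter_ms": jitter,
        "retransmissions": retrans,
        "out_of_order": ooo,
    }


if __name__ == "__main__":
    for name, value in npm_metrics(TRACE).items():
        print(f"{name:>16}: {value}")
```

A high SRT with a normal RTT points at the server (the "not enough HW resources" case in the next slide); a high RTT with a normal SRT points at the path.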
Network Performance Monitoring
• What NPM metrics can indicate
• delays in the network infrastructure (e.g. malfunctioning access point)
• delays in the server (e.g. not enough HW resources)
• bad audio and video quality (e.g. VoIP calls or videoconferences)
• problems on the physical layer (e.g. interference, faulty port)
• failures in communication links
Network Analyses
Where is it coming from?
Windows updates? And not from our WSUS server? OK, I need to check all these IP addresses.
User identity awareness
Identity source: syslog export from the authentication system (time, login, IP address), correlated with the flow records (time, IP, …) so that traffic is attributed to a user and not only to an address.
Passive device fingerprinting
• Based on extended HTTP visibility
• User-Agent as a source of device identification
• Plus MAC address, IP address, VLAN tag and flow source
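Both enrichment steps from the last two slides in one added example (not Flowmon's code): flow records are joined to an authentication syslog export by IP address and time, and the HTTP User-Agent carried in an L7 extension field is mapped to a device class. The syslog format, the flow field names and the IP addresses are constructed for the example; the User-Agent rules are an illustrative subset.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed syslog export from an authentication source (the line format is assumed,
# not a real vendor format). ISO-8601 timestamps sort correctly as plain strings.
SYSLOG = """\
2017-06-12T09:31:02 vpn01 auth: user=alice ip=10.1.2.3 event=login
2017-06-12T09:40:10 vpn01 auth: user=bob ip=10.1.2.7 event=login
2017-06-12T10:05:00 vpn01 auth: user=alice ip=10.1.2.3 event=logout
2017-06-12T10:06:30 vpn01 auth: user=carol ip=10.1.2.3 event=login
"""

# Constructed flow records; "ua" stands in for the HTTP User-Agent extension field.
FLOWS = [
    {"ts": "2017-06-12T09:45:00", "src": "10.1.2.3", "dst": "203.0.113.10", "dport": 80,
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"ts": "2017-06-12T10:05:30", "src": "10.1.2.3", "dst": "203.0.113.10", "dport": 443,
     "ua": None},  # TLS: no User-Agent visible
    {"ts": "2017-06-12T10:10:00", "src": "10.1.2.3", "dst": "203.0.113.10", "dport": 80,
     "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/603.1.30"},
    {"ts": "2017-06-12T09:50:00", "src": "10.1.2.9", "dst": "203.0.113.10", "dport": 80,
     "ua": "python-requests/2.18.4"},
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) ip=(?P<ip>\S+) event=(?P<event>login|logout)$")

Sessions = Dict[str, List[Tuple[str, Optional[str]]]]


def parse_sessions(syslog: str) -> Sessions:
    """Per IP, a time-ordered list of (timestamp, user) state changes; logout -> None."""
    sessions: Sessions = defaultdict(list)
    for line in syslog.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # not an auth event
        sessions[m["ip"]].append((m["ts"], m["user"] if m["event"] == "login" else None))
    for ip in sessions:
        sessions[ip].sort()
    return sessions


def user_at(sessions: Sessions, ip: str, ts: str) -> Optional[str]:
    """Identity bound to ip at time ts: the most recent state change not after ts."""
    events = sessions.get(ip, [])
    i = bisect_right([e[0] for e in events], ts)
    return events[i - 1][1] if i else None


# Order matters: the first matching rule wins. The User-Agent is client-controlled,
# so this is a hint to corroborate with MAC OUI / DHCP data, not an identity.
UA_RULES = [
    (re.compile(r"Windows NT \d+\.\d+"), "Windows"),
    (re.compile(r"iPhone|iPad"), "iOS"),
    (re.compile(r"Android"), "Android"),
    (re.compile(r"Macintosh"), "macOS"),
    (re.compile(r"X11; Linux"), "Linux"),
    (re.compile(r"python-requests|curl/|Wget"), "script/tool"),
]


def device_class(ua: Optional[str]) -> str:
    if not ua:
        return "unknown"
    for rx, label in UA_RULES:
        if rx.search(ua):
            return label
    return "other"


def enrich(flows: List[dict], sessions: Sessions) -> List[dict]:
    """Add a user and a device class to each flow record."""
    return [dict(f, user=user_at(sessions, f["src"], f["ts"]), device=device_class(f["ua"]))
            for f in flows]


if __name__ == "__main__":
    for row in enrich(FLOWS, parse_sessions(SYSLOG)):
        print(row["ts"], row["src"], row["user"], row["device"])
```

The second flow shows the gap a practitioner has to expect: between alice's logout and carol's login the address has no owner, and over TLS there is no User-Agent at all, so the record stays unattributed rather than being guessed.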
Flowmon NPMD use case
Use case: flow monitoring of a production network spread over multiple locations
Problem: long response times in the production part of the network
Monthly cost of the problem: 38 000 €
Flowmon cost: 28 000 € (2x probe, small collector and 1 year of maintenance)
Flowmon provides detailed network visibility to enable quick troubleshooting, reduce network operations costs and optimize the performance of the entire IT environment.
Return on investment: 3 weeks
Value Proposition: Network Performance Monitoring & Diagnostics (NetFlow/IPFIX)
• Provides visibility, "eyes" into the network traffic
• Reduces mean time to resolve, builds up efficiency
• Reduces downtime and network operational costs
• Ensures company productivity
• Flow analysis & packet capture
Gartner: "80% of operational issues can be analyzed and solved by flow monitoring."
Recommendation: "Implement NetFlow/IPFIX to allow better measurement of user experience."
Use Case II. IT Operation
Communication Deadlock
Me: "What's going on? The app is running slow…"
Application admin: "The application seems to run OK, it must be a problem in the network…"
Network admin: "The network is running well, no other issues reported. The problem has to be in the application."
Application Performance Monitoring
Diagram: user ↔ app server. The response time seen by the user splits into request transport time (network), application delay (application) and response transport time (network).
Application Performance Monitoring
Diagram: app server ↔ database server. The same split on the back end: SQL query transport time (network), database delay (database) and SQL response transport time (network).
Detailed drill-down (HTTP)
• List of transactions including URL, User-Agent, individual metrics and status code
Detailed drill-down (SQL)
• List of transactions including individual SQL queries and performance characteristics
Transaction correlation
User – application – database transaction correlation: each user–application transaction is matched with the relevant application–database server transactions.
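The correlation step and the delay split from the two diagrams above, as an added example (not Flowmon APM's own algorithm). It attributes each SQL transaction to the HTTP transaction on the same application server whose server-side window contains it, then splits the application delay into database time and the application's own time. All transactions, addresses, URLs and queries are constructed; timestamps are milliseconds on one probe clock.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class HttpTx:
    tx_id: str
    client: str
    app: str
    url: str
    req_end: int      # ms: last byte of the request arrives at the app server
    resp_start: int   # ms: first byte of the response leaves it


@dataclass(frozen=True)
class SqlTx:
    app: str
    db: str
    query: str
    sent: int         # ms: query leaves the app server
    done: int         # ms: last byte of the result set arrives


# Constructed transactions (not real traffic). C overlaps B on the same app server on purpose.
HTTP = [
    HttpTx("A", "10.1.2.3", "10.0.0.20", "/orders", 1000, 1850),
    HttpTx("B", "10.1.2.4", "10.0.0.20", "/login", 3000, 3120),
    HttpTx("C", "10.1.2.5", "10.0.0.20", "/cart", 3005, 3100),
]
SQL = [
    SqlTx("10.0.0.20", "10.0.0.30", "SELECT * FROM sessions WHERE id=?", 1010, 1060),
    SqlTx("10.0.0.20", "10.0.0.30", "SELECT * FROM orders o JOIN items i ON ...", 1100, 1800),
    SqlTx("10.0.0.20", "10.0.0.30", "SELECT * FROM users WHERE name=?", 3010, 3040),
    SqlTx("10.0.0.20", "10.0.0.30", "UPDATE stats SET n=n+1", 5000, 5200),  # batch job, no user
]


def contains(h: HttpTx, s: SqlTx) -> bool:
    """True if the SQL transaction ran inside the HTTP transaction's server-side window."""
    return s.app == h.app and h.req_end <= s.sent and s.done <= h.resp_start


def correlate(http: List[HttpTx], sql: List[SqlTx]) -> Dict[str, Dict[str, int]]:
    """Split each HTTP transaction's application delay into database time and own time."""
    result = {}
    for h in http:
        inside = [s for s in sql if contains(h, s)]
        app_ms = h.resp_start - h.req_end
        db_ms = sum(s.done - s.sent for s in inside)
        result[h.tx_id] = {"app_delay_ms": app_ms, "db_ms": db_ms,
                           "app_own_ms": app_ms - db_ms, "queries": len(inside)}
    return result


def unmatched(http: List[HttpTx], sql: List[SqlTx]) -> Dict[str, List[SqlTx]]:
    """SQL transactions no HTTP window explains (background work) or several do (ambiguous)."""
    out: Dict[str, List[SqlTx]] = {"none": [], "ambiguous": []}
    for s in sql:
        n = sum(1 for h in http if contains(h, s))
        if n == 0:
            out["none"].append(s)
        elif n > 1:
            out["ambiguous"].append(s)
    return out


if __name__ == "__main__":
    for tx_id, split in correlate(HTTP, SQL).items():
        print(tx_id, split)
    print({k: len(v) for k, v in unmatched(HTTP, SQL).items()})
```

Transaction A is the deadlock from the earlier slide resolved: 850 ms of application delay of which 750 ms is one slow join, so neither the network nor the application code is the first place to look. The `ambiguous` list is the honest limit of time-window correlation on a busy server: when requests overlap, the same query is credited to every window containing it, and only the application's own tracing can tell them apart.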
Error Codes
All transactions with error codes
Flowmon APM use case
Use case: poor response time of an internal information system
• Company with 500 employees, each spending on average 30 minutes a day waiting unproductively for the information system to respond
• At an assumed cost of 10 € per employee-hour the daily loss is 2 500 €
• By deploying Flowmon APM the non-productive time is reduced to 10 minutes, saving roughly 1 650 € every day (500 employees × 20 minutes × 10 €/h ≈ 1 667 €)
Return on investment: 2-4 weeks
Flowmon APM is an agent-less application monitoring solution identifying and solving availability issues, slow response times, bottlenecks or configuration errors of critical applications.
Value Proposition: User Experience
• Non-intrusive, real-time application performance monitoring
• Agentless measurement of user experience
• Solves poor performance of "external" applications (e-shop, e-banking, e-portals…)
• Solves poor performance of "internal" applications (information systems, CRM…)
• Correlation of user–app–DB transactions
Network-based APM is a cost-effective alternative for customers requiring an easy-to-deploy solution to distinguish between network, application and database delay when monitoring user experience.
Use Case III. Security
More sophisticated attacker techniques
Botnet: "A network of infected endpoints (known as bots) working together and controlled by an attacker through command-and-control (C2) servers."
Distributed denial-of-service (DDoS): "A coordinated attack, often from hundreds of thousands or millions of compromised endpoints, used to flood a target system or network."
Exploit: "Software or code that takes advantage of a vulnerability in an operating system or application and causes unintended behavior in the operating system or application, such as privilege escalation, remote control, or a denial-of-service."
Phishing: "Social engineering technique in which an email that appears to be from a legitimate business, typically a financial institution or retail store, attempts to trick the recipient into clicking an embedded link in the email or opening an attachment containing malware or an exploit."
Hijacked IP address ranges: "IP addresses that are stolen from their legitimate owners, typically by corrupting the routing tables of Internet backbone routers."
Advanced persistent threat (APT): a targeted intrusion in which a well-resourced attacker gains access to a network and maintains it covertly over a long period.
Malware: "Malicious software or code that typically damages or disables, takes control of, or steals information from a computer system. Malware broadly includes adware, anti-AV software, backdoors, bootkits, logic bombs, RATs, rootkits, spyware, Trojan horses, viruses, and worms."
Diagram: perimeter security tools deployed around the DMZ, VPN and LAN: firewall, IDS/IPS, UTM, application firewall, web filter, e-mail security, SSH access.
Diagram: endpoint security tools on the LAN: antivirus, personal firewall, antimalware, endpoint DLP, antirootkit.
Diagram: DMZ, VPN and LAN.
Flowmon Detection Principles
Network Behavioral Analysis
• Machine learning
• Adaptive baselining
• Heuristic approach
• Behavior patterns
• Reputation databases
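What "adaptive baselining" means in practice, as an added example written for this page (it is not Flowmon ADS's algorithm, whose parameters are not on the slides). One metric per host, say bytes out per five-minute window, is tracked with an exponentially weighted mean and deviation; a sample far above the learned band is an anomaly and is deliberately not fed back into the baseline. The two series, the smoothing factor and the thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List

# Constructed series of bytes out per window, in MB (not real measurements).
SERIES = [100, 110, 95, 105, 100, 98, 102, 2000, 104]   # one burst: data upload
RAMP = list(range(100, 300, 20))                        # slow, steady increase


@dataclass
class Baseline:
    """EWMA baseline of one metric for one host."""
    alpha: float = 0.2     # adaptation speed: how quickly the baseline follows drift
    k: float = 4.0         # deviations above the mean that count as anomalous
    floor: float = 0.5     # minimum relative margin so a flat history does not alert on noise
    warmup: int = 5        # samples to learn before any alert is raised
    mean: float = 0.0
    dev: float = 0.0
    n: int = 0

    def threshold(self) -> float:
        return self.mean + max(self.k * self.dev, self.floor * self.mean)

    def observe(self, x: float) -> bool:
        """Feed one sample; return True if it is anomalous.

        Anomalous samples are not folded into the baseline, otherwise one burst
        would raise the band and hide the next one.
        """
        if self.n == 0:
            self.mean, self.n = x, 1
            return False
        anomalous = self.n >= self.warmup and x > self.threshold()
        if not anomalous:
            err = x - self.mean
            self.mean += self.alpha * err
            self.dev += self.alpha * (abs(err) - self.dev)
        self.n += 1
        return anomalous


def detect(series: List[float], **params) -> List[int]:
    """Indices of anomalous samples in a series."""
    b = Baseline(**params)
    return [i for i, x in enumerate(series) if b.observe(x)]


if __name__ == "__main__":
    print("burst series, anomalies at:", detect(SERIES))
    print("ramp series, anomalies at:", detect(RAMP))
```

The ramp series is the known weakness of any adaptive baseline: an attacker who increases exfiltration gradually stays inside a band that keeps moving up with them. That is why the slide lists baselining next to behavior patterns and reputation data rather than on its own.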
Advanced malware
78 port scans? DNS anomalies?
Let's see the scans first. OK, users cannot access the web. Are the DNS anomalies related?
OK, which DNS server is being used? 192.168.0.53? That is a notebook! How did this happen?
Let's look at the details… Laptop 192.168.0.53 is acting as a DHCP server in the network.
Malware-infected device: trying to redirect and bridge traffic, attack modification, sensitive data upload.
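The three findings from the walk-through above (port scans, a rogue DHCP server, clients resolving DNS through it) as detectors over flow records, written as an added example for this page and not as Flowmon ADS's detection rules. The flow records are constructed; the authorized DHCP server and resolver addresses and the scan threshold are assumptions a deployment would configure.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    bytes: int


def synthetic_flows() -> List[Flow]:
    """Constructed flow records for the three scenarios in the slides (not real captures)."""
    flows = []
    # 1) Host 10.0.5.20 probes 30 ports on 10.0.0.10: one 44-byte SYN per flow, no reply.
    flows += [Flow("10.0.5.20", "10.0.0.10", "TCP", 40000 + p, p, 1, 44) for p in range(1, 31)]
    # 2) The real DHCP server 10.0.0.2 and a laptop 192.168.0.53 both answer DHCP (UDP 67 -> 68).
    flows.append(Flow("10.0.0.2", "255.255.255.255", "UDP", 67, 68, 1, 342))
    flows.append(Flow("192.168.0.53", "255.255.255.255", "UDP", 67, 68, 1, 342))
    # 3) A client resolves through the laptop instead of the corporate resolver 10.0.0.53.
    flows.append(Flow("10.0.5.31", "192.168.0.53", "UDP", 51000, 53, 1, 60))
    flows.append(Flow("10.0.5.32", "10.0.0.53", "UDP", 51001, 53, 1, 60))
    # Ordinary web traffic that must not trigger anything.
    flows.append(Flow("10.0.5.32", "203.0.113.10", "TCP", 52000, 443, 40, 21000))
    return flows


def detect_port_scans(flows: List[Flow], min_ports: int = 20) -> Dict[str, int]:
    """Sources touching many distinct (host, port) targets with tiny TCP flows."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "TCP" and f.packets <= 2:   # SYN (+ maybe RST): no established session
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


def detect_rogue_dhcp(flows: List[Flow], authorized: Set[str]) -> Set[str]:
    """Anything sending from UDP/67 to UDP/68 that is not an authorized DHCP server."""
    return {f.src for f in flows
            if f.proto == "UDP" and f.sport == 67 and f.dport == 68 and f.src not in authorized}


def detect_dns_bypass(flows: List[Flow], resolvers: Set[str]) -> Dict[str, Set[str]]:
    """Clients sending DNS to a resolver that is not on the approved list."""
    out = defaultdict(set)
    for f in flows:
        if f.dport == 53 and f.dst not in resolvers:
            out[f.src].add(f.dst)
    return dict(out)


if __name__ == "__main__":
    flows = synthetic_flows()
    print("port scans:", detect_port_scans(flows))
    print("rogue DHCP:", detect_rogue_dhcp(flows, {"10.0.0.2"}))
    print("DNS bypass:", detect_dns_bypass(flows, {"10.0.0.53"}))
```

Each detector alone is noisy (a vulnerability scanner looks like a port scan, a lab VM looks like a rogue DHCP server); the story on the slides is the correlation, where the DNS-bypass destination and the rogue-DHCP source turn out to be the same laptop.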
Flowmon ADS use case
Use case: network intrusion
• Risk: identity theft, theft of user credentials
• Risk cost (SMB): 45k € per leak
• Flowmon CAPEX: 19k €
• Break-even: a single leak
Sometimes we experience a situation when an employee brings his or her own device and tries to connect it to the network. The biggest issues are caused by devices running a DHCP server service. It took us quite a while to locate such a device before. Today, we identify a fake DHCP server in our network immediately thanks to Flowmon ADS.
Flowmon ADS utilizes sophisticated algorithms and machine learning to automatically identify network anomalies and risks that bypass traditional solutions such as firewall, IDS/IPS or antivirus.
Flowmon Detection Capabilities
• Attacks: port scanning, dictionary attacks, DoS, DDoS, Telnet, VoIP/PBX…
• Traffic anomalies: DNS, DHCP, ICMP, multicast…
• Unwanted applications: P2P networks, instant messaging, anonymization services (TOR)…
• Anomalies in device behaviour: change of the long-term behaviour or profile of a device…
• Operational problems: delays, excessive load, unresponsive services, broken updates…
• Internal security issues: viruses, malware, ransomware, botnets, outgoing SPAM, potential data leakage…
Monitoring & Anomaly Detection – SCADA / ICS
Diagram: SCADA network with OPC server, application / file server, database server, engineering station, HMI stations, router and OT firewall; RTU/PLCs with current, voltage, pressure and level sensors, a relay and a pump; wired or wireless links to the enterprise / outside world. Flowmon probes export NetFlow data to a Flowmon collector, which learns baselines and diagnoses the NetFlow data.
Threats shown: attacker, ransomware, botnet infection, data upload.
Security gaps: patching, removable media (USB etc.), interconnection and no NAC; segmentation (DMZ, WiFi, PCN…) is missing in the security design, and so is deep network visibility.
Advantage: flows in a SCADA network are stable, so a learned baseline is meaningful.
Admin receives an alert or notification: malware infection, fileshare anomaly, data upload.
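The "learning baselines" step for a network whose flows are stable, as an added example (not Flowmon's implementation): every communication relation seen during a learning window becomes the baseline, and after that window any flow with a relation outside it is an alert. The ICS traffic, addresses and timing are constructed assumptions; Modbus/TCP on port 502 and MS SQL on 1433 are the only real conventions used.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since monitoring started
    src: str
    dst: str
    proto: str
    dport: int
    bytes: int


Relation = Tuple[str, str, str, int]   # (src, dst, proto, dport)


def relation(f: Flow) -> Relation:
    return (f.src, f.dst, f.proto, f.dport)


def synthetic_flows() -> List[Flow]:
    """Constructed ICS traffic (not a real capture)."""
    flows = []
    for ts in range(0, 7200, 5):          # HMI polls the PLC over Modbus/TCP every 5 s
        flows.append(Flow(ts, "10.10.1.5", "10.10.2.11", "TCP", 502, 260))
    for ts in range(0, 7200, 60):         # OPC server writes to the historian DB every minute
        flows.append(Flow(ts, "10.10.1.7", "10.10.1.30", "TCP", 1433, 4096))
    flows.append(Flow(900, "10.10.1.20", "10.10.2.11", "TCP", 502, 12000))  # engineer's project download
    # After the learning window: the HMI beacons to an outside host and the engineering
    # station opens an SMB session to a file server it never talked to before.
    flows.append(Flow(5400, "10.10.1.5", "198.51.100.7", "TCP", 443, 1500))
    flows.append(Flow(5405, "10.10.1.20", "10.10.1.8", "TCP", 445, 900000))
    return flows


def learn(flows: List[Flow], learning_seconds: int) -> Set[Relation]:
    """Baseline: every communication relation seen during the learning window."""
    return {relation(f) for f in flows if f.ts < learning_seconds}


def detect_new_relations(flows: List[Flow], baseline: Set[Relation],
                         learning_seconds: int) -> List[Flow]:
    """Once learning is over, any flow whose relation is not in the baseline is an alert."""
    return [f for f in flows if f.ts >= learning_seconds and relation(f) not in baseline]


if __name__ == "__main__":
    flows = synthetic_flows()
    baseline = learn(flows, learning_seconds=3600)
    for rel in sorted(baseline):
        print("learned:", rel)
    for f in detect_new_relations(flows, baseline, 3600):
        print(f"ALERT t={f.ts}s {f.src} -> {f.dst}:{f.dport} {f.bytes} bytes")
```

The learned set is small enough in an ICS network to be reviewed line by line against the engineering documentation, and that review is not optional: whatever is already talking during the learning window, including an existing infection, becomes "normal". Extending the window to cover the whole trace makes the two alerts disappear, which is the same weakness seen from the other side.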
Value Proposition: Next Generation Network Security – Behavior Analysis & Anomaly Detection
• Detects and alerts on abnormal behaviors
• Reports anomalies and advanced persistent threats
• Detects intrusions and attacks not visible to standard signature-based tools
• Covers gaps left by standard perimeter and endpoint security tools
• Covers both IT (enterprise/ISP) and OT (SCADA/ICS) environments
Gartner: "Blocking and prevention is not sufficient. After you deployed firewall and IPS, you should implement network behavior analysis to identify problems that are undetectable using other techniques."
Security Tools
Inline tools: intrusion prevention systems (IPS), firewalls and next-generation firewalls (NGFWs), data loss prevention (DLP) systems, unified threat management (UTM) systems, SSL decryption appliances, web application firewalls (WAF)
Out-of-band tools: intrusion detection systems (IDS), behavior analysis systems, forensic tools, data recording, packet capture (PCAP) tools, malware analysis tools, log management systems
Flowmon belongs to the out-of-band group: it works from a SPAN/mirror port or TAP copy of the traffic.
Flowmon Probe
• High-performance standalone probe, source of IPFIX
• L2/L3 invisible, transparent to the monitored network
• L2, L3, L4 and L7 (application) deep network-layer visibility
• Deep packet inspection, data traffic recording
• Rack-mountable hardware and virtual appliances
• SPAN / mirror port or TAP connection
• 10/100/1G to 100G network traffic monitoring
Flowmon Collector
• Long-term storage of statistics from multiple flow data sources
• Flowmon Monitoring Center: application for collecting and analysing NetFlow/IPFIX/sFlow/jFlow… statistics, delivered as software on the Collector
• Visualization and analysis of network traffic, reporting, alerting
Enterprise Deployment
Diagram: datacenter with two core switches and DC switches, an FM Collector, and FM Probes running the APM, NPMD and ADS modules; further FM Probes at the Internet edge and in two branch offices.
Technology Landscape
Main drivers for Network Visibility
• Troubleshooting network performance: "When applications run slowly or stop working, you need real-time network diagnosis to pinpoint the root cause."
• Protecting and securing the network: "If you aren't proactively and continuously monitoring network traffic using total visibility, you're leaving your organization vulnerable to cybersecurity threats."
• Proactive monitoring for SLAs: "The growing use of cloud environments means you have an increasing number of sites and platforms to monitor, each with its own Service Level Agreements in place."
• Optimizing performance of complex network infrastructure: "Monitoring tools you use will help you achieve excellent performance, but only if you are seeing all the data in a timely manner."
• Monitoring application performance and reliability: "Network-centric applications must be continuously and precisely monitored for reliability and performance."
Flowmon Networks a.s., U Vodárny 2965/2, 616 00 Brno, Czech Republic, www.flowmon.com
Thank you for your attention!