Re: NetFlow for IDS
From: Roland Dobbins (rdobbins_at_cisco.com)
Date: 07/23/05
- Previous message: Nick Black: "Re: IDS Signature Confidence"
- In reply to: Fergus Brooks: "Re: NetFlow for IDS"
- Next in thread: Ron Gula: "RE: NetFlow for IDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 23 Jul 2005 10:54:36 -0700
To: ferg@furg.net
We like to think of it more along the lines of having a toolbox full
of tools - the different tools do different things, and so we
encourage their use, singly or in combination, as the circumstances
warrant; they are complementary to one another.
Let's take Arbor; their network-wide statistical anomaly detection
system, Peakflow SP DoS, makes use of NetFlow telemetry and is
intended for use on ISP networks and the DMZs/PoPs of enterprises
with significant public-facing infrastructure. They've also a
behavioral anomaly-detection system called Peakflow/X, which does
communications relationship mapping; that's intended for use on
internal enterprise networks (useful for detecting things such as
compromised hosts which join botnets, initiating communications with
botnet controllers and scanning for other hosts to compromise). The
Arbor tools are mainly used by network operational security (opsec)
teams, who can be thought of as the quick-reaction forces who deal
with DoS attacks, worm outbreaks with DoS-like side-effects, and so
forth.
The CS-MARS system, based upon technology we acquired from Protego,
does network-wide event correlation and has Security Information
Management Systems, or SIMS, functionality. It takes in telemetry
from a variety of sources, including IDS systems, firewalls, VPN
concentrators, as well as syslog and SNMP traps from just about
anything else (Arbor, for example), and sorts the wheat from the
chaff, generating alerts for operationally-significant events. It
can also make use of NetFlow telemetry to perform statistical anomaly-
detection, and correlates that with other forms of telemetry, if
they're available. CS-MARS is also extremely useful when an
organization has various regulatory requirements (Sarbanes-Oxley,
HIPAA, etc.) and there's a need to monitor and demonstrate compliance
(information security, or infosec teams are often tasked with
compliance monitoring and enforcement, and find this functionality
quite valuable).
The Guard, based upon technology we acquired from Riverhead, is a
mitigation system used to protect public-facing properties such as
Web sites, DNS servers, SMTP servers, etc. from DoS (we use DoS and
DDoS interchangeably, as so many DoS are distributed, these days),
and it does so by utilizing statistical profiling techniques to
determine what's normal in terms of traffic headed towards said
servers, so that during an attack it can seine out and drop the bad
traffic while allowing the good traffic to pass.
Arbor Peakflow SP can serve as the trigger for a BGP-enabled Remotely-
Triggered Blackhole (RTBH), and we have worked with them to integrate
it with the Guard. We've also a Detector which is based upon
technology acquired from Riverhead, and is integrated with the Guard;
it is intended for use with the Guard for task-specific detection.
The Detector is easy to set up and plug into a SPAN port, and is
focused on traffic headed to zones protected by the Guard (it's not a
network-wide detection system like Arbor or CS-MARS; it's
correspondingly simple to deploy).
An example of how some of these complementary tools are used together
may be found here:
http://www.cisco.com/go/cleanpipes
IDS systems have been around for a while, so I think most folks are
familiar with how they operate. Complementing anomaly-detection with
signature-based detection ensures that both well-known as well as new
threats can be identified and dealt with appropriately.
By combining the above with protocol analyzers and other forms of
instrumentation, we now have a rich toolkit for detection/
identification, classification, traceback, and reaction at both the
macroanalytical and microanalytical levels and on public-facing
networks as well as internal networks. Network operators and
security personnel can select the tools which are optimal for their
environments, goals, organizational responsibilities, and operational
models.
I hope this helps!
On Jul 20, 2005, at 11:58 PM, Fergus Brooks wrote:
>snip<
>
> Also Cisco are investors in Arbor and have incorporated Riverhead. The
> Riverhead stuff is very good at dealing with anomalous traffic, and
> they are also pushing MARS as some kind of anomaly detection solution.
> I have also heard that there is some protocol anomaly detection in
> Cisco IDS.
>
> As a representative of Cisco, Gary, perhaps you could let us all know
> what Cisco's roadmap is for these supposedly competing products they
> have invested in? I am confused!
>
>snip<
------------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
. . . functions placed at low levels of a system may be redundant or of
little value when compared with the cost of providing them at that low
level.
-- Saltzer, Reed & Clark, "End-to-End Arguments in Systems Design"
------------------------------------------------------------------------
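The three checks Roland describes above (a statistical baseline over NetFlow telemetry that flags a volumetric anomaly toward a server, profiling of what is normal toward that server so the bad traffic can be dropped while the good traffic passes, and relationship mapping that catches an internal host scanning its neighbours), as an added worked example that is not part of the original message and is not Cisco or Arbor code. The flow records are constructed to resemble NetFlow v5 aggregates over one-minute bins; the k=3 threshold, the 5% floor on the spread, the bytes-per-packet tolerance and the RTBH route tag are assumptions chosen for the sample, not vendor defaults.

```python
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

# One aggregated flow record; field names follow NetFlow v5 export (dPkts,
# dOctets) loosely.  A real collector gives start/end timestamps; here an
# integer time_bin stands in for a one-minute aggregation window.
Flow = namedtuple("Flow", "time_bin src dst proto dport pkts octets")

# Constructed sample telemetry (not real captures):
#   bins 0-5: five clients talk HTTP to the web server 192.0.2.10 (1200 B/pkt)
#   bin 5:    forty spoofed sources SYN-flood the same server (40 B/pkt)
#   bin 5:    internal host 10.0.0.7 touches 90 peers on 445/TCP, one packet each
FLOWS = (
    [Flow(b, f"198.51.100.{i}", "192.0.2.10", 6, 80, 40, 48_000)
     for b in range(6) for i in range(1, 6)]
    + [Flow(5, f"203.0.113.{i}", "192.0.2.10", 6, 80, 2_000, 80_000)
       for i in range(1, 41)]
    + [Flow(5, "10.0.0.7", f"10.0.{j}.{k}", 6, 445, 1, 60)
       for j in range(3) for k in range(1, 31)]
    + [Flow(5, "10.0.0.8", "10.0.0.50", 6, 445, 30, 9_000)]
)


def octets_per_bin(flows, dst):
    """Total bytes toward dst in each time bin (the macroanalytical view)."""
    per_bin = defaultdict(int)
    for f in flows:
        if f.dst == dst:
            per_bin[f.time_bin] += f.octets
    return per_bin


def volumetric_anomalies(flows, dst, train_bins, k=3.0):
    """Peakflow-SP/MARS-style statistical check: learn mean and stdev of bytes
    toward dst over the training bins, flag later bins above mean + k*stdev.
    Returns {bin: octets} for the anomalous bins."""
    per_bin = octets_per_bin(flows, dst)
    sample = [per_bin[b] for b in train_bins]
    mu, sigma = mean(sample), pstdev(sample)
    # A flat baseline has sigma == 0; floor it at 5% of the mean so the
    # threshold never collapses onto the mean itself (tuning assumption).
    spread = max(sigma, 0.05 * mu)
    return {b: v for b, v in per_bin.items()
            if b not in train_bins and v > mu + k * spread}


def profile_sources(flows, dst, time_bin, train_bins, tolerance=0.5):
    """Guard-style profiling: learn the normal bytes-per-packet toward dst,
    then split the sources seen in the attack bin into those that fit the
    profile (pass) and those far outside it (drop).  A flood of 40-byte SYNs
    stands out against 1200-byte HTTP flows."""
    def bpp(records):
        p = sum(f.pkts for f in records)
        return sum(f.octets for f in records) / p if p else 0.0
    baseline = bpp([f for f in flows if f.dst == dst and f.time_bin in train_bins])
    passed, dropped = set(), set()
    for f in flows:
        if f.dst == dst and f.time_bin == time_bin:
            fits = abs(f.octets / f.pkts - baseline) <= tolerance * baseline
            (passed if fits else dropped).add(f.src)
    return passed, dropped


def fanout_anomalies(flows, time_bin, min_peers=20, max_pkts_per_flow=2):
    """Peakflow/X-style relationship mapping: per source, count distinct peers
    in the bin.  A host opening tiny one-packet flows to many peers is
    scanning, which is how a freshly compromised bot looks on internal telemetry."""
    peers, pkts = defaultdict(set), defaultdict(list)
    for f in flows:
        if f.time_bin == time_bin:
            peers[f.src].add(f.dst)
            pkts[f.src].append(f.pkts)
    return {s for s in peers
            if len(peers[s]) >= min_peers and mean(pkts[s]) <= max_pkts_per_flow}


def rtbh_trigger_route(victim, tag=66):
    """IOS static route a trigger router originates for a destination-based RTBH.
    The tag value is site-specific (assumed here); a redistribute route-map
    matches it and sets the discard next-hop and no-export.  This blackholes
    the victim entirely, which is why a Guard in front of the target is the
    finer instrument when one is available."""
    return f"ip route {victim} 255.255.255.255 Null0 tag {tag}"


if __name__ == "__main__":
    train, target = range(5), "192.0.2.10"
    for b, octets in volumetric_anomalies(FLOWS, target, train).items():
        ok, bad = profile_sources(FLOWS, target, b, train)
        print(f"bin {b}: {octets} B toward {target}; pass {len(ok)} sources, drop {len(bad)}")
        print("blunt fallback:", rtbh_trigger_route(target))
    print("scanning hosts in bin 5:", fanout_anomalies(FLOWS, 5))
```

On the sample, bin 5 trips the volumetric check at roughly fourteen times the baseline, the profiler passes the five HTTP clients and drops the forty flood sources, and 10.0.0.7 is the only host with a scan-shaped fan-out. In production the baseline would be learned per time-of-day over weeks rather than five bins, and the records would come from a collector decoding binary NetFlow export rather than a list literal; the structure of the checks is the same.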