Monday, December 3, 2018

SDN Monitoring

  • NetFlow is a feature that was introduced on Cisco routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion

https://en.wikipedia.org/wiki/NetFlow


  • Why Use NetFlow

Network Monitoring:
network operations (NetOps) and security operations (SecOps) teams can monitor when and how frequently users access an application in the network.

Network Planning: Team can use NetFlow to track and anticipate network growth. For example, they can plan upgrades to increase the number of ports, routing devices or higher-bandwidth interfaces needed to meet growing demand

Security Analysis: With NetFlow, security teams can detect changes in network behavior to identify anomalies indicative of a security breach. The data is also a valuable forensic tool to understand and replay the history of security incidents so security teams can learn from them

https://blog.gigamon.com/2018/01/08/what-is-netflow/



  • Automating  Provisioning  of  NetFlow Analyzers


The solution proposed automates the provisioning of the NetFlowanalyzer groups using the central repository. In an environment which is dynamic or has a lot of host’s, automation is a must to avoid the configurations being out of sync.
If the central database contains detailed information about all the allowed network flows, then this solution can be extended to automate the generation of customer defined flow whitelisting rule.
The NetFlowanalyzer will alert on any flows which are anomalous.
This rule can be very useful to detect any lateral or abnormal flows by malicious users or programs communicating using an unknown protocol or host.
NetFlowanalyzer, in conjunction with automation, is a great tool to implement detective controls to address Center for Internet Security control
#9:Limitation and Control of Network Ports,Protocols,Services as well as control
#12: Boundary Defense.
https://www.sans.org/reading-room/whitepapers/critical/automating-provisioning-netflow-analyzers-37272
  • Center for Internet Security (CIS) releases a prioritized list of twenty security controls, named as Critical Security Controls(CSC).

This document focuses on using NetFlowanalyzer as a tool to address portions of the following CIS Security Controls.

2.1.CSC  #1  Inventory  of  Authorized  and  Unauthorized  Devices
An accurate inventory of the hardware is one of the most important security hygiene.
NetFlowcan passively detect any IP device in the network. Routers and switches will export the metadata for all network conversations and forward it to the NetFlowcollector.IP addresses are available from the source and destination IP address fields in the NetFlowrecord.The NetFlowanalyzer will use the flow information from the collector and generate an alert if it detects any unknown IP device (not configured in the analyzer) in the network.

2.2.CSC  #3  Secure  Configuration  of  Hardware  and  Software
The control recommends automated monitoring and alerting on unexpected open ports or use of insecure protocols liketelnet, VNC, RDP, and other insecure protocols.
NetFlowrecords contain the network layer-4 attributes, source and destination ports. This information from the NetFlowcan be used by the NetFlowanalyzer to detect and report on any new listening port in the Network. The source and destination ports can also be used to alert on the usage of any insecure protocol based on the standard port numbers used for such communications.

2.1.CSC  #8  Malware  Defenses
The goal of this control is to detect and contain the installation, execution, and spread of Malware.NetFlowcan be use used to detect malware based on its behavior or anomaly in the network behavior. Communication attempts or actual communication from IP-devices to known command and control or a blacklisted site can be alerted based on the IP address stored in the NetFlowrecords. Other typical malware behavior like a lateral movement across the network, host or port scans originating from unexpected network devices, attempt to use an unauthorized DNS server, network traffic pattern deviations indicating possible data exfiltration’s, Denial of Service or Distributed Denial of Service can be alerted

2.2.CSC  #9  Limitations  and  Control  of  Network  Ports,  Protocols,  and  Services
The goal of this control is to monitor and manage the use of ports, protocol,and services on any networked device.The intention is to remediate the use of unknown port or service immediately to reduce the attack surface by removing any potentiallyvulnerable services or remote listening ports.
NetFlowbased detection can complement the standard network scanner based or local listening port detection.
Advancedmalicious software can evade detection by portscanners by closing the ports during the scan window. This evasion is not possible if NetFlowis used to complement the port scans.

2.3.CSC  #12  Boundary  Defense
NetFlowadds another layer of detection for this control. NetFlowadds another layer of detection for this control. A NetFlowanalyzer configured with flow whitelist across the trust boundaries can alert on any network anomaly.NetFlowanalyzers can alert based on the number of packets, bytes of data transferred, rate and thresholds of ingress or egress connections, long running TCP sessions, egress or ingress connections from blacklisted IP to or from the DMZ systems, or any other network behavior anomaly.

2.4.CSC  #13  Data  Protection
This critical control is about tools and processes to prevent data exfiltration, mitigate the effect of exfiltrated data and ensure the confidentiality and integrity of sensitive data
NetFlowdoes not have access to the actual network packets traversing the network. It only has the metadata of the network traffic. NetFlowcannot inspect traffic and hence cannot look for patterns in the network trafficto detect data exfiltrationhowever it can detect anomalous traffic. The NetFlowanalyzer can learn the traffic behavior over time and can alert on any deviation from the standard traffic. NetFlowcan also be configured to generate an alert if it detects traffic toaknown file transfer ore-mail exfiltration websites

As previously mentioned, the main issue with the manual provisioning of the tool is it is hard to manage and can quickly be out of sync with the central configuration database. Configuration not aligned with existing setupmakes the system unreliable.  Many security tools, such as Security Incident and Event Managers (SIEMs), Intrusion Detection Systems (IDS), Network Intrusion Prevention Systems (NIPS), Network Behavior Analysis (NBA) and other systems require similar configuration. Configuration items described above like host groups, hosts, port groups, port names, and application (with its correspondingsignature)must be in the Central Configuration Management Database (CMDB). Automated provisioning tools must use the information in CMDB to generate specific provisioning information as required by the product. Automation of provisioning will reduce the manual provisioning errors and ensure that the tools are in sync with the latest information from the CMDB.

NetFlowinformation, supported in most of the routers, switches, and firewalls, with the automated configuration of NetFlowAnalyzer, helps organizations continuously monitor six of the top 20 Critical Controls.

1.A user or a process triggers a provisioning process which updates the central configuration database
2.A process running on the central configuration server frequently checks for any updates to the database. If it detects an update, it dumps configuration files in the format required by the NetFlowAnalyzer tool(server groups, application mapping, ports, and protocols, etc.)
3.The process copies the file to the NetFlowAnalyzer server using SSH PKA-based authentication using a low privileged account in a particular directory
4.A Process running on the NetFlowanalyzer polls for any updated provisioning files then it compares with previous and checks for any update
5.If the provisioning files are updated, it loads the new information into the NetFlowAnalyzer using the interface provided

https://www.sans.org/reading-room/whitepapers/critical/automating-provisioning-netflow-analyzers-37272


  • sFlow® is an industry standard technology for monitoring high speed switched networks. It gives complete visibility into the use of networks enabling performance optimization, accounting/billing for usage, and defense against security threats.



https://sflow.org/


  • How NetFlow Works

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network traffic. By analyzing flow data, a picture of network traffic flow and volume can be built. Using a NetFlow collector and analyzer, you can see where network traffic is coming from and going to and how much traffic is being generated.
https://www.solarwinds.com/what-is-netflow

  • What is NetFlow/J-Flow/sFlow?

NetFlow data is generated by network devices like routers and firewalls. Flow data will generally contain details like source and destination IP addresses, port numbers, protocols, and more.

The term “NetFlow” is proprietary to Cisco, but other vendors have their own versions of “Flow.” For instance, Juniper calls it “J-Flow”, and several vendors, including HP and Fortinet, use “sFlow.”

Implementation details vary from vendor to vendor, but most flavors of xFlow produce the same sort of data. In this article, we’ll refer to all xFlow variants as NetFlow to keep things simple, but be aware that not all tools support the same flavors of Flow.

How to Enable NetFlow
Before you can use one of the free flow analyzers, NetFlow must be enabled on the devices you want to monitor.
https://www.networkmanagementsoftware.com/5-free-netflow-analyzer-tools-for-windows/
  • NetFlow Vs. sFlow: Which is better?


What is a Flow?
A flow is a sequence of packets from a sending application to a receiving application.

What is NetFlow?
NetFlow is a true flow technology whereby cached flow entries in the hardware (e.g. router/switch) aggregate packets based on a matching tuple which is most often a set of seven key fields:

Which scales better sFlow or NetFlow?
Packet sampling can be performed by sFlow or NetFlow which doesn’t scale in a way that is acceptable to most customers.
For example, a massive burst in traffic (E.g. DoS attack) would cause sFlow to sample more as it needs to keep up with 1:N sampling.  With NetFlow, a massive packet volume depending on the attack would likely show up as just a few flows with high packet volumes.  The amount of additional work for NetFlow is minimal especially if we are comparing apple to apples with both technologies implemented in hardware.

NetFlow provides details on 100% of the traffic whereas sFlow often misses the traffic you need to look at making sFlow almost unusable for network threat detection and forensic analysis.

If I have to sample, which should I choose: flow sampling or packet sampling?
If you must sample, flow sampling over packet sampling is the best option

If NetFlow is better than sFlow, why would anyone ever use sFlow?
Many switches today only support sFlow.

https://www.plixer.com/blog/netflow-vs-sflow-2/netflow-vs-sflow-which-is-better/

  • Switch port Analyzer (SPAN) is an efficient, high performance traffic monitoring system. It duplicated network traffic to one or more monitor interfaces as it transverse the switch. SPAN is used for troubleshooting connectivity issues and calculating network utilization and performance, among many others. There are three types of SPANs supported on Cisco products

Local SPAN: Mirrors traffic from one or more interface on the switch to one or more interfaces on the same switch.

Remote SPAN (RSPAN): An extension of SPAN called remote SPAN or RSPAN. RSPAN allows you to monitor traffic from source ports distributed over multiple switches, which means that you can centralize your network capture devices. RSPAN works by mirroring the traffic from the source ports of an RSPAN session onto a VLAN that is dedicated for the RSPAN session. This VLAN is then trunked to other switches, allowing the RSPAN session traffic to be transported across multiple switches. On the switch that contains the destination port for the session, traffic from the RSPAN session VLAN is simply mirrored out the destination port.

Encapsulated remote SPAN (ERSPAN): encapsulated Remote SPAN (ERSPAN), as the name says, brings generic routing encapsulation (GRE) for all captured traffic and allows it to be extended across Layer 3 domains.
https://community.cisco.com/t5/network-architecture-documents/understanding-span-rspan-and-erspan/ta-p/3144951

  • What Is NETCONF

The NETCONF protocol defines a simple mechanism through which a network device can be managed, configuration data information can be retrieved, and new configuration data can be uploaded and manipulated.
http://sdntutorials.com/what-is-netconf/

  • What Is RESTCONF

RESTCONF Overview
    A REST like protocol running over HTTP for accessing data defined in YANG using datastores defined in NETCONF.
http://sdntutorials.com/what-is-restconf/

Step 3. Understanding how to interface with a RESTCONF API
https://developer.cisco.com/learning/modules/dna-restconf-netconf-yang/lab03-using-restconf-to-interface-with-networking-devices/step/3
DEVNET-1152 OpenDaylight YANG Model Overview and Tools 
https://www.slideshare.net/CiscoDevNet/devnet-1152-open-daylight-yang-model-overview-tools
Model-driven Programmability: The Rise of Network Automation
https://blogs.cisco.com/getyourbuildon/model-driven-programmability
Simplifying Network Programmability with Model-Driven APIs
https://d1nmyq4gcgsfi5.cloudfront.net/site/ydk/documents/overview/