Network as a sensor
Dragan Novakovic
Security Consulting Systems Engineer
Stealthwatch Enhances Visibility Across your Entire Network

Cisco Stealthwatch cycle: Monitor, Detect, Analyze, Respond

• Gain unique visibility across your business
• Simplify segmentation throughout your networks
• Address threats faster

• Enable your network to take action
• Extend visibility and granular access control to your remote branches
• Prevent the lateral movement of threats in the data center

• Protect your critical information
• Simplify policy enforcement and data center segmentation
• Accelerate incident response

• Gain enhanced visibility into the cloud
• Make the cloud a part of your segmentation strategy
• Identify threats quickly and take action
Flow stitching: two unidirectional records become one client/server conversation

Client 10.2.2.2 port 1024 (seen on eth0/1)  <->  Server 10.1.1.1 port 80 (seen on eth0/2)

Unidirectional records as exported:

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712

Stitched bidirectional record:

Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2
Scaling Visibility: NetFlow Deduplication

The same conversation 10.2.2.2:1024 <-> 10.1.1.1:80 is exported by three routers:

Router A: 10.2.2.2:1024 -> 10.1.1.1:80   (duplicate of Router B's record)
Router B: 10.2.2.2:1024 -> 10.1.1.1:80
Router C: 10.1.1.1:80 -> 10.2.2.2:1024   (the 10.1.1.1 port 80 side)

• Without deduplication:
  • Traffic volume can be misreported
  • False positives would occur
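The two slides above (flow stitching and NetFlow deduplication) describe one collector step. The following is an added example, not Cisco code or Stealthwatch internals: it takes unidirectional records from several exporters, collapses exact duplicates, stitches the two halves into one client/server record, and shows how the byte total is misreported when duplicates are counted. The records are constructed to match the slide's 10.2.2.2:1024 -> 10.1.1.1:80 case; the duplicate key and the "lower port is the server" role assignment are assumptions of this example.

```python
"""Flow stitching and NetFlow deduplication (added example, not Cisco code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    start: str        # "HH:MM:SS.mmm"; lexicographic order equals time order
    exporter: str
    interface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    nbytes: int


# Constructed sample: routers A and B both export the client->server half,
# router C exports the server->client half (as on the slide).
RECORDS = [
    FlowRecord("10:20:12.221", "Router A", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("10:20:12.221", "Router B", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("10:20:12.871", "Router C", "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
]


def naive_total_bytes(records):
    """What a report shows without deduplication: every exported copy is counted."""
    return sum(r.nbytes for r in records)


def deduplicate(records):
    """Collapse copies of one unidirectional flow reported by several exporters.

    Duplicate key (assumption): same 5-tuple, start time and counters.
    Returns one representative per key plus the interfaces/exporters that saw it.
    """
    groups = {}
    for r in records:
        key = (r.src_ip, r.src_port, r.dst_ip, r.dst_port, r.proto, r.start, r.pkts, r.nbytes)
        groups.setdefault(key, []).append(r)
    return [(dups[0], {d.interface for d in dups}, {d.exporter for d in dups})
            for dups in groups.values()]


def client_server(r):
    """Assign client/server roles. Assumption: the endpoint with the lower port
    is the server; a real collector also uses TCP flags and first-seen direction."""
    a = (r.src_ip, r.src_port)
    b = (r.dst_ip, r.dst_port)
    return (a, b) if a[1] > b[1] else (b, a)


def stitch(records):
    """Build bidirectional conversation records from de-duplicated halves."""
    convs = {}
    for r, ifaces, exporters in deduplicate(records):
        client, server = client_server(r)
        c = convs.setdefault((client, server, r.proto), {
            "start": r.start,
            "client_ip": client[0], "client_port": client[1],
            "server_ip": server[0], "server_port": server[1],
            "proto": r.proto,
            "client_bytes": 0, "client_pkts": 0,
            "server_bytes": 0, "server_pkts": 0,
            "interfaces": set(), "exporters": set(),
        })
        c["start"] = min(c["start"], r.start)   # earliest half starts the conversation
        if (r.src_ip, r.src_port) == client:
            c["client_bytes"] += r.nbytes
            c["client_pkts"] += r.pkts
        else:
            c["server_bytes"] += r.nbytes
            c["server_pkts"] += r.pkts
        c["interfaces"] |= ifaces
        c["exporters"] |= exporters
    return list(convs.values())


def total_bytes(conversations):
    """Byte total after stitching and deduplication."""
    return sum(c["client_bytes"] + c["server_bytes"] for c in conversations)


if __name__ == "__main__":
    convs = stitch(RECORDS)
    for c in convs:
        print(c)
    print("naive total:", naive_total_bytes(RECORDS), "stitched total:", total_bytes(convs))
```

With the three sample records the naive sum counts the 1025-byte client half twice (30762 bytes), while the stitched record reports 1025 client bytes and 28712 server bytes (29737 bytes) and lists both interfaces that saw the conversation.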
(diagram: a conversation record annotated with Where, What, When and Who)

• Highly scalable (enterprise-class) collection
• Stitched and de-duplicated
• High compression => long-term storage
• Conversational representation
• Months of data retention

• Highly scalable data collection and compression
• Enables months of data retention
See and detect more in your network with Stealthwatch
(diagram: more context, e.g. security group)
Best practice: classify all known IP addresses into one or more host groups
Locate Assets
• Alarm dashboard showing all policy alarms
• Details of "Employee to Production Servers" alarm occurrences
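The best practice above (classify every known IP into one or more host groups) is what makes a policy alarm such as "Employee to Production Servers" expressible. The following added example, not Cisco code, shows the idea: host groups are CIDR ranges, a policy names a client group and a server group, and conversations are checked against it; hosts that belong to no group are reported so the classification can be completed. The group ranges, the policy and the sample conversations are constructed for this example.

```python
"""Host groups and host-group policy alarms (added example, not Cisco code)."""
import ipaddress

# Constructed host groups: a host may belong to more than one group.
HOST_GROUPS = {
    "Employees": ["10.2.0.0/16"],
    "Production Servers": ["10.1.1.0/24"],
    "Inside Hosts": ["10.0.0.0/8"],
}

# Constructed policy list: (client group, server group, alarm name).
POLICIES = [
    ("Employees", "Production Servers", "Employee to Production Servers"),
]

# Constructed stitched conversation records (client/server already assigned).
CONVERSATIONS = [
    {"client_ip": "10.2.2.2", "server_ip": "10.1.1.1", "server_port": 80, "proto": "TCP"},
    {"client_ip": "10.2.7.9", "server_ip": "10.1.1.5", "server_port": 22, "proto": "TCP"},
    # server-to-server traffic: not covered by the policy
    {"client_ip": "10.1.1.1", "server_ip": "10.1.1.5", "server_port": 3306, "proto": "TCP"},
    # client in no host group: a classification gap, not an alarm
    {"client_ip": "192.168.50.4", "server_ip": "10.1.1.1", "server_port": 443, "proto": "TCP"},
]


def host_groups(ip):
    """All host groups whose ranges contain ip (empty list if unclassified)."""
    addr = ipaddress.ip_address(ip)
    return [name for name, nets in HOST_GROUPS.items()
            if any(addr in ipaddress.ip_network(net) for net in nets)]


def evaluate(conversations):
    """Return (alarms, unclassified).

    alarms: one entry per conversation that matches a policy.
    unclassified: IPs that belong to no host group, i.e. where the
    "classify all known IP addresses" best practice is not yet met.
    """
    alarms = []
    unclassified = set()
    for conv in conversations:
        client_groups = host_groups(conv["client_ip"])
        server_groups = host_groups(conv["server_ip"])
        for ip, groups in ((conv["client_ip"], client_groups),
                           (conv["server_ip"], server_groups)):
            if not groups:
                unclassified.add(ip)
        for client_group, server_group, name in POLICIES:
            if client_group in client_groups and server_group in server_groups:
                alarms.append({
                    "alarm": name,
                    "client_ip": conv["client_ip"],
                    "server_ip": conv["server_ip"],
                    "server_port": conv["server_port"],
                    "proto": conv["proto"],
                })
    return alarms, unclassified


if __name__ == "__main__":
    found, gaps = evaluate(CONVERSATIONS)
    for a in found:
        print("ALARM", a)
    print("unclassified hosts:", sorted(gaps))
```

Only the two conversations whose client is in "Employees" and whose server is in "Production Servers" raise the alarm; the server-to-server conversation does not, and the 192.168.50.4 client shows up as an unclassified host rather than as a false alarm.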
Detect Threats

Behavioral and Anomaly Detection Model: behavioral algorithms are applied to build "Security Events"

Alarm Model: summary of aggregated host information (observed communication patterns, user information)

Investigating: Applications (observed applications, some suspicious)

Investigating: Audit Trails (network behavior retroactively analyzed)
Respond to Incidents

Cisco ISE and pxGrid Integration
(diagram: Stealthwatch and ISE exchange context information and mitigation actions over pxGrid)

Real-Time Visibility into All Network Layers
• Data intelligence throughout network
• Discovery of assets
• Network profile context
• Security policy monitoring
• Anomaly detection
• Accelerated incident response

Rapid Threat Containment
(diagram: User -> Switch -> Router -> WAN Router -> Firewall -> Data Center Switch -> Server, with NetFlow exporters along the path; Cisco Stealthwatch Management Console (SMC) and Cisco Identity Services Engine)
For individual platform features, reference the Cisco Feature Navigator: http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/index.jsp
Cisco Stealthwatch architecture (diagram components):
• Cisco Identity Services Engine (ISE)
• Stealthwatch Management Console
• Threat Feed License
• Security Packet Analyzer
• Proxy License
• Flow Sensor (for non-NetFlow enabled equipment)
• Endpoint Concentrator
• Flow Collector
• Flow Sensor VE (with ESX)
• UDP Director
• Learning Network License
• Cloud License
• Network Manager
• Legacy traffic analysis software and network monitoring (fed by the UDP Director)
• NetFlow enabled routers, switches, firewalls
Required Core Components

Stealthwatch Management Console (SMC)
• A physical or virtual appliance that aggregates, organizes, and presents analysis from Flow Collectors, Identity Services Engine (ISE), and other sources.
• User interface to Stealthwatch
• Maximum 2 per deployment
(diagram: Management Console; Flow Collector; UDP Director feeding legacy traffic analysis software; NetFlow enabled routers, switches, firewalls)
Stealthwatch Proxy License

Proxy License: provides syslog information from the proxy (for example, USERNAME john)

Proxy challenges (diagram): User (10.1.8.3) -> Switches -> Proxy (172.168.134.2) -> Routers -> Internet; each leg of the connection appears as its own IP protocol 6 (TCP) flow
nvzFlow

Attributing a flow to:
• Process name
• Process hash
• Process account
• Parent process name
• Parent process hash
• Parent process account

(diagram: AnyConnect with Network Visibility Module -> nvzFlow -> Stealthwatch Endpoint Concentrator -> Stealthwatch Flow Collector)

Stealthwatch Endpoint Concentrator
• Global destination for nvzFlow records
• Forwards flow records to the Flow Collector
Overview:
• Team performs feed validation and independent research and analytics
• The Stealthwatch system enhances your security across the enterprise, providing comprehensive network visibility and intelligence
• Your network is a key asset for threat detection and control
• The Stealthwatch architecture ensures robust and flexible deployment