StealthWatch, as the name itself suggests, is a watching/ analyzing device which works in stealth, that is, hidden. StealthWatch works behind the scenes, stays hidden and analyses the complete traffic flow going through the switches, routers and any other network devices.
StealthWatch is a network flow analysis and visibility tool which can be used for in-depth network traffic flow analysis. It is an industry requirement, and not only for IT companies: every industry should implement such a tool.
StealthWatch can identify almost any kind of attack, such as DoS attacks, injection attacks, insecure data transfer and brute force attacks. It can also be used to detect an insider trying to carry out malicious activities, which is nothing but an insider threat.
Contents:
- What is StealthWatch
- What is NetFlow
- What is Flow
- When is a Flow Record Exported
- Flow Collection and Deduplication
- StealthWatch Components
  - Flow Sensor
  - Flow Collector
  - StealthWatch Management Console
  - UDP Director/ Flow Replicator
  - IDentity
  - SLIC Threat Feed
What is StealthWatch?
StealthWatch is a hardware appliance or virtual appliance created by Cisco for defense-in-depth network traffic flow analysis. It works by collecting flow data from the network devices and analyzing it completely: it builds patterns, correlates records and gives visibility of the complete path of a packet. It works on the NetFlow protocol.
So, what is NetFlow?
NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network traffic. By analyzing flow data, a picture of network traffic flow and volume can be built. Using a NetFlow collector and analyzer, you can see where network traffic is coming from and going to and how much traffic is being generated. Later, Cisco moved to the IPFIX protocol, which is the next version of NetFlow and offers many functionalities that NetFlow can't.
We have been talking about flow, NetFlow, IPFIX and other terms. So, what is a flow?
1) A network flow is a unidirectional sequence of packets that share common characteristics.
2) Flow is the stream of information exchanged between the routing protocols, the routing tables and the forwarding tables, as well as the flow of local packets from the router's physical interfaces to the routing engine.
3) Flow tells you how your network is being used.
4) Flow can provide a 24x7 complete account of all the communications that are occurring across your organization's network environment.
5) Flow provides visibility into port numbers, source, destination and packet counts.
There are different types of flow export such as NetFlow, J-Flow, cflow, IPFIX and so on; each vendor has its own name and protocol.
There are different versions of NetFlow:
NetFlow v5: a fixed or standard format. It has a set number of fields such as source and destination IP, port number, time stamp, protocol etc.
NetFlow v9: Flexible NetFlow, or the "Next Gen" flow format found in most modern NetFlow exporters; supports IPv6, MPLS, multicast and many others.
IPFIX: similar to v9 but standardized and with variable-length fields.
Fields in a NetFlow record:
- Source and destination IP
- Source and destination port
- Start time
- End time
- MAC address
- Byte count etc.
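As an added example (not code from the page or from Cisco), the following Python parses a NetFlow v5 datagram, whose fixed 24-byte header and 48-byte records carry the fields listed above, and checks the record count against the bytes actually received before trusting it; the sample datagram is constructed inline.

```python
import struct

# NetFlow v5 wire layout (big-endian): a 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
HEADER_FIELDS = ("version", "count", "sys_uptime_ms", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input_if", "output_if", "packets",
                 "octets", "first_ms", "last_ms", "srcport", "dstport", "pad1",
                 "tcp_flags", "proto", "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

def ip_str(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def parse_v5(datagram):
    """Parse one NetFlow v5 export datagram into (header dict, list of flow dicts)."""
    hdr = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if hdr["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version={hdr['version']})")
    # The count field comes from the wire; never trust it beyond the bytes actually received.
    if len(datagram) < V5_HEADER.size + hdr["count"] * V5_RECORD.size:
        raise ValueError("truncated datagram: count exceeds payload length")
    # first/last are router-uptime offsets; anchor them to the exporter's wall clock.
    boot_time = hdr["unix_secs"] + hdr["unix_nsecs"] / 1e9 - hdr["sys_uptime_ms"] / 1000
    flows = []
    for i in range(hdr["count"]):
        offset = V5_HEADER.size + i * V5_RECORD.size
        r = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(datagram, offset)))
        flows.append({
            "src": ip_str(r["srcaddr"]), "dst": ip_str(r["dstaddr"]),
            "sport": r["srcport"], "dport": r["dstport"], "proto": r["proto"],
            "packets": r["packets"], "octets": r["octets"], "tcp_flags": r["tcp_flags"],
            "start": boot_time + r["first_ms"] / 1000, "end": boot_time + r["last_ms"] / 1000,
        })
    return hdr, flows

def build_sample_datagram():
    """Constructed v5 export: one TCP flow 10.0.0.5:40000 -> 10.0.0.9:22 that ended with FIN."""
    header = V5_HEADER.pack(5, 1, 120_000, 1_700_000_000, 0, 1, 0, 0, 0)
    record = V5_RECORD.pack(0x0A000005, 0x0A000009, 0, 1, 2, 3, 172, 100_000, 101_000,
                            40000, 22, 0, 0x11, 6, 0, 0, 0, 24, 24, 0)
    return header + record
```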
So, explaining briefly:
When two computers on the same network begin to communicate, the packets of that communication cross the multi-layer switches, where the flow is recorded. Later the records are exported to an intelligent database on the network called the flow collector.
NetFlow/ IPFIX collects the data from the network devices and sends it to another device called the flow collector, where all the data is stored in tables for later use.
When is a flow record exported?
- End of flow: when the reset (RST) or finish (FIN) flag is in the packet.
- Inactive timeout: when the flow has been inactive longer than 15 secs, it is exported from the cache.
- Active timeout: when the flow has been active longer than 1 min.
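As an added illustration of the three export conditions above (not code from the page or from Cisco), here is a minimal Python model of an exporter's flow cache run over a constructed packet trace; the 15-second and 1-minute values are the ones stated above, while the 5-tuple keying and the per-packet timer check are assumptions of the model.

```python
from dataclasses import dataclass
INACTIVE_TIMEOUT, ACTIVE_TIMEOUT = 15.0, 60.0   # seconds; the values stated on the page
TCP_FIN_OR_RST = 0x01 | 0x04                     # TCP flag bits that end a flow
@dataclass
class FlowRecord:
    key: tuple            # (src_ip, dst_ip, src_port, dst_port, proto); keying is an assumption
    first: float          # flow start time
    last: float           # time of the most recent packet
    packets: int = 0
    octets: int = 0
    reason: str = ""      # why the record left the cache

class FlowCache:
    """Simplified exporter-side flow cache (constructed model, not vendor code)."""
    def __init__(self):
        self.active = {}

    def expire(self, now):
        # Export flows idle longer than 15 s or alive longer than 1 min.
        out = []
        for key, rec in list(self.active.items()):
            idle, alive = now - rec.last > INACTIVE_TIMEOUT, now - rec.first > ACTIVE_TIMEOUT
            if idle or alive:
                rec.reason = "inactive-timeout" if idle else "active-timeout"
                out.append(self.active.pop(key))
        return out

    def observe(self, ts, src, dst, sport, dport, proto, length, tcp_flags=0):
        # Account one packet; return the records exported as a result.
        exported = self.expire(ts)            # timers are checked on every packet
        key = (src, dst, sport, dport, proto)
        rec = self.active.setdefault(key, FlowRecord(key, ts, ts))
        rec.last, rec.packets, rec.octets = ts, rec.packets + 1, rec.octets + length
        if proto == 6 and tcp_flags & TCP_FIN_OR_RST:   # end of flow: FIN or RST seen
            rec.reason = "end-of-flow"
            exported.append(self.active.pop(key))
        return exported
# Constructed trace: (ts, src, dst, sport, dport, proto, bytes, tcp_flags)
TRACE = [
    (0.0, "10.0.0.5", "10.0.0.9", 40000, 22, 6, 60, 0x02),    # SYN
    (0.5, "10.0.0.5", "10.0.0.9", 40000, 22, 6, 60, 0x10),    # ACK
    (1.0, "10.0.0.5", "10.0.0.9", 40000, 22, 6, 52, 0x11),    # FIN+ACK -> exported at once
    (2.0, "10.0.0.5", "10.0.0.53", 5353, 53, 17, 80, 0),      # DNS query
    (20.0, "10.0.0.5", "10.0.0.53", 5353, 53, 17, 80, 0),     # 18 s idle -> previous exported
] + [(float(t), "10.0.0.5", "10.0.0.80", 45000, 443, 6, 1500, 0x10) for t in range(100, 175, 5)]
def simulate(trace):
    # Feed the trace through one cache; return exported records in export order.
    cache, exported = FlowCache(), []
    for pkt in trace:
        exported.extend(cache.observe(*pkt))
    return exported
```

The long HTTPS flow is exported once by the active timeout with the 13 packets seen so far, and the packets that follow start a fresh record in the cache.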
Flow Collection and Deduplication:
For example, I send a packet named "X". In a network infrastructure, a packet has to move through different kinds of network devices to reach its destination, and in each device the flow of packet "X" is recorded. This creates a duplicate copy of packet "X" in all the devices. To avoid this, StealthWatch came up with the flow collection and deduplication concept.
Flow Collection or Stitching: the process of combining flows to form the logical bidirectional conversation that occurred across multiple reporting network devices.
Deduplication: many times conversations are asymmetric; deduplication ensures that traffic reporting is accurate regardless of the number of devices that the flow traverses.
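To make stitching and deduplication concrete, here is an added Python example (not StealthWatch code) that takes constructed unidirectional flow records reported by several devices, counts each flow once, and folds the two directions into one conversation; the rule that the lower port marks the server side, and the device names, are assumptions of this example.

```python
from collections import defaultdict

# Constructed unidirectional flow records as a collector receives them:
# (exporter, src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
RAW_FLOWS = [
    ("core-router", "10.1.1.20", 51000, "198.51.100.7", 443, 6, 12, 1800),
    ("access-switch", "10.1.1.20", 51000, "198.51.100.7", 443, 6, 12, 1800),  # same packets, second device
    ("edge-router", "198.51.100.7", 443, "10.1.1.20", 51000, 6, 15, 9400),    # asymmetric return path
    ("access-switch", "198.51.100.7", 443, "10.1.1.20", 51000, 6, 15, 9400),
    ("core-router", "10.1.1.21", 40000, "10.1.1.53", 53, 17, 1, 70),          # unrelated DNS query
]

def conversation_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Canonical bidirectional key. Assumption: the side with the lower port is the server."""
    if (src_port, src_ip) < (dst_port, dst_ip):           # the source looks like the server
        return (dst_ip, dst_port, src_ip, src_port, proto), "server"
    return (src_ip, src_port, dst_ip, dst_port, proto), "client"

def stitch(flows):
    """Deduplicate each unidirectional flow, then stitch both directions into one conversation."""
    # Deduplication: the same 5-tuple reported by several exporters is one flow, so keep the
    # fullest report (max counters) instead of adding the copies together.
    unique = {}
    for exporter, *tuple5, pkts, octets in flows:
        seen = unique.setdefault(tuple(tuple5), {"packets": 0, "bytes": 0, "exporters": set()})
        seen["packets"], seen["bytes"] = max(seen["packets"], pkts), max(seen["bytes"], octets)
        seen["exporters"].add(exporter)
    # Stitching: fold the client->server and server->client flows into one record.
    conv = defaultdict(lambda: {"client_packets": 0, "client_bytes": 0,
                                "server_packets": 0, "server_bytes": 0, "exporters": set()})
    for (src, sport, dst, dport, proto), seen in unique.items():
        ckey, side = conversation_key(src, sport, dst, dport, proto)
        conv[ckey][f"{side}_packets"] += seen["packets"]
        conv[ckey][f"{side}_bytes"] += seen["bytes"]
        conv[ckey]["exporters"] |= seen["exporters"]
    return dict(conv)

def naive_total_bytes(flows):
    """What a collector that simply sums every report would show."""
    return sum(f[-1] for f in flows)

def deduplicated_total_bytes(flows):
    return sum(c["client_bytes"] + c["server_bytes"] for c in stitch(flows).values())
```

Without deduplication the HTTPS conversation would be reported at twice its real volume, because two devices each saw both directions.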
Finally, let's go to the important components of StealthWatch. Some components are optional and not mandatory to implement; those can be implemented according to the usage and the network infrastructure deployed in your company.
StealthWatch Components:
There are a total of 6 major components in StealthWatch.
- Flow Sensor
- Flow Collector
- StealthWatch Management Console
- UDP Director/ Flow Replicator (optional)
- IDentity (optional)
- StealthWatch Labs Intelligence Center (SLIC) Threat Feed (optional)
1) Flow Sensor in StealthWatch:
It is a hardware appliance or virtual device which creates flow data in environments in which NetFlow is not enabled. Flow Sensors deliver performance analysis and deep packet inspection. All the flow data collected by the Flow Sensors is sent to the flow collector.
Note: environments in which NetFlow is already enabled need not implement Flow Sensors.
Flow Sensors connect into the existing infrastructure via one of the following:
1) Switch Port Analyzer (SPAN)
2) Mirror port
3) Ethernet Test Access Port (TAP)
Points to Note:
- The Flow Sensor VM is used to collect NetFlow data from virtual hosts inside a VMware server. It scales dynamically based on the resources allocated.
- The Flow Sensor gathers application-level information along with packet-level visibility:
  - Deep Packet Inspection (DPI)
  - Behavior analysis
  - True Layer 7 application visibility
  - Performance metrics like RTT, SRT and packet loss for TCP sessions
- Identifies applications and protocols:
  - Plain text
  - Advanced encryption
  - Obfuscation techniques
- Application details:
  - Server Response Time
  - Round Trip Time
  - Mean time take known
- Packet-level metrics:
  - HTTP/HTTPS header data
  - Packet payload
2) Flow Collector in StealthWatch:
- The Flow Collector aggregates flow data from multiple networks or network components.
- Collects and analyses data for further retrieval and analysis.
- The Flow Collector of StealthWatch sends and analyzes data exchanged with the SMC (StealthWatch Management Console).
- Sends an alarm if any unusual activity is detected.
- The Flow Collector can be either a virtual appliance or a hardware device.
3) StealthWatch Management Console:
- Centralized location for summary data, alarms, policy, management and data collection.
- Translates raw data into sophisticated reports and graphical representations.
- Manages, coordinates, configures and organizes data.
- Identifies applications and protocols and displays the information.
- It is the main dashboard of StealthWatch.
4) UDP Director/ Flow Replicator:
- Simplifies the management of UDP data streams from NetFlow, sFlow, Syslog and SNMP traffic.
- Forwards data from multiple network and security locations in a single data stream to network devices, including the flow collector.
- Aggregates UDP data, provides a single destination for it and allows distribution of it across the organization.
- High-speed, high-performance appliance that simplifies the collection of network and security data across your network.
- Reduces points of failure on your network.
- Provides a single destination for all UDP formats on the network, including NetFlow, SNMP and Syslog.
- Reduces network congestion for optimum network performance.
5) IDentity in StealthWatch:
- Requires no agent or service running on an identity or authentication server.
- Correlates user names with IP addresses using information obtained from DHCP and AD sources.
- Multiple administrators can access this data simultaneously, so both network identification and security response teams can work with it.
- Identity data can be obtained from the StealthWatch identity appliance or through Cisco Identity Services Engine (ISE).
- IDentity is a hardware (physical) appliance only.
- Supports VPN and DHCP IP addressing within network segments and large dynamic pools of remote access devices.
- Requires no server-side service.
- Provides a direct linkage between individual users and specific network events.
- Integrates user information with network traffic statistics from NetFlow- and sFlow-enabled switches.
- Automatically connects any network event with the user or users who caused it and gives out the complete details, letting you:
  - Search by username/ IP address
  - Run flow queries
  - Generate reports
  - Obtain a user snapshot of network activity
6) StealthWatch Labs Intelligence Center (SLIC) Threat Feed:
- Uses global threat intelligence and correlates it with data from the StealthWatch systems to provide network and security context to detect new and emerging malware threats.
- Aggregates emerging threat information from around the world.
- Adds an additional layer of protection from botnet command and control centers and other attacks.
- Detects:
  - Attempted/successful botnet communication
  - Internet scanning activity
  - Backscatter (DDoS)
- Working:
  - Correlates flow data with a global threat feed
  - Monitors customer networks for C&C servers
  - Adds new botnets to its radar as they are identified
  - Pinpoints the specific port, protocol and URL used
  - Generates alarms and Concern Index events
- Requires HTTP/HTTPS threat feeds.
Conclusion:
StealthWatch provides visibility over all the network devices present in your infrastructure. StealthWatch should be implemented as a defense-in-depth principle which helps in identifying malicious activities done by users and preventing any damage to the organization. I do not recommend this for small-scale industries because it's not cost effective. Medium and large-scale industries should implement StealthWatch in their infrastructure to secure their network from hackers as well as insider threats.