
http://www.liveaction.com

LiveAction Application Note

Finding Network Security Breaches

Using LiveAction Software to detect and analyze security issues in your network


Table of Contents

1. Introduction ... 1

2. Identifying Real-Time Security Issues ... 2

Detecting Port and IP Scan Behavior ... 2

Unauthorized Application and QoS Marking Usage ... 3

Denial of Service Attacks ... 4

3. Forensic Analysis and Historical Reporting ... 7


1. Introduction

It is generally understood that organizations cannot successfully defend against all cybersecurity attacks. Also, as the level of security is increased, so does the level of overhead and management that accompanies it. So, while precautions must be taken to prevent such attacks, an equally important function is the discovery, investigation and understanding of network security breaches so that they can be stopped, if still ongoing, and prevented in the future. Investigating these abnormal network events will often uncover weaknesses in your current infrastructure and identify infected computers. If left unchecked, these compromised resources can be the sources of future attacks or conduits for offloading confidential company data.

LiveAction™ software from ActionPacked! Networks enables network administrators and engineers to identify and mitigate security problems in real time and perform network forensics on events that have been recorded in its traffic flow and QoS historical databases. This application note will demonstrate these techniques and help you to better secure your network and IT infrastructure.


2. Identifying Real-Time Security Issues

Detecting Port and IP Scan Behavior

Port and IP scanning is a technique used to assess the capabilities and potential vulnerabilities of a given IP address or range of addresses. This type of scanning behavior generally indicates that an entity or script is searching for vulnerabilities or ports of entry into a given network. If this activity is not expected, one can interpret such scanning as a potential attack. When using LiveAction’s NetFlow, or “Flow” view, you can quickly pick up abnormal scanning activity and identify the source.

In order to view detailed real-time and historical traffic flow information, proceed to the device-level Flow view: select the router of interest and then select the “Flow” or “NetFlow” tab.

Figure 1 – Navigating to the Device-Level NetFlow Screen

Scanning of a subnet is quickly identified by the disproportionate number of destination endpoints in comparison to the sources. Scans appear as shown below in LiveAction.

Figure 2 – LiveAction Displaying an Active IP Subnet Scan

Here we see in tabular and topology views a single source scanning a whole subnet. In addition, the active hosts that responded to the scan can be seen below the E0/0 interface, while all the other addresses and ports were sent to the null interface on the right side. A host that the IP scan got through to requires further investigation.
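The fan-out signal described above (one source, many destination endpoints, most of them never answering) can be computed directly from exported flow records. The following is an added example written for this note, not LiveAction code: the `Flow` field names, the thresholds and the sample traffic are constructed assumptions, and `responders()` separates the probed hosts that replied (the ones that warrant follow-up) from those whose probes a router would have sent to its null interface.

```python
"""Fan-out scan detection over NetFlow-style records.

Added example, not LiveAction code. The Flow fields, thresholds and the
sample traffic below are all constructed assumptions; a real deployment
would read the same fields from the collector's exported records.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    dport: int     # destination port
    proto: str     # "tcp" or "udp"
    packets: int   # packets seen in the flow


def scan_suspects(flows, min_hosts=16, max_avg_packets=3.0):
    """Flag sources whose fan-out is disproportionate: many distinct
    destination hosts, and flows so short (few packets) that they look
    like probes rather than sessions. Returns {src: {"hosts": n, "ports": m}}."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    suspects = {}
    for src, fl in by_src.items():
        hosts = {f.dst for f in fl}
        avg_pkts = sum(f.packets for f in fl) / len(fl)
        if len(hosts) >= min_hosts and avg_pkts <= max_avg_packets:
            suspects[src] = {"hosts": len(hosts), "ports": len({f.dport for f in fl})}
    return suspects


def responders(flows, scanner):
    """Hosts that answered the scanner, i.e. probed addresses that have a
    return flow towards it. Probed addresses with no return flow are the
    ones a router would have sent to its null interface."""
    probed = {f.dst for f in flows if f.src == scanner}
    return sorted({f.src for f in flows if f.dst == scanner and f.src in probed})


def build_sample():
    """Constructed sample: ordinary client traffic plus one host sweeping
    the first 40 addresses of 10.1.2.0/24 on ports 22 and 80."""
    flows = []
    for i in range(5):
        flows.append(Flow("10.1.1.10", "10.1.3.7", 443, "tcp", 40 + i))
        flows.append(Flow("10.1.1.11", "10.1.3.7", 443, "tcp", 30 + i))
        flows.append(Flow("10.1.1.11", "10.1.3.53", 53, "udp", 2))
    for host in range(1, 41):
        for port in (22, 80):
            flows.append(Flow("10.1.1.50", f"10.1.2.{host}", port, "tcp", 1))
    # only two probed hosts are alive and answer (return flows to the scanner)
    flows.append(Flow("10.1.2.5", "10.1.1.50", 51234, "tcp", 1))
    flows.append(Flow("10.1.2.9", "10.1.1.50", 51234, "tcp", 1))
    return flows


if __name__ == "__main__":
    sample = build_sample()
    for src, info in scan_suspects(sample).items():
        print(f"{src}: {info['hosts']} hosts on {info['ports']} ports; "
              f"responders: {responders(sample, src)}")
```

The packet-count condition keeps a busy file server or proxy, which also talks to many hosts but in long sessions, out of the suspect list; tune `min_hosts` against the normal fan-out of the segment you are watching.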


Unauthorized Application and QoS Marking Usage

LiveAction’s unique ability to help you identify and mitigate security issues in real time can also be extended to discovering unauthorized applications consuming significant amounts of bandwidth on your network. Unauthorized video conference technologies tend to perform QoS marking and consume significant amounts of bandwidth. If trust boundaries are set to preserve traffic marked for video conferencing, dedicated queues on WAN edge devices can be exhausted, creating poor network performance for applications that do not have their own dedicated queue. Below is an example of such an event displayed in LiveAction.

Figure 3 – Identifying Rogue Video Conference Traffic

In this topology view we can quickly identify QoS issues that we traced to a high-bandwidth videoconferencing session. Through NetFlow we are able to identify and trace the offending session.

Once this issue has been identified, there are many actions one can take. The first is to review the QoS policies throughout the network. Perhaps trust boundaries at the access switches need to be reevaluated. It is also possible that traffic shaping functions on the edge routers could mitigate this issue as well. LiveAction’s QoS management function can be used to display and modify these QoS policies. For more information, please see the QoS Best Practices Application Note.
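The check behind this scenario is a comparison of who is sending video-marked traffic against who is allowed to, and of the resulting marked load against the size of the dedicated video queue. The example below is added here and is not LiveAction code: the DSCP set, the trusted subnet, the queue size and the sample flows are constructed assumptions.

```python
"""Spotting rogue traffic that carries video-conference QoS markings.

Added example, not LiveAction code. DSCP values, the trusted subnet, the
queue size and the sample flows are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Markings a video queue is commonly configured to trust (assumption):
# CS4 = 32 and AF41/AF42/AF43 = 34/36/38.
VIDEO_DSCP = {32, 34, 36, 38}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    dscp: int       # DSCP value carried by the flow's packets
    nbytes: int     # bytes transferred
    seconds: float  # flow duration


def flow_bps(f):
    """Average bit rate of one flow."""
    return f.nbytes * 8 / max(f.seconds, 1e-9)


def video_queue_report(flows, trusted_video_nets, queue_bps):
    """Split video-marked load into trusted and rogue sources and say whether
    the marked load alone would exhaust the dedicated video queue."""
    trusted = [ipaddress.ip_network(n) for n in trusted_video_nets]

    def is_trusted(addr):
        a = ipaddress.ip_address(addr)
        return any(a in net for net in trusted)

    rogue = defaultdict(float)
    trusted_bps = 0.0
    for f in flows:
        if f.dscp not in VIDEO_DSCP:
            continue
        if is_trusted(f.src):
            trusted_bps += flow_bps(f)
        else:
            rogue[f.src] += flow_bps(f)
    rogue_bps = sum(rogue.values())
    return {
        "trusted_bps": trusted_bps,
        "rogue_bps": rogue_bps,
        "rogue_sources": dict(rogue),
        "queue_exhausted": trusted_bps + rogue_bps >= queue_bps,
    }


def build_sample():
    """Constructed sample: one sanctioned room system in 10.5.0.0/24, one
    desktop running an unsanctioned client that marks its traffic AF41,
    and unmarked web traffic."""
    return [
        Flow("10.5.0.10", "203.0.113.5", 3478, 34, 90_000_000, 60.0),    # 12 Mbit/s
        Flow("10.1.1.77", "198.51.100.20", 443, 34, 150_000_000, 60.0),  # 20 Mbit/s
        Flow("10.1.1.77", "198.51.100.21", 443, 34, 30_000_000, 60.0),   # 4 Mbit/s
        Flow("10.1.1.12", "198.51.100.30", 443, 0, 5_000_000, 60.0),     # unmarked
    ]


if __name__ == "__main__":
    report = video_queue_report(build_sample(), ["10.5.0.0/24"], queue_bps=30_000_000)
    print(report)
```

The rogue source list is the input to the remediation the note describes: either the access-switch trust boundary should stop honouring that host's markings, or the edge policy should remark or shape it, so that the sanctioned 12 Mbit/s session is not starved by the 24 Mbit/s of unauthorized marked traffic.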


Denial of Service Attacks

Denial of service attacks are attempts to make network resources unavailable to other users. This is generally accomplished by flooding the systems with such large quantities of traffic requests that the systems are unable to respond to legitimate traffic. These attempts can not only prevent traffic from reaching legitimate users, but can also cause harm to the system being attacked if data corruption occurs or the system is forced into a crash state. Using LiveAction software, one can detect these Denial of Service attacks and quickly create an Access Control List (ACL) to mitigate the attack. Below is an example of such an attack and how it can be thwarted using LiveAction.

Figure 4 – Active Denial of Service Attack

Once again, from the device-level Flow view we can easily visualize the traffic flows. In this example we can see the enormous number of traffic requests being sent to the host, with each request shown as a separate flow. This view tells us the router itself is the target of the denial of service attack.

LiveAction also displays CPU and memory issues in real time as a result of this attack, as shown in Figure 5. Areas indicating CPU or memory overload are circled in red.

Figure 5 – CPU and Memory Alerts Resulting from DoS Attack

Multiple indicators of CPU utilization issues due to DoS attack.

In these instances where an attack is underway and the router is suffering, LiveAction’s ACL editor allows the user to quickly create an Access Control List to mitigate the attack. To access the ACL editor, follow the steps below:

1. From the system topology or device-level topology view, right click on the flow of interest, then click “Create ACL based on flow”. This will launch the flow-based ACL editor.


2. Create a blocking ACL based on the denial of service flow being seen by choosing “deny”:

Save the ACL to the device to mitigate the Denial of Service attack. This will prevent precious control plane services from being exhausted and will keep the router functioning normally.
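The detection in the Figure 4 discussion (one destination receiving an abnormal number of short flows) and the two ACL steps above can be tied together in code. The example below is added here; it is not LiveAction code and not the output of its ACL editor. The record fields, the flow-count threshold, the ACL name `BLOCK-DOS` and the sample traffic are constructed assumptions; the rendered text follows Cisco IOS extended ACL syntax.

```python
"""Detecting a flow flood against a router and building the blocking ACL.

Added example, not LiveAction code and not the output of its ACL editor.
The record fields, thresholds, ACL name and sample traffic are constructed
assumptions; the ACL text follows Cisco IOS extended ACL syntax.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str   # "tcp", "udp" or "icmp"
    packets: int


def dos_targets(flows, min_flows=500):
    """Destinations receiving an abnormal number of flows in the window.
    Each request of a flood shows up as its own short flow, so the flow
    count per destination is the signal; the top sources are kept so the
    deny entry can be written against them."""
    per_dst = defaultdict(list)
    for f in flows:
        per_dst[f.dst].append(f)
    targets = {}
    for dst, fl in per_dst.items():
        if len(fl) >= min_flows:
            targets[dst] = {
                "flows": len(fl),
                "top_sources": Counter(f.src for f in fl).most_common(3),
            }
    return targets


def deny_acl(name, flows_to_block):
    """Render an extended ACL that denies the offending flows and keeps
    everything else flowing; the trailing permit matters, because an ACL
    with only deny entries would drop all traffic once applied."""
    lines = [f"ip access-list extended {name}"]
    seen = set()
    for f in flows_to_block:
        key = (f.proto, f.src, f.dst, f.dport)
        if key in seen:
            continue
        seen.add(key)
        match = f" deny {f.proto} host {f.src} host {f.dst}"
        if f.proto in ("tcp", "udp"):
            match += f" eq {f.dport}"
        lines.append(match)
    lines.append(" permit ip any any")
    return "\n".join(lines)


def build_sample():
    """Constructed sample: routine management traffic plus 1,200 one-packet
    TCP flows from a single host towards the router's own address."""
    flows = [Flow("10.1.1.10", "10.0.0.1", 22, "tcp", 60) for _ in range(3)]
    flows += [Flow("198.51.100.9", "10.0.0.1", 22, "tcp", 1) for _ in range(1200)]
    return flows


def block_dos(flows, acl_name="BLOCK-DOS"):
    """End to end: find flooded destinations, pick the flows aimed at them
    from the top source, and render the ACL."""
    targets = dos_targets(flows)
    to_block = []
    for dst, info in targets.items():
        top_src = info["top_sources"][0][0]
        to_block += [f for f in flows if f.dst == dst and f.src == top_src]
    return deny_acl(acl_name, to_block)


if __name__ == "__main__":
    print(block_dos(build_sample()))
```

Two points a practitioner checks before saving such an ACL: the deny entries are written against the top source only, so the administrator's own SSH flows from 10.1.1.10 in the sample stay permitted, and an ACL only takes effect once it is applied to an interface in a direction (`ip access-group BLOCK-DOS in` on the ingress interface in IOS), so "save to the device" must include that binding.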


3. Forensic Analysis and Historical Reporting

Not only can LiveAction provide real-time visualization for traffic flows and link utilization, but the software also provides a full historical record of all flow and QoS data collected. This information can be displayed using the LiveAction Historical Reporting Engine. The engine can bring you back to any point in time when data was being collected and display the information as if it were being viewed in real time. This fully featured reporting engine allows users to perform forensic analysis on security breaches that happened in the past to get a better understanding on devices or hosts that may have been affected and to understand how to prevent them in the future.

To launch the flow historical reporting engine, use the main menu to access Reporting → Flow → Historical Playback:

Figure 6 – Navigating to the Flow Historical Playback Screen

Select the device and the interface of choice, and the Historical Playback engine will be displayed as shown below:

Figure 7 – Selecting the Date and Time in the Historical Playback Screen

Use the calendar and time-of-day slider to navigate to the appropriate time in the past.

Select the date and the time that you are interested in investigating and the flow data from that sampling period will be displayed. Unlike some other NetFlow vendors, LiveAction keeps and stores ALL data records collected and provides a complete view into the network activity from the past. These statistics can be retrieved for QoS as well to discover possible flaws in traffic shaping or queuing configurations based on reported outages or service quality issues.

In addition to the playback capability, LiveAction can generate reports based on historical data for quick investigation of security issues. These reports can be accessed from the device-level Flow toolbar.

Figure 8 – Using the Flow Historical Reporting Capabilities

The Top Analysis report returns detailed information of all the flows from a specific time period specified by the user. The data can be sorted and filtered to narrow in on the metrics appropriate for your forensics investigation.

Figure 9 – Examining the Historical Top Analysis Report

For thorough investigations you can sort and filter on the whole database of historical flows.
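A Top Analysis style query over stored flow records is a time-window selection, optional filters, then grouping and sorting by volume. The example below is added here and is not LiveAction's reporting engine: the record layout, the filter options and the sample data (an off-hours bulk transfer buried among routine traffic) are constructed assumptions.

```python
"""Time-windowed "top analysis" over stored flow records.

Added example, not LiveAction's reporting engine. The record layout,
the filter options and the sample data are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    start: datetime   # when the flow began (naive UTC)
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def top_analysis(flows, start, end, top_n=5, src=None, dst=None, dport=None, proto=None):
    """Return the top_n (src, dst, dport, proto) conversations by bytes for
    flows starting in [start, end), after applying any of the optional
    filters. Result entries are (key_tuple, total_bytes, flow_count)."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if not (start <= f.start < end):
            continue
        if src is not None and f.src != src:
            continue
        if dst is not None and f.dst != dst:
            continue
        if dport is not None and f.dport != dport:
            continue
        if proto is not None and f.proto != proto:
            continue
        key = (f.src, f.dst, f.dport, f.proto)
        totals[key][0] += f.nbytes
        totals[key][1] += 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(key, total, count) for key, (total, count) in ranked[:top_n]]


def build_sample():
    """Constructed sample: a 02:00 bulk transfer to an external host, small
    night-time DNS and backup traffic, and ordinary daytime browsing."""
    t0 = datetime(2016, 3, 14, 2, 0)
    flows = []
    for i in range(4):
        flows.append(Flow(t0 + timedelta(minutes=5 * i), "10.1.1.23",
                          "203.0.113.40", 443, "tcp", 200_000_000))
    for i in range(6):
        flows.append(Flow(t0 + timedelta(hours=12, minutes=10 * i), "10.1.1.10",
                          "198.51.100.30", 443, "tcp", 3_000_000))
    flows.append(Flow(t0 + timedelta(minutes=1), "10.1.1.23", "10.1.3.53", 53, "udp", 2_000))
    flows.append(Flow(t0 + timedelta(minutes=30), "10.1.2.8", "10.1.3.9", 873, "tcp", 50_000_000))
    return flows


if __name__ == "__main__":
    t0 = datetime(2016, 3, 14, 2, 0)
    for key, total, count in top_analysis(build_sample(), t0, t0 + timedelta(hours=1)):
        print(f"{key}: {total} bytes in {count} flows")
```

Running the query for the 02:00 to 03:00 window ranks the 800 MB transfer from 10.1.1.23 first; narrowing with `src="10.1.1.23"` then shows everything that host did in the same hour, which is the pivot an investigator makes from a suspicious conversation to the host behind it.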

4. Conclusion

There are many malicious attacks that can be targeted toward a given network. Understanding and reacting to these security problems requires an understanding of what types and quantities of traffic are in use. Once a baseline or “known good” state of the network has been established, LiveAction can be used to discover network irregularities, security vulnerabilities, or full-on denial of service attacks. By providing comprehensive intelligence and manageability into network devices, network administrators can reduce the number of service tickets opened, increase network uptime, and reduce operating expenditures.

To learn more about LiveAction, and for information to help you deploy and manage QoS, please visit ActionPacked! Networks at:

http://www.liveaction.com

Copyright © 2016 LiveAction, Inc. All rights reserved. LiveAction, the LiveAction logo and LiveAction Software are trademarks of LiveAction, Inc. Other company and product names are the trademarks of their respective companies.

LiveAction, Inc.

3500 West Bayshore Road Palo Alto, CA 94303, USA
