Feature Article
Securing Remote Networks Against Cyber Security –
NetFlow to the Rescue
Mike Patterson, CEO and Founder
Plixer International
Managed Security Service Providers (MSSP) are depending on NetFlow
and IPFIX as one of the top three enablers for improving network threat
detection for onsite, as well as remote sites. The distributed NetFlow collection nature of this technology allows IT security teams to gain threat insight
into remote areas without actually visiting the location. Most firewalls
today, including those from Barracuda, Cisco ASA, Palo Alto Networks,
SonicWALL and others, provide NetFlow or IPFIX exports, which with
the right flow analytics solution, allow for several types of additional threat
detection methods.
• Unfinished Flows: Identifies hosts that have a high percentage of
unfinished flows. This indicates scanning, Malware or poorly configured
applications on a host.
• XMAS Tree Scan: The XMAS Tree scan sends a TCP frame to a
remote device with the URG, PUSH, and FIN flags set. This is called a
XMAS Tree scan because of the alternating bits turned on and off in the
flags byte (00101001), much like the lights of a Christmas tree.
Why Companies Turn to MSSPs
With 50 percent of Internet thefts occurring at companies with less than
2,500 employees and the cost of hiring a security expert increasing, many
organizations are turning to MSSPs in hopes of gaining access to a team of
security experts. In turn, MSSPs provide their customers with services in
areas such as virus blocking, IDS, VPN and firewall maintenance. Monthly
fees generally include a block of hours for system changes, modifications
and upgrades. When they aren’t working on specific customer issues, they
collaborate with other experts to identify the latest threats and the best
security countermeasures. Because these experts can’t wait for the next
software update to fight the latest cyber battle, security teams often turn to
flow technologies to monitor for the latest malware.
“IPS, or deep packet inspection, is our number one security defense, Netflow is a very close number two,” said Gavin Reid, manager, Cisco CSIRT.
Threat Detection with NetFlow
Traditionally, NetFlow and IPFIX have been used by MSSPs to perform
Network Behavior Analysis by running dozens of algorithms against the
flows collected. Examples include:
• Breach Attempts: Looks for many small flows from one source to one
destination. This can indicate things such as a brute force password attack.
A typical scenario would be a dictionary attack on an SSH server.
• DDoS: Identifies a Distributed Denial of Service attack such as those
that can be launched by a BOTNET.
• DNS Violation: Alerts when a host initiates an excessive number of
DNS queries. This can help to identify hosts that may be infected with a
mailer worm or other issues that require an inordinate number DNS lookups.
• FIN Scan: The FIN scan’s “stealth” frames are unusual because they
are sent to a device without first going through the normal TCP handshaking routine.
• ICMP Destination Unreachable: This is a message that comes back
from the router to the requesting host stating that it doesn’t have a route to
the destination network of the target host.
• ICMP Port Unreachable: This is a message that comes back from the
destination server stating that it will not open communication on the specified port requested by the host.
• Nefarious Activity Violation: Looks for hosts communicating with
many hosts with a low number of flows. An example would be a port 80
scan of an entire subnet.
• NULL Scan: The null scan turns off all TCP flags in an attempt to open
a connection with the target host. Sometimes it consists of flows where the
source port is 0 with various destination ports.
• RST/ACK: RST/ACK packets are connection denials that come
back from destinations to the originating hosts. It can be caused by
network scanning.
• SYN Scan/Flood: SYN packets are sent out in an attempt to make a
network connection with a target host. It can be caused by network scanning.
16
www.RemoteMagazine.com
Security Logs
The above algorithms are an excellent step toward the automation of
detecting malware that could be trying to penetrate and compromise hosts
on the network. Notice that these algorithms focus on network behavior
analysis since deep packet inspection to match packets to signatures
isn’t generally possible with NetFlow. Much like a flu virus, malware
can use a polymorphic technique, which means it can constantly vary its
structure and content in order to avoid detection. Solutions that perform
deep packet inspection in an attempt to pattern match through the use of
constantly updated signatures can easily be evaded by these new malware
techniques. Even with all the above, more needs to be done to detect the
latest forms of malware and this means thinking outside the proverbial
threat detection box.
“I am convinced that every company in every conceivable industry with
significant size and valuable intellectual property and trade secrets has been
compromised (or will be shortly), with the great majority of the victims
rarely discovering the intrusion or its impact. In fact, I divide the entire set
of Fortune Global 2,000 firms into two categories: those that know they’ve
been compromised and those that don’t yet know,” said Dmitri Alperovitch,
former VP of Threat Research, McAfee.
IP Host Reputation
Today, some NetFlow collector vendors are comparing IP addresses
found in flows to reputation lists. This host reputation lookup process is
a routine that goes out to an Internet-based reputation list provider every
hour and downloads an updated list of known hosts that end-systems on
the network should not be communicating with. Typically this is a list of
compromised hosts that have a reputation for sending nefarious traffic
(e.g. C&C). To keep the list as accurate as possible, it is generally updated
by several Internet Service Providers and government agencies. Host
Reputation is also one of the best detection methods used against Advanced
Persistent Threats (APTs).
“We’ve learned that NetFlow can tell us who is talking to who across our
network but how can we tell if either “who” is a bad actor? By checking the
reputation of the IP addresses at both ends of the conversation,” said Mike
Schiffman, researcher, Cisco.
In locations where NetFlow or IPFIX hardware is not available, inex-
http://www.RemoteMagazine.com
Table of Contents for the Digital Edition of Remote - Summer 2013