Network Traffic Analysis 6

MSIA 672: Network Traffic Analysis

Ian Burke

MSIA 672: Managing a Secure Enterprise

Regis University

December 3, 2010

Abstract

There are many ways to protect a network. Firewalls can block ports. An IDS can alert on a specific event. Anti-virus can protect against a malicious application trying to install on a system. All of these solutions in isolation serve a purpose, but none of them provides a complete security solution. Being able to place the information gained from any one of these security solutions into the context of what is happening on the network expands its value. An IDS alert may indicate a malicious packet or a false positive; out of context it is hard to know the difference. With network traffic awareness, context can be placed around that alert, adding substance and meaning to the event. This paper looks at what network traffic analysis is and how it can extend the value of other security services.

Keywords: network traffic analysis, network flow.

Discussion

Securing a corporate network is becoming more of an art form than a science. The days of deploying a firewall and monitoring logs are long gone. To adequately protect a network, information from many different sources must be taken into consideration. One of those key pieces of information is the nature and characteristics of the traffic on the network.

Monitoring this network traffic has changed over the past few years. As network equipment advanced, protocols such as SNMP were developed to help monitor the equipment and the traffic passing through it. SNMP was never truly intended to monitor the traffic itself; it was more closely focused on how that traffic interacted with specific devices. It could be used to interact with the routers, switches, and firewalls across the network (Cecil).

SNMP is most useful for getting information about the status of network equipment such as firewalls. If you do not wish to employ SNMP, some of this equipment can be configured to push this information directly to a collection source. Using iptables is one approach for forwarding byte counts and other flow-type data from a firewall. Other tools such as ntop can be deployed to get network information. Like SNMP, this tool pulls statistics on the status of the network equipment (Lockhart, 2007).

Knowing the status of a network appliance is one piece of network monitoring, but knowing the nature and characteristics of the actual network packets is also of value. It is important to know the throughput of a port, and perhaps more important to know when a switch port fails. When investigating a security event, flow information from the network can help establish details that may not be contained in the event detail provided by the security equipment. An IDS may alert on a single suspicious packet or a collection of packets (Cox, Gregg, 2004); placing that alert in the context of other information on the network is where the value can be found.

Being able to place a security event in the context of time can help make the event more relevant. An alert from an email filter may provide header information for the message, but this is only as good as the message content. Good flow data can be used to help identify whether the message was spoofed, whether the header might have been modified, or whether the routing of the message might have been altered.

What is flow data? Monitoring specific characteristics of unidirectional IP flows is a form of network traffic analysis. By monitoring this flow information, network intelligence can be gained that supports an effective defence-in-depth strategy against DoS, worm and other attack methods. Not only does flow data give you perspective when combined with other alerts, such as those coming from an IDS, but it can also be used independently of other security data to identify security events. Flow data is based on IP header information. As a baseline is established, the normal nature of the network becomes known. Anomalies against that baseline can be identified when it is monitored carefully, and these anomalies can be used to identify security events on the network (Munz, Carle).
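The following Python sketch is an added illustration and is not part of the original paper: it folds packet header records into unidirectional 5-tuple flows, derives a per-source baseline from the header fields alone, flags a source whose destination-port fan-out exceeds a threshold (worm or scan-like behaviour), and places an IDS alert in context by pulling the flows that touch the alerted host near the alert timestamp. All packet records, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed packet header records (ts, src, dst, proto, sport, dport, bytes):
# two normal HTTPS sessions plus one internal host sweeping 40 ports on a neighbour.
PACKETS = [
    (100.0, "10.0.0.5", "203.0.113.9", 6, 51000, 443, 1200),
    (100.2, "10.0.0.5", "203.0.113.9", 6, 51000, 443, 800),
    (101.0, "10.0.0.7", "203.0.113.9", 6, 51002, 443, 900),
] + [(105.0 + i * 0.01, "10.0.0.9", "10.0.0.20", 6, 40000 + i, 1 + i, 60)
     for i in range(40)]


def build_flows(packets):
    """Aggregate packets into unidirectional flows keyed on the IP/transport 5-tuple."""
    flows = {}
    for ts, src, dst, proto, sport, dport, size in packets:
        key = (src, dst, proto, sport, dport)
        f = flows.setdefault(key, {"start": ts, "end": ts, "packets": 0, "bytes": 0})
        f["end"] = max(f["end"], ts)
        f["packets"] += 1
        f["bytes"] += size
    return flows


def baseline(flows):
    """Per-source baseline built only from header fields: distinct dst ports, bytes sent."""
    stats = defaultdict(lambda: {"dst_ports": set(), "bytes": 0})
    for (src, _dst, _proto, _sport, dport), f in flows.items():
        stats[src]["dst_ports"].add(dport)
        stats[src]["bytes"] += f["bytes"]
    return stats


def anomalies(flows, max_ports=10):
    """Sources whose destination-port fan-out exceeds the baseline threshold (hypothetical rule)."""
    return sorted(src for src, s in baseline(flows).items()
                  if len(s["dst_ports"]) > max_ports)


def flows_around(flows, host, alert_ts, window=2.0):
    """Context for an IDS alert: flows touching `host` within `window` seconds of `alert_ts`."""
    return [k for k, f in flows.items()
            if host in (k[0], k[1]) and f["start"] - window <= alert_ts <= f["end"] + window]
```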

Conclusion

Network traffic analysis is a critical part of a defence-in-depth strategy. It has evolved from the SNMP technology that was once used to monitor and manage network equipment to flow data, which is an integral part of a security solution. Network traffic analysis and flow data combine IP header information from unidirectional flows to establish a network baseline. From this baseline it becomes possible to identify anomalies and malicious traffic.

Network traffic analysis, and flow data in particular, can also be used to put other security events into context. This adds value to the security events from other equipment, enabling the data gathered from those events to become more meaningful.

References

Cecil. A summary of network traffic monitoring and analysis techniques. Retrieved from: http://www1.cse.wustl.edu/~jain/cse567-06/ftp/net_monitoring.pdf

Cox, Gregg. (2004). Managing security with Snort and IDS tools, Chapter 2. Cambridge, MA: O'Reilly Media, Inc.

Goodall, Lutters, Rheingans, Komlodi. (2006). Focusing on context in network traffic analysis. IEEE Computer Society. Retrieved from: http://vizsec.org/johng

Lockhart. (2007). Network security hacks, 2nd Edition. Cambridge, MA: O'Reilly Media, Inc.

Munz, Carle. Real-time analysis of flow data for network attack detection. Computer Networks and Internet, Wilhelm Schickard Institute for Computer Science, University of Tübingen, Germany. Retrieved from: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.86.7855&rep=rep1&type=pdf