Today's enterprises are increasingly moving new applications such as key business systems, voice, and video onto IP networks, and a secure, reliable network is the key to the success of their business. At the same time, the boundary between the inside and the outside of the enterprise network is becoming blurred, and users are more mobile than ever. Internal LANs that we once assumed to be safe already harbour threats: it is hard to guarantee that a virus will never be carried into the corporate network, and the wide reach and high-speed connectivity of LANs make them a fertile breeding ground for the rapid spread of worms. How should we deal with this new network security environment? How to prevent worms on the LAN, and how to discover, track, and contain their spread in time, is a question every network manager has to think about.
This may sound like a very large proposition, and in fact it does require a systematic, coordinated security strategy. From the network to the host, and from the core layer through the distribution layer to the access layer, we must adopt a comprehensive enterprise security strategy to protect the entire network and the systems connected to it. In addition, even when a worm does break out, we must take measures to mitigate its impact as far as possible and protect the network infrastructure so that the network keeps running stably.
This article introduces a solution built on Cisco Catalyst switches that protects against the damage caused by worms in an economical, efficient, and scalable way.
First of all, we need to understand the abnormal behaviour of worms and have a method to detect that behaviour as early as possible. Once suspicious behaviour is discovered, we must be able to locate its source quickly, that is, track down its source IP address, MAC address, login username, and the switch and port it is connected to, and then collect evidence and make a judgement. If it is indeed a worm, we must respond promptly, for example by shutting down the port and cleaning the infected machine.
We know, however, that access switches are spread across every wiring closet, providing edge access for the enterprise's desktop systems. For cost and management reasons it is impossible to place an IDS device next to every access layer switch. If an IDS is deployed at the distribution or core layer instead, it faces traffic aggregated from hundreds of Fast Ethernet and Gigabit Ethernet links; a software IDS that inspects traffic up to layer 7 cannot keep up with that volume, so monitoring all traffic unselectively is impractical.
How, then, can we find a targeted, effective, and economically scalable solution? Using the security features and Netflow integrated into Catalyst switches, we can!
Detecting suspicious traffic. Using the network traffic statistics collected and exported by Cisco Netflow, we can find a single host that issues far more connection requests than normal. Such an abnormally large number of flows is often a sign of a worm outbreak or network abuse, because a worm, once active, scans a large number of random IP addresses looking for possible targets, generating a large number of TCP or ICMP flows. A flow record contains no packet payload; this is an important difference between Netflow and a traditional IDS. Because a flow record carries no higher-layer information, it can be processed in hardware at high speed, which suits busy high-speed LAN environments. The Catalyst 4500 and Catalyst 6500 switches typically deployed at the core and distribution layers support hardware-based Netflow. So although Netflow cannot inspect packets in depth, a flow record carries enough information to reveal suspicious traffic, and because it does not depend on a signature it is not subject to the "0-day" limitation. Analysed and used properly, Netflow records are well suited to the early detection of worms and other network abuse.
It is very important to understand the baseline of normal traffic patterns. For example, it is normal for a user to have 50-100 active connections at the same time, but it is abnormal if a user initiates a large number (for example, 1000) of active flows.
Tracking suspicious sources. Once suspicious traffic is identified, it is equally important to trace it to its source, including the physical location and the user identity. In today's mobile environment users can roam anywhere on the campus network, so knowing only the source IP address makes it hard to locate a user quickly. Moreover, we must prevent IP addresses from being spoofed; otherwise the detected source IP address will not help us track down the suspicious source. In addition, we must locate not only the connected port but also the logged-in username.
Collecting suspicious traffic. Once suspicious traffic is detected, we need to capture the packets to determine whether this abnormal traffic is a new worm attack. As mentioned above, Netflow does not inspect packets in depth; we need a network analysis tool or an intrusion detection device to make the further judgement. But how can we capture suspicious traffic easily and quickly and direct it to the analysis tool? Speed matters, because otherwise we miss the opportunity to contain the worm in its early stages. Besides quickly locating the physical position of the suspicious device, we also need a means of collecting evidence as soon as possible. We cannot place network analysis or intrusion detection equipment next to every access switch, nor can we carry an analyser to the wiring closet every time suspicious traffic appears.
With the above analysis in mind, let us see how the features of the Catalyst can meet these needs!
Detecting suspicious traffic. The Catalyst 6500 and the Catalyst 4500 (Sup IV, Sup V and Sup V-10GE) provide hardware-based Netflow to collect information about the traffic flowing through the network. The collection and statistics are all done in hardware ASICs, so they have no impact on system performance. The Catalyst 4500 Sup V-10GE includes the Netflow card by default, so no additional investment is needed.
Tracking suspicious sources. The integrated security features of the Catalyst provide identity-based network services (IBNS) together with DHCP snooping, IP Source Guard, and Dynamic ARP Inspection. These features provide the binding between a user's IP address, MAC address, and physical port, and at the same time prevent spoofed IP addresses. This is very important: if spoofed IP addresses cannot be prevented, the information collected by Netflow is meaningless. The binding is available as soon as the user logs into the network, and combined with ACS the username of the logged-in user can be located as well. A script on the Netflow Collector can then send the relevant information to the network administrator by e-mail whenever suspicious traffic is found.
In the notification e-mail, the user CITG is reported as showing abnormal network activity; the user belongs to the group CITG-1 (the identity used for 802.1x login). The IP address of the access layer switch is 10.252.240.10 and the physical interface is FastEthernet4/1; the e-mail also lists the client IP address and MAC address, together with the number of flows and packets it sent within 5 minutes (a period defined by the script).
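The detection and tracking steps above, from the per-host flow baseline to the e-mail that joins the flagged source with its port and user binding, as an added example that is not the page's own collector script. It assumes constructed flow records and a constructed binding table; the switch IP, port, user and group are the page's values, while the client IPs and MACs are placeholders.

```python
from collections import defaultdict

# Constructed NetFlow export for one 5-minute window: (src_ip, dst_ip, proto, packets).
# Host .55 touches 1000 distinct addresses (worm-like scan); host .20 talks to 10 servers.
FLOWS = [("10.252.241.55", f"10.252.{i // 256}.{i % 256}", "tcp", 1) for i in range(1000)]
FLOWS += [("10.252.241.20", f"10.1.1.{i % 10 + 1}", "tcp", 20) for i in range(40)]

# Constructed binding table as DHCP snooping + 802.1x/ACS would supply it:
# client IP -> (MAC, access switch, port, username, group). Switch IP, port, user
# and group are the page's values; client IPs and MACs are placeholders.
BINDINGS = {
    "10.252.241.55": ("0011.2233.4455", "10.252.240.10", "FastEthernet4/1", "CITG", "CITG-1"),
    "10.252.241.20": ("0011.2233.aabb", "10.252.240.10", "FastEthernet4/2", "alice", "CITG-1"),
}
BASELINE_FLOWS = 100  # per-host flows per window still considered normal (page's figure)

def summarize_flows(flows):
    """Per-source flow count, distinct destinations and packet total."""
    stats = defaultdict(lambda: {"flows": 0, "dsts": set(), "packets": 0})
    for src, dst, _proto, pkts in flows:
        stats[src]["flows"] += 1
        stats[src]["dsts"].add(dst)
        stats[src]["packets"] += pkts
    return stats

def find_suspicious(flows, threshold=BASELINE_FLOWS):
    """Sources whose flow count exceeds the baseline, busiest first."""
    stats = summarize_flows(flows)
    hits = [src for src, s in stats.items() if s["flows"] > threshold]
    return sorted(hits, key=lambda src: -stats[src]["flows"])

def build_alert(src, flows, bindings, window_minutes=5):
    """Join a flagged source with its binding; None if DHCP snooping never learned it."""
    binding = bindings.get(src)
    if binding is None:  # no binding: the address was not learned, so it cannot be trusted
        return None
    s = summarize_flows(flows)[src]
    mac, switch, port, user, group = binding
    return {"user": user, "group": group, "switch": switch, "port": port,
            "client_ip": src, "mac": mac, "flows": s["flows"],
            "distinct_dsts": len(s["dsts"]), "packets": s["packets"],
            "window_minutes": window_minutes}

def format_alert(alert):
    """Body of the notification e-mail the collector script would send."""
    return ("Abnormal activity: user {user} (group {group}) on access switch {switch} "
            "port {port}; client {client_ip} MAC {mac} sent {flows} flows to "
            "{distinct_dsts} hosts, {packets} packets in {window_minutes} min").format(**alert)
```

Running `format_alert(build_alert(src, FLOWS, BINDINGS))` for each source returned by `find_suspicious(FLOWS)` yields the one-line report; an unbound source returns `None`, which a real script should report separately rather than silently drop.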
With this information in hand, the network administrator can immediately take the following action:
Capturing suspicious traffic with remote SPAN. The remote port mirroring feature supported on Catalyst switches can mirror captured traffic to a remote switch, for example mirroring the traffic of a port or VLAN on an access layer switch across a trunk to a port on a distribution or core layer switch, with just a few simple commands. There the traffic is delivered to a network analysis or intrusion detection device (such as the NAM or IDS module integrated into the Catalyst 6500) for further analysis and the corresponding response.
How long does the whole process take? An experienced network administrator can complete it within 5 minutes of the worm's outbreak, without leaving his seat!
We can see that this solution combines a variety of security features integrated into the Catalyst, from 802.1x to DHCP snooping, Dynamic ARP Inspection, IP Source Guard, and Netflow. Used together, these security features give us a solution that effectively counters worm attacks on the enterprise LAN. The solution requires no additional investment, because it relies on features built into Catalyst IOS, and it also leaves us with a thought: how can we use the network to protect the network? Features we may overlook when choosing a switch can turn out to provide unexpectedly effective security solutions!
Article entry: csh Editor in charge: csh