This chapter illustrates a security scenario related to accounting and performance measurement. It describes how to leverage metering information to identify and block security attacks and how to use performance management to proactively secure the network. This chapter is not an introduction to network security in general; neither does it explain how to protect a whole network or access to networking devices. Instead, it describes the metering provided by accounting and performance management as a relevant building block for security solutions, because security management and incident mitigation depend entirely on information about the network's state. Some of the details can be monitored with separate devices, such as intrusion detection systems or sniffers. Nevertheless, the various network management techniques explained in the section "Security Management Process" give security operators the facts they need for attack detection and analysis as well as for tracing an attacker. Without SNMP monitoring, accounting record examination, flow analysis, and other network management techniques, security operators would have limited visibility of attacks and their impact on the network. This chapter illustrates how the various device instrumentation techniques build the foundation of a security framework.
Because this book focuses on accounting and performance management, security applications are out of scope. For complete security solutions, you should investigate applications such as Cisco Security Device Manager (SDM), Cisco Security Monitoring Analysis and Response System (CS-MARS), and intrusion detection systems.
Note that there is a close relationship between security and fault management, because security-related notifications can indicate outages. Given the subject of this book, fault management is addressed only at a high level in this chapter.
The following Cisco Press books offer a good overview of security architectures and troubleshooting:
Self-Defending Networks: The Next Generation of Network Security
Network Security Architectures
Cisco Network Security Troubleshooting Handbook
Figure 16-1 illustrates the network blueprint for security management. It shows multiple branches and remote offices, regional offices, the central data center, and the Network Operations Center (NOC). Various device instrumentation functions are enabled at strategic locations, such as NBAR for application recognition and NetFlow for traffic analysis. Security functions, such as an integrated firewall, are enabled at remote-access routers. At the Internet access point, dedicated firewalls protect the network from external attacks in conjunction with Intrusion Detection Systems (IDS). They all report to central network management applications, such as CS-MARS and NetFlow Collector, at the NOC. Note that a dedicated Syslog server is installed at the NOC. Even though security applications provide Syslog server functionality, this one is used only for logging purposes. Syslog messages from all network elements are stored and archived for troubleshooting purposes. This is very helpful for analyzing the history of issues, answering questions such as "When was this event seen for the first time?" and follow-up questions such as "Did the number of messages increase over time?"
The security scenarios in this chapter are related to network security, mainly securing network device access and transport of metering data.
Note that storing all Syslog messages for years can create a storage problem. One suggestion is to keep the messages from the last three months on the management server and archive older messages on DVDs.
From a high-level perspective, security attacks in the network can be grouped into three categories:
Reconnaissance— Describes the inspection of a network to find active hosts and network elements. The first step for an attacker is to identify potential victims.
Intrusion— A hacker breaks into a system and starts manipulating it. This part relates to securing the operating system against someone logging into it or bypassing the logon routine. It includes everything from choosing secure passwords up to installing the latest bug fixes and following Computer Emergency Response Team (CERT) advisories. Network management applications can identify intrusion indirectly, such as by monitoring log files and ACL violations.
Denial-of-service (DoS) attack— The attacker uses the compromised system to attack other servers, such as public web servers. DoS attacks aim at resource starvation, where a "resource" can be anything in the network, such as CPU utilization, bandwidth, memory, or disk space. The commonality of all DoS attacks is that they aim at one or multiple victims, such as routers, servers, or PCs, with the intention of overwhelming the target systems. Sometimes attacks are combined, such as first attacking a router and then an application server. Identifying these activities is a complex problem that requires intelligent analytics comparing current activity with previous or expected behavior.
The traffic characteristics of these attacks are often similar, as the following examples show:
Ping sweeps send ICMP echo requests to entire ranges of IP addresses, either systematically or randomly. After an ICMP reply message is received, which means an active IP address was found, port scanning takes place. Port scanning searches a system for open TCP or UDP ports as preparation for the subsequent attack. Ping sweeps and port scanning have a common characteristic: they are abnormal operations. Apart from a network management server during network discovery, no application should search for active hosts on the network. In addition, port scanning should not take place under any circumstances.
DoS attacks are actions that prevent parts of a system from functioning in accordance with its intended purpose. This includes any action that causes unauthorized delay of service. In network operations, flooding a device with TCP SYN requests might cause a denial of service.
Ping of death is an attack that sends large ping packets with the intent of overflowing the destination device's input buffers, potentially causing it to crash.
Multiple flows monitored by NetFlow might have identical "fingerprints," such as the same values for the IP header identification field or the packet-length field. This is not the case with normal flows.
Receiving several NetFlow flows with the same value for the time-to-live (TTL) field, number of packets per flow, or average packet size is a possible attack indicator. Under normal circumstances, flows show a variety of values in the NetFlow records.
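The following is an added example, not code from the book or from any Cisco product, showing how the indicators above (ping sweeps, port scans, and identical flow "fingerprints" of TTL, packets per flow, and average packet size) can be checked over simplified NetFlow-style records. The record layout, thresholds, and addresses are constructed for illustration.

```python
"""Added example: simple anomaly checks over constructed NetFlow-like records.
Flags (1) ICMP ping sweeps: one source probing many destinations,
(2) port scans: one source touching many ports on one host, and
(3) groups of flows sharing the same TTL / packet-count / average-size fingerprint."""
from collections import Counter, defaultdict

# Constructed sample records with simplified NetFlow v5-style fields (not real captures):
# (src, dst, proto, dport, packets, bytes, ttl); proto 1=ICMP, 6=TCP, 17=UDP
FLOWS = [
    *[("10.1.1.50", f"10.2.3.{i}", 1, 0, 1, 64, 128) for i in range(1, 41)],   # ICMP sweep
    *[("10.1.1.50", "10.2.3.7", 6, p, 1, 60, 128) for p in range(20, 60)],     # TCP port scan
    ("10.1.1.10", "10.2.3.7", 6, 443, 37, 24567, 64),                          # normal flows
    ("10.1.1.11", "10.2.3.8", 6, 80, 12, 9876, 61),
    ("10.1.1.12", "10.2.3.9", 17, 53, 2, 180, 63),
]

def detect_sweeps(flows, min_targets=20):
    """Sources sending tiny ICMP flows to many distinct destinations (ping sweep)."""
    targets = defaultdict(set)
    for src, dst, proto, _dport, pkts, _nbytes, _ttl in flows:
        if proto == 1 and pkts <= 2:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}

def detect_port_scans(flows, min_ports=20):
    """(source, destination) pairs whose tiny TCP/UDP flows hit many distinct ports."""
    ports = defaultdict(set)
    for src, dst, proto, dport, pkts, _nbytes, _ttl in flows:
        if proto in (6, 17) and pkts <= 2:
            ports[(src, dst)].add(dport)
    return {pair for pair, p in ports.items() if len(p) >= min_ports}

def fingerprint_clusters(flows, min_flows=20):
    """Fingerprint = (ttl, packets per flow, average packet size); normal traffic
    varies, so many flows with an identical fingerprint deserve a closer look."""
    fp = Counter((ttl, pkts, nbytes // pkts) for _s, _d, _p, _dp, pkts, nbytes, ttl in flows)
    return {f: n for f, n in fp.items() if n >= min_flows}

if __name__ == "__main__":
    print("sweep sources:", detect_sweeps(FLOWS))
    print("port scans:", detect_port_scans(FLOWS))
    print("fingerprint clusters:", fingerprint_clusters(FLOWS))
```

In a real deployment the thresholds would be tuned against a baseline of normal flow volumes, and the network management server's own discovery traffic whitelisted.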
It is wrong to assume that most attacks come from the Internet and therefore monitoring of the intranet can be neglected. In fact, the opposite situation is more often the case. Reconnaissance and intrusion attacks often come from the inside. A quote from John Stewart, a vice president in the Cisco CTO office for Corporate Information Security, illustrates this:
"The insider threat is still the largest one irrespective of competitive and otherwise. We use traffic analysis to generate the stats from outbound denial of service attacks versus inbound attacks against us. These attacks are based on infected lab kits, machines, and devices which are misconfigured or infected, and also 'lingering' viruses that don't really cause harm but haven't been fully eradicated."