IDS mailing list archives

Re: NetFlow for IDS


From: Roland Dobbins <rdobbins () cisco com>
Date: Sat, 23 Jul 2005 10:54:36 -0700


We like to think of it more along the lines of having a toolbox full of tools - the different tools do different things, and so we encourage their use, singly or in combination, as the circumstances warrant, and are complementary to one another.

Let's take Arbor; their network-wide statistical anomaly detection system, Peakflow SP DoS, makes use of NetFlow telemetry and is intended for use on ISP networks and the DMZs/PoPs of enterprises with significant public-facing infrastructure. They've also a behavioral anomaly-detection system called Peakflow/X, which does communications relationship mapping; that's intended for use on internal enterprise networks (useful for detecting things such as compromised hosts which join botnets, initiating communications with botnet controllers and scanning for other hosts to compromise). The Arbor tools are mainly used by network operational security (opsec) teams, who can be thought of as the quick-reaction forces who deal with DoS attacks, worm outbreaks with DoS-like side-effects, and so forth.

The CS-MARS system, based upon technology we acquired from Protego, does network-wide event correlation and has Security Information Management Systems, or SIMS, functionality. It takes in telemetry from a variety of sources, including IDS systems, firewalls, VPN concentrators, as well as syslog and SNMP traps from just about anything else (Arbor, for example), and sorts the wheat from the chaff, generating alerts for operationally-significant events. It can also make use of NetFlow telemetry to perform statistical anomaly-detection, and correlates that with other forms of telemetry, if they're available. CS-MARS also is extremely useful when an organization has various regulatory requirements (Sarbanes-Oxley, HIPAA, etc.) and there's a need to monitor and demonstrate compliance (information security, or infosec, teams are often tasked with compliance monitoring and enforcement, and find this functionality quite valuable).

The Guard, based upon technology we acquired from Riverhead, is a mitigation system used to protect public-facing properties such as Web sites, DNS servers, SMTP servers, etc. from DoS (we use DoS and DDoS interchangeably, as so many DoS are distributed, these days), and it does so by utilizing statistical profiling techniques to determine what's normal in terms of traffic headed towards said servers, so that during an attack it can seine out and drop the bad traffic while allowing the good traffic to pass.

Arbor Peakflow SP can serve as the trigger for a BGP-enabled Remotely-Triggered Blackhole (RTBH), and we have worked with them to integrate it with the Guard. We've also a Detector which is based upon technology acquired from Riverhead, and is integrated with the Guard; it is intended for use with the Guard for task-specific detection. The Detector is easy to set up and plug into a SPAN port, and is focused on traffic headed to zones protected by the Guard (it's not a network-wide detection system like Arbor or CS-MARS; it's correspondingly simple to deploy).

An example of how some of these complementary tools are used together may be found here:

    http://www.cisco.com/go/cleanpipes

IDS systems have been around for a while, so I think most folks are familiar with how they operate. Complementing anomaly-detection with signature-based detection ensures that both well-known as well as new threats can be identified and dealt with appropriately.

By combining the above with protocol analyzers and other forms of instrumentation, we now have a rich toolkit for detection/identification, classification, traceback, and reaction at both the macroanalytical and microanalytical levels and on public-facing networks as well as internal networks. Network operators and security personnel can select the tools which are optimal for their environments, goals, organizational responsibilities, and operational models.

I hope this helps!


On Jul 20, 2005, at 11:58 PM, Fergus Brooks wrote:

>snip<


Also Cisco are investors in Arbor and have incorporated Riverhead. The
Riverhead stuff is very good at dealing with anomalous traffic, and
they are also pushing MARS as some kind of anomaly detection solution.
I have also heard that there is some protocol anomaly detection in
Cisco IDS.

As a representative of Cisco Gary, perhaps you could let us all know
what Cisco's roadmap is for these supposedly competing products they
have invested in? I am confused!


>snip<

------------------------------------------------------------------------
Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice

. . . functions placed at low levels of a system may be redundant or of
 little value when compared with the cost of providing them at that low
 level.

     -- Saltzer, Reed & Clark, "End-to-End Arguments in Systems Design"
