Kategorier: Alle - integration - categories - events - flow

af Zoltan Techy 5 år siden

275

Tech

The document outlines various aspects of managing and mitigating Distributed Denial of Service (DDoS) attacks through different tools and methodologies. Key components include preconfigured actions on routers and the creation of DDoS profiles, which differ from FMC profiles.

Tech

Tech

QRadar integration

ADS eevents
Correlation
WIP
Log

Product Training Brno 2018.09

Exclude filter
Filter add
Use cases
Peering optimization

HOW?????????????????????,

DDoS
tune up
adaptive baseline
Trending
Scripting
FTI

HTTP host names via probes

SQL like syntax to write your own
Items
Probe

IPFIX over TLS

Collector
Intro
We are best in

Multitenancy

RESTful API

cloud or on premise

400k fps per collector

40G/100G probes

Trends

Flow-enabled devices grow in number

L7 app info

NBAR2

USER PERSP

FTR

on demand and auto capture

APM Transgen

recording

auto testing

HTTP/S and SQL

NG SEC

endpoint, perimeter, signature less

NBA

NG mon

NRT

Flows

STD

sFLow

packet sampled

NEL, NSEL

Cisco fw logs

jFlow

Juniper

NetStream

Huawei

IPFIX

v9

templates, flexible

vlan, mac provided

v5

no mac, vlan

non key fields

AS number

ifindex

byte count

pkt count

Key fields

dst port

src port

dst ip

src ip

v5, v9, IPFIX

SRC IP DST IP Proto Lifetime, PAckets, sum of bytes

IP, MAC, Proto, packets

What we do

Security

Operations

Visibility and monitoring

Not: endpoint security

Not: Perimeter security

Compatible and competitive

APM

Must practice: NPM views with and without APM
Find out in which cases will we miss certain statistical parameters and why
Notifications
Visible in alerts
Attached to apps and groups
Several metrics selectable
Bases for events and alerts
Analisys
SLAs

Uses groups (nothing to do with the former part)

Define an override of SLA for specific parts of apps

Groups

Defined via filters, configurable when off

Sub-views of a given application

Error counts, error codes
Caveat: DBMS and app communication visibility; i.e. local switching problems
Instances of transactions: specifics
Transactions view: aggregate
Counters based view

3x SLA

2x SLA

SLA

Parallel users
Review median, 99% and 95% views
Subordinate apps

Used to chain apps, e.g. database and webserver

User ID

Usually not used, helpful option though

Transaction ID

URL method

Session identification e.g. virtual hosting

Cookies

Wildcards, regexps

User-Agent

Response codes

URL param

URL File ext

URL path

Must define VLAN tags
Probe config
Driver (!)
remote
Local

DDos

DDoS profiles as opposed to FMC profiles
Must check: shadow profiles as parents?
Must review: detection methods
Community
Preconfigured action on the router

ADS

Tuning
Applies to false positives as well

Notable exception: can delete associated events

Previously evaluated events remain in the DB
Actions
Traffic Recorder
Script
Syslog
SNMP
Events View
Aggregated view

Visual patterns of events

View by hosts and number of event occurrences
Categories

Assign events to categories... then categories are searchable

Create in processing

E.g. L1, L2, L3 cases

Different top categories

...

Most hits

Latest

Blacklists
Use your own
Downloaded every 6h
Perspectives
Classify events
FCP instance - 1 flow source profile
Can use relations filter
Associated to individual detection methods
Works with batches of 5 mins
Check: flow processing is coming to ADS too?
Flow sources
Sampling rate; syntax 1:x
Deduplication: flows passing multiple points counted only once
Uses real parent profile
Explicit specification of what is used
Wizard
External services: support purposes and patterns
Hosts count
NTP
DHCP srv
Proxy
DNS
Mail
Servers
Public IPs

FW?

LAN
Template
Erases all previous data
Need to be in Processing
ISP version -> sampling
FCP instances
15k fps hardware limit
Amount of flows analyzed?
Internal options in licensing?
Cache.key?

NPMD

Traffic recorder
Data port - raw format or pcaps?
Traffic recorder only receives the pcaps
Traffic recorder - Probe is essential to captures
Voice analysis
Licensing?
Active devices
Main purpose?
Reporting
Need to personally look at options
Chapters daunting, any knowledge on reports used the most?

Idea: find key applications and report on their use

APM data in reports?

Alerting
Run script

Who runs the script?

User

Root

Execution where?

Routing table use

Flowmon appliance?

Granularity plays an important role here!

30sec

5min

Typical use cases, must-have alerts?
Profiles
What happens when we actually assign source to a role?
Granularity must match the parent
Shadow can not be used for alerting, children and other modules such as ADS or DDoS defender

OK for analysis

OK for reporting

Maximal size, data retention: do we copy the data or is it a subset of the parent data?

Shadow vs Real?

Flow statistics and views
Are these tabs connected?
Aggregation
E.g. source and dest ip; what happens actually?
Use cases?

Looking at specific conversations

Typical

What is the basis of calculation?
NPM Server Response Time
NPM RTT
NPM Jitter