The proliferation of Internet worms has caused huge losses in recent years and is a headache for many service operators and enterprise network administrators; moreover, the damage caused by these attacks is becoming more and more serious. Although worms do not usually destroy data, the direct and indirect damage they cause congests networks and systems. The computing resources of infected end systems are seriously affected, worm propagation consumes a great deal of link bandwidth, and worse still, the load placed on core network devices causes network instability or even paralysis. Taking SQL Slammer as an example, the average packet loss rate was 20% at the peak of infection and propagation. The unstable network left bank ATMs unable to work and paralyzed airline ticketing systems; in just two days, 0.3 million hosts were infected with SQL Slammer, resulting in billions of dollars in losses.
Today, more and more enterprises are integrating key business applications, voice, video and other new applications into the IP network. A secure and reliable network is the key to the success of enterprise business. The boundary between the internal and external networks of an enterprise is becoming increasingly blurred, and users are becoming more and more mobile. The internal LAN that we used to regard as secure has itself become a latent threat: it is difficult to ensure that a virus will never be brought into the enterprise network, and the wide reach and high-speed connectivity of the LAN can make it fertile ground for the rapid spread of worms. How should we deal with this new network security environment? How to prevent worms on the LAN, and how to detect, track and contain them in time before they flood the network, is a problem every network manager is thinking about.
Perhaps this is a very big proposition. It does indeed require a systematic and coordinated security policy. From the network to the host, and from the core layer through the distribution layer to the access layer, we need a comprehensive enterprise security policy to protect the entire network and the systems connected to it. In addition, even when a worm outbreak occurs, we need measures that minimize its impact and protect our network infrastructure so that the network keeps running stably.
This article describes a unique solution on Cisco Catalyst switches that prevents the harm done by worms in a very economical, effective and scalable way.
First, we need to understand the abnormal behavior of a worm and have the means to detect that behavior as early as possible. When suspicious behavior is detected, we must be able to locate its source quickly, that is, track its source IP address, MAC address, login user name, connected switch and port number, and so on, in order to collect evidence and make a judgment. If it is a worm, we must respond in a timely manner, for example by shutting down the port and dealing with the infected machine.
However, access switches are deployed in every wiring closet and provide edge access for enterprise desktop systems. For reasons of cost and management, we cannot place an IDS device next to every access-layer switch. If IDS is deployed at the distribution or core layer, which aggregates hundreds of megabits or gigabits per second of Ethernet traffic, a software-based IDS working at layer 3 cannot process such massive volumes of data. It is therefore impractical to monitor all traffic indiscriminately.
How can we find a targeted, effective and economically scalable solution? With the security features and NetFlow integrated into the Catalyst switch, we can!
Detecting suspicious traffic. Using the traffic statistics collected and exported by Cisco NetFlow, we can find a single host that sends far more connection requests than normal; such an abnormally large amount of traffic is often a sign of a worm outbreak or of network abuse, because a characteristic of worms is that they scan a large number of random IP addresses during an attack to find possible targets, producing a large number of TCP or ICMP flows. A flow record contains no payload information at all; this is an important difference between NetFlow and a traditional IDS. Because a flow record carries no higher-layer information, it can be processed in hardware at high speed and is suitable for busy high-speed LAN environments; the Catalyst 4500 and Catalyst 6500 switches deployed at the core and distribution layers generally support hardware-based NetFlow. NetFlow therefore cannot perform in-depth analysis of packets, but it has enough information to detect suspicious traffic, and it is not hampered by the "0-day" problem of signature-based detection. If properly analyzed and utilized, NetFlow records are very suitable for early detection of worms or other network abuse.
It is important to know the baseline of the traffic pattern. For example, it is normal for a user to have 50-1000 connections at the same time, but if a user initiates a far larger number of active flows (for example,), that is abnormal.
Tracing suspicious sources. Once suspicious traffic is identified, it is equally important to trace its source, including the physical location and the user ID. In today's mobile environment, users roam freely across the campus network, and knowing only the source IP address makes it hard to locate a user quickly. We also need to prevent spoofed IP addresses; otherwise the detected source IP address will not help us trace the suspicious source. In addition, we need to locate not only the connection port but also the login user name.
Collecting suspicious traffic. Once suspicious traffic is detected, we need to capture the packets to determine whether the abnormal traffic is a new worm attack. As mentioned above, NetFlow does not analyze packets in depth, so we need a network analysis tool or an intrusion detection device for further judgment. But how can we capture suspicious traffic easily and quickly and direct it to the network analysis tool? Speed is very important; otherwise we miss the chance to kill the worm in its early stages. Besides quickly locating the physical position of the suspicious device, evidence should be collected as soon as possible. We cannot place a network analyzer or intrusion detection device next to every access switch, nor carry the analyzer to the wiring closet whenever suspicious traffic is detected.
With the above analysis in mind, let us see how the Catalyst features meet these needs.
Detecting suspicious traffic. The Catalyst 6500 and the Catalyst 4500 (Sup IV, Sup V and Sup V-10GE) provide a hardware-based NetFlow function that collects information about traffic flowing through the network. Collection and statistics are done in a hardware ASIC, so there is no impact on system performance. The Catalyst 4500 Sup V-10GE comes with the NetFlow card by default, so no additional investment is required.
Tracing suspicious sources. The security features integrated into the Catalyst provide Identity-Based Network Services (IBNS) as well as DHCP snooping, IP Source Guard and Dynamic ARP Inspection. These features supply the information that binds a user's IP address, MAC address and physical port together, and they prevent spoofed IP addresses. This is very important: if IP address spoofing cannot be prevented, the information collected by NetFlow is meaningless. This binding information is available as soon as the user logs on to the network, and in combination with ACS the login user name can be located as well. A script on the NetFlow collector then sends the relevant information to the network administrator by email whenever suspicious traffic is detected.
The notification email reports the user with abnormal network activity (CITG-1, the 802.1x login name, belonging to CITG); the IP address of the access-layer switch, 10.252.240.10; the physical interface, FastEthernet4/1; the client IP address and MAC address; and the number of flows and packets sent by that IP address within 5 minutes (a window defined by the script).
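As an added illustration of the collector-side detection described above (the per-host flow counting against a baseline, and the per-window flow and packet figures the notification email carries), here is a script that is not the author's or Cisco's code: it parses constructed NetFlow v5 export datagrams and flags source hosts whose flow count in the window exceeds an assumed baseline. The threshold, the sample addresses and the tcp/445 sweep are constructed assumptions; the emailing step and the 802.1x/port lookup are left out.

```python
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 export datagram: 24-byte header, then up to 30 flow records of 48 bytes each.
V5_HEADER = struct.Struct("!HHIIIIBBH")             # version, count, uptime, secs, nsecs, seq, engine, sampling
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifs, pkts, octets, times, ports, flags, proto, ...

def parse_v5(datagram):
    """Yield (src_ip, dst_ip, proto, dst_port, packets) for every flow record in one v5 datagram."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        yield str(ipaddress.IPv4Address(r[0])), str(ipaddress.IPv4Address(r[1])), r[13], r[10], r[5]

def find_scanners(datagrams, max_flows=1000):
    """Aggregate flows per source host over one window (all datagrams passed in) and return the
    hosts whose flow count exceeds the site baseline max_flows, most active first."""
    stats = defaultdict(lambda: {"flows": 0, "dsts": set(), "packets": 0})
    for dg in datagrams:
        for src, dst, _proto, _dport, pkts in parse_v5(dg):
            stats[src]["flows"] += 1
            stats[src]["dsts"].add(dst)       # a worm scan fans out to many distinct destinations
            stats[src]["packets"] += pkts
    alerts = [{"src": src, "flows": s["flows"], "distinct_dsts": len(s["dsts"]), "packets": s["packets"]}
              for src, s in stats.items() if s["flows"] > max_flows]
    return sorted(alerts, key=lambda a: a["flows"], reverse=True)

def build_datagrams(records):
    """Constructed test data: pack (src, dst, proto, dport, pkts) tuples into v5 datagrams of <= 30 records."""
    out = []
    for i in range(0, len(records), 30):
        chunk = records[i:i + 30]
        body = b"".join(V5_RECORD.pack(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(d)), 0, 1, 2,
                                       p, p * 64, 0, 100, 40000, dport, 0, 0x02, proto, 0, 0, 0, 24, 24, 0)
                        for s, d, proto, dport, p in chunk)
        out.append(V5_HEADER.pack(5, len(chunk), 100000, 1700000000, 0, i, 0, 0, 0) + body)
    return out

# Constructed sample window: a normal workstation talking to a few servers, and an infected host
# (assumed address) sweeping 1200 different addresses on tcp/445 with one packet per flow.
NORMAL = [("10.252.1.20", "10.252.0.%d" % (10 + i % 5), 6, 80, 12) for i in range(40)]
SCANNER = [("10.252.1.77", "10.%d.%d.1" % (i // 256, i % 256), 6, 445, 1) for i in range(1200)]

if __name__ == "__main__":
    for a in find_scanners(build_datagrams(NORMAL + SCANNER)):
        print(f"ALERT {a['src']}: {a['flows']} flows to {a['distinct_dsts']} hosts, {a['packets']} packets")
```

The returned alert records hold the per-host figures that the script on the collector would put into the email, alongside the switch, port and user name looked up from the binding information.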
Once the information is obtained, the network administrator can take the following actions immediately:
Capturing suspicious traffic through remote SPAN. The remote port mirroring (RSPAN) function supported by Catalyst switches can mirror traffic to a remote switch: for example, traffic from a port or VLAN on the access-layer switch is mirrored across the trunk to a port on the distribution- or core-layer switch, and only a few simple commands are needed. The captured traffic is then delivered to a network analysis or intrusion detection device (such as the Catalyst 6500's integrated Network Analysis Module, NAM, or its IDS module) for further analysis and action.
How long does the whole process take? For an experienced network manager, it can be completed within 5 minutes, without ever leaving his seat!
We can see that this solution combines multiple security features integrated into the Catalyst, from extended 802.1x to DHCP snooping, Dynamic ARP Inspection, IP Source Guard and NetFlow. Used together, these features give us an effective way to prevent worm attacks on the enterprise LAN with no additional investment, because we use only what is already integrated in IOS on the Catalyst. It also makes us think about using the network to protect the network: features we may overlook when selecting a switch can bring unexpected and effective security solutions!
Article entry: csh responsible editor: csh