SCOR

Network Visibility and Segmentation.

Network administrators and cybersecurity professionals should always have complete visibility of networking devices and the traffic
within their infrastructure.
Common technologies that can be used to obtain and maintain complete network visibility:
- NetFlow
- IPFIX
- Cisco Stealthwatch
- Intrusion detection system/intrusion prevention system (IDS/IPS)
- Cisco Advanced Malware Protection (AMP) for Endpoints and Networks

NetFlow.
Created by Cisco.
Provides comprehensive visibility into all network traffic that traverses a Cisco-supported device.
Initially created for billing and accounting of network traffic.
As network traffic traverses a NetFlow-enabled device, the device collects traffic flow information and provides a network
administrator or security professional with detailed information about such flows.

Allows the administrator to perform the tasks:

- See what is actually happening across the entire network.
- Identify DoS attacks.
- Quickly identify compromised endpoints and network infrastructure devices.
- Monitor network usage of employees, contractors, or partners.
- Detect firewall misconfigurations and inappropriate access to corporate resources.

NetFlow supports both IP Version (IPv ) and IP Version (IPv ).

NetFlow is often compared to a phone bill.
NetFlow provides information about all network activity that can be very useful for incident response and network forensics.
You can deploy it anywhere you have a supported router, switch, ASA, FTD.
Alternatively, you can use Cisco Stealthwatch Flow Sensor.
- A network appliance that functions similarly to a traditional packet capture appliance or IDS in that it connects into a Switch Port
Analyzer (SPAN), mirror port.
- Augments visibility where NetFlow is not available in the infrastructure device (router, switch, and so on).
- Or where NetFlow is available but you want deeper visibility into performance metrics and packet data.
- You typically configure it with the Cisco Stealthwatch Flow Collector.

FlowReplicator (Also known as the UDP Director)

- A physical appliance used to forward NetFlow data as a single data stream to other devices.
- This can be done for any type of UDP datagram for ex syslogs, SNMP traps, NetFlow, sFlow, IPFIX and others.

Flow.
A unidirectional series of packets between a given source and destination.
In a flow, the same source and destination IP, source and destination ports, and IP protocol are shared.

SCOR Page
The NetFlow database is often called the NetFlow cache.
NetFlow protocol data units (PDUs) [flow records] are generated and sent to a NetFlow collector.
Three types of NetFlow cache:
Normal cache
The default cache type in many infrastructure devices enabled with NetFlow and Flexible NetFlow.
The entries in the flow cache are removed (aged out) based on the configured timeout.
Immediate cache.
Flow accounts for a single packet
Desirable for real-time traffic monitoring and distributed DoS (DDoS) detection
May result in a large amount of export data.
This subsequently increases the CPU and memory utilization of the network infrastructure device.
Permanent cache.
Used to track a set of flows without expiring the flows from the cache.
The entire cache is periodically exported (update timer).
The cache is a configurable value.
After the cache is full, new flows will not be monitored.

Session Vs Flow.
When the client establishes the HTTP connection (session) to the server and accesses a web page, it represents two separate flows.

NetFlow for Network Security and Visibility

Anomaly-detection system monitors network traffic and alerts and then reacts to any sudden increase in traffic and any other anomalies.

SCOR Page
SCOR Page
IP FLOW INFORMATION EXPORT (IPFIX)
A network flow standard led by the IETF.
Was created for a common, universal standard of export for the flow information from routers, switches, firewalls, and other
infrastructure devices.
Defines how flow information should be formatted and transferred from an exporter to a collector.
Cisco NetFlow Version is the basis and main point of reference for IPFIX.
Each IPFIX-enabled device regularly sends IPFIX messages to configured collectors (receivers) without any interaction by the receiver.
Uses SCTP, which provides a packet transport service designed to support several features beyond TCP or UDP capabilities.

CISCO STEALTHWATCH
Cisco acquired Lancope several years ago and further developed their Stealthwatch solution.
Uses NetFlow telemetry and contextual information from the Cisco network infrastructure.
Allows administrators and cybersecurity professionals to analyze network telemetry in a timely manner.
A network-based anomaly system.
Monitors all the network activity between any host server or application and creates a baseline based on that behaviour.
Aggregates and normalizes considerable amounts of NetFlow data to apply security analytics to detect malicious and suspicious
activity.
Components of the Cisco Stealthwatch solution:
FlowCollector.
A physical or virtual appliance that collects NetFlow data from infrastructure devices.
Stealthwatch Management Console (SMC).
The main management application that provides detailed dashboards and the ability to correlate network flow and events.
Used to create policies and view alerts.
Flow licenses.
Define the volume of flows that may be collected. (Flow per second).
Required to aggregate flows at the Stealthwatch Management Console.

SCOR Page
Stealthwatch Cloud.
A Software as a Service (SaaS) cloud solution.
Used to monitor many different public cloud environments, such as Amazon s AWS, Google Cloud platform, and Microsoft Azure.
All of these cloud providers support their own implementation of NetFlow.
In Amazon AWS, the equivalent of NetFlow is called VPC Flow Logs.
Google Cloud Platform also supports VPC Flow Logs (or Google-branded GPC Flow Logs).
In Microsoft s Azure, traffic flows are collected in Network Security Group (NSG) flow logs.

Cisco Stealthwatch Cloud AWS Visualizations Network Graph allows you to explore the nodes you have deployed in AWS.

You need to deploy at least one Cisco Stealthwatch Cloud Sensor appliance (virtual or physical appliance).
Will send network metadata information to the Cisco Stealthwatch Cloud.

SCOR Page
Security Insight Dashboard can be used to quickly see the events that have triggered alarms within your premises.

In Host Report page you can view information about a single host s activity as far back as the last days

SCOR Page
You can also perform very detailed flow searches by navigating to Analyze > Flow Search

NetFlow has a single cache, and all applications use the same cache information.
Flexible NetFlow allows the security professional to create multiple flow caches or information databases to track.
Each NetFlow cache serves a different purpose.
In Flexible NetFlow, the administrator can specify what to track, resulting in fewer flows.

SCOR Page
Configuration on cisco router.
Create a flow record with the flow record command.
R(config)#flow record rec
Configure a key field for the flow record.
R(config-flow-record)#match ipv destination address
The default attributes are the IP packet identity or key fields for the flow and determine if the packet information is unique or
similar to other packets.
Items such as TCP flags, subnet masks, packets, bytes, etc. are non key fields , but are often still collected and exported in NetFlow
or IPFIX.
In short, Match = Key and Collect = non-key.
Configure a non-key field with the collect command.
R(config-flow-record)#collect interface input
R(config-flow-record)#end
R#show flow record rec
R#sh running-config flow record
Create a flow monitor.
R(config)# flow monitor mon
To assign records to the flow monitor.
R(config-flow-monitor)# record rec or record netflow ipv original-input
R#show flow monitor
R# show running-config flow monitor
To configure flow exporter settings.
SCOR Page
To configure flow exporter settings.
R(config)# flow exporter exp
R(config-flow-exporter)# destination
R(config-flow-exporter)# transport udp (The default is UDP port )
R(config-flow-exporter)# source f /
R (config-flow-exporter)#export-protocol netflow-v
Assign exporter to the flow monitor.
R(config-flow-monitor)# exporter exp
To verify flow exporter configuration.
R# show flow exporter
R# show running-config flow exporter exp
R# show running-config flow exporter
To verify flow monitor configuratiinteron.
R# show flow monitor
To view the NetFlow cache.
R# show flow monitor name monitor cache
To apply a specific flow monitor to an outgoing interface.
R(config-if)# ip flow monitor mon output

Active timeout.
The frequency of active flow records that are exported from the flow cache to Network Performance Insight.
Default value is min.
To get real-time traffic reports, set this value to .
Router(config)# ip flow-cache timeout active

Inactive timeout.
The frequency of inactive flow records that are exported from the flow cache to Network Performance Insight.
A flow record is inactive when the conversation between two interfaces is stopped.
Default value is sec.
Router(config)# ip flow-cache timeout inactive
Stealthwatch installation.
First install SMC before colletor.
Stealthwatch default credentials:
CLI default username: sysadmin or root , password: lan cope
GUI default username: admin , password: lan cope
When connecting to the SMC, type the SMC GUI credentials and the default port is

Network Segmentation.
The process of logically grouping network assets, resources, and applications.
Segmentation provides the flexibility to implement a variety of services, authentication requirements, and security controls.
Network segments include the following types:
Trusted network (wired or wireless).
The internal network that is accessible to authorized users.
External accessibility is restricted through the use of firewalls, VPNs, and IDS/IPS devices.
Internal accessibility may be restricted through the use of VLANs.
Semi-trusted network, perimeter network or DMZ.
A network that is designed to be Internet accessible.
Hosts such as web servers and email gateways are generally located in the DMZ.
Internal and external accessibility is restricted through the use of firewalls, VPNs, and IDS/IPS devices.
Guest network (wired or wireless).
A network that is specifically designed for use by visitors to connect to the Internet.
There is no access from the guest network to the internal trusted network.
Untrusted network.
A network outside your security controls. The Internet is an untrusted network.
Enclave network.
A segment of an internal network that requires a higher degree of protection.
Internal accessibility is further restricted through the use of firewalls, VPNs, VLANs, and network access control (NAC) devices (for ex
ISE).

Segmentation in virtualized environments

SCOR Page
SEGMENTATION WITH CISCO ISE.
During the classification process, Security Group Tags (SGTs) are assigned to IP addresses (IPv or IPv ).
The Scalable Group Tag Exchange Protocol (SXP) is a control plane protocol used to convey IP-to-SGT mappings to network devices
when you cannot perform inline tagging.
SPX uses peer-to-peer TCP connections over TCP port .
IP-to-SGT mappings are sent from the SXP speaker end of the connection to the SXP listener end.
You can simplify propagation in your design by using Cisco ISE as an SXP speaker.
ISE learns the IP address of the user s system when they authenticate onto the network.
Then Cisco ISE assigns an SGT via the authorization table.
Cisco ISE interacts with network infrastructure devices and transfers SGTs, IP-to-SGT mapping propagation, policy enforcement, and
SGACL download.
ISE can determine the type of device or endpoint connecting to the network by performing profiling.
Profiling is done by using DHCP, SNMP, Span, NetFlow, HTTP, RADIUS, DNS, or NMAP scans to collect as much metadata as
possible to learn the device fingerprint.
Servers are classified into groups using static classification.
Dynamic classification is typically used for user, endpoint, or guest authentications by using x, MAB, WebAuth, or PassiveID

MICRO-SEGMENTATION WITH CISCO ACI (Application Centric Infrastructure).

Cisco ACI is a software-defined networking (SDN) solution designed for data centers.
Allows organizations to automatically assign endpoints to logical security zones called endpoint groups (EPGs).
EPGs are used to group VMs within a tenant and apply filtering and forwarding policies to them.
These EPGs are based on various network-based or VM-based attributes.
In the Figure, all Virtual Desktop Infrastructure (VDI) environments from the Engineering, Human Resources (HR), and Sales groups
are moved to new uSeg EPGs (Eng_MS, HR_MS, and SALES_MS, respectively) to provide granular policies.

SCOR Page
are moved to new uSeg EPGs (Eng_MS, HR_MS, and SALES_MS, respectively) to provide granular policies.

SCOR Page