Wednesday, June 23, 2010

firewall-wizards Digest, Vol 50, Issue 7

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Taking a traffic snapshot with network IDS (Yack, Daniel)
2. Re: Taking a traffic snapshot with network IDS (Jens Link)


----------------------------------------------------------------------

Message: 1
Date: Tue, 22 Jun 2010 08:27:56 -0700
From: "Yack, Daniel" <dyack@aiminspections.com>
Subject: Re: [fw-wiz] Taking a traffic snapshot with network IDS
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<409693ACD01C2146B96FFAA11F906E3A02ACB731@EXBE02.itsgrp.local>
Content-Type: text/plain; charset="us-ascii"

I do like Netflow and messed with it a few years ago in a different
company. However I wasn't the one that administrated it, so I never
really saw the flexibility.

I'll install it for one part of the lab; however it looks like it's
geared towards Cisco devices. Let's say I have a secondary segment that
has no Cisco units.

Marcus suggested a few such as Argus. That has an interesting write-up
so I may try that first.

As for exactly what I'm after? I want to establish a good baseline of
what to expect inside each network segment. So flows are important, as
are generic ports being used. On certain segments I should ONLY see
TCP/UDP; some others may run different layer 4 traffic.

I've used wireshark quite a bit for troubleshooting, but I thought using
it for something like this would be a bit too bulky or hard to evaluate
the output. Maybe that's just me though. Actually, with that in mind,
is there something I could feed a capture file into that would summarize
the content?

From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
Farrukh Haroon
Sent: Monday, June 21, 2010 9:52 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Taking a traffic snapshot with network IDS

Instead of capturing each packet, you would be better off going via the
Netflow Path IMHO.

There are a number of free netflow analyzers available on the Internet
e.g.:

http://www.plixer.com/products/netflow-sflow/free-netflow-scrutinizer.php

http://www.solarwinds.com/products/freetools/netflow_analyzer.aspx
http://www.paessler.com/ (I think they offer one netflow sensor in the
free version)

Regards

Farrukh

On Fri, Jun 18, 2010 at 4:58 PM, Yack, Daniel <dyack@aiminspections.com>
wrote:

There are probably one thousand ways to do this, but I wanted to toss
this out...

For simplicity, let's just say I'm watching traffic from an internet
router to my core router(s). That's the only segment I'm interested in.
The goal is for me to discover all 'normal' traffic in my
environment, and take a snapshot of that. By snapshot, I mean gather
traffic for 24 hours. Then review all of it manually, and create a
template that says "alert when you find something that isn't in this
list".

I realize this is a pretty simple problem - but getting back to basics
is always a good thing. I do have some linux experience, but am not a
'power user'. Any ideas on tools or what to use for this? An IDS/IPS
is probably the answer here, right? If so, which kind...perhaps snort?
I consider myself a firewall guy but am ashamed I've never used it!!

Oh...as far as hardware available: Doing this in a lab first, which
has: Cisco for the internet router, going through Fortigate and/or
Checkpoint firewalls, into a Cisco core layer 3 switch. Also I have a
few linux platforms but they're tasked for other things over there.
Don't over-analyze the network topology, I can always move or make more
than one IDS if needed.

Any ideas? Perhaps someone has done this before?

-Dan


_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20100622/03bb7ea1/attachment-0001.html>
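Dan's two questions above (is there something a capture file can be fed into that summarizes it, and how to turn a 24-hour snapshot into a "alert on anything not in this list" template) can be illustrated with a small script. This is an added example for this digest, not code from the thread or from any of the tools it mentions (Argus, nfdump and the NetFlow analyzers do this job properly at scale). It is standard-library Python only: it reads a classic pcap file (Ethernet + IPv4), counts flows by protocol, destination and destination port, records which layer-4 protocols appeared on the segment, and then diffs a later capture against the baseline. The two captures are constructed in memory from hand-built frames, so the file runs offline; the addresses and ports in them are made up.

```python
"""Build a traffic baseline from a pcap and flag anything outside it.

Added example (not from the firewall-wizards thread). Handles classic
pcap files with Ethernet/IPv4 frames; IPv6 and VLAN-tagged frames are
counted as "non-ipv4" rather than parsed.
"""
import struct
from collections import Counter

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def _ipv4_frame(proto, src, dst, sport=None, dport=None):
    """Constructed test frame: Ethernet + IPv4 + a minimal L4 header (no real traffic)."""
    if proto == 6:        # TCP: 20-byte header, SYN flag, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    elif proto == 17:     # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:                 # ICMP echo request
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4   # zero MACs, EtherType IPv4


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1277000000 + i, 0, len(f), len(f)) + f
    return out


def summarize_pcap(data):
    """Return (flows, l4): flows counts (proto, dst_ip, dst_port), l4 counts IP protocol numbers."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")
    flows, l4, offset = Counter(), Counter(), 24
    while offset + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", data, offset)
        pkt = data[offset + 16: offset + 16 + caplen]
        offset += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            l4["non-ipv4"] += 1
            continue
        ihl = (pkt[14] & 0x0F) * 4          # IPv4 header length in bytes
        proto = pkt[23]
        dst = ".".join(map(str, pkt[30:34]))
        l4[proto] += 1
        name = PROTO_NAMES.get(proto, str(proto))
        hdr = pkt[14 + ihl:]
        if proto in (6, 17) and len(hdr) >= 4:
            _sport, dport = struct.unpack("!HH", hdr[:4])
            flows[(name, dst, dport)] += 1
        else:
            flows[(name, dst, None)] += 1    # no ports for ICMP and friends
    return flows, l4


def baseline_keys(flows):
    """The 'template': every (protocol, destination port) pair seen in the snapshot."""
    return {(proto, port) for (proto, _dst, port) in flows}


def check_against_baseline(baseline, flows):
    """Alert on every flow whose (protocol, port) is not in the baseline."""
    alerts = [(key, n) for key, n in flows.items() if (key[0], key[2]) not in baseline]
    return sorted(alerts, key=lambda a: (a[0][0], a[0][1], -1 if a[0][2] is None else a[0][2]))


def non_tcp_udp(l4):
    """Layer-4 protocols other than TCP/UDP, for segments that should only carry those."""
    return {p: n for p, n in l4.items() if p not in (6, 17)}


# Constructed captures: the baseline day, then a later capture with two newcomers.
BASELINE_FRAMES = [
    _ipv4_frame(6, "10.0.1.10", "10.0.2.20", 51000, 443),
    _ipv4_frame(6, "10.0.1.11", "10.0.2.20", 51001, 443),
    _ipv4_frame(6, "10.0.1.10", "10.0.2.21", 51002, 80),
    _ipv4_frame(17, "10.0.1.10", "10.0.2.53", 51003, 53),
]
NEW_FRAMES = BASELINE_FRAMES + [
    _ipv4_frame(6, "10.0.1.12", "10.0.2.22", 51004, 3389),   # RDP never seen before
    _ipv4_frame(1, "10.0.1.12", "10.0.2.20"),                 # ICMP on a TCP/UDP-only segment
]
BASELINE_PCAP = build_pcap(BASELINE_FRAMES)
NEW_PCAP = build_pcap(NEW_FRAMES)

if __name__ == "__main__":
    base_flows, base_l4 = summarize_pcap(BASELINE_PCAP)
    template = baseline_keys(base_flows)
    new_flows, new_l4 = summarize_pcap(NEW_PCAP)
    for key, n in check_against_baseline(template, new_flows):
        print("ALERT not in baseline:", key, "packets:", n)
    print("non-TCP/UDP protocols seen:", non_tcp_udp(new_l4))
```

Against a real 24-hour capture the script would read the file bytes instead of `BASELINE_PCAP`, and the template would be saved and reviewed by hand before being used for alerting, which is exactly the manual review step Dan describes. Counting by destination and port rather than by packet is what keeps the summary readable compared with scrolling a capture in Wireshark.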

------------------------------

Message: 2
Date: Tue, 22 Jun 2010 16:10:52 +0200
From: Jens Link <lists@quux.de>
Subject: Re: [fw-wiz] Taking a traffic snapshot with network IDS
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <87r5jzjgyb.fsf@oban.berlin.quux.de>
Content-Type: text/plain; charset=us-ascii

Farrukh Haroon <farrukhharoon@gmail.com> writes:

> Instead of capturing each packet, you would be better off going via the
> Netflow Path IMHO.
>
> There are a number of free netflow analyzers available on the Internet
> e.g.:

I like to use nfdump and nfsen for analyzing Netflow data. Nfdump
contains an accounting daemon and some tools for analyzing / converting
data on the command line, nfsen is a web interface for nfdump.

See http://nfdump.sf.net and http://nfsen.sf.net for details.

cheers

Jens
--
-------------------------------------------------------------------------
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jenslink@guug.de | ------------------- |
-------------------------------------------------------------------------


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 50, Issue 7
***********************************************
