If you have the money ($75K+) and a big data center moving a lot of data, Cisco’s Nexus 7000 series switch offers wickedly fast processing power and a lot of compelling security features. Hopefully this signals an increased interest in network security by the switch vendors.
Running NX-OS version 4.0, the Nexus 7000 switch supports the security features you would expect from a high-end switch: 802.1x, RADIUS, MAC-based ACLs for policy enforcement, and so on. More important to us at BreachBytes is the native hardware support for NetFlow. I commented Monday on the fact that sFlow is generally more prevalent in switches than NetFlow; Cisco, however, seems to be challenging that assertion with this OS release and products like the Nexus 7000 that run it.
In a previous post I gave a rundown of various software tools for collecting NetFlow data for use in network security incident response. NetFlow is pervasive in routers, but another technology, sFlow, is nearly as prevalent in routers and can also be collected from switches, an arena that NetFlow does not play in very much as of yet. sFlow is a packet sampling technology: rather than maintaining per-flow state, the device exports a configurable 1-in-N sample of packet headers (plus interface counters), which can provide a depth of network visibility, a key component of network forensics and incident response, even beyond what NetFlow can offer. For more information on sFlow check out sflow.org.
There is not as much activity in free software around sFlow as around NetFlow; however, InMon has a good suite of tools that can help enterprises leverage sFlow data from routers and switches. Their sFlow agent software can sniff packets off a network interface card and convert them into sFlow datagrams, so if you do not have an sFlow-enabled switch or router you can still test what sFlow brings to the table.
Yesterday, my BreachBytes co-author Andy wrote about the rise of organized crime in cybersecurity. It is an interesting and alarming trend that we have been discussing for quite some time at Packet Analytics. I have been watching a few developing stories on another trend in the hacker community: hacktivism. The Register reported yesterday on the RIAA website's recent defacement problems and on the Church of Scientology's DoS problems. Just this morning Reuters has a blurb about purported cyberattacks aimed at Panama by US hackers angry with the election of Pedro Miguel Gonzalez as the president of the Panamanian legislature (Gonzalez is a murder suspect in the US).
Reading, research and personal experience have led me to believe that modern hackers (I am not including whitehat hackers here; that's another post) are motivated in one of three ways:
- Bragging rights (traditional hackers, script kiddie)
- Money (organized crime, identity thieves, scammers)
- Ideology (hacktivists, spies)
NetFlow data remains a largely untapped resource for network security professionals. All modern routers support it, yet in most cases NetFlow is used for network operations management and QoS and then discarded. This is very unfortunate for security analysts, who need flow data for a variety of security and compliance reasons. Good flow data is a fundamental aspect of any network forensics investigation: a flow record tells you who talked to whom, on which ports, when, and how much data moved, even where no full packet capture exists. NetFlow data is appealing in that, for networks with routers that already support it, it is free and easy to collect.
Luckily, there are several free NetFlow tools available to collect and store NetFlow data, often in a highly efficient compressed binary format. These tools vary greatly in terms of quality and support. The table below summarizes the free NetFlow tools available to network security analysts.
| Name | Version | Last Updated | License |
|---|---|---|---|
| NEye | 1.0.1 | February 6, 2005 | GNU-like |
| SiLK | 0.11.7 | September 6, 2007 | GNU |
| Flowd | 0.9 | March 4, 2006 | BSD-like |
| nfdump | 1.5.6 | August 8, 2007 | BSD |
| flow-tools | 0.68 | April 11, 2005 | Apache-like |
| Cflowd | 2.1.b1 | October 24, 2000 | GNU |
| EHNT | 0.4 | August 5, 2003 | GNU |
| Flowc | 1.6 | August 18, 2006 | Apache-like |
From personal experience, I have found SiLK, flow-tools and nfdump to be excellent solutions for capturing flow data. It is interesting to note that only two of the eight tools above have been updated in the last year. Future posts on BreachBytes will cover some of these tools in depth as well as look into performance comparisons of the tools.
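All of the collectors in the table above do, at bottom, the same first step: receive a UDP export datagram from the router and decode its flow records. The following is an added example (not code from BreachBytes or from any of the tools listed) that decodes a NetFlow v5 datagram, the most common export format of the era, and then performs the kind of pivot an incident responder wants from flow data: every flow touching a host of interest, and how much it sent. The datagram, the addresses (10.0.0.0/8 and 192.0.2.0/24) and the flow counts are constructed for the example; the header and record layouts are the standard v5 format.

```python
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 wire format, all fields big-endian: a 24-byte header followed
# by `count` 48-byte flow records. Both Struct layouts are the standard ones.
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    srcport: int
    dstport: int
    proto: int      # IP protocol number (6 = TCP, 17 = UDP)
    packets: int
    octets: int
    first_ms: int   # router sysuptime (ms) at the flow's first packet
    last_ms: int    # router sysuptime (ms) at the flow's last packet
    tcp_flags: int  # cumulative OR of TCP flags seen in the flow


def parse_v5_datagram(data: bytes) -> list[Flow]:
    """Decode one NetFlow v5 export datagram (as read from UDP) into Flows."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(data, 0)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # Trust the header's record count only after checking it against the
    # actual length; a malformed or truncated datagram must not raise struct
    # errors deep inside the loop.
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: fewer records than header claims")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                          sport, dport, proto, pkts, octets, first, last, flags))
    return flows


def flows_involving(flows: list[Flow], host: str) -> list[Flow]:
    """Forensic pivot: every flow in which `host` was source or destination."""
    return [f for f in flows if host in (f.src, f.dst)]


def bytes_sent_by(flows: list[Flow], host: str) -> int:
    """Total octets in flows whose source is `host` (exfiltration sizing)."""
    return sum(f.octets for f in flows if f.src == host)


# ---- constructed sample datagram (hypothetical addresses, not real traffic) ----
def _record(src, dst, sport, dport, proto, pkts, octets, first, last, flags=0):
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                          socket.inet_aton("0.0.0.0"),   # nexthop
                          1, 2,                          # input/output ifIndex
                          pkts, octets, first, last, sport, dport,
                          0, flags, proto, 0,            # pad1, tcp_flags, prot, tos
                          0, 0, 24, 24, 0)               # src_as, dst_as, masks, pad2


def build_v5_datagram(records: list[bytes], uptime_ms: int = 100_000,
                      unix_secs: int = 1_199_145_600, seq: int = 0) -> bytes:
    header = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    return header + b"".join(records)


# An SSH session to 192.0.2.10, a DNS lookup, and a large transfer back from
# 192.0.2.10 on a high port: the shape of a compromise you would want to find.
SAMPLE_DATAGRAM = build_v5_datagram([
    _record("10.0.0.5", "192.0.2.10", 51234, 22, 6, 40, 5200, 90_000, 95_000, 0x1b),
    _record("10.0.0.7", "10.0.0.53", 53001, 53, 17, 1, 70, 91_000, 91_000),
    _record("192.0.2.10", "10.0.0.5", 4444, 60000, 6, 200, 180_000, 96_000, 99_500, 0x18),
])
SAMPLE_FLOWS = parse_v5_datagram(SAMPLE_DATAGRAM)

if __name__ == "__main__":
    for f in flows_involving(SAMPLE_FLOWS, "192.0.2.10"):
        print(f"{f.src}:{f.srcport} -> {f.dst}:{f.dstport} proto={f.proto} "
              f"pkts={f.packets} bytes={f.octets} flags=0x{f.tcp_flags:02x}")
```

In a real collector the bytes come from a UDP socket bound to the export port (2055 is the usual convention) and the decoded records are written to disk in the tool's binary store; the length and version checks matter because the exporter is unauthenticated UDP and a collector that trusts the header's record count will crash or misread on a spoofed or truncated datagram.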
Two big legal cases have made headlines in the cybercrime arena over the last week. First, Reuters reported on 1/3/08 that the Justice Department has indicted Alan Ralsky, known as the "spam king", on charges that he orchestrated a stock spamming operation. Reuters, in a 1/8/08 article, is also reporting on a case where a system administrator was hit with $81K in fines and 30 months in prison for unleashing a classic logic bomb on his former employer's servers.
Maybe this is just a coincidence, but does it signal a shift towards holding criminals accountable for cybercrime? I personally would like to think so, since a huge reason that cybercrime is so rampant is the U.S. legal system's inability to evolve and adapt in the prosecution of crimes that take place on or using the Internet.