When Enforcement Doesn’t...

Watching the Walls

In an earlier blog entry, I discussed the importance of surveillance in conjunction with enforcement. Among the reasons that monitoring enforcement is important is validating its effectiveness. As I have had the opportunity to turn on pervasive monitoring in organizations that have historically lacked it, I regularly discover that the perception of enforcement is much different than its reality.

Reasons for this include misconfigurations, poor architecture, product failures, policy violations and product vulnerabilities being exploited. The number of variables in modern networks make assurance of enforcement effectiveness very hard to come by. A little monitoring of reality can reclaim that lost assurance.

NetFlow as the Source

When trying to establish facts, it’s important to have a reliable source of information. Enforcement mechanisms make poor witnesses in failure conditions for two reasons. First, if they have been compromised, their reliability for logging is not trustworthy. Secondly, if the enforcement mechanism was circumvented (by routing around it), it would have no visibility into the communication. NetFlow makes a superior data source for at least three reasons. First, it is a “bystander witness” separate from the enforcement mechanism. Secondly, it is pervasively deployed, allowing for monitoring no matter where the communication is routed. Thirdly, it is created on every interface the communication crosses, enabling corroboration from multiple data sources.

Validation Scenarios

Using NetFlow data from existing infrastructure, several enforcement scenarios can be validated.

IP Blacklisting

By grouping client IP addresses into a host group, and blacklisted external IP addresses into additional host groups, alarms can be generated when either attempted communications occur (uni-directional) or successful connections (bi-directional) are made to “blocked” hosts. These monitoring rules can be created to mirror what is enabled in the enforcement architecture.


Lancope Host Locking Rule

Additionally, since NetFlow allows for historical analysis, histograms of prohibited traffic can be generated.

NetFlow Historical Anlysis

In troubleshooting the cause of these “un-enforced” conversations, detailed records of each flow can be examined to determine how they occurred.

Service Blocking

In addition to monitoring for IP blocking, NetFlow can be used to monitor for prohibited services by examining the port numbers being used. In the example below, the unencrypted protocol, Telnet, is being blocked by the firewall and monitored by Lancope’s NetFlow-based StealthWatch System.

Host Locking Rule


Internal Compliance Monitoring

To protect assets on the internal network, controls are put in place to ensure that unauthorized users cannot access that data. The example below is a simple rule to alarm when enforcement fails to keep desktop users from accessing protected cardholder data (PCI compliance).

Host Locking Rule - Compliance


Application Filtering

Using the deep packet inspection functionality of the StealthWatch FlowSensor, application awareness can be reliably added to flow logging. This allows for historical or continuous monitoring of a proxy or application firewall to determine its effectiveness in prohibiting unauthorized communications. Below is a policy to alert on successful peer-to-peer (P2P) communications outside the network.

Host Locking Rule - Peer-to-Peer


Here is a histogram showing the trend of traffic that was not successfully blocked.

Not Blocked Network Traffic


Inbound Communications

Pervasive NetFlow monitoring can also be used to validate that inbound communications aren’t bypassing firewalls or other mechanisms through exploit or bypass. Below is a simple rule looking for SQL connections that the firewall doesn’t block.

Host Locking Rule - Inbound Traffic bypassing Firewall


Wrap Up

Intelligently processing NetFlow records from the network infrastructure provides a reliable and accurate means of determining if enforcement mechanisms are properly handling traffic. Alerting can occur in real time, or historical analysis can be applied to validate designs.

Real-time NetFlow Alerts


For further details on the security capabilities of Lancope’s StealthWatch System, go to: http://www.lancope.com/solutions/security-operations/.