January 2012

Network Behavior Analysis

Network Behavior Analysis: Best Approached at the Switch?

By Michael Patterson, Plixer International

Michael Patterson outlines how hardware vendors approach Network Behavior Analysis (NBA) without the use of NetFlow or sFlow, as well as when to use software such as Scrutinizer to perform NBA on legacy networks. To understand the concept of NBA, the white paper from Plixer International, NBA: Is Network Behavior Analysis For You? (http://www.plixer.com/support/wp_request.php) should be read first.

The only two vendors (Cisco and Enterasys) supporting NetFlow at the switch level tout Network Behavior Analysis (NBA) solutions that don’t involve NetFlow. Is this because NetFlow was designed by Cisco primarily for traffic accounting, usage-based network billing and network planning?

Denial of Service monitoring as well as network monitoring for other security purposes is certainly possible however, NetFlow v5 the most widely deployed lacks key information to perform extensive NBA. Even HP, who supports sFlow at the switch, has a NBA solution which doesn’t directly include the use of sFlow. sFlow is a technology that is similar to NetFlow.

Denial of Service attacks, BitTorrent, and port scans are some of the largest network security fears. They can be detected and stopped by switches from HP, Cisco and Enterasys without using the on board flow abilities.

Stop viruses and worms or treat them?

They can’t be completely Stopped
Viruses, worms and the like will make it onto the corporate network. You can bet on it. Security administrators can only do so much to protect the businesses electronic jewels. Best practices and reasonable protective measures are really all that can be done. Over zealous security measures can stifle a company and can be costly to maintain. Luckily, threats have “behaviors”.

A Cold Analogy
A computer virus can be compared at some level to the common cold. On average, a person will contract dozens of cold viruses over their lifetime. Most of us know that a person can never have the same cold twice but, the symptoms of a second cold maybe nearly or exactly the same as a previous cold. A stuffy nose, sore throat, congestion, itchy eyes, etc. These are behaviors of the common cold. Tylenol sells 2 – 3 different medicinal products to help a person deal with the symptoms of any cold until the human body can remove the virus completely from the body.

Luckily, most computer network viruses like the common cold exhibit consistent behaviors. They scan the network and they launch denial of service attacks, etc. Cisco, HP, Enterasys and others have put technology like Tylenol on their switches that can deal with these abnormal behaviors. It is often done in a way that allows the network to continue operating until the network administrator can eradicate the computer virus from the network.

Enterasys NBA Solution
Enterasys has developed at technology called Flow Setup Throttling (FST) where by the switch tracks flow setup and provides mechanisms to respond to excessive flow buildup, typically a suspicious behavior. FST can notify administrators, define maximum flow count and control flow buildup rates. Imagine, stopping the problem without completely shutting off the users port!

FST can detect worm attacks, slow them down or stop them regardless of whether or not the defined signature is well-known or a brand new zero-day threat.

“Enterasys builds-in proactive protection mechanisms to automatically sense and respond to infrastructure threats, limit access based on user/application role, and automate compliance activities. With NetFlow data collection built-in to our switches, it can be analyzed from both performance management and security management perspectives.”- Trent Waterhouse – VP of Marketing, Enterasys Secure Networks

Cisco NBA Solution
Cisco has an NBA solution that may involve upgrading the switch engine in the 6500 chassis with its new Sup32 PISA blade. It watches traffic behaviors and takes lightning speed action by looking deep into the packets which is something you just can’t do with most NetFlow analysis tools.

“Sup32 PISA offers you the ability apply QoS and Security policies to traffic flows based on application or based on patterns deep in the packets. Basically, you can prioritize based on HTTP URL, or match things like Citrix or VoIP statefully. You can also block BitTorrent or Skype – if that is your corporate policy. And you can do all this in hardware at multi- Gigabit speeds.”- Sachin Gupta – Senior Manager, Cisco Catalyst 6500 Team

Sachin goes on to say that: “Flexible Packet Matching allows you to filter at any offset in the packet whereas ACLs are limited to L4 ports. For example, the Slammer worm is a UDP packet that has a certain bit string at a 224 byte offset – ACLs can’t match this exactly but FPM can. You can find examples of FPM filters at: http://www.cisco.com/cgi-bin/tablebuild.pl/fpm

HP NBA Solution
HP ProCurve Switches have the following features for Advanced Threat Detection:

  • BPDU Filtering and BPDU Protection
  • Connection rate filtering and throttling technology
  • When throttling or blocking is enabled, penalty periods can be configured
  • DHCP Snooping
  • Dynamic ARP Protection
  • Connection-Rate ACLs create exceptions or special policies
  • Instrumentation Monitors
  • Selective port enabling

“We have Layer 2 virus-throttling built right into our switches. So we have already integrated the offensive and defensive features together at the edge ports. Historically, security solutions have been provided by security vendors with host-based software or drop-on products. We are looking at how you also integrate more of the threat management that you see today in, say, universal threat management (UTM) devices. So putting firewalls, antivirus, IDS/IPS down onto the switches.” – Paul Congdon – CTO, Hewlett Packard’s ProCurve Networking

NBA at the Switch Benefits

  • Behavior based operation that does not require identifying details unique to the code exhibiting the worm like operation.
  • Handles unknown worms because it recognizes behavior. It is not looking for specifics which require signature updates.
  • Protects network infrastructure by slowing or stopping (i.e. mitigate) IP traffic from hosts exhibiting high connection rate behavior (e.g. a throttle could stop the W32/Nimda-D work in less than one second).
  • Allows network and individual switches to continue to operate, even when under attack.
  • Provides event log and SNMP trap warnings when worm like behavior is detected.
  • Gives IT staff more time to react before the threat escalates to a crisis.

Why Perform NBA or FA with NetFlow?
Why do companies like Plixer sell NBA solutions based on NetFlow? Because legacy switches don’t have NBA built in and in most cases can’t be upgraded.

Also, Plixer’s Flow Analytics (FA) module doesn’t just perform NBA, it reports on top conversations, applications, hosts based on megabits, hosts based on flow volume and conversations. FA also trends the volume of unique hosts on the network over time and several other useful enterprise-wide metrics.

The top measurements across hundreds of flow sending devices are something that must be done by compiling the distributed data in a central location. Beyond NBA, it is this holistic view that makes up the additional value of Scrutinizer FA.




The above top measurements across hundreds of flow sending devices are something that must be done by compiling the distributed data in a central location. Beyond NBA, it is this holistic view that makes up the additional value of Scrutinizer FA.

How do companies gain the benefits of NBA on legacy switches that can’t be upgraded? This can be done in a couple of ways.

  1. Using NetFlow from routers or switches, analyzers, such as Scrutinizer, can watch for anomalies and trigger SNMP sets which can disable interfaces on switches or routers; they can also make access list changes, etc. However, unless you own Enterasys switches or high end Cisco Catalyst switches like the Catalyst 5500 or 6500 series, you won’t have NetFlow capabilities and the mitigation can get a bit more difficult if the algorithms rely on the NetFlow from routers to make changes to the switches. What about sFlow? Unfortunately, often times the packet sample rate isn’t frequent enough with sFlow to make reliable mitigation decisions via NBA.
  2. If you have a star configuration in the network where several switches or routers connect to a central device, NetFlow switches acting as probes can be inserted (i.e. in line) into the network. Non NetFlow capable switches then plug into the NetFlow switch (e.g. Enterasys). Loaded with the NetFlow information, NBA can occur and ultimately corrective action can take place closer to the ingress of the attack.

What is the Concern?
Flow Analytics watches flow patterns. Patterns are accumulated and anomalies trigger an indicator called the Concern Index (CI). As more algorithms trigger on the same host, the Concern Index value increases.

Hosts with a higher concern index or count can trigger alarms and ultimately require attention from the network administrator.

“Our current Flow Analytics with NBA solution detects DDoS attacks, BitTorrent, port scans, illegal IP addresses, etc., using information that is in all versions of sFlow and NetFlow.”

”Rolling baselines of end user behavior is the next step. The lions share of the NetFlow market is still looking at network congestion and digging in for details like top hosts and applications. Our solution is the best value in this market.” – Michael Patterson – CEO of Plixer International

Nothing Can Stop the Storm Worm
Nothing today can detect the proliferation of the Storm Worm. Storm’s delivery mechanism changes regularly. It started out as PDF spam, then its programmers started using e-cards and YouTube invites — anything to entice users to click on a phony link. Storm also started posting blog-comment spam, again trying to trick viewers into clicking infected links. While these sorts of things are pretty standard worm tactics, it does highlight how Storm is constantly shifting at all levels.

Storm maintains two types of infected hosts “command and control” and “workers”. They all communicate using a p2p (Peer to Peer) network like BitTorrent increasing the difficulty to track and shut down. The C2 (command and control) hosts just sit and wait and they keep track of 20-30 worker hosts each. These infected hosts generate almost no traffic and use a “fast-flux” DNS system to keep security people guessing. Storm also rewrites itself to keep Anti Virus software from identifying it. Nobody has figured out how to consistently identify this virus. Storm runs as a root kit on your host so you can’t easily see it and uses almost no CPU or memory. Scary!

What’s worse, if you sense something is wrong and perform a security scan on a suspect host, it could notify the botnet and DDOS your network! There are potentially 20 million hosts infected, waiting for instructions to attack and nobody knows how to stop it. The only way to vaguely identify the traffic is to look deep inside the p2p packet. If that is encrypted, suspicions raise.

To gain the benefits of NBA, customers may be wondering if it is cheaper to upgrade all or just the core of the network with NBA switches or to purchase a NetFlow Analyzer with NBA? The best solution maybe a hybrid approach.

Existing routers likely support NetFlow and the benefits of a NetFlow Analyzer allow a company to get started right away without hardware upgrades. Plixer’s Flow Analytics capability empowers companies to investigate further NBA plans without laying out a huge investment.