Administration
• All callers are on mute
‒ If you have problems, please let us know via the Chat window

• There will be Q&A
‒ Feel free to type a question at any time

• Slides and recording will be available
‒ Notification within 48 hours via a follow-up email

#wp_forensics

Network Forensics for Wired and Wireless Networks


2

Agenda
•
•
•
•
•
•
•
•

What Is Network Forensics?
Myths/Realities in Network Forensics
Configuring Your Network for Forensics
Wired vs. Wireless Network Forensics
Use Cases

Performing Forensic Analysis
WildPackets Corporate Overview
WildPackets Product Line Overview

#wp_forensics



3

What Is Network Forensics?


www.wildpackets.com

4

What is Network Forensics ?
• Marcus Ranum is credited with defining Network
Forensics as “the capture, recording, and analysis of
network events in order to discover the source of
security attacks or other problem incidents.”
(wikipedia)

• It’s not like TV – employ forensics before the “crime”
- network traffic is transmitted and then lost, leaving
no clues behind

• Other names: packet mining, packet forensics, digital
forensics

#wp_forensics



What Purpose Does It Serve ?
• Allows us to find the
details of network events
after they have happened

• Eliminates the need to
reproduce network
problems

• Distill data to manageable
levels by employing
filters and analysis

#wp_forensics



Network vs. Security Forensics
• Network forensics is a superset of security forensics
• Forensics is not just DPI (Deep Packet Inspection)
• Requires the lossless capture, storage, and analysis
of extremely large data volumes

• Network forensics: enterprise vs. lawful intercept
‒ Concerned with the process of reconstructing a network event
• Network or infrastructure outage
• Intrusion such as a “hack” or other penetration
‒ Provides a recording of the actual incident

• Based on live IP packet data captures
‒ A new way of looking at trace file analysis
‒ Continues from where traditional network troubleshooting ends
#wp_forensics



Network Forensics Drivers
• Faster networks/greater data volumes
‒ 10/40G adoption grew 62% in 2012
‒ 75% of the investments in networking are for 10G1

• Richer data
• Subtler and more malicious security threats
‒
‒
‒
‒

Zero-day attacks
APTs (Advanced Persistent Threats)
75% of data breaches financially motivated
66% of breaches took months or longer to discover2

• Sampled data and high-level stats
‒ Flow-based network monitoring vs. detailed DPI analysis
1

http://www.infonetics.com/pr/2013/2H12-Networking-Ports-Market-Highlights.asp

2 http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf

#wp_forensics



8

Why Forensics?
• Validate what your logs are telling you
• Generate alarms/alerts on data you’ll never find in
logs

• Invest time analyzing, not reproducing
• Immediately begin investigating the issue – you have
a recording of the incident!

• Isolate key data – from multi-TB archives - rapidly
and intuitively

• Understand the depth of penetration for any incident

#wp_forensics



Myths/Realities in Network
Forensics


www.wildpackets.com

10

Network Forensics

85%

The number of respondents that feel
network forensics is a necessity at 10G

31%

The number who are using network
forensics at 10G

The State of Faster Networks, WildPackets, Oct 2013
#wp_forensics



11

Network Forensics Usage
12%

For security
purposes

28%
For monitoring
intermittent network
issues
For monitoring
intermittent
application issues
For 24/7 transaction
analysis

24%

36%
#wp_forensics



12

Challenges with Network Forensics

#wp_forensics



13

10G – Driving Network Forensics Usage
 100 Participants
 Company size:

 43% - Large organizations
 26% - Medium
 31% - Small

 Functional Breakdown
 84% - Network Engineer
 15% - IT Director
 1% - Executive

#wp_forensics



14

10G – Driving Network Forensics Usage

#wp_forensics



15

The Implications of Doing Nothing
 64% of organizations reported that managing
network performance has become more complex
over last 12 months

 Organizations are losing on average $72,000 per
minute of unplanned network downtime

 48% of organizations reported that, on average,
they spend more than 60 minutes on repairing
performance issues - per incident
#wp_forensics



Configuring Your Network for
Forensics


www.wildpackets.com

17

Requirements for a Network Forensics Solution
• Capturing and recording data
‒
‒
‒
‒

10/40G network support
No dropped packets – 100% fidelity
Continuously available
Always test in your environment

• Discovering data
‒ Timely results delivery
‒ Filtering for IP addresses, applications, etc.

• Analyzing data
‒ Automated analysis – Expert events
‒ Simple, intuitive workflow
‒ Data visualization from multiple perspectives
#wp_forensics



18

10G Network Analysis Workflow
Deploy 24x7
Monitoring

Identify Key
Analysis Pts

NO

Alarms/
Alerts

Problem?
YES

Rewind
Data
#wp_forensics

Analyze


Tune if
Necessary

A Solution for Every Network

#wp_forensics



20

Data Capture from High-Speed Links

#wp_forensics



Forensic Analysis – Capturing An Attack
2. Data Recorder records
and aggregates data
throughout attack

IDS/IPS System

3. Event logged, attack
partially tracked by IDS

Servers

1. Attack
bypasses firewall

#wp_forensics

4. Post event analysis reveals
attacker, method, damage!



10G Network Data Storage
• 1Gbps steady-state traffic assuming no storage
overhead:
7.68 GB/min
460 GB/hr
11 TB/day
2.9 days in a 32TB appliance

• 10Gbps:
76.8GB/min
4.6 TB/hr
110 TB/day
28 hours in a 128TB appliance
#wp_forensics



Wired vs. Wireless Network
Forensics


www.wildpackets.com

24

802.11ac – Breaking the Gigabit Barrier

Gratuitous clipart - Please ignore

11 Mbps
1-2 Mbps 802.11b
<1 Mbps 802.11 1997 550%
100%
Proprietary
1989

#wp_forensics

1991

1999

433/866/1300+ Mbps
802.11ac
288% (vs. 450)
(to 6.93 Gbps)
300/450/600 Mbps
802.11n
54 Mbps
833%
802.11g/a
490%

2003

2009

2013

Source: Farpoint Group


#wp_forensics



26

Additional Drivers for Wireless Forensics
• BYOD
‒ No configuration control
‒ Limited or no access to the end-user device
‒ Problems reported “after the fact”

• Point-of-Presence required
‒ Wireless data must be captured within a few hundred feet of the
device
‒ Vastly more collection points than for wired forensics

• Data volumes that rival wired data
‒ 1.3Gbps will be common with 802.11ac
‒ Mobile devices outnumbering wired devices

#wp_forensics



27

Wireless Forensics Solution
• As wireless approaches wired
speeds, it’s time to start
relying on the wire

• Distributed analysis using
deployed assets – APs – is the
only effective solution as
wireless speeds grow

• 24/7 capture/analysis ensures
problems aren’t missed

• Recording enables wireless
forensic analysis
#wp_forensics



28

Wireless Forensics Benefits
• Reduce MTTR

• Prioritize analysis tasks

‒ No need to reproduce a
problem
‒ No need to wait for it to
happen again

• Increase WLAN service
uptime
‒ WLANs are now missioncritical
‒ Mobility implies you won’t be
near the problem

‒ Deal with emergencies
immediately
‒ Handle routine investigations
as time permits
‒ Save data for long-term
analysis

• Reduce reaction time
‒ Data are always available for
analysis

• Reduce analysis costs
‒ A single solution for wireless
and wired analysis

#wp_forensics



29

Use Cases


www.wildpackets.com

Use Cases for Network Forensics
• Finding proof of a security attack
• Troubleshooting intermittent performance issues
• Monitoring user activity for compliance with IT and
HR policies

• Identifying the source of data leaks
• Monitoring business transactions
• Verifying VoIP and video over IP performance

#wp_forensics



31

Best Practices for Network Forensics
Capturing Network Traffic
1. Capture traffic continuously
2. Deploy a solution that captures traffic reliably
3. Set up filters to catch anomalies
Storing Traffic

4. Allocate sufficient storage for the volume of data
being collected
5. Adjust file sizes for the desired performance
optimization
#wp_forensics



32

Best Practices for Network Forensics
(cont.)
Analyzing Traffic
6. Select a network forensics solution that supports
filters and searches that are fast, flexible, and
precise
7. Record baseline measurements of network
performance
8. Use filters to zoom in on the problem at hand

#wp_forensics



33

Performing Forensic Analysis


www.wildpackets.com

WildPackets – The Network Forensics Myth Buster
Myth

Busted

Can’t analyze at 10G line rate
Dropped packets
Captured data is not reliable
Inability to collect packets at all network locations
Inadequate real-time stats

Real-time analysis no longer an option
Limited visibility into VoIP
Inability to analyze/search recorded traffic
No end-to-end visibility into application transactions
Limitations in security monitoring

#wp_forensics



35

Q&A
Show us your tweets!
Use today’s webinar hashtag:

Follow us on SlideShare!

#wp_forensics

Check out today’s slides on SlideShare
www.slideshare.net/wildpackets

with any questions, comments, or feedback.
Follow us @wildpackets


www.wildpackets.com

WildPackets Corporate Overview
Optimizing Network and Application Performance


www.wildpackets.com

Corporate Background
• Experts in network monitoring, analysis, and troubleshooting
‒ Founded: 1990 / Headquarters: Walnut Creek, CA
‒ Offices throughout the US, EMEA, and APAC

• Customers spanning leading edge organizations
‒ Mid-market and enterprise lines of business
‒ Financial, manufacturing, ISPs, major federal agencies,
state and local governments, universities
‒ Over 7,000 customers / 60+ countries / 80% of Fortune 1,000

• Award-winning solutions that improve network performance
‒ Internet Telephony, Network Magazine, Network Computing awards
‒ United States Patent 5,787,253 issued July 28, 1998
• “Apparatus and Method of Analyzing Internet Activity”
#wp_forensics



Why Our Customers Need Us
• VoIP, video, cloud, virtualization, and key business
applications are saturating critical network services

• Evolving network technologies create discontinuities
‒ 1 Gig  10 Gig  40 Gig  100 Gig networks
‒ Wireless, BYOD initiatives

• Users and business can not tolerate network
problems for mission critical services
Increasing demand for better real-time network visibility,
network analytics, network forensics, and DPI
#wp_forensics



How We Create Value
We provide innovative, industry-leading, real-time
network performance management solutions
‒ Easy-to-use, easy-to-learn user interface
‒ Uniquely extensible solutions
‒ Wireless network leadership
‒ Detailed analytics related to network applications
‒ Fastest network traffic capture appliance in its class
‒ Technical superiority at competitive price point
WildPackets has continually advanced its solution to meet the needs of its
customers

#wp_forensics



Unprecedented Network Visibility
NETWORK HEALTH

GLOBAL

WatchPoint can manage and report on key
device performance and availability across
the entire network, from anywhere on the network.

UNDERSTAND END-USER PERFORMANCE

DISTRIBUTED

Omnipliance network analysis and recorder appliances monitor
and analyze performance across critical network
segments, virtual environments, and remote sites.

PINPOINT NETWORK ISSUES ANYWHERE

PORTABLE

Omnipliance Portable can rapidly identify and troubleshoot
issues before they become major problems—wired or
wireless—down the hall or across the globe.

ROOT-CAUSE ANALYSIS

DPI
#wp_forensics

OmniPeek network analyzer performs deep packet inspection
and can reconstruct all network activity, including e-mail and
IM, as well as analyze VoIP and video traffic quality.



A History of Innovation
2001

2005

2009

2011

• First 802.11
wireless analyzer
• First network
analyzer with
automated expert
analysis

Combined
distributed
network and
VoIP
network
analysis

Innovative
dashboard
with drill-down for
VoIP
and video

• Total visibility with
zero packet loss
• First wireless
network analyzer to
support capture and
analysis of 802.11n
3-stream wireless

2008

2010

2012

2013

Distributed real-time
Enterprise-wide
troubleshooting Monitoring and Reporting

First to achieve 11
Gbps sustained
capture-to-disk

• Capture, record, and
analyze from 40G
network segments
• First wireless network
analyzer to support
801.11ac, k, r, u, v, w

Industry
leading
network
analysis and
recorder
appliances

2003

#wp_forensics



Product Line Overview


www.wildpackets.com

Omni Distributed Analysis Platform
OmniPeek
Enterprise Packet Capture, Decode and Analysis
• Ethernet,1/10 Gigabit, 802.11, and voice and video over IP
• Portable capture and OmniEngine console
• Aggregate analysis data across multiple capture points

Omnipliance
Network Analysis and Recorder Appliances
• High-performance packet capture and real-time analysis
• Stream-to-disk for forensics analysis
• Integrated OmniAdapter network analysis cards up to 40G

WatchPoint
Centralized Enterprise Network Monitoring Appliance
• Aggregation and graphical display of network data
• WildPackets OmniEngines
• NetFlow and sFlow
#wp_forensics



Omni Distributed Analysis Platform
Software and Turnkey Solutions
• Enterprise monitoring and reporting
‒ WatchPoint Server
‒ OmniFlow, NetFlow, and sFlow Collectors

• Network Analysis and Recorder Appliances
‒ Omnipliance CX, MX, TL
‒ Optional OmniStorage
‒ OmniAdapter analysis cards

• Distributed analysis software
‒ OmniPeek – Enterprise, Professional, Basic, Connect
‒ OmniPeek Remote Assistant
‒ OmniEngine Enterprise

• Portable solutions
‒ OmniPeek network analyzer
‒ Omnipliance Portable
#wp_forensics



OmniPeek Network Analyzer
• Distributed analysis manager
– Connect to and configure distributed OmniEngines and Omnipliances,

• Comprehensive dashboards present network traffic in real-time
– Vital statistics and graphs display trends on network and application
performance
– Visual peer-map shows conversations and protocols
– Intuitive drill-down for root-cause analysis of performance bottlenecks

• Visual Expert diagnosis speeds problem resolution
– Packet and payload visualizers provide business-centric views

• Automated analytics and problem detection 24/7
– Easily create filters, triggers, scripting, advanced alarms, and alerts

#wp_forensics



OmniPeek Remote Assistant
Distributed, End-user Packet Capture Made Simple
• Simple to deploy, simple to use
‒ Remote push, download from server, or even
email
‒ Simple user interface - eliminates confusion for
end user
‒ Full fidelity capture - see exactly what the PC
sees
‒ Wired or wireless

Trouble call from remote site network response is slow.

• Encrypted file
‒ Only the analyst can open it
‒ Different encryption keys for different locations
or customers

User downloads and installs
OmniPeek Remote. Encrypted capture
data sent back for analysis.

• Detailed client-side/end-user experience
analysis

• Perfect for Tech Support or IT Desktop
support
#wp_forensics


Network analyst uses OmniPeek
Enterprise to quickly troubleshoot
problem without leaving the office.

OmniWiFi USB WLAN Capture Adapter
• A single device for all WLAN packet capture needs
• Driver included with Omni v7.9 CDs
• Tested and supported with OmniPeek and OmniEngine

• Product features:
•
•
•
•
•
•

USB device with extension cable
Dual band operation – 2.4GHz and 5GHz
Supports all standard international 802.11 channels (a/b/g/n)
Supports 802.11n - 3 transmit/receive streams (450Mbps)
Supports 802.11n 20MHz and 40MHz channel operation
Supports multi-channel aggregation and roaming

• Technical Details:
‒ Size (LWH): 6 inches, 1.5 inches, 5.5 inches
‒ Weight: 5.6 ounces

NOTE:
• Capture ONLY – no network services
• Does not capture 802.11ac

• Available via Amazon - $99/each
#wp_forensics



New Network Analysis and Recorder Appliances

Powerful
Precise
Affordable
The new family of WildPackets Network Analysis and Recorder
appliances gives IT organizations powerful and precise analysis of
high-speed networks in an affordable solution with half the
hardware footprint of rival offerings.

#wp_forensics



Powerful
‒ Fastest network recorder in its class! Captures traffic up to 20Gbps of realworld traffic (all size packet distribution)
‒ Scales up to 128 TB of storage
‒ Provides simultaneous real-time analysis and a comprehensive Forensic
Search that rapidly searches through terabytes of captured traffic for the
details relevant to an investigation

Precise
‒ Captures complete network traffic, so you can analyze everything, not just
samples or high-level statistics
‒ Doesn’t drop packets or sacrifice accuracy for speed
‒ Supports rich, detailed analysis, including VoIP and video-over-IP traffic

Affordable
‒ Delivers outstanding price/performance (lower price; half the rack space)
‒ Allows mix of 1G/10G/40G interfaces without buying extra appliances
‒ Solutions start at $16,995

Your network is bigger and faster. Now your analysis solution is, too.
#wp_forensics



Omnipliance TL
Industry Leading Network Analysis and Recorder Appliance

• Sets a new standard in capture-to-disk speeds
‒ 20Gbps sustained capture to disk rate with zero packet drop

• Best price/performance Network Analysis Appliance
in the market
‒ 20Gbps with only one Omnipliance TL + OmniStorage
‒ Consuming less rack space, less cooling, less electrical power

• Most flexible network interface offering
‒ 1G/10G/40G interfaces supported in a single unit eliminates
additional unit requirement

• Most accurate real-time analytics
‒ Packet-based processing and analysis vs. inaccurate samplebased calculation
#wp_forensics



WildPackets Network Analysis Recorder Appliances
Price/Performance Solutions for Every Application

Portable

Omnipliance CX

Omnipliance MX

Omnipliance TL

Ruggedized
Troubleshooting

Less Demanding Networks
Remote Offices

Datacenter Workhorse
Easily Expandable

Enterprise, HighlyUtilized Networks

Aluminum chassis / 17” LCD

1U rack mountable chassis



24GB RAM

16GB RAM

32GB RAM

64GB RAM

2 PCI-E Slots

2 PCI-E Slots

4 PCI-E Slots

4 PCI-E Slots

2 Built-in Ethernet Ports




6TB Storage

4/8/16TB Storage

16/32TB Storage

32/48/64TB Storage
Optional OmniStorage:
32/48/64TB
Up to 128TB total Storage

OmniAdapter 1G and 10G

OmniAdapter 1G/10G MX

OmniAdapter 1G/10G MX

OmniAdapter 1G/10G/40G

6.5Gbps CTD

3.8Gbps CTD

8.8Gbps CTD

20Gbps CTD with
OmniStorage

#wp_forensics



WatchPoint
Centralized Monitoring for Distributed Enterprise Networks
•

High-level, aggregated
view of all network
segments
– Monitor per campus, per
region, per country

•

Wide range of network
data
– NetFlow, sFlow, OmniFlow

•
•
•

#wp_forensics


Web-based, customizable
network dashboards
Flexible detailed reports
Direct link to detailed,
packet-based analysis


Comprehensive Support and Services
Standard Support





Premier Support

Maintenance and upgrades
Telephone and email contacts
Knowledgebase
MyPeek Portal






24 x 7 x 365
Dedicated escalation manager
2 customer contacts per site
Plug-in reconfiguration assistance

WildPackets Training Academy


Public, web-based, and on-site classes
 Complete curriculum: technology and product focused
 Practical applications and labs covering network analysis,
wireless, VoIP monitoring and advanced troubleshooting

Consulting and Custom Development Services


Deployment, configuration, and assessment engagement
 Systems integration and testing
 Application integration, driver, decode, interface development
#wp_forensics



WildPackets Key Differentiators
• Visual Expert intelligence with intuitive drill-down
– Let computer do the hard work, and return results, real-time
– Packet /payload visualization is faster than packet-per-packet diagnostics
– Experts and analytics can be memorized and automated

• Automated capture analytics
– Filters, triggers, scripting, and advanced alarming system combine to provide
automated network problem detection 24x7

• Multiple issue network forensics
– Can be tracked by one or more people simultaneously
– Real-time or post capture

• User-extensible platform
– Plug-in architecture and SDK

• Aggregated network views and reporting
– NetFlow, sFlow, and OmniFlow

#wp_forensics



24x7 Network Monitoring,
Analysis, and Troubleshooting

#wp_forensics



Thank You!
WildPackets, Inc.
1340 Treat Boulevard, Suite 500
Walnut Creek, CA 94597
(925) 937-3200

www.wildpackets.com

Wired and Wireless Network Forensics

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Wired and Wireless Network Forensics

Similar a Wired and Wireless Network Forensics (20)

Más de Savvius, Inc

Más de Savvius, Inc (19)

Último

Último (20)

Wired and Wireless Network Forensics