Increased complexity due to the rising number of devices, inconsistent policies across the network, and the inability to scale out according to current business needs are the biggest challenges for traditional networks. Software Defined Networking (SDN) addresses these challenges and brings the same agility that abstraction and virtualization have brought to server infrastructure.
Cisco APIC-EM delivers SDN as a single, software-defined point of automation and network management for both physical and virtual environments. APIC-EM executes policies across the entire network infrastructure, which makes it possible to control routing and switching, ensure quality of service, control network access and much more.
The integrated solution architecture consists of Flowmon ADS for network anomaly detection based on NetFlow data analysis and Cisco APIC-EM for applying policies across the whole network architecture based on detected network events (anomalies). The integration of these two solutions is script-based (not native). The demonstration below describes how it works.
Fig. 1: Flowmon ADS & Cisco APIC-EM architecture.
The story is as follows. A malware-infected PC is connected to the enterprise network. The PC receives echo replies, so it can communicate with other hosts in the network.
Fig. 2: Echo replies from host 10.71.154.94.
From the network point of view, the malware is inactive and does not reveal itself, so Flowmon ADS does not detect any anomalies in network traffic. The following picture shows that no special policies were implemented in Cisco APIC-EM.
Fig. 3: Cisco APIC-EM policy list.
Using Nmap (a network security scanner utility), we simulate port scanning, an undesired network traffic behavior that could indicate a malware infection. We set up a TCP SYN scan (parameter -sS), a common type of scan used to determine which ports of the targeted IP addresses (10.71.154.1 to 10.71.154.118) are open.
Fig. 4: Using Nmap utility to scan ports in the network.
Flowmon ADS detects the anomaly in network traffic and reports port scanning. A script triggered upon event detection sends information about the malicious host to Cisco APIC-EM. Using the information from the script, Cisco APIC-EM sets up a new policy to reconfigure the SDN switch to which the malware-infected host is connected. Based on the policy, the host can be disconnected from the network, moved to quarantine, etc.
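The glue script itself is not published on this page. As an added example (not Flowmon's or Cisco's code), the Python below shows the decision logic such a script should contain before it talks to APIC-EM: parse an ADS port-scan event, ignore sources outside the monitored range or on an allowlist of authorised scanners, and deduplicate so the same host is not quarantined twice. The event format, the allowlist address and the policy shape are assumptions; the actual APIC-EM API call is left out.

```python
import ipaddress
import json
from dataclasses import dataclass, asdict
from typing import Optional, Set

# Constructed sample of the event payload an ADS-triggered script might receive
# (the real Flowmon ADS event format is not shown on the page; this is an assumption).
SAMPLE_EVENT = json.dumps({
    "event_type": "PORTSCAN",
    "source": "10.71.154.94",
    "targets": "10.71.154.1-10.71.154.118",
    "flows": 118,
})

MONITORED = ipaddress.ip_network("10.71.154.0/24")  # range the policy may act on
ALLOWLIST = {"10.71.154.250"}                        # assumed authorised scanner
ACTIONABLE = {"PORTSCAN"}                            # event types that warrant a deny


@dataclass(frozen=True)
class DenyPolicy:
    """What the script hands to APIC-EM: a named deny rule for one source host."""
    name: str
    source: str
    action: str = "deny"


def build_policy(raw_event: str, seen: Set[str]) -> Optional[DenyPolicy]:
    """Decide whether an ADS event should become a deny policy.

    Returns None when the event is not actionable, the source is malformed,
    outside the monitored range, allowlisted, or already handled.
    """
    try:
        event = json.loads(raw_event)
        src = ipaddress.ip_address(event["source"])
    except (ValueError, KeyError, TypeError):
        return None
    if event.get("event_type") not in ACTIONABLE:
        return None
    if src not in MONITORED or str(src) in ALLOWLIST:
        return None
    name = f"ads-quarantine-{src}"
    if name in seen:  # idempotent: one policy per offending host
        return None
    seen.add(name)
    return DenyPolicy(name=name, source=str(src))


def to_request_body(policy: DenyPolicy) -> dict:
    """Serialisable body for the (assumed) APIC-EM policy endpoint."""
    return asdict(policy)
```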
Fig. 5: Cisco APIC-EM adds deny policy.
In this demonstration, the malware-infected host conducting port scanning is disconnected from the customer's network.
Fig. 6: Ping request timed out. The malware-infected host is disconnected from the network.
The network/security operator is notified by an alert from Flowmon ADS and can analyze the attack details to get more information about the attacker and its victims. From the event details in Flowmon ADS, the operator immediately sees detailed information about the attack and also each individual flow on which the event was detected.
Fig. 7: Event details in Flowmon ADS.
Long story short: once Flowmon ADS intelligence detects an event, it runs a script and notifies APIC-EM, which, based on the installed policy, automatically reconfigures the network access point and thus denies network access to the infected host. The solution's major benefits are the following:
- Reactive protection against cyber threats and network attacks.
- Saves significant investment in scripting languages or tools that automate configuration changes.
- Eliminates the time needed to discover and troubleshoot incorrect manual entries for a given device.
- Operational security incidents can be processed without manual reconfiguration of network access points.
Any questions about the integration or Flowmon products? Let me know in the comment section.
Many thanks go to our partners, Cisco Japan and Orizon Systems, for cooperating on the Cisco APIC-EM and Flowmon ADS integration.