Business Problem
Port 80 (HTTP) is the standard port for websites, and it raises the potential for a range of security issues. Because Port 80 carries the bulk of Internet traffic, it is difficult for a Security Operations Center (SOC) or Network Operations Center (NOC) operator to know what is actually transiting that port and whether the traffic is malicious. This can allow an attacker to gain administrative access to websites or web servers, or to plant bots on servers. In essence, Port 80 can be an open door for attackers to penetrate the network.
Who is Affected
Firewalls and other perimeter defense devices do not maintain records of penetrations. All carriers, enterprises, critical infrastructures, and government agencies are affected, even if there are no outside connections to the Internet!
Solution
The SOC and NOC operators must look for application behavior on both known and unknown ports. As a start, the operators need to examine traffic patterns and see whether they deviate from the baselines that represent the norm for the network. Once the patterns are determined, the IT organization needs to implement a strong IP port mapping policy that is well understood by SOC and NOC operators; any new ports being added require full IT organization and CIO approval.
Understanding the changing traffic mix on the network requires an initial baseline and then continuous monitoring of the traffic patterns. Several tools are available that can do this, ranging from full packet capture to NetFlow appliances. Periodically comparing the known networking protocols and applications against what is actually observed is one way to identify unknown networking entrants. Checking for anomalous traffic entering or exiting the network can entail monitoring all IP ports used on servers and clients and verifying that these match exactly the ports set in the IP port policy. Another method involves carefully tracking client addresses and determining whether any new, unknown clients are using the internal network (this requires accounting for the differences caused by additions, moves and changes as well).
Having tools in place that can perform constant and accurate protocol, application, port and IP address verification is critical to identifying abnormal traffic entering and exiting the network.
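As an added illustration of the port-policy, known-client and port-independent checks described above (example code written for this page, not Narus or any product's logic), the following Python audits a batch of constructed flow records against a hypothetical IP port policy and client baseline; all addresses, ports and payloads are made up, and the HTTP check is a crude request-line heuristic rather than a behaviour-based detector.

```python
import re

# Constructed IP port policy: server address -> approved listening ports (hypothetical values).
PORT_POLICY = {
    "10.0.0.10": {80, 443},
    "10.0.0.53": {53},
}
# Constructed baseline of known internal client addresses (hypothetical values).
KNOWN_CLIENTS = {"10.0.1.20", "10.0.1.21", "10.0.1.22"}

# Constructed flow records: (client, server, server_port, first payload bytes).
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.0.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example\r\n"),
    ("10.0.1.21", "10.0.0.10", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),     # non-HTTP traffic on port 80
    ("10.0.1.22", "10.0.0.10", 8080, b"GET / HTTP/1.1\r\n"),         # port not in the policy
    ("10.0.9.99", "10.0.0.53", 53, b"\x12\x34\x01\x00\x00\x01"),      # client not in the baseline
    ("10.0.1.20", "10.0.0.77", 443, b"\x16\x03\x01"),                # server not in the policy
]

# HTTP/1.x request line: METHOD SP target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n")

def looks_like_http(payload: bytes) -> bool:
    """Crude content check: does the payload start with an HTTP/1.x request line?"""
    return HTTP_REQUEST_LINE.match(payload) is not None

def check_flow(client, server, port, payload):
    """Return the list of findings for one flow; an empty list means it matches policy and baseline."""
    findings = []
    if client not in KNOWN_CLIENTS:
        findings.append("unknown-client")
    approved = PORT_POLICY.get(server)
    if approved is None:
        findings.append("server-not-in-policy")
    elif port not in approved:
        findings.append("port-not-in-policy")
    # Port-independent check: traffic on the HTTP port should actually be HTTP.
    if port == 80 and not looks_like_http(payload):
        findings.append("non-http-on-80")
    return findings

def audit(flows):
    """Audit a batch of flows; returns {(client, server, port): findings} for flows that raise findings."""
    report = {}
    for client, server, port, payload in flows:
        findings = check_flow(client, server, port, payload)
        if findings:
            report[(client, server, port)] = findings
    return report
```

Running `audit(SAMPLE_FLOWS)` flags four of the five constructed flows; only the plain HTTP request from a known client to an approved port passes.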
NarusInsight can provide real-time monitoring of IP traffic from Layer 2 through Layer 7. In addition, Narus has the leading technology for detecting application traffic that is traversing common IP ports such as Port 80 (HTTP) and Port 53 (DNS), where fraudulent applications attempt to hide their traffic. The Port Independent Protocol Detection (PIPD) built into every Narus Intelligent Traffic Analyzer uses behavior-based algorithms that examine and identify all traffic traversing known (and unknown) ports to determine whether the traffic is genuine. This can be used as an automatic detector of non-standard or malicious traffic or applications attempting to enter or exit your network. This technology is a standard element in the NarusInsight Solution for Intercept, Cyber Protection, and Traffic Management.
Credible Evidence
NarusInsight solutions detect application traffic that is traversing common IP ports on which fraudulent applications attempt to hide their traffic.
Benefits
• Provides better understanding and visibility of potentially malicious traffic entering the network.
• Improves situational awareness with in-depth understanding of all traffic regardless of the port it is transiting.
• Ensures SLAs are maintained and provides alerts to security issues that can compromise the integrity of the network.