Introduction To Network Monitoring Tools


Module 15: Network Monitoring and Tools
Instructor Materials

CyberOps Associate v1.0


15.1 Introduction to Network Monitoring

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Network Monitoring and Tools
Network Security Topology
• To mitigate threats, all networks must be secured and protected.
• A network requires a security infrastructure consisting of firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and endpoint security software to protect it.
• These methods and technologies are used to introduce automated monitoring, create security alerts, or automatically block offending devices.
• For large networks, an extra layer of protection is added.
• Devices such as firewalls and IPS operate on pre-configured rules: they monitor traffic and compare it against the configured rules. If there is a match, the traffic is handled according to the rule.
• An important part of the cybersecurity analyst's job is to review all alerts generated by network devices and determine the validity of the alerts.

Network Monitoring and Tools
Network Monitoring Methods
• The day-to-day operations of a network consist of traffic flow, bandwidth usage, and resource access. These patterns identify normal network behavior.
• To determine normal network behavior, network monitoring must be implemented.
• Tools such as IDS, packet analyzers, SNMP, NetFlow, and others are used for network monitoring.
• There are two common methods used to capture traffic and send it to network monitoring devices:
  • Network taps, sometimes known as Test Access Points (TAPs)
  • Traffic mirroring using Switch Port Analyzer (SPAN) or other port mirroring

Network Monitoring and Tools
Network Taps
• A network tap is a passive splitting device implemented inline between a device of interest and the network.
• A tap forwards all traffic, including physical layer errors, to an analysis device while allowing the traffic to reach its intended destination.
• Here, the tap simultaneously sends both the transmit (TX) data stream from the internal router and the receive (RX) data stream to the internal router on separate, dedicated channels.
• This ensures that all data arrives at the monitoring device in real time.
• Taps are fail-safe, which means that the traffic between the firewall and internal router is not affected.
Figure: Implementing a TAP in a Sample Network
Network Monitoring and Tools
Traffic Mirroring and SPAN
• Capturing data for network monitoring requires all traffic to be captured.
• Special techniques such as port mirroring must be employed to bypass network segmentation imposed by network switches.
• Port mirroring enables the switch to copy frames that are received on one or more ports to a Switch Port Analyzer (SPAN) port that is connected to an analysis device.
• The table identifies and describes the SPAN terms.

SPAN Term - Description
Ingress traffic - Traffic that enters the switch.
Egress traffic - Traffic that leaves the switch.
Source (SPAN) port - Source ports are monitored as traffic entering them is replicated (mirrored) to the destination ports.
Destination (SPAN) port - A port that mirrors source ports. Destination SPAN ports often connect to analysis devices such as a packet analyzer or an IDS.

Network Monitoring and Tools
Traffic Mirroring and SPAN (Contd.)
• The association between source ports and a destination port is called a SPAN session.
• In a single session, one or multiple ports can be monitored.
• In a few Cisco switches, session traffic can be copied to more than one destination port.
• A source VLAN can be specified, in which case all ports in the source VLAN become sources of SPAN traffic.
• Note: A variation of SPAN called Remote SPAN (RSPAN) enables a network administrator to use the flexibility of VLANs to monitor traffic on remote switches.
Figure: Switch interconnecting two hosts and mirroring traffic to an IDS and Network Management Server
15.2 Introduction to Network Monitoring Tools

Introduction to Network Monitoring and Tools
Network Security Monitoring Tools
• Common tools that are used for network security monitoring include:
  • Network protocol analyzers such as Wireshark and Tcpdump
  • NetFlow
  • Security Information and Event Management Systems (SIEM)
• It is common for security analysts to rely on log files and Simple Network Management Protocol (SNMP) for network behavior discovery.

Introduction to Network Monitoring and Tools
Network Protocol Analyzers
• Network protocol analyzers (or ‘packet sniffer’ applications) are programs used to capture traffic.
• Protocol analyzers display what is happening on the network through a graphical user interface.
• Network protocol analyzers are not only used for security analysis but also for network troubleshooting, software and protocol development, and education.
• As shown in the figure, Wireshark is used in Windows, Linux, and Mac OS environments. It is a very useful tool for learning network protocol communications.

Introduction to Network Monitoring and Tools
Network Protocol Analyzers (Contd.)
• Frames captured by Wireshark are saved in a PCAP file that contains information regarding the frame, interface, packet length, time stamps, and all binary files sent across the network.
• Wireshark can open files containing captured traffic from other software such as the tcpdump utility.
• The example in the command output displays a sample tcpdump capture of ping packets.
• Note: windump is a Microsoft Windows variant of tcpdump. tshark is a Wireshark command line tool that is similar to tcpdump.
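The PCAP file format that Wireshark and tcpdump share is simple enough to read by hand. The following Python is an added example, not code from the Cisco course: it parses the classic libpcap global header and per-record headers, then renders IPv4 ICMP echo frames the way tcpdump summarises a ping. The capture bytes, the 192.0.2.x/198.51.100.x addresses and the zeroed checksums are constructed here for the example.

```python
import struct

PCAP_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")       # ts_sec, ts_usec, incl_len, orig_len

def read_pcap(data):
    """Yield (timestamp, frame bytes) for every record in a classic pcap file."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = PCAP_HDR.unpack_from(data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:     # little-endian magic, Ethernet link type
        raise ValueError("unsupported capture file")
    off = PCAP_HDR.size
    while off + PKT_HDR.size <= len(data):
        sec, usec, incl, _orig = PKT_HDR.unpack_from(data, off)
        off += PKT_HDR.size
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def summarize_icmp(frame):
    """tcpdump-style one-liner for an IPv4 ICMP echo frame, None for anything else."""
    if frame[12:14] != b"\x08\x00":              # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 1:                               # IP protocol 1 = ICMP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
    kind = {8: "echo request", 0: "echo reply"}.get(icmp_type, "type %d" % icmp_type)
    return "IP %s > %s: ICMP %s, id %d, seq %d, length %d" % (
        src, dst, kind, ident, seq, total_len - ihl)   # length = ICMP bytes, as tcpdump prints it

def ping_lines(data):
    lines = [summarize_icmp(frame) for _ts, frame in read_pcap(data)]
    return [s for s in lines if s]

# Constructed capture of one ping exchange (hypothetical addresses; checksums left zero).
def echo_frame(src, dst, icmp_type, ident, seq, payload=b"x" * 56):
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + icmp   # dst MAC, src MAC, EtherType

FRAMES = [echo_frame("192.0.2.10", "198.51.100.20", 8, 1, 1),
          echo_frame("198.51.100.20", "192.0.2.10", 0, 1, 1)]
CAPTURE = PCAP_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    PKT_HDR.pack(1700000000, 250000 * i, len(f), len(f)) + f for i, f in enumerate(FRAMES))
```

Wireshark opens the same byte layout from disk, so the records this reader walks are exactly the frames the slides describe as being stored with their length and time stamps.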
Introduction to Network Monitoring and Tools
NetFlow
• NetFlow is a Cisco IOS technology that provides 24x7 statistics on packets that flow through a Cisco router or multilayer switch.
• NetFlow is the standard for collecting IP operational data in IP networks.
• NetFlow can be used for network and security monitoring, network planning, and traffic analysis. It provides a complete audit trail of basic information about every IP flow forwarded on a device.
• Although NetFlow stores flow information in a local cache on the device, it should always be configured to forward data to a NetFlow collector, which stores the NetFlow data.

Introduction to Network Monitoring and Tools
NetFlow (Contd.)
• NetFlow can monitor application connections by tracking byte and packet counts for each individual application flow.
• It pushes the statistics over to an external server called a NetFlow collector.
• Cisco Stealthwatch collects NetFlow statistics to perform advanced functions including:
  • Flow stitching - It groups individual entries into flows.
  • Flow deduplication - It filters duplicate incoming entries from multiple NetFlow clients.
  • NAT stitching - It simplifies flows with NAT entries.
Figure: PC1 connected to PC2 using HTTPS
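To make flow stitching and deduplication concrete, here is an added Python example (not Cisco or Stealthwatch code) that parses NetFlow v5 export packets and applies both operations to the PC1-to-PC2 HTTPS conversation from the figure. The exporter packets, addresses, ports and counters are constructed for the example; a real collector keys on more fields and handles active/inactive timeouts, which this omits.

```python
import struct
from ipaddress import IPv4Address

HDR = struct.Struct("!HHIIIIBBH")                # NetFlow v5 header, 24 bytes
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes

def parse_v5(packet):
    """Return the flow records of one NetFlow v5 export packet as dicts."""
    version, count, *_ = HDR.unpack_from(packet, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 export")
    flows = []
    for i in range(count):
        r = REC.unpack_from(packet, HDR.size + i * REC.size)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "pkts": r[5], "bytes": r[6], "first": r[7], "last": r[8],
                      "sport": r[9], "dport": r[10], "proto": r[13]})
    return flows

def stitch(flows):
    """Deduplicate records seen from several exporters, then stitch both directions
    of a conversation into one session keyed on protocol and its two endpoints."""
    seen, sessions = set(), {}
    for f in flows:
        record = tuple(sorted(f.items()))
        if record in seen:                       # flow deduplication
            continue
        seen.add(record)
        ends = sorted([(f["src"], f["sport"]), (f["dst"], f["dport"])])
        s = sessions.setdefault((f["proto"], *ends), {"pkts": 0, "bytes": 0,
                                "records": 0, "first": f["first"], "last": f["last"]})
        s["pkts"] += f["pkts"]; s["bytes"] += f["bytes"]; s["records"] += 1
        s["first"] = min(s["first"], f["first"]); s["last"] = max(s["last"], f["last"])
    return sessions

# Constructed exports (hypothetical addresses): PC1 reaches PC2 over HTTPS (TCP/443).
def v5_record(src, dst, pkts, octets, first, last, sport, dport, proto=6):
    return REC.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0\0\0\0",
                    1, 2, pkts, octets, first, last, sport, dport, 0, 0x18, proto,
                    0, 0, 0, 24, 24, 0)

def v5_export(records, seq=0):
    return HDR.pack(5, len(records), 1000, 1700000000, 0, seq, 0, 0, 0) + b"".join(records)

PC1, PC2 = "192.0.2.10", "198.51.100.20"
FWD = v5_record(PC1, PC2, 12, 1800, 100, 900, 49152, 443)   # PC1 -> PC2
REV = v5_record(PC2, PC1, 10, 5400, 100, 900, 443, 49152)   # PC2 -> PC1
EXPORT_R1 = v5_export([FWD, REV])      # edge router exports both directions
EXPORT_R2 = v5_export([FWD], seq=2)    # core router re-exports the same forward flow

def collect(*exports):
    """What a collector keeps after stitching every received export packet."""
    return stitch([f for e in exports for f in parse_v5(e)])
```

Without the deduplication step the forward flow would be counted twice, so the session would show 34 packets instead of the 22 that actually crossed the link.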
Introduction to Network Monitoring and Tools
SIEM and SOAR
SIEM
• Security Information and Event Management (SIEM) is a technology used in enterprise organizations to provide real-time reporting and long-term analysis of security events.
• SIEM systems include the following essential functions:
  • Forensic analysis - The ability to search logs and event records from sources and provide complete information for forensic analysis.
  • Correlation - Examines logs and events from different systems or applications, speeding detection of and reaction to security threats.
  • Aggregation - Reduces the volume of event data by consolidating duplicate event records.
  • Reporting - Presents the correlated and aggregated event data in real-time monitoring and long-term summaries.

Introduction to Network Monitoring and Tools
SIEM and SOAR (Contd.)
• SIEM provides details on the source of suspicious activity:
  • User information such as username, authentication status, and location.
  • Device information such as manufacturer, model, OS version, MAC address, network connection method, and location.
  • Posture information such as compliance of the device with the security policy and updated antivirus files and OS patches.
SOAR
• Security Orchestration, Automation, and Response (SOAR) enhances SIEM.
• SOAR helps security teams investigate security incidents and adds enhanced data gathering and a number of functionalities that aid in security incident response.

Introduction to Network Monitoring and Tools
SIEM and SOAR (Contd.)
• SOAR solutions:
  • Provide case management tools that allow cybersecurity personnel to research and investigate incidents, frequently by integrating threat intelligence into the network security platform.
  • Use artificial intelligence to detect incidents and aid in incident analysis and response.
  • Automate complex incident response procedures and investigations, which are potentially labor-intensive tasks performed by Security Operations Center (SOC) staff, by executing run books.
  • Offer dashboards and reports to document incident response, improve SOC key performance indicators, and enhance network security for organizations.
• SOAR helps analysts respond to the threat.

Introduction to Network Monitoring and Tools
SIEM Systems
• An open source product called Security Onion includes the ELK suite for SIEM functionality.
• ELK is an acronym for three products from Elastic:
  • Elasticsearch - Document-oriented full text search engine.
  • Logstash - Pipeline processing system that connects ‘inputs’ to ‘outputs’ with optional ‘filters’ in between.
  • Kibana - Browser-based analytics and search dashboard for Elasticsearch.
• Note: SolarWinds Security Event Manager and Splunk Enterprise Security are two popular proprietary SIEM systems used by SOCs.
