Security of Czech army information and communication systems - On-line monitoring, Visualization and Packet Filtration

Computer Incident Response Capability Development in the Cyber Defence Environment

NetFlow Based Active Network Protection

A good information and communication infrastructure is necessary for the functioning of the state and is also a key part of any modern organization. A variety of hardware and software means has therefore been developed in recent decades, not only to detect a wide range of attacks against this infrastructure but also to defend against or prevent them.

As part of fulfilling the objectives of the CYBER project, a theoretical overview of possible solutions for the active defence of network infrastructure was first compiled. The incorporation of network probes into active network defence was then specified in detail. The overview of possible methods is discussed in general terms; it presents three basic types of elements involved in network defence: event sources, control centres and defensive elements. Using these three types of elements it is then possible to build active network defence at different levels and with different interconnections.

The probe usage specification begins with an overview of the properties and capabilities of the hardware probe, both in FlowMon mode, designated for NetFlow monitoring, and in HAMOC centre mode, designated for hardware acceleration of common network tools and services. Subsequently, five possible scenarios for involving hardware probes in active network defence are described in detail:

  • Probe as a passive event source with a central collector and Remotely-Triggered Black Hole Filtering (RTBH),
  • Probe as an event source and packet filter, also as a stateful firewall,
  • Probe as an event source and indirect defensive means (defence against phishing),
  • Probe as an event source and attack generator,
  • Probe as an event source and traffic limiter.
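As an added illustration (example code written for this page, not software from the CYBER project or from the FlowMon/HAMOC probe), the following Python sketch plays the control-centre role from the three-element model above for two of the listed scenarios: flow records delivered by an event source are matched against a phishing-host list to quarantine the internal host that contacted it (scenario 3), and a small-packet flood arriving from many external sources triggers an RTBH decision for the targeted internal address (scenario 1). The record format, the address ranges, the phishing list, the thresholds and the action names are all constructed assumptions; in a deployment the returned decisions would be handed to the defensive element (a BGP null-route announcement or a filter rule on the probe).

```python
"""Toy control centre: event source (flow records) -> decisions for defensive elements.
Added example; not code from the CYBER project or the FlowMon/HAMOC probe."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumption: the protected address space
PHISHING_HOSTS = {"203.0.113.77"}          # constructed blocklist entry (TEST-NET-3 address)
RTBH_MIN_SOURCES = 5                       # assumed threshold: distinct external sources per target
RTBH_MAX_AVG_BYTES = 100                   # assumed threshold: average packet size of a flood


@dataclass(frozen=True)
class Flow:
    """One NetFlow-like record as the probe/collector would export it (simplified)."""
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int


# Constructed sample export: one host visiting the phishing site, normal traffic,
# and a five-source small-packet flood against an internal DNS server.
SAMPLE_FLOWS_CSV = """\
src,dst,dport,packets,bytes
10.0.1.15,203.0.113.77,80,12,9000
10.0.1.16,198.51.100.9,443,40,51000
198.51.100.9,10.0.1.16,51234,38,48000
192.0.2.1,10.0.2.50,53,1000,60000
192.0.2.2,10.0.2.50,53,1000,60000
192.0.2.3,10.0.2.50,53,1000,60000
192.0.2.4,10.0.2.50,53,1000,60000
192.0.2.5,10.0.2.50,53,1000,60000
"""


def parse_flows(text: str) -> list[Flow]:
    """Parse the CSV export into Flow records (the event-source side of the model)."""
    reader = csv.DictReader(io.StringIO(text))
    return [Flow(r["src"], r["dst"], int(r["dport"]), int(r["packets"]), int(r["bytes"]))
            for r in reader]


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL_NET


def quarantine_decisions(flows: list[Flow]) -> list[tuple[str, str]]:
    """Scenario 3: an internal host that contacts a known phishing host is quarantined."""
    hosts: list[str] = []
    for f in flows:
        if is_internal(f.src) and f.dst in PHISHING_HOSTS and f.src not in hosts:
            hosts.append(f.src)
    return [("quarantine", h) for h in hosts]


def rtbh_decisions(flows: list[Flow]) -> list[tuple[str, str]]:
    """Scenario 1: an internal target flooded with small packets from many external
    sources gets a Remotely-Triggered Black Hole decision (null-route its address)."""
    sources: dict[str, set[str]] = defaultdict(set)
    packets: dict[str, int] = defaultdict(int)
    octets: dict[str, int] = defaultdict(int)
    for f in flows:
        if is_internal(f.dst) and not is_internal(f.src):
            sources[f.dst].add(f.src)
            packets[f.dst] += f.packets
            octets[f.dst] += f.bytes
    decisions = []
    for dst, srcs in sources.items():
        avg_packet = octets[dst] / packets[dst]
        if len(srcs) >= RTBH_MIN_SOURCES and avg_packet < RTBH_MAX_AVG_BYTES:
            decisions.append(("rtbh", dst))
    return decisions


def decide(flows: list[Flow]) -> list[tuple[str, str]]:
    """Control-centre policy: combine the per-scenario rules into one action list."""
    return quarantine_decisions(flows) + rtbh_decisions(flows)


if __name__ == "__main__":
    for action, target in decide(parse_flows(SAMPLE_FLOWS_CSV)):
        print(f"{action}: {target}")
```

The two rules are deliberately separate functions so that each scenario can be switched on independently, which mirrors the page's point that the same probe can feed different defensive elements depending on how the network is structured.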

Figure: Quarantine of a user accessing a phishing site

The scenarios described demonstrate the flexibility of hardware probes and the possibility of integrating them into a network according to current needs and network structure. An important feature that makes the probe an ideal means for active network defence is its ability to process (filter, analyze, etc.) network traffic at wire speed (unlike conventional switches and routers), together with its invisibility at OSI layers 2 and 3. It is therefore almost unrealistic for any attacker to attack the probe itself and so blind network monitoring and defence. The presented scenarios will be deployed into operation within the Masaryk University network, and the hardware capabilities of specific probes will subsequently be verified in real situations.