Acquisition, Aggregation, and Intelligence – A Hierarchical Visibility Architecture

The purpose of a network visibility architecture is to provide a method for security, analysis, and performance tools to access the data traversing your network infrastructure. These appliances are incredibly valuable to your organization; however, they are only as effective as the data they are seeing. This post is intended to provide a framework for designing a visibility architecture that can support the tools you currently have as well as scale to support the tools of the future. There are five key considerations that a visibility architecture should address. Along with these considerations, your design should adhere to a well-defined, repeatable approach that can be translated across all environments with minimal architecture changes. Adhering to these principles allows for a supportable architecture that is easy to maintain and cost effective to deploy.

The five key considerations:

    Provide shared access
    Wire-speed, reliable transport
    Scalability
    Cost
    Simplicity

The Three Tiers - Acquisition, Aggregation and Intelligence

A good way to visualize the design of your visibility architecture is a hierarchical, three-tiered approach. Those tiers are acquisition, aggregation, and intelligence. Each layer defines a separate role within the visibility infrastructure and contributes individually to the five key considerations above. Let's dive into each role to get a better understanding of its place in our architecture.

Trace File Sanitization Pt. 1 – TraceWrangler

This post is part 1 in a series of posts on trace file anonymization/sanitization. In this series, I will be focusing on three individual tools that each accomplish capture file anonymization. The general use of capture anonymization is to allow capture file owners to obfuscate potentially sensitive data within the files to prepare them for consumption in a non-secured environment. The most likely scenario would be preparing a trace to send to a vendor or consultant. There are differing levels of sanitization within a trace file, ranging from removal of .pcap metadata (comments within .pcapng files) all the way to the removal of all payload data after layer 4 and total randomization of any other potentially identifiable information within the frame.

The three tools I'll be focusing on in this series are:

    TraceWrangler
    tcprewrite from AppNeta
    SCRUb-tcpdump

TraceWrangler

TraceWrangler is a GUI-based trace obfuscation tool built exclusively for Windows. It supports the .pcapng file format as well as .pcap and .cap. At the time of writing, the last development release was in Sept. 2013.

In this exercise, I will work through a basic process of ingesting a trace file, anonymizing the IPv4, IPv6, and MAC addresses within the capture, then exporting it to a sanitized version of the file. In this case, we are required to keep the payload data of an HTTP request. These steps will not remove any potentially sensitive data within the payload; however, TraceWrangler has the capability to do that. I would encourage you to check out the documentation to understand that process.

Let's start with our initial capture file. In the screenshot below, you can see that my original IP addresses, as well as MAC addresses, are visible.

    My host: IP - 192.168.0.10, MAC - 24:77:03:0c:ca:9c
    Remote host: IP - 192.167.20.246, MAC - 40:8b:07:ab:38:80

Now let's fire up…
