
PREVENT MALWARE SPREADING WITH AUTOMATIC CLIENT ISOLATION USING FLOWMON ADS AND CISCO ISE

Today, threats are not limited to the internet. Organizations face guests and employees who connect their own equipment to the network or take company equipment home with them. A firewall with IPS capabilities, such as a next-generation firewall, is a good first measure against modern threats, but it only protects what passes in and out at the network perimeter.

The Problem: Malware is Free to Operate

When someone connects a device infected with malware or ransomware to your network, the first thing the infected device does is try to replicate itself to other machines on the network. Since there is no firewall on every network port or on every wireless connection, the malicious software has no problem doing so. Within a short time, the software will have replicated across your network, waiting to become active.

The Solution: Turn Your Network into an Enforcer

The first thing you need to do is create visibility. At aaZoo we have been a Flowmon partner for a couple of years now. We use the Flowmon software suite to monitor customer networks with Probes and analyze network behavior using the Flowmon Anomaly Detection System (ADS). Flowmon ADS has multiple modules to detect aberrant behavior. It learns normal traffic patterns and issues an alert when traffic deviates from that baseline.

Malware and ransomware usually do several things that can be picked up by ADS:

  1. They will try to connect over the internet to a Command and Control server
  2. They will scan the network for other endpoints and for open ports on them
  3. They will try to connect to those endpoints and open ports

We can detect these traffic patterns with Flowmon ADS. We could use this information to manually blacklist hosts that are possibly infected, but the response time of a manual process is too slow. To automate the process, we add another piece of software into the mix: Cisco Identity Services Engine (ISE).

Cisco ISE is a policy-based network access control system. It allows administrators to define company policies and translate them into dynamic access control. Using dynamic Access Control Lists (dACLs), you can limit users based on their credentials. You can add secondary parameters, such as: which device is the end user on? Is it company-provided or BYOD? You can even check whether virus definitions are up to date.

ISE can exchange information with other applications using the Platform Exchange Grid (pxGrid). Because pxGrid is built on IETF standards, platform solutions such as Flowmon ADS can integrate with ISE and make use of Rapid Threat Containment. When Flowmon ADS detects suspicious traffic, it sends the information to Cisco ISE. Cisco ISE receives the information and performs a Change of Authorization (CoA) on the user. This immediately changes the user's access to the network. In our case we push an access list that allows the user to visit only one website: a captive portal that tells them they are blocked from using the network.
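To make the detect-then-contain chain concrete, here is an added example (not Flowmon's or Cisco's code) that runs the scan-detection logic from the list above over constructed flow records and builds the containment decision an integration would hand to ISE. The thresholds, field names and the `QUARANTINE_PORTAL` policy name are assumptions; the dACL lines only illustrate the "captive portal only" access list described in the text.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str      # source IP of the endpoint under observation
    dst: str      # destination IP
    dport: int    # destination port
    bytes_out: int

# Assumed thresholds; a real ADS learns these from the traffic baseline.
SCAN_HOST_THRESHOLD = 20   # distinct destinations reached by one source
SCAN_PORT_THRESHOLD = 15   # distinct ports tried on a single destination

def detect_scanners(flows):
    """Return source IPs whose pattern matches the scanning behaviour in the post:
    one source touching many hosts, or many ports on one host."""
    hosts = defaultdict(set)
    ports = defaultdict(lambda: defaultdict(set))
    for f in flows:
        hosts[f.src].add(f.dst)
        ports[f.src][f.dst].add(f.dport)
    suspects = set()
    for src, dsts in hosts.items():
        if len(dsts) >= SCAN_HOST_THRESHOLD:
            suspects.add(src)
        elif any(len(p) >= SCAN_PORT_THRESHOLD for p in ports[src].values()):
            suspects.add(src)
    return suspects

def quarantine_request(ip, mac, portal_ip, policy="QUARANTINE_PORTAL"):
    """Containment decision for ISE. Keys are illustrative placeholders,
    not the pxGrid or ERS schema; the dACL allows only the captive portal."""
    return {
        "endpoint_ip": ip,
        "endpoint_mac": mac,
        "anc_policy": policy,
        "action": "CoA-Reauth",
        "dacl": [f"permit ip any host {portal_ip}", "deny ip any any"],
    }

def build_sample_flows():
    """Constructed sample: 10.0.0.5 sweeps 25 hosts on one port, 10.0.0.7 tries
    16 ports on one host, 10.0.0.9 makes two ordinary connections."""
    flows = [Flow("10.0.0.5", f"10.0.1.{i}", 445, 120) for i in range(1, 26)]
    flows += [Flow("10.0.0.7", "10.0.3.1", p, 60) for p in range(20, 36)]
    flows += [Flow("10.0.0.9", "10.0.2.10", 443, 5000), Flow("10.0.0.9", "10.0.2.11", 53, 80)]
    return flows

def contain_suspects(flows, mac_lookup, portal_ip):
    """Glue step: every detected scanner becomes one quarantine request."""
    return [quarantine_request(ip, mac_lookup[ip], portal_ip) for ip in sorted(detect_scanners(flows))]
```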

We will show how this works in the following video:


Thank you to Gert-Jan De Boer from Flowmon for the article.
