Prevent malware spreading with automatic client isolation using Flowmon ADS and Cisco ISE

August 06, 2018 Flowmon, Infrastructure Management

Today, threats are not only limited to the internet. Organizations face guests and employees who connect their own equipment into the network or take company equipment home with them. A firewall with IPS capabilities, such as a next generation firewall, is a good first measure to protect against modern day threats, but they will only protect what goes in and out at the network perimeter.

The problem: malware is free to operate

When someone connects a device infected with malware or ransomware to your network, the first thing the infected device does is try to replicate itself to other machines on the network. Since there is no firewall on every network port or on every wireless connection, the malicious software has no problem doing so. Within a short time it will have replicated across your network, waiting to become active.

The solution: turn your network into an enforcer

The first thing you need to do is create visibility. At aaZoo we have been a Flowmon partner for a couple of years now. We use the Flowmon software suite to monitor customer networks with Probes and analyze network behavior using Flowmon Anomaly Detection System (ADS). Flowmon ADS has multiple modules to detect aberrant behavior. It learns normal traffic patterns, and issues an alert when there are changes to the normal baseline.

Malware and ransomware usually do several things that ADS can pick up:

They will try to connect to the internet to a Command and Control server

They will scan the network for other endpoints and possibly open ports

They will try to connect to these endpoints to exploit vulnerabilities

We can detect these traffic patterns with Flowmon ADS. We could use this information to manually blacklist hosts that are possibly infected, but the response time would be too slow. To automate the process, we add another piece of software into the mix: Cisco Identity Services Engine (ISE).

Cisco ISE is a policy-based network access control system. It allows administrators to define company policies and translate those to dynamic access control. Using dynamic Access Control Lists you can limit users based on their credentials. You can add secondary parameters to it, such as: which device is the end-user on? Is it company-provided or BYOD? Or you can even check if virus definitions are up to date.

ISE can exchange information with other applications using the Platform Exchange Grid (pxGrid). Because pxGrid builds on IETF standards, platform solutions such as Flowmon ADS can integrate with ISE and make use of Rapid Threat Containment. When Flowmon ADS detects suspect traffic it sends the information to Cisco ISE, which then performs a Change of Authorization on the user. This immediately changes the user's access to the network. In our case we push an access list that allows the user to visit only one website: a captive portal that tells them they are blocked from using the network.
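To make the two halves of this concrete, the detection of the traffic patterns listed above and the containment decision that the Change of Authorization enforces, here is an added example in Python. It is not code from aaZoo, Flowmon or Cisco: the flow-record layout, the sample flows, the fan-out threshold, the captive portal address and the access-list wording are all constructed assumptions, and the actual hand-off from ADS to ISE over pxGrid is not reproduced, only the decision it would carry.

```python
"""
Added example (not aaZoo's, Flowmon's or Cisco's code).

Part 1: pick the "scans the network for other endpoints" pattern out of
NetFlow-style records by counting how many distinct hosts a source talks
to inside a sliding time window.
Part 2: turn each hit into the containment decision a Change of
Authorization would enforce: an access list that allows only DNS and the
captive portal, everything else denied.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime      # flow start time
    src: str          # source IP
    dst: str          # destination IP
    dport: int        # destination port
    proto: str        # "tcp" or "udp"
    bytes_out: int    # bytes sent by src


# Constructed sample flows (assumption, not real exported data):
# 10.0.1.20 sweeps 40 neighbours on TCP/445 in 40 seconds,
# 10.0.1.21 is an ordinary workstation talking to two servers.
BASE = datetime(2018, 8, 6, 9, 0, 0)
SAMPLE_FLOWS = (
    [Flow(BASE + timedelta(seconds=i), "10.0.1.20", f"10.0.1.{100 + i}", 445, "tcp", 60)
     for i in range(40)]
    + [Flow(BASE + timedelta(seconds=3 * i), "10.0.1.21", "10.0.2.10", 443, "tcp", 12000)
       for i in range(10)]
    + [Flow(BASE + timedelta(seconds=5), "10.0.1.21", "10.0.2.11", 53, "udp", 90)]
)

# Constructed placeholder: address of the "you are blocked" captive portal.
CAPTIVE_PORTAL = "10.0.0.5"


def detect_scanners(flows, window=timedelta(minutes=5), fanout_threshold=20):
    """Return {src: set of distinct destinations} for every source that
    contacts at least `fanout_threshold` distinct hosts within `window`.
    The threshold is an assumption; a real baseline is learned per network."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    suspects = {}
    for src, src_flows in by_src.items():
        src_flows.sort(key=lambda f: f.ts)
        best = set()
        start = 0
        for end in range(len(src_flows)):
            # Slide the window start forward until it fits inside `window`.
            while src_flows[end].ts - src_flows[start].ts > window:
                start += 1
            dsts = {f.dst for f in src_flows[start:end + 1]}
            if len(dsts) > len(best):
                best = dsts
        if len(best) >= fanout_threshold:
            suspects[src] = best
    return suspects


def quarantine_acl(portal_ip=CAPTIVE_PORTAL):
    """Access-list lines pushed with the CoA (Cisco-style wording, assumed):
    DNS so the portal name resolves, the portal itself, and nothing else."""
    return [
        "permit udp any any eq 53",
        f"permit tcp any host {portal_ip} eq 80",
        f"permit tcp any host {portal_ip} eq 443",
        "deny ip any any",
    ]


def containment_actions(flows):
    """Map each detected host to the reason and the ACL it should receive.
    This dict is what would be handed to the NAC system (via pxGrid in the
    ISE case) to trigger the Change of Authorization."""
    return {
        src: {"reason": f"scanned {len(dsts)} distinct hosts", "acl": quarantine_acl()}
        for src, dsts in detect_scanners(flows).items()
    }


if __name__ == "__main__":
    for host, action in containment_actions(SAMPLE_FLOWS).items():
        print(f"{host}: {action['reason']}")
        for line in action["acl"]:
            print("   ", line)
```

The window and threshold are deliberately the only tuning knobs: a scanning host is one that fans out to many distinct neighbours quickly, which is independent of which port or protocol the malware happens to use, whereas a normal workstation keeps returning to the same handful of servers.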

The following video shows how this works:

https://www.youtube.com/embed/-O3EWydCf84

About aaZoo:

aaZoo is a security-focused network integrator from the Netherlands. We run our own Security Operations Center and offer cloud-based and on-premise secure network solutions. We offer secure network design, implementation and managed operations to customers in different verticals. Knowledge is our strength, challenge us! 


Gert-Jan de Boer