Cyberoam Certified Network & Security Professional (CCNSP) : Learning
Learning
training.cyberoam.com © Copyright 2012 Cyberoam Technologies Pvt. Ltd. All Rights Reserved.
training.cyberoam.com
Module 14 – Network Forensics
What is Forensics?
Types of Forensics
• Network
– Forensics done on a network to recreate/investigate a network event. Includes
• Email Forensics
• Chat Forensics
• Protocol Forensics
• Application Forensics
• Computer
– Used when an individual’s computer needs to be investigated.
– Generally covered by network forensics
Why Forensics ?
Forensics in action
• Involves
– Monitoring user activity
• Authentication events
• Email activity
• Messenger/Internet application activity
• Internal Web Server(s) activity
• Web Traffic (HTTP/HTTPS)
• Other Protocol Traffic like FTP, etc.
– Email transaction data - sender, receiver, number of bytes, date and time of
email, subject line, etc.
– Website visit data - website URL, sub domain, category of website, data
upload/download to/from the website, total bytes transferred, etc.
– Messenger data - message sender, receiver, file name, file type, etc.
Discovering Data
Analyzing Data
Managing the Data
iView
Real-Time Data Recording
• Real-Time Data records the data for modules like IPS, Web
Filter, Anti Spam, Anti Virus and Firewall.
• This page gives consolidated information about all the events
that have occurred.
Real-Time Data Recording > Search Filter
Real-Time Data Recording > Application Filter
Real-Time Data Recording > Anti Virus
Real-Time Data Recording > Anti Spam
Traffic Discovery
Event Captures
Event Captures > System
Event Captures > Authentication
Event Captures > Admin
Capture Configuration
Capture Configuration > Firewall logs
Capture Configuration > SYSLOG Config
– Note: Logging and reporting are covered in more depth in CCNSE; understanding
syslog facility types is beyond the scope of CCNSP.
Layer 8 analysis > View User Dashboard
• To view, navigate to Logs & Reports -> View Reports
Layer 8 analysis > Application Risk Meter
Layer 8 analysis > Productivity Analysis
Blocked Attempts
Top Denied Application Categories
Top Denied Application
Top Denied Technologies
Top Denied Risks
Top Denied Users
Top Denied Hosts
Top Denied Rule IDs
Top Denied Web Users
Top Denied Domains
Country Maps
Data Leakage Prevention
Search within data
• Cyberoam iView’s deep and extensive search lets you search the
reports on multiple, mixed criteria.
• There are five main types of searches that can be performed on the iView
database.
– Web Surfing
– Mail Usage
– Spam
– Virus
– FTP
• In the Web Surfing report, a search can be done on the following criteria:
– Report Type: summary or detailed
– Search type: a domain, URL, category, or IP address
– Search for: a user or a group
– Username: a specific username
– Domain: a particular domain name, such as www.example.com
Compliance data
• Supported compliances:
– HIPAA (Health Insurance Portability and Accountability Act)
– GLBA (Gramm-Leach-Bliley Act)
– SOX (Sarbanes-Oxley)
– PCI (Payment Card Industry)
– FISMA (Federal Information Security Management Act).
Bookmarks
Notifying Administrator
Customize data view
Data Management
Case 1
• Initial Information
– The company has around 400+ employees.
– The design task started around a month earlier and
ended on 5th October.
– The design team comprises 5 people.
– The design team sent the design to the product team.
– The product team comprises 10 people, of which 6 work
on the product that uses this design.
• Initial Investigation
– Investigation reveals that 2 people from the design team were
working on this design. The design was completed on 5th
October.
– The design was sent by email to the relevant people in the
product team.
– The leak came to the knowledge of management on
25th October.
• The file upload report does not highlight any user who
uploaded the design file, so we next check email
usage with a subject-line search (Path: Search -> Mail usage).
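The subject-line search used in Case 1, worked as an added example (this is not Cyberoam's or iView's code): it filters a constructed mail transaction log by subject keyword and the 5 to 25 October window, then keeps only messages whose recipient is outside the design and product teams. Addresses, team membership, dates and byte counts are constructed assumptions.

```python
"""Case 1 triage as an added example: subject-line search over mail
transaction data, then a check for recipients outside the two teams.
All addresses, dates and sizes below are constructed, not real logs."""

# Constructed mail transaction records in the fields the module lists:
# (sender, receiver, bytes, date/time, subject line).
MAIL_LOG = [
    ("alice@corp.example", "pm1@corp.example", 2_400_000, "2012-10-05 17:10", "Final design v3"),
    ("alice@corp.example", "pm2@corp.example", 2_400_000, "2012-10-05 17:11", "Final design v3"),
    ("bob@corp.example", "bob.home@mail.example", 2_398_000, "2012-10-09 22:41", "FW: Final design v3"),
    ("carol@corp.example", "pm1@corp.example", 12_000, "2012-10-12 09:00", "lunch?"),
    ("pm1@corp.example", "vendor@partner.example", 2_400_000, "2012-10-18 11:30", "design for review"),
]

# Assumed team membership (the case gives only head counts).
DESIGN_TEAM = {"alice@corp.example", "bob@corp.example"}
PRODUCT_TEAM = {"pm1@corp.example", "pm2@corp.example", "pm3@corp.example"}


def subject_search(log, keyword, start, end):
    """Mail-usage search: subject contains keyword (case-insensitive) and
    the message was sent between start and end (ISO dates, inclusive)."""
    kw = keyword.lower()
    return [rec for rec in log
            if start <= rec[3][:10] <= end and kw in rec[4].lower()]


def outside_circle(hits, allowed):
    """Keep hits whose recipient is not among the people who should
    legitimately hold the design."""
    return [rec for rec in hits if rec[1] not in allowed]


def investigate(log=MAIL_LOG):
    """Window per the case: design completed 5 Oct, leak noticed 25 Oct."""
    hits = subject_search(log, "design", "2012-10-05", "2012-10-25")
    return outside_circle(hits, DESIGN_TEAM | PRODUCT_TEAM)


if __name__ == "__main__":
    for sender, receiver, nbytes, when, subject in investigate():
        print(f"{when} {sender} -> {receiver} ({nbytes} bytes): {subject}")
```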
Case 2
• Initial Investigation
– The organization has enforced strict policies on its employees since its
inception.
– These policies include locking the USB ports on every computer and blocking
all Internet file-storage (online drive) applications.
– The maximum file size supported in email is 25 MB.
– Users have a monthly quota of 1.5 GB; they cannot browse any network
resources beyond this limit.
– The forensic analysts have been assigned the task of finding who leaked the file
and how it was leaked.
– Initial investigation and questioning of the administrators revealed that static IP
addresses are assigned to each computer, authentication mechanisms are in
place, and each user has a quota of 150 MB/day.
• Step 1
– To solve this complicated case, we first drill down into the file upload report. (Path:
Reports -> Web Usage -> Top File Upload)
– The web file upload report gives no information about a 1 GB file. With no clues
from file uploads, we drill down into the group-wise web usage report
(Path: Reports -> Web Usage -> Top Web User Groups). From this screen we
learn the group to which the user who leaked the file belongs.
– All groups show the same usage pattern, so it is difficult to suspect
any one group; however, we still drill down into the users of each group to see
their individual data usage, looking for clues in the details of the group-wise web
usage report (Path: Search -> Web Surfing Reports).
– This screen also shows no standout usage by any particular user, so we
are sure the file was not uploaded directly as a single 1 GB file. With no
successful clues so far, we turn to the web search reports (Path:
Reports -> Search Engine).
– Suspect identified; we drill into the user-based reports for web categories, files
uploaded, files downloaded, denied categories, viruses, and Internet usage.
(Path: Dashboard -> Custom Dashboard)
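The Case 2 web-usage drill-down, worked as an added example that is not iView's code and goes one step past the slides: it computes the group-wise totals, the per-user daily check against the 150 MB/day quota stated in the case, and a cumulative per-user total over the window that surfaces an upload spread across several days when no single day trips the quota. Users, groups, dates and byte counts are constructed.

```python
"""Case 2 drill-down as an added example (not Cyberoam iView code):
group-wise upload totals, per-user daily quota check, then cumulative
upload per user across the window. All records below are constructed."""
from collections import defaultdict

MB = 1024 * 1024
DAILY_QUOTA = 150 * MB      # per-user daily quota stated in the case
LEAKED_FILE = 1024 * MB     # size of the leaked file stated in the case

# Constructed web-usage records: (user, group, date, bytes uploaded).
WEB_LOG = [
    ("dave", "design", "2012-10-06", 40 * MB),
    ("dave", "design", "2012-10-07", 45 * MB),
    ("erin", "product", "2012-10-06", 120 * MB),
    ("erin", "product", "2012-10-07", 130 * MB),
    ("erin", "product", "2012-10-08", 140 * MB),
    ("erin", "product", "2012-10-09", 145 * MB),
    ("erin", "product", "2012-10-10", 140 * MB),
    ("erin", "product", "2012-10-11", 145 * MB),
    ("erin", "product", "2012-10-12", 140 * MB),
    ("erin", "product", "2012-10-13", 110 * MB),
    ("frank", "product", "2012-10-06", 30 * MB),
]


def totals_by(log, key):
    """Sum uploaded bytes per key(record): group, user, or (user, day)."""
    out = defaultdict(int)
    for rec in log:
        out[key(rec)] += rec[3]
    return dict(out)


def group_usage(log):
    """Top Web User Groups view: bytes uploaded per group."""
    return totals_by(log, lambda r: r[1])


def over_daily_quota(log, quota=DAILY_QUOTA):
    """Users who exceeded the daily quota on at least one day."""
    per_day = totals_by(log, lambda r: (r[0], r[2]))
    return sorted({user for (user, _), b in per_day.items() if b > quota})


def chunked_upload_candidates(log, size=LEAKED_FILE, quota=DAILY_QUOTA):
    """Users who never tripped the daily quota yet uploaded at least the
    leaked file's size in total over the window: a split upload pattern."""
    per_user = totals_by(log, lambda r: r[0])
    noisy = set(over_daily_quota(log, quota))
    return sorted(u for u, b in per_user.items() if b >= size and u not in noisy)
```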
Certification Prerequisite
Cyberoam Product Overview > Agenda
• Certification Prerequisite
• Cyberoam Overview
• CCC (Cyberoam Central Console)
• CCMS (Cyberoam on Cloud Management Service)
• Cyberoam iView
Cyberoam
Cyberoam > Layer 8 – Patent Pending Technology
[Diagram: User, Application]
Cyberoam > Layer 8 – Patent Pending Technology > Firewall
Cyberoam > Appliances
Cyberoam > Select the Right Appliance
- Case 1:
- Small Business customer with 15 concurrent users having 4Mbps Internet
Connectivity with 3G as a backup link.
- Customer is looking for a solution to protect network from internal and external
threats as well as to increase employee productivity by blocking unproductive
resources
- Which model of Cyberoam?
CR15i or CR15wi
- Subscriptions Required
SVS
Cyberoam > Select the Right Appliance
- Case 2:
- The Case 1 customer has expanded its business within the country by opening 4 new
branches. Each branch has 3-5 Internet users accessing the central
accounting system hosted at the Central Office. Branches also need wireless
connectivity. Internet bandwidth at the Central Office has also increased to
12Mbps.
- The customer would like to extend the Central Office network securely to allow
access to the accounting system.
- Central Office? CR50ia, considering 15 + 5 (each branch) x 4 branches
= 35 concurrent users
- Branch Offices? CR15wi
- Subscription: SVS
Cyberoam > Select the Right Appliance
- Case 3:
- The same customer has created a DMZ zone and added 5 business-critical servers
to protect from various network attacks. The servers include 1 email server, 1 web
server, 1 FTP server and 2 accounting servers.
- The customer expects 100 concurrent users to browse the corporate web
site and approximately 350 emails per day.
- Internet bandwidth has increased to 20Mbps.
- The customer is looking for a replacement for the existing device:
- Appliance Model: CR100ia, by the following logic:
- Consider 30 additional users (30% of the 100 external users) on top of the 35 existing users.
This makes a total of 65 users plus email traffic.
- Inbound traffic has increased due to the email and web servers, which requires more new
sessions per second.
- Subscriptions:
- TVS + WAF
Cyberoam > Features offered with one time sale of appliance (Basic Appliance)
- Identity-based Firewall
- 8 x 5 Support for one month from the registration
- VPN- Threat Free Tunneling
- SSL VPN
- Bandwidth Management
- Multiple Link Management
Cyberoam > Features offered with Subscription
Cyberoam > Features offered with Bundled Subscription
Cyberoam > Bundled Subscription > Types
Cyberoam > How to Check Subscription?
NFR vs. Regular Appliance
• Regular Appliance
- Cyberoam appliance sold to a Partner / Reseller for direct customer sale.
- Can be registered once, to get three 15-day trials for all subscription-based
modules.
• Not for Resale (NFR) Appliance
- Cyberoam appliance sold to a Partner / Reseller for conducting demos.
- Can be registered an unlimited number of times under different credentials after a
factory reset.
- Gets three 15-day trials for all subscription-based modules after each
registration.
CCC
CCC (Cyberoam Central Console)
- Offers the flexibility of hardware CCC appliances and virtual CCC appliances
- Provides granular security and visibility into remote and branch offices across
the globe.
CCC > Key Highlights
- Centralized Management
- Centralized Visibility
CCC > Hardware CCC and Virtual CCC
• Hardware CCC
- CCC 15
- CCC 50
- CCC 100
- CCC 200
- CCC 500
- CCC 1000
• Virtual CCC
- CCC VMS 15, CCC VMS 50, CCC VMS 100, CCC VMS 200 for VMware
server-based virtual environment
- CCC VMW 15, CCC VMW 50, CCC VMW 100, CCC VMW 200 for VMware
workstation-based virtual environment
CCMS (Cyberoam Cloud Management Service)
Cyberoam iView
[Diagram: Identity, Logging, Reporting, Data Protection, Compliance Management]
Q&A
If any??
Training Conclusion
How to Appear for Exam
• Click start test when you are ready to start the exam
Thank you!