Cyberoam Certified Network & Security Professional (CCNSP) : Learning

Cyberoam Certified Network & Security Professional (CCNSP)
Learning
training.cyberoam.com © Copyright 2012 Cyberoam Technologies Pvt. Ltd. All Rights Reserved.
training.cyberoam.com
Module 14 – Network Forensics
Learning
What is Forensics?
• Network Forensics is monitoring, analyzing and recreating a

scene for the purpose of information gathering, legal
evidence or an intrusion
• It has two uses
– To implement security consisting of monitoring and logging
– Law Enforcement (investigating/recreating a crime scene)
Learning
Types of Forensics
• Network
– Forensics done on a network to recreate/investigate a network event. Includes
• Email Forensics
• Chat Forensics
• Protocol Forensics
• Application Forensics
• Computer
– Used when an individual’s computer needs to be investigated.
– Generally overdone by Network Forensics
Learning
Why Forensics ?
• Forensics is needed for

– Responding to a network incident
– Supporting a crime investigation
Learning
Forensics in action
• Involves
– Monitoring user activity
• Authentication events
• Email activity
• Messenger/Internet application activity
• Internal Web Server(s) activity
• Web Traffic (HTTP/HTTPS)
• Other Protocol Traffic like FTP, etc.
Learning
Forensics in action
• Identifying the source of data leak

– Computer from where the data is leaked
• Difficult to track because of Organization dynamism
• Dynamic IP address schema
• Roaming tendency of a user
• Bringing own devices like USB Drives, etc in organization network
• Using own network like 3G.
– Media through which data is leaked
• Email
• Chat (Messengers)
• Web Upload
• FTP Upload
• Cloud Storage Drives
• USB Sticks
• Mobile device memory
Learning
Capturing and Recording Data
• An efficient forensic solution should be able to capture the

following data
– Authentication data - username in place of IP addresses
– Email transaction data - sender, receiver, number of bytes, date and time of
email, subject line, etc.
– Website visit data - website URL, sub domain, category of website, data
upload/download to/from the website, total bytes transferred, etc.
– Messenger data - message sender, receiver, file name, file type, etc.
Learning
Discovering Data
• A forensic solution must be able to filter following captured

data and discover live data such as live connections, packet
capture, traffic discovery and real time traffic.
– Email
• Filtering criteria should include sender name, sender email, sender IP
address, receiver name, receiver email, receiving mail server IP address,
subject line, body text search, etc.
– Chat (Messenger)
• Filtering should include username, message search, file name search, file
type search, file MIME header search, etc.
– Web Upload
• Filtering criteria should include username, website name, URL search,
category search, etc.
Learning
Analyzing Data
• Once the capturing is done, there should be a mechanism

which puts the data in proper place, meaning a sensible
format which can be easily understood by the viewer.
• A good forensic solution must answer An investigator’s five
questions
– What ?
– Where?
– When?
– Why?
– How?
Learning
Managing the Data
• A Forensic solution should ensure that proper data

management facilities are available.
• For example:
– Data Retention Policy.
– Maintain proper storage space for the data.
Learning
iView
• In this section , we will know more about the forensic

reporting solution iView.
• Layer 8 firewalls come with an on-appliance reporting
solution known as Cyberoam - iView.
Learning
iView
• On-Appliance Intelligent Logging & Reporting Module

– Log Management
– Security Management
• Traffic & Security Dashboards
• Network attacks information
– Compliance Management
• Display compliance reports
– Forensic Analysis
• Reconstructing sequence of events at the time of security breach with
iView logs and reports
Learning
Real-Time Data Recording
• Real-Time Data records the data for modules like IPS, Web
Filter, Anti Spam, Anti Virus and Firewall.
• This page gives consolidated information about all the events
that have occurred.
Note – Real-time logs are stored on cache,

Allows viewing Maximum 1100/logs per module (IPS, Firewall, etc.)
follow FIFO (First-in First-Out) order.
Logs are flushed on reboot. Learning
Real-Time Data Recording > Web Filter
Learning
Real-Time Data Recording > Search Filter
Learning
Real-Time Data Recording > Application Filter
Learning
Real-Time Data Recording > Anti Virus
Learning
Real-Time Data Recording > Anti Spam
Learning
Traffic Discovery
• Traffic Discovery shows the live connections

• It can be drilled down by
– Application wise Users
– User wise Applications
Learning
Traffic Discovery
Learning
Traffic Discovery
Learning
Event Captures
• Event captures are represented on the Log viewer page on

the Cyberoam appliance.
• Log Viewer page allows to view the data recorded for
components like System, Authentication, Admin, etc.
Learning
Event Captures > System
Learning
Event Captures > Authentication
Learning
Event Captures > Admin
Learning
Capture Configuration
• Syslog is an industry standard protocol/method for collecting

and forwarding messages from devices to a server running a
syslog daemon usually via UDP Port 514.
• Appliance Syslog support requires an external server running
a Syslog daemon on any of the UDP Port.
• A SYSLOG service simply accepts messages, and stores
them in files or prints.
Learning
Capture Configuration > Firewall logs
• Once you add the server, configure types of captures to be

sent to the syslog server.
• Go to Logs & Reports -> Configuration -> Log Settings.
Multiple servers are configured and various captures can be
sent on different servers.
Learning
Capture Configuration > SYSLOG Config
– Note: More about logging and reporting is described in CCNSE as it is beyond the scope
of CCNSP to understand the type of facility.
Learning
Capture Configuration > SYSLOG Config
Learning
Layer 8 analysis > View User Dashboard
• To view navigate to Logs & Reports -> View Reports
Learning
Layer 8 analysis > Application Risk Meter
• Application Risk meter provides the risk assessment based

on the analysis of the traffic through the network.
• Risk meter is displayed at the top of each page that contains
application for an ease to provide an organization with the
level of security.
• By viewing the risk meter, an organization can choose
whether to tighten the security or not.
Learning
Layer 8 analysis > Productivity Analysis
• Productivity analysis of an organization network can be done

from the graphs.
• Cyberoam iView provides a detailed analysis with graphs and
stats for an organization to see exactly as to how much
productive the use of network is.
Learning
Blocked Attempts
• Cyberoam iView generates blocked attempt reports

• From this report you can view the user trend to try surfing
blocked web traffic or trying unbolt blocked applications.
• On the blocked application dashboard page, Cyberoam iView
shows the following consolidated reports
• To view the blocked attempts go to reports -> Blocked
Applications, or reports -> Blocked Web Attempts,
(depending on what report you want to see).
Learning
Top Denied Application Categories
Learning
Top Denied Application
Learning
Top Denied Technologies
Learning
Top Denied Risks
Learning
Top Denied Users
Learning
Top Denied Hosts
Learning
Top Denied Rule IDs
Learning
Top Denied Web Users
Learning
Top Denied Domains
Learning
Country Maps
• Graphical overview of Data transfer and Risk level
Learning
Data Leakage Prevention
• CyberoamOS proactively monitors and reports file uploads

which can possibly lead to data breach and leakage.
• For an organization it is essential not only to maintain the
availability of the files of its employees, but also integrity and
harmony
Learning
Search within data
• Cyberoam iView’s deep and extensive search algorithm lets you search the
reports on multiple and mixed criteria’s.
• There are five main types of searches that can be performed on the iView
database.
– Web Surfing
– Mail Usage
– Spam
– Virus
– FTP
• In Web Surfing report search can be done on the following criteria’s
– Report Type : Can either be summary or in detail
– Search type : Can be a domain, URL, Category, or an IP Address
– Search for: Can be a User or a Group
– Username: Specific username
– Domain: a particular domain name like www.example.com
Learning
Compliance data
• Supported compliances:
– HIPAA(Health Insurance Portability and Accounting Act)
– GLBA (Gramm-Leach Biley Act)
– SOX (Sarbanes-Oxley)
– PCI (Payment Card Industry)
– FISMA (Federal Information Security Management Act).
Learning
Bookmarks
• Bookmark management in iView allows an organization to

create bookmark of any report, being at any level.
• It not only provides an organization with wider visibility in to
the network based on criteria, but also allows easy access to
most common and important reports to an organization.
Learning
Notifying Administrator
• Cyberoam iView if configured to, can send reports to

specified email address(es) on a frequency configured.
• To use notifications go to System -> Configuration -> Report
Notification.
Learning
Customize data view
Learning
Data Management
• CyberoamOS creates different partitions on the disk within

appliance such as root, Signature, Configuration, Reports
and Temp.
• This can be seen from the disk usage section under System
Graphs by navigating System -> Diagnostics -> System
Graphs
Learning
Data Management (Cont.)
• For an ease, CLI command can be used to set the lower

threshold limit between 60 to 85%.
Learning
• On the Cyberoam Console window, choose the option 4
• On the console window, type the following command to see

the disk currently being used by report partition
• To see the watermark level defined for reporting partition, key

in the following command.
Learning
• Choose the duration for each module, for retaining data

– Go to System -> Configuration -> Data Management (on Reports UI)
Learning
• Choose manual purge, to purge data for selected duration

• Select, module based report, or All reports
– Go to System -> Configuration -> Manual Purge (on Reports UI)
Learning
Case 1
• A XYZ company’s ex-employee opens his own company.

• When found by the XYZ Company, the product has the
same design and same content as manufactured by the
owing company.
• XYZ Company wants to investigate the network forensics and
find if the design and content data was leaked.
Learning
Case 1
• A XYZ company’s ex-employee opens his own company.

• When found by the XYZ Company, the product has the
same design and same content as manufactured by the
owing company.
• XYZ Company wants to investigate the network forensics and
find if the design and content data was leaked.
Learning
Case 1
• Initial Information
– The company has a total of around 400 + employees.
– The designing task started around a month earlier and
ended on 5th October.
– Design team comprises of 5 people.
– Design team sent the design out to product team.
– Product team comprises of 10 people, out of which 6 are
responsible to work for the product with this design
Learning
Case 1
• Initial Investigation
– Investigation reveals that 2 people from design team were
working on this design. The design was completed on 5th
October.
– Design was sent out using their emails to the persons from
product team.
– The leak came into the knowledge of the management on
25th October
Learning
Case 1
• At first we check the web usage for file upload. (Path:

Reports -> Web Usage -> Top File Upload)
Learning
Case 1
• File upload report does not highlight any user who has
uploaded the design file, hence, we now check the email
usage with subject line search (Path: Search -> Mail usage)
Learning
Case 1
• In the next step, we drill down the usage of Jerome to confirm

if Jerome is the suspect.
Learning
Case 1
• It is revealed from Jerome’s IM usage that it was sent out to

anthony.dcousta using IM.
Learning
Case 2
• An organization’s large file (1 GB), containing essential data

and organization business secrets is leaked.
Learning
Case 2
– The organization has strict policies enforced to its employees since its
inception.
– These polices include, locking USB ports on each computer, all file internet
drive applications are locked.
– Maximum file size supported in email is 25 MB.
– User’s have a monthly quota of 1.5GB. They cannot browse any network
resources beyond this limit.
– The forensic analysts have been assigned task to find, who leaked the file,
and how the file was leaked?
Learning
Case 2
– Initial investigation and interrogation with administrators revealed that static IP
addresses are assigned to each computer, authentication mechanism are in
place, and each user has a quota of 150 MB/day.
Learning
Case 2
• Step 1
– To solve this complicated case, we first drill down the file upload report. (Path:
Reports -> Web Usage -> Top File Upload)
Learning
Case 2
– Web file upload does not give any information about a 1 GB file, hence Upon
no clues with file upload, we drill down the group wise web usage report.
(Path: Reports -> Web Usage -> Top Web User Groups). From this screen we
shall come to know the group to which the user(who leaked the file) belongs
to.
Learning
Case 2
– All group usage show the same type of pattern, hence it is difficult to suspect
any group, however, we still drill down into the users from each group to see
their individual data usage. Drilling down into details of group wise web usage
report for clues (path: Search -> Web Surfing Reports)
Learning
Case 2
– This screen also does not show the usage by any particular user, hence we
are sure that the file was not uploaded directly as a 1 GB file, Upon no
successful clues, we are forced to look into the web search reports. (Path:
Reports -> Search Engine)
Learning
Case 2
– Suspect identified, drilling into user based reports for web categories, files
uploaded, files downloaded, denied categories, viruses, and internet usage.
(Path: Dashboard -> Custom Dashboard)
Learning
Case 2
• Suspect confirmed. The file was broken down into chunks

and uploaded on an FTP server in a span of 11 days.
Learning
Pre-requisites
Learning
Certification Prerequisites
Learning
Certification Prerequisite
• In order to appear for Cyberoam Certifications, it is

mandatory to have prior knowledge of Cyberoam Family
Products.
• This module will help you understand Cyberoam better.
Learning
Cyberoam Product Overview > Agenda
• Certification Prerequisite
• Cyberoam Overview
• CCC (Cyberoam Central Console)
• CCMS (Cyberoam on Cloud Management Service)
• Cyberoam iView
Learning
Learning
Cyberoam
• Next Generation UTM: Cyberoam

- Cyberoam is the identity-based UTM solution that offers Integrated Internet
- Security with fine granularity through its unique identity-based policies.
- It offers comprehensive threat protection with:
• Identity-based Firewall
• VPN- Threat free tunneling
• SSL VPN
• Gateway Anti-Virus & Anti-Spam
• Intrusion Prevention System
• WAF (Web Application Firewall)
• High Availability (HA)
• Content Filtering
• Bandwidth Management
• Multi-Link Manager
• On-Appliance Reporting
• 1000+ drilldown reports
Learning
Cyberoam > Cyberoam’s Security Approach
Cyberoam – Identity Based Security
Cyberoam is the only Identity-based Unified Threat

Management appliance that provides integrated Internet
security to enterprises and educational institutions through
its unique granular user-based controls.
Learning
Cyberoam > Layer 8 – Patent Pending Technology
Application
User
Learning
Cyberoam > Layer 8 – Patent Pending Technology > Firewall
Learning
Cyberoam > Appliances
Small Offices / Small & Medium Large Enterprises

Branch Offices Enterprises
CR 35wi#, CR 35ia, CR CR 200i, CR 300i, CR 100ia, CR 1500ia *, CR 1000ia *,
25wi#, CR 25ia, CR 15i, CR CR 50ia CR 750ia *, CR 500ia *
15wi#
#Appliances available with WiFi *Appliances available with fibre port

variants
Learning
Cyberoam > Select the Right Appliance
- Choosing the right product for an organization depends on

- Number of Concurrent Users
- Bandwidth – Upload/Download
- Number of Servers to be published
- Number of VPN tunnels and users
- Additional requirements (Authentication, Unified Threat Control, HA)
Learning
- Case 1:
- Small Business customer with 15 concurrent users having 4Mbps Internet
Connectivity with 3G as a backup link.
- Customer is looking for a solution to protect network from internal and external
threats as well as to increase employee productivity by blocking unproductive
resources
- Which model of Cyberoam?
CR15i or CR15wi
- Subscriptions Required
SVS
Learning
- Case2:
- Case 1 customer has expanded business in country by opening 4 new
branches. Each branch has got 3-5 internet users accessing central
accounting system hosted at Central Office. Branches also need wireless
connectivity. Internet bandwidth at Central Office also has increased to
12Mbps
- Customer would like to extend Central Office network in secure way to allow
access of accounting system.
- Central Office? CR50ia by considering 15 + 5 (Each Branch) x 4 branches
= 35 Concurrent Users
- Branch Offices? CR15wi
- Subscription: SVS
Learning
- Case3:
- Same customer has created DMZ zone and added 5 business critical servers
to protect from various network attacks. Server includes 1 email server, 1 web
server, 1 FTP server and 2 accounting servers.
- Customer is expecting 100 concurrent users to surf their corporate web
site and approximate 350 emails per day.
- Internet Bandwidth has increased to 20Mbps.
- Customer is looking for replacement of existing device:
- Appliance Model: CR100ia by below logic:
- Considering 30 additional users (30% of 100 external users) apart from 35 existing users.
This makes total 65 users and email traffic.
- Inbound traffic has increased due to Email & Web Server. This needs increased new
sessions per second.
- Subscriptions:
- TVS + WAF
Learning
Cyberoam > Features offered with one time sale of appliance (Basic Appliance)
- Identity-based Firewall
- 8 x 5 Support for one month from the registration
- VPN- Threat Free Tunneling
- SSL VPN
- Bandwidth Management
- Multiple Link Management
Learning
Cyberoam > Features offered with Subscription
- Gateway Anti-Virus Subscription (Anti-malware, phishing, spyware protection

included)
- Gateway Anti-spam Subscription
- Web & Application Filtering Subscription
- Intrusion Prevention System (IPS)
- 8 x 5 support
- 24 x 7 Premium Support
(Subscription services are available on 1 Year, 2 Years or 3 Years subscription

basis)
Learning
Cyberoam > Features offered with Bundled Subscription
• Bundle can be the combination of or all of the following

modules:
- Gateway Anti Virus
- Gateway Anti-spam
- Intrusion Prevention System
- Web and Application Filter
- 8 X 5 Support
Learning
Cyberoam > Bundled Subscription > Types
• TVS (Total Value Subscription)

- Gateway Anti-Virus (Anti-malware, phishing, spyware protection included)
- Gateway Anti-spam
- Web & Application Filtering
- 8 x 5 Email, phone and chat Tech Support
• SVS (Security Value Subscription)
Learning
Cyberoam > Bundled Subscription > Types (Continued…)
• TVSP (Total Value Subscription Plus)

- Gateway Anti-spam
• SVSP (Security Value Subscription Plus)
Learning
Cyberoam > How to Check Subscription?
Learning
NFR V/S Regular Appliance
• Regular Appliance
- Cyberoam appliance sold to Partner / Reseller for direct customer sale.
- Will be registered once to get 3, 15 days trials for all subscription based
modules.
• Not for Resale (NFR) Appliance
- Cyberoam appliance sold to Partner / Reseller for conducting demo’s.
- Can be registered unlimited number of times under different credentials after
factory reset.
- Will get 3, 15 days trial for all subscription based modules after each
registration.
Learning
• Cyberoam iView
Learning
CCC
Learning
CCC (Cyberoam Central Console)
- Offer the flexibility of hardware CCC appliances and virtual CCC appliances
- Provide centralized security management across distributed Cyberoam UTM

appliances
- Enables high levels of security for MSSPs and large enterprises.
- Layer 8 Identity-based policies and centralized reports and alerts, CCC

hardware and virtual appliances
- Provide granular security and visibility into remote and branch offices across
the globe.
Learning
CCC > Key Highlights
- Centralized Management
- Security Management with Reduced Policy Deployment Time
- Ease and Flexibility of Management
- Security Against Misuse of Administrator Privileges
- Centralized Visibility
Learning
CCC > Key Highlights
- Centralized Management
- Security Management with Reduced Policy Deployment Time
- Ease and Flexibility of Management
- Security Against Misuse of Administrator Privileges
- Centralized Visibility
Learning
CCC > Hardware CCC and Virtual CCC
• Hardware CCC
- CCC 15
- CCC 50
- CCC 100
- CCC 200
- CCC 500
- CCC 1000
• Virtual CCC
- CCC VMS 15, CCC VMS 50, CCC VMS 100, CCC VMS 200 for VMware
server-based virtual environment
- CCC VMW 15, CCC VMW 50, CCC VMW 100, CCC VMW 200 for VMware
workstation-based virtual environment
Learning
• Cyberoam iView
Learning
Learning
CCMS (Cyberoam Cloud Management Service)
Learning
• Cyberoam iView
Learning
Cyberoam iView
Learning
Cyberoam iView
• Ability to log and report activities

• LAYER 8 - Identity-based logging and reporting –
Pinpoints the user
• Security Management
- iView dashboard- Shows network attacks on single screen
- Drill-down reports – 3rd level drill-down for attack details
- 1000+ Reports
• Log Management
• Compliance Management
- HIPAA, PCI DSS, GLBA, and more
• Forensic Analysis
Learning
Cyberoam iView – On-Appliance Logging & Reporting
Security Forensic
Management Analysis
Data Compliance
Protection Management
Identity
Logging Reporting
Logs & Events
Learning
Q&A
If any??
Learning
Training Conclusion
• Collect Trainer Feedback Forms from Trainer

• Complete the forms and submit them to the trainer
Learning
How to Appear for Exam
• With the credentials from your enrollment email, log in to the

exam portal
Learning
• Read the Exam Instructions before starting the exam
Learning
• Read the Exam Instructions before starting the exam
Learning
• Click start test when you are ready to start the exam
Learning
• During the test

- If any question has multiple answers, it would be mentioned (Select multiple
answers, if applicable)
- All other questions will allow selecting a single option only.
• Interrupted test
- If your exam is interrupted due to any reason, go back to exam page at
training.cyberoam.com/exam
- Click on “Start test”, status should show “in progress”
Learning
• Results will be declared in 4 working days from the date of

training. Do check your email for the results
Learning
• On successful completion, you will get following email

• This email will also contain attached, a certificate “PDF” file.
Learning
• Consolation email is sent when exam is not cleared
Learning
Thank you!
Learning

Cyberoam Certified Network & Security Professional (CCNSP) : Learning

Uploaded by

Copyright:

Available Formats

You might also like

Cyberoam Certified Network & Security Professional (CCNSP) : Learning

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cyberoam Certified Network & Security Professional (CCNSP) : Learning

Uploaded by

Copyright:

Available Formats

Cyberoam Certified Network & Security Professional (CCNSP)

• Network Forensics is monitoring, analyzing and recreating a

• Forensics is needed for

• Identifying the source of data leak

• An efficient forensic solution should be able to capture the

• A forensic solution must be able to filter following captured

• Once the capturing is done, there should be a mechanism

• A Forensic solution should ensure that proper data

• In this section , we will know more about the forensic

• On-Appliance Intelligent Logging & Reporting Module

Note – Real-time logs are stored on cache,

• Traffic Discovery shows the live connections

• Event captures are represented on the Log viewer page on

• Syslog is an industry standard protocol/method for collecting

• Once you add the server, configure types of captures to be

• Application Risk meter provides the risk assessment based

• Productivity analysis of an organization network can be done

• Cyberoam iView generates blocked attempt reports

• Graphical overview of Data transfer and Risk level

• CyberoamOS proactively monitors and reports file uploads

• Bookmark management in iView allows an organization to

• Cyberoam iView if configured to, can send reports to

• CyberoamOS creates different partitions on the disk within

• For an ease, CLI command can be used to set the lower

• On the Cyberoam Console window, choose the option 4

• On the console window, type the following command to see

• To see the watermark level defined for reporting partition, key

• Choose the duration for each module, for retaining data

• Choose manual purge, to purge data for selected duration

• A XYZ company’s ex-employee opens his own company.

• A XYZ company’s ex-employee opens his own company.

• At first we check the web usage for file upload. (Path:

• In the next step, we drill down the usage of Jerome to confirm

• It is revealed from Jerome’s IM usage that it was sent out to

• An organization’s large file (1 GB), containing essential data

• Suspect confirmed. The file was broken down into chunks

• In order to appear for Cyberoam Certifications, it is

• Next Generation UTM: Cyberoam

Cyberoam – Identity Based Security

Cyberoam is the only Identity-based Unified Threat

Small Offices / Small & Medium Large Enterprises

#Appliances available with WiFi *Appliances available with fibre port

- Choosing the right product for an organization depends on

- Gateway Anti-Virus Subscription (Anti-malware, phishing, spyware protection

(Subscription services are available on 1 Year, 2 Years or 3 Years subscription

• Bundle can be the combination of or all of the following

• TVS (Total Value Subscription)

• TVSP (Total Value Subscription Plus)

- Provide centralized security management across distributed Cyberoam UTM

- Enables high levels of security for MSSPs and large enterprises.

- Layer 8 Identity-based policies and centralized reports and alerts, CCC

- Security Management with Reduced Policy Deployment Time

- Ease and Flexibility of Management

- Security Against Misuse of Administrator Privileges

- Security Management with Reduced Policy Deployment Time

- Ease and Flexibility of Management

- Security Against Misuse of Administrator Privileges

• Ability to log and report activities