
Network Defense at Blackhat 2012

August 7, 2012

Just back from presenting the lab-based training session Detecting & Mitigating Attacks Using Your Network Infrastructure with Joe Karpenko at Blackhat USA 2012. It was great to see a Defense track of Briefings, which included Intrusion Detection Along The Kill Chain: Why Your Detection System Sucks And What To Do About It, and more of an emphasis on protecting or remediating network infrastructures in topics like Targeted Intrusion Remediation: Lessons From The Front Lines. I attended several of these briefings and was impressed with the breadth of information provided for network operators. The Defense briefings align well with the network security best practices advocated by Cisco and presented in our training. These best practices include:

  1. Harden network devices – Disable unused services and features, and enable the commands and features that reserve network device processing power for forwarding legitimate business IP traffic.
  2. Enable syslog on network devices – Event logging provides visibility into network devices and the network infrastructure as a whole.
  3. Correlate syslog events across network devices to identify potential issues – Send logging information to a centralized syslog server so that events from different devices can be aggregated and matched against known security and network issues.
  4. Enable NetFlow on strategic network devices – NetFlow provides visibility into the IP traffic transiting a network.
  5. Use the collected NetFlow information to understand network traffic patterns – Anomalous and security-related network activity can be identified by tracking IP traffic flows.
  6. Use DNS logging to identify potential issues – DNS event logging provides visibility into the destination domains that user and device IP traffic is headed for.
  7. Use the telemetry gathered from the above best practices to construct a network IP traffic baseline, and leverage it to quickly identify anomalies – A traffic baseline defines what normal looks like, so that anomalous behavior stands out. Correlating these different telemetry types helps us infer the causes and effects of unusual network activity so that we can react before legitimate business IP traffic is impacted.
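As an added illustration of practices 4 through 7 (example code written for this page, not code from the post or from Cisco), this Python sketch builds a per-host baseline from constructed NetFlow-style records, flags review-window flows that leave it, and enriches each alert with the domain the client resolved from a constructed DNS log. The record layouts, addresses and the k=3 standard-deviation threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records (src_ip, dst_ip, dst_port, bytes), not real
# telemetry. BASELINE_FLOWS is the learning window; REVIEW_FLOWS is checked against it.
BASELINE_FLOWS = [
    ("10.1.1.20", "198.51.100.10", 443, 12000),
    ("10.1.1.20", "198.51.100.10", 443, 15000),
    ("10.1.1.20", "198.51.100.11", 443, 9000),
    ("10.1.1.21", "198.51.100.10", 443, 8000),
    ("10.1.1.21", "198.51.100.12", 80, 7000),
]
REVIEW_FLOWS = [
    ("10.1.1.20", "198.51.100.10", 443, 13000),   # within baseline
    ("10.1.1.20", "203.0.113.5", 443, 900000),    # byte-volume spike
    ("10.1.1.21", "203.0.113.9", 8081, 5000),     # port never seen before
]
# Constructed DNS query log (client_ip, qname, resolved_ip) used to enrich alerts.
DNS_LOG = [
    ("10.1.1.20", "updates.example.com", "198.51.100.10"),
    ("10.1.1.20", "files.example.net", "203.0.113.5"),
]

def build_baseline(flows):
    """Per-source profile: destination ports seen and byte-volume mean/stddev."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for src, _dst, dport, nbytes in flows:
        ports[src].add(dport)
        sizes[src].append(nbytes)
    return {src: {"ports": ports[src], "mean": mean(sizes[src]),
                  "std": pstdev(sizes[src])} for src in ports}

def resolve_name(dst_ip, dns_log):
    """Correlate a flow's destination with the name a client resolved to it."""
    return {ip: q for _client, q, ip in dns_log}.get(dst_ip, "<no DNS record>")

def find_anomalies(baseline, flows, dns_log, k=3.0):
    """Return (src, dst, domain, reasons) for flows outside the baseline."""
    alerts = []
    for src, dst, dport, nbytes in flows:
        prof, reasons = baseline.get(src), []
        if prof is None:
            reasons.append("unknown source host")
        else:
            if dport not in prof["ports"]:
                reasons.append(f"new destination port {dport}")
            if nbytes > prof["mean"] + k * prof["std"]:
                reasons.append(f"volume {nbytes}B exceeds baseline")
        if reasons:
            alerts.append((src, dst, resolve_name(dst, dns_log), reasons))
    return alerts
```

Running `find_anomalies(build_baseline(BASELINE_FLOWS), REVIEW_FLOWS, DNS_LOG)` yields two alerts: the volume spike to files.example.net and the never-before-seen port with no matching DNS lookup.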

Other network security best practices are covered in these security best practice documents:

Additional network security resources are available at Cisco Security Intelligence Operations and our security blog is



  1. I’m a beginner in Cisco and want to explore more in Cisco infrastructure.

  2. NetFlow seems reasonable.