Maximize Network Visibilitywith NetFlow Technology

Adam PowersChief Technology Officer

Lancope

Agenda

What is NetFlowh Introduction to NetFlow hNetFlow Examples

NetFlow in ActionhNetwork Operations User CasehSecurity Operations User CasehPCI Compliance and Auditing User Case

A Glimpse into the Power of NetFlowh10+ G Ethernet EnvironmentshVirtual EnvironmentshMPLS and Multi-point VPNs

What is NetFlow?

NetFlow Fields

src and dst IP

src and dst port

start time

end time

packet count

byte count

...

Internet

NetFlowPackets

StealthWatchFlow Collector

NetFlow vs. Traditional SNMP Monitoring

Traditional SNMP

NetFlow Reporting

Flow-based Visibility and Drill-down

NetFlow for the Network Team

NetFlow Packetflow1flow2

...

Network Team

Interface utilization

Billing and chargeback

QOS monitoring

BGP ASN monitoring

MPLS visibility

Application troubleshooting

Security Team

File sharing

Malware outbreak detection

Network acceptable use

Flow forensics

Data loss prevention

StealthWatchFlow Collector

Compliance and Auditing

PCI Compliance

HIPAA Compliance

SCADA Security

Sarbanes-Oxley

NetFlow in Action : Network Operations

OldCastle APGLeading North American manufacturer of concrete masonry, lawn, garden and paving products and a regional leader in clay brick206 Operating locations7000+ employees

ProblemNo way to visualize who or what was causing network slowdowns Internal IT staff using multiple tools in attempts to troubleshoot incidents

SolutionCombining Cisco NetFlow and Lancope’s StealthWatch System for visibility into the ‘who, what, when and where’ of network traffic

Business ResultsDetermine the root cause of network slowdowns in real-timeDetect bandwidth and network user violations and tie user identity to rogue activityUnified view of network and security operationsh All regional network managers, helpdesk and network/security engineers at Oldcastle APG

use StealthWatch to pinpoint the traffic and users associated with network and security issues and expedite problem resolution

Gains detailed network performance analysis for capacity planning, helping Oldcastle APG forecast bandwidth upgradesAlso helps quickly discover and diffuse virus infections

NetFlow in Action : Network Operations

Tony Jaroszewski, Network/Security Engineer for OldCastle APG

“StealthWatch enables our support team to make strategic decisions about network and security management based on a unified view of network, security and user information across the enterprise. Not only does it provide network performance monitoring to ensure our applications run optimally, StealthWatch also identifies internal and external threats through behavior-based algorithms.”

NetFlow in Action : Network Operations

NetFlow Compliance and Auditing

NetFlow Packetflow1flow2

...

Network Team

Interface utilization

Billing and chargeback

QOS monitoring

BGP ASN monitoring

MPLS visibility

Application troubleshooting

Security Team

File sharing

Malware outbreak detection

Network acceptable use

Flow forensics

Data loss prevention

StealthWatchFlow Collector

Compliance and Auditing

PCI Compliance

HIPAA Compliance

SCADA Security

Sarbanes-Oxley

NetFlow facilitates compliance with PCI DSS Requirements:Verifies actual network communications (1.1.2)Monitors services and ports in use (1.1.5)Determines when accounts are active and what they did during this activity (8.5.6)Audits access to anything on the network and tying activity to an individual user, including administrative accounts (10.1)

NetFlow in Action : PCI Compliance

NetFlow in Action : PCI Compliance

AirTran AirwaysFortune 1000 companyGeographically dispersed network across the continental US

ProblemRequired improved security and network management across the enterprise in accordance with Payment Card Industry (PCI) requirementsWanted greater network visibility and behavioral intrusion detectionAbility to monitor a geographically dispersed network

SolutionStealthWatch identifies who does what when, and provides data to enforce accountability

Business ResultImmediately upon deployment, StealthWatch provided continuous network monitoring to help AirTran demonstrate network-wide PCI by:• Supplying real-time visibility and awareness of network and host-based behaviors,• increasing accountability for introducing network security risks as well as jeopardizing

network availability, and• tracking, measuring and prioritizing network and host-based risk.

Quickly identify and resolve issues related to network behavior or malicious eventsMonitors WAN activity and performance

NetFlow in Action : PCI Compliance

NetFlow in Action: PCI Compliance

Michelle Stewart, Manager of Data Security, AirTran Airways

“StealthWatch performed so well during our evaluation that we did not pursue trials with any other NBA products. During testing, StealthWatch demonstrated the ability to detect unauthorized remote access, worm activity and root cause analysis of increases in WAN activity. All of these functions have aided our efforts to demonstrate compliance with the PCI Data Security Standard.”

NetFlow for the Security Team

NetFlow Packetflow1flow2

...

Network Team

Interface utilization

Billing and chargeback

QOS monitoring

BGP ASN monitoring

MPLS visibility

Application troubleshooting

Security Team

File sharing

Malware outbreak detection

Network acceptable use

Flow forensics

Data loss prevention

StealthWatchFlow Collector

Compliance and Auditing

PCI Compliance

HIPAA Compliance

SCADA Security

Sarbanes-Oxley

Aurora HealthCare Network Overview Largest private employer in Wisconsin – over 27,000 employees 14 Hospitals Over 150 Clinics200 + Pharmacies

ChallengeMonitor a widely dispersed network without deploying administratively problematic and financially burdensome individual sensors throughout the network Needed complete visibility of the network – from the internal network to the clinics at the edgeMonitor for zero-day attacks, viruses, Trojans, etc.Support for HIPAA Compliance

NetFlow in Action : Security Operations

SolutionCombining NetFlow & StealthWatch System

Business Results100% visibility from core to network edgeReduced time and resources allocated to network security issues Streamlined the remediation process and reduced incident investigation by more than halfHIPAA auditing support

NetFlow in Action : Security Operations

NetFlow in Action : Security Operations

Dan Lukas, Lead Security Architect : Aurora HealthCare

“[I can] easily drill down into a clinic’s network activity; address bandwidth issues; identify and remediate misconfigured devices; delve into switch levels to pinpoint and mitigate threats. With its ability to locate distributed sniffers, StealthWatch eliminates the need to purchase troubleshooting hardware for significant cost-savings."

Visibility Lost Due to Emerging TechEmerging network technologies are outpacing traditional network monitoring techniques such as SNMP and SPAN/tap-based technology...

“Virtualization hides whole network segments from the network manager’s view, making VM2VM communication problems difficult to troubleshoot”

“MPLS and multi-point VPNs create a meshed WAN that’s expensive to monitor adequately”

“10G Ethernet is so fast few probe technologies can keep up and those that can are too expensive”

These issues result in an inability to react to network problems because of a basic lack of .

10G+ Ethernet“10G Ethernet is so fast few probe technologies can keep up and those that can are too expensive”

traditional Ethernet sensor

Where to plug

in?

NetFlow in a 10G+ Ethernet Environment

“10G Ethernet is so fast few probe technologies can keep up and those that can are extremely expensive”

StealthWatchFlow Collector

Virtualization

“Virtualization hides whole network segments from the network manager’s view, making VM2VM communication problems difficult to troubleshoot”

VM1 VM2 VM3

virtual switches

virtual machines

physical machine

physicalnetwork

traditional Ethernet probe

VM2VM

VM VM VMvirtual

machines

VM Server

virtual switches

VM2VM

��������

�������

�������

�������

N��F��� �9

NetFlow in the Virtual Environment

*** Cisco Nexus 1000v also supports NetFlow ***

StealthWatchFlow Collector

MPLS and Multi-point VPNs“MPLS and multi-point VPNs create a meshed WAN that’s expensive to monitor adequately”

traditional Ethernetsensor

MPLS and Multi-point VPNsFully meshed connectivity circumvents network monitoring deployed at the “hub” location…

MPLS and Multi-point VPNsFull visibility requires a probe at each location throughout the WAN…

NetFlow Collection in the WAN

NetFlow Packet

NetFlow Packet

Deploy a StealthWatch NetFlow collector at a central location and enable NetFlow at each remote site…

StealthWatchFlow Collector

Quick Recap: Network Operations

Fully integrated view of network usage, performance, host integrity and user behaviorDiagnose Network congestion and provide root cause analysis of the problem causing response time delaysVisibility and Metrics for WAN OptimizationReal-time and Historical data to facilitate network performance monitoring, capacity planning and resource managementMonitor Quality of Service on a per-hop basis throughout the Network

Quickly pinpoint zero-day and unknown threats that bypass perimeter securityIdentify policy violations, unauthorized activity/applications, misconfigured hosts, and other rogue devicesFaster Incident Resolution & detailed Forensic dataDetection of DoS/DDoS attacks, Worms, Viruses and Botnets Track and Audit network behavior and access by Individual Hosts

Quick Recap: Security Operations

Quick Recap: PCI Compliance and Auditing

NetFlow Solutions supply organizations with the means to:Continuously but passively monitoring host behaviors looking for deviations from normal processes Tie individual users to internal network performance problemsTie individual users to the introduction of security risks inside the internal networkImplement appropriate Network Controls and PoliciesProvide for Internal Audit and Risk Assessment

Thank You

Adam PowersChief Technology Officer

Lancope