netflow security monitoring for dummies

Upload: ckevindallas

Post on 31-Oct-2015


NetFlow Security Monitoring For Dummies

Lancope Special Edition

by Mike Chapple, Ph.D.

    These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

NetFlow Security Monitoring For Dummies, Lancope Special Edition

Published by John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com

    Copyright 2012 by John Wiley & Sons, Inc.

    Published by John Wiley & Sons, Inc., Hoboken, NJ

    No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. Lancope, StealthWatch, FlowCollector, FlowSensor, Concern Index, Point-of-View, and Relational Flow Mapping are registered or unregistered trademarks of Lancope, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

    For general information on our other products and services, please contact our Business Development Department in the U.S. at 317-572-3205. For details on how to create a custom For Dummies book for your business or organization, contact [email protected]. For information about licensing the For Dummies brand for products or services, contact BrandedRights&[email protected].

    ISBN 978-1-118-33541-3 (pbk); ISBN 978-1-118-33772-1 (ebk)

    Manufactured in the United States of America

    10 9 8 7 6 5 4 3 2 1

Publisher's Acknowledgments

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Vertical Websites: Project Editor: Jennifer Bingham; Editorial Manager: Rev Mengle; Business Development Representative: Melody Layne; Custom Publishing Project Specialist: Michael Sullivan

Composition Services: Senior Project Coordinator: Kristie Rees; Layout and Graphics: Claudia Bell, Carl Byers, Lavonne Roberts; Proofreader: Dwight Ramsey; Special help: Angela Frechette Cannon


Introduction

Network flow records provide a valuable source of information for security analysts seeking to augment other controls and conduct forensic investigations. I hope that this short book will get you started with NetFlow for security and whet your appetite for more information about this cutting-edge technology.

About This Book

NetFlow Security Monitoring For Dummies, Lancope Special Edition, explains how NetFlow can be leveraged to improve your organization's security controls.

This book takes you through the basics of NetFlow analysis for information security purposes: what NetFlow is, how it works, and how you can enable it to yield actionable security intelligence. It also provides some detail on the specific security risks addressed by NetFlow analysis and provides best practices for conducting NetFlow collection and analysis with the Lancope StealthWatch System. The contents of this book were provided by and published specifically for Lancope.

Icons Used in This Book

The margins of this book sport several helpful icons that can help guide you through the content:

    When I present something that can save you time and effort, I toss in this icon to highlight it.

This icon offers a little extra info of a technical nature. You don't have to read it to follow the book, but it's an interesting aside.


  • NetFlow Security Monitoring For Dummies, Lancope Special Edition 2

    This bit of info is worth remembering. No need to tattoo it on your forearm or anything, just keep it in mind.

    This icon flags information to take note of because it could cause problems.


Chapter 1

Getting to Know Your NetFlow

In This Chapter
- Learn how NetFlow provides a valuable source of information about conversations between networked systems
- Understand the basics of configuring NetFlow on commonly used network devices
- Identify the role that NetFlow information plays in a network security infrastructure

If you're not already leveraging NetFlow information in your security infrastructure, you're missing out on a tool that provides valuable network intelligence. In many cases, you already have the majority of the equipment you need to get started on your network!

So why do many organizations fail to take advantage of this rich data source? In some cases, they simply haven't yet made the investment of time required to get NetFlow up and running properly. Other organizations may have tried using NetFlow data in the past and were frustrated by the insufficient analysis capabilities of outdated analysis tools.

    In this chapter, I explore the basics of NetFlow technology and the role it can play in your security infrastructure. I also cover the basic configuration required to get NetFlow up and running on your network.


What Is NetFlow?

NetFlow is a feature built into many network devices manufactured by Cisco, Juniper, Nortel, SonicWall, and others. It captures basic information about every IP conversation that takes place through the monitored device, including the identities of the systems involved in the conversation, the time of the communication, and the amount of data transferred.

You might think of NetFlow records as a phone bill for your network, as shown in Figure 1-1. It can't tell you what was said on your network, but it gives you a good idea who was talking and how much they said. NetFlow provides information about the conversations that take place on your network similar to the information phone bills provide about voice conversations.

    Figure 1-1: How NetFlow provides you with information similar to a phone bill. (Source: Lancope, Inc.)

    Take a moment to think about the potential applications of these records. In addition to the obvious network diagnostic and maintenance uses of this data, NetFlow information can also be a critical tool for security analysts trying to identify anomalous activity or reconstruct the sequence of events when responding to an incident.


  • Chapter 1: Getting to Know Your NetFlow 5

NetFlow records provide a rich source of data for security analysts to mine. Some of the most commonly used data elements generated by NetFlow include:

    Source IP address

    Destination IP address

    Source port

    Destination port

    Protocol

    Timestamps for the flow start and conclusion

    Amount of data passed

These are only a small sampling of the many data fields available to NetFlow analysts.

NetFlow versions

Cisco developed the original NetFlow standard, but it was quickly adopted as an industry standard. Over time, this standard evolved through nine versions, culminating in the most recent release, IPFIX. The following table gives you a rundown on the different versions of NetFlow.

Version   Status
v1        Original version of NetFlow, now obsolete
v2-v4     Working versions that were never released
v5        Most commonly deployed version today, only supports IPv4
v6        Working version that was never released
v7        Used only on some Cisco Catalyst switches
v8        Never widely adopted
v9        Next-generation flow formatting that supports IPv6, MPLS & multicast
v10       IPFIX, the industry standardized version of v9
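To make the "phone bill" concrete, here is a small decoder for the NetFlow v5 export format (the most commonly deployed version per the table above), written for this page as an added example; it is not Lancope or StealthWatch code. It unpacks the 24-byte header and 48-byte records, recovers the fields listed earlier (addresses, ports, protocol, start/end times, byte and packet counts) and reads the header's sampling field, which matters for the sampled-flow discussion later in the chapter. The sample datagram is constructed in the block, not captured from a real router.

```python
import struct
import ipaddress

# NetFlow v5 wire layout (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_v5(datagram):
    """Parse one NetFlow v5 export datagram into (header, flows).

    Each flow dict carries the elements the chapter lists: source and
    destination address and port, protocol, start/end timestamps and the
    packet and byte counts. Flow timestamps are derived by anchoring the
    exporter's millisecond uptime counters to the wall-clock time in the header.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram (version %d)" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header announces %d records but datagram is truncated" % count)
    # Wall-clock instant at which the exporter's uptime counter read zero.
    boot_time = unix_secs + unix_nsecs / 1e9 - sys_uptime / 1000.0
    header = {
        "records": count,
        "flow_sequence": flow_seq,          # lets a collector spot dropped exports
        "engine": (engine_type, engine_id),
        "sampling_mode": sampling >> 14,        # top two bits of the field
        "sampling_interval": sampling & 0x3FFF, # 1-in-N; 0 means unsampled
    }
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport,
            "dport": dport,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "start": boot_time + first / 1000.0,
            "end": boot_time + last / 1000.0,
            "packets": pkts,
            "bytes": octets,
            "tcp_flags": tcp_flags,
            "interfaces": (in_if, out_if),
        })
    return header, flows


def build_v5(records, unix_secs=1351684800, sys_uptime=3600000, sampling=0):
    """Build a v5 datagram from constructed records (test data, not a real capture).

    Each record is (src, dst, sport, dport, proto, first_ms, last_ms, packets,
    octets, tcp_flags); first_ms/last_ms are exporter uptime in milliseconds.
    """
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, 0, 0, 0, sampling)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       b"\x00" * 4, 1, 2, pkts, octets, first, last, sport, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)
        for (src, dst, sport, dport, proto, first, last, pkts, octets, flags) in records)
    return header + body


# Constructed sample: one HTTPS session to a documentation-range address and
# one internal NTP exchange, both seen by the same router.
SAMPLE_RECORDS = [
    ("10.1.1.5", "203.0.113.20", 52344, 443, 6, 3599000, 3599800, 12, 4320, 0x1b),
    ("10.1.1.5", "10.1.2.8", 123, 123, 17, 3598000, 3598000, 1, 76, 0),
]


def phone_bill(datagram):
    """Render a datagram as the 'phone bill' lines the chapter describes:
    who talked to whom, for how long, and how much was said."""
    _, flows = parse_v5(datagram)
    return ["%s:%d -> %s:%d %s %.1fs %d bytes" % (
        f["src"], f["sport"], f["dst"], f["dport"], f["proto"],
        f["end"] - f["start"], f["bytes"]) for f in flows]
```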


IP address information included in NetFlow records depends on the perspective of the NetFlow collector. If the collector is behind a firewall or other device using network address translation, the true source IP address may not be available.

    Where Is NetFlow Information Available?

    NetFlow data is available from a wide variety of sources, including both traditional NetFlow-enabled networking and security devices and special-purpose NetFlow collection appliances.

Traditional NetFlow

Although NetFlow was originally created by Cisco for use on their routers and switches, the networking community quickly adopted it as an Internet standard and many manufacturers now support NetFlow. Some of the major platforms that allow direct export of flow records in NetFlow format include:

    Cisco routers and switches

    Cisco ASA firewalls

    Juniper routers and switches

    Citrix NetScaler

    BlueCoat PacketShaper

    Palo Alto next-generation firewalls

    Nortel Networks Ethernet Routing Switches

This is a small, representative list of the manufacturers and devices supporting NetFlow data collection. If you're using different devices on your network, consult with the manufacturer to determine whether they're NetFlow-compatible.

If you're not running the current firmware on your network device, check whether upgrades are available. Many vendors added NetFlow support to their devices after the initial release, and a firmware upgrade may be all you need to get up and running.


NetFlow generation

In some cases, security analysts may not be able to gain access to NetFlow data from the organization's network devices. This might be because the devices aren't capable of generating NetFlow exports, network engineers are unwilling to provide access to those records, or concerns exist about the overhead introduced on the networking device.

If this is the case in your organization, you may wish to consider the use of dedicated NetFlow exporters to collect the same information, sometimes enhanced with application performance metrics. These devices can be attached to the network in the following ways:

    Switch port analyzer (SPAN)

    Mirror port

    Ethernet test access port (TAP)

    Installed as a virtual machine on VMware ESX server

About sampled flow data

NetFlow records provide an extremely accurate accounting of the communications that take place on a network. This accurate recordkeeping requires that the NetFlow device analyze the details of each packet and fold it into the ongoing accounting of each connection. In some cases, this level of accuracy isn't needed, as the needs of both network and security administrators may be met with approximations of the amount of data passed, and they may be willing to miss some shorter communications.

Sampled flow data uses a 1 in n approach to flow data. The NetFlow exporter simply samples every nth packet and includes the data from that packet in the NetFlow records.

For limited cases, where the use of sampled network flow information may be appropriate, Lancope recommends using a sample rate of 1 in 128 to collect fairly accurate network flow data while dramatically reducing the burden on the exporting device. However, Lancope doesn't advocate using sampled NetFlow for security applications.
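The following added example (not from the book or from Lancope) simulates 1-in-n packet sampling over a constructed packet trace to show why sampled flow data is acceptable for volume estimates but not for security work: the bulk transfer is accounted almost exactly, while the short sessions are either missed entirely or their byte counts are inflated by the scaling factor. The trace, the sampling rule (keep every nth packet, scale its counts by n) and the 1 in 128 rate are the only assumptions.

```python
from collections import OrderedDict


def build_trace():
    """Constructed packet trace (not a capture): one 512-packet bulk transfer
    followed by four short 3-packet TCP sessions from other hosts.
    Each entry is ((src, dst, proto, dport), packet_bytes)."""
    trace = []
    bulk = ("10.1.1.5", "10.1.2.8", 6, 445)
    trace.extend((bulk, 1400) for _ in range(512))
    for i in range(4):
        key = ("10.1.1.%d" % (20 + i), "10.1.2.8", 6, 445)
        trace.extend((key, 100) for _ in range(3))
    return trace


def full_accounting(trace):
    """Unsampled NetFlow: every packet is folded into its flow's counters."""
    counts = OrderedDict()
    for key, size in trace:
        pkts, octets = counts.get(key, (0, 0))
        counts[key] = (pkts + 1, octets + size)
    return counts


def sampled_accounting(trace, n):
    """1-in-n sampling: only every nth packet is examined, and its packet and
    byte counts are multiplied by n to estimate the unsampled totals."""
    counts = OrderedDict()
    for i, (key, size) in enumerate(trace):
        if (i + 1) % n:
            continue
        pkts, octets = counts.get(key, (0, 0))
        counts[key] = (pkts + n, octets + size * n)
    return counts


def compare(trace, n):
    """Summarize what sampling at rate 1-in-n loses relative to full accounting."""
    full = full_accounting(trace)
    sampled = sampled_accounting(trace, n)
    return {
        "flows_seen": len(full),
        "flows_sampled": len(sampled),
        "flows_missed": sum(1 for k in full if k not in sampled),
        "bytes_full": sum(o for _, o in full.values()),
        "bytes_estimated": sum(o for _, o in sampled.values()),
        # per-flow estimation error for flows that were sampled at all
        "per_flow_error": {k: sampled[k][1] - full[k][1] for k in sampled},
    }
```

With n=128 the bulk flow's bytes are estimated exactly but all four short sessions vanish; with n=8 one short session is caught and reported at eight times its real size.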


Although purchasing a NetFlow exporter will require an additional investment in hardware or software, you can gather the same NetFlow information without modifying your network configuration.

    For more information on this topic, see Chapter 6.

Configuring NetFlow

Generally speaking, it's easy to perform a basic NetFlow configuration on most supported devices. You'll need to configure the device to enable NetFlow collection and direct the flow data to the NetFlow collector of your choice.

    In this section, I look at configuring NetFlow support on two commonly used devices: Cisco routers and Cisco Adaptive Security Appliances (ASAs).

Configuring NetFlow on Cisco routers

Cisco invented NetFlow and they make it easy to get started. There are four basic steps to configuring NetFlow on a Cisco router:

1. Enter global configuration mode. Use the configure terminal command to put the device into configuration mode.

2. Select the interface you wish to configure. The exact syntax will depend upon the type of interface. Consult the IOS documentation if you're not sure how to do this.

3. Enable NetFlow. Use the ip flow ingress command to enable NetFlow.

    4. Start a NetFlow export. Use the ip flow-export command to specify the IP address and destination port of the system that will collect flow information.

Here's an example that puts all these steps together to send NetFlow version 9 data to a collector located at 192.168.2.100 and listening on port 2055:


    configure terminal
    interface FastEthernet 0/0
    ip flow ingress
    exit
    ip flow-export version 9
    ip flow-export destination 192.168.2.100 2055
    exit

In most cases, you won't be able to simply copy these commands and use them on your device. They may vary slightly depending upon your IOS version, device type, and site configuration. For example, many Cisco devices support the more powerful Flexible NetFlow (FNF) technology. Details on configuring FNF may be found at www.lancope.com/blog/FNFconfig.

Configuring NetFlow on Cisco ASA devices

Cisco's line of Adaptive Security Appliance (ASA) devices provides a wide range of network security features, including firewall capabilities. Many organizations use these devices to create both internal and external perimeters and, because of this position as a network gatekeeper, they are a valuable source of NetFlow data. ASA provides additional information in NetFlow not found in router-based NetFlow and is very valuable for security-based analysis of flows.

Configuring NetFlow on an ASA uses the Adaptive Security Device Manager's (ASDM) graphical user interface. To configure NetFlow export, follow these steps:

1. Access the NetFlow configuration screen. In ASDM, choose Device Management > Logging > NetFlow.

2. Add a NetFlow collector by clicking the Add button. You'll need to specify the IP address and destination port where the ASA should send the NetFlow traffic, as well as the firewall interface that should be used to send the traffic.

3. Click OK to configure the collector. You've now configured the ASA with the collector's details but still need to instruct it to export flow data.


4. Access the Service Policy Configuration screen. In ASDM, choose Firewall > Service Policy Rules.

5. Click the Add button in the Service Policy Rules section of the screen.

    Be careful to use the correct Add button. There are three on this screen that look identical. You want to use the one in the middle pane!

    6. Specify that you want to create a Global policy and then click the Next button.

7. Specify the traffic criteria for the NetFlow information you wish to collect. If you wish, you can limit the Source and Destination IP addresses or set other criteria for your NetFlow collection. You can also select class-default to capture NetFlow data on all traffic. Click Next when you are finished specifying traffic criteria.

    8. Select the NetFlow tab on the Rule Actions screen.

    9. Click the Add button to create a new flow event type.

    10. Ensure that the Send box is checked for the collector you created in Steps 2 and 3. This will configure the ASA to send NetFlow records on traffic matching the policy to your NetFlow collector.

    11. Click OK to close the Add Flow Event Window.

    12. Click Finish to create the Service Policy Rule.

13. Click the Apply button to deploy the policy to your ASA device. You'll be left with a service policy rule.

Once you've completed this process, your ASA device will immediately begin exporting flow records to your NetFlow collector.

Configuring NetFlow on other devices

I covered Cisco routers and firewalls in detail in this book because they make up a large portion of many network infrastructures, but they're not the only devices out there. As discussed in the previous section, there are many potential NetFlow data sources.

You'll find detailed configuration instructions in the documentation for your network device, but rest assured, it's just as simple as the processes outlined here!

    NetFlow in the Security Infrastructure

NetFlow collection and analysis plays an important role in a defense-in-depth approach to information security by augmenting the capabilities provided by many other controls. Examples include:

NetFlow augments the capabilities of intrusion detection systems (IDSs) by providing views into the interior of networks, while the IDSs deployed by most organizations are limited to looking at traffic crossing the network perimeter.

Malware detection capabilities benefit from NetFlow data when systems begin exhibiting patterns of behavior indicative of a worm infection or botnet membership. NetFlow-based detection is especially important when a system is infected with a zero-day threat that traditional antivirus software can't detect.

Security Incident and Event Management (SIEM) systems can provide greater insight into network activity when supplemented with NetFlow data.

Forensics and incident response are key benefits. NetFlow provides a 24x7 view of all network communications. It's a complete audit trail of everything that's happened, and it allows you to implement a passive surveillance monitoring system on your network. It's something like a CCTV for your network.

    For more on the roles that NetFlow analysis plays in the security infrastructure, including a detailed look at its ability to identify systems that may be compromised by a worm or botnet, see Chapter 4.


Can't I just capture everything?

Many security professionals considering NetFlow deployment for the first time do so after first considering capturing all traffic on a network. This is often driven by a desire to retain forensically valuable information or comply with stringent security requirements.

Although full packet capture is technically possible and would provide undeniably valuable information in the event of a security incident, it's simply not feasible. The amount of storage required to retain data captured across even a low bandwidth connection over a long period of time is tremendous.

For example, if you wanted to capture all the data crossing a circuit that averages 100Mbps, you would be collecting 12.5 megabytes of data every second, or 45 terabytes per hour!


Chapter 2

Examining Trends Addressed by NetFlow

In This Chapter
- Understanding the evolving risk posed to enterprises by advanced persistent threats and insider attacks
- Exploring the impact of the consumerization and virtualization of information technology on traditional defenses
- Using NetFlow to adapt security controls in the face of evolving network technologies

Security and networking professionals in a variety of industries are turning to NetFlow as a defensive tool against a variety of emerging security threats. The rapidly changing nature of the threat landscape and advances in information technology demand tools capable of adapting to new attacks. In this chapter, I look at the trends driving the adoption of NetFlow as a security tool.

Evolving Threat Landscape

The nature of information security threats has changed dramatically over the past few years. As shown in Figure 2-1, the familiar automated attacks of worms and viruses have given way to more advanced and insidious threats.


[Figure 2-1: a risk scale running from Low Risk through High Risk to Very High Risk, with the labels Automated Attacks, Employee Misuse & Abuse, Industrialized Attacks, APTs, and Insider Threats placed along it.]

Figure 2-1: The evolving threat landscape includes two very high risk items: advanced persistent threats and the threats posed by insiders. (Source: Lancope, Inc.)

Two threats warrant particular attention from security analysts: the advanced persistent threat (APT) and the insider threat.

Advanced persistent threats

Advanced persistent threats (APTs) are targeted attacks against a particular organization. An attacker may single out a company, government agency, or even an individual who has desirable information or resources and use advanced, stealthy attack techniques to slip in under the radar and carry out an attack.

APTs are especially insidious because they're carried out by persistent attackers with the time and resources to deliberately target an organization. Security practitioners previously associated APTs strictly with government agencies engaged in cyberwarfare.


  • Chapter 2: Examining Trends Addressed by NetFlow 15

    However, dont underestimate the risk of APTs against your organization today. In a recent Ponemon Institute study, 83 percent of respondents believed that their organization was the target of an APT. Political hacktivists and other attackers are now targeting a wide range of corporate and government entities.

The nature of APTs means that the carefully constructed perimeter security controls put in place by enterprise security professionals are simply insufficient. The persistent hacker leveraging advanced techniques will likely find an opportunity to breach that perimeter and find a path onto the internal network. In this case, NetFlow data can play a critical role both in detecting the presence of an APT and conducting post-incident forensic analysis. NetFlow-based security analysis leverages behavioral analysis and pattern recognition techniques that allow for rapid detection of undocumented attack vectors, often revealing APT attackers early in the attack lifecycle.

Insider threat

In many cases, the greatest risk to an organization's security comes not from far-away hackers but from trusted individuals with access to sensitive information. The federal government experienced this in 2010 when the alleged actions of a single Army intelligence analyst led to a massive disclosure of classified information on the WikiLeaks website.

As with APTs, perimeter controls aren't effective against the insider threat because those controls are designed to permit insiders access to sensitive information! NetFlow technology can identify signs of insider attacks in progress, such as internal or external data transfers that are unusually large or to atypical destinations.
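The two behavioral signals the book keeps returning to, a host fanning out to many internal peers the way a worm or bot does (Chapter 1, "NetFlow in the Security Infrastructure") and a host moving unusually large volumes to an atypical destination (the insider threat paragraph above), can both be expressed as simple rules over flow records. The block below is an added illustration written for this page, not StealthWatch logic; the flow records, the per-host baseline and the thresholds (20 peers, 3 packets, 10x baseline) are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space for the constructed environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_fan_out(flows, min_peers=20, max_packets=3):
    """Worm/bot indicator: one internal host touching many distinct internal
    peers on the same destination port with flows too short to be real
    sessions. Returns {(src, dport): distinct_peer_count} for offenders."""
    peers = defaultdict(set)
    for f in flows:
        if (is_internal(f["src"]) and is_internal(f["dst"])
                and f["packets"] <= max_packets):
            peers[(f["src"], f["dport"])].add(f["dst"])
    return {key: len(dsts) for key, dsts in peers.items() if len(dsts) >= min_peers}


def detect_unusual_egress(flows, baseline, factor=10):
    """Insider/exfiltration indicator: outbound volume far above the host's
    baseline, or outbound traffic to an external destination the host has not
    been seen talking to before. Hosts absent from the baseline are skipped
    so a new machine does not flood the analyst with 'new destination' alerts."""
    out_bytes = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            out_bytes[(f["src"], f["dst"])] += f["bytes"]
    alerts, per_host = [], defaultdict(int)
    for (src, dst), nbytes in out_bytes.items():
        per_host[src] += nbytes
        if src in baseline and dst not in baseline[src]["destinations"]:
            alerts.append({"host": src, "dst": dst, "bytes": nbytes,
                           "reason": "new external destination"})
    for src, total in per_host.items():
        typical = baseline.get(src, {}).get("daily_bytes", 0)
        if typical and total > factor * typical:
            alerts.append({"host": src, "dst": None, "bytes": total,
                           "reason": "outbound volume %dx baseline" % (total // typical)})
    return alerts


def sample_flows():
    """Constructed flow records (not a real capture), one dict per flow."""
    flows = []
    # Worm-like behavior: 2-packet probes to 30 internal peers on TCP/445.
    for i in range(30):
        flows.append({"src": "10.1.1.50", "dst": "10.1.2.%d" % (i + 1),
                      "dport": 445, "proto": 6, "packets": 2, "bytes": 120})
    # Normal user: a few sessions to a known external service.
    for _ in range(5):
        flows.append({"src": "10.1.1.7", "dst": "198.51.100.10",
                      "dport": 443, "proto": 6, "packets": 400, "bytes": 300_000})
    # Same user: one 900 MB upload to an address never seen in the baseline.
    flows.append({"src": "10.1.1.7", "dst": "203.0.113.77",
                  "dport": 443, "proto": 6, "packets": 700_000, "bytes": 900_000_000})
    return flows


# Constructed baseline: typical daily outbound volume and known external peers.
BASELINE = {"10.1.1.7": {"daily_bytes": 50_000_000, "destinations": {"198.51.100.10"}}}
```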

    Changes in Information Technology

At the same time as the threats to information security evolve, information technology continues to change. Two important IT trends driving the adoption of NetFlow in enterprises include the widespread adoption of mobile computing and the increased use of virtualization technology.

Mobility and the vanishing perimeter

Mobile computing use has skyrocketed in recent years, to the point where smartphones, tablets, and other portable Internet-enabled devices are nearly ubiquitous and the phrase BYOD (bring your own device) has begun to arise. You'd be hard-pressed to find a business traveler without at least one mobile device in his or her pocket that is capable of reaching back through their employer's firewall to access sensitive corporate information.

    This trend keeps security practitioners awake at night. All it takes is a single lost or stolen device to render significant investments in security controls moot. This leads to a trend, known as the vanishing perimeter, where security architects must consider all those mobile devices as part of their front-line security defenses and design controls with that in mind.

Your organization should adopt formal policies about the use of personally owned devices on your networks and with your enterprise information systems. If you don't adopt such a policy, users will bring their devices anyway and not know the proper way to secure them.

    Consumerization of information technology

A trend related to mobility is the rapid, widespread consumerization of technology. End-users have ready access to extremely advanced technology simply by walking into a retail electronics store. They increasingly expect to be able to use these consumer-grade devices to manage all aspects of their work and personal lives.

Consumerization opens up a variety of concerns for IT professionals charged with simultaneously helping users meet their business needs and securing their networks. NetFlow can help organizations monitor the activity of personally-owned devices on their networks for behavioral anomalies that could signify threats.


NetFlow technology plays an important role in identifying and reacting to the risks posed by mobile devices. As traffic to and from these devices traverses the internal network, NetFlow captures the patterns of their network behavior and can quickly alert security professionals to any anomalous activity. No other monitoring technology provides such rapidly deployable, broad coverage at such a low cost to the organization.

Virtualization

Organizations are quickly embracing the use of virtualization technology to host many virtual servers on a single hardware platform. This provides many apparent benefits to the enterprise, including:

    Recapture of computing resources (CPU cycles, memory, storage) that would otherwise go unused.

    Reduced hardware footprint, allowing greater data center density.

    Smaller environmental impact, reducing carbon emissions.

Virtualization comes, however, with challenges for network security analysts. Communications between guest systems running on the same virtual host never touch an actual hardware switch or cross a network wire. Instead, they are routed through a virtual switch that exists in the memory of the virtualization host.

The communications taking place over virtual switches are difficult to protect with conventional security tools, and are invisible to traditional NetFlow technology. For this reason, many organizations are adopting NetFlow solutions that have specialized virtual network collectors, such as Lancope's StealthWatch FlowSensor VE (virtual edition). For more about this, see Chapter 3.

Evolution of the Network

Advances in networking technology also complicate the jobs of security professionals seeking visibility into enterprise networks. In addition to virtualized networks, three additional trends play important roles in shaping the future of network monitoring: high-speed networking, MPLS environments, and IPv6 deployment. Each of these technologies has the potential to disrupt current network flow monitoring solutions if not properly managed.

High-speed networking

Many organizations are moving to higher speed networks in response to increased user demand for data-intensive applications. In many cases, networks with 10Gbps segments are capable of generating hundreds of thousands of network flows per second.

    This increase in bandwidth requires a scalable NetFlow analysis system capable of monitoring massive amounts of data in real time.

    MPLS environments

    Multiprotocol Label Switching (MPLS) networks are turning the hierarchical Ethernet paradigm on its head. Unlike traditional data networks, MPLS networks don't utilize a centralized hub where security analysts can attach a monitoring device to capture all traffic.

    NetFlow architectures for MPLS networks must take this into account and use a series of flow sensors or exporters placed in strategic positions throughout the enterprise network.

    IPv6 deployment

    The rapid depletion of available IP address space is beginning to drive the long-anticipated adoption of IPv6 networking, especially in larger organizations. Those enterprises with IPv6 networking in place or planning deployment of such networks in the near future should be sure to select a NetFlow solution that accommodates IPv6 addressing.


    Chapter 3

    Choosing a Solution for NetFlow Collection

    In This Chapter

    Identifying the objectives of your NetFlow deployment and selecting an appropriate solution

    Designing a scalable NetFlow infrastructure able to accommodate the flows generated by your network

    Leveraging advanced analysis techniques to mine significant security information from NetFlow data

    NetFlow provides a valuable source of information about activity on your network in a consistent, standardized format supported by many networking and security vendors. Collecting data, however, is where the standardization stops. Many different systems provide the ability to collect and analyze NetFlow data, ranging from open-source packages with limited functionality to commercial systems with advanced analysis capabilities.

    What's Your Objective?

    As you begin to select a NetFlow analysis solution, you should have a clear understanding of the objectives of your deployment. Some possibilities include:

    Monitoring your network for anomalous activity that may indicate a security event.

    Creating a forensic audit trail to assist in post-incident analysis following a security breach.

    Providing network engineers with a robust tool for troubleshooting network performance issues.

    Complying with regulatory requirements to retain network connection information.

    As you consider various NetFlow collection and analysis platforms, keep your objectives front-of-mind and allow them to drive your product selection process.

    Designing for Scalability

    Conducting NetFlow analysis in large environments requires solutions that offer a scalable architecture not found in open-source products or software-only solutions. Flow rates in excess of 100,000 flows per second aren't uncommon in large enterprises or eCommerce environments. Figure 3-1 provides an example of a scalable architecture consisting of three components: NetFlow exporters, flow collectors, and a management console. Administrators can add capacity at any layer as needed.

    [Figure 3-1 (diagram): three layers. Management: the StealthWatch Management Console collects from up to 25 StealthWatch FlowCollectors. Flow collection: StealthWatch FlowCollectors store and analyze flows from up to 2,000 flow sources at up to 120,000 flows per second (fps). NetFlow exporters: NetFlow is generated either by Cisco equipment or by a StealthWatch FlowSensor (in areas without NetFlow support), covering NetFlow and sFlow capable routers and switches, the FlowSensor NetFlow generator, and VMware ESX with FlowSensor VE.]

    Figure 3-1: Scalable NetFlow analysis platforms use three layers of devices: NetFlow exporters, flow collectors, and a management console. (Source: Lancope, Inc.)


    NetFlow exporters

    A wide variety of devices are capable of generating NetFlow data and exporting it to a flow collection system. There are three basic categories of NetFlow exporters:

    Routers, switches, and firewalls. Network infrastructure components are in a unique position to capture and export NetFlow information due to their central location in the network. In many cases, an organization's existing network infrastructure is already capable of generating NetFlow records and exporting them to a collection system.

    Dedicated flow sensors. NetFlow collection system vendors also offer passive flow sensors that may be connected to a network tap in a manner similar to an intrusion detection system. They then monitor traffic on the tap, generating flow records for each connection encountered.

    Virtual flow sensors. Specialized flow sensors operate in virtualized networking environments, monitoring the traffic passing through a virtual switch and exporting flow records to the collection system.

    You can limit the amount of data exported by NetFlow devices using Cisco's Flexible NetFlow (FNF) technology. For more about this technology, see Chapter 6.

    Flow collectors

    Flow collectors are the workhorses of the NetFlow analysis system. They receive flow records from exporters and perform a number of critical tasks, including:

    Flow deduplication. In networks with multiple flow exporters, the same network connection may be captured multiple times. Flow collectors must watch for this and remove duplicate records before performing security analysis on the flows.

    Flow stitching. NetFlow generates unidirectional records, resulting in two different flow records for each network session. The flow collector puts these back together again, giving analysts the full picture of each connection.

    Behavioral analysis and pattern recognition. Security-oriented flow collectors will provide algorithms and mechanisms for analyzing flows to detect security threats.

    Flow storage. The flow collector will store weeks, months, perhaps even years' worth of flow data. The collector's flow database is used to perform detailed forensics and incident response.

    The number of flow collectors you need will depend upon the amount of NetFlow data generated on your network. This is normally measured in flows per second. Chapter 6 discusses a technique for estimating your network's flow rate.
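    The two collector tasks described above, deduplication and stitching, carried out on a handful of flow records as an added Python example; this is not Lancope's or StealthWatch's code, and the record layout, the merge rules and the sample flows are assumptions constructed for the illustration.

```python
"""Flow deduplication and stitching, the two collector tasks described above.
Added example, not Lancope/StealthWatch code; record layout, merge rules
and sample flows are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    exporter: str          # device that exported this unidirectional record
    src: str
    dst: str
    proto: int             # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    start: int             # epoch seconds
    end: int
    packets: int
    octets: int


@dataclass
class Session:
    # one bidirectional session, stitched from the two directions of a connection
    client: str
    server: str
    proto: int
    client_port: int
    server_port: int
    start: int
    end: int
    client_octets: int = 0
    server_octets: int = 0
    packets: int = 0


def deduplicate(records):
    """Collapse records of one connection that several exporters reported.
    Key = 5-tuple + start time; the exporter is deliberately left out. The merged
    record keeps the largest counters so a partial view does not hide bytes."""
    merged = {}
    for r in records:
        key = (r.src, r.dst, r.proto, r.sport, r.dport, r.start)
        prev = merged.get(key)
        if prev is None:
            merged[key] = r
        else:
            merged[key] = FlowRecord(prev.exporter, r.src, r.dst, r.proto, r.sport,
                                     r.dport, r.start, max(prev.end, r.end),
                                     max(prev.packets, r.packets),
                                     max(prev.octets, r.octets))
    return list(merged.values())


def canonical(r):
    """Orientation-independent key: the side with the lower port is the server.
    Equal ports (e.g. IKE 500/500) fall back to address order so both directions
    still share a key. Real collectors also use SYN flags for orientation."""
    if r.sport < r.dport or (r.sport == r.dport and r.src > r.dst):
        server, client = (r.src, r.sport), (r.dst, r.dport)
    else:
        server, client = (r.dst, r.dport), (r.src, r.sport)
    return client, server, r.proto


def stitch(records, window=120):
    """Join each record with its reverse-direction twin into one Session.
    Mirror-image records merge while they start within `window` seconds of the
    session's last activity; later ones open a new session (gap is an assumption)."""
    sessions, latest = [], {}
    for r in sorted(records, key=lambda x: (x.start, x.end)):
        client, server, proto = canonical(r)
        key = (client, server, proto)
        s = latest.get(key)
        if s is None or r.start > s.end + window:
            s = Session(client[0], server[0], proto, client[1], server[1], r.start, r.end)
            latest[key] = s
            sessions.append(s)
        s.start, s.end = min(s.start, r.start), max(s.end, r.end)
        s.packets += r.packets
        if r.src == s.client:
            s.client_octets += r.octets
        else:
            s.server_octets += r.octets
    return sessions


def process(records):
    """Collector pipeline: deduplicate first, then stitch."""
    return stitch(deduplicate(records))


# Constructed sample: one HTTPS session seen by both the core and the edge
# router in both directions, plus one DNS exchange seen only at the core.
# process() turns these six records into two sessions.
SAMPLE_RECORDS = [
    FlowRecord("core-rtr", "10.0.0.5", "203.0.113.10", 6, 51000, 443, 1000, 1012, 20, 2400),
    FlowRecord("edge-rtr", "10.0.0.5", "203.0.113.10", 6, 51000, 443, 1000, 1012, 20, 2400),
    FlowRecord("core-rtr", "203.0.113.10", "10.0.0.5", 6, 443, 51000, 1000, 1012, 30, 45000),
    FlowRecord("edge-rtr", "203.0.113.10", "10.0.0.5", 6, 443, 51000, 1000, 1012, 30, 45000),
    FlowRecord("core-rtr", "10.0.0.5", "10.0.0.53", 17, 40000, 53, 999, 999, 1, 70),
    FlowRecord("core-rtr", "10.0.0.53", "10.0.0.5", 17, 53, 40000, 999, 999, 1, 150),
]
```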

    Management console

    In large networks, multiple flow collectors are needed to collect flows. When multiple collectors are used, a central management console is a must. The management console provides the day-to-day interface used by networking and security professionals to interact with and manage the NetFlow analysis platform. Management consoles typically offer a wide set of features, including:

    Dashboards providing analysts with quick overviews of network activity.

    Advanced analytic capabilities to visualize abnormal behavior.

    Alarms that immediately alert analysts when certain suspicious conditions occur.

    A management interface that allows the reconfiguration of the NetFlow analysis system.

    Management of the security policy across multiple collectors.

    Per-user access restrictions to the flow data.


    Before selecting a system, be sure to give the management console a test drive. It's helpful to go back to your objectives and prepare a list of common tasks that you expect analysts will perform and then walk through those tasks in the management console. There's nothing like hands-on experience to help you evaluate a product.

    Enhancing Analysis Capabilities

    One of the true differentiators of NetFlow collection systems is the sophistication of the analysis tools provided through their management consoles. Some systems offer advanced features, such as behavior analysis, security indexes, and activity alarms to facilitate network security monitoring.

    Network behavior analysis

    NetFlow records provide a uniquely valuable data source for identifying anomalous behavior. Many systems, especially critical servers, are creatures of habit: they engage in the same types of activity with the same systems from day to day. Figure 3-2 provides an illustration of how this activity can be baselined to develop a picture of your network under normal conditions.

    Once you've developed a baseline of network activity, your NetFlow analysis system can then identify anomalies by watching for deviations from that baseline. Security analysts can use that information to proactively identify potential security incidents requiring further investigation.
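    The baseline-then-deviation approach above, worked through on constructed per-host attribute histories (the attribute names follow Figure 3-2) as an added Python example; it is not StealthWatch's algorithm, and the threshold rule (mean plus three standard deviations, with a floor on the deviation) and the sample data are assumptions.

```python
"""Baseline-and-deviation check on per-host flow attributes.
Added example, not Lancope code. Attribute names follow Figure 3-2; the
history is constructed, and the rule (alarm when today's value exceeds the
mean plus k standard deviations) is an assumption, not StealthWatch's algorithm."""
from statistics import mean, pstdev

# Constructed history: seven daily values per host and attribute.
HISTORY = {
    "web-01": {
        "concurrent_flows":  [410, 395, 430, 402, 418, 388, 421],
        "new_flows":         [52000, 49800, 54100, 50300, 51700, 48900, 52400],
        "syns_sent":         [120, 134, 118, 141, 127, 119, 130],
        "syns_received":     [51000, 48700, 53200, 49500, 50900, 47800, 51500],
        "connection_resets": [210, 198, 225, 204, 215, 190, 220],
    },
    "exch-01": {
        "concurrent_flows":  [150, 160, 155, 148, 162, 151, 158],
        "syns_sent":         [900, 950, 870, 1010, 930, 890, 960],
    },
}


def build_baseline(history, rel_floor=0.05):
    """Per host and attribute, record (mean, sigma) from the history.
    sigma is floored at rel_floor * mean (and at 1) so that a metric which
    barely moved during training does not alarm on trivial changes."""
    baseline = {}
    for host, attrs in history.items():
        baseline[host] = {}
        for attr, values in attrs.items():
            mu = mean(values)
            sigma = max(pstdev(values), rel_floor * mu, 1.0)
            baseline[host][attr] = (mu, sigma)
    return baseline


def detect_anomalies(baseline, observed, k=3.0):
    """Return one (host, attribute, value, threshold) tuple per violation.
    A host with no baseline at all is reported as 'no_baseline': a machine that
    appears from nowhere is itself worth a look, and it cannot be scored yet."""
    alarms = []
    for host, attrs in observed.items():
        if host not in baseline:
            alarms.append((host, "no_baseline", None, None))
            continue
        for attr, value in attrs.items():
            if attr not in baseline[host]:
                continue                      # attribute never trained for this host
            mu, sigma = baseline[host][attr]
            threshold = mu + k * sigma
            if value > threshold:
                alarms.append((host, attr, value, round(threshold, 1)))
    return alarms


# Constructed "today": the web server suddenly initiates thousands of
# connections (SYNs sent), something a web server normally never does.
OBSERVED = {
    "web-01": {"concurrent_flows": 415, "new_flows": 53000, "syns_sent": 9000,
               "syns_received": 52000, "connection_resets": 230},
    "exch-01": {"concurrent_flows": 156, "syns_sent": 940},
    "lab-77": {"concurrent_flows": 12},     # never seen during training
}


def run(history=HISTORY, observed=OBSERVED):
    """Build the baseline from history and score today's observations."""
    return detect_anomalies(build_baseline(history), observed)
```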

    Security indexes

    NetFlow analysis platforms have access to a large amount of data about anomalous connections, and analysts may struggle to identify the significant data that requires their immediate attention. One approach to this problem is the use of security indexes that summarize this data into easily prioritized scores.

    [Figure 3-2 (diagram): flows are collected and analyzed, a baseline of behavior is established, and alarms are raised on anomalies and changes in behavior. Behavior attributes shown: number of concurrent flows, packets per second, bits per second, new flows created, number of SYNs sent, time of day, number of SYNs received, rate of connection resets, duration of the flow, and over 80 other attributes. Per-group thresholds are drawn for Critical Servers, Exchange Servers, Web Servers, and Marketing, with an anomaly detected in host behavior.]

    Figure 3-2: Network behavior analysis algorithms allow you to baseline normal behavior for a host and alert security analysts to future deviations from that baseline. (Source: Lancope, Inc.)

    For example, Lancope's StealthWatch System provides three indexes for anomalous behavior:

    The Concern Index (CI) tracks hosts that appear to pose a threat to the integrity of your network.

    The Target Index (TI) tracks hosts that the system suspects may be the victims of suspicious activity.

    The File Sharing Index (FSI) monitors systems that appear to be engaged in peer-to-peer (P2P) file sharing activity.

    Security alarms

    One of the most important features of a NetFlow analysis system is its capability to run in an unmanned mode, freeing analysts to perform other tasks. This is done through the use of security alarms that may be triggered by violations of an organization's security policy or significantly anomalous network behavior (see Figure 3-3).

    [Figure 3-3 (screenshot): the StealthWatch Concern Index view, labelled "Over 100 flow-based algorithms..."]

    Figure 3-3: With the StealthWatch Concern Index, administrators can easily determine which issues need to be dealt with first for optimum network protection. (Source: Lancope, Inc.)

    A NetFlow system should be capable not only of generating alarms but also of triaging them by severity level. For example, the Lancope StealthWatch System uses a five-tier system that assigns different colors to alarms:

    Red: Critical severity

    Orange: Major severity

    Yellow: Minor severity

    Blue: Trivial severity

    Light blue: Informational

    Analysts can use this color coding to quickly identify the security alarms that require immediate attention. Alarm information can also be exported from the system via syslog, SNMP, or e-mails sent to the network security analyst.


    Adapting to Emerging Technologies

    The final criterion you should consider when selecting a NetFlow system is the vendor's ability to adapt to emerging technologies, including:

    MPLS networks

    Virtualization

    IPv6

    High-speed networking

    Mobile devices

    For more on these topics, see Chapter 2.

    Although you'll definitely want to ensure that the system you choose supports your current network environment, a vendor's willingness and ability to quickly adapt to new technologies is also a reassuring indication that they will remain ahead of the technology curve.

    Chapter 4

    Putting NetFlow to Work for Security

    In This Chapter

    Leveraging NetFlow information to gain visibility into the security of your network

    Correlating NetFlow records with information from other systems

    Using NetFlow analysis techniques to gain situational awareness, maintain a forensic audit trail, and comply with security regulations

    NetFlow records, combined with an effective analysis platform, can provide important capabilities to security analysts struggling to maintain visibility into a complex enterprise network. One of the most valuable characteristics of a NetFlow analysis platform is its ability to reduce the mean time to know (MTTK) for a security event. In this chapter, I look at a number of the specific security applications of NetFlow data.

    Total Network Visibility

    NetFlow offers security analysts the ability to view network traffic information from across the entire network, from the edge to core to access. Many analysis packages offer the ability to not only consolidate data from NetFlow collectors distributed across many points on the local network, but also to collect data across wide area network links to remote sites.

    Figure 4-1 provides an example of NetFlow information gathered from multiple international locations and consolidated into a single view using Lancope's StealthWatch Management Console.


    Figure 4-1: This screenshot from the StealthWatch Management Console demonstrates the consolidation of information from local and remote networks into a single view. (Source: Lancope, Inc.)

    Correlating Flows with Context

    Another powerful feature of NetFlow analysis tools is their ability to integrate external information with network connection data to build a more complete picture of network activity.

    Integration with IDS, IPS, and firewall event sources

    NetFlow fills the gaps left by traditional security technologies such as IDS and firewalls. Some NetFlow systems, such as Lancope's StealthWatch, provide features to collect syslog and SNMP traps from firewalls or IDSs such as Snort. Signature-based event data can be combined with network flow data to provide a complete picture of the attack.

    Identity awareness

    Almost every security investigation that begins with NetFlow records at some point requires identifying the individual user and/or system involved in a communication. Unfortunately, generic NetFlow doesn't provide this information, because NetFlow exporters don't have access to information not found in the packets comprising the flow.

    Some NetFlow systems provide security analysts with the added ability to correlate identity information from other sources, such as the identity of an individual user, retrieved from a Windows domain controller, proxy server, or a VPN concentrator. Identity-aware NetFlow collectors bridge the gap between IP addresses and users.

    Gaining Situational Awareness

    NetFlow data also provides keen insight for individuals seeking greater situational awareness on their networks. Specifically, security analysts can use NetFlow analysis techniques to reduce the MTTK for security risks on their networks.

    Worm detection

    Worms are an especially virulent form of malicious code that exploit network vulnerabilities to spread from system to system without user intervention. This often takes the form of infecting a host system and then using that system to scan the local network for other systems that might be vulnerable to attack. The worm then infects those vulnerable systems and continues its spread outward.

    This pattern of contact is easily modeled. One system (the original infection) begins scanning the network, contacting many other systems. Then a subset of those systems (the next round of victims) exhibit the same behavior. NetFlow analysis can identify these systems due to their unique pattern of anomalous activity (see Figure 4-2).
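    The scan-then-propagate pattern just described, detected over constructed flow records as an added Python example (not Lancope's code); the flow tuple layout, the fan-out thresholds, and the allow list for known pollers are assumptions, and the sample includes a monitoring host to show why such an allow list is needed.

```python
"""Worm-propagation detection over flow records: fan-out scanning, then the
chain of hosts that were scanned and in turn began scanning.
Added example, not Lancope code. Flow tuples are (time, src, dst, dport,
packets); sample data and thresholds are constructed / assumed."""
from collections import defaultdict


def find_scanners(flows, min_targets=20, max_packets=3, allowlist=frozenset()):
    """Hosts that touch many distinct destinations on one port with tiny flows.
    Returns {src: (dport, first_scan_time, distinct_targets)}. Vulnerability
    scanners and monitoring pollers look exactly like this, so they belong on
    the allow list rather than in the alarm queue."""
    targets = defaultdict(set)   # (src, dport) -> destinations reached
    first = {}                   # (src, dport) -> earliest tiny flow
    for t, src, dst, dport, pkts in flows:
        if pkts <= max_packets and src not in allowlist:
            targets[(src, dport)].add(dst)
            first[(src, dport)] = min(t, first.get((src, dport), t))
    # a host scanning several ports keeps the last one seen; enough for the chain below
    return {src: (dport, first[(src, dport)], len(d))
            for (src, dport), d in targets.items() if len(d) >= min_targets}


def infection_chain(flows, scanners):
    """Link each scanner to the earlier scanner that reached it before it began scanning."""
    parents = {}
    for t, src, dst, dport, _ in sorted(flows):
        if src in scanners and dst in scanners and src != dst and dst not in parents:
            s_port, s_start, _ = scanners[src]
            d_port, d_start, _ = scanners[dst]
            # same worm port, parent already scanning, child not yet scanning
            if dport == s_port == d_port and s_start <= t < d_start:
                parents[dst] = src
    return parents


def analyze(flows, allowlist=frozenset()):
    """Return (scanners, parents): who is sweeping, and who infected whom."""
    scanners = find_scanners(flows, allowlist=allowlist)
    return scanners, infection_chain(flows, scanners)


def _sweep(src, prefix, start, n, dport=445):
    """One tiny flow per host in prefix, one second apart (constructed data)."""
    return [(start + i, src, f"{prefix}.{i + 1}", dport, 1) for i in range(n)]


SAMPLE_FLOWS = (
    _sweep("10.1.1.10", "10.1.1", 100, 40)              # patient zero sweeps its subnet
    + _sweep("10.1.1.23", "10.1.2", 200, 30)            # reached at t=122, starts its own sweep
    + _sweep("10.1.1.31", "10.1.3", 220, 25)            # reached at t=130, likewise
    + [(t, "10.1.1.50", "10.1.1.60", 443, 180) for t in range(100, 300, 20)]  # ordinary traffic
    + _sweep("10.1.1.5", "10.1.1", 50, 40, dport=161)   # SNMP poller: looks like a scan
)
```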

    Botnet detection

    Many hackers maintain networks of systems used to conduct other malicious activity, such as waging distributed denial of service attacks. These networks, known as botnets (short for network of robots), often lie dormant for long periods of time until activated by the hacker (or botmaster).


    Figure 4-2: Advanced flow collection and analysis systems can help users easily track the spread of malware throughout their infrastructure for fast mitigation. (Source: Lancope, Inc.)

    NetFlow offers security analysts the ability to detect systems on your network that may be members of a botnet and, therefore, under the control of an external party. One of the easiest ways to detect botnet activity is to look for systems communicating with known command-and-control servers used by botmasters to control their botnets.

    IP reputation lists such as ZeuS Tracker (https://zeustracker.abuse.ch) can be integrated into the StealthWatch FlowCollector for easy detection of botnet activity within the network. IP addresses from the ZeuS Tracker list are automatically pushed into the collector and matched against the IP addresses found within the incoming flows. When an internal host attempts to communicate with a botnet command-and-control server, the flows are flagged and brought to the security administrator's attention.

    Application awareness

    In years past, security analysts were normally able to rely on destination port numbers in flow records to indicate the application in use during a particular connection. An example would include communications taking place on port 80, which normally consists of HTTP traffic.

    However, the ability of HTTP traffic to pass through almost all firewalls made it an easy target for application developers seeking an easy way to tunnel traffic through an organization's perimeter. Port 80 is now used for VPN connections, videoconferencing, instant messaging, gaming, VoIP calls, and many other applications.

    NetFlow v9 and IPFIX provide mechanisms to recognize not only the port number but also the actual application in use within the flow. A few examples of application-aware NetFlow exporters include Palo Alto firewalls, Lancope's FlowSensor NetFlow generator, BlueCoat's PacketShaper, and Cisco's IOS 15.1 and above (via the Network-based Application Recognition feature set).

    Well-intentioned application developers aren't the only ones aware of this trick. Malicious code authors often use port 80 to tunnel command-and-control traffic through enterprise firewalls.

    Some advanced NetFlow analysis systems have the ability to peer inside network traffic and perform deeper inspection, identifying the particular application in use for each session and including that information in the retained flow data.

    Maintaining a Forensic Audit Trail

    One of the first ways that many organizations use NetFlow data for security purposes is in a forensic/incident response role. They simply enable NetFlow exporting to a flow collector and then allow the flow data to accumulate over time. This then becomes a valuable source of information for post-incident assessment in the event of a security breach. NetFlow acts as a 24x7 continuous audit trail of all communications that occur within the network.

    Analysts can retrieve data from the StealthWatch System to assist with forensic analysis. For a given pair of systems, the analyst can identify the number of communication sessions that took place, the duration of those sessions, the amount of data passed, and additional technical details.


    NetFlow and PCI DSS

    The Payment Card Industry Data Security Standard (PCI DSS) creates a number of obligations for organizations involved in the processing of credit card transactions. Although PCI DSS doesn't explicitly call for NetFlow monitoring, the standard includes a number of requirements that may be facilitated through a NetFlow analysis platform. These include:

    Enable only necessary and secure services, protocols, daemons, and so on, as required for the function of the system. (Requirement 2.2.2)

    Instruct customers to encrypt all non-console administrative access with strong cryptography, using technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access. (Requirement 12.1)

    Do not store cardholder data on Internet-accessible systems (for example, web server and database server must not be on same server). (Requirement 9.1)

    NetFlow and Compliance

    Many industries are subject to information security laws and regulations that require the use of strict security controls to protect the confidentiality, integrity, and availability of sensitive information. Network flow data can help in these cases by providing security analysts the tools they need to proactively monitor the compliance status of a network, conduct forensic investigations, identify malicious software in use on the network, and assess the effectiveness of other security controls.

    NetFlow data can assist organizations seeking to comply with the Payment Card Industry Data Security Standard (see the sidebar "NetFlow and PCI DSS"), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), Control Objectives for Information Technology (COBIT), and National Institute of Standards and Technology (NIST) 800 series, among others.

    Chapter 5

    Viewing NetFlow Security Data

    In This Chapter

    Leveraging dashboards to get at-a-glance insight into suspicious network activity

    Using StealthWatch's reporting capabilities to generate the data views you need

    Grouping related hosts in relational maps to gain additional insight

    In this chapter, I look at several ways that Lancope's StealthWatch System enables security administrators to view NetFlow data.

    Leveraging Dashboards

    Reviewing a NetFlow security dashboard should be every security analyst's first step in the morning. The dashboard allows you to assess the health and security of your network at a single glance, immediately identifying issues that might require further investigation (refer to Figure 4-1 for a visual).

    Dashboards aren't just for analysts! You might consider using the security dashboard to provide managers and executives with a view into your security posture.

    The Lancope StealthWatch Management Console provides a dashboard view. This dashboard includes the following information:

    Top Internet destinations

    Top internal talkers

    Top suspicious internal hosts

    Geographic activity map

    Relational activity map

    Average round trip time

    Total traffic to the Internet

    When viewing the dashboard, you might notice, for example, that an unusual host appears on your top talkers list (as illustrated in Figure 5-1). A security analyst could then drill into that traffic to conduct a follow-up investigation and determine whether it was legitimate or might indicate a security incident.

    Figure 5-1: When fully leveraged, NetFlow can provide complete visibility across the entire network, along with the ability to drill down into specific communications for more effective troubleshooting. (Source: Lancope, Inc.)


    Reporting on NetFlow Data

    In addition to the dashboard view, security administrators may use their NetFlow analysis platform for detailed reporting. One way to do this is through the use of predefined reports created by the platform developer for widespread use. Figure 5-2 provides an example of a predefined report from StealthWatch showing network activity by protocol over time.

    In addition to predefined reports, administrators can create customized reports tailored to their workflows and personal preferences. StealthWatch allows administrators to create custom reports to meet their security requirements.

    Developing effective, useful reports is an acquired skill that is applicable across many disciplines, including security, networking, server administration, and others. You may wish to hire a reporting specialist to integrate StealthWatch reports with reports generated from other IT tools.

    Point-of-View technology

    You've probably realized by this point that StealthWatch provides a wealth of information valuable to both security and networking professionals. Different technical professionals have different needs from the system, and Lancope's Point-of-View technology helps accommodate these diverse needs.

    Point-of-View provides security and networking professionals with different views when they access the StealthWatch console. Security professionals will see information about violations of your organization's defined policies and potential malware infections on your network. Network professionals, on the other hand, will get technical detail on router statistics, traffic trends, and the most active hosts, for example.


    Figure 5-2: The StealthWatch Management Console provides administrators with a number of preconfigured reports, including a time-based view of traffic by protocol. (Source: Lancope, Inc.)

    Relational Flow Maps

    It becomes easier to understand network flow information when you're able to incorporate other information into your assessment, such as the roles of different hosts and the geographic locations of systems. StealthWatch's relational flow maps make it possible to include this data in your analysis and easily visualize the relationships between systems communicating on your network.

    Figure 5-3 shows a flow map of a DMZ with systems grouped by function. A quick glance at this diagram tells you that there is a high level of activity from the Internet to your DHCP, DNS, and backup servers. The shading of the mail server box indicates an area of particular concern warranting further investigation.


    Figure 5-3: StealthWatch offers map-based views of network activity, grouping related systems by function. (Source: Lancope, Inc.)

    In some cases, grouping flows by geographic location can help provide insight into activity. Figure 5-4 shows an example of this type of report, using StealthWatch's ability to superimpose a flow map over an actual map to aid in analysis.

    Figure 5-4: StealthWatch also allows the grouping of systems by location and permits you to superimpose that information on an actual map. (Source: Lancope, Inc.)


    Taking the time to work through the reporting features of your NetFlow analysis platform is a good investment of time. By spending some up-front time customizing your reports to fit your workflow and specific reporting needs, you can improve the effectiveness of your troubleshooting and decrease the amount of time spent on daily analysis.

    Chapter 6

    NetFlow for Security: Best Practices

    In This Chapter

    Gauging NetFlow's impact on your network and network devices

    Estimating flows per second generated by typical networks

    Customizing flow data with Cisco's Flexible NetFlow technology

    As you begin to design and deploy a NetFlow analysis solution for your organization, it's helpful to understand some of the industry best practices that can make your environment more productive. In this chapter, I look at a few of these best practices.

    Gauging NetFlow's Impact on Your Network

    One of the primary concerns that networking professionals voice when considering a NetFlow deployment is the impact that the technology will have on the performance of the network and the network devices used as NetFlow exporters. You need to be able to answer these questions to gain support from network administrators and management alike.

    First, understand the bandwidth consumed by NetFlow data traveling from exporters to the collector. Generally speaking, NetFlow traffic has a marginal impact on network bandwidth. On highly active networks, Lancope has found that the network generates about 1,200 flows per second for every 250Mbps of traffic. With NetFlow v5 collection, this results in about 680Kbps of NetFlow traffic, or a total bandwidth overhead of less than 1 percent.

    Lancope offers a NetFlow Bandwidth Calculator on its website, which allows you to estimate the expected bandwidth use of NetFlow in your environment based upon the version of NetFlow you're using and the expected number of flows per second leaving the exporter. (Go to www.lancope.com/NF-bandwidth-calc.)

    You'll also want to consider the impact of NetFlow on the networking devices you're using to export data. Some network devices, such as the Cisco Catalyst 6000 series (with Sup720 or Sup2T), the Cisco Catalyst 4500 (with Sup 7-E), and the Cisco ASR 1000, have hardware dedicated to NetFlow, so there is very little impact on the device itself.

    On the other hand, other Cisco devices, such as the ASA and ISR G1/G2, use the CPU to collect NetFlow data. In these cases, the greater the number of concurrent flows active in the router's memory, the greater the impact on the CPU. As the exporter becomes increasingly busy, the CPU impact from NetFlow goes up. The general rule used by Lancope engineers when assisting with NetFlow implementations is to assume that NetFlow will add approximately 10 percent of the existing CPU utilization when running on a software-based exporter such as Cisco's ISR G1/G2. In other words, if your router is running at 90 percent utilization, enabling NetFlow would add an additional 9 percent to the CPU, bringing the router to maximum CPU capacity.

    For devices performing NetFlow collection on the CPU, it's the number of concurrent flows through the device that determines the CPU impact, not the packets per second rate or overall bandwidth.

    Using NetFlow Appliances

    If your network devices can't handle the additional burden of exporting NetFlow data or your networking staff is unwilling to provide you with direct access to NetFlow data, you may wish to consider using dedicated NetFlow appliances to collect data.

    Lancope's StealthWatch FlowSensor appliance sits on your network and collects data through a network tap or switch SPAN port. It then passively monitors the traffic crossing your network and creates NetFlow records for export to StealthWatch FlowCollectors. It's also available as a virtual appliance that installs as a virtual instance per VM. There's no impact on your routers, switches, or firewalls.

    Additionally, the FlowSensor is application-aware and provides additional security metrics not found in traditional NetFlow sources. These additional security metrics improve the ability to detect security events such as SYN Flood DoS attacks, botnets, and SMTP spam sources.

    Estimating Flows per Second

    As you prepare to design your NetFlow architecture, one of the most important characteristics for determining the specifications of the equipment you need is the number of flows per second on your network.

    If you're using traditional NetFlow, estimating the number of flows per second is quite straightforward. Simply use the ip cache flow command on your device and look at the total flows per second on the last line of the result. Figure 6-1 shows an example of this command in use, with the result on the last line enclosed in a box.

    Figure 6-1: Determining the number of flows per second on a Cisco device using traditional NetFlow. (Source: Lancope, Inc.)
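    The bandwidth figures from the previous section and the flows-per-second reading described above can be checked with a short script. What follows is an added example, not code from the book or from Lancope. It parses a constructed sample of the summary table that the show ip cache flow command prints (the command behind Figure 6-1), reads the flows per second from the Total: line, and turns that rate into an estimated NetFlow v5 export bandwidth using the documented v5 datagram layout (24-byte header, 48-byte records, up to 30 records per UDP datagram; the 28-byte IPv4/UDP overhead is an assumption). Because it assumes every datagram is full, the result is a lower bound: Lancope's measured 680Kbps for 1,200 flows per second is higher, but both land well under the 1 percent overhead the chapter cites. The CPU estimate applies the 10 percent rule of thumb from the previous section. The sample output, the field positions it relies on, and the script name netflow_load.py are all constructed for this example.

```python
"""Estimate NetFlow export load from 'show ip cache flow' output.

Added example for this chapter; not code from the book or from Lancope.
The sample output below is constructed. The v5 layout constants follow
the documented NetFlow v5 format; the IP/UDP overhead is an assumption.
"""
import re

V5_HEADER_BYTES = 24          # NetFlow v5 datagram header
V5_RECORD_BYTES = 48          # one v5 flow record
V5_RECORDS_PER_PACKET = 30    # maximum records per v5 datagram
UDP_IP_OVERHEAD_BYTES = 28    # assumed: 20-byte IPv4 header + 8-byte UDP header

# Constructed sample of the summary table printed by 'show ip cache flow'.
# The 'Total:' line is the one the chapter tells you to read.
SAMPLE_OUTPUT = """\
IP Flow Switching Cache, 4456704 bytes
  1523 active, 64013 inactive, 29384719 added
  482910 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-WWW       18211200      7.0        11   512     77.0       4.1      12.3
UDP-DNS        9810314      3.8         2    78      7.6       0.9      15.2
Total:        29384719     11.3         8   321     90.1       7.2      15.1
"""

# 'Total:' is followed by the total flow count and then the flows/sec column.
TOTAL_RE = re.compile(r"^Total:\s+(\d+)\s+([\d.]+)", re.MULTILINE)
# The cache header line reports how many flows are currently active.
ACTIVE_RE = re.compile(r"^\s*(\d+) active, (\d+) inactive", re.MULTILINE)


def parse_cache_summary(text: str) -> dict:
    """Return total flows, flows/sec and active flow count from the summary."""
    total = TOTAL_RE.search(text)
    active = ACTIVE_RE.search(text)
    if not total or not active:
        raise ValueError("no 'Total:' or 'active' line found in output")
    return {
        "total_flows": int(total.group(1)),
        "flows_per_sec": float(total.group(2)),
        # Active flows drive CPU load on software exporters (see chapter).
        "active_flows": int(active.group(1)),
    }


def v5_export_kbps(flows_per_sec: float) -> float:
    """Export bandwidth in kbit/s, assuming every datagram carries 30 records.

    This is a lower bound: partially filled datagrams raise the real figure.
    """
    packets_per_sec = flows_per_sec / V5_RECORDS_PER_PACKET
    bytes_per_packet = (V5_HEADER_BYTES
                        + V5_RECORDS_PER_PACKET * V5_RECORD_BYTES
                        + UDP_IP_OVERHEAD_BYTES)
    return packets_per_sec * bytes_per_packet * 8 / 1000


def overhead_percent(flows_per_sec: float, link_mbps: float) -> float:
    """Share of a link's capacity consumed by the v5 export stream."""
    return v5_export_kbps(flows_per_sec) / (link_mbps * 1000) * 100


def cpu_after_netflow(current_cpu_percent: float) -> float:
    """Chapter's rule of thumb: NetFlow adds about 10% of existing utilization."""
    return min(100.0, current_cpu_percent * 1.10)


if __name__ == "__main__":
    summary = parse_cache_summary(SAMPLE_OUTPUT)
    print(f"flows/sec from cache summary: {summary['flows_per_sec']}")
    print(f"active flows: {summary['active_flows']}")
    # The chapter's busy-network figure: 1,200 flows/sec on a 250Mbps link.
    print(f"v5 export for 1,200 fps: {v5_export_kbps(1200):.1f} Kbps "
          f"({overhead_percent(1200, 250):.2f}% of 250Mbps)")
    print(f"router at 90% CPU after enabling NetFlow: "
          f"{cpu_after_netflow(90):.0f}%")
```

    Run it as python3 netflow_load.py to see the figures for the sample; to use it on a real device, paste the command output into SAMPLE_OUTPUT or read it from a file. The parser only trusts the Total: and active lines, so extra protocol rows or a different column order elsewhere in the output do not affect it.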

    If you're using Flexible NetFlow, you'll need to follow a few more steps to estimate the flow per second rate on your network. For more details, see www.lancope.com/blog/FNFconfig. Or consider using Lancope's flows-per-second calculator, which you can find at www.lancope.com/FPS-calculator.

    Reduce the Impact with Flexible NetFlow

    As mentioned in Chapter 1, Cisco now offers next-generation Flexible NetFlow (FNF) technology that allows you to customize the flow data collected on your network. This allows you to reduce the impact on your network by limiting the amount of data collected based on what is needed for your security analysis.

    Flexible NetFlow is an extremely powerful technology with a large number of configuration options. For more detail, see Cisco's Flexible NetFlow command reference at www.cisco.com/en/US/docs/ios/fnetflow/command/reference/fnf_book.html.

    Flexible NetFlow uses flow monitors to track NetFlow information crossing a device. Each flow monitor consists of two components:

    Flow records define the fields that the device should export as part of the NetFlow data. These typically include IP addresses, ports, protocols, and other information.

    Flow exporters include the technical details required to send NetFlow data to the collector. This includes the identity of the collector, the transport protocol to use, and the version of NetFlow supported by the collector.

    Unlike traditional NetFlow, FNF is a Cisco-specific technology and isn't available on devices from other manufacturers.

    Chapter 7

    Top Ten Reasons to Use NetFlow for Security

    In This Chapter
    Reasons enterprises are turning to NetFlow information to improve their security controls
    Network management benefits that organizations gain in addition to NetFlow's security improvements

    NetFlow has come a long way over recent years. Previous beliefs about it being a complicated, resource-intensive technology have faded, and many organizations are embracing its unique capabilities to achieve a number of network and security management goals.

    Available from existing routers and switches, NetFlow provides an extremely cost-effective tool for maintaining secure, high-performance infrastructures. This chapter discusses the top ten reasons enterprises are turning to NetFlow to improve their networks and overall security posture.

    Obtaining End-to-End Network Visibility

    By collecting and analyzing flow data, organizations can obtain in-depth network visibility to address a wide range of network and security issues. NetFlow can be used to effectively baseline, track, and audit behavior across the entire network, even remote sites, without having to deploy and manage a physical device at each location.


    Monitoring Network and Application Performance

    Monitoring NetFlow data provides the insight needed to ensure that both the network and specific applications are delivering high levels of availability and performance. By displaying details on top talkers, hosts, services, and so on, NetFlow can help IT teams quickly identify the root cause and restore performance when the network slows.

    Enhancing Security Threat Detection Capabilities

    By analyzing network behavior and not relying on signature updates, NetFlow can be used to detect sophisticated zero-day attacks like worms and botnets that bypass perimeter defenses. It can also be used to uncover internal threats such as policy violations, device misconfigurations, network misuse, unauthorized access, and data leakage, significantly bolstering security.

    Complying with Legal and Regulatory Requirements

    NetFlow delivers unparalleled visibility, accountability, and measurability for maintaining compliance with industry and government regulations such as HIPAA, PCI DSS, FISMA/NIST, and NERC CIP, among others.

    Reducing MTTK

    The use of NetFlow data can significantly streamline network and security troubleshooting, reducing MTTK from hours or days to just minutes. Faster troubleshooting means less damaging and costly downtime for enterprises.


    Improving Network Capacity Planning

    By providing real-time and historical visibility into all network traffic, NetFlow can be used to identify the exact hosts and applications consuming bandwidth to help determine whether bandwidth needs to be increased or if existing bandwidth could be better utilized. In the event of a security incident, this information can be used to identify hosts consuming unusual amounts of bandwidth.

    Achieving Time and Cost Savings

    The use of NetFlow can save vast amounts of time and money by eliminating the need to place physical devices at each endpoint and spend countless security analyst hours manually analyzing data to troubleshoot issues.

    Maintaining Network Visibility in Evolving Technology Environments

    Flow data can help organizations maintain the network visibility that is often lost through migrations to advanced infrastructure such as virtualized environments, 10G networks, and MPLS networks. This allows organizations to embrace new technology trends and innovations without sacrificing network performance and security.

    Improving Collaboration in the Enterprise

    NetFlow provides a wide range of data that can be leveraged by network, data center, and security teams, as well as other groups such as help desks. Working with a single set of actionable data versus a variety of point solutions fosters greater collaboration between IT teams, eliminating isolated, disjointed efforts and increasing productivity.

    Filling in the Gaps Left by Other Security Controls

    When leveraged by robust flow collection and analysis solutions such as Lancope's StealthWatch, NetFlow can effectively fill in the gaps between other technologies to provide more comprehensive and actionable insight for improved performance and security.

    More information on NetFlow can be found at www.lancope.com/blog.


    NetFlow Security Monitoring For Dummies, Lancope Special Edition

    Introduction
      About This Book
      Icons Used in This Book

    Chapter 1: Getting to Know Your NetFlow
      What Is NetFlow?
      Where Is NetFlow Information Available?
      Configuring NetFlow
      NetFlow in the Security Infrastructure

    Chapter 2: Examining Trends Addressed by NetFlow
      Evolving Threat Landscape
      Changes in Information Technology
      Evolution of the Network

    Chapter 3: Choosing a Solution for NetFlow Collection
      What's Your Objective?
      Designing for Scalability
      Enhancing Analysis Capabilities
      Adapting to Emerging Technologies

    Chapter 4: Putting NetFlow to Work for Security
      Total Network Visibility
      Correlating Flows with Context
      Gaining Situational Awareness
      Maintaining a Forensic Audit Trail
      NetFlow and Compliance

    Chapter 5: Viewing NetFlow Security Data
      Leveraging Dashboards
      Reporting on NetFlow Data
      Relational Flow Maps

    Chapter 6: NetFlow for Security: Best Practices
      Gauging NetFlow's Impact on Your Network
      Using NetFlow Appliances
      Estimating Flows per Second
      Reduce the Impact with Flexible NetFlow

    Chapter 7: Top Ten Reasons to Use NetFlow for Security
      Obtaining End-to-End Network Visibility
      Monitoring Network and Application Performance
      Enhancing Security Threat Detection Capabilities
      Complying with Legal and Regulatory Requirements
      Reducing MTTK
      Improving Network Capacity Planning
      Achieving Time and Cost Savings
      Maintaining Network Visibility in Evolving Technology Environments
      Improving Collaboration in the Enterprise
      Filling in the Gaps Left by Other Security Controls