Most companies agree that business Internet security systems are a paramount concern.  Relying on traditional security efforts such as firewalls and antivirus software are not going to perform a very important emerging security detection technique called network behavior analysis.  To leverage this internal security measure, network administrators need to collect and analyze NetFlow or IPFIX from existing routers and switches.  And here’s some good news: firmware upgrades are usually not needed to take advantage of flow technology.

Internal threat detection is a growing area of concern especially with the emergence of BYOD traffic.  Some companies are placing firewalls and other “security boxes” on high speed gigabit backbone links as another layer of protection from internal infected hosts. In fact, Forrester Research calls for a Zero Trust model where networks are designed from the inside out.

“The redesign starts with a black box or network segmentation gateway that can handle high speeds – up to 10G interfaces. The gateway acts like a UTM appliance, but it does much more than provide firewall, antispam and content filtering features. It can add data leakage prevention capabilities, intrusion prevention and encryption to the network” said John Kindervaq, a senior analyst with Forrester Research, Inc.

Using NetFlow for security is largely about monitoring internal traffic and watching for odd traffic patterns that could indicate malware.  Flagging nefarious traffic patterns or even end systems communicating with hosts with poor Internet reputations can lead to the first symptom that is often indicative of a Command and Control infection or worse, an Advanced Persistent Threat.

Because flow data is incredibly useful at aiding the threat detection process, the Cisco ASA, Palo Alto Networks firewall and the SonicWALL firewall all export NetFlow or IPFIX.  In some cases these security appliances export threat detected messages inside NetFlow datagrams that other vendors typically send as syslogs.  Below is an example from a SonicWALL.

More network security vendors are using NetFlow or IPFIX exports to send messages about the threats detected or quarantined as shown above. Another example from Cisco is called Smart logging telemetry:

The above messages can be correlated with traditional NetFlow which ultimately leads to increased host Threat Indexes(TM).  If the indexes reach a threshold, they can trigger alarms. The science to indexes is in how the vendor increases and decreases them based on age and importance of the threats detected. Persuading a vendor to open up and talk about how they compute indexes isn’t easy  as it’s often a closely guarded secret.  A well implemented index can help reduce Mean Time To Know (MTTK) as well as the Mean Time To Repair (MTTR).

Although the additional security provide by NetFlow and IPFIX is significant, it should only be part of a company’s complete Unified Threat Management solution. For example, NetFlow algorithms can be used to accurately detect SYN scans, ICMP redirect issues, DDoS attacks, XMAS scans, etc. In some cases, this same mathematical searching through the flows can trigger alarms for legitimate traffic.  This is why it is important to use indexes and rememeber: analyzing NetFlow and IPFIX is meant to be another effective security layer.

 

Michael Patterson
Founder and CEO

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!

Tags: Business Internet Security Systems, Byod traffic, Internal Threat Detection, internet reputations, netflow behavior analysis, Network Behavior Analysis

This entry was posted on Friday, July 6th, 2012 at 8:00 am and is filed under ASA, BYOD, Flow Analytics, IPFIX, network behavior analysis, SonicWALL. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.