Network Behavior Analysis : Business Internet Security Systems

Posted in ASA, BYOD, Flow Analytics, IPFIX, network behavior analysis, SonicWALL on July 6th, 2012 by mike@plixer.com

Most companies agree that business Internet security systems are a paramount concern.  Traditional security efforts such as firewalls and antivirus software, however, do not perform an important emerging security detection technique called network behavior analysis.  To leverage this internal security measure, network administrators need to collect and analyze NetFlow or IPFIX from existing routers and switches.  And here’s some good news: firmware upgrades are usually not needed to take advantage of flow technology.


Michael Patterson
Founder and CEO

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!


Palo Alto Networks NetFlow NAT Support

Posted in Network Traffic Analysis on April 4th, 2012 by Paul

Palo Alto Networks NetFlow NAT support is reflected in the latest version of our NetFlow monitoring solution. Check out the template details:

postNAPTDestinationTransportPort
postNAPTSourceTransportPort
postNATDestinationIPv4Address
postNATSourceIPv4Address


Paul


Cisco NetFlow | Part 1 – What is Flow Analytics™?

Posted in Flow Analytics, NetFlow, NetFlow Analyzer, Network Health Report, Network Monitoring, Network Traffic Analysis, Network Traffic Monitor on September 27th, 2011 by Jimmy W

NetFlow and sFlow Analytics

What is Flow Analytics™ ?

Flow Analytics™ is a built-in module that a NetFlow analyzing tool uses to perform network behavior analysis. Flow Analytics™ can trigger alarms for such behaviors as worms, network scanning, and known compromised Internet hosts. It can alarm you if any DoS attacks are happening. Once that happens it can identify repeat offenders and create a Unique Identifier (UI) to manage traffic counts. Flow Analytics™ can also identify your top applications, conversations, protocols, etc. across dozens of routers and switches.

Flow Analytics™ allows you to store data for more than 24 hours. You can choose to save an unlimited amount of NetFlow data history at every interval. So now you can go back and identify a problem that occurred 2 weeks ago on your network. Flow Analytics™ also allows for automated DNS resolution to help you quickly identify culprits on your network.

What makes Flow Analytics™ incredibly amazing is the ability to look at the NetFlow from multiple routers and switches simultaneously every 5 minutes. Potentially, you can configure hundreds of devices for each algorithm in Flow Analytics™. In this blog I will show you how to set up Flow Analytics™ and how to start configuring it.

Jimmy Wendler


Downadup Worm Caught with Flow Analytics

Posted in General, Scrutinizer, WebNM on January 18th, 2009 by mike@plixer.com

Overview
With several million machines now infected, identifying the Downadup worm on your network is a little easier than you might think with NetFlow.  We suggest leveraging it for more than just viewing top talkers.

While this worm is designed to change itself to elude identification by AV software, it does not change its behavior on the network.

How does it work?
The Downadup worm takes advantage of a security hole in the RPC service for Windows machines. This hole has been patched and the patch can be obtained here. This patch was not rolled out via the normal Windows Update and has left tens of millions of PCs at risk.

It Phones Home
Once infected, the machine goes out to one of 4 sites to get its true external IP address. Once it has that, it is able to communicate with C&C (command and control) servers.

It Spreads the Disease
The first priority of the worm is to try and infect other hosts. It will try and scan your entire subnet for other hosts. The scan will occur on TCP Port 445 (RPC).

How is this identified?
If you are exporting NetFlow or sFlow, Scrutinizer with Flow Analytics can catch this using its SYN scan algorithm. Once you have been alerted, you can drill into the flow view to see the addresses that have been scanned and isolate the infected hosts from the network.

Monitor for the Call
The Flow Analytics Internet Threats algorithm will notify you if a machine on your network is communicating with a known C&C server.  You can also run reports in Scrutinizer to see who has accessed one of the four known addresses that provide an IP address.  Call us and we’ll get Flow Analytics installed on your server.
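As an added example (not Scrutinizer's own code or its SYN scan algorithm), the Python below shows the kind of flow-level evidence the scanning behavior described above leaves behind: one source opening SYN-only, one-packet flows to many distinct hosts on TCP 445 inside a single export interval. The record field names, the sample addresses and the 20-host threshold are constructed assumptions.

```python
from collections import defaultdict

SYN = 0x02  # tcpControlBits / NetFlow v5 tcp_flags bit for SYN


def syn_scan_suspects(flows, port=445, min_targets=20):
    """Count, per source address, the distinct destinations reached with
    SYN-only TCP flows on `port`. A flow whose flag bits are exactly SYN
    and that carries at most two packets never completed a handshake;
    legitimate SMB sessions show ACK, PSH and FIN bits and many packets.
    Returns {source: distinct_target_count} for sources at or above the
    threshold (assumed here; a real product tunes this per network)."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] != 6 or f["dport"] != port:
            continue  # not TCP, or not the port being watched
        if f["tcp_flags"] == SYN and f["packets"] <= 2:
            targets[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def sample_flows():
    """Constructed 5-minute export: 10.1.2.77 sweeps the rest of 10.1.2.0/24
    on 445 with single SYN packets, while 10.1.2.10 holds one normal,
    completed SMB session to a file server at 10.1.2.5."""
    flows = [
        {"src": "10.1.2.77", "dst": f"10.1.2.{i}", "proto": 6, "dport": 445,
         "tcp_flags": SYN, "packets": 1, "bytes": 48}
        for i in range(1, 255) if i != 77
    ]
    flows.append({"src": "10.1.2.10", "dst": "10.1.2.5", "proto": 6, "dport": 445,
                  "tcp_flags": 0x1B, "packets": 240, "bytes": 184000})  # FIN|SYN|PSH|ACK
    return flows


if __name__ == "__main__":
    for src, n in syn_scan_suspects(sample_flows()).items():
        print(f"possible SYN scan: {src} probed {n} hosts on tcp/445")
```

Once a source is flagged this way, the same records give the scanned address list needed to isolate the host, which is the drill-down the post describes.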

Michael Patterson
Founder and CEO
