NetFlow Overview: Advanced NetFlow Traffic Analyzer

Posted in Netflow Traffic Analysis on May 15th, 2013 by Jo-G

To conclude our 7 part NetFlow v9 overview blog series, I will highlight our Advanced NetFlow Traffic Analyzer, showing off the innovative features we bring to Network Traffic Management and Traffic Analysis in these areas:

  • Dashboard views
  • Flow Reporting
  • Network Security



Joanne Ghidoni
Sr. Solutions Engineer

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!


NetFlow Overview: NetFlow v9 Options Template

Posted in Network Traffic Analysis on April 3rd, 2013 by Jo-G

In Part 5 of the NetFlow v9 overview series, I will be talking about NetFlow v9 Options Templates, following up on Scott’s installment, part 4, which addressed what a NetFlow Data Flowset is.

What is an Options template?

It is a special type of template record used to communicate the format of data related to the NetFlow process.

Combine the Options template with an Options data record to provide information about the NetFlow process itself. For example, the Options template can contain application tables with application tags, names and descriptions, or interface index tables to provide interface descriptions via NetFlow.



Joanne Ghidoni
Sr. Solutions Engineer


Top 5 Uses of NetFlow for Network Security

Posted in BYOD, Flow Analytics, NetFlow, NetFlow Analysis, NetFlow Security, network behavior analysis, Security on July 24th, 2012 by Adam Powers

There are many uses of NetFlow, but one of the most important and often overlooked is the network security value NetFlow and IPFIX can provide. Based on feedback gathered over 10 years from hundreds of NetFlow customers, here are the top five uses of NetFlow analysis for network security in ascending order…

Adam Powers
@adampowers22


Identity-Aware NetFlow: Cisco ASA NSEL

Posted in ASA, network security on July 17th, 2012 by mike@plixer.com

Businesses with IT teams managing tens of thousands of IP addresses often find it difficult to track down IP addresses, and for this reason they would rather work with a username. Identity-Aware NetFlow ties the two together. In this post, let’s take an example of tracking down the root cause of a network security issue or detected threat.

Michael Patterson
Founder and CEO


Flow Analysis Expert Adam Powers Joins Plixer as Chief Security Officer

Posted in General, NetFlow Analysis, NetFlow Security, Security on July 11th, 2012 by Adam Powers


Mike Patterson (Plixer CEO and Founder) and I have been long time colleagues in the arena of NetFlow analysis. Over the years we’ve both watched as NetFlow has matured and gained increasing popularity and I’ve always admired Mike and his team’s energy and steadfast devotion to NetFlow technology.


CA signed SSL Certificate Configuration for your NetFlow and sFlow Analyzer

Posted in General, NetFlow, NetFlow Analyzer, Scrutinizer, Security, sFlow on January 4th, 2011 by Danny

In this blog I want to talk about how to configure SSL for our NetFlow and sFlow Analyzer web authentication. The standard procedure for configuring SSL for HTTPS redirection has three basic steps.

  1. Generating SSL files.
  2. Installing a CA signed certificate.
  3. Configuring Apache to use SSL.

A. GENERATING SSL FILES

Three files are generated as a result of this process: the private key (.key), the Certificate Signing Request (.csr), and the public key or SSL certificate (.crt). The private key contains encrypted information that identifies an institution or company. The Certificate Signing Request contains the information found in the private key and a public key to be signed by a Certificate Authority (CA).


Is Conficker being hosted by your company?

Posted in NetFlow, Scrutinizer on April 25th, 2009 by Brian

I’m sure just about every company’s security manager is aware of Conficker. This worm is spreading through networks at alarming rates. Its weapon: exploiting a vulnerability, called MS08-067, in Windows 2000, XP, and Server 2003.

Conficker looks like legitimate traffic
Conficker.A, .B & .C (yes, it has versions) randomly create domain names that are based on the system clocks of popular web sites such as google.com, yahoo.com, etc., so the HTTP traffic looks legitimate. At first, I thought we should block all the domains, but that is not a simple task. As of April 8th, Conficker.E was found not to be using randomly created domains, but it deletes itself on May 3rd, 2009, unlike Conficker.C. It constantly changes its own behavior!

On April 7th researchers found a variant of Conficker that initiates communication via a peer-to-peer (P2P) connection. A TCP connection is then used to download the file. Irregular UDP communications also take place.

What is Cisco’s position?
Learn more about Cisco’s position on Conficker. They encourage customers to purchase their Home Network Defender product and as a result, you “should be” protected. Here is some additional great information on Conficker from Cisco.

Track Conficker with Cisco NetFlow?
It isn’t that easy. Remember, Conficker looks like legitimate traffic. Network Behavior Analysis solutions can’t confidently detect Conficker either. We are looking into a solution that watches Conficker behaviors. Our Internet Threats Monitor has proven to be very effective at getting updates out to all our customers within just a few minutes. We could do the same as Conficker mutates and we learn its new behavior. For now, here are a few things to be aware of:

  • Make sure you know your company’s legitimate applications VERY WELL.
    • Make sure you have defined the known applications within Scrutinizer.
    • Put in the time to mark legitimate traffic within the Top Applications gadget of Flow Analytics.
  • Watch your DNS logs for hosts failing to resolve odd host names. Maybe script something that looks for excessive DNS lookup failures within a time frame, etc. I’m still looking into this.
  • Participate in Systrax and get involved.

Are you infected?
Take the Conficker test right now. If all 6 images show up you are in good shape.

Brian
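
One way to script the DNS-failure watch suggested in the list above, added here as an example and not code from the original post or from Scrutinizer. The log line format, the five-minute window and the threshold of four distinct failed names are assumptions, and the sample log is constructed.

```python
"""Flag clients with many distinct failed DNS lookups inside a sliding window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (hypothetical format: ISO time, client IP, query name, rcode).
SAMPLE_LOG = """\
2009-04-25T09:00:00 10.1.1.45 oldshare.corp.example NXDOMAIN
2009-04-25T09:00:05 10.1.1.20 www.google.com NOERROR
2009-04-25T09:00:10 10.1.1.30 printer9.corp.example NXDOMAIN
2009-04-25T09:00:20 10.1.1.77 qzkvbtra.example NXDOMAIN
2009-04-25T09:00:40 10.1.1.30 printer9.corp.example NXDOMAIN
2009-04-25T09:00:50 10.1.1.77 mwpdxhye.example NXDOMAIN
2009-04-25T09:01:10 10.1.1.30 printer9.corp.example NXDOMAIN
2009-04-25T09:01:20 10.1.1.77 tljgcnso.example NXDOMAIN
2009-04-25T09:01:40 10.1.1.30 printer9.corp.example NXDOMAIN
2009-04-25T09:01:50 10.1.1.77 bfyrkuwi.example NXDOMAIN
2009-04-25T09:02:20 10.1.1.77 hdxoqzme.example NXDOMAIN
2009-04-25T09:15:00 10.1.1.45 wiki-old.corp.example NXDOMAIN
2009-04-25T09:30:00 10.1.1.45 ftp2.corp.example NXDOMAIN
2009-04-25T09:45:00 10.1.1.45 test01.corp.example NXDOMAIN
"""

def failing_clients(lines, window=timedelta(minutes=5), threshold=4):
    """Return {client: peak count of distinct failed names in one window}.

    Lines must be in time order. Counting distinct names keeps a host that
    retries one stale name (10.1.1.30 above) from being flagged."""
    recent = defaultdict(deque)   # client -> (time, name) of recent failures
    flagged = {}
    for line in lines:
        try:
            ts, client, qname, rcode = line.split()
            ts = datetime.fromisoformat(ts)
        except ValueError:
            continue              # blank or malformed line: skip it
        if rcode != "NXDOMAIN":
            continue
        q = recent[client]
        q.append((ts, qname.lower()))
        while ts - q[0][0] > window:      # drop failures older than the window
            q.popleft()
        distinct = len({name for _, name in q})
        if distinct >= threshold:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(failing_clients(SAMPLE_LOG.splitlines()))
```

Hosts flagged this way are candidates for closer inspection in the flow data, not confirmed infections; tune the window and threshold against a baseline of normal lookups.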


Downadup/Conficker Worm caught by using Flow Analytics, NetFlow Analyzer

Posted in NetFlow, Network Problem Resolution, Scrutinizer, Security on March 19th, 2009 by James

Good morning world. At the beginning of the week I was helping a customer who found he had been attacked by the Downadup/Conficker Worm. This worm pounded his network! The customer explained to me that the worm came in with a brute force attack, which infected his computers that were not updated. He then saw the traffic on his network almost triple. The Downadup/Conficker Worm generated 250 domain names per day that scanned his network, infected his computers, and tried to go to the Internet. Because of the way this customer had set up his network, the worm was not able to pass through his Proxy to the Internet.

The customer looked at his Flow Analytics and saw that he was having Excessive SYN Violations. SYN Violations indicate a denial-of-service attack. Because the worm was not able to get through the Proxy, it created a denial of service. This customer was able to click on the SYN Violations in Flow Analytics and pick off which computers were infected and patch them up.

The customer was able to patch up his servers and his computers in a timely manner with the help of Flow Analytics; traffic has slowed down and his network is back to normal.
