Why Scrutinizer is a great free NetFlow collector

Posted in NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer on June 9th, 2009 by jimmyd

We are all trying to get more bang for our buck, but what if you are looking for a free Cisco NetFlow alternative? What is the best option? The good news is that, even if you are just looking for a free Cisco NetFlow monitoring application, Scrutinizer will meet or exceed your needs!

A lot of people ask me, “Can you send me the free version of Scrutinizer?” They don’t understand that when you download Scrutinizer from the Plixer website, you automatically get the FREE version.

The Scrutinizer free version is perfect for dealing with network congestion and troubleshooting other issues. You are able to store 24 hours' worth of data, drill down through that data, and export the data to be used in your favorite application.

“But I don’t have a NetFlow capable device.” Not a problem. A while ago, I wrote a blog post titled “Cisco NetFlow traffic analysis now within reach of small businesses,” which talks about how to flash your lower-end router to enable NetFlow. My Product Manager wrote a post about using nProbe, which gives you the ability to generate Cisco NetFlow traffic from just about any router or switch.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

Downadup/Conficker Worm caught by using Flow Analytics, NetFlow Analyzer

Posted in NetFlow, Network Problem Resolution, Scrutinizer, Security on March 19th, 2009 by miltong

Good morning world. At the beginning of the week I was helping a customer who found he had been attacked by the Downadup/Conficker Worm. This worm pounded his network! The customer explained to me that the worm came in with a brute force attack, which infected his computers that were not updated. He then saw the traffic on his network almost triple. The Downadup/Conficker Worm generated 250 domain names per day that scanned his network, infected his computers, and tried to go to the Internet. Because of the way this customer had set up his network, the worm was not able to pass through his Proxy to the Internet.

The customer looked at his Flow Analytics and saw that he was having Excessive SYN Violations. SYN Violations indicate a denial-of-service attack: many TCP connections are opened but never completed. Because the worm was not able to get through the Proxy, it created a denial of service. This customer was able to click on the SYN Violations in Flow Analytics, pick off which computers were infected, and patch them up.

The customer was able to patch up his servers and his computers in a timely manner with the help of Flow Analytics; traffic has slowed down and his network is back to normal.
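To make the SYN-violation idea concrete, here is an added example (not Plixer's Flow Analytics code) that tallies, per source host, the TCP flows whose cumulative flags carry SYN but never ACK, and flags hosts that open many such flows to many different targets, the pattern an infected machine scanning for new victims leaves in flow data. The flow records, addresses and thresholds are constructed for illustration.

```python
"""Flag hosts producing excessive SYN-only flows in NetFlow records.

Added example, not Plixer's Flow Analytics code. A scanning worm opens many
TCP connections that never complete, so in flow data the infected host is a
source of many flows whose cumulative TCP flags contain SYN but never ACK.
"""
from collections import defaultdict
import csv
import io

TCP_SYN = 0x02
TCP_ACK = 0x10

# Constructed NetFlow v5-style export (cumulative TCP flags per flow);
# 192.0.2.x / 198.51.100.x are documentation addresses, not real hosts.
SAMPLE_FLOWS = """src_addr,dst_addr,dst_port,tcp_flags,packets
192.0.2.10,198.51.100.5,80,0x1b,12
192.0.2.10,198.51.100.7,443,0x1b,40
192.0.2.20,198.51.100.9,22,0x02,1
192.0.2.44,198.51.100.1,445,0x02,1
192.0.2.44,198.51.100.2,445,0x02,1
192.0.2.44,198.51.100.3,445,0x02,1
192.0.2.44,198.51.100.4,445,0x02,1
192.0.2.44,198.51.100.6,445,0x02,1
192.0.2.44,198.51.100.8,445,0x02,1
192.0.2.44,198.51.100.7,445,0x12,3
"""

def parse_flows(text):
    """Parse the CSV export into dicts with integer flags and packet counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["tcp_flags"] = int(row["tcp_flags"], 16)
        row["packets"] = int(row["packets"])
        rows.append(row)
    return rows

def syn_violations(flows):
    """Per source: (number of SYN-only flows, distinct destinations they hit)."""
    counts = defaultdict(int)
    targets = defaultdict(set)
    for f in flows:
        flags = f["tcp_flags"]
        if flags & TCP_SYN and not flags & TCP_ACK:   # SYN set, ACK never seen
            counts[f["src_addr"]] += 1
            targets[f["src_addr"]].add(f["dst_addr"])
    return {src: (counts[src], len(targets[src])) for src in counts}

def flag_scanners(flows, min_flows=5, min_targets=5):
    """Sources whose SYN-only flow count and target spread both reach the thresholds."""
    stats = syn_violations(flows)
    return sorted(src for src, (n, t) in stats.items()
                  if n >= min_flows and t >= min_targets)
```

A single failed connection (192.0.2.20 above) is counted but not flagged; only the host hitting many distinct targets crosses both thresholds.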

Milton


Heartland Security Breach Could Have Been Prevented

Posted in General, Scrutinizer on January 26th, 2009 by Raul J Duran

“I have talked to many payments leaders who are also concerned about the increasing success and frequency of cyber crime attacks,” stated Robert O. Carr, Heartland’s founder, chairman and chief executive officer of Heartland Payment Systems. Heartland Payment Systems is a large provider of credit and debit payment and check management services based in NJ.

In a Networkworld.com article, “Debit-card processor claims data breach part of global fraud operation”, Ellen Messmer, senior editor for Networkworld.com, explains how Heartland was hit by a massive security breach that compromised customer card data that crossed Heartland’s network. 

Robert H.B. Baldwin Jr., Heartland’s president and CFO, said “About 100 million card transactions per month occur on the affected systems which provide processing to merchants and businesses.”

[Image: Artist's Rendition of the Heartland Security Breach Meeting]

I’m sure several initial questions were asked like, “How did this happen?” “Why didn’t the firewall and IDS prevent this?” “Why didn’t antivirus pick this up?” “What security do we have?!!!” I wonder what the answers were. Crickets with the occasional whimper? “Yes, it is a problem and we are working on it…”, “I don’t know.”

Baldwin says the computer forensics conducted by the company has uncovered evidence of multiple instances of malicious software on the Heartland network, although he didn’t disclose the exact number of identified instances.

In Heartland’s official statement there was a clue as to how the breach was carried out: “Cyber criminals to use the same or slightly modified techniques over and over again.”

So the picture is starting to look like a modified worm and/or trojan, created to circumvent antivirus, was introduced to the network internally or through an open port. Once the right nodes or servers were infected, open season on credit card information collection was initiated.

In the last paragraph of the Networkworld article, Baldwin states: “The company is taking steps to improve its network security by adding what it referred to as ‘a next-generation program designed to flag network anomalies in real-time to better identify possible criminal activity’ but didn’t go into details.”

In today’s world anybody can learn how to hack and create worms and viruses by a simple Google search, increasing the sophistication and the number of people looking to steal information. Whatever the specific attack, the symptoms and network behavior at its core are actually very similar. This is why real-time network traffic anomaly detection is a critical step in securing a network, and by Heartland’s published statements they seem to agree.

A tool that would have likely caught this breach is the Netflow Behavior Analysis (NBA) module for the Scrutinizer Netflow Analyzer. It’s a system designed to look for malicious traffic trends that are flying under the radar of existing conventional countermeasures.

Scrutinizer NBA continually tallies and sizes up the conversations from all flow-sending devices and helps identify:

• Zero-day worms, SYN Floods and DoS attacks
• ICMP Destination Unreachable
• Bleeding Edge Attacks
• Policy violations and internal misuse
• Poorly configured and unauthorized devices
• Unauthorized Application Deployments
• Suspicious NetBIOS-based services
• Excessive Multicast Traffic
• Unauthorized or incorrectly configured server activity
• P2P traffic, such as BitTorrent (even if encrypted)
• Root causes of network slow downs
• Serious vs. trivial network incidents

What happened to Heartland is an example of why having a real-time network behavior analysis tool in place like Plixer’s Netflow Behavior Analysis module can be the key to avoiding catastrophic security breaches.

Plixer offers free evaluations of Scrutinizer and the Flow Analytics/NBA module, so there’s no reason why you shouldn’t check it out if you don’t already have it.

Check out the Netflow Behavior Analysis Brochure on the Plixer website.

Good luck to Heartland and I hope they’re able to recover from this.

Raul Duran


Upgrade Scrutinizer from version 5.0.x or 5.5.0 to version 6.0.4

Posted in General, Scrutinizer on January 8th, 2009 by miltong

For those of you who are still running Scrutinizer v5.0.x or v5.5.0 and are looking to upgrade to the latest version, here’s a brief walkthrough on how to do so:

1. Make a complete backup of the Scrutinizer directory and the Scrutinizer database.

2. Go to the Scrutinizer Available Updates page.
a. Select Upgrade Scrutinizer
b. Select the v5.0.2/5.5 to v5.5.1 Update [Download Update] from the Version Upgrade Section.

3. Run the update executable over your current Scrutinizer installation.

4. When the v5.5.1 update is completed, download the v5.5.1/6.0 to v6.0.4 Update.

5. Run the update executable over the Scrutinizer v5.5.1 installation.

6. When you finish upgrading, you will need a new license key for v6.0.4.

Feel free to contact Plixer Technical Support at 207-324-8805 Ext:4, and we’ll be happy to generate one for you.

Milton
