Once, the idea of knowing what applications are running on your network and knowing the application performance of each of them was only a want for administrators. Now, in the last few years especially, application performance has become a growing concern, and Layer 7 application visibility is now a need and no longer a want. Applications have become part of everyday business; some have even become mission critical, meaning that we rely on those applications performing efficiently at all times.
Ever look at the NetFlow details of a conversation and wish you had the full packets to look at? Combining your NetFlow solution with an open source packet capture tool can greatly enhance insight into your network. Today I want to discuss Moloch packet capture integration with a NetFlow solution, as well as how you can take that conversation and get full packet details with a simple click. In a previous blog, I mentioned the use of packet capture tools with NetFlow for troubleshooting, and we looked at some filters you can manually add to narrow your results. This is no longer needed, as you can pass filters, like source IP, to see the full Moloch packet capture details for further analysis right from your NetFlow report.
Recently one of our employees experienced a DNS hijacking attack while trying to visit a company’s website to learn more about them. You have probably experienced DNS hijacking at some point; your TCP/IP configuration is subverted to point at a rogue DNS server under the control of an attacker. Essentially the website you tried to visit was somehow redirected to a domain chosen by the attacker. In the case of our employee, the site that he was redirected to served up a pop-up that warned of malware on his PC.
Security is a top concern for most network administrators and engineers today. Those that want to detect suspicious network activity within their environment can use a NetFlow solution to gain insight into network traffic and cyber threats. I often hear, however, that they don’t have time to just stare at a screen until something goes wrong; there are too many user issues and fires that need attention. By using Scrutinizer, you can automatically receive email alerts on specific threshold breaches to help detect suspicious network activity. In this post, I’d like to explain how to detect suspicious network activity.
Lately I’ve spoken to a few people in the field who are using Arista switches to get visibility into their networks using sFlow, and thought I would write about Arista sFlow configuration. Arista switches offer a single sFlow agent that samples ingress traffic from all Ethernet as well as port channel interfaces. At Plixer we see more and more companies who are looking to utilize flow collection to identify bandwidth issues and network security risks.
There is a rising trend among network administrators toward network segmentation for compliance purposes, such as PCI compliance. If you store sensitive user information such as credit card numbers, you are subject to PCI compliance. What if, though, you could leverage NetFlow data to show that the servers that store such information are segmented on your network? Being able to show that you have full visibility into your network and that you have protected sensitive information can be a huge relief when you are asked to demonstrate PCI compliance.
When you log into your NetFlow Analyzer, it may be shocking to find one of your core devices is saying “no flows received”. I’ve seen this in support and know that it is important to have your devices sending NetFlow data to your collector at all times. I’ve found that the best way to uncover the issue is to narrow down the variables and isolate the problem. In this blog, I’d like to look at why flows are not being received by a NetFlow collector, using a packet capture analysis tool, Wireshark.
I have had a few customers ask about username reporting with NetFlow within their incident response system. Collecting user activity and viewing reports filtered on specific users can give administrators insight and convenience when looking at users logged into the network while investigating an incident or providing detailed reports for management. Most authentication systems are supported (e.g. Cisco ISE, Enterasys Mobile IAM). Adam has discussed the advantages to administrators in a previous blog about username reporting with NetFlow. In this blog I will go over how to integrate with a Microsoft Domain Controller, and then use an incident response system to utilize username reporting.
Identifying a compromised host in your environment is a common task for administrators in most network environments. What about other local hosts currently communicating with a compromised IP address that you are not yet aware of? It’s not just a question of detecting the communication but of how long it has been going on before you detect it.
I have been working with a number of customers who asked for an sFlow vs NetFlow comparison. They were concerned about the amount of visibility they were seeing with the sFlow (sampling) technology and why those reports were so different from their NetFlow reports. In response to all those requests, I set up a lab to show you some of these differences!