Two years ago, I wrote a blog about tracking malware in encrypted traffic. The overall theme of that blog was that encryption has become much more of a standard. 2017 in particular was a milestone year in which the volume of encrypted traffic officially surpassed unencrypted web traffic. It’s safe to say that in three years, that balance has shifted even more in favor of SSL/TLS encryption. In this blog, I’ll explore the concept of JA3 and JA3S fingerprinting and the benefits they introduce when it comes to inspecting encrypted traffic.
Read moreAuthor: Jeff Morrison
Jeff Morrison is a Solutions Engineer here at Plixer. He is responsible for travelling on-site to provide assistance with initial deployment, setup and design, in-depth training, and custom configurations. While in the office Jeff is responsible for providing technical assistance on initial overviews, providing training for internal resources, and researching integrations with 3rd-party vendors. When not on the road travelling, he enjoys playing music, riding motorcycles, video games, and spending time with friends and family.
The importance of monitoring and correlating your wireless network traffic
Posted on - by Jeff Morrison
I’m often asked, “if I already have a solution to monitor this segment of the network, why do I need a solution that will overlap”? It’s a very fair question to ask, considering in most aspects of life redundancy or overlap isn’t necessarily considered good. In the case of network monitoring, I would argue overlap isn’t bad if it’s also providing correlation. With that in mind, I wanted to focus on the benefit of monitoring your wireless network traffic, and specifically having the ability to correlate this traffic across the entirety of your network.
Read moreCisco ASR 1001-X overloading QFP
Posted on - by Jeff Morrison
Whether you work primarily on the networking side of the house or the security side, you’ll need to ingest metadata into at least one of the tools in your toolbox. In my experience, it’s often the same data sets are often being generated multiple times from the same raw packet. This can put an extreme load on your exporting device. This happened recently with a customer, and in the process, we uncovered a bug specific to Cisco’s ASR 1001-X platform running IOS XE 3.16.x. I’ll discuss what this bug was, the issues it caused, and how it can be alleviated in the future.
Read moreScrutinizer and Its RESTful API
Posted on - by Jeff Morrison
I spend a large amount of time day-to-day working with customers to understand how they can best leverage their current NetFlow/IPFIX data to solve a variety of problems. What I’ve begun to realize is that there are many different use cases for leveraging metadata, and the format in which data can be most useful will vary as well. More and moreoften, the traditional graph and table format of displaying data may not be the preferred format. One way to overcome this is to use a RESTful API, so today I’d like to talk about Scrutinizer’s ability to fully support RESTful API calls.
Cisco Catalyst 9500 Flexible NetFlow Configuration
Posted on - by Jeff Morrison
Recently I’ve had many requests from customers who upgraded to the Catalyst 9500 series and are looking for a NetFlow configuration document. So I’ve put together this guide for configuring FNF (Flexible NetFlow).
Configuring an ERSPAN within VMware and Cisco Switches
Posted on - by Jeff Morrison
With the ever-growing support for flow exports, the need for probes and port mirroring has become a lot more limited. There are certain environments where it’s a requirement, however, and physically impossible to position a probe near a device that we want to port mirror from. In these situations, it’s important for the probe to have support for a remote span.
NetOps and SecOps Collaboration Solves the Data Silo Problem
Posted on - by Jeff Morrison
In the IT space we are not new to challenges. Some might even say we welcome them and thrive in overcoming hurdles. Each and every department in our IT infrastructure faces their own unique challenges every day. Today I wanted to explore one challenge in particular: data silos.
Read moreScrutinizer SaaS Deployment
Posted on - by Jeff Morrison
Let’s talk about the cloud for a minute. A majority of IT infrastructure has been moving to the cloud over the last few years, and for good reason. The cost-saving benefit, ease of administration and space reduction are all good reasons to move your internal applications to the cloud. This movement of offloading hardware to the cloud has started what I lovingly refer to as the $_aaS movement. Most are aware that nearly any application can be hosted as a service, but I want to talk about hosting your network monitoring solution as a service. That’s right, Plixer has a Scrutinizer SaaS deployment option!
ISPs and Netflix Open Connect
Posted on - by Jeff Morrison
Whether it’s after a long day at work, a rainy weekend, or when a new season of your favorite TV show is released, we’ve all been on a Netflix bender (*cough* Stranger Things *cough*). What we probably don’t think about is how all of that content is being delivered and what a burden that puts onto our ISPs. If you’re in the ISP industry, don’t worry—Netflix has the solution in Netflix Open Connect!
Wildcard Mask Filters Within Scrutinizer
Posted on - by Jeff Morrison
While working with users, I’ve noticed scenarios where filtering traffic based on a CIDR or an IP range just isn’t enough control. I wanted to explore another option—wildcard netmask filters! Let’s walk through how they work, and how they can be applied.
