What is baselining network traffic? Why worry about baselining network traffic and Is this used for network security? These are the questions I want to answer today and how you can start baselining network traffic with the use of NetFlow/IPFIX.
Baselining Network Traffic?
Baselining network traffic is watching your network traffic and figuring out what is normal, everyday, traffic and knowing when the traffic patterns of any internal host changes. Most internal hosts will either be a consumer or producer of traffic. Each host will be known for normally downloading files from a shared drive on a typical day, uploading files or a mixture of both. We want to know when the host changes its regular traffic patterns.
Why Baseline Network Traffic?
As we can see above, you can start understanding why we want to start baselining network traffic. When a host is normally a consumer of data and becomes a producer of data (or the other way around), this could be an indication that they may be an infected host that is starting to exfiltrate data. If that user clicked on the wrong link in a spear fishing email, thus pulling down malware that starts to pull data from your secured shares drive to its command and control server, we want to get an alert, or possibly an email to the security team, letting them know that this traffic pattern has changed.
Using NetFlow For Baselining Network Traffic:
When in the market for a new NetFlow/IPFIX collector, keep in mind that your collector should work for you. In our collector, we have the ability to baseline network traffic because we collect and store 100% of NetFlow that is sent to the collector. Associating the traffic from a specific IP address and watching its traffic pattern over time will give you the ability to say, if that traffic changes, I want to know. After configuring the baselining algorithms and giving the collector time to make its determination whether a host is a consumer, producer, or combination of them both, we can set up an alert to email our security team that there may be an issue that needs attention.
If a host is starting to produce more traffic than normal, there are a few steps we can take. First, I would set up a report in our NetFlow/IPFIX collector to show all the destinations that the IP has been communicating with, in the last week. We should see some normal traffic such as our shared drive, CRM, and Google. What we would be looking for is some newer destinations that cannot be explained. Maybe URLs that are not recognized.
Be sure that your collector can store 100% of NetFlow/IPFIX data, so the smaller conversations are not missed. If there is malware on your network, and I’m sure there is, or will be soon, it will probably not be one of the “top talkers”. If this is something you would like to know more about, please contact us in support.