Modern networks are designed to provide fast and reliable access to the applications that make us productive. Maybe it’s the inventory system used to keep procurement and warehousing in sync, or maybe it’s a system that queues and processes financial transactions. In any case, often these business-critical apps will need to be scaled horizontally to allow for additional concurrent capacity. Orchestrating access to multiple nodes serving the same app can be a technical challenge.
Over the years, libraries have been filled on the topic of flow protocols—specifically, how they work and their general accuracy.
I spend a large amount of time day-to-day working with customers to understand how they can best leverage their current NetFlow/IPFIX data to solve a variety of problems. What I’ve begun to realize is that there are many different use cases for leveraging metadata, and the format in which data can be most useful will vary as well. More and more often, the traditional graph and table format of displaying data may not be the preferred format. One way to overcome this is to use a RESTful API, so today I’d like to talk about Scrutinizer’s ability to fully support RESTful API calls.
Virtualization offers many benefits to organizations. But at the same time, you’ll have to figure out how to monitor your virtual environment, because a lack of visibility can cause many problems. This blog will cover how organizations can use Scrutinizer to take full advantage of a virtual environment without the accompanying challenges.
Do you wanna build a NetFlow? Doesn’t have to be a NetFlow…
Network metadata (NetFlow, IPFIX, sFlow, etc.) provides a wealth of information about the transactions that are happening on a network. Typically, if something happens on the network, NetFlow will see it.
Traditional flow records, however, can leave a lot of the puzzle unsolved during an investigation.
As a technical support engineer, I have worked with hundreds of customers across the globe. I typically ask them why they choose Scrutinizer as their go-to solution for network monitoring and security needs. While their answers may vary based on the role and the industry, visibility into the network is the key. In this blog, I will list the 5 reasons why internet service providers choose Scrutinizer.
Real-time applications have redefined the world around us. We can now hold meetings with members distributed across the world, play games with long-distance friends we haven’t seen in a while, or binge our favorite shows over a streaming service without missing a frame. But while using these tools has made life easier for the end users, the same cannot be said for those responsible for managing the networks that support them. Whether it is a datagram-based media stream like RTP, or an interactive TCP-based session, network performance is key to ensuring these applications work. It is essential that teams have a good workflow for identification and resolution of issues that can degrade or interrupt service. This blog focuses on the metrics that are important when trying to improve real-time application performance.
Although it ought to be a basic task, patch management has nearly gotten out of control. Many vendors, to their credit, are quick to release patches when they discover issues. But there are more devices and applications on today’s networks, and an ever-growing list of threats to worry about. These factors combined have made it exponentially harder to keep up with patch management. So, dear reader, by the end of this blog I want you to come away with some strategies to make your life easier.
If you are ever out to dinner with friends talking about which network devices have the strangest exports, the Cisco ASA will certainly be near the top of the list. The ASA is truly unlike any other firewall in what it can export in its NetFlow Secure Event Logging (NSEL) format. When gathering ASA flows, you will get most of what you are used to with standard version 5 or 9 of NetFlow (minus DSCP Marking and TCP Flags). The interesting bit is its unique elements:
Elements Unique to Cisco ASA NSEL Data
- Firewall Event:
  - ID 1 – Flow Created: flow added to the cache (conversation starts)
  - ID 2 – Flow Deleted: flow deleted from the cache (conversation ends)
  - ID 3 – Flow Denied: conversation was blocked
  - ID 5 – Flow Updated: still in the cache as an active flow (conversation is ongoing)
- Firewall Extended Events:
  - Flow Denied:
    - ID 1001: flow was denied by an ingress ACL
    - ID 1002: flow was denied by an egress ACL
    - ID 1003: typically ICMP to the ASA being denied, but could be other reasons
    - ID 1004: the first packet on the TCP connection wasn’t a SYN packet
  - Flow Deleted: these IDs will be somewhere in the 2000s
- Ingress Access List: which ingress ACL was in play during a flow
- Egress Access List: which egress ACL was in play during a flow
- Username: Interestingly, the Cisco ASA includes the VPN username in the flow records. So if your ASA is a VPN appliance, you can gain some valuable insight into what users are doing during VPN sessions. I have worked with customers to set up custom alerts to let them know if VPN connections are being established from outside of the USA or other approved regions.
- NAT Information: The ASA keeps track of and exports information regarding how IPs and ports are translated by the firewall. This is useful for gaining visibility into internal users when investigating traffic entering the firewall.
As you can see, there is a wide variety of elements that are specific to the ASA. By harnessing these data elements, you can get historical reports on all of the ACL activity the firewall has seen.
For example, let’s say there is an overly permissive policy that allows any host to communicate with a disaster recovery provider off-prem. A firewall admin may want to lock this policy down to the IP addresses he believes should be making this communication. But prior to making this change on the firewall, we could look back over a couple of months of data and make sure we aren’t going to be inadvertently blocking any IP addresses we didn’t think of. Furthermore, we could check to see if any hosts are communicating with the disaster recovery site that we wouldn’t expect.
Taking a look at an example from Scrutinizer, we can see some peculiar activity from our marketing team. As a firewall administrator, I could investigate who from marketing was attempting to connect to the AWS Backup Servers and what time of day it’s occurring. Then I can determine if this communication should be allowed or investigated further.
These types of reports nicely complement companies’ compliance initiatives. Being able to prove that ACLs are doing their job over extended periods of time tells a great story during an audit. That said, when considering where to store this NSEL data, if compliance is a priority, make sure the solution you choose has customizable data retention settings to ensure the data is there when you need it.
When it comes to reporting on ACLs within a flow collection system, powerful filtering mechanics will be crucial to this endeavor. To get started collecting these, you can either use ASDM or the CLI to configure the Cisco ASA. Once the data is flowing into Scrutinizer, you would simply be running reports specific to those events.
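The three reports the post describes (denied flows by ACL and extended-event reason, the hosts actually talking to the DR provider before a policy is tightened, and VPN usernames connecting from outside approved regions) as an added Python example. This is not Plixer's or Scrutinizer's code: it works on constructed, already-decoded NSEL records whose field names and the IP-to-country table are assumptions; parsing the NetFlow v9 wire format is out of scope.

```python
from collections import Counter

# Event codes exactly as listed in the post.
FW_EVENT = {1: "Flow Created", 2: "Flow Deleted", 3: "Flow Denied", 5: "Flow Updated"}
EXT_EVENT = {1001: "denied by ingress ACL", 1002: "denied by egress ACL",
             1003: "denied, typically ICMP to the ASA", 1004: "first TCP packet was not a SYN"}

# Constructed sample of already-decoded NSEL records (field names are assumptions,
# not the ASA's template element names).
RECORDS = [
    {"event": 1, "ext": 0, "src": "10.1.5.20", "dst": "203.0.113.10", "dport": 443,
     "ingress_acl": "inside_in", "egress_acl": "", "user": ""},
    {"event": 5, "ext": 0, "src": "10.1.7.4", "dst": "203.0.113.10", "dport": 443,
     "ingress_acl": "inside_in", "egress_acl": "", "user": ""},
    {"event": 3, "ext": 1001, "src": "10.1.5.21", "dst": "203.0.113.10", "dport": 445,
     "ingress_acl": "inside_in", "egress_acl": "", "user": ""},
    {"event": 3, "ext": 1004, "src": "198.51.100.7", "dst": "10.1.5.20", "dport": 80,
     "ingress_acl": "outside_in", "egress_acl": "", "user": ""},
    {"event": 1, "ext": 0, "src": "192.0.2.55", "dst": "10.1.9.9", "dport": 3389,
     "ingress_acl": "", "egress_acl": "", "user": "jdoe"},
    {"event": 1, "ext": 0, "src": "198.51.100.200", "dst": "10.1.9.9", "dport": 3389,
     "ingress_acl": "", "egress_acl": "", "user": "asmith"},
]
# Constructed IP-to-country lookup standing in for a GeoIP database (an assumption).
GEO = {"192.0.2.55": "US", "198.51.100.200": "RO"}

def denied_by_acl(records):
    """Count Flow Denied (event 3) records by (ACL in play, extended-event reason)."""
    counts = Counter()
    for r in records:
        if FW_EVENT.get(r["event"]) != "Flow Denied":
            continue
        acl = r["ingress_acl"] or r["egress_acl"] or "(no ACL)"
        counts[(acl, EXT_EVENT.get(r["ext"], f"ext event {r['ext']}"))] += 1
    return counts

def hosts_talking_to(records, dest):
    """Sources with a created/updated flow to dest: the addresses a tightened
    'any to DR provider' policy must still permit, checked before the change."""
    return sorted({r["src"] for r in records if r["dst"] == dest and r["event"] in (1, 5)})

def vpn_users_outside(records, approved):
    """VPN usernames whose flow source resolves to a country not in approved."""
    hits = set()
    for r in records:
        if r["user"] and GEO.get(r["src"], "??") not in approved:
            hits.add((r["user"], r["src"], GEO.get(r["src"], "??")))
    return sorted(hits)
```

Run over a few months of collected records instead of the sample, `hosts_talking_to` gives the allow-list for the tightened policy and `vpn_users_outside` the alert condition the post mentions.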
Contact our support team if you want to learn more about these integrations, or need help with configurations.
It’s that time of year again. Employees have gone away from the office to spend time with friends and family. They will, of course, return shortly in the new year, many of whom will have new devices that they will want to join the corporate network to stay connected. Many of these devices include smartphones, televisions, watches, phones, tablets, etc. The technology provides an exceptional level of convenience for the user, but it means that more information is being shared with third parties, and new threat surfaces are being created as more devices are added. With these new devices, the security of the information they collect (and in fact the security of the devices) is not perfect. So, what can you do to make sure you secure your devices, data, and network? Let’s take a look!