
IBM Proventia IPFIX Support

Today I am going to take a look at the IPFIX support offered on the IBM Proventia network security appliance, and how security forensics using IPFIX adds to the overall enterprise threat defense solution.

The IBM Proventia Network Intrusion Prevention appliance is a unified threat management device that provides protection at the gateway and network levels without jeopardizing network bandwidth or availability. It can combat a variety of threats such as unauthorized access, network attacks, malicious code, blended threats, content-based attacks, spyware and phishing.

IBM Proventia integrates these best-of-breed security modules in a single high performance and easy-to-use unified threat management appliance:

  • Firewall/VPN
  • Network Intrusion prevention
  • Anti-virus
  • Anti-spam
  • Web/URL filter
  • Application protection

Because running multiple security processes across multiple locations can be costly and resource-intensive, the centralized, multi-layered approach offered by IBM Proventia is a welcome solution for small businesses as well as the distributed enterprise.

Take advantage of these Security Forensics using IPFIX

IBM Security Network Intrusion Prevention System Firmware Version 4.6 adds an option to configure the collection of IPFIX flow data to measure and investigate the amount and type of traffic on a network. The appliance then exports the flow data to an external NetFlow/IPFIX flow collector.

The appliance receives flow data information in the form of PAMFlow from the Pluggable Authentication Module (PAM), which is an API that exposes a set of functions that application programmers use for security-related functions like user authentication, data encryption, LDAP, and more. The appliance converts the PAMFlow data into the Internet Protocol Flow Information eXport format (IPFIX). This conversion enables the appliance to send the flow data information to an external flow collector.

Today, security forensics using IPFIX to monitor communication behaviors, and even to maintain baselines, is becoming more prevalent. By collecting flows representing all of the conversations traversing the network, you gain visibility into suspect conversations coming in and out of your network as well as moving laterally inside it. When the signatures in the IDS/IPS fail to catch malware, NetFlow and IPFIX can recognize enough odd behaviors to identify an infection. Collecting flows from all of the firewalls, routers, and switches on your network essentially turns each device into a security probe and provides a great additional security layer to your network intrusion prevention solution.

IBM Proventia IPFIX configuration is very easy.

To configure it from the Network IPS Local Management Interface, navigate to:

Manage System Settings > Appliance > Remote Flow Data Collection

[Figure: IBM Network Intrusion Prevention: Using IPFIX for Network Security Forensics]

In the SiteProtector™ system, select the Remote Flow Data Collection policy. Then:

  • Enable the appliance to collect flow data.
  • In the Collector field, enter the address of the external event collector.
  • In the Port field, enter the port for the external event collector.
  • From the Protocol list, select a protocol. The appliance supports sending flow data to external event collectors by using the User Datagram Protocol (UDP).
  • In the Template timeout field, enter a timeout interval for the template that is used by the external event collector. This setting specifies the interval at which the template actively times out. 60 seconds is recommended.

The IBM Proventia IPFIX export includes field elements that offer all of the traditional TopN (applications, talkers, and conversations) types of reporting. We have seen many of the next generation firewall vendors export unique vendor flow elements in their IPFIX flow templates, and the IBM Proventia is no exception. IBM is exporting field elements that let us report on the reason the flow ended. Hopefully they plan on taking full advantage of the IPFIX protocol to export more of the network intrusion prevention data in their flow exports.
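As an added example (not IBM's code and not from the original post), here is a minimal collector-side IPFIX parser that ties together the two points above: the template timeout matters because, over UDP, templates and data records travel in separate messages, so a collector must cache templates per observation domain and cannot decode a data set that arrives before its template is (re)sent; and a flow-end-reason element is decoded into its meaning. The sample template and data record are constructed; element numbers are the IANA ones (flowEndReason is element 136, the IPFIX mapping for "reason the flow ended") rather than IBM's vendor-specific elements, and only fixed-length elements are handled.

```python
import struct

# IANA information elements used below (RFC 7012 registry); 136 is flowEndReason.
IE_NAMES = {8: "sourceIPv4Address", 12: "destinationIPv4Address", 7: "sourceTransportPort",
            11: "destinationTransportPort", 4: "protocolIdentifier", 1: "octetDeltaCount", 136: "flowEndReason"}
FLOW_END_REASON = {1: "idle timeout", 2: "active timeout", 3: "end of flow detected", 4: "forced end", 5: "lack of resources"}

def build_message(odid, sets):  # assemble an IPFIX message (RFC 7011 header) from (set_id, set_body) pairs
    body = b"".join(struct.pack("!HH", sid, len(sb) + 4) + sb for sid, sb in sets)
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 0, odid) + body

def parse_ipfix_message(msg, templates):
    """Decode one message; `templates` maps (observation domain, template id) -> fields and
    must persist across messages, because over UDP a data set may arrive before its template."""
    version, length, _, _, odid = struct.unpack("!HHIII", msg[:16])
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    records, undecodable, pos = [], 0, 16
    while pos < length:
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        body, off = msg[pos + 4:pos + set_len], 0
        if set_id == 2:                                  # template set
            while off + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[off:off + 4]); off += 4
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack("!HH", body[off:off + 4]); off += 4
                    if ie & 0x8000:                      # vendor element: 4-byte enterprise number follows
                        ie = (struct.unpack("!I", body[off:off + 4])[0], ie & 0x7FFF); off += 4
                    fields.append((ie, flen))
                templates[(odid, tid)] = fields
        elif set_id >= 256:                              # data set; set_id names the template
            fields = templates.get((odid, set_id))
            if fields is None:
                undecodable += 1                         # no template yet: hold or drop, never guess
            else:
                rec_len = sum(f for _, f in fields)
                while rec_len and off + rec_len <= len(body):   # trailing bytes are padding
                    rec = {}
                    for ie, flen in fields:
                        raw = body[off:off + flen]; off += flen
                        val = ".".join(map(str, raw)) if ie in (8, 12) else int.from_bytes(raw, "big")
                        rec[IE_NAMES.get(ie, str(ie))] = FLOW_END_REASON.get(val, val) if ie == 136 else val
                    records.append(rec)
        pos += set_len
    return records, undecodable

# Constructed sample: template 256 (7 fixed-length elements) and one 18-byte data record.
TEMPLATE = build_message(1, [(2, struct.pack("!16H", 256, 7, 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 1, 4, 136, 1))])
DATA = build_message(1, [(256, bytes([10, 0, 0, 5, 192, 0, 2, 10]) + struct.pack("!HHBIB", 51000, 443, 6, 1500, 1))])
```

Feeding DATA to a fresh cache before TEMPLATE yields no records and one undecodable set; after TEMPLATE has been seen, the same DATA decodes to one record whose flowEndReason reads "idle timeout".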

Is this the type of network visibility that you would like to take advantage of? Let us show you how you can leverage IBM Proventia IPFIX to detect advanced persistent threats and provide a total security solution.