Today’s threat detection and intrusion prevention systems deployed at companies concerned with cybercrime use a layered approach to network protection. Anti-virus programs are deployed on every end system and server. Most of us have access lists on routers and switches, and those who need to provide remote access to employees leverage encrypted VPN technologies. Then of course there is the next generation firewall (e.g. Cisco, Dell – SonicWALL and Palo Alto), which performs deep packet inspection to compare bit patterns against regularly updated signatures.
“IPS (or deep packet inspection) is our #1 security defense; NetFlow is a very close #2”
-Gavin Reid, Manager of Cisco CSIRT
Companies unwilling to put their intellectual property at greater risk take a more aggressive approach. Proactive security measures like removing full-time Internet access from servers (i.e. online only for periodic software updates) have been successful. Another popular method is removing employee administrator privileges on laptops, preventing them from installing harmful software such as adware or malware. These additional, albeit somewhat drastic, steps are often justified by security teams in an effort to avoid the latest security exploit or Advanced Persistent Threat (APT).
It’s no secret that hackers and hacktivists are always one step ahead of the game. 2012 has been quite the year for the infosec community. Blue Coat recently published a report stating that malnets have tripled in the past six months. Combine that with the ongoing Operation Cisco Raider, the House Intelligence Committee’s recent Huawei and ZTE accusation, the barrage of attacks on US banking institutions, and the use of LOIC (Low Orbit Ion Cannon) by Anonymous earlier this year. Clearly, it isn’t just the onset of the “End of Days” that has us all fearing the worst and asking, “How can I beef up my network security?”
Let’s take a look at a few ways NetFlow and IPFIX can improve threat detection. NetFlow has the advantage of not requiring regular antivirus signature updates. Instead, it can be used to watch for behavior patterns. Excessive flows, network scans, odd TCP flag patterns, irregular communication ratios, etc. are all indicators of a possible infection, which makes NetFlow/IPFIX analysis an excellent basis for anomaly-based intrusion detection.
“As we work increasingly with the ability to understand traffic via NetFlow, which is free on every router we make, it has some really good value equations in situational understanding. Although you can’t see payload, you can see traffic in terms of how much and from what IP address to another, and that’s where it’s really valuable.”
-John N. Stewart
A host communicating with another host that has a poor reputation is one of the best ways to catch machines that could be involved in an Advanced Persistent Threat (APT) style attack, or in some kind of command and control botnet or malnet. This kind of continuous monitoring should be part of every serious IPFIX and NetFlow solution. Ours has been doing it since 2008.
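To make the behavior-based checks above concrete, here is an added example (not code from the original post or from any vendor product) that runs the flow-record indicators just described, a port scan fanning out to many targets, NULL/XMAS TCP flag patterns, a high ratio of half-open sessions, and a destination on a reputation list, over a small set of constructed NetFlow-style records. The record layout, the reputation set and the thresholds are assumptions chosen for the example.

```python
from collections import Counter, defaultdict

# TCP flag bits as carried in the NetFlow v5 tcp_flags / IPFIX tcpControlBits field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed sample flow records (src, dst, dst_port, proto, tcp_flags, packets),
# not captured traffic. proto 6 = TCP. Addresses are RFC 1918 / documentation ranges.
SAMPLE_FLOWS = (
    [("10.0.0.5", "10.0.1.20", p, 6, SYN, 1) for p in range(1, 41)]      # SYN sweep of 40 ports
    + [("10.0.0.7", "198.51.100.3", 443, 6, SYN | ACK | PSH | FIN, 120)]  # normal HTTPS session
    + [("10.0.0.7", "203.0.113.9", 8080, 6, SYN | ACK | PSH, 30)]         # talks to a flagged host
    + [("10.0.0.9", "10.0.1.21", 445, 6, 0x00, 3)]                        # NULL-flag probe
    + [("10.0.0.9", "10.0.1.21", 445, 6, FIN | PSH | URG, 3)]             # XMAS-flag probe
)

# Constructed reputation set; a real deployment would load a threat-intel feed here.
BAD_REPUTATION = {"203.0.113.9"}


def analyze_flows(flows, reputation=BAD_REPUTATION, scan_targets=20, min_flows=10):
    """Return sorted (alert_type, source_ip, detail) tuples derived from flow records only."""
    alerts = set()
    targets = defaultdict(set)      # src -> distinct (dst, port) pairs contacted
    flows_per_src = Counter()       # src -> total flows seen
    syn_only_per_src = Counter()    # src -> flows that never got past SYN (half-open)
    for src, dst, dport, proto, flags, _pkts in flows:
        flows_per_src[src] += 1
        targets[src].add((dst, dport))
        if dst in reputation:                              # host talks to a known-bad address
            alerts.add(("bad_reputation", src, dst))
        if proto == 6:
            # NULL (no flags) or FIN/URG without ACK is not seen in normal TCP sessions.
            if flags == 0 or (flags & (FIN | URG) and not flags & ACK):
                alerts.add(("odd_tcp_flags", src, f"{dst}:{dport} flags=0x{flags:02x}"))
            if flags == SYN:
                syn_only_per_src[src] += 1
    for src, n in flows_per_src.items():
        if len(targets[src]) >= scan_targets:              # one source fanning out = scan
            alerts.add(("port_scan", src, f"{len(targets[src])} distinct targets"))
        ratio = syn_only_per_src[src] / n                  # share of half-open sessions
        if n >= min_flows and ratio >= 0.5:                # many flows, few completed
            alerts.add(("half_open_ratio", src, f"{ratio:.2f} of {n} flows"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in analyze_flows(SAMPLE_FLOWS):
        print(alert)
```

None of these checks needs payload or a signature update; each is computed from the 5-tuple, flag bits and per-source counts a flow exporter already provides.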