Blog :: Network Operations :: Security Operations

Monitoring failed login attempts with IPFIX

Does your network team routinely have issues with monitoring failed login attempts? If you answered “Yes” to the previous question or are interested in all things NetFlow then this blog is for you! Working in support I commonly get asked “what other things can NetFlow show me?” My follow-up question is usually “what do you want to see?” We all know that you can monitor VoIP statistics and URL information, but you can take this quite a few steps further now that IPFIX is the NetFlow standard. Using our IPFIX agent we can take Windows event logs, such as login failures, and export the information as NetFlow, which is then forwarded off to our NetFlow/IPFIX collector.

Network Security with IPFIX

Now you might be asking yourself “that’s great, I can now get tons of emails telling me that end users are typing in their password wrong”; this is true, but now you can also be alerted when users are locked out by simply setting up a threshold to alert you after so many failed logins. If you are a security minded individual, you may see where I am headed with this. Brute force password attacks can be uncovered using event log-to-IPFIX conversions. Take the image below for example, this images was taken after a security team was notified of a number of failed login attempts. It appears that a malicious hacker was trying to guess the username schema to guess or brute force common passwords.

NetFlow Security


Scary stuff right? You can see from the above report that a threshold of “3” was configured, which is what this company’s lockout policy was. This was applied so that the security team would be notified of any lockouts. Now you might notice that a couple of those usernames have more than 3 failures. Soon after running this report they found out that this policy was not actually put into place globally, which was allowing more than 3 failures. This had been like this for months and no one noticed. It just goes to show you that NetFlow can be a lot more than just host-to-host conversations.

Network Security Analysis

Network monitoring with IPFIX

Now that I showed you how to monitor failed login attempts using NetFlow and IPFIX, you are probably wondering “what else can I get out of this.” Besides Windows event log reporting, we can also show you CPU and Memory usage of remote machines, as well as show you things like netstats and flows created by application. As the technology moves forward I’m sure that more elements will be able to be exported from different vendors to help increase network security as well as simple network monitoring. If you have any questions or need any assistance with setting up this feature feel free to reach out to us in support and we would be more than happy to help.