Most companies agree that business Internet security systems are a paramount concern.  Traditional security measures such as firewalls and antivirus software do not perform an important emerging detection technique: network behavior analysis.  To leverage this internal security measure, network administrators need to collect and analyze NetFlow or IPFIX from existing routers and switches.  And here’s some good news: firmware upgrades are usually not needed to take advantage of flow technology.

Internal threat detection is a growing area of concern, especially with the emergence of BYOD traffic.  Some companies are placing firewalls and other “security boxes” on high speed gigabit backbone links as another layer of protection against internally infected hosts. In fact, Forrester Research calls for a Zero Trust model in which networks are designed from the inside out.

“The redesign starts with a black box or network segmentation gateway that can handle high speeds – up to 10G interfaces. The gateway acts like a UTM appliance, but it does much more than provide firewall, antispam and content filtering features. It can add data leakage prevention capabilities, intrusion prevention and encryption to the network” said John Kindervaq, a senior analyst with Forrester Research, Inc.

Using NetFlow for security is largely about monitoring internal traffic and watching for odd traffic patterns that could indicate malware.  Flagging nefarious traffic patterns or even end systems communicating with hosts with poor Internet reputations can lead to the first symptom that is often indicative of a Command and Control infection or worse, an Advanced Persistent Threat.

Because flow data is incredibly useful at aiding the threat detection process, the Cisco ASA, Palo Alto Networks firewall and the SonicWALL firewall all export NetFlow or IPFIX.  In some cases these security appliances export threat detected messages inside NetFlow datagrams that other vendors typically send as syslogs.  Below is an example from a SonicWALL.

[Figure: SonicWALL NetFlow]

More network security vendors are using NetFlow or IPFIX exports to send messages about the threats detected or quarantined as shown above. Another example from Cisco is called Smart logging telemetry:

[Figure: Smart Logging Telemetry]

The above messages can be correlated with traditional NetFlow, which ultimately leads to increased host Threat Indexes(TM).  If the indexes reach a threshold, they can trigger alarms. The science of indexes lies in how the vendor increases and decreases them based on the age and importance of the threats detected. Persuading a vendor to open up and talk about how they compute indexes isn’t easy, as it’s often a closely guarded secret.  A well implemented index can help reduce Mean Time To Know (MTTK) as well as Mean Time To Repair (MTTR).

Although the additional security provided by NetFlow and IPFIX is significant, it should only be part of a company’s complete Unified Threat Management solution. For example, NetFlow algorithms can be used to accurately detect SYN scans, ICMP redirect issues, DDoS attacks, XMAS scans, etc. In some cases, this same mathematical searching through the flows can trigger alarms for legitimate traffic.  This is why it is important to use indexes and remember: analyzing NetFlow and IPFIX is meant to be another effective security layer.
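To make the index idea concrete, here is an added example (not Plixer's or Scrutinizer's code) that runs a SYN-scan detector over constructed NetFlow-style records, feeds the detections into a per-host threat index that decays with age, and alarms only when the index crosses a threshold. The record layout, the severity value of 5.0, the one-hour half-life and the threshold of 4.0 are all assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed flow records (not real exports), fields modelled on NetFlow v5:
# (start_s, src_ip, dst_ip, dst_port, proto, tcp_flags, bytes). proto 6 = TCP,
# tcp_flags 0x02 = SYN only, i.e. a connection attempt that never completed.
FLOWS = [(t, "10.0.0.5", "10.0.0.20", 1000 + t, 6, 0x02, 60) for t in range(12)]
FLOWS += [(30, "10.0.0.7", "10.0.0.20", 443, 6, 0x1b, 48210),   # normal HTTPS
          (31, "10.0.0.7", "10.0.0.21", 445, 6, 0x02, 60),      # one failed SMB
          (32, "10.0.0.7", "10.0.0.22", 445, 6, 0x02, 60)]      # attempt each

def syn_scan_events(flows, window_s=60, min_ports=10):
    """One event per (src, dst) whose SYN-only TCP flows touch >= min_ports
    distinct destination ports inside one window. Returns (time, src, severity)."""
    ports = defaultdict(set)  # (src, dst, window bucket) -> distinct dst ports
    for start, src, dst, dport, proto, flags, _ in flows:
        if proto == 6 and flags == 0x02:
            ports[(src, dst, start // window_s)].add(dport)
    # Event is stamped at the end of its window; severity is a fixed 5.0 here.
    return [((bucket + 1) * window_s, src, 5.0)
            for (src, dst, bucket), p in ports.items() if len(p) >= min_ports]

def threat_index(events, host, now_s, half_life_s=3600):
    """Host index: sum of event severities, each halved every half_life_s, so
    old detections fade while repeated recent ones accumulate."""
    return sum(sev * 0.5 ** ((now_s - t) / half_life_s)
               for t, src, sev in events if src == host and t <= now_s)

def alarms(flows, now_s, threshold=4.0):
    """Hosts whose decayed index is at or above the alarm threshold at now_s."""
    events = syn_scan_events(flows)
    hosts = {src for _, src, _ in events}
    return sorted(h for h in hosts if threat_index(events, h, now_s) >= threshold)
```

Note that 10.0.0.7's two single-port SYN attempts never become an event, which is the aggregation that keeps ordinary failed connections from raising an alarm.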




Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.

