
NetFlow Security: Tips and Tricks

Let’s talk about some network security tips and tricks for NetFlow. I have the privilege of interacting with network engineers on a daily basis, and I’ve come to realize that many have only a basic understanding of IP flow protocols and therefore are not using their NetFlow and IPFIX analyzer efficiently. Below are a few practices that can help you get more out of your NetFlow application when defending against cyber attacks.

  • Enable behavior analysis: Some threats can be detected only by looking at how traffic behaves over time, which signature-based antivirus and firewall rules are not designed to do. Your IPFIX application can baseline your traffic and flag suspicious patterns such as DDoS floods (many sources converging on one destination), hosts generating abnormal DNS activity, port and host scans (one source touching many destinations or ports with tiny flows), and P2P activity.
  • Keep up with NetFlow innovations: Exporting a more recent flow version will almost always improve visibility. NetFlow v5 is fixed to a handful of fields (addresses, ports, protocol, ToS, interface indexes and byte/packet counters), while NetFlow v9 and IPFIX use templates and can also carry application IDs, URLs, usernames and much more. Why limit yourself to source and destination IP addresses and ports when the same export can tell you which application and which user generated the traffic?
  • Let the NetFlow analyzer work for you: Your NetFlow and IPFIX analyzer continuously processes the collected flows and populates a dashboard with top interfaces, top applications, top conversations, top hosts, top subnets, top domains, top network transports and more, across your entire network. That tells you who and what is using the network, how it is being used and where the activity is occurring, and it is the natural starting point when an incident has been reported and you are wondering where to look.
  • Activate username reporting to identify internal hosts engaged in nefarious activities: Cisco ASAs and SonicWalls export usernames, which lets your traffic analyzer associate each flow with the user who generated it. If your device does not export usernames, the analyzer can build the mapping from domain controller logon events instead. Keep in mind that an IP-to-user mapping is only valid around the time of the logon, since DHCP addresses get reassigned, so the join with flow data has to be on both address and time, not address alone.
  • Turn on IP reputation monitoring: Your NetFlow solution can look up the external addresses seen in flows against IP reputation feeds and alert you when a known-bad host is detected, identifying both the external offender and the internal host that talked to it. Treat a hit as a lead rather than proof: reputation lists age, and shared hosting or CDN addresses will produce false positives that need a look at the underlying flows.
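The top-N reporting and behavior analysis described in the first and third points come down to simple aggregation over flow records. The following is an added example written for this post, not code from any NetFlow analyzer or vendor: it parses a small set of constructed flow records (a v5-style 5-tuple plus packet and byte counters, with hypothetical RFC 5737 addresses), produces top hosts and top conversations by bytes, and applies two behavioral checks, a fan-out check for scanners and a fan-in check for floods. The thresholds are assumptions chosen for the sample data; real deployments tune them to their baseline.

```python
"""Toy NetFlow post-processing: top-N reporting plus two behavior checks.

Added example. The flow records below are constructed for illustration and use
documentation (RFC 5737) and private addresses; the layout mimics a NetFlow v5
style 5-tuple plus counters and is not any specific collector's export format.
"""
from collections import Counter, defaultdict

# Constructed sample flows: src, dst, proto, sport, dport, packets, bytes
# 10.0.0.5  : normal HTTPS client
# 10.0.0.7  : sweeps several hosts/ports with single-packet flows (scanner)
# 10.0.0.30 : DNS server being hit from many external sources (flood)
SAMPLE_FLOWS = """\
10.0.0.5,93.184.216.34,6,51000,443,120,98000
10.0.0.5,93.184.216.34,6,51002,443,80,60000
10.0.0.7,10.0.0.9,6,40001,22,1,60
10.0.0.7,10.0.0.9,6,40002,23,1,60
10.0.0.7,10.0.0.9,6,40003,80,1,60
10.0.0.7,10.0.0.9,6,40004,443,1,60
10.0.0.7,10.0.0.9,6,40005,3389,1,60
10.0.0.7,10.0.0.10,6,40006,22,1,60
10.0.0.7,10.0.0.10,6,40007,445,1,60
10.0.0.7,10.0.0.11,6,40008,22,1,60
10.0.0.7,10.0.0.12,6,40009,22,1,60
10.0.0.7,10.0.0.13,6,40010,22,1,60
198.51.100.1,10.0.0.20,17,53,53,3,400
203.0.113.10,10.0.0.30,17,4000,53,1000,64000
203.0.113.11,10.0.0.30,17,4001,53,1000,64000
203.0.113.12,10.0.0.30,17,4002,53,1000,64000
203.0.113.13,10.0.0.30,17,4003,53,1000,64000
203.0.113.14,10.0.0.30,17,4004,53,1000,64000
203.0.113.15,10.0.0.30,17,4005,53,1000,64000
"""


def parse_flows(text):
    """Parse comma-separated flow records into dicts; skips blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, pkts, nbytes = line.split(",")
        flows.append({
            "src": src, "dst": dst, "proto": int(proto),
            "sport": int(sport), "dport": int(dport),
            "pkts": int(pkts), "bytes": int(nbytes),
        })
    return flows


def top_n(flows, key, n=3):
    """Rank groups (defined by key(flow)) by total bytes, highest first."""
    totals = Counter()
    for f in flows:
        totals[key(f)] += f["bytes"]
    return totals.most_common(n)


def top_hosts(flows, n=3):
    """Top sending hosts by bytes (the 'top hosts' dashboard widget)."""
    return top_n(flows, lambda f: f["src"], n)


def top_conversations(flows, n=3):
    """Top src/dst pairs by bytes (the 'top conversations' widget)."""
    return top_n(flows, lambda f: (f["src"], f["dst"]), n)


def find_scanners(flows, min_targets=8, max_pkts=3):
    """Fan-out check: sources that reach many distinct (dst, dport) pairs
    using tiny flows (<= max_pkts packets). Returns {src: distinct_targets}."""
    targets = defaultdict(set)
    for f in flows:
        if f["pkts"] <= max_pkts:
            targets[f["src"]].add((f["dst"], f["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_fan_in(flows, min_sources=5):
    """Fan-in check: (dst, dport) services contacted by many distinct sources,
    a flood/DDoS indicator. Returns {(dst, dport): distinct_sources}."""
    sources = defaultdict(set)
    for f in flows:
        sources[(f["dst"], f["dport"])].add(f["src"])
    return {svc: len(s) for svc, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("top hosts:", top_hosts(flows))
    print("top conversations:", top_conversations(flows))
    print("possible scanners:", find_scanners(flows))
    print("possible floods:", find_fan_in(flows))
```

On the sample data the top-N views are dominated by the legitimate HTTPS client, which is exactly why the behavioral checks are needed: the scanner never shows up in a bytes-based top list because each of its probes is a single 60-byte packet, and the flood only stands out when flows are grouped by distinct sources per destination rather than by volume alone.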

If you are interested in learning about some of the latest innovations in IP flow technology, give us a call and our experts will give you a quick demonstration to show you network monitoring capabilities you may not know existed.

I hope you enjoyed this blog. If you have any questions, please contact us.