Blog :: Security Operations

Security Professionals Love NetFlow and IPFIX

It has never been more dangerous to maintain your company’s on-line presence.  If your company security perimeter is breached, what should you do?  We wish it were as easy as calling 911 but, unfortunately most companies are left to investigate the incident on their own.  Often times there is no one else to turn to unless you consider consultants and even then, they will want you to provide the evidence.   What records is your company maintaining in the event that you need to perform a forensic investigation?

One of the best ways to track 100% of all traffic in and out of a network is using NetFlow.  Unlike the limitation of packet capture, flow collection can be done everywhere in fact, all major router vendors support NetFlow or IPFIX.  Administrators simply need to turn it on and stream it to a collector for analysis.

Security Professionals Love Flow Data

Security Professionals should consider every NetFlow and IPFIX router a security camera that allows them to go back in time and investigate suspect traffic reported by any number of security appliances.

network behavior analysis

In addition, they should be thinking about how flow data can benefit all departments within IT.  Although NetFlow and IPFIX are often the go to protocol for investigating potential insurgencies, it can also be leveraged by the application support group.  These individuals should be aware of application baselines and what is considered normal.

Configuring thresholds for abnormal traffic patterns could help contribute to an enterprise wide early malware detection system.  Network administrators should also be leveraging the same flow data to uncover possible routing misconfigurations or priority queuing issues among other things. They too can consider baselines and set thresholds as an early warning system. By encouraging other teams to leverage the same flows and set thresholds above baselines, the network stays cleaner and some forms of malware will more easily expose themselves.

Security Practitioners want Flow Data

Many Security Practitioners concern themselves with compliance.  Because of this, they need to make sure that the company has policies and controls in place which protect information and systems.  At the same time, they may be called up to prove that those policies and controls are enforced. Since flow data can be archived indefinitely, in many cases it allows companies to provide demonstrable evidence of IT compliance with internal governance policies, external regulations, and industry best practices like: HIPAA, FIPS, NERC, SCADA, SOX, COBIT, PCI and NPPI.

For example, flow data can be used to confirm that certain portions of the network have had absolutely no direct Internet access. It can also be used as an education mechanism to show employees that nearly everything they do on the their computer causes traffic and this traffic is scrutinized for potential malware and archived for future reference.

Using NetFlow data for security analysis?

Most companies use NetFlow and IPFIX to identify the top applications, hosts, DSCP values, etc. and investigate anything that looks abnormal.  Almost all new users of flow data identify unwanted traffic within minutes after viewing the data for the first time.  Word quickly spreads within the company that IT is watching everyone’s traffic which starts promoting a culture of self-governance when utilizing the corporate network. As the network starts to get cleaned up, performance starts to improve and then, security will start using flow data to track down issues reported by the firewall, IDS or other security appliances. NetFlow and IPFIX help provide the eyes and ears of IT in every corner of the infrastructure.  It won’t be long before they wonder how they ever got by without it.

Network Behavior Analysis

One way to take an advanced proactive security measure with NetFlow or IPFIX is to monitor for DDoS attacks or to set up thresholds that watch the volume of connections to the DNS.  For example, excessive requests (e.g. above 1000 in 1 minute) could spell trouble but, rather than risk the potential for false positives, deploy a network behavior analysis (NBA) system.  An NBA system will suppress initial events but, leverage them to build threat indexes.  Overtime, if the indexes grow due to excessive events from any number of threat detection algorithms, an alarm could eventually get triggered.  Other threat detection algorithms use logic that considers the TCP flags in flows or the ratio of unique destinations to flows initiated. Beyond the dozens of algorithms used to uncover unwanted flow patterns, an NBA system can be used to baseline behaviors assumed to be normal.  When a monitored characteristic communicates outside its normal pattern, it too will trigger an event that will cause the threat index to grow for an individual host.

With so many communications today leveraging encrypted HTTPS connections, even next generation firewalls are often ineffective at detecting some forms of malware.  NBA offers an excellent additional layer of threat detection. Learn more about our threat detection system at CiscoLive 2014 in San Francisco.