Wouldn’t performing a Network Threat Investigation be easier if you had a network traffic security camera on every router and switch? You’re in luck. Right now, on your network as you read this post the local router is watching and analyzing every packet created by your connection to this IP address. Why not enable your routers network security camera capabilities. Our upcoming webcast on Cisco AVC is titled:
Cisco AVC Flow Exports turn Routers into Security Surveillance Solutions
Cisco AVC IPFIX Webcast
Webcast attendees will gain insight on:
- The benefits Cisco AVC brings to cloud applications
- Hardware platforms it is available on
- Network performance monitoring using Cisco AVC
- Network Surveillance and Threat Investigation using Scrutinizer and Cisco AVC
- September 26 – 10:00AM EDT [Registration Closed]
- September 26 – 4:00PM EDT [Registration Closed]
QUESTION: When a department stores security suspects shoplifting, what do they turn to in order to investigate the incident?
ANSWER: The security cameras
Network Threat Investigation
It seems to reason that network threat investigation would include a similar practice but, where are the cameras? Answer: Every major brand of router is capable of exporting NetFlow or IPFIX. Flow technologies provide the all-seeing eyes on the network. Just as you can’t walk in or out of Wal-Mart(TM) without passing by a camera, the same holds true when it comes to routers, switches and firewalls. All major firewalls also support NetFlow or IPFIX.
Many switches can export NetFlow or IPFIX as well. However, don’t count on sFlow. Due to the sampling nature of sFlow, you don’t even end up with a snap shot of what happened. Because sFlow only samples packets, it might only capture the image of the plant or the grocery carriage next to the guy who stole the goods.
Network Security Forensics
Network security forensics is part of the business of NetFlow. These technologies are playing larger and larger roles in Network and Application Performance Monitoring, accounting and billing, regulation compliance, network threat detection and of course network threat investigation. BUT, something else is also happening!
NetFlow and sFlow are proprietary technologies that have evolved into a true IETF standard called IPFIX. And more and more vendors (e.g. F5 Networks as of late) are exporting richer contextual details (e.g. latency, packet loss, jitter, retransmits, HTTP host, caller ID, etc.). This means more flows resulting in a need for a collector which can scale to meet the growing flow volumes. If your legacy NetFlow collector maxes out at 20K flows per second (1.8 million flows / minute), it might be time to consider an upgrade. Also, powerful filtering is an absolute must with the ability to include and exclude your way down to the specific flows desired. Your next solution should allow you to save the report, schedule it and even use it to set a threshold to watch for matching traffic patterns.
If you aren’t using your routers, switches, firewalls and servers as network traffic security cameras, it might be time to consider them for this purpose. Make sure your current flow solution ‘DVR’ has the capacity to store all the footage and be sure to join our webcast.