FlowPro Series
Complete visibility of network traffic is key to managing your network, protecting your assets, and investigating security incidents. While Scrutinizer collects network traffic data directly from a wide variety of infrastructure devices, there are many situations where FlowPro can be deployed to deliver additional, valuable network and security insights. FlowPro provides deep packet inspection, application fingerprinting, application performance, and visibility from Layer 2 through Layer 7. It also gives you the ability to monitor domain name system (DNS) traffic to identify the fully qualified domain names for encrypted web traffic, protocol anomalies, and malicious activity.
This single platform enables network operations to efficiently manage and optimize the network, while simultaneously enabling security operations to lower risk, gain data context, and respond quickly to security incidents. Whether you need to monitor traffic in remote offices, an isolated data closet, or a full data center, FlowPro provides the information you need to perform root-cause analysis of both network performance and security events.
FlowPro for Security
By installing FlowPro Defender where it can observe your entire network DNS traffic, you gain details about what is entering and leaving your network over DNS.
Ninety-one percent of malware today uses DNS in its attacks. Specifically, malware creators abuse DNS to bypass your firewall and use your DNS servers (internal or external) to communicate directly with assets within your network.
One technique encodes information such as credit card numbers into the fully qualified domain name (FQDN) sent to the DNS server. When the DNS server looks it up, it finds that the domain name does not exist. The local DNS server then forwards the request out of your network with your data, where it makes its way to an authoritative DNS server controlled by the malware creator. The malware creator can simply decode the FQDN forwarded by your DNS server and store your stolen information for later resale on the black market. Malware creators can also use the DNS reply to send an encoded response back to your asset, providing additional instructions to the malware.
Using a combination of deep packet inspection (DPI) and behavioral analytics, FlowPro Defender quickly identifies and alerts on assets compromised by malware that has leveraged various forms of DNS abuse for data exfiltration or C2.
FlowPro for Networking
Cloud-hosted applications such as CRM systems, backups, and email services put your business performance at the mercy of the internet. Resolving issues around poor connection times is often more involved than merely reviewing a bandwidth utilization trend. Packet loss, retransmits, and round-trip time can all be major contributors to a poor application experience. The physical location of the end user can also be a significant factor. Is the problem isolated to a specific end system, an end user, a subnet, or the entire organization?
FlowPro Application Performance Monitor (APM) empowers network administrators to find the root cause. By leveraging DPI to monitor critical application traffic, both internal and cloud-bound, it provides detailed visibility into each connection to help ensure that the end-user experience remains optimized.
Beyond performance information, FlowPro APM provides insight into potential configuration issues as well. VoIP quality of service is often measured with MOS score, ToS, packet loss, and jitter; however, phone calls can also be affected by the wrong codec and the network path a call takes. FlowPro APM exports these factors in a way that makes troubleshooting easier, reducing Mean Time to Resolution.
| FlowPro | FlowPro APM | FlowPro Defender | FlowPro APM-Defender | |
|---|---|---|---|---|
| Obtain traffic visibility from all network locations |  | | | |
| Monitor network traffic | | | | |
| Virtual appliance available | | | | |
| Physical appliance (with up to 7 monitor ports) available | | | | |
| Monitors via SPAN, mirror port, or ethernet tap | | | | |
| ERSPAN support | | | | |
| Troubleshoot latency issues | | | ||
| Measure application round trip time | | | ||
| Packet-level performance metrics | | | ||
| Resolve network performance issues | | | ||
| Identify Layer 7 applications | | | ||
| Monitor latency for Layer 7 applications | | | ||
| Monitor latency for clients/servers | | | ||
| Monitor VoIP performance | | | ||
| Detect malware DNS data exfiltration | | | ||
| Detect malware DNS Command and Control | | | ||
| Detect compromised assets using DGAS | | | ||
| Alert on DNS lookup to known malware C2 sites | | | ||
| Alert on DNS lookup to user-defined domains | | | ||
| FQDN reporting | | | ||
| DNS performance visibility | | |
Cisco’s analysis of malware validated as “known bad” found that the majority of that malware—91.3 percent—uses the Domain Name Service (DNS) to carry out campaigns. Through retrospective investigation into DNS queries, Cisco uncovered “rogue” DNS resolvers in use on customer networks. The customers were not aware that the resolvers were being used by their employees as part of their DNS infrastructure.” Source
Social Media