Complete visibility of network traffic is key to managing your network, protecting your assets, and investigating security incidents. Whether you need to monitor traffic in remote offices, in an isolated data closet, or in a data center, FlowPro provides the information you need to perform root-cause analysis of both network performance and security events.
FlowPro Defender adds these capabilities to FlowPro:
- Detailed layer-7 analysis of your DNS traffic to immediately alert when malware uses DNS for information exfiltration or command and control (C2)
- Identifies malware using domain generation algorithms (DGAs) that have infected hosts on your internal network
- Alerts if any DNS lookup requests are to any of several hundred thousand domains known to be associated with malware operators, or with domains that you deem to be undesirable and/or not suitable for your network
- Includes all the capabilities of FlowPro
FlowPro APM adds these capabalities to FlowPro:
- Metrics for latency in Layer 7 applications, as well as clients and servers, to better identify and troubleshoot network slowdowns and performance issues
- Ability to monitor VoIP performance to ensure the best QoS for calls and more easily troubleshoot issues
- Includes all the capabilities of FlowPro
|FlowPro™||FlowPro APM™||FlowPro Defender™|
|Obtain Traffic Visibility from All Network Locations|
|Monitor Network Traffic|
|Resolve Network Performance Issues|
|Identify Layer-7 Applications|
|Troubleshoot Latency Issues|
|Measure Application Round Trip Time|
|Packet-Level Performance Metrics|
|Physical Appliance (with up to 7 monitor ports)|
|Monitors via SPAN, mirror port, or Ethernet Tap|
|Detect Malware DNS Data Exfiltration|
|Detect Malware DNS Command and Control|
|Detect Compromised Assets Using DGAs|
|Alert on DNS Lookup to Known Malware C2 sites|
|Alert on DNS Lookup to User-Defined Domains|
|Monitor Latency for Layer 7 Applications|
|Monitor Latency for Clients/Servers|
|Monitor VoIP Performance|
FlowPro Defender provides complete visibility into all area of your network–both locally and in remote locations. It allows network and security teams to:
- Detect malware (and other applications) using DNS for data exfiltration and C2
- Resolve network performance issues and manage your network traffic
- Collect detailed packet-level performance data
- Detect and alert on internal assets infected with malware that use DGAs to “call home” to exfiltrate information and receive new instructions
- Troubleshoot VoIP and other applications that are latency sensitive
- Identify layer-7 applications, including those using encrypted protocols and non-standard ports
- Alert on domain looups to known malware C&C sites
- Define your own domain list and alert when users engage in unauthorized activities such as:
- Using social media sites
- Accessing video streaming sites
Obtain enhanced traffic visibility by sending flows to your flow collection and analysis system (e.g. Scrutinizer) and installing FlowPro in blinds spots around the network. It is ideal for remote locations that don’t have NetFlow- or IPFIX-capable exporters. FlowPro supports in-depth network investigations into network performance issues and security violations by using Deep Packet Inspection (DPI) technology to identify applications, including those using non-standard ports. Beyond providing metrics on bytes and packet counts, it delivers details on network latency and application round trip time, providing more realistic insight into performance issues. FlowPro conforms to the IPFIX IETF standards for sending information to your flow collector.
FlowPro APM Features
Cloud-hosted applications such as CRMs, back-ups, and email services put your business performance at the mercy of the Internet. Resolving issues surrounding poor connection times is often more involved than simply reviewing a bandwidth utilization trend. Packet loss, retransmits, and round trip time can all be major contributors to a poor application experience. Physical location of the end user can also be a significant factor. Is the problem isolated to a specific end system, an end user, a subnet, or the entire organization? The FlowPro Application Performance Monitor (APM) empowers network administrators to find the root cause. By monitoring all applications both internal and cloud-bound, it provides detailed visibility into each connection to help ensure that the end user experience remains optimized.
Beyond performance counters, FlowPro APM provides insight into potential configuration issues as well. VoIP quality of service is often measured with MOS score, ToS, packet loss, and jitter; however, phone calls can also be impacted by the wrong codec and the network path a call takes. FlowPro APM exports these factors in a way that makes troubleshooting easier, reducing Mean Time To Repair.
Dozens of reporting options can be customized in Scrutinizer, which allows troubleshooters to filter down and narrow in on specific patterns. With FlowPro APM, your team can ensure that the applications the business depends on stay optimized.
FlowPro Defender Features
By installing FlowPro Defender where it can observe your entire network DNS traffic, you gain details about what is entering and leaving your network over DNS. Malware operators (and some legitimate companies) abuse DNS to bypass your firewall and use your DNS servers (internal or external) to communicate directly with assets within your network. One technique encodes information such as credit card numbers into the fully qualified domain name (FQDN) sent to the DNS server. When the DNS server looks it up, it finds that the domain name does not exist. The local DNS server then forwards the request out of your network with your data, where it makes its way to an authoritative DNS server controlled by the malware operator. The malware operator can simply decode the FQDN forwarded by your DNS server and store your stolen information for later resale on the black market. Malware operators can also use the DNS reply to send an encoded response back to your asset, providing additional instructions to the malware. Using a combination of DPI and behavioral analytics, FlowPro Defender quickly identifies and alerts on assets compromised by malware using this type and other forms of DNS abuse for data exfiltration or C2.
Cisco’s analysis of malware validated as “known bad” found that the majority of that malware—91.3 percent—uses the Domain Name Service (DNS) to carry out campaigns. Through retrospective investigation into DNS queries, Cisco uncovered “rogue” DNS resolvers in use on customer networks. The customers were not aware that the resolvers were being used by their employees as part of their DNS infrastructure.” Source
FlowPro and FlowPro Defender Appliance Specifications:
|FlowPro APM™||FlowPro APM™ - 10||FlowPro™/FlowPro Defender™-S3||FlowPro™/FlowPro Defender™-H7||FlowPro™/FlowPro Defender™-H7-10|
|Form Factor||1U Rack-Mount||1U Rack-Mount||1U Rack-Mount||1U Rack-Mount||1U Rack-Mount|
|Management Ports||RJ45 GbE||RJ45 GbE||RJ45 GbE||RJ45 GbE||RJ45 GbE|
|Monitoring Ports||3x RJ45 1GbE||3x RJ45 1GbE + 2x SFP 10GbE||3x RJ45 1GbE||5x RJ45 1GbE||5x RJ45 1GbE + 2x SFP 10GbE|
|Compatible Flow Collector||All Major NetFlow Collectors||All Major NetFlow Collectors||All Major NetFlow Collectors||All Major NetFlow Collectors||All Major NetFlow Collectors|
Behavior monitoring is the best new security layer. Firewalls, antivirus, and the IDS provide good perimeter security defense. Scrutinizer and FlowPro Defender monitor internal communication behaviors as well as traffic to and from the DNS. Call Plixer at +1 (207) 324-8805 to get started with an evaluation. All systems can run on a virtual appliance.