White Paper 14 Ways to Leverage NetFlow for Network Performance & Security


White Paper: 14 Ways to Leverage NetFlow for Network Performance & Security
Network Performance + Security Monitoring
Lancope, Inc, Brookside Pkwy, Suite 400, Alpharetta, GA
Tel: Intl: +44 (0) sales@lancope.com

Table of Contents

- Overview of NetFlow
- Visibility Into All Areas of the Network
- Answering "Why Is the Network Slow?" End-User Complaints
- Internal IDS
- Identifying Slow Responding Applications
- VM2VM Communications Monitoring and Security
- MPLS Network Monitoring
- Remote Office and Off-site Location Monitoring
- Data Leakage
- Botnet Detection
- Worm Detection
- Compliance: HIPAA, PCI, SCADA, etc.
- QoS Monitoring
- Capacity Planning
- Association of Log Data
- Conclusion: Filling in the Gaps with NetFlow

Overview of NetFlow

NetFlow Provides In-Depth Network Visibility

Today's corporate network is continuously evolving and growing in complexity. This environment calls for more innovative and comprehensive ways of obtaining the insight needed to maintain secure, high-performance networks. NetFlow is a core technology built into many Cisco routers and switches that automatically logs all host-to-host conversations. When people consider NetFlow, they often think of simple traffic analysis and top-talker reports. However, NetFlow offers much more. After a brief overview, this paper explores 14 ways you can leverage NetFlow to cost-effectively and dramatically improve network performance and security.

NetFlow can be used to collect data across a wide range of distributed physical and virtual networks, from small branch offices to 10G data centers. This data then becomes the core resource for solutions such as Lancope's StealthWatch to achieve the following objectives (at a fraction of the cost of traditional monitoring solutions):

- Increase network visibility
- Enhance security posture
- Improve network operations and performance
- Monitor and improve application performance
- Minimize costly and damaging downtime
- Help organizations achieve and maintain compliance

By leveraging NetFlow from existing routers and switches, StealthWatch provides the in-depth network visibility and actionable insight required to identify and troubleshoot a wide range of network and security issues.

NetFlow: A Phone Bill for Your Network

As a core Cisco technology, NetFlow has quickly become a de facto industry standard. In addition, many other manufacturers now make NetFlow-compatible devices. A range of NetFlow variants have also been introduced to the market under other names (CFlow, J-Flow, Flexible NetFlow and IPFIX, to name a few).

What makes NetFlow both powerful and unique is its ability to automatically create continuous records of all conversations traveling through a NetFlow-enabled router or switch. Each communication session provides critical information for more than 80 attributes, including the following seven fields:

- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type
- Type-of-service byte
- Input logical interface

If any two network packets match on all seven of these fields, NetFlow assigns them to the same flow. The router or switch harvests these flows and then sends them to a flow collector.

Figure: Routers/switches send NetFlow data to flow collectors for processing.
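As an added illustration (not code from this paper or from Lancope), the following Python script shows how packets are grouped into flow records on the seven-field key just listed, and how a router-style flow cache exports a record once the flow has gone idle or lived past its active timeout. The packet trace, the timeout values and the interface indexes are constructed for the example.

```python
"""Aggregate packets into NetFlow-style flow records keyed on the seven fields
listed above. Added example; the packets, timeouts and interface indexes are
constructed for illustration, not taken from any Cisco exporter."""
from dataclasses import dataclass


@dataclass
class FlowRecord:
    key: tuple          # (src_ip, dst_ip, src_port, dst_port, proto, tos, in_ifindex)
    first_seen: float   # timestamp of the first packet in the flow (seconds)
    last_seen: float    # timestamp of the most recent packet
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0  # cumulative OR of TCP flags, as exporters report it


def flow_key(pkt):
    """The seven-field key: packets matching on all seven belong to the same flow."""
    return (pkt["src_ip"], pkt["dst_ip"], pkt["src_port"], pkt["dst_port"],
            pkt["proto"], pkt["tos"], pkt["in_ifindex"])


def build_flows(packets, active_timeout=1800.0, inactive_timeout=15.0):
    """Mimic a router's flow cache: packets with the same key are merged until the
    flow goes idle (inactive timeout) or has lived too long (active timeout), at
    which point the record is 'exported' and a fresh one is started."""
    cache = {}      # key -> FlowRecord still being accumulated
    exported = []   # records handed to the collector, in export order
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        key = flow_key(pkt)
        rec = cache.get(key)
        if rec is not None and (pkt["ts"] - rec.last_seen > inactive_timeout
                                or pkt["ts"] - rec.first_seen > active_timeout):
            exported.append(cache.pop(key))
            rec = None
        if rec is None:
            rec = FlowRecord(key=key, first_seen=pkt["ts"], last_seen=pkt["ts"])
            cache[key] = rec
        rec.packets += 1
        rec.octets += pkt["length"]
        rec.last_seen = pkt["ts"]
        rec.tcp_flags |= pkt.get("tcp_flags", 0)
    exported.extend(cache.values())  # flush whatever is still active at end of capture
    return exported


def _pkt(ts, src_ip, dst_ip, src_port, dst_port, proto, length, tcp_flags=0, tos=0, in_ifindex=3):
    return {"ts": ts, "src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port,
            "dst_port": dst_port, "proto": proto, "tos": tos, "in_ifindex": in_ifindex,
            "length": length, "tcp_flags": tcp_flags}


# Constructed packet trace: one HTTPS session, its return direction, a DNS lookup,
# and a FIN arriving after the session has sat idle longer than the inactive timeout.
SAMPLE_PACKETS = [
    _pkt(0.00, "10.1.1.5", "10.2.2.10", 51234, 443, 6, 60, tcp_flags=0x02),                # SYN
    _pkt(0.01, "10.2.2.10", "10.1.1.5", 443, 51234, 6, 60, tcp_flags=0x12, in_ifindex=1),  # SYN/ACK: reverse direction is a different key
    _pkt(0.02, "10.1.1.5", "10.2.2.10", 51234, 443, 6, 52, tcp_flags=0x10),                # ACK
    _pkt(0.50, "10.1.1.5", "10.2.2.10", 51234, 443, 6, 1500, tcp_flags=0x18),              # PSH/ACK with data
    _pkt(1.00, "10.1.1.5", "10.3.3.53", 40000, 53, 17, 70),                                 # UDP DNS query
    _pkt(60.0, "10.1.1.5", "10.2.2.10", 51234, 443, 6, 52, tcp_flags=0x11),                # FIN/ACK after 59.5 s idle
]

if __name__ == "__main__":
    for rec in build_flows(SAMPLE_PACKETS):
        print(rec.key, rec.packets, "pkts", rec.octets, "octets", hex(rec.tcp_flags))
```

Note that NetFlow records are unidirectional: the SYN/ACK from the server lands in its own flow because source and destination are swapped, and the collector is what stitches the two halves back into a conversation. The FIN that arrives after the idle gap starts a second record for the same key, which is why a long session can show up as several flow records.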

A flow is analogous to a phone conversation. Each month, your phone bill provides an itemized list of all of the calls that were placed, when they were placed, minutes used, rate type, and the call destination. NetFlow is essentially a telephone bill for your network, providing similar details about each flow.

Figure: Similar to a phone bill, NetFlow provides details about each flow conversation on your network.

A single NetFlow packet can contain details on as many as 30 flows. These details are invaluable in understanding individual and collective communications between clients and servers on the network. The user interface in Lancope's StealthWatch System makes reading this data easy through the use of tables, diagrams and graphs. When you combine individual flow records together over a certain time period, you can then create higher-level traffic and bandwidth graphs. This type of data is useful for an overall understanding of how bandwidth is being used across the network.

Figure: NetFlow offers insight into enterprise-wide traffic all the way down to individual flows.

NetFlow Meets IT Challenges Head On

Recent surveys have shown that when it comes to monitoring and protecting their networks, organizations tend to face the same 14 challenges:

1. Visibility Into All Areas of the Network
2. Answering "Why Is the Network Slow?" End-User Complaints
3. Internal IDS
4. Identifying Slow Responding Applications
5. VM2VM Communications Monitoring and Security
6. MPLS Network Monitoring
7. Remote Office and Off-site Location Monitoring
8. Data Leakage
9. Botnet Detection
10. Worm Detection
11. Compliance: HIPAA, PCI, SCADA, etc.
12. QoS Monitoring
13. Capacity Planning
14. Association of Log Data

Most IT administrators are amazed to learn that NetFlow analysis can help address all of these challenges.

1. Visibility Into All Areas of the Network

Evolving business and IT trends such as globalization, virtualization, IT consumerization, Web 2.0 and user mobility are adding exponential amounts of traffic, applications and complexity to corporate networks. These trends are also creating what is referred to as the "vanishing perimeter" within enterprises. All of these factors cloud network visibility, and unfortunately, you can't protect what you can't see.

Without NetFlow, achieving 100% visibility into the network is difficult and costly. Traditional methods, including placing a sniffer or a physical probe on each individual network segment, quickly become cumbersome to deploy, manage and maintain, especially as networks grow. In addition, using probes can cost as much as 15 times more than using NetFlow. NetFlow leverages a company's existing investment in its routers and switches. After spending thousands of dollars on routers and switches, why would a company deploy additional, expensive hardware surveillance points when they essentially already have probes, their routers and switches, in place?

Suppose an organization with NetFlow-capable routers wants to understand what is going on at each of its 15 WAN sites. By simply enabling NetFlow on the routers at each of these sites and pointing them to a flow collector, such as the StealthWatch Xe FlowCollector, the organization immediately gains complete visibility into the communications within those sites without deploying any additional equipment. Using NetFlow helps to eliminate network blind spots with end-to-end visibility into all network and application traffic across both physical and virtual environments.

For areas of the network that are not NetFlow-enabled, or where operators need deeper visibility into packet data, Lancope offers the StealthWatch FlowSensor, a low-cost NetFlow generator. Simply direct the FlowSensor toward any NetFlow v9-capable flow collector to derive the valuable detailed traffic statistics that only NetFlow can deliver for both physical and virtual environments. When combined with the StealthWatch FlowCollector, the FlowSensor also provides deep insight into performance metrics and behavioral indicators. Leveraging existing NetFlow data to its fullest potential enables organizations to regain the network visibility required to easily prevent costly, damaging network and security issues.

2. Answering "Why Is the Network Slow?" End-User Complaints

Probably the most common call that the network engineering team receives is the complaint call from an end-user that "the network is slow." SNMP monitoring tools might be able to detect a bandwidth spike, but they can't drill down to see what or who is causing the problem. Some organizations will try to move a portable sniffer over to the network segment where they think the problem is, but by the time the sniffer is deployed, the problem has often resolved itself, and no root cause is ever determined. This becomes incredibly frustrating for the network team.

With StealthWatch, those "why is the network slow?" complaint calls can easily be solved with in-depth visibility for troubleshooting all the way down to the exact user. First, the system can automatically display the end-user's User ID; there's no need to even run ipconfig to determine the end-user's IP address. Integration with a back-end user authentication store such as Active Directory, Novell eDirectory, LDAP, RADIUS servers, and even VPN concentrators will show the IP address that the end-user is currently logged into. Double-clicking on the IP address will show the interfaces used in order to traverse the network.

We see that Ethernet 3 has spiked to over 90% on its outbound utilization summary, while Ethernet 1 has spiked to nearly 97% from an inbound perspective. Clicking on one of the interfaces will identify the root cause of the traffic spike and identify the actual conversation and host pairs using up all the bandwidth. Using the underlying flow data, we find that the conversation between the two hosts on the first line has been saturating the Ethernet 3 interface at nearly 1 Mbps. From here, it is easy to find the User ID of the internal host and go knock on the person's office door to ask them to stop their Facebook or music streaming session, since they are impairing network performance for other users.

3. Internal IDS

While they can be effective in certain situations, perimeter-based defenses definitely have their limitations. For example, many companies have deployed signature-based IDS/IPS at the perimeter of their networks. These solutions have to be deployed inline or via a passive network tap or SPAN/mirror port. It therefore quickly becomes too costly to deploy a signature-based IDS/IPS sensor on every network segment or at each remote office.

Alternatively, NetFlow data can be used to provide cost-effective internal IDS functionality by turning on the inherent NetFlow capabilities within each router and Layer 3 switch. NetFlow records are used to create a baseline of typical or "normal" behavior for every single host within the network. Once the normal behavior is defined, anomalies can be identified by analyzing the NetFlow data in near real time. By facilitating behavior-based anomaly detection, NetFlow can provide organizations with effective internal network protection.

It's much easier to define the "known good" than the "known bad." The known bad is nearly infinite, but the known good is a much easier set of parameters to define. As the NetFlow data comes in, a series of steps are taken:

In this method, hosts that are misbehaving can be quickly identified. In other words, of the 5,000 hosts on the network, which of the hosts are introducing the most risk at this point in time? With StealthWatch's behavioral analysis, it is easy to leverage NetFlow data to identify the top offending hosts on the network.

The analysis of the NetFlow data has determined that the host on the top line above is the most misbehaving host on the network. Double-clicking on the IP address of the offending host will show details including exactly what the host has been doing to become a concern, who it is targeting, active conversations, network path, services profile, other alarms, the User ID of the end-user and the physical MAC address of the end-user's machine. Leveraging NetFlow with powerful tools such as StealthWatch enables organizations to address the vanishing perimeter and provide comprehensive internal security for issues not handled by perimeter defenses.

4. Identifying Slow Responding Applications

According to Gartner, over 80% of end-user complaint calls about network sluggishness actually have nothing to do with the network. The root cause in fact often turns out to be an application or server responding more slowly than normal. Fortunately, Lancope's StealthWatch FlowSensor technology can take advantage of Flexible NetFlow to package in statistics about Round Trip Time (RTT) and Server Response Time (SRT), allowing organizations to diagnose whether a "network problem" is actually an application that is responding more slowly than normal. In the example below, we are looking at both the network piece (RTT, the time it takes to complete the initial three-way handshake between client and server) and the application response metric (Server Response Time, aka SRT, the time it takes the server to respond to the request from the client). Throughout the last two hours on the graph, we see that the Round Trip Time has been pretty consistent (sub-100 milliseconds) but that the Server Response Time has spiked on several occasions, up over 1000 milliseconds on three occasions.
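To make the two metrics concrete, here is an added Python example (not Lancope's FlowSensor code) that derives RTT and SRT from a constructed packet timeline exactly as the text defines them, RTT as the time to complete the three-way handshake and SRT as the time from a client request to the server's reply, and then flags SRT samples above a per-application threshold. The packet timeline and the 50 ms default threshold are assumptions for the example.

```python
"""Compute RTT (time to complete the three-way handshake) and Server Response Time
(request to first byte of reply) from a packet timeline, then flag SRT samples that
exceed a per-application threshold. Added example with a constructed timeline."""
from dataclasses import dataclass


@dataclass
class Pkt:
    ts: float     # seconds since start of capture
    src: str
    flags: str    # "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" PSH/ACK
    payload: int  # application bytes carried


def handshake_rtt_ms(pkts, client, server):
    """RTT as defined above: client SYN until the client's ACK that completes the handshake."""
    seq = sorted(pkts, key=lambda p: p.ts)
    syn = next(p for p in seq if p.src == client and p.flags == "S")
    synack = next(p for p in seq if p.src == server and p.flags == "SA" and p.ts > syn.ts)
    ack = next(p for p in seq if p.src == client and p.flags == "A" and p.ts > synack.ts)
    return round((ack.ts - syn.ts) * 1000)


def server_response_times_ms(pkts, client, server):
    """SRT per request: client data packet until the next server packet carrying data."""
    srts, pending = [], None
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.src == client and p.payload > 0 and pending is None:
            pending = p.ts                       # request sent, wait for the reply
        elif p.src == server and p.payload > 0 and pending is not None:
            srts.append(round((p.ts - pending) * 1000))
            pending = None
    return srts


def srt_alarms(srts_ms, threshold_ms):
    """Samples above the threshold; the threshold is tuned per application (50, 60, 1000 ms ...)."""
    return [s for s in srts_ms if s > threshold_ms]


def analyze(pkts, client, server, srt_threshold_ms=50):
    srts = server_response_times_ms(pkts, client, server)
    return {"rtt_ms": handshake_rtt_ms(pkts, client, server),
            "srt_ms": srts,
            "srt_alarms": srt_alarms(srts, srt_threshold_ms)}


CLIENT, SERVER = "10.1.1.5", "10.2.2.10"
# Constructed conversation: 80 ms handshake, three requests, the second answered slowly.
SAMPLE = [
    Pkt(0.000, CLIENT, "S", 0),
    Pkt(0.040, SERVER, "SA", 0),
    Pkt(0.080, CLIENT, "A", 0),
    Pkt(0.100, CLIENT, "PA", 300),   # request 1
    Pkt(0.130, SERVER, "PA", 1200),  # reply after 30 ms
    Pkt(1.000, CLIENT, "PA", 280),   # request 2
    Pkt(2.100, SERVER, "PA", 900),   # reply after 1100 ms: the application, not the network, is slow
    Pkt(3.000, CLIENT, "PA", 310),   # request 3
    Pkt(3.040, SERVER, "PA", 1100),  # reply after 40 ms
]

if __name__ == "__main__":
    print(analyze(SAMPLE, CLIENT, SERVER))
```

The steady 80 ms RTT next to a 1100 ms SRT sample is the signature the text describes: the network path is fine, and the server took the time. A flow exporter that packages these two values per conversation lets the collector raise the SRT alarm without any packet capture at the application server.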

Now, let's view a visual map for the SAP application that is accessed by various offices around the world. Using just Flexible NetFlow, we see that there is an issue in the multi-tiered SAP application. The application server is taking an average of 20,035 milliseconds to respond to requests from the front-end Web servers. By observing this application and its tiers over time, we know that the application server normally responds in less than 50 milliseconds. An alarm can be generated whenever that SRT value spikes above 50 milliseconds. It is flexible enough so that the alarm can be triggered only at the point when performance actually suffers, which depending on the specific application could be 60 milliseconds or it could be 1,000 milliseconds. Depending on the application, alarm thresholds for SRT values can be customized to suit an organization's needs.

In the above example, one can double-click on the SRT alarm and drill into the individual NetFlow records to look at which flows experienced higher than normal Server Response Times. From there, one might drill into the application server itself to examine its behavior immediately prior to its high SRT values. Perhaps it's fielding a larger than normal number of requests, which would dictate a certain course of action; an entirely different course of action would be taken if, five minutes before the spike in the SRT, a host from the Russian Federation uploaded a 128 Kb file to the application server. That's the true power of NetFlow: providing the context around any event or anomaly occurring within a host to quickly pinpoint the root cause of issues and reduce Mean Time To Know (MTTK).

Figure: StealthWatch and NetFlow enable organizations to regain visibility over virtual environments.

5. VM2VM Communications Monitoring and Security

Server virtualization delivers many benefits, including decreased hardware maintenance and energy costs, recovered data center floor space, higher availability, reduced disaster recovery costs, faster server deployments, maximized server capacity and increased flexibility for development and testing environments. Unfortunately, organizations are discovering a multitude of network traffic and security challenges associated with migrating to virtualized server environments. Because traditional network and security devices cannot see virtual-machine-to-virtual-machine (VM2VM) communications, problem identification and resolution are complicated. Therefore, the cost of monitoring and securing these communications can potentially erase the cost savings typically associated with virtual environments.

By enabling NetFlow inside the virtual servers, you can see any VM communication, including VM2VM communications that never touch the physical network and that leave organizations vulnerable to hidden threats. Without this visibility, no organization can claim that they are fully aware of what is going on within the corporate network. This level of visibility can be achieved with tools such as the StealthWatch FlowSensor VE (virtual edition). The FlowSensor VE installs as its own guest OS on each VMware host OS and observes all VM communications, creating individual NetFlow records for out-of-band analysis. No VM traffic escapes the attention of this guest OS. In addition, the FlowSensor VE can pull deep network and application performance metrics, such as Round Trip Time, Server Response Time and TCP packet loss measures. Therefore, an organization can honestly ensure that virtualized applications are responding within established parameters and determine whether an application, the network or a security concern is causing any delay in performance.

NetFlow enables administrators to perform the following critical tasks for virtual environments:

- Identify when a VM is generating an excessive amount of traffic
- Determine which services are offered by each VM
- Know when anomalous traffic is introduced into the virtual environment
- Secure VMs without introducing undue administrative burden and performance issues
- Detect unauthorized VM access
- Alert on misconfigured firewalls within the virtual environment
- Monitor VMs that travel between physical machines (i.e., VMotion events)

With flow data, organizations can obtain the same level of visibility into virtual networks that they can achieve within physical environments.

6. MPLS Network Monitoring

MPLS delivers many benefits, including reduced congestion due to added flow path control, easier creation of VPN tunnels, Quality of Service and reduced network complexity. MPLS allows users to maintain secured communications through the cloud without purchasing point-to-point links or managing a large number of VPN encryption devices. In many cases, it reduces the load on WAN links by allowing remote locations to communicate with each other directly rather than being forced to go through a centralized location to route traffic. Unfortunately, enterprises are discovering a number of problems with their traditional monitoring and security solutions after transitioning.

Prior to MPLS, probe-based solutions offered a cost-effective means of monitoring network traffic for traffic analysis and/or IDS functions. This was possible through deploying probes at the hub locations, because all data was required to pass through these points. In order for traffic to travel from the Seattle, WA facility to the Denver, CO facility, it had to first pass through the Atlanta, GA data center, as depicted by the orange arrows in Figure 1. With this network model, the probe in the Atlanta data center inspects all traffic passing between facilities. It is important to realize, however, that this visibility can only be maintained as long as traffic reliably passes through the hub.

Figure 1

MPLS introduces the potential for the spokes to communicate directly with one another, bypassing the hubs and the security devices resident within them. As depicted by the orange arrow in Figure 2, traffic can now travel from the Seattle, WA facility to the Denver, CO facility without first going through the Atlanta hub. Consequently, all facilities can communicate with, and infect, one another without the protection of an IDS at the hub, thereby eliminating visibility and security for this inter-facility network traffic.

So, in order to monitor an MPLS network effectively, there are really only two options. The first option would be to place a sensor or probe at each MPLS site, often a very costly and difficult-to-manage proposition. The second option is to turn on NetFlow at each of the MPLS sites and export the flow data to a centrally located collection and analysis technology. This is a very cost-effective option in that it leverages the existing investment already made in routers and switches within the MPLS network. Most MPLS network providers will gladly turn on NetFlow for those devices.

Figure 2

With NetFlow enabled, it is easy to determine the root cause of congestion and other issues on MPLS networks. NetFlow and tools such as StealthWatch allow organizations to embrace progressive IT trends while still maintaining control over network performance and security.

7. Remote Office and Off-site Location Monitoring

As previously mentioned, in years past the only way to achieve remote office monitoring was to install an appliance at each site or hope that monitoring at the core of the network would be sufficient. Neither method will work for most organizations today. Probe-heavy deployments generally fail due to the cost and complexity of putting a probe at each location. Core monitoring alone is not sufficient for today's meshed networks because not all communication traverses the core.

Employing NetFlow turns each router and Layer 3 switch at the remote site into a surveillance point. Each location generates its own NetFlow data that can be used for cost-effective remote site monitoring. Because NetFlow is so lightweight, typically adding less than 1% to the total amount of switched traffic, it is a viable option to export NetFlow across the WAN to a single collector device. This eliminates the need for onsite hardware to be purchased for remote offices.

In this example, the Seattle, San Francisco, Austin and New York offices are exporting NetFlow data to a single NetFlow collection device located in Atlanta. If a problem occurs in the Seattle office, NetFlow can be used to determine the root cause of the issue. It could be that a WAN router in Seattle is overburdened, or perhaps a core device in Atlanta is saturated. Or perhaps the custom business application the end-user is trying to access is responding more slowly than normal, or the end-user's machine in Seattle is infected with a worm, causing it to slow down under the weight of the worm activity.

Utilizing just StealthWatch, a logical representation of a company's WAN infrastructure can be created and monitored in near real time with only a single piece of hardware. In this NetFlow-fed WAN map, we see all of the WAN sites and how they feed back into the Atlanta data center. We can look at traffic levels and application-level traffic flowing across the WAN. If any alarm conditions arise, an alarm bubble will materialize, letting the operator know that, for example, the Los Angeles WAN site is experiencing an issue such as a SYN Flood or DDoS condition.

With NetFlow, organizations do not have to fear that evolving their networks to meet future challenges will result in a loss of visibility, performance or security.

8. Data Leakage

A multitude of high-profile incidents have demonstrated the dire consequences of letting confidential information leave the protection of the enterprise: from theft, monetary losses and a ruined reputation to the entire demise of a company. StealthWatch uses NetFlow to provide a window into this challenge by identifying hosts that have uploaded atypically large amounts of data to unapproved Internet destinations. If a host normally uploads 10 Mb of data a day, and all of a sudden that spikes up to 100 Mb or 1 Gb of data, that would be something that should be investigated, even if it proves innocuous.

In the above example, the host on the top line was only expected to upload 2.91 Mb of data, but over the course of the day, it actually uploaded Mb of data. Despite a high tolerance for change for this host (no alarm would have been generated below 9.54 Mb), a significant change in this host's uploading behavior has triggered an alarm. With NetFlow, all of the flow records that made up that total level of uploads can easily be pulled back and examined one by one. In the above example, one flow record sticks out.

StealthWatch is adept at identifying problems and laser-focusing on areas where personnel and time resources need to be spent. In the above example, we can delve into the internal host in question and look at its snapshot, which is a view of everything that we know about this host, including who is logged into it. With NetFlow enabled, we also have the ability to drill down into every single conversation that this person has had on the network for the last 3 to 12 months, depending on the size and speed of an organization's network (as seen below).
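The baseline-and-tolerance logic that both the Internal IDS section and this Data Leakage section rely on, as an added Python example (not StealthWatch's algorithm): each inside host gets an expected daily upload volume from its own history, an alarm line some tolerance above that, and when today's inside-to-outside total crosses the line the flow records behind the total are returned largest first so that the one record that "sticks out" is on top. The history, the flow records, the inside address space and the mean-plus-k-standard-deviations tolerance model are all constructed assumptions.

```python
"""Per-host upload baseline with tolerance band, applied to a day's flow records.
Added example serving both the Internal IDS baseline idea and the Data Leakage
section; the history, flows, inside address space and the mean + k*stdev
tolerance model are all constructed assumptions, not StealthWatch's algorithm."""
import statistics
from collections import defaultdict

INSIDE_PREFIXES = ("10.", "192.168.")   # assumed inside address space


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIXES)


def expected_and_threshold(history_mb, k=3.0, min_tolerance_mb=1.0):
    """Baseline = mean of past daily uploads; alarm line = mean + k standard deviations,
    with a floor so that a very steady host is not alarmed by a trivial change."""
    mean = statistics.mean(history_mb)
    sd = statistics.pstdev(history_mb)
    return mean, mean + max(k * sd, min_tolerance_mb)


def upload_alarms(history_mb, today_flows, k=3.0, min_tolerance_mb=1.0):
    """Return hosts whose inside->outside upload total today exceeds their threshold,
    together with the flows that made up the total, largest first."""
    totals, by_host = defaultdict(int), defaultdict(list)
    for src, dst, dport, nbytes in today_flows:
        if is_inside(src) and not is_inside(dst):     # only uploads leaving the enterprise count
            totals[src] += nbytes
            by_host[src].append((src, dst, dport, nbytes))
    alarms = {}
    for host, total in totals.items():
        hist = history_mb.get(host)
        if not hist:
            continue                                  # no baseline yet: observe, don't alarm
        expected, threshold = expected_and_threshold(hist, k, min_tolerance_mb)
        observed = total / 1e6
        if observed > threshold:
            alarms[host] = {
                "expected_mb": round(expected, 2),
                "threshold_mb": round(threshold, 2),
                "observed_mb": round(observed, 2),
                "flows": sorted(by_host[host], key=lambda f: f[3], reverse=True),
            }
    return alarms


# Constructed history: MB uploaded to Internet destinations per day over the past week.
HISTORY_MB = {
    "10.1.1.5": [2.8, 3.1, 2.9, 3.0, 2.7, 3.2, 2.7],        # a quiet workstation
    "10.1.1.9": [40.0, 38.5, 41.2, 39.0, 42.0, 40.5, 39.8],  # a busy but consistent host
}

# Constructed flow records for today: (src, dst, dst_port, bytes sent by src).
TODAY_FLOWS = [
    ("10.1.1.5", "10.2.2.10", 445, 50_000_000),      # inside->inside: not an upload to the Internet
    ("10.1.1.5", "203.0.113.7", 443, 900_000),
    ("10.1.1.5", "198.51.100.23", 22, 310_000_000),  # the one flow record that sticks out
    ("10.1.1.5", "203.0.113.8", 80, 200_000),
    ("10.1.1.9", "203.0.113.9", 443, 41_000_000),    # within its normal band
]

if __name__ == "__main__":
    for host, detail in upload_alarms(HISTORY_MB, TODAY_FLOWS).items():
        print(host, detail["expected_mb"], "MB expected,", detail["observed_mb"], "MB observed")
        print("  largest flow:", detail["flows"][0])
```

Two details matter in practice: the baseline is per host, so the busy host that uploads 40 MB every day is not alarmed while the quiet one is, and the tolerance has a floor, so a host with an almost flat history does not alarm on noise. A host with no history at all is skipped rather than judged against a guessed baseline.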

From there, we can determine whether any of the details revealed are a cause for concern, and if so, quickly take the appropriate action. Data leakage issues such as these are one of the key types of internal threats not detected by traditional security technologies, making more comprehensive coverage extremely valuable.

9. Botnet Detection

If your enterprise is connected to the Internet, then you are the target of a bot-driven attack. It is not a question of if or when you'll be compromised; it's a question of how bad the problem already is, and how soon your staff can identify or minimize the damage. Leading botnet research entity Damballa reports that up to nine percent of all machines in an enterprise are infected with botnets. Not a single company that Damballa has worked with has been free of botnet activity. The exceptional stealth of these attacks and their widely dispersed nature make them uniquely dangerous. Every one of these systems can leak sensitive internal information or attack other organizations at any time.

NetFlow can be extremely useful in helping detect botnet activity. Beaconing hosts and some Long-Lived Flows are an easy example of this. A Beaconing Host alarm indicates that an IP communication between an Inside and an Outside host (with traffic in only one direction) exceeds the number of seconds required to qualify a flow as long duration. Suspect Long Flows inspect similar attributes, but for completed flows passing data in each direction. These alarms detect suspicious channels of communication such as spyware, remote desktop technologies (e.g., gotomypc.com), VPNs, IRC botnets and other covert means of communication. Another, more interesting way of detecting botnet activity on the network via NetFlow is to make use of lists of known bad Internet command and control (CnC) hosts from CERT or open-source lists such as the one from ZeuS Tracker.
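The two long-flow alarms just described, implemented over stitched (bidirectional) conversation records as an added Python example, not StealthWatch's code: a conversation between an inside and an outside host that lasts past the long-duration threshold with bytes in only one direction raises Beaconing Host, and one with data in both directions raises Suspect Long Flow. The records, the inside address ranges and the one-hour threshold are constructed assumptions.

```python
"""Flag Beaconing Hosts (one-way inside<->outside traffic that lasts too long) and
Suspect Long Flows (long-lived flows with data in both directions). Added example;
the bidirectional flow records, address ranges and the duration threshold are
constructed assumptions, not StealthWatch's own values."""
from dataclasses import dataclass

INSIDE_PREFIXES = ("10.", "192.168.")   # assumed inside address space


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIXES)


@dataclass
class BiFlow:
    """A conversation as a collector stitches it: both directions of one 5-tuple."""
    inside: str
    outside: str
    dport: int
    proto: str
    start: float          # epoch seconds
    end: float
    bytes_in_to_out: int  # data sent by the inside host
    bytes_out_to_in: int  # data sent by the outside host


def classify_long_flows(flows, long_duration_s=3600.0):
    """Apply the two definitions from the text to every inside<->outside conversation."""
    alarms = []
    for f in flows:
        if not (is_inside(f.inside) and not is_inside(f.outside)):
            continue                                   # only inside-to-outside channels are in scope
        duration = f.end - f.start
        if duration < long_duration_s:
            continue
        one_way = (f.bytes_in_to_out == 0) != (f.bytes_out_to_in == 0)
        if one_way:
            alarms.append(("Beaconing Host", f.inside, f.outside, f.dport, f.proto, duration))
        elif f.bytes_in_to_out > 0 and f.bytes_out_to_in > 0:
            alarms.append(("Suspect Long Flow", f.inside, f.outside, f.dport, f.proto, duration))
    return alarms


def hosts_by_alarm(alarms):
    """Group offending inside hosts under each alarm type for a top-offender view."""
    out = {}
    for kind, inside, *_ in alarms:
        out.setdefault(kind, set()).add(inside)
    return out


HOUR = 3600.0
T0 = 1_700_000_000.0
# Constructed conversations observed over one day.
SAMPLE_FLOWS = [
    BiFlow("10.1.1.5", "203.0.113.7", 443, "tcp", T0, T0 + 20, 4_200, 38_000),                  # normal web fetch
    BiFlow("10.1.1.8", "198.51.100.40", 53, "udp", T0, T0 + 6 * HOUR, 9_000, 0),                # one-way for 6 h: beacon
    BiFlow("10.1.1.12", "203.0.113.99", 443, "tcp", T0, T0 + 10 * HOUR, 2_000_000, 3_500_000),  # 10 h two-way: remote-desktop-like
    BiFlow("10.1.1.20", "198.51.100.41", 8080, "tcp", T0, T0 + 30 * 60, 500, 0),               # one-way but only 30 min
    BiFlow("10.1.1.30", "10.2.2.10", 445, "tcp", T0, T0 + 12 * HOUR, 50_000, 50_000),           # inside<->inside: out of scope
]

if __name__ == "__main__":
    for alarm in classify_long_flows(SAMPLE_FLOWS):
        print(*alarm)
```

The duration threshold is the tuning knob: set it too low and every long download or VPN session alarms, set it too high and a patient beacon slips under it. Keeping the inside/outside scoping explicit also avoids alarming on long-lived internal sessions such as backups.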
These lists of known bad Internet hosts can be automatically populated into a NetFlow analysis technology and will let an organization know when one of its internal hosts even attempts to communicate with one of these known CnC hosts, as shown here. For example, a host in the Sales and Marketing department has attempted to communicate with a known CnC host over port 80. ZeuS Tracker has identified this outside host as a known bad guy. A Zone Lock rule has been set up to let us know whenever one of our internal hosts even attempts to communicate with one of these known bad guys. The list of bad actors is updated every hour into the NetFlow analysis system. More frequent or less frequent updates can be scheduled if so desired.

These Zone Lock rules can be extended elsewhere within the organization. For example, a server with important financial data on it should only be accessed by a certain group within the organization and only over HTTP and HTTPS. Any other group, or any other service/application used to communicate with this server, should not be allowed. These Zone Lock policy rules are useful for auditing firewall rules. If someone makes an error while developing a firewall policy and communication suddenly starts to flow where it should not be allowed, these NetFlow-based Zone Lock rules will catch it and let the organization know that the firewall has been misconfigured and needs urgent attention.

Instead of relying on signatures for known attacks, this solution analyzes network behavior to detect anomalous communication patterns that might indicate bot activity, enabling fast, effective remediation of this especially damaging attack method.
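Here is an added Python example (not StealthWatch's rule syntax and not ZeuS Tracker data) of the two checks this passage describes applied to flow records: a lookup of each destination against a CnC host list loaded from a feed, and a Zone Lock style rule that only allows one zone to reach the finance servers and only over HTTP/HTTPS. The feed contents, the zone definitions, the rule and the flow records are constructed for the example.

```python
"""Evaluate flow records against a known-CnC host list and Zone Lock style policy
rules. Added example; the feed contents, zone definitions and the policy rule are
constructed for illustration and are not ZeuS Tracker data or StealthWatch rule syntax."""


def load_feed(feed_text):
    """Parse a plain-text blocklist (one IP per line, '#' comments), as an hourly job would."""
    hosts = set()
    for line in feed_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            hosts.add(line)
    return hosts


# Constructed stand-in for a CnC feed download.
CNC_FEED = """\
# constructed example feed, not real data
203.0.113.45   # listed as a CnC host
198.51.100.77
"""

# Constructed zone model: name -> address prefixes.
ZONES = {
    "Sales and Marketing": ("10.10.",),
    "Finance": ("10.20.",),
    "Finance Servers": ("10.30.5.",),
}


def zone_of(ip):
    for name, prefixes in ZONES.items():
        if ip.startswith(prefixes):
            return name
    return "Inside (unzoned)" if ip.startswith("10.") else "Outside"


# Zone Lock style rule: only Finance may reach the Finance Servers, and only over HTTP/HTTPS.
ZONE_LOCK_RULES = [
    {"dst_zone": "Finance Servers", "allowed_src_zones": {"Finance"}, "allowed_ports": {80, 443}},
]


def evaluate_flows(flows, cnc_hosts, rules=ZONE_LOCK_RULES):
    """Alarm on any attempt (a flow record exists, completed or not) that matches a
    CnC host or violates a Zone Lock rule. Returns (alarm, src, src_zone, dst, dport)."""
    alarms = []
    for src, dst, dport in flows:
        if dst in cnc_hosts:
            alarms.append(("Known CnC contact", src, zone_of(src), dst, dport))
        for rule in rules:
            if zone_of(dst) != rule["dst_zone"]:
                continue
            if zone_of(src) not in rule["allowed_src_zones"] or dport not in rule["allowed_ports"]:
                alarms.append(("Zone Lock violation", src, zone_of(src), dst, dport))
    return alarms


# Constructed flow records: (src, dst, dst_port). A SYN that was never answered still
# produces a record, which is why "even attempts" are visible.
SAMPLE_FLOWS = [
    ("10.10.3.4", "203.0.113.45", 80),    # Sales host -> listed CnC host over port 80
    ("10.20.1.7", "10.30.5.2", 443),      # Finance -> finance server over HTTPS: allowed
    ("10.10.3.4", "10.30.5.2", 443),      # Sales -> finance server: wrong zone
    ("10.20.1.7", "10.30.5.2", 22),       # Finance -> finance server over SSH: wrong service
    ("10.20.1.7", "203.0.113.9", 443),    # ordinary outbound web traffic
]

if __name__ == "__main__":
    for alarm in evaluate_flows(SAMPLE_FLOWS, load_feed(CNC_FEED)):
        print(*alarm)
```

The same evaluation doubles as the firewall audit the text mentions: if a flow record shows SSH reaching the finance servers, either the firewall policy has a hole or someone changed it, and the Zone Lock alarm fires regardless of which.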

10. Worm Detection

Though not as prevalent today, computer worms are still considered a real threat to corporate networks due to the vast amounts of damage they can cause if they are able to propagate. Since they rely on signature updates, perimeter defenses cannot always detect every cyber attack, allowing worms to penetrate the internal network. Flow-based tools do not rely on signatures and instead detect anomalous behavior, which can be used to uncover worms. Worms must propagate to survive, making it easy to identify their behavior using statistical pattern detection within NetFlow records.

In this example, we see a host address scanning on TCP port 445, targeting a variety of subnets including the 178, 179 and 183 subnets. Once this behavior has been identified, the next step is to see if any of those hosts that were scanned actually began communicating with the host doing the scanning. In this example, we see that the host has "touched" at least one of these other hosts, meaning that it has passed data to it. Identification of these touched hosts is easy.
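The worm-tracking procedure this section walks through, as an added Python example over constructed flow records (not StealthWatch's detection logic): find hosts scanning a port across several subnets, list the targets each scanner actually exchanged data with (the "touched" hosts), and then check whether any touched host has started scanning in turn, which is the follow-on question the next paragraph raises. The flow records, the scanner thresholds and the meaning of "touched" (payload sent and data returned) are assumptions for the example.

```python
"""Worm tracking over NetFlow records: find scanners on a port, the hosts each
scanner actually passed data to ('touched'), and which touched hosts started
scanning in turn. Added example over a constructed set of flow records; the
thresholds are assumptions, not StealthWatch's."""
from collections import defaultdict

PORT = 445  # the port the scanning host was seen hitting in the text's example


def find_scanners(flows, port, min_targets=10, min_subnets=2):
    """Hosts that contacted many distinct destinations on one port across several /24s.
    The subnet condition keeps a busy file server talking to its own subnet out of the list."""
    targets = defaultdict(set)
    for src, dst, dport, _sent, _ret in flows:
        if dport == port:
            targets[src].add(dst)
    return {src for src, dsts in targets.items()
            if len(dsts) >= min_targets
            and len({d.rsplit(".", 1)[0] for d in dsts}) >= min_subnets}


def touched_hosts(flows, scanner, port):
    """Targets the scanner exchanged data with: it sent payload and the target answered."""
    return {dst for src, dst, dport, sent, ret in flows
            if src == scanner and dport == port and sent > 0 and ret > 0}


def worm_tree(flows, port, root, scanners):
    """Breadth-first walk from the first scanner: for each infected host record who it
    touched and which of those are themselves scanning (the 'spreading' set)."""
    tree, queue = {}, [root]
    while queue:
        host = queue.pop(0)
        if host in tree:
            continue
        touched = sorted(touched_hosts(flows, host, port))
        spreading = [t for t in touched if t in scanners]
        tree[host] = {"touched": touched, "spreading": spreading}
        queue.extend(spreading)
    return tree


def _scan(src, prefixes, n_each, replies=()):
    """Constructed flow records (src, dst, dport, bytes_sent, bytes_returned) for a
    host probing n_each addresses in each /24; probes are tiny, replies carry data."""
    rows = []
    for pre in prefixes:
        for i in range(1, n_each + 1):
            dst = f"{pre}.{i}"
            if dst == src:
                continue
            rows.append((src, dst, PORT, 4000, 800) if dst in replies else (src, dst, PORT, 60, 0))
    return rows


FLOWS = (
    _scan("10.0.178.10", ["10.0.178", "10.0.179", "10.0.183"], 5, replies={"10.0.179.3", "10.0.183.4"})
    + _scan("10.0.179.3", ["10.0.179", "10.0.180", "10.0.181"], 5, replies={"10.0.181.2"})  # touched host now scanning
    + _scan("10.0.1.2", ["10.0.1"], 12)                                                       # file server: one subnet only
    + [("10.0.5.5", "10.0.5.9", 443, 12_000, 80_000)]                                         # unrelated traffic
)

if __name__ == "__main__":
    scanners = find_scanners(FLOWS, PORT)
    print("scanning hosts:", sorted(scanners))
    for host, info in worm_tree(FLOWS, PORT, "10.0.178.10", scanners).items():
        print(host, "touched", info["touched"], "now spreading:", info["spreading"])
```

The tree is the "visual worm tracker" in data form: the root scanner touched two hosts, one of them is now scanning three subnets itself, and the file server that talks to eleven neighbours on port 445 stays out of the picture because it never leaves its own subnet.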

Now, an organization should really worry if these two touched hosts begin exhibiting that same type of scanning activity on TCP port 445. If that happens, it will look like the image below. Creating a visual worm tracker using NetFlow data makes for easy investigation and clean-up, enabling organizations to avoid the high costs and reputation damage that come with widespread outbreaks.

11. Compliance: HIPAA, PCI, SCADA, etc.

As industry regulations and their enforcement become more stringent across industries, organizations have to take careful measures to ensure that they achieve and remain in compliance to avoid heavy fines and other repercussions. Through continuous network monitoring across the enterprise, StealthWatch can play an integral role in any compliance strategy. StealthWatch delivers the visibility, accountability and measurability required to maintain compliance by:

- Supplying real-time awareness of network- and host-based behaviors all the way down to individual users
- Increasing user accountability for introducing security risks
- Tracking, measuring and prioritizing network risks for faster remediation
- Providing the in-depth data needed to conduct forensic analysis for security incidents
- Easily extending network and security monitoring to virtual environments
- Helping to maintain the network availability and performance critical to business process integrity
- Determining and enhancing the effectiveness of traditional security controls currently in place

StealthWatch can fill in the gaps left by other technologies to provide more comprehensive capabilities for achieving and maintaining compliance for a wide range of industry regulations.

12. QoS Monitoring

As corporate end-users require access to an increasing number of applications and services, organizations are seeking ways to guarantee that the most important traffic is always given the highest priority throughout the network. StealthWatch supports QoS efforts by monitoring, reporting and trending traffic volume for each DSCP value on each interface across the network. This helps to ensure that actual traffic passing through individual interfaces matches configured or desired traffic levels for each service. As such, StealthWatch enables the verification of operator-defined per-hop behaviors and facilitates planning for capacity upgrades.

The user can create profiles with common DSCP settings, or create policy on a per-interface basis. Then, by referencing the DSCP status document, one can determine when certain services are in danger of exceeding their reserved bandwidths. Specific bandwidth questions can be answered, such as:

- Which bandwidth allocations have been exceeded?
- What percentage of bandwidth allocation is being used inbound?
- What percentage of bandwidth allocation is being used outbound?

With StealthWatch, organizations can easily monitor QoS for maximum network and application performance.

13. Capacity Planning

StealthWatch enables organizations to obtain in-depth data on traffic volumes for each application and service. With more pressure being placed upon IT teams to cut costs, making intelligent capacity planning decisions is more important than ever, and it requires a decision support system with an enterprise-wide view of network traffic usage. NetFlow is very useful for organizations wanting greater ability to perform capacity planning. Since it is very lightweight, NetFlow can be stored for long periods of time and can therefore be used to look at how traffic has trended over time for a department, subnet, VLAN or interface. Suppose an organization wants to look at traffic trending for a specific department over a certain time period. With NetFlow, that data is right at their fingertips.
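The per-DSCP accounting behind the three QoS questions above, as an added Python example (not StealthWatch's DSCP status document): flow octets are summed per interface, direction and DSCP value over one export interval, converted to bits per second and compared with a reserved allocation, so the report says which reservations were exceeded and what percentage of each allocation is in use inbound and outbound. The interface, the allocations, the interval and the flow volumes are constructed for the example.

```python
"""Per-interface, per-DSCP traffic accounting against reserved bandwidth, answering
the three questions above. Added example; interfaces, allocations and flow volumes
are constructed, and the allocation table stands in for a DSCP profile."""
from collections import defaultdict

DSCP_NAMES = {46: "EF", 34: "AF41", 26: "AF31", 0: "BE"}   # standard DSCP code points

# Constructed reservations in bits per second: (ifindex, direction, dscp) -> allocation.
ALLOCATIONS_BPS = {
    (3, "in", 46): 2_000_000, (3, "out", 46): 2_000_000,
    (3, "in", 34): 5_000_000, (3, "out", 34): 5_000_000,
}

# Constructed flow volumes seen on interface 3 during one 300-second export interval:
# (ifindex, direction, dscp, octets).
FLOWS = [
    (3, "in", 46, 60_000_000), (3, "in", 46, 30_000_000),   # voice inbound, 2.4 Mbps in total
    (3, "out", 46, 45_000_000),                             # voice outbound, 1.2 Mbps
    (3, "in", 34, 150_000_000),                             # video inbound, 4.0 Mbps
    (3, "out", 34, 30_000_000),                             # video outbound, 0.8 Mbps
    (3, "in", 0, 500_000_000), (3, "out", 0, 120_000_000),  # best effort: no reservation
]


def dscp_utilization(flows, allocations, interval_s):
    """Sum octets per (interface, direction, DSCP), convert to bps and compare with the reservation."""
    totals = defaultdict(int)
    for ifindex, direction, dscp, octets in flows:
        totals[(ifindex, direction, dscp)] += octets
    report = []
    for key, octets in sorted(totals.items()):
        rate_bps = octets * 8 / interval_s
        alloc = allocations.get(key)
        report.append({
            "ifindex": key[0], "direction": key[1],
            "dscp": DSCP_NAMES.get(key[2], str(key[2])),
            "rate_bps": rate_bps,
            "allocation_bps": alloc,
            "pct_of_allocation": round(100 * rate_bps / alloc, 1) if alloc else None,
            "exceeded": bool(alloc) and rate_bps > alloc,
        })
    return report


def exceeded_allocations(report):
    """Question 1: which reservations were exceeded in this interval."""
    return [(r["ifindex"], r["direction"], r["dscp"]) for r in report if r["exceeded"]]


def pct_used(report, ifindex, direction, dscp_name):
    """Questions 2 and 3: percentage of a reservation in use for one direction."""
    return next(r["pct_of_allocation"] for r in report
                if (r["ifindex"], r["direction"], r["dscp"]) == (ifindex, direction, dscp_name))


if __name__ == "__main__":
    rep = dscp_utilization(FLOWS, ALLOCATIONS_BPS, interval_s=300)
    for r in rep:
        print(r["ifindex"], r["direction"], r["dscp"], int(r["rate_bps"]), "bps",
              r["pct_of_allocation"], "% of reservation", "EXCEEDED" if r["exceeded"] else "")
```

Trending these percentages per interval is what turns the report into capacity-planning input: an EF class sitting at 120% of its reservation on one interface is a per-hop behaviour that no longer matches the operator's intent, long before users notice degraded voice quality.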

Or suppose a company is interested in looking at the utilization level of an interface for the past 90 days. Once again, NetFlow is adept at providing that level of insight, with the added benefit of being able to double-click on any spike within the chart and actually see details about the conversations that were taking place at that time. NetFlow and StealthWatch enable organizations to quickly and easily answer questions such as the following for capacity planning purposes:

- What are my business applications' bandwidth requirements?
- How much of my bandwidth is consumed by recreational applications?
- Do I really need more bandwidth, or do I need better traffic management capabilities to manage existing bandwidth more efficiently?
- Are there just a few guilty hosts responsible for the wasted bandwidth, or is there a pattern of host behavior across the board?
- Do my most critical applications get preferential treatment on the network? If not, does existing bandwidth need to be reallocated, or do I need an upgrade?

With the ability to quickly see both high-level and in-depth data on bandwidth usage, organizations can more accurately plan for future needs.
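As an added example (not Lancope's or StealthWatch's code), the following Python works through both the QoS questions above (per-interface, per-DSCP utilization against reserved bandwidth, inbound and outbound) and the capacity-planning view (per-interface volume per interval with a drill-down into the conversations behind the busiest interval) over a constructed set of decoded flow records. The record layout, the five-minute interval and the reserved-bandwidth policy are assumptions made for the example.

```python
from collections import defaultdict

INTERVAL_SECONDS = 300  # five-minute reporting interval (assumption)

# Constructed flow records, already decoded from a NetFlow export: source and
# destination addresses, the exporter interface the flow entered (in_if) and
# left (out_if), the DSCP value (ToS >> 2), octets, and start/end in seconds.
FLOWS = [
    {"src": "10.1.1.10", "dst": "10.2.2.20", "in_if": 1, "out_if": 2, "dscp": 46, "octets": 45_000_000, "start": 0, "end": 300},
    {"src": "10.1.1.11", "dst": "10.2.2.21", "in_if": 1, "out_if": 2, "dscp": 26, "octets": 30_000_000, "start": 0, "end": 300},
    {"src": "10.1.1.12", "dst": "10.2.2.22", "in_if": 1, "out_if": 2, "dscp": 0, "octets": 75_000_000, "start": 0, "end": 300},
    {"src": "10.2.2.20", "dst": "10.1.1.10", "in_if": 2, "out_if": 1, "dscp": 46, "octets": 15_000_000, "start": 0, "end": 300},
    # this flow spans two intervals and is credited half to each
    {"src": "10.1.1.13", "dst": "10.2.2.23", "in_if": 1, "out_if": 2, "dscp": 0, "octets": 48_000_000, "start": 200, "end": 400},
    {"src": "10.1.1.14", "dst": "10.2.2.24", "in_if": 1, "out_if": 2, "dscp": 0, "octets": 20_000_000, "start": 300, "end": 600},
]

# Constructed QoS policy: reserved bandwidth in bits per second per (interface, DSCP).
ALLOCATIONS = {
    (2, 46): 1_000_000,  # EF, e.g. voice
    (2, 26): 2_000_000,  # AF31
    (2, 0): 5_000_000,   # best effort
}


def bucket_bytes(flow, interval):
    """Split a flow's octets across fixed intervals in proportion to the time it
    overlaps each one. The end time is exclusive; a zero-length flow is credited
    entirely to the interval containing its start."""
    start, end = flow["start"], flow["end"]
    duration = max(end - start, 0)
    if duration == 0:
        yield start // interval, float(flow["octets"])
        return
    for b in range(start // interval, (end - 1) // interval + 1):
        lo = max(start, b * interval)
        hi = min(end, (b + 1) * interval)
        yield b, flow["octets"] * (hi - lo) / duration


def dscp_utilization(flows, interval, bucket):
    """Average bits per second in one interval, keyed by (interface, direction, dscp).
    A flow is inbound on the interface it entered and outbound on the one it left."""
    bits = defaultdict(float)
    for f in flows:
        for b, octets in bucket_bytes(f, interval):
            if b != bucket:
                continue
            bits[(f["in_if"], "inbound", f["dscp"])] += octets * 8
            bits[(f["out_if"], "outbound", f["dscp"])] += octets * 8
    return {k: v / interval for k, v in bits.items()}


def allocation_report(util, allocations):
    """Which allocations are exceeded, and what percentage is used inbound and outbound."""
    report = {}
    for (ifidx, dscp), reserved in allocations.items():
        for direction in ("inbound", "outbound"):
            bps = util.get((ifidx, direction, dscp), 0.0)
            report[(ifidx, direction, dscp)] = {
                "bps": bps,
                "percent": 100.0 * bps / reserved,
                "exceeded": bps > reserved,
            }
    return report


def interface_trend(flows, interface, interval):
    """Total octets per interval crossing one interface in either direction."""
    trend = defaultdict(float)
    for f in flows:
        if interface not in (f["in_if"], f["out_if"]):
            continue
        for b, octets in bucket_bytes(f, interval):
            trend[b] += octets
    return dict(sorted(trend.items()))


def peak_conversations(flows, interface, interval, top=3):
    """Drill down into the busiest interval: the conversations that carried the
    most octets across the interface during it (the 'double-click on the spike')."""
    trend = interface_trend(flows, interface, interval)
    if not trend:
        return None, []
    peak = max(trend, key=trend.get)
    convs = defaultdict(float)
    for f in flows:
        if interface not in (f["in_if"], f["out_if"]):
            continue
        for b, octets in bucket_bytes(f, interval):
            if b == peak:
                convs[(f["src"], f["dst"], f["dscp"])] += octets
    ranked = sorted(convs.items(), key=lambda kv: kv[1], reverse=True)
    return peak, ranked[:top]


if __name__ == "__main__":
    util = dscp_utilization(FLOWS, INTERVAL_SECONDS, bucket=0)
    for key, row in allocation_report(util, ALLOCATIONS).items():
        flag = "EXCEEDED" if row["exceeded"] else "ok"
        print(f"if{key[0]} {key[1]:8s} dscp {key[2]:2d}: {row['bps']:>12,.0f} bps {row['percent']:6.1f}% {flag}")
    print("interface 2 octets per interval:", interface_trend(FLOWS, 2, INTERVAL_SECONDS))
    peak, top = peak_conversations(FLOWS, 2, INTERVAL_SECONDS)
    print(f"busiest interval: {peak}; top conversations: {top}")
```

In the constructed data the EF (DSCP 46) class on interface 2 is running at 120% of its reservation outbound while the best-effort class sits at roughly 53%, the kind of mismatch between configured and actual per-hop behavior the DSCP status view is meant to surface.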

14. Association of Log Data

NetFlow is extremely useful for providing context around network conditions and host-level behavior. Combined with the capabilities of StealthWatch, it provides situational awareness around any network or security incident. However, it may still be useful to bring in data such as Syslog from other types of technologies, such as firewalls and signature-based IDS/IPS, because of the different types of information they provide. StealthWatch then acts as the glue that binds all of this data together to create a single, complete picture of what is going on inside your network at any given time.

Suppose the NetFlow data indicates that a worm is being propagated across TCP port 8356 and that 10 internal hosts have been infected by an initial outside host from China. Would it not be useful to have the associated firewall Syslog events and signature-based alarms from the perimeter-based IDS to provide additional context surrounding this event? For example, why was the firewall allowing communication over this high-numbered TCP port? The signature-based IDS identified the initial worm infection as, say, the latest Sasser variant, but the NetFlow records indicate that once the initial infection occurred, it quickly started scanning on all high-numbered TCP ports and eventually infected nine other hosts on TCP port. A quick review of the associated firewall Syslog events within StealthWatch shows that port 8356 is actually open.

In the example below, a virtual desktop host has triggered an ICMP flood alarm raised by analysis of the NetFlow data. In this example, the source host was expected to send no more than 3230 ICMP packets per five-minute period, but all of a sudden this host sent out more than 20,000 ICMP packets in a single five-minute time interval.
The green checkmark indicates that there are external events from other tools that have been correlated with this behavioral alarm triggered by analyzing the NetFlow data. Clicking on the green checkmark brings back the associated external events. Here we see that the signature-based IDS identified the activity as a possible Evasive Reset, and we see the firewall building the inbound connection and then tearing it down. This gives the analyst a single pane of glass for analyzing host-level activity on the network and eliminates the need to switch back and forth between various tools (such as combing through firewall log data manually and keeping up with the flood of signature-based alarms from an IDS). StealthWatch ties these other tools together and allows for a quick understanding of what is happening across the entire network.
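As an added example (not StealthWatch's code), the following Python raises the ICMP flood alarm described above from constructed flow records, using the paper's baseline of 3230 ICMP packets per five-minute period, and then pulls in the firewall and IDS Syslog events that belong to the same host and time window, which is the correlation the green checkmark represents. The flow record layout, the Syslog line format, the host addresses and the alignment of windows to wall-clock five-minute boundaries are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)

# Constructed, already-decoded flow records:
# (start time, source, destination, IP protocol, packets). Protocol 1 is ICMP.
FLOWS = [
    ("2011-06-01T12:00:10", "10.10.5.20", "10.10.9.1", 1, 1500),
    ("2011-06-01T12:01:40", "10.10.5.20", "10.10.9.2", 1, 9000),
    ("2011-06-01T12:03:05", "10.10.5.20", "10.10.9.3", 1, 10500),  # 21,000 ICMP packets in the 12:00 window
    ("2011-06-01T12:02:00", "10.10.5.21", "10.10.9.1", 1, 40),
    ("2011-06-01T12:06:30", "10.10.5.20", "10.10.9.4", 1, 800),
    ("2011-06-01T12:02:15", "10.10.5.20", "203.0.113.5", 6, 12),  # TCP, not counted
]

# Constructed per-host baselines: maximum ICMP packets expected per five-minute period.
BASELINES = {"10.10.5.20": 3230, "10.10.5.21": 3230}

# Constructed external events in a simplified "<timestamp> <device> <message>" form.
SYSLOG = [
    "2011-06-01T12:02:14 fw01 Built inbound TCP connection 4711 from 203.0.113.5/51234 to 10.10.5.20/80",
    "2011-06-01T12:02:15 ids01 Signature match: Evasive Reset 203.0.113.5 -> 10.10.5.20",
    "2011-06-01T12:02:40 fw01 Teardown TCP connection 4711 from 203.0.113.5/51234 to 10.10.5.20/80",
    "2011-06-01T12:02:50 fw01 Built inbound TCP connection 4712 from 198.51.100.7/40000 to 10.10.5.30/443",
    "2011-06-01T12:07:01 ids01 Signature match: Evasive Reset 203.0.113.5 -> 10.10.5.20",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def window_start(ts):
    """Align a timestamp to the five-minute period containing it."""
    return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)


def icmp_alarms(flows, baselines):
    """Sum ICMP packets per source host per five-minute period and flag any
    period in which a host exceeds its expected maximum."""
    counts = defaultdict(int)
    for start, src, _dst, proto, pkts in flows:
        if proto != 1:
            continue
        counts[(src, window_start(parse_ts(start)))] += pkts
    alarms = []
    for (src, win), pkts in sorted(counts.items()):
        limit = baselines.get(src)
        if limit is not None and pkts > limit:
            alarms.append({"host": src, "window_start": win, "window_end": win + WINDOW,
                           "icmp_packets": pkts, "expected_max": limit})
    return alarms


def correlate(alarm, syslog_lines):
    """External events whose timestamp falls inside the alarm window and whose
    message names the alarming host as either endpoint."""
    hits = []
    for line in syslog_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group(1))
        if not (alarm["window_start"] <= ts < alarm["window_end"]):
            continue
        if alarm["host"] in IP_RE.findall(m.group(3)):
            hits.append({"time": ts, "source": m.group(2), "message": m.group(3)})
    return hits


if __name__ == "__main__":
    for alarm in icmp_alarms(FLOWS, BASELINES):
        print(f"ICMP flood: {alarm['host']} sent {alarm['icmp_packets']} ICMP packets "
              f"(expected at most {alarm['expected_max']}) in the period starting {alarm['window_start']}")
        for hit in correlate(alarm, SYSLOG):
            print(f"  {hit['time']} {hit['source']}: {hit['message']}")
```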

Conclusion - Filling in the Gaps with NetFlow

The number of threats and potential network issues that IT teams must address on a daily basis continues to grow exponentially. While traditional network and security tools specialize in addressing one or a few of these issues, NetFlow collection and analysis can fill in the gaps for these technologies to provide more comprehensive visibility, capabilities and coverage. NetFlow and tools such as StealthWatch provide a much-needed layer of insight and security that can be leveraged to address a wide range of network challenges.

About Lancope

Lancope, Inc. is a leading provider of flow-based monitoring to ensure high-performing and secure networks for global enterprises. Unifying critical network performance and security information for borderless network visibility, Lancope provides actionable insight that reduces the time between problem identification and resolution. Enterprises rely on Lancope to make better network decisions, respond faster to network problem areas and avoid costly outages and downtime at a fraction of the cost of conventional network monitoring solutions. To learn more or request a demo, contact sales@lancope.com.

Lancope Headquarters: 3650 Brookside Parkway, Suite 400, Alpharetta, GA. U.S. Sales / International Sales +44 (0). sales@lancope.com

2011 Lancope, Inc. All rights reserved. Lancope, StealthWatch, and other trademarks are registered or unregistered trademarks of Lancope, Inc. All other trademarks are properties of their respective owners.


More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch What You Will Learn A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)

More information

Benefits. Product Overview. There is nothing more important than our customers. DATASHEET

Benefits. Product Overview. There is nothing more important than our customers. DATASHEET DATASHEET Security Information & Event Manager (SIEM) Compliance through Security Information and Event Management, Log Management, and Network Behavioral Analysis Product Overview Delivers fast, accurate

More information

Benefits. Product Overview. There is nothing more important than our customers. DATASHEET

Benefits. Product Overview. There is nothing more important than our customers. DATASHEET DATASHEET Security Information & Event Manager (SIEM) Compliance through Security Information and Event Management, Log Management, and Network Behavioral Analysis Product Overview Delivers fast, accurate

More information

Protecting the Infrastructure: Symantec Web Gateway

Protecting the Infrastructure: Symantec Web Gateway Protecting the Infrastructure: Symantec Web Gateway 1 Why Symantec for Web Security? Flexibility and Choice Best in class hosted service, appliance, and virtual appliance (upcoming) deployment options

More information

Comprehensive security solution provides reliable connectivity and faster VPN throughput with unprecedented visibility from WatchGuard Dimension

Comprehensive security solution provides reliable connectivity and faster VPN throughput with unprecedented visibility from WatchGuard Dimension Comprehensive security solution provides reliable connectivity and faster VPN throughput with unprecedented visibility from WatchGuard Dimension First established in 1949 out of a small metal building

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Network Management Deployment Guide

Network Management Deployment Guide Smart Business Architecture Borderless Networks for Midsized organizations Network Management Deployment Guide Revision: H1CY10 Cisco Smart Business Architecture Borderless Networks for Midsized organizations

More information

Diagnosing the cause of poor application performance

Diagnosing the cause of poor application performance Diagnosing the cause of poor application performance When it comes to troubleshooting application performance issues, there are two steps you can take to make diagnosis easier, faster and more accurate.

More information

Extending Network Visibility by Leveraging NetFlow and sflow Technologies

Extending Network Visibility by Leveraging NetFlow and sflow Technologies Extending Network Visibility by Leveraging and sflow Technologies This paper shows how a network analyzer that can leverage and sflow technologies can provide extended visibility into enterprise networks

More information

Securing and Monitoring BYOD Networks using NetFlow

Securing and Monitoring BYOD Networks using NetFlow Securing and Monitoring BYOD Networks using NetFlow How NetFlow can help with Security Analysis, Application Detection and Traffic Monitoring Don Thomas Jacob Technical Marketing Engineer ManageEngine

More information

Network Performance Monitoring at Minimal Capex

Network Performance Monitoring at Minimal Capex Network Performance Monitoring at Minimal Capex Some Cisco IOS technologies you can use to create a high performance network Don Thomas Jacob Technical Marketing Engineer About ManageEngine Network Servers

More information

How WAN Design Needs to Change

How WAN Design Needs to Change How WAN Design Needs to Change Ashton, Metzler & Associates Introduction While some organizations continue to make use of WAN services such as Frame Relay and ATM, the use of those services is quickly

More information

Closing The Application Performance Visibility Gap Inherent To Citrix Environments

Closing The Application Performance Visibility Gap Inherent To Citrix Environments Closing The Application Performance Visibility Gap Inherent To Citrix Environments WHITE PAPER: DYNATRACE FOR CITRIX XENAPP/XENDESKTOP Many companies have invested in Citrix XenApp and XenDesktop environments

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

Network Instruments white paper

Network Instruments white paper Network Instruments white paper RETROSPECTIVE NETWORK ANALYSIS Unified Communications (UC) and other bandwidth-intensive applications can greatly increase network performance requirements. Network professionals

More information

WHITE PAPER WHAT HAPPENED?

WHITE PAPER WHAT HAPPENED? WHITE PAPER WHAT HAPPENED? ENSURING YOU HAVE THE DATA YOU NEED FOR EFFECTIVE FORENSICS AFTER A DATA BREACH Over the past ten years there have been more than 75 data breaches in which a million or more

More information