Maximize Network Visibility with NetFlow Technology
Andy Wilson, Senior Systems Engineer, Lancope




Agenda
- What is NetFlow
  - Introduction to NetFlow
  - NetFlow Examples
- NetFlow in Action
  - Network Operations Use Case
  - Security Operations Use Case
  - PCI Compliance and Auditing Use Case
- A Glimpse into the Power of NetFlow
  - 10+ G Ethernet Environments
  - Virtual Environments
  - MPLS and Multi-point VPNs

What is NetFlow?
Diagram: routers on the path to the Internet export NetFlow packets to the StealthWatch Flow Collector.
NetFlow fields:
- src and dst IP
- src and dst port
- start time
- end time
- packet count
- byte count
- ...
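To make that field list concrete, here is an added example (not code from the presentation, nor from Lancope or StealthWatch) that decodes a NetFlow v5 export datagram into exactly those fields: source and destination IP and port, start and end time, packet and byte counts. The datagram is constructed inline so the script runs offline; the interface numbers, next-hop and AS fields in it are placeholder values, and UDP port 2055 mentioned in the comments is a common collector default rather than something the slides state.

```python
"""Decode a NetFlow v5 datagram into the flow fields listed on the slide.

Added example; not code from the presentation or from Lancope/StealthWatch.
The datagram is constructed below so the script runs offline; a collector
would receive the same bytes over UDP (often port 2055).
"""
import ipaddress
import struct

# Fixed layouts of the NetFlow v5 export format (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes


def parse_v5(datagram: bytes) -> list:
    """Return one dict per flow record; raise ValueError on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a v5 header")
    (version, count, uptime_ms, unix_secs, unix_nsecs, _seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"truncated: header claims {count} records")
    # Record timestamps are router uptime in ms; convert them to epoch
    # seconds using the export time and uptime carried in the header.
    boot_epoch = unix_secs + unix_nsecs / 1e9 - uptime_ms / 1000.0
    records = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first_ms, last_ms,
         sport, dport, _pad, flags, proto, _tos, _src_as, _dst_as, _src_mask,
         _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src_ip": str(ipaddress.IPv4Address(src)),
            "dst_ip": str(ipaddress.IPv4Address(dst)),
            "src_port": sport, "dst_port": dport,
            "proto": proto, "tcp_flags": flags,
            "start": boot_epoch + first_ms / 1000.0,
            "end": boot_epoch + last_ms / 1000.0,
            "packets": pkts, "bytes": octets,
            "in_if": in_if, "out_if": out_if,
            # Low 14 bits hold the sampling interval; the top 2 bits are the mode.
            "sampling_interval": sampling & 0x3FFF,
        })
    return records


def _record(src, dst, sport, dport, proto, pkts, octets, first_ms, last_ms, flags):
    """Pack one v5 record (constructed data; next-hop, ASNs and masks left zero)."""
    return V5_RECORD.pack(int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                          0, 1, 2, pkts, octets, first_ms, last_ms,
                          sport, dport, 0, flags, proto, 0, 0, 0, 0, 0, 0)


# Constructed datagram: exported at epoch 1700000000 with the router up for one hour,
# carrying an HTTPS session to an external host and a DNS reply coming back in.
SAMPLE_DATAGRAM = (
    V5_HEADER.pack(5, 2, 3_600_000, 1_700_000_000, 0, 0, 0, 0, 0)
    + _record("10.1.2.3", "203.0.113.10", 51514, 443, 6, 12, 6400, 3_590_000, 3_599_000, 0x1B)
    + _record("198.51.100.7", "10.1.2.3", 53, 40123, 17, 1, 120, 3_598_500, 3_598_500, 0)
)

if __name__ == "__main__":
    for rec in parse_v5(SAMPLE_DATAGRAM):
        print(rec)
```

The length checks matter on a real collector: the count field in the header is attacker-controlled input from the network, so the parser verifies that the datagram actually holds the records it claims before indexing into it.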

NetFlow vs. Traditional SNMP Monitoring
Diagram: side-by-side comparison of traditional SNMP reporting and NetFlow reporting.

Flow-based Visibility and Drill-down

NetFlow for the Network Team
Diagram: NetFlow packets (flow1, flow2, ...) are exported to the StealthWatch Flow Collector, which serves three audiences.
Network Team:
- Interface utilization
- Billing and chargeback
- QoS monitoring
- BGP ASN monitoring
- MPLS visibility
- Application troubleshooting
Compliance and Auditing:
- PCI Compliance
- HIPAA Compliance
- SCADA Security
- Sarbanes-Oxley
Security Team:
- File sharing
- Malware outbreak detection
- Network acceptable use
- Flow forensics
- Data loss prevention

NetFlow in Action: Network Operations
OldCastle APG
- Leading North American manufacturer of concrete masonry, lawn, garden and paving products, and a regional leader in clay brick
- 206 operating locations
- 7000+ employees
Challenge
- No way to visualize who or what was causing network slowdowns
- Internal IT staff using multiple tools in attempts to troubleshoot incidents
Solution
- Combining Cisco NetFlow and Lancope's StealthWatch System for visibility into the who, what, when and where of network traffic

NetFlow for Compliance and Auditing
Same diagram and lists as the "NetFlow for the Network Team" slide, with the Compliance and Auditing items highlighted:
- PCI Compliance
- HIPAA Compliance
- SCADA Security
- Sarbanes-Oxley

NetFlow in Action: PCI Compliance
NetFlow facilitates compliance with PCI DSS requirements:
- Verifies actual network communications (1.1.2)
- Monitors services and ports in use (1.1.5)
- Determines when accounts are active and what they did during this activity (8.5.6)
- Audits access to anything on the network, tying activity to an individual user, including administrative accounts (10.1)

NetFlow in Action: PCI Compliance
AirTran Airways
- Fortune 1000 company
- Geographically dispersed network across the continental US
Challenge
- Required improved security and network management across the enterprise in accordance with Payment Card Industry (PCI) requirements
- Wanted greater network visibility and behavioral intrusion detection
- Ability to monitor a geographically dispersed network
Solution
- StealthWatch identifies who does what, when, and provides data to enforce accountability

NetFlow for the Security Team
Same diagram and lists as the "NetFlow for the Network Team" slide, with the Security Team items highlighted:
- File sharing
- Malware outbreak detection
- Network acceptable use
- Flow forensics
- Data loss prevention

NetFlow in Action: Security Operations
Aurora HealthCare
Network Overview
- Largest private employer in Wisconsin, over 27,000 employees
- 14 hospitals
- Over 150 clinics
- 200+ pharmacies
Challenge
- Monitor a widely dispersed network without deploying administratively problematic and financially burdensome individual sensors throughout the network
- Needed complete visibility of the network, from the internal network to the clinics at the edge
- Monitor for zero-day attacks, viruses, Trojans, etc.
- Support for HIPAA compliance
Solution
- Combining NetFlow and the StealthWatch System

Visibility Lost Due to Emerging Tech
Emerging network technologies are outpacing traditional network monitoring techniques such as SNMP and SPAN/tap-based technology...
- 10G Ethernet is so fast few probe technologies can keep up, and those that can are too expensive
- MPLS and multi-point VPNs create a meshed WAN that's expensive to monitor adequately
- Virtualization hides whole network segments from the network manager's view, making VM2VM communication problems difficult to troubleshoot
These issues result in an inability to react to network problems because of a basic lack of.

10G+ Ethernet
10G Ethernet is so fast few probe technologies can keep up, and those that can are too expensive.
Diagram: a traditional Ethernet sensor next to a 10G link, captioned "Where to plug in?"

NetFlow in a 10G+ Ethernet Environment
10G Ethernet is so fast few probe technologies can keep up, and those that can are extremely expensive.
Diagram: the 10G devices export NetFlow to the StealthWatch Flow Collector instead of being tapped by a probe.

Virtualization
Virtualization hides whole network segments from the network manager's view, making VM2VM communication problems difficult to troubleshoot.
Diagram: a physical machine hosting VM1, VM2 and VM3 on virtual switches; VM2VM traffic never reaches the physical network, so a traditional Ethernet probe on the physical network cannot see it.

NetFlow in the Virtual Environment
Diagram: a VM on the server runs in promiscuous capture mode on the virtual switches and exports NetFlow v9 for the VM2VM traffic over the physical network to the StealthWatch Flow Collector.
*** Cisco Nexus 1000v also supports NetFlow ***

MPLS and Multi-point VPNs
MPLS and multi-point VPNs create a meshed WAN that's expensive to monitor adequately.
Diagram: a traditional Ethernet sensor placed at the hub of the WAN.

MPLS and Multi-point VPNs
Fully meshed connectivity circumvents network monitoring deployed at the hub location.

MPLS and Multi-point VPNs
Full visibility requires a probe at each location throughout the WAN.

NetFlow Collection in the WAN
Deploy a StealthWatch NetFlow collector at a central location and enable NetFlow at each remote site.
Diagram: each remote site sends NetFlow packets across the WAN to the central StealthWatch Flow Collector.

Quick Recap: Network Operations
- Fully integrated view of network usage, performance, host integrity and user behavior
- Diagnose network congestion and provide root cause analysis of the problem causing response time delays
- Visibility and metrics for WAN optimization
- Real-time and historical data to facilitate network performance monitoring, capacity planning and resource management
- Monitor Quality of Service on a per-hop basis throughout the network

Quick Recap: Security Operations
- Quickly pinpoint zero-day and unknown threats that bypass perimeter security
- Identify policy violations, unauthorized activity/applications, misconfigured hosts, and other rogue devices
- Faster incident resolution and detailed forensic data
- Detection of DoS/DDoS attacks, worms, viruses and botnets
- Track and audit network behavior and access by individual hosts

Quick Recap: PCI Compliance and Auditing
NetFlow solutions supply organizations with the means to:
- Continuously but passively monitor host behaviors, looking for deviations from normal processes
- Tie individual users to internal network performance problems
- Tie individual users to the introduction of security risks inside the internal network
- Implement appropriate network controls and policies
- Provide for internal audit and risk assessment
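The PCI items on the earlier slide (monitoring the services and ports in use, tying activity to hosts) and the security recap (policy violations, unauthorized activity) are both checks that run over the flow fields the deck lists. As an added example that is not part of the presentation or of StealthWatch, the following code runs two such checks over constructed flow records: an inventory of internal services that actually answered traffic, compared against an approved list, and a fan-out count that flags one source touching many ports on a single host. The 10.0.0.0/8 internal range, the approved-service list, the sample flows and the lower-port-is-the-service-end heuristic are all assumptions made for the example.

```python
"""Two flow-based checks a security or compliance team can run over NetFlow records.

Added example; not code from the presentation or from Lancope/StealthWatch.
The flow records are constructed, not collector output; each carries the
field set from the "What is NetFlow?" slide plus protocol and TCP flags.
"""
from collections import defaultdict
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal/cardholder range
PROTO = {6: "tcp", 17: "udp"}

# Approved (host, proto, port) services; constructed for this example.
APPROVED = {("10.1.2.10", "tcp", 443), ("10.1.2.20", "tcp", 1433)}


def flow(src, sport, dst, dport, proto=6, pkts=1, nbytes=60, flags=0x02):
    """One unidirectional flow record (default: a lone SYN, i.e. an unanswered probe)."""
    return {"src_ip": src, "src_port": sport, "dst_ip": dst, "dst_port": dport,
            "proto": proto, "packets": pkts, "bytes": nbytes, "tcp_flags": flags}


def conversation(client, cport, server, sport, proto=6):
    """Two records, one per direction, as a collector sees an answered session."""
    return [flow(client, cport, server, sport, proto, 10, 1500, 0x1B),
            flow(server, sport, client, cport, proto, 8, 9000, 0x1B)]


# Constructed sample: two approved sessions, one answered-but-unapproved SSH
# session, and one internal host probing 30 ports on a server without reply.
SAMPLE_FLOWS = (
    conversation("10.1.5.33", 51000, "10.1.2.10", 443)
    + conversation("10.1.5.34", 51001, "10.1.2.20", 1433)
    + conversation("10.1.5.35", 51002, "10.1.2.20", 22)
    + [flow("10.9.9.9", 40000 + p, "10.1.2.20", p) for p in range(1, 31)]
)


def _flow_keys(flows):
    return {(f["src_ip"], f["src_port"], f["dst_ip"], f["dst_port"], f["proto"])
            for f in flows}


def services_in_use(flows):
    """(host, proto, port) triples on internal hosts that answered at least one flow.

    A service counts only when the reverse-direction flow is also present, so
    unanswered probes do not inflate the inventory (PCI 1.1.5 style check).
    """
    seen = _flow_keys(flows)
    services = set()
    for f in flows:
        reverse = (f["dst_ip"], f["dst_port"], f["src_ip"], f["src_port"], f["proto"])
        if reverse not in seen:
            continue  # one-sided: a probe, a drop, or export from one direction only
        # Unidirectional records do not say who initiated; the lower port is
        # taken as the service end (heuristic, assumed for this example).
        host, port = ((f["dst_ip"], f["dst_port"]) if f["dst_port"] <= f["src_port"]
                      else (f["src_ip"], f["src_port"]))
        if ipaddress.ip_address(host) in INTERNAL:
            services.add((host, PROTO.get(f["proto"], str(f["proto"])), port))
    return services


def unapproved_services(flows):
    """Answered services on internal hosts that are not on the approved list."""
    return sorted(services_in_use(flows) - APPROVED)


def port_fanout(flows, threshold=20):
    """(src, dst, distinct_ports) for source/destination pairs touching >= threshold ports."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src_ip"], f["dst_ip"])].add(f["dst_port"])
    return sorted((s, d, len(p)) for (s, d), p in ports.items() if len(p) >= threshold)


if __name__ == "__main__":
    print("services in use:", sorted(services_in_use(SAMPLE_FLOWS)))
    print("unapproved:", unapproved_services(SAMPLE_FLOWS))
    print("high fan-out pairs:", port_fanout(SAMPLE_FLOWS))
```

Requiring the reverse flow before counting a service is what keeps the inventory honest: the probing host in the sample touches port 22 too, but only the answered session from 10.1.5.35 makes SSH on 10.1.2.20 appear, and that is the one the approved list does not cover.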

Thank You
Andy Wilson, Senior Systems Engineer, Lancope