Reigning in External Services with NetFlow
In a previous entry, we examined how NetFlow allows for discovery and analysis of network assets obtained from Mergers and Acquisitions. Another emerging area of “data chaos” is concerning external services or SaaS being utilized by an organization. As departments and users are given latitude to subscribe to distributed services, maintaining situational awareness of external service use becomes increasingly difficult.
One of the most efficient ways to inventory external service use is to create application profiles.
Application profiles can be created using a combination of IP addresses (layer 3) of the servers, ports/protocols (layer 4) used and network based application recognition (NBAR) of the application via deep packet inspection (DPI.)
These definitions in StealthWatch by Lancope allow histograms to be run to establish capacity planning metrics.
StealthWatch is also able to utilize these application definitions to establish how much a specific business unit or location are consuming these applications.
Utilizing identity data, the users associated with application traffic can also be rendered in a flow table.
In addition to application tracking, relationship tracking can also be established. The IP addresses of external services can be placed in a host group and transmissions to and from those servers can be analyzed by StealthWatch.
These relationships can render the detailed usage metrics as well.
Top reports can also be utilized across the relationship objects to reveal the top hosts utilizing the services on these external servers.
In addition to the capacity planning workflows already described, StealthWatch can monitor for anomalous behavior between external services and internal clients. Protecting against unauthorized data loss, policy violations and advanced threats can be accomplished through the same visibility.
By utilizing NetFlow data, external services can be accurately monitored. Reporting on usage from locations, business units and users can be quickly resolved via StealthWatch dashboards. As more services move to the Internet it is important to ensure visibility into organizational data is not lost.
Follow Charles Herring on Google+.