Reining in External Services with NetFlow by Charles Herring

In a previous entry, we examined how NetFlow allows for discovery and analysis of network assets obtained from mergers and acquisitions. Another emerging area of “data chaos” concerns the external services, or SaaS, used by an organization. As departments and users are given latitude to subscribe to distributed services, maintaining situational awareness of external service use becomes increasingly difficult.

Application Definition

One of the most efficient ways to inventory external service use is to create application profiles.

 

[Figure: NetFlow for Application Profiles]

Application profiles can be created using a combination of the servers' IP addresses (layer 3), the ports/protocols used (layer 4) and network-based application recognition (NBAR) of the application via deep packet inspection (DPI).

These definitions in StealthWatch by Lancope allow histograms to be run to establish capacity planning metrics.

 

[Figure: NetFlow for Capacity Planning Metrics]

StealthWatch can also use these application definitions to establish how much of each application a specific business unit or location is consuming.

 

[Figure: NetFlow for Bandwidth Consumption]

Utilizing identity data, the users associated with application traffic can also be rendered in a flow table.

 

[Figure: NetFlow for Identity Data]

Relationship Tracking

In addition to application tracking, relationship tracking can also be established. The IP addresses of external services can be placed in a host group and transmissions to and from those servers can be analyzed by StealthWatch.

 

[Figure: NetFlow for IP Relationship Tracking]

These relationships can render the detailed usage metrics as well.

 

[Figure: NetFlow for Network Usage Metrics]

Top reports can also be utilized across the relationship objects to reveal the top hosts utilizing the services on these external servers.

 

[Figure: NetFlow for Top Hosts Utilizing External Servers]
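
The application-profile and relationship-tracking workflow described above can be sketched outside any product. The following Python is an added example, not StealthWatch code or the author's: it matches constructed flow records against a hypothetical profile (server range plus port/protocol), totals bytes per host group and ranks the top hosts. The profile name, host groups, addresses and flow tuples are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Hypothetical application profile: layer 3 server range plus layer 4 port/protocol.
# Addresses are RFC 5737 documentation ranges, not a real service.
APP_PROFILES = {
    "example-saas": {"servers": [ipaddress.ip_network("203.0.113.0/24")],
                     "ports": {("tcp", 443)}},
}

# Hypothetical internal host groups standing in for business units or locations.
HOST_GROUPS = {
    "finance": ipaddress.ip_network("10.1.0.0/16"),
    "engineering": ipaddress.ip_network("10.2.0.0/16"),
}

# Constructed flow records: (src, dst, protocol, dst_port, bytes).
FLOWS = [
    ("10.1.0.5", "203.0.113.10", "tcp", 443, 120_000),
    ("10.1.0.5", "203.0.113.11", "tcp", 443, 30_000),
    ("10.2.4.9", "203.0.113.10", "tcp", 443, 800_000),
    ("10.2.4.9", "198.51.100.7", "tcp", 443, 50_000),  # server not in the profile
    ("10.2.7.1", "203.0.113.10", "tcp", 22, 9_000),    # port not in the profile
]

def match_app(dst, proto, port):
    """Return the profile whose server range and port/protocol match, else None."""
    addr = ipaddress.ip_address(dst)
    for name, prof in APP_PROFILES.items():
        if (proto, port) in prof["ports"] and any(addr in n for n in prof["servers"]):
            return name
    return None

def group_of(src):
    """Map an internal client address to its host group."""
    addr = ipaddress.ip_address(src)
    return next((g for g, net in HOST_GROUPS.items() if addr in net), "unassigned")

def usage_report(flows):
    """Sum bytes per (application, host group) and rank (application, host) pairs."""
    by_group, by_host = defaultdict(int), defaultdict(int)
    for src, dst, proto, port, nbytes in flows:
        app = match_app(dst, proto, port)
        if app is None:
            continue  # flow falls outside every application profile
        by_group[(app, group_of(src))] += nbytes
        by_host[(app, src)] += nbytes
    top_hosts = sorted(by_host.items(), key=lambda kv: kv[1], reverse=True)
    return dict(by_group), top_hosts
```
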

Security Monitoring

In addition to the capacity planning workflows already described, StealthWatch can monitor for anomalous behavior between external services and internal clients. Protecting against unauthorized data loss, policy violations and advanced threats can be accomplished through the same visibility.

Wrap Up

By utilizing NetFlow data, external services can be accurately monitored. Reporting on usage from locations, business units and users can be quickly resolved via StealthWatch dashboards. As more services move to the Internet, it is important to ensure that visibility into organizational data is not lost.
