While I was attending Cisco Live a few weeks back, I had more than a few people come up to the booth skeptical of what we meant when we said StealthWatch had added support for the flow records from the ASA. I'm happy to say the people I spoke with had very positive comments about the way StealthWatch consumes this flow feed, and a number of them asked why everyone didn't process the records the way we do. The issue is that while the ASA exports its data in NetFlow (v9) packet format, the records contained within it aren't quite the same as "normal" NetFlow records: rather than periodic per-flow statistics, each record is a firewall event such as a flow being created, torn down or denied. The records the ASA exports are referred to as NSEL (NetFlow Security Event Logging) and you can read more about them here: http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html
For some time we chose not to consume the NSEL format the ASA exports because of the differences between standard NetFlow and NSEL, but we have since modified the way we treat flows from the ASA so that the data is consumed properly, without the data integrity issues you may have noticed with some other vendors' products. We've taken it a step further and also consume some of the special fields the NSEL format provides pertaining to Permit/Deny actions at the firewall.
Rather than just log these actions, we've leveraged them to further enhance the security metrics StealthWatch provides, by conducting behavioral analysis on them and building them into various algorithms where applicable.
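To make the difference concrete, here is an added example of what an NSEL-aware consumer has to do differently from a classic NetFlow collector. It is illustrative code written for this post, not Lancope's code and not a description of how StealthWatch is implemented. It works on records already decoded from the NetFlow v9 packet into dicts (the dict key names are chosen for the example; the NSEL element numbers they correspond to are given in the comments), and the sample events are constructed, not captured from a real ASA.

```python
"""NSEL-aware flow consumer (added example; not Lancope/StealthWatch code).

Classic NetFlow exports one record per flow, with byte/packet counters and
sysUptime-relative timestamps. ASA NSEL reuses the NetFlow v9 packet format,
but each record is a firewall *event*: FW_EVENT (element 233) is
0 = ignore, 1 = flow created, 2 = flow deleted (teardown), 3 = flow denied.
Create and deny records carry no byte counters, the teardown record carries
them (elements 231/232), and every record has an absolute event time
(element 323). A collector that treats each record as a flow therefore
counts one permitted connection twice, sees a deny as a zero-byte flow and
never learns the permit/deny action. Correlating by the ASA flow ID
(element 148) fixes all three.
"""
from collections import Counter

FW_EVENT_IGNORE, FW_EVENT_CREATED, FW_EVENT_DELETED, FW_EVENT_DENIED = 0, 1, 2, 3

# Constructed sample events, already decoded into dicts. Key names are this
# example's own: flow_id = element 148, event = 233, ext_event = 33002,
# t_ms = 323, fwd_bytes/rev_bytes = 231/232 (forward/reverse delta bytes).
SAMPLE_RECORDS = [
    {"flow_id": 101, "event": FW_EVENT_CREATED, "src": "10.1.1.5", "sport": 51234,
     "dst": "198.51.100.7", "dport": 443, "proto": 6, "t_ms": 1_700_000_000_000},
    # ext_event 1001 is the "ingress ACL denied" reason code in the NSEL doc.
    {"flow_id": 202, "event": FW_EVENT_DENIED, "ext_event": 1001, "src": "10.1.1.9",
     "sport": 40000, "dst": "10.2.2.2", "dport": 22, "proto": 6, "t_ms": 1_700_000_000_250},
    {"flow_id": 101, "event": FW_EVENT_DELETED, "src": "10.1.1.5", "sport": 51234,
     "dst": "198.51.100.7", "dport": 443, "proto": 6, "t_ms": 1_700_000_012_000,
     "fwd_bytes": 4120, "rev_bytes": 98760},
    # A connection that is still open: only its create event has arrived.
    {"flow_id": 303, "event": FW_EVENT_CREATED, "src": "10.1.1.5", "sport": 51300,
     "dst": "203.0.113.2", "dport": 53, "proto": 17, "t_ms": 1_700_000_020_000},
]


def naive_flow_count(records):
    """What a collector expecting classic NetFlow does: every record is a 'flow'."""
    return sum(1 for r in records if r["event"] != FW_EVENT_IGNORE)


def correlate_nsel(records):
    """Fold NSEL events into one entry per connection, keyed by the ASA flow ID.

    In a deployment with several exporters the key should be (exporter, flow_id),
    since flow IDs are only unique per ASA; a single exporter is assumed here.
    """
    flows = {}
    for r in records:
        ev = r["event"]
        if ev == FW_EVENT_IGNORE:
            continue
        f = flows.setdefault(r["flow_id"], {
            "tuple": (r["src"], r["sport"], r["dst"], r["dport"], r["proto"]),
            "action": "permit", "state": "open", "bytes": 0,
            "start_ms": r["t_ms"], "end_ms": None, "deny_reason": None,
        })
        if ev == FW_EVENT_CREATED:
            f["start_ms"] = r["t_ms"]
        elif ev == FW_EVENT_DELETED:
            # Counters live only on the teardown; add them to the connection.
            f["state"], f["end_ms"] = "closed", r["t_ms"]
            f["bytes"] += r.get("fwd_bytes", 0) + r.get("rev_bytes", 0)
        elif ev == FW_EVENT_DENIED:
            # A deny is a complete connection attempt with no counters, not a
            # zero-byte flow: record the action and the firewall's reason code.
            f["action"], f["state"], f["end_ms"] = "deny", "closed", r["t_ms"]
            f["deny_reason"] = r.get("ext_event")
    return flows


def summarize(records):
    """Connection-level view of the feed after correlation."""
    flows = correlate_nsel(records)
    return {
        "connections": len(flows),
        "denied": sum(1 for f in flows.values() if f["action"] == "deny"),
        "still_open": sum(1 for f in flows.values() if f["state"] == "open"),
        "bytes": sum(f["bytes"] for f in flows.values()),
    }


def denies_per_source(flows):
    """Per-source deny counts: the kind of per-host metric the firewall's
    permit/deny action makes available for behavioral baselining."""
    return dict(Counter(f["tuple"][0] for f in flows.values() if f["action"] == "deny"))


if __name__ == "__main__":
    print("naive record count:", naive_flow_count(SAMPLE_RECORDS))
    print("correlated:", summarize(SAMPLE_RECORDS))
    print("denies per source:", denies_per_source(correlate_nsel(SAMPLE_RECORDS)))
```

On the four sample events the naive count reports four flows, while correlation reports three connections, one of them denied and one still open, with the byte total taken from the single teardown record. The per-source deny count is the sort of signal a behavioral engine can baseline per host, which is only possible once the deny events are kept as actions rather than discarded as empty flows.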
For more information about the ASA support within Lancope and how NSEL is different from a standard NetFlow feed please download our market brief: