Gain Network Visibility and Internal Security Using sFlow®
Many organizations have yet to realize the untapped security potential in their network infrastructure. By collecting, processing and analyzing sFlow data, which existing routers and switches can already export, organizations can easily extend the value of that infrastructure.
sFlow analysis provides several lenses through which flow data can be examined. These include “host centric” views that focus on all activity involving a single host; “virtual security zones” for internal and external hosts, which show traffic flows within and between local groups of hosts; and per-flow views, which classify each flow as “normal” or “possibly malicious.” 1
This additional intelligence is not available through classic signature-based IDS/IPS technology and is obtained through sFlow-based analysis, which offers significant value for both security and network operations.
| Classic IDS/IPS Technology | sFlow-enabled NBA Technology |
|---|---|
| Database signatures detect recognized attacks | Real-time monitoring of host behaviors and traffic analysis to identify threats |
| Per-packet, inline blocking of attacks | Mitigation via network infrastructure or integration with inline devices |
| Cost prohibitive at speeds above 1G | Unlimited monitoring of high speed networks at no extra cost |
| Little to no network performance tools for identifying DoS, worm outbreaks | Extensive network performance reports, including top talkers, interface utilization, exporter tracking, etc. |
| No identity integration | User-identity aware |
| Limited visibility per direct network connection | End-to-end network visibility |
| Commonly deployed technology | Innovative technology deployed by early adopters |
sFlow Fills the Gaps Left by Perimeter Defenses
Vanishing perimeters, perimeter-based security strategies and signature-based technologies have left gaping holes in the security infrastructure. Industry analysts not only recognize the existence of these gaps but also specifically recommend Network Behavior Analysis (NBA) technologies, which analyze flow data, to fill them.
Internal Security
Have you ever asked yourself any of the following questions?
- What happens if my perimeter defenses fail to stop an external threat?
- What happens when perimeter defenses are bypassed altogether (e.g. walk-in worms)?
- How do I know that I haven’t already been compromised? And, what can I do about it?
These questions indicate a need for an internal security solution. Further compounding this concern are compelling events in the news that continually highlight the need for better internal security. sFlow analysis by StealthWatch® provides end-to-end visibility to secure network cores by detecting malicious, accidental and suspicious activities on the network, including:
- misconfigured systems and devices
- unauthorized apps (e.g. P2P file sharing)
Incident Response and Problem Investigation
Do you have a solution to rapidly respond to compromises and then, more importantly, precisely contain them? By leveraging sFlow to monitor host behaviors, NBA technologies such as StealthWatch are well suited to detecting compromised hosts. This scalable approach enables security and network operations teams to remediate an incident within minutes, preventing widespread, costly and potentially irreparable damage. StealthWatch not only applies proprietary technology to the collected sFlow data in order to determine when hosts have been compromised, but also supplies an Incident Response workflow for rapid response. Behaviors indicative of compromised hosts include a desktop sending e-mail to 1,000 different IP addresses and a laptop scanning random IP addresses.
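The two behaviors just described (a desktop mailing 1,000 hosts, a laptop scanning random addresses) and the host-centric and security-zone views mentioned earlier can be expressed as simple heuristics over sampled flow records. The following is an added example written for this page, not StealthWatch or Lancope code, and it makes several assumptions: the internal zone is 10.0.0.0/8, the exporter samples 1 packet in 16, the thresholds are arbitrary values chosen for the example, and the input flow samples are constructed rather than captured. It also shows the caveat sampled data forces on you: thresholds apply to sampled distinct peers, and the true fan-out is only estimated by scaling by the sampling rate.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumption for this example: the "internal" security zone is 10.0.0.0/8.
# Everything else is treated as external.
INTERNAL_ZONE = ipaddress.ip_network("10.0.0.0/8")

# Thresholds are on *sampled* distinct peers, so they must be set with the
# exporter's sampling rate in mind (see the estimate in classify()).
# Values are chosen for this example only.
MAIL_PEER_THRESHOLD = 50
SCAN_PEER_THRESHOLD = 50


@dataclass(frozen=True)
class FlowSample:
    """One sFlow flow sample reduced to the fields the heuristics need."""
    src: str
    dst: str
    dport: int
    sampling_rate: int  # 1-in-N packet sampling configured on the exporter


def zone(ip: str) -> str:
    return "internal" if ipaddress.ip_address(ip) in INTERNAL_ZONE else "external"


def host_profiles(samples):
    """Host-centric view: for each source host, the distinct peers it
    contacted, grouped by (destination zone, destination port)."""
    peers = defaultdict(lambda: defaultdict(set))
    rates = {}
    for s in samples:
        peers[s.src][(zone(s.dst), s.dport)].add(s.dst)
        rates[s.src] = max(rates.get(s.src, 1), s.sampling_rate)
    return peers, rates


def classify(samples):
    """Per-host verdicts from two behavioural heuristics:
    - mass mailer: many distinct peers on TCP/25 (desktop mailing 1,000 hosts)
    - address scan: many distinct peers on other ports (laptop scanning)
    The second tuple element is the estimated true peer count: with one
    packet per peer, a 1-in-N sampler sees roughly 1/N of the peers."""
    peers, rates = host_profiles(samples)
    verdicts = {}
    for src, by_key in peers.items():
        mail_peers, other_peers = set(), set()
        for (_zone, dport), dsts in by_key.items():
            (mail_peers if dport == 25 else other_peers).update(dsts)
        found = []
        if len(mail_peers) >= MAIL_PEER_THRESHOLD:
            found.append(("mass mailer", len(mail_peers) * rates[src]))
        if len(other_peers) >= SCAN_PEER_THRESHOLD:
            found.append(("address scan", len(other_peers) * rates[src]))
        verdicts[src] = found or [("normal", 0)]
    return verdicts


def constructed_samples():
    """Constructed input, not captured traffic. Every 16th packet is
    kept to mimic a 1:16 sampling exporter."""
    rate = 16
    out = []
    # Desktop 10.1.1.5 opens one SMTP connection to each of 1,000 external hosts.
    for i in range(1000):
        if i % rate == 0:
            out.append(FlowSample("10.1.1.5", f"198.{18 + i // 256}.{i % 256}.10", 25, rate))
    # Laptop 10.1.2.9 probes TCP/445 on 2,000 addresses spread across 10.0.0.0/8.
    for i in range(2000):
        if i % rate == 0:
            out.append(FlowSample("10.1.2.9", f"10.{i // 256}.{i % 256}.40", 445, rate))
    # Workstation 10.1.1.7 talks repeatedly to three servers: ordinary behaviour.
    for i in range(300):
        if i % rate == 0:
            for dst, dport in (("10.2.0.10", 443), ("10.2.0.20", 445), ("203.0.113.5", 443)):
                out.append(FlowSample("10.1.1.7", dst, dport, rate))
    return out


if __name__ == "__main__":
    for host, found in sorted(classify(constructed_samples()).items()):
        print(host, found)
```

Counting distinct peers rather than sampled packets is what keeps the chatty but legitimate workstation out of the verdicts: it generates more samples than the mailer but only ever reaches three hosts. Against real exporters the records would come from decoding sFlow v5 datagrams (for example with sflowtool) rather than from the constructed list, and the scaled estimate only holds for one-packet-per-peer behaviour; a host that sends many packets to each peer will be under-estimated, not over-estimated, by this method.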
Post-admission Network Monitoring
Because properly analyzed sFlow captures host-based communications, it provides a watchful eye on users’ activity on the network. This does not apply to internal users only: it extends to post-admission monitoring of external users’ activity, including customers, partners and consultants. Notably, StealthWatch provides visibility into these external users’ host and network activity without requiring pre-admission control agents.
Ever-Changing Network Conditions Require sFlow-based Technologies
Today’s vanishing perimeters and ever-changing networks have greatly reduced the effectiveness of perimeter-based security. Moreover, successful attacks, which have become more frequent and more costly, attest to the shortcomings of perimeter-based security strategies. Contributing to the ever-changing nature of today’s networks are MPLS rollouts, core network upgrades, the need to monitor external users on the network, data center consolidations and mergers of once separate networks.
MPLS
Multiprotocol Label Switching (MPLS) provides many network benefits but introduces several security challenges. Organizations often fail to realize that traditional security strategies for hub-and-spoke networks do not apply to MPLS networks. Because MPLS enables direct site-to-site communication, traffic between sites no longer passes through the hub, so an MPLS rollout drastically reduces the visibility and protection provided by security controls that were deployed only there. Consequently, organizations need a means to recapture network visibility. Deploying inline IDS/IPS at potentially hundreds of sites is clearly not a cost-effective option. StealthWatch provides enterprise-wide visibility through proprietary sFlow analysis, offering a cost-effective, out-of-band alternative to the costly deployments associated with inline network devices.
Core Network Upgrades to 10 Gb
Core network upgrades are outpacing the throughput available from traditional network IDS/IPS. As a result, inline technologies must be re-deployed at the edge, leaving a need for a solution that provides visibility and security in higher speed networks. Because sFlow sampling is performed by the switch or router itself and only sampled packet headers and counters are exported, the load on the analysis system is governed by the sampling rate rather than the link speed; StealthWatch sFlow analysis is therefore not limited by high speed networks and provides the most extensive network visibility and security available on the market today, giving businesses a solution for securing high speed core networks.
Mergers, Acquisitions and Consolidations
Changing network conditions put network visibility at risk and force organizations to address the question “Do I really know what’s happening on my network?” Such changes include:
- Data center consolidation
- Merging once separate networks
- Server virtualization
- WAN optimization
- Application acceleration
All of these jeopardize network visibility and ultimately raise doubt as to who has control of the network. Lancope, Inc.’s StealthWatch System, the most widely used NBA solution, enables security and network operations teams to recapture network visibility and regain control of the network.
sFlow expert John Jerrim explores the science and applications of sampled sFlow in much more depth in his white paper available at http://www.lancope.com/resource/
1 John Jerrim, Chief Research Officer, Lancope