Gain Visibility and Internal Security Using NetFlow
Many organizations have yet to fully realize the untapped security potential available within their network infrastructure. By collecting, processing and analyzing NetFlow data, exportable from Cisco routers and switches, organizations can easily extend the value of their network infrastructures.
NetFlow provides network and security benefits beyond those provided by traditional security controls through two additional layers of intelligence: visibility into host-based conversations and traffic pattern analysis. Host conversations provide a broader context than point-in-time security events, while traffic pattern analysis quickly identifies suspicious flows, such as outbound FTP sessions to North Korea, without inspecting payload: a flow record carries the addresses, ports, protocol, packet and byte counts and timing of each conversation, so the analysis works even when the content is encrypted or unknown. This additional visibility is not available through classic IDS/IPS technology and is obtained through NetFlow-based technologies.
| Classic IDS/IPS technology | NetFlow-enabled technology |
| --- | --- |
| Signature database detects known attacks | Real-time monitoring of host behaviors and traffic analysis to identify threats |
| Per-packet, inline blocking of attacks | Mitigation via network infrastructure or integration with inline devices |
| Cost prohibitive at speeds above 1 Gbps | Monitoring of high-speed networks using flow records the exporters already generate, at no extra sensor cost |
| Minimal forensics value | Archived audit trail of network IP communications |
| Little to no network performance tooling for identifying DoS or worm outbreaks | Extensive network performance reports including top talkers, interface utilization, exporter tracking, etc. |
| No identity integration | User-identity aware |
| Visibility limited to the directly monitored network segment | End-to-end network visibility |
| Commonly deployed technology | Innovative technology deployed by early adopters |
NetFlow Fills the Gaps Left by Perimeter Defenses
Vanishing perimeters, perimeter-based security strategies and signature-based technologies have left gaping holes in security infrastructure. Industry analysts not only recognize the existence of these gaps, but also specifically recommend flow-based technologies that analyze NetFlow data to fill these gaps.
“Commercial products have gone much further in developing the security capabilities of NetFlow . . . Of all the NetFlow vendors, Lancope has had the most consistent focus on internal network security from the inception. Its StealthWatch product is designed to identify malicious behavior and alert or even block when anomalies are detected.” 1
Have you ever asked yourself any of the following questions?
- What happens if my perimeter defenses fail to stop an external threat?
- What happens when perimeter defenses are bypassed altogether (e.g. walk-in worms)?
- How do I know that I haven’t already been compromised? And, what can I do about it?
These questions indicate a need for an internal security solution. Further compounding this concern are compelling events in the news that continually highlight the need for better internal security. NetFlow analysis by StealthWatch provides end-to-end visibility to secure network cores by detecting malicious, accidental and suspicious activities on the network, including:
- misconfigured systems and devices
- unauthorized apps (e.g. P2P file sharing)
- file servers “re-deployed” as web servers
Do you have a solution to rapidly respond to compromises and then, more importantly, precisely contain them? By leveraging NetFlow to monitor host behaviors, technologies such as StealthWatch are well suited to detecting compromised hosts. This scalable approach enables security and network operations teams to remediate an incident within minutes, preventing widespread, costly and potentially irreparable damage. StealthWatch not only applies proprietary technology to collect and analyze NetFlow in order to determine when hosts have been compromised, but also supplies an Incident Response workflow for rapid response. Moreover, stored NetFlow records provide a complete history of past host and network activity. This broad context proves invaluable for investigating problems and shaping security policies. Records of user behavior on the network are useful both for applying disciplinary measures for past network abuse and for proactively restricting user activities going forward.
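The two analyses described above, traffic-pattern matching on flow metadata (the outbound FTP case) and host-behavior monitoring (a file server that suddenly starts serving web traffic), can be shown concretely on raw NetFlow v5 export records. The following is an added example and is not StealthWatch or Lancope code; it parses the NetFlow v5 datagram format (24-byte header, 48-byte records) and runs two simple checks over a constructed datagram. The internal range, the "watched" destination prefix (a documentation range standing in for a foreign country's address space, since flow data is geolocated by address, not content) and the per-host port baseline are all assumptions for illustration.

```python
"""Parse a NetFlow v5 export datagram and run two flow-based checks.

Added example: not vendor code. Addresses, prefixes and the host baseline
below are constructed for illustration.
"""
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire format (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")            # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]           # assumed internal space
WATCHED = [ipaddress.ip_network("203.0.113.0/24")]        # hypothetical "foreign" prefix
# Hypothetical role baseline: TCP ports each host is expected to serve.
BASELINE = {"10.0.5.20": {445, 139}}                      # file server (SMB only)


def parse_v5(datagram: bytes) -> list:
    """Decode a v5 datagram into a list of flow dicts; rejects other versions."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < expected:
        raise ValueError("truncated datagram")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _iif, _oif, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos,
         *_rest) = V5_RECORD.unpack_from(datagram, off)
        flows.append({
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "sport": sport, "dport": dport, "proto": proto,
            "pkts": pkts, "octets": octets, "flags": flags,
        })
    return flows


def _in(addr, nets) -> bool:
    return any(addr in n for n in nets)


def outbound_ftp_to_watched(flows: list) -> list:
    """Traffic-pattern check: TCP/21 from inside to a watched prefix, payload not needed."""
    return [f for f in flows
            if f["proto"] == 6 and f["dport"] == 21
            and _in(f["src"], INTERNAL) and _in(f["dst"], WATCHED)]


def role_changes(flows: list) -> dict:
    """Host-behavior check: well-known TCP ports a baselined host serves that
    are not in its profile (e.g. a file server now answering on 80)."""
    served = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["dport"] < 1024 and _in(f["dst"], INTERNAL):
            served[str(f["dst"])].add(f["dport"])
    return {host: ports - BASELINE[host]
            for host, ports in served.items()
            if host in BASELINE and ports - BASELINE[host]}


def build_record(src, dst, sport, dport, proto, pkts, octets, flags=0x18) -> bytes:
    """Pack one v5 record; interface indexes, timestamps and AS fields are dummies."""
    return V5_RECORD.pack(
        int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst)), 0,
        1, 2, pkts, octets, 1000, 2000, sport, dport, 0, flags, proto, 0,
        0, 0, 24, 24, 0)


def sample_datagram() -> bytes:
    """Constructed export datagram with four flows (not captured traffic)."""
    recs = [
        build_record("10.0.3.15", "203.0.113.7", 51022, 21, 6, 12, 900),      # outbound FTP
        build_record("10.0.3.15", "198.51.100.9", 51023, 443, 6, 40, 20000),  # ordinary HTTPS
        build_record("10.0.7.1", "10.0.5.20", 49500, 445, 6, 30, 9000),       # SMB to file server
        build_record("10.0.7.2", "10.0.5.20", 49510, 80, 6, 8, 1200),         # HTTP to file server
    ]
    header = V5_HEADER.pack(5, len(recs), 123456, 1700000000, 0, 0, 0, 0, 0)
    return header + b"".join(recs)


if __name__ == "__main__":
    flows = parse_v5(sample_datagram())
    for f in outbound_ftp_to_watched(flows):
        print(f"FTP to watched prefix: {f['src']}:{f['sport']} -> {f['dst']}:21 ({f['octets']} bytes)")
    for host, ports in role_changes(flows).items():
        print(f"role change: {host} now serving ports {sorted(ports)} outside baseline")
```

Both checks deliberately ignore packet payload: the first matches on protocol, port and destination prefix only, and the second compares the set of well-known ports a host is observed serving against its expected role. On a real collector the baseline would be learned from historical flow records rather than hard-coded.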
Post-Admission Network Monitoring
Because properly analyzed NetFlow captures host-based communications, it provides a watchful eye into users’ activity on the network. This visibility is not limited to internal users only, but includes post-admission monitoring of external user activity, including customers, partners and consultants. Notably, StealthWatch provides visibility into these external users’ host and network activity without requiring pre-admission control agents.
Ever-Changing Network Conditions Require NetFlow-based Technologies
Today’s vanishing perimeters and ever-changing networks have truly reduced the effectiveness of perimeter-based security. Likewise, successful attacks have become more frequent, damaging and costly, highlighting the shortcomings of perimeter-based security strategies. Contributing to the ever-changing nature of today’s networks are MPLS rollouts, core network upgrades, the need for external user network monitoring, data center consolidations and mergers of once separate networks.
Multiprotocol Label Switching (MPLS) provides many network benefits, but introduces several security challenges. Organizations often fail to realize that traditional security strategies for hub-and-spoke networks do not apply to MPLS networks. Because MPLS enables direct site-to-site communications, an MPLS rollout drastically reduces the visibility and protection provided by security controls that were deployed only at the hub, since site-to-site traffic no longer passes through them. Consequently, organizations need a means to recapture network visibility. Clearly, deploying inline IDS/IPS at potentially hundreds of sites is not a cost-effective option. StealthWatch provides enterprise-wide visibility through proprietary NetFlow analysis, offering a cost-effective, out-of-band alternative to costly inline device deployments: the routers at each site already see the traffic and export flow records for it.
Core Network Upgrades to 10 Gigabit
Core network upgrades are outpacing the throughput available from traditional network IDS/IPS. As such, inline technologies must be re-deployed at the edge, leaving a need for visibility and security in the higher-speed core. Since StealthWatch NetFlow analysis works from flow records rather than inspecting every packet, its cost does not scale with link speed the way inline inspection does, and it provides the most extensive network visibility and security available on the market today, so businesses now have a solution for securing high-speed core networks.
Mergers, Acquisitions and Consolidations
Changing network conditions put network visibility at risk and force organizations to address the question “Do I really know what’s happening on my network?” Some of these changes include:
- data center consolidation
- WAN optimization
- merging once separate networks
- application acceleration
- server virtualization
All of these are issues that jeopardize network visibility and ultimately raise doubt as to who has control of the network. StealthWatch, the most widely used system for security, network and application performance monitoring, enables security and network operations teams to recapture network visibility and regain control of the network.
1 “Getting to Know NetFlow,” Richard Stiennon, Dark Reading, August 16, 2006