Benefits of NetFlow and IPFIX Collection & Analysis for Security Operations
Vanishing perimeters, perimeter-based security strategies and signature-based technologies have left gaping holes in the security posture of many enterprises. Traditional security systems monitor only the perimeter and do not provide insight into traffic that stays within the network, leaving companies wide open to insider threats. Additionally, external attacks continue to bypass traditional safeguards, and employing conventional security systems internally is cost-prohibitive. Without adequate internal monitoring, security issues can go unnoticed for long periods of time, wreaking havoc on the network.
NetFlow and IPFIX, core technologies built into many Cisco routers and switches as well as other compatible devices, are highly valuable yet underused assets for improving network security. By collecting and analyzing NetFlow, IPFIX and other flow data from existing routers and switches, StealthWatch provides the in-depth network visibility required to detect and mitigate a wide range of security issues at a fraction of the cost of conventional monitoring solutions. StealthWatch can also combine this in-depth insight from the internal network with intelligence from perimeter technologies such as firewalls to deliver even greater contextual awareness.
Unlike other technologies, StealthWatch takes a proactive approach to security by analyzing network behavior instead of relying on signatures to identify attacks. StealthWatch can detect targeted, custom threats, zero-day worms, viruses, botnets and other malware, as well as insider threats including network misuse, policy violations and data leakage all the way down to the user involved. StealthWatch is also ideal for performing sophisticated forensic analysis to investigate security incidents. Unifying security, network and application performance monitoring in a single system, StealthWatch can also vastly improve network operations in addition to security.
| Classic IDS/IPS technology | StealthWatch |
| --- | --- |
| Database signatures detect known attacks | Real-time monitoring of host behaviors and traffic analysis to identify threats |
| Per-packet, inline blocking of attacks | Mitigation via network infrastructure or integration with inline devices |
| Cost prohibitive at speeds above 1G | Unlimited monitoring of high speed networks at no extra cost |
| Minimal forensics value | Archived audit trail of network IP communications |
| Little to no network performance tools for identifying DoS, worm outbreaks | Extensive network performance reports including top talkers, interface utilization, exporter tracking, etc. |
| No identity integration | User-identity aware |
| Limited visibility per direct network connection | End-to-end network visibility, combining both internal and external monitoring |
| Commonly deployed technology | Innovative technology deployed by early adopters |
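To make the behavior-versus-signature distinction above concrete, here is an added example (not StealthWatch code or any vendor's) that runs two of the analyses the comparison table names, a top-talkers report and a signature-free fan-out check for worm-like propagation, over a handful of constructed flow records using the core NetFlow/IPFIX fields (source, destination, destination port, packets, octets). The thresholds and sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow, using the core NetFlow/IPFIX field names."""
    src: str
    dst: str
    dport: int
    packets: int
    octets: int


# Constructed sample flows (not real traffic): one workstation fanning out to
# many internal hosts on TCP/445 with tiny flows, plus ordinary bulk traffic
# that a perimeter-only device would never see.
FLOWS = [Flow("10.1.1.5", f"10.1.2.{i}", 445, 3, 180) for i in range(10, 18)]
FLOWS += [
    Flow("10.1.1.20", "10.1.3.50", 443, 4_000, 5_000_000),
    Flow("10.1.1.21", "10.1.3.50", 443, 300, 200_000),
    Flow("10.1.1.5", "10.1.3.50", 443, 50, 40_000),
]


def top_talkers(flows, n=3):
    """Octets sent per source address, descending: the 'top talkers' report."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.octets
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]


def fan_out_alerts(flows, min_peers=5, max_octets=1_000):
    """Behavioral check that needs no signature: a source opening many small
    flows to distinct destinations on one port looks like scanning or worm
    propagation. Returns {(src, dport): sorted list of peers} for offenders."""
    peers = defaultdict(set)
    for f in flows:
        if f.octets <= max_octets:          # bulk transfers are not fan-out
            peers[(f.src, f.dport)].add(f.dst)
    return {k: sorted(v) for k, v in peers.items() if len(v) >= min_peers}


if __name__ == "__main__":
    for src, octets in top_talkers(FLOWS):
        print(f"{src:<12} {octets:>10} octets")
    for (src, port), dsts in fan_out_alerts(FLOWS).items():
        print(f"ALERT {src} -> {len(dsts)} hosts on port {port}: {dsts[:3]} ...")
```

Because flows are retained rather than dropped after inspection, the same records also serve the forensic audit-trail use the table mentions: the alert can be traced back to every peer the source touched.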