Mining NetFlow - Information Security Magazine - Page 1

Your routers and switches can yield a mother lode of security information about your network--if you know where to dig.

Excavating endless logs to detect malicious network activity is a lot like mining for gold-- randomly digging holes to find a nugget or two isn't very efficient. Your search will be a lot more fruitful if you know what to look for and where to look for it.

Fortunately, data generated by NetFlow, a de facto UDP-based traffic reporting protocol, yields a rich vein of specific information about data flow--source and destination IP addresses and port numbers, protocol and service types, and the router input interface.

Mining NetFlow data can still be extremely difficult, but a handful of free and/or relatively inexpensive tools allow you to hit pay dirt by easily sorting, viewing and analyzing the information you want to use. The results can help you identify and shut down everything from spam to botnets. This technique is particularly valuable for ISPs, but can produce invaluable security information in any organization.

Drilling Operations
Cisco defines flow as a stream of packets between a given source and destination, defined by a network-layer IP address and transport-layer source and destination port numbers. It includes date and time information, as well as packet and byte counts. NetFlow data, created by Cisco and also supported on Juniper and other routers,

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

has been used for network, application and user monitoring, as well as capacity planning, security analysis and accounting.

NetFlow security analysis is a basic form of anomaly detection--looking at traffic patterns that stray from the norm. In contrast, signature-based IDSes inspect payload information.

This analysis can generate a wide range of security-related information. A typical activity, such as a single device generating an unusually high number of connections, could indicate DoS or worm attacks, network scans or spam. You can filter NetFlow data to show only activity on specific ports, which may indicate worm or Trojan activity (Slammer uses port 1434). You may also spot unfamiliar IP addresses generating outbound traffic or, conversely, known IP addresses on your network generating inbound traffic.

This was first published in January 2006