This article can also be found in the Premium Editorial Download "Information Security magazine: How to stop data leakage."
Download it now to read this article plus other related content.
Your routers and switches can yield a mother lode of security information about your network--if you know where to dig.
Excavating endless logs to detect malicious network activity is a lot like mining for gold-- randomly digging holes to find a nugget or two isn't very efficient. Your search will be a lot more fruitful if you know what to look for and where to look for it.
Fortunately, data generated by NetFlow, a de facto UDP-based traffic reporting protocol, yields a rich vein of specific information about data flow--source and destination IP addresses and port numbers, protocol and service types, and the router input interface.
Mining NetFlow data can still be extremely difficult, but a handful of free and/or relatively inexpensive tools allow you to hit pay dirt by easily sorting, viewing and analyzing the information you want to use. The results can help you identify and shut down everything from spam to botnets. This technique is particularly valuable for ISPs, but can produce invaluable security information in any organization.
Cisco defines flow as a stream of packets between a given source and destination, defined by a network-layer IP address and transport-layer source and destination port numbers. It includes date and time information, as well as packet and byte counts. NetFlow data, created by Cisco and also supported on Juniper and other routers,
NetFlow security analysis is a basic form of anomaly detection--looking at traffic patterns that stray from the norm. In contrast, signature-based IDSes inspect payload information.
This analysis can generate a wide range of security-related information. A typical activity, such as a single device generating an unusually high number of connections, could indicate DoS or worm attacks, network scans or spam. You can filter NetFlow data to show only activity on specific ports, which may indicate worm or Trojan activity (Slammer uses port 1434). You may also spot unfamiliar IP addresses generating outbound traffic or, conversely, known IP addresses on your network generating inbound traffic.
This was first published in January 2006