This article can also be found in the Premium Editorial Download "Information Security magazine: How to stop data leakage."

Download it now to read this article plus other related content.

Striking It Rich
For a security analyst, finding and using NetFlow data will aid in the discovery and prevention of network compromises. Here are some real-world examples of the power and flexibility of NetFlow analysis:

It's in the mail: When a PC is sending unsolicited e-mail, NetFlow analysis can identify the compromised machine. The daily routine of SMTP analysis leads to scheduled reports, removing the manual work. The net result is a significant reduction of spam being generated, which will help to keep the organization off e-mail blacklists.

It's easy to identify problems by selecting SMTP traffic and sorting it by the number of flows. For example, an unregistered server causing thousands of e-mail flows in a relatively short time interval has a compromised system and will be contacted. Failure to fix problems results in subsequent notifications and could lead to account suspension.

Even registered mail servers with excessive flows can be worth further investigation. For example, thousands of e-mail flows out of a small business or a school in the middle of the night raises a red flag, and checking IPs against Internet registries often turns up large numbers of suspicious foreign destinations. Detailed flow analysis of a specific machine generating spam usually shows activity on ports indicating a specific mail Trojan.

On the trail of malware: When a new virus or worm hits, NetFlow analysis can

    Requires Free Membership to View

reveal its characteristics, the extent to which it has infected networks and how it's spreading. For example, Sasser and Sober are fairly easy to profile from the ports they use and the number of flows generated. Thousands of flows on port 445 over a 20-minute interval just isn't normal activity--it's Sasser.

Symantec, McAfee, the Internet Storm Center and others are ready sources of information on the activity patterns of viruses, worms and spyware.

This was first published in January 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: