This article can also be found in the Premium Editorial Download "Information Security magazine: How to stop data leakage."

Download it now to read this article plus other related content.

Traffic at a Glance

    Requires Free Membership to View

WebView can show NetFlow data on traffic flows in graphs (right) and tables (below), useful in monitoring the type and volume of traffic on the network and understanding QoS issues.

Mining Tools
There are many automated tools for dealing with network threats, but recording virtually all traffic and being able to analyze it in many ways at will provides a powerful way to identify and deal with problems that have happened despite other controls.

NetFlow analysis is a largely manual, detailed process conducted over a lengthy time period; it can be a bit tedious, but automatically scheduled reports can expedite analysis of specific areas and complement the ad hoc capabilities. We recommend using a combination of tools for data mining and warehousing, enabling you to maintain several months of information for long-term analysis.

  • Mark Fullmer's Flow-Tools (www.splin tered.net/sw/flow-tools) is a compilation of libraries and programs used to collect, send, process and generate reports based on NetFlow data. Among a variety of functions, various programs can generate more than 50 reports, such as source destination IP pairs and most active devices, or any designated export field; tag flows based on a particular network; and import/export data in ASCII format. The Web site is an excellent resource for information about data flow analysis. An alternative free NetFlow analysis package is SiLK (http://silktools.sourceforge.net), created by the CERT Analysis Center. There are also commercial tools, such as AdventNet's ManageEngine NetFlow Analyzer (http://origin.manageengine.adventnet.com/ products/netflow).

  • WebView is a Web-based reporting tool from Berbee Information Networks, an IT/security managed service provider. A front end for Flow-Tools, WebView has a nice ad hoc query interface that makes it easy to rapidly dig through gigabytes of flow data to discover interesting trends and patterns. It allows selection based on such factors as IP addresses, ports, peers, number of flows, and amount of data. It's currently available only to Berbee customers, but it is open source, and Berbee says it will soon be available for free on SourceForge.net.

  • KEDIT, from Mansfield Software Group (www.kedit.com), is a powerful text editor that allows for further sorting of data and offers commands that enable easy data reduction; it is also a powerful macro capability used to remove uninteresting data, such as router-to-router chatter.
As threats evolve, the ad hoc nature of data mining makes it a valuable technique for identifying and adapting to new dangers as they emerge. Analyzing NetFlow data brings precious security information to the surface, helping managers understand what's going on in their networks and keeping them safe.

This was first published in January 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: