Home > Information Security Magazine > Features > Mining NetFlow
EMAIL THIS LICENSING & REPRINTS
Information Security Magazine

  CURRENT ISSUE  
  FEATURES  
  COLUMNS  
  HOT PICK & PRODUCT REVIEWS  
  ARCHIVES  
  SUBSCRIBE/RENEW  
  

Mining NetFlow
by Ned Lindberg
Issue: Jan 2006
printer-friendly
licensing & reprints
< PREV PAGE   |   1  |   2  |   3  |   4  |   NEXT PAGE  >

Your routers and switches can yield a mother lode of security information about your network--if you know where to dig.

Excavating endless logs to detect malicious network activity is a lot like mining for gold-- randomly digging holes to find a nugget or two isn't very efficient. Your search will be a lot more fruitful if you know what to look for and where to look for it.

Fortunately, data generated by NetFlow, a de facto UDP-based traffic reporting protocol, yields a rich vein of specific information about data flow--source and destination IP addresses and port numbers, protocol and service types, and the router input interface.

Mining NetFlow data can still be extremely difficult, but a handful of free and/or relatively inexpensive tools allow you to hit pay dirt by easily sorting, viewing and analyzing the information you want to use. The results can help you identify and shut down everything from spam to botnets. This technique is particularly valuable for ISPs, but can produce invaluable security information in any organization.

Drilling Operations
Cisco defines flow as a stream of packets between a given source and destination, defined by a network-layer IP address and transport-layer source and destination port numbers. It includes date and time information, as well as packet and byte counts. NetFlow data, created by Cisco and also supported on Juniper and other routers, has been used for network, application and user monitoring, as well as capacity planning, security analysis and accounting.

NetFlow security analysis is a basic form of anomaly detection--looking at traffic patterns that stray from the norm. In contrast, signature-based IDSes inspect payload information.

This analysis can generate a wide range of security-related information. A typical activity, such as a single device generating an unusually high number of connections, could indicate DoS or worm attacks, network scans or spam. You can filter NetFlow data to show only activity on specific ports, which may indicate worm or Trojan activity (Slammer uses port 1434). You may also spot unfamiliar IP addresses generating outbound traffic or, conversely, known IP addresses on your network generating inbound traffic.

< PREV PAGE   |   1  |   2  |   3  |   4  |   NEXT PAGE  >





TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts