From humble beginnings, NetFlow has today become a commonly used network monitoring tool. Alone, NetFlow analysis provides powerful management capabilities. When combined with security information and event management systems (SIMs) and correlated with data from other devices and layers, NetFlow becomes indispensable. In this article, we'll discuss NetFlow analysis and what it offers to SIM systems that use it. We will then review the advantages gained in combining these two powerful technologies together.
What is NetFlow?
Initially, network monitoring was performed with the Simple Network Management Protocol (SNMP).
Although SNMP eases capacity planning, it does little to characterize traffic by application, which
is essential for understanding how well the network supports the business. Monitoring traffic by
port was tried, but newer applications dynamically select new ports for each session, so port-based
accounting proved inadequate. What was needed was a more granular picture of bandwidth usage. The
arrival of NetFlow, whose flow records are exported from the switch or router over UDP, allowed
network administrators to characterize and analyze network traffic as flows.
NetFlow analysis is now built into most enterprise-class switches and routers, and has become a primary network accounting and anomaly-detection technology in the industry. NetFlow essentially answers the following questions about network traffic: Who, what, when, where, and how? Each flow is a collection of packets characterized by flow-specific information, such as the
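As an added illustration (not code from the article), this is how a collector turns the raw UDP export into the who, what, when, where and how fields the section above describes. It assumes the documented NetFlow v5 record layout and feeds itself a constructed datagram rather than captured traffic:

```python
import socket
import struct

# NetFlow v5 wire layout, network byte order: a 24-byte header followed by
# up to 30 fixed 48-byte records, in the documented v5 field order.
HDR = struct.Struct("!HHIIIIBBH")               # version, count, uptime, secs, nsecs, seq, etype, eid, sampling
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in, out, pkts, octets, first, last, ...

def parse_v5(datagram):
    """Parse one v5 export datagram into (flows, flow_sequence, sampling_interval).
    Raises ValueError on a foreign version or a record count the payload cannot hold."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, sampling = HDR.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("truncated datagram: header advertises more records than present")
    flows = []
    for i in range(count):
        rec = REC.unpack_from(datagram, HDR.size + i * REC.size)
        src, dst, _nh, _inif, _outif, pkts, octets, first, last, sport, dport, _pad, flags, proto, _tos = rec[:15]
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),   # who / where
            "proto": proto, "sport": sport, "dport": dport,              # what
            "packets": pkts, "bytes": octets, "tcp_flags": flags,        # how
            # first/last are exporter uptime in ms; convert to wall-clock seconds
            "start": secs - (uptime - first) / 1000.0,                   # when
            "end": secs - (uptime - last) / 1000.0,
        })
    return flows, seq, sampling & 0x3FFF  # low 14 bits hold the sampling interval

def build_sample():
    """Constructed export datagram from a pretend exporter (not captured traffic):
    an HTTPS session and a single SYN-only connection to port 22, both from 10.1.1.5."""
    hdr = HDR.pack(5, 2, 90_000, 1_700_000_000, 0, 1, 0, 0, 0)

    def rec(src, dst, sport, dport, pkts, octets, first, last, flags):
        return REC.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                        1, 2, pkts, octets, first, last, sport, dport, 0, flags, 6, 0,
                        0, 0, 24, 24, 0)

    return (hdr
            + rec("10.1.1.5", "10.1.2.7", 51234, 443, 12, 4800, 30_000, 32_000, 0x1B)
            + rec("10.1.1.5", "10.1.2.9", 51235, 22, 1, 60, 31_000, 31_000, 0x02))

if __name__ == "__main__":
    for flow in parse_v5(build_sample())[0]:
        print(flow)
```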
Network behavior anomaly detection
NetFlow creates a behavior-based system that profiles the typical connections made between devices.
This creates a baseline that may be as granular as hourly or daily. After the network is "learned,"
any variation that is considered anomalous may be acted on.
How SIM uses NetFlow data
NetFlow data is aggregated with data from other sources, such as IPSes, firewalls, VPNs, the
application layer and, in some systems, identity data. This data is then correlated using several
techniques, including:
- Rules-based
- Statistical
- Historical
- Vulnerability
These correlations are conducted per monitoring site and across sites as well.
This correlated data is prioritized based on traffic flows, attacks within a site or attacks across sites. A risk analysis is then performed to discover which attack has the greatest potential for harm to the enterprise. Ideally this risk assessment will include attacks on at least:
- Business processes
- Network processes
- Site versus enterprise
This, however, has been a differentiator in the SIM space: some products are better at network-based attacks, while others also allow for reviewing business processes.
Finally, this data is provided to a reporting engine. Graphs and charts are provided by a series of dashboards and text-based reports. The newest generation of security information management systems allows for visualization techniques with drill-down capability.
Advantages of SIM/NetFlow together
One of the clearest gains in combining NetFlow with SIMs is the improvement in security insight and
response. With real-time NetFlow views, priority-based alerts can be created. Threats can also be
correlated with other attack vectors, so that the highest-priority problems are seen first and
administrators can respond accordingly.
This combination now allows us to view threats across an enterprise to spot things like salami attacks, or a series of small attacks with a larger purpose, which are still used in the hacker community today. Automated vulnerability assessment tools use this technique to evade IPS devices. When you collect NetFlow data from across the enterprise and correlate it, you can spot this type of stealth attack more readily.
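The baselining described under "Network behavior anomaly detection" and the cross-site view described here can be shown in one added example (not code from the article or from any SIM product). It learns, per source, how many distinct destinations are normal per hour, then evaluates the current hour once per site and once across the enterprise, using constructed flow tuples rather than captured traffic:

```python
from collections import defaultdict
from statistics import mean, pstdev
SRC = "10.1.1.5"

def _hist(site, net, even, odd):
    """Constructed flows (site, hour, src, dst, dport): `even` hosts reached at even hours, `odd` at odd hours."""
    return [(site, h, SRC, f"10.{net}.2.{d}", 443)
            for h in range(24) for d in range(1, (even if h % 2 == 0 else odd) + 1)]

# Constructed data, not captured traffic: 24 learned hours at three sites, then
# one current hour in which the source touches a few extra hosts at every site.
HISTORY = _hist("nyc", 1, 4, 5) + _hist("lon", 2, 4, 3) + _hist("sfo", 3, 2, 3)
CURRENT = [(site, 24, SRC, f"10.{net}.9.{d}", 445)
           for site, net, n in (("nyc", 1, 5), ("lon", 2, 4), ("sfo", 3, 4))
           for d in range(1, n + 1)]

def by_site(f): return (f[0], f[2])   # entity = (site, source): one site's own view
def by_source(f): return f[2]         # entity = source: the SIM's cross-site view

def learn_baseline(flows, scope):
    """Profile each entity: mean and population stddev of distinct (dst, dport) pairs per hour."""
    per_hour = defaultdict(lambda: defaultdict(set))
    for f in flows:
        per_hour[scope(f)][f[1]].add((f[3], f[4]))
    baseline = {}
    for entity, hours in per_hour.items():
        counts = [len(dsts) for dsts in hours.values()]
        baseline[entity] = (mean(counts), pstdev(counts))
    return baseline

def anomalies(current, baseline, scope, k=3.0):
    """Entities whose distinct-destination count this hour exceeds mean + k*stddev.
    An entity never seen in the learning period has no profile and is flagged."""
    counts = defaultdict(set)
    for f in current:
        counts[scope(f)].add((f[3], f[4]))
    flagged = {}
    for entity, dsts in counts.items():
        mu, sd = baseline.get(entity, (0.0, 0.0))
        if len(dsts) > mu + k * sd:
            flagged[entity] = len(dsts)
    return flagged

def run():
    """Per-site detection sees nothing; the enterprise-wide view flags the source."""
    per_site = anomalies(CURRENT, learn_baseline(HISTORY, by_site), by_site)
    enterprise = anomalies(CURRENT, learn_baseline(HISTORY, by_source), by_source)
    return per_site, enterprise
```

Each site sees the source touch only one or two more hosts than its learned 2 to 5, but the enterprise view sees 13 against a learned 10 to 11 and flags it.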
One of the most interesting advantages gained is the ability to see adverse events in one flow with its associated flows. This is possible because the security information management system correlates NetFlow data from across the enterprise, allowing an administrator to view both the attack flow and those flows supporting the attack.
Freeware tools
If you do not have a SIM installed and you would like to "see" NetFlow in action, there are
several tools available to gain added insight. Sourceforge.net is an open source community with
some outstanding open source (freeware) security tools available. Sourceforge.net's
NetFlow listings currently offer 44 tools to view, manipulate and use NetFlow data. Two of the
most popular are:
- Extreme Happy NetFlow Tool: http://sourceforge.net/projects/ehnt/
- NFDUMP, a NetFlow processing tool: http://sourceforge.net/projects/nfdump/
Conclusions
NetFlow has become an indispensable tool in both the network and security markets. It provides
real-time views of bandwidth use and application and user priorities, and thus business process
flows. The faster this data can be turned into useful information, the faster security pros can
respond to incidents and minimize the impact on an organization's business. Additionally, when
combined with security information and event management systems, NetFlow can reveal previously
hidden threats happening across an enterprise. NetFlow and SIM are like peanut butter and jelly:
they simply belong together.
About the author:
Tom Bowers, managing director of security think tank and industry analyst firm Security
Constructs, holds the CISSP, PMP and Certified Ethical Hacker certifications, and is a well-known
expert on the topics of data leakage prevention, global enterprise information security
architecture and ethical hacking. His areas of expertise include aligning business needs with
security architecture, risk assessment and project management on a global scale. Bowers serves as
the president of the 600-member Philadelphia chapter of Infragard, is a technical editor of
Information Security magazine, and speaks regularly at events like Information Security
Decisions.
This was first published in March 2007