News
12/24/2013 08:06 AM

Using NetFlow Data For Robust Network Security

NetFlow analytic data can spot dangerous traffic patterns including anomalous "hot-spots" of activity and compromised hosts.

While NetFlow data may traditionally be seen as a network infrastructure tool, smart security teams can get tons of benefits out of the collection of IP traffic statistics, too.

"Security professionals should consider every NetFlow and IPFIX router a security camera that allows them to go back in time and investigate suspect traffic reported by any number of security appliances," says Michael Patterson, CEO of Plixer.

According to Dr. Vincent Berk, CEO of FlowTraq, security pros may have to battle to get their hands on the data if other infrastructure people (the ones responsible for moving packets but not securing them) are at all territorial. But it is worth the effort.

"This has created a climate where security professionals have increasingly had trouble getting their hands on streams of NetFlow throughout their organizations," Berk says. "However, the advanced values that a security professional can get from NetFlow is enormous."

Read the rest of this article on Dark Reading.

Comments
jgherbert, User Rank: Ninja
12/30/2013 | 12:33:18 PM
No Silver Bullet
"Robust" in the sense that if you add this to your existing in-depth arsenal of analysis tools, then yes, it's another good thing to have around. I note that the Dark Reading article says "More Robust", which is a bit more accurate in my opinion.


Netflow is great, but data may not be complete, and is not as "real time" as we'd typically like. It's not like it's streaming information constantly to a netflow analyzer. Typically netflow data aggregates IPs (because storing every individual IP flow is just too much overhead for busy routers, whether in terms of CPU or memory), has limited storage assigned to it (after which, should you ditch the older data or just not add the new data?), and is only dumped from the router to a collector periodically (the time frame for which determines the potential granularity of the definition of 'real time' analysis).


You can of course allow netflow to capture every flow in detail, assign a lot of memory to it, and dump every minute - with, as you can imagine, an accompanying impact on the network devices providing the data. I'm sure some can handle it well, but netflow is not a panacea for full network visibility. The fact that the data comes neatly formatted and ready for onward processing is very helpful though and if you can see discrepancies in that data that will help security then certainly there's no harm. As with every tool though we have to recognize the inherent limitations in the data gathering process and take that into account when analyzing the output.
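The two ideas on this page, the article's "security camera" view of NetFlow (go back in time and pull every flow touching a suspect host, spot hot-spots of activity) and the comment's caveat that exported flow data is periodic and aggregated, as an added example that is not part of the article or the comment. Records, field names, thresholds and the 300-second export interval are all constructed for illustration, modelled loosely on NetFlow v5 fields.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One exported NetFlow-style record (constructed; fields modelled on NetFlow v5)."""
    start: int      # flow start, seconds since epoch
    src: str
    dst: str
    dport: int
    proto: int
    packets: int
    octets: int


# Constructed sample export: one host fanning out to many peers on a single port
# (scan-like), one host pushing an unusual volume outbound, one ordinary host.
FLOWS = [Flow(1000 + i, "10.0.0.5", f"10.0.1.{i + 1}", 445, 6, 2, 120) for i in range(40)]
FLOWS += [Flow(1000, "10.0.0.9", "203.0.113.7", 443, 6, 5000, 50_000_000)]
FLOWS += [Flow(1000 + 60 * i, "10.0.0.11", "10.0.2.3", 443, 6, 30, 4000) for i in range(5)]


def hot_spots(flows, fanout_threshold=25, octet_threshold=10_000_000):
    """Return {src: reason} for sources whose aggregate behaviour stands out:
    many distinct destinations (scan-like fan-out) or very high outbound volume.
    Thresholds are illustrative; tune them to the network's own baseline."""
    peers = defaultdict(set)
    octets = defaultdict(int)
    for f in flows:
        peers[f.src].add(f.dst)
        octets[f.src] += f.octets
    flagged = {}
    for src in peers:
        if len(peers[src]) >= fanout_threshold:
            flagged[src] = f"fan-out to {len(peers[src])} peers"
        elif octets[src] >= octet_threshold:
            flagged[src] = f"{octets[src]} octets outbound"
    return flagged


def lookback(flows, host, t_start, t_end, export_interval=300):
    """'Security camera' query: every flow touching `host` in [t_start, t_end].
    Because records reach the collector only once per export interval and may be
    aggregated, the window is widened by one interval on each side rather than
    trusting the timestamps to second-level precision (assumption of this example)."""
    lo, hi = t_start - export_interval, t_end + export_interval
    return sorted((f for f in flows if host in (f.src, f.dst) and lo <= f.start <= hi),
                  key=lambda f: f.start)
```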