Enterasys was one of the first companies to build switches that support NetFlow and certainly understands the value of being able to quickly determine the top talkers, protocols and applications on the network but, this is just the tip of the NetFlow reporting iceberg. Beyond top N reports, there is a whole underside of NetFlow involving threat detection that represents the rest of the iceberg below the surface of the water.
A best of breed IPFIX and NetFlow solution performs Flow Analytics™ and looks for problems such as:
- Multicast Violations
- P2P Monitor
- Unwanted Network Layer protocols
- Illegal IP Addresses
- Internet Threats (compares flows to a regularly updated host reputation database)
- DDoS violations
- Nefarious Activity
- Breach Attempt Violation
- DNS Hits
- Dozens more can be customized that are specific to organizations. (e.g. DNS issues)
The above threats are monitored across hundreds of flow exporting routers and switches as shown in the following figure:
The Internet Threats algorithm is especially important because it leverages a constantly updated host reputation list by comparing the IP Addresses in flows to the list. Positive matches can trigger events that cause alarms which ultimately fire off notifications. This is one way to help detect Advanced Persistent Threats.
Rob Lee, of the SANS Institute said that “the need for training is obvious, since 50% of Fortune 500 companies have been compromised by APTs.” Did you know that more than 90% of intrusions aren’t even discovered by the victims themselves, but through third-party notification. NetFlow threat detection isn’t meant to replace existing security measures rather, it is intended to add another security layer in your overall network security effort.
If you want to get more out of the NetFlow you are collecting from your hardware, consider a NetFlow Training course which will help you come up to speed on the latest techniques.