NetFlow data is critical for network operations and security. The primary use of NetFlow these days is on the operations side, but security professionals are catching on too. For insider threat detection, network forensics and network behavior analysis (NBA) it is hard to beat: every router already sees every conversation, a flow record is tiny compared to the packets it summarizes, and the history can be kept for months. Any given enterprise falls into one of the following four scenarios:

  1. NetFlow is already being collected for network operations but not being shared with security analysts.
  2. NetFlow is not being collected but is supported by routers (or switches).
  3. NetFlow data is already being collected for network security purposes.
  4. NetFlow cannot be collected because the hardware doesn’t support it.

Most organizations already feed NetFlow into their network operations tools, so odds are your enterprise falls into category #1. If so, your best course of action is to talk to the network operations folks and convince them to send a NetFlow feed to the security operations team as well, either as a second export destination on the routers or by replicating the existing stream (flow-tools ships flow-fanout for exactly this). All you need is a decent Linux box (with as much disk as possible) running either SiLK or flow-tools as the collector. Keep in mind that the collector is just a UDP listener and NetFlow v5 carries no authentication, so restrict the collector port to the addresses of your exporters; anyone else who can reach it can inject records. I have been very happy with flow-tools and have had minimal exposure to SiLK, although SiLK is being actively developed, unlike flow-tools.

Category #2 basically puts you in the same position as #1, but you may need to do a little more convincing with the network operations people to configure NetFlow export on the routers. Their usual worry is CPU load on the exporter; on most platforms the export is a few lines of configuration per interface plus an export destination, and sampled NetFlow is available where the full feed would be too expensive. AdventNet, makers of ManageEngine, have a nice configuration guide that is very easy to follow, making your case to the network engineers a little stronger.
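As an added example (not code from the original post, and not part of flow-tools or SiLK), here is what the security team's collector actually receives once the feed described above is in place: a NetFlow v5 export datagram, decoded in Python, followed by the kind of behavior check the post has in mind. The datagram is constructed in the script to stand in for a router's export, and the addresses, byte counts and the `min_targets` threshold are made up for illustration.

```python
import struct
import socket
from collections import defaultdict

# NetFlow v5 export datagram layout (all fields big-endian).
# Header (24 bytes): version, count, sys_uptime, unix_secs, unix_nsecs,
#                    flow_sequence, engine_type, engine_id, sampling_interval
# Record (48 bytes): srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
#                    first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
#                    src_as, dst_as, src_mask, dst_mask, pad2
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS_PER_DATAGRAM = 30  # a v5 exporter never packs more than 30 records

SYN = 0x02
ACK = 0x10


def build_v5_datagram(flows, sys_uptime=1_000_000, unix_secs=1_300_000_000, seq=0):
    """Constructed test input standing in for a router's export (not real traffic).
    Each flow is (src, dst, proto, sport, dport, packets, octets, tcp_flags)."""
    if len(flows) > MAX_RECORDS_PER_DATAGRAM:
        raise ValueError("v5 datagram holds at most 30 records")
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
            1, 2, packets, octets,
            sys_uptime - 5_000, sys_uptime - 4_000,
            sport, dport, 0, tcp_flags, proto, 0,
            0, 0, 24, 24, 0)
        for src, dst, proto, sport, dport, packets, octets, tcp_flags in flows)
    return header + body


def parse_v5_datagram(data):
    """Decode one datagram. The collector listens on a bare UDP port, so the
    header's count field is checked against the real length instead of trusted."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_seq, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > MAX_RECORDS_PER_DATAGRAM:
        raise ValueError(f"count {count} exceeds v5 maximum")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError(f"length {len(data)} != {expected} for count={count}")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
        })
    # low 14 bits of sampling_interval are the interval, top 2 bits the mode
    header = {"unix_secs": unix_secs, "flow_seq": flow_seq, "sampling": sampling & 0x3FFF}
    return header, records


def find_port_scanners(records, min_targets=8):
    """Simple NBA check: tcp_flags in a v5 record is the OR of all flags seen in
    the flow, so a SYN-only flow is one that was never answered. A source with
    many such one- or two-packet flows to distinct dst:port pairs looks like a
    scanner regardless of payload. Returns {src: number_of_targets}."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] != 6:
            continue
        flags = r["tcp_flags"]
        if flags & SYN and not flags & ACK and r["packets"] <= 2:
            targets[r["src"]].add((r["dst"], r["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def top_talkers(records, n=3):
    """Bytes per source: the operations view of the very same records."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed sample: a web session, an SMB transfer, and a host that probes
# ten ports on an internal server with single-packet SYNs.
SAMPLE_FLOWS = [
    ("10.1.1.10", "203.0.113.7", 6, 51000, 443, 40, 52000, SYN | ACK),
    ("10.1.1.11", "10.1.2.5", 6, 51001, 445, 900, 1_200_000, SYN | ACK),
] + [
    ("10.1.1.99", "10.1.2.5", 6, 40000 + p, p, 1, 60, SYN)
    for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 3389)
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS)

if __name__ == "__main__":
    hdr, recs = parse_v5_datagram(SAMPLE_DATAGRAM)
    print(f"seq={hdr['flow_seq']} records={len(recs)}")
    print("top talkers:", top_talkers(recs))
    print("scanners:", find_port_scanners(recs))
```

The same twelve records answer both teams' questions: the byte totals are what operations graphs, and the SYN-only fan-out is what the security analyst wants to alert on. In production the scanner check would run over a time window across many datagrams (flow-tools' flow-filter and flow-stat, or SiLK's rwfilter and rwuniq, do this at scale), and the length check matters because the collector port is reachable by anything that can route to it.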

If category #3 applies to you then pat yourself on the back and get back to finding the bad guys. If you find yourself in category #4 then your enterprise is a dinosaur. Call Cisco and they will be happy to assist you; in the meantime a software probe such as softflowd fed from a SPAN port will generate NetFlow from the packets it sees, so you are not stuck waiting on a hardware refresh.

The reality is that NetFlow data is available and extremely useful for network security operations. Enterprises need to start realizing the potential of this ubiquitous technology and leveraging it to protect their networks. Anyone not finding their network in category #3 above should start taking steps to get there as soon as possible.
