Archive for February 6th, 2008

Most of my posts on BreachBytes are about using flow data, primarily NetFlow, for network security, incident response and network forensics on enterprise networks. I also tend to get rather technical most of the time. For this post I want to take a step back and answer the following question: what’s the big deal about network flow data? Let me try to answer this question in a single sentence:

“Network flow data, which can be generated by all enterprise routers, provides security analysts with real-time, long-term network visibility that can be used to prevent data leakage, defend against the insider threat and enhance incident response effectiveness.”

Key Points:

  1. Generated by all enterprise routers: The technology is already in place; your network can generate flow data in some form today.
  2. Real-time: Flow reporting can be near-real time depending on configuration.
  3. Network visibility: Most enterprises are essentially blind to their internal network (the Soft Gooey Center — good in candy, bad in networks).
  4. Long-term: Disk is cheap and flows are small, while still providing adequate information for a variety of network security tasks.
