Archive for the “NetFlow for Security” Category

NetFlow data remains a largely untapped resource for network security professionals. All modern routers support it, yet in most cases NetFlow is used for network operations management and QoS and then discarded. This is unfortunate for security analysts, who need flow data for a variety of security and compliance reasons. Good flow data is a fundamental aspect of any network forensics investigation. NetFlow data is appealing in that — for networks with routers that support it — it is free and easy to collect.

Luckily, there are several free NetFlow tools available to collect and store NetFlow data, often in a highly efficient compressed binary format. These tools vary greatly in terms of quality and support. The table below summarizes the free NetFlow tools available to network security analysts.

| Name | Version | Last Updated | License |
|---|---|---|---|
| NEye | 1.0.1 | February 6, 2005 | GNU-like |
| SiLK | 0.11.7 | September 6, 2007 | GNU |
| Flowd | 0.9 | March 4, 2006 | BSD-like |
| nfdump | 1.5.6 | August 8, 2007 | BSD |
| flow-tools | 0.68 | April 11, 2005 | Apache-like |
| Cflowd | 2.1.b1 | October 24, 2000 | GNU |
| EHNT | 0.4 | August 5, 2003 | GNU |
| Flowc | 1.6 | August 18, 2006 | Apache-like |

From personal experience, I have found SiLK, flow-tools and nfdump to be excellent solutions for capturing flow data. It is interesting to note that only two of the eight tools above have been updated in the last year. Future posts in BreachBytes will cover some of these tools in depth and look into performance comparisons between them.


I find myself asking the question “How can a network ever really be secure?” and talking about it with customers and colleagues all the time. The article “How dangerous user behavior puts networks at risk” brings this issue to the forefront. Regardless of the number of defenses a company puts in place, whether firewalls, Intrusion Prevention Systems, Security Information Management Systems or the like, one of the biggest vulnerabilities is the users on the network.

Both from what you read in the press and from today’s environment, it is becoming necessary to be sure that your company has the necessary “evidence” stockpiled, in addition to alerting and correlation tools, for those times when one of your users or a network device alerts you to potentially damaging user behavior. What I mean by evidence is retaining all of that network and NetFlow data for future forensic analysis. While that data isn’t going to spot the employee who loads up a thumb drive with company data and takes it home, it is what allows a company’s network security experts to address the insider threat caused by simple violations of corporate policy concerning what the employee does online.

(more…)


Don’t believe me? Just ask TJX or Monster.com or The Department of Homeland Security or Salesforce or TD Ameritrade or… still don’t believe me? Well, check out what Sal Iannuzzi, CEO of Monster.com, had to say (he agrees with me):

“I wish I could say…there will be absolutely no way that the Monster site can be compromised. I cannot ever make that promise, and no Internet company can.” 08/29/07, Reuters

If you still don’t believe me then feel free to move on. If you do, then read on.

Let’s reflect back on the past 12 months to perform that so-called “rocking chair test.” It certainly was a busy year! In fact, the Threats Watch Blog even went as far as to call 2007 “The Year of the Data Breaches.” Additionally, CSO magazine has an excellent summation of the past year in their article “The Top 10 Data Breaches of 2007.”

So, what can we learn from this past year? Three things:

  1. Breaches are Inevitable.
  2. Organizations can no longer rely solely on Protection (firewalls, IPS, etc.) & Detection (IDS, event correlation, alerting) for security.
  3. Organizations must have a comprehensive breach recovery plan in place.

(more…)


NetFlow data is critical for network operations and security. The primary use of NetFlow these days is on the operations side but security professionals are catching on too. For insider threat detection, network forensics and network behavior analysis (NBA) there’s no better data source available. Any given enterprise falls into one of the following four scenarios:

  1. NetFlow is already being collected for network operations but not being shared with security analysts.
  2. NetFlow is not being collected but is supported by routers (or switches).
  3. NetFlow data is already being collected for network security purposes.
  4. NetFlow cannot be collected because the hardware doesn’t support it.

(more…)


NetFlow data is ubiquitous, and people other than network engineers are taking notice. Security analysts need to be aware that NetFlow data can be easily collected (odds are that your routers support some form of NetFlow) and, given the right tools, analyzed for network security operations. This Cisco-centric blog post has a good list of useful software solutions for NetFlow analysis relevant to security analysts. At their core, all the tools listed but one—Net/FSE by Packet Analytics—are not network security specific, but they can certainly be leveraged for this purpose.

(more…)
