Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/11/2010
02:32 PM
Commentary
Commentary
Commentary
50%
50%

Monitoring With Network Flow Technology

A network flow is a data entity that contains information related to a unidirectional sequence of packets on an IP network. Comprised of source and destination port and IP address information as well as IP protocol, ingress interface, and type of service (ToS) entries, the data (organized as flow records) serves to provide high-level insight into what is happening on the network. Every major routing and switching infrastructure vendor supports the generation of network flows in some iteration.

A network flow is a data entity that contains information related to a unidirectional sequence of packets on an IP network. Comprised of source and destination port and IP address information as well as IP protocol, ingress interface, and type of service (ToS) entries, the data (organized as flow records) serves to provide high-level insight into what is happening on the network. Every major routing and switching infrastructure vendor supports the generation of network flows in some iteration.The most common flow technology is the NetFlow protocol designed by Cisco Systems. Other specifications exist, like jFlow, cFlow, sFlow, Netstream, and the latest incantation of NetFlow called IPFIX, but the features and functionality differ only slightly between the protocols. For example, the primary feature of sFlow is the presentation of sampled flow information, whereas the primary feature of IPFIX is its ability to have its exported data customized via templates. Various vendors have expanded the capabilities of network flow technologies to include full packet capture and deep packet inspection capabilities that provide even more depth and context to what is happening on the network. These technologies provide a view into all seven layers of the OSI model and even allow for the extraction of data contained within the flow session.

Network flows were historically leveraged as statistical data-generating tools for data measurement and usage quantification products. With data on network utilization, organizations could quickly wield the collected data for such things as quality of service (QoS) scope-limiting, bandwidth-utilization trending, enterprise application performance-tuning, and even third-party billing of clients piggy-backing on, or in some cases leasing, network access from Internet service providers. Network performance monitoring and management products have evolved over the years to facilitate the requirements imposed on them by desperate security analysts looking for visibility into what users and systems are doing on the network.

For the enterprise, the technology can be wielded for detecting anomalous network or system activity, as a botnet early-warning system, and as a data loss prevention solution. With the continuous network traffic-inspection capabilities, the products can also be used as an alternative to host intrusion detection and network intrusion detection systems.

From an audit and change control perspective, flow-capable tools can be used to more tightly monitor and profile all services and ports on a network. This gives firewall administrators a better understanding of what a firewall rule change could potentially disrupt between disparate network segments and systems if enacted. Third-party enterprise security information management (ESIM) products, like the multitude of players in the security information and event management (SIEM) and log management (LM) subsectors, can leverage the data-collection capabilities of flow-generating products to augment their own organic flow and log information stores. The collected data can then be correlated and normalized to provide a grander view of the happenings on the network.

From the carrier network and service-provider side of the table, the technology can be leveraged in the same fashion, though on a much larger scale, for network diagnostics and management of fixed, mobile, IP and converged multiservice networks.

Network flows provide an added layer of visibility into what is happening on the network without the need to become a "packet head." There are some limitations in the depth of inspection, but if a 10,000-foot view is all that is required, network flows may be the perfect contributor to your security and compliance-monitoring infrastructure.

Andrew Hay is senior analyst with The 451 Group's Enterprise Security Practice and is an author of three network security books. Follow him on Twitter: http://twitter.com/andrewsmhay

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
WannaCry Has IoT in Its Crosshairs
Ed Koehler, Distinguished Principal Security Engineer, Office of CTO, at Extreme Network,  9/25/2020
Safeguarding Schools Against RDP-Based Ransomware
James Lui, Ericom Group CTO, Americas,  9/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26120
PUBLISHED: 2020-09-27
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even witho...
CVE-2020-26121
PUBLISHED: 2020-09-27
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an uploa...
CVE-2020-25812
PUBLISHED: 2020-09-27
An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.
CVE-2020-25813
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.
CVE-2020-25814
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> ...