
Perimeter
10/11/2010 02:32 PM
Commentary
Monitoring With Network Flow Technology

A network flow is a data entity that describes a unidirectional sequence of packets on an IP network. A flow record is made up of the source and destination IP addresses and ports, the IP protocol number, the ingress interface, and the type of service (ToS) byte, along with packet and byte counters; because the record is built from headers only, it carries no payload. Organized as flow records, the data provides high-level insight into what is happening on the network. Every major routing and switching vendor supports the generation of network flows in some form.

The most common flow technology is the NetFlow protocol designed by Cisco Systems. Other specifications exist, like jFlow, cFlow, sFlow, NetStream, and the latest incarnation of NetFlow, IPFIX, but the features and functionality differ only slightly between them. For example, the defining feature of sFlow is that it presents sampled rather than complete flow information, whereas the defining feature of IPFIX is that the exported fields can be customized via templates. Various vendors have extended flow technology with full packet capture and deep packet inspection, which add depth and context that flow records alone cannot provide: with the packets retained, such products can see the application layer and even extract the data carried within a flow session.
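To make the record layout concrete, here is an added example that is not part of the article and not any vendor's code: it encodes and decodes a NetFlow v5 export datagram (the fixed 48-byte record format Cisco documents) and shows why one TCP session produces two unidirectional records. The addresses, interface indexes and counters are constructed sample values; the 30-record maximum per datagram is the documented v5 limit, used here as a bounds check so a truncated or forged packet is rejected rather than read past the buffer.

```python
"""Added example, not from the article or any vendor: encode and decode a
NetFlow v5 export datagram to show exactly what a flow record carries.
Sample addresses are constructed (RFC 1918 / TEST-NET ranges)."""
import socket
import struct
from dataclasses import dataclass
from typing import List

# NetFlow v5 wire format as Cisco documents it: 24-byte header, then
# `count` fixed 48-byte records, all big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


@dataclass(frozen=True)
class FlowRecord:
    src: str        # source IPv4
    dst: str        # destination IPv4
    proto: int      # IP protocol number (6 = TCP, 17 = UDP)
    sport: int
    dport: int
    packets: int
    octets: int
    in_if: int      # ingress SNMP ifIndex
    out_if: int     # egress SNMP ifIndex
    tos: int        # IP type of service byte
    tcp_flags: int  # OR of the TCP flags seen across the flow


def decode_v5(datagram: bytes) -> List[FlowRecord]:
    """Parse one export datagram; refuse malformed input rather than guess."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    # Bound on the advertised count: a truncated or forged packet with a
    # large count would otherwise make the collector read past the buffer.
    if count > V5_MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = fields
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto,
                                  sport, dport, pkts, octets, in_if, out_if, tos, flags))
    return records


def encode_v5(records: List[FlowRecord], sequence: int = 0) -> bytes:
    """Build a datagram the way an exporter would; used here to make test input."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(r.src), socket.inet_aton(r.dst), b"\x00" * 4,
                       r.in_if, r.out_if, r.packets, r.octets, 0, 0,
                       r.sport, r.dport, 0, r.tcp_flags, r.proto, r.tos, 0, 0, 0, 0, 0)
        for r in records)
    return header + body


def conversation_key(r: FlowRecord):
    """Flows are unidirectional, so one TCP session shows up as two records.
    Sorting the endpoints gives a key that joins both halves."""
    a, b = (r.src, r.sport), (r.dst, r.dport)
    return (r.proto,) + (a + b if a <= b else b + a)


def sample_datagram() -> bytes:
    """Constructed input: one HTTPS session seen from both directions.
    0x1b = SYN|ACK|PSH|FIN, i.e. a completed session with data."""
    client_to_server = FlowRecord("10.0.0.5", "203.0.113.10", 6, 51234, 443, 12, 1840, 1, 2, 0, 0x1b)
    server_to_client = FlowRecord("203.0.113.10", "10.0.0.5", 6, 443, 51234, 10, 9120, 2, 1, 0, 0x1b)
    return encode_v5([client_to_server, server_to_client], sequence=1)


if __name__ == "__main__":
    for record in decode_v5(sample_datagram()):
        print(record)
```

A real collector would receive these datagrams over UDP from the exporter's configured port; the decoder above is the part that turns the bytes into the fields the rest of the article talks about, and `conversation_key` is the usual first step before any per-session analysis.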

Network flows were historically leveraged as statistical data sources for measurement and usage-quantification products. With data on network utilization in hand, organizations could quickly apply it to quality of service (QoS) scope-limiting, bandwidth-utilization trending, enterprise application performance-tuning, and even third-party billing of clients piggy-backing on, or in some cases leasing, network access from Internet service providers. Network performance monitoring and management products have evolved over the years to meet the demands of security analysts looking for visibility into what users and systems are doing on the network.

For the enterprise, the technology can be wielded for detecting anomalous network or system activity, as a botnet early-warning system, and as a data loss prevention signal. With continuous traffic-inspection capabilities, the products can also serve as an alternative to host intrusion detection and network intrusion detection systems, with one caveat: flow records alone carry no payload, so signature-style detection is only possible where the product has added the packet capture and deep packet inspection described above.

From an audit and change control perspective, flow-capable tools can be used to more tightly monitor and profile all services and ports on a network. This gives firewall administrators a better understanding of what a firewall rule change could potentially disrupt between disparate network segments and systems if enacted. Third-party enterprise security information management (ESIM) products, like the multitude of players in the security information and event management (SIEM) and log management (LM) subsectors, can leverage the data-collection capabilities of flow-generating products to augment their own flow and log information stores. The collected data can then be correlated and normalized to provide a broader view of what is happening on the network.
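The two preceding paragraphs describe detections that need nothing but flow records. The following is an added example, not code from the article or from any product, that runs three of them over constructed sample flows: a service profile diff for change control (which new server ports appeared since the baseline period), a port-scan check, and the bulk-egress signal behind the data-loss use case. The internal address range, the packet-count cut-offs and the byte threshold are assumptions chosen for the sample data.

```python
"""Added example, not from the article or any product: three detections a
security team can run over flow records alone (no payload). Addresses,
ports and byte counts below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed internal range


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def service_profile(flows: Iterable[Flow]) -> Set[Tuple[str, int, int]]:
    """(server, proto, port) for internal destinations that actually exchanged
    data. The >= 3 packet cut-off is a heuristic that drops refused
    connections and scan probes, which never get past the handshake."""
    return {(f.dst, f.proto, f.dport) for f in flows
            if is_internal(f.dst) and f.packets >= 3}


def new_services(baseline: Iterable[Flow], current: Iterable[Flow]) -> Set[Tuple[str, int, int]]:
    """Change-control view: services seen now that were absent from the
    baseline period, i.e. what a firewall rule change may need to allow."""
    return service_profile(current) - service_profile(baseline)


def port_scanners(flows: Iterable[Flow], min_ports: int = 20) -> Set[str]:
    """Sources touching many distinct ports on one host with probe-sized flows."""
    probes: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for f in flows:
        if f.packets <= 2:
            probes[(f.src, f.dst)].add(f.dport)
    return {src for (src, _dst), ports in probes.items() if len(ports) >= min_ports}


def bulk_egress(flows: Iterable[Flow], limit_octets: int) -> Dict[str, int]:
    """Internal hosts pushing more than limit_octets to external addresses
    in the window: the flow-based data-loss signal the article refers to."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src] += f.octets
    return {src: n for src, n in totals.items() if n > limit_octets}


def baseline_flows() -> List[Flow]:
    """Constructed: a quiet period with HTTPS and SSH to two internal servers."""
    return [
        Flow("10.0.0.5", "10.0.0.20", 6, 50001, 443, 40, 6000),
        Flow("10.0.0.6", "10.0.0.20", 6, 50002, 443, 35, 5200),
        Flow("10.0.0.5", "10.0.0.30", 6, 50003, 22, 120, 30000),
        Flow("10.0.0.5", "203.0.113.9", 6, 50004, 443, 60, 90000),
    ]


def current_flows() -> List[Flow]:
    """Constructed: same network, now with RDP exposed, a 600 MB upload
    and one host sweeping ports 1..25 on the web server."""
    flows = [
        Flow("10.0.0.6", "10.0.0.20", 6, 50010, 443, 38, 5900),
        Flow("10.0.0.8", "10.0.0.20", 6, 50011, 3389, 200, 150000),
        Flow("10.0.0.7", "203.0.113.9", 6, 50012, 443, 5000, 600_000_000),
        Flow("10.0.0.7", "10.0.0.30", 6, 50013, 22, 20, 4000),
    ]
    flows += [Flow("10.0.0.99", "10.0.0.20", 6, 40000 + p, p, 1, 44) for p in range(1, 26)]
    return flows


if __name__ == "__main__":
    print("new services:", new_services(baseline_flows(), current_flows()))
    print("port scanners:", port_scanners(current_flows()))
    print("bulk egress:", bulk_egress(current_flows(), 100 * 1024 * 1024))
```

Each check is a plain aggregation over the 5-tuple and the counters, which is why it scales to carrier volumes; what it cannot do is say what the 600 MB to 203.0.113.9 contained, which is exactly the gap the packet-capture extensions mentioned earlier fill.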

From the carrier network and service-provider side of the table, the technology can be leveraged in the same fashion, though on a much larger scale, for network diagnostics and management of fixed, mobile, IP and converged multiservice networks.

Network flows provide an added layer of visibility into what is happening on the network without the need to become a "packet head." There are some limitations in the depth of inspection, but if a 10,000-foot view is all that is required, network flows may be the perfect contributor to your security and compliance-monitoring infrastructure.

Andrew Hay is senior analyst with The 451 Group's Enterprise Security Practice and is an author of three network security books. Follow him on Twitter: http://twitter.com/andrewsmhay
