Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/11/2010
02:32 PM
Commentary
Commentary
Commentary
50%
50%

Monitoring With Network Flow Technology

A network flow is a data entity that contains information related to a unidirectional sequence of packets on an IP network. Comprised of source and destination port and IP address information as well as IP protocol, ingress interface, and type of service (ToS) entries, the data (organized as flow records) serves to provide high-level insight into what is happening on the network. Every major routing and switching infrastructure vendor supports the generation of network flows in some iteration.

A network flow is a data entity that contains information related to a unidirectional sequence of packets on an IP network. Comprised of source and destination port and IP address information as well as IP protocol, ingress interface, and type of service (ToS) entries, the data (organized as flow records) serves to provide high-level insight into what is happening on the network. Every major routing and switching infrastructure vendor supports the generation of network flows in some iteration.The most common flow technology is the NetFlow protocol designed by Cisco Systems. Other specifications exist, like jFlow, cFlow, sFlow, Netstream, and the latest incantation of NetFlow called IPFIX, but the features and functionality differ only slightly between the protocols. For example, the primary feature of sFlow is the presentation of sampled flow information, whereas the primary feature of IPFIX is its ability to have its exported data customized via templates. Various vendors have expanded the capabilities of network flow technologies to include full packet capture and deep packet inspection capabilities that provide even more depth and context to what is happening on the network. These technologies provide a view into all seven layers of the OSI model and even allow for the extraction of data contained within the flow session.

Network flows were historically leveraged as statistical data-generating tools for data measurement and usage quantification products. With data on network utilization, organizations could quickly wield the collected data for such things as quality of service (QoS) scope-limiting, bandwidth-utilization trending, enterprise application performance-tuning, and even third-party billing of clients piggy-backing on, or in some cases leasing, network access from Internet service providers. Network performance monitoring and management products have evolved over the years to facilitate the requirements imposed on them by desperate security analysts looking for visibility into what users and systems are doing on the network.

For the enterprise, the technology can be wielded for detecting anomalous network or system activity, as a botnet early-warning system, and as a data loss prevention solution. With the continuous network traffic-inspection capabilities, the products can also be used as an alternative to host intrusion detection and network intrusion detection systems.

From an audit and change control perspective, flow-capable tools can be used to more tightly monitor and profile all services and ports on a network. This gives firewall administrators a better understanding of what a firewall rule change could potentially disrupt between disparate network segments and systems if enacted. Third-party enterprise security information management (ESIM) products, like the multitude of players in the security information and event management (SIEM) and log management (LM) subsectors, can leverage the data-collection capabilities of flow-generating products to augment their own organic flow and log information stores. The collected data can then be correlated and normalized to provide a grander view of the happenings on the network.

From the carrier network and service-provider side of the table, the technology can be leveraged in the same fashion, though on a much larger scale, for network diagnostics and management of fixed, mobile, IP and converged multiservice networks.

Network flows provide an added layer of visibility into what is happening on the network without the need to become a "packet head." There are some limitations in the depth of inspection, but if a 10,000-foot view is all that is required, network flows may be the perfect contributor to your security and compliance-monitoring infrastructure.

Andrew Hay is senior analyst with The 451 Group's Enterprise Security Practice and is an author of three network security books. Follow him on Twitter: http://twitter.com/andrewsmhay

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.