
Perimeter

10/11/2010 02:32 PM
Commentary

Monitoring With Network Flow Technology

A network flow is a data entity that contains information related to a unidirectional sequence of packets on an IP network. Comprised of source and destination port and IP address information as well as IP protocol, ingress interface, and type of service (ToS) entries, the data (organized as flow records) serves to provide high-level insight into what is happening on the network. Every major routing and switching infrastructure vendor supports the generation of network flows in some iteration.

The most common flow technology is the NetFlow protocol designed by Cisco Systems. Other specifications exist, like jFlow, cFlow, sFlow, Netstream, and the latest incarnation of NetFlow called IPFIX, but the features and functionality differ only slightly between the protocols. For example, the primary feature of sFlow is the presentation of sampled flow information, whereas the primary feature of IPFIX is its ability to have its exported data customized via templates. Various vendors have expanded the capabilities of network flow technologies to include full packet capture and deep packet inspection capabilities that provide even more depth and context to what is happening on the network. These technologies provide a view into all seven layers of the OSI model and even allow for the extraction of data contained within the flow session.

Network flows were historically leveraged as statistical data-generating tools for data measurement and usage quantification products. With data on network utilization, organizations could quickly wield the collected data for such things as quality of service (QoS) scope-limiting, bandwidth-utilization trending, enterprise application performance-tuning, and even third-party billing of clients piggy-backing on, or in some cases leasing, network access from Internet service providers. Network performance monitoring and management products have evolved over the years to facilitate the requirements imposed on them by desperate security analysts looking for visibility into what users and systems are doing on the network.

For the enterprise, the technology can be wielded for detecting anomalous network or system activity, as a botnet early-warning system, and as a data loss prevention solution. With the continuous network traffic-inspection capabilities, the products can also be used as an alternative to host intrusion detection and network intrusion detection systems.

From an audit and change control perspective, flow-capable tools can be used to more tightly monitor and profile all services and ports on a network. This gives firewall administrators a better understanding of what a firewall rule change could potentially disrupt between disparate network segments and systems if enacted. Third-party enterprise security information management (ESIM) products, like the multitude of players in the security information and event management (SIEM) and log management (LM) subsectors, can leverage the data-collection capabilities of flow-generating products to augment their own organic flow and log information stores. The collected data can then be correlated and normalized to provide a grander view of the happenings on the network.
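As an added illustration (not code from the article or from any vendor product) of both the flow-record fields described above and the firewall-change profiling use just discussed, the following parses fixed-layout NetFlow v5 records, which carry exactly the source/destination address and port, protocol, ingress interface and ToS fields the article lists, and then answers "which host pairs would a rule blocking this service disrupt?". The datagram is constructed inline for the example; field offsets follow the published NetFlow v5 layout.

```python
import struct
import socket
from collections import defaultdict

# NetFlow v5 wire layout: 24-byte header, then `count` fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")          # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in_if, out_if, pkts, octets, ...

def parse_netflow_v5(datagram):
    """Return one dict per flow record with the fields the article describes."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "in_if": r[3], "packets": r[5], "bytes": r[6],
            "sport": r[9], "dport": r[10], "proto": r[13], "tos": r[14],
        })
    return flows

def service_profile(flows):
    """Map (protocol, destination port) -> set of (src, dst) host pairs seen using it."""
    profile = defaultdict(set)
    for f in flows:
        profile[(f["proto"], f["dport"])].add((f["src"], f["dst"]))
    return profile

def affected_by_rule(flows, proto, dport):
    """Host pairs a firewall rule blocking (proto, dport) would disrupt, per observed flows."""
    return sorted(service_profile(flows).get((proto, dport), set()))

def build_v5_datagram(records):
    """Construct a v5 datagram from (src, dst, in_if, pkts, octets, sport, dport, proto, tos)."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0", inif, 0,
                       pk, oc, 0, 0, sp, dp, 0, 0, pr, tos, 0, 0, 0, 0, 0)
        for s, d, inif, pk, oc, sp, dp, pr, tos in records)
    return header + body

# Constructed sample export (not captured from a real router): three TCP/443 and DNS flows
# between two segments, plus one SSH session arriving on a different ingress interface.
SAMPLE = build_v5_datagram([
    ("10.1.1.5", "10.2.0.10", 1, 40, 5200, 51000, 443, 6, 0),
    ("10.1.1.6", "10.2.0.10", 1, 12, 900, 51344, 443, 6, 0),
    ("10.1.1.5", "10.2.0.53", 1, 2, 140, 40000, 53, 17, 0),
    ("10.1.1.9", "10.2.0.12", 2, 3, 200, 45000, 22, 6, 0),
])
```

Running `affected_by_rule(parse_netflow_v5(SAMPLE), 6, 443)` lists the two host pairs a block on TCP/443 between those segments would break, which is the check a firewall administrator wants before enacting the change.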

From the carrier network and service-provider side of the table, the technology can be leveraged in the same fashion, though on a much larger scale, for network diagnostics and management of fixed, mobile, IP and converged multiservice networks.

Network flows provide an added layer of visibility into what is happening on the network without the need to become a "packet head." There are some limitations in the depth of inspection, but if a 10,000-foot view is all that is required, network flows may be the perfect contributor to your security and compliance-monitoring infrastructure.

Andrew Hay is senior analyst with The 451 Group's Enterprise Security Practice and is an author of three network security books. Follow him on Twitter: http://twitter.com/andrewsmhay
