Maximize Network Visibility with NetFlow Technology
Andy Wilson
Senior Systems Engineer
Lancope
Agenda
What is NetFlow
Introduction to NetFlow
NetFlow Examples
NetFlow in Action
Network Operations Use Case
Security Operations Use Case
PCI Compliance and Auditing Use Case
A Glimpse into the Power of NetFlow
10G+ Ethernet Environments
Virtual Environments
MPLS and Multi-point VPNs
What is NetFlow?
NetFlow Fields
src and dst IP
src and dst port
start time
end time
packet count
byte count
...
Internet
NetFlow Packets
StealthWatch Flow Collector
NetFlow vs. Traditional SNMP Monitoring
Traditional SNMP
NetFlow Reporting
Flow-based Visibility and Drill-down
NetFlow for the Network Team
NetFlow Packet
flow1
flow2
...
Network Team
Interface utilization
Billing and chargeback
QOS monitoring
BGP ASN monitoring
MPLS visibility
Application troubleshooting
Security Team
File sharing
Malware outbreak detection
Network acceptable use
Flow forensics
Data loss prevention
StealthWatch
Flow Collector
Compliance and Auditing
PCI Compliance
HIPAA Compliance
SCADA Security
Sarbanes-Oxley
NetFlow in Action: Network Operations
OldCastle APG
Leading North American manufacturer of concrete masonry, lawn, garden and paving products and a regional leader in clay brick
206 Operating locations
7000+ employees
Challenge
No way to visualize who or what was causing network slowdowns
Internal IT staff using multiple tools in attempts to troubleshoot incidents
Solution
Combining Cisco NetFlow and Lancope’s StealthWatch System for visibility into the ‘who, what, when and where’ of network traffic
NetFlow Compliance and Auditing
NetFlow facilitates compliance with PCI DSS Requirements:
Verifies actual network communications (1.1.2)
Monitors services and ports in use (1.1.5)
Determines when accounts are active and what they did during this activity (8.5.6)
Audits access to anything on the network and ties activity to an individual user, including administrative accounts (10.1)
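As an added example (not from the slides or from Lancope), here is a small Python parser for the NetFlow v5 fields listed on the NetFlow Fields slide, with a check that turns the parsed records into the services-and-ports inventory the PCI DSS 1.1.5 bullet refers to. The export packet, the sample flows and the approved-service list are all constructed inline and hypothetical; the wire layout is the published NetFlow v5 format (24-byte header, 48-byte records).

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire layout: a 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")  # version, count, uptime, secs, nsecs, seq, engine, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Constructed sample flows (not real traffic): src, dst, sport, dport, proto, packets, bytes
SAMPLE_FLOWS = [
    ("10.1.1.5", "10.2.0.10", 51000, 443, 6, 10, 4000),
    ("10.1.1.5", "10.2.0.10", 51001, 22, 6, 5, 600),
    ("10.1.1.7", "10.2.0.20", 40000, 53, 17, 1, 80),
]
# Hypothetical documented (proto, port) services per host, as PCI DSS 1.1.5 expects.
APPROVED = {"10.2.0.10": {(6, 443)}, "10.2.0.20": {(17, 53)}}


def build_v5_packet(flows):
    """Stand-in exporter: pack the sample flows the way a router's v5 export does."""
    pkt = V5_HEADER.pack(5, len(flows), 1000, 1700000000, 0, 1, 0, 0, 0)
    for i, (src, dst, sport, dport, proto, pkts, octets) in enumerate(flows):
        pkt += V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                              b"\0" * 4, 1, 2, pkts, octets, 100 * i, 100 * i + 50,
                              sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    return pkt


def parse_v5(packet):
    """Return the records of one v5 packet as dicts of the fields the slides list."""
    version, count, *_ = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated export packet")
    flows = []
    for n in range(count):
        r = V5_RECORD.unpack_from(packet, V5_HEADER.size + n * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "pkts": r[5], "bytes": r[6], "start": r[7], "end": r[8],
                      "sport": r[9], "dport": r[10], "proto": r[13]})
    return flows


def undocumented_services(flows, approved):
    """(host, proto, port) triples seen in flow data but missing from the approved list."""
    seen = defaultdict(set)
    for f in flows:
        seen[f["dst"]].add((f["proto"], f["dport"]))
    return {(h, *svc) for h, svcs in seen.items() for svc in svcs - approved.get(h, set())}
```

Feeding real exporter packets to `parse_v5` and a maintained approved-service list to `undocumented_services` gives the running "services and ports in use" evidence the slide maps to requirement 1.1.5.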
NetFlow in Action: PCI Compliance
AirTran Airways
Fortune 1000 company
Geographically dispersed network across the continental US
Challenge
Required improved security and network management across the enterprise in accordance with Payment Card Industry (PCI) requirements
Wanted greater network visibility and behavioral intrusion detection
Ability to monitor a geographically dispersed network
Solution
StealthWatch identifies who does what when, and provides data to enforce accountability
NetFlow for the Security Team
Aurora HealthCare Network Overview
Largest private employer in Wisconsin – over 27,000 employees
14 Hospitals
Over 150 Clinics
200+ Pharmacies
Challenge
Monitor a widely dispersed network without deploying administratively problematic and financially burdensome individual sensors throughout the network
Needed complete visibility of the network – from the internal network to the clinics at the edge
Monitor for zero-day attacks, viruses, Trojans, etc.
Support for HIPAA Compliance
Solution
Combining NetFlow & StealthWatch System
NetFlow in Action: Security Operations
Visibility Lost Due to Emerging Tech
Emerging network technologies are outpacing traditional network monitoring techniques such as SNMP and SPAN/tap-based technology...
“Virtualization hides whole network segments from the network manager’s view, making VM2VM communication problems difficult to troubleshoot”
“MPLS and multi-point VPNs create a meshed WAN that’s expensive to monitor adequately”
“10G Ethernet is so fast few probe technologies can keep up and those that can are too expensive”
These issues result in an inability to react to network problems because of a basic lack of visibility.
10G+ Ethernet
“10G Ethernet is so fast few probe technologies can keep up and those that can are too expensive”
traditional Ethernet sensor
Where to plug in?
NetFlow in a 10G+ Ethernet Environment
“10G Ethernet is so fast few probe technologies can keep up and those that can are extremely expensive”
StealthWatch Flow Collector
Virtualization
“Virtualization hides whole network segments from the network manager’s view, making VM2VM communication problems difficult to troubleshoot”
[Diagram: VM1, VM2 and VM3 on virtual switches inside one physical machine; a traditional Ethernet probe doing promiscuous capture on the physical network; VM2VM traffic between the virtual machines; a VM server whose virtual switches export NetFlow v9.]
NetFlow in the Virtual Environment
*** Cisco Nexus 1000v also supports NetFlow ***
StealthWatch Flow Collector
MPLS and Multi-point VPNs
“MPLS and multi-point VPNs create a meshed WAN that’s expensive to monitor adequately”
traditional Ethernet sensor
MPLS and Multi-point VPNs
Fully meshed connectivity circumvents network monitoring deployed at the “hub” location…
MPLS and Multi-point VPNs
Full visibility requires a probe at each location throughout the WAN…
NetFlow Collection in the WAN
NetFlow Packet
NetFlow Packet
Deploy a StealthWatch NetFlow collector at a central location and enable NetFlow at each remote site…
StealthWatch Flow Collector
Quick Recap: Network Operations
Fully integrated view of network usage, performance, host integrity and user behavior
Diagnose Network congestion and provide root cause analysis of the problem causing response time delays
Visibility and Metrics for WAN Optimization
Real-time and Historical data to facilitate network performance monitoring, capacity planning and resource management
Monitor Quality of Service on a per-hop basis throughout the Network
Quick Recap: Security Operations
Quickly pinpoint zero-day and unknown threats that bypass perimeter security
Identify policy violations, unauthorized activity/applications, misconfigured hosts, and other rogue devices
Faster Incident Resolution & detailed Forensic data
Detection of DoS/DDoS attacks, Worms, Viruses and Botnets
Track and Audit network behavior and access by Individual Hosts
Quick Recap: PCI Compliance and Auditing
NetFlow Solutions supply organizations with the means to:
Continuously but passively monitor host behaviors, looking for deviations from normal processes
Tie individual users to internal network performance problems
Tie individual users to the introduction of security risks inside the internal network
Implement appropriate Network Controls and Policies
Provide for Internal Audit and Risk Assessment
Thank You
Andy Wilson
Senior Systems Engineer
Lancope