=================
Vendor Alert;)
=================
There are commercially available performance monitoring tools, SIM/SEM
tools, network anomaly detection systems, and perhaps others that have
the ability to collect and process NetFlow or sFlow information. Of
course, it is important to understand what the solution is doing with
the flows and what information it is able to provide from them.
One of the great thing about leveraging network flows is that you can
get complete visibility of your network without having to deploy many
devices. This is done by essentially turning your routing and switching
infrastructure into security probes. I'm always surprised by the number
of people who don't even know about flow technologies such as NetFlow
and sFlow....considering the valuable information it can provide.
So you will need to decide what information you are looking to gain from
NetFlow data and choose the appropriate tool. Some tools focus on
network management, some on security, some correlate data with other
events, some do a combination of these. Andy's site has some great
links for open source tools for anyone wanting to wet their appetite
with flow data.
There are some challenges with processing flows. First, your
infrastructure has to support it so check with your vendor. You will
want to ensure that enabling flow export does not impact performance of
your network gear. For example, some of the older Cisco gear takes a
considerable performance hit. You will also have to deal with issues
such as duplicate flows (multiple devices reporting the same flow),
appropriately setting timers so that flows get exported in a timely
fashion, etc. Another challenge might be getting your network folks to
enable NetFlow. For testing purposes, you can use an open source tool
like nprobe to collect traffic from a mirror port or tap and create flow
records for processing.
Hope this helps,
Joe
Joe Hamm, CISSP
Senior Security Engineer
Lancope, Inc.
jhamm@lancope.com
404.644.7227 (cell)
770.225.6509 (fax)
Lancope - Security through Network Intelligence(tm)
StealthWatch(tm) by Lancope, a next-generation network security
solution, delivers behavior-based intrusion detection, policy
enforcement and insightful network analysis. Visit www.lancope.com.
Join Lancope for a complimentary webcast "Exclusive Look at StealthWatch
System v 5.0" at 11 AM ET on Wednesday, July 27, 2005. Register today at
https://lancope.webex.com/lancope/onstage/g.php?d=751852973&t=a.
-----Original Message-----
From: Jonathan Glass (GMail) [mailto:jonathan.glass@gmail.com]
Sent: Wednesday, July 20, 2005 7:42 PM
To: Gary Halleen (ghalleen)
Cc: Andy Cuff; focus-ids@securityfocus.com
Subject: Re: NetFlow for IDS
Lancope sells a Stealthwatch XE appliance for anomaly-based IDS using
Netflow analysis.
Jonathan Glass
Gary Halleen (ghalleen) wrote:
That list is handy, but incomplete.
Cisco MARS should be added. MARS is a SIM product that receives log
information from various sources (firewalls, routers, switches,
IDS/IPS, host logs, antivirus, and more). It also receives netflow,
and can provide very useful security-related information based on it.
Gary
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
