Tuesday, 14 May 2013

Detecting Worms on the network through flow based analysis

Internet usage keeps growing, since the internet is a rich place to learn and develop skills. At the same time we are silently exposed to security threats: worms, port scans, DDoS attacks and misuse.

Today, enterprise networks face enormous security threats. The common ways of defending against them are firewalls and IDS (Intrusion Detection Systems).

Firewalls and IDS are largely signature based, so a threat that has no matching signature can pass through their defences. An additional technology such as flow based analytics is a valuable enhancement that helps detect the threats that get past the firewall.

What is Flow ?

A flow is defined as a unidirectional sequence of packets. This means there are two flows for each connection: one from the initiator to the receiver, and one from the receiver back to the initiator.

A flow is identified by seven key fields: source IP address, destination IP address, source port number, destination port number, protocol type, type of service (ToS), and the router input interface. Packets that share the same values in all seven fields are counted into the same flow record in the router's flow cache; the cache accumulates the packet and byte counts and ORs together the TCP flags seen.
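The following is an added example (not code from the original post or from NetFlow Analyzer) that builds a small flow cache the way the paragraph above describes it: packets are keyed on the 7-tuple, and a single TCP connection and a DNS exchange each turn into two unidirectional flows. The packet list, addresses, ports and interface numbers are constructed sample input, and `bidirectional_pairs` is a hypothetical helper that matches a flow with its reverse direction.

```python
from collections import OrderedDict

SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10

# Constructed sample packets (not from the post). Each tuple is:
# (src_ip, dst_ip, src_port, dst_port, proto, tos, input_ifindex, bytes, tcp_flags)
PACKETS = [
    ("10.0.0.5", "93.184.216.34", 51000, 80, 6, 0, 1, 60, SYN),          # client -> server
    ("93.184.216.34", "10.0.0.5", 80, 51000, 6, 0, 2, 60, SYN | ACK),    # server -> client
    ("10.0.0.5", "93.184.216.34", 51000, 80, 6, 0, 1, 52, ACK),
    ("10.0.0.5", "93.184.216.34", 51000, 80, 6, 0, 1, 500, PSH | ACK),
    ("93.184.216.34", "10.0.0.5", 80, 51000, 6, 0, 2, 1460, PSH | ACK),
    ("10.0.0.5", "93.184.216.34", 51000, 80, 6, 0, 1, 52, FIN | ACK),
    ("10.0.0.5", "10.0.0.53", 40000, 53, 17, 0, 1, 70, 0),               # DNS query (UDP, no flags)
    ("10.0.0.53", "10.0.0.5", 53, 40000, 17, 0, 2, 120, 0),              # DNS reply
]


def flow_key(pkt):
    """The seven NetFlow key fields: src, dst, sport, dport, proto, tos, input interface."""
    return tuple(pkt[:7])


def build_flow_cache(packets):
    """Aggregate packets into unidirectional flow records keyed by the 7-tuple.

    Packet and byte counts are summed; TCP flags are ORed cumulatively, which is
    how a NetFlow cache ends up with e.g. SYN|ACK|PSH|FIN on a completed connection.
    """
    cache = OrderedDict()
    for pkt in packets:
        nbytes, flags = pkt[7], pkt[8]
        entry = cache.setdefault(flow_key(pkt), {"packets": 0, "bytes": 0, "tcp_flags": 0})
        entry["packets"] += 1
        entry["bytes"] += nbytes
        entry["tcp_flags"] |= flags
    return cache


def bidirectional_pairs(cache):
    """Hypothetical helper: pair each flow with its reverse direction (addresses and ports swapped).

    ToS and input interface are ignored when matching, because the reverse direction
    normally enters the router on a different interface.
    """
    pairs, seen = [], set()
    for key in cache:
        if key in seen:
            continue
        src, dst, sport, dport, proto = key[:5]
        for other in cache:
            if other is not key and other[:5] == (dst, src, dport, sport, proto):
                pairs.append((key, other))
                seen.add(other)
                break
    return pairs


if __name__ == "__main__":
    cache = build_flow_cache(PACKETS)
    for key, stats in cache.items():
        print(key, stats)
    print("connections:", len(bidirectional_pairs(cache)), "flows:", len(cache))
```

Eight packets become four flow records and two connection pairs; the client-side TCP flow carries four packets, 664 bytes and flags 0x1b, while the server-side flow is a separate record with its own counters.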

What is NetFlow?

NetFlow is a Cisco protocol (originally proprietary; version 9 is documented in RFC 3954, and IPFIX is its IETF successor) by which a router or switch summarizes the flows seen on its interfaces and exports them to an external collector for traffic analytics and security audits.

Every NetFlow record exported from the device carries several key fields: the source and destination IP addresses, the next-hop address, the input and output interface numbers, the number of packets in the flow, the total bytes in the flow, the source and destination ports, the protocol, the ToS byte, the source and destination AS numbers, and the cumulative TCP flags. This is the NetFlow version 5 record layout, which is what most collectors still accept alongside v9/IPFIX.
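As an added example (not code from the original post or from NetFlow Analyzer), here is a parser for the NetFlow v5 export datagram whose fields the paragraph above lists: a 24-byte header followed by up to 30 fixed 48-byte records. The sample datagram is constructed inline with `build_v5_datagram`, a hypothetical helper that packs records the way an exporter would; the addresses, counters and timestamps in `SAMPLE_RECORDS` are made up. `flow_times` shows the detail that trips up most first implementations: the per-record `first`/`last` values are router uptime in milliseconds, not wall-clock time, and must be rebased against the header's `sys_uptime` and `unix_secs`.

```python
import socket
import struct

# NetFlow v5 wire layout (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
assert V5_HEADER.size == 24 and V5_RECORD.size == 48
MAX_V5_RECORDS = 30  # an exporter never puts more than 30 records in one v5 datagram

HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot",
                 "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def parse_v5(datagram):
    """Parse one NetFlow v5 export datagram into (header dict, list of record dicts).

    Length and count are validated before any record is unpacked, so a truncated or
    malformed datagram from an untrusted exporter raises instead of yielding garbage.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if header["version"] != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % header["version"])
    if header["count"] > MAX_V5_RECORDS:
        raise ValueError("implausible record count %d" % header["count"])
    needed = V5_HEADER.size + header["count"] * V5_RECORD.size
    if len(datagram) < needed:
        raise ValueError("truncated datagram: %d bytes, need %d" % (len(datagram), needed))

    records = []
    for i in range(header["count"]):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for f in ("srcaddr", "dstaddr", "nexthop"):
            rec[f] = socket.inet_ntoa(rec[f])      # 4 raw bytes -> dotted quad
        del rec["pad1"], rec["pad2"]
        records.append(rec)
    return header, records


def flow_times(header, rec):
    """Absolute (start, end) epoch seconds for a record.

    first/last are SysUptime milliseconds; the header gives the exporter's
    SysUptime and wall clock at export time, so rebase relative to that.
    """
    export_epoch = header["unix_secs"] + header["unix_nsecs"] / 1e9
    start = export_epoch - (header["sys_uptime"] - rec["first"]) / 1000.0
    end = export_epoch - (header["sys_uptime"] - rec["last"]) / 1000.0
    return start, end


def build_v5_datagram(records, sys_uptime, unix_secs, flow_sequence=0):
    """Hypothetical helper: pack records into a v5 datagram (constructed sample input)."""
    body = b"".join(V5_RECORD.pack(
        socket.inet_aton(r["srcaddr"]), socket.inet_aton(r["dstaddr"]), socket.inet_aton(r["nexthop"]),
        r["input"], r["output"], r["dPkts"], r["dOctets"], r["first"], r["last"],
        r["srcport"], r["dstport"], 0, r["tcp_flags"], r["prot"], r["tos"],
        r["src_as"], r["dst_as"], r["src_mask"], r["dst_mask"], 0) for r in records)
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, flow_sequence, 0, 0, 0)
    return header + body


# Constructed sample records (not real traffic): a single-packet SYN and a completed connection.
SAMPLE_RECORDS = [
    {"srcaddr": "10.1.2.30", "dstaddr": "10.9.0.10", "nexthop": "10.9.0.1", "input": 3, "output": 5,
     "dPkts": 1, "dOctets": 60, "first": 990, "last": 990, "srcport": 20001, "dstport": 443,
     "tcp_flags": 0x02, "prot": 6, "tos": 0, "src_as": 0, "dst_as": 0, "src_mask": 24, "dst_mask": 24},
    {"srcaddr": "10.1.2.31", "dstaddr": "10.9.0.10", "nexthop": "10.9.0.1", "input": 3, "output": 5,
     "dPkts": 12, "dOctets": 5000, "first": 500, "last": 980, "srcport": 30001, "dstport": 443,
     "tcp_flags": 0x1b, "prot": 6, "tos": 0, "src_as": 0, "dst_as": 0, "src_mask": 24, "dst_mask": 24},
]
# Exporter has been up 1000 ms and its clock reads 2013-05-14 00:00:00 UTC at export time.
DATAGRAM = build_v5_datagram(SAMPLE_RECORDS, sys_uptime=1000, unix_secs=1368489600)

if __name__ == "__main__":
    hdr, recs = parse_v5(DATAGRAM)
    print(hdr)
    for r in recs:
        print(r["srcaddr"], "->", r["dstaddr"], r["dstport"], "flags=0x%02x" % r["tcp_flags"], flow_times(hdr, r))
```

A collector that accepts exports over UDP from any address should treat these datagrams as untrusted input: the `count` field and the datagram length are the two values an attacker controls that decide how far the parser reads.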

NetFlow based security Analytics versus IDS:

NetFlow based security analytics is a faster approach to identifying security threats than inspecting every packet on the network, which is what an IDS does.

NetFlow is very useful for detecting zero-day or "mutant" attacks, cases where a signature-based IDS fails, because it works from traffic behaviour (volumes, flags, port usage, who talks to whom) rather than payload patterns, and the flow records are exported directly from the core and edge devices. Interpreted properly, NetFlow data gives in-depth visibility into traffic patterns and network anomalies. The caveat is the reverse side of the same property: flow records carry no payload, so they show that a host is behaving abnormally, not which exploit or malware is responsible.

Use Case Scenario:

Suppose malware on a couple of PCs, or in some portion of an internal network segment, is causing a SYN flood (a DoS attack). A network without a flow based traffic and security analytics tool may face a huge task in identifying this threat. A network running ManageEngine NetFlow Analyzer with the ASAM module, on the other hand, can easily find the infected system or segment and take the necessary action to remove the malware.


How ASAM helps in this situation?

Assume the PCs or the infected network segment (a group of PCs) are connected to a core layer 3 switch that is being monitored in NetFlow Analyzer via NetFlow export. The administrator notices a sudden huge spike in the traffic graph on a particular port and suspects it may be a security threat.

He now uses the ASAM module to check whether there is any threat on this particular device.
For easier analysis he uses the resource based security threat analysis. The resource based analysis snapshot shows which router, source network, source IP, destination network and destination IP have the most events.

This snapshot lets the administrator drill down quickly to the problematic network segment and find the offenders. Once the list of offender IPs is extracted, the administrator can identify the PCs and remove the malware with an antivirus tool, or disconnect the infected PCs from the network. This attribution relies on the flow records carrying the real source addresses; a flood that spoofs its source instead shows up as many sources hitting one destination, and the drill-down then starts from the destination side.
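The detection logic behind the use case above, as an added example that is not code from the original post or from NetFlow Analyzer's ASAM module: it runs over a constructed list of flow records (same field names as a decoded NetFlow v5 record, plus a hypothetical `exporter` name) and flags a source that produces a large number of single-packet SYN-only flows, while leaving alone a host with a few ordinary failed connections. `resource_summary` reproduces the "events per router, source network, source IP, destination network, destination IP" view the text describes. The thresholds, addresses and the `core-sw1` exporter name are assumptions.

```python
from collections import Counter, defaultdict
import ipaddress

SYN = 0x02

# Constructed flow records (not data from the post). Field names follow NetFlow v5.
FLOWS = []
# 200 half-open connections from the infected host: one SYN packet each, no reply counted.
for i in range(200):
    FLOWS.append({"exporter": "core-sw1", "srcaddr": "10.1.2.30", "dstaddr": "10.9.0.10",
                  "srcport": 20000 + i, "dstport": 443, "prot": 6,
                  "tcp_flags": SYN, "dPkts": 1, "dOctets": 60})
# 20 normal connections from a clean host on the same segment (full handshake, data, FIN).
for i in range(20):
    FLOWS.append({"exporter": "core-sw1", "srcaddr": "10.1.2.31", "dstaddr": "10.9.0.10",
                  "srcport": 30000 + i, "dstport": 443, "prot": 6,
                  "tcp_flags": 0x1b, "dPkts": 12, "dOctets": 5000})
# A clean host with three failed SSH attempts (SYN retransmitted, never answered).
for i in range(3):
    FLOWS.append({"exporter": "core-sw1", "srcaddr": "10.1.3.7", "dstaddr": "10.9.0.11",
                  "srcport": 40000 + i, "dstport": 22, "prot": 6,
                  "tcp_flags": SYN, "dPkts": 2, "dOctets": 120})


def is_syn_only(flow):
    """A TCP flow whose only flag ever seen was SYN and which carried almost no packets."""
    return flow["prot"] == 6 and flow["tcp_flags"] == SYN and flow["dPkts"] <= 3


def detect_syn_flood(flows, min_syn_flows=100, min_ratio=0.9):
    """Return sources whose traffic is dominated by SYN-only flows.

    Both an absolute count and a ratio are required: a busy but healthy host has many
    flows and a low ratio, a host with a handful of failed connections has a high ratio
    but a tiny count. Only an attacker satisfies both.
    """
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["srcaddr"]].append(f)
    offenders = []
    for src, fl in by_src.items():
        syn_only = [f for f in fl if is_syn_only(f)]
        ratio = len(syn_only) / len(fl)
        if len(syn_only) >= min_syn_flows and ratio >= min_ratio:
            targets = Counter((f["dstaddr"], f["dstport"]) for f in syn_only)
            offenders.append({"src": src, "syn_only_flows": len(syn_only),
                              "ratio": round(ratio, 2), "top_target": targets.most_common(1)[0]})
    return offenders


def resource_summary(flows, event=is_syn_only, prefix=24):
    """Event counts per exporter, source network, source IP, destination network and destination IP.

    Networks are summarized to /prefix (assumption: /24 segments) so a whole infected
    segment stands out even when the individual hosts are spread across many addresses.
    """
    ev = [f for f in flows if event(f)]

    def net(ip):
        return str(ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False))

    return {
        "router": Counter(f["exporter"] for f in ev),
        "source_network": Counter(net(f["srcaddr"]) for f in ev),
        "source_ip": Counter(f["srcaddr"] for f in ev),
        "destination_network": Counter(net(f["dstaddr"]) for f in ev),
        "destination_ip": Counter(f["dstaddr"] for f in ev),
    }


if __name__ == "__main__":
    for o in detect_syn_flood(FLOWS):
        print("SYN flood source:", o)
    for resource, counts in resource_summary(FLOWS).items():
        print(resource, counts.most_common(3))
```

On this input only 10.1.2.30 is reported, aimed at 10.9.0.10:443, and the resource view ranks 10.1.2.0/24 as the source network with the most events; 10.1.3.7 appears with three events but is well below the flood threshold. Time-windowing (flows per minute rather than per export batch) is the obvious next refinement and is omitted here to keep the logic readable.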

You can download the 30 day trial of ManageEngine NetFlow Analyzer from here.

Reach us on Facebook at NetFlow Analyzer TAC

Catch up with the latest updates in the industry, through our LinkedIn community Bandwidth Monitoring and Traffic Analysis for Enterprises

Praveen Kumar
NetFlow Analyzer Technical Team


Thursday, 2 May 2013

Timezone based reporting in NetFlow Analyzer

Managing a corporate network spread across the globe is a highly challenging task for a network administrator. Monitoring bandwidth and generating traffic reports for each location in its own time zone is a painful task faced by every network admin. Of course there will be localization within the network, with individual administrators across the globe monitoring their own segment of it.

NetFlow Analyzer serves many corporate networks, helping them manage bandwidth and monitor traffic through their network devices. This post focuses on the time zone based traffic report generation feature.

Consider a network spread across 4 locations that uses NetFlow Analyzer to monitor bandwidth. The company has offices in Japan, China, India and the US. NetFlow Analyzer is installed at the head office in the US, and NetFlow data is exported from the devices at each location to the central head office NetFlow Analyzer over MPLS.

NetFlow Analyzer parses all the NetFlow data it receives and stores each record with a timestamp in the server's own time zone.

Time zone based reporting:

Assume the network administrator in the US manages all the other locations as well as the headquarters; his job is to monitor the entire network with the help of the administrators at each location. The role of the administrator at each location is to manage and monitor the devices that belong to that location. Since these administrators sit in different time zones, the reports generated from NetFlow Analyzer should be in their respective time zones.

Device Grouping :

The administrator in the US, who manages the entire network and the NetFlow Analyzer server, creates a device group for each of the three remote locations and associates the devices belonging to each location with the corresponding device group.


Assigning the Devices to User:

He then creates a user account (Operator level) for each location's administrator, set to that administrator's time zone, and associates the device group belonging to that location with the account.

Once the users are created, each location's users can log in to NetFlow Analyzer and generate reports in their own time zone. Users can generate reports only for their own devices. They can also create alerts for the devices being monitored, so that when a threshold violation occurs they receive an alert.
The administrator can also change his time zone when generating a report for a device located in a different time zone.

Apart from this time zone based view, scheduled reports and alerts can also be configured with a time zone.

Click here to see the features available, and click Download to install the product on your network and evaluate its capabilities.

Praveen Kumar
NetFlow Analyzer Technical Team