Maximize Network Visibility with NetFlow Technology Adam Powers Chief Technology Officer Lancope
Agenda What is NetFlow h Introduction to NetFlow h NetFlow Examples NetFlow in Action h Network Operations User Case h Security Operations User Case h PCI Compliance and Auditing User Case A Glimpse into the Power of NetFlow h 10+ G Ethernet Environments h Virtual Environments h MPLS and Multi-point VPNs
What is NetFlow? Internet NetFlow Packets NetFlow Fields src and dst IP src and dst port start time end time packet count byte count... StealthWatch Flow Collector
NetFlow vs. Traditional SNMP Monitoring Traditional SNMP NetFlow Reporting
Flow-based Visibility and Drill-down
NetFlow for the Network Team NetFlow Packet flow1 flow2... StealthWatch Flow Collector Network Team Interface utilization Billing and chargeback QOS monitoring BGP ASN monitoring MPLS visibility Application troubleshooting Compliance and Auditing PCI Compliance HIPAA Compliance SCADA Security Sarbanes-Oxley Security Team File sharing Malware outbreak detection Network acceptable use Flow forensics Data loss prevention
NetFlow in Action : Network Operations OldCastle APG Leading North American manufacturer of concrete masonry, lawn, garden and paving products and a regional leader in clay brick 206 Operating locations 7000+ employees Problem No way to visualize who or what was causing network slowdowns Internal IT staff using multiple tools in attempts to troubleshoot incidents
NetFlow in Action : Network Operations Solution Combining Cisco NetFlow and Lancope s StealthWatch System for visibility into the who, what, when and where of network traffic Business Results Determine the root cause of network slowdowns in real-time Detect bandwidth and network user violations and tie user identity to rogue activity Unified view of network and security operations h All regional network managers, helpdesk and network/security engineers at Oldcastle APG use StealthWatch to pinpoint the traffic and users associated with network and security issues and expedite problem resolution Gains detailed network performance analysis for capacity planning, helping Oldcastle APG forecast bandwidth upgrades Also helps quickly discover and diffuse virus infections
NetFlow in Action : Network Operations Tony Jaroszewski, Network/Security Engineer for OldCastle APG StealthWatch enables our support team to make strategic decisions about network and security management based on a unified view of network, security and user information across the enterprise. Not only does it provide network performance monitoring to ensure our applications run optimally, StealthWatch also identifies internal and external threats through behavior-based algorithms.
NetFlow Compliance and Auditing NetFlow Packet flow1 flow2... StealthWatch Flow Collector Network Team Interface utilization Billing and chargeback QOS monitoring BGP ASN monitoring MPLS visibility Application troubleshooting Compliance and Auditing PCI Compliance HIPAA Compliance SCADA Security Sarbanes-Oxley Security Team File sharing Malware outbreak detection Network acceptable use Flow forensics Data loss prevention
NetFlow in Action : PCI Compliance NetFlow facilitates compliance with PCI DSS Requirements: Verifies actual network communications (1.1.2) Monitors services and ports in use (1.1.5) Determines when accounts are active and what they did during this activity (8.5.6) Audits access to anything on the network and tying activity to an individual user, including administrative accounts (10.1)
NetFlow in Action : PCI Compliance AirTran Airways Fortune 1000 company Geographically dispersed network across the continental US Problem Required improved security and network management across the enterprise in accordance with Payment Card Industry (PCI) requirements Wanted greater network visibility and behavioral intrusion detection Ability to monitor a geographically dispersed network
NetFlow in Action : PCI Compliance Solution StealthWatch identifies who does what when, and provides data to enforce accountability Business Result Immediately upon deployment, StealthWatch provided continuous network monitoring to help AirTran demonstrate network-wide PCI by: Supplying real-time visibility and awareness of network and host-based behaviors, increasing accountability for introducing network security risks as well as jeopardizing network availability, and tracking, measuring and prioritizing network and host-based risk. Quickly identify and resolve issues related to network behavior or malicious events Monitors WAN activity and performance
NetFlow in Action: PCI Compliance Michelle Stewart, Manager of Data Security, AirTran Airways StealthWatch performed so well during our evaluation that we did not pursue trials with any other NBA products. During testing, StealthWatch demonstrated the ability to detect unauthorized remote access, worm activity and root cause analysis of increases in WAN activity. All of these functions have aided our efforts to demonstrate compliance with the PCI Data Security Standard.
NetFlow for the Security Team NetFlow Packet flow1 flow2... StealthWatch Flow Collector Network Team Interface utilization Billing and chargeback QOS monitoring BGP ASN monitoring MPLS visibility Application troubleshooting Compliance and Auditing PCI Compliance HIPAA Compliance SCADA Security Sarbanes-Oxley Security Team File sharing Malware outbreak detection Network acceptable use Flow forensics Data loss prevention
NetFlow in Action : Security Operations Aurora HealthCare Network Overview Largest private employer in Wisconsin over 27,000 employees 14 Hospitals Over 150 Clinics 200 + Pharmacies Challenge Monitor a widely dispersed network without deploying administratively problematic and financially burdensome individual sensors throughout the network Needed complete visibility of the network from the internal network to the clinics at the edge Monitor for zero-day attacks, viruses, Trojans, etc. Support for HIPAA Compliance
NetFlow in Action : Security Operations Solution Combining NetFlow & StealthWatch System Business Results 100% visibility from core to network edge Reduced time and resources allocated to network security issues Streamlined the remediation process and reduced incident investigation by more than half HIPAA auditing support
NetFlow in Action : Security Operations Dan Lukas, Lead Security Architect : Aurora HealthCare [I can] easily drill down into a clinic s network activity; address bandwidth issues; identify and remediate misconfigured devices; delve into switch levels to pinpoint and mitigate threats. With its ability to locate distributed sniffers, StealthWatch eliminates the need to purchase troubleshooting hardware for significant cost-savings."
Visibility Lost Due to Emerging Tech Emerging network technologies are outpacing traditional network monitoring techniques such as SNMP and SPAN/tap-based technology... 10G Ethernet is so fast few probe technologies can keep up and those that can are too expensive MPLS and multi-point VPNs create a meshed WAN that s expensive to monitor adequately Virtualization hides whole network segments from the network manager s view, making VM2VM communication problems difficult to troubleshoot These issues result in an inability to react to network problems because of a basic lack of.
10G+ Ethernet 10G Ethernet is so fast few probe technologies can keep up and those that can are too expensive traditional Ethernet sensor Where to plug in?
NetFlow in a 10G+ Ethernet Environment 10G Ethernet is so fast few probe technologies can keep up and those that can are extremely expensive StealthWatch Flow Collector
Virtualization Virtualization hides whole network segments from the network manager s view, making VM2VM communication problems difficult to troubleshoot physical network VM1 VM2 VM3 virtual machines VM2VM traditional Ethernet probe physical machine virtual switches
NetFlow in the Virtual Environment VM VM VM virtual machines NF 9 VM2VM virtual switches VM Server StealthWatch Flow Collector *** Cisco Nexus 1000v also supports NetFlow ***
MPLS and Multi-point VPNs MPLS and multi-point VPNs create a meshed WAN that s expensive to monitor adequately traditional Ethernet sensor
MPLS and Multi-point VPNs Fully meshed connectivity circumvents network monitoring deployed at the hub location
MPLS and Multi-point VPNs Full visibility requires a probe at each location throughout the WAN
NetFlow Collection in the WAN Deploy a StealthWatch NetFlow collector at a central location and enable NetFlow at each remote site StealthWatch Flow Collector NetFlow Packet NetFlow Packet
Quick Recap: Network Operations Fully integrated view of network usage, performance, host integrity and user behavior Diagnose Network congestion and provide root cause analysis of the problem causing response time delays Visibility and Metrics for WAN Optimization Real-time and Historical data to facilitate network performance monitoring, capacity planning and resource management Monitor Quality of Service on a per-hop basis throughout the Network
Quick Recap: Security Operations Quickly pinpoint zero-day and unknown threats that bypass perimeter security Identify policy violations, unauthorized activity/applications, misconfigured hosts, and other rogue devices Faster Incident Resolution & detailed Forensic data Detection of DoS/DDoS attacks, Worms, Viruses and Botnets Track and Audit network behavior and access by Individual Hosts
Quick Recap: PCI Compliance and Auditing NetFlow Solutions supply organizations with the means to: Continuously but passively monitoring host behaviors looking for deviations from normal processes Tie individual users to internal network performance problems Tie individual users to the introduction of security risks inside the internal network Implement appropriate Network Controls and Policies Provide for Internal Audit and Risk Assessment
Thank You Adam Powers Chief Technology Officer Lancope