Re: NetFlow for IDS

[Adam Powers <apowers () lancope com>]

Okay, so sure, lots of technologies can take NetFlow and store it to disk.
They might even extract a few stats here and there for network
management/traffic accounting purposes. This kind of capability is trivial.
Inclusion of vendors with this class of NetFlow support will dilute the
value of the list Andy has introduced.

I think the list should be limited to only those technologies that do deep
analysis of the inbound Netflow PDUs. Stuff like...

1. NetFlow-based attack detection. First and foremost, the NetFlow security
vendor MUST be able to detect various types of attacks based solely on the
NetFlow data stream. Examples include SYN/UDP/ICMP floods, fragmentation
attacks, traffic anomalies, policy violations, and scanning of various
types.

2. Deduplication of NetFlow. If 2 or more NetFlow exporters see the same
flow, the duplicate records must be counted and removed before processing.
Non-trivial to say the least.

3. Realtime or near-realtime operation. The technology must be able to
process high volume NetFlow (30,000+ flows per second) in near realtime,
alarming on events as they happen vs. batch mode hourly or daily operation.

4. Normalization of NetFlow records; aka. "Flow Stitching". All of the
"real" NetFlow security technologies (known affectionately as "ArOneZuCope
Security"; Arbor, Q1Labs, Mazu, Lancope) allow for the consolidation of
multiple NetFlow records into a single stateful record. This ability allows
for tremendous data reduction in the overall amount of flow data being
written to disk.

5. Client/Server determination. A single TCP socket will result in at least
two NetFlow records (one in each direction of the socket; client->server,
server->client). The receiving NetFlow collector must be able to assemble
the two flows to determine which host was the server and which was the
client.

6. Validation of NetFlow exporters. You must be able to not only collect
NetFlow but alarm/alert when the exporter has failed (stopped exporting,
misconfigured timeouts, etc).

7. Ability to handle and make use of v7 NetFlow ("flagless" NetFlow). v7
does not include ORed TCP flag data. Without TCP flags, NetFlow analysis is
made far more difficult. Overcoming limitations of v7 NetFlow takes a good
bit of thought on the vendor's part.

8. Topology discovery and accounting. NEXTHOP data in the NetFlow PDU can be
used for topological mapping of the network which allows the NetFlow
security technology to determine which router is electronically "closest" to
a given host (for use in mitigation).

The list goes on...


My point is that there are "NetFlow Storage Technologies" and then there are
"NetFlow Security Technologies" (aka. "You sir, are no President Kennedy").

Think TCPDUMP vs. snort in regards to Ethernet frame analysis.



On 7/20/05 9:27 PM, "Ron Gula" <rgula () tenablesecurity com> wrote:

> At 12:21 PM 7/18/2005, Gary Halleen (ghalleen) wrote:
> > That list is handy, but incomplete.
> >
> > Cisco MARS should be added.  MARS is a SIM product that receives log
> > information from various sources (firewalls, routers, switches, IDS/IPS,
> > host logs, antivirus, and more).  It also receives netflow, and can
> > provide very useful security-related information based on it.
> >
> > Gary
>
> Along those lines, you can add any SIM that has a netflow agent or
> a log analyzer that can read someone else's netflow logs. Tenable's
> Thunder will do netflow in our 2.0 release and a quick survey of
> other SIMs saw other folks had netflow agents as well.
>
> Ron Gula
> Tenable Network Security
>
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------


-- 

Adam  Powers
Director of Technology
Lancope, Inc.
c. 678.725.1028
f. 770.225.6501
e. apowers () lancope com

StealthWatch by Lancope - Security Through Network Intelligence



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------