What do you use to analyze Netflow data at the Enterprise level for security purposes?

Question

We've been pursuing various options for capturing and analyzing North-South and East-West data flows for security purposes.  We've purchased Gigamon and multiple taps, we're budgeting for a Moloch Traffic Analyzer environment, we've discussed Cisco Tetration and tossed it out for it's $1M+ price tag.

None of those solutions easily fit into the budgetary needs of a non-profit.

I know the Engineer's Toolset offers a single-instance Real Time Netflow display that shows detailed information from a single source for the last sixty minutes.  That isn't a good fit for Enterprise security analysis from 800 switches & routers & firewalls, across 70,000 ports.

Our network router's and L3 switches' interfaces all easily capture and forward Netflow information, and our Security team wishes to use that Netflow capability for North-South and East-West analysis.  The need it to capture and display in real time and they want to store it for months for analysis.

1. What do you use to accomplish security analysis of data flows that relies on Netflow information?

2. What ways do you use Netflow (on an enterprise / corporate level) for security analysis?

3. Our Version 8 Cisco 4510's capture L2 VLAN traffic flows on every access port, but our Version 7 chasses need an add-on module that's pricey and obsolete.  What tools do you use to capture East-West Netflow information from L2-aware access switches?

4. Are you able to capture Layer 2 East-West Netflow traffic information from:

A.  Cisco 3850's?

B.  Cisco 9348's?

5. What tools do you rely on to receive enterprise Netflow data that automatically analyze and report problems to you?

6. Talk to me about your Security Analyzation solutions if they use Netflow in any way, please?

Swift Packets!

Rick Schroeder

rschroeder · Answer

Thank you, tdowns​.  We use a variety of tools, including Gigamon, LogRhythm, and three others.  None meet all requirements of completeness and affordability to capture all east-west traffic.  We pick and choose are captures based on perceived need and budget.  I'm certain our Security team would prefer every key stroke logged to a tool that was intelligent enough to compare and apply the strokes and flows to security policies & STIGs.  It's one reason why they are interested in what NetFlow can bring to their analyzers.

hpstech · Answer

Can we see some obfuscated screenshots of juicy sexy reporting data that gets guys like us in the mood for tech lovin'?

tdowns · Answer

Rick - our Network is nowhere near the size of yours, but I'll throw out there what we're using (you may already be familiar with it).  In Aug '18 we switched our SIEM to LogRhythm.   One of their optional components is called Network Monitor (or just NetMon).   They sell/license NetMon as an appliance or virtual appliance.  We're using the VM version.   On our VMWare environment we setup a Remote Mirroring session (RSPAN) on a distributed switch that sends the vlans of our choice to a specific port the Flow of which is captured by the NetMon appliance.   NetMon can capture other types of flow/spans, but we just happen to be using it with VMware dSwitch in this case.

The NetMon flow captures are used in two ways:  1) capture data is sent to the SIEM as a data source and analyzed by the LogRhythm security rules etc.   2) NetMon is accessible via it's own Web UI (I believe it's actually kibana with ElasticSearch) where you can directly see dashboards, capture data and do searches and also set alerts.

Since we're mirroring VLANs it is seeing lateral traffic between servers (searchable traffic directions include: lateral, ingress, egress, unknown/other).   There is also a free version of NetMon that you can check out.   It's actually very full featured (for a free version) from what I remember.   I think that the main limitation is that it can't ship captures to a SIEM, you can only use it's UI to view and search traffic flows.

I have no idea if this scales to the size of your Network or is affordable, but it might.  You'd have to talk to them.

As I said, we've only been using this for a few months but we like it so far -- thus my endorsement is limited by that view.

If this doesn't fit the requirements of your original post, perhaps it will help someone else.

Cheers.

Ted

Ps.  I forgot to mention that one of the cool features of NetMon is that you can use Rules with Deep Packet Analytics and set alerts for things like detecting credit card, routing numbers, SSN, P2P as well as classify traffic by Application.