I was working with a customer last week who only wanted TCP, UDP, HOPOPT and ICMP on the network. In addition to that they wanted to be alarmed if any other transport protocol passed through their Cisco ASA . I introduced them to the Top Network Transports gadget in Flow Analytics.
First I made sure that the Cisco ASA was added to the Top Network Transports algorithm. The gadget below is part of the Flow Expert tab in MyView:
If you click on the ‘Configure’ button above, it will bring up the dialog box where you can enter the allowed protocols. You can also just click on the + sign next to the above protocol.
In the Top Network Gadgets screenshot above, I clicked on PUP(12) to see the host using this unwanted transport protocol. Most Cisco NetFlow reporting tools don’t have a behavior analysis capability like this.
We have been performing network threat detection like this with our NetFlow collector for over 3 years. We constantly strive to be the leader in NetFlow and IPFIX analysis.