Network Anomaly Detection with NetFlow and IPFIX Analysis

I was working with a customer last week who wanted only TCP, UDP, HOPOPT and ICMP (IP protocol numbers 6, 17, 0 and 1) on the network. In addition, they wanted to be alarmed if any other transport protocol passed through their Cisco ASA. I introduced them to the Top Network Transports gadget in Flow Analytics.

First I made sure that the Cisco ASA was added to the Top Network Transports algorithm; the algorithm only evaluates flows from the exporters you add to it. The gadget is part of the Flow Expert tab in MyView.
Clicking the 'Configure' button on the gadget opens a dialog box where you enter the allowed protocols. You can also click the + sign next to a protocol already listed in the gadget to add it to the allowed set.
In the Top Network Transports gadget I clicked on PUP(12) to see the host using this unwanted transport protocol. Any protocol number outside the allowed set is reported this way, with the hosts that generated it. Most Cisco NetFlow reporting tools don't have a behavior analysis capability like this.
We have been performing network threat detection like this with our NetFlow collector for over 3 years. We constantly strive to be the leader in NetFlow and IPFIX analysis.
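The same allow-list check, written out as an added example so the logic is visible; this is not code from the post or from Flow Analytics. It assumes the collector has already decoded the NetFlow v9/IPFIX records into dictionaries with exporter, src, dst, proto and bytes fields (that shape is an assumption), and the sample flows are constructed, with 10.0.0.1 standing in for the ASA.

```python
"""Allow-list check over decoded flow records.

Added example for the procedure described in the post; it is not code from
the page, from Flow Analytics or from Cisco. The records below are
constructed, and the field names (exporter, src, dst, proto, bytes) are an
assumption about how a collector hands decoded NetFlow v9 / IPFIX records to
analysis code.
"""
from collections import defaultdict

# Small subset of the IANA assigned-internet-protocol-numbers registry.
PROTO_NAMES = {
    0: "HOPOPT", 1: "ICMP", 6: "TCP", 12: "PUP", 17: "UDP",
    41: "IPv6", 47: "GRE", 50: "ESP", 58: "IPv6-ICMP", 132: "SCTP",
}

# The customer's allow-list: TCP, UDP, HOPOPT and ICMP.
ALLOWED_PROTOCOLS = frozenset({6, 17, 0, 1})

# Constructed sample flows (not captured traffic). 10.0.0.1 stands in for the
# ASA; 10.0.0.9 is another exporter that was NOT added to the algorithm.
SAMPLE_FLOWS = [
    {"exporter": "10.0.0.1", "src": "192.168.1.10", "dst": "192.168.1.20", "proto": 6,  "bytes": 48210},
    {"exporter": "10.0.0.1", "src": "192.168.1.10", "dst": "8.8.8.8",      "proto": 17, "bytes": 312},
    {"exporter": "10.0.0.1", "src": "192.168.1.33", "dst": "192.168.1.20", "proto": 12, "bytes": 1200},
    {"exporter": "10.0.0.1", "src": "192.168.1.33", "dst": "192.168.1.21", "proto": 12, "bytes": 900},
    {"exporter": "10.0.0.1", "src": "192.168.1.50", "dst": "203.0.113.7",  "proto": 47, "bytes": 88000},
    {"exporter": "10.0.0.1", "src": "192.168.1.11", "dst": "192.168.1.1",  "proto": 1,  "bytes": 64},
    {"exporter": "10.0.0.9", "src": "172.16.5.5",   "dst": "172.16.5.6",   "proto": 12, "bytes": 500},
]


def proto_name(num):
    """Render a protocol number the way the gadget does, e.g. 'PUP(12)'."""
    name = PROTO_NAMES.get(num)
    return f"{name}({num})" if name else str(num)


def unexpected_transports(flows, allowed=ALLOWED_PROTOCOLS, exporters=None):
    """Group bytes by (protocol, source host) for flows outside the allow-list.

    Only flows from the exporters added to the algorithm are considered;
    exporters=None means every exporter is evaluated.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if exporters is not None and f["exporter"] not in exporters:
            continue
        if f["proto"] in allowed:
            continue
        hits[f["proto"]][f["src"]] += f["bytes"]
    return {p: dict(hosts) for p, hosts in hits.items()}


def alarms(flows, allowed=ALLOWED_PROTOCOLS, exporters=None):
    """One alarm line per unexpected transport, listing its hosts, top talker first."""
    lines = []
    for proto, hosts in sorted(unexpected_transports(flows, allowed, exporters).items()):
        top = sorted(hosts.items(), key=lambda kv: kv[1], reverse=True)
        talkers = ", ".join(f"{host} ({nbytes} bytes)" for host, nbytes in top)
        lines.append(f"ALARM unexpected transport {proto_name(proto)}: {talkers}")
    return lines


if __name__ == "__main__":
    # Evaluate only the ASA, as in the post.
    for line in alarms(SAMPLE_FLOWS, exporters={"10.0.0.1"}):
        print(line)
```

Note that the check can only see what the exporter actually sends: a protocol the ASA drops before flow creation produces no flow record, so it is worth confirming against the firewall's own logs that the protocols you expect to be blocked are blocked, rather than relying on their absence from the gadget.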

 
