RE: NetFlow for IDS

From: Joseph Hamm (jhamm_at_lancope.com)
Date: 07/24/05

    Date: Sun, 24 Jul 2005 13:06:42 -0400
    To: <ferg@furg.net>, "Gary Halleen (ghalleen)" <ghalleen@cisco.com>
    
    

    Fergus,

    > In fact Netflow is widely considered to be inaccurate at times ( I can
    > reference examples of 200% utilisation reporting etc...), a serious
    > issue for UBB etc, and as we all know when the bad stuff happens the
    > availability and integrity of the information is extremely important.

    Were the >100% utilization numbers a result of duplicate flows? Flows
    reported by multiple devices and that get counted more than once could
    alter your numbers. Tools that are able to de-duplicate flows before
    processing can provide more accurate information.

    And you're right, complementing exported flow data with native packet
    capture is always preferred (especially in anomaly detection) because of
    the additional information provided through header and payload
    information.

    Regards,
    Joe

    Joe Hamm, CISSP
    Senior Security Engineer
    Lancope, Inc.
    jhamm@lancope.com
    404.644.7227 (cell)
    770.225.6509 (fax)

    Lancope - Security through Network Intelligence(tm)
    StealthWatch(tm) by Lancope, a next-generation network security
    solution, delivers behavior-based intrusion detection, policy
    enforcement and insightful network analysis. Visit www.lancope.com.

    Join Lancope for a complimentary webcast "Exclusive Look at StealthWatch
    System v 5.0" at 11 AM ET on Wednesday, July 27, 2005. Register today at
    https://lancope.webex.com/lancope/onstage/g.php?d=751852973&t=a.
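    As an added illustration of the de-duplication point above (example code, not from the thread or from any Lancope product): two routers on the same path both export the same flows, so a naive sum reports more than 100% of link capacity, while collapsing records by flow identity before aggregating gives a sane figure. Flow records, the link speed and the accounting window are constructed sample values.

```python
"""Constructed example: duplicate flow export inflates utilization;
de-duplicating by flow identity before aggregation corrects it."""
from collections import namedtuple

Flow = namedtuple("Flow", "exporter src dst sport dport proto start_ms bytes")

LINK_BPS = 10_000_000   # constructed: a 10 Mbit/s link
WINDOW_S = 1            # constructed: one-second accounting window

# Constructed sample: rtr-a and rtr-b both sit on the path, so the first
# two flows are exported twice; the third flow is seen by rtr-b only.
FLOWS = [
    Flow("rtr-a", "10.0.0.5", "192.0.2.10", 40001, 80,  6, 1000, 600_000),
    Flow("rtr-b", "10.0.0.5", "192.0.2.10", 40001, 80,  6, 1000, 600_000),
    Flow("rtr-a", "10.0.0.6", "192.0.2.11", 40002, 443, 6, 1000, 400_000),
    Flow("rtr-b", "10.0.0.6", "192.0.2.11", 40002, 443, 6, 1000, 400_000),
    Flow("rtr-b", "10.0.0.7", "192.0.2.12", 40003, 22,  6, 1000, 100_000),
]


def flow_key(f):
    """Identity of a flow independent of which device exported it.
    Assumes both exporters cut flow records on the same boundaries; if their
    active timeouts differ, the key must be widened to a time range instead."""
    return (f.src, f.dst, f.sport, f.dport, f.proto, f.start_ms)


def dedupe(flows):
    """Keep one record per flow key, preferring the first exporter seen."""
    seen = {}
    for f in flows:
        seen.setdefault(flow_key(f), f)
    return list(seen.values())


def utilization_pct(flows, link_bps=LINK_BPS, window_s=WINDOW_S):
    """Percent of link capacity consumed by the given flow records."""
    total_bits = 8 * sum(f.bytes for f in flows)
    return 100.0 * total_bits / (link_bps * window_s)


if __name__ == "__main__":
    print(f"naive sum over all exporters: {utilization_pct(FLOWS):.0f}%")
    print(f"after de-duplication:         {utilization_pct(dedupe(FLOWS)):.0f}%")
```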

    -----Original Message-----
    From: Fergus Brooks [mailto:fergwa@gmail.com]
    Sent: Thursday, July 21, 2005 2:59 AM
    To: Gary Halleen (ghalleen)
    Cc: focus-ids@securityfocus.com
    Subject: Re: NetFlow for IDS

    This is good stuff.

    The 4 products Adam mentioned perform Network Behavioural Anomaly
    Detection (NBAD).

    NBAD is an added layer - complementary to NIDS/NIPS. This is a very good
    article for those interested:

    http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=163700677&pgno=1

    Despite the marketing pitch, MARS is not an NBAD product and should not
    be in the NBAD quadrant when Gartner puts it together. Aggregation and
    correlation tools like Protego (sorry Cisco..) MARS look at a bunch of
    different information and assess the importance of events - a good NBAD
    product should profile the behaviour of the network in real time and not
    wait for devices to start hinting at issues.

    I have questions about products that depend on flow info from routers
    etc - if you are being badly DDoSed then I am not sure that these
    devices will be accurate in providing the necessary intelligence for
    accurate mitigation. In fact Netflow is widely considered to be
    inaccurate at times ( I can reference examples of 200% utilisation
    reporting etc...), a serious issue for UBB etc, and as we all know when
    the bad stuff happens the availability and integrity of the information
    is extremely important. Hence why most of the NBAD platforms can gather
    information from the wire independent of Net/c/sflow via SPAN/tap etc.

    Also Cisco are investors in Arbor and have incorporated Riverhead. The
    Riverhead stuff is very good at dealing with anomalous traffic, and they
    are also pushing MARS as some kind of anomaly detection solution.
    I have also heard that there is some protocol anomaly detection in Cisco
    IDS.

    As a representative of Cisco Gary, perhaps you could let us all know
    what Cisco's roadmap is for these supposedly competing products they
    have invested in? I am confused!

    On 7/19/05, Gary Halleen (ghalleen) <ghalleen@cisco.com> wrote:
    > That list is handy, but incomplete.
    >
    > Cisco MARS should be added. MARS is a SIM product that receives log
    > information from various sources (firewalls, routers, switches,
    > IDS/IPS, host logs, antivirus, and more). It also receives netflow,
    > and can provide very useful security-related information based on it.
    >
    > Gary
    >
    >
    > -----Original Message-----
    > From: Andy Cuff [mailto:lists@securitywizardry.com]
    > Sent: Thursday, July 14, 2005 2:21 PM
    > To: focus-ids@securityfocus.com
    > Subject: NetFlow for IDS
    >
    >
    > Netflow data offers a valuable source of IDS information. To this end
    > Jeff Ames has detailed all known Netflow analysis tools on a single
    > page at http://securitywizardry.com/protNetFlowA.htm
    >
    > As always please notify us of any omissions or errors
    >
    > Regards
    > Andy Cuff
    > Chief Technology Officer
    > Computer Network Defence Ltd
    > http://SecurityWizardry.com
    > Phone (+44) (0) 7968 608945

    ------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------