RE: NetFlow for IDS

• Previous message: Roland Dobbins: "Re: NetFlow for IDS"
• Maybe in reply to: Andy Cuff: "NetFlow for IDS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 24 Jul 2005 13:06:42 -0400
To: <ferg@furg.net>, "Gary Halleen (ghalleen)" <ghalleen@cisco.com>

Fergus,

>In fact Netflow is widely considered to be inaccurate at times ( I can
reference examples of 200% utilisation reporting >etc...), a serious
issue for UBB etc, and as we all know when the bad stuff happens the
availability and integrity of
>the information is extremely important.

Was the >100% utilization numbers a result of duplicate flows? Flows
reported by multiple devices and that get counted more than once could
alter your numbers. Tools that are able to de-duplicate flows before
processing can provide more accurate information.

And you're right, complementing exported flow data with native packet
capture is always preferred (especially in anomaly detection) because of
the additional information provided through header and payload
information.

Regards,
Joe

Joe Hamm, CISSP
Senior Security Engineer
Lancope, Inc.
jhamm@lancope.com
404.644.7227 (cell)
770.225.6509 (fax)

Lancope - Security through Network Intelligence(tm)
StealthWatch(tm) by Lancope, a next-generation network security
solution, delivers behavior-based intrusion detection, policy
enforcement and insightful network analysis. Visit www.lancope.com.

Join Lancope for a complimentary webcast "Exclusive Look at StealthWatch
System v 5.0" at 11 AM ET on Wednesday, July 27, 2005. Register today at
https://lancope.webex.com/lancope/onstage/g.php?d=751852973&t=a.

-----Original Message-----
From: Fergus Brooks [mailto:fergwa@gmail.com]
Sent: Thursday, July 21, 2005 2:59 AM
To: Gary Halleen (ghalleen)
Cc: focus-ids@securityfocus.com
Subject: Re: NetFlow for IDS

This is good stuff.

The 4 products Adam mentioned perform Network Behavioural Anomaly
Detection (NBAD).

NBAD is an added layer - complimentary to NIDS/NIPS. This is a very good
article for those interested:

http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleI
d=163700677&pgno=1

Despite the marketing pitch, MARS is not an NBAD product and should not
be in the NBAD quadrant when Gartner puts it together. Aggregation and
correlation tools like Protego (sorry Cisco..) MARS look at a bunch of
different information and assess the importance of events - a good NBAD
product should profile the behaviour of the network in real time and not
wait for devices to start hinting at issues.

I have questions about products that depend on flow info from routers
etc - if you are being badly DDoSed then I am not sure that these
devices will be accurate in providing the necessary intelligence for
accurate mitigation. In fact Netflow is widely considered to be
inaccurate at times ( I can reference examples of 200% utilisation
reporting etc...), a serious issue for UBB etc, and as we all know when
the bad stuff happens the availability and integrity of the information
is extremely important. Hence why most of the NBAD platforms can gather
information from the wire independent of Net/c/sflow via SPAN/tap etc.

Also Cisco are investors in Arbor and have incorporated Riverhead. The
Riverhead stuff is very good at dealing with anomalous traffic, and they
are also pushing MARS as some kind of anomaly detection solution.
I have also heard that there is some protocol anomlay detection in Cisco
IDS.

As a representative of Cisco Gary, perhaps you could let us all know
what Cisco's roadmap is for these supposedly competing products they
have invested in? I am confused!

On 7/19/05, Gary Halleen (ghalleen) <ghalleen@cisco.com> wrote:
> That list is handy, but incomplete.
>
> Cisco MARS should be added. MARS is a SIM product that receives log
> information from various sources (firewalls, routers, switches,
> IDS/IPS, host logs, antivirus, and more). It also receives netflow,
> and can provide very useful security-related information based on it.
>
> Gary
>
>
> -----Original Message-----
> From: Andy Cuff [mailto:lists@securitywizardry.com]
> Sent: Thursday, July 14, 2005 2:21 PM
> To: focus-ids@securityfocus.com
> Subject: NetFlow for IDS
>
>
> Netflow data offers a valuable source of IDS information. To this end
> Jeff Ames has detailed all known Netflow analysis tools on a single
> page at http://securitywizardry.com/protNetFlowA.htm
>
> As always please notify us of any omissions or errors
>
> Regards
> Andy Cuff
> Chief Technology Officer
> Computer Network Defence Ltd
> http://SecurityWizardry.com
> Phone (+44) (0) 7968 608945
>
>
>
>
> ----------------------------------------------------------------------
> --
> --
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from

> CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ----------------------------------------------------------------------
> --
> --
>
> ----------------------------------------------------------------------
> --
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from

> CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ----------------------------------------------------------------------
> --
>
>

On 7/19/05, Gary Halleen (ghalleen) <ghalleen@cisco.com> wrote:
> That list is handy, but incomplete.
>
> Cisco MARS should be added. MARS is a SIM product that receives log
> information from various sources (firewalls, routers, switches,
> IDS/IPS, host logs, antivirus, and more). It also receives netflow,
> and can provide very useful security-related information based on it.
>
> Gary
>
>
> -----Original Message-----
> From: Andy Cuff [mailto:lists@securitywizardry.com]
> Sent: Thursday, July 14, 2005 2:21 PM
> To: focus-ids@securityfocus.com
> Subject: NetFlow for IDS
>
>
> Netflow data offers a valuable source of IDS information. To this end
> Jeff Ames has detailed all known Netflow analysis tools on a single
> page at http://securitywizardry.com/protNetFlowA.htm
>
> As always please notify us of any omissions or errors
>
> Regards
> Andy Cuff
> Chief Technology Officer
> Computer Network Defence Ltd
> http://SecurityWizardry.com
> Phone (+44) (0) 7968 608945
>
>
>
>
> ----------------------------------------------------------------------
> --
> --
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from

> CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ----------------------------------------------------------------------
> --
> --
>
> ----------------------------------------------------------------------
> --
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from

> CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ----------------------------------------------------------------------
> --
>
>

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

• Previous message: Roland Dobbins: "Re: NetFlow for IDS"
• Maybe in reply to: Andy Cuff: "NetFlow for IDS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]