Skip Links

Network World

Brad Reese

NetFlow analytics vs. network behavior analysis

By Brad Reese on Wed, 09/10/08 - 7:55pm.
Newsletter Signup

Welcome to the second in a three-part series on network behavior analysis through the eyes of Plixer International. The third and final part focused on network behavior analysis and DoS attacks. Additionally, you may also wish to review our first installment - Intrusion detection systems vs. network behavior analysis: Which do you need?

As a NetFlow and sFlow analysis vendor, Plixer with its Flow Analytics is making a play into the "deeper flow analysis market."

Flow Analytics with Network Behavior Analysis (NBA)

Hopefully, this Q&A with Plixer CEO Michael Patterson will provide us with a better understanding on what Plixer's Flow Analytics strategy is all about.

What is Flow Analytics and is it better than NBA (Network Behavior Analysis)?

It isn’t necessarily better, it is a different approach to flow analysis. Based on feedback from customers, we felt we could catch 90% of issues using a few behavior algorithms and then focus on specific areas.

Specifically, Flow Analytics focuses on collecting data across hundreds of routers and switches and displaying status windows on:

Top hosts sending or receiving data
Top hosts sending or receiving flows
Top applications currently on the network
Top hosts communicating back and forth on the network
Volume of hosts communicating on the network (e.g. 23,000 unique hosts in the last 5 minutes)

-----------------------------------

What do you mean by catching 90% of issues using a few behavior algorithms?

We started developing toward the NBA market initially. During our beta phase, it was exciting to see Scrutinizer catch SYN scans etc. that were currently underway on a customer’s network. Other times we noticed that some customer networks had few problems.

We are still shipping with features that continually tally all flows and help identify:

Suspicious NetBIOS-based services
Unauthorized Application Deployments
Poorly configured and unauthorized devices
Zero-day worms, SYN Floods and DoS attacks
P2P traffic, such as BitTorrent (even if encrypted)
Unauthorized or incorrectly configured server activity
Internal IP addresses communicating with known compromised internet hosts, view the long list

Furthermore, we decided to start adding status windows on various things we could point out about the network across all routers and switches. Several of our customers have well over 500 routers and they want some high level information for management.

Below you can see a host having a conversation with 1 destination involving over 500 flows. Why so many unique connections? You can click and drill in for details and learn more about the behavior. We aren’t always alarming on these behaviors, that is why we call it Flow Analytics.

Flow Analytics Screenshot

Do you think catching 90% of the issues is good enough?

Contact Brad Reese
http://www.BradReese.Com

Search 31,427 Cisco Job Openings

Post Cisco Network Engineer Jobs

View 1,595 items of Refurbished Cisco

Examine CCIE Resumes

Consider 697 Cisco Certified
Network Engineer Resumes

  
Brad's Favorite Top 5 Picks
# 1. Cisco Tools
# 2. Cisco vs. Competitor Lab Tests
# 3. Cisco Engineering Support Directory
# 4. Cisco Repair and Hardware Troubleshooting
# 5. Cisco Product Quick Reference Guides, CPQRGs
Brad Reese on Cisco Story Archives Brad Reese on Cisco Story Archives

Cisco Jobs

Cisco Resumes

2008 Cisco Salary Rates

Nine Year Worldwide CCIE Count
  

NBA Has Definite Promise - But Does it Hold Up in Practice?

0
By Redwarrior (not verified) on Thu, 09/11/2008 - 1:25pm.

While I might not completely agree with the slightly extreme stance of the jericho followers, I do think that we have focused far too much on just locking down our firewalls and getting better packet inspection and application layer firewalling when our biggest threats have remained behind our firewalls. I see NDA as a great step towards a more integrated approach that could combine a good perimeter firewall system with IPS capabilities, NAC for keeping infected or unauthorized hosts off the network to begin with, and then NBA as a final line of defense to help alert us when something sneaks through our other defenses. While I don't think any one of these technologies on their own makes a network secure, the combination of all, particularly if they are able to integrate and share information with each other, could be a great leap forward.

I do wonder how a third party vendor like Plixar could integrate their product to work with other vendor's firewalls and NAC solutions, though. As a network engineer, the idea of adding yet another separate system to my network to learn and manage is far less appealing than sticking with the same vendor for my security needs and getting some kind of centralized threat management. I'd like to hear more about any plans they might have for moving in that direction.

Re: NBA Has Definite Promise - But Does it Hold Up in Practice?

0
By Mike Krygeris (not verified) on Thu, 09/11/2008 - 7:07pm.

I think you show a great understanding of the separate levels of security that need to be addressed in an enterprise network.
Working with multiple vendors is both a boon and a bust because of the headaches involved with managing disparate systems. But, When locking in with one vendor for everything, you really never get "best of breed" solutions. Nobody in the network security arena does all these things well and that is unlikely to change due to the scope and breadth of today’s networks.
Plixer does provide centralized logging and alerting software that allows very flexible integration with 3rd party vendors. We are also very in tune with the integration needs of our customers and often design our software around their collective needs(what a concept!).

One of the things we are looking at is integrating with other 802.1x NAC solutions in order provide integration with those services. Another thing that can be done in the absence of the more “graceful” 802.1x protocol, is to automate port shutdown in cases of apparent attack. We can do this today.

The big question is how to quickly isolate zero day problems. This is where Flow Analytics and NBA start to come in particularly handy. The reason is because the number of vulnerabilities, coupled with easy to use toolkits for creating network havoc, make everything from the firewalls to antivirus almost moot. None of those things can isolate and stabilize a network core because perimeter and endpoint tools are looking for signatures or very specific patterns to work their magic. Netflow affords us a way to take a broader look at the behavior of a host, as opposed to the pattern your IDS might look for on a perimeter. As this viewpoint matures, and netflow’s place in this area gels, you will see greater interoperability with the rest of your toolset.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • You can use BBCode tags in the text.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <p> <strong> <i> <br /> <br> <ul> <ol> <li> <dl> <dt> <dd> <blockquote>

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Welcome, visitor. Register Log in
Advertisement:
About Brad Reese on Cisco

Brad Reese cofounded BradReese.Com Cisco Refurbished which offers one year warranties on Cisco Refurbished and Cisco Repair.

Contact Brad Reese

Archives
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
Categories
A government official in possession of a large corporate stockholding while that corporation is subject to administrative rulings by that same government official
After contacting Cisco
Agito adds that its enterprise fixed mobile convergence (eFMC) platform enables low-cost in-building voice coverage
Agito introduced Agito for BlackBerry
Agito's BlackBerry smart phone functionality for Cisco VoIP
Agito's RIM BlackBerry support announcement
Americas Vice President and General Manager of HP ProCurve - Karl Soderlund
An assortment of communications companies
Andreessen plans to watch what companies Cisco acquires
Andreessen sees as the next market transition
As a matter of Cisco policy
Back in April the CCIE Security track changed
Black Hat attack on Cisco's network admission control (NAC)
Boas also led an educational session at the Gartner Security Summit
Boas shares his insight on the most prevalent threats to the enterprise network
Bragging about Cisco's ability to catch market transitions
Brings enterprise VoIP over WiFi for dual-mode BlackBerry smartphones
But neither felt it as bad as Cisco did
Can Cisco VARs profitably match HP ProCurve pricing on a deal-by-deal basis?
Careers
Chairman and CEO of Cisco China - Jim Sherriff
Cisco
Cisco CEO John Chambers has never been shy
Cisco Chief Technology Officer Padmasree Warrior
Cisco NAC design flaws that the folks at Black Hat so alarmingly described
Cisco VARs no longer have enough margin left to profitably match HP ProCurve pricing
Cisco customer a discount
Cisco has held this share position since CY02
Cisco has produced a new CCIE count
Cisco is celebrating its 25th anniversary this year
Cisco is the revenue-leading vendor overall with 38% of total network security appliances and software in 1Q09 (down 2.8 points from 4Q08)
Cisco might do very well with the Flip
Cisco offer price-matching discounts to existing customers in order to equal ProCurve prices
Cisco only counts your CCIE number once
Cisco released its new worldwide CCIE count
Cisco's executive biographies web page
Cisco's loss of market share has in itself become the networking industry's newest market transition
Compromised the Cisco agent installed on the end system
Confirmation testimony before the U.S. Senate noteworthy
Customer-proven best practices of network access control (NAC)
Data Center
Didn’t RIM already support voice over WiFi?
Doesn’t RIM’s Ascendent acquisition give them this?
Douglas Gourlay - Vice President of Cisco Data Center Solutions
Douglas Gourlay is as sharp as a tack and one of the most impressive people I've ever had the honor of collaborating with on Cisco stories
Dual CCIE #18532 Routing and Switching/Security - George Morton
Dual-mode BlackBerry smartphones
Enables BlackBerry to be integrated into corporate PBXs and Unified Communications systems
Enterasys NAC is agent-less assessment based on a network scan
Enterasys security expert Dennis Boas
Enterasys uses multiple criteria beyond end system health assessment to assign and limit access granted to an end system
Enterprise concerns about the financial and management aspects of NAC
Enterprises that have standardized on the BlackBerry platform
Exactly what's causing everybody to quack?
Famous networking industry journalist
Flexible options with Enterasys NAC
Flip video below of Chambers' doing his quacks
Flip video of Cisco CEO John Chambers performing his duck quacks
Further details on why Cisco has lost market share in network security
Gourlay was featured just 7 days earlier in the Cisco Data Center Networks blog story
Gourlay's office is located at Cisco's nearby headquarters in San Jose
HP ProCurve continues to win business and gain market share
HP ProCurve is calling the shots now
HP ProCurve is whacking Cisco in its most vulnerable spot
HP ProCurve pricing on a deal-by-deal
HP ProCurve will take 20% off its list price
Half the smartphones in use in the US today are BlackBerry devices
Hogtied by Cisco's new committee culture
How Cisco was working overtime AGAINST the Buy America provisions of the $7.2B broadband stimulus fund
I can still see those wishing to cash out selling to Cisco
I have worked for a handful of telecommunications companies of varying sizes
I voted for President Obama seeking change
If you trade-in your Cisco equipment
Independent companies operating in Silicon Valley able to out innovate Cisco
Interesting CCIE news from around the world
Is Cisco likely to innovate? No
Its been proven that a government official can be bribed with free dinners
Jeff Wilson - network security analyst at Infonetics Research
Joel Bion - Senior Vice President of Cisco's Product Resiliency Research
Juniper and Check Point are second and third with 10.4% and 9.5% respectively
LANs / WANs
Larry Strickling is confirmed as the new Administrator of the National Telecommunications and Information Administration (NTIA)
Last month Cisco missed the multiple CCIE numbers
Made by Strickling during his March 19
Manny Rivelo - Senior Vice President of Cisco's Development Organization
May 2009 vs. June 2009 Worldwide CCIE Count Comparison
Mobile features integrated into the BlackBerry
My previous government service at the FCC provide me a unique background for the position of Assistant Secretary
My source suggested Gourlay had left Cisco
Network security vendor Enterasys
Not only among the Cisco workforce
Not too many senior executives are around from Cisco's early days
Now it appears the Internet is quacking too
Omitted the years of Cisco service for both John Morgridge and Richard Justice because they are no longer full-time Cisco executives
Only 66% of all applicants who passed were for the CCIE Router and Switch track
Only one CCIE is a member of Cisco's 59 strong senior executive team
Out innovate Cisco simply because they have no desire to be acquired
Pacific Rim CCIE numbers didn't change over the last 39 days
Pejman Roshan - Chief Marketing Officer of enterprise fixed mobile convergence (eFMC) vendor Agito Networks
Ponemon Institute reported
Post a comment to Cisco's blog that contains a link to your duck quacking video
ProCurve wants to make all Cisco customers aware of this offer
ProCurve’s momentum and market share gains
R & S + Security this year as the most popular dual CCIE track
R & S + Service Provider was 49% of the successful attempts for dual CCIE
RIM offers only data services over WiFi on their dual-mode smartphones
Responsible for Cisco's IOS Software
SMB
Security
Security mechanisms are used to validate the integrity and authenticity of the Enterasys agent for all server/agent communications
Security sales will come back for Cisco
Showed that Stickling owned a large Cisco stock position
So we had 251 new CCIEs
Subject of Cisco's senior executive team came up
The CEO of Cisco quacked
The Cisco workforce quacked
The IOS 12.4 track with ISR routers is slowing down the Security CCIE track
The National Telecommunications and Information Administration (NTIA) granted Cisco its coveted Buy American Exception
The average tenure would be of the 61 executives listed on Cisco's Mount Rushmore
The best duck call will win a new Flip Mino HD from John Chambers
The change in the CCIE Security track has had a major impact on new security CCIEs
Tremendous benefits HP ProCurve provides by offering the best value
VoIP / Convergence
We build our culture at Cisco around catching market transitions
We can confirm that Doug Gourlay is no longer with Cisco and we wish him well in his future endeavors
We're also now starting to see the CCIE Wireless track
We've experienced a new low for CCIE Security track
What exactly has Agito Networks announced this week?
What's your take on the implications of the new worldwide Cisco CCIE count?
What's your take on why Douglas Gourlay left Cisco and where do you think he will land?
Which had Gourlay inviting guests to Cisco Live in the following video
Which video quacks you up the most?
While Cisco salivates over 30 to 50 new market adjacencies
Why does Cisco lack pricing flexibility?
Why is cellular-only PBX and UC integration incomplete?
Why the Enterasys NAC solution is doing so well
Why the Enterasys NAC solution is in such high demand
Wireless / Mobile
Without ducking my question
Would you back the technology vision of Marc Andreessen
You too will understand why duck quacking has become such an overnight sensation
On The Web
Twitter