Welcome to the second in a three-part series on network behavior analysis through the eyes of Plixer International. The third and final part focused on network behavior analysis and DoS attacks. Additionally, you may also wish to review our first installment - Intrusion detection systems vs. network behavior analysis: Which do you need?
As a NetFlow and sFlow analysis vendor, Plixer with its Flow Analytics is making a play into the "deeper flow analysis market."
Hopefully, this Q & A with Plixer CEO Michael Patterson will provide us with a better understanding on what Plixer's Flow Analytics strategy is all about.
What is Flow Analytics and is it better than NBA (Network Behavior Analysis)?
It isn’t necessarily better, it is a different approach to flow analysis. Based on feedback from customers, we felt we could catch 90% of issues using a few behavior algorithms and then focus on specific areas.
Specifically, Flow Analytics focuses on collecting data across hundreds of routers and switches and displaying status windows on:
 |
Top hosts sending or receiving data |
|
Top hosts sending or receiving flows |
|
Top applications currently on the network |
|
Top hosts communicating back and forth on the network |
|
Volume of hosts communicating on the network (e.g. 23,000 unique hosts in the last 5 minutes) |
-----------------------------------
What do you mean by catching 90% of issues using a few behavior algorithms?
We started developing toward the NBA market initially. During our beta phase, it was exciting to see Scrutinizer catch SYN scans etc. that were currently underway on a customer’s network. Other times we noticed that some customer networks had few problems.
We are still shipping with features that continually tally all flows and help identify:
|
Suspicious NetBIOS-based services |
|
Unauthorized Application Deployments |
|
Poorly configured and unauthorized devices |
|
Zero-day worms, SYN Floods and DoS attacks |
|
P2P traffic, such as BitTorrent (even if encrypted) |
|
Unauthorized or incorrectly configured server activity |
|
Internal IP addresses communicating with known compromised internet hosts, view the long list |
Furthermore, we decided to start adding status windows on various things we could point out about the network across all routers and switches. Several of our customers have well over 500 routers and they want some high level information for management.
Below you can see a host having a conversation with 1 destination involving over 500 flows. Why so many unique connections? You can click and drill in for details and learn more about the behavior. We aren’t always alarming on these behaviors, that is why we call it Flow Analytics.
Do you think catching 90% of the issues is good enough?
 http://www.BradReese.Com |
Search 31,427 Cisco Job Openings
Post Cisco Network Engineer Jobs
View 1,595 items of Refurbished Cisco
Examine CCIE Resumes
Consider 697 Cisco Certified
Network Engineer Resumes
Brad Reese cofounded BradReese.Com Cisco Refurbished, which enables affordable Cisco networks globally by assuring customer satisfaction with guaranteed one year warranties on both Cisco Repair as well as Refurbished Cisco.
Don't be shy, contact Brad Reese online or call him Toll Free:
866-864-0506
International callers may wish to call Brad by dialing:
850-364-4115
The Leader in Network Knowledge
NBA Has Definite Promise - But Does it Hold Up in Practice?
While I might not completely agree with the slightly extreme stance of the jericho followers, I do think that we have focused far too much on just locking down our firewalls and getting better packet inspection and application layer firewalling when our biggest threats have remained behind our firewalls. I see NDA as a great step towards a more integrated approach that could combine a good perimeter firewall system with IPS capabilities, NAC for keeping infected or unauthorized hosts off the network to begin with, and then NBA as a final line of defense to help alert us when something sneaks through our other defenses. While I don't think any one of these technologies on their own makes a network secure, the combination of all, particularly if they are able to integrate and share information with each other, could be a great leap forward.
I do wonder how a third party vendor like Plixar could integrate their product to work with other vendor's firewalls and NAC solutions, though. As a network engineer, the idea of adding yet another separate system to my network to learn and manage is far less appealing than sticking with the same vendor for my security needs and getting some kind of centralized threat management. I'd like to hear more about any plans they might have for moving in that direction.
Re: NBA Has Definite Promise - But Does it Hold Up in Practice?
I think you show a great understanding of the separate levels of security that need to be addressed in an enterprise network.
Working with multiple vendors is both a boon and a bust because of the headaches involved with managing disparate systems. But, When locking in with one vendor for everything, you really never get "best of breed" solutions. Nobody in the network security arena does all these things well and that is unlikely to change due to the scope and breadth of today’s networks.
Plixer does provide centralized logging and alerting software that allows very flexible integration with 3rd party vendors. We are also very in tune with the integration needs of our customers and often design our software around their collective needs(what a concept!).
One of the things we are looking at is integrating with other 802.1x NAC solutions in order provide integration with those services. Another thing that can be done in the absence of the more “graceful” 802.1x protocol, is to automate port shutdown in cases of apparent attack. We can do this today.
The big question is how to quickly isolate zero day problems. This is where Flow Analytics and NBA start to come in particularly handy. The reason is because the number of vulnerabilities, coupled with easy to use toolkits for creating network havoc, make everything from the firewalls to antivirus almost moot. None of those things can isolate and stabilize a network core because perimeter and endpoint tools are looking for signatures or very specific patterns to work their magic. Netflow affords us a way to take a broader look at the behavior of a host, as opposed to the pattern your IDS might look for on a perimeter. As this viewpoint matures, and netflow’s place in this area gels, you will see greater interoperability with the rest of your toolset.