Skip Links

Network World

Brad Reese

NetFlow analytics vs. network behavior analysis

Q & A with Plixer CEO Michael Patterson.

By Brad Reese on Wed, 09/10/08 - 7:55pm.

Welcome to the second in a three-part series on network behavior analysis through the eyes of Plixer International. The third and final part focused on network behavior analysis and DoS attacks. Additionally, you may also wish to review our first installment - Intrusion detection systems vs. network behavior analysis: Which do you need?

As a NetFlow and sFlow analysis vendor, Plixer with its Flow Analytics is making a play into the "deeper flow analysis market."

Flow Analytics with Network Behavior Analysis (NBA)

Hopefully, this Q & A with Plixer CEO Michael Patterson will provide us with a better understanding on what Plixer's Flow Analytics strategy is all about.

What is Flow Analytics and is it better than NBA (Network Behavior Analysis)?

It isn’t necessarily better, it is a different approach to flow analysis. Based on feedback from customers, we felt we could catch 90% of issues using a few behavior algorithms and then focus on specific areas.

Specifically, Flow Analytics focuses on collecting data across hundreds of routers and switches and displaying status windows on:

Top hosts sending or receiving data
Top hosts sending or receiving flows
Top applications currently on the network
Top hosts communicating back and forth on the network
Volume of hosts communicating on the network (e.g. 23,000 unique hosts in the last 5 minutes)

-----------------------------------

What do you mean by catching 90% of issues using a few behavior algorithms?

We started developing toward the NBA market initially. During our beta phase, it was exciting to see Scrutinizer catch SYN scans etc. that were currently underway on a customer’s network. Other times we noticed that some customer networks had few problems.

We are still shipping with features that continually tally all flows and help identify:

Suspicious NetBIOS-based services
Unauthorized Application Deployments
Poorly configured and unauthorized devices
Zero-day worms, SYN Floods and DoS attacks
P2P traffic, such as BitTorrent (even if encrypted)
Unauthorized or incorrectly configured server activity
Internal IP addresses communicating with known compromised internet hosts, view the long list

Furthermore, we decided to start adding status windows on various things we could point out about the network across all routers and switches. Several of our customers have well over 500 routers and they want some high level information for management.

Below you can see a host having a conversation with 1 destination involving over 500 flows. Why so many unique connections? You can click and drill in for details and learn more about the behavior. We aren’t always alarming on these behaviors, that is why we call it Flow Analytics.

Flow Analytics Screenshot

Do you think catching 90% of the issues is good enough?

Contact Brad Reese
http://www.BradReese.Com

Search 31,427 Cisco Job Openings

Post Cisco Network Engineer Jobs

View 1,595 items of Refurbished Cisco

Examine CCIE Resumes

Consider 697 Cisco Certified
Network Engineer Resumes

  
Brad's Favorite Top 5 Picks
# 1. Cisco Tools
# 2. Cisco vs. Competitor Lab Tests
# 3. Cisco Engineering Support Directory
# 4. Cisco Repair and Hardware Troubleshooting
# 5. Cisco Product Quick Reference Guides, CPQRGs
Brad Reese on Cisco Story Archives Brad Reese on Cisco Story Archives

Cisco Jobs

Cisco Resumes

2008 Cisco Salary Rates

Nine Year Worldwide CCIE Count
  

NBA Has Definite Promise - But Does it Hold Up in Practice?

0
By Redwarrior (not verified) on Thu, 09/11/2008 - 12:25pm.

While I might not completely agree with the slightly extreme stance of the jericho followers, I do think that we have focused far too much on just locking down our firewalls and getting better packet inspection and application layer firewalling when our biggest threats have remained behind our firewalls. I see NDA as a great step towards a more integrated approach that could combine a good perimeter firewall system with IPS capabilities, NAC for keeping infected or unauthorized hosts off the network to begin with, and then NBA as a final line of defense to help alert us when something sneaks through our other defenses. While I don't think any one of these technologies on their own makes a network secure, the combination of all, particularly if they are able to integrate and share information with each other, could be a great leap forward.

I do wonder how a third party vendor like Plixar could integrate their product to work with other vendor's firewalls and NAC solutions, though. As a network engineer, the idea of adding yet another separate system to my network to learn and manage is far less appealing than sticking with the same vendor for my security needs and getting some kind of centralized threat management. I'd like to hear more about any plans they might have for moving in that direction.

Re: NBA Has Definite Promise - But Does it Hold Up in Practice?

0
By Mike Krygeris (not verified) on Thu, 09/11/2008 - 6:07pm.

I think you show a great understanding of the separate levels of security that need to be addressed in an enterprise network.
Working with multiple vendors is both a boon and a bust because of the headaches involved with managing disparate systems. But, When locking in with one vendor for everything, you really never get "best of breed" solutions. Nobody in the network security arena does all these things well and that is unlikely to change due to the scope and breadth of today’s networks.
Plixer does provide centralized logging and alerting software that allows very flexible integration with 3rd party vendors. We are also very in tune with the integration needs of our customers and often design our software around their collective needs(what a concept!).

One of the things we are looking at is integrating with other 802.1x NAC solutions in order provide integration with those services. Another thing that can be done in the absence of the more “graceful” 802.1x protocol, is to automate port shutdown in cases of apparent attack. We can do this today.

The big question is how to quickly isolate zero day problems. This is where Flow Analytics and NBA start to come in particularly handy. The reason is because the number of vulnerabilities, coupled with easy to use toolkits for creating network havoc, make everything from the firewalls to antivirus almost moot. None of those things can isolate and stabilize a network core because perimeter and endpoint tools are looking for signatures or very specific patterns to work their magic. Netflow affords us a way to take a broader look at the behavior of a host, as opposed to the pattern your IDS might look for on a perimeter. As this viewpoint matures, and netflow’s place in this area gels, you will see greater interoperability with the rest of your toolset.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Welcome, visitor. Register Log in
About Brad Reese on Cisco

Brad Reese cofounded BradReese.Com Cisco Refurbished, which enables affordable networks globally by assuring customer satisfaction with guaranteed one year warranties on both Cisco Repair as well as Refurbished Cisco.

Don't be shy, contact Brad Reese online or call him Toll Free:

866-864-0506

International callers may wish to call Brad by dialing:

850-364-4115

Archives
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
Categories
A classic scam to defraud Cisco's SMARTnet program
America's Best profile written by Useem regarding Chambers' success
Avian Securities Senior Telecom Research Analyst - Catharine Trebnick
Breakingviews.com correspondent - Robert Cyran
CCIE
Careers
Charlie Giancarlo - Managing Director of Silver Lake Partners and Skype investor
Cisco
Cisco ASR 9000 architecture
Cisco ISR G2 Module Support
Cisco Integrated Services Router Generation 2 (ISR G2) Model Comparison
Cisco Integrated Services Routers Generation 2 Portfolio
Cisco Unified Communications Support for Microsoft Windows 7
Cisco is pushing their ASR 9000 at very competitive prices
Cisco is warning Unified Communications customers about NOT successfully offering support for Microsoft Windows 7
Cisco technical star Jonathan Rosenberg
Cisco will have no liability for any delay in delivery
Data Center
Douglas Smith - Cofounder and President of Network Instruments
Expand visibility of NetFlow-dependent NBAD and compliance applications
GigaStor captures and converts packets in NetFlow data flows
Index Venture partner Danny Rimer
Jonathan Rosenberg - a Cisco Fellow in Cisco's Voice Technology Group
Juniper MX960 lab test results
LANs / WANs
Mark Roberts - Polycom vice president of partner marketing
Michael Useem - Professor of Management
Microsoft
NetFlow
NetFlow add-ons
NetFlow overhead can overtax infrastructure
Network Behavior Anomaly Detection (NBAD)
Network Management
Non-NetFlow capable devices are blind to local traffic
Produce NetFlow about any device
SMB
Security
Selection committee member for America's Best Leaders
September 2009 vs. October 2009 Worldwide CCIE Count Comparison
Silver Lake Managing Director - Egon Durban
Skype's cofounders Niklas Zennstrom and Janus Friis
Software
The Charlie angle is to keep Dave Roux on track
The new Cisco ISR G2 portfolio is priced as follows
VoIP / Convergence
What are the benefits of GigaStor NetFlow Agent?
What’s new on the Cisco ISR G2 models vs. the old ISR models?
Windows 7
Windows 7 just not worth an all-out urgent effort by Cisco to support
Wireless / Mobile
eBay CEO - John Donahoe
sFlow
sFlow and NetFlow provides extended visibility
On The Web
Twitter