
Maximize Network Visibility with NetFlow Technology. Andy Wilson Senior Systems Engineer Lancope


Academic year: 2021


(1)

Maximize Network Visibility

with NetFlow Technology

Andy Wilson

(2)

Agenda

What is NetFlow

Introduction to NetFlow

NetFlow Examples

NetFlow in Action

Network Operations Use Case

Security Operations Use Case

PCI Compliance and Auditing Use Case

A Glimpse into the Power of NetFlow

10+ G Ethernet Environments

Virtual Environments

(3)
(4)

NetFlow vs. Traditional SNMP Monitoring

Traditional SNMP

(5)
(6)

NetFlow for the Network Team

[Diagram: NetFlow Packet (flow1, flow2, ...), StealthWatch Flow Collector, and the uses of flow data by team]

• Network Team: Interface utilization, Billing and chargeback, QOS monitoring, BGP ASN monitoring, MPLS visibility, Application troubleshooting

• Security Team: File sharing, Malware outbreak detection, Network acceptable use, Flow forensics, Data loss prevention

• Compliance and Auditing: PCI Compliance, HIPAA Compliance

(7)

NetFlow in Action: Network Operations

OldCastle APG

• Leading North American manufacturer of concrete masonry, lawn, garden and paving products and a regional leader in clay brick

• 206 Operating locations

• 7000+ employees

Challenge

• No way to visualize who or what was causing network slowdowns

• Internal IT staff using multiple tools in attempts to troubleshoot incidents

Solution

(8)

NetFlow Compliance and Auditing


(9)

NetFlow facilitates compliance with PCI DSS Requirements:

• Verifies actual network communications (1.1.2)

• Monitors services and ports in use (1.1.5)

• Determines when accounts are active and what they did during this activity (8.5.6)

• Audits access to anything on the network and ties activity to an individual user, including administrative accounts (10.1)

(10)

NetFlow in Action: PCI Compliance

AirTran Airways

• Fortune 1000 company

• Geographically dispersed network across the continental US

Challenge

• Required improved security and network management across the enterprise in accordance with Payment Card Industry (PCI) requirements

• Wanted greater network visibility and behavioral intrusion detection

• Ability to monitor a geographically dispersed network

Solution

(11)

NetFlow for the Security Team


(12)

Aurora HealthCare Network Overview

• Largest private employer in Wisconsin – over 27,000 employees

• 14 Hospitals

• Over 150 Clinics

• 200+ Pharmacies

Challenge

• Monitor a widely dispersed network without deploying administratively problematic and financially burdensome individual sensors throughout the network

• Needed complete visibility of the network – from the internal network to the clinics at the edge

• Monitor for zero-day attacks, viruses, Trojans, etc.

• Support for HIPAA Compliance

Solution

• Combining NetFlow & StealthWatch System

(13)

Visibility Lost Due to Emerging Tech

Emerging network technologies are outpacing traditional network monitoring techniques such as SNMP and SPAN/tap-based technology...

“Virtualization hides whole network segments from the network manager’s view, making VM2VM communication problems difficult to troubleshoot”

“MPLS and multi-point VPNs create a meshed WAN that’s expensive to monitor adequately”

“10G Ethernet is so fast few probe technologies can keep up and those that can are too expensive”

(14)

10G+ Ethernet

(15)

NetFlow in a 10G+ Ethernet Environment

“10G Ethernet is so fast few probe technologies can keep up and those that can are extremely expensive”

(16)

Virtualization

“Virtualization hides whole network segments from the network manager’s view, making VM2VM communication problems difficult to troubleshoot”

(17)

[Diagram: virtual machines (VMs) on a server connected by virtual switches; VM2VM traffic and the physical network; promiscuous capture; NetFlow v9]

NetFlow in the Virtual Environment

*** Cisco Nexus 1000v also supports NetFlow ***

(18)

MPLS and Multi-point VPNs

“MPLS and multi-point VPNs create a meshed WAN that’s expensive to monitor adequately”

traditional Ethernet

(21)

NetFlow Collection in the WAN

NetFlow Packet

Deploy a StealthWatch NetFlow collector at a central location and enable NetFlow at each remote site…

(22)

Quick Recap: Network Operations

Fully integrated view of network usage, performance, host integrity and user behavior

Diagnose Network congestion and provide root cause analysis of the problem causing response time delays

Visibility and Metrics for WAN Optimization

Real-time and Historical data to facilitate network performance monitoring, capacity planning and resource management

(23)

Quickly pinpoint zero-day and unknown threats that bypass perimeter security

Identify policy violations, unauthorized activity/applications, misconfigured hosts, and other rogue devices

Faster Incident Resolution & detailed Forensic data

Detection of DoS/DDoS attacks, Worms, Viruses and Botnets

Track and Audit network behavior and access by Individual Hosts

(24)

Quick Recap: PCI Compliance and Auditing

NetFlow Solutions supply organizations with the means to:

Continuously but passively monitor host behaviors, looking for deviations from normal processes

Tie individual users to internal network performance problems

Tie individual users to the introduction of security risks inside the internal network

Implement appropriate Network Controls and Policies

(25)

Thank You

Andy Wilson
