The benefits of monitoring SPAN and Netflow

Started by deanwebb, April 12, 2018, 12:47:35 PM


deanwebb

In security, you want information. You then want to analyze that information to see what it means. Based on the meanings gathered, you want to take appropriate actions.

With those thoughts in mind, I want to look at SPAN and Netflow data. When you know about a particular threat that uses a particular port, you want to examine your SPAN and Netflow information for evidence of connections to/from that particular port. When you see that evidence, you then need to execute actions appropriate to eliminating that threat.

For example, there is a Cisco vulnerability on TCP 4786. If you see traffic in your network trying to use that port, you may have someone trying to exploit that vulnerability. If the source of the traffic is internal, you may be dealing with a box that is itself compromised: examine that box to see what external connections it maintains. You will then want to see if other boxes have similar external connections. If the source of the traffic is external, you will want to block that traffic at the firewall - and you'll also want to block those external connections from the other example.

And if that traffic is blocked at the firewall but you still see it in the SPAN and Netflow, then you need to follow that traffic back to the path it's taking *around* your perimeter firewalls. Keep checking because you may have multiple unauthorized Internet connection points in your organization.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

This is also why you need a good list of what ports and protocols are authorized on your network. Maybe you are using Smart Install (TCP/4786), so you would see that traffic, but if you know that the server at IP 10.10.10.10 is authorized for that traffic, you can filter that out.

-Otanx
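The procedure in the two posts above, written out as an added example that is not code from this thread: hunt NetFlow records for TCP/4786 (the Smart Install port), drop flows from a host that is authorized to use it (10.10.10.10, as in Otanx's example), tag the remaining sources as internal or external, pivot from a suspect internal source to the external addresses it talks to and to other internal hosts sharing those peers, and list any flows from sources the perimeter firewall is supposed to block, with the exporter that saw them so the path around the firewall can be traced. The CSV layout, exporter names, the private-range definition of "internal", the addresses, and the blocked-source list are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real captures). Fields are a subset of a
# NetFlow v5 export as a hypothetical collector might dump them to CSV:
# exporter, src_ip, src_port, dst_ip, dst_port, proto, bytes
SAMPLE_FLOWS = """\
core-rtr-1,203.0.113.7,51234,10.10.20.5,4786,6,600
core-rtr-1,10.10.10.10,52000,10.10.20.5,4786,6,1200
core-rtr-1,10.10.30.77,41000,10.10.20.9,4786,6,700
core-rtr-1,10.10.30.77,41001,198.51.100.23,443,6,90000
core-rtr-1,10.10.40.12,41002,198.51.100.23,443,6,50000
core-rtr-1,10.10.40.12,41003,10.10.20.11,22,6,3000
branch-rtr-7,203.0.113.7,51300,10.10.20.9,4786,6,600
"""

# Assumption: "internal" means RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AUTHORIZED_SOURCES = {"10.10.10.10"}   # hosts allowed to speak Smart Install (assumed)
WATCH_PORT = 4786                      # TCP/4786, Cisco Smart Install
PROTO_TCP = 6
# Assumption: the perimeter firewall already denies these external sources.
FIREWALL_BLOCKED_SOURCES = {"203.0.113.7"}


def parse_flows(text):
    """Turn the CSV dump into a list of dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        exporter, src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append({"exporter": exporter, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": int(proto),
                      "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt_port(flows, port=WATCH_PORT, authorized=AUTHORIZED_SOURCES):
    """TCP flows to the watched port from sources not on the allow-list,
    tagged by whether the source sits inside or outside the network."""
    hits = []
    for f in flows:
        if f["proto"] != PROTO_TCP or f["dport"] != port or f["src"] in authorized:
            continue
        hits.append({"src": f["src"], "dst": f["dst"], "exporter": f["exporter"],
                     "origin": "internal" if is_internal(f["src"]) else "external"})
    return hits


def external_peers(flows, suspects):
    """Pivot step: external addresses each suspect internal host talks to."""
    peers = defaultdict(set)
    for f in flows:
        if f["src"] in suspects and not is_internal(f["dst"]):
            peers[f["src"]].add(f["dst"])
    return dict(peers)


def hosts_sharing_peers(flows, peer_ips, exclude):
    """Other internal hosts that connect to the same external addresses."""
    return {f["src"] for f in flows
            if f["dst"] in peer_ips and f["src"] not in exclude and is_internal(f["src"])}


def leaks_past_firewall(flows, blocked=FIREWALL_BLOCKED_SOURCES):
    """Flows from sources the firewall should drop. If they still appear in
    NetFlow they are entering by some other path; the exporter that saw each
    one is the place to start tracing that path."""
    return sorted({(f["src"], f["exporter"]) for f in flows if f["src"] in blocked})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    hits = hunt_port(flows)
    for h in hits:
        print(f"TCP/{WATCH_PORT} from {h['origin']} source {h['src']} -> {h['dst']} "
              f"(seen on {h['exporter']})")
    suspects = {h["src"] for h in hits if h["origin"] == "internal"}
    peers = external_peers(flows, suspects)
    for host, ext in peers.items():
        print(f"{host} talks to external {sorted(ext)}")
        print(f"  other hosts with the same peers: "
              f"{sorted(hosts_sharing_peers(flows, ext, suspects))}")
    for src, exporter in leaks_past_firewall(flows):
        print(f"blocked source {src} still seen on {exporter}: find the path around the firewall")
```

Run on the sample, the hunt returns three flows (two from an external address, one from 10.10.30.77 internally), the pivot shows 10.10.30.77 and 10.10.40.12 both talking to 198.51.100.23, and the supposedly blocked 203.0.113.7 turns up on both routers, including branch-rtr-7, which is where you would start looking for the unauthorized Internet connection.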

icecream-guy

And you need something to process, index, graph, and make sense of all that information.

So when your 10G link suddenly goes from 4GB to 8GB, click a few buttons and know why.

My Moral Fibers have been cut.