The benefits of monitoring SPAN and Netflow

[deanwebb]

In security, you want information. You then want to analyze that information to see what it means. Based on the meanings gathered, you want to take appropriate actions.

With those thoughts in mind, I want to look at SPAN and Netflow data. When you know about a particular threat that uses a particular port, you want to examine your SPAN and Netflow information for evidence of connections to/from that particular port. When you see that evidence, you then need to execute actions appropriate to eliminating that threat.

For example, there is a Cisco vulnerability on TCP 4786. If you see traffic in your network trying to use that port, you may have someone trying to exploit that vulnerability. If the source of the traffic is internal, you may be dealing with a box that is itself compromised: examine that box to see what external connections it maintains. You will then want to see if other boxes have similar external connections. If the source of the traffic is external, you will want to block that traffic at the firewall - and you'll also want to block those external connections from the other example.

And if that traffic is blocked at the firewall but you still see it in the SPAN and Netflow, then you need to follow that traffic back to the path it's taking *around* your perimeter firewalls. Keep checking because you may have multiple unauthorized Internet connection points in your organization.

[Otanx]

This is also why you need a good list of what ports and protocols are authorized on your network. Maybe you are using Smart Install (TCP/4786) so you would see that traffic, but if you know that the server at IP 10.10.10.10 is authorized for that traffic you can filter that out.

-Otanx

[icecream-guy]

and you need something to process, index, graph, and make sense of all that information.

so when your 10G link suddenly goes from 4GB to 8GB, click a few buttons and know why.