
How to Implement Internal Flow Forensics  


June 7, 2012

Was there a large download from the database server last night? Are workstations connecting to servers after hours? Are internal hosts scanning or spamming your network? Are any systems randomly mounting and unmounting network shares?

How can you answer these sorts of questions?

For years, customers have used FlowTraq to perform flow forensics on the traffic that crosses the borders of their network. But recently we have noticed a strong trend towards flow forensics on the internal network.

It is impossible to answer the above questions by monitoring the ISP uplink alone, so more and more FlowTraq customers are including their internal networks in their data collection. To answer questions like these it is important to expand your visibility *into* your borders.
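Once flow records from the core switches are available, the questions at the top of this post reduce to simple aggregations over the flow tuples. The following is an added illustration, not FlowTraq code: it runs three such checks over a small set of constructed flow records (the address ranges, the database server address and the thresholds are assumptions).

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample flow records, not real FlowTraq output. Each entry mimics the
# fields a NetFlow/IPFIX exporter on a core switch would deliver:
# (start time, source IP, destination IP, destination port, bytes from dst to src).
FLOWS = [
    ("2012-06-06 02:13:00", "10.0.5.20", "10.0.1.10", 1433, 1_800_000_000),  # 2 AM DB pull
    ("2012-06-06 10:05:00", "10.0.5.21", "10.0.1.10", 1433, 40_000),         # normal query
    ("2012-06-06 23:40:00", "10.0.5.22", "10.0.1.11", 445, 12_000),          # late SMB
    ("2012-06-06 23:41:00", "10.0.5.22", "10.0.1.12", 445, 9_000),           # late SMB
    ("2012-06-06 11:00:00", "10.0.5.23", "10.0.1.11", 445, 500_000),         # daytime SMB
] + [  # one workstation touching 30 hosts on the same port: a sweep
    ("2012-06-06 12:00:%02d" % i, "10.0.5.30", "10.0.2.%d" % i, 22, 60) for i in range(30)
]

WORKSTATIONS = ip_network("10.0.5.0/24")  # assumed address plan
SERVERS = ip_network("10.0.1.0/24")       # assumed address plan
DB_SERVER = "10.0.1.10"                   # assumed database server

def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour

def large_downloads(flows, server, min_bytes=1_000_000_000):
    """Total bytes pulled from `server` per client; report clients over min_bytes."""
    per_client = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if dst == server:
            per_client[src] += nbytes
    return {c: b for c, b in per_client.items() if b >= min_bytes}

def after_hours_connections(flows, business_start=7, business_end=18):
    """Workstations that opened flows to servers outside business hours."""
    return sorted({src for ts, src, dst, _, _ in flows
                   if ip_address(src) in WORKSTATIONS and ip_address(dst) in SERVERS
                   and not (business_start <= _hour(ts) < business_end)})

def scanners(flows, min_targets=20):
    """Sources that contacted an unusually large number of distinct hosts."""
    targets = defaultdict(set)
    for _, src, dst, _, _ in flows:
        targets[src].add(dst)
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    print("large downloads from DB:", large_downloads(FLOWS, DB_SERVER))
    print("after-hours workstations:", after_hours_connections(FLOWS))
    print("likely scanners:", scanners(FLOWS))
```

Note that the after-hours and scanner checks depend only on the 5-tuple and timestamps, which is why flows from the core, rather than from the ISP uplink, are what make them possible.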

Internal systems can be used as stepping stones by attackers, and trusted internal users may have less-than-honorable intentions. Sensitive records can be downloaded to a local workstation, written to a USB drive, or simply printed out, without ever crossing the network border to the ISP. Similarly, a compromised host can be used to mount open network shares and browse, or even modify, sensitive documents. None of this activity is visible when only monitoring the connection to the ISP.

Adding internal network visibility to your FlowTraq installation can be as easy as enabling NetFlow on your core switches. Often it is also useful to install Flow Exporter, our software IPFIX exporter, on your key servers, and get complete visibility into your traffic.

It is not uncommon, however, to see substantially higher volumes of traffic inside the network than what traverses the border. Many organizations have 10Gbps switches deployed at the network core, and these switches do not have sufficient CPU power or memory to accurately track all flows at peak bandwidth. After all, their primary job is switching packets, not maintaining connection state. This means many flows will not get exported, packets will be dropped, and your switches won't be switching at full capacity.

Simply capturing packets with a 10Gbps NIC is fraught with problems (see "The 10Gbps Challenge") and will not get you the performance you would expect. To solve this problem for our customers, we took a key part of our FlowTraq software and optimized it for the specialized Tilera processors. This integration allows you to capture multiple 10Gbps links without drops, without burdening your switchgear, and without slowing down your network. You can have full flow forensics on your busy 10Gbps core with FlowTraq.

Last month at Interop Las Vegas we demonstrated a FlowTraq-on-Tilera system that was processing 20Gbps of traffic for 3 days without a single interruption. This means you can figure out who is downloading your database, who is scanning your internal network, and who is stealing, exfiltrating, and modifying your files, even as your network grows to 20, 40, and 80 Gbps.

To learn more, contact FlowTraq today.
