
Tenable Blog


Direct Sniffing or Netflow

When deploying the Log Correlation Engine (LCE), Tenable's support group often is asked which is better for network monitoring: using netflow from a router or performing some sort of direct network monitoring. This blog entry will help users choose a strategy and discuss some of the technical and political aspects associated.

Netflow and Direct Sniffing

If you only have access to one of netflow or direct network sniffing, your monitoring is not lacking simply because you use one rather than the other.

Both of Tenable's LCE agents, the Tenable Network Monitor (TNM) and the Tenable Netflow Monitor (TFM), produce a record of each network session. This record includes the ports, the source and destination IP addresses and the total number of bytes transferred. Each of these records is consumed by the LCE for normalization, statistical profiling and event correlation by many different TASL scripts.

There are minor differences between the TFM and the TNM. The TNM uses the libpcap library and can accept any type of valid "pcap" packet filter. The TFM also performs filtering, but it is not as sophisticated as the TNM. The TFM, as of release 2.0.2, also differentiates client and server bandwidth, whereas the TNM logs aggregate bandwidth for each session.

The TFM is available for RedHat ES3 and ES4 and it can receive netflow records from multiple sources. The TNM is available for RedHat ES3, Fedora and FreeBSD, and must be deployed on a system that has a network interface exposed to network traffic.

Leveraging "Sniffing Platforms"

If you have deployed the Passive Vulnerability Scanner (PVS) on RedHat ES3 or ES4, you should consider deploying the TNM on the same system. Tenable has monitored many large networks with servers that ran both the PVS and the TNM with very good results. Compared to the PVS, the performance requirements of the TNM are negligible.

If your organization has deployed UNIX-based NIDS such as Snort, Dragon or Bro, or dedicated network monitoring applications such as TCPDUMP or NTOP, those systems are also candidates for hosting the TNM.

Leveraging Netflow

The TFM supports netflow records (version 5 and 9) from Cisco devices. A single TFM can accept records from multiple devices.

Since netflow is a UDP based protocol, any CPU contention at the TFM or network congestion between the routers and the TFM could cause some session loss. The TFM does have logic to reconstruct full session data if some netflow records have been missed.

The Business Case for Network Monitoring

As a security auditor or network security monitor, considering network sessions alongside system logs and NIDS events is relevant for a variety of "compliance violation" and "compromise alerting" activities.

If the organization providing access to the network (such as a routing, infrastructure or backbone group) does not have a security component, presenting them with data through the Security Center and the Log Correlation Engine may be very useful to them. If they are already collecting netflow data, perhaps for performance and availability monitoring, sending an additional stream of network session information to a TFM may not be difficult.

If direct sniffing of a data center or network is desired, you will likely need to use switch span ports, network taps or tap concentrators. This is very dependent on your network architecture, the technology of your routers and switches and how reliable your monitoring must be. For more information on this topic, readers should consider the TaoSecurity blog which discusses various aspects of this in depth as well as vendors such as NetOptics.

Filtering for Performance

As with any log aggregation and analysis exercise, you should consider the purpose of the monitoring and what sort of traffic is required. Otherwise you will likely over-log and record data that isn't relevant, and you may also dramatically increase your storage requirements.

If the purpose of network monitoring is to identify hosts, where they connect to, which ports they browse on and what ports are being served, the LCE can tell you this, but you may be better off with the Passive Vulnerability Scanner (PVS).

For example, let's say a new application listens and browses on TCP port 7003. A user of the Log Correlation Engine may run a report for all sessions on port 7003 and then sort by IP address or network. For the LCE to perform these tasks, every network session would need to be stored. The PVS, however, maintains a list of all ports that are open and all ports that are browsed. The application may have made 1,000,000 network connections on port 7003, and the PVS will log this once, whereas if the LCE is tracking these, all 1,000,000 sessions will be stored.
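As an added illustration (not Tenable's code), the following Python folds constructed unidirectional flow records into per-session records in the manner the text describes, keeping client and server bytes apart and summing them for the aggregate, and then contrasts the per-session store with a deduplicated open/browsed port list. The flow layout, the "lower port is the server" heuristic and the sample addresses are assumptions made for the example.

```python
from collections import namedtuple

# Constructed unidirectional flow record (illustrative only; not the TFM/LCE format).
Flow = namedtuple("Flow", "src sport dst dport proto bytes")

def session_key(f):
    """Map both directions of a session onto one key:
    (client, client_port, server, server_port, proto).
    Assumption: the lower-numbered port is the server side."""
    if f.dport < f.sport:
        return (f.src, f.sport, f.dst, f.dport, f.proto)
    return (f.dst, f.dport, f.src, f.sport, f.proto)

def build_sessions(flows):
    """Fold flows into per-session records. client_bytes and server_bytes
    are kept separate (as the text says TFM 2.0.2 does); total_bytes is the
    aggregate figure the text attributes to TNM."""
    sessions = {}
    for f in flows:
        key = session_key(f)
        rec = sessions.setdefault(key, {"client_bytes": 0, "server_bytes": 0})
        if key[0] == f.src:          # flow was sent by the client
            rec["client_bytes"] += f.bytes
        else:                        # flow was sent by the server
            rec["server_bytes"] += f.bytes
    for rec in sessions.values():
        rec["total_bytes"] = rec["client_bytes"] + rec["server_bytes"]
    return sessions

def open_and_browsed_ports(sessions):
    """PVS-style view: one (host, port, proto, role) entry no matter how many
    sessions used that port, so repeated connections collapse to one line."""
    seen = set()
    for client, _cport, server, sport, proto in sessions:
        seen.add((server, sport, proto, "open"))
        seen.add((client, sport, proto, "browsed"))
    return seen

def simulate_port_7003(n, client="10.0.0.5", server="10.0.0.20"):
    """Constructed traffic: n separate TCP sessions from one client to one
    server on port 7003, each with a request flow and a reply flow."""
    flows = []
    for i in range(n):
        cport = 40000 + i
        flows.append(Flow(client, cport, server, 7003, "tcp", 800))
        flows.append(Flow(server, 7003, client, cport, "tcp", 4200))
    return flows
```

With `n` sessions the per-session store grows to `n` records while the open/browsed list stays at two entries (one open port, one browsing host), which is the storage difference the paragraph describes.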

For More Information

Readers who would like to learn more about log analysis should consider the Tenable paper "Security Event Management" as well as the "Network and Behavioral Anomaly Detection" webinar.
