Network monitoring and detection of abnormal network activity using Flowmon Networks solutions

Recently, a huge number of materials on traffic analysis at the network perimeter have appeared on the Internet. At the same time, everyone seems to have forgotten about the analysis of local traffic, which is no less important. This article is devoted to exactly that topic. Using Flowmon Networks as an example, we will recall the good old NetFlow (and its alternatives), look at interesting cases and possible anomalies in the network, and see what the solution offers when the entire network works as a single sensor. And most importantly, you can carry out such an analysis of local traffic completely free of charge, under a trial license (45 days). If the topic interests you, welcome under the cut. If you are too lazy to read, then, looking ahead, you can register for the upcoming webinar, where we will show and tell everything (there you can also learn about the upcoming product training).

What is Flowmon Networks?

First of all, Flowmon is a European IT vendor: a Czech company headquartered in Brno (so the question of sanctions does not even arise). In its current form, the company has been on the market since 2007; before that it was known under the Invea-Tech brand. In total, almost 20 years have gone into the development of its products and solutions.

Flowmon positions itself as an A-class brand: it develops premium solutions for enterprise customers and has been recognized in Gartner's Network Performance Monitoring and Diagnostics (NPMD) report. Interestingly, of all the companies in that report, Flowmon is the only vendor Gartner notes as a manufacturer of solutions for both network monitoring and information protection (Network Behavior Analysis). It does not take first place yet, but for the same reason it does not cost as much as a wing from a Boeing.

What problems does the product solve?

Globally, we can distinguish the following pool of tasks solved by the company's products:

  1. increasing the stability of the network and of network resources by minimizing their downtime and unavailability;
  2. improving the overall level of network performance;
  3. improving the efficiency of administrative staff by:
    • using modern network monitoring tools based on information about IP flows;
    • providing detailed analytics about the functioning and state of the network: users and applications operating on the network, transmitted data, interacting resources, services and nodes;
    • responding to incidents before they happen, rather than after users and customers have lost service;
    • reducing the time and resources required to administer the network and IT infrastructure;
    • simplifying troubleshooting tasks;
  4. increasing the level of security of the network and information resources of the enterprise through signatureless technologies for detecting anomalous and malicious network activity, including zero-day attacks;
  5. ensuring the required SLA level for network applications and databases.

Flowmon Networks Product Portfolio

Now let's look directly at the Flowmon Networks product portfolio and find out what exactly the company does. As many have already guessed from the name, the main specialization is solutions for flow-based traffic monitoring, plus a number of additional modules that extend the basic functionality.

In fact, Flowmon can be called a one product company, or rather one solution company. Let's see if this is good or bad.

The core of the system is a collector that receives data via various flow protocols: NetFlow v5/v9, jFlow, sFlow, NetStream, IPFIX and so on. It is quite logical that a company not affiliated with any network equipment manufacturer would want to offer the market a universal product that is not tied to any one standard or protocol.

[Figure: Flowmon Collector]

The collector is available both as a hardware appliance and as a virtual machine (VMware, Hyper-V, KVM). Incidentally, the hardware platform is built on customized DELL servers, which removes most warranty and RMA questions. The only in-house hardware component is the FPGA traffic capture cards, developed by a Flowmon subsidiary, which allow monitoring at speeds of up to 100 Gbps.

But what if the existing network equipment cannot generate high-quality flow data, or the load on it is already too high? No problem:

[Figure: Flowmon Probe]

In this case, Flowmon Networks suggests using its own probes (Flowmon Probe), which are connected to the network via a switch SPAN port or via passive TAP splitters.

[Figure: SPAN (mirror port) and TAP implementation options]

In this case, the "raw" traffic arriving at the Flowmon Probe is converted into extended IPFIX containing more than 240 metrics, whereas standard NetFlow generated by network equipment contains no more than 80. This provides visibility not only at layers 3 and 4 but also at layer 7 of the ISO OSI model, so network administrators can monitor the operation of applications and protocols such as e-mail, HTTP, DNS, SMB…

Conceptually, the logical architecture of the system is as follows:

[Figure: logical architecture of the Flowmon Networks system]

The central part of the entire Flowmon Networks "ecosystem" is the Collector, which receives flow data from existing network equipment or from its own probes (Flowmon Probe). But for an enterprise solution it would be too simple to offer network traffic monitoring alone: open source solutions can do that too, albeit not with the same performance. The value of Flowmon lies in the additional modules that extend the basic functionality:

  • Anomaly Detection Security (ADS) module – detection of anomalous network activity, including zero-day attacks, based on heuristic analysis of traffic against a typical network profile;
  • Application Performance Monitoring module – monitoring the performance of network applications without installing "agents" or affecting the target systems;
  • Traffic Recorder module – recording of network traffic fragments according to a set of predefined rules or on a trigger from the ADS module, for further troubleshooting and/or investigation of information security incidents;
  • DDoS Protection module – protection of the network perimeter against volumetric DoS/DDoS denial-of-service attacks, including attacks on applications (OSI L3/L4/L7).

In this article, we will look at how everything works live using the example of 2 modules: Network Performance Monitoring and Diagnostics and Anomaly Detection Security.

Starting point:

  • Lenovo RS 140 server with VMware 6.0 hypervisor;
  • an image of the Flowmon Collector virtual machine, which can be downloaded here;
  • a pair of switches with support for flow protocols.

Step 1. Install Flowmon Collector

Deploying the virtual machine on VMware is entirely standard, from the OVF template. The result is a virtual machine running CentOS with ready-to-use software. The resource requirements are modest:

[Screenshot: virtual machine resource requirements]

All that remains is to perform basic initialization with the sysconfig command:

[Screenshot: sysconfig initialization]

We configure the IP address on the management port, DNS, time and hostname, and can then connect to the web interface.

Step 2. Installing a license

A trial license for one and a half months is generated and downloaded together with the virtual machine image. It is loaded via Configuration Center -> License. As a result, we see:

[Screenshot: license installed]

All is ready. You can get to work.

Step 3. Setting up the receiver on the collector

At this stage, you need to decide how the system will receive data from its sources. As mentioned earlier, this can be one of the flow protocols or a SPAN port on the switch.

[Screenshot: receiver configuration]

In our example, we will use the NetFlow v9 and IPFIX protocols to receive data. In this case, the target we specify is the IP address of the Management interface, 192.168.78.198. The eth2 and eth3 interfaces (of type Monitoring interface) are used to receive a copy of the "raw" traffic from a switch SPAN port; we skip them, as they are not relevant to our case.
Next, we check the collector port to which the traffic should be sent.

[Screenshot: collector listening port]

In our case, the collector listens for traffic on port UDP/2055.
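To make concrete what a collector listening on UDP/2055 actually receives, here is an added example (written for this article, not Flowmon code) in Python that parses a NetFlow v5 export datagram, the oldest and simplest of the flow protocols listed earlier, into individual flow records. The wire layout (24-byte header, 48-byte records, network byte order) is the public NetFlow v5 format; the sample datagram is constructed inline so the example runs without a router, and run_collector is an assumed minimal UDP receiver, not the Flowmon collector.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List

# NetFlow v5 wire format (public spec): every field big-endian, records packed
# back to back directly after the header, at most 30 records per datagram.
HEADER_FMT = "!HHIIIIBBH"   # version, count, sys_uptime, unix_secs, unix_nsecs,
                            # flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48 bytes


@dataclass
class Flow:
    """The subset of a v5 record that monitoring and anomaly detection care about."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int       # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    packets: int
    octets: int
    tcp_flags: int   # OR of all TCP flags seen in the flow


def parse_netflow_v5(datagram: bytes) -> List[Flow]:
    """Validate the header and unpack each 48-byte record into a Flow.

    A collector must not trust the record count blindly: a truncated or
    malformed datagram would otherwise be read past its end."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > 30 or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        fields = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        (src, dst, _nexthop, _in_if, _out_if, pkts, octs, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = fields
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                          sport, dport, proto, pkts, octs, flags))
    return flows


def build_netflow_v5(flows: List[Flow]) -> bytes:
    """Pack Flows into a v5 datagram; used here only to construct offline sample input."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT, socket.inet_aton(f.src), socket.inet_aton(f.dst),
                    b"\x00" * 4, 0, 0, f.packets, f.octets, 0, 0,
                    f.sport, f.dport, 0, f.tcp_flags, f.proto, 0, 0, 0, 0, 0, 0)
        for f in flows)
    return header + body


# Constructed sample: one TCP connection to RDP and one DNS query (addresses are
# placeholders in the article's 192.168.x.x ranges, not captured traffic).
SAMPLE_DATAGRAM = build_netflow_v5([
    Flow("192.168.3.225", "192.168.3.10", 49152, 3389, 6, 12, 1460, 0x1B),
    Flow("192.168.3.50", "192.168.3.1", 53211, 53, 17, 1, 74, 0x00),
])


def run_collector(port: int = 2055, max_datagrams: int = 1) -> None:
    """Assumed minimal receiver: bind the UDP port the article's collector
    listens on and print what each exporter sends (not the Flowmon collector)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    for _ in range(max_datagrams):
        data, peer = sock.recvfrom(65535)
        for f in parse_netflow_v5(data):
            print(f"{peer[0]}: {f.src}:{f.sport} -> {f.dst}:{f.dport} "
                  f"proto={f.proto} pkts={f.packets} bytes={f.octets}")


if __name__ == "__main__":
    for flow in parse_netflow_v5(SAMPLE_DATAGRAM):
        print(flow)
```

The length check before unpacking is the part worth copying: an exporter (or anything else that can reach UDP/2055) controls the count field, and a receiver that loops over it without comparing it to the datagram length is the classic way flow collectors have crashed or mis-parsed. Pointing a real exporter at run_collector(2055) on a test host shows the same records the Sources view in the web interface is built from.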

Step 4. Setting up network equipment for flow export

Configuring NetFlow on Cisco Systems equipment is probably routine for any network administrator, so for our example we will take something more unusual: a MikroTik RB2011UiAS-2HnD router. Yes, oddly enough, even such a budget solution for small and home offices supports the NetFlow v5/v9 and IPFIX protocols. In its settings, we set the target (collector address 192.168.78.198 and port 2055):

[Screenshot: MikroTik NetFlow target settings]

And add all the metrics available for export:

[Screenshot: MikroTik export metrics]

With this, the basic setup is complete. Let's check whether traffic is entering the system.

Step 5. Verifying and operating the Network Performance Monitoring and Diagnostics module

You can check for traffic from the source in Flowmon Monitoring Center –> Sources:

[Screenshot: Sources view]

We see that data is entering the system. Some time after the collector has accumulated traffic, the widgets start displaying information:

[Screenshot: dashboard widgets]

The system is built on the drill-down principle: by selecting a fragment of interest on a chart or graph, the user "falls through" to the depth of data he needs:

[Screenshot: drill-down view]

down to information about each individual network connection:

[Screenshot: connection details]

Step 6. Anomaly Detection Security module

This module is perhaps one of the most interesting, thanks to its signatureless methods of detecting anomalies in network traffic and malicious network activity. It is not, however, an analogue of IDS/IPS systems. Working with the module begins with its "training". For this, a special wizard is used to specify all the key components and services of the network, including:

  • gateway, DNS, DHCP and NTP server addresses,
  • addressing in user and server segments.

After that, the system enters training mode, which lasts from 2 weeks to 1 month on average. During this time it builds a baseline of traffic specific to our network. Simply put, the system learns:

  • what behavior is typical for network nodes;
  • what volumes of data are usually transferred and are normal for the network;
  • what the typical working hours of users are;
  • what applications are running on the network;
  • and much more.

As a result, we get a tool that detects anomalies in our network and deviations from typical behavior. Here are a couple of examples of what the system can detect:

  • the spread of new malware across the network that is not detected by antivirus signatures;
  • DNS, ICMP or other tunnels being built to transfer data bypassing the firewall;
  • the appearance on the network of a new computer posing as a DHCP and/or DNS server.

Let's see how it looks live. After the system has been trained and has built a network traffic baseline, it starts detecting incidents:

[Screenshot: ADS incident timeline]

The main page of the module is a timeline of identified incidents. In our example, we see a clear surge roughly between 9:00 and 16:00. We select it and look in more detail.

The anomalous behavior of the attacker on the network is clearly traced. It all starts with the host at 192.168.3.225 running a horizontal network scan on port 3389 (Microsoft RDP service) and finding 14 potential "victims":

[Screenshot: horizontal scan incident]

and

[Screenshot: horizontal scan incident details]

The next recorded incident: host 192.168.3.225 starts brute-forcing passwords on the RDP service (port 3389) of the previously identified addresses:

[Screenshot: RDP brute-force incident]

As a result of the attack, an SMTP anomaly is recorded on one of the compromised hosts. In other words, it has started sending spam:

[Screenshot: SMTP anomaly incident]

This example clearly demonstrates the capabilities of the system and of the Anomaly Detection Security module in particular. Judge its effectiveness for yourself. This completes the functional overview of the solution.
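To show the kind of reasoning a signatureless module applies to flow data across the incident chain above (horizontal scan, RDP brute force, then an SMTP volume anomaly against a learned baseline), here is an added Python example written for this article. It is not Flowmon's ADS implementation: the thresholds, the statistical test, the reduced flow tuple (source, destination, destination port, packets, octets) and all sample data are the author's assumptions, constructed to mirror the incident described in the text.

```python
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# A flow reduced to what these detections need: src, dst, dport, packets, octets.
Flow = Tuple[str, str, int, int, int]


def detect_horizontal_scan(flows: List[Flow], min_targets: int = 10) -> Dict[Tuple[str, int], int]:
    """One source contacting many distinct hosts on the same port.
    Returns {(src, dport): number_of_distinct_destinations} at or above the threshold."""
    targets = defaultdict(set)
    for src, dst, dport, _pkts, _octs in flows:
        targets[(src, dport)].add(dst)
    return {key: len(hosts) for key, hosts in targets.items() if len(hosts) >= min_targets}


def detect_bruteforce(flows: List[Flow], dport: int = 3389, min_sessions: int = 20,
                      min_packets: int = 3, max_packets: int = 15) -> Dict[Tuple[str, str], int]:
    """Many short sessions from one source to one host on a login service.
    A single-packet probe (the scan) is excluded by min_packets; a long interactive
    session is excluded by max_packets. Returns {(src, dst): session_count}."""
    sessions = Counter()
    for src, dst, port, pkts, _octs in flows:
        if port == dport and min_packets <= pkts <= max_packets:
            sessions[(src, dst)] += 1
    return {key: n for key, n in sessions.items() if n >= min_sessions}


def learn_baseline(history: Dict[str, List[int]], floor: float = 0.05) -> Dict[str, Tuple[float, float]]:
    """Training phase: per host, mean and standard deviation of daily outbound
    SMTP octets. The deviation is floored at a fraction of the mean so that a
    perfectly regular host does not alert on trivial day-to-day changes."""
    baseline = {}
    for host, days in history.items():
        mean = statistics.mean(days)
        dev = statistics.stdev(days) if len(days) > 1 else 0.0
        baseline[host] = (mean, max(dev, floor * mean))
    return baseline


def detect_smtp_anomaly(baseline: Dict[str, Tuple[float, float]], today: Dict[str, int],
                        sigma: float = 3.0) -> Dict[str, float]:
    """Detection phase: hosts whose SMTP volume today exceeds the learned mean
    by more than sigma deviations, plus any host with no baseline at all (a
    brand-new mail sender is itself worth a look). Returns {host: z_score}."""
    anomalies = {}
    for host, octets in today.items():
        if host not in baseline:
            anomalies[host] = float("inf")
            continue
        mean, dev = baseline[host]
        z = (octets - mean) / dev
        if z > sigma:
            anomalies[host] = z
    return anomalies


# Constructed sample flows mirroring the article's incident chain (placeholder addresses).
SCANNER = "192.168.3.225"
SAMPLE_FLOWS: List[Flow] = []
# 1. horizontal scan: one SYN-only probe to each of 14 hosts on port 3389
SAMPLE_FLOWS += [(SCANNER, f"192.168.3.{n}", 3389, 1, 60) for n in range(10, 24)]
# 2. brute force: 25 short sessions against the first host that answered
SAMPLE_FLOWS += [(SCANNER, "192.168.3.10", 3389, 8, 1200)] * 25
# 3. benign background: an ordinary long RDP session and a DNS query
SAMPLE_FLOWS += [("192.168.3.50", "192.168.3.10", 3389, 420, 88000),
                 ("192.168.3.50", "192.168.3.1", 53, 1, 74)]

# Constructed SMTP training data (14 days of outbound octets per host) and today's totals:
# the compromised host sends roughly a hundred times its usual volume.
DAILY_SMTP = [48000, 52000, 50000, 51000, 49000, 50000, 52000,
              48000, 51000, 49000, 50000, 50000, 48000, 52000]
SMTP_HISTORY = {"192.168.3.10": DAILY_SMTP, "192.168.3.50": DAILY_SMTP}
SMTP_TODAY = {"192.168.3.10": 4_800_000, "192.168.3.50": 53000}


def run_detections() -> Dict[str, dict]:
    """Run all three checks over the sample data and return the findings."""
    return {
        "scan": detect_horizontal_scan(SAMPLE_FLOWS),
        "bruteforce": detect_bruteforce(SAMPLE_FLOWS),
        "smtp": detect_smtp_anomaly(learn_baseline(SMTP_HISTORY), SMTP_TODAY),
    }


if __name__ == "__main__":
    for name, finding in run_detections().items():
        print(name, finding)
```

Two points the toy version makes that carry over to a real deployment: the packet-count window in detect_bruteforce is what separates the scan probes from the login attempts (the same source and port, but a different shape of flow), and the baseline floor in learn_baseline is why a training period of a few weeks matters; with too little history the deviation is tiny and every ordinary fluctuation becomes an "incident".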

Conclusion

To sum up, the conclusions we can draw about Flowmon:

  • Flowmon is a premium-level solution for corporate customers;
  • thanks to its versatility and compatibility, data can be collected from any source: network equipment (Cisco, Juniper, HPE, Huawei…) or the vendor's own probes (Flowmon Probe);
  • the scalability of the solution allows you to extend the functionality of the system by adding new modules, as well as to increase performance thanks to a flexible approach to licensing;
  • thanks to signatureless analysis technologies, the system can detect zero-day attacks still unknown to antivirus and IDS/IPS systems;
  • because the system is completely "transparent" in the way it is installed and present in the network, the solution does not affect the operation of other nodes and components of your IT infrastructure;
  • Flowmon is the only solution on the market that supports traffic monitoring at speeds of up to 100 Gbps;
  • Flowmon is a solution for networks of any scale;
  • the best price/functionality ratio among comparable solutions.

In this review, we have covered less than 10% of the overall functionality of the solution. In the next article, we will talk about the remaining Flowmon Networks modules. Using the Application Performance Monitoring module as an example, we will show how business application administrators can ensure availability at a given SLA level and diagnose problems as quickly as possible.

We would also like to invite you to our webinar (10.09.2019) dedicated to the solutions of the Flowmon Networks vendor. For pre-registration, please register here.
That's all for now, thanks for your interest!


Source: habr.com
