Performing Network Forensics with Flow Data

Performing Network Forensics with Flow DataVarious players in the industry keep creating new technologies in the form of hardware, software, programs and all, which enterprises can acquire and sync with existing technologies in a network to perform particular tasks. For each of these technologies, new rooms are invariably created for hacker attacks or threats on the network. While network engineers are trying to ensure that loopholes are not created in a network system, attackers are also trying to manipulate vulnerable links and create backdoors into a network. When the chips are down, SecOps analysts work with NetOps to conduct network forensics and troubleshoot malicious activities on a network.

Network forensics can be defined as the evaluation of data and patterns observed in network traffic between network devices, to create an insight into the sources of an attack or network problem and the extent to which damages occurred. Such evaluations or investigations utilize the in-depth understanding and assessment of various protocols, such as web protocols, file transfer protocols, email protocols and network protocols to reach a final verdict.

In practice, the forensic procedure can focus on either of the two options; packet data or flow data to complete its assessment. Each, though unique in its application and function, has been a source of intense debate between network engineers on which should be used for thoroughly insightful network forensics. As an innovative industry leader, LiveAction ended the debate by being the first to provide a practical and highly recommended integrated solution that combines the best of both worlds to resolve all network issues in record time.
In this article, we will focus on flow data, and look at how it can be used to perform network forensics, as well as the features that make it stand out.

Network Forensics through Flow Monitoring

The flow data used in network forensics is derived from flow exports. The most commonly used program for extraction and analysis of the files is NetFlow; a vendor-specific network security protocol which was developed by Cisco for collecting and monitoring IP traffic. We discussed NetFlow in details, here.

The use of flow exports for network forensics is made easier as almost all modern network devices that you can think of, such as switches, firewalls, routers, etc., are enabled to support flow data export. Thus, eliminating the need to install a whole bunch of additional appliances for network monitoring.

The process through which flow data is generated for network forensics is very basic and straightforward to understand. Generally, the process involves a flow collector, network devices and flow data.

Network Devices

For NetFlow, this includes all Cisco-enabled switching or routing devices, which summarize the details of the traffic created by the packets as they casually flow through the network. The summary is then exported to a flow collector, while the device deletes the record to free up space.

NetFlow Collector

A flow collector is a syslog service that can be located on any remote server to collect, analyze and store UDP-based messages developed by end devices as packets traverse through them. From this collector, a logging process is established, and network engineers can program the collector with various levels of severity. Each set of probable events can be assigned a level of severity which helps the collector to channel detected threats to specific destinations such as terminal lines or a network monitoring system to alert NetOps in real-time.

Flow Data

These messages or summaries or flow data, bear the metadata of the packets and are transactional records that can be stored over a very long period. Metadata provided may include but is not limited to –

  • Destination and source IP addresses
  • Destination and sources ports
  • The IP protocol used in the transaction
  • Start and end-time of the flow/web session
  • Number of packets and bytes involved in each session
  • The URL
  • Usernames

Flow DataWhile the metadata provided does not provide an in-depth insight into the contents of the data, it provides enterprise-wide visibility into all activities across a network. Also, the metadata provided is invaluable in carrying out network forensics or investigations. The fact that NetFlow is a built-in feature that can easily be switched on in most network devices buttresses its effectiveness in providing end-to-end network visibility.

Another beauty of NetFlow in network monitoring and analysis is in its ability to provide historical records. The historical records are essential in investigating persistent attacks. It makes it easier to retrace where an attack came from initially, the command and control channels that the attack initiated, the information that was extracted, as well as all other devices that were affected. Also, real-time reports help analysts to react faster to incidence occurrence and proffer instant solutions.

How to Stay Ahead

To a trained mind, Cisco NetFlow, and flow data from other vendors, is an easy tool to use in determining the source of a network problem or an attack at a glance – and that’s even made better with the use of various telemetry sources such as DNS server logs, web proxy logs, VPN logs, etc. But for most enterprises, building a reliable team of well-trained experts that can easily coordinate and act responsively with the evidence collected isn’t that easy. Attackers get more ruthless with each new day, and it takes more than a trained eye to detect false alarms or masked activities, given the limited information provided by flow data.

LiveAction is a proactive Cisco partner, and we are proud to have taken the industry further with the first integrated monitoring tool which combines packet, SNMP and flow data to provide well-detailed evidence of network activities over a very long period. Now, enterprises can gain complete visibility through flow data, be it in the darkest corner, leaving no room for attackers to get into a network without being traced. Aside from that, the system reports unusual traffic to NetOps in real-time, keeping them abreast of the health of a network, to aid in detecting and troubleshooting potential errors before they manifest. Consequently, this ensures that an enterprise stays live – boosting task completion rate, output and overall performance.

Network forensics shouldn’t be a concept that makes your IT staff shudder when they think of what they have to go through to gain deep visibility into your network. LiveNX gives you all the edge you need to stay afloat in this era of reckless cyber attacks.

Contact our sales team to get a hold of the undue advantage.