NetFlow Monitoring

Applies to Product: USM Appliance™ AlienVault OSSIM®

NetFlow is an industry-standard protocol designed by Cisco Systems that lets you capture information about network flows (communication between hosts using TCP/IP). USM Appliance Sensors can generate NetFlow information from traffic received on mirrored ports, or network devices can send NetFlow information directly to the USM Appliance Server.

USM Appliance customers can use NetFlow collection as part of their behavior monitoring. For example, NetFlow collection can help users identify insecure services, as well as protocols and ports that should not be in use. It can also help identify traffic sources and destinations, to help ensure that inbound internet traffic is limited to IP addresses residing within the DMZ.

NetFlow Fundamentals

Although originally designed to help network administrators generate metrics on the performance and utilization of their networks, NetFlow has gained increasing popularity in recent years as a vital tool for security analysis, detection, and forensic investigation. Operating systems and applications are rarely configured to log every last action they perform and, all too often, this can leave a critical gap in the forensic reconstruction of an "event" or incident. For example, applications or services may log who connected to them, but not from where, or when a session was started. In situations like these, cross-referencing application and service logs against the records of network traffic to that host can allow analysts to infer the missing information needed to fully reconstruct and understand events.

In any TCP/IP communication between two hosts or devices, the TCP session will contain two flows: one for the traffic going from host A to host B, and a second for the traffic going from host B to host A. NetFlow creates a flow record for each direction of communication within a TCP traffic session, capturing a standard set of information based on the particular version of NetFlow that is used. For example, using NetFlow version 5, flow records contain the following information about traffic sessions between hosts:

  • Network Interface
  • Source IP Address
  • Destination IP Address
  • IP Protocol
  • Source port (for UDP or TCP flows, 0 for other protocols)
  • Destination port (for UDP or TCP, type and code for ICMP, or 0 for other protocols)
  • IP Type-Of-Service flags

This is the bare minimum information contained in a flow. Later versions of the NetFlow standard include additional supported fields. Of these additional fields, the ones most relevant to USM Appliance are:

  • TCP Flags
  • Total Packets in Flow
  • Total Bytes in Flow
  • Packets Per Second (PPS)
  • Bits Per Second (BPS)
  • Average Bits Per Packet (BPP)
  • Duration (milliseconds)

Note: USM Appliance currently supports NetFlow versions 1, 5, 7, 9, and 10 (aka IPFIX), plus sFlow versions 4 and 5. USM Appliance does not currently support JFlow or any other NetFlow versions not listed here.
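
The following added example (not USM Appliance code) parses a NetFlow version 5 export datagram into the flow fields listed above and applies the two behavior-monitoring checks mentioned earlier: insecure services in use and inbound internet traffic that lands outside the DMZ. The DMZ and internal ranges, the insecure-port list, and the sample datagram are assumptions constructed for illustration; the 24-byte header and 48-byte record layout is the standard NetFlow v5 export format.

```python
import ipaddress
import struct
HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record

DMZ = ipaddress.ip_network("203.0.113.0/28")  # assumed site policy (documentation ranges)
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), DMZ]
INSECURE_TCP_PORTS = {21: "ftp", 23: "telnet"}

def parse_v5(datagram):
    """Return the flow fields listed above for every record in one v5 datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram truncated: fewer records than header count")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"input_if": f[3], "src": ipaddress.ip_address(f[0]),
                      "dst": ipaddress.ip_address(f[1]), "proto": f[13],
                      "sport": f[9], "dport": f[10], "tos": f[14]})
    return flows

def audit(flows):
    """Flag insecure services and internet traffic that lands outside the DMZ."""
    findings = []
    for fl in flows:
        if fl["proto"] == 6 and fl["dport"] in INSECURE_TCP_PORTS:
            findings.append((INSECURE_TCP_PORTS[fl["dport"]] + " in use", fl))
        from_internet = not any(fl["src"] in net for net in INTERNAL)
        if from_internet and fl["dst"] not in DMZ:
            findings.append(("inbound internet traffic outside DMZ", fl))
    return findings

def build_record(src, dst, sport, dport, proto=6):
    # Pack one constructed v5 record; counters and timestamps are dummy values.
    ip = lambda a: ipaddress.ip_address(a).packed
    return RECORD.pack(ip(src), ip(dst), ip("0.0.0.0"), 1, 2, 10, 1200, 0, 0,
                       sport, dport, 0, 0x18, proto, 0, 0, 0, 0, 0, 0)

def sample_datagram():
    """Constructed export datagram with three flows (not captured traffic)."""
    recs = [build_record("10.1.1.5", "10.1.1.9", 40000, 23),
            build_record("198.51.100.7", "203.0.113.5", 51000, 443),
            build_record("198.51.100.7", "10.1.1.20", 51001, 3389)]
    return HEADER.pack(5, len(recs), 0, 0, 0, 0, 0, 0, 0) + b"".join(recs)
```

Calling audit(parse_v5(sample_datagram())) returns two findings: the internal telnet flow and the internet flow to 10.1.1.20. Because each direction of a session is a separate flow record, reply traffic for outbound sessions also matches the second check, so correlate a hit with its reverse flow before treating it as an inbound connection.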