Unlocking the Power of Network Telemetry for the US Public Sector

Co-authors: Lou Norman and Erich Stokes
Understanding Network Telemetry
In Part 1 of this blog series “Defining Network Telemetry” we defined network telemetry and noted that it is a transformative tool for the US Public Sector as it provides comprehensive insights into network performance, security, and usage patterns. Telemetry data is like a Golden Nugget for a prospector because it holds immense value in uncovering hidden insights within a network.
By collecting and analyzing telemetry data, public sector organizations can gain visibility into their network operations, which is essential for efficient and automated network management. This visibility allows for proactive threat detection, performance optimization, and informed decision-making regarding resource allocation and network planning.
Network telemetry can also greatly reduce response time by giving accurate information on what an infected host has communicated with, both on premises and on the Internet. This allows responders to know what was compromised and, just as importantly, what was not compromised. Network telemetry plays a crucial role in shortening security response times by providing detailed insights into network activities. Here is how it works:
- Real-Time Monitoring: Traditional network monitoring methods often rely on periodic polling, which can miss critical events. In contrast, telemetry provides real-time data, allowing for immediate detection of anomalies and potential threats.
- Comprehensive Visibility: Telemetry offers a unified view of network activities, integrating data from various sources such as network devices, cloud services, and applications. This comprehensive visibility helps in identifying compromised hosts and understanding the scope of an attack.
- Proactive Threat Detection: By continuously streaming data, telemetry enables proactive threat detection and faster response times. This approach reduces the mean time to resolution from hours to seconds, as operators are notified of issues as they occur.
- Enhanced Security Operations: Telemetry data supports automated network management and security operations, allowing for efficient threat detection and response. This includes identifying what was compromised and ensuring that unaffected systems remain secure.
Now let’s dive deeper to better understand Network Telemetry.
Diving Deeper
NetFlow and IPFIX (Internet Protocol Flow Information Export)
NetFlow and IPFIX are protocols designed to provide detailed insights into network traffic flows. These protocols enable organizations to monitor and analyze the data traversing their networks, offering a comprehensive view of communication patterns and data exchange volumes.
- NetFlow, developed by Cisco, aggregates traffic into flows based on a set of key fields such as source and destination IP addresses, source and destination port numbers, and protocol type. This aggregation allows for the identification of unique sessions between devices, providing valuable information about network users, applications, and traffic routing.
- IPFIX, on the other hand, is an IETF standard that extends the capabilities of NetFlow by offering a more flexible and extensible framework for exporting flow information. It supports a wide range of data types and can be customized to meet specific monitoring needs. Both protocols are instrumental in network management, enabling organizations to detect anomalies, optimize performance, and ensure security.
By understanding who is communicating with whom and the volume of data being exchanged, organizations can make informed decisions about resource allocation, network planning, and security measures. These insights are crucial for maintaining efficient and secure network operations.
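The following Python example, added here and not part of the original post or any Cisco product, shows the flow aggregation these paragraphs describe: packet records are grouped into unidirectional flows keyed on source and destination IP address, source and destination port, and protocol, and the resulting flow table is then used the way an incident responder would, to list every peer an infected host exchanged data with (and, by omission, which hosts it never touched). The packet records are constructed for the example; a real NetFlow/IPFIX exporter builds its flow cache from traffic seen on the device.

```python
"""NetFlow/IPFIX-style flow aggregation and peer scoping (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """Per-flow counters, the kind of summary a flow record carries."""
    packets: int = 0
    bytes: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


def flow_key(pkt):
    """The classic NetFlow key fields: 5-tuple of addresses, ports and protocol."""
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])


def aggregate_flows(packets):
    """Group packet records into unidirectional flows keyed on the 5-tuple.

    Each direction of a conversation becomes its own flow, exactly as in
    traditional NetFlow; the caller pairs them up if it needs a bidirectional view.
    """
    flows = {}
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        key = flow_key(pkt)
        flow = flows.setdefault(key, Flow(first_seen=pkt["ts"], last_seen=pkt["ts"]))
        flow.packets += 1
        flow.bytes += pkt["len"]
        flow.last_seen = pkt["ts"]
    return flows


def peers_of(flows, host):
    """Map each peer the host talked to (in either direction) to the bytes exchanged.

    Hosts absent from the result never appeared in a flow with `host`, which is the
    'what was not compromised' evidence the text refers to.
    """
    peers = defaultdict(int)
    for (src, dst, _sport, _dport, _proto), flow in flows.items():
        if src == host:
            peers[dst] += flow.bytes
        elif dst == host:
            peers[src] += flow.bytes
    return dict(peers)


# Constructed packet records (timestamps in seconds, lengths in bytes); 10.1.1.5 plays
# the suspected infected host, 10.1.1.7 is a bystander that only talked to the file server.
PACKETS = [
    {"ts": 1.0, "src": "10.1.1.5", "dst": "192.0.2.10", "sport": 51000, "dport": 443, "proto": 6, "len": 120},
    {"ts": 1.1, "src": "192.0.2.10", "dst": "10.1.1.5", "sport": 443, "dport": 51000, "proto": 6, "len": 1400},
    {"ts": 1.2, "src": "10.1.1.5", "dst": "192.0.2.10", "sport": 51000, "dport": 443, "proto": 6, "len": 80},
    {"ts": 2.0, "src": "10.1.1.5", "dst": "10.1.1.20", "sport": 51001, "dport": 445, "proto": 6, "len": 300},
    {"ts": 3.0, "src": "10.1.1.7", "dst": "10.1.1.20", "sport": 51002, "dport": 445, "proto": 6, "len": 200},
    {"ts": 4.0, "src": "10.1.1.5", "dst": "10.1.1.1", "sport": 53001, "dport": 53, "proto": 17, "len": 60},
]


if __name__ == "__main__":
    table = aggregate_flows(PACKETS)
    for key, flow in table.items():
        print(key, flow)
    print("peers of 10.1.1.5:", peers_of(table, "10.1.1.5"))
```

Because every flow record is keyed on the same fields regardless of which device exported it, the same `peers_of` query works across switch, router and firewall exports once they land in one collector.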
NetFlow Secure Event Logging (NSEL)
NSEL is a specialized security logging mechanism built on NetFlow Version 9 technology, specifically designed for firewalls like the Cisco ASA series.
NSEL provides a stateful IP flow tracking method that exports records indicating significant events in a flow, such as flow creation, teardown, and denial. This stateful tracking allows for a detailed analysis of the flow’s lifecycle, capturing the transitions and changes in state that occur during its existence. This includes tracking Network Address Translation (NAT) and Port Address Translation (PAT) connections through the firewall to understand end-to-end connections across a translated boundary.
By focusing on these significant events, NSEL offers a more efficient and targeted approach to logging, reducing the volume of data while still providing critical insights into network activity.
NSEL is particularly valuable for monitoring and analyzing firewall activity because it captures and exports data about flow status changes, which are often indicative of security events. For instance, flow-denied events can highlight potential security threats or policy violations, while flow-create and flow-teardown events can provide insights into normal and abnormal traffic patterns.
Additionally, NSEL supports the generation of periodic flow-update events, which provide byte counters over the flow’s duration, offering a more comprehensive view of network usage. This detailed logging capability enables network administrators to better understand and respond to security incidents, optimize firewall performance, and ensure compliance with security policies. By integrating NSEL with tools like Cisco Secure Workload, organizations can further enhance their security posture through automated policy enforcement and advanced threat detection.
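The Python example below, added here and not code from Cisco or the original post, walks through the NSEL flow lifecycle described above: it consumes a constructed list of flow-created, flow-update, flow-teardown and flow-denied events, keeps per-connection state with the pre-NAT and post-NAT addresses, and answers the question an investigator asks at a translated boundary, namely which internal host owned an external address and port seen on the far side of the firewall. The event field names (`xlate_src`, `xlate_sport`, `bytes`, `reason`) and the cumulative byte counter are assumptions made for this example, not the real NSEL record layout.

```python
"""NSEL-style flow lifecycle tracking across a NAT boundary (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Connection:
    """State kept for one firewall connection from creation to teardown."""
    inside: tuple            # pre-NAT (source ip, source port) on the protected side
    outside: tuple           # post-NAT (source ip, source port) as seen beyond the firewall
    dst: tuple               # (destination ip, destination port)
    created: float
    state: str = "created"   # created -> active -> closed
    bytes: int = 0
    closed: Optional[float] = None


def _key(ev):
    return (ev["src"], ev["sport"], ev["dst"], ev["dport"], ev["proto"])


def track_nsel(events):
    """Replay NSEL-style events in time order.

    Returns (connections, denied): connections keyed on the pre-NAT 5-tuple, and the
    list of flow-denied events, which never create a connection entry because the
    firewall refused them.
    """
    connections = {}
    denied = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["event"]
        if kind == "flow-denied":
            denied.append(ev)
            continue
        key = _key(ev)
        if kind == "flow-created":
            connections[key] = Connection(
                inside=(ev["src"], ev["sport"]),
                outside=(ev["xlate_src"], ev["xlate_sport"]),
                dst=(ev["dst"], ev["dport"]),
                created=ev["ts"],
            )
            continue
        conn = connections.get(key)
        if conn is None:
            continue  # update/teardown for a flow we never saw created: ignore
        if kind == "flow-update":
            conn.bytes = ev["bytes"]  # assumed cumulative counter in this constructed format
            conn.state = "active"
        elif kind == "flow-teardown":
            conn.bytes = ev["bytes"]
            conn.state = "closed"
            conn.closed = ev["ts"]
    return connections, denied


def inside_host_for(connections, xlate_ip, xlate_port):
    """Resolve an address/port observed beyond the NAT boundary to the internal host that owned it."""
    for conn in connections.values():
        if conn.outside == (xlate_ip, xlate_port):
            return conn.inside
    return None


# Constructed event stream; 10.1.1.5 is translated to 203.0.113.2:40001 on the outside.
EVENTS = [
    {"ts": 10.0, "event": "flow-created", "src": "10.1.1.5", "sport": 51000, "proto": 6,
     "dst": "192.0.2.10", "dport": 443, "xlate_src": "203.0.113.2", "xlate_sport": 40001},
    {"ts": 40.0, "event": "flow-update", "src": "10.1.1.5", "sport": 51000, "proto": 6,
     "dst": "192.0.2.10", "dport": 443, "bytes": 5000},
    {"ts": 70.0, "event": "flow-teardown", "src": "10.1.1.5", "sport": 51000, "proto": 6,
     "dst": "192.0.2.10", "dport": 443, "bytes": 12000},
    {"ts": 12.0, "event": "flow-denied", "src": "10.1.1.5", "sport": 51002, "proto": 6,
     "dst": "198.51.100.9", "dport": 4444, "reason": "policy"},
]


if __name__ == "__main__":
    conns, dropped = track_nsel(EVENTS)
    for conn in conns.values():
        print(conn)
    print("denied:", dropped)
    print("owner of 203.0.113.2:40001 ->", inside_host_for(conns, "203.0.113.2", 40001))
```

The flow-denied entry in the constructed stream is the case the text calls out: it is evidence of a blocked outbound attempt from the same host, and it shows up only because NSEL logs the denial as an event rather than as traffic that never existed.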
Cisco’s Encrypted Traffic Analytics (ETA)
ETA is a groundbreaking technology designed to detect threats in encrypted traffic without the need for decryption, thereby preserving privacy and maintaining security. Traditional methods of threat inspection often involve bulk decryption, analysis, and re-encryption, which can be resource-intensive and compromise data privacy. ETA, however, circumvents these challenges by utilizing advanced telemetry and machine learning techniques to analyze encrypted traffic.
ETA extracts four main data elements from encrypted traffic: the Sequence of Packet Lengths and Times (SPLT), the Initial Data Packet (IDP), byte distribution, and TLS-specific features. These elements provide insights into the behavior of the traffic without revealing the actual content.
By analyzing these data points, ETA can identify anomalies and potential threats, such as malware, within encrypted streams. This approach not only enhances security by detecting threats in real-time but also ensures that the integrity of the encrypted data is maintained, as there is no need to decrypt the traffic. This innovative solution leverages Cisco’s network infrastructure expertise, providing organizations with enhanced visibility and cryptographic compliance without compromising on performance or privacy.
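As an added illustration (not Cisco's ETA implementation or code from the original post), the Python block below extracts the three of the four data elements named above that can be computed from a packet capture alone: the Sequence of Packet Lengths and Times (SPLT), a summary of the Initial Data Packet (IDP) as far as the TLS record header reveals it, and the byte distribution, together with its entropy. The packet list and payload bytes are constructed, and the SPLT encoding (signed length for direction, inter-arrival time in milliseconds) and the ten-packet truncation are assumptions chosen for this example; the machine-learning model that consumes such features is outside the scope of the text and is not shown.

```python
"""ETA-style feature extraction from encrypted flows (added example, constructed data)."""
import math
from collections import Counter


def splt(packets, max_packets=10):
    """Sequence of Packet Lengths and Times.

    Each entry is (signed length, inter-arrival ms); the sign encodes direction
    (+ client to server, - server to client). Truncation to the first few packets
    is an assumption of this example.
    """
    out = []
    prev_ts = None
    for pkt in packets[:max_packets]:
        gap_ms = 0.0 if prev_ts is None else round((pkt["ts"] - prev_ts) * 1000, 1)
        length = pkt["len"] if pkt["dir"] == "c2s" else -pkt["len"]
        out.append((length, gap_ms))
        prev_ts = pkt["ts"]
    return out


def idp_tls_summary(payload):
    """Summarise the first data packet from its TLS record header only (no decryption).

    Returns the record content type, the record-layer version and, for handshake
    records, the handshake message type (1 = ClientHello).
    """
    if len(payload) < 5:
        return {"is_tls": False}
    content_type, major, minor = payload[0], payload[1], payload[2]
    if content_type not in (0x14, 0x15, 0x16, 0x17) or major != 3:
        return {"is_tls": False}
    summary = {"is_tls": True, "content_type": content_type, "record_version": f"{major}.{minor}"}
    if content_type == 0x16 and len(payload) > 5:
        summary["handshake_type"] = payload[5]
    return summary


def byte_distribution(payloads):
    """Normalised histogram of byte values across all payloads (256 buckets)."""
    counts = Counter()
    for p in payloads:
        counts.update(p)
    total = sum(counts.values())
    if total == 0:
        return [0.0] * 256
    return [counts.get(b, 0) / total for b in range(256)]


def entropy(dist):
    """Shannon entropy in bits of a byte distribution; 8.0 means uniformly random bytes."""
    return -sum(p * math.log2(p) for p in dist if p > 0)


# Constructed flow: a client hello, two server-side records, then a short client record.
PACKETS = [
    {"ts": 0.000, "dir": "c2s", "len": 517},
    {"ts": 0.020, "dir": "s2c", "len": 1460},
    {"ts": 0.025, "dir": "s2c", "len": 900},
    {"ts": 0.030, "dir": "c2s", "len": 126},
]
# Constructed initial data packet: TLS record type 0x16 (handshake), version 3.1, length 5,
# followed by handshake type 0x01 (ClientHello) and a truncated body.
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])


if __name__ == "__main__":
    print("SPLT:", splt(PACKETS))
    print("IDP:", idp_tls_summary(CLIENT_HELLO))
    print("entropy of a zero-filled payload:", entropy(byte_distribution([b"\x00" * 16])))
    print("entropy of all 256 byte values:", entropy(byte_distribution([bytes(range(256))])))
```

The two entropy calls at the bottom bracket the range a byte distribution can take: a payload of repeated bytes scores 0.0 bits, while a payload containing every byte value equally often scores 8.0 bits, the value a well-encrypted stream approaches. Neither number requires seeing plaintext, which is the point the section makes.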
Encrypted Visibility Engine (EVE)
To build upon ETA, Cisco has developed EVE for its Next Generation Firewalls (NGFW) to provide additional security and visibility for encrypted traffic. Like ETA, EVE can identify artifacts in encrypted traffic, such as the application that is running, and determine whether the traffic is benign or malicious without decryption. Firewalls commonly make decisions based on the application that is running, and having the visibility to see this in encrypted traffic makes the firewall more efficient and much easier to manage.
Network Visibility Module (NVM)
NVM is a component of Cisco Secure Client that focuses on collecting detailed telemetry data from endpoint devices. It is designed to provide comprehensive insights into endpoint behavior and network interactions, which are crucial for maintaining robust security postures.
NVM captures rich flow context from endpoints, whether they are on or off the premises, and provides visibility into network-connected devices and user behaviors. This telemetry data includes information about user traffic direction and volume, the destination of that traffic, software processes and applications present on the endpoint, and details about the device itself, such as device type, operating system, and network interfaces. NVM allows the investigator to tie NetFlow traffic not only to the endpoint IP address but to the specific process and parent process on the endpoint. The investigator can therefore use the end-user security context that the process runs under on the endpoint, which allows for more granular analysis.
NVM uses the IPFIX protocol to capture, format, and transport this telemetry data to flow collectors or network management systems for analysis and logging. This makes Cisco Secure Client the only security agent for mobility that leverages IPFIX for endpoint security telemetry.
The data collected by NVM is then analyzed to provide security visibility and insights, which can be used for capacity and service planning, auditing, compliance, and security analytics. By integrating with solutions like Cisco Secure Network Analytics or third-party platforms provided by Splunk, NVM enables organizations to monitor application use, classify logical groups of applications, users, or endpoints, and identify potential anomalies, thereby enhancing the overall security and management of their IT infrastructure.
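The following Python block is an added example, not code from Cisco Secure Client or the original post, of the enrichment step these paragraphs describe: network-side flow records are joined with endpoint-side NVM-style records on the 5-tuple, so that each flow carries the process, parent process, user and operating system that generated it, and an investigator can ask which processes on which endpoints talked to a given destination. Both record sets and their field names (`process`, `parent`, `user`, `os`) are constructed for the example and do not reproduce the real NVM IPFIX template.

```python
"""Joining network flow records with endpoint (NVM-style) process context (added example, constructed data)."""


def _key(rec):
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])


def enrich_flows(flow_records, endpoint_records):
    """Attach endpoint process/user context to each flow record that matches on the 5-tuple.

    Flows with no matching endpoint record keep None for the context fields; those are
    worth a second look, since an agent-managed host should report every flow it originates.
    """
    by_key = {_key(r): r for r in endpoint_records}
    enriched = []
    for flow in flow_records:
        ctx = by_key.get(_key(flow))
        merged = dict(flow)
        for field in ("process", "parent", "user", "os"):
            merged[field] = ctx[field] if ctx else None
        enriched.append(merged)
    return enriched


def processes_talking_to(enriched, dst_ip):
    """Sorted (source host, process, parent, user) tuples for flows to dst_ip that have endpoint context."""
    return sorted(
        (e["src"], e["process"], e["parent"], e["user"])
        for e in enriched
        if e["dst"] == dst_ip and e["process"] is not None
    )


def flows_without_context(enriched):
    """Flows that no endpoint record explains, as (src, dst, dport) tuples."""
    return [(e["src"], e["dst"], e["dport"]) for e in enriched if e["process"] is None]


# Constructed network-side flow records (what a switch or firewall would export).
FLOWS = [
    {"src": "10.1.1.5", "sport": 51000, "dst": "192.0.2.10", "dport": 443, "proto": 6, "bytes": 1600},
    {"src": "10.1.1.5", "sport": 51001, "dst": "10.1.1.20", "dport": 445, "proto": 6, "bytes": 300},
    {"src": "10.1.1.7", "sport": 51002, "dst": "192.0.2.10", "dport": 443, "proto": 6, "bytes": 900},
    {"src": "10.1.1.9", "sport": 51003, "dst": "192.0.2.10", "dport": 443, "proto": 6, "bytes": 400},
]
# Constructed endpoint-side records (what an NVM-style agent on each host would report).
# Note that 10.1.1.9 reports nothing for its flow.
ENDPOINT = [
    {"src": "10.1.1.5", "sport": 51000, "dst": "192.0.2.10", "dport": 443, "proto": 6,
     "process": "updater.exe", "parent": "explorer.exe", "user": "CORP\\jdoe", "os": "Windows 11"},
    {"src": "10.1.1.5", "sport": 51001, "dst": "10.1.1.20", "dport": 445, "proto": 6,
     "process": "explorer.exe", "parent": "userinit.exe", "user": "CORP\\jdoe", "os": "Windows 11"},
    {"src": "10.1.1.7", "sport": 51002, "dst": "192.0.2.10", "dport": 443, "proto": 6,
     "process": "chrome.exe", "parent": "explorer.exe", "user": "CORP\\asmith", "os": "Windows 11"},
]


if __name__ == "__main__":
    rows = enrich_flows(FLOWS, ENDPOINT)
    for row in rows:
        print(row)
    print("to 192.0.2.10:", processes_talking_to(rows, "192.0.2.10"))
    print("unexplained:", flows_without_context(rows))
```

The join is deliberately on the 5-tuple alone; in production the collector would also bound the match by time, since ports are reused, but the shape of the query (destination in, process and user out) is what gives the investigator the granular context the text refers to.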
The Unique Advantage of Cisco Hardware
Cisco’s network hardware stands out in its ability to generate comprehensive telemetry data across various network components. For example, NetFlow/IPFIX has been embedded in the Cisco Unified Access Data Plane (UADP) ASIC since the introduction of the Catalyst 3850 and on all Catalyst 9000 switches. Because flow export is implemented in hardware, Cisco can generate NetFlow/IPFIX without adding any CPU load on the device, which is a major benefit of Cisco hardware. These ASICs are integral to the platform’s performance and flexibility, enabling advanced features such as enhanced security with full NetFlow/IPFIX generation at line rate. Whether it’s routers and switches providing NetFlow data and ETA, firewalls offering NSEL insights and EVE, or endpoints delivering NVM data, Cisco ensures that every part of your network contributes to a holistic view of your network environment.
Conclusion
In conclusion, NetFlow and IPFIX are pivotal protocols that provide detailed insights into network traffic flows, enabling organizations to monitor and analyze data traversing their networks. Telemetry data is like a golden nugget for a prospector because it holds immense value in uncovering hidden insights within a network. By leveraging these protocols, organizations can extract valuable information that aids in optimizing network performance and enhancing security measures.
NetFlow, developed by Cisco, aggregates traffic into flows based on key fields such as IP addresses and port numbers, allowing for the identification of unique sessions between devices. This provides valuable information about network users, applications, and traffic routing.
IPFIX, an IETF standard, extends NetFlow’s capabilities by offering a more flexible framework for exporting flow information, supporting a wide range of data types and customization for specific monitoring needs. Both protocols are instrumental in network management, helping organizations detect anomalies, optimize performance, and ensure security by understanding communication patterns and data exchange volumes.
Resources
Cisco Telemetry Architecture Guide
Cisco Secure Network Analytics + Splunk
Cisco Nexus 9000 Series NX-OS Programmability Guide, Release 10.2(x)