In situations like these, cross referencing application and service logs against the records of network traffic to that host, can allow analysts to infer the missing information needed to fully reconstruct and understand events. For example, applications or services may log who connected to them, but not from where, or when a session was started. Operating systems and applications are rarely configured to log every last action they perform and, all too often, this can leave a critical gap in the forensic reconstruction of an "event" or incident. NetFlow FundamentalsĪlthough originally designed to assist network administrators generate metrics for performance and utilization of their networks, NetFlow has gained increasing popularity in recent years as a vital tool for security analysis, detection and forensic investigation. It can also assist in identifying traffic sources and destinations to help ensure that inbound internet traffic is limited to IP addresses residing within the DMZ. For example, NetFlow collection can assist users in identifying insecure services, and protocols and ports that should not be used. USM Appliance customers can use NetFlow collection as a part of behavior monitoring they want to perform. USM Appliance Sensors can generate NetFlow information from traffic received on mirrored ports, or network devices can send NetFlow information directly to the USM Appliance Server. NetFlow is an industry-standard protocol designed by Cisco Systems that lets you capture information about network flows (communication between hosts using TCP/IP). USM Appliance™ NetFlow Monitoring Applies to Product:
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |