For those of you who have been around the networking world for a while, NetFlow is far from a new technology. Cisco developed NetFlow years ago, and it has become the industry standard for generating and collecting IP traffic information. NetFlow quickly found a home within network management, providing valuable telemetry for overall network performance and management. Nine versions later, NetFlow is growing in popularity, not solely due to its value to network management but as a critical component of security operations. Over the past 12 months I have encountered more and more large enterprises that view NetFlow as one of their top tools for combating advanced threats within their perimeters.
The dynamic nature of the cyber threat landscape and the growing sophistication and customization of attacks are requiring organizations to monitor their internal networks at a new level. IP flow monitoring (NetFlow), coupled with security-focused NetFlow collectors like Lancope’s StealthWatch, is helping organizations quickly identify questionable activity and anomalous behavior. The value that NetFlow provides is unsampled accounting of all network activity on an IP flow enabled interface. I bring up unsampled because of its importance from a security perspective. While flow sampling is a valid method for network management use cases, sampling for the sake of security leaves too much in question. An analogy would be having two different people listen to the same song. One person gets the song played in its entirety, unsampled, and the other only hears the song in 30-second intervals. While neither may be musically inclined, the person who had the advantage of listening to the song in its entirety would be able to hum or sing back that song more accurately than the person who only heard 30-second snippets of it. Furthermore, the ability to identify that song during radio airplay would be in favor of the individual who was able to listen to the song in its entirety. This holds true for IP flow information when leveraging it to detect malicious or anomalous traffic. Some malicious code will only send a single packet back to a master node, which would most likely be missed in a sampling scenario.
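The single-packet case above can be checked numerically. The following is an added example, not code from the original post: a simplified model of 1-in-N packet sampling run over a constructed packet stream, where the flow names and packet counts are assumptions chosen for illustration.

```python
import random
from collections import Counter

# Constructed sample: packets per flow on one monitored interface (assumed values).
FLOWS = {"bulk-transfer": 5000, "web-session": 400, "beacon": 1}

def detection_probability(packets_in_flow, n):
    """Chance that random 1-in-n packet sampling sees at least one packet of a flow."""
    return 1.0 - (1.0 - 1.0 / n) ** packets_in_flow

def build_stream(flows, seed=7):
    """Interleave every packet of every flow into one shuffled packet stream."""
    stream = [fid for fid, pkts in flows.items() for _ in range(pkts)]
    random.Random(seed).shuffle(stream)
    return stream

def sampled_flows(stream, n, offset=0):
    """Deterministic 1-in-n sampling: keep every n-th packet, count packets per flow."""
    return Counter(stream[offset::n])

def coverage(stream, flow_id, n):
    """Fraction of the n possible sampler phases in which flow_id is seen at all."""
    hits = sum(1 for off in range(n) if flow_id in sampled_flows(stream, n, off))
    return hits / n

if __name__ == "__main__":
    stream = build_stream(FLOWS)
    for n in (1, 100):
        label = "unsampled" if n == 1 else f"1-in-{n} sampling"
        print(label)
        for fid, pkts in FLOWS.items():
            print(f"  {fid:14s} packets={pkts:5d} "
                  f"random-model p(seen)={detection_probability(pkts, n):.4f} "
                  f"deterministic coverage={coverage(stream, fid, n):.2f}")
```

With 1-in-100 sampling the one-packet flow is exported in only one of the 100 possible sampler phases, while the large transfer is seen in every phase; unsampled accounting sees all three flows.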
Further increasing the value of IP flow monitoring is Cisco’s recent release of Flexible NetFlow (FnF). FnF introduces two new concepts to flow monitoring. The first is the use of templates; the second expands the range of packet information that can be collected and allows monitoring more deeply inside a packet. This allows greater granularity in the information to be monitored, as well as providing different collector sources for different sets of information. You can search for Flexible NetFlow on Cisco’s main website to get more technical details.
Are you using NetFlow for security operations? I welcome any feedback, good or bad, regarding your experience and opinions on the value that IP flow information provides for detecting this ever-changing threat landscape.
The federal government is a perennial target, always subject to accusations of waste and inefficiency, among other allegations. But recent developments in technology and new legislation hold out hope for a more efficient, effective, and greener federal workforce. The U.S. Telework Enhancement Act of 2010 generated tremendous momentum toward increasing workforce mobility options for federal employees. The act paves the way for the federal government to unlock significant benefits, including greater productivity, resilience, environmental sustainability, and employee inclusion. It creates accountability for achieving these objectives in the form of telework managing officers (TMOs), senior officials responsible for telework policy development and implementation.
Realizing these objectives will require a significant departure from current practice. To date, agencies have focused on increasing telework participation rates through advertising, employee training, and resolution of technological barriers. Meaningful progress toward the act’s other goals (including emergency readiness, energy use, recruitment and retention, performance, and productivity) will require moving past first-generation strategies aimed at increasing telework participation rates and, instead, pursuing integrated mobility strategies explicitly linked to agency business objectives.
TMOs should not view the act as just another administrative burden that requires compliance. As the first TMOs assume their roles, they have a unique opportunity to use workforce mobility (including telework and a broader range of tools and systems to enable productivity anywhere, anytime, and on any device) as a catalyst to create a more flexible, productive, and inspiring federal workplace.
Achieving this vision requires a sober assessment of the current situation, an ambitious, goal-driven strategy linked to agency business objectives, and a new management posture aimed at transforming mindsets and behaviors rather than resolving technological challenges.
Cisco will be a Platinum sponsor of the third annual Cloud Computing World Forum in London. If you are planning to attend this event, please stop by booth #235 where we’ll be demonstrating Cisco Cloud technologies such as VXI, Cloud Orchestration/automation, UCS, Security, etc. This would be a good opportunity to talk to experts in this field or meet account teams for the European and Emerging Market regions.
We are also excited to host a Public Sector Cloud Day with Cisco customers on June 20th. This event (by invitation only) will allow us to meet with CIOs and Technical Decision Makers to discuss the evolution of Cloud Computing in public sector organizations. A great opportunity to stay close to our customers!
We’ve talked about how telepresence can bring therapy to those in need, and it turns out the technology may help calm the nerves of another suffering group of people: some federal employees.
As part of the 2005 Base Realignment and Closure (BRAC) initiative, the Defense Department (DoD) has begun to move 123,000 employees to new office facilities. The moves profoundly change the personnel composition of more than 8,000 bases across the country, and it costs more than $35 billion. According to a survey by Federal News Radio, 49 percent of the 468 respondents do not think the consolidation will improve collaboration amongst the affected DoD and military offices, civilian agencies, and contractors. Conversely, they see mounting problems with communication, commute, employee satisfaction, and training.
Fortunately, for federal workers impacted by these changes, there is a technology currently deployed within DoD and Civilian agencies that can alleviate much of the stress of these foreshadowed issues. Telepresence and video communications can facilitate real time interaction with Pentagon offices, which are no longer easily accessible by displaced workers, removing the potential for BRAC to “greatly disrupt” the relationship among offices, as one respondent feared would happen. Likewise, telepresence technology can make teleworking more effective and efficient, providing the “face time” several employees expressed concern about losing, while still allowing them to be an integral part of the conversation.
The benefits keep multiplying. Keeping employees connected in real time boosts morale, makes everyone feel invested in the day-to-day operation of the bases, and makes possible the mentor/mentee relationships some respondents said would be lost.
With budgets and government downsizing hot button issues right now, it’s a solution the feds can’t afford to overlook.