In today's rapidly evolving threat landscape, organizations of all sizes must be prepared to analyze traffic through each node of a data network. With flow-based protocols and analytics, network administrators can optimize, troubleshoot and safeguard their networks against poor performance, intrusions and abuse. Mike Saylor, vice president of technology for the Texas Credit Union League (TCUL), explains that flow-based protocols are present in every data network. They allow you to build your network around the source, the destination and the path your data must take.
“In the IT world, that translates to knowing the source and destination IP addresses, source and destination MAC (machine) addresses, the path the data must take ( the VLAN – Virtual Local Area Network), and the intersections the data must go through (port and protocol),” notes Saylor. “You can visualize this by likening the data network to a road network.”
You take a trip to work starting from your home (source MAC/IP), travelling along a specific road (VLAN) and turning at different intersections (the different ports you move through) until you reach your place of work (destination MAC/IP), explains Saylor. As with a road network, different times or events may slow or stop data traffic at specific points (think rush hour on I-635 in Dallas). When this happens, the traffic can be rerouted, or detoured, through a part of the network in which traffic still flows smoothly. Networks are built on flow-based protocols so that traffic can be rerouted off congested network paths onto uncongested ones, giving better response to network processes and a quicker answer to your computer’s data request.
Saylor says it’s important that credit unions analyze flow-based protocols to assess the performance and security of their data network. Flow-based analytics allow the network administrator to determine what types of traffic move over the network and the times at which that traffic stresses the network’s ability to perform efficiently.
There are three types of flow-based traffic analytics:

Behavior defines what’s normal traffic for the network. This includes the time and density of the traffic, the number of machines active on the network, the average connection duration and the types of protocols and applications using the network. By analyzing the types of traffic crossing a node (intersection), the administrator can create traffic rules that allow control of the traffic. An example would be to block traffic within the network from reaching a specific site on the Internet during peak business hours, or to restrict it completely.

Performance defines peak bandwidth usage, types of incoming and outgoing traffic, maximum and average link utilization, the packet rate, the number of connections requested across the network and the sources and destinations receiving the most traffic.

Security analysis allows you to detect internal network scans, Denial of Service (DoS) attacks, the spread of malware, the existence of botnets on the network, and inappropriate use of your network (such as data hosting or remote desktop access).
By analyzing the traffic flow you define the baseline of your network. Comparing the baseline to current traffic enables you to detect network traffic anomalies. Any deviation from the norm can be considered an anomaly, and could be due to types of cyber-attacks that cannot be detected using signature-based detection techniques.
Saylor offers the following suggestions to help credit unions optimize and safeguard their network:
Define your network baseline. Any deviations from the baseline should alert you to the possibility of trouble.
Define the known bottlenecks on your network. Examples include the Internet gateway, point-to-point connections on the LAN/WAN, or specific switches or routers.
Define access rules for switches and routers based on the types of protocols you wish to allow across those devices. Restricting or refusing certain types of traffic at peak times allows efficient bandwidth usage during peak hours of operation.
Know what kinds of traffic an application produces. Types of traffic on your network that are not generated by your applications could also indicate trouble.
Finally, know what to do when you do detect trouble.
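The baseline-and-deviation idea described earlier, together with the first and fourth suggestions above (define the baseline; know what traffic each application should produce), can be illustrated with a small flow-record analyzer. The following is an added example written for this page, not code from the article or from TCUL. The flow records are constructed sample data in NetFlow style (one record per client-to-server conversation), the 10.0.0.0/24 addresses, port numbers and the "workstation"/"server" role profiles are assumptions, and the thresholds (three standard deviations, twenty distinct targets) are illustrative choices rather than values the article gives.

```python
"""Toy flow-record analyzer: build a baseline, then flag deviations from it.

Everything below is constructed sample data and illustrative logic, added as
an example; it is not captured traffic and not the article's own tooling.
"""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

# One record per client->server conversation (assumed record layout).
Flow = namedtuple("Flow", "day src dst dport proto nbytes")


def make_day(day, src, dst, total_bytes, n=10, dport=443, proto="tcp"):
    """Spread total_bytes over n ordinary flows (constructed sample data)."""
    return [Flow(day, src, dst, dport, proto, total_bytes // n) for _ in range(n)]


# Five "normal" days used to learn the baseline (constructed).
BASELINE_FLOWS = []
for day in range(1, 6):
    # 10.0.0.10: a workstation browsing an external web host over HTTPS.
    BASELINE_FLOWS += make_day(day, "10.0.0.10", "198.51.100.7", 5_000_000 + day * 100_000)
    # 10.0.0.20: a server pushing nightly backups to an SFTP host.
    BASELINE_FLOWS += make_day(day, "10.0.0.20", "10.0.0.200", 50_000_000 + day * 1_000_000,
                               dport=22)

# The day under review (constructed): the server is normal, the workstation is not.
TODAY_FLOWS = make_day(6, "10.0.0.20", "10.0.0.200", 52_000_000, dport=22)
TODAY_FLOWS += make_day(6, "10.0.0.10", "198.51.100.7", 60_000_000)          # volume spike
TODAY_FLOWS += [Flow(6, "10.0.0.10", "10.0.0.20", p, "tcp", 60)
                for p in range(1, 31)]                                       # port sweep
TODAY_FLOWS.append(Flow(6, "10.0.0.10", "203.0.113.5", 3389, "tcp", 120_000))  # outbound RDP

# Assumed role profiles: which (protocol, destination port) each role should produce.
ROLES = {"10.0.0.10": "workstation", "10.0.0.20": "server"}
EXPECTED = {
    "workstation": {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 445)},
    "server": {("tcp", 22), ("udp", 53)},
}


def daily_totals(flows):
    """Bytes sent per source per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.src][f.day] += f.nbytes
    return totals


def build_baseline(flows):
    """Per source: (mean, population stdev) of its daily byte totals."""
    return {src: (mean(per_day.values()), pstdev(per_day.values()))
            for src, per_day in daily_totals(flows).items()}


def volume_anomalies(baseline, flows, k=3.0):
    """Sources whose bytes in `flows` exceed mean + k*stdev of their baseline,
    plus sources that have no baseline at all (never seen before)."""
    hits = {}
    for src, per_day in daily_totals(flows).items():
        current = sum(per_day.values())
        if src not in baseline:
            hits[src] = ("no baseline", current)
            continue
        mu, sigma = baseline[src]
        sigma = max(sigma, 0.05 * mu)  # floor: a flat baseline still gets a tolerance band
        if current > mu + k * sigma:
            hits[src] = ("volume", current)
    return hits


def scan_suspects(flows, min_targets=20):
    """Sources touching many distinct (destination, port) pairs: scan-like fan-out."""
    targets = defaultdict(set)
    for f in flows:
        targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def unexpected_app_traffic(flows, roles=ROLES, expected=EXPECTED):
    """Distinct conversations whose protocol/port is outside the source's role profile."""
    seen = set()
    for f in flows:
        if (f.proto, f.dport) not in expected.get(roles.get(f.src), set()):
            seen.add((f.src, f.dst, f.proto, f.dport))
    return sorted(seen)


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    print("volume anomalies:", volume_anomalies(base, TODAY_FLOWS))
    print("scan suspects:", scan_suspects(TODAY_FLOWS))
    print("unexpected app traffic:", unexpected_app_traffic(TODAY_FLOWS)[:3], "...")
```

Run against the constructed data, the workstation is reported three times: its daily volume is far above its five-day baseline, it touched over thirty distinct destination/port pairs (the sweep of 10.0.0.20), and its conversation to tcp/3389 on an external host falls outside the workstation profile. The backup server, whose volume drifts within the tolerance band and whose only destination port is the one in its profile, is not reported. In a real deployment the baseline would be learned per hour or per weekday rather than per day, and the role profiles would come from the application inventory the fourth suggestion asks for.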