UserName with NetFlow or IPFIX

Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.

Ask any network administrator trying to track down the end user behind a suspect traffic pattern whether they would rather have the IP address or the username, and they will likely tell you ‘both’. Several vendors are now including both in their NetFlow and IPFIX exports.

Vendors Including Username in NetFlow or IPFIX
Cisco, Dell, and Palo Alto, to name a few, all include usernames in their flow exports. Some NetFlow solutions can then use the username/IP address pairs learned from one export as contextual information against flow exports from other vendors that do not include a username.

(Figure: Username Cisco ASA)

“We can take contextual data from one device and leverage it against another. Since most firewalls export username in their flow exports, we can leverage the list against the hundred or so routers and switches that are also sending flows. All it takes is a couple of clicks,” said Marc Bilodeau, VP at Plixer.

If the customer doesn’t have a NetFlow exporter that exports usernames, we can gather the usernames from Microsoft Active Directory, Cisco ISE or another authentication system and correlate the names using the IP addresses.

When a flow export containing usernames is not available, the username can often be extracted from RADIUS, LDAP or Active Directory logs and exported as IPFIX with the Flow Replicator. The Flow Replicator can be configured to fetch, format and forward any machine log as IPFIX. This appliance has also been used to export proxy logs containing IP addresses and URL details. These messages can be correlated with just about any flow from any vendor.

Investigating a Network Threat
When investigating a network threat, the username can be a huge time saver and improves overall situational awareness. Because of the wide adoption of DHCP, we all understand that the username associated with a given IP address can change over time, so any lookup has to be time-aware: the flow’s timestamp must be matched against the username binding that was valid at that moment. A well thought out NetFlow and IPFIX solution can address this issue as well. We can use WMI to grab username details from the domain controller. We can also leverage Cisco ISE or Enterasys Mobile IAM technology, which also delivers details on the operating system (e.g. iPhone, iPad, Android, Cisco Phone, etc.). The bottom line: we can link flow data to almost any type of external third-party contextual information.
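The cross-exporter, time-aware correlation described above, as an added example that is not Plixer’s code: it indexes username/IP bindings learned from a firewall export or an authentication log (sample data constructed here, not captured), then stamps each flow from a router that exports no username with the user bound to its source IP at the flow’s start time, so an address that changed hands under DHCP is attributed to the right person.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample: (seen time, IP, username) bindings taken from a firewall
# flow export or an authentication log. 10.1.2.50 changes hands at 12:30 (DHCP).
AUTH_EVENTS = [
    ("2024-01-10T08:00:00", "10.1.2.50", "alice"),
    ("2024-01-10T12:30:00", "10.1.2.50", "bob"),
    ("2024-01-10T09:15:00", "10.1.2.77", "carol"),
]
# Constructed sample: flows from a router whose export carries no username field.
ROUTER_FLOWS = [
    {"start": "2024-01-10T08:45:00", "src": "10.1.2.50", "dst": "203.0.113.9", "bytes": 4200},
    {"start": "2024-01-10T13:05:00", "src": "10.1.2.50", "dst": "203.0.113.9", "bytes": 910000},
    {"start": "2024-01-10T10:00:00", "src": "10.1.2.77", "dst": "198.51.100.4", "bytes": 1500},
    {"start": "2024-01-10T07:00:00", "src": "10.1.2.50", "dst": "198.51.100.4", "bytes": 300},
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def build_binding_table(events):
    """Index bindings per IP as a time-sorted list of (seen time, user)."""
    table = defaultdict(list)
    for ts, ip, user in events:
        table[ip].append((parse_ts(ts), user))
    for ip in table:
        table[ip].sort()
    return table

def user_at(table, ip, when):
    """Username bound to ip at `when`, or None if no binding had been seen yet."""
    bindings = table.get(ip, [])
    i = bisect_right([t for t, _ in bindings], when)  # last binding not after `when`
    return bindings[i - 1][1] if i else None

def enrich_flows(flows, table):
    """Copy each flow record with the time-correct username attached."""
    out = []
    for f in flows:
        rec = dict(f, user=user_at(table, f["src"], parse_ts(f["start"])))
        out.append(rec)
    return out

if __name__ == "__main__":
    for r in enrich_flows(ROUTER_FLOWS, build_binding_table(AUTH_EVENTS)):
        print(r)
```

A flow seen before any binding for its address gets `None` rather than a guess; in practice that gap is what a DHCP or authentication log replayed through the Flow Replicator would fill.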

If your company forces any type of end user authentication on the network, chances are there is a log somewhere, and we can probably fetch, format and forward it with the Flow Replicator. From there, we can correlate the data and provide usernames, etc. in your NetFlow / IPFIX reports. There’s more than one way to skin a cat.

Network Surveillance Webcast
Watch our upcoming webcast, “Where’s the Security Camera when you need it”, which talks about the new Cisco AVC flow exports and touches on usernames.
