Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.


Securing Remote Networks Against Cyber Threats: part 2

July 5, 2013

IP Host Reputation

Today, some NetFlow collector vendors compare the IP addresses found in flows against reputation lists. The host reputation lookup is a routine that contacts an Internet-based reputation list provider every hour and downloads an updated list of known hosts that end systems on the network should not be communicating with. Typically this is a list of compromised hosts that have a reputation for sending nefarious traffic (e.g. C&C).
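The lookup described above, as an added example that is not part of the original post or any vendor's collector: a reputation feed is parsed into networks, each flow's source and destination address is checked against it, and a refresh check models the hourly download. The feed entries, flow records and the `FlowRecord` shape are constructed for illustration and are not real indicators or real traffic.

```python
"""Added example (not from the original post): matching IP addresses seen in
flow records against a downloaded host reputation list.

The feed text and the flow records below are constructed for illustration and
are not real indicators or real traffic.
"""
import ipaddress
import time
from dataclasses import dataclass

REFRESH_INTERVAL = 3600  # the post describes an hourly download of the list


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    dst_port: int
    octets: int


# Constructed sample feed: one host or CIDR per line, optional ",tag" suffix.
REPUTATION_FEED = """\
# constructed sample feed, not real indicators
198.51.100.23,c2
203.0.113.0/24,scanner
2001:db8:bad::/48,c2
not-an-address,junk
"""


def load_reputation(text):
    """Parse a feed into (network, tag) pairs. Malformed lines are skipped so a
    single bad entry does not abort the hourly refresh."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, tag = line.partition(",")
        try:
            net = ipaddress.ip_network(addr.strip(), strict=False)
        except ValueError:
            continue
        entries.append((net, tag.strip() or "unknown"))
    return entries


def lookup(ip, entries):
    """Return the tag of the first list entry containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, tag in entries:
        if addr in net:  # ipaddress returns False across IPv4/IPv6 versions
            return tag
    return None


def scan_flows(flows, entries):
    """Return (flow, side, tag) for every flow endpoint that is on the list."""
    hits = []
    for flow in flows:
        for side in ("src", "dst"):
            tag = lookup(getattr(flow, side), entries)
            if tag is not None:
                hits.append((flow, side, tag))
    return hits


def needs_refresh(last_fetch, now=None, interval=REFRESH_INTERVAL):
    """True when the cached list is older than the refresh interval."""
    now = time.time() if now is None else now
    return now - last_fetch >= interval


ENTRIES = load_reputation(REPUTATION_FEED)

# Constructed flows: one clean, one to a C&C host, one from a scanner block,
# one IPv6 flow from a listed prefix.
SAMPLE_FLOWS = [
    FlowRecord("10.0.0.7", "192.0.2.10", 443, 5120),
    FlowRecord("10.0.0.5", "198.51.100.23", 443, 900),
    FlowRecord("203.0.113.77", "10.0.0.9", 22, 60),
    FlowRecord("2001:db8:bad::1", "2001:db8::5", 53, 120),
]


def report():
    return scan_flows(SAMPLE_FLOWS, ENTRIES)


if __name__ == "__main__":
    for flow, side, tag in report():
        print(f"{getattr(flow, side)} ({side}) tagged {tag}: {flow.src} -> {flow.dst}:{flow.dst_port}")
```

A linear scan over the list is fine for a demonstration; a collector handling thousands of flows per second would index the networks (for example a radix tree keyed on prefix) and would also keep the previous list if a refresh fails, rather than running with no list at all.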

Read part 1 of this series.





Securing Remote Networks Against Cyber Threats: part 1

June 9, 2013

Managed Security Service Providers (MSSPs) are depending on NetFlow and IPFIX as one of the top three enablers for improving network threat detection at onsite as well as remote sites.  The distributed nature of NetFlow collection allows IT security teams to gain threat insight into remote locations without actually visiting each one. 

Router Overhead When Enabling NetFlow

May 1, 2013

Are you concerned about the router overhead when enabling NetFlow?  You should be if the router already has a busy CPU.  Make sure you trend the CPU utilization on a busy router before you try enabling NetFlow or IPFIX.  In most cases enabling these network traffic monitoring exports won't impact performance; on an already overworked appliance, however, it could. 

Cisco Wireless Controller NetFlow Configuration

April 15, 2013

Two months ago we started playing with the Cisco Wireless Controller NetFlow configuration and got it to export flows with NBAR support.  Pretty cool stuff. We were given a Cisco 2500 series to play with and once we had flows going to our NetFlow analyzer, it became clear why this hardware is part of the Cisco AVC family of NetFlow capable solutions. 

Building a NetFlow Cache: Exporting IPFIX

March 12, 2013

Most engineers implementing NetFlow or IPFIX know how to get started.  Where they sometimes stumble is in the area of a properly structured export with well thought out relationships between the templates. Today I want to provide a good example.

This post on building a NetFlow cache and exporting IPFIX is pretty deep. For this reason, my prior post on Exporting NetFlow or IPFIX really should be reviewed first.  A flow cache entry in a router or switch is built using the first packet between two hosts, and the cache table is maintained for all active connections (i.e. flows).   When a packet comes into the device, its tuple is compared to existing entries in the cache table.  A match of the key fields triggers a flow entry update where packet and byte counts, and perhaps other fields, are incremented and updated. Packets that don't match a flow entry are compared to policy (e.g. firewall or ACL rules) and are ultimately dropped or used to create new cache entries.  Flow entries are exported to a flow collector periodically based on timers (i.e. active and inactive timeouts) or flow behaviors such as a TCP FIN or RST.
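The cache behaviour described above, as an added example that is not part of the original post and not any router's implementation: a software flow cache keyed on the 5-tuple plus input interface, with counter updates on a hit, entry creation on a miss, and export driven by active and inactive timeouts or by a TCP FIN/RST. The key fields, timeout values and the packet sequence are constructed for illustration.

```python
"""Added example (not from the original post): a minimal software flow cache
of the kind the paragraph describes. Packets are keyed on a tuple of key fields;
a hit updates the counters, a miss creates an entry, and entries are exported
when the active or inactive timeout elapses or when a TCP FIN/RST ends the flow.
Timeouts and packets are constructed for illustration.
"""
from dataclasses import dataclass

TCP, FIN, RST = 6, 0x01, 0x04


@dataclass(frozen=True)
class FlowKey:
    """Key fields: a match on all of these is a cache hit."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    in_if: int


@dataclass
class FlowEntry:
    """Non-key fields, updated on every hit."""
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0


class FlowCache:
    def __init__(self, active_timeout=60.0, inactive_timeout=15.0):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.entries = {}
        self.exported = []  # records handed to the exporter, in order

    def packet(self, ts, key, length, tcp_flags=0):
        """Account one packet. Returns True if a new cache entry was created."""
        entry = self.entries.get(key)
        created = entry is None
        if created:
            # Cache miss: a real device checks ACL/firewall policy here before
            # creating the entry; this example assumes the packet is permitted.
            entry = FlowEntry(key, first_seen=ts, last_seen=ts)
            self.entries[key] = entry
        entry.last_seen = ts
        entry.packets += 1
        entry.octets += length
        entry.tcp_flags |= tcp_flags
        # Flow-behaviour export: a FIN or RST closes the TCP conversation.
        if key.proto == TCP and tcp_flags & (FIN | RST):
            self.exported.append(self.entries.pop(key))
        return created

    def expire(self, now):
        """Timer-based export. Returns the entries exported on this pass.
        An entry that hits the active timeout is exported and removed; the
        next packet of a still-running flow simply starts a fresh entry."""
        out = []
        for key, entry in list(self.entries.items()):
            active = now - entry.first_seen >= self.active_timeout
            idle = now - entry.last_seen >= self.inactive_timeout
            if active or idle:
                out.append(self.entries.pop(key))
        self.exported.extend(out)
        return out


def demo():
    cache = FlowCache(active_timeout=60.0, inactive_timeout=15.0)
    https = FlowKey("10.0.0.5", "192.0.2.10", TCP, 51000, 443, 1)
    cache.packet(0.0, https, 60, tcp_flags=0x02)   # SYN creates the entry
    cache.packet(0.5, https, 1500)                 # hits update the counters
    cache.packet(1.0, https, 1500)
    http = FlowKey("10.0.0.6", "192.0.2.20", TCP, 51001, 80, 1)
    cache.packet(2.0, http, 60, tcp_flags=0x02)
    cache.packet(2.1, http, 40, tcp_flags=0x11)    # FIN|ACK exports at once
    fin_exported = cache.exported[0]
    at_10 = cache.expire(10.0)                     # nothing has timed out yet
    at_20 = cache.expire(20.0)                     # HTTPS idle for 19 s
    return {"fin": fin_exported, "at_10": at_10, "at_20": at_20}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The exported `FlowEntry` objects are what a template-based export would serialise: the `FlowKey` fields map onto key elements in the template and the counters onto the non-key elements, which is exactly the relationship between templates and records the post goes on to discuss.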



Amazon EC2 Monitoring: Network Performance

January 25, 2013

We recently did a cost analysis where we considered outsourcing to Amazon's EC2 (Elastic Compute Cloud) service, and the topic of network performance monitoring, among other issues, came up.  We considered the amount of bandwidth we would use as well as how we would monitor the quality of service our customers were gaining through our use of EC2, and the final decision was that Amazon EC2 was not for us.

Enterasys Dragon: Intrusion Prevention System Log Analysis

December 13, 2012

Network threat detection solutions generally share some common attributes with routers, switches, firewalls and even servers.  The one I want to focus on today is logging and specifically those from the Dragon Intrusion Prevention System.  If we can get the machine messages, in this case syslogs, from all systems into a somewhat similar format and in one location, we can then correlate the data and look for events across systems even if they perform very different functions on the network. In the end, this will improve network visibility and security event awareness.
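The normalise-then-correlate approach described above, as an added example that is not part of the original post: syslog lines from a firewall, an IPS and a server are mapped into one event schema and then grouped by source IP to find hosts reported by more than one system type. The message formats, the `SAMPLE_LOGS` lines and the hostnames are constructed for illustration; they are not the Dragon IPS format or any vendor's.

```python
"""Added example (not from the original post): normalising syslog lines from
several systems into one schema and correlating across them.

The message formats below are constructed for a hypothetical firewall and IPS
plus a generic sshd line; they are not the Dragon IPS format or any vendor's.
"""
import re
from collections import defaultdict

# RFC 3164 style header: timestamp, host, tag, then the free-form message.
HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
FW = re.compile(r"^(?P<action>DENY|ALLOW) (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")
IPS = re.compile(r'^ALERT sid=(?P<sid>\d+) msg="(?P<msg>[^"]*)" src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$')
AUTH = re.compile(r"^Failed password for (?P<user>\S+) from (?P<src>[\d.]+) port \d+")

# Constructed sample log lines.
SAMPLE_LOGS = [
    "Dec 13 10:01:02 fw1 kernel: DENY TCP 203.0.113.50:44512 -> 10.0.0.9:445",
    'Dec 13 10:01:05 ips1 ids[221]: ALERT sid=1001 msg="SMB probe" src=203.0.113.50 dst=10.0.0.9',
    "Dec 13 10:02:11 fw1 kernel: ALLOW TCP 10.0.0.7:50112 -> 192.0.2.10:443",
    'Dec 13 10:03:40 ips1 ids[221]: ALERT sid=1042 msg="Shellcode" src=198.51.100.23 dst=10.0.0.12',
    "Dec 13 10:03:41 srv3 sshd[900]: Failed password for root from 198.51.100.23 port 40012 ssh2",
    "Dec 13 10:04:00 srv3 cron[12]: (root) CMD (run-parts /etc/cron.hourly)",
]


def normalize(line):
    """Map one syslog line to a common event dict, or None if unrecognised."""
    head = HEADER.match(line)
    if not head:
        return None
    base = {"ts": head["ts"], "host": head["host"]}
    msg = head["msg"]
    if m := FW.match(msg):
        return {**base, "source": "firewall", "event": m["action"].lower(),
                "src_ip": m["src"], "dst_ip": m["dst"]}
    if m := IPS.match(msg):
        return {**base, "source": "ips", "event": m["msg"],
                "src_ip": m["src"], "dst_ip": m["dst"]}
    if m := AUTH.match(msg):
        return {**base, "source": "auth", "event": "failed-login",
                "src_ip": m["src"], "dst_ip": None}
    return None  # lines such as cron noise carry no event we correlate on


def normalize_all(lines):
    return [e for e in map(normalize, lines) if e is not None]


def correlate(events, min_sources=2):
    """Source IPs reported by at least min_sources different system types."""
    seen = defaultdict(set)
    for e in events:
        seen[e["src_ip"]].add(e["source"])
    return {ip: srcs for ip, srcs in seen.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    for ip, sources in correlate(normalize_all(SAMPLE_LOGS)).items():
        print(ip, "seen by", ", ".join(sorted(sources)))
```

The per-product regexes are the part that has to be written once per log source; everything after `normalize` works on the common schema, which is the point of getting the messages into a similar format in one place before looking for events across systems.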



Next Generation Firewalls with Application Performance Monitoring In Mind

December 1, 2012

When choosing a next generation firewall, consumers are fortunate in that these appliances have an array of functions to choose from.  Although the primary goal is a solution that will help the business protect the company’s crown jewels from Internet bots and other types of network threats, other features such as Application Performance Monitoring are a growing concern. 

Palo Alto Networks NetFlow Export includes Firewall Event Field in PAN-OS 5.0

November 25, 2012

Palo Alto Networks is showing further commitment to NetFlow Reporting by including a Firewall Event element in PAN-OS 5.0.  This new field will provide a few new advantages to Firewall Administrators.  These improvements to their NetFlow export can be seen in multiple ways:

IPFIX Vendors should implement RFC 5610

November 7, 2012

This is a call to all the great companies that have implemented IPFIX to date.  It is clear that IPFIX is the next generation protocol to be included with most network monitoring solutions, and for this reason I'd like these companies, and those considering IPFIX, to include support for RFC 5610 or some similar sort of technology.  Without support for this RFC, deciphering new elements is nearly impossible.  The situation IPFIX collector vendors are facing is similar to trying to decipher traps or browse OIDs without a MIB file. 
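What RFC 5610 support buys a collector, as an added example that is not part of the original post and not any product's code: a vendor element arrives as opaque octets until an options data record carrying the RFC 5610 elements (privateEnterpriseNumber, informationElementId, informationElementDataType, informationElementName) tells the collector its name and type, after which the same data decodes by name. Only the template field list and data record layers are implemented; IPFIX message and set headers are left out. The vendor element uses the documentation enterprise number 32473 and a made-up name, `exampleRttMillis`.

```python
"""Added example (not from the original post): how an IPFIX collector can use
RFC 5610 options data records to learn the name and data type of an
enterprise-specific element, then decode it instead of treating it as opaque
octets. Only the template field list and data record layers are implemented;
the IPFIX message and set headers are omitted. The vendor element uses the
documentation enterprise number 32473 (RFC 5612) and a made-up name.
"""
import ipaddress
import struct

# Subset of the IANA IPFIX information element registry: id -> (name, type).
IANA = {
    1: ("octetDeltaCount", "unsigned64"),
    2: ("packetDeltaCount", "unsigned64"),
    8: ("sourceIPv4Address", "ipv4Address"),
    12: ("destinationIPv4Address", "ipv4Address"),
    # RFC 5610 elements that describe other elements.
    303: ("informationElementId", "unsigned16"),
    339: ("informationElementDataType", "unsigned8"),
    341: ("informationElementName", "string"),
    346: ("privateEnterpriseNumber", "unsigned32"),
}

# Subset of the IANA ipfix-information-element-data-types codes (RFC 5610).
DATA_TYPE_CODES = {0: "octetArray", 1: "unsigned8", 2: "unsigned16", 3: "unsigned32",
                   4: "unsigned64", 13: "string", 18: "ipv4Address"}


def parse_template_fields(buf, count):
    """Parse count field specifiers into (enterprise number, element id, length)."""
    fields, off = [], 0
    for _ in range(count):
        ie, length = struct.unpack_from("!HH", buf, off)
        off += 4
        pen = 0
        if ie & 0x8000:  # enterprise bit: a 4-byte PEN follows the specifier
            ie &= 0x7FFF
            (pen,) = struct.unpack_from("!I", buf, off)
            off += 4
        fields.append((pen, ie, length))
    return fields, off


class Registry:
    def __init__(self):
        self.elements = {(0, ie): entry for ie, entry in IANA.items()}

    @staticmethod
    def decode_value(dtype, raw):
        if dtype.startswith("unsigned"):
            return int.from_bytes(raw, "big")
        if dtype == "ipv4Address" and len(raw) == 4:
            return str(ipaddress.IPv4Address(raw))
        if dtype == "string":
            return raw.decode("utf-8", "replace").rstrip("\x00")
        return raw  # octetArray, or a type this example does not handle

    def decode_record(self, fields, buf):
        """Decode one fixed-length data record; unknown elements stay raw."""
        rec, off = {}, 0
        for pen, ie, length in fields:
            raw = bytes(buf[off:off + length])
            off += length
            name, dtype = self.elements.get((pen, ie), (f"pen{pen}.ie{ie}", "octetArray"))
            rec[name] = self.decode_value(dtype, raw)
        return rec

    def learn(self, option_record):
        """Register an element described by a decoded RFC 5610 options record."""
        pen = option_record.get("privateEnterpriseNumber", 0)
        ie = option_record["informationElementId"]
        dtype = DATA_TYPE_CODES.get(option_record["informationElementDataType"], "octetArray")
        self.elements[(pen, ie)] = (option_record["informationElementName"], dtype)


def demo():
    reg = Registry()
    # Data template: sourceIPv4Address, destinationIPv4Address, vendor element
    # 100 under PEN 32473 (enterprise bit set in the id), 4 bytes each.
    tmpl = struct.pack("!HH", 8, 4) + struct.pack("!HH", 12, 4) + struct.pack("!HHI", 0x8000 | 100, 4, 32473)
    fields, _ = parse_template_fields(tmpl, 3)
    data = bytes([10, 0, 0, 5]) + bytes([192, 0, 2, 10]) + struct.pack("!I", 250)
    before = reg.decode_record(fields, data)  # vendor element is opaque octets
    # RFC 5610 options template (PEN, id, data type, name) and a record saying
    # "PEN 32473 element 100 is an unsigned32 called exampleRttMillis". The
    # name is sent fixed-length here; real exporters usually use variable length.
    otmpl = b"".join(struct.pack("!HH", ie, ln) for ie, ln in ((346, 4), (303, 2), (339, 1), (341, 20)))
    ofields, _ = parse_template_fields(otmpl, 4)
    odata = struct.pack("!IHB", 32473, 100, 3) + b"exampleRttMillis".ljust(20, b"\x00")
    reg.learn(reg.decode_record(ofields, odata))
    after = reg.decode_record(fields, data)  # now decoded by name and type
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before RFC 5610:", before)
    print("after RFC 5610: ", after)
```

Without the options record the collector can store the 4 bytes but cannot report on them; with it, the element is as usable as a standard one. A production collector should also check the learned type against the field length in the data template before trusting it, since a mismatch (for example an unsigned32 advertised in a 2-byte field) is a sign of a broken exporter.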
