With more firewalls supporting NetFlow Secure Event Logging (NSEL), NetFlow collectors will become a viable alternative to firewall log analyzers for many networks.
Several SMB-focused NetFlow collector vendors, such as Plixer International and ManageEngine, have supported NSEL for some time, and next week Lancope will start supporting NSEL on its NetFlow Collector, StealthWatch.
"You're going to see more and more of it as firewall vendors add NSEL support to their products," said Adam Powers, CTO of Lancope. "Cisco was the first. Other vendors will add it because it becomes a differentiator. Check Point has some limited capabilities and there are a couple other vendors I can't mention yet because we are helping them implement their NetFlow support and it's all [under an] NDA [non-disclosure agreement] right now."
NSEL: A NetFlow alternative to syslog
Traditionally, enterprises have turned to firewall log analyzer vendors for better visibility into the behavior of their firewalls. Vendors such as LogLogic and Splunk gather and analyze firewall syslog data to pull information about what kind of traffic is hitting firewalls, said Jim Frey, research director with Enterprise Management Associates.
Cisco introduced NSEL as a modified version of NetFlow tailored for firewall reporting. Traditional NetFlow data includes straightforward information like source and destination IP addresses and port numbers. NSEL adds whether a traffic flow was accepted, denied or dropped by the firewall. It also identifies the access control list (ACL) associated with that flow.
A NetFlow collector that supports NSEL is more efficient than a firewall log analyzer because syslog generation eats up computing resources on a firewall. "If you turn on the NetFlow feature in an ASA, it frees up the CPU and the ability of the firewall to do other things, like processing Layer 7 data and doing NAT [network address translation]," said Powers.
Understanding how firewalls affect network access and performance
While firewalls are usually a blind spot for NetFlow collectors, a collector that analyzes NSEL data can help detect whether a firewall is interrupting network access, Frey said. It can also combine that data into a broader view of the entire network, which goes beyond network security and looks at performance monitoring as well.
"Firewalls are inline devices, so they can have an impact on what is perceived to be regular business network access," Frey said. "When that is interrupted, either due to some perceived malicious content within a flow or a firewall rule change that goes awry, it's really annoying and sometimes hard to figure out. There's a whole category of tools designed just to do good multivendor firewall rules monitoring and analysis. But a rule may be put in place that is perfectly acceptable from a security guy's perspective that can have unintended consequences on legitimate network services."
With NSEL, a NetFlow collector can combine telemetry data from firewalls with NetFlow data from other network devices to give enterprises a bigger picture view of the health and behavior of the network.
"Let's say you have an edge router that's connected to the Internet, and behind the router you have a traditional ASA firewall. Then below that, you have a Catalyst 6500. Then below that you have a Catalyst 3750-X access layer switch. That's four devices that are all going to be generating flows as traffic makes its way across the network," Powers said.
All those devices will supply NetFlow records with different bits of information. The Catalyst 3750 might generate a NetFlow record with the MAC address of a laptop that initiated a flow. The router might supply data on the DNS system associated with the flow. Now the firewall can generate an NSEL record that tells a NetFlow collector whether the flow was denied or allowed and what ACL it's associated with. A NetFlow collector like StealthWatch can combine each of these NetFlow records into a single data structure that gives an enterprise a much more comprehensive view of how the network is performing and why.
"The main additional information is the disposition of the flow: Was it denied by an access list number? Was it permitted? Was it dropped because there was some kind of malformed Layer 7 information in the flow? What did the firewall do to the flow? Did the flow make it through the firewall or no, and if it didn't, why not?" Powers said.
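The stitching Powers describes, as an added illustration that is not code from the article or from any vendor's collector: records from the access switch, the edge router and the ASA are keyed on the flow 5-tuple, and the ASA's NSEL record contributes the disposition and the ACL. The sample records and their field names ("fw_event", "acl_id", "src_mac", "dns_name") are constructed for this example; a real decoder maps the exporter's NSEL template fields and numeric event codes onto them.

```python
"""Stitch NetFlow and NSEL records from several exporters into one flow view."""
from collections import defaultdict

# Constructed sample records, assumed already decoded from their templates.
# One flow is seen by all three devices and denied by the ASA; a second is
# only seen by the ASA, which created (permitted) it.
RECORDS = [
    {"exporter": "cat3750", "src": "10.1.5.23", "dst": "203.0.113.10",
     "sport": 51234, "dport": 443, "proto": 6, "src_mac": "00:11:22:33:44:55"},
    {"exporter": "edge-router", "src": "10.1.5.23", "dst": "203.0.113.10",
     "sport": 51234, "dport": 443, "proto": 6, "dns_name": "example.test"},
    {"exporter": "asa", "src": "10.1.5.23", "dst": "203.0.113.10",
     "sport": 51234, "dport": 443, "proto": 6,
     "fw_event": "denied", "acl_id": "outside_access_in"},
    {"exporter": "asa", "src": "10.1.5.40", "dst": "198.51.100.7",
     "sport": 40000, "dport": 80, "proto": 6,
     "fw_event": "created", "acl_id": "inside_access_out"},
]


def flow_key(rec):
    """The 5-tuple every exporter reports, used to match records across devices."""
    return (rec["src"], rec["dst"], rec["sport"], rec["dport"], rec["proto"])


def stitch(records):
    """Merge per-exporter records into a single dict per flow."""
    flows = defaultdict(lambda: {"exporters": [], "disposition": "unknown", "acl": None})
    for rec in records:
        flow = flows[flow_key(rec)]
        flow["exporters"].append(rec["exporter"])
        # Layer 2 / name context from the switch and router records.
        if "src_mac" in rec:
            flow["src_mac"] = rec["src_mac"]
        if "dns_name" in rec:
            flow["dns_name"] = rec["dns_name"]
        # Only the firewall's NSEL record says what happened to the flow and why.
        if "fw_event" in rec:
            flow["disposition"] = rec["fw_event"]
            flow["acl"] = rec.get("acl_id")
    return dict(flows)


def denied_flows(flows):
    """Flows the firewall refused, paired with the ACL responsible."""
    return [(key, flow["acl"]) for key, flow in flows.items()
            if flow["disposition"] == "denied"]


if __name__ == "__main__":
    for key, acl in denied_flows(stitch(RECORDS)):
        print("denied", key, "by ACL", acl)
```

Grouping the output of denied_flows by ACL over a time window is the check that surfaces a rule change gone awry: a single ACL suddenly accounting for denies of traffic the access switch still sees.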
Let us know what you think about the story; email Shamus McGillicuddy, News Director.