Tracking NetFlow over MPLS helps airline with compliance

Budget airline AirTran Airways achieved compliance with PCI DSS by adopting network behavior analysis technology that collects NetFlow data over an MPLS WAN.

Using network behavioral analysis technology to track NetFlow data over an MPLS WAN is helping AirTran Airways comply with the network monitoring requirements of the Payment Card Industry (PCI) Data Security Standard (DSS).

Michelle Stewart, the airline's manager of data security, told attendees at this week's Cisco Live conference that her company uses the StealthWatch network behavioral analysis (NBA) product from Lancope to achieve this compliance.

Requirement 10 of the PCI standard mandates that companies which process credit card transactions track and monitor all access to network resources and cardholder data. If a business is conducting transactions over the network, it must be able to demonstrate to auditors that it records that access and has controls in place to alert network managers to suspicious activity.

"Our concern was that we needed to address the spirit of PCI compliance and meet those requirements within severe budget restraints. We are a low-cost carrier," Stewart said. "And if we're going to get technology, we're going to leverage it in as many areas as possible."

However, AirTran operates an MPLS WAN, which can be costly and difficult to monitor for PCI compliance: in an any-to-any topology there is no central point through which all traffic passes.

"In a classic hub-and-spoke model [such as frame relay], it's very easy to monitor. Everything goes through a central site. If you have three or four regional data centers, you can deploy heavyweight probes there and you're all set," said Adam Powers, CTO of Lancope. "Unfortunately, nowadays we have more and more customers who are buying into the many-to-many WAN [such as MPLS]. Now, each of these nodes communicates with each other, and the probe doesn't really see anything."

Instead of deploying a large number of expensive probes everywhere throughout the network, network managers have the option of setting their network devices to send NetFlow information directly to NetFlow analysis tools.

NetFlow is a traffic accounting feature built into routers, switches and other network devices made by Cisco, with comparable flow-export features available from other vendors. Rather than recording every packet, the device groups packets that share the same source and destination addresses, ports, protocol and type of service into a flow, keeps a running packet and byte count for each flow in a cache in its memory, and exports a summary record when the flow ends or times out. Network managers can set those devices to send these records to flow collectors, which assemble them into a record of network activity.

"Instead of putting probes out at each MPLS node, you can just turn on NetFlow and those routers will ship their NetFlow information to a collector," Powers said. "Then the collector manager can repurpose or reconstruct the information based on all the information it gets from all the different collectors."

Network behavior analysis products like Lancope's StealthWatch observe this NetFlow data to establish a baseline of normal behavior for the network and for individual hosts. When traffic departs from that baseline, for example a sudden spike in volume from one host, the NetFlow monitor can alert the network administrator.
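To make the two previous points concrete (what a NetFlow record actually carries, and how a collector turns a stream of them into a per-host baseline and an alert), here is an added example. It is not Lancope's, Cisco's or AirTran's code. The NetFlow v5 wire layout is the real one; the addresses, the 10.0.0.0/8 "internal" prefix, the byte counts and the twelve-interval history are constructed for the demonstration, and the ticket-counter PC, its peer and the thresholds are assumptions. A Cisco router would produce such datagrams after NetFlow is enabled on its WAN interface and an export destination is configured; the export configuration itself is outside this example.

```python
# Added example (not Lancope's, Cisco's or AirTran's code): decode NetFlow v5
# export datagrams as a router sends them to a collector, charge bytes to the
# internal hosts involved, and flag a host that departs from its own baseline.
# All hosts, prefixes, byte counts and history below are constructed sample data.
import socket
import statistics
import struct
from collections import defaultdict
from ipaddress import ip_address, ip_network

# NetFlow v5: 24-byte header followed by `count` 48-byte records, network byte order.
# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Assumed address plan: 10.0.0.0/8 is the airline's internal space; anything else is external.
INTERNAL = [ip_network("10.0.0.0/8")]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def parse_netflow_v5(datagram):
    """One dict per flow record. A record summarises every packet that shared
    the same addresses, ports, protocol and ToS; it is not a per-packet log."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, packets, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport, "proto": proto, "tos": tos,
                      "tcp_flags": tcp_flags, "packets": packets, "octets": octets})
    return flows


def build_v5_datagram(records):
    """Pack (src, sport, dst, dport, proto, packets, octets) tuples the way a router would."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 1, 2,
                       pk, oc, 0, 0, sp, dp, 0, 0x18 if pr == 6 else 0, pr, 0,
                       0, 0, 24, 24, 0)
        for s, sp, d, dp, pr, pk, oc in records)
    return header + body


def bytes_per_internal_host(flows):
    """Flows are unidirectional, so charge each flow's bytes to every internal
    endpoint: an inbound stream then counts against the PC receiving it."""
    totals = defaultdict(int)
    for f in flows:
        for ip in (f["src"], f["dst"]):
            if is_internal(ip):
                totals[ip] += f["octets"]
    return dict(totals)


def peers_of(flows, host):
    """(peer address, peer port, bytes) for one host, heaviest first: the drill-down."""
    peers = defaultdict(int)
    for f in flows:
        if f["src"] == host:
            peers[(f["dst"], f["dport"])] += f["octets"]
        elif f["dst"] == host:
            peers[(f["src"], f["sport"])] += f["octets"]
    return sorted(((p, port, b) for (p, port), b in peers.items()), key=lambda t: -t[2])


def find_spikes(current, history, k=3.0, min_delta=1_000_000, min_samples=5):
    """Alert when a host's bytes this interval exceed mean + k*stdev of its own past
    intervals by at least min_delta bytes (the floor stops quiet hosts alerting on
    noise). Hosts without enough history are skipped: a baseline has to form first."""
    alerts = []
    for host, octets in current.items():
        past = history.get(host, [])
        if len(past) < min_samples:
            continue
        mean, stdev = statistics.mean(past), statistics.stdev(past)
        threshold = mean + k * stdev
        if octets > threshold and octets - mean >= min_delta:
            alerts.append({"host": host, "octets": octets, "baseline": mean, "threshold": threshold})
    return alerts


# Constructed: one five-minute export interval from a ticket-counter site router.
SAMPLE_DATAGRAM = build_v5_datagram([
    ("198.51.100.10", 80, "10.40.7.23", 51822, 6, 36_000, 47_500_000),  # stream in to the PC
    ("10.40.7.23", 51822, "198.51.100.10", 80, 6, 18_000, 950_000),     # ACKs back out
    ("10.40.7.24", 49201, "10.1.2.15", 443, 6, 120, 96_000),           # ticketing app traffic
    ("10.1.2.15", 443, "10.40.7.24", 49201, 6, 130, 110_000),
    ("10.40.7.23", 40231, "10.1.1.5", 53, 17, 2, 240),                 # DNS
])

# Constructed: bytes per host over the previous twelve intervals (the baseline).
HISTORY = {
    "10.40.7.23": [180_000, 210_000, 195_000, 220_000, 205_000, 190_000,
                   215_000, 200_000, 185_000, 210_000, 195_000, 205_000],
    "10.40.7.24": [190_000, 205_000, 210_000, 195_000, 200_000, 215_000,
                   185_000, 205_000, 200_000, 195_000, 210_000, 190_000],
}

if __name__ == "__main__":
    flows = parse_netflow_v5(SAMPLE_DATAGRAM)
    totals = bytes_per_internal_host(flows)
    for a in find_spikes(totals, HISTORY):
        peer, port, octets = peers_of(flows, a["host"])[0]
        print(f"{a['host']}: {a['octets']:,} B vs baseline {a['baseline']:,.0f} B; "
              f"top peer {peer}:{port} ({octets:,} B, external={not is_internal(peer)})")
```

Run stand-alone, it reports the constructed ticket-counter PC 10.40.7.23 as an outlier against its own history and names its heaviest peer, an external host on port 80, which is the drill-down the article describes. The neighbouring PC 10.40.7.24 stays within its baseline, and 10.1.2.15, which has no history yet, is not judged at all. Two caveats a deployment needs that the sample skips: records are counted at whichever router exports them, so a flow crossing two monitored routers must be deduplicated, and sampled NetFlow (a non-zero sampling_interval in the header) undercounts bytes unless scaled back up.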

Stewart said that the dashboard features of StealthWatch make it easy for her staff to pinpoint the source of unusual activity.

"My staff could quickly and easily get ramped up and very easily double-click on any of the virtual elements in the dashboard for more information to drill down to see what alarms are all about," she said. "We can also look at a traffic dashboard and see a spike in traffic."

From the dashboard, Stewart's staff can look at a spike in traffic and instantly know whether it's an internal or external device, she said. For instance, they can drill down and see that increased activity is coming from a PC at a ticketing counter. With a simple series of clicks, the security analyst can determine that someone is streaming Internet radio at a ticket counter, which is out of policy.

Stewart also likes the accountability that Lancope can provide by linking NetFlow information to individual users.

"We've found instances where our IT staff are using remote administrator to remote into PCs and maintain them," she said. "And there were users who said someone remoted into [their] PC and didn't identify themselves. We are better able to educate our IT staff on how they're supposed to be informing the user before remoting onto their PCs."

Powers admitted that the use of NetFlow data to track MPLS traffic is relatively new. His company is still trying to figure out what kind of MPLS tagging in NetFlow people want. "This PCI stuff hasn't been tested that well yet," he said. "It will be interesting to see how well these NetFlow approaches hold up and all the approaches people have to satisfying these requirements."

Let us know what you think about the story; email: Shamus McGillicuddy, News Editor
