Scrutinizer from Plixer is a dedicated solution for collecting every type of flow export from your network, turning it into detailed information about how the network is being used, and highlighting security issues.
How does Scrutinizer work?
Typically people talk in terms of NetFlow (Cisco's term), but there are many different flow export formats depending on your hardware. Plixer accepts NetFlow (all versions), sFlow, J-Flow, RFlow, C Flow, NetStream and IPFIX, the newest standard, which aims to unify them all.
Whatever the export format, Scrutinizer turns it into useful data about how busy your network is and who is consuming the bandwidth. In a modern network, more and more devices produce flow exports that contain useful information about the traffic they see and how it is being handled.
Devices that now produce flow exports include firewalls, Layer 3 switches, load balancers, SDN routers, VMware ESX hosts, Citrix, packet brokers and more. With the flexibility of the IPFIX template format they can add more and more information to the export, information that used to be visible only to deep packet inspection (DPI).
With IPFIX, the exporting device advertises templates that define the extra, device-specific fields it places in its records. The collector (a server running the Plixer software) receives the different flow types together with their templates and adds the extra fields to its database so that the records can be stored and queried.
In a modern network, many devices can export flow data about the traffic passing through them and the decisions they make about it.
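The template mechanism just described, as an added example (this is not Plixer code). The exporter sends a Template Set that declares the layout of its records, including an enterprise-specific field, and the collector keeps that template and uses it to decode the Data Set that follows. The message is constructed by hand; the enterprise number 99999 and the field name `vendorApplicationId` are assumptions, not real assignments, and variable-length fields are deliberately not handled.

```python
"""Minimal template-driven IPFIX (RFC 7011) decoder.

Added example, not Plixer code. The exporter's Template Set describes the record
layout (including a vendor field); the collector stores the template and uses it
to decode the Data Sets that follow. The sample message below is constructed.
"""
import struct
from ipaddress import IPv4Address

# IANA Information Element ids used in the sample (from the IPFIX IE registry).
IANA_NAMES = {
    1: "octetDeltaCount", 4: "protocolIdentifier", 7: "sourceTransportPort",
    8: "sourceIPv4Address", 11: "destinationTransportPort",
    12: "destinationIPv4Address",
}
# Enterprise-specific field. Enterprise number 99999 and the name are assumptions,
# not a real assignment; a collector would load these from vendor definitions.
ENTERPRISE_NAMES = {(99999, 100): "vendorApplicationId"}


def decode_value(ie_id, enterprise, raw):
    """Map (enterprise, ie_id) to a field name and decode the fixed-length value."""
    if enterprise:
        name = ENTERPRISE_NAMES.get((enterprise, ie_id), f"e{enterprise}.ie{ie_id}")
    else:
        name = IANA_NAMES.get(ie_id, f"ie{ie_id}")
    if name.endswith("IPv4Address") and len(raw) == 4:
        return name, str(IPv4Address(raw))
    return name, int.from_bytes(raw, "big")


def parse_ipfix(message, templates=None):
    """Decode one IPFIX message and return (records, templates).

    templates maps (observation_domain_id, template_id) -> [(ie_id, length, enterprise)].
    On a real collector templates persist across messages and are keyed per exporter,
    so the caller passes the dict back in on the next call.
    """
    templates = {} if templates is None else templates
    version, msg_len, _export_time, _seq, domain = struct.unpack_from("!HHIII", message, 0)
    if version != 10 or msg_len > len(message):
        raise ValueError("not a well-formed IPFIX message")
    records, offset = [], 16
    while offset + 4 <= msg_len:
        set_id, set_len = struct.unpack_from("!HH", message, offset)
        if set_len < 4:
            raise ValueError("bad set length")  # would otherwise loop forever
        pos, end = offset + 4, offset + set_len
        if set_id == 2:  # Template Set
            while pos + 4 <= end:
                tid, count = struct.unpack_from("!HH", message, pos)
                pos += 4
                fields = []
                for _ in range(count):
                    ie, length = struct.unpack_from("!HH", message, pos)
                    pos += 4
                    enterprise = 0
                    if ie & 0x8000:  # enterprise bit set: a 4-byte PEN follows
                        enterprise = struct.unpack_from("!I", message, pos)[0]
                        pos += 4
                        ie &= 0x7FFF
                    if length == 0xFFFF:
                        raise NotImplementedError("variable-length IEs not handled here")
                    fields.append((ie, length, enterprise))
                templates[(domain, tid)] = fields
        elif set_id >= 256:  # Data Set; set_id is the template id
            fields = templates.get((domain, set_id))
            if fields is None:
                # Template not received yet: a real collector buffers or drops these.
                records.append({"_undecoded_template": set_id})
            else:
                rec_len = sum(length for _, length, _ in fields)
                while rec_len and pos + rec_len <= end:  # trailing padding is skipped
                    rec = {}
                    for ie, length, enterprise in fields:
                        name, value = decode_value(ie, enterprise, message[pos:pos + length])
                        rec[name] = value
                        pos += length
                    records.append(rec)
        offset = end
    return records, templates


def build_sample_message():
    """Constructed exporter message: one Template Set (template 256) and one Data Set."""
    fields = [(8, 4, 0), (12, 4, 0), (7, 2, 0), (11, 2, 0), (4, 1, 0), (1, 8, 0), (100, 4, 99999)]
    tmpl = struct.pack("!HH", 256, len(fields))
    for ie, length, enterprise in fields:
        tmpl += (struct.pack("!HHI", ie | 0x8000, length, enterprise) if enterprise
                 else struct.pack("!HH", ie, length))
    template_set = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl

    def record(src, dst, sport, dport, proto, octets, app_id):
        return (IPv4Address(src).packed + IPv4Address(dst).packed
                + struct.pack("!HHBQI", sport, dport, proto, octets, app_id))

    data = (record("10.1.1.5", "203.0.113.10", 51000, 443, 6, 1_500_000, 7)
            + record("10.1.1.5", "10.1.1.9", 51001, 445, 6, 420, 0))
    data_set = struct.pack("!HH", 256, 4 + len(data)) + data
    body = template_set + data_set
    header = struct.pack("!HHIII", 10, 16 + len(body), 1_700_000_000, 1, 1)
    return header + body


if __name__ == "__main__":
    for rec in parse_ipfix(build_sample_message())[0]:
        print(rec)
```

The point to notice is that the collector cannot decode a Data Set until it has seen the matching template for that exporter and observation domain, which is why the decoder returns the template table for reuse and marks records it cannot yet decode rather than guessing a layout.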
Flow data is a great way of monitoring who is using the capacity in your network and which applications are involved. You can then drill into the data to see individual conversations and which client is talking to which server. Because the database processes every flow, you can build a history of connections showing what a specific device has connected to over time. Typical reports include:
- Utilization across the WAN and LAN
- Top Conversations
- Top Applications in use
- Busiest Interfaces
- Reporting how busy a remote site is
- Analyzing the activity of a particular server or PC
If something nasty does get inside your network it will more than likely try to hide in the general noise of the network and stay off the usual dashboards. However, the virus, worm or malware inside your network will want to do two things:
- Move about, learn the network and find other hosts it can compromise
- Get out to the internet, probably by disguising itself as some sort of legitimate traffic
The advantage of Scrutinizer over most solutions here is that it processes every single flow from the network hardware, so it is in a position to spot all the traffic flows and the patterns they produce. Many solutions state that they "keep all the flows", which means the flows are stored but not analysed, so there is no visibility of these low-volume traffic types and the security issues they hide.
By looking at the patterns and flows hiding in the general network noise, Plixer's security engine spots suspicious activity and flags it. Each pattern carries a risk score, and as the activity takes place the scores against a given device add up to highlight that there might be a problem. This total is called the Threat Index, and a dedicated dashboard shows it.
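As an added example of the per-device scoring just described (this is not Plixer's engine and says nothing about which patterns Scrutinizer actually uses), the code below processes every flow in a constructed sample, matches two low-volume patterns that correspond to the two behaviours listed above (an internal sweep and a regular external beacon), and adds an assumed weight per matched pattern to the source host. The thresholds and weights are assumptions chosen for illustration.

```python
"""Per-host risk scoring over constructed NetFlow-style records.

Added example, not Plixer's security engine. It demonstrates the idea in the text:
look at every flow, match low-volume patterns that hide in normal traffic, and add
a score per pattern to the source host to get a "threat index". The two patterns,
their thresholds and their weights are assumptions chosen for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEIGHTS = {"sweep": 30, "beacon": 40}  # assumed per-pattern risk scores


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def detect_sweeps(flows, min_hosts=8, max_bytes=200):
    """Pattern 1: one source touching many internal hosts on one port with tiny flows.

    Each flow is small and would never show on a top-talkers view; the pattern is
    only visible when every flow is processed and grouped by source and port.
    """
    touched = defaultdict(set)
    for f in flows:
        if is_internal(f["dst"]) and f["bytes"] <= max_bytes:
            touched[(f["src"], f["dport"])].add(f["dst"])
    return {(src, f"sweep:{port}") for (src, port), hosts in touched.items()
            if len(hosts) >= min_hosts}


def detect_beacons(flows, min_flows=5, max_jitter=0.1, max_bytes=2048):
    """Pattern 2: small connections to one external host at a regular interval.

    Command-and-control check-ins on 443 look like ordinary HTTPS per flow; the
    giveaway is timing regularity (low spread of the inter-flow gaps relative
    to their mean).
    """
    series = defaultdict(list)
    for f in flows:
        if not is_internal(f["dst"]) and f["bytes"] <= max_bytes:
            series[(f["src"], f["dst"])].append(f["t"])
    hits = set()
    for (src, dst), times in series.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.add((src, f"beacon:{dst}"))
    return hits


def threat_index(flows):
    """Sum the weights of every matched pattern per source host."""
    scores = defaultdict(int)
    for src, label in detect_sweeps(flows) | detect_beacons(flows):
        scores[src] += WEIGHTS[label.split(":")[0]]
    return dict(scores)


def flow(t, src, dst, dport, nbytes):
    return {"t": t, "src": src, "dst": dst, "dport": dport, "bytes": nbytes}


# Constructed sample flows (time in seconds, src, dst, dst port, bytes).
SAMPLE_FLOWS = (
    # 10.1.1.5 probes SMB on ten neighbours, 60 bytes each: the "move about" behaviour.
    [flow(i, "10.1.1.5", f"10.1.1.{20 + i}", 445, 60) for i in range(10)]
    # 10.1.1.5 checks in with an external host every 60 s: the "get out" behaviour.
    + [flow(60 * i, "10.1.1.5", "198.51.100.7", 443, 512) for i in range(6)]
    # 10.1.1.8 browses: small replies at irregular times, plus some big downloads.
    + [flow(t, "10.1.1.8", "198.51.100.20", 443, 900) for t in (5, 17, 40, 91, 100)]
    + [flow(t, "10.1.1.8", "198.51.100.21", 443, 120_000) for t in (30, 200)]
    # 10.1.1.9 copies a file from one share: one large SMB flow, not a sweep.
    + [flow(12, "10.1.1.9", "10.1.1.20", 445, 80_000)]
)

if __name__ == "__main__":
    print(threat_index(SAMPLE_FLOWS))
```

Note that the browsing host makes the same number of small external connections as the beaconing host, and the file-copy host talks to the same SMB port as the sweeping host; only the shape of the activity across many flows separates them, which is the reason the text gives for processing every flow rather than only storing it.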
If more detail is required there is an extra module, FlowPro, which takes a copy of the traffic and specifically looks for known DNS security issues. Over 90% of current malware uses rogue DNS messages to export data out of networks and onto the web. The checks include:
- Attempts to talk to command and control (C2) sites
- DNS data exfiltration attempts
- Attempts to resolve user-defined (watchlisted) DNS names
- Requests to unregistered DNS servers
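The four checks above, as an added example written against constructed DNS log lines (this is not FlowPro and does not reproduce its logic). C2 and user-defined names are handled by one watchlist match, exfiltration by looking for repeated long, high-entropy labels under one parent domain from one client, and unregistered resolvers by comparing the server address against an approved list. The log format, the resolver list, the watchlist domain `bad-c2.example` and the thresholds are all assumptions.

```python
"""DNS query screening over constructed log lines.

Added example, not Plixer's FlowPro. It applies the checks listed in the text as
plain rules over a constructed, syslog-like record format. Field names, thresholds,
the watchlist and the approved resolver list are assumptions.
"""
import hashlib
import math
import re
from collections import Counter, defaultdict

APPROVED_RESOLVERS = {"10.1.1.2", "10.1.1.3"}  # assumed internal resolvers
WATCHLIST = {"bad-c2.example"}  # assumed user-defined / threat-intel domains

LINE_RE = re.compile(r"client=(\S+) server=(\S+) qname=(\S+)")


def shannon_entropy(s):
    """Bits per character; hex/base32-encoded payload labels score far above words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parent_domain(qname):
    """Last two labels. A real tool would use the public suffix list instead."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def is_watchlisted(qname):
    q = qname.rstrip(".")
    return any(q == d or q.endswith("." + d) for d in WATCHLIST)


def looks_encoded(label, min_len=30, min_entropy=3.0):
    """Heuristic for a tunnelling label: long and close to uniformly distributed."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def screen_dns(lines, min_exfil_queries=3):
    """Return (client, category, detail) findings for the given log lines."""
    findings = []
    encoded_by_pair = defaultdict(set)  # (client, parent domain) -> distinct encoded labels
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        client, server, qname = m.groups()
        if server not in APPROVED_RESOLVERS:
            findings.append((client, "unregistered_resolver", server))
        if is_watchlisted(qname):
            findings.append((client, "watchlist_domain", qname))
        first_label = qname.split(".")[0]
        if looks_encoded(first_label):
            encoded_by_pair[(client, parent_domain(qname))].add(first_label)
    # One odd-looking label is noise; a stream of distinct ones to one domain is a channel.
    for (client, parent), labels in encoded_by_pair.items():
        if len(labels) >= min_exfil_queries:
            findings.append((client, "dns_exfil", f"{parent} ({len(labels)} encoded labels)"))
    return findings


def sample_lines():
    """Constructed log lines in the format LINE_RE expects."""
    chunks = [hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40] for i in range(4)]
    return [
        "2024-05-01T10:00:01Z client=10.1.1.8 server=10.1.1.2 qname=www.example.com qtype=A",
        "2024-05-01T10:00:02Z client=10.1.1.8 server=10.1.1.2 qname=d1a2b3c4d5e6f7.cdn.example qtype=A",
        "2024-05-01T10:00:03Z client=10.1.1.5 server=10.1.1.2 qname=update.bad-c2.example qtype=A",
        "2024-05-01T10:00:04Z client=10.1.1.7 server=203.0.113.53 qname=www.example.net qtype=A",
    ] + [
        f"2024-05-01T10:00:1{i}Z client=10.1.1.5 server=10.1.1.2 qname={c}.t.exfil.example qtype=TXT"
        for i, c in enumerate(chunks)
    ]


if __name__ == "__main__":
    for finding in screen_dns(sample_lines()):
        print(finding)
```

The short hex-looking CDN hostname for 10.1.1.8 is deliberately below the length threshold: entropy alone flags plenty of legitimate content-delivery and cloud names, so the example requires both length and repetition before it calls something exfiltration.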
Another benefit of this technology is that it also produces detailed information on network and server response times and VoIP call metrics.