User identity as part of flow data

March 23, 2015 Flowmon, Infrastructure Management

How often do you need to know who is sitting behind an IP address right now, or who was logged in there one month ago? Flow monitoring gives you the IP address, MAC address or DNS name, but getting the user identity usually means the time-consuming task of analyzing the audit logs of Active Directory or a network access control system.

However, having the user identity directly in the flow monitoring system is not that difficult. All you need is a reliable source of user identities that provides an IP address, a user identity and a time stamp. This general concept makes it possible to integrate user information into flow data from various sources such as Active Directory, Cisco Identity Services Engine, a Check Point firewall, a VPN, or even a simple DHCP server (with the PC name serving as the user identity). All you have to do is send these logs to Flowmon Collector using the syslog protocol and adjust the parsing rule so that it understands the log and extracts the IP address, user identity and time. This has to happen online, so that Flowmon can build a map of user identities related to active IPs and store this information as part of the flow data as it reaches the Collector. Adding user identities retrospectively in the GUI when they are needed is not an approach that can work.

Each flow record then contains the items “source IP user ID” and “destination IP user ID”, which let you look for traffic related to a specific user. When investigating a security incident that happened one week ago, you still have accurate information about the users behind the hosts involved. New top N statistics based on user identities are available, which means that you can use this attribute in online analysis as well as in long-term reporting.
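The concept described above (parse identity logs as they arrive, keep a time-aware map of IP to user, and stamp each flow record with both user IDs) can be sketched as follows. This is an added example, not Flowmon's code: the log format, the sample lines, the field names and the `IdentityMap`, `build_map` and `enrich` helpers are all assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed log format (an assumption, not a real product's output):
# "<ISO timestamp> <host> auth: login user=<name> ip=<address>"
RULE = re.compile(r"^(?P<ts>\S+) \S+ auth: login user=(?P<user>\S+) ip=(?P<ip>\S+)$")

SAMPLE_LOGS = [  # constructed sample input
    "2015-03-16T08:02:11 dc01 auth: login user=alice ip=10.0.0.15",
    "2015-03-16T09:30:00 dc01 auth: login user=carol ip=10.0.0.20",
    "2015-03-16T13:45:40 dc01 auth: login user=bob ip=10.0.0.15",
    "2015-03-16T14:00:00 dc01 kernel: unrelated message",
]

class IdentityMap:
    """Per-IP timeline of (login time, user), so lookups are time-aware."""
    def __init__(self):
        self._timeline = {}  # ip -> sorted list of (datetime, user)

    def ingest(self, line):
        m = RULE.match(line)
        if not m:
            return False  # line does not match the parsing rule; skip it
        ts = datetime.fromisoformat(m["ts"])
        events = self._timeline.setdefault(m["ip"], [])
        events.append((ts, m["user"]))
        events.sort()  # tolerate out-of-order syslog delivery
        return True

    def user_at(self, ip, when):
        # Last login seen on this IP at or before `when` (no logout handling here).
        past = [user for ts, user in self._timeline.get(ip, []) if ts <= when]
        return past[-1] if past else None

def build_map(lines):
    idmap = IdentityMap()
    for line in lines:
        idmap.ingest(line)
    return idmap

def enrich(flow, idmap):
    """Return a copy of the flow with user IDs resolved at the flow's start time."""
    when = datetime.fromisoformat(flow["start"])
    return {**flow,
            "src_uid": idmap.user_at(flow["src"], when),
            "dst_uid": idmap.user_at(flow["dst"], when)}
```

Because 10.0.0.15 changes hands during the day, a flow from the morning resolves to a different user than one from the afternoon, which is why the identity has to be stored with the flow record instead of being looked up later against the current state.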

Moreover, this attribute can be used for filtering with the keywords “uid”, “src uid” or “dst uid” to show only traffic related to particular users. Information about user identity is part of each flow record.

This feature has been available since Flowmon 7.02.00 as part of Flowmon Collector, without the need for any additional licenses. Using Flowmon Configuration Center you can configure external syslog sources as well as parsing rules for individual log formats. Looking into third-party systems for user identities while analyzing flow data is no longer needed, so troubleshooting and investigation of security incidents are more efficient and less time-consuming.

Pavel Minarik

As Vice President of Technology at Progress Software, I'm responsible for the overarching technology strategy and architecture of our Enterprise Application Experience products such as Flowmon, Loadmaster and What's Up Gold, and for experimental development in this area.

My vision is to empower enterprises with an always-on application experience accompanied by a secure and well-performing digital environment. On premise. In the data center. In private & public cloud. A consolidated picture of the network, applications and security in a single Application Delivery, NetOps & SecOps solution with an easy-to-use and flexible user interface providing insight out of the box.

As a senior researcher at the Institute of Computer Science of Masaryk University, I have participated in several research and development projects in the domain of network traffic monitoring, analysis and cyber security. I'm the author of more than ten publications in the domain of behavior analysis and of several algorithms for traffic processing and anomaly detection, summarized in the PhD thesis “Building a System for Network Security Monitoring”.