
IETF STANDARD ENSURES NETWORK-ATTACHED NODES ‘COUNT’


“Security managers may soon have a standard to identify how many computers
are connected to the corporate LAN–and then flag potential breaches when
that count is off.

A consortium of seven vendors, including Hewlett-Packard and Foundry
Networks, has submitted an IETF draft standard known as sFlow (RFC 3176),
a packet-based sampling technology that watches for denial-of-service
attacks and misconfigured computers without installing agents on every
device.

This eliminates a major security headache: not knowing what’s accessing
network resources. In particular, administrators can’t reliably identify
unauthorized NAT devices, which often appear as legitimate hosts, says
Peter Phaal, president of network monitoring vendor InMon Corp., part of
the sFlow consortium. Yet a NAT–which can also be a wireless device–can
be a gateway to unlimited numbers of other computers.

An sFlow setup has two parts: an agent embedded in a switch, router or
standalone sensor; and a centralized analyzer. The agent applies an
algorithm to network traffic to identify different devices, even when
they’re of identical operating systems. The results can also be used to
fine-tune or audit firewalls and other network devices.

The set-up works akin to the well-known ping command–send a signal, then
see how long it takes to return–with a twist. Frequently, the switch can
discern the actual number of computers touching the Internet connection.

sFlow consists of a packet sampling algorithm, typically performed by the
switching/routing ASICs, and an sFlow Agent–a software process running as
part of the network management software within the device. The sFlow Agent
combines flow samples (generated by the packet sampling function),
interface counters and the state of the forwarding/routing table entries
associated with each sampled packet, into an sFlow datagram, which is
immediately forwarded to a central sFlow collector.

This means that the sFlow Agent does very little processing of the data,
minimizing CPU and memory requirements. Meanwhile, a central sFlow
collector receives a continuous stream of sFlow datagrams from across the
network and analyzes them to form a real-time view of most L2-L7 traffic
flows across the entire network.”

Sorry about the length of this post folks - but the Security Wire Digest newsletter items seem to be very slow in making it to the SearchSecurity website.
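The newsletter describes the collector side only in outline: it receives flow samples and turns them into a view of who is on each port. Below is an added illustration of that collector-side step, written for this post and not taken from the sFlow specification or any vendor's product. It assumes the datagrams have already been decoded into per-sample records (field names are my own), compares the distinct hosts seen on each switch port against an inventory, and applies a simple TTL-diversity heuristic of my own to flag a port where one MAC address appears to be forwarding for several machines.

```python
from collections import defaultdict

# Constructed sample set: flow samples as a collector would hold them after
# decoding sFlow datagrams. The field names are mine, not the RFC's XDR names.
# Port 3 is expected to carry two hosts; port 4 one host. On port 4 a single MAC
# sources packets with TTLs that differ by the two common initial values (64,
# 128) minus one hop, which is how a NAT box in front of several machines
# typically looks on the wire.
SAMPLES = [
    {"ifindex": 3, "src_mac": "00:11:22:33:44:01", "src_ip": "10.0.0.11", "ttl": 64},
    {"ifindex": 3, "src_mac": "00:11:22:33:44:02", "src_ip": "10.0.0.12", "ttl": 128},
    {"ifindex": 3, "src_mac": "00:11:22:33:44:03", "src_ip": "10.0.0.13", "ttl": 64},
    {"ifindex": 4, "src_mac": "00:11:22:33:44:10", "src_ip": "10.0.0.20", "ttl": 63},
    {"ifindex": 4, "src_mac": "00:11:22:33:44:10", "src_ip": "10.0.0.20", "ttl": 127},
    {"ifindex": 4, "src_mac": "00:11:22:33:44:10", "src_ip": "10.0.0.20", "ttl": 63},
]
INVENTORY = {3: 2, 4: 1}  # constructed: hosts the admin expects per switch port


def hosts_per_port(samples):
    """Distinct source MACs seen on each ingress interface."""
    seen = defaultdict(set)
    for s in samples:
        seen[s["ifindex"]].add(s["src_mac"])
    return {ifx: len(macs) for ifx, macs in seen.items()}


def count_alerts(samples, inventory):
    """Ports whose observed host count exceeds the inventory.
    Returns {ifindex: (observed, expected)}. Because sFlow is sampled, a
    count lower than expected may only mean a quiet host has not been
    sampled yet, so only a higher count is treated as an alert here."""
    observed = hosts_per_port(samples)
    return {ifx: (n, inventory.get(ifx, 0))
            for ifx, n in observed.items() if n > inventory.get(ifx, 0)}


def nat_suspects(samples):
    """Heuristic (mine, not sFlow's device-identification algorithm): a single
    MAC whose packets arrive with more than one TTL value is likely a NAT
    device forwarding for hosts with different initial TTLs.
    Returns [(ifindex, mac, sorted ttls)]."""
    ttls = defaultdict(set)
    for s in samples:
        ttls[(s["ifindex"], s["src_mac"])].add(s["ttl"])
    return [(ifx, mac, sorted(t)) for (ifx, mac), t in ttls.items() if len(t) > 1]


if __name__ == "__main__":
    for ifx, (n, exp) in count_alerts(SAMPLES, INVENTORY).items():
        print(f"port {ifx}: {n} hosts seen, {exp} expected")
    for ifx, mac, t in nat_suspects(SAMPLES):
        print(f"port {ifx}: {mac} sends with TTLs {t}; possible NAT")
```

A real collector would feed these functions from a continuous stream of decoded datagrams rather than a fixed list, and would age out MACs that stop appearing.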
