Network Immunity Manager - why does it see VLAN traffic outside the management VLAN?

SOLVED
lightxx
Frequent Advisor

OK, so I'm currently evaluating Network Immunity Manager.

We have an enterprise-wide installation of HP ProCurves. Each switch has only one IP assigned, which is "untagged" (as HP calls it) in our switch-management VLAN. Also, there are no routes to or from that switch-management VLAN.

Yet Network Immunity Manager shows offenders coming from all VLANs (>1000) defined on our switches.

I don't quite understand how this could be possible and whether this possibly poses a security risk to our network.

To my understanding, Network Immunity Manager shouldn't see ANY layer 2 traffic outside its own VLANs, i.e. the VLANs the switches have IPs assigned to. This is the very reason 802.1Q was created in the first place.
Network Immunity Manager should only see offenders from our switch management VLAN, yet I see enterprise-wide offenders?

Perhaps somebody could shed some light on this.
5 REPLIES
Steve Britt
Respected Contributor
Solution

Re: Network Immunity Manager - why does it see VLAN traffic outside the management VLAN?

Hi Thomas,

NIM (Network Immunity Manager) inspects sFlow samples collected via ProCurve Manager (PCM) to analyze activity on the network and look for anomalous traffic. sFlow samples all traffic on a switch interface, irrespective of the VLAN that the traffic is associated with, although VLAN information about the traffic is included in the samples where applicable. This allows recipients of the samples flexibility in terms of how they analyze the samples; as you might imagine there are a lot of different things one could do with such data in terms of sample analysis.

PCM traffic management is intended to show you what is happening on an actual interface - for physical ports, "the wire" - and does not break out its analysis by VLAN as a result. This allows the administrator to assess physical utilization of the interface as a whole. In a similar fashion, NIM inspects all sFlow data collected by PCM for threats irrespective of VLAN association since a threat could originate on any VLAN.

This shouldn't pose any threat to security. The sFlow samples taken contain at most the first 128 bytes of the sampled frame, which will largely be header data. PCM and NIM only inspect the header data, and only retain list-type structures that result from the analyzed headers; NIM further distills these lists by applying sophisticated analyses to them as it looks for traffic patterns that may indicate a threat, and informs the admin using a description of the suspected attack rather than displaying exact frame contents. The very nature of sFlow, the fact that it samples the frames on an interface no more frequently than every 50th frame, also provides some security because no stateful conversation data is captured from a given traffic stream.

In terms of layer 2 traffic, the fact that NIM can see this is actually one of its points of differentiation with respect to other security solutions. Most firewalls only look at layer 3 and above, but since NIM is utilizing sFlow samples it can see the entire frame in each sample including layer 2. This allows it to detect some threats that firewalls simply cannot see.

With all of that being said, there are some ways in which you can control what is reported by NIM. If you have device interfaces that are clearly unassociated with the VLANs that you want to monitor you can limit PCM's traffic collection on those ports to "statistics only" so that no sFlow is collected, or disable traffic collection on those ports altogether if you don't need it. You can do this by:

1. Selecting a group or device that you want to control sampling for in the PCM tree, and then selecting the Traffic tab shown.
2. Multi-selecting all of the ports shown in the Traffic tab or some subset upon which you wish to operate.
3. Once the desired ports are selected right-click on the "Cfg" column, choose the "Manual" submenu, and then choose "Manually enable statistics" to limit the selected ports to statistics polling only. For ports you don't need data from at all choose "Manually disable sampling and statistics".

You can also specify, within NIM, addresses to exclude from its analysis when it inspects the incoming samples for threats. Use the Agent Manager tool for the appropriate PCM agent(s), select the NIM tab, and click the "Configuration" button. Making sure the "NIM" (topmost) node is selected in the tree that is displayed, click the "Add" button and use CIDR notation to specify the Offender IP range that you want to exclude from NIM's analysis. Adding such exclusions at the "NIM" node ensures that the IP ranges are excluded from all threat analyses NIM performs - adding them at a lower node in the tree will only exclude them from the applicable subset of analyses.

I hope this helps. NIM can be a very useful tool, not just for detecting threats but also for revealing traffic patterns and content that may not have been apparent because of the fact that it looks at traffic across the whole network (as opposed to PCM traffic management, which displays traffic on a per-port basis).

Regards,

SVB
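The reply above describes three things a collector does with sFlow: it receives only the leading bytes (at most 128) of a sampled frame from any VLAN on the interface, the 802.1Q tag is part of those bytes, and offender-IP ranges in CIDR form can be excluded before analysis. The following is an added illustration written for this thread, not HP's, PCM's or NIM's code; it constructs a few frames inline, truncates them the way a header sample does, decodes the Ethernet/802.1Q/IPv4 headers, and applies a constructed management-range exclusion. The sFlow datagram encoding itself is not reproduced, and all MAC/IP values are made up.

```python
"""Added example (not HP's or the thread's code): shows what a header-only sFlow
sample of at most 128 bytes exposes from a frame on any VLAN, and how an
offender-IP exclusion list in CIDR form filters samples before analysis.
All frames are constructed inline; the sFlow datagram encoding itself is not
reproduced, only the truncated 'header bytes' a sample carries."""
import ipaddress
import struct

SAMPLE_HEADER_BYTES = 128  # upper bound on sampled header bytes, as stated in the reply


def build_frame(src_mac, dst_mac, vlan, src_ip, dst_ip, payload):
    """Construct an Ethernet frame (802.1Q tagged when vlan is not None)
    carrying a minimal IPv4 header and an opaque payload."""
    frame = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        frame += struct.pack("!HH", 0x8100, vlan & 0x0FFF)  # TPID + TCI (PCP/DEI zero)
    frame += struct.pack("!H", 0x0800)
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return frame + payload


def take_sample(frame, max_bytes=SAMPLE_HEADER_BYTES):
    """An sFlow agent forwards only the leading bytes of a sampled frame."""
    return frame[:max_bytes]


def parse_sample(sample):
    """Decode Ethernet, optional 802.1Q tag and IPv4 addresses from a truncated sample.
    The VLAN tag sits in the first 18 bytes, so every sample reveals it regardless
    of which VLAN the collector itself lives on."""
    info = {"dst_mac": sample[0:6].hex(":"), "src_mac": sample[6:12].hex(":"),
            "vlan": None, "src_ip": None, "dst_ip": None, "payload_bytes_in_sample": 0}
    ethertype, offset = struct.unpack("!H", sample[12:14])[0], 14
    if ethertype == 0x8100:
        info["vlan"] = struct.unpack("!H", sample[14:16])[0] & 0x0FFF
        ethertype, offset = struct.unpack("!H", sample[16:18])[0], 18
    if ethertype == 0x0800 and len(sample) >= offset + 20:
        ihl = (sample[offset] & 0x0F) * 4
        info["src_ip"] = str(ipaddress.IPv4Address(sample[offset + 12:offset + 16]))
        info["dst_ip"] = str(ipaddress.IPv4Address(sample[offset + 16:offset + 20]))
        # bytes beyond the IP header that still made it into the sample (L4 header + some payload)
        info["payload_bytes_in_sample"] = max(0, len(sample) - (offset + ihl))
    return info


def is_excluded(ip, exclusion_cidrs):
    """Offender-IP exclusion in CIDR notation, the filter the reply describes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in exclusion_cidrs)


def analyze(frames, exclusion_cidrs):
    """Return (set of VLAN ids seen in samples, list of per-sample header records kept)."""
    vlans_seen, kept = set(), []
    for frame in frames:
        info = parse_sample(take_sample(frame))
        if info["vlan"] is not None:
            vlans_seen.add(info["vlan"])
        if info["src_ip"] and is_excluded(info["src_ip"], exclusion_cidrs):
            continue  # dropped before any threat analysis
        kept.append(info)
    return vlans_seen, kept


# Constructed traffic: one untagged frame on the management VLAN, two tagged frames
# from user VLANs; the last carries a large payload to show the 128-byte truncation.
FRAMES = [
    build_frame("00:11:22:33:44:01", "00:11:22:33:44:ff", None, "10.10.5.5", "10.10.5.1", b"mgmt"),
    build_frame("00:11:22:33:44:02", "00:11:22:33:44:fe", 200, "192.168.1.10", "192.168.1.20", b"x" * 10),
    build_frame("00:11:22:33:44:03", "00:11:22:33:44:fd", 1500, "172.16.9.9", "172.16.9.1", b"A" * 1000),
]
MANAGEMENT_EXCLUSION = ["10.10.0.0/16"]  # constructed: exclude the switch-management range


def demo():
    return analyze(FRAMES, MANAGEMENT_EXCLUSION)


if __name__ == "__main__":
    vlans, kept = demo()
    print("VLANs visible in samples:", sorted(vlans))
    for rec in kept:
        print(rec)
```

Running it shows VLANs 200 and 1500 in the samples although the collector was never a member of either, which is the behaviour the original question observed. The 1000-byte frame is cut to 128 bytes, of which 38 are Ethernet, 802.1Q and IPv4 header; that still leaves 90 bytes, so after a 20-byte TCP header a few dozen bytes of application data can be present in a sample. This is why the reply's point that only derived, list-type structures are retained (rather than raw sample bytes) is the property worth confirming when evaluating the collector.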
lightxx
Frequent Advisor

Re: Network Immunity Manager - why does it see VLAN traffic outside the management VLAN?

Steve,

Thank you very much for your quick and highly competent answer! You managed to resolve all doubts about the security aspect.
I clicked the "submit points" button, not sure if that did anything except for redirecting me to a "thanks for the feedback" page!

thanks,
Tom
nsqtr
Occasional Visitor

Re: Network Immunity Manager - why does it see VLAN traffic outside the management VLAN?

I realize this thread is a bit dated but I'm intrigued by the statement "NIM can be a very useful tool, not just for detecting threats but also for revealing traffic patterns and content that may not have been apparent because of the fact that it looks at traffic across the whole network (as opposed to PCM traffic management, which displays traffic on a per-port basis)."

Can you elaborate? Can NIM analyze network traffic flow in aggregate and report on a network traffic event/anomaly that is, perhaps, not easily attributable to one offender (at least not initially)? How would I specify that sort of network-level analysis in NIM? Thanks.
Steve Britt
Respected Contributor

Re: Network Immunity Manager - why does it see VLAN traffic outside the management VLAN?

Hi,

What was meant is that PCM traffic monitoring "silos" its analysis and presentation of data to each specific interface. No cross-interface or cross-network analysis of the data is performed; you simply see what is "on the wire" for each one whether the data is acquired via sFlow or simple statistics polling.

NIM, in contrast, doesn't silo its data analysis by interface and only operates on sFlow data. So one might see data used in the analysis of a particular offender reported from all across the network by sFlow-capable devices, and the data is assembled in a manner that (in most cases) does not depend upon what interface or sampling device it was obtained from. So in that sense "yes", NIM aggregates data for its analysis.

NIM beta customers often commented that they "had no idea that was happening on my network" after looking at some of the anomalies reported by NIM. Most of the anomalies reported were not malicious attacks, but because NIM is actually sifting the collected sFlow data for specific behaviors rather than just reporting what is happening (a la PCM) NIM was able to detect behaviors and traffic patterns that they were unaware of because they didn't have the means and/or time to do that kind of analysis themselves. This sometimes caused the beta customers to take action to eliminate the behaviors (e.g. "that guy shouldn't have access to that resource") and then use NIM to confirm that the anomalies were no longer reported afterward.

NIM's NBAD-based analyses are not configurable in the sense that you can "roll your own" analysis, and the current analyzers are aimed at detecting commonly malicious behaviors that are caused by an individual. But NIM can incorporate other sources of data such as switch-based SNMP traps (e.g. virus throttling, DHCP snooping, etc.) and IDS/IPS events; the convergence of an array of events from various sources on one offender can provide additional credence regarding the identification of their behavior as potentially malicious.

I hope this answers your question ...

Regards,

SVB
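To make the contrast in the reply above concrete (a per-interface "silo" that only reports what each interface saw, versus a view that merges samples from every sFlow-capable device per offender, with SNMP-trap and IDS events adding credence), here is an added example written for this thread. It is not NIM's or PCM's code and its record and event field names are its own; the flow records and events are constructed inline. It generalises the reply's point to one simple analyzer: a fan-out check that only trips once samples from several interfaces are combined.

```python
"""Added example (not HP's or the thread's code): contrasts a per-interface
('siloed') view of sampled flows with an aggregate per-offender view across
every sampling device, and shows how corroborating events from other sources
raise confidence in an offender. Records and events are constructed inline;
field names are this example's own, not NIM's."""
from collections import defaultdict

# Constructed flow records as a collector might derive from header samples:
# (agent_ip, ifindex, src_ip, dst_ip, dst_port). Host 10.1.1.50 touches twelve
# distinct destinations, but only three are visible from any single interface.
RECORDS = []
for agent, ifindex in [("10.0.0.1", 1), ("10.0.0.1", 2), ("10.0.0.2", 1), ("10.0.0.3", 7)]:
    for _ in range(3):
        RECORDS.append((agent, ifindex, "10.1.1.50", "10.3.0.%d" % (len(RECORDS) + 1), 445))
RECORDS += [("10.0.0.2", 3, "10.2.2.7", "10.3.0.100", 80),
            ("10.0.0.2", 3, "10.2.2.7", "10.3.0.101", 80)]

# Constructed events from other sources (switch traps, IDS), keyed by offender IP.
EVENTS = [("snmp_trap:dhcp_snooping", "10.1.1.50"), ("ids_alert", "10.1.1.50"),
          ("snmp_trap:virus_throttle", "10.2.2.7")]


def per_interface_view(records):
    """Per-interface silo: distinct destinations per (agent, ifindex, src)."""
    dests = defaultdict(set)
    for agent, ifindex, src, dst, _port in records:
        dests[(agent, ifindex, src)].add(dst)
    return {key: len(value) for key, value in dests.items()}


def aggregate_by_offender(records):
    """Network-wide view: merge samples from every agent and interface per source IP."""
    agg = defaultdict(lambda: {"agents": set(), "interfaces": set(), "dests": set(), "ports": set()})
    for agent, ifindex, src, dst, port in records:
        entry = agg[src]
        entry["agents"].add(agent)
        entry["interfaces"].add((agent, ifindex))
        entry["dests"].add(dst)
        entry["ports"].add(port)
    return agg


def flag_offenders(agg, events, min_dests=8):
    """Flag sources fanning out to many destinations; attach corroborating events."""
    flagged = {}
    for src, entry in agg.items():
        if len(entry["dests"]) < min_dests:
            continue
        flagged[src] = {
            "distinct_dests": len(entry["dests"]),
            "interfaces_seen": len(entry["interfaces"]),
            "ports": sorted(entry["ports"]),
            "corroborating_events": sorted(name for name, ip in events if ip == src),
        }
    return flagged


def demo(min_dests=8):
    """Return (largest fan-out any single interface saw, offenders flagged network-wide)."""
    silo = per_interface_view(RECORDS)
    return max(silo.values()), flag_offenders(aggregate_by_offender(RECORDS), EVENTS, min_dests)


if __name__ == "__main__":
    silo_max, flagged = demo()
    print("largest per-interface fan-out:", silo_max)
    for src, detail in flagged.items():
        print(src, detail)
```

With the constructed data, no interface on its own sees more than three destinations from 10.1.1.50, so a per-port view gives no reason to look at it; the merged view counts twelve across four interfaces on three agents and the two independent events attached to that address are what the reply calls convergence on one offender.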
nsqtr
Occasional Visitor

Re: Network Immunity Manager - why does it see VLAN traffic outside the management VLAN?

Yes, this is great. Thanks