By collecting and analyzing data from Cisco ASA with Lancope’s StealthWatch System, organizations can:
• Increase visibility and security context at the network edge
• Consume and stitch together NAT data to more accurately pinpoint the source of issues such as MPAA/RIAA copyright infringements
• Audit firewall rules through flow analysis
• Achieve better performance and scalability for network and security monitoring
• Save vast amounts of time and money spent correlating data points from various sources
• More confidently demonstrate compliance with regulations such as PCI
2. Agenda
The need for more information and context
– The Cyber Threat Defense
What is NSEL?
How NSEL and StealthWatch work together
Examples
Summary
3. Cyber Threat Defense Solution
Visibility, Context, and Control
– Use NetFlow data to extend visibility to the access layer
– Unify into a single pane of glass for detection, investigation and reporting
– Enrich flow data with identity, events and application to create context (who, what, where, when, how)
[Diagram: devices on the internal network, with flow and context sources labeled Hardware-enabled NetFlow Switch, Cisco ISE, Cisco ISR G2 + NBAR, and Cisco ASA + NSEL]
4. What is NSEL?
NetFlow Security Event Logging
Provides visibility into policy enforcement points (the ASA)
Created as an efficient event reporting mechanism, compared with the traditional one:
– Syslog (traditional firewall event reporting mechanism): verbose, text based, one event per syslog message; ~30% processing overhead on the ASA
– NetFlow: compact, binary, multiple event records per exported packet; ~7-10% processing overhead
5. NSEL Implementation Details
Cisco NSEL slightly deviates from standard NetFlow
– An NSEL flow is bidirectional: one record covers both directions of a connection, where standard NetFlow exports each direction as a separate unidirectional flow
– An NSEL flow is equivalent to an ASA connection
– NSEL events are generated per ASA connection
Event based
– Records were originally generated only for the three connection-status events (creation, teardown, denial)
– Starting in ASA 8.4(5), flow-update events are also generated on an activity timer, so long-lived connections report their counters before teardown
– Denied connections also generate NSEL records
NSEL records are issued for the following events
– Flow creation: issued for every flow that is created
– Flow teardown: issued for every successfully created flow when it ends, carrying the connection's byte counts
– Flow denial: issued when a flow is denied by an ACL
– Flow update: issued periodically for active flows (ASA 8.4(5) and later)
6. How NSEL works: Flow Created
[Diagram: Client connects through Cisco ASA to Server; the ASA exports an NSEL record to the StealthWatch FlowCollector, which feeds the StealthWatch Management Console]
7. How NSEL works: Flow Tear Down
[Diagram: same topology; when the connection between Client and Server ends, the ASA exports a teardown NSEL record to the StealthWatch FlowCollector and on to the StealthWatch Management Console]
8. How NSEL works: Flow Denied
[Diagram: same topology; when the ASA denies the Client's connection to Server, it exports a denied NSEL record to the StealthWatch FlowCollector and on to the StealthWatch Management Console]
9. Flow Action
StealthWatch defines the NSEL flow event field as a Flow Action
Can provide additional context
– Identity
– Device Type
– Application Data
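The record semantics in slide 5 (one bidirectional record per connection, distinct create, teardown and deny events) and the Flow Action mapping in slide 9 are easier to see on the wire. The following is an added example in Python, not code from the deck or from Lancope or Cisco: it encodes a few constructed NSEL records into a NetFlow v9 packet, decodes them the way a collector must (by the template the exporter sends), names each record's Flow Action, stitches the NAT (xlate) fields onto the original tuple, and reads the bidirectional byte counts off the teardown record. The field IDs are the ones in Cisco's NSEL field reference; the function names, the sample addresses, and the three sample records are this example's own, and a real ASA export also carries options templates and further fields (ACL IDs, username) that the example ignores.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 field IDs used in Cisco ASA NSEL templates (Cisco's NSEL field
# reference) with their byte lengths. 40001-40004 are the NAT (xlate) fields.
FIELDS = {
    8: ("src_addr", 4), 12: ("dst_addr", 4), 7: ("src_port", 2), 11: ("dst_port", 2),
    4: ("protocol", 1), 233: ("fw_event", 1), 33002: ("fw_ext_event", 2),
    323: ("event_time_msec", 8), 231: ("fwd_bytes", 4), 232: ("rev_bytes", 4),
    40001: ("xlate_src_addr", 4), 40002: ("xlate_dst_addr", 4),
    40003: ("xlate_src_port", 2), 40004: ("xlate_dst_port", 2),
}
TEMPLATE_ORDER = [8, 12, 7, 11, 4, 233, 33002, 323, 231, 232, 40001, 40002, 40003, 40004]
TEMPLATE_ID = 256  # data flowset IDs start at 256; 0 and 1 are template flowsets
IPV4_FIELDS = {"src_addr", "dst_addr", "xlate_src_addr", "xlate_dst_addr"}
# NF_F_FW_EVENT values and the Flow Action names the deck uses for them.
FLOW_ACTION = {1: "Flow Created", 2: "Flow Tear Down", 3: "Flow Denied", 4: "Flow Alert", 5: "Flow Update"}
# NF_F_FW_EXT_EVENT codes for the ACL denials the deck describes.
EXT_EVENT = {1001: "denied by ingress ACL", 1002: "denied by egress ACL"}


def build_packet(records, include_template=True, source_id=1, seq=1):
    """Encode a NetFlow v9 packet: optional template flowset, then one data
    flowset holding each record's fields in TEMPLATE_ORDER (missing fields -> 0)."""
    tmpl_fs = b""
    if include_template:
        tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_ORDER))
        tmpl += b"".join(struct.pack("!HH", fid, FIELDS[fid][1]) for fid in TEMPLATE_ORDER)
        tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = b""
    for rec in records:
        for fid in TEMPLATE_ORDER:
            name, size = FIELDS[fid]
            val = rec.get(name, 0)
            if name in IPV4_FIELDS:
                val = int(IPv4Address(val)) if val else 0
            data += val.to_bytes(size, "big")
    pad = (-len(data)) % 4                       # flowsets are padded to 4-byte boundaries
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(data) + pad) + data + b"\0" * pad
    nrecs = len(records) + (1 if include_template else 0)
    header = struct.pack("!HHIIII", 9, nrecs, 0, 0, seq, source_id)
    return header + tmpl_fs + data_fs


def parse_packet(pkt, templates=None):
    """Decode NSEL records from a NetFlow v9 packet. `templates` persists across
    packets, keyed by (source_id, template_id): an ASA resends templates only
    periodically, so data that arrives before its template is known is dropped."""
    templates = {} if templates is None else templates
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", pkt, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    off, records = 20, []
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("bad flowset length")
        body, off = pkt[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:                           # template flowset (may carry several templates)
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                templates[(source_id, tid)] = [struct.unpack_from("!HH", body, p + 4 + 4 * i)
                                               for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256:                       # data flowset; options templates (id 1) are skipped
            tmpl = templates.get((source_id, fs_id))
            if tmpl is None:
                continue
            rec_len = sum(size for _, size in tmpl)
            for p in range(0, len(body) - rec_len + 1, rec_len):
                rec, q = {}, p
                for fid, size in tmpl:
                    name = FIELDS.get(fid, (f"field_{fid}", size))[0]
                    val = int.from_bytes(body[q:q + size], "big")
                    rec[name] = str(IPv4Address(val)) if name in IPV4_FIELDS else val
                    q += size
                records.append(rec)
    return records


def describe(rec):
    """Present one record as the Flow Action view: event name, denial reason,
    post-NAT source stitched to the original tuple, and the bidirectional byte
    counts a teardown record carries."""
    out = {"action": FLOW_ACTION.get(rec["fw_event"], f"event {rec['fw_event']}"),
           "flow": f"{rec['src_addr']}:{rec['src_port']} -> {rec['dst_addr']}:{rec['dst_port']}/{rec['protocol']}"}
    if rec["fw_event"] == 3:
        out["reason"] = EXT_EVENT.get(rec["fw_ext_event"], f"ext event {rec['fw_ext_event']}")
    # NAT stitching: the xlate fields give the translated address of the same connection,
    # so the public address an external party saw maps back to the inside host.
    translated = (rec["xlate_src_addr"] not in ("0.0.0.0", rec["src_addr"])
                  or rec["xlate_src_port"] not in (0, rec["src_port"]))
    if translated:
        out["nat_src"] = f"{rec['xlate_src_addr']}:{rec['xlate_src_port']}"
    if rec["fw_event"] == 2:                     # one record covers both directions
        out["bytes"] = {"fwd": rec["fwd_bytes"], "rev": rec["rev_bytes"]}
    return out


# Constructed sample (not captured from a real ASA): an inside host's HTTPS
# connection through PAT (create + teardown) and an inbound RDP attempt denied by the ingress ACL.
_HTTPS = {"src_addr": "10.1.1.20", "dst_addr": "203.0.113.9", "src_port": 51234, "dst_port": 443,
          "protocol": 6, "xlate_src_addr": "198.51.100.5", "xlate_dst_addr": "203.0.113.9",
          "xlate_src_port": 40001, "xlate_dst_port": 443}
SAMPLE_RECORDS = [
    dict(_HTTPS, fw_event=1, event_time_msec=1_700_000_000_000),
    dict(_HTTPS, fw_event=2, event_time_msec=1_700_000_030_000, fwd_bytes=1520, rev_bytes=98200),
    {"src_addr": "192.0.2.77", "dst_addr": "198.51.100.5", "src_port": 4444, "dst_port": 3389,
     "protocol": 6, "fw_event": 3, "fw_ext_event": 1001, "event_time_msec": 1_700_000_031_000},
]


def demo():
    """Round-trip the sample through the wire format and classify each record."""
    return [describe(r) for r in parse_packet(build_packet(SAMPLE_RECORDS))]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

Two things in the decoder matter in practice. Decoding is driven entirely by the template cached per exporter, so a collector started after the ASA's last template refresh silently drops data until the next one arrives (lower `flow-export template timeout-rate` on the ASA if that gap hurts). And the NAT stitching only works because the create and teardown records for a connection carry the same original tuple plus the xlate fields; a collector that only stored post-NAT addresses would lose the inside host.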
14. Summary
Provides flow and event visibility and context
– Reports details of a flow and associated events
Provides threat visibility and context
– Single pane of glass that unifies threat detection, visibility, forensics analysis, and reporting
[Diagram: Cisco ASA + NSEL exports to the StealthWatch FlowCollector, which feeds the StealthWatch Management Console]