Christophe Olivier
Sr. Product Manager - Network Visibility and Virtualization Solution
Blog

Ixia IxFlow App v2.0 for Splunk

August 21, 2019 by Christophe Olivier

Before getting into the details, let’s get a little perspective of the challenges of the “need for speed” in today networks. But first, an obligatory look at the Top Gun 2 - Maverick trailer because "need for speed."

It is human nature to get used to “things”, and network speeds are not different. Not that long ago we were thrilled when we could get 100 Mbps, then it was 1Gbps, then 10, then 25, 40, 100 and now we are talking about 400 Gbps! With such speeds, it is hard to keep track with reality, but such speeds don’t come without challenges. Infrastructure challenges, as well as challenges associated to network security. While it was taking a few microseconds to process a small network frame at 100Mbps, at 100Gbps, we are in the realm of nanoseconds to process the same frame; in short it is not getting easier and even with constantly improving technology, the traditional approach of analyzing network packets is becoming more and more difficult. Not only because of the amount of time left to process them, but also for the volume of traffic, and amount of information and number of events that security specialists have to deal with.

One way to overcome these challenges is to leverage network metadata to reduce the volume of data necessary for the first level of investigation. Metadata can provide context about a situation and quickly help isolate an issue. It can also be correlated with other network information to provide better context. Then digging into network packet analysis can be reserved for advanced forensics.

But first, what is metadata? A basic definition is: “Data about the data”. Metadata provides useful information about applications without getting into the details. You can read more about metadata, in this blog post “What is Metadata and why it matters?

How to generate metadata and what to do with it?

There are various types of network metadata, with NetFlow being one of the more common. Ixia AppStack can be a powerful source of enriched NetFlow, also called IxFlow. IxFlow leverages the custom fields available in NetFlow v10 (IPFIX) to provide application identification, geo-location, threat information, as well as information about HTTP, DNS, SSL certificates. IxFlow generation is available in select Ixia packet brokers, as well as a virtual solution. IxFlow metadata can be exported to specialized NetFlow collectors, like Scrutinizer from Plixer, LiveAction, FlowMon, but also to SIEMs like IBM QRadar or Splunk Enterprise.

Ixia IxFlow application extensions are freely available to Ixia customers from the IBM Marketplace and on Splunkbase.

These app extensions present the IxFLow metadata in an easy to read format, in a series of dashboards, to give the network specialist access to useful information without requiring the knowledge to write complex queries. The data is conveniently presented in several pages:

  • Overview
  • Application Details
  • Web/SSL Traffic
  • DNS Traffic
  • Threat Traffic

Below are some screenshots examples of the IxFlow extension for Splunk.

IxFlow Top Source Countries in Splunk IxFlow App
IxFlow Top Source Countries in Splunk IxFlow App

 

IxFlow Packet Metadata in Splunk for Industrial IoT
IxFlow Packet Metadata in Splunk for Industrial IoT

 

 

IxFlow Threat Traffic Metadata in the Splunk IxFlow App
IxFlow Threat Traffic Metadata in the Splunk IxFlow App

 

 

IxFlow Metadata on Top Devices in Splunk IxFlow App
IxFlow Metadata on Top Devices in Splunk IxFlow App

 

 

IxFlow Browser Metadata in Splunk IxFlow App
IxFlow Browser Metadata in Splunk IxFlow App

 

More on Ixia AppStack can be found here, with more on our entire line of network packet brokers here.