Cisco : Traffic Analysis & Encrypted Threat Analytics

Cisco Blog >Enterprise Networks

Today, knowing who is using your network is table stakes. Knowing what users are consuming on the network is essential for analysis. What applications are being used, when they are used and most importantly are those applications are safe enough and compliant with your organization policies.

Independent testing company Miercom recently carried out comprehensive set of tests to evaluate traffic analysis capabilities of Cisco's Digital Network Architecture & Huawei's Agile Solution along with few other test areas.

Application types on the network today:

[Attachment]

All major products in the networking business identifies the basic flows of the packets based on IP, port number etc. to show information about traffic to determine whether the flow is based on http (port 80), https (port 443), ftp (port 21) etc. It's very easy to identify and classify traffic based on these standard port numbers. However, now-a-days applications are evolving beyond using non-standard ports to using randomized ports. This makes it difficult to identify and classify flows based on HTTP and HTTPS. For example: A Skype call uses random higher order ports. Similarly, Bit Torrent uses randomized ports for every transaction. To identify such traffic Cisco uses deep packet inspection algorithm with its AVC (Application Visibility & Control) feature. Cisco AVC is sophisticated algorithm based on Cisco NBAR2 engine which enables consistent visibility and control across its switches, wireless & routing platforms. And offers granular and accurate application detection and control.

What about encrypted flows? There are more applications which are encrypted. Encrypted applications are difficult to identify because network devices cannot see inside encrypted packets because of technical issues or privacy concerns. Bad guys are becoming sophisticated and have begun taking advantage of the opportunity by injecting malware or ransomware inside encrypted traffic. This leaves the network administrator completely blind about network traffic which could potentially have a malware or botnet hidden inside encrypted packet.

Cisco took an innovative approach to identify threats inside the encrypted traffic with its new technology - ETA (Encrypted Threat Analytics). ETA enables Cisco's 9000 product portfolio to identify, classify & mitigate threats inside the encrypted traffic without decrypting the packets ensuring data privacy. Cisco StealthWatch platform enables multi-layered machine learning algorithm with help of 9000 series switches to offers ETA to monitor, detect, identify and mitigate threats.

Cisco StealthWatch's Cognitive Threat Analytics (CTA) dashboard showcases a number of malicious applications and activities on the network and provides a mechanism to quarantine such users from the network. ETA and CTA use innovative techniques such as sequence of packet length, timing, initial data packets to detect malicious traffic using a cloud based threat signature repository in order to keep up to date with latest threats in the world.

Miercom found out that, Huawei's networking products and features are still living in the 19 century with limited visibility of IP address & port numbers versus true application recognition. Huawei's NetStream technology (alternative to Cisco's NetFlow) running on Huawei's ENP (Ethernet Networking Processor) based switches showcased a lack of recognition resulting in poor visibility on an active network. Huawei also lacks the capability to detect any new or next-generation of threats which have begun to surface in the form of encrypted traffic.

Miercom evaluated both Huawei and Cisco based on three stages of traffic analysis-

1. Basic port based identification
2. Application level visibility
3. Threat detection in encrypted traffic

In all three test cases Huawei was only able to showcased IP address and port number on its CLI output. No useful information on the web interface.

[Attachment]

On contrary Cisco showed comprehensive output at every stage of the test especially during the stage 2 & 3.

Cisco AVC identified the accurate applications running on the network along with the amount of bandwidth they are consuming. Moreover, the collaboration applications like Spark are even classified at the sub-flow level to monitor audio/video call, messaging etc. Such granularity empowers the administrator to apply the granular policies based on application usage.

[Attachment]

Miercom was impressed with Cisco StealthWatch's detection of variety of malicious activities in the network which were completely missed by the Huawei infrastructure. Now administrator using Cisco solution can immediately response to such threat by taking corrective action to secure the network infrastructure and its users.

[Attachment]

Summary
Cisco products and services not only offers the strong foundation for your enterprise infrastructure but also make your organization ready to fight with today's hidden threats and ultimately saves lot of money in security damages. Whereas Huawei is only selling bare metal boxes which are not smart enough to offer the level of network visibility required to operate today's and tomorrow's networks.[Attachment]

Download the complete Miercom report here