Observer GigaFlow

Glossary

  • AES: the Advanced Encryption Standard, also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. See Advanced Encryption Standard at Wikipedia for more.
  • (An) Application: is an abstract entity within the Application Layer that specifies the shared communications protocols and interface methods used by a particular Flow Object on your network.
  • Application Layer: An application layer is an abstraction layer that specifies the shared communications protocols and interface methods used by hosts in a communications network. The application layer abstraction is used in both of the standard models of computer networking: the Internet Protocol Suite (TCP/IP) and the OSI model. Although both models use the same term for their respective highest level layer, the detailed definitions and purposes are different. See application layer at Wikipedia for more.
  • Appid: the application ID is a unique identifier for each application. In GigaFlow, Appid is a positive or negative integer value. The way in which the Appid is generated depends on which of the 3 ways the application is defined within the system. Following the hierarchy outlined in Configuration > Profiling -- Apps/Options -- Defined Applications, a negative unique integer value is assigned if (1) the application is associated with a Profile Object or (2) if it is named in the system. If the application is given by its port number only (3), a unique positive integer value is generated that is a function of the lowest port number and the IP protocol.
  • ARP: the Address Resolution Protocol is a protocol used by the Internet Protocol (IP) to map IP network addresses to the hardware (MAC) addresses used by a data link protocol. Although ARP itself operates at Layer 2, it is what routers use for Layer-3 forwarding, as opposed to Layer-2 switching, where CAM tables are used. See Address Resolution Protocol (arp) by Godred Fairhurst for more.
  • Alert: is a GigaFlow record that is created when a monitored flow pattern matches certain criteria. Alerts are usually triggered by unwanted behaviour on the network. See System > Alerting.
  • Allowed: in GigaFlow, an allowed flow pattern is one that will not cause an exception, i.e. trigger an alert. This is used in GigaFlow's Profiler. See Configuration > Profiling for more.
  • Base DN: or Base Distinguished Name. In the LDAP directory, each object has a unique path to its place in the directory. This path is the DN. The base DN is the start part of this LDAP path. See Lightweight Directory Access Protocol at Wikipedia for more.
  • Blacklist: this is a list of known malevolent or likely malevolent IP addresses, compiled from online threat lists.
  • CAM: a content-addressable memory (CAM) table is the usual implementation of a MAC table, more correctly called a forwarding information base (FIB). A CAM table is a dynamic list of MAC addresses and their corresponding ports. The CAM table is used to enable Layer-2 switching, i.e. direct connections between machines within a LAN at the Layer-2 level. The CAM table is closely associated with the ARP table. See forwarding information base at Wikipedia for more.
  • Class of Service (COS): Class of service is a parameter used in data and voice protocols to differentiate the types of payloads contained in the packet being transmitted. See class of service at Wikipedia for more.
  • Client: a client is a piece of computer hardware or software that accesses a service made available by a server, in this case GigaFlow. See client (computing) at Wikipedia for more.
  • Context (SNMP): SNMP contexts provide VPN users with a secure way of accessing MIB (management information base) data. See Cisco for more.
  • Deduplication: In computing, data deduplication is a specialized data compression technique for eliminating duplicate copies of repeating data. See data deduplication at Wikipedia for more.
  • Destination IP Address: the destination IP address is the intended receiver of information in a computer-to-computer communication.
  • Device: see Infrastructure Device.
  • Domain Controller: On Microsoft Servers, a domain controller (DC) is a server computer that responds to security authentication requests (logging in, checking permissions, etc.) within a Windows domain. See domain controller at Wikipedia for more.
  • DSCP: or Type of Service. "The type of service (ToS) field in the IPv4 header has had various purposes over the years, and has been defined in different ways by five RFCs. The modern redefinition of the ToS field is an 8-bit differentiated services field (DS field) which consists of a 6-bit Differentiated Services Code Point (DSCP) field and a 2-bit Explicit Congestion Notification (ECN) field". See type of service at Wikipedia for more.
  • DNS: the Domain Name System is the naming system used by all devices connected to the Internet. See Domain Name System at Wikipedia for more.
  • Entry: an entry flow pattern in GigaFlow is a flow pattern used to define a Profile to be tested against an Allowed profile. This concept is used in GigaFlow's Profiler tool. See Configuration > Profiling for more.
  • Exceptions: these are the flow records that have not matched the Allowed flow record template.
  • (GigaFlow) Event: is a GigaFlow record that is created when a monitored flow pattern matches certain criteria. Some things that will trigger an event record include:
    • Attempts to access blacklisted resources.
    • Profile exceptions, i.e. behaviours deviating from norms.
    • A SYN flood event.
    • A lost neighbour.
    • A new connected device sending flows.
    • A connected device that stops sending flows.

    See Dashboards > Events for more.

  • Flow: a flow is a unique stream of packets in one direction. Cisco standard NetFlow version 5 defines a flow as a unidirectional sequence of packets that all share the following 7 values:
    • Ingress interface (SNMP ifIndex).
    • Source IP address.
    • Destination IP address.
    • IP protocol.
    • Source port for UDP or TCP, 0 for other protocols.
    • Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols.
    • IP Type of Service.

    (Taken from Wikipedia.)

    GigaFlow supports NSEL, sFlow v5, jFlow, IPFIX, Netflow v5 and Netflow v9.

  • Flow Object: this is the abstract grouping of a series of flows that can be called by the profiler. Flow Objects are defined in the Profiler. See Configuration > Profiling for more.
  • Flow Posture: if a flow creates a blacklist or profile event, an event or alert flow record is created.
  • Flow Record Fields in GigaFlow with Java types:
    • customerid integer: stores the traffic group source identifier.
    • device numeric(39,0): stores the numeric IPV6 address of the device sending us the flow/syslog records.
    • engineid integer: stores the traffic group destination identifier.
    • srcadd numeric(39,0): stores the numeric IPV6 address of the source for the traffic in this record.
    • dstadd numeric(39,0): stores the numeric IPV6 address of the destination for the traffic in this record.
    • nexthop numeric(39,0): stores the numeric IPV6 address of the nexthop for the traffic in this record.
    • inif integer: SNMP ifIndex of the input interface that saw the traffic for this flow.
    • outif integer: SNMP ifIndex of the output interface that saw the traffic for this flow.
    • pkts bigint: number of packets transmitted in this flow.
    • bytes bigint: number of octets/bytes transmitted in this flow.
    • firstseen bigint: millisecond timestamp of when this flow started.
    • duration bigint: millisecond duration of this flow.
    • srcport integer: source port number for traffic in this flow record.
    • dstport integer: destination port number for traffic in this flow record.
    • flags integer: TCP flags as an integer value.
    • proto integer: IP Protocol number for this flow record.
    • tos integer: IP TOS/COS value for this flow record.
    • appid integer: assigned application ID; the lowest of src/dst port number.
    • srcas integer: source AS number used for this flow.
    • dstas integer: destination AS number used for this flow.
    • userid text COLLATE pg_catalog."default": user ID for this flow, may be as sent or inferred from other sources.
    • userdomain text COLLATE pg_catalog."default": user domain for this flow, may be as sent or inferred from other sources.
    • srcmac bigint: source MAC address (Java long value), either as supplied or inferred from other sources.
    • dstmac bigint: destination MAC address (Java long value), either as supplied or inferred from other sources.
    • postureid integer: marking to indicate this flow is of interest (due to blacklist or profiling problems).
    • spare integer: used to store the first packet response value. -1 = unset, -2 = no response in scope.
    • url text COLLATE pg_catalog."default": free text field; used for application names or URL data.
    • fwextcode integer: additional field used to identify traffic (from Cisco NSEL).
    • fwevent integer: additional field used to identify events (from Cisco NSEL).
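As an added example (not code from the GigaFlow product or its documentation), the Python below folds constructed sample packets into unidirectional flows keyed on the NetFlow v5 7-tuple defined under Flow above, and emits records named after the flow record fields just listed. The packet layout, the widening of IPv4 addresses to their IPv6-mapped form to fit a numeric(39,0) column, and the packing of ICMP type/code into the destination port are assumptions of this example.

```python
import ipaddress

# Constructed sample packets (not real captures):
# (inif, src, dst, proto, l4a, l4b, tos, tcp_flags, length, ts_ms);
# for TCP/UDP l4a/l4b are the ports, for ICMP they are type/code.
PACKETS = [
    (2, "10.0.0.5", "192.0.2.10", 6, 51000, 443, 0, 0x02, 60, 1000),   # SYN
    (3, "192.0.2.10", "10.0.0.5", 6, 443, 51000, 0, 0x12, 60, 1010),   # SYN-ACK (reverse direction)
    (2, "10.0.0.5", "192.0.2.10", 6, 51000, 443, 0, 0x10, 52, 1020),   # ACK
    (2, "10.0.0.5", "192.0.2.10", 6, 51000, 443, 0, 0x18, 500, 1030),  # PSH-ACK with data
    (2, "10.0.0.5", "192.0.2.53", 17, 40000, 53, 0, 0, 80, 2000),      # UDP DNS query
    (2, "10.0.0.5", "192.0.2.1", 1, 8, 0, 0, 0, 64, 3000),             # ICMP echo request
]

def ip_to_numeric(addr: str) -> int:
    """Integer form for a numeric(39,0) column; IPv4 is widened to IPv6-mapped (assumption)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + addr)
    return int(ip)

def flow_key(pkt):
    """NetFlow v5 7-tuple: ports are 0 for non-TCP/UDP; ICMP type/code packed as type*256+code."""
    inif, src, dst, proto, l4a, l4b, tos = pkt[:7]
    if proto in (6, 17):            # TCP, UDP
        srcport, dstport = l4a, l4b
    elif proto == 1:                # ICMP
        srcport, dstport = 0, l4a * 256 + l4b
    else:
        srcport = dstport = 0
    return (inif, src, dst, proto, srcport, dstport, tos)

def aggregate(packets):
    """Fold packets into unidirectional flow records using GigaFlow's field names."""
    flows = {}
    for p in packets:
        key = flow_key(p)
        tcp_flags, length, ts = p[7:]
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = {
                "inif": key[0], "srcadd": ip_to_numeric(key[1]),
                "dstadd": ip_to_numeric(key[2]), "proto": key[3],
                "srcport": key[4], "dstport": key[5], "tos": key[6],
                "pkts": 0, "bytes": 0, "flags": 0, "firstseen": ts, "_last": ts,
            }
        rec["pkts"] += 1
        rec["bytes"] += length
        rec["flags"] |= tcp_flags                 # cumulative OR of TCP flags seen
        rec["firstseen"] = min(rec["firstseen"], ts)
        rec["_last"] = max(rec["_last"], ts)
    for rec in flows.values():                    # duration in ms, as the duration field
        rec["duration"] = rec.pop("_last") - rec["firstseen"]
    return flows
```

Note that the SYN-ACK from 192.0.2.10 lands in a separate flow: a flow is one direction only, so a TCP session always appears as two records.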
  • FlowSec: see Secflow.
  • Hash function: a hash function is any function that can be used to map data of arbitrary size to data of a fixed size. Hash functions are used to uniquely identify secret information, for example user login data. See hash function at Wikipedia for more.
  • Hits: in GigaFlow, this is the number of flow records that have matched a particular filter, rule or Allowed profile.
  • (SNMP) IfIndex: From Cisco - "One of the most commonly used identifiers in SNMP-based network management applications is the Interface Index (ifIndex) value. IfIndex is a unique identifying number associated with a physical or logical interface. For most software, the ifIndex is the name of the interface".
  • Infrastructure Device: is any computing machine connected to your network.
  • IP Address: an Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing. See IP address at Wikipedia for more.
  • LAN: A local area network (LAN) is a computer network that interconnects computers within a limited area such as a residence, school, laboratory, university campus or office building. See local area network at Wikipedia.
  • Layer-2 (L2): in the seven-layer OSI model of computer networking, the data link layer is Layer-2. This layer is the protocol layer that transfers data between adjacent network nodes in a wide area network (WAN) or between nodes on the same local area network (LAN) segment. See data link layer at Wikipedia for more.
  • Layer-3 (L3): in the seven-layer OSI model of computer networking, the network layer is Layer-3. The network layer is responsible for packet forwarding including routing through intermediate routers. The TCP/IP Internet Layer is a subset of the OSI Network Layer. See network layer at Wikipedia for more.
  • LDAP: the Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to validate users. See Lightweight Directory Access Protocol at Wikipedia for more.
  • Lost Neighbour: a monitored IP address that disappears.
  • MAC Address: the media access control address of a device is a unique identifier assigned to a network interface controller (NIC) for communications at the data link layer of a network segment. See MAC address at Wikipedia for more.
  • MD5: or the Message-Digest 5 algorithm, is a hash function designed by Ronald Rivest at MIT. See hash function.
  • Nashorn: is a JavaScript engine developed in the Java programming language by Oracle. GigaFlow uses Nashorn to power its JS functionality. See Nashorn (JavaScript engine) at Wikipedia and Oracle Nashorn at Oracle for more.
  • Network Address Translation (NAT): is a method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. See Network address translation at Wikipedia for more.
  • NetFlow: is a feature that was introduced on Cisco routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. GigaFlow supports NSEL, sFlow v5, jFlow, IPFIX, Netflow v5 and Netflow v9. See also Flow. See NetFlow at Wikipedia for more.
  • Poller: A Poller is a collection of devices and template management information base (MIB) variables configured in the LAN management solution (LMS) to monitor the utilization and availability levels of devices that are connected to the network. (Cisco).
  • PostgreSQL: GigaFlow uses PostgreSQL as its database. See PostgreSQL for more.
  • Profile Monitoring: GigaFlow actively monitors flows on your network and matches patterns against flow Profiles created using the Profiler tool. See Configuration > Profiling for more.
  • Profiler: GigaFlow allows the creation of an abstract profile. A profile is a flow object that is itself a combination of flow objects. A profile defines an acceptable flow pattern for your network. This concept is used in GigaFlow's Profiler tool. See Configuration > Profiling for more.
  • Router: a router is a networking device that forwards data packets between computer networks. A router is primarily a Layer-3 device. See router (computing) at Wikipedia for more.
  • Sample Rate (Netflow): some devices, especially older ones, can send sFlow and jFlow in a sampled format. GigaFlow supports sampled data, re-sampling to the correct rate. By default, if the sample rate is contained in the flow record, GigaFlow will use this to resample. If the sample rate is not contained in the flow record, it can be set manually for the device.

    To manually set the sample rate for a device, go to Configuration > Infrastructure Devices > Detailed Device Information and Storage Settings.

  • Secflow records: a portmanteau of "security" and "flow". Used to denote flow records that indicate a GigaFlow security event.
  • SHA: or Secure Hash Algorithm, developed by the NSA. See hash function.
  • SIEM: In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware. See Security information and event management at Wikipedia.
  • SNMP: Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, printers, and more. See Simple Network Management Protocol at Wikipedia for more.
  • Source IP Address: the source IP address is the sender of information in a computer-to-computer communication.
  • SQL: Structured Query Language, used to interact with the PostgreSQL database. You can find a complete SQL manual at the PostgreSQL website.
  • SYN: to establish a connection, TCP uses a three-way handshake. Before a client attempts to connect with a server, the server must first bind to and listen at a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open. To establish a connection, the three-way (or 3-step) handshake occurs:
    • SYN: The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A.
    • SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number i.e. A+1, and the sequence number that the server chooses for the packet is another random number, B.
    • ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value i.e. A+1, and the acknowledgement number is set to one more than the received sequence number i.e. B+1.

    At this point, both the client and server have received an acknowledgment of the connection. Steps 1 and 2 establish and acknowledge the connection parameter (sequence number) for one direction; steps 2 and 3 establish and acknowledge it for the other direction. With these, a full-duplex communication is established. See Transmission Control Protocol at Wikipedia.

  • SYN Flood: a SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. See SYN flood at Wikipedia.
  • Syslog: is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity level. See syslog at Wikipedia.
  • User: depends on context. The User can be a person authorized to log into your GigaFlow system. See System > Users for more. User can also refer to people authorized to access devices on your network.
  • VLAN: or Virtual LAN. "A VLAN is a group of devices on one or more LANs that are configured to communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments ... VLANs define broadcast domains in a Layer 2 network". See Understanding and Configuring VLANs at Cisco and Virtual LAN at Wikipedia.
  • Watchlists: refers to both blacklists and the opposite, whitelists.