NetFort Advertising

Monitoring Network Traffic Going In and Out of Your Network

Why you need to watch out for traffic going in and out of your network

One of the most common requests from customers at the moment is for LANGuardian reports which show what network traffic is entering and leaving their network. The recent WannaCry ransomware outbreak has made this type of reporting vital for all network and security managers. WannaCry actively scanned for networks which had TCP port 445 open and then used a vulnerability in SMBv1 to access network file shares.

Leaving ransomware to one side, it is always good practice to keep a very close eye on your network perimeter. Even if you have a very good firewall, mistakes can happen and rogue traffic will get through, or users will get around firewall rules using methods such as tunneling, external anonymizers and VPNs.

Defining what is your network edge

Typically, your network edge separates the local subnets on your network from all the external subnets outside it. Many of you will use private addresses internally, but it is not uncommon to find public IP blocks in use as well. In order to report on what is entering and leaving your network, you need to define what subnets are in use. If you only use private address ranges, then your internal networks could be represented by this list of subnets:

10.0.0.0/8,192.168.0.0/16,172.16.0.0/12

Creating subnet variables for use with LANGuardian reports

While you can use subnets directly within LANGuardian reports, you can save some time in the long run by using report variables. Click on the gear symbol top right and select Customization. From here, click on Report Variables and then Add New Report Variable.

  • Create a variable called External by using the subnet filter !10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
  • Create a variable called Internal by using the subnet filter 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12

Note that you will need to change the subnet lists above if you use public IP blocks inside your network. Just add them to the list using comma separators.

Top Tip: Add all of your remote sites and VLAN subnets as report variables to speed up troubleshooting. You can quickly see what applications are hogging bandwidth on WAN links by using LANGuardian to focus on traffic associated with the relevant subnet ranges.

Network edge report variables

Creating custom LANGuardian reports to focus on network edge activity

There are two reports I recommend you look at when it comes to network edge activity.

  1. Top external clients connecting inbound to my network
  2. Internal to External traffic flows

The steps to create a custom Top Clients report are as follows:

  1. Use the search box to locate the Bandwidth :: Top Clients report
  2. Click on the Source IP/Subnet box and select External
  3. Click Run Report
  4. When LANGuardian displays the report, click Actions on the report menu bar and select Save As.
  5. Enter a name and description, then click Save

The new report will be listed in the My Reports section.

The steps to create a custom Internal to External report are as follows:

  1. Use the Search box to locate the Bandwidth :: Sessions report.
  2. Click on the Source IP/Subnet field and select Internal
  3. Click on the Destination IP/Subnet field and select External
  4. Click Run Report
  5. When LANGuardian displays the report, click Actions on the report menu bar and select Save As.
  6. Enter a Name and Description, then click Save.

The new report will be listed in the My Reports section.
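
Both reports come down to classifying each flow's source and destination against the Internal and External variables. The following Python example is added here for illustration and is not LANGuardian code or part of the original post; it applies the same subnet lists to constructed flow records. The flow tuple layout, the function names and the reading of a leading `!` as negating the whole list are assumptions.

```python
import ipaddress
from collections import Counter

# Subnet filters copied from the two report variables defined on this page.
INTERNAL = "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"
EXTERNAL = "!10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"

def matches(ip, subnet_filter):
    """True if ip satisfies the filter (assumption: a leading '!' negates the whole list)."""
    negate = subnet_filter.startswith("!")
    nets = [ipaddress.ip_network(s.strip()) for s in subnet_filter.lstrip("!").split(",")]
    inside = any(ipaddress.ip_address(ip) in net for net in nets)
    return inside != negate

# Constructed flow records (not real traffic): (src, dst, protocol, dst_port, bytes)
FLOWS = [
    ("203.0.113.9", "192.168.1.20", "tcp", 445, 1200),
    ("203.0.113.9", "192.168.1.21", "tcp", 445, 900),
    ("198.51.100.4", "10.1.1.5", "tcp", 443, 52000),
    ("10.1.1.5", "198.51.100.77", "tcp", 443, 88000),
    ("172.16.4.2", "192.0.2.50", "udp", 1194, 400000),
    ("192.168.1.20", "10.1.1.5", "tcp", 445, 7000),  # internal to internal: in neither report
    ("172.32.0.1", "10.1.1.5", "tcp", 22, 300),      # just outside 172.16.0.0/12, so external
]

def top_external_clients(flows):
    """Report 1: bytes per external source talking to an internal host, largest first."""
    totals = Counter()
    for src, dst, _proto, _port, size in flows:
        if matches(src, EXTERNAL) and matches(dst, INTERNAL):
            totals[src] += size
    return totals.most_common()

def internal_to_external(flows):
    """Report 2: sessions with an internal source and an external destination."""
    return [f for f in flows if matches(f[0], INTERNAL) and matches(f[1], EXTERNAL)]

def inbound_smb_sources(flows):
    """External sources reaching TCP 445 on internal hosts, the exposure WannaCry scanned for."""
    return sorted({src for src, dst, proto, port, _size in flows
                   if proto == "tcp" and port == 445
                   and matches(src, EXTERNAL) and matches(dst, INTERNAL)})

if __name__ == "__main__":
    print(top_external_clients(FLOWS))
    print(internal_to_external(FLOWS))
    print(inbound_smb_sources(FLOWS))
```

If you use public IP blocks internally, add them to both filter strings so the two classifications stay complementary.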

network sessions

Take a read of this blog post if you would like to learn more about how to monitor network traffic on your network. It contains some handy tips on how to get visibility into what is happening inside your network.