Using saved Scrutinizer reports, the Flow Analytics Module can monitor and send out syslogs when traffic patterns violate specified thresholds. For example, the Flow Analytics Module can be used to monitor an application for a certain ToS within a class A subnet.

Enhanced Security Awareness

o Administrators can create a list of banned applications and be alerted when their traffic is identified
o Detect malicious traffic such as DDoS attacks, worm traffic and more

o Detect numerous types of network scans such as SYN, XMAS & FIN
o Detect rogue IP addresses that lie outside of predefined subnets

The enhanced security functionality alone makes Scrutinizer with Flow Analytics an invaluable tool in an administrator’s arsenal. Know exactly what is happening on the network: where traffic originated, where it is going and what type of traffic it is. Is someone planning an attack by scanning the corporate network? Did one of the servers get infected with malware and launch a DDoS attack? Scrutinizer can automatically detect these activities and alert administrators immediately upon detection.

At the heart of Scrutinizer’s attack detection capabilities are a behavioral analysis engine and a periodically updated known-threats database. IT administrators can use Scrutinizer to identify and alert on threats such as DDoS attacks, port scanning and attacks from infected hosts behind the firewall. In turn this allows the administrator to remediate threats by making configuration changes, such as disabling ports and modifying ACLs on routers, switches and firewalls. Scrutinizer uses configurable algorithms to analyze flow data from the entire network infrastructure, or from a pre-configured sub-selection of devices and exporter tables, and automatically sends syslog messages when trouble arises. Using Scrutinizer, IT staff can identify: RST/ACK worms, zero-day worms, SYN floods, DoS and DDoS attacks, NULL, FIN and XMAS scans, port scanning, P2P file sharing, excessive ICMP unreachable messages, excessive multicast traffic, prohibited traffic being tunneled through allowed protocols (DPI on TCP port 80), known compromised Internet hosts, illegal IP addresses, policy violations and internal misuse, poorly configured or rogue devices, and unauthorized application deployments.
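The paragraph above describes scan detection and rogue-host detection driven by flow records and configurable thresholds, with alerts emitted as syslog. The following is an added example written for this page, not Scrutinizer's own code: it classifies the cumulative TCP flags in constructed NetFlow-style records into NULL/FIN/XMAS/SYN probe patterns, raises an alert only when a source touches more destination ports than a configurable threshold, checks sources against a list of allowed subnets, and formats the results as syslog lines. The record layout, subnet list, threshold value and facility are all assumptions chosen for the illustration.

```python
"""Flow-record scan and rogue-host detector (added example, not Scrutinizer code)."""
from collections import defaultdict
import ipaddress

# TCP flag bits as carried in a NetFlow v5/v9 "tcp_flags" field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(tcp_flags):
    """Map a flow's cumulative TCP flags to a probe type, or None for normal traffic."""
    if tcp_flags == 0:
        return "NULL"
    if tcp_flags == FIN:
        return "FIN"
    if tcp_flags == FIN | PSH | URG:
        return "XMAS"
    if tcp_flags == SYN:            # SYN seen but never an ACK or RST in the flow
        return "SYN"
    return None


def detect_scans(flows, port_threshold=5):
    """Return {(src, probe_type): n_targets} for sources whose probe-like flows
    touched more than port_threshold distinct (dst, dst_port) pairs."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] != 6:         # only TCP carries meaningful flags; UDP flags=0 is not a NULL scan
            continue
        kind = classify_flags(f["tcp_flags"])
        if kind:
            targets[(f["src"], kind)].add((f["dst"], f["dst_port"]))
    return {k: len(v) for k, v in targets.items() if len(v) > port_threshold}


def rogue_sources(flows, allowed_subnets):
    """Sources that fall outside every allowed subnet (assumed allow-list, CIDR strings)."""
    nets = [ipaddress.ip_network(n) for n in allowed_subnets]
    rogue = set()
    for f in flows:
        ip = ipaddress.ip_address(f["src"])
        if not any(ip in n for n in nets):
            rogue.add(f["src"])
    return sorted(rogue)


def syslog_line(severity, msg, host="flow-collector"):
    """Build an RFC 3164-style line; facility local0 (16) is an assumption."""
    pri = 16 * 8 + severity
    return f"<{pri}>{host} flowalert: {msg}"


def build_sample_flows():
    """Constructed flow records for the demo (not captured data)."""
    flows = []
    for p in (21, 22, 23, 25, 80, 443):     # SYN-only probes to 6 ports: over threshold
        flows.append(dict(src="10.0.0.5", dst="192.168.1.10", proto=6,
                          dst_port=p, tcp_flags=SYN, packets=1))
    for p in (135, 139, 445):               # XMAS probes to 3 ports: under threshold, no alert
        flows.append(dict(src="10.0.0.5", dst="192.168.1.11", proto=6,
                          dst_port=p, tcp_flags=FIN | PSH | URG, packets=1))
    flows.append(dict(src="10.0.0.7", dst="192.168.1.10", proto=6,      # completed session
                      dst_port=443, tcp_flags=SYN | ACK | PSH | FIN, packets=42))
    flows.append(dict(src="172.16.9.9", dst="192.168.1.10", proto=17,   # UDP from outside allow-list
                      dst_port=53, tcp_flags=0, packets=3))
    return flows


def run(flows, allowed_subnets, port_threshold=5):
    """Produce the syslog alerts a collector would emit for these flows."""
    alerts = []
    for (src, kind), n in sorted(detect_scans(flows, port_threshold).items()):
        alerts.append(syslog_line(4, f"{kind} scan from {src} touched {n} destination ports"))
    for src in rogue_sources(flows, allowed_subnets):
        alerts.append(syslog_line(3, f"rogue source {src} outside allowed subnets"))
    return alerts


if __name__ == "__main__":
    for line in run(build_sample_flows(), ["10.0.0.0/8", "192.168.0.0/16"]):
        print(line)
```

Two design points carry over to real collectors: the threshold is applied per source and probe type so that a handful of odd packets does not page anyone, and flag classification is restricted to TCP flows, since a UDP record with an all-zero flag field would otherwise be misread as a NULL scan.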

The Flow Analytics Module can utilize the local DNS to resolve IP addresses in real-time. This allows Scrutinizer to group traffic into domains without having to define ranges of IP addresses which could otherwise quickly become a nightmare to manage. With this feature, Scrutinizer can be configured to monitor traffic to or from specific domains and alert an administrator when preconfigured thresholds are met or exceeded.

The history of repeat offenders can be easily identified through the use of a Unique Index (UI) to manage traffic counts. In addition, the Flow Analytics Module helps locate machines involved with DDoS attacks or infected with viruses/worms.

The Flow Expert Window provides insight into immediate network problems as they occur, helping to identify and resolve DoS attacks, bottlenecks, network scans, improperly terminated connections and more. Traditionally, the functionality provided by this "Expert Window" feature has only been found in packet analyzers.

Supported protocols & other technical specifications

o Support for L7 application awareness by using NBAR or IPFIX
o Automatic DNS resolution

Tired of looking at a list of meaningless IP addresses? Wouldn’t it be great if the flow-analyzer could perform reverse DNS lookups on those addresses in real time? Want to know what specific Web 2.0 applications are being accessed on the network? Scrutinizer with the Flow Analytics module can do all that. Administrators running Flexible NetFlow with NBAR or IPFIX with extensions can easily identify applications such as YouTube, Facebook, eBay and more instead of just seeing ’TCP port 80’ on the report.

SonicWALL Scrutinizer 9.0.1 Release Notes

P/N 232-000861-00 Rev A
