Let us start with our core product for NPMD (Network Performance Monitoring and Diagnostics), Flowmon OS, which runs on your appliances (both hardware and virtual probes and collectors). Recently, we released a major new version, Flowmon 9.0. The release introduces performance improvements, web GUI enhancements, and a new version of the operating system.
Performance and GUI Improvements
Transitioning to CentOS 7 improves the performance and responsiveness of the Flowmon solution. After the upgrade, you will notice that the web GUI responds much faster. We also more than tripled the number of flow sources that can export flow data into one Flowmon Collector appliance (from 3000 sources to 10 000 in Flowmon 9.0). Besides performance improvements, there are new GUI features such as downloading traffic charts from the Report page in PNG format. So, if you see an interesting traffic chart you need to report on, you can easily download the picture. Another change is the management of channels in profile editing. Each channel is now on its own line, and clicking the pencil icon opens a dialog window where you can edit the channel just as you are used to. This change helps with managing profiles that have a large number of channels.
Fig. 1: New profile and channel editing.
New Operating System
The most important news in Flowmon 9.0 is under the hood and unfortunately not visible to users. However, it has a huge impact on the future development and performance of the whole system. Flowmon 9.0 now uses a new operating system, CentOS 7. This will enable us to grow and stay aligned with the latest standards.
Flowmon ADS 9.0
Flowmon ADS 9.0 is optimized for the Flowmon OS 9.x platform. This version also introduces changes under the hood, such as a new database for data processing to improve system performance, and several other improvements. The most anticipated feature is the ability to create custom behavior patterns.
User-defined behavior patterns
User-defined behavior patterns are a new feature allowing advanced users to customize and extend the detection capabilities of Flowmon ADS. Using an SQL-like syntax, you define behavior patterns that search flow data for specific behavior in network traffic. Example use-cases are detecting protocol anomalies, specific malware and ransomware, SQL injection, devices with outdated and vulnerable operating systems, and much more. User-defined behavior patterns use the same event pipeline as the other detection methods, so you can assign them to perspectives, assign priorities, and report and alert on detected behaviors.
Fig. 2: Sample use-cases.
As you can see, you can use various fields from flow data, variables, functions, operators and regular expressions to define behavior patterns. There are many possibilities, described in detail in the Flowmon ADS user guide. If you are interested in how user-defined behavior patterns helped to detect recent threats such as the WannaCry ransomware infection or the Intel® AMT vulnerability, check out the blog for more information.
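To make the idea of a flow-data behavior pattern concrete, here is an added example (not Flowmon's pattern syntax or code, and not from the original post) that uses plain SQL over a constructed in-memory flow table: it flags a source host that opens many short TCP/445 flows to distinct hosts, the fan-out that SMB worms such as WannaCry produce, while leaving an ordinary long-lived file-server session alone. Field names, thresholds and the sample records are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample flow records: (src_ip, dst_ip, dst_port, proto, packets, bytes).
# Made up for this illustration; not Flowmon data and not Flowmon's pattern syntax.
SAMPLE_FLOWS = (
    # one host fanning out to eight different hosts on TCP/445 with tiny flows
    [("10.0.0.5", f"10.0.1.{i}", 445, "TCP", 2, 120) for i in range(1, 9)]
    # a workstation with a normal, long-lived session to one file server
    + [("10.0.0.20", "10.0.0.50", 445, "TCP", 540, 402_000)]
    # a host touching only three SMB servers, below the threshold used here
    + [("10.0.0.7", f"10.0.0.{i}", 445, "TCP", 2, 120) for i in (50, 51, 52)]
    # unrelated HTTPS traffic from the scanning host (TEST-NET address)
    + [("10.0.0.5", "192.0.2.10", 443, "TCP", 30, 18_000)]
)

SCHEMA = """
CREATE TABLE flows (
    src_ip TEXT, dst_ip TEXT, dst_port INTEGER, proto TEXT,
    packets INTEGER, bytes INTEGER
)
"""

def load_flows(flows=SAMPLE_FLOWS):
    """Create an in-memory flow table and fill it with the given records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?, ?)", flows)
    return conn

# The behavior pattern: a source with short flows to many distinct hosts on
# TCP/445 looks like SMB worm propagation rather than ordinary file-server
# use, which involves few peers and long flows.
SMB_FANOUT_PATTERN = """
SELECT src_ip, COUNT(DISTINCT dst_ip) AS targets
FROM flows
WHERE proto = 'TCP' AND dst_port = 445 AND packets <= :max_packets
GROUP BY src_ip
HAVING COUNT(DISTINCT dst_ip) >= :min_targets
ORDER BY targets DESC
"""

def detect_smb_fanout(conn, min_targets=5, max_packets=4):
    """Return [(src_ip, distinct_targets), ...] for hosts matching the pattern."""
    params = {"min_targets": min_targets, "max_packets": max_packets}
    return conn.execute(SMB_FANOUT_PATTERN, params).fetchall()

if __name__ == "__main__":
    for src, n in detect_smb_fanout(load_flows()):
        print(f"{src} contacted {n} distinct hosts on TCP/445 with short flows")
```

Tuning `min_targets` and `max_packets` against your own baseline is what separates a scanner from a backup job that legitimately touches many SMB hosts.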
Flowmon APM 4.0
Flowmon APM 4.0 is also optimized for the Flowmon 9.0 platform running on CentOS 7. The main new feature of this release is recalculating historical statistics for newly created groups. Groups enable you to monitor a subset of an application. For example, you can create a group for a specific part of the application (the customer portal), for clients in an internal network or a particular branch, or a group for PHP files only. Groups help with troubleshooting and fast identification of problematic parts of an application. The new feature makes it straightforward to define a new group ad hoc and discover the root causes of application problems.
Fig. 3: Groups in Flowmon APM.
Flowmon DDoS Defender 3.02 & 4.0
Recently, we released a new version of our module for DDoS attack protection, Flowmon DDoS Defender 3.02. This version is available for Flowmon 8.x. Version 4.0 will have the same feature set but will be available for Flowmon OS 9.0. This release brings several improvements in GUI and functionality (more details can be found in the release notes) as well as better performance, but the most interesting feature is native support for F5.
The new version of Flowmon DDoS Defender extends native support for DDoS attack mitigation solutions to F5 BIG-IP and VIPRION. The integration is based on the F5 API and allows the mitigation of DDoS attacks to be fully automated. That means that after Flowmon DDoS Defender detects a DDoS attack, the module automatically redirects traffic to the F5 device and configures it for attack mitigation. After the attack ends, Flowmon DDoS Defender rolls back the routing and F5 configuration changes. All this can be started either manually or automatically upon detecting the attack.
Fig. 4: Mitigation start in Flowmon DDoS Defender.