In QRadar 7.3.2, flows carry more VLAN information than before, and VLAN IDs can now be used in domain definitions. If you assign VLAN information to your domains, you get VLAN-aware multi-tenancy: traffic from your payroll network can be hidden from an analyst who is only authorized to view traffic from your HR systems. You can also search, filter, write rules and generate offenses based on the VLAN fields.
This article outlines what the new VLAN fields are, where they appear in QRadar and how you can use them to your advantage.
The new VLAN fields
If you are familiar with QRadar, you may already have seen two VLAN fields on IPFIX flows. They appeared in the Flow Details screen, in the filters and queries you created, and even in the asset database. VLAN support has now expanded well beyond those two IPFIX fields and covers many more of the flow sources that QFlow supports, including IPFIX, NetFlow v9, J-Flow v9, sFlow v5 and raw packets. The extended support includes extraction and use of 802.1Q, 802.1ad (nested, or Q-in-Q) and non-802.1Q VLAN fields.
So where do these fields appear? If you open the Flow Details screen of a flow from a VLAN, you will see the new fields:
New VLAN fields visible in the Flow Details screen
You can see all the VLAN fields carried by the original flow, plus two additional fields: Enterprise VLAN ID and Customer VLAN ID. These two fields normalize the variety of source-specific VLAN fields into a pair that is consistent across flow sources. The Enterprise VLAN ID is the outer VLAN tag; it is 0 when the traffic is not nested (single-tagged). The Customer VLAN ID is the inner VLAN tag. These two normalized fields are the ones used in domain assignment, so check them first when a flow does not land in the domain you expected: a flow source that does not export VLAN tags (or a capture point where the switch has already stripped them) leaves both fields at 0.
Creating a domain using VLAN and assigning a tenant
In QRadar 7.3.2 and later, if you go to Domain Management and create a new domain, you will see a new option in the Flows category: "Flow VLAN IDs". Here you assign one or more combinations of Enterprise and Customer VLAN IDs; every incoming flow whose normalized VLAN IDs match one of those combinations is mapped to that domain.
New Flow VLAN ID domain configuration tab
Below you can see two new domains that have been created based on VLAN information. We have assigned tenants created in “Tenant Management” to each of these domains.
Assignment of VLAN aware domains to QRadar tenants
For more information about multi-tenancy, see: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_qradar_adm_tenant_mgmt_overview.html
Users with access to the payroll tenant can see traffic on their VLAN, and users with access to the HR tenant can see traffic on their VLAN, but neither can see the other's. By partitioning the traffic each tenant can see according to the VLAN definitions, you enforce in QRadar the same segmentation you have on your network. Two caveats apply. First, flows whose VLAN IDs match no domain definition fall into the default domain, so make sure every flow source you rely on for tenancy actually exports the tags (NetFlow v9 and IPFIX exporters need the VLAN fields included in their templates; sFlow and raw packet sources carry the tags in the sampled frame header). Second, a VLAN ID is a label on a frame, not an authentication of its origin; the domain mapping is only as trustworthy as the switch configuration that assigns and preserves the tags, so keep enforcing the segmentation on the network itself.
Writing rules based on VLAN information
With these new fields available, consider what security insight VLAN information can give you into your network. Should particular VLANs only see traffic from a set range of hosts? Should some VLANs only see outgoing traffic? Are there VLANs on your network that you did not expect to see at all? Each of these questions can be turned into a QRadar rule that alerts you to suspicious activity.
Consider the case where a particular set of hosts and VLANs is used for internal communication only. You can detect violations of this requirement with the following example: a rule that detects illegal outbound traffic from a set of hosts on two specified VLANs.
Rule detecting illegal outbound traffic from hosts on set VLANs
In this example we build the rule on Enterprise VLAN ID and Customer VLAN ID, but any of the new VLAN fields could be used instead.
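The following is an added example, not QRadar code, that models the three steps described above on raw Ethernet frames (one of the flow sources listed earlier): it extracts 802.1Q and 802.1ad tags from a frame and normalizes them into an Enterprise VLAN ID (outer tag, 0 when single-tagged) and Customer VLAN ID (inner tag), maps the pair onto domains, and then runs the "illegal outbound traffic from restricted hosts on restricted VLANs" rule. The domain table, the restricted host range, the internal address ranges and the sample frames are all constructed for the example and are not taken from the article; the rule that a single tag lands in Customer VLAN ID is an assumption consistent with the article's statement that Enterprise VLAN ID is 0 when traffic is not nested.

```python
"""Added example: VLAN tag normalization, domain assignment and an
'illegal outbound' rule over constructed Ethernet frames. Not QRadar code."""
import struct
from ipaddress import ip_address, ip_network

TPID_8021Q = 0x8100   # customer (C-) tag
TPID_8021AD = 0x88A8  # service/enterprise (S-) tag used for Q-in-Q
ETHERTYPE_IPV4 = 0x0800

# Constructed domain table: (Enterprise VLAN ID, Customer VLAN ID) -> domain
DOMAINS = {
    (100, 10): "payroll",
    (100, 20): "hr",
    (0, 30): "guest-wifi",      # single-tagged VLAN 30, so enterprise ID is 0
}
# Constructed rule parameters: these hosts on these VLANs may only talk internally
RESTRICTED_VLANS = {(100, 10), (100, 20)}
RESTRICTED_HOSTS = ip_network("10.1.0.0/24")
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def parse_vlan_tags(frame: bytes):
    """Walk the 802.1Q/802.1ad tag stack after the MAC addresses.
    Returns (vids outermost first, inner ethertype, payload offset)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    vids = []
    while ethertype in (TPID_8021Q, TPID_8021AD):
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)          # low 12 bits = VID; PCP/DEI ignored
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    return vids, ethertype, off + 2


def normalise(vids):
    """Enterprise = outer tag, Customer = inner tag. Assumption of this example:
    a single tag is reported as Customer VLAN ID with Enterprise VLAN ID 0;
    an untagged frame yields (0, 0) and so matches no VLAN-based domain."""
    if not vids:
        return 0, 0
    if len(vids) == 1:
        return 0, vids[0]
    return vids[0], vids[-1]


def flow_from_frame(frame: bytes):
    """Reduce a frame to the fields the rule needs (IPv4 only in this example)."""
    vids, ethertype, off = parse_vlan_tags(frame)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("example handles IPv4 payloads only")
    enterprise, customer = normalise(vids)
    return {
        "src": ip_address(frame[off + 12:off + 16]),
        "dst": ip_address(frame[off + 16:off + 20]),
        "enterprise_vlan": enterprise,
        "customer_vlan": customer,
    }


def assign_domain(flow, default="Default Domain"):
    """Domain lookup by the normalized VLAN pair; unmatched flows fall to the default."""
    return DOMAINS.get((flow["enterprise_vlan"], flow["customer_vlan"]), default)


def rule_illegal_outbound(flow) -> bool:
    """True when a restricted host on a restricted VLAN talks to a non-internal address."""
    on_restricted_vlan = (flow["enterprise_vlan"], flow["customer_vlan"]) in RESTRICTED_VLANS
    from_restricted_host = flow["src"] in RESTRICTED_HOSTS
    to_external = not any(flow["dst"] in net for net in INTERNAL_RANGES)
    return on_restricted_vlan and from_restricted_host and to_external


def build_frame(vids, src, dst):
    """Constructed test frame: MACs, S-tag/C-tag stack, minimal IPv4 header.
    PCP is set to 3 so the VID masking in parse_vlan_tags is exercised."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tags = b""
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (len(vids) == 2 and i == 0) else TPID_8021Q
        tags += struct.pack("!HH", tpid, (3 << 13) | (vid & 0x0FFF))
    ip = bytearray(20)
    ip[0] = 0x45                                   # IPv4, IHL 5
    ip[12:16] = ip_address(src).packed
    ip[16:20] = ip_address(dst).packed
    return macs + tags + struct.pack("!H", ETHERTYPE_IPV4) + bytes(ip)


# Constructed sample traffic
SAMPLE_FRAMES = [
    build_frame([100, 10], "10.1.0.5", "10.2.0.9"),      # payroll, internal: allowed
    build_frame([100, 10], "10.1.0.5", "203.0.113.7"),   # payroll, outbound: offense
    build_frame([100, 20], "10.1.0.8", "198.51.100.2"),  # hr, outbound: offense
    build_frame([30], "192.168.30.4", "203.0.113.7"),    # guest, not in rule scope
    build_frame([], "10.1.0.5", "203.0.113.7"),          # untagged: default domain
]


def evaluate(frames):
    """Return (domain, rule_fired) per frame."""
    out = []
    for frame in frames:
        flow = flow_from_frame(frame)
        out.append((assign_domain(flow), rule_illegal_outbound(flow)))
    return out


if __name__ == "__main__":
    for frame, (domain, fired) in zip(SAMPLE_FRAMES, evaluate(SAMPLE_FRAMES)):
        flow = flow_from_frame(frame)
        print(f"{flow['src']} -> {flow['dst']} vlan=({flow['enterprise_vlan']},"
              f"{flow['customer_vlan']}) domain={domain} offense={fired}")
```

The last sample frame is the case to watch in production: a frame that arrives untagged (or from an exporter that omits the VLAN fields) normalizes to (0, 0), matches no VLAN-based domain, and is therefore invisible to the VLAN-scoped rule even though the source host is one of the restricted ones.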
With these 7.3.2 flow features you can provision tenants using VLAN information and hunt for anomalies in your VLAN traffic. Jose Bravo has put together a video walk-through of this feature here.