About Network Visibility Module
Because users are increasingly operating on unmanaged devices, enterprise administrators have less visibility into what is going on inside and outside of the network. The Network Visibility Module (NVM) collects rich flow context from an endpoint on or off premise and provides visibility into network connected devices and user behaviors when coupled with a Cisco solution such as Stealthwatch, or a third-party solution such as Splunk. The enterprise administrator can then do capacity and service planning, auditing, compliance, and security analytics. NVM provides the following services:
- Monitors application use to enable better informed improvements in network design (the expanded IPFIX collector elements are defined in the nvzFlow protocol specification: https://developer.cisco.com/site/network-visibility-module/).
- Classifies logical groups of applications, users, or endpoints.
- Finds potential anomalies to help track enterprise assets and plan migration activities.
This feature lets you choose whether to target the telemetry at specific endpoints rather than deploying it across the whole infrastructure. NVM collects the endpoint telemetry for better visibility into the following:
- The device: the endpoint, irrespective of its location
- The user: the one logged into the endpoint
- The application: what generates the traffic
- The location: the network location the traffic was generated on
- The destination: the actual FQDN to which this traffic was intended
When on a trusted network, AnyConnect NVM exports the flow records to a collector such as Cisco Stealthwatch or a third-party vendor such as Splunk, which performs the file analysis and provides a user interface and reports. The flow records provide information about the capabilities of the user, and the values are exported with IDs (such as LoggedInUserAccountType as 12361, ProcessUserAccountType as 12362, and ParentProcessUserAccountType as 12363). For more information about Cisco Endpoint Security Analytics (CESA) built on Splunk, refer to http://www.cisco.com/go/cesa. Since most enterprise IT administrators want to build their own visualization templates with the data, Cisco provides some sample base templates through a Splunk app plugin.
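As an added example (not Cisco's code and not the nvzFlow specification), the following Python decodes an IPFIX export whose template mixes standard elements with enterprise-specific elements carrying the account-type IDs quoted above. It assumes those elements are exported under Cisco's enterprise number 9 with a one-byte length, and the flow record it parses is a constructed sample rather than captured data.

```python
import struct
CISCO_PEN = 9  # assumed enterprise number (PEN) under which the nvzFlow elements are exported
IE_NAMES = {(0, 8): "sourceIPv4Address", (0, 12): "destinationIPv4Address", (0, 11): "destinationTransportPort",
    (CISCO_PEN, 12361): "LoggedInUserAccountType", (CISCO_PEN, 12362): "ProcessUserAccountType",
    (CISCO_PEN, 12363): "ParentProcessUserAccountType"}  # (enterprise, element id) -> name; 1236x IDs from the text
def parse_template(buf):
    # Template record: template id, field count, then (element id, length[, enterprise number]) per field
    tid, count = struct.unpack_from("!HH", buf, 0)
    off, fields = 4, []
    for _ in range(count):
        ie, length = struct.unpack_from("!HH", buf, off)
        off, pen = off + 4, 0
        if ie & 0x8000:  # enterprise bit set: a 4-byte enterprise number follows the length
            ie, pen = ie & 0x7FFF, struct.unpack_from("!I", buf, off)[0]
            off += 4
        fields.append((pen, ie, length))
    return tid, fields
def parse_ipfix(msg):
    # Walk the sets of one IPFIX message (RFC 7011 layout) and return its data records as dicts
    version, total_len = struct.unpack_from("!HH", msg, 0)
    if version != 10 or total_len != len(msg): raise ValueError("not a complete IPFIX message")
    off, templates, records = 16, {}, []  # skip the 16-byte message header
    while off < total_len:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        body = msg[off + 4:off + set_len]
        if set_id == 2:  # template set: remember the field layout under its template id
            templates.update([parse_template(body)])
        elif set_id >= 256:  # data set: the set id names the template it was encoded with
            fields = templates[set_id]
            rec_len, pos = sum(f[2] for f in fields), 0
            while pos + rec_len <= len(body):
                rec = {}
                for pen, ie, length in fields:
                    raw = body[pos:pos + length]  # IPv4 addresses as dotted quads, all else as unsigned ints
                    rec[IE_NAMES.get((pen, ie), f"{pen}:{ie}")] = (".".join(str(b) for b in raw)
                        if (pen, ie) in ((0, 8), (0, 12)) else int.from_bytes(raw, "big"))
                    pos += length
                records.append(rec)
        off += set_len
    return records
def build_sample():
    # Constructed export: template 256 (three standard elements plus two enterprise account-type elements, assumed 1 byte each) and one record for a flow from 10.0.0.5 to 203.0.113.10:443
    fields = [(0, 8, 4), (0, 12, 4), (0, 11, 2), (CISCO_PEN, 12361, 1), (CISCO_PEN, 12362, 1)]
    tmpl = struct.pack("!HH", 256, len(fields))
    for pen, ie, length in fields:
        tmpl += struct.pack("!HH", ie | (0x8000 if pen else 0), length) + (struct.pack("!I", pen) if pen else b"")
    data = bytes([10, 0, 0, 5, 203, 0, 113, 10]) + struct.pack("!H", 443) + bytes([1, 2])
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 1, 7) + body  # version 10, length, time, seq, domain
```

Running `parse_ipfix(build_sample())` yields one record with the addresses, port and both account-type values resolved by name; an element the collector has no name for is reported as `enterprise:id` rather than dropped.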
NVM on Desktop AnyConnect
Historically, a flow collector provided the ability to collect IP network traffic as it enters or exits an interface of a switch or a router. It could determine the source of congestion in the network and the path of a flow, but not much else. With NVM on the endpoint, the flow is augmented by rich endpoint context such as the type of device, the user, the application, and so on. This makes the flow records more actionable, depending on the capabilities of the collection platform. The data exported by NVM is sent via IPFIX and is compatible with Cisco NetFlow collectors as well as other third-party flow collection platforms such as Splunk, IBM QRadar, and LiveAction. See the platform-specific integration documentation for additional information; for example, Splunk integration is described at https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200600-Install-and-Configure-Cisco-Network-Visi.html.
If you choose to install the Network Visibility Module, the About screen of the AnyConnect Secure Mobility Client UI lists it as installed. No other indication exists on the AnyConnect UI when NVM is running.
An AnyConnect profile for NVM gets pushed from the ISE or ASA headend if this feature is enabled. On the ISE headend, you can use the standalone profile editor, generate the NVM service profile XML, upload it to ISE, and map it against the new NVM module, just as you do with Network Access Manager. On the ASA headend, you can use either the standalone or ASDM profile editor.
NVM gets notified when the VPN state changes to connected and when the endpoint is in a trusted network.
Note: If you are using NVM with Linux, make sure that you have completed the preliminary steps in Using NVM on Linux.
NVM on Mobile AnyConnect
The Network Visibility Module (NVM) is included in the latest version of the Cisco AnyConnect Secure Mobility Client for Android, Release 4.0.09xxx, available in the Google Play Store. NVM is supported on Samsung devices running Samsung Knox version 2.8 or later. No other mobile devices are currently supported.
Network Visibility on Android is part of the service profile configurations. To configure NVM on Android, an AnyConnect NVM profile is generated by the AnyConnect NVM Profile Editor, and then pushed to the Samsung mobile device using Mobile Device Management (MDM). The AnyConnect NVM Profile Editor from AnyConnect release 4.4.3 or later is required to configure NVM for mobile devices.
Guidelines
- NVM is supported on Samsung devices running Samsung Knox version 3.0 or later. No other mobile devices are currently supported.
- On mobile devices, connectivity to the collector is supported over IPv4 or IPv6.
- Data collection traffic on Java based apps is supported.