About Network Visibility Module
Because users are increasingly operating on unmanaged devices, enterprise administrators have less visibility into what is going on inside and outside of the network. The Network Visibility Module (NVM) collects rich flow context from an endpoint on or off premise and provides visibility into network connected devices and user behaviors when coupled with a Cisco solution such as Stealthwatch, or a third-party solution such as Splunk. The enterprise administrator can then do capacity and service planning, auditing, compliance, and security analytics. NVM provides the following services:
- Monitors application use to enable better informed improvements (expanded IPFIX collector elements in VzFlow protocol specification) in network design.
- Classifies logical groups of applications, users, or endpoints.
- Finds potential anomalies to help track enterprise assets and plan migration activities.
This feature lets you choose targeted telemetry rather than a whole-infrastructure deployment. NVM collects endpoint telemetry for better visibility into the following:
- The device: the endpoint, irrespective of its location
- The user: the one logged into the endpoint
- The application: what generates the traffic
- The location: the network location the traffic was generated on
- The destination: the actual FQDN to which this traffic was intended
When on a trusted network, AnyConnect NVM exports the flow records to a collector such as Cisco Stealthwatch or a third-party product such as LiveAction, which performs the analysis and provides a UI. Another third-party product such as Splunk may also provide a UI for viewing the reports. Since most enterprise IT administrators want to build their own visualization templates with the data, we provide some sample base templates through a Splunk app plugin.
NVM on Desktop AnyConnect
Historically, a flow collector provided the ability to collect IP network traffic as it enters or exits an interface of a switch or a router. It could determine the source of congestion in the network and the path of a flow, but not much else. With NVM on the endpoint, the flow is augmented by rich endpoint context such as the type of device, the user, the application, and so on. This makes the flow records more actionable, depending on the capabilities of the collection platform. The data NVM exports is sent via IPFIX and is compatible with Cisco NetFlow collectors as well as third-party flow collection platforms such as Splunk, IBM QRadar, and LiveAction. See the platform-specific integration documentation for additional information; for example, Splunk integration is described at https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200600-Install-and-Configure-Cisco-Network-Visi.html.
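To illustrate the services listed above (classifying logical groups and finding anomalies) and how the endpoint context makes a flow record actionable, here is an added example that is not part of the Cisco documentation or product. It operates on constructed records carrying the five context elements NVM describes; the field names (device, user, app, location, dst_fqdn) and the per-application baseline are assumptions for illustration, not the real IPFIX element names.

```python
"""Analytics over constructed NVM-style flow records (field names are
assumptions for illustration, not the real exported element names)."""
from collections import defaultdict

# Constructed sample flows: the classic destination/port/bytes data plus
# the endpoint context a plain NetFlow record would lack.
SAMPLE_FLOWS = [
    {"device": "LAPTOP-01", "user": "alice", "app": "outlook.exe", "location": "trusted",
     "dst_fqdn": "outlook.office365.com", "dst_port": 443, "bytes": 120_000},
    {"device": "LAPTOP-01", "user": "alice", "app": "outlook.exe", "location": "untrusted",
     "dst_fqdn": "outlook.office365.com", "dst_port": 443, "bytes": 80_000},
    {"device": "LAPTOP-02", "user": "bob", "app": "chrome.exe", "location": "untrusted",
     "dst_fqdn": "www.example.com", "dst_port": 443, "bytes": 5_000},
    {"device": "LAPTOP-02", "user": "bob", "app": "outlook.exe", "location": "untrusted",
     "dst_fqdn": "files.example.net", "dst_port": 8443, "bytes": 900_000},
]

# Constructed per-application baseline of expected destinations and ports.
EXPECTED = {"outlook.exe": {"fqdns": {"outlook.office365.com"}, "ports": {443}}}


def group_by_app(flows):
    """Classify flows into logical groups per application: which users and
    destinations it was seen with, and total bytes transferred."""
    groups = defaultdict(lambda: {"users": set(), "dsts": set(), "bytes": 0})
    for f in flows:
        g = groups[f["app"]]
        g["users"].add(f["user"])
        g["dsts"].add(f["dst_fqdn"])
        g["bytes"] += f["bytes"]
    return dict(groups)


def find_anomalies(flows, expected):
    """Return (device, user, app, fqdn, port) for flows whose application
    contacts a destination or port outside its baseline. Without the
    endpoint context the same flow could not be tied to a process or user."""
    findings = []
    for f in flows:
        allowed = expected.get(f["app"])
        if allowed is None:
            continue  # no baseline for this application; nothing to compare
        if f["dst_fqdn"] not in allowed["fqdns"] or f["dst_port"] not in allowed["ports"]:
            findings.append((f["device"], f["user"], f["app"], f["dst_fqdn"], f["dst_port"]))
    return findings


if __name__ == "__main__":
    for app, g in group_by_app(SAMPLE_FLOWS).items():
        print(app, sorted(g["users"]), sorted(g["dsts"]), g["bytes"])
    for hit in find_anomalies(SAMPLE_FLOWS, EXPECTED):
        print("anomaly:", hit)
```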
If you choose to install the Network Visibility Module, the About screen of the AnyConnect Secure Mobility Client UI lists it as installed. No other indication exists on the AnyConnect UI when NVM is running.
An AnyConnect profile for NVM is pushed from the ISE or ASA headend if this feature is enabled. On the ISE headend, you can use the standalone profile editor to generate the NVM service profile XML, upload it to ISE, and map it against the new NVM module, just as you do with Web Security, Network Access Manager, and so on. On the ASA headend, you can use either the standalone or the ASDM profile editor.
NVM gets notified when the VPN state changes to connected and when the endpoint is in a trusted network.