About Network Visibility Module
Because users are increasingly operating on unmanaged devices, enterprise administrators have less visibility into what is going on inside and outside of the network. The Network Visibility Module (NVM) collects rich flow context from an endpoint on or off premises and provides visibility into network-connected devices and user behaviors when coupled with a Cisco solution such as Stealthwatch, Splunk, or a third-party solution. The enterprise administrator can then do capacity and service planning, auditing, compliance, and security analytics. Network Visibility Module provides the following services:
- Monitors application use to enable better-informed improvements in network design (the expanded IPFIX collector elements are defined in the nvzFlow protocol specification: https://developer.cisco.com/site/network-visibility-module/).
- Classifies logical groups of applications, users, or endpoints.
- Finds potential anomalies to help track enterprise assets and plan migration activities.
You can choose to target the telemetry at specific endpoints rather than deploy it across the whole infrastructure. The Network Visibility Module collects the endpoint telemetry for better visibility into the following:
- The device—the endpoint, irrespective of its location
- The user—the one logged into the endpoint
- The application—what generates the traffic
- The location—the network location the traffic was generated on
- The destination—the actual FQDN to which this traffic was intended
When on a trusted network, AnyConnect Network Visibility Module exports the flow records to a collector such as Stealthwatch, Splunk, or a third-party vendor, which performs the flow analysis and provides a user interface and reports. The flow records also describe the account type of the user logged in to the endpoint, of the user running the process, and of the user running its parent process; these values are exported as information elements with ids such as LoggedInUserAccountType (12361), ProcessUserAccountType (12362), and ParentProcessUserAccountType (12363). For more information about Cisco Endpoint Security Analytics (CESA) built on Splunk, refer to http://www.cisco.com/go/cesa. Since most enterprise IT administrators want to build their own visualization templates with the data, Cisco provides sample base templates through a Splunk app plugin.
NVM on Desktop AnyConnect
Historically, a flow collector provided the ability to collect IP network traffic as it enters or exits an interface of a switch or a router. It could determine the source of congestion in the network and the path of a flow, but not much else. With Network Visibility Module on the endpoint, the flow is augmented by rich endpoint context such as the type of device, the user, the application, and so on. This makes the flow records more actionable, depending on the capabilities of the collection platform. The data exported by Network Visibility Module is sent via IPFIX and is compatible with Cisco NetFlow collectors and Splunk, as well as other third-party flow collection platforms. See the platform-specific integration documentation for additional information. For example, Splunk integration is described at https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200600-Install-and-Configure-Cisco-Network-Visi.html.
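A collector that ingests these records has to handle enterprise-specific IPFIX information elements: in the template, the element id has its high bit set and is followed by the exporter's private enterprise number, and the data records are then laid out according to that template. The following Python is an added example (not Cisco code and not taken from the nvzFlow specification) that builds one such IPFIX message and decodes it, reading the three account-type elements listed above out of a data record. The enterprise number (assumed here to be Cisco's IANA PEN, 9), the one-byte width of the account-type elements, and the sample flow values are assumptions constructed for this example.

```python
"""Decode IPFIX (RFC 7011) data records that carry enterprise-specific
information elements, as a collector for nvzFlow-style exports must.

Added example, not Cisco code. Assumptions (labelled): the enterprise number
is Cisco's IANA PEN 9, the three account-type elements are one byte each, and
the sample flow below is constructed for this example."""
import struct

CISCO_PEN = 9            # assumption: IANA private enterprise number of the IEs
ENTERPRISE_BIT = 0x8000  # set in the element id when a PEN follows (RFC 7011 3.2)
TEMPLATE_SET_ID = 2

# Element ids the page lists; any other id falls back to "<pen>:<id>".
NVM_IE_NAMES = {
    12361: "LoggedInUserAccountType",
    12362: "ProcessUserAccountType",
    12363: "ParentProcessUserAccountType",
}


def build_template_set(template_id, fields):
    """fields: list of (element_id, length, pen_or_None)."""
    body = struct.pack("!HH", template_id, len(fields))
    for eid, length, pen in fields:
        if pen is None:
            body += struct.pack("!HH", eid, length)
        else:
            body += struct.pack("!HHI", eid | ENTERPRISE_BIT, length, pen)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(body)) + body


def build_data_set(template_id, payload):
    return struct.pack("!HH", template_id, 4 + len(payload)) + payload


def build_message(sets, export_time=0, seq=0, domain=0):
    body = b"".join(sets)
    return struct.pack("!HHIII", 10, 16 + len(body), export_time, seq, domain) + body


def _key(eid, pen):
    if pen == CISCO_PEN and eid in NVM_IE_NAMES:
        return NVM_IE_NAMES[eid]
    return f"{'iana' if pen is None else pen}:{eid}"


def decode_message(data, templates=None):
    """Return the data records in one IPFIX message as dicts keyed by IE name.

    `templates` persists parsed templates across messages, since exporters
    send templates periodically rather than with every data set."""
    templates = {} if templates is None else templates
    version, length = struct.unpack_from("!HH", data, 0)
    if version != 10 or length > len(data):
        raise ValueError("not a complete IPFIX message")
    pos, records = 16, []
    while pos + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", data, pos)
        end, p = pos + set_len, pos + 4
        if set_id == TEMPLATE_SET_ID:
            while p + 4 <= end:          # trailing bytes shorter than 4 are padding
                tid, count = struct.unpack_from("!HH", data, p)
                p += 4
                fields = []
                for _ in range(count):
                    eid, flen = struct.unpack_from("!HH", data, p)
                    p, pen = p + 4, None
                    if eid & ENTERPRISE_BIT:
                        (pen,) = struct.unpack_from("!I", data, p)
                        p, eid = p + 4, eid & ~ENTERPRISE_BIT
                    fields.append((eid, flen, pen))
                templates[tid] = fields
        elif set_id >= 256:              # data set (ids 3..255 are reserved)
            fields = templates.get(set_id)
            if fields is None:
                raise KeyError(f"data set references unknown template {set_id}")
            rec_len = sum(f[1] for f in fields)
            while p + rec_len <= end:    # loop stops on set padding
                rec = {}
                for eid, flen, pen in fields:
                    rec[_key(eid, pen)] = int.from_bytes(data[p:p + flen], "big")
                    p += flen
                records.append(rec)
        pos = end
    return records


def sample_message():
    """Constructed export: one template, one flow from 10.0.0.5 to port 443 (not real data)."""
    fields = [(8, 4, None), (11, 2, None),          # sourceIPv4Address, destinationTransportPort
              (12361, 1, CISCO_PEN), (12362, 1, CISCO_PEN), (12363, 1, CISCO_PEN)]
    payload = bytes([10, 0, 0, 5]) + struct.pack("!H", 443) + bytes([1, 2, 1])
    return build_message([build_template_set(256, fields), build_data_set(256, payload)],
                         export_time=1700000000, seq=1, domain=7)


def sample_records():
    return decode_message(sample_message())


if __name__ == "__main__":
    for rec in sample_records():
        print(rec)
```

The decoder handles fixed-length elements only; a variable-length element (template length 65535) needs the extra length-octet handling described in RFC 7011 section 7. Keep the `templates` dictionary per exporter and observation domain, because template ids are only unique within that scope.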
When using Network Visibility Module Collector in releases 4.9 or later, you must use Splunk app 3.x to view the additional parameters.
The AnyConnect profile for Network Visibility Module gets pushed from the ISE or Secure Firewall ASA headend if this feature is enabled. On the ISE headend, you can use the standalone profile editor, generate the Network Visibility Module service profile XML, upload it to ISE, and map it to the Network Visibility Module, just as you do with Network Access Manager. On the Secure Firewall ASA headend, you can use either the standalone or the ASDM profile editor.
Network Visibility Module gets notified when the VPN state changes to connected and when the endpoint is in a trusted network.
Note: If you are using Network Visibility Module with Linux, make sure that you have completed the preliminary steps in Using Network Visibility Module on Linux.
Standalone NVM
For those who do not have an AnyConnect deployment or are using another VPN solution, you can install the Network Visibility Module standalone package for your Network Visibility Module needs. This package works independently but provides the same level of flow collection from an endpoint as the existing AnyConnect Network Visibility Module solution. If you install the standalone Network Visibility Module, its running process is visible in the operating system's process list (for example, in Activity Monitor on macOS).
Standalone Network Visibility Module is configured with the Network Visibility Module Profile Editor, and Trusted Network Detection (TND) configuration is mandatory. Using the TND configuration, Network Visibility Module determines if the endpoint is on the corporate network and then applies the appropriate policies.
Troubleshooting and logging are still done by AnyConnect DART, which can be installed from the AnyConnect package.
Deployment Modes
- anyconnect-win-[version]-nvm-standalone-k9.msi (for Windows)
- anyconnect-macos-[version]-nvm-standalone.dmg (for macOS)
- anyconnect-linux64-[version]-nvm-standalone.tar.gz (for Linux)
Additionally, Network Visibility Module is a core part of Cisco XDR. You can send telemetry directly to Cisco XDR without an on-premises collector by installing the XDR Default Deployment on your endpoints. Cisco XDR uses this data to create new detections, correlate multiple events into a single incident, and fill visibility gaps in your network. Within XDR, navigate to Client Management > Deployments to see a list of all Secure Client deployments in your Cisco XDR organization and to define the packages and related profiles that must be installed on all computers in a specific deployment. Refer to the XDR documentation for further details.
The Standalone Network Visibility Module does not depend on VPN for its functioning; therefore, you can deploy it on the endpoint without having to install VPN.
If standalone Network Visibility Module is already installed, you can seamlessly migrate to a full AnyConnect installation of the same or higher version, and all Network Visibility Module data files and profiles are retained. The following scenarios are not supported:
- Downgrading standalone Network Visibility Module.
- Installing an older version of AnyConnect Network Visibility Module where a newer version of standalone Network Visibility Module already exists. This scenario results in uninstallation of standalone Network Visibility Module.
- Installing any version of standalone Network Visibility Module where AnyConnect Network Visibility Module already exists.
NVM on Mobile AnyConnect
The Network Visibility Module (NVM) is included in the latest version of the AnyConnect Secure Mobility Client for Android available in the Google Play Store. Network Visibility Module is supported only on Samsung devices running Samsung Knox; see the guidelines below for the minimum Knox version. No other mobile devices are currently supported.
Network Visibility Module on Android is part of the service profile configurations. To configure Network Visibility Module on Android, the AnyConnect Network Visibility Module profile is generated by the AnyConnect Network Visibility Module Profile Editor, and then pushed to the Samsung mobile device using Mobile Device Management (MDM).
Guidelines
- Network Visibility Module is supported on Samsung devices running Samsung Knox version 3.0 or later. No other mobile devices are currently supported.
- On mobile devices, connectivity to the Network Visibility Module Collector is supported over IPv4 or IPv6.
- Data collection traffic on Java-based apps is supported.