NetFlow & IPFIX
What is Normal?
- Protocol usage
- What routing protocols do you typically use?
- Traffic patterns
- Who are our top talkers?
- Geolocation
- What is the geographic location of the client?
- The more traffic we have collected, the better idea we have of what normal looks like (a baseline built from a few hours is far less reliable than one built from weeks)
- Top Talkers
- Top Destinations
- Where are users headed?
NetFlow
- Cisco proprietary (in origin; the v5 and v9 formats are now implemented by many other vendors)
- Next generation of traffic monitoring
- We are looking at the metadata: who talked to whom, on which ports and protocol, how many bytes and packets, and when. Payloads are not captured.
- Collect flows by interface
- Pushes details to a collector
- Externally stored and analyzed
- Supported on routers, switches, firewalls and more
- Provided that they are all Cisco? Not necessarily: many non-Cisco devices export NetFlow-format records too.
- *NetFlow is not sFlow
- sFlow is sampled: the device exports the header of roughly one packet in N (plus interface counters) rather than accounting for every packet of every flow.
- Not as good for completeness: a short or low-volume flow can fall entirely between samples and never be seen, which matters when the interesting traffic is a single beacon or scan.
- In NetFlow we are looking at the metadata of every flow the device saw, so small flows are still counted.
Advantages of NetFlow
- Baselines
- Troubleshooting
- Monitoring
- Detailed auditing
- Anomaly detection
- Indications of compromise
- DDoS, worm, malware detection
- DDoS - many bots (lots of compromised systems), all trying to hit you at once. In flow data this shows up as a sudden jump in distinct sources converging on one destination.
- Worm - self-propagating code exploiting a vulnerability in an automated fashion. In flow data this shows up as one host opening many small flows to many destinations on the same port.
- *Capabilities depend on the intelligence of the collector: the exporter only ships raw flow records, so the baselining, top-N reporting and anomaly detection are all done on the collector side.
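The baseline, top-talker and anomaly checks listed above, as an added example that is not part of the original notes. It runs over a handful of constructed flow records (documentation-range addresses, made-up byte counts, and thresholds that are assumptions, not vendor defaults): a normal web and DNS baseline, thirty sources converging on one web server (the DDoS pattern), and one host touching forty neighbours on port 445 with a single packet each (the worm pattern). A real collector runs the same counting over millions of records; the logic is what matters.

```python
"""Flow analytics over constructed NetFlow/IPFIX-style records (added example, not from the notes)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    octets: int
    packets: int


def constructed_flows() -> list:
    """Hypothetical traffic: a normal baseline plus two suspicious patterns (constructed, not captured)."""
    flows = [
        Flow("10.0.0.5", "203.0.113.10", 443, 6, 480_000, 600),
        Flow("10.0.0.5", "203.0.113.11", 443, 6, 120_000, 150),
        Flow("10.0.0.7", "203.0.113.10", 443, 6, 60_000, 80),
        Flow("10.0.0.8", "192.0.2.53", 53, 17, 2_000, 20),
    ]
    # DDoS-like: 30 distinct sources all hitting one internal web server at once
    flows += [Flow(f"198.51.100.{i}", "10.0.0.80", 80, 6, 1_500, 10) for i in range(1, 31)]
    # Worm-like: one host touching 40 neighbours on SMB with a single packet each
    flows += [Flow("10.0.0.99", f"10.0.1.{i}", 445, 6, 60, 1) for i in range(1, 41)]
    return flows


def top_talkers(flows, n=3):
    """Sources ranked by bytes sent."""
    by_src = Counter()
    for f in flows:
        by_src[f.src] += f.octets
    return by_src.most_common(n)


def top_destinations(flows, n=3):
    """Destinations ranked by bytes received: where are users headed?"""
    by_dst = Counter()
    for f in flows:
        by_dst[f.dst] += f.octets
    return by_dst.most_common(n)


def protocol_usage(flows):
    """Share of bytes per IP protocol; this is the number you compare against a stored baseline."""
    total = sum(f.octets for f in flows)
    by_proto = Counter()
    for f in flows:
        by_proto[f.proto] += f.octets
    return {p: round(b / total, 3) for p, b in by_proto.items()}


def ddos_suspects(flows, min_sources=20):
    """Destinations contacted by an unusually large number of distinct sources (threshold assumed)."""
    sources = defaultdict(set)
    for f in flows:
        sources[f.dst].add(f.src)
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}


def worm_suspects(flows, min_targets=20, max_packets=2):
    """(source, port) pairs that reach many distinct destinations with tiny flows (thresholds assumed)."""
    targets = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            targets[(f.src, f.dport)].add(f.dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


if __name__ == "__main__":
    flows = constructed_flows()
    print("top talkers:", top_talkers(flows))
    print("top destinations:", top_destinations(flows))
    print("protocol usage:", protocol_usage(flows))
    print("DDoS suspects:", ddos_suspects(flows))
    print("worm suspects:", worm_suspects(flows))
```

The two detectors key on different shapes of the same metadata: many sources to one destination for DDoS, one source to many destinations on one port for a worm. Neither needs packet payloads, which is the whole point of flow-based detection; the price is that the thresholds only work once you know what normal looks like on your own network.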
IP Flow Information Export (IPFIX)
- Standardized flow export mechanism
- We can do this on devices other than just Cisco
- Push mechanism
- Extensible
- Vendors can add their own enterprise-specific fields (information elements) alongside the standard IANA ones; the layout of each record is described by a template the exporter sends ahead of the data
- Exporters
- The device (router, switch, firewall, probe) that builds the flow records and sends them
- Collectors
- The centralized server: software running on a server that receives and stores the records
- Generating statistics
- Has a web interface
- Many-to-many: one exporter can send to several collectors, and one collector can receive from many exporters
- NetFlow v10 in Cisco: IPFIX grew out of NetFlow v9 and is commonly referred to as NetFlow v10 (the version field in the message header is 10)
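The template mechanism and the exporter/collector split, as an added example that is not code from the notes or from any vendor. It builds one IPFIX message in the RFC 7011 layout (16-byte header with version 10, a template set, a data set) using standard IANA element IDs plus one enterprise-specific element, then decodes it with a small collector-side parser that caches templates per observation domain. The private enterprise number 12345, element 100, the export timestamp and the two flow records are all constructed for the example. The second run shows the caveat every collector has to handle: a data set whose template has not arrived yet cannot be decoded and has to be counted and dropped, not guessed at.

```python
"""Minimal IPFIX (RFC 7011) message builder and collector-side parser (added example, not from the notes)."""
import socket
import struct
from dataclasses import dataclass, field

IPFIX_VERSION = 10          # this is why IPFIX is called "NetFlow v10"
TEMPLATE_SET_ID = 2
ENTERPRISE_BIT = 0x8000     # set in an element ID when a vendor PEN follows it in the template

# Standard IANA IPFIX information element IDs used below.
IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
            7: "sourceTransportPort", 8: "sourceIPv4Address",
            11: "destinationTransportPort", 12: "destinationIPv4Address"}
IPV4_FIELDS = {"sourceIPv4Address", "destinationIPv4Address"}


@dataclass
class IpfixParser:
    """Collector-side decoder: templates are cached per (observation domain, template ID)."""
    templates: dict = field(default_factory=dict)
    undecodable_sets: int = 0   # data sets seen before their template arrived

    def parse_message(self, data: bytes) -> list:
        version, length, _export_time, _seq, domain = struct.unpack("!HHIII", data[:16])
        if version != IPFIX_VERSION:
            raise ValueError(f"not IPFIX: version {version}")
        if length != len(data):
            raise ValueError("header length does not match the message")
        records, off = [], 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack("!HH", data[off:off + 4])
            if set_len < 4 or off + set_len > length:
                raise ValueError("malformed set length")
            body = data[off + 4:off + set_len]
            if set_id == TEMPLATE_SET_ID:
                self._parse_templates(domain, body)
            elif set_id >= 256:              # data set: its ID names the template it uses
                records.extend(self._parse_data(domain, set_id, body))
            # set ID 3 (options templates) and reserved IDs are skipped in this example
            off += set_len
        return records

    def _parse_templates(self, domain: int, body: bytes) -> None:
        off = 0
        while off + 4 <= len(body):
            tid, count = struct.unpack("!HH", body[off:off + 4])
            off += 4
            if count == 0:                   # field count 0 is a template withdrawal
                self.templates.pop((domain, tid), None)
                continue
            fields = []
            for _ in range(count):
                ie, ln = struct.unpack("!HH", body[off:off + 4])
                off += 4
                if ie & ENTERPRISE_BIT:      # vendor-specific element: the PEN follows
                    (pen,) = struct.unpack("!I", body[off:off + 4])
                    off += 4
                    name = f"pen{pen}.ie{ie & 0x7FFF}"
                else:
                    name = IE_NAMES.get(ie, f"ie{ie}")
                fields.append((name, ln))
            self.templates[(domain, tid)] = fields

    def _parse_data(self, domain: int, tid: int, body: bytes) -> list:
        fields = self.templates.get((domain, tid))
        if fields is None:                   # template not received yet: cannot decode
            self.undecodable_sets += 1
            return []
        rec_len = sum(ln for _, ln in fields)   # fixed-length elements only (no 65535 markers here)
        records, off = [], 0
        while rec_len and off + rec_len <= len(body):   # trailing bytes are padding
            rec = {}
            for name, ln in fields:
                raw = body[off:off + ln]
                off += ln
                rec[name] = socket.inet_ntoa(raw) if (name in IPV4_FIELDS and ln == 4) else int.from_bytes(raw, "big")
            records.append(rec)
        return records


def build_message(domain: int = 1, template_id: int = 256, with_template: bool = True) -> bytes:
    """Constructed exporter output: a template set and a two-record data set (hypothetical traffic)."""
    # (element ID, length[, private enterprise number]); the last entry is a made-up vendor element
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8), (2, 8), (ENTERPRISE_BIT | 100, 2, 12345)]
    sets = b""
    if with_template:
        body = struct.pack("!HH", template_id, len(fields))
        for f in fields:
            body += struct.pack("!HH", f[0], f[1]) + (struct.pack("!I", f[2]) if len(f) == 3 else b"")
        sets += struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(body)) + body
    rows = [("10.0.0.5", "203.0.113.10", 51514, 443, 6, 48000, 60, 7),
            ("10.0.0.9", "198.51.100.7", 40001, 53, 17, 120, 1, 0)]
    body = b"".join(socket.inet_aton(s) + socket.inet_aton(d) + struct.pack("!HHBQQH", sp, dp, pr, o, p, v)
                    for s, d, sp, dp, pr, o, p, v in rows) + b"\x00\x00"   # two bytes of padding
    sets += struct.pack("!HH", template_id, 4 + len(body)) + body
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(sets), 1700000000, 1, domain) + sets


if __name__ == "__main__":
    parser = IpfixParser()
    for rec in parser.parse_message(build_message()):
        print(rec)
    late = IpfixParser()
    late.parse_message(build_message(with_template=False))
    print("undecodable data sets without a template:", late.undecodable_sets)
```

Because templates travel in-band and are only refreshed periodically, a collector that starts after the exporter, or that loses the UDP datagram carrying the template, will see data sets it cannot decode until the next template refresh; the `undecodable_sets` counter is the kind of metric worth alerting on. The enterprise bit is the extensibility hook the notes mention: a vendor element is just an ID with the top bit set followed by its private enterprise number, and a collector that does not know it can still skip it by length.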
Vendors who support IPFIX
- Aruba (HP)
- Barracuda Networks
- Blue Coat
- Check Point
- Cisco Systems
- Citrix
- Fortinet
- F5 Networks
- Juniper Networks
- Palo Alto Networks
- Plixer
- SonicWall
- VMware
- ZTE
- *Many more