Describing Components, Capabilities, & Benefits of NetFlow
NetFlow Introduction
What is Flow?
Information about the packets that traverse a router
Source and destination, ports, and the protocol being used
NetFlow
Created by Cisco
NetFlow records are stored in the NetFlow cache
NetFlow records are small
Generated on receipt of the traffic
Flows are unidirectional
Sent to Stealthwatch for analytics
Collection points: user ports, data center, VPNs, Internet edge
Sampled traffic
May miss important packets
NetFlow Benefits
Use existing hardware
Don't need to purchase expensive network tap infrastructure
Network as a sensor
Gain insight into the traffic using the network
Use the information to make strategic business decisions
Additional NetFlow Benefits
Use NetFlow information to make design changes
Test different changes and verify the traffic is being shaped the way you want to
Use NetFlow to troubleshoot issues and find root cause
NetFlow Security Benefits
Quickly identify suspicious traffic
Concerning port (the type of traffic doesn't match the services)
Wrong industry (traffic flowing to sites that your organisation doesn't do business with)
Embargoed countries (traffic leaves the country your org resides in, destined for an embargoed country)
Network as an Enforcer
Integrate with different Cisco tools
Segment traffic
Switch can apply ACLs dynamically
NetFlow Versions & Flow Standards
NetFlow Versions
NetFlow v1:
Limited to IPv4 without network masks
Obsolete
NetFlow v5:
Can collect IP ToS, ASN, network masks
NetFlow v9:
Template based
Can add or remove information without rewriting code
NetFlow v9
Template is included in NetFlow packet
Stealthwatch will know what info to expect
UDP 2055
127 different field types
Flexible NetFlow
Different cache buckets
Can have different data stored in different caches
Allows users to define their own fields to collect
IPFIX
IETF standard based on NetFlow v9
Supports templates
UDP 4739
Configuring NetFlow
Create flow record
Create flow exporter
Create flow monitor
Apply flow monitor to interface
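An added example (not part of the original notes) of those four steps on a Cisco IOS router using Flexible NetFlow, exporting NetFlow v9 to a collector on UDP 2055. The collector address 192.0.2.10, the Loopback0 source, the GigabitEthernet0/1 interface and the object names are assumed placeholders; replace them for your network.

```cisco
! Step 1: flow record - the key (match) and non-key (collect) fields stored per flow
flow record SW-RECORD
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect ipv4 tos
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Step 2: flow exporter - where the cache is exported and in which format
flow exporter SW-EXPORTER
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
 ! resend the v9 template regularly so a restarted collector can decode records
 template data timeout 30
!
! Step 3: flow monitor - ties the record and exporter to a cache
flow monitor SW-MONITOR
 record SW-RECORD
 exporter SW-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
!
! Step 4: apply the monitor to the interface; flows are unidirectional,
! so apply it in both directions to see both halves of a conversation
interface GigabitEthernet0/1
 ip flow monitor SW-MONITOR input
 ip flow monitor SW-MONITOR output
!
! Verification: confirm flows are populating the cache and reaching the exporter
! show flow monitor SW-MONITOR cache
! show flow exporter SW-EXPORTER statistics
```

For IPFIX instead of NetFlow v9, change the exporter to `export-protocol ipfix` and `transport udp 4739`.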
Cisco Stealthwatch
Stealthwatch
Normalize traffic and find anomalies
Spike in traffic
Suspicious IPs and ports
Malware in encrypted traffic
Concern index
Associate users with flows
Flow generated for all traffic
Uses:
pxGrid
Custom policies
Forensics
Generate reports
Stealthwatch Components
SMC
Used to interact with flows and is what analyses the flows
Flow collector
Device that all network devices send flow to
Associates proxy information with flow data
Both the flow collector and SMC are required for Stealthwatch
Additional Stealthwatch Benefits
Flow sensor
Generates flow for devices that cannot do it natively
Can be used for layer 2 only traffic
UDP Director
Aggregates flow and sends it to Stealthwatch
Allows devices to send flow to only one destination