The Two Faces of NetFlow

Enabling NetFlow will give you some insight on what your network actually carries

-- Nicolas Fischbach, at a Black Hat conference

Even though we discuss NetFlow in this article, the content also applies to other flow technologies: J-Flow, sFlow, NetStream, etc.

In the discussion of my first June Ambassador blog post, The Cost of InfoSec Stewardship, jswan provided a great idea for reducing information $ecurity costs: implementing solutions that can be used for multiple purposes. He stated, for example, that NetFlow could be used by multiple departments in an organization, such as Operations, Security, Networking, and Help Desk.

My organization is mainly a Cisco shop, so we implement NetFlow. Since I split my working hours between Network Security and Data Center / Campus Networking, I have opportunities to use NetFlow both as an information security tool and as a network performance tool. Like many organizations, we were introduced to NetFlow analyzers by various vendors as a security tool. NetFlow analyzer vendors know that many organizations lack knowledge of what's going on in their network. The vendors also know that by showing the executives the unexpected Top Talkers in the network after one or two days of the POC, the executives will be convinced to pull out the checkbook.

The NetFlow solution for security doesn't come cheap. The cost of the NetFlow analyzer is one thing. You need FULL NetFlow, rather than SAMPLED NetFlow, for network forensics. If you have a scale-out network, you'll need multiple flow collectors, and in turn more storage. In the end, it is a good idea to present to the CIO that this solution is multi-purpose.

Do you want to hear a true story of the "alternative" usage of NetFlow? A Windows server admin accidentally clicked "Go" in "Default Server" of the Rapid Deployment System. Immediately hundreds of servers were… "defaulted" and started PXE boot. Countless alerts showed up in the NOC monitoring system. Within five minutes, the IT managers of different departments stormed into the poor network manager's office and asked what was wrong with the network (pretty common, I guess). Executives commanded to reboot this switch and that router. After the pale-faced Windows admin confessed his mistake to the people, no one knew where to start to identify all the damaged servers in the next 45 minutes.

The NetFlow guy in another office was notified about the incident. He calmly ran a NetFlow report for all PXE boot traffic for the period of the incident. That report saved many lives that day.
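To make that PXE report concrete, here is an added example (not from the original post or any vendor's product) that parses raw NetFlow v5 export packets and counts, per source host, the UDP flows to DHCP and TFTP ports that overlap an incident window; the sample packet, addresses and timestamps are constructed.

```python
import socket
import struct
from collections import Counter

HEADER = struct.Struct(">HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
UDP = 17
PXE_PORTS = {67, 68, 69}  # DHCP server/client and TFTP: the ports a PXE boot touches


def parse_v5(packet):
    """Return a list of flow dicts with wall-clock start/end times."""
    ver, count, uptime, secs, _ns, _seq, _et, _eid, _samp = HEADER.unpack_from(packet, 0)
    if ver != 5:
        raise ValueError(f"not NetFlow v5 (version {ver})")
    flows = []
    for i in range(count):
        (src, dst, _nh, _in, _out, pkts, octets, first, last, sport, dport,
         _pad, _flags, proto, _tos, _sas, _das, _sm, _dm, _pad2) = \
            RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        # first/last are router uptime in ms; anchor them to the header's unix time
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport, "proto": proto, "pkts": pkts,
                      "bytes": octets, "start": secs - (uptime - first) / 1000.0,
                      "end": secs - (uptime - last) / 1000.0})
    return flows


def pxe_report(flows, t0, t1):
    """Packets per source host for UDP flows to PXE ports overlapping [t0, t1]."""
    hosts = Counter()
    for f in flows:
        if f["proto"] == UDP and f["dport"] in PXE_PORTS \
                and f["end"] >= t0 and f["start"] <= t1:
            hosts[f["src"]] += f["pkts"]
    return hosts


def _rec(src, dst, sport, dport, proto, pkts, first, last):
    """Build one constructed v5 record (ifIndex 1 -> 2, 300 bytes per packet)."""
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4, 1, 2,
                       pkts, pkts * 300, first, last, sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)


# Constructed export packet: router uptime 100 s at unix time 1700000000, three flows
SAMPLE = HEADER.pack(5, 3, 100000, 1700000000, 0, 1, 0, 0, 0) + b"".join([
    _rec("0.0.0.0", "255.255.255.255", 68, 67, UDP, 4, 95000, 96000),  # DHCP discover
    _rec("10.1.1.11", "10.1.1.5", 2070, 69, UDP, 200, 96000, 99000),   # TFTP boot image fetch
    _rec("10.1.1.50", "10.1.2.9", 443, 51000, 6, 10, 90000, 99000),    # unrelated TCP, excluded
])

if __name__ == "__main__":
    for host, pkts in pxe_report(parse_v5(SAMPLE), 1699999990, 1700000000).items():
        print(f"{host:16} {pkts} packets to PXE ports during the incident window")
```

Because v5 records carry IP addresses only, a DHCP discover shows up as 0.0.0.0; it is the TFTP fetch of the boot image from the newly leased address that identifies the affected host.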

Does your organization implement NetFlow or any other flow technology for information security?

Is that technology also used for something other than security?

Do you have any story to share?

I hope your story is not that scary.

Comment
  • If you understand your network topology, NetFlow is probably the single most useful tool you can have after basic performance monitoring/alerting. The biggest problems people run into at the beginning usually have to do with not really understanding their own network topology -- this is common in cases where the network was built by consultants and then left to the operators without much training or documentation. Because NetFlow is fundamentally oriented towards interfaces rather than nodes, it's easy to get confused about the direction of traffic flow or the routed path taken by a flow. Most flow analyzers have a way to summarize interface data into node data, but often this just makes things even more confusing. When people first get a flow analyzer, I encourage them to look at it with a network map in hand.

    Also, it's handy to keep in mind that you can use NetFlow features at the CLI without a collector or analyzer. In the Cisco world, the "show ip flow top-talkers" and "show ip cache flow" commands are a great source of data if you have NetFlow configured on the device, even if it's not exporting.
