4 Replies Latest reply on Apr 3, 2008 11:06 AM by jswan

    Netflow Security


      How big of a security threat is it, if any, to, say, send NetFlow traffic from a router outside your firewall back into your network? If it is a big no-no, then how do you recommend grabbing NetFlow from an internet router outside a firewall? Can an ACL be used along with a static route on a firewall?



        • Re: Netflow Security

          NetFlow doesn't have many security features, but you could do a pretty good job of lowering your threat when you are running all of the traffic through the firewall.

          You would want an ACL for your port number along with the static route, like you already suggested. Most routers are directly connected to the firewall, so the chance for sniffing your packets is not a large concern, and to be honest the info you would receive from NetFlow is something you already would have if you had a sniffer on the router anyways. On the outside of the firewall everything is going to be NATed, so very little information should be available. The firewall exception would be relatively easy to set up, but if you have IDS you may have to do some tuning.

          The biggest security concern I see would be that you are creating an additional open port that could be exploited.

          • Re: Netflow Security

             If someone were able to sniff the NetFlow traffic itself that's outside your firewall, it would reveal traffic patterns, etc., but they'd probably need an analysis tool like NTA to make it happen.  An attacker could conceivably use this information to optimize his choice of attack vector(s) if he were able to subsequently enact a physical security breach inside the firewall.  Kind of a stretch, but it's possible.  YMMV.

            • Re: Netflow Security

              If you're exporting NetFlow data over an insecure connection (e.g., outside of your firewall) then you should definitely encrypt it. See section 10 of RFC 3954.

              E.g., one way to do this would be to create a crypto tunnel between the router and collector, and export your NetFlow data through the tunnel.

                • Re: Netflow Security

                  In Cisco-land at least, a router won't send its own Netflow traffic through a local native IPSec tunnel--at least on the 2800 series, anyway. I had to put it into an IPSec encrypted GRE tunnel to get this to work. FYI.
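
As an added example (not part of any post in this thread): a collector-side check in Python that shows why the replies lean on an ACL or a tunnel. The NetFlow v9 packet header defined in RFC 3954 carries no authentication field, so a collector can only check the sender address, the version and sequence continuity. The function names, addresses and sample datagrams are constructed for illustration.

```python
import ipaddress
import struct

# NetFlow v9 packet header per RFC 3954: version, count, sysUpTime,
# UNIX secs, sequence number, source ID. There is no authentication field.
V9_HEADER = struct.Struct("!HHIIII")


def check_export(datagram, src_ip, allowed_exporters, last_seq):
    """Classify one UDP export datagram as accept, flag or drop.

    last_seq maps (src_ip, source_id) to the last sequence number seen.
    """
    if ipaddress.ip_address(src_ip) not in allowed_exporters:
        return "drop", "source is not an approved exporter"
    if len(datagram) < V9_HEADER.size:
        return "drop", "shorter than the 20-byte v9 header"
    version, _count, _uptime, _secs, seq, source_id = V9_HEADER.unpack_from(datagram)
    if version != 9:
        return "drop", "unexpected version %d" % version
    key = (src_ip, source_id)
    prev = last_seq.get(key)
    last_seq[key] = seq
    # The sequence number counts export packets, so a jump means packets
    # were lost or something else is sending with this source address.
    if prev is not None and seq != (prev + 1) & 0xFFFFFFFF:
        return "flag", "sequence jumped from %d to %d" % (prev, seq)
    return "accept", "ok"


def run_constructed_samples():
    """Run constructed datagrams through the check and return the verdicts."""
    allowed = {ipaddress.ip_address("192.0.2.1")}  # constructed exporter address

    def hdr(seq, version=9):
        return V9_HEADER.pack(version, 0, 1000, 1207220760, seq, 1)

    samples = [
        (hdr(100), "192.0.2.1"),
        (hdr(101), "192.0.2.1"),
        (hdr(500), "192.0.2.1"),             # gap in the sequence
        (hdr(501), "198.51.100.7"),          # not the approved router
        (hdr(501, version=5), "192.0.2.1"),  # wrong export version
        (b"\x00\x09", "192.0.2.1"),          # truncated datagram
    ]
    state = {}
    return [check_export(d, ip, allowed, state)[0] for d, ip in samples]


if __name__ == "__main__":
    print(run_constructed_samples())
```

The source-address check is only as trustworthy as the path the datagram took, because UDP source addresses are not verified; that is the gap the firewall ACL and the encrypted tunnel discussed above are meant to close.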