7 Replies Latest reply on Aug 13, 2008 10:41 AM by Network_Guru

    Netflow Proxy/Probe

I have a question that has probably been answered and more importantly the answer is probably right in front of my face.  Our initial interests in using Netflow was to monitor internal/WAN traffic.  However, the need has arisen that we are wanting to monitor the traffic going into/out of our DMZ from our Internet connection.  Because of security restrictions we are not allowed to send netflows directly from our public facing DMZ into our internal netflow collector.  What options does the Orion package offer to allow me to put something like a netflow proxy or probe in a zone of our DMZ that the public facing side would send to and then that proxy would send the netflow into our internal collector?  I know there are packages out there that can do it but I'm hoping I can do it with our current setup.  We have Orion NPM with NTA.  Thank you in advance.

        • Re: Netflow Proxy/Probe
          Andy McBride

          Hi tkelly,

          We have a NetFlow remote receiver for just this case. Sales can give you all the info.


            • Re: Netflow Proxy/Probe

              Thank you.  I'll contact sales.

                • Re: Netflow Proxy/Probe

                  OK, so I spoke with sales and they told me they don't have a "Netflow Remote Receiver" and that the only way to get what I need using our current setup would be to purchase a small license for NPM and NTA.  I really don't see this as being a viable response to this scenario.  So having said that, I'd be interested to see how other people are doing this.

                • Re: Netflow Proxy/Probe

                  We need a receiver for the DMZ as well, is there a product to do this without buying a new car again?

                    • Re: Netflow Proxy/Probe
                      Andy McBride

                      The extra NPM/NTA works as a remote receiver. That's how it is done.

                        • Re: Netflow Proxy/Probe

                          That's exactly what sales told me.  I just found it hard to believe that someone who designed a product like this didn't have some sort of remote probe or collector that could be provided.  Especially since all it's needing to be is a Netflow forwarder and really doesn't have to do a whole heck of a lot more.  I can't justify the expense of several thousand dollars for something like that.  I doubt I could justify much of any expense just for something like that. 

                          • Re: Netflow Proxy/Probe

                            There are a couple of ways to do this securely.

                            Method one:
                            Use a /30 private IP address as the loopback on your DMZ/Internet router.
                            Add the /30 private IP subnet as a secondary interface on the FW interface which has your Netflow router in it.
                            Setup the Netflow source as the new private loopback IP to send flows to the private IP interface on the FW.
                            Setup a NAT rule on the FW to NAT this private IP to your Netflow server IP.
                            Create a FW rule which only allows the single UDP port from the private loopback IP of the router to the Netflow server.
                            (you could do PAT as well, if you subscribe to the security by obscurity methodology).

                            Method two:

                            Use 802.1Q trunking between your router and FW to isolate the netflow traffic in its own Vlan.
                            This keeps the Netflow traffic out of band between the router and FW.
                            Using Cisco's Private VLAN technology will add additional security to this design.
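The "Netflow forwarder" tkelly describes above, and the single-UDP-port firewall rule in Network_Guru's method one, both come down to one small relay sitting in the DMZ zone that accepts exports from the router and re-sends them to the internal collector. The script below is an added example written for this thread; it is not SolarWinds code and not part of Orion NPM/NTA. It relays NetFlow v5 only, and the listening port, collector address and the exporter /30 are placeholder assumptions you would replace with your own. It drops anything that is not from an allow-listed exporter or that does not parse as a well-formed v5 datagram, so the only thing crossing the firewall rule is NetFlow from the router's private loopback.

```python
"""Minimal NetFlow v5 UDP relay for a DMZ-to-internal hop (added example).

Listens on a DMZ-side address, accepts datagrams only from allow-listed
exporters, sanity-checks the NetFlow v5 header and total length, and re-sends
the unmodified datagram to the internal collector. Note the collector will see
the relay, not the router, as the source address, so run one relay (or one
listening port) per exporter if NTA needs to tell them apart.
"""
import ipaddress
import socket
import struct

# NetFlow v5 header layout (24 bytes): version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48      # each v5 flow record is 48 bytes
V5_MAX_RECORDS = 30     # v5 exporters send at most 30 records per datagram

# Assumed addresses (placeholders, not taken from the thread).
LISTEN_ADDR = ("0.0.0.0", 2055)              # DMZ-facing side of the relay
COLLECTOR_ADDR = ("10.10.10.20", 2055)       # internal NTA collector
ALLOWED_EXPORTERS = [ipaddress.ip_network("10.255.255.0/30")]  # router loopback /30


def parse_v5_header(datagram: bytes):
    """Return the parsed v5 header as a dict, or None if the datagram is not
    a well-formed NetFlow v5 export (wrong version, bad count, wrong size)."""
    if len(datagram) < V5_HEADER.size:
        return None
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_sequence, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5 or not 1 <= count <= V5_MAX_RECORDS:
        return None
    # Total length must be exactly header + count records; anything else is junk.
    if len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
        return None
    return {
        "version": version, "count": count, "sys_uptime": sys_uptime,
        "unix_secs": unix_secs, "flow_sequence": flow_sequence,
        "engine_type": engine_type, "engine_id": engine_id,
        "sampling_interval": sampling,
    }


def should_forward(src_ip: str, datagram: bytes, allowed=ALLOWED_EXPORTERS) -> bool:
    """Forward only if the sender is an allow-listed exporter and the payload
    parses as NetFlow v5. Everything else is dropped silently."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in allowed):
        return False
    return parse_v5_header(datagram) is not None


def relay(listen=LISTEN_ADDR, collector=COLLECTOR_ADDR):
    """Blocking receive/forward loop; run this on the relay host in the DMZ."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(listen)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        data, (src_ip, _port) = rx.recvfrom(65535)
        if should_forward(src_ip, data):
            tx.sendto(data, collector)


def build_sample_v5(count: int = 1) -> bytes:
    """Constructed test datagram: a valid v5 header followed by `count`
    zeroed 48-byte records (no real flow data)."""
    header = V5_HEADER.pack(5, count, 1000, 1218635000, 0, 42, 0, 0, 0)
    return header + bytes(V5_RECORD_LEN * count)


if __name__ == "__main__":
    relay()
```

The firewall rule from method one still applies unchanged: permit only UDP from the relay host to the collector on the export port, and nothing from the collector back. Because the relay re-sends the bytes untouched, NTA decodes them exactly as it would from the router.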