NetFlow 101 Seminar Series, 2012

Transcription

NetFlow 101 Seminar Series, 2012
An Introduction to Cisco’s NetFlow Technology
Know Your Network, Run Your Business

Agenda
- Introduction to NetFlow: how it works, what it is
- Why is NetFlow so popular? NetFlow costs less and works better
- How is NetFlow used? What can we do with NetFlow?
- Configuring and Working with NetFlow: a glimpse into the power of NetFlow
- Cisco Flexible NetFlow Lab: set up and work with NetFlow
- Lancope’s StealthWatch System: premium NetFlow collection and analysis

Science of Flow Analysis
- Lancope specializes in Behavior-based Network Flow Analysis
- Detects attacks by baselining and analyzing network traffic patterns
- Excellent defense in depth strategy to aid in defense of critical assets
- Over 600 customers world-wide
- Operational since 2002, located in Atlanta, GA
- http://netflowninjas.lancope.com

Introduction to NetFlow
Know Your Network, Run Your Business

Recap: The OSI Model (upper and lower layers)
- Layer-7: Application: HTTP Browser, FTP, Telnet
- Layer-6: Presentation: JPEG, GIF, MPEG-2
- Layer-5: Session: WinSock, RPC, SQL, NFS
- Layer-4: Transport: TCP, UDP, SPX
- Layer-3: Network: IP, ICMP, IPX
- Layer-2: Data-Link: Ethernet (MAC addresses)
- Layer-1: Physical: Hub, Cat-5 cable

Introducing NetFlow Technology
[Figure: NetFlow compared to a telephone bill]

Internal Visibility Through NetFlow
[Figure: NetFlow packets from the Internet edge, VPN, DMZ and internal network are sent to a NetFlow Collector. Each record carries: src and dst ip, src and dst port, start time, end time, mac address, byte count, and more.]

Create New TCP Flow
[NetFlow cache diagram showing key fields and non-key fields. Packet: TCP 10.1.1.1:1024 -> 10.2.2.2:80, SYN. A new cache entry is created: first seen 23:14:06, last seen 23:14:06, 1 packet, 195 bytes, input Gi4/13, output Gi2/1, flags S.]

Create New TCP Flow
Ingress and egress ports are based on the interface on which the packets entered and left the device.
[Packet: TCP 10.2.2.2:80 -> 10.1.1.1:1024, SYN/ACK. A second cache entry is created for the reverse direction: first seen 23:14:07, last seen 23:14:07, 1 packet, 132 bytes, input Gi2/1, output Gi4/13, flags SA.]

Update Existing TCP Flow
Packet and byte counts are incremented accordingly. Last Seen is also updated.
[Packet: TCP 10.1.1.1:1024 -> 10.2.2.2:80, ACK; the existing entry is updated.]

Update Existing TCP Flow
[Packet: TCP 10.2.2.2:80 -> 10.1.1.1:1024, ACK/PSH; the reverse-direction entry is updated: last seen 23:14:08, 2 packets, 862 bytes, flags SAP.]

Create New UDP Flow
[Packet: UDP 10.3.1.1:2918 -> 10.2.8.12:53; a new cache entry is created.]

Create New UDP Flow
[Packet: UDP 10.2.8.12:53 -> 10.3.1.1:2918; a new cache entry is created for the reverse direction, input Gi2/1, output Gi4/12.]

Create New ICMP Flow
Most NetFlow caches do not offer ICMP type and code fields, so the Destination Port column is overloaded with ICMP information.
[Packet: ICMP ECHO REQUEST 10.1.1.4 -> 10.2.8.14; a new entry is created: 23:14:12, 1 packet, 196 bytes, input Gi4/19, output Gi2/1.]

Update Existing ICMP Flow
[Packet: ICMP ECHO REQUEST 10.1.1.4 -> 10.2.8.14; the existing entry is updated: last seen 23:14:13, 2 packets.]

Create New ICMP Flow
[Packet: ICMP ECHO RESPONSE 10.2.8.14 -> 10.1.1.4; because the reply carries a different ICMP type, it does not match the request's key and a new entry is created, input Gi2/1, output Gi4/19.]

Continued
[Cache continues to fill: a further ICMP echo request from 10.1.1.4 (23:14:15, input Gi4/19, output Gi2/1) and a TCP SYN from 10.1.1.4 to 10.2.2.4:443 each create new entries.]

NetFlow In Action

Flow Collection Methods
- Traditional NetFlow
  – Provides router interface statistics
  – Very easy to deploy; available for “free” almost anywhere Cisco equipment is found
  – No packet-level visibility or response time information
- FlowSensor Appliance
  – Enables flow monitoring where traditional NetFlow is not available
  – Provides flow performance information such as round-trip time and server response time
  – URL information in Flows
  – Requires SPAN port or Ethernet tap
- FlowSensor Virtual Edition (VE)
  – Installs into VMware ESX to monitor VM2VM communications
  – Software only, no hardware required
[Figure: NetFlow from a Cisco Catalyst 6500 sent to a NetFlow Collector]

Cisco NetFlow Support
Hardware Supported: Cisco 1700, Cisco 2800, Cisco 2900, Cisco 7200 VXR, Cisco 7600, Cisco ASA, Cisco ASR, Cisco ISR G2, Cisco XR 12000, Cisco 3560/3750-X, Cisco Catalyst 4500, Cisco Catalyst 6500, Cisco Nexus 7000
2011 Lancope, Inc. All Rights Reserved. Company Confidential (not for distribution)

Wide Support for NetFlow
Exinda 2060, Palo Alto Firewalls, Huawei Quidway, Juniper Networks, BlueCoat PacketShaper, SonicWall 3500, Citrix NetScaler, Nortel Networks


FlowSensor VE: How It Works
1. VM to VM communications captured by the FlowSensor
2. Virtualized FlowSensor creates NetFlow v9 packets just like a router
3. External Flow Collector has complete visibility into the virtual network backplane (layer-2!)
* Other virtual NetFlow enablement mechanisms: Cisco Nexus-1000v, Xen Open vSwitch

NetFlow Versions
Version  Status
v1       Similar to v5 but without sequence numbers or BGP info
v2       Never released
v3       Never released
v4       Never released
v5       Fixed format, most common version found in production
v6       Never released
v7       Similar to v5 but without TCP flags, specific to Cat5k and Cat6k
v8       Aggregated formats, never gained wide use in the enterprise
v9       “Next Gen” flow format found in most modern NetFlow exporters, supports IPv6, MPLS, Multicast, many others
IPFIX    Similar to v9 but standardized and with variable length fields

NetFlow v5* (most common)
* fixed format, cannot be extended to include new fields

NetFlow Version 9: Key Fields
Flow: Sampler ID, Direction
IPv4: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Payload Size, Packet Section (Header), Packet Section (Payload), TTL, Fragmentation Flags, Fragmentation Offset, Identification, Header Length, Total Length, Version, Precedence, DSCP, TOS
IPv6: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Payload Size, Packet Section (Header), Packet Section (Payload), Extension Headers, Traffic Class, Hop-Limit, Flow Label, Length, Option Header, Next-header, Header Length, Version, Payload Length
Interface: Input, Output
Layer 2: Source VLAN, Dest VLAN, Dot1q VLAN, Dot1q priority, Source MAC address, Destination MAC address

NetFlow Version 9: Key Fields Cont.
Routing: src or dest AS, Peer AS, Traffic Index, Forwarding Status, IGP Next Hop, BGP Next Hop, Input VRF Name
Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type*, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, UDP Message Length, UDP Source Port, UDP Destination Port, TCP Flags: ACK, CWR, ECE, FIN, PSH, RST, SYN, URG
Application: Application ID
Multicast: Replication Factor*, RPF Check Drop*, Is-Multicast

NetFlow Version 9: Non-Key Fields
Counters: Bytes, Bytes Long, Bytes Square Sum, Bytes Square Sum Long, Packets, Packets Long
Timestamp: sysUpTime First Packet, sysUpTime Last Packet
IPv4: Total Length Minimum (*), Total Length Maximum (*), TTL Minimum, TTL Maximum
IPv4 and IPv6: Total Length Minimum (**), Total Length Maximum (**)
Plus any of the potential “key” fields: the value will be taken from the first packet in the flow
(*) IPV4 TOTAL LEN MIN, IPV4 TOTAL LEN MAX
(**) IP LENGTH TOTAL MIN, IP LENGTH TOTAL MAX

NetFlow Version 9 Export Packet
[Figure: packet layout]
HEADER
Template FlowSet
  Template Record, Template ID #1 (specific field types and lengths)
  Template Record, Template ID #2 (specific field types and lengths)
Data FlowSet, FlowSet ID #1 (field values laid out per Template 1)
Data FlowSet, FlowSet ID #2 (field values laid out per Template 2)
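The template-then-data layout above, as an added example (not from the seminar or any Cisco or Lancope software): a collector-side decoder that learns templates from FlowSet 0 and decodes data FlowSets only once their template is cached, which is why a data FlowSet that arrives before its template yields nothing. The export packet is constructed, and the field type ids are the RFC 3954 values assumed for the template.

```python
import socket
import struct

# NetFlow v9 field type ids from RFC 3954 used by the constructed template below.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 6: "tcp_flags",
               7: "src_port", 8: "src_ip", 11: "dst_port", 12: "dst_ip"}
TEMPLATE_ID = 256  # FlowSet id 0 carries templates; ids 256 and above are data FlowSets


def build_packet(include_template=True):
    """Construct a sample v9 export packet (constructed data, not a real capture)."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (2, 4), (1, 4)]
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(fields))
    tmpl += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
    tmpl_flowset = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    # One data record: the TCP SYN 10.1.1.1:1024 -> 10.2.2.2:80, 1 packet, 195 bytes.
    rec = socket.inet_aton("10.1.1.1") + socket.inet_aton("10.2.2.2")
    rec += struct.pack("!HHBBII", 1024, 80, 6, 0x02, 1, 195) + b"\x00\x00"  # 2 pad bytes
    data_flowset = struct.pack("!HH", TEMPLATE_ID, 4 + len(rec)) + rec
    header = struct.pack("!HHIIII", 9, 2 if include_template else 1, 1000, 1334000000, 1, 0)
    return header + (tmpl_flowset if include_template else b"") + data_flowset


def parse_v9(pkt, templates=None):
    """Decode one export packet; `templates` persists across calls like a collector's cache."""
    templates = {} if templates is None else templates
    if struct.unpack("!H", pkt[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, off = [], 20  # 20-byte header: version, count, sysUptime, unix secs, seq, source id
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        if fs_len < 4:  # a zero or short length would loop forever on a hostile packet
            raise ValueError("bad FlowSet length")
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet: learn the (type, length) list per template id
            p = 0
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(n)]
                p += 4 + 4 * n
        elif fs_id >= 256 and fs_id in templates:  # data FlowSet with a known template; unknown ones are skipped
            tmpl = templates[fs_id]
            rec_len, p = sum(flen for _, flen in tmpl), 0
            while p + rec_len <= len(body):  # trailing padding is shorter than one record
                rec = {}
                for ftype, flen in tmpl:
                    raw, p = body[p:p + flen], p + flen
                    name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                    rec[name] = socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
        off += fs_len
    return records
```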

NetFlow v9: Application Aware NetFlow
Palo Alto Firewalls, Exinda, SonicWall NSA, Lancope FlowSensor, BlueCoat PacketShaper, Cisco ASR, Cisco ISR G2

Application Awareness
[Figure: layer-4 versus layer-7 view of a flow]

HTTP Application Awareness – Flow Payload Sampling

URL Data from the FlowSensor
- Added Application Details (meta-data) by extending existing Payload functionality
  – For HTTP: Host name, path, and response code / error messages
  – For HTTPS: Common name and organization
- Flow Table is the only place this information is shown

A Note on sFlow
- Found in Foundry, Extreme, HP Procurve, etc.
- Uses sampling such as “1 in 128” packets
- The first 100 bytes of the Ethernet frame are extracted and placed into a UDP packet
- 1500 sFlow packets are sent to the sFlow collector
- Collector scales the byte counts based on the sampling factor
- Performs poorly in low-bandwidth environments or when full flow details are needed (compliance)
[Figure: sampled packets forwarded to an sFlow Collector]

Why NetFlow?
Know Your Network, Run Your Business

Business Challenges
- High availability and performance of the Network and its Apps
- Constantly evolving networks create gaps in monitoring
  – 10G, 40G, 100G Interfaces
  – MPLS & Multipoint VPN
- Lack of Internal security
  – Gaps left by traditional security technologies
  – High-speed, highly segmented networks
  – IT Consumerization
- Rapidly evolving threats - How do we stay out of the news?
  – Advanced Persistent Threat
  – Denial of Service
  – Data Exfiltration
- Compliance – SOX, PCI, HIPAA, etc.
  – Lack of visibility into behaviors across the network
  – User accountability for employees, partners, consultants, customers

10G Ethernet
“10G Ethernet is so fast few probe technologies can keep up and those that can are too expensive”
[Figure: a traditional Ethernet sensor with nowhere to plug in]

10G Ethernet
“NetFlow enables monitoring without the high cost of placing probes throughout the network”
[Figure: NetFlow-capable devices exporting to a Flow Collector]

MPLS and Multi-point VPNs
“MPLS and multi-point VPNs create a meshed WAN that’s expensive to monitor adequately”
[Figure: traditional Ethernet sensor]

MPLS and Multi-point VPNs
Fully meshed connectivity circumvents network monitoring deployed at the “hub” location

MPLS and Multi-point VPNs
Full visibility requires a probe at each location throughout the WAN

NetFlow Collection in the WAN
Deploy a StealthWatch NetFlow collector at a central location and enable NetFlow at each remote site
[Figure: NetFlow packets from each remote site sent to the central NetFlow Collector]

NetFlow Benefits for Network Operations
- Fully integrated view of: Network usage, Performance, Host integrity, User behavior
- Diagnose the source and root cause of a network problem causing response time delays
- Network management and security operations collaboration
- Avoid expensive upgrades and complexity to existing network management and security architectures with fully meshed networks
- Provides extensive historical and trending data to facilitate network performance capacity planning and resource management


Once upon a time
[Figure: Internet, VPN, DMZ and Internal Network]

The Mobile Computing Era
[Figure: Internet, VPN, DMZ and Internal Network with mobile clients]

And now BYOD or IT work
[Figure: devices reaching the Internet directly over 3G and 4G]

BYOD is Riskiest
- Difficult to find common AV or host-based IDS spanning platforms
- Reliant on employees to install them
- Cisco says 70 percent of young workers ignore IT (…ent?type webcontent&articleId 586267)
- Over half of all IT leaders in the U.S. say that employee-owned mobile devices pose a greater risk to the enterprise than mobile devices supplied by the company.

Internal Visibility Through NetFlow
[Figure: NetFlow packets from the Internet edge, VPN and 3G Internet connections are sent to a NetFlow Collector. Each record carries: src and dst ip, src and dst port, start time, end time, mac address, byte count, and more.]


The Threats are Real
2012 Lancope, Inc. All Rights Reserved.


Bad Things Will Happen
- HBGary vs. Anonymous: Story by Ars (…ary-hack.ars)
- HBGary Federal sought to “out” WikiLeaks and associated Anonymous hacker organization
- Anonymous finds out and launches full frontal assault on HBGary
- HBGary website defaced, emails stolen, backups deleted, twitter and LinkedIn accounts hacked, etc.
- Massive damage to HBGary’s reputation
- Cleanup could take weeks or months


How is NetFlow Used? What Can We Do With It?
Know Your Network, Run Your Business

NetFlow Visibility
NETWORKING: Operational troubleshooting, QoS Monitoring, Application performance, Organizational billing, Capacity planning and optimization
SECURITY: Remote and data center security, Internal IDS/IPS, Network forensics, Data extrusion detection, Firewall planning/auditing
COMPLIANCE: PCI, SCADA, FISMA, NIST, HIPAA, GLB, SOX

How Flows are Used
1. Traffic Analysis and Network Visibility: Bandwidth Trending, Network troubleshooting, QoS Monitoring, Router Capacity
2. Detect Network Anomalies: Internal Monitoring, Firewall Validation, Rapid Detection, DoS Detection
3. Forensics and Incident Response: Reduce MTTK, Situational Awareness, Records *All* Traffic, Complements SIEM

SNMP Monitoring
[Figure]

SNMP Monitoring Cont.
[Figure]

Traffic Visibility with NetFlow and NBAR
[Figure]

Traffic Visibility with NetFlow and NBAR Cont.
[Figure: HTTP (unclassified)]


NetFlow security use cases
- Detecting Sophisticated and Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise waiting to strike as lurking threats. These may be zero day threats that do not yet have an antivirus signature or be hard to detect for other reasons.
- Uncovering Network Reconnaissance. Some attacks will probe the network looking for attac
