NetFlow is a network protocol that was developed by Cisco for the collection and monitoring of network traffic flow data generated by NetFlow-enabled network devices. NetFlow has become a de-facto industry standard and is supported by platforms other than Cisco.
From a network security monitoring perspective, NetFlow provides session data. NetFlow captures basic information about every IP conversation that takes place through the monitored network device, including the identities of the systems involved in the conversation, the time of the connection, and the amount of data transferred.
NetFlow provides a 24×7 view of all the network communication. It is a complete audit trail of everything that has happened, and it is a powerful surveillance monitoring method on the network.
Take a moment to think about the potential applications of these NetFlow records. In addition to the obvious network diagnostic and troubleshooting uses of this data, NetFlow data can also be a valuable tool for security analysts trying to identify anomalous activity or reconstruct the sequence of events when responding to security incidents.
NetFlow collection and analysis play critical roles in a defense-in-depth approach to data security by augmenting the capabilities that are provided by other security controls.
For example, malware detection capabilities benefit from NetFlow data when systems begin exhibiting patterns of behavior indicative of a worm infection or botnet membership. NetFlow-based detection is especially important when a system is infected with a zero-day threat that traditional antivirus software cannot detect.
NetFlow data also plays a critical role both in detecting the presence of advanced persistent threats and in conducting post-incident forensic analysis. NetFlow-based security analysis leverages behavioral analysis and pattern recognition techniques that allow for rapid detection of undocumented attack vectors, often revealing the attack early in the attack lifecycle.
Often, the greatest risk to an organization's security comes not from distant hackers but from trusted individuals with access to sensitive information. The U.S. federal government experienced this when a single Army intelligence analyst's alleged actions led to a massive disclosure of classified information on the WikiLeaks website. Perimeter controls are not effective against the insider threat because those controls are typically designed to allow insiders access to sensitive information. NetFlow technology can identify signs of insider attacks in progress, such as internal or external data transfers that are unusually large or that go to unusual destinations.
The basic output of NetFlow is a flow record. Several different formats for flow records have evolved as NetFlow has matured. The most recent evolution of the NetFlow flow-record format is known as NetFlow version 9. The distinguishing feature of the NetFlow Version 9 format, which is the basis for the IPFIX IETF standard, is that it is template-based. Templates provide an extensible design for the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format.
NetFlow v9 and IPFIX provide mechanisms to identify not only the port number but the actual applications in use within the flow. Malicious code authors often use port 80 to tunnel command-and-control traffic through enterprise firewalls. Several advanced NetFlow analysis systems have the ability to look inside the network traffic to perform deeper inspection, identifying the specific application in use for each session and including that information in the recorded flow data.
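To make the template mechanism concrete, here is an added example (not from the original page and not any Cisco product's code) that builds a constructed v9 export packet containing a template FlowSet and one data record, then decodes it. The field type IDs are the ones RFC 3954 assigns; the addresses, ports, byte count and header values are made up.

```python
import struct
import ipaddress

# NetFlow v9 field type IDs from RFC 3954 section 8 (only the ones this example uses)
FIELD_NAMES = {1: "in_bytes", 4: "protocol", 7: "src_port", 8: "src_addr", 11: "dst_port", 12: "dst_addr"}

def decode_field(ftype, raw):  # address fields become dotted quads, everything else an integer
    return str(ipaddress.IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_v9(packet):
    """Return (templates, records) for one v9 export packet. A data FlowSet can only be decoded
    once its template (FlowSet ID 0) has been seen, so a real collector caches templates across packets."""
    version, _count, _uptime, _secs, _seq, _source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9: raise ValueError("not a NetFlow v9 packet")
    templates, records, offset = {}, [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:  # template FlowSet: template_id, field_count, then (type, length) pairs
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                if tid < 256:  # template IDs start at 256; anything lower here is padding
                    break
                pos += 4
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
        elif flowset_id in templates:  # data FlowSet described by a known template
            fields = templates[flowset_id]
            rec_len = sum(flen for _, flen in fields)
            for pos in range(0, len(body) - rec_len + 1, rec_len):  # trailing padding is ignored
                rec, p = {}, pos
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
        offset += max(length, 4)  # unknown-template data FlowSets are skipped; never loop on a bad length
    return templates, records

def build_sample_packet(include_template=True):
    """Constructed export packet: template 256 (six fields) plus one HTTPS flow record that uses it."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_set = struct.pack("!HH", 0, 4 + len(template)) + template if include_template else b""
    record = b"".join(ipaddress.IPv4Address(a).packed for a in ("10.1.1.1", "203.0.113.5"))
    record += struct.pack("!HHBI", 52000, 443, 6, 18342)  # sport, dport, proto (TCP), in_bytes
    record += b"\x00" * (-len(record) % 4)  # FlowSets are padded to a 4-byte boundary
    data_set = struct.pack("!HH", 256, 4 + len(record)) + record
    header = struct.pack("!HHIIII", 9, 2 if include_template else 1, 123456, 1700000000, 1, 0)
    return header + template_set + data_set
```

Calling `build_sample_packet(include_template=False)` shows the practical consequence of the template design: a data FlowSet whose template has not arrived yet decodes to nothing.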
Today, NetFlow is used as a network security tool because it provides security analysts with visibility and context into network communication. However, NetFlow data by itself is useless without a collector and an analysis engine to store and correlate the data. An example of a NetFlow analysis system is Cisco's Stealthwatch. Nevertheless, there are many NetFlow collection and analysis tools available, including some freeware ones.
Once attackers gain a foothold on a device, they will typically begin to explore the network or move laterally, looking for other devices that can be compromised. A tool that can utilize NetFlow data would help security professionals determine the extent and scope of a compromise. Since the attacker is looking for other machines on the network to exploit, they are generating traffic that can be a tell-tale sign of malicious activity.
You might think of NetFlow records as a “phone bill” for the network. NetFlow can’t tell you what was said on the network, but it gives you a good idea who was talking and how much they said. NetFlow provides information about the “conversations” that take place on the network, similar to the information phone bills provide about voice conversations.
Cisco developed the original NetFlow standard, but it quickly became adopted as an industry standard. Over time, this standard evolved through nine versions, culminating in the most recent release, IPFIX. The table below shows the different versions of NetFlow.
| Version | Description |
|---|---|
| v1 | Original version of NetFlow, now obsolete |
| v2–v4 | Working versions that were never released |
| v5 | Most commonly deployed version today, only supports IPv4 |
| v6 | Working version that was never released |
| v7 | Used only on some Cisco Catalyst switches |
| v8 | Never widely adopted |
| v9 | Next-generation flow format that supports IPv6, MPLS, and multicast |
| v10 | IPFIX, the industry-standardized version of v9 |
Some of the most commonly used data elements that are generated by NetFlow include the following:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Timestamps for the flow start and conclusion
- Amount of data passed
The list above is a small sampling of the many data fields that are available to NetFlow analysts.
To understand NetFlow, one must first understand the concept of flows. A flow is a unidirectional series of packets between a source and a destination. All packets in a flow share the same source IP, destination IP, source and destination ports, and IP protocol. These five parameters of a flow are referred to as the five-tuple. The figure below shows the five-tuple of an HTTPS one-way communication flow.
Figure: five-tuple of an HTTPS one-way flow (only the address fields are legible):

| Field | Value |
|---|---|
| Source IP Address | 10.1.1.1 |
| Destination IP Address | 220.127.116.11 |
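An added example (not part of the original page) of how an exporter turns packets into the unidirectional flow records described above: packets are grouped by five-tuple, the two directions of a single HTTPS session produce two separate records, and an inactive timeout closes a record. The packets and the 15-second timeout are constructed for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts src_ip dst_ip src_port dst_port proto length")

# Constructed packets of one HTTPS exchange between 10.1.1.1 and 203.0.113.5, followed by one
# more client packet 39.5 s later, well past the inactive timeout.
SAMPLE_PACKETS = [
    Packet(100.0, "10.1.1.1", "203.0.113.5", 52000, 443, 6, 74),
    Packet(100.1, "203.0.113.5", "10.1.1.1", 443, 52000, 6, 74),
    Packet(100.2, "10.1.1.1", "203.0.113.5", 52000, 443, 6, 517),
    Packet(100.4, "203.0.113.5", "10.1.1.1", 443, 52000, 6, 1460),
    Packet(100.5, "10.1.1.1", "203.0.113.5", 52000, 443, 6, 66),
    Packet(140.0, "10.1.1.1", "203.0.113.5", 52000, 443, 6, 66),
]

def five_tuple(pkt):
    """The flow key: packets with the same source, destination, ports and protocol, in one direction."""
    return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto)

def build_flows(packets, inactive_timeout=15.0):
    """Aggregate packets into unidirectional flow records the way a NetFlow exporter does.
    A record is exported (and a new one started) when no packet with its key arrives for
    inactive_timeout seconds; the two directions of one TCP session become two records."""
    exported, active = [], {}
    for pkt in sorted(packets, key=lambda p: p.ts):
        key = five_tuple(pkt)
        rec = active.get(key)
        if rec is not None and pkt.ts - rec["end"] > inactive_timeout:
            exported.append(active.pop(key))  # inactive timeout expired: export the old record
            rec = None
        if rec is None:
            rec = active[key] = {"key": key, "start": pkt.ts, "end": pkt.ts, "packets": 0, "bytes": 0}
        rec["end"] = pkt.ts
        rec["packets"] += 1
        rec["bytes"] += pkt.length
    exported.extend(active.values())  # flush whatever is still active at the end of the capture
    return sorted(exported, key=lambda f: f["start"])
```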
One of the benefits of NetFlow from a network security perspective is anomaly detection and historical investigation capabilities. For example, a security analyst can use NetFlow data to correlate traffic activity from a device or to a device, and compare the timestamp of activity against the other logs.
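An added example (not from the original page) of two uses described on this page: spotting the fan-out pattern of a compromised host exploring the network, and pulling the flows around a timestamp taken from another log for correlation. The records, the port and the thresholds are constructed.

```python
from collections import defaultdict

# Constructed flow records as (src, dst, dst_port, proto, start): workstation 10.1.1.50 reaches
# twelve different internal hosts on TCP/445 within a few seconds, amid ordinary DNS/HTTPS traffic.
SAMPLE_FLOWS = [("10.1.1.50", "10.1.2.%d" % i, 445, 6, 1000.0 + i) for i in range(1, 13)] + [
    ("10.1.1.20", "10.1.9.9", 53, 17, 1003.0),
    ("10.1.1.20", "203.0.113.5", 443, 6, 1004.0),
    ("10.1.1.50", "10.1.9.9", 53, 17, 1001.5),
]

def fan_out_alerts(flows, port, window, threshold):
    """Flag any source that reaches at least `threshold` distinct destinations on `port` within
    `window` seconds: the fan-out pattern of a host probing its neighbours.
    Returns {src: (window_start, distinct_destinations)} for the first window that trips it."""
    per_src = defaultdict(list)
    for src, dst, dport, _proto, start in flows:
        if dport == port:
            per_src[src].append((start, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide the window forward
                lo += 1
            distinct = {dst for _, dst in events[lo:hi + 1]}
            if len(distinct) >= threshold:
                alerts[src] = (events[lo][0], len(distinct))
                break
    return alerts

def flows_near(flows, host, log_ts, slack):
    """Pull the flow records involving `host` within +/- `slack` seconds of a timestamp taken
    from another log source (an endpoint alert, a login event), for side-by-side correlation."""
    return sorted(f for f in flows if host in (f[0], f[1]) and abs(f[4] - log_ts) <= slack)
```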
NetFlow analysis is different from signature-based IPS solutions. IPS provides levels of application awareness, network awareness, behavior baseline identification, and analysis. However, IPS is not the same as flow analysis. IPS provides deep packet and file-level analysis, while NetFlow data does not contain the actual packet data but metadata about the conversations. The table below summarizes some of the differences between a typical NetFlow system and an IPS.
| Capability | NetFlow | IPS |
|---|---|---|
| Detection of threats | Flow analysis | Network traffic analysis |
| Deployment | Collectors receive flow information from the exporters (network devices) | In-line protection to drop the offending traffic |
| Privacy | Looks at header-level information | Deep file and application inspection |
| Storage | Fewer storage requirements; can be stored for years for forensic investigations | Can require large storage space, for example to also store the packet captures related to the IPS alert |
| Host-based analysis | Based on flows, no client agents required | Requires a host-based IPS application running on the host |
Based on the information that is provided in the table above, it is evident that NetFlow helps with network behavior analysis, where an IPS has the ability to block the attack when the IPS device is in-line with the traffic. The advantage is that NetFlow combined with IPS can provide a security analyst with context for the communication that triggered the IPS signature.
NetFlow data is available from a wide variety of sources, including both traditional NetFlow-enabled networking and security devices and special-purpose NetFlow collection appliances.
Sometimes, security analysts may not be able to gain access to NetFlow data from the organization's network devices, which might be because the devices are not capable of generating NetFlow exports, network engineers are unwilling to provide access to those records, or concerns exist about the overhead that is introduced on the networking device. In this case, you may wish to consider dedicated NetFlow exporters to collect and export the flow information, possibly enhanced with application performance metrics. These devices can be attached to the network using, for example, a SPAN port or an Ethernet TAP.
It's easy to perform a basic NetFlow configuration on most supported network devices. You will need to configure the network device to enable NetFlow collection and direct the NetFlow data to the NetFlow collector.
The diagram below shows three of the components of the Cisco Stealthwatch system.
The Cisco Stealthwatch Management Center (Cisco SMC) is a GUI-based management console that aggregates, organizes, and presents analysis from the flow collectors via graphical representations of network traffic, user identity information, customized summary reports, and integrated security and network intelligence for drill-down analysis.
The flow collector aggregates and normalizes NetFlow and application-type data that is collected from network devices.
The flow sensor provides an overlay solution for generating NetFlow data for legacy network infrastructure devices that are not capable of producing line-rate, unsampled NetFlow data, and for environments where IT security prefers a dedicated overlay architecture separate from the network infrastructure. When using the flow sensor, a copy of the network device traffic is sent to the flow sensor, for example, using SPAN.
More advanced NetFlow analytics systems like the Cisco Stealthwatch can also perform flow stitching, flow deduplication, and NAT stitching to correlate the flow data into fewer resulting records to reduce the investigation time.
- Flow stitching: NetFlow generates unidirectional records, resulting in two different flow records for each network session. The flow collector puts these back together again, giving analysts the full picture of each connection.
- Flow deduplication: In networks with multiple flow exporters, the same network connection may be captured multiple times. Flow collectors must watch for and remove duplicate records before performing security analysis on the flows.
- NAT stitching: Unify the NAT information from inside the firewall with information from outside the firewall to pinpoint which IPs and users inside the network are responsible for a particular action.
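An added example (not the Stealthwatch implementation) of the three collector functions just listed, flow deduplication, flow stitching and NAT stitching, over constructed records from two exporters sitting outside a NAT firewall. The NAT table stands in for the firewall's translation log.

```python
# Constructed unidirectional records of one HTTPS session, observed by two exporters (a border
# router and a TAP-fed sensor) outside a NAT firewall, plus one DNS query with no reply seen.
SAMPLE_RECORDS = [
    {"exporter": "border", "src": "198.51.100.7", "dst": "203.0.113.5", "sport": 40001, "dport": 443, "proto": 6, "start": 100.0, "end": 100.5, "bytes": 657},
    {"exporter": "sensor", "src": "198.51.100.7", "dst": "203.0.113.5", "sport": 40001, "dport": 443, "proto": 6, "start": 100.0, "end": 100.5, "bytes": 657},
    {"exporter": "border", "src": "203.0.113.5", "dst": "198.51.100.7", "sport": 443, "dport": 40001, "proto": 6, "start": 100.1, "end": 100.4, "bytes": 1534},
    {"exporter": "sensor", "src": "203.0.113.5", "dst": "198.51.100.7", "sport": 443, "dport": 40001, "proto": 6, "start": 100.1, "end": 100.4, "bytes": 1534},
    {"exporter": "border", "src": "198.51.100.7", "dst": "203.0.113.9", "sport": 40002, "dport": 53, "proto": 17, "start": 99.0, "end": 99.0, "bytes": 70},
]
# Constructed NAT translation entry: outside (address, port) -> inside (address, port)
NAT_TABLE = {("198.51.100.7", 40001): ("10.1.1.1", 52000)}

def key_of(r):
    return (r["src"], r["dst"], r["sport"], r["dport"], r["proto"])

def dedup(records):
    """Flow deduplication: keep one record per (five-tuple, start time) even when several exporters
    saw the same flow; the copy with the most bytes wins in case one exporter missed packets."""
    best = {}
    for r in records:
        ident = key_of(r) + (r["start"],)
        if ident not in best or r["bytes"] > best[ident]["bytes"]:
            best[ident] = r
    return list(best.values())

def stitch(records, nat_table=None):
    """Flow stitching: pair each flow with its reverse into one bidirectional session record; the
    side that started first is the client. NAT stitching: if the client (address, port) appears in
    nat_table, replace it with the inside host that owns the translation."""
    by_key = {key_of(r): r for r in records}
    sessions, done = [], set()
    for key, fwd in by_key.items():
        if key in done:
            continue
        rkey = (key[1], key[0], key[3], key[2], key[4])
        rev = by_key.get(rkey)
        done.update((key, rkey))
        if rev is not None and rev["start"] < fwd["start"]:
            fwd, rev = rev, fwd
        client = (fwd["src"], fwd["sport"])
        if nat_table and client in nat_table:
            client = nat_table[client]
        sessions.append({"client": client, "server": (fwd["dst"], fwd["dport"]), "proto": fwd["proto"],
                         "start": fwd["start"], "end": max(fwd["end"], rev["end"]) if rev else fwd["end"],
                         "bytes_out": fwd["bytes"], "bytes_in": rev["bytes"] if rev else 0})
    return sorted(sessions, key=lambda s: s["start"])
```

Run as `stitch(dedup(SAMPLE_RECORDS), NAT_TABLE)`: five exporter records collapse to two sessions, and the HTTPS session is attributed to 10.1.1.1 rather than the firewall's outside address.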