Slide 1

Slide 2: Agenda
• Introduction to NetFlow: how it works, what it is
• Why is NetFlow so popular? NetFlow costs less and works better
• Configuring and Working with NetFlow: a glimpse into the power of NetFlow
• Threat Detection Methods: using flows to detect malware
• FlowSensor Technology: generate NetFlow v9 from a SPAN
• Cisco Flexible NetFlow Lab: set up and work with NetFlow
Slide 3: Lancope NetFlow Ninjas Blog
http://netflowninjas.typepad.com

NetFlow 101 Boot Camp March 18, 2010
Slide 4

Slide 5: Network Flow Collection
[Diagram only]
Slide 6: The Life of a Flow
[Diagram: traffic between 10.1.1.1 and google.com crosses a Cisco Router, which exports a NetFlow packet (labelled “NetFlow Packet Header”) to the StealthWatch Flow Collector.]
Slide 7: Flow Collection Methods
• Traditional NetFlow
  • Provides router interface statistics
  • Very easy to deploy; available for “free” almost anywhere Cisco equipment is found
  • No packet-level visibility or response time information
• FlowSensor Appliance Edition (AE)
  • Enables flow monitoring where traditional NetFlow is not available
  • Provides flow performance information such as round-trip time and server response time
[Diagram: a Cisco Catalyst 6500 exporting NetFlow to the StealthWatch Flow Collector.]
Slide 8: Wide Support for NetFlow
[Diagram of device logos: Cisco 800, 1700, 1900, 2800, 2900 and 3750, Huawei Quidway, Juniper Networks; one device is marked “Not Supported”.]
Slide 9: Wide Support for NetFlow (continued)
[Diagram only]
Slide 10: Flow Collection Methods (continued)
• Traditional NetFlow
  • Provides router interface statistics
  • Very easy to deploy; available for “free” almost anywhere Cisco equipment is found
  • No packet-level visibility or response time information
• FlowSensor Appliance Edition (AE)
  • Enables flow monitoring where traditional NetFlow is not available
  • Provides flow performance information such as round-trip time and server response time
  • Requires SPAN port or Ethernet tap
[Diagram: the StealthWatch Flow Collector receives plain NetFlow from Cisco equipment and NetFlow plus latency statistics from a FlowSensor AE that is fed by a SPAN port.]
Slide 11: Flow Collection Methods (continued)
Same bullets as slide 10.
[Diagram: the StealthWatch Flow Collector receives NetFlow from the physical network and NetFlow plus VM information from the virtual machine guests (VM VM VM).]
Slide 12: NetFlow v5 (most common)
[Diagram of the NetFlow v5 record format only]
Slide 13: NetFlow v9 (newer and more powerful)
[Diagram of the NetFlow v9 template-based format]
* 160+ fields to choose from, including payload sections
Slide 14: NetFlow v9 – NBAR support!
Network-Based Application Recognition is being integrated with NetFlow in Cisco IOS-based products. Over 600 applications supported....
** available Q4 2009 from Lancope
Slide 15
[Diagram only]
Slide 16: NetFlow for the Network Team
[Diagram: NetFlow packets (flow1, flow2, ...) arrive at the StealthWatch Flow Collector, which serves three audiences:]
Network Team: Interface utilization; Billing and chargeback; QOS monitoring; BGP ASN monitoring; MPLS visibility; Application troubleshooting
Compliance and Auditing: PCI Compliance; HIPAA Compliance; SCADA Security; Sarbanes-Oxley
Security Team: File sharing; Malware outbreak detection; Network acceptable use; Flow forensics; Data loss prevention
Slide 17: NetFlow Compliance and Auditing
Same diagram and use-case table as slide 16, with the Compliance and Auditing column highlighted.
Slide 18: NetFlow for the Security Team
Same diagram and use-case table as slide 16, with the Security Team column highlighted.
Slide 19: NetFlow vs. SNMP
[Diagram comparing SNMP and NetFlow]
Slide 20: NetFlow Reporting and Drilldown
[Screenshot only]
Slide 21: Visibility Lost Due to Emerging Tech
Emerging network technologies are outpacing traditional network monitoring techniques such as SNMP and SPAN/tap-based technology...
“10G Ethernet is so fast few probe technologies can keep up and those that can are too expensive”
Slide 22: 10G+ Ethernet
“10G Ethernet is so fast few probe technologies can keep up and those that can are too expensive”
[Diagram: a traditional Ethernet sensor next to a 10G link, captioned “Where to plug in?”]
Slide 23: NetFlow in a 10G+ Ethernet Environment
“10G Ethernet is so fast few probe technologies can keep up and those that can are extremely expensive”
[Diagram: 10G routers export NetFlow to the StealthWatch Flow Collector instead of being probed.]
Slide 24: Virtualization
“Virtualization hides whole network segments from the network manager’s view, making VM2VM communication problems difficult to troubleshoot”
[Diagram: virtual machines VM1, VM2 and VM3 exchange VM2VM traffic over virtual switches inside one physical machine; a traditional Ethernet probe on the physical network never sees that traffic.]
Slide 25: NetFlow in the Virtual Environment
[Diagram: on a VM Server, a promiscuous capture of VM2VM traffic on the virtual switches is exported as NetFlow v9 to the StealthWatch Flow Collector; the physical network exports NetFlow as before.]
*** Cisco Nexus 1000v also supports NetFlow ***
Slide 26: MPLS and Multi-point VPNs
“MPLS and multi-point VPNs create a meshed WAN that’s expensive to monitor adequately”
[Diagram: a traditional Ethernet sensor at one site of a meshed WAN]
Slide 27: MPLS and Multi-point VPNs (continued)
Fully meshed connectivity circumvents network monitoring deployed at the “hub” location…
NetFlow 101 Boot Camp March 18, 2010
Slide 28 ___________________________
MPLS and Multi-point VPNs
___________________________
Full visibility requires a probe at each location throughout the WAN…
___________________________
___________________________
___________________________
___________________________
28
Slide 29: NetFlow Collection in the WAN
Deploy a StealthWatch NetFlow collector at a central location and enable NetFlow at each remote site…
[Diagram: NetFlow packets from each remote site converge on the central StealthWatch Flow Collector.]
Slide 30: Quick Recap
Slide 31: Configuring and Working with NetFlow
Slide 32: Flow Replication
[Diagram only]
Slide 33: Flow Replication Modes
Unicast Mode
[Diagram only]
Slide 34: Flow Replication: UDP Samplicator
http://freshmeat.net/projects/samplicator/
Slide 35: Active vs. Inactive Timeouts
Active Timeout
• Configures the longest amount of time a flow can stay in the cache regardless of activity
• Recommend 1 minute
• All exporters should have similar active timeouts
• Cisco default of 30 minutes is far too long
Inactive Timeout
• Configures how long a flow can be inactive before it is expired from the cache
• Recommend 15 seconds (which is also the IOS default)
• All exporters should have similar inactive timeouts
[Diagram: Cisco Router]
Slide 36: Configuring NetFlow – Traditional Method
[Annotated router configuration screenshot; the callouts read:]
• Configure “Active” Timeout
• Enable NetFlow for each interface on the router (also: “ip flow ingress”)
• Specify a destination for the flows
Slide 37: Configuring NetFlow – Flexible NetFlow (FnF)
• Tells the router which fields to extract from flows
  • “match” is a key field
  • “collect” is non-key
[Configuration screenshot]
Slide 38: Configuring NetFlow – Flexible NetFlow (FnF)
• Configure “exporter”
  • Tells the router where to send the flows.
[Configuration screenshot]
Slide 39: Configuring NetFlow – Flexible NetFlow (FnF)
• Configure “monitor”
  • Sets up the cache timeouts and type
[Configuration screenshot]
Slide 40: Configuring NetFlow – Flexible NetFlow (FnF)
• Enable NetFlow on each interface
  • Reference the “monitor” command in the interface config
[Configuration screenshot]
Blog entry describing FnF in detail...
http://netflowninjas.typepad.com/blog/2009/08/index.html
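The configuration screenshots behind slides 35 to 40 did not survive extraction, so here is an added example (not from the original deck) of an IOS configuration that follows those steps: a flow record with match/collect fields, an exporter, a monitor with the recommended 1-minute active and 15-second inactive timeouts, and the monitor applied per interface, with the traditional-method equivalent from slide 36 shown in comments. The record/exporter/monitor names, the collector address 10.0.0.50 on UDP 2055, Loopback0 and the GigabitEthernet interface names are assumed values.

```cisco
! ---- Traditional method (slide 36), shown for comparison ----
! ip flow-cache timeout active 1            ! minutes (IOS default is 30)
! ip flow-cache timeout inactive 15         ! seconds (IOS default)
! ip flow-export version 9
! ip flow-export destination 10.0.0.50 2055 ! assumed collector address/port
! interface GigabitEthernet0/0
!  ip flow ingress
!
! ---- Flexible NetFlow (slides 37-40) ----
!
! Flow record: "match" fields form the flow key, "collect" fields are
! non-key values aggregated onto the flow (slide 37).
flow record NETFLOW-RECORD
 description Key and non-key fields sent to the collector
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect transport tcp flags
!
! Flow exporter: where the router sends the flows (slide 38).
! 10.0.0.50, UDP 2055 and Loopback0 are assumed values.
flow exporter NETFLOW-EXPORTER
 description Export NetFlow v9 to the flow collector
 destination 10.0.0.50
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
! Flow monitor: ties record and exporter together and sets the cache
! timeouts (slide 39). FnF timeouts are in seconds, so 60 replaces the
! 30-minute (1800 s) default active timeout; 15 s inactive (slide 35).
flow monitor NETFLOW-MONITOR
 description 1 minute active / 15 second inactive cache timeouts
 record NETFLOW-RECORD
 exporter NETFLOW-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
!
! Apply the monitor on every interface to be watched (slide 40).
! GigabitEthernet0/0 and 0/1 are assumed interface names.
interface GigabitEthernet0/0
 ip flow monitor NETFLOW-MONITOR input
!
interface GigabitEthernet0/1
 ip flow monitor NETFLOW-MONITOR input
!
! Verification from the CLI:
! show flow monitor NETFLOW-MONITOR cache
! show flow exporter NETFLOW-EXPORTER statistics
```

Because the collector reconciles records across exporters, keep the same active and inactive values on every exporter, as slide 35 recommends.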
Slide 41
[Screenshot only]
Slide 42: Ingress vs. Egress NetFlow
[Diagram only]
Slide 43: NetFlow on the Catalyst 6500
[Diagram: a Catalyst 6500 exporting NetFlow from both the MSFC and the Supervisor (Sup).]
Slide 44: Helpful Links re: CPU and bandwidth consumption from NetFlow
Cisco Whitepaper: NetFlow Performance Analysis
http://www.cisco.com/en/US/tech/tk812/technologies_white_paper0900aecd802a0eb9.shtml
Fully loaded ISR running software IOS: ~15% CPU uptick resulting from NetFlow enablement.
Slide 45: Viewing NetFlow bps rate per exporter
[Screenshot only]
Slide 46
[Screenshot only]
Slide 47: Troubleshooting with NetFlow
• Several approaches to working with flow data...
  • Direct router access via CLI
  • Flow-tools, ntop and other open source
  • Commercial NetFlow Collector
Slide 48: Direct router access via CLI (Traditional)
[Screenshot of the flow cache output on the router; the callouts read: Malware Infected Host, Target Hosts, Target Port (0x87 = 135).]
Slide 49: Direct access via CLI (Flexible NetFlow)
[Screenshot only]

Slide 50: Direct access via CLI (Flexible NetFlow) (continued)
[Screenshot only]
Slide 51: Flow-tools, ntop and other open source
FLOW-TOOLS
• Collection of small open source programs to post-process Cisco NetFlow compatible flows
• Written in C, designed to be fast and lean
• Allows for text-based reporting, storage, and analysis of flows
• Installation with “configure;make;make install” on most platforms (FreeBSD, Linux, Solaris, BSDi, NetBSD)
• Only supports NetFlow v1/5/7
http://www.splintered.net/sw/flow-tools
NTOP
• Lightweight, open-source, web-based flow reporting technology
• Similar to the Linux “top” utility but for network traffic rather than processes
• Installation with “configure;make;make install” on most platforms (FreeBSD, Linux, Solaris, BSDi, NetBSD)
• Support for NetFlow v1/5/7/9 and sFlow
http://www.ntop.org
Slide 52: ntop web-UI
[Screenshot only]
Slide 53: Enable NetFlow on your Linksys router!
[Screenshot only]
Slide 54: Flow-tools CLI
[Screenshot of flow-print output; the column callouts read: src interface, src IP, dst interface, dst IP, proto, pkts, octets, start and end times, src port, dst port, TCP flags (2 = SYN).]
Slide 55: ...other open source
Introduction to Cisco IOS NetFlow - A Technical Overview
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_white_paper0900aecd80406232.html
Slide 56: NetFlow Deduplication
[Diagram only]
Slide 57: Troubleshooting with NetFlow: An Example
The scenario:
• 8pm EDT, worker arrives at home and logs into the corporate VPN to finish up some work left over from the office earlier in the day.
• Worker forgets to log off the VPN.
• Worker’s wife sits down at the same computer and begins downloading season 2 of The Office in HD from iTunes.
• The corporate VPN Concentrator suffers under the load caused by the downloads (4Mbps max VPN throughput).
The result:
• Users on the west coast (5pm PDT) experience severely reduced performance and begin to complain.
Slides 58 to 66: Troubleshooting with NetFlow: An Example (continued)
[Screenshots of the flow drilldown for the scenario on slide 57]

Slides 67 to 68
[Screenshots only]
Slide 69: Flow-based Threat Detection
[Diagram: the StealthWatch Flow Collector feeds two detection approaches, flow-based pattern matching and behavior analysis.]
Slide 70: Threat Detection Method #1: Pattern Recognition
[Screenshot only]
Slide 71: Threat Detection Method #2: Behavior-based Analysis
[Screenshot only]
Slide 72: Threat Detection Method #3: Visualization
[Screenshot only]

Slide 73: Threat Detection Method #3: Visualization (continued)
[Screenshot only]
Slide 74: Threat Detection Method #3: Visualization (continued)
Scanning activity represented in a Peer vs. Peer diagram
[Screenshot only]
Slide 75
[Screenshot only]
Slide 76: FlowSensor Technology
[Diagram: a Catalyst 6500 (NetFlow Enabled) exports NetFlow directly to the NetFlow Collector; a Catalyst 3750 (No NetFlow) is monitored by a FlowSensor (NetFlow Enabled), which exports NetFlow on its behalf.]
Slide 77: FlowSensor AE
• Light-weight, cost-effective 1U network appliance
• Collects Ethernet frames and exports NetFlow v9
• Monitor up to (5) 3750s simultaneously
• Works with any NetFlow v9 capable flow collector
[Diagram: FlowSensor exporting NetFlow to the StealthWatch Flow Collector]

Model    Capacity   Disk     Interfaces   List Price
AE-500   200 Mbps   ** AVAILABLE Q3-2010 **
AE-1000  1 Gbps     73GB     3 or 5       $6,995
AE-2000  2.5 Gbps   160GB    3 or 5       $12,995
AE-3000  5.0 Gbps   ** AVAILABLE Q2-2010 **
Slide 78: FlowSensor VE (Virtual Edition)
• Lightweight, virtual appliance for VMware ESX 3.5 and 4.0
• Captures and records all VM2VM communications within the virtual network environment
[Diagram: the FlowSensor VE on a VMware Server exports NetFlow to the StealthWatch Flow Collector.]
Slide 79: 10G Monitoring with Stackable FlowSensors
[Diagram: a 10G Ethernet load balancer (“Ethernet loadbalancer vendors...”) splits the 10G feed into 2.5G slices (labelled 2.5G, 5.0G and 7.5G along the way) across several FlowSensor AE-2000 units, each handling 2.5G over 16x 1G interfaces; all of them export NetFlow to one StealthWatch Flow Collector.]
Slide 80: NetFlow for Breadth, Packets for Depth
[Diagram: flows from Traditional NetFlow, a FlowSensor AE and a FlowSensor VE on a VM Server all land in one view; labelled “Stealthwatch 5.10 Screenshot”.]
Slide 81: Works with any NetFlow v9 collector!
• 1,000,000 record cache size
  >> dynamically expands with increased load
[Screenshot labelled “Cisco Flexible NetFlow Equivalent:”]
Slide 82: Works Best with Lancope’s Collector
[Diagram: a SPAN feeds the StealthWatch FlowSensor, which exports records with these columns:]
SRCIP DSTIP PROTO DPORT SPORT PKTS BYTES RTT SRT ...
(sample row: TCP, 80, 5749, 73, 9,092, with RTT/SRT values of 65ms and 230ms)
RTT: round trip time across the network, same as “ping” output
SRT: time it takes the server to process a request
Slide 83: On a Related Note: World of Warcraft
[Screenshot of flow data; the callouts read: Grinding in Northrend, Wintergrasp, Various BGs.]
Slide 84: Thank You!
Flow-based technologies provide unrivaled scale and cost effectiveness in large enterprise environments.
NetFlow is not just for netops; its value extends across all IT, from compliance auditing to helpdesk support.
Enable NetFlow on as many devices as you can to maximize visibility; the more the better.
Consider CPU and memory impact but don’t dwell on it; it’s not as big a problem as you may think.
NetFlow is ideal for monitoring port-dense datacenters and large distributed WAN environments. No probes are required.