For Dummies
These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.
Publisher's Acknowledgments
Some of the people who helped bring this book to market include the following:
Acquisitions, Editorial, and Vertical Websites
- Project Editor: Jennifer Bingham
- Editorial Manager: Rev Mengle
- Business Development Representative: Melody Layne
- Custom Publishing Project Specialist: Michael Sullivan
Composition Services
- Senior Project Coordinator: Kristie Rees
- Layout and Graphics: Claudia Bell, Carl Byers, Lavonne Roberts
- Proofreader: Dwight Ramsey
- Special help: Angela Frechette Cannon
These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.
Introduction
Network flow records provide a valuable source of information for security analysts seeking to augment other controls and conduct forensic investigations. I hope that this short book will get you started with NetFlow for security and whet your appetite for more information about this widely available but underused technology.
Chapter 1
In This Chapter
- Understanding the basics of configuring NetFlow on commonly used devices
- Identifying the role that NetFlow information plays in a network security infrastructure

If you're not already leveraging NetFlow information in your security infrastructure, you're missing out on a tool that provides valuable network intelligence. In many cases, you already have the majority of the equipment you need to get started on your network! So why do many organizations fail to take advantage of this rich data source? In some cases, they simply haven't yet made the investment of time required to get NetFlow up and running properly. Other organizations may have tried using NetFlow data in the past and were frustrated by the insufficient analysis capabilities of outdated analysis tools. In this chapter, I explore the basics of NetFlow technology and the role it can play in your security infrastructure. I also cover the basic configuration required to get NetFlow up and running on your network.
What Is NetFlow?
NetFlow is a feature built into many network devices manufactured by Cisco, Juniper, Nortel, SonicWall, and others. It records basic information about every IP conversation that passes through the monitored device, including the IP addresses and ports of the systems involved, the time of the communication, and the amount of data transferred; it does not record the packet contents. You might think of NetFlow records as a phone bill for your network, as shown in Figure 1-1. It can't tell you what was said on your network, but it gives you a good idea who was talking, when, and how much they said. One caveat: on very high-speed links, exporters are often configured to sample packets (one in every N) to limit their own load, and a sampled export sees only a fraction of the flows. For security use, prefer unsampled export wherever the device can sustain it.
Figure 1-1: How NetFlow provides you with information similar to a phone bill. (Source: Lancope, Inc.)
Take a moment to think about the potential applications of these records. In addition to the obvious network diagnostic and maintenance uses of this data, NetFlow information can also be a critical tool for security analysts trying to identify anomalous activity or reconstruct the sequence of events when responding to an incident.
NetFlow versions
Cisco developed NetFlow as a proprietary feature of its routers, but the export format was implemented so widely by other vendors that it became a de facto standard, and the IETF later standardized its v9 design as IPFIX (RFC 7011). Over time, the format evolved through nine Cisco versions before culminating in IPFIX. The following table gives you a rundown on the different versions of NetFlow.

Version   Status
v1        Original version of NetFlow, now obsolete
v2-v4     Working versions that were never released
v5        Most commonly deployed version today; fixed record format, supports IPv4 only
v6        Working version that was never released
v7        Used only on some Cisco Catalyst switches
v8        Router-based aggregation schemes; never widely adopted
v9        Template-based, next-generation flow format that supports IPv6, MPLS and multicast
v10       IPFIX, the industry-standardized version of v9
NetFlow records provide a rich source of data for security analysts to mine. Some of the most commonly used data elements generated by NetFlow include:
- Source IP address
- Destination IP address
- Source port
- Destination port
- IP protocol (TCP, UDP, ICMP and so on)
- Timestamps for the flow start and conclusion
- Amount of data passed (packet and byte counts)
A v5 record also carries the input and output interface indexes and the union of the TCP flags seen on the flow. These are only a small sampling of the many data fields available to NetFlow analysts. Note that a flow record describes one direction of a conversation, so a single TCP session shows up as two records.
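As an added example (not code from the book or from Lancope), the following Python script parses a NetFlow v5 export datagram: the 24-byte header followed by 48-byte records, all big-endian, exactly as the published Cisco v5 format lays them out. The datagram it parses is constructed inline so the script runs offline; the addresses, counters and timestamps in it are made up. Because export runs over UDP, the script also shows how the header's flow sequence counter is used to notice datagrams that never arrived.

```python
"""Parse a NetFlow v5 export datagram into per-flow dictionaries.

Added example, not from the book. Field layout follows the published
NetFlow v5 format: 24-byte header, then `count` records of 48 bytes,
all fields big-endian. The sample datagram below is constructed.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, List

# Header: version, count, SysUptime(ms), unix_secs, unix_nsecs,
#         flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
#         First, Last, srcport, dstport, pad1, tcp_flags, prot, tos,
#         src_as, dst_as, src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


def parse_v5(datagram: bytes) -> List[Dict]:
    """Return one dict per flow record, with First/Last converted to epoch seconds."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_seq, _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header announces {count} records; datagram is truncated")
    # First/Last are router uptime in milliseconds; anchor them to the
    # export wall-clock so records from different exporters line up.
    boot_epoch = unix_secs + unix_nsecs / 1e9 - sys_uptime / 1000.0
    # Low 14 bits of sampling_interval hold the 1:N sampling rate (0 = unsampled).
    sample_rate = (sampling & 0x3FFF) or 1
    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, tos, src_as, dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "sequence": flow_seq + i,            # per-flow sequence number
            "src": str(IPv4Address(src)), "sport": sport,
            "dst": str(IPv4Address(dst)), "dport": dport,
            "nexthop": str(IPv4Address(nexthop)),
            "proto": proto, "tcp_flags": flags, "tos": tos,
            "in_if": in_if, "out_if": out_if, "src_as": src_as, "dst_as": dst_as,
            "packets": pkts * sample_rate,       # estimate: scale up if sampled
            "bytes": octets * sample_rate,
            "start": boot_epoch + first / 1000.0,
            "end": boot_epoch + last / 1000.0,
        })
    return flows


def flows_lost(prev_seq: int, prev_count: int, new_seq: int) -> int:
    """Flows missing between two consecutive datagrams from one exporter engine.

    flow_sequence counts flows exported so far, so the next datagram should
    start at prev_seq + prev_count. A positive gap means UDP export loss.
    """
    return new_seq - (prev_seq + prev_count)


def build_sample_datagram() -> bytes:
    """Constructed sample: both directions of one HTTPS session in one datagram."""
    def ip(s: str) -> int:
        return int(IPv4Address(s))
    # uptime 1h, exported at epoch 1_700_000_000, sequence 1000, unsampled
    header = V5_HEADER.pack(5, 2, 3_600_000, 1_700_000_000, 0, 1000, 0, 0, 0)
    client_to_server = V5_RECORD.pack(
        ip("10.1.1.5"), ip("203.0.113.9"), ip("10.1.1.1"), 1, 2,
        120, 9_600, 3_595_000, 3_599_500, 51234, 443, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    server_to_client = V5_RECORD.pack(
        ip("203.0.113.9"), ip("10.1.1.5"), ip("10.1.1.5"), 2, 1,
        98, 81_000, 3_595_010, 3_599_490, 443, 51234, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    return header + client_to_server + server_to_client


if __name__ == "__main__":
    for f in parse_v5(build_sample_datagram()):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto={f['proto']} "
              f"bytes={f['bytes']} flags=0x{f['tcp_flags']:02x} dur={f['end'] - f['start']:.1f}s")
    print("flows lost between datagrams 1000 and 1032:", flows_lost(1000, 2, 1032))
```

A collector built on this would track `flow_sequence` per (exporter address, engine_id) pair, since each engine keeps its own counter; a steady stream of positive gaps usually means the collector's UDP receive buffer is too small for the export rate rather than a network problem.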
Traditional NetFlow
Although NetFlow was originally created by Cisco for use on its routers and switches, the networking community quickly adopted the export format, and many manufacturers now support it. Some of the major platforms that allow direct export of flow records in NetFlow format include:
- Cisco routers and switches
- Cisco ASA firewalls
- Juniper routers and switches
- Citrix NetScaler
- BlueCoat PacketShaper
- Palo Alto next-generation firewalls
- Nortel Networks Ethernet Routing Switches
This is a small, representative list of the manufacturers and devices supporting NetFlow data collection. If you're using different devices on your network, consult with the manufacturer to determine whether they're NetFlow-compatible. If you're not running the current firmware on your network device, check whether upgrades are available. Many vendors added NetFlow support to their devices after the initial release, and a firmware upgrade may be all you need to get up and running.
NetFlow generation
In some cases, security analysts may not be able to gain access to NetFlow data from the organization's network devices. This might be because the devices aren't capable of generating NetFlow exports, network engineers are unwilling to provide access to those records, or concerns exist about the overhead introduced on the networking device. If this is the case in your organization, you may wish to consider the use of dedicated NetFlow exporters (flow sensors) that generate the same information from a copy of the traffic, sometimes enhanced with application performance metrics. These devices can be attached to the network in the following ways:
- Switch port analyzer (SPAN) session
- Mirror port
- Ethernet test access port (TAP)
- Installed as a virtual machine on a VMware ESX server
A SPAN or mirror port is the quickest to set up, but it is a low-priority output on the switch: when the monitored links carry more traffic than the SPAN port can forward, the switch silently drops the excess and the sensor's flow records under-count. A TAP copies every packet and is the better choice where complete records matter.
Configuring NetFlow
Generally speaking, it's easy to perform a basic NetFlow configuration on most supported devices. You'll need to configure the device to enable flow collection on the interfaces you want monitored and to direct the flow data to the NetFlow collector of your choice. In this section, I look at configuring NetFlow support on two commonly used devices: Cisco routers and Cisco Adaptive Security Appliances (ASAs).
You'll find detailed configuration instructions in the documentation for your network device, but rest assured, the process is just as simple on other platforms: enable flow collection on the interfaces you care about, point the export at your collector's address and UDP port, and then confirm on the collector that records are arriving from the device before you rely on them.
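The book's own router and ASA walkthroughs are not reproduced on this page, so here is an added configuration example (mine, not Lancope's and not a copy of Cisco's documentation) for the two devices this section names. It assumes a collector at 192.0.2.10 listening on UDP 2055, a router with a Loopback0 interface and a monitored interface GigabitEthernet0/0, and an ASA whose collector-facing interface is named inside; change these to match your network.

```text
! --- Cisco IOS router: traditional NetFlow with v9 export ---
ip flow-export version 9
ip flow-export destination 192.0.2.10 2055
ip flow-export source Loopback0
! Expire long-lived flows every minute so the collector sees them promptly
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress
!
! Verify: export target and packet counters, then the live flow cache
show ip flow export
show ip cache flow

! --- Cisco ASA: NetFlow Secure Event Logging (NSEL), v9 format ---
flow-export destination inside 192.0.2.10 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15
policy-map global_policy
 class class-default
  flow-export event-type all destination 192.0.2.10
! NSEL events duplicate the connection syslogs; turn those off to save CPU
logging flow-export-syslogs disable
!
show flow-export counters
```

Two cautions a practitioner will want: enabling both ingress and egress accounting on every interface of a router records each transit flow twice, so either enable one direction consistently or make sure your collector deduplicates; and ASA NSEL reports flow-create, flow-teardown and flow-denied events rather than periodic byte counters, so byte totals arrive at teardown and the records do not look like router NetFlow.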
Chapter 2
Security and networking professionals in a variety of industries are turning to NetFlow as a defensive tool against a variety of emerging security threats. The rapidly changing nature of the threat landscape and advances in information technology demand tools capable of adapting to new attacks. In this chapter, I look at the trends driving the adoption of NetFlow as a security tool.
Figure 2-1: (chart: a risk scale running from Low Risk to High Risk, with Automated Attacks and Industrialized Attacks toward the low end and APTs and Insider Threats at the high end.) The evolving threat landscape includes two very high risk items: advanced persistent threats and the threats posed by insiders. (Source: Lancope, Inc.)
Two threats warrant particular attention from security analysts: the advanced persistent threat (APT) and the insider threat.
The nature of APTs means that the carefully constructed perimeter security controls put in place by enterprise security professionals are simply insufficient. A persistent attacker using advanced techniques will likely find an opportunity to breach that perimeter and find a path onto the internal network. In this case, NetFlow data can play a critical role both in detecting the presence of an APT and in conducting post-incident forensic analysis. Signature-based tools can only flag what they have been told to look for; NetFlow-based security analysis instead baselines each host's normal communication patterns and flags deviations (new peers, unusual volumes, unusual times), which can reveal attack techniques that no signature yet describes and expose APT attackers early in the attack lifecycle, for example during internal reconnaissance or while data is being staged for exfiltration.
Insider threat
In many cases, the greatest risk to an organization's security comes not from far-away hackers but from trusted individuals with access to sensitive information. The federal government experienced this in 2010 when the alleged actions of a single Army intelligence analyst led to a massive disclosure of classified information on the WikiLeaks website. As with APTs, perimeter controls aren't effective against the insider threat, because those controls are designed to permit insiders access to sensitive information! NetFlow technology can identify signs of insider attacks in progress, such as internal or external data transfers that are unusually large for that host or that go to destinations it has never used before.
NetFlow technology plays an important role in identifying and reacting to the risks posed by mobile devices. As traffic to and from these devices traverses the internal network, NetFlow captures the patterns of their network behavior and can quickly alert security professionals to anomalous activity, without requiring an agent on devices the organization may not control. Few other monitoring technologies provide such broad coverage as quickly or at such low cost, because the collection points (the switches and routers the traffic already crosses) are in place.
Virtualization
Organizations are quickly embracing the use of virtualization technology to host many virtual servers on a single hardware platform. This provides many apparent benefits to the enterprise, including:
- Recapture of computing resources (CPU cycles, memory, storage) that would otherwise go unused.
- Reduced hardware footprint, allowing greater data center density.
- Smaller environmental impact, reducing carbon emissions.
Virtualization comes, however, with challenges for network security analysts. Communications between guest systems running on the same virtual host never touch a physical switch or cross a network wire. Instead, they are switched through a virtual switch that exists in the memory of the virtualization host. The communications taking place over virtual switches are difficult to protect with conventional security tools and are invisible to NetFlow exported from the physical network, unless the virtual switch itself can export flow records (some distributed virtual switches can). For this reason, many organizations are adopting NetFlow solutions that have specialized virtual network collectors, such as Lancope's StealthWatch FlowSensor VE (virtual edition). For more about this, see Chapter 3.
High-speed networking
Many organizations are moving to higher-speed networks in response to increased user demand for data-intensive applications. A network with 10Gbps segments can generate hundreds of thousands of new flows per second. This increase in bandwidth requires a scalable NetFlow analysis system capable of ingesting and analyzing that volume of records in real time. It also means you should check whether a high-speed exporter is sampling packets: sampling keeps the exporter's load manageable, but it loses the small, short flows (scans, beacons) that matter most for security.
MPLS environments
Multiprotocol Label Switching (MPLS) networks replace the traditional hub-and-spoke WAN with any-to-any connectivity between sites. Unlike a hub-and-spoke design, an MPLS network doesn't funnel site-to-site traffic through a central point where security analysts can attach a single monitoring device and capture everything. NetFlow architectures for MPLS networks must take this into account and use a series of flow sensors or exporters (typically the customer-edge routers at each site) placed in strategic positions throughout the enterprise network.
IPv6 deployment
The depletion of the remaining IPv4 address space is beginning to drive the long-anticipated adoption of IPv6 networking, especially in larger organizations. Enterprises with IPv6 networking in place, or planning such deployments in the near future, should be sure to select a NetFlow solution that accommodates IPv6 addressing. Note that NetFlow v5 records have no room for 128-bit addresses; IPv6 flows require exporters and collectors that support NetFlow v9 or IPFIX.
Chapter 3
an appropriate solution
NetFlow provides a valuable source of information about activity on your network in a consistent, standardized format supported by many networking and security vendors. Collecting data, however, is where the standardization stops. Many different systems provide the ability to collect and analyze NetFlow data, ranging from open-source packages with limited functionality to commercial systems with advanced analysis capabilities.
- Providing network engineers with a robust tool for troubleshooting network performance issues.
- Complying with regulatory requirements to retain network connection information.
As you consider various NetFlow collection and analysis platforms, keep your objectives front-of-mind and allow them to drive your product selection process.
Figure 3-1: (diagram: NetFlow exporters, either Cisco equipment or a StealthWatch FlowSensor and FlowSensor VE in areas without native NetFlow support, send flows to StealthWatch FlowCollectors, which store and analyze flows from up to 2,000 flow sources at up to 120,000 flows per second (fps), under a single management console.) Scalable NetFlow analysis platforms use three layers of devices: NetFlow exporters, flow collectors, and a management console. (Source: Lancope, Inc.)
NetFlow exporters
A wide variety of devices are capable of generating NetFlow data and exporting it to a flow collection system. There are three basic categories of NetFlow exporters:
- Routers, switches, and firewalls. Network infrastructure components are in a unique position to capture and export NetFlow information due to their central location in the network. In many cases, an organization's existing network infrastructure is already capable of generating NetFlow records and exporting them to a collection system.
- Dedicated flow sensors. NetFlow collection system vendors also offer passive flow sensors that may be connected to a network tap in a manner similar to an intrusion detection system. They then monitor traffic on the tap, generating flow records for each connection encountered.
- Virtual flow sensors. Specialized flow sensors operate in virtualized networking environments, monitoring the traffic passing through a virtual switch and exporting flow records to the collection system.
You can limit the amount of data exported by NetFlow devices using Cisco's Flexible NetFlow (FNF) technology. For more about this technology, see Chapter 6.
Flow collectors
Flow collectors are the workhorses of the NetFlow analysis system. They receive flow records from exporters and perform a number of critical tasks, including:
- Flow deduplication. In networks with multiple flow exporters, the same network connection may be captured multiple times. Flow collectors must watch for this and remove duplicate records before performing security analysis on the flows.
- Flow stitching. NetFlow generates unidirectional records, resulting in two different flow records for each network
- Behavioral analysis and pattern recognition. Security-oriented flow collectors will provide algorithms and mechanisms for analyzing flows to detect security threats.
- Flow storage. The flow collector will store weeks, months, perhaps even years' worth of flow data. The collector's flow database is used to perform detailed forensics and incident response.
The number of flow collectors you need will depend upon the amount of NetFlow data generated on your network. This is normally measured in flows per second. Chapter 6 discusses a technique for estimating your network's flow rate.
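The deduplication and stitching steps above are easy to describe and fiddly to get right, so here is an added example in Python (mine, not Lancope's collector code) that does both over constructed records: a core router and an edge firewall both report the same HTTPS session, in both directions, and the router alone reports a one-sided SSH attempt. Exporter names, addresses, timestamps and the one-second clock tolerance are all assumptions for the demo.

```python
"""Flow deduplication and stitching, as a flow collector does it.

Added example, not Lancope's implementation. Two exporters (a core router
and an edge firewall) both see the same packets, so each unidirectional
flow arrives twice; after deduplication the two directions of a TCP
session are stitched into one bidirectional conversation record.
All flow records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    exporter: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    start: float   # epoch seconds
    end: float
    packets: int
    octets: int


# Constructed records: one HTTPS session seen by both exporters (4 records),
# plus a one-sided SSH attempt seen only by the core router.
RECORDS = [
    Flow("core", "10.1.1.5", 51234, "203.0.113.9", 443, 6, 100.00, 104.50, 120, 9_600),
    Flow("edge", "10.1.1.5", 51234, "203.0.113.9", 443, 6, 100.02, 104.51, 120, 9_600),
    Flow("core", "203.0.113.9", 443, "10.1.1.5", 51234, 6, 100.01, 104.49, 98, 81_000),
    Flow("edge", "203.0.113.9", 443, "10.1.1.5", 51234, 6, 100.03, 104.50, 98, 81_000),
    Flow("core", "10.1.1.7", 40000, "10.1.1.5", 22, 6, 200.00, 200.00, 3, 180),
]


def dedupe(records: List[Flow], tolerance: float = 1.0) -> List[Flow]:
    """Collapse copies of one unidirectional flow reported by different exporters.

    Two records are the same flow when their 5-tuple matches and their start
    times fall within `tolerance` seconds (exporter clocks are never identical).
    The survivor keeps the earliest start, latest end and the largest counters,
    since an exporter that sampled or missed packets under-reports them.
    """
    kept: Dict[tuple, List[Flow]] = defaultdict(list)
    for r in sorted(records, key=lambda f: f.start):
        key = (r.src, r.sport, r.dst, r.dport, r.proto)
        bucket = kept[key]
        if bucket and abs(r.start - bucket[-1].start) <= tolerance:
            prev = bucket[-1]
            bucket[-1] = Flow(prev.exporter, *key, min(prev.start, r.start),
                              max(prev.end, r.end), max(prev.packets, r.packets),
                              max(prev.octets, r.octets))
        else:
            bucket.append(r)          # same 5-tuple but a later, distinct flow
    return [f for flows in kept.values() for f in flows]


def stitch(flows: List[Flow]) -> List[Dict]:
    """Pair the two directions of each conversation into one record.

    The side whose record starts first is treated as the client. A flow with
    no matching reverse record becomes a one-sided conversation, which is a
    signal in itself (blocked or unanswered connection attempts).
    """
    pairs: Dict[tuple, List[Flow]] = defaultdict(list)
    for f in flows:
        a, b = (f.src, f.sport), (f.dst, f.dport)
        pairs[(min(a, b), max(a, b), f.proto)].append(f)
    conversations = []
    for group in pairs.values():
        group.sort(key=lambda f: f.start)
        fwd = group[0]
        rev = group[1] if len(group) > 1 else None
        conversations.append({
            "client": fwd.src, "client_port": fwd.sport,
            "server": fwd.dst, "server_port": fwd.dport, "proto": fwd.proto,
            "client_bytes": fwd.octets, "server_bytes": rev.octets if rev else 0,
            "start": fwd.start, "end": max(f.end for f in group),
            "one_sided": rev is None,
        })
    return conversations


if __name__ == "__main__":
    for c in stitch(dedupe(RECORDS)):
        print(f"{c['client']}:{c['client_port']} -> {c['server']}:{c['server_port']} "
              f"out={c['client_bytes']} in={c['server_bytes']} one_sided={c['one_sided']}")
```

Picking the client by earliest start time is the usual heuristic when TCP flags are unavailable; when they are, the side that sent a SYN without ACK is a more reliable choice, and long-lived flows that an exporter split at its active timeout have to be merged by 5-tuple before stitching.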
Management console
In large networks, multiple flow collectors are needed to collect flows. When multiple collectors are used, a central management console is a must. The management console provides the day-to-day interface used by networking and security professionals to interact with and manage the NetFlow analysis platform. Management consoles typically offer a wide set of features, including:
- Dashboards providing analysts with quick overviews of network activity.
- Advanced analytic capabilities to visualize abnormal behavior.
- Alarms that immediately alert analysts when certain suspicious conditions occur.
- A management interface that allows the reconfiguration of the NetFlow analysis system.
- Management of the security policy across multiple collectors.
- Per-user access restrictions to the flow data.
Before selecting a system, be sure to give the management console a test drive. It's helpful to go back to your objectives and prepare a list of common tasks that you expect analysts will perform, and then walk through those tasks in the management console. There's nothing like hands-on experience to help you evaluate a product.
Security indexes
NetFlow analysis platforms have access to a large amount of data about anomalous connections, and analysts may struggle to identify the significant data that requires their immediate attention. One approach to this problem is the use of security indexes that summarize this data into easily prioritized scores.
Figure 3-2: (diagram: flows feed a per-host behavior model built from attributes such as number of concurrent flows, packets per second, bits per second, new flows created, number of SYNs sent, number of SYNs received, time of day, rate of connection resets, duration of the flow and over 80 other attributes, baselined separately for host groups such as Critical Servers, Exchange Servers, Web Servers and Marketing.) Network behavior analysis algorithms allow you to baseline normal behavior for a host and alert security analysts to future deviations from that baseline. (Source: Lancope, Inc.)
For example, Lancope's StealthWatch System provides three indexes for anomalous behavior:
- The Concern Index (CI) tracks hosts that appear to pose a threat to the integrity of your network.
- The Target Index (TI) tracks hosts that the system suspects may be the victims of suspicious activity.
- The File Sharing Index (FSI) monitors systems that appear to be engaged in peer-to-peer (P2P) file sharing activity.
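Both the insider-threat discussion in Chapter 2 (unusually large transfers, atypical destinations) and the baselining shown in Figure 3-2 come down to the same mechanism: learn what is normal for a host, then score deviations. The following Python is an added example of that mechanism, written by me and not Lancope's Concern Index algorithm. It uses two of the many attributes in the figure, daily outbound bytes and destination /24 prefixes, over constructed flow summaries; the hosts, addresses, byte counts, the 3-sigma threshold and the point values are all assumptions for the demo.

```python
"""Per-host behavioral baseline for outbound data volume and destinations.

Added example, not Lancope's Concern Index algorithm. For each internal host
the history of daily outbound byte totals gives a mean and standard
deviation, and the set of destination /24 prefixes it has used gives its
normal peer set. A day far above the mean, or traffic to a prefix the host
has never used, raises that host's score. All flow summaries are constructed.
"""
from collections import defaultdict
from ipaddress import ip_network
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed history: (day, src_host, dst_ip, bytes_out), external destinations only.
HISTORY: List[Tuple[int, str, str, int]] = []
for _day in range(1, 11):
    # Analyst workstation: 20-29 MB/day to the corporate proxy, slowly growing
    HISTORY.append((_day, "10.1.5.20", "203.0.113.25", 20_000_000 + (_day - 1) * 1_000_000))
    # Kiosk: a flat 5 MB/day to the same proxy
    HISTORY.append((_day, "10.1.5.21", "203.0.113.25", 5_000_000))

# Constructed activity for the day being scored: host -> [(dst_ip, bytes_out)]
TODAY = {
    "10.1.5.20": [("203.0.113.25", 22_000_000), ("198.51.100.7", 900_000_000)],
    "10.1.5.21": [("203.0.113.25", 5_200_000)],
}


def prefix(dst: str) -> str:
    """Generalize a destination address to its /24 so one new host in a known network is not 'new'."""
    return str(ip_network(f"{dst}/24", strict=False))


def build_baseline(history) -> Dict[str, dict]:
    """Summarize each host's history into mean/stdev of daily bytes and its usual prefixes."""
    per_day: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    prefixes: Dict[str, set] = defaultdict(set)
    for day, host, dst, nbytes in history:
        per_day[host][day] += nbytes
        prefixes[host].add(prefix(dst))
    baseline = {}
    for host, days in per_day.items():
        values = list(days.values())
        baseline[host] = {"mean": mean(values), "stdev": pstdev(values),
                          "prefixes": prefixes[host]}
    return baseline


def score_host(baseline, host: str, today, k: float = 3.0) -> Tuple[int, List[str]]:
    """Score 0-100 plus human-readable reasons for one host's day of outbound flows."""
    b = baseline.get(host)
    if b is None:
        return 50, ["no baseline: host has never sent outbound traffic before"]
    score, reasons = 0, []
    total = sum(n for _, n in today)
    # A perfectly flat history has stdev 0; floor the spread at 10% of the mean
    # so a small wobble on a quiet host does not become a huge z-score.
    spread = max(b["stdev"], 0.1 * b["mean"], 1.0)
    z = (total - b["mean"]) / spread
    if z > k:
        score += min(70, int(10 * z))
        reasons.append(f"outbound volume {total:,} bytes is {z:.1f} sigma above "
                       f"the baseline mean of {b['mean']:,.0f}")
    new_prefixes = {prefix(dst) for dst, _ in today} - b["prefixes"]
    if new_prefixes:
        score += 15 * len(new_prefixes)
        reasons.append(f"never-before-seen destination prefixes: {sorted(new_prefixes)}")
    return min(score, 100), reasons


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for host, flows in TODAY.items():
        score, reasons = score_host(baseline, host, flows)
        print(f"{host}: score {score}")
        for r in reasons:
            print("   ", r)
```

Two design points worth carrying into a real deployment: the baseline should be computed per host group (Figure 3-2's Exchange Servers and Web Servers have very different normal volumes), and a host's own anomalous days must be excluded from its future baseline, otherwise a slow exfiltration that grows a little each day trains the model to accept it.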
Security alarms
One of the most important features of a NetFlow analysis system is its capability to run unattended, freeing analysts to perform other tasks. This is done through the use of security alarms that may be triggered by violations of an organization's security policy or by significantly anomalous network behavior (see Figure 3-3).
Figure 3-3: With the StealthWatch Concern Index, administrators can easily determine which issues need to be dealt with first for optimum network protection. (Source: Lancope, Inc.)
A NetFlow system should be capable not only of generating alarms but also of triaging them by severity level. For example, the Lancope StealthWatch System uses a five-tier system that assigns different colors to alarms:
- Red: Critical severity
- Orange: Major severity
- Yellow: Minor severity
- Blue: Trivial severity
- Light blue: Informational
Analysts can use this color coding to quickly identify the security alarms that require immediate attention. Alarm information can also be exported from the system via syslog, SNMP traps, or e-mails sent to the network security analyst, which is how the alarms reach a SIEM or ticketing system.
Chapter 4
your network
In This Chapter
- Correlating NetFlow records with information from other systems
- Using NetFlow analysis techniques to gain situational awareness,

NetFlow records, combined with an effective analysis platform, can provide important capabilities to security analysts struggling to maintain visibility into a complex enterprise network. One of the most valuable characteristics of a NetFlow analysis platform is its ability to reduce the mean time to know (MTTK) for a security event: the time between something going wrong and an analyst knowing about it. In this chapter, I look at a number of the specific security applications of NetFlow data.
Figure 4-1: This screenshot from the StealthWatch Management Console demonstrates the consolidation of information from local and remote networks into a single view. (Source: Lancope, Inc.)
Identity awareness
Almost every security investigation that begins with NetFlow records at some point requires identifying the individual user and/or system involved in a communication. Unfortunately, generic NetFlow doesn't provide this information, because NetFlow exporters don't have access to information not found in the packets comprising the flow. Some NetFlow systems provide security analysts with the added ability to correlate identity information from other sources, such as the identity of an individual user retrieved from a Windows domain controller, proxy server, or VPN concentrator. Identity-aware NetFlow collectors bridge the gap between IP addresses and users. When you do this correlation yourself, remember that the mapping is only valid for the time the user held that address: match the flow's timestamps against the logon or DHCP lease window, not just the address.
Worm detection
Worms are an especially virulent form of malicious code that exploit network vulnerabilities to spread from system to system without user intervention. This often takes the form of infecting a host system and then using that system to scan the local network for other systems that might be vulnerable to attack. The worm then infects those vulnerable systems and continues its spread outward. This pattern of contact is easily modeled. One system (the original infection) begins scanning the network, contacting many other systems. Then a subset of those systems (the next round of victims) exhibit the same behavior. NetFlow analysis can identify these systems due to their unique pattern of anomalous activity (see Figure 4-2).
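The scan-then-spread pattern described above can be turned directly into detection logic over flow records. The following Python is an added example (mine, not Lancope's worm detection) that runs over constructed flows: it flags hosts whose fan-out to distinct destinations on one port exceeds a threshold inside a sliding window, then links a flagged host to the earlier scanner that touched it, giving the propagation chain. The addresses, the 20-target threshold and the 60-second window are assumptions for the demo.

```python
"""Worm-style scan and propagation detection from flow records.

Added example, not Lancope's algorithm. A worm shows up in flow data as a
host that contacts many distinct destinations on one port within a short
window (fan-out); a victim that then begins the same behaviour links into a
propagation chain. Flow tuples below are constructed: (time, src, dst, dport).
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Scanner = Tuple[float, int, Set[str]]   # (first scan time, port, distinct targets)


def find_scanners(flows, min_targets: int = 20, window: float = 60.0) -> Dict[str, Scanner]:
    """Hosts reaching >= min_targets distinct destinations on one port inside a sliding window.

    Distinct destinations are counted, not flows: a host retrying one peer
    fifty times is not scanning. The window slides over each host's flows in
    time order, so a slow scan spread over hours does not accumulate either.
    """
    by_key: Dict[Tuple[str, int], List[Tuple[float, str]]] = defaultdict(list)
    for t, src, dst, dport in flows:
        by_key[(src, dport)].append((t, dst))
    scanners: Dict[str, Scanner] = {}
    for (src, dport), events in by_key.items():
        if src in scanners:
            continue
        events.sort()
        in_window: Dict[str, int] = defaultdict(int)
        left = 0
        for t, dst in events:
            in_window[dst] += 1
            while events[left][0] < t - window:       # drop events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                scanners[src] = (events[left][0], dport, set(in_window))
                break
    return scanners


def propagation_chains(scanners: Dict[str, Scanner]) -> List[Tuple[str, str, int]]:
    """(parent, child, port) edges: child was among parent's targets before child began scanning."""
    edges = []
    for child, (t_child, port, _) in scanners.items():
        for parent, (t_parent, _, targets) in scanners.items():
            if parent != child and child in targets and t_parent < t_child:
                edges.append((parent, child, port))
    return sorted(edges)


def build_sample_flows() -> List[Tuple[float, str, str, int]]:
    """Constructed flows: patient zero, one infected victim, a busy server, a retrying host."""
    flows = []
    # Patient zero sweeps 10.1.1.10-10.1.1.40 on TCP 445, one host per second
    for i in range(10, 41):
        flows.append((float(i - 10), "10.1.1.5", f"10.1.1.{i}", 445))
    # One victim starts the same sweep against the next subnet a minute later
    for j in range(1, 31):
        flows.append((60.0 + j, "10.1.1.20", f"10.1.2.{j}", 445))
    # A web server legitimately answering five clients: well under the threshold
    for k in range(1, 6):
        flows.append((30.0 + k, "10.1.1.99", f"10.1.3.{k}", 443))
    # A host retrying one unreachable peer many times: many flows, one target
    for n in range(40):
        flows.append((float(n), "10.1.1.50", "10.1.1.200", 445))
    return flows


if __name__ == "__main__":
    found = find_scanners(build_sample_flows())
    for host, (t0, port, targets) in found.items():
        print(f"{host} scanned {len(targets)} hosts on port {port} starting at t={t0:.0f}s")
    for parent, child, port in propagation_chains(found):
        print(f"propagation: {parent} -> {child} (port {port})")
```

With TCP flags or the one-sided conversations from flow stitching available, the fan-out count can be restricted to failed connections (SYN with no reply), which cuts false positives from legitimately chatty hosts such as monitoring servers and vulnerability scanners; those should also be whitelisted explicitly.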
Botnet detection
Many attackers maintain networks of compromised systems used to conduct other malicious activity, such as waging distributed denial of service attacks. These networks, known as botnets (short for robot networks), often lie dormant for long periods of time until activated by the attacker (or botmaster).
Figure 4-2: Advanced flow collection and analysis systems can help users easily track the spread of malware throughout their infrastructure for fast mitigation. (Source: Lancope, Inc.)
NetFlow offers security analysts the ability to detect systems on your network that may be members of a botnet and, therefore, under the control of an external party. One of the easiest ways to detect botnet activity is to look for systems communicating with known command-and-control servers used by botmasters to control their botnets. IP reputation lists such as ZeuS Tracker (https://zeustracker.abuse.ch) can be integrated into the StealthWatch FlowCollector for easy detection of botnet activity within the network. IP addresses from the ZeuS Tracker list are automatically pushed into the collector and matched against the IP addresses found within the incoming flows. When an internal host attempts to communicate with a botnet command-and-control server, the flows are flagged and brought to the security administrator's attention. (The ZeuS Tracker feed has since been retired by abuse.ch; the technique works the same way with whichever current reputation feed you subscribe to.) Because flow records are retained, a newly published command-and-control address can also be checked against past flows to find hosts that contacted it before it was known.
Application awareness
In years past, security analysts were normally able to rely on destination port numbers in flow records to indicate the application in use during a particular connection. An example would include communications taking place on port 80, which normally consists of HTTP traffic.
However, the ability of HTTP traffic to pass through almost all firewalls made it an easy target for application developers seeking a way to tunnel traffic through an organization's perimeter. Port 80 is now used for VPN connections, videoconferencing, instant messaging, gaming, VoIP calls, and many other applications. NetFlow v9 and IPFIX use template-defined records, so an exporter that can classify traffic can include an application identifier field alongside the port number in each flow record. A few examples of application-aware NetFlow exporters include Palo Alto firewalls, Lancope's FlowSensor NetFlow generator, BlueCoat's PacketShaper, and Cisco IOS 15.1 and above (via the Network-Based Application Recognition feature set). Well-intentioned application developers aren't the only ones aware of this trick. Malicious code authors often use port 80 (and 443) to tunnel command-and-control traffic through enterprise firewalls. Some advanced NetFlow analysis systems have the ability to peer inside network traffic and perform deeper inspection, identifying the particular application in use for each session and including that information in the retained flow data.
Chapter 5
In This Chapter
- Using StealthWatch's reporting capabilities to generate the data
- Grouping related hosts in relational maps to gain additional insight

In this chapter, I look at several ways that Lancope's StealthWatch System enables security administrators to view NetFlow data.
Leveraging Dashboards
Reviewing a NetFlow security dashboard should be every security analyst's first step in the morning. The dashboard allows you to assess the health and security of your network at a single glance, immediately identifying issues that might require further investigation (refer to Figure 4-1 for a visual). Dashboards aren't just for analysts! You might consider using the security dashboard to provide managers and executives with a view into your security posture. The Lancope StealthWatch Management Console provides a dashboard view. This dashboard includes the following information:
- Top Internet destinations
- Top internal talkers
- Top suspicious internal hosts
- Geographic activity map
- Relational activity map
- Average round trip time
- Total traffic to the Internet
When viewing the dashboard, you might notice, for example, that an unusual host appears on your top talkers list (as illustrated in Figure 5-1). A security analyst could then drill into that traffic to conduct a follow-up investigation and determine whether it was legitimate or might indicate a security incident.
Figure 5-1: When fully leveraged, NetFlow can provide complete visibility across the entire network, along with the ability to drill down into specific communications for more effective troubleshooting. (Source: Lancope, Inc.)
Point-of-View technology
You've probably realized by this point that StealthWatch provides a wealth of information valuable to both security and networking professionals. Different technical professionals have different needs from the system, and Lancope's Point-of-View technology helps accommodate these diverse needs. Point-of-View provides security and networking professionals with different views when they access the StealthWatch console. Security professionals will see information about violations of your organization's defined policies and potential malware infections on your network. Network professionals, on the other hand, will get technical detail on router statistics, traffic trends, and the most active hosts, for example.
Figure 5-2: The StealthWatch Management Console provides administrators with a number of preconfigured reports, including a timebased view of traffic by protocol. (Source: Lancope, Inc.)
Figure 5-3: StealthWatch offers map-based views of network activity, grouping related systems by function. (Source: Lancope, Inc.)
In some cases, grouping flows by geographic location can help provide insight into activity. Figure 5-4 shows an example of this type of report, using StealthWatch's ability to superimpose a flow map over an actual map to aid in analysis.
Figure 5-4: StealthWatch also allows the grouping of systems by location and permits you to superimpose that information on an actual map. (Source: Lancope, Inc.)
Chapter 6
As you begin to design and deploy a NetFlow analysis solution for your organization, it's helpful to understand some of the industry best practices that can make your environment more productive. In this chapter, I look at a few of these best practices.
Figure 6-1: Determining the number of flows per second on a Cisco device using traditional NetFlow. (Source: Lancope, Inc.)
Chapter 7
NetFlow has come a long way over recent years. Previous beliefs about it being a complicated, resource-intensive technology have faded, and many organizations are embracing its unique capabilities to achieve a number of network and security management goals.
Available from existing routers and switches, NetFlow provides an extremely cost-effective tool for maintaining secure, high-performance infrastructures. This chapter discusses the top ten reasons enterprises are turning to NetFlow to improve their networks and overall security posture.
Reducing MTTK
The use of NetFlow data can significantly streamline network and security troubleshooting, reducing MTTK from hours or days to just minutes. Faster troubleshooting means less damaging and costly downtime for enterprises.