Our aim isn't to turn you into a secret agent working for some shadowy power, or to spy on every
little move your users make, but to give you a level of control over your network that lets you
move from a puzzled analysis (such as "Apparently on Monday morning we had a five-minute
network cut... What could have happened?") to a detailed statement ("Monday morning at
11:32 we had a network cut of 4 min 23 s because the computer bobby22.bigbiz.local, with the IP
192.168.23.234, opened over three hundred outbound connections, mainly towards the website
mongros.torrent.com, from which the user downloaded 4 GB of data").
Having had the opportunity to go and see the famous bobby22 with a printed chart showing his
transfers and the reason why the network collapsed, I can guarantee you that it is:
1. very funny (being the Edward Snowden of your own LAN is highly entertaining!)
2. very effective (the user knows that you know, which is a strong deterrent!)
3. proof that you control your network (which may be what you are paid to do?)
Remember too that pfSense can export NetFlow in several versions of the protocol (up to
version 9). Linux and the various BSD flavours can collect NetFlow, and so can VMware.
The pfSense side is the easiest part of the set-up: installing the package takes a few clicks
and it is done!
How to implement NetFlow on your network
We chose Linux for our NetFlow collector, more precisely an Ubuntu Server 12.04 LTS, which
gives us a collector with security patches for five years!
Once your Ubuntu 12.04 LTS is installed (do I need to say that it is a headless server on which
only SSH is enabled, with public-key authentication?), keep in mind that this collector will hold a
record of every flow that crossed your network: who talked to whom, when, on which ports and how
much. NetFlow records carry no packet payload, but that history alone is sensitive, so take the
necessary measures to lock this black box down!
You will, of course, have deployed this sensor in a management DMZ to isolate it as much as
possible, and access to it will be limited by appropriate firewall rules.
Installing flowviewer
We chose flow-tools, which provides the collector (flow-capture), and FlowViewer, which turns the
collected flows into graphs and reports. FlowViewer also requires Apache.
# apt-get install apache2 flowviewer flow-tools libgd-graph-perl rrdtool
You will then need to configure these packages appropriately.
For the collector we used the following setting:
# cat /etc/flow-tools/flow-capture.conf
# Configuration for flow-capture
#
-w /var/flows/chabanais -n 287 -N 3 0/10.20.50.1/3002
Here -n 287 tells flow-capture to rotate the capture file 287 times a day, i.e. 288 files of
five minutes each. -w gives the working directory, /var/flows/chabanais, in which they are stored.
-N 3 sets the storage layout, which will be of the form
YYYY/YYYY-MM/YYYY-MM-DD/flow-file.
Finally, the last argument, in the form local IP/remote IP/port, defines where the collector
listens: 0 means any local address, 10.20.50.1 is the only exporter (our pfSense router) whose
datagrams are accepted, and 3002 is the UDP port. Keep in mind that NetFlow is plain UDP with no
authentication: the remote-IP restriction filters on a source address that can be forged, so it
complements the firewall rules rather than replacing them.
After that you can start the collector and check that it is running correctly with:
# /etc/init.d/flow-capture start
# ps auxwww | grep flow-capture
root 1402 0.0 0.0 11796 1268 ? Ss Jul08 0:17 /usr/bin/flow-capture -w /var/flows/chabanais -n 287 -N 3 0/10.20.50.1/3002
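To make concrete what arrives on UDP port 3002 from 10.20.50.1 and what the collector does with it, here is an added example that is not code from the original article, from flow-tools or from pfSense. It builds NetFlow v5 datagrams (the fixed-layout version; pfSense can also export v9), decodes them on the collector side with the same sender restriction as the 0/10.20.50.1/3002 line above, and aggregates the records per source address to produce the "host X opened N outbound connections and moved M bytes" statement from the introduction. The exporter address 10.20.50.1 and the host 192.168.23.234 come from the article; the peer addresses, ports, byte counts and the spoofing sender 10.20.50.77 are constructed for the demonstration.

```python
# Added example, not code from the original article or from flow-tools/pfSense:
# a minimal NetFlow v5 decoder followed by the per-source aggregation behind a
# sentence such as "host X opened N outbound connections and moved M bytes".
# Every address, port and byte count below is constructed for the demonstration.
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Mirrors the 0/10.20.50.1/3002 line in flow-capture.conf: accept only this exporter.
EXPORTER = "10.20.50.1"

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes, at most 30 per datagram


def build_v5_packet(records, seq, uptime_ms=60_000, unix_secs=1_341_748_320):
    """Exporter side: pack (src, dst, sport, dport, proto, pkts, octets) tuples."""
    if len(records) > 30:
        raise ValueError("a v5 datagram carries at most 30 records")
    body = b"".join(
        V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                       1, 2, pkts, octets, uptime_ms, uptime_ms + 500,
                       sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets in records)
    header = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    return header + body


def parse_v5_packet(data, sender):
    """Collector side: reject foreign senders and malformed datagrams, decode the rest."""
    if sender != EXPORTER:
        raise ValueError(f"datagram from unexpected exporter {sender}")
    if len(data) < V5_HEADER.size:
        raise ValueError("truncated header")
    version, count, _uptime, _secs, _nsecs, seq, *_ = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > 30 or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "pkts": r[5], "octets": r[6], "sport": r[9], "dport": r[10],
                      "proto": r[13]})
    return seq, flows


def top_talkers(flows):
    """Per source address: outbound flows, bytes and distinct peers, busiest first."""
    agg = defaultdict(lambda: {"flows": 0, "octets": 0, "peers": set()})
    for f in flows:
        a = agg[f["src"]]
        a["flows"] += 1
        a["octets"] += f["octets"]
        a["peers"].add(f["dst"])
    return sorted(((src, a["flows"], a["octets"], len(a["peers"])) for src, a in agg.items()),
                  key=lambda t: t[2], reverse=True)


def analyse(datagrams):
    """Feed (sender, bytes) pairs through the decoder; track rejects and sequence gaps."""
    flows, rejected, gaps, expected_seq = [], 0, 0, None
    for sender, data in datagrams:
        try:
            seq, batch = parse_v5_packet(data, sender)
        except ValueError:
            rejected += 1
            continue
        if expected_seq is not None and seq != expected_seq:
            gaps += 1          # flow_sequence counts records, so a jump means lost datagrams
        expected_seq = seq + len(batch)
        flows.extend(batch)
    return {"top": top_talkers(flows), "accepted_flows": len(flows),
            "rejected": rejected, "gaps": gaps}


def sample_datagrams():
    """Constructed traffic: one LAN host hammering 35 peers on a BitTorrent port,
    two normal hosts, and one spoofed datagram from a non-exporter address."""
    torrent = [("192.168.23.234", f"203.0.113.{i}", 40000 + i, 6881, 6, 3000, 4_000_000)
               for i in range(1, 36)]
    normal = [("192.168.23.10", "192.0.2.10", 51000, 443, 6, 20, 18_000),
              ("192.168.23.11", "192.0.2.20", 51001, 80, 6, 10, 6_000)]
    spoof = [("192.168.23.10", "198.51.100.5", 51002, 443, 6, 1, 4_000_000_000)]
    return [
        (EXPORTER, build_v5_packet(torrent[:30], seq=0)),
        (EXPORTER, build_v5_packet(torrent[30:], seq=30)),
        ("10.20.50.77", build_v5_packet(spoof, seq=35)),   # not the exporter: dropped
        (EXPORTER, build_v5_packet(normal, seq=35)),
    ]


if __name__ == "__main__":
    report = analyse(sample_datagrams())
    for src, n_flows, octets, peers in report["top"]:
        print(f"{src:16} {n_flows:4} flows {octets / 1e6:9.1f} MB {peers:3} peers")
    print(f"rejected datagrams: {report['rejected']}, sequence gaps: {report['gaps']}")
```

Run as a script it prints 192.168.23.234 at the top of the list with 35 flows, 140 MB and 35 peers, and reports the one datagram dropped because it did not come from the exporter. Note that the sender check is the same one flow-capture applies and no stronger: a datagram whose source address is forged as 10.20.50.1 would be accepted, which is why the collector sits behind firewall rules in a management network. The flow_sequence check is worth keeping in real collectors, since NetFlow over UDP silently loses records under load and a gap count tells you how much of the picture is missing.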
Storing and analysing network flows with NetFlow is in many ways reserved for an elite of
system and network administrators who already have sufficient control over their environment
and want to go a step further by keeping a personal eye on the main events!
Once again, the open-source approach lets you choose good-quality products
without excessive licence costs!
Now that you have your pfSense router and a collector, you need to make proper use of the
stored data. We chose FlowViewer, which gives us a good analysis tool
and can be used for reporting on your network activity.
I will skip its set-up, which is the same as deploying an HTTP server with CGI enabled.
Once this program is set up you will have at your disposal a complete flow-analysis tool
capable of producing custom graphs or retrieving data according to your needs.
Here is the first page of the interface. Take care to define your pfSense router in the
FlowViewer configuration file; you will then be able to select it in the appropriate drop-down list.
Here is the kind of custom graph the tool can produce.
As you have just seen, it is extremely precise and very effective. There are many ways to set up
your probe and display the results you want...
If you do not wish to spend time setting up your own probe, we offer NetFlow probes ready
to be used on your network!