morning presetnation

8/7/2019 Morning presetnation

1/29

NetFlow 101 Boot Camp March 18, 2010

Slide 1

1

Introduction to Ciscos

NetFlow Technology

Adam Powers, CTO

NetFlow 101 Seminar, 2010

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 2

Agenda

2

Introduction to NetFlowhow it works, what it is

Why is NetFlow so popular?NetFlow costs less and works better

Configuring and Working with NetFlowa glimpse into the power of NetFlow

Threat Detection Methodsusing flows to detect malware

FlowSensor Technologygenerate NetFlow v9 from a SPAN

Cisco Flexible NetFlow Labset up and work with NetFlow

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 3

Lancope NetFlow Ninjas Blog

3

http://netflowninjas.typepad.com

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


2/29


Slide 4

4

Introduction to NetFlow

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 5

Network Flow Collection

5

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 6

NetFlow Packet Header

StealthWatchFlow Collector

The Life of a Flow

Cisco Router

6

google.com 10.1.1.1

6

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


3/29


Slide 7

Flow Collection Methods

Traditional NetFlow Provides router interface statistics Very easy to deploy; available for

free almost anywhere Cisco

equipment is found No packet-level visibility or

response time information FlowSensor Appliance Edition (AE)

Enables flow monitoring wheretraditional NetFlow is notavailable

Provides flow performanceinformation such as round-triptime and server response time

Requires SPAN port or Ethernettap

FlowSensor Virtual Edition (VE) Installs into VMware ESX to

monitor VM2VM communications


NetFlow

CiscoCatalyst

6500

7

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 8

Wide Support for NetFlow

8

Nortel Networks

Cisco 3900

Juniper Networks

Cisco 800

Huawei Quidway

Cisco 2900

Cisco 1900

Cisco 7200 VXR

Cisco Nexus7000

Cisco XR 12000

Cisco 2800

Cisco 7600

Cisco 1700

Cisco Catalyst 6500

Cisco 3750

Not Supported

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 9

Wide Support for NetFlow

9

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


4/29


Slide 10



free almost anywhere Cisco

equipment is found No packet-level visibility or

response time information FlowSensor Appliance Edition (AE)

Enables flow monitoring wheretraditional NetFlow is notavailable





NetFlow

FlowSensorAE


SPAN port

tap

10

+ latencystatistics

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 11



free almost anywhere Ciscoequipment is found

No packet-level visibility orresponse time information

FlowSensor Appliance Edition (AE) Enables flow monitoring where

traditional NetFlow is notavailable





VM VM VMvirtualmachineguests

VMware ESX 3.5/4.0

Host

virtualswitches

VM2VM

physicalnetwor

k

packetcapture

NetFlow


11

+ VMinformation

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 12

NetFlow v5 (most common)

12

* fixed format, cannot be extended to include newfields

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


5/29


Slide 13

NetFlow v9 (newer and more powerful)

13

* 160+ fields to choose from including payloadsections

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 14

NetFlow v9 NBAR support!

14

Network-Based Application Recognition beingintegrated with NetFlow in Cisco IOS-based

products

** available Q4 2009 from Lancope

Over 600 applications supported....

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 15

15

Why is NetFlow so popular?

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


6/29


Slide 16

NetFlow for the Network Team

NetFlow Packet

flow1

flow2...

Network TeamInterface utilization

Billing and chargebackQOS monitoring

BGP ASN monitoringMPLS visibility

Application troubleshooting

Security TeamFile sharing

Malware outbreak detectionNetwork acceptable use

Flow forensicsData loss prevention

StealthWatch

Flow Collector

Compliance and AuditingPCI Compliance

HIPAA ComplianceSCADA SecuritySarbanes-Oxley

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 17

NetFlow Compliance and Auditing

NetFlow Packet

flow1

flow2

...











___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 18

NetFlow for the Security Team

NetFlow Packet

flow1

flow2

...











___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


7/29


Slide 19

NetFlow vs. SNMP

19

SNMP

NetFlow

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 20

20

NetFlow Reporting and Drilldown

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 21

Visibility Lost Due to Emerging Tech

Emerging network technologies are outpacing traditionalnetwork monitoring techniques such as SNMP and SPAN/tap-based technology...

Virtualization hides whole networksegments from the network managersview, making VM2VM communicationproblems difficult to troubleshoot

MPLS and multi-point VPNs createa meshed WAN thats expensive to

monitor adequately

10G Ethernetis so fast few probetechnologies can keep up and thosethat can are too expensive

These issues result in an inability to react to network problemsbecause of a basic lack of .

21

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


8/29


Slide 22

10G+ Ethernet

10G Ethernet is so fast few probe technologies can keep up and thosethat can are too expensive

22

traditionalEthernetsensor

Whereto plug

in?

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 23

NetFlow in a 10G+ Ethernet Environment

10G Ethernet is so fast few probe technologies can keep up and thosethat can are extremely expensive

23


___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 24

Virtualization

Virtualization hides whole network segments from the networkmanagers view, making VM2VM communication problems difficult totroubleshoot

VM1 VM2 VM3

virtual

switches

virtual

machines

physical machine

physicalnetwork

traditionalEthernet probe

VM2VM

24

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


9/29


Slide 25

VM VM VM virtualmachines

VM Server

virtualswitches

VM2VM

physicalnetwork

promisccapture

NetFlow v9

NetFlow in the Virtual Environment

*** Cisco Nexus 1000v also supports NetFlow***

25


___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 26

MPLS and Multi-point VPNs

MPLS and multi-point VPNs create a meshed WAN thatsexpensive to monitor adequately

traditionalEthernetsensor

26

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 27


Fully meshed connectivity circumvents network monitoring deployed atthe hub location

27

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


10/29


Slide 28


Full visibility requires a probe at each location throughout the WAN

28

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 29

NetFlow Collection in the WAN

NetFlow Packet

NetFlow Packet

Deploy a StealthWatch NetFlow collector at a central location andenable NetFlow at each remote site

29


___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 30

Quick Recap

Virtualization hides whole networksegments from the network managersview, making VM2VM communicationproblems difficult to troubleshoot

MPLS and multi-point VPNs createa meshed WAN thats expensive to

monitor adequately

10G Ethernetis so fast few probetechnologies can keep up and thosethat can are too expensive

30

network speed has no effecton NetFlow

enable NetFlow at each remotelocation for WAN visibility

invest in Nexus 100v orFlowSensortechnology

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


11/29


Slide 31

31

Configuring and Working

with NetFlow

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 32

Flow Replication

32

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 33

Flow Replication Modes

33

Unicast Mode

Promiscuous Mode

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


12/29


Slide 34

Flow Replication: UDP Samplicator

34

http://freshmeat.net/projects/samplicator/

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 35

Active vs. Inactive Timeouts

Active Timeout

configures longest amount of time a flow can stay in the cache regardlessof activity

Recommend 1 minute

All exporters should have similar active timeouts

Cisco default of 30 minutes is far too longInactive Timeout

configures how long a flow can be inactive before it is expired from thecache

Recommend 15 seconds (which is also the IOS default)

All exporters should have similar inactive timeouts

35

Cisco Router

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 36

Configuring NetFlow Traditional Method

Configure ActiveTimeout

Enable NetFlow foreach interface on therouter(also: ip flow ingress)

Specify a destinationfor the flows

36

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


13/29


Slide 37

Configuring NetFlow Flexible NetFlow (FnF)

37

Tells routerwhich fields toextract fromflows

match is keyfield

collect is non-key

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 38


38

Configure exporter Tells the router where to

send the flows.

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 39


39

Configure monitor Sets up the cache timeouts and

type

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


14/29


Slide 40


40

Enable NetFlow on each interface Reference the monitor

command in the interface config

http://netflowninjas.typepad.com/blog/2009/08/index.html

Blog entry describing FnF in detail...

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 41

41

Lab Exercise #1, #2

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 42

Ingress vs. Egress NetFlow

42

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


15/29


Slide 43

NetFlow on the Catalyst 6500

43

(Sup)

(MSFC) NetFlow

NetFlow

Catalyst 6500

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 44

http://www.cisco.com/en/US/tech/tk812/technologies_white_paper0900aecd802a0eb9.shtml

Cisco Whitepaper: NetFlow Performance Analysis

http://lancope.com/netflowcalculator.aspx

Lancope NetFlow Bandwidth Calculator

Helpful Links re: CPU and bandwidth consumption from NetFlow

44

1200 flows per second for each 250Mbps oftraffic. That's about 680Kbps of NetFlow v5traffic arriving at the collectorper 250Mbps oftraffic seen by the exporter.

Fully loaded ISR running software IOS ~15%CPU uptick resulting from NetFlow enablement.

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 45

Viewing NetFlow bps rate per exporter

45

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


16/29


17/29


Slide 49

Direct access via CLI (Flexible NetFlow)

49

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 50

Direct access via CLI (Flexible NetFlow)

50

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 51

Flow-tools, ntop and other open source

FLOW-TOOLS Collection of small open source programs to post process Cisco NetFlow

compatible flows Written in C, designed to be fast and lean Allows for text-based reporting, storage, and analysis of flows Installation with configure;make;make install on most platforms

(FreeBSD, Linux, Solaris, BSDi, NetBSD) Only supports NetFlow v1/5/7

http://www.splintered.net/sw/flow-tools

NTOP Lightweight, open-source, web-based flow reporting technology Similar to the Linux top utility but for network traffic rather than

processes Installation with configure;make;make install on most platforms

(FreeBSD, Linux, Solaris, BSDi, NetBSD) Support for NetFlow v1/5/7/9 and sFlow

htt ://www nto or51

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


18/29


Slide 52

ntop web-UI

52

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 53

Enable NetFlow on your Linksys router!

53

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 54

Flow-tools CLI

start andend times

srcIP

srcport

dstinterface

srcinterface

dstIP

dstport

proto

TCPflags

(2=SYN)

pkts octets

54

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


19/29


Slide 55

...other open source

55

Introduction to Cisco IOS NetFlow - A Technical Overviewhttp://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_white_paper0900aecd80406232.html

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 56

NetFlow Deduplication

56

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 57

Troubleshooting with NetFlow: An Example

The scenario: 8pm EDT, worker arrives at home

and logs into the corporate VPN tofinish up some work left over fromthe office earlier in the day.

Worker forgets to logoff the VPN.

Workers wife sits down at thesame computer and begins

downloading season 2 ofThe Officein HD from iTunes The corporate VPN Concentrator

suffers under the load causedby the downloads(4Mbps max VPN throughput)

The result: Users on the west coast (5pm PDT)

experience severe reducedperformance and begin tocom lain.57

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


20/29


21/29


Slide 61


61

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 62


62

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 63


63

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


22/29


Slide 64


64

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 65


65

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 66


66

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


23/29


Slide 67

67

Threat Detection Methodologies

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 68

68

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 69

Flow-based Threat Detection

69


F low-based Pattern Matching B ehavior Analysis

69

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


24/29


Slide 70

Threat Detection Method #1:

Pattern Recognition

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 71

Threat Detection Method #2:

Behavior-based Analysis

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 72

Threat Detection Method #3: Visualization

72

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


25/29


Slide 73


73

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 74


Scanning activityrepresented in a

Peer vs. Peerdiagram

74

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 75

75

FlowSensor Technology

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


26/29


Slide 76

FlowSensor Technology

Catalyst 6500(NetFlow Enabled)

Catalyst 3750(No NetFlow)

NetFlowCollector

NetFlow

FlowSensor(NetFlow Enabled)

NetFlow

76

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 77

FlowSensor AE

FlowSensor

Model Capacity Disk Interfaces List Price

AE-500 200 Mbps ** AVAILABLE Q3-2010 **

AE-1000 1 Gbps 73GB 3 or 5 $6,995

AE-2000 2.5 Gbps 160GB 3 or 5 $12,995

AE-3000 5.0 Gbps ** AVAILABLE Q2-2010 **

Light-weight, cost-effective 1Unetworkappliance

Collects Ethernet frames andexports NetFlow v9

Monitor up to (5) 3750ssimultaneously

Works withany NetFlow v9 capable flowcollector


NetFlow

77

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 78


FlowSensor VE (Virtual Edition)

Captures and records all VM2VM communications

within the virtual network environment

VMware Server

Lightweight, virtual appliance for VMware ESX 3.5 and

4.0

Exports NetFlow v9 from within the VMware ESX host

FREE to download and try

(visit lancope.com to register and download)

NetFlow

78

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


27/29


Slide 79

10G Monitoring with Stackable FlowSensors

5.0G

FlowSensorAE-2000

2.5G

Ethernet loadbalancervendors...

16x 1G


FlowSensorAE-2000

2.5G

2.5G

7.5G

10G

NetFlow

FlowSensorAE-2000

2.5G

79

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 80

NetFlow for Breadth, Packets for Depth

TraditionalNetFlow

VM Server

Flows

Stealthwatch 5.10 Screenshot

Router Info

FlowSensor AE FlowSensor VE

VM InfoLatency Info

80

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 81

Works with any NetFlow v9 collector!

!flow record l ancope_templatematch ipv4 tosmatch ipv4 protocolmatch ipv4 source addressmatch ipv4 destination addressmatch transport source-portmatch transport destination-portmatch interface input

collect ipv4 dscpcollect ipv4 ttl minimumcollect ipv4 ttl maximumcollect ipv4 section header size 60collect transport tcp flagscollect interface outputcollect counter bytescollect counter packetscollect timestamp sys-uptime firstcollect timestamp sys-uptime last

!

1,000,000 record cache size>> dynamically expands with increased load

60 second active timeout,15 second inactive>> follows Cisco IOS rules for aging

Very similar to Ciscos NetFlow v9>> see equivalent IOS config at right

IPv6 aware>> your collector much be IPv6 capable

VLAN aware>> export VLAN tags in NetFlow

Cisco Flexible NetFlow Equivalent:

81

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


28/29


Slide 82

Works Best with Lancopes Collector

SRCIP DSTIP PROTO DPORT SPORT PKTS BYTES RTT SRT . ..

TCP 80 5749 73 9,092 65ms 230ms ...

TCP 5749 80 103 78,020 65ms230m

s ...

StealthWatchFlowSensor

SPAN

RTTround trip time across the networksame as ping outputSRTtime it takes the serverto process a request

82

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 83

On a Related Note: World of Warcraft

Wintergrasp

Various BGs

Grinding inNorthrend

83

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________

Slide 84

84

Thank You!

Flow-based technologies provide unrivaled scale andcost effectiveness in large enterprise environments

NetFlow is not just for netops, its value extendsacross all IT from compliance auditing to helpdesksupport

Enable NetFlow on as many devices as you can to

maximize visibility, the more the better Consider CPU and memory impact but dont dwell

on it, its not as big a problem as you may think NetFlow is ideal for monitoring port dense

datacenters and large distributed WANenvironments. No probes are required.

___________________________

___________________________

___________________________

___________________________

___________________________

___________________________


29/29


morning presetnation

Documents