How do I configure NetFlow on my Cisco 6509 Catalyst?

Posted in General, Network Traffic Analysis, Scrutinizer on January 30th, 2009 by nathanh

For some reason, this week I've been bombarded with questions about configuring the 6509 Catalyst for NetFlow.

Because the 6509 is a switch/router hybrid, its NetFlow configuration differs a little from that of standard Cisco router models such as the 2811, but not by much.

I would also recommend Cisco's own documentation on configuring the 6509 Catalyst for NetFlow.

With most Cisco routers there are two sets of commands used to enable NetFlow; on the 6509 there are technically three.

The first set enables NetFlow on the routing side of the 6509 (the MSFC) and tells it where to export:

ip flow-export source (insert interface name here)
ip flow-export version 5
ip flow-export destination (netflow collector ip address) (port to export flows to)
ip flow ingress layer2-switched vlan (insert vlans X,Y,Z) <---- this enables flows for bridged (Layer 2 switched) traffic on those VLANs
ip flow-cache timeout active 1

The export source should be an interface whose address the collector will list the device under (a loopback is the usual choice). The active timeout of 1 minute makes the router export a record for long-lived flows every minute instead of waiting for them to end; the default is 30 minutes, which leaves the collector's graphs badly lagging.

Once those are in place, configure NetFlow Data Export (NDE) for the hardware-switched traffic on the PFC:

mls nde sender version 5
mls flow ip interface-full
mls nde interface
mls aging long 64
mls aging normal 64

Keep the NDE version the same as the ip flow-export version so the collector receives a single format. mls flow ip interface-full sets the flow mask so each record carries the full source/destination address and port tuple plus the interface, mls nde interface includes the interface fields in the exported records, and the two mls aging commands shorten the hardware flow cache aging timers to 64 seconds so entries are exported promptly rather than sitting in the cache.

After you have configured these globals, enable NetFlow on each interface you want flows from:

ip route-cache flow
ip flow ingress

I have discussed the usage of ip route-cache flow and ip flow ingress before (the post further down this page covers which one to use), so take a look there for more details.
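To check what the collector actually receives once ip flow-export version 5 is in place, here is an added example (my own code, not Plixer's or Cisco's) that decodes a NetFlow v5 datagram: the 24-byte header and the fixed 48-byte records, with the length and count checks a collector should make before trusting the fields. The build_v5 encoder is only there to construct a sample datagram offline; the addresses, ifIndex values and counters in it are made up, and export_bits_per_second gives the wire volume that the NetFlow Calculator post further down this page estimates.

```python
"""Decode the NetFlow v5 export that 'ip flow-export version 5' produces.

Added example, not Plixer's or Cisco's code.  A v5 datagram is a 24-byte
header followed by up to 30 fixed 48-byte flow records.  build_v5 exists
only to construct an offline test datagram; a real collector receives the
bytes on the UDP port named in 'ip flow-export destination'.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
MAX_RECORDS = 30                                        # v5 limit per datagram
IP_UDP_OVERHEAD = 28                                    # IPv4 + UDP headers


@dataclass
class FlowRecord:
    src: str
    dst: str
    next_hop: str
    input_if: int      # SNMP ifIndex the flow arrived on
    output_if: int     # SNMP ifIndex it was forwarded out of (0 if none)
    packets: int
    octets: int
    first_ms: int      # sysUptime at the first and last packet of the flow
    last_ms: int
    src_port: int
    dst_port: int      # for ICMP: type * 256 + code
    tcp_flags: int     # OR of all TCP flags seen in the flow
    proto: int
    tos: int


def parse_v5(datagram: bytes) -> Tuple[Dict[str, int], List[FlowRecord]]:
    """Return (header, records); raise ValueError on anything malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a v5 header")
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > MAX_RECORDS:
        raise ValueError(f"count {count} exceeds the v5 maximum of {MAX_RECORDS}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"{count} records need {expected} bytes, got {len(datagram)}")
    header = {
        "count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
        "unix_nsecs": nsecs, "flow_sequence": seq,
        "engine_type": engine_type, "engine_id": engine_id,
        # top 2 bits are the sampling mode, low 14 bits the 1-in-N interval
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, nh, in_if, out_if, pkts, octs, first, last, sport, dport,
         _pad1, flags, proto, tos, _src_as, _dst_as, _src_mask, _dst_mask,
         _pad2) = V5_RECORD.unpack_from(datagram, off)
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                  socket.inet_ntoa(nh), in_if, out_if, pkts, octs,
                                  first, last, sport, dport, flags, proto, tos))
    return header, records


def build_v5(records: List[FlowRecord], uptime_ms: int, unix_secs: int,
             flow_sequence: int = 0) -> bytes:
    """Encode records the way an exporter does (used to construct test input)."""
    if len(records) > MAX_RECORDS:
        raise ValueError("a v5 datagram carries at most 30 records")
    out = bytearray(V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0,
                                   flow_sequence, 0, 0, 0))
    for r in records:
        out += V5_RECORD.pack(socket.inet_aton(r.src), socket.inet_aton(r.dst),
                              socket.inet_aton(r.next_hop), r.input_if, r.output_if,
                              r.packets, r.octets, r.first_ms, r.last_ms,
                              r.src_port, r.dst_port, 0, r.tcp_flags, r.proto,
                              r.tos, 0, 0, 0, 0, 0)
    return bytes(out)


def export_bits_per_second(flows_per_second: float) -> float:
    """Wire rate of v5 export for a flow rate, assuming full 30-record datagrams."""
    datagram_bytes = V5_HEADER.size + MAX_RECORDS * V5_RECORD.size + IP_UDP_OVERHEAD
    return flows_per_second / MAX_RECORDS * datagram_bytes * 8


# Constructed sample: two flows as the 6509 above might export them.
SAMPLE_FLOWS = [
    FlowRecord("10.1.1.5", "192.0.2.10", "10.1.1.1", 3, 7, 12, 1536,
               100_000, 100_900, 51234, 443, 0x1A, 6, 0),   # SYN, PSH, ACK seen
    FlowRecord("10.1.1.9", "10.1.2.20", "0.0.0.0", 3, 5, 2, 128,
               100_200, 100_250, 53, 34567, 0x00, 17, 0),   # UDP DNS reply
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS, uptime_ms=101_000, unix_secs=1_233_360_000)

if __name__ == "__main__":
    hdr, flows = parse_v5(SAMPLE_DATAGRAM)
    print(hdr)
    for f in flows:
        print(f"{f.src}:{f.src_port} -> {f.dst}:{f.dst_port} proto {f.proto} "
              f"ifIndex {f.input_if} -> {f.output_if}, {f.octets} octets")
```

Point a UDP socket at the port given in ip flow-export destination and hand each received datagram to parse_v5. The ValueError paths matter: a datagram whose count field does not match its length is either truncated or not v5 at all, and a collector that indexes into it anyway reads garbage or crashes. Note also that the sampling field tells you whether the counters must be multiplied up; the Cisco commands above do not enable sampling, so it stays 0.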

That wasn’t so bad, was it?

-Nate


How does MRTG Work?

Posted in General on January 29th, 2009 by miltong

MRTG (the Multi Router Traffic Grapher) monitors network traffic and produces continuously updated graphs of it.

The way MRTG works, as described by Wikipedia, is “MRTG uses the Simple Network Management Protocol (SNMP) to send requests with two object identifiers (OIDs) to a device. The device, which must be SNMP-enabled, will have a management information base (MIB) to look up the OIDs specified. After collecting the information it will send back the raw data encapsulated in an SNMP protocol. MRTG records this data in a log on the client along with previously recorded data for the device. The software then creates an HTML document from the logs, containing a list of graphs detailing traffic for the selected device.”

Plixer International has a variety of software that monitors network traffic. Denika uses MRTG reports when monitoring and trending bandwidth usage. It provides historical trends and real-time information on the status of network devices. The most common use is bandwidth utilization, but it can also be used to trend CPU, memory, hard disk space, sysUpTime and any other SNMP OID, as well as non-SNMP values collected by scripts (e.g. monitoring database activity). There is also a free Denika download.
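The Wikipedia description above leaves out the arithmetic that the graphs depend on, so here is an added example (my own, not MRTG's or Plixer's code) of how an MRTG-style poller turns two consecutive reads of ifInOctets and ifOutOctets into a bits-per-second value. The SNMP round trip is replaced by a constructed list of counter readings so it runs offline; the interface speed, poll times and counter values are assumptions. It shows the two things that bite in practice: a Counter32 wrapping at 2**32 between polls, and a rebooted device whose counter went back to zero.

```python
"""How an MRTG-style poller turns SNMP octet counters into a bandwidth graph.

Added example, not MRTG's or Plixer's code.  MRTG reads ifInOctets and
ifOutOctets (Counter32, OIDs 1.3.6.1.2.1.2.2.1.10.N and .16.N for ifIndex N)
every five minutes and graphs the rate between polls.  The SNMP transport is
replaced here by constructed readings; the counter arithmetic is the point.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

POLL_INTERVAL = 300                      # MRTG's default, in seconds


def counter_delta(prev: int, cur: int, bits: int = 32) -> int:
    """Octets counted between two reads, allowing for one counter wrap."""
    return (cur - prev) % (1 << bits)


def seconds_to_wrap(link_bps: float, bits: int = 32) -> float:
    """How long a saturated link takes to wrap its octet counter."""
    return (1 << bits) * 8 / link_bps


@dataclass
class InterfaceGrapher:
    """Keeps the last sample for one interface and an MRTG-like log of rates."""
    if_speed_bps: int                    # from ifSpeed; MRTG's MaxBytes is ifSpeed/8
    counter_bits: int = 32               # 64 when polling ifHCInOctets/ifHCOutOctets
    last: Optional[Tuple[int, int, int]] = None       # (time, in_octets, out_octets)
    log: List[Tuple[int, float, float]] = field(default_factory=list)

    def sample(self, t: int, in_octets: int, out_octets: int) -> Optional[Tuple[float, float]]:
        """Feed one poll; return (in_bps, out_bps), or None when it is unusable."""
        prev, self.last = self.last, (t, in_octets, out_octets)
        if prev is None:
            return None                  # first poll: nothing to diff against
        elapsed = t - prev[0]
        if elapsed <= 0:
            return None
        rates = []
        for old, new in ((prev[1], in_octets), (prev[2], out_octets)):
            bps = counter_delta(old, new, self.counter_bits) * 8 / elapsed
            if bps > self.if_speed_bps:
                # MRTG discards values above MaxBytes: a device that rebooted
                # (counter back near 0) looks like an impossible wrap-around.
                return None
            rates.append(bps)
        self.log.append((t, rates[0], rates[1]))
        return rates[0], rates[1]


# Constructed poll readings for a 100 Mb/s interface (not from a real device).
FAST_ETHERNET = 100_000_000
SAMPLES = [
    (0,   4_294_867_296, 1_000_000),     # ifInOctets sits 100 000 below 2**32
    (300,       200_000, 1_750_000),     # in wrapped: delta 300 000; out delta 750 000
    (600,       350_000,   500_000),     # out went backwards: the device rebooted
]


def run_demo():
    """Return the per-poll results and the log MRTG would graph from."""
    g = InterfaceGrapher(if_speed_bps=FAST_ETHERNET)
    results = [g.sample(*s) for s in SAMPLES]
    return results, g.log


if __name__ == "__main__":
    results, log = run_demo()
    for (t, *_), r in zip(SAMPLES, results):
        print(f"t={t:>4}s  {'discarded' if r is None else f'in {r[0]:.0f} bps, out {r[1]:.0f} bps'}")
    print(f"Counter32 wraps in {seconds_to_wrap(1_000_000_000):.1f} s on a saturated 1 Gb/s link")
```

The last line of output is why MRTG on gigabit links needs the 64-bit ifHCInOctets/ifHCOutOctets counters (which require SNMPv2c or v3): a Counter32 wraps in about 34 seconds at 1 Gb/s, so a 5-minute poll can wrap it several times and the modulo arithmetic silently returns the wrong delta. At 100 Mb/s the wrap time is just over 343 seconds, which is why the 5-minute default works there.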

Milton


What is plumTrack?

Posted in General on January 28th, 2009 by Jo-G

We have developed a Call Tracking system to monitor and report statistics of our Sales and Technical Support phone activity on our Asterisk PBX system.

This call tracking system was originally created by Marcus Del Greco, a former employee of Plixer International, and has since been upgraded and maintained by me.

The result is our in-house tool plumTrack, which provides call statistics including the total number of calls per person and the total time on the phone (both incoming and outgoing), broken out by internal (company extension) and external calls. It is tailored very specifically to our needs, as our monthly bonuses are based on its numbers. Management uses it to track how many calls we made to customers and how long, in minutes, we were on the phone.


Another way you can get netflow help.

Posted in General on January 28th, 2009 by jimmyd

One of the many things we pride ourselves on is the outstanding support we give for all of our products. In recent months we decided to provide “One on One” chat support for both our evaluators and our tried and true customers.

“According to a Northstar Research Partners study commissioned by live chat vendor LivePerson, high-value customers who spend more than the average consumer are more likely to use live chat. The study says more people feel highly satisfied after receiving customer service via live chat (46 percent rate it 9 to 10 on a 10-point scale) than other forms of customer service such as a toll-free number (41 percent), e-mail support (31 percent), or online FAQs (24 percent).” – PC World

This type of thinking holds true in the Netflow world. The more we work with the person, the more comfortable they feel about Scrutinizer. It gives us the ability to understand what the person needs and how we can provide the solutions. This type of relationship is priceless.

Getting “One on One” support is easy. If you don't own the product and have some questions, go to www.plixer.com and click on the “Start Chat Now” option. If you are having a hard time finding the link, just look for the handsome guy in the green hat. PreSales chat is online from 8:00 am to 10:00 pm Eastern.


If you own Scrutinizer, you already have the “One on One” support link embedded in the interface. Just click on the small doctor icon in the upper right-hand corner of the screen. It's like having your own NetFlow support department at your fingertips.

So the next time you have a question, make sure to check out our live “One on One” support.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

Probe for non NetFlow Capable Gear

Posted in NetFlow, Scrutinizer on January 26th, 2009 by mike@plixer.com

Overview
It seems like every day someone uninstalls Scrutinizer because they didn't realize their routers and switches don't support NetFlow or sFlow. About 3 years ago we released a software package called nProbeLive that was similar to nProbe.

nProbe can be installed on a computer that sits on a mirrored (SPAN) port of a switch. Basically, it converts the packets it sees into NetFlow v5, v9 or IPFIX.

Big Problem
A mirrored port copies both the inbound and the outbound traffic of the monitored ports OUT the SPAN port, so nProbe sees all of it as IN traffic on its single capture interface. What's the problem? It will generally overstate utilization on the interface, and it is difficult to determine what was sent vs. what was received. Explaining this issue became exhausting, so we posted an nProbe FAQ on it.

Wireshark or nProbe ?
NetFlow analysis does not give nearly the insight that packet analysis does; however, it generates much less traffic and data. If you need to archive high-level information (i.e. who is talking to whom and over what), use nProbe. If you are after juicy details like URLs, use Wireshark.

Scrutinizer Vs. Wireshark
We see Scrutinizer as being to NetFlow what Wireshark is to packet analysis. NetFlow and sFlow are far more efficient to archive; the details, however, are left to packet analysis.

Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter

Heartland Security Breach Could Have Been Prevented

Posted in General, Scrutinizer on January 26th, 2009 by Raul J Duran

“I have talked to many payments leaders who are also concerned about the increasing success and frequency of cyber crime attacks,” stated Robert O. Carr, founder, chairman and chief executive officer of Heartland Payment Systems, a large provider of credit and debit payment and check management services based in New Jersey.

In a Network World article, “Debit-card processor claims data breach part of global fraud operation”, Ellen Messmer, senior editor for Networkworld.com, explains how Heartland was hit by a massive security breach that compromised customer card data crossing Heartland's network.

Robert H.B. Baldwin Jr., Heartland’s president and CFO, said “About 100 million card transactions per month occur on the affected systems which provide processing to merchants and businesses.”

I'm sure several initial questions were asked, like “How did this happen?” “Why didn't the firewall and IDS prevent this?” “Why didn't antivirus pick this up?” “What security do we have?!” I wonder what the answers were. Crickets, with the occasional whimper? “Yes, it is a problem and we are working on it…” “I don't know.”

Baldwin says the computer forensics conducted by the company has uncovered evidence of multiple instances of malicious software on the Heartland network, although he didn’t disclose the exact number of identified instances.

Heartland's official statement contained a clue as to how the breach was carried out: “Cyber criminals to use the same or slightly modified techniques over and over again.”

So the picture that emerges is that a modified worm and/or trojan, built to evade antivirus, was introduced to the network either from the inside or through an open port. Once the right nodes or servers were infected, it was open season on credit card data.

In the last paragraph of the Network World article, Baldwin states that the company is taking steps to improve its network security by adding what it referred to as “a next-generation program designed to flag network anomalies in real-time to better identify possible criminal activity,” but didn't go into details.

In today's world anybody can learn how to hack and create worms and viruses with a simple Google search, which increases both the number and the sophistication of people looking to steal information. At their core, though, these attacks produce very similar symptoms and network behavior. This is why real-time network traffic anomaly detection is a critical step in securing a network, and judging by Heartland's published statements they seem to agree.

A tool that would likely have caught this breach is the NetFlow Behavior Analysis (NBA) module for the Scrutinizer NetFlow Analyzer. It is a system designed to look for malicious traffic trends that fly under the radar of existing conventional countermeasures.

Scrutinizer NBA continually tallies and sizes up the conversations from all flow-sending devices and helps identify:

• Zero-day worms, SYN Floods and DoS attacks
• ICMP Destination Unreachable
• Bleeding Edge Attacks
• Policy violations and internal misuse
• Poorly configured and unauthorized devices
• Unauthorized Application Deployments
• Suspicious NetBIOS-based services
• Excessive Multicast Traffic
• Unauthorized or incorrectly configured server activity
• P2P traffic, such as Bit Torrent (even if encrypted)
• Root causes of network slow downs
• Serious vs. trivial network incidents
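To make the list above concrete, here is an added illustration (my own code, not Plixer's NBA module and not its thresholds) of the kind of checks a flow-based behavior analysis runs over a batch of records: SYN floods and scans, bursts of ICMP Destination Unreachable, and a host fanning out to an unusual number of peers. The flow records are constructed to include one host sweeping a /24 on TCP port 445, and the thresholds are assumptions chosen for that sample.

```python
"""Flow-based anomaly checks of the kind a NetFlow behavior analysis runs.

Added illustration, not Plixer's NBA code or thresholds.  Three detectors
from the list above are run over constructed flow records: SYN scans/floods,
ICMP Destination Unreachable bursts, and peer fan-out.  Thresholds are
assumptions picked for this sample; a real deployment tunes them per network
and per host role.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

TCP, UDP, ICMP = 6, 17, 1
SYN, PSH, ACK = 0x02, 0x08, 0x10
ICMP_DEST_UNREACH = 3


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    src_port: int
    dst_port: int      # for ICMP, Cisco NetFlow v5 stores type * 256 + code here
    packets: int
    octets: int
    tcp_flags: int     # OR of all TCP flags seen during the flow


def detect_syn_scans(flows: List[Flow], min_targets: int = 20,
                     max_packets: int = 3) -> Dict[str, int]:
    """Sources with many tiny SYN-only flows that never carried an ACK:
    the signature of a port/host scan or a SYN flood."""
    targets = defaultdict(set)
    for f in flows:
        if (f.proto == TCP and (f.tcp_flags & SYN) and not (f.tcp_flags & ACK)
                and f.packets <= max_packets):
            targets[f.src].add((f.dst, f.dst_port))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def detect_icmp_unreachable(flows: List[Flow], min_messages: int = 10) -> Dict[str, int]:
    """Hosts receiving a burst of ICMP type 3: they are probing addresses or
    ports that do not exist, which a spreading worm does constantly."""
    counts = defaultdict(int)
    for f in flows:
        if f.proto == ICMP and (f.dst_port >> 8) == ICMP_DEST_UNREACH:
            counts[f.dst] += f.packets        # dst is the host whose probes failed
    return {h: n for h, n in counts.items() if n >= min_messages}


def detect_fan_out(flows: List[Flow], min_peers: int = 20) -> Dict[str, int]:
    """Hosts talking to far more distinct peers than a client normally does."""
    peers = defaultdict(set)
    for f in flows:
        peers[f.src].add(f.dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


def score_batch(flows: List[Flow]) -> Dict[str, Dict[str, int]]:
    """Run every detector and return what each one flagged."""
    return {"syn_scan": detect_syn_scans(flows),
            "icmp_unreachable": detect_icmp_unreachable(flows),
            "fan_out": detect_fan_out(flows)}


def constructed_sample() -> List[Flow]:
    """Normal web and DNS traffic plus one host sweeping 10.0.1.0/24 on TCP 445."""
    flows = [
        Flow("10.0.0.5", "192.0.2.10", TCP, 51234, 443, 40, 31_000, SYN | PSH | ACK),
        Flow("10.0.0.5", "10.0.0.2", UDP, 40001, 53, 1, 64, 0),
    ]
    scanner = "10.0.0.66"
    for host in range(1, 26):                       # 25 targets, one SYN each
        flows.append(Flow(scanner, f"10.0.1.{host}", TCP, 40000 + host, 445, 1, 60, SYN))
    for _ in range(12):                             # 12 targets do not exist, so the
        flows.append(Flow("10.0.1.254", scanner, ICMP, 0,   # gateway answers each probe
                          ICMP_DEST_UNREACH * 256 + 1, 1, 56, 0))   # with host unreachable
    return flows


if __name__ == "__main__":
    for check, hits in score_batch(constructed_sample()).items():
        print(check, hits or "nothing flagged")
```

Two points the sample makes: the normal HTTPS session is not flagged by the SYN check because its flag field accumulated an ACK, which is why flow records that OR all flags together are so useful; and the scanner is caught three independent ways (many SYN-only flows, many peers, and a pile of unreachables coming back to it), which is what lets a behavior analysis rank a serious incident above a trivial one.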

What happened to Heartland is an example of why having a real-time network behavior analysis tool in place like Plixer’s Netflow Behavior Analysis module can be the key to avoiding catastrophic security breaches.

Plixer offers free evaluations of Scrutinizer and the Flow Analytics/NBA module, so there's no reason not to check it out if you don't already have it.

Check out the Netflow Behavior Analysis Brochure on the Plixer website.

Good luck to Heartland and I hope they’re able to recover from this.

Raul Duran


NetFlow Calculator

Posted in General, Scrutinizer on January 25th, 2009 by mike@plixer.com
I wanted to make a quick post about our new NetFlow Calculator. It helps people understand how much traffic NetFlow export can generate, as well as how much hard disk space Scrutinizer will use to store it.
Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter

ip route-cache flow or ip flow ingress… Which do I use?

Posted in General on January 23rd, 2009 by nathanh

If you’ve ever configured a router for NetFlow, you may have had to work with either, or both, of these commands.

When configuring NetFlow on your router, you have two sets of configuration to set up. The first is the global commands, which define which version of NetFlow is used, where the flows are exported to, and on what port.

After the global commands, you also need to configure the interfaces that will be using NetFlow. To enable flows on an interface you have two commands that are very similar in nature but used in different circumstances.

For more information regarding NetFlow configurations, check out this Activating NetFlow Guide.

So, back to the original question: “Do I use ip route-cache flow or ip flow ingress?”

Deciding which interfaces you want to monitor will answer this question.

If you want to monitor flows on a physical interface, use ip route-cache flow. Enabling ip route-cache flow on the physical interface in turn enables flows on all of its sub-interfaces.

But let's say you are not interested in seeing flows on sub-interfaces x, y and z, but you do want to see flows on sub-interfaces a, b and c of that same interface. This is where ip flow ingress comes in: apply it to just the sub-interfaces you care about.

So as a quick summary:
ip route-cache flow will enable flows on the physical interface and all sub-interfaces associated with it.

ip flow ingress will enable flows on individual sub-interfaces, as opposed to all of them on the same interface.

Cisco’s article on Netflow and subinterface support offers a wealth of information on this subject.

**NOTE** NetFlow v5 only gives you inbound (ingress) statistics, enabled with the ip flow ingress command. With NetFlow v9 export we also have the option of accounting for traffic leaving each interface via ip flow egress. Check out this blog post, which tackles the question: which is better to use, ingress or egress?
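Two passages on this page end up with flow records that all look like “in” traffic: a router exporting v5 with ip flow ingress on every interface (this post), and the SPAN-port probe in the nProbe “Big Problem” paragraph above. The added example below (my own code, not Plixer's or nProbe's) shows how to recover sent vs. received in each case. For the router, an ingress record already carries the output ifIndex, so per-interface OUT totals can be rebuilt from ingress-only records; for the probe, ifIndex means nothing and direction has to come from which end of the conversation is in a local prefix. The flows are constructed, the “local” prefixes are assumptions, and ifIndex 1 is taken to be the WAN link with 2 and 3 as LAN interfaces.

```python
"""Recovering sent vs. received traffic from ingress-only flow records.

Added example, not code from Plixer or nProbe.  Serves two passages on this
page: a router with 'ip flow ingress' on every interface reports each flow
once, on the interface it entered, but the record's output ifIndex says where
it left; a probe on a SPAN port sees both directions on one capture port, so
direction must be decided from addressing instead.  Records are constructed
and the local prefixes are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable


@dataclass
class Flow:
    src: str
    dst: str
    input_if: int     # ifIndex the flow entered; always populated with ingress NetFlow
    output_if: int    # ifIndex it was forwarded out of; 0 = dropped or terminated locally
    octets: int


def per_interface_octets(flows: Iterable[Flow]) -> Dict[int, Dict[str, int]]:
    """Router case: an ingress record on interface A that leaves via B is also
    B's egress traffic, so credit the octets to both sides from one record."""
    totals: Dict[int, Dict[str, int]] = defaultdict(lambda: {"in": 0, "out": 0})
    for f in flows:
        totals[f.input_if]["in"] += f.octets
        if f.output_if:
            totals[f.output_if]["out"] += f.octets
    return dict(totals)


def classify_direction(f: Flow, local_nets) -> str:
    """Probe case: the SPAN copy has no usable ifIndex, so decide by which
    end of the conversation sits inside the networks we consider local."""
    src_local = any(ip_address(f.src) in n for n in local_nets)
    dst_local = any(ip_address(f.dst) in n for n in local_nets)
    if src_local and dst_local:
        return "internal"
    if src_local:
        return "sent"
    if dst_local:
        return "received"
    return "transit"      # neither end local: not our traffic, or local_nets is wrong


def span_totals(flows: Iterable[Flow], local_nets) -> Dict[str, int]:
    """Octets per direction as a probe on a SPAN port would have to report them."""
    totals = {"sent": 0, "received": 0, "internal": 0, "transit": 0}
    for f in flows:
        totals[classify_direction(f, local_nets)] += f.octets
    return totals


# Constructed records: a web session from a LAN host, one packet to the
# router itself, and a LAN-to-LAN transfer between two router interfaces.
WAN, LAN_A, LAN_B = 1, 2, 3
SAMPLE = [
    Flow("10.0.0.5", "203.0.113.9", LAN_A, WAN, 5_000),      # request out
    Flow("203.0.113.9", "10.0.0.5", WAN, LAN_A, 60_000),     # response back
    Flow("10.0.0.5", "10.0.0.1", LAN_A, 0, 200),             # to the router (SNMP, say)
    Flow("10.0.0.7", "10.0.1.3", LAN_A, LAN_B, 900),         # internal transfer
]
LOCAL_NETS = [ip_network("10.0.0.0/16")]                      # assumption for the sample

if __name__ == "__main__":
    for ifindex, t in sorted(per_interface_octets(SAMPLE).items()):
        print(f"ifIndex {ifindex}: in {t['in']} out {t['out']} octets")
    print(span_totals(SAMPLE, LOCAL_NETS))
```

The caveat for the router method: it is only complete if ingress NetFlow is enabled on every interface that carries traffic. A flow entering an interface without NetFlow never produces a record, so the OUT column of whichever interface it leaves through is undercounted, which is exactly the gap ip flow egress closes. The caveat for the probe method is the mirror image: the local-prefix list must be right, or sent and received swap, and the “transit” bucket growing is the sign it is wrong.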

-Nate


Linux Netflow Collector

Posted in General on January 22nd, 2009 by jimmyd

You would not believe how many times I have had people ask, “Does the FREE version of Scrutinizer run on Linux?” Happily, I can answer “Yes.” You can download the Virtual Appliance and the VMware Player from Plixer.com. The package is easy to install and a snap to run. It offers all the same options that you would have in a normal install and, best of all, it's FREE.

If you have any issues with the VM install make sure to give us a call (207) 324-8805.

Still give’n that no bull support – Jimmy D


Why you should carry Linux Live Distros

Posted in Network Health Report, Network Problem Resolution on January 21st, 2009 by tomp@plixer.com

Last Wednesday started like most days, tackling the project list. While multi-tasking I began putting the final touches on my documentation for third-party integration with Zenoss. At the same time I was testing the new web server I had recently built, which would serve as a replacement for our current server. It was just about noon when I needed to test reboot functionality and I issued a reboot command to our current web server (accidentally). I figured it would take 5 or so minutes to reboot, so I waited around and set a “ping -t www.plixer.com”…

The server wasn’t coming up…

This was about the time my heart started racing. The corporate site was down and I didn't know why. I grabbed my cell phone and the numbers for the NOC at the Time Warner data center where our server is hosted, and suddenly remembered that I had dropped my Jeep off that morning to have new speakers installed. I borrowed a friend's car and drove up to Time Warner. By the time I got there 45 minutes had passed and I had a bad feeling things weren't going to go smoothly. The stress built.

I hooked the server up to a KVM and, sure enough, it had crashed with a fatal kernel error. It wasn't going back online any time soon. Luckily I have a backup server, for just this purpose, with most of the websites up and running. I called in a quick IP change and www.plixer.com was back up. This blog, however, was running on a slightly outdated backup and needed updating immediately. I raced back to the office with my old dead server in hand. There was a kernel error and the server just wouldn't boot. Since our websites were up, I just needed to pull the latest copy off the dead server. This is where the live Linux distro comes into play.

I have always walked around with a live CD in my bag, whether it's Knoppix, Ubuntu or openSUSE. In the past I've used a live CD to save files from corrupt Windows servers and workstations, but never a Linux server. This was the first time, and I stumbled my way through it. With the live distro I was able to mount the disk, tar up the needed directories, and sftp them up to the new server. Phew! All is well.

Since I struggled through this I might as well lay out exactly what I did to get the job done in high hopes that it will help someone else down the road.

First of all you need a live CD. Download a live distro and burn it to CD; in this example I used the openSUSE 11.0 Live CD.

Boot the server from the live CD. In my experience it will automatically pick up an IP address from our DHCP server, which is great.

I start looking around to see whether the hard disk mounted automatically; it did not. I try a few commands to mount sda, sda1, hda, etc. and they all fail, because I don't know the device name of the partition that holds the file system. (From a terminal, fdisk -l or cat /proc/partitions lists every disk and partition the live kernel found, which is quicker than the GUI route.) To find it the openSUSE way, launch YaST and click on Hardware.

Now click on Hardware Information; it scans the server for all installed hardware. Once the inventory is returned, expand Disk and you should see any physical disks along with their partitions. Found it: the partition I needed was /dev/sda2.

Now I need to mount the partition. To do this, launch xterm and run

su root

This gives you the privileges needed to mount. Now run:

mount /dev/sda2 /mnt

This mounts the partition at /mnt. If all you need is to copy files off a disk that has just crashed, mount it read-only instead (mount -o ro /dev/sda2 /mnt) so that nothing gets written to a possibly damaged file system.

At this point you can cd to /mnt and run ls to see your file system.

Now that the partition is mounted and you have root access, tar up the directories you want to save. tar archives a directory recursively by default, so all of its files and subdirectories go into one file along with their paths, ownership and permissions, and it comes back out as a directory rather than as a pile of individual files.

I wanted to grab the latest copy of our blog. From the directory on the mounted disk that holds the site (so the path below is relative to it), I ran:

tar cvzf blog.tgz www.plixer.com/blog/

Use sftp to upload the tarball to the new server, then extract it there with:

tar xvzf blog.tgz

With the site extracted, everything is back up and running. My live Linux distro saves the day again.

-Tom Pore
Follow me on Twitter