If you are seeking a good understanding of NetFlow, or a better understanding of how it can be enabled, configured, and analyzed, the “Commercial NetFlow Applications” chapter from the book Digital Forensics for Network, Internet, and Cloud Computing can be a great resource. Written by Mike Patterson of Plixer International, Inc., the chapter details NetFlow and explains how you can capitalize on its utilization.
The Need for NetFlow
“Commercial NetFlow Applications” explains that today’s networks often operate at multigigabit speeds that can overwhelm traditional packet-based data capture tools and data analysis methods. As a solution to this modern problem, Cisco created NetFlow. Originally released in 1996, it has had multiple updates since. NetFlow v5 is still widely utilized, but v9 is the most recent release.
But what is NetFlow?
According to the book, NetFlow likely already exists in your network infrastructure in supported devices (routers, etc.). This technology collects and categorizes IP traffic as it passes through the device interfaces. As these packets arrive, NetFlow scans them to determine the appropriate traffic flow. Focusing on flows rather than packet captures allows NetFlow to keep up with the increasing speeds of business networks.
What’s the point?
Identifying suspicious traffic for future investigation is much simpler through analyzing flows than it is through packet capture. Ultimately, the desired result of flow analytics is to understand and safeguard your network.
How is it generated?
NetFlow can be generated when traffic enters an interface. For holistic results, NetFlow should be enabled on all interfaces of all supported devices that carry traffic you are interested in analyzing. This is necessary because outbound utilization is calculated from the ingress flows of the other interfaces. Otherwise, traffic coming in on one interface and destined for another interface will be missing from the NetFlow calculation.
Once NetFlow is enabled through a few simple commands, the router will write records for every conversation going through it and will then export them to a NetFlow collector.
It is noted that the emerging standard for NetFlow, called Internet Protocol Flow Information eXport (IPFIX), is largely based on NetFlow v9, and that it should not be confused with the packet sampling technology called sFlow, although NetFlow can also perform sampling.
The chapter explains that NetFlow v5 only supports ingress flows, while v9 supports ingress and egress. Generally speaking, ingress flows enabled on all the interfaces of the switch or router will deliver the information needed for an investigation. However, there are multiple reasons you may be required to enable egress NetFlow in addition to ingress NetFlow.
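To make the ingress-only point concrete (both the "enable it on every interface" advice above and the v5 versus v9 distinction), here is an added example that is not from the book, from Plixer or from Scrutinizer: it builds a NetFlow v5 export packet from constructed sample flows, decodes it the way a collector would, and derives per-interface outbound bytes from the ingress records of the other interfaces. The interface indexes, addresses and byte counts are made up for illustration.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 export packet: 24-byte header, then up to 30 fixed 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")                # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, input, output, pkts, octets, first, last, ...

def build_v5_packet(flows):
    """Constructed export packet from (src, dst, input_if, output_if, octets, proto) tuples (sample data)."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, i, o,
                       1, octets, 0, 0, 0, 0, 0, 0, proto, 0, 0, 0, 0, 0, 0)
        for s, d, i, o, octets, proto in flows)
    return header + body

def parse_v5(packet):
    """Decode a v5 export packet into flow dicts, as a collector would."""
    version, count = V5_HEADER.unpack_from(packet)[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    flows = []
    for n in range(count):
        r = V5_RECORD.unpack_from(packet, V5_HEADER.size + n * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "input": r[3], "output": r[4], "octets": r[6], "proto": r[13]})
    return flows

def interface_utilization(flows, enabled_ifaces):
    """Per-interface inbound/outbound bytes from ingress-only (v5) flows.
    A flow is only exported if NetFlow is enabled on its *input* interface, so outbound
    bytes on interface X are whatever ingress flows on other interfaces list X as output."""
    inbound, outbound = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["input"] not in enabled_ifaces:
            continue  # never exported by the router: this traffic is invisible to the collector
        inbound[f["input"]] += f["octets"]
        outbound[f["output"]] += f["octets"]
    return dict(inbound), dict(outbound)

# Constructed sample: three interfaces, flows in both directions (byte counts are made up).
SAMPLE = [
    ("10.0.0.5", "192.0.2.10", 1, 3, 5000, 6),   # LAN -> WAN
    ("192.0.2.10", "10.0.0.5", 3, 1, 20000, 6),  # WAN -> LAN
    ("10.0.1.7", "10.0.0.5", 2, 1, 800, 17),     # inter-VLAN
]
PACKET = build_v5_packet(SAMPLE)
```

Calling `interface_utilization(parse_v5(PACKET), {1, 2, 3})` reports 20800 outbound bytes on interface 1, while leaving interface 3 out of the enabled set drops that to 800, which is exactly the blind spot the chapter warns about.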
More to Come
The information Mike Patterson provided in Digital Forensics for Network, Internet, and Cloud Computing elaborates further on NetFlow v9 benefits and uses. He discusses Flexible NetFlow, sFlow, and how Scrutinizer handles both. Check out Digital Forensics for more information.