Okay, back to the basics. We’ve been working with Cisco NetFlow technology for many years now, but what is NetFlow?
NetFlow is a traffic profile monitoring technology developed by Darren Kerr and Barry Bruins at Cisco Systems, back in 1996. At that time, network monitoring mostly consisted of seeing how much traffic was traversing your network, but did not include what that traffic was.
With the introduction of NetFlow, and with the use of a NetFlow analyzer, the following information is made available via the exported flow packets: source IP address, destination IP address, source port number, destination port number, IP protocol, type of service (ToS), and the router input interface. Those seven fields are the key that defines a flow; every packet matching the same key is counted into the same flow record, along with packet and byte counters and start/end timestamps.
Exporting flows to a NetFlow collector provides a deeper level of detail that was up to this point unavailable in network management. This type of information has proven invaluable in detecting worms, port scans, DDoS attacks, and other security threats and network misuse.
That’s how NetFlow started and that was the typical information available in NetFlow version 5 packets.
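To make the v5 record layout concrete, here is an added example (not Cisco's code and not part of the original post) that parses a NetFlow v5 export datagram with Python's `struct` module and runs a simple port-scan check over the flows, the kind of detection the post mentions. The datagram is constructed inline from documentation-range addresses (203.0.113.5, 198.51.100.7, 192.0.2.10) so it runs offline; the helper names, the SYN-only/single-packet heuristic and the five-port threshold are my own assumptions, not a vendor's algorithm.

```python
"""Parse NetFlow v5 export datagrams and flag vertical port scans.

Added example, not Cisco's or any collector's code. The sample datagram is
constructed below so the script runs offline; the field layout follows the
published NetFlow v5 header (24 bytes) and record (48 bytes) format.
"""
import socket
import struct
from collections import defaultdict
from typing import Dict, List

# v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first,
# last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

TCP = 6
SYN = 0x02


def ip_to_int(addr: str) -> int:
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def parse_v5(datagram: bytes) -> List[Dict]:
    """Return one dict per flow record, rejecting malformed datagrams.

    A collector listens on an unauthenticated UDP port, so the record count
    in the header is checked against the payload length instead of trusted.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow version 5, got {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header record count exceeds datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": int_to_ip(r[0]), "dst": int_to_ip(r[1]),
            "input_if": r[3], "packets": r[5], "bytes": r[6],
            "sport": r[9], "dport": r[10],
            "tcp_flags": r[12], "proto": r[13], "tos": r[14],
        })
    return flows


def is_malformed(datagram: bytes) -> bool:
    """True if parse_v5 rejects the datagram (used to exercise the checks)."""
    try:
        parse_v5(datagram)
        return False
    except ValueError:
        return True


def detect_port_scans(flows: List[Dict], min_ports: int = 5) -> Dict[str, List[int]]:
    """Flag source->destination pairs whose single-packet SYN-only TCP flows
    touch at least min_ports distinct destination ports (assumed heuristic)."""
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] == TCP and f["packets"] == 1 and f["tcp_flags"] == SYN:
            ports[(f["src"], f["dst"])].add(f["dport"])
    return {f"{s}->{d}": sorted(p) for (s, d), p in ports.items() if len(p) >= min_ports}


def build_record(src, dst, sport, dport, pkts, octets, flags, proto=TCP) -> bytes:
    """Pack one constructed v5 record (nexthop 0, input if 1, output if 2)."""
    return V5_RECORD.pack(ip_to_int(src), ip_to_int(dst), 0, 1, 2, pkts, octets,
                          1000, 1000, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)


def build_v5(records: List[bytes]) -> bytes:
    """Prepend a v5 header with the correct record count."""
    return V5_HEADER.pack(5, len(records), 123456, 1700000000, 0, 1, 0, 0, 0) + b"".join(records)


# Constructed sample export (not captured traffic): 203.0.113.5 sends a lone SYN
# to eight ports on 192.0.2.10, while 198.51.100.7 holds a normal HTTPS session.
SAMPLE_DATAGRAM = build_v5(
    [build_record("203.0.113.5", "192.0.2.10", 40000 + i, p, 1, 60, SYN)
     for i, p in enumerate([21, 22, 23, 25, 80, 443, 3389, 8080])]
    + [build_record("198.51.100.7", "192.0.2.10", 51234, 443, 120, 84000, 0x1B)]
)

if __name__ == "__main__":
    flows = parse_v5(SAMPLE_DATAGRAM)
    print(f"parsed {len(flows)} flows")
    for pair, probed in detect_port_scans(flows).items():
        print(f"port scan: {pair} probed ports {probed}")
```

The length check before unpacking matters in practice: a collector that trusts the header's record count on an unauthenticated UDP socket can be fed oversized counts by anyone who can spoof the exporter's address. The scan heuristic keys on single-packet SYN-only flows because a completed handshake produces flows with more packets and an ACK bit set, as the HTTPS flow in the sample does.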
NetFlow v9 introduced template-based exports, and Cisco’s Flexible NetFlow (FNF) builds on that format to let you choose which fields each flow record carries instead of the fixed v5 layout. That opens the door even wider to dig deep into what is happening on your network, increasing the ability for:
– Real-time network monitoring
– Application and user profiling
– Network planning and capacity planning
– Security incident detection and classification
– Accounting and billing
– Network data warehousing, forensics, and data mining
So what’s next for NetFlow?
Extending NetFlow exports to new and different devices, such as switches, firewalls, and devices with no NetFlow support of their own, is the ongoing challenge for software developers.
NetFlow originally was not available for Layer 2 devices, but more and more vendors are enabling NetFlow or sFlow (which exports sampled packet headers rather than full flow records) on their switches, including the Cisco Catalyst 6500, Juniper EX3200/4200, HP ProCurve, Enterasys, and many others.
Data from firewalls can be very interesting to network security managers, as the firewall is typically the first point of entry from the internet to your network. Cisco ASA firewalls export NetFlow Secure Event Logging (NSEL), a v9-based format that reports connection create, teardown, and deny events rather than periodic flow statistics, so with a NetFlow analyzer that understands that variant, valuable intrusion data can be retrieved and analyzed.
Have non-NetFlow capable devices? Installing a NetFlow probe can provide the NetFlow export data you need.
Other devices and applications can be monitored with IPFIX (IP Flow Information Export), the IETF standard derived from NetFlow v9, by running software that generates flow records and exports them to an IPFIX collector.
As development continues, tapping into all of the hardware and software that makes up your network, ensuring optimal performance, and securing your network from both external and internal threats all get easier.
Stay tuned as we explore more ways to use NetFlow technology.