Cisco Flexible NetFlow expert Mike Patterson: Denial of Service (DoS) attacks can be accurately diagnosed
Flexible NetFlow can track a wide range of IP information.
Mike Patterson, product manager for Plixer International, insists that activating Cisco NetFlow is the simplest way to learn who, what, when and where traffic was created on the network. Prior to NetFlow, SNMP was used to learn which connections were congested, and packet analyzers were deployed to investigate the source of the volume.
NetFlow has not replaced these technologies, but works alongside them. Although NetFlow still does not look beyond summarized IP traffic, Flexible NetFlow brings it closer to the capabilities of packet analyzers or even Intrusion Detection Systems.
“Plixer is committed to Flexible NetFlow and working directly with NetFlow engineers at Cisco to ensure we deliver competitive feature sets,” said Mike.
Flexible NetFlow, which is based on NetFlow version 9, gives administrators the ability to create customized Flow Monitors that capture specialized information for different types of applications. A Flow Monitor ties together a Flow Record, which defines which fields key a flow and what information to collect, and a Flow Exporter, which defines where to send it. With Flexible NetFlow an administrator could, for example, set up separate Flow Monitors that operate simultaneously on a single port, one to capture security data and the other to capture data for traffic analysis.
Flexible NetFlow Flow Monitors can collect fields from layer 2 through layer 7, including sections of the packet itself for deep packet inspection and application monitoring. In short, Flexible NetFlow can launch a separate, deeper Flow Monitor while a traditional Flow Monitor continues exporting to a collector.
Although Flexible NetFlow also supports version 5 and IPFIX, the administrator must export with NetFlow v9 to carry up to the first 1200 bytes of the IP packet: version 5 has a fixed record layout and cannot carry packet sections, whereas v9 describes its records with templates. In many cases 1200 bytes is the entire packet, since a standard Ethernet frame carries at most 1500 bytes of IP data.
In most cases it wouldn’t make sense to capture the first 1200 bytes of all packets as this would defeat the purpose of NetFlow's summarization architecture.
However, it may make sense to set a threshold that triggers a brief Flow Monitor. That Flow Monitor can use an "immediate" NetFlow cache on the router, in which every packet becomes its own flow entry and is exported at once, to capture and export the first 1200 bytes of each of the culprit's packets for several seconds.
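The Cisco IOS configuration below is an added example, not configuration from the original article or from Plixer. It shows the arrangement described above: two Flow Monitors attached side by side to one interface (one tuned for security analysis, one for traffic accounting), a third monitor whose record collects the first 1200 bytes of each IPv4 packet into an immediate cache, a single NetFlow v9 exporter shared by all three, and an EEM applet that attaches the third monitor for ten seconds when an SNMP-polled interface counter exceeds a threshold. The interface names, addresses, port, ifIndex in the SNMP OID, threshold and window length are assumptions for illustration; confirm the `collect ipv4 section` size range and EEM `entry-type rate` support on your platform before relying on them.

```cisco
! Exporter shared by every monitor below. Packet sections are
! template-described, variable-length fields, so the exporter must use
! NetFlow v9 (or IPFIX); version 5 has a fixed record layout.
flow exporter COLLECTOR-V9
 description Export to the collector (address assumed for illustration)
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
!
! Security record: keyed on the full 5-tuple, keeps TCP flags so the
! collector can separate SYN floods and scans from completed sessions.
flow record SEC-REC
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 match interface input
 collect transport tcp flags
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
! Traffic-accounting record: coarser key so the cache stays small over
! a long active timeout.
flow record TRAFFIC-REC
 match ipv4 source address
 match ipv4 destination address
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets long
!
! Deep record: same key as the security record plus the first 1200 bytes
! of each packet, counted from the start of the IPv4 header.
flow record DEEP-REC
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect ipv4 section header size 1200
 collect counter bytes
 collect counter packets
!
flow monitor SEC-MON
 record SEC-REC
 exporter COLLECTOR-V9
 cache timeout active 60
 cache timeout inactive 15
!
flow monitor TRAFFIC-MON
 record TRAFFIC-REC
 exporter COLLECTOR-V9
 cache timeout active 300
!
! Immediate cache: each packet becomes a flow entry and is exported at
! once. That is what makes the section data useful, and also what makes
! this monitor too expensive to leave attached permanently.
flow monitor DEEP-MON
 record DEEP-REC
 exporter COLLECTOR-V9
 cache type immediate
!
! The two long-running monitors stay attached together.
interface GigabitEthernet0/1
 ip flow monitor SEC-MON input
 ip flow monitor TRAFFIC-MON input
!
! Threshold trigger (assumed values): poll ifInOctets for ifIndex 3 every
! 10 s and fire when the byte rate exceeds 50,000,000 per second, then
! attach DEEP-MON for 10 s and detach it again.
event manager applet DEEP-CAPTURE
 event snmp oid 1.3.6.1.2.1.2.2.1.10.3 get-type exact entry-op gt entry-val 50000000 entry-type rate poll-interval 10
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface GigabitEthernet0/1"
 action 1.3 cli command "ip flow monitor DEEP-MON input"
 action 1.4 cli command "end"
 action 2.0 syslog msg "DEEP-MON attached: exporting packet sections for 10 s"
 action 2.1 wait 10
 action 3.0 cli command "configure terminal"
 action 3.1 cli command "interface GigabitEthernet0/1"
 action 3.2 cli command "no ip flow monitor DEEP-MON input"
 action 3.3 cli command "end"
 action 3.4 syslog msg "DEEP-MON detached"
```

Two caveats a practitioner should keep in mind. The immediate-cache monitor records every packet crossing the interface during the window, not only the culprit's, so the export volume is roughly the packet rate multiplied by 1200 bytes plus template overhead; keep the window short and make sure the collector can absorb the burst. To try the applet by hand, replace the `event snmp` line with `event none` and start it with `event manager run DEEP-CAPTURE`.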
This feature lets administrators gather information deeper in the packet for security analysis without interrupting the archiving of summarized data for historical baselines. With the actual packet contents in hand, problems such as Denial of Service (DoS) and worm attacks can be thoroughly investigated and more accurately diagnosed.
Since Flexible NetFlow supports versions 5, 9 and IPFIX, it works with existing NetFlow analyzers and even with free NetFlow analysis tools such as Plixer Scrutinizer and NTOP. Note that a collector that understands only version 5 sees the fixed version 5 fields and nothing more; packet sections and other template-defined fields reach the analyzer only over v9 or IPFIX.
Brad Reese is research manager at BradReese.Com, advancing the careers of 600,000-plus certified individuals in the growing Cisco Career Certification Program.