1. Introducing NetFlow
– Recording how the network is actually operating is very important. NetFlow is a feature embedded in Cisco IOS software that analyzes network activity to solve this problem.
– It gives network administrators the tools to know when, where and between which endpoints network traffic flows, and how it flows.
– NetFlow helps administrators identify and solve problems such as:
- Quality of Service (QoS)
- Recognize the signs or risks of denial of service (DoS) attacks, virus distribution
- Analyze new applications and their impact on the network: identify new network applications such as VoIP…
- Reduce WAN traffic overload
- Troubleshoot and identify weaknesses in the network
- Detect unauthorized WAN traffic
- Secure the network system, detect unusual incidents
- Allocate bandwidth appropriately to each type of network service
– Starting from ASA version 8.2(1), NetFlow Secure Event Logging (NSEL) is supported.
– The current version of NetFlow is version 9
2. How NetFlow operates on the ASA firewall
– NetFlow works by creating a NetFlow cache which contains information about all active flows.
– The NetFlow cache is built by processing the packets of a flow along the standard switched path. Only the first packet of a flow creates a record; that record is then reused (updated) for every later packet of the same flow until the flow ends. These records are kept in the NetFlow cache.
– Each packet is inspected (and looked up in the routing table) for the following information, which identifies the flow it belongs to:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type
- ToS bytes (type of service)
- Input interface of the switching device
- …..
– Each record in the NetFlow cache contains a set of attribute fields. A flow record is created by:
- comparing the attributes of incoming packets
- counting the number of packets and bytes of each flow.
– An example NetFlow cache entry carries information such as:
- Flow information is very useful for understanding network activity
- The source IP address indicates the object that is generating the traffic
- The destination IP address indicates the object that is receiving the traffic
- Port indicates the type of application that is using the traffic
- The type of service (ToS) field shows the traffic’s priority
- The device interface shows where the traffic enters the network device
- Packet and byte counts give the traffic volume
- Flow timestamps indicate the flow’s lifetime; from the timestamps you can calculate the packets and bytes transmitted per second
- Next hop IP address
- Subnet mask of source and destination addresses
- TCP flags.
– These records can then be exported to a collection device. There are two ways to view NetFlow data:
- CLI: use show commands on the device; this mode lets you see changes immediately
- NetFlow collector: this mode transfers data from the NetFlow cache to a reporting server called the “NetFlow collector”.
3. NetFlow collector on Cisco ASA
– The NetFlow collector is responsible for collecting flow information and aggregating it into reports.
– Unlike SNMP, which has to be polled, NetFlow periodically pushes information to the NetFlow collector.
– The NetFlow cache on the router, switch, etc. is updated continuously; flows that have ended are found in the cache and sent to the NetFlow collector server. A flow ends when the network communication ends.
– The data sent to the collector amounts to only about 1.5% of the traffic switched by the router.
– NetFlow’s detailed records of each packet provide a complete and detailed view of all network traffic passing through the router or switch.
– The basic steps to produce a NetFlow report are:
- NetFlow is configured to capture the flow into the NetFlow cache
- NetFlow export is configured to send flows to the Collector
- The NetFlow cache searches for finished flows and sends their information to the NetFlow collector server.
- Approximately 30 to 50 flows are bundled into one UDP datagram and sent to the NetFlow collector server.
- NetFlow collector software generates real-time and historical reports from data
– How the router or switch decides that a flow is sent to the NetFlow collector:
- A flow is ready to be exported when it has been inactive for a certain period of time, or when it has existed (been active) longer than the allowed active time.
- A timer determines whether a flow is inactive or has existed for too long: the default inactive timeout is 15 seconds and the default active time limit is 30 minutes. The collector can combine flows and provide a summary of network traffic.
– Location of NetFlow in the network: NetFlow is often used at the central site, because all network traffic from the remote sites can be analyzed and monitored there. Where NetFlow is deployed depends on the network structure. If the reporting collection server is located centrally, the best place to enable NetFlow is close to that server.
– Format of the data sent by NetFlow: data sent to the collector consists of a header followed by a sequence of records. The header contains the sequence number, the number of records and the system time. Each flow record contains information about the flow, e.g.
- IP addresses
- ports, routing information.
– There are different versions of Cisco NetFlow, such as 1, 5, 7, 8 and 9, with different data formats.
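As an added worked example (not code from the original page or from Cisco), the following Python script ties together sections 2 and 3: it simulates a flow cache keyed on the fields listed in section 2 (addresses, ports, protocol, ToS, input interface), applies the 15-second inactive and 30-minute active timers, encodes expired flows as an export datagram with a header (sequence number, record count, system uptime) followed by fixed-size records, and decodes that datagram on the collector side, including the packets-per-second calculation from the flow timestamps. The record layout used is the public NetFlow version 5 layout (one of the versions listed above), chosen because it is fixed-format; ASA NSEL itself uses version 9 templates, which this example does not implement. The addresses, timestamps, interface index and packet sizes are constructed sample values.

```python
# Toy NetFlow cache, v5-format exporter and collector-side parser (constructed example).
# Assumptions not from the page: v5 header/record layout, one input interface, sample packets.
from dataclasses import dataclass
import socket
import struct

INACTIVE_TIMEOUT = 15        # seconds: default inactive timer from the text
ACTIVE_TIMEOUT = 30 * 60     # seconds: default active timer from the text

# v5 header: version, count, sysuptime_ms, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
V5_HEADER = "!HHIIIIBBH"
# v5 record: src, dst, nexthop, input, output, dPkts, dOctets, first_ms, last_ms, sport, dport,
#            pad, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad
V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(V5_HEADER)   # 24 bytes
RECORD_LEN = struct.calcsize(V5_RECORD)   # 48 bytes


@dataclass
class Flow:
    key: tuple            # (src, dst, sport, dport, proto, tos, in_if): the fields the cache matches on
    first: float          # timestamp of the first packet
    last: float           # timestamp of the most recent packet
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0    # OR of all TCP flags seen in the flow


class FlowCache:
    """The first packet of a flow creates a record; later packets only update its counters."""

    def __init__(self):
        self.flows = {}

    def packet(self, ts, src, dst, sport, dport, proto, tos, in_if, length, tcp_flags=0):
        key = (src, dst, sport, dport, proto, tos, in_if)
        flow = self.flows.get(key)
        if flow is None:
            flow = Flow(key, ts, ts)
            self.flows[key] = flow
        flow.packets += 1
        flow.octets += length
        flow.last = ts
        flow.tcp_flags |= tcp_flags

    def expire(self, now):
        """Remove and return flows ready for export: idle >= 15 s, or alive >= 30 min."""
        ready = [k for k, f in self.flows.items()
                 if now - f.last >= INACTIVE_TIMEOUT or now - f.first >= ACTIVE_TIMEOUT]
        return [self.flows.pop(k) for k in ready]


def export_v5(flows, sequence, now, boot):
    """Encode one export datagram: 24-byte header followed by 48-byte records."""
    uptime_ms = int((now - boot) * 1000)
    header = struct.pack(V5_HEADER, 5, len(flows), uptime_ms, int(now), 0, sequence, 0, 0, 0)
    records = []
    for f in flows:
        src, dst, sport, dport, proto, tos, in_if = f.key
        records.append(struct.pack(
            V5_RECORD, socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
            in_if, 0, f.packets, f.octets,
            int((f.first - boot) * 1000), int((f.last - boot) * 1000),
            sport, dport, 0, f.tcp_flags, proto, tos, 0, 0, 0, 0, 0))
    return header + b"".join(records)


def parse_v5(datagram):
    """Collector side: decode the header and records and derive per-second rates."""
    version, count, uptime_ms, _secs, _nsecs, sequence, *_ = struct.unpack(
        V5_HEADER, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(V5_RECORD, datagram[off:off + RECORD_LEN])
        duration = (r[8] - r[7]) / 1000.0           # last_ms - first_ms
        records.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "sport": r[9], "dport": r[10], "proto": r[13], "tos": r[14],
            "tcp_flags": r[12], "packets": r[5], "octets": r[6], "duration_s": duration,
            "pps": r[5] / duration if duration else float(r[5]),
            "bps": r[6] * 8 / duration if duration else float(r[6] * 8),
        })
    return {"version": version, "count": count, "sequence": sequence,
            "sysuptime_ms": uptime_ms, "records": records}


def run_demo():
    """Feed constructed packets through the cache and return the two parsed export datagrams."""
    boot = 1_700_000_000.0                    # constructed device boot time (epoch seconds)
    t = boot
    cache = FlowCache()
    # Flow A: three TCP packets to port 443 within two seconds (SYN, ACK, PSH|ACK)
    cache.packet(t + 0, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, 1, 60, tcp_flags=0x02)
    cache.packet(t + 1, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, 1, 52, tcp_flags=0x10)
    cache.packet(t + 2, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, 1, 500, tcp_flags=0x18)
    # Flow B: a single UDP DNS query
    cache.packet(t + 0.5, "10.0.0.5", "192.0.2.53", 53000, 53, 17, 0, 1, 80)
    # Flow C: a long-lived SSH session that keeps sending
    for dt in (0, 10):
        cache.packet(t + dt, "10.0.0.7", "192.0.2.20", 50000, 22, 6, 0, 1, 100, tcp_flags=0x18)
    batch1 = cache.expire(t + 20)             # A and B idle for >= 15 s; C still active
    dgram1 = export_v5(batch1, 0, t + 20, boot)
    for dt in (600, 1200, 1790):
        cache.packet(t + dt, "10.0.0.7", "192.0.2.20", 50000, 22, 6, 0, 1, 100, tcp_flags=0x18)
    batch2 = cache.expire(t + 1800)           # C exported by the 30-minute active timer
    dgram2 = export_v5(batch2, len(batch1), t + 1800, boot)
    return parse_v5(dgram1), parse_v5(dgram2)


if __name__ == "__main__":
    for dgram in run_demo():
        print("seq=%d count=%d" % (dgram["sequence"], dgram["count"]))
        for rec in dgram["records"]:
            print("  %(src)s:%(sport)d -> %(dst)s:%(dport)d proto=%(proto)d pkts=%(packets)d "
                  "octets=%(octets)d dur=%(duration_s).1fs pps=%(pps).2f" % rec)
```

Note the two export triggers in `run_demo`: flows A and B leave the cache through the inactive timer even though they have very different lifetimes, while flow C is still receiving packets when the active timer forces it out, which is why a long session shows up at the collector as several consecutive records rather than one.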