NetFlow Monitoring and Analysis: The InfoSec Professional’s Guide

By ISBuzz Team, Writer, Information Security Buzz | Jun 06, 2016 02:00 pm PST

A Brief Introduction to NetFlow

NetFlow is data generated by network devices – routers, switches, firewalls, etc. – that contains information about the data that’s moving through the network. The term NetFlow is often used generally to refer to this type of information, but “NetFlow” is actually proprietary to Cisco. Other vendors have their own versions, such as J-Flow from Juniper, and sFlow. There are also different versions of NetFlow. The most commonly used are v5 and v9 (which includes some additional information not available in v5). IPFIX, which is also known as NetFlow v10, was created by the IETF as a common standard. This article discusses NetFlow in general and is relevant to most types of network flow data.

NetFlow is metadata – it’s data about the data traversing the network. Even though NetFlow doesn’t contain information about the contents of the data, it does provide extremely valuable insight about what’s going on in your network, including (but not limited to):

NetFlow data                  What it tells you
Source IP address             Who is sending the traffic
Destination IP address        Who is receiving the traffic
Ports                         The application utilizing the traffic
Class of service              Priority of the traffic
Device interface              How the traffic moves through your network
Tallied packets and bytes     The amount of traffic
TCP flags                     Connection states
Packet timestamps             The exact time the traffic traversed the network

In short, NetFlow helps you understand who, what, where, when, and how network traffic is moving through the network. But in order to take advantage of this insight, you need to do two things:

  1. Enable NetFlow or sFlow on your network devices. Be sure to be as inclusive as possible when determining which devices to enable NetFlow for; the more data you have, the more visibility you get – and the better prepared you are to quickly detect and mitigate security problems. Here is some guidance:
  2. Use a NetFlow collector that offers the monitoring and analysis capabilities you need. We’ll discuss NetFlow collectors later in this article.

NetFlow for Real-time Monitoring

NetFlow was originally developed to help network admins get a better handle on what their network traffic looks like. Because NetFlow is extremely valuable for monitoring what’s going on in the network and alerting when something undesirable happens, network operations teams often use NetFlow to identify performance issues. But NetFlow is also a valuable weapon in any information security professional’s arsenal.

Network security is a nearly impossible job nowadays, with the constant evolution of threats that come from a wide range of sources. There are almost as many point solutions available as there are types of potential vulnerabilities. The problem is that even if you have the budget and manpower to deploy every kind of security point solution available, you still wouldn’t be completely protected. That’s because those tools protect you only against known threats. There is no silver bullet, and there never will be, but leveraging NetFlow for information security can help you protect against unknown threats. This means you don’t have to be on the lookout for a specific threat (which requires that you understand its attributes in all potential permutations). Instead you can characterize normal operational network traffic patterns – and then quickly detect out-of-character patterns that could represent a security breach, even for unknown vectors and techniques. This could include incomplete TCP handshakes, multiple failed login attempts, unexpected connections, unusual volumes of data leaving the organization, traffic from known bad hosts/blacklisted systems, and much more.
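As an added illustration, not code from the article or its author, the Python below applies the approach just described to constructed flow records carrying the fields from the table above: it builds a per-host baseline of normal outbound volume, then flags SYN-only sweeps (incomplete handshakes), outbound volume outliers, and flows touching a blocklisted address. The internal address prefix, the thresholds and the blocklisted address are assumptions.

```python
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

SYN, ACK = 0x02, 0x10          # TCP flag bits as carried in a flow record
INTERNAL = "10.0.0."           # assumption: the monitored site's address space
BLOCKLIST = {"203.0.113.9"}    # constructed indicator (documentation range)
# One flow record, restricted to the fields the article's table lists.
Flow = namedtuple("Flow", "src dst sport dport proto packets octets tcp_flags")

def half_open_scans(flows, min_targets=3):
    """Hosts whose TCP flows are SYN-only (never ACKed) to many dst:port pairs."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.tcp_flags & SYN and not f.tcp_flags & ACK:
            targets[f.src].add((f.dst, f.dport))
    return {h for h, t in targets.items() if len(t) >= min_targets}

def build_baseline(history):
    """history: host -> past per-window outbound byte totals (the 'normal' pattern)."""
    return {h: (mean(v), pstdev(v)) for h, v in history.items()}

def exfil_outliers(flows, baseline, z=3.0):
    """Internal hosts whose outbound bytes this window exceed baseline mean + z stdevs."""
    out = defaultdict(int)
    for f in flows:
        if f.src.startswith(INTERNAL) and not f.dst.startswith(INTERNAL):
            out[f.src] += f.octets
    alerts = {}
    for h, total in out.items():
        m, sd = baseline.get(h, (0.0, 0.0))
        if total > m + z * max(sd, 1.0):  # floor sd so a flat history still alerts
            alerts[h] = total
    return alerts

def blocklist_hits(flows):
    return {(f.src, f.dst) for f in flows if f.src in BLOCKLIST or f.dst in BLOCKLIST}

# Constructed sample window (not captured traffic): a SYN-only sweep from 10.0.0.7,
# an oversized upload from 10.0.0.5, and one flow touching the blocklisted host.
SAMPLE = [Flow("10.0.0.7", "10.0.0.20", 40000 + p, p, 6, 1, 60, SYN) for p in (22, 80, 443, 3389)] + [
    Flow("10.0.0.5", "198.51.100.4", 51000, 443, 6, 12000, 9_000_000, SYN | ACK),
    Flow("10.0.0.6", "198.51.100.4", 51001, 443, 6, 40, 20_000, SYN | ACK),
    Flow("10.0.0.6", "203.0.113.9", 51002, 80, 6, 3, 300, SYN | ACK),
]
HISTORY = {"10.0.0.5": [100_000, 120_000, 90_000], "10.0.0.6": [20_000, 25_000, 18_000]}

def analyze(flows=SAMPLE, history=HISTORY):
    base = build_baseline(history)
    return {"scans": half_open_scans(flows), "exfil": exfil_outliers(flows, base),
            "blocklist": blocklist_hits(flows)}
```

In a real deployment the history window would come from retained flow data in the collector, which is why the retention point made later in the article matters for detection as well as forensics.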

NetFlow for Forensic Analysis

Real-time monitoring helps you identify security problems quickly, before a significant amount of damage is done. But, that’s just the first step. NetFlow also provides infosec professionals with valuable forensic analysis capabilities.

A NetFlow collector consolidates flow data from across multiple devices and interfaces, which means that you don’t need to check individual logs. This not only vastly speeds your ability to find critical information about an incident, it also provides a consolidated and comprehensive view of network traffic. You get a complete timeline that shows you what happened before, during, and after an attack. And you can easily drill down to understand the most granular details, or drill up to see trends.

This fast but comprehensive visibility enables infosec professionals to react very quickly when there’s a security breach. But savvy organizations also use NetFlow’s analysis capabilities for proactive cyber hunting, which essentially seeks to identify more unknown threats – and make them known – before they hit and cause damage.

In either case, your ability to construct a timeline of what happened requires that you retain NetFlow data for the time period in question. Since flow data is compact, it’s an effective way to provide the detail you need while at the same time enabling you to keep the data going back in time for long enough to have full context.

Not All NetFlow Collectors Are Equal

As mentioned above, simply enabling NetFlow doesn’t deliver all of these monitoring and analysis benefits. You need a NetFlow collector that uses the data and provides you with an interface to perform required tasks. There are many NetFlow collectors available that range from limited-functionality freeware to enterprise-grade solutions. As you evaluate the options for your organization, keep the following questions in mind.

How many flow types and interfaces does the collector support? Some NetFlow collectors limit the number of interfaces supported. And if your organization has devices that export different types of flow data (NetFlow, J-Flow, IPFIX, sFlow, etc.), make sure the system you select supports them all so you get maximum visibility – and protection.

How easy is configuration and tuning? Look for a NetFlow collector with an easy-to-use interface that simplifies adjustments to tailor the system to your organization’s attributes and requirements.

Does it provide advanced alerting and reporting capabilities? Alerting is critical, but it’s only useful if you get the right alerts at the right time and in the way that supports your workflows.

Does it integrate with other solutions you’ve deployed? When your NetFlow collector integrates with mitigation and other security tools, you can streamline reaction times and improve security visibility and effectiveness across the board.

How long – and how completely – is flow data retained? Look for systems that offer a high-speed database architecture that enables full recall of all network flows. This will allow virtually unlimited traffic volumes to be analyzed.

Is multi-tenant support available? If you are an ISP, managed security provider, or other organization that requires you to support multiple separate customers or business units, make sure your NetFlow collector can handle multiple end users through a single instance.

Does the solution support clustering and load balancing? Scalability is always an important consideration, and you want to make sure that your NetFlow collector supports unlimited scalability with clustering and load balancing.
