Advanced NetFlow Traffic Analysis

Securing Remote Networks Against Cyber Threats: part 1

Sun, 09 Jun 2013 11:21:06 -0500

Managed Security Service Providers (MSSP) are depending on NetFlow and IPFIX as one of the top 3 enablers for improving network threat detection for onsite as well as remote sites. The distributed NetFlow collection nature of this technology allows IT security teams to gain threat insight into remote areas without actually visiting each location.

Most firewalls today including those from Barracuda, Cisco ASA, Palo Alto Networks, SonicWALL and others provide NetFlow or IPFIX exports which with the right flow analytics solution, allow for several types of additional threat detection methods.

Why Companies Turn to MSSPs

With 50% of Internet thefts occurring at companies with less than 2500 employees and the cost of hiring a security expert increasing, many organizations are turning to MSSPs in hopes of gaining access to a team of security experts. In turn, MSSPs provide their customers with services in areas such as virus blocking, IDS, VPN and firewall maintenance. Monthly fees generally include a block of hours for system changes, modifications and upgrades. When they aren’t working on specific customer issues, they collaborate with other experts to identify the latest threats and the best security countermeasures. Because these experts can’t wait for the next software update to fight the latest cyber battle, security teams often turn to flow technologies to monitor for the latest malware.

“IPS (or deep packet inspection) is our #1 security defense; Netflow is a very close #2 – Gavin Reid, Manager of Cisco CSIRT.

Threat Detection with NetFlow

Traditionally, NetFlow and IPFIX have been used by MSSPs to perform Network Behavior Analysis by running dozens of algorithms against the flows collected. Examples include:

Breach Attempts: Looks for many small flows from one source to one destination. This can indicate things such as a brute force password attack. A typical scenario would be a dictionary attack on an SSH server.
DDoS: Identifies a Distributed Denial of Service attack such as those that can be launched by a BOTNET.
DNS Violation: Alerts when a host initiates an excessive number of DNS queries. This can help to identify hosts that may be infected with a mailer worm or other issues that require an inordinate number DNS lookups.
FIN Scan: The FIN scan’s “stealth” frames are unusual because they are sent to a device without first going through the normal TCP handshaking routine.
ICMP Destination Unreachable: This is a message that comes back from the router to the requesting host stating that it doesn’t have a route to the destination network of the target host.

ICMP Port Unreachable: This is a message that comes back from the destination server stating that it will not open communication on the specified port requested by the host.
Nefarious Activity Violation: Looks for hosts communicating with many hosts with a low number of flows. An example would be a port 80 scan of an entire subnet.
NULL Scan: The null scan turns off all TCP flags in an attempt to open a connection with the target host. Sometimes it consists of flows where the source port is 0 with various destination ports.
RST/ACK: RST/ACK packets are connection denials that come back from destinations to the originating hosts. It can be caused by network scanning.
SYN scan/flood: SYN packets are sent out in an attempt to make a network connection with a target host. It can be caused by network scanning.
Unfinished Flows: Identifies hosts that have a high percentage of unfinished flows. This indicates scanning, Malware or poorly configured applications on a host.
XMAS Tree scan: The Xmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set. This is called a Xmas tree scan because of the alternating bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.

The above algorithms are an excellent step toward the automation of detecting malware that could be trying to penetrate and compromise hosts on the network. Notice that these algorithms focus on network behavior analysis as deep packet inspection to match packets to signatures isn’t generally possible with NetFlow. Much like a flu virus, malware can use a polymorphic technique which means it can constantly vary its structure and content in order to avoid detection. Solutions which perform deep packet inspection in an attempt to pattern match through the use of constantly updated signatures can easily be evaded by this dynamic technique. Even with all the above, more needs to be done to detect the latest forms of malware and this means thinking outside the proverbial threat detection box.

“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2,000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”Dmitri Alperovitch, former VP of Threat Research, McAfee®

Read Part 2 on IP host reputation.

]]> Tags: threat detection cyber threats Related tags: threat detection, netflow ipfix, packet inspection, behavior analysis, unfinished flows, network
, threat detection cyber threats

Follow me:

Router Overhead When Enabling NetFlow

Wed, 01 May 2013 14:59:34 -0500

Are you concerned about the router overhead when enabling NetFlow? You should be if the router already has a busy CPU. Make sure you trend the CPU utilization on a busy router before you try enabling NetFlow or IPFIX. In most cases enabling these network traffic monitoring exports won’t impact performance however, they could however on an already over worked appliance.

In most vendor implementations, flow technology is implemented in software. This results in only a small performance hit in well-written flow programs. In earlier versions of NetFlow (e.g. NetFlow v1), a busy router could be brought to its knees by enabling NetFlow. Enabling NetFlow on the Cisco Catalyst 4500, 6500, 7600, 10000 and 12000 routers can result in the following CPU increase:

# of Active Flow Cache Entries	Additional CPU Utilization
10000	<4%
45000	<12%
65000	<16%

CAUTION: enabling conventional software implementations of NetFlow on very busy routers manufactured by most vendors can in some cases cause unacceptable performance issues. In these cases, reducing the flow tuple or implementing flow sampling are options to consider.

Cisco Systems, Enterasys, Extreme Networks and Dell Sonicwall develop firewalls, routers and switches that support NetFlow and IPFIX in hardware with no impact to the CPU. SonicWALL exports IPFIX with over a dozen different templates and claims less than a 1% impact on CPU utilization. Other vendors like Enterasys have implemented unsampled NetFlow capable ASICs that are capable of exporting line rate flow exports. With flow volumes exceeding 500,000 flows per second, the performance problem often moves from the exporter to the collector as no single flow collection appliance on the market today can handle this flow rate and distributed NetFlow solutions can’t always help when all the flows are coming from one exporter.

Distributed NetFlow collectors allow administrators to break up the collection of flows into groups with each collector receiving from a set of routers. Because the configuration of hundreds of routers is often involved, a NetFlow replicator (aka NetFlow duplicator) is often implemented. The Flow Replicator allows administrators to configure the routers to send flows to a single appliance. The Flow Replicator then splits up the flows to different collectors. This configuration allows administrators to balance the collection loads.

Collection vendors like to tout their collection rates in the multiple million flows per second however, the architecture to support this flow rate is solely dependent on a multitude of individual collectors each limited to 100K-200K flows per second. To reduce the volume, flow sampling or PSAMP is considered. Shortening the size of the flow tuple can also lead to less flows exported. The problem with many hardware implementations of NetFlow and IPFIX is that modifications to the tuple are not possible. Cisco and Plixer are the only vendors I know off that support this practice.

]]> Tags: distributed NetFlow collectors, distributed NetFlow solutions, netflow duplicator, netflow replicator, network traffic monitoring Related tags: enabling netflow, netflow ipfix, distributed netflow, overhead enabling, router overhead, netflow
, distributed NetFlow solutions, distributed NetFlow collectors, network traffic monitoring, netflow replicator, netflow duplicator

Follow me:

Related Entries

Building a NetFlow Cache: Exporting IPFIX - Mar 12, 2013

Amazon EC2 Monitoring: Network Performance - Jan 25, 2013

Nimsoft Service Desk Pricing: Distributed NetFlow Solutions - Sep 24, 2012

Ingress NetFlow or Egress NetFlow part 2 - Jun 22, 2012

How to roll out BYOD Security: Best Network Management - Apr 24, 2012

Migrating to Flexible NetFlow : BEST PRACTICES - Mar 08, 2012

Dropped NetFlow : Flow Sequence Numbers - Jan 29, 2012

TrackBacks | Comments | Tag with del.icio.us | Advanced NetFlow Traffic Analysis Home | Permalink: Router Overhead When Enabling NetFlow

Sponsored by the Call Center Outsourcing Community & the Virtual Contact Center Outsourcing Community

Cisco Wireless Controller NetFlow Configuration

Mon, 15 Apr 2013 05:39:00 -0500

Two months ago we started playing with the Cisco Wireless Controller NetFlow configuration and got it to export flows with NBAR support. Pretty cool stuff. We were given a Cisco 2500 series to play with and once we had flows going to our NetFlow analyzer, it became clear why this hardware is part of the Cisco AVC family of NetFlow capable solutions.

Here’s a break down on some of features as well as the hardware required for AVC support on the wireless controllers:

AVC works on traffic from Cisco APs in “Local Mode”, FlexConnect central switching and OEAP traffic.
AVC is based on port, destination and heuristics which allows reliable packet classification with deep visibility.
AVC looks into the initial setup of the client flow (first 10-20 packets) so loading on the controller system is minimal.
Available for all current generation Cisco controllers supporting v7.4 - Cisco 2504, 5508, WiSM2, Flex 7500 and 8500

Application Visibility and Control

Cisco Application Visibility and Control (AVC) solution is a suite of services that provides application-level classification, monitoring, and traffic control to improve application performance. It is available within the following hardware families:

Cisco Integrated Services Routers Generation 2 (ISR G2)
Cisco ASR 1000 Series Aggregation Service Routers (ASR 1000s)
Cisco Wireless LAN Controllers

The Cisco AVC Solution helps you:

Identify and classify over 1,000 applications by leveraging NBAR
Monitor next generation flow statistics such as response time, latency, jitter, and other application performance metrics
Export NetFlow version 9 or IP information export (IPFIX)
Set different QoS priorities based on application
Dynamically choose network paths based on performance

Cisco Wireless Controller NetFlow Configuration

The Cisco wireless controller NetFlow configuration is shown below.

A few minutes after our NetFlow analyzer started receiving the flows, I saved some reports and created a custom Cisco Wireless Controller NetFlow dashboard:

As one of my co-workers pointed out in his post on Cisco wireless NetFlow support these reports are a bit unique and won’t work with just any ol’ NetFlow collector. We had to create special provisions in our NetFlow reporting interface. This hardware exports 2 templates. One is the NBAR option template, the 2^nd is the actual flows which contain the following elements:

Client Source MAC : Key Field
Client Source IP : Key Field
SSID Name : Key Field
Application ID
Direction
Byte Count
Packet Count
In DSCP
Out DSCP
Last AP MAC

Notice anything missing?

]]> Tags: Cisco application visibility and control, Cisco Wireless Controller NetFlow Configuration, Cisco wireless netflow support, Netflow analyzer, Netflow collector, Netflow reporting Related tags: cisco wireless, wireless controller, controller netflow, netflow configuration, netflow analyzer, cisco
, Cisco Wireless Controller NetFlow Configuration, Cisco application visibility and control, Netflow analyzer, Netflow collector, Netflow reporting, Cisco wireless netflow support

Follow me:

Nimsoft Service Desk Pricing: Distributed NetFlow Solutions - Sep 24, 2012

Flexible NetFlow Configuration example for Performance Monitoring for TCP, VoIP and Cisco NBAR - Jul 12, 2012

Migrating to Flexible NetFlow : BEST PRACTICES - Mar 08, 2012

TrackBacks | Comments | Tag with del.icio.us | Advanced NetFlow Traffic Analysis Home | Permalink: Cisco Wireless Controller NetFlow Configuration

Sponsored by the Call Center Outsourcing Community & the Virtual Contact Center Outsourcing Community

Building a NetFlow Cache: Exporting IPFIX

Tue, 12 Mar 2013 16:28:49 -0500

Most engineers implementing NetFlow or IPFIX know how to get started. Where they sometimes stumble is in the area of a properly structured export with well thought out relationships between the templates. Today I want to provide an good example.

This post on building a NetFlow Cache and exporting IPFIX is pretty deep. For this reason, my prior post on Exporting NetFlow or IPFIX really should be reviewed first. A flow cache entry in a router or switch is built using the first packet between two hosts and the cache table is maintained for all active connections (i.e. flows). When a packet comes into the device, its tuple is compared to existing entries in the cache table. A match of the key fields triggers a flow entry update where packet, byte counts and perhaps other fields are incremented and updated. Packets that don’t match a flow entry are compared to policy (e.g. firewall or ACL rules) and are ultimately dropped or used to create new cache entries. Flow entries are exported to a flow collector periodically based on timers (I.e. Active Timeout) or flow behaviors.
When talking with a vendor about building out a flow cache, it is very important that we first establish what we want to export. For most vendor implementations, this decision is easy and they copy NetFlow v5. Some software developers however, want to take their flow export to another level and provide the very best in Network Traffic Monitoring metrics. To do this, a list of all the details that need to be exported should be created.

All of the data available in NetFlow v5
VoIP details on caller ID, Codec, Jitter and packet loss
Cloud service details on round trip time, URLs and deep packet inspection details that identify tricky applications like Skype, Webex and BitTorrent.
Interface names and speeds to avoid the reporting tools dependency on SNMP
Syslog and trap message details

The next step is to layout the IPFIX elements needed for each template. We have to use IPFIX because in all likelihood your company name isn’t Cisco and even if it is, the list includes elements that will end up being variable length fields such as URL and syslog details. These are, for all practical reasons, difficult to export using NetFlow v9. Let’s get started on IPFIX template creation and take the list above one item at a time. Each element name is preceded by an IANA or a dot separated vendor specific IE.

Be sure to take notice that IANA defined IEs are always the preference over vendor specific IEs. The vendor specific IEs are followed by the vendor Private Enterprise Number (PEN) (e.g. .32473).

A) Template: All of the data available in NetFlow v5/v9. This template is easy to define because all of the information necessary has been defined by IANA:

1 octetDeltaCount
2 packetDeltaCount
4 protocolIdentifier
5 ipClassOfService
6 tcpControlBits

Sent as 0 for non TCP traffic

7 sourceTransportPort
8 sourceIPv4Address
9 sourceIPv4PrefixLength
10 ingressInterface
11 destinationTransportPort
12 destinationIPv4Address
13 destinationIPv4PrefixLength
14 egressInterface
15 ipNextHopIPv4Address
16 bgpSourceAsNumber
17 bgpDestinationAsNumber
21 flowEndSysUpTime
22 flowStartSysUpTime
95 Application ID

This element causes another template below

148 Flow ID

This element is used to link to other templates

The above template is used for all protocols not sent by a more specific template. See below.

B) Template: VoIP details on caller ID, Codec, Jitter and packet loss. These elements are exported using a new template that contains meta data related to the flows exported above for the UDP real-time protocol (RTP). It contains the following IDs:

148 Flow ID

Links to the flow in A)

400.32473 Caller ID
401.32473 Codec
402.32473 Jitter
403.32473 Packet Loss

C) Template: Cloud service details on round trip time, URLs and deep packet inspection details that identify tricky applications like Skype and BitTorrent. These elements are exported using a meta data template similar to the one created in b). In this case however, the template is only used for TCP traffic and includes the following IDs:

148 Flow ID

Links to the flow in a)

501.32473 Round Trip Time
503.32473 URL

D) Template: Interface names and speeds to avoid the reporting tools dependency on SNMP:
- 10 ingressInterface
- 82 interfaceName
- 83 interfaceDescription
- 82.32473 ifSpeed

IMPORTANT: Always check with IANA for the IE before creating one with the company PEN! This helps guarantee wider acceptance from collectors built by different vendors and improves cross vendor reporting.

E) Template: Syslog and trap message details:
- 322 observationTimeSeconds
- 700.32473 Facility
- 701.32473 Severity
- 8 sourceIPv4Address
- 10 ingressInterface
- 12 destinationIPv4Address
- 704.32473 Message

F) Template: Application Name - This template provides the correlation between the application ID and the actual name of the application. There is an effort underway to standardize this export which would allow consistency across vendors.

95 Application ID

Links to the flow in a)

96 Application Name

With the templates above defined, it is time to find an IPFIX software solution that will export the data from your appliance. There are plenty of open source projects on the Internet that can do this. One favorite is IPFIXify which also takes care of the template refresh (e.g. every 1-5 minutes) that has to be reported periodically. IPFIXify also exports the RFC 5610 details. To learn more about the above process, consider purchasing my book on NetFlow and IPFIX titled Unleashing the Power of NetFlow and IPFIX.

]]> Tags: book on NetFlow and IPFIX, Building a NetFlow Cache, Exporting IPFIX, NetFlow and IPFIX, Network Traffic Monitoring Related tags: netflow ipfix, jitter packet, vendor specific, codec jitter, exported using, template
, book on NetFlow and IPFIX, Network Traffic Monitoring, Building a NetFlow Cache, Exporting IPFIX, NetFlow and IPFIX

Follow me:

Related Entries

Router Overhead When Enabling NetFlow - May 01, 2013

Amazon EC2 Monitoring: Network Performance - Jan 25, 2013

Ingress NetFlow or Egress NetFlow part 2 - Jun 22, 2012

How to roll out BYOD Security: Best Network Management - Apr 24, 2012

Migrating to Flexible NetFlow : BEST PRACTICES - Mar 08, 2012

Dropped NetFlow : Flow Sequence Numbers - Jan 29, 2012

TrackBacks | Comments | Tag with del.icio.us | Advanced NetFlow Traffic Analysis Home | Permalink: Building a NetFlow Cache: Exporting IPFIX

Sponsored by the Call Center Outsourcing Community & the Virtual Contact Center Outsourcing Community

Amazon EC2 Monitoring: Network Performance

Fri, 25 Jan 2013 22:20:55 -0500

We recently did a cost analysis where we considered outsourcing to Amazon’s EC2 (Elastic Computing Cloud) service and the topic of network performance monitoring among other issues came up. We considered the amount of bandwidth we would use as well as how we would monitor the quality of service our customers were gaining through our use of EC2 and the final decision was that Amazon EC2 was not of us.

Amazon EC2 services allow companies to create a server hosted by Amazon and manipulate it pretty much as if it were your own. Once configured, the server can either sit on the internet for remote access or a VPN can be setup to allow the Amazon hosted server to sit on your internal network. It is a great concept. To monitor network performance to and from the hosted server, we planned on installing the nProbe to monitor TCP connection times to all of our customers. This would allow us to trend metrics on round trip times (RTT) and gain metrics on the Cisco IP SLA monitors used to verify acceptable connection times.

The nProbe, similar to Cisco’s performance monitoring Flexible NetFlow technology for medianets, watches TCP handshakes to provide metrics on RTT. Understandably this technology is not ideal for long lived TCP connections as a 2nd TCP hand shake doesn’t occur during a long lived connection. In our implementation however, nearly all connections are short lived hence a technology leveraging TCP handshakes to calculate a RTT works fine if not ideal because the RTT measured is of the actual end user connection and not a synthetic transaction like when using IP SLA monitors. There is a great white paper on calculating latency with NetFlow and TCP flags.

Imagine leveraging a cloud service like salesforce.com and being able to gain metrics on every TCP connection. You would be able to gain insight on which remote offices, subnets and individuals within those groups are seeing the worse connection times. Being a network traffic monitoring company, we have grown accustom to always having this type of insight at our finger tips. The more we looked at the Amazon EC2 service offering the more attractive it became until we started crunching the numbers.

Because we maintain a network traffic baseline of current traffic patterns, we were able to calculate the Amazon EC2 costs times our expected bandwidth use for an entire year. The final figures were in favor of us buying a bigger server and having it hosted at our local service provider. We learned that although Amazon’s Elastic Computing Cloud is an attractive offering for many applications, it was not ideal for our specific use. The bandwidth our server would use made the switch to Amazon EC2 cost prohibitive.

We will certainly consider this service in the future and you can bet when we do, the use of Cisco Performance Monitoring and or the nProbe will be part of the solution. Learn more by watching the Network Performance Monitoring webcast.]]> Tags: amazon ec2 monitoring, flexible netflow, network performance monitoring, network traffic monitoring Related tags: performance monitoring, network performance, connection times, cloud service, network traffic, amazon
, network performance monitoring, flexible netflow, network traffic monitoring, amazon ec2 monitoring

Follow me:

Related Entries

Router Overhead When Enabling NetFlow - May 01, 2013

Building a NetFlow Cache: Exporting IPFIX - Mar 12, 2013

NetFlow Training Schedule for 2012 - Aug 11, 2012

Ingress NetFlow or Egress NetFlow part 2 - Jun 22, 2012

How to roll out BYOD Security: Best Network Management - Apr 24, 2012

Monitoring BYOD traffic with NetFlow - Mar 24, 2012

Migrating to Flexible NetFlow : BEST PRACTICES - Mar 08, 2012

Monitoring Video Performance with NetFlow - Feb 19, 2012

End to End Visibility : Network Flow Path - Feb 06, 2012

Dropped NetFlow : Flow Sequence Numbers - Jan 29, 2012

TrackBacks | Comments | Tag with del.icio.us | Advanced NetFlow Traffic Analysis Home | Permalink: Amazon EC2 Monitoring: Network Performance

Sponsored by the Call Center Outsourcing Community & the Virtual Contact Center Outsourcing Community

Enterasys Dragon: Intrusion Prevention System Log Analysis

Thu, 13 Dec 2012 21:37:08 -0500

Network threat detection solutions generally share some common attributes with routers, switches, firewalls and even servers. The one I want to focus on today is logging and specifically those from the Dragon Intrusion Prevention System. If we can get the machine messages, in this case syslogs, from all systems into a somewhat similar format and in one location, we can then correlate the data and look for events across systems even if they perform very different functions on the network. In the end, this will improve network visibility and security event awareness.

Most Intrusion Prevention Systems (IPS) export some type of machine log which contains all kinds of details related to the threats detected or that match certain criteria. Some IPS appliances are a bit more verbose and export details about every connection - kind of like NetFlow or IPFIX. For example the export from the Dragon IPS includes the details shown in the following figure:

Notice in the above that several fields are similar to that exported by NetFlow capable switches.

dragonEventDateTime
sourceIPv4Address
destinationIPv4Address
sourceTransportPort
destinationTransportPort
protocolIdentifier

The other fields that are enterprise specific to the IPS log export include:

dragonSensorName
dragonEventName
dragonEventDirection
dragonEventFlagsField
dragonEventHeader
dragonEventData

By leveraging IPFIXify, we can start exporting logs with IPFIX which supports a format similar to NetFlow. We can then trend the events that occurred over time. Compare this to a top applications report using NetFlow, sFlow or IPFIX:

By drilling in on one of the above Dragon “Event Names” or changing the report type, we can then view a report that looks very similar to another typical NetFlow trend. This is a great way to improve Dragon log reporting.

Collecting and warehousing all of the logs generated by network gear in a standard format ensure greater visibility and security across the enterprise because it means we point and search in one place.

]]> Tags: Dragon log reporting, exporting logs with IPFIX, Log Analysis, Netflow capable, Network threat detection solutions, switches Related tags: intrusion prevention, prevention system, dragon intrusion, visibility security, netflow, dragon
, Network threat detection solutions, exporting logs with IPFIX, Log Analysis, Dragon log reporting, Netflow capable, switches

Follow me:

Sponsored by the Call Center Outsourcing Community & the Virtual Contact Center Outsourcing Community

Next Generation Firewalls with Application Performance Monitoring In Mind

Sat, 01 Dec 2012 10:55:17 -0500

When choosing a next generation firewall, consumers are fortunate in that these appliances have an array of functions to choose from. Although the primary goal is a solution that will help the business protect the company’s crown jewels from Internet bots and other types of network threats, other features such as Application Performance Monitoring are a growing concern.

First is Security

With the constant introduction of new types of malware that is often capable of modifying its own communication behaviors, the firewall is without a doubt an organizations premier security layer against most types of threats. What capabilities make up a next generation firewall and why is it the most important network security layer maintained by just about every company connected to the cloud?

Years ago we only needed passwords and anti-virus software to protect ourselves from malware. With the introduction of the Internet came great freedoms and insight but, it also forced us to heighten our awareness. Network threats now come in many forms as well as motivations. Key loggers want the passwords to the sites you visit on-line (E.g. banks accounts) and Advanced Persistent Threats (APT) want your company’s intellectual property (E.g. customer lists, engineering designs). To provide deeper protection against these types of insidious threats, many Next-Generation Firewalls (NGF) include features previously only found in Intrusion Prevention Systems (IPS). These next generation firewalls can include features such as:

Deep Packet Inspection (DPI): were analysis on connections can even inspect SSL encrypted sessions for the deepest level of protection. DPI can also re-encrypt SSL traffic to allow security services to be applied to all traffic
Intrusion Protection System (IPS): helps prevent a comprehensive array of network and application layer threats by scanning packet payloads for exploits targeting critical internal systems
Content Filtering: blocks multiple categories of objectionable web content
Signature Scanning: watches every packet and scans for bit patterns or flow behaviors that match constantly updated signatures.
Application Intelligence: real-time insight and control of traffic which has been broken down by applications or even users or content. The prioritization of traffic headed for the Internet is critical to most businesses leveraging important bottom-line cloud services

Second is Application Performance Monitoring

I have found that the last point above is where next-generation firewalls start to separate themselves from the other players in the market. Features such as WAN acceleration and application prioritization are built-in features of the next generation firewalls that make it onto the short list of possible vendors. What then separates the men from the boys? Answer: The amount of support extended to Application Performance Monitoring (APM) seems like a natural feature that most of them would add yet, only one next generation firewall vendor actually delivers on application performance monitoring metrics and it is exported in the form of IPFIX.

IPFIX is the proposed standard for NetFlow and the technology that most firewall vendors are migrating to. Although nearly all enterprise class firewalls today support either NetFlow or IPFIX, not all of them export details on layer 7 applications, usernames, URLs, jitter and packet loss. Although some firewalls provide details such as “flow denied”, finding out exactly which ACL or specific policy blocked the flow can be cumbersome. The SonicWALL has clear advantages.

The ability to perform DPI and recognize layer 7 applications such as Salesforce.com, Webex or BitTorrent is just the beginning. How do we know if a cloud service such as VoIP is experiencing priority if the firewall doesn’t export details such as jitter or packet loss?

Above the SonicWALL Next-Generation Firewall not only provides details on packet loss and latency (I.e. jitter) it even provides caller ID. When a user calls the help desk complaining about voice quality to a remote office, you can bet they won’t know the IP address they were trying to reach but, they will be ready to recite the telephone number they had called. A firewall vendor claiming WAN optimization capabilities without Application Traffic Analytics isn’t ready to claim support for Application Performance Monitoring. SonicWALL is a clear leader in this area.

]]> Tags: Advanced persistent threats, Application performance monitoring, Intrusion Protection Systems, Key loggers, Network threats, Next generation firewall Related tags: performance monitoring, application performance, generation firewalls, generation firewall, network threats, application
, Next generation firewall, Application performance monitoring, Network threats, Advanced persistent threats, Key loggers, Intrusion Protection Systems

Follow me:

TrackBacks | Comments | Tag with del.icio.us | Advanced NetFlow Traffic Analysis Home | Permalink: Next Generation Firewalls with Application Performance Monitoring In Mind

Sponsored by the Call Center Outsourcing Community & the Virtual Contact Center Outsourcing Community

Palo Alto Networks NetFlow Export includes Firewall Event Field in PAN-OS 5.0

Sun, 25 Nov 2012 10:31:43 -0500

Palo Alto Networks is showing further commitment to NetFlow Reporting by including a Firewall Event element in PAN-OS 5.0. This new field will provide a few new advantages to Firewall Administrators. These improvements to their NetFlow export can be seen in multiple ways:
The ability to trend flows Deleted, Created or Denied for example allows administrators to gain visibility into historical baselines on how the Next Generation Firewall traditionally treats traffic headed for the internet.

If an abnormal spike or drop occurs in the above trend, administrators can drill in to find out what machines were involved and which applications were being used at the time. This data can also be bundled together with multiple firewalls to gain a more enterprise view of the corporate Internet behavior.

Administrators can use the above report to set thresholds on volumes of unacceptable 'denied' events. If a host causes connections in a way that violates a threshold, unacceptable rates of denied violations can trigger events which lead to notifications.

Administrators can also use the NetFlow Reporting solution to filter for a specific host which might be having trouble communicating through the Next Generation Firewall. They can then run a Palo Alto Networks 'Events' report to find out what specifically is in the end systems traffic that is causing a "Flow Denied" event to occur.

Configuring a Palo Alto Networks Firewall to export NetFlow is straight forward process and the value gained is considerable. Industry leading NetFlow features include:

Application Awareness: They use Deep Packet Inspection (DPI) to identify and separate applications that share ports such as TCP 80.
Username: If users have to authenticate with Active Director or LDAP, the firewall can tie the username to the flows. This eases trouble shooting efforts during times of forensic analysis.
Network Address Translation: This can be a big time saver when trying to find out what an IP address was internally before it was NAT'ed by the firewall.
Firewall Event: The newest edition to their export provides the values outlined above.
Syslog Correlation with NetFlow: The message log exported by the firewall can be formatted into IPFIX and correlated with the NetFlow data to ensure speedy identification of potential attacks

Vendors recognize that Flow technology is a primary feature necessary to be a contender in the Next Generation Firewall space. Clearly Palo Alto Networks understands which features matter most and has moved quickly to service the needs of their customer base and has partnered with Plixer to bring them to market.

The combined Plixer and Palo Alto solution also includes:

Host reputation monitoring
Enterprise application usage and performance monitoring
Mitigation of evolving threats
Audit trails of all internal and external traffic
The very best in network performance reporting

With thousands of customers, Scrutinizer plays a key role across global 2000 enterprises and governments. Scrutinizer can detect zero-day types of malware including APT attacks.

]]> Tags: Firewall Event, Netflow reporting, Next Generation Firewall, Palo Alto NetFlow Partner, Palo Alto Networks, Palo Alto Pan OS 5.0 Related tags: firewall event, generation firewall, netflow reporting, netflow export, firewall, netflow
, Firewall Event, Netflow reporting, Palo Alto Networks, Next Generation Firewall, Palo Alto NetFlow Partner, Palo Alto Pan OS 5.0

Follow me:

Next Generation Firewalls with Application Performance Monitoring In Mind - Dec 01, 2012

Nimsoft Service Desk Pricing: Distributed NetFlow Solutions - Sep 24, 2012

Migrating to Flexible NetFlow : BEST PRACTICES - Mar 08, 2012

TrackBacks | Comments | Tag with del.icio.us | Advanced NetFlow Traffic Analysis Home | Permalink: Palo Alto Networks NetFlow Export includes Firewall Event Field in PAN-OS 5.0

Sponsored by the Call Center Outsourcing Community & the Virtual Contact Center Outsourcing Community

IPFIX Vendors should implement RFC 5610

Wed, 07 Nov 2012 22:08:14 -0500

This is a call to all the great companies to date that have implemented IPFIX. It is clear that IPFIX is the next generation protocol for to be included with most network monitoring solutions and for this reason, I'd like this companies and those considering IPFIX to include support for RFC 5610 or some similar sort of technology. Without support for this RFC, deciphering new elements is nearly impossible. The situation IPFIX collector vendors are facing is similar to trying to look decipher traps or browse OIDs without a MIB file.

Below is a template being received from a device where the IPFIX collector does not know how to interpret a field. Notice the 2nd column below '13745_33071' :

You can see above that the data in this field did not get translated to the proper format. Support for RFC 5610 allows vendors to export details pertaining the element IDs contained within the templates. If exported by each IPFIX vendor, the collector could read in the RFC 5610 template and know how to display the contents held within each vendor specific element. BTW: those numbers in the column header stand for:

13745 = plixer
33071 = unique element ID

Notice that the value above shows up as a square. This is because our IPFIX collector didn't know how to decode this data which resulted in our front end trying to display the binary information. Without a RFC 5610 template, we have to tell another developer how to decode the value which allows the front end to display it like this:

Notice the new column above 'object_id' (i.e. 13745_33071). This is the ID of the object being polled. Without RFC 5610 support we are stuck in a situation like we are with SNMP. We have to find and compile the SNMP MIB before we can understand the OID that is in the SNMP trap. Folks, we are repeating a not so good portion of history if we don't start implementing RFC 5610. Right now we have to call the vendor, support doesn't know what we are talking about, they call us back, they set a meeting time with the product manager. The product manager doesn't know what we are talking about. The product manager reaches out to the developer who creates a file which is shared with us. This file tells us how to hard code into our collector how to interpret the vendor specific elements. It's tiring and unnecessary.

I really don't want to see the efforts of Boschi, Trammell, Hitachi Europe, Mark, Fraunhofer IFAM, Zseby and Fraunhofer FOKUS go in vain. Please contact us if your company would like to consider implementing RFC 5610. We have experience with the release of IPFIXify which is a gateway for translating syslogs, event logs and SNMP traps to IPFIX.

]]> Tags: Element ID, IPFIX collector, Network monitoring, RFC 5610 Related tags: product manager, ipfix collector, vendor specific, ipfix, support, collector
, IPFIX collector, RFC 5610, Element ID, Network monitoring

Follow me:

Related Entries

Ingress NetFlow or Egress NetFlow part 2 - Jun 22, 2012

Ingress NetFlow or Egress NetFlow part 1 - May 31, 2012

Monitoring BYOD traffic with NetFlow - Mar 24, 2012

TrackBacks | Comments | Tag with del.icio.us | Advanced NetFlow Traffic Analysis Home | Permalink: IPFIX Vendors should implement RFC 5610

Sponsored by the Call Center Outsourcing Community & the Virtual Contact Center Outsourcing Community

Log Management Solutons

Sun, 14 Oct 2012 22:03:39 -0500

Here is some good news for the log management software industry: appliance vendors exporting machine messages (e.g. syslog, SNMP Traps, Event Logs, NetFlow, etc.) can now export everything in one common format using IPFIX. This technology has been around for years and allows vendors to export machine messages in a structured format. Unlike traditional logs which are unstructured, IPFIX messages are much easier to save to a database and query. Experienced system admins know that the problem they face when trying to manage logs or analyze logs is often the sheer volume. Most log analyzer tools start to choke under a massive volume. IPFIX is a technology break through that solves scalability issues for most consumers. Cisco ASA syslog reporting can be improved by exporting the messages as IPFIX as shown below:

Log collection and processing companies understand that collecting massive amounts of messages is the easy part. Pouring and sifting through the data to perform investigative routines or some type of security log analysis can bring many log reporting systems to their knees. Often times the primary reason extreme processing power is needed to compile the results is due to the unstructured nature of the messages piles.

When I was a kid and my mom asked me to fold 3 loads of laundry that had been piled onto the couch, I often sorted it first into categories so that things like matching ‘white’ socks became an easier task. Well, if you apply this logic to log management, it makes sense to put all messages into some type of similar log structure. By using something like IPFIX to format and export the messages, the logs can be queried easier which ultimately results in much faster processing times for applications such as Splunk and Scrutinizer.

IPFIX has benefits over other message types (syslogs, SNMP Traps, event logs, etc.) because it breaks up the messages into well-defined elements. For example, if we are breaking apart syslogs, facility and severity would be two different elements. Also, inside a syslog is the actual message which is typically a variable length text string. In that text string, the order of the contents can differ greatly between vendors not to mention lack of delimitation to determine how the different portions of the message should be separated. Basically, this portion of the message is the wild west where vendors export anything they want. This unstructured format is what can lead to error prone slow queries. Some Splunk issues are caused by this.

IPFIX still allows vendors to export anything they want but, they have to do it neatly, orderly and specify the format and contents of the data by putting it into elements. Many elements are standardized in fact, there are hundreds of them. IPFIX exporting Vendors look for standard elements before they start specifying unique ones. This is what we mean by structured data. A structured data query looks for something like all messages that include an IP address of 10.1.1.5. With IPFIX, there is only one element across all vendors that carries this field. With syslogs, traps and event logs, the query has to go looking for the IP address in each message. This leads to slow queries and missed messages. In accurate and slow reports is not what you want.

If you don’t have the luxury of being able to take advantage of IPFIX, you have a couple of options:

IPFIXify - is a free utility that allows hardware vendors and end consumers to export anything they want via IPFIX. For example, it can be installed on Microsoft servers to export event logs or it can be run as a service on any 64 bit OS and using a configuration file, it will export all machine logs as IPFIX.
Flow Replicator – is an appliance which acts as a gateway for machine messages. For example, it rips apart syslogs and event logs and sends them off in structured format inside IPFIX datagrams to a collector like Scrutinizer for further processing.

Below is a diagram outlining a typical configuration.

Cisco Systems and SonicWALL were some of the first vendors to take advantage of IPFIX for the above purpose. Make sure you keep your ears open for this emerging technology.

]]> Tags: analyze logs, log analyzer, Log management, log management solutions, log reporting systems, manage logs, security log analysis, splunk issues Related tags: vendors export, export anything, machine messages, traps event, advantage ipfix, ipfix
, Log management, log management solutions, manage logs, analyze logs, log analyzer, security log analysis, log reporting systems, splunk issues

Follow me:

Related Entries TrackBacks | Comments | Tag with del.icio.us | Advanced NetFlow Traffic Analysis Home | Permalink: Log Management Solutons

Sponsored by the Call Center Outsourcing Community & the Virtual Contact Center Outsourcing Community

Nimsoft Service Desk Pricing: Distributed NetFlow Solutions

Mon, 24 Sep 2012 10:11:34 -0500

The Nimsoft Service Desk claims that it will allow you to coordinate and accelerate incident response and proactive IT management. This of course will in turn increase user satisfaction, reduce costs, and help meet business objectives. In many cases when vendors like Nimsoft (owned by Computer Associates) try to provide the all-encompassing solution, they sometimes turn to best of breed vendors like Plixer to provide highly specialized solutions to address specific areas of IT. In this case: NetFlow and IPFIX.

In the past, the Nimsoft support team in sales relied on Scrutinizer to provide the NetFlow reporting capability in NimBus.

Scrutinizer NetFlow Analyzer helped address one of the Nimsoft problems when it came to NetFlow analysis. Apparently the NetQoS solution which is also owned by Computer Associates was too expensive at the time for some customers. Zenoss, Spiceworks and Uptime Devices also leverage Scrutinizer for NetFlow collection.

One of the many keys to large scale NetFlow Deployments today is in distributed NetFlow solutions. Plixer aims to aid partners and OEM vendors once again by releasing an enhanced distributed NetFlow, sFlow and IPFIX architecture. With each Scrutinizer collector receiving over 100K flows per second, Plixer aims to exceed 3 million flows per second.

Nimsoft customers can contact Plixer with technical questions on the integration between the two products.

]]> Tags: distributed NetFlow solutions, netflow reporting, Nimsoft problems, nimsoft service desk, nimsoft service desk pricing, nimsoft support Related tags: distributed netflow, computer associates, nimsoft service, owned computer, scrutinizer netflow, netflow
, nimsoft service desk, nimsoft service desk pricing, nimsoft support, netflow reporting, Nimsoft problems, distributed NetFlow solutions

Follow me:

Related Entries

Router Overhead When Enabling NetFlow - May 01, 2013

Cisco Wireless Controller NetFlow Configuration - Apr 15, 2013

Palo Alto Networks NetFlow Export includes Firewall Event Field in PAN-OS 5.0 - Nov 25, 2012

Migrating to Flexible NetFlow : BEST PRACTICES - Mar 08, 2012

TrackBacks | Comments | Tag with del.icio.us | Advanced NetFlow Traffic Analysis Home | Permalink: Nimsoft Service Desk Pricing: Distributed NetFlow Solutions

Sponsored by the Call Center Outsourcing Community & the Virtual Contact Center Outsourcing Community

NetFlow Training Seminar: NetFlow University

Tue, 04 Sep 2012 10:37:08 -0500

Are you looking to attend a NetFlow training seminar or a NetFlow University? There are two companies offering these types of courses and both offer Cisco CPE credits toward Cisco Certification.

The first course is an Advanced NetFlow Training course offered by Plixer. The Agenda is as follows:

Troubleshooting the network with NetFlow
- Optimizing BYOD & cloud services
- NetFlow Sizing (NetFlow Calculator)
- Finding specific traffic by leveraging filters
- Leveraging identity aware flow data
- Network Access Translation
- Cisco ASA, Catalyst Switches, ISRs and other hardware vendors
Internal network threat detection with NetFlow
- Tuning behavior algorithms (e.g. DDos, Excessive SYNs, etc.)
- Creating custom monitors
- Hunting through the data, finding a breach, where did it come from?
- Tracking all lateral movements of a threat
- IP host reputation monitoring
- Event correlation and setting notifications
NetFlow replication
- Scaling NetFlow collection
- Distributed collection
- Flow deduplication and stitching
Configure Flexible NetFlow
Generate traffic within the lab
View resulting NetFlow reports and alerts
Leveraging new NetFlow and IPFIX technologies
- NBAR2
- Performance Monitoring (Medianet)
- Performance Routing
- Performance Agent
- Smart Logging Telemetry
- Cisco TrustSec
Q&A

The Plixer class is not a sales pitch. It covers what is possible with NetFlow as well as where the technology is going “The Future of NetFlow”.

The second course “University of NetFlow” is offered by Lancope and is an introductory course on how to configure NetFlow. It covers the basics:

Gain end-to-end visibility into all application and network traffic across physical and virtual networks
Gain real-time overview of network usage, network performance and host integrity
Identify what is actually happening on your network (when and by whom)
Pinpoint zero-day and unknown threats that bypass perimeter security
Demonstrate Faster Incident Resolution & detailed Forensic data
Demonstrate Compliance
Regain network visibility lost through MPLS migrations
Pro-actively monitor for threats impacting network performance and application availability
Profile hosts to specify allowed service usage and alarm on disallowed usage or out of profile conditions
Gain a better understanding of the impact of new application and service deployments

Source: Lancope.com

Both are hands on courses from successful companies. If you have any questions, reach to our instructors, as they have experience with both courses. Learn more about Lancope Competitors.

]]> Tags: Lancope NetFlow Seminar, NetFlow Calculator, NetFlow Training Seminar, NetFlow University, Threat detection with NetFlow, University of NetFlow Related tags: netflow training, netflow university, sales pitch, training seminar, network performance, netflow
, NetFlow University, Lancope NetFlow Seminar, University of NetFlow, NetFlow Training, NetFlow Calculator, Threat detection with NetFlow, lancope competitors

Follow me:

TrackBacks | Comments | Tag with del.icio.us | Advanced NetFlow Traffic Analysis Home | Permalink: NetFlow Training Seminar: NetFlow University

Sponsored by the Call Center Outsourcing Community & the Virtual Contact Center Outsourcing Community

NetFlow Training Schedule for 2012

Sat, 11 Aug 2012 12:07:28 -0500

The 2012 NetFlow Training Schedule has been posted and the agenda looks to provide a thorough overview on what is possible with NetFlow and IPFIX technologies. Some NetFlow seminars are really a sales pitch to push the vendor solution. This NetFlow training course focuses on the latest Cisco Flexible NetFlow exports as well as the industry trend toward IPFIX.

This course is not limited to Cisco and includes VMware NetFlow training as well as flows exported from Palo Alto, SonicWALL and other firewalls.

The agenda covers:

8:30 - 9:00 am Registration and Breakfast 9:00 - 10:15 am Welcome and Introductions

Introduction to Cisco NetFlow, IPFIX & sFlow
What devices support NetFlow and IPFIX
Methods of collection and distribution

10:15 - 10:30 am Break / Networking 10:30 - 11:45 am NetFlow Impact on the Network/Devices

Troubleshooting the network with NetFlow
- Optimizing BYOD & cloud services
- Finding specific traffic by leveraging filters
- Leveraging identity aware flow data
- Network Access Translation
- Cisco ASA, Catalyst Switches, ISRs and other hardware vendors
Internal network threat detection with NetFlow
- Tuning behavior algorithms (e.g. DDos, Excessive SYNs, etc.)
- Creating custom monitors
- Hunting through the data, finding a breach, where did it come from?
- Tracking all lateral movements of a threat
- IP host reputation monitoring
- Event correlation and setting notifications
NetFlow replication
- Scaling NetFlow collection
- Distributed collection
- Flow deduplication and stitching

11:45 - 1:00 pm Lunch

Lunch provided by Plixer International

1:00 - 4:30 pm Hands-on NetFlow Lab

Configure Flexible NetFlow
Generate traffic within the lab
View resulting NetFlow reports and alerts
Leveraging new NetFlow and IPFIX technologies
- NBAR2
- Performance Monitoring (Medianet)
- Performance Routing
- Performance Agent
- Smart Logging Telemetry
- Cisco TrustSec
Q&A

2:00 - 2:15 pm Break / Networking 4:30 pm Dismissal

This NetFlow class is offered in the following Cities:

Washington DC
Houston, TX
Los Angeles, CA
Pittsburgh, PA
Seattle, WA
Tampa, FL
San Jose, CA
Salt Lake, UT
Cincinnati, OH
Dallas, TX
Edison, NJ
Detroit, MI
Raleigh, NC

Come learn from the experts in NetFlow as this cause is taught by Tom Pore, Adam Powers (formerly of Lancope) and Michael Patterson.

This class covers some of the basics of NetFlow right up to the latest and greatest in Flexible NetFlow and IPFIX.

]]> Tags: Flexible netflow, Ipfix, Netflow class, Netflow seminar, Netflow training Related tags: netflow ipfix, netflow training, flexible netflow, break networking, training schedule, netflow
, Netflow training, Netflow seminar, Netflow class, Flexible netflow, Ipfix

Follow me:

Monitoring BYOD traffic with NetFlow - Mar 24, 2012

Monitoring Video Performance with NetFlow - Feb 19, 2012

End to End Visibility : Network Flow Path - Feb 06, 2012

TrackBacks | Comments | Tag with del.icio.us | Advanced NetFlow Traffic Analysis Home | Permalink: NetFlow Training Schedule for 2012

Sponsored by the Call Center Outsourcing Community & the Virtual Contact Center Outsourcing Community

Flexible NetFlow Configuration example for Performance Monitoring for TCP, VoIP and Cisco NBAR

Thu, 12 Jul 2012 19:54:14 -0500

Here is a sort of generalized FnF – Flexible NetFlow configuration where I created a TCP class that includes all TCP traffic. I don't normally recommend this as typically I would identify the business applications that I want to track with performance monitor and create classes for monitoring each. If all TCP latency is desired, this should work fine. Also, this FnF configuration is based on IOS 15.2(2)T and includes Cisco NBAR configuration details as well. If an earlier IOS is being used, ignore the error when creating the flow records. Reports should still work well if of course you have the best NetFlow reporting solution.

!define standard FnF record
flow record nbar-mon
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match interface output
match flow direction
match application name
collect datalink dot1q vlan input
collect datalink dot1q vlan output
collect datalink mac source address input
collect datalink mac source address output
collect datalink mac destination address input
collect datalink mac destination address output
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 id
collect ipv4 source prefix
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp flags
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
!

!define specific record for TCP flows
flow record type performance-monitor TCP
match ipv4 protocol
match ipv4 source address
match ipv4 source prefix
match ipv4 destination address
match ipv4 destination prefix
match transport source-port
match transport destination-port
collect routing forwarding-status
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 ttl
collect ipv4 source mask
collect ipv4 destination mask
collect transport round-trip-time
collect transport event packet-loss counter
collect interface input
collect interface output
collect counter bytes
collect counter packets
collect counter bytes rate
collect timestamp interval
collect application name
collect application media bytes counter
collect application media packets rate
collect application media event
collect monitor event
!
!Define record for VOIP flows
flow record type performance-monitor RTP
match ipv4 protocol
match ipv4 source address
match ipv4 source prefix
match ipv4 destination address
match ipv4 destination prefix
match transport source-port
match transport destination-port
match transport rtp ssrc
collect routing forwarding-status
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 ttl
collect ipv4 source mask
collect ipv4 destination mask
collect transport packets expected counter
collect transport packets lost counter
collect transport packets lost rate
collect transport event packet-loss counter
collect transport rtp jitter mean
collect transport rtp jitter minimum
collect transport rtp jitter maximum
collect interface input
collect interface output
collect counter bytes
collect counter packets
collect counter bytes rate
collect timestamp interval
collect application name
collect application media bytes counter
collect application media bytes rate
collect application media packets counter
collect application media packets rate
collect application media event
collect monitor event

!define exporter
flow exporter export-to-scrutinizer
description FNF v9
destination x.x.x.x
source XXXXXXX !interface
transport udp 2055
option interface-table
option application-table

!create VOIP flow monitor
flow monitor type performance-monitor RTP
description RTP stats
record RTP
exporter export-to-scrutinizer
!
!create TCP flow monitor
flow monitor type performance-monitor TCP
description TCP stats
record TCP
exporter export-to-scrutinizer

!Standard FnF Monitor
flow monitor nbar-mon
description app traffic analysis
exporter export-to-scrutinizer
cache timeout active 60
record nbar-mon

!create access list to filter TCP only
access-list 100 permit tcp any any

!create class to match voice traffic. "Cisco-Phone" usually means standard RTP voice traffic. Those 3 items should catch all the voice and video.
class-map match-any realtime
match protocol rtp audio
match protocol rtp video
match protocol cisco-phone

!use TCP ACL to create a class map
class-map match-any TCP-class
match access-group 100

policy-map type performance-monitor RTPMON
!Apply monitors to perfotmance monitor Policy-Map
class realtime
   flow monitor RTP
   monitor parameters
    interval duration 10
    flows 100
class TCP-class
   flow monitor TCP
   monitor parameters
    flows 1000

!Apply ingress/egress monitors to an interface. Egress (output) commented out unless needed.
interface XXXXXX
service-policy type performance-monitor input RTPMON
!service-policy type performance-monitor output RTPMON
ip flow monitor nbar-mon input
!ip flow monitor nbar-mon output

If you are looking for the best flexible NetFlow reporting tool, you will find the leader in NetFlow within the "Medianet 2.2 Deployment Guide". Our NetFlow Analyzer can be found on page 7,8,10 & 11.

Our company is a Cisco NetFlow partner for Medianet also known as Performance Monitoring because our system provides flexible filtering and sorting with Customizable Reports on the latest flow exports (e.g. Jitter , latency).   Please let me know is you have any questions about the above configuration.

]]> Tags: best NetFlow reporting solution, Cisco NBAR configuration, Cisco NetFlow partner, flexible NetFlow configuration, Jitter, NetFlow Analyzer Related tags: performance monitor, application media, portmatch transport, destination addressmatch, transport source, monitor
, best NetFlow reporting solution, flexible NetFlow configuration, Cisco NBAR configuration, NetFlow Analyzer, Cisco NetFlow partner, Jitter

Follow me:

TrackBacks | Comments | Tag with del.icio.us | Advanced NetFlow Traffic Analysis Home | Permalink: Flexible NetFlow Configuration example for Performance Monitoring for TCP, VoIP and Cisco NBAR

Sponsored by the Call Center Outsourcing Community & the Virtual Contact Center Outsourcing Community

Ingress NetFlow or Egress NetFlow part 2

Fri, 22 Jun 2012 11:24:01 -0500

Switching from Ingress to Egress

Don't forget to read Ingress or Egress NetFlow part 1 first. What if you wake up one morning and announce to your network traffic monitoring team that for several reasons, you want to export both ingress and egress NetFlow on a few of the Cisco Routers. What will the network monitoring gurus say? Hmmmm...... Probably nothing.

The IT staff may not really care about your early morning epiphany however the NetFlow analyzer may have decided to display the data differently. Think about this: for months you have been reporting on outbound data using ingress metered NetFlow or IPFIX and now you want to display outbound utilization using egress metered NetFlow. What about the saved history in the database? All of the history is saved as ingress. Now the direction bit is flipped and you want to display outbound utilization using egress flows.

Fast forward: after a two weeks of collecting egress flows you've decided to run a NetFlow trend on outbound traffic for the last 30 days. This would cross the date line of switching from ingress to egress. What would happened in the front end of the network monitoring and reporting tool? Contact your NetFlow Vendor to find out.

Finally, there are a few different reasons to export egress NetFlow and I've heard ideas from several NetFlow experts that their hardware may end up exporting bidirectional flows in the future as this helps avoid the ingress Vs. egress discussion. Some flows like SonicWALL IPFIX exports already include bidirectional flows where a single flow contains both ingress and egress monitored traffic. Finally, I don't want to leave anyone out so I should mention that other vendors support egress as well (e.g. Adtran).