Plug a Hole in Cisco's NetFlow Coverage

By Drew Robb | Dec 17, 2009 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3854196/Plug-a-Hole-in-Ciscos-NetFlow-Coverage.htm

Netflow has changed since Cisco first introduced it. To get the maximum security benefit from this useful protocol, make sure collectors operating on your network are able to collect, analyze and store Flexible NetFlow templates and data.


Cisco dominates the networking hardware market, and with its Adaptive Security Appliance (ASA) it is looking to extend its reach into network security. The ASA, however, can introduce a security issue. The appliance supports both Simple Network Management Protocol (SNMP) and Flexible NetFlow, both of which can provide essential information on security threats. However, most NetFlow monitoring vendors support only earlier versions of NetFlow, not Flexible NetFlow, and thus they are blind as to the source of threatening packets.

NetFlow, originally released as part of Cisco's Internetwork Operating System (IOS) and now also used by other switch and router vendors, provides certain information on the packets flowing through a port. The network device gathers the data and exports it to a server running software to collect and report on the NetFlow data (i.e., the Collector).

Flexible NetFlow - an extension of NetFlow v.9 - allows administrators to specify the fields they want to gather on the packet flows. It provides enhanced optimization, reduces costs, and improves capacity planing and security detection beyond traditional flow technologies. For the ASA appliances, it solves the problem of Network Address Translation (NAT), which makes it appear that all the traffic is coming from a single host - the firewall.

Read "Plugging the Cisco ASA Security Hole" at Enterprise IT Planet