Wednesday, July 13, 2016

Netflow Collectors

One of the big topics currently in Cisco's security track is NetFlow.  According to Cisco, "NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing."  With all of its known, and yet to be discovered, uses, there's no doubt that NetFlow will continue to be a big part of Cisco's security exams for the foreseeable future, and it may well find its way into other tracks if it isn't there already.

NetFlow, and its industry-standard sibling IPFIX, differ from the average technology in that you cannot immediately see the results of your work in the lab when you enable them on one or more routers.  When you deploy a routing protocol, you will see network routes appear in other routers, but when you deploy NetFlow, nothing noticeable happens on your routers: the flow records are exported to another host rather than displayed locally.  Instead, you need to use a NetFlow collector.  Cisco lists a few freely available collectors on their site, but the list is incomplete to say the least.  So in this post, I'll go over a couple that I've used in the past.
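The quickest way to make the point above tangible is to catch the exported datagrams yourself. What follows is an added example, not code from the original post or from any of the collectors it covers: a minimal NetFlow v5 collector in Python that decodes the fixed 24-byte header and 48-byte flow records, drops truncated or non-v5 datagrams, watches the flow sequence number for lost exports, and ranks sources by bytes sent. The UDP port 2055, the function names and the sample datagram are assumptions and constructed input; the byte layouts are the published NetFlow v5 format.

```python
"""Minimal NetFlow v5 collector (added example; not from the original post
or from AlienVault/Scrutinizer/PRTG).  Parses v5 datagrams and summarises
them; SAMPLE_DATAGRAM at the bottom is constructed input, not captured data."""
import socket
import struct
from collections import Counter

# Fixed-size v5 layouts, network byte order (Cisco NetFlow v5 export format).
NFV5_HEADER = struct.Struct(">HHIIIIBBH")             # 24 bytes
NFV5_RECORD = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")  # 48 bytes


def _ip2int(dotted):
    return struct.unpack(">I", socket.inet_aton(dotted))[0]


def _int2ip(n):
    return socket.inet_ntoa(struct.pack(">I", n))


def parse_v5(datagram):
    """Return (header, records) for one v5 datagram; raise ValueError on
    anything malformed so the caller drops it instead of trusting it."""
    if len(datagram) < NFV5_HEADER.size:
        raise ValueError("shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = NFV5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if count > 30:  # the v5 format carries at most 30 records per datagram
        raise ValueError("implausible record count %d" % count)
    needed = NFV5_HEADER.size + count * NFV5_RECORD.size
    if len(datagram) < needed:
        raise ValueError("header claims %d records, only %d bytes present"
                         % (count, len(datagram)))
    header = {"version": version, "count": count, "sys_uptime_ms": sys_uptime,
              "unix_secs": unix_secs, "flow_sequence": flow_seq,
              "engine_id": engine_id,
              # top 2 bits = sampling mode, low 14 bits = sampling interval
              "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        f = NFV5_RECORD.unpack_from(datagram, NFV5_HEADER.size + i * NFV5_RECORD.size)
        records.append({"src": _int2ip(f[0]), "dst": _int2ip(f[1]),
                        "nexthop": _int2ip(f[2]), "in_if": f[3], "out_if": f[4],
                        "packets": f[5], "octets": f[6],
                        "first_ms": f[7], "last_ms": f[8],
                        "sport": f[9], "dport": f[10],
                        "tcp_flags": f[12], "proto": f[13]})
    return header, records


def top_talkers(records, n=5):
    """Source addresses ranked by bytes sent: the first report most people want."""
    bytes_by_src = Counter()
    for r in records:
        bytes_by_src[r["src"]] += r["octets"]
    return bytes_by_src.most_common(n)


def build_v5(flows, unix_secs=1468368000, flow_seq=0):
    """Pack (src, dst, proto, sport, dport, packets, octets) tuples into a v5
    datagram.  Used here only to construct sample input for the parser."""
    hdr = NFV5_HEADER.pack(5, len(flows), 0, unix_secs, 0, flow_seq, 0, 0, 0)
    body = b"".join(
        NFV5_RECORD.pack(_ip2int(s), _ip2int(d), 0, 1, 2, pk, oc, 0, 0,
                         sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, pr, sp, dp, pk, oc in flows)
    return hdr + body


# Constructed sample: three flows as a lab router might export them.
SAMPLE_DATAGRAM = build_v5([
    ("10.0.0.5", "192.0.2.10", 6, 51234, 443, 10, 6000),
    ("10.0.0.7", "192.0.2.20", 17, 53000, 53, 2, 200),
    ("10.0.0.5", "198.51.100.9", 6, 51235, 22, 30, 15000),
])


def serve(bind="0.0.0.0", port=2055):
    """Listen for exporters and print each flow; tracks flow_sequence per
    exporter so that dropped export datagrams show up as gaps."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    expected_seq = {}
    while True:
        data, (exporter, _) = sock.recvfrom(65535)
        try:
            hdr, recs = parse_v5(data)
        except ValueError as err:
            print("dropping datagram from %s: %s" % (exporter, err))
            continue
        if exporter in expected_seq and hdr["flow_sequence"] != expected_seq[exporter]:
            print("%s: sequence gap, ~%d flows lost"
                  % (exporter, hdr["flow_sequence"] - expected_seq[exporter]))
        expected_seq[exporter] = hdr["flow_sequence"] + hdr["count"]
        for r in recs:
            print("%s %s:%d -> %s:%d proto=%d bytes=%d" % (exporter, r["src"],
                  r["sport"], r["dst"], r["dport"], r["proto"], r["octets"]))


if __name__ == "__main__":
    hdr, recs = parse_v5(SAMPLE_DATAGRAM)
    print("%d flows, sequence %d" % (hdr["count"], hdr["flow_sequence"]))
    for src, octets in top_talkers(recs):
        print("%-16s %8d bytes" % (src, octets))
    # serve()  # uncomment to collect from real exporters on UDP 2055
```

To feed it from a Cisco IOS router, the classic configuration is `ip flow-export version 5` and `ip flow-export destination <collector-ip> 2055` globally, plus `ip flow ingress` on each interface you want accounted, where `<collector-ip>` is whichever host runs `serve()`. Keep in mind that NetFlow export is plain UDP with no authentication, so anything that can reach the collector port can inject flows; restrict the port to your exporters' addresses and treat the sequence-gap messages as a sign of either drops or something unexpected talking to the collector.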

The first collector that I used was AlienVault.  AlienVault is a freely available SIEM system based on their OSSIM technology.  At my previous job, we used AlienVault for server monitoring, network packet sniffing and vulnerability scanning, so it only seemed natural to start experimenting with its NetFlow collection capability to supplement what we were already doing with it.  AlienVault comes as an .iso installer, which appears to be built on a Debian or Ubuntu platform.

However, for someone who isn't already using AlienVault, there's quite a learning curve involved, as you would expect given all that it does.  You don't simply install it and then point your NetFlow exporters in its general direction.  Because of this, it's hard to recommend as a NetFlow collector unless you're also looking to get started with SIEM or already know the platform.  Because it was the only collector I knew of initially, I dragged my heels for a while before digging into NetFlow, even though I already knew the platform.  Still, the price is right for a SIEM platform that does NetFlow, packet capture, IDS via Snort, SNMP, syslog, and dozens of other things, and even makes an attempt to correlate data from all of these disparate sources.

Next is the second collector I came across, Plixer's Scrutinizer.  The free edition comes recommended by Keith Barker in the CCNP Security series.  With the free edition, you can collect flows in nearly all versions of NetFlow, sFlow, IPFIX and others from an unlimited number of devices, create filters on the fly, and produce reports in a number of different formats.  The catch is that with the free edition you can only work with data from the past 5 hours, and you're limited to 10k flows/second.  All in all, a great option for the lab, since those limits shouldn't bother you at all and so many features are still enabled.  You get Scrutinizer as a virtual machine appliance in either VMware or Hyper-V format.  While I have not tried to deploy it in VirtualBox, I can't imagine that you won't be able to get it to work there with little to no effort, as it runs on CentOS.

Lastly, based on the recommendation of a friend, I tried out Paessler's PRTG Network Monitor.  All the expected bells and whistles are here, which can be easily verified by looking at the manual, which weighs in at 3152 pages, but where PRTG differs from AlienVault and Scrutinizer is that it runs on Microsoft Windows.  While Windows Server 2012 R2 is recommended (and is where I'm running it currently), it will install and function on any version of Windows from 7 up.  Yes, you can run it on a desktop.  While this makes no difference to me, I know a lot of people are allergic to Linux.  The system requirements are much lighter as well: a simple deployment for approximately 100 devices only calls for 2 CPU cores, 3GB RAM, and 250GB of disk space for 1 year of data retention.

While these three are far from the only NetFlow collectors out there for labbers, they are the only three that I've personally used.  A lot of people swear by SolarWinds Real-Time NetFlow Traffic Analyzer and nProbe, and if your Wireshark skills are strong, you theoretically don't even need a collector, since Wireshark dissects NetFlow and IPFIX export datagrams.  There are also minimalist tools such as fprobe and flowd.

What NetFlow collector are you using?
