As shown in Figure 7-10, Cisco NetFlow can be used primarily as a security analysis tool to identify and classify
DoS attacks, viruses, worms, and network anomalies in real time. The data is also invaluable in forensic
processes for gathering details and understanding security incidents. NetFlow is completely transparent to the
existing network, including end stations, application software, and any devices on the network.
Figure 7-10. Using NetFlow for Security Analysis
NetFlow is supported on most Cisco platforms via ASICs, Cisco IOS, and Cisco Catalyst Operating System
(CatOS) software.
How NetFlow Works
NetFlow classifies packets by the direction of their flow and identifies packet flows for both ingress and egress IP
packets. Each flow is defined by seven key fields: ingress interface, IP protocol type, type of
service (ToS), source and destination IP addresses, and source and destination port numbers, as shown in
Example 7-21. The information gathered with NetFlow is like a phone bill: it provides all the information
needed for traffic profiling and for determining the "who, what, when, where, and how" of network traffic.
NetFlow is usually deployed at the edge of a network to monitor peering interfaces, because these are the
potential ingress points for most attacks.
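The seven-key flow classification described above, worked through as an added example (not code from the book or from Cisco): constructed packet records are grouped into flows on the seven key fields, and the resulting per-flow packet counts are then used for the kind of anomaly spotting the text mentions, flagging a destination that receives many one-packet flows. The interface names, addresses, and the threshold value are assumed sample values.

```python
from collections import Counter, defaultdict

# Constructed packet records, not captured traffic. Each tuple holds the
# seven NetFlow key fields in the order the text lists them, plus the
# packet size: (ingress interface, IP protocol, ToS, src IP, dst IP,
# src port, dst port, bytes).
PACKETS = [
    ("Gi0/1", 6, 0, "198.51.100.10", "192.0.2.5", 40001, 80, 60),
    ("Gi0/1", 6, 0, "198.51.100.10", "192.0.2.5", 40001, 80, 1500),
    ("Gi0/1", 6, 0, "198.51.100.10", "192.0.2.5", 40001, 80, 1500),
    ("Gi0/1", 17, 0, "198.51.100.11", "192.0.2.53", 53001, 53, 80),
    # The DNS reply enters on another interface, so it is a separate flow.
    ("Gi0/2", 17, 0, "192.0.2.53", "198.51.100.11", 53, 53001, 200),
    # One host opening many one-packet connections to a single web server.
    ("Gi0/1", 6, 0, "203.0.113.7", "192.0.2.5", 1001, 80, 60),
    ("Gi0/1", 6, 0, "203.0.113.7", "192.0.2.5", 1002, 80, 60),
    ("Gi0/1", 6, 0, "203.0.113.7", "192.0.2.5", 1003, 80, 60),
    ("Gi0/1", 6, 0, "203.0.113.7", "192.0.2.5", 1004, 80, 60),
]

def build_flow_cache(packets):
    """Group packets into flows keyed by the seven NetFlow key fields; the
    per-flow packet and byte totals are the 'phone bill' entries."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for ifc, proto, tos, src, dst, sport, dport, size in packets:
        key = (ifc, proto, tos, src, dst, sport, dport)
        flows[key]["packets"] += 1
        flows[key]["bytes"] += size
    return dict(flows)

def single_packet_flows_per_destination(flows):
    """Count, per destination IP, the flows that carried exactly one packet."""
    counts = Counter()
    for (_ifc, _proto, _tos, _src, dst, _sport, _dport), stats in flows.items():
        if stats["packets"] == 1:
            counts[dst] += 1
    return counts

def flag_destinations(flows, threshold=3):
    """Destinations receiving at least `threshold` one-packet flows: the shape
    a SYN flood or scan leaves in flow data (threshold is illustrative)."""
    counts = single_packet_flows_per_destination(flows)
    return sorted(dst for dst, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    cache = build_flow_cache(PACKETS)
    print(len(cache), "flows; suspect destinations:", flag_destinations(cache))
```

Note that the DNS request and its reply land in two different flows because the ingress interface (and the swapped address and port pairs) differ, which is exactly why the text describes NetFlow as classifying by flow direction.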