A comprehensive guide for deploying, configuring, and troubleshooting NetFlow and learning big data analytics technologies for cyber security
Today's world of network security is full of cyber security vulnerabilities, incidents, breaches, and many headaches. Visibility into the network is an indispensable tool for network and security professionals, and Cisco NetFlow creates an environment where network administrators and security professionals have the tools to understand who, what, when, where, and how network traffic is flowing.
Network Security with NetFlow and IPFIX is a key resource for introducing yourself to and understanding the power behind the Cisco NetFlow solution. Omar Santos, a Cisco Product Security Incident Response Team (PSIRT) technical leader and author of numerous books including the CCNA Security 210-260 Official Cert Guide, details the importance of NetFlow and demonstrates how it can be used by large enterprises and small-to-medium-sized businesses to meet critical network challenges. This book also examines NetFlow's potential as a powerful network security tool.
Network Security with NetFlow and IPFIX explores everything you need to know to fully understand and implement the Cisco Cyber Threat Defense Solution. It also provides detailed configuration and troubleshooting guidance, sample configurations with in-depth analysis of design scenarios in every chapter, and detailed case studies with real-life scenarios.
You can follow Omar on Twitter: @santosomar
- NetFlow and IPFIX basics
- Cisco NetFlow versions and features
- Cisco Flexible NetFlow
- NetFlow Commercial and Open Source Software Packages
- Big Data Analytics tools and technologies such as Hadoop, Flume, Kafka, Storm, Hive, HBase, Elasticsearch, Logstash, Kibana (ELK)
- Additional Telemetry Sources for Big Data Analytics for Cyber Security
- Understanding big data scalability
- Big data analytics in the Internet of everything
- Cisco Cyber Threat Defense and NetFlow
- Troubleshooting NetFlow
- Real-world case studies
About the Author
Omar Santos is a Principal Engineer in the Cisco Product Security Incident Response Team (PSIRT), part of Cisco's Security Research and Operations. He mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities in all Cisco products. Omar has been working with information technology and cyber security since the mid-1990s. He has designed, implemented, and supported numerous secure networks for Fortune 100 and 500 companies and for the U.S. government. Prior to his current role, he was a Technical Leader within the World Wide Security Practice and the Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.
Omar is an active member of the security community, where he leads several industrywide initiatives and standards bodies. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructure.
Omar is the author of several books and numerous whitepapers, articles, and security configuration guidelines and best practices. He has also delivered numerous technical presentations at conferences and to Cisco customers and partners, in addition to C-level executive presentations to many organizations. Omar is the author of the following Cisco Press books:
- CCNA Security 210-260 Official Cert Guide, ISBN-13: 9781587205668
- Deploying Next-Generation Firewalls Live Lessons, ISBN-13: 9781587205705
- Cisco's Advanced Malware Protection (AMP), ISBN-13: 9781587144462
- Cisco ASA Next-Generation Firewall, IPS, and VPN Services (3rd Edition), ISBN-10: 1587143070
- Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance (2nd Edition), ISBN-10: 1587058197
- Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance, ISBN-10: 1587052091
- Cisco Network Admission Control, Volume: Deployment and Management, ISBN-10: 1587052253
- End-to-End Network Security: Defense-in-Depth, ISBN-10: 1587053322
Contents
Introduction
Chapter 1 Introduction to NetFlow and IPFIX
Introduction to NetFlow
The Attack Continuum
The Network as a Sensor and as an Enforcer
What Is a Flow?
NetFlow Versus IP Accounting and Billing
NetFlow for Network Security
Anomaly Detection and DDoS Attacks
Data Leak Detection and Prevention
Incident Response and Network Security Forensics
Traffic Engineering and Network Planning
IP Flow Information Export
IPFIX Architecture
IPFIX Mediators
IPFIX Templates
Option Templates
Introduction to the Stream Control Transmission Protocol (SCTP)
Supported Platforms
Introduction to Cisco Cyber Threat Defense
Cisco Application Visibility and Control and NetFlow
Application Recognition
Metrics Collection and Exporting
Management and Reporting Systems
Control
Deployment Scenarios
Deployment Scenario: User Access Layer
Deployment Scenario: Wireless LAN
Deployment Scenario: Internet Edge
Deployment Scenario: Data Center
Public, Private, and Hybrid Cloud Environments
Deployment Scenario: NetFlow in Site-to-Site and Remote VPNs
NetFlow Remote-Access VPNs
NetFlow Site-to-Site VPNs
NetFlow Collection Considerations and Best Practices
Determining the Flows per Second and Scalability
Summary
Chapter 2 Cisco NetFlow Versions and Features
NetFlow Versions and Respective Features
NetFlow v1 Flow Header Format and Flow Record Format
NetFlow v5 Flow Header Format and Flow Record Format
NetFlow v7 Flow Header Format and Flow Record Format
NetFlow Version 9
NetFlow and IPFIX Comparison
Summary
Chapter 3 Cisco Flexible NetFlow
Introduction to Cisco's Flexible NetFlow
Simultaneous Application Tracking
Flexible NetFlow Records
Flexible NetFlow Key Fields
Flexible NetFlow Non-Key Fields
NetFlow Predefined Records
User-Defined Records
Flow Monitors
Flow Exporters
Flow Samplers
Flexible NetFlow Configuration
Configure a Flow Record
Configuring a Flow Monitor for IPv4 or IPv6
Configuring a Flow Exporter for the Flow Monitor
Applying a Flow Monitor to an Interface
Flexible NetFlow IPFIX Export Format
Summary
Chapter 4 NetFlow Commercial and Open Source Monitoring and Analysis Software Packages
Commercial NetFlow Monitoring and Analysis Software Packages
Lancope's StealthWatch Solution
Plixer's Scrutinizer
Open Source NetFlow Monitoring and Analysis Software Packages
NFdump
NfSen
SiLK
SiLK Configuration Files
Filtering, Displaying, and Sorting NetFlow Records with SiLK
SiLK's Python Extension
Cou…