October 2, 2007
Network Security and Netflow
A couple of things I'd like to mention in this post. First off, I just finished looking through End-to-End Network Security from Cisco Press. Very nice. If you've ever wanted to get into network security, this is a great starting point. It covers the major areas of network security you need to address and the tools you can use to do it.
So that brings me to my second thought: someone talk to me about NetFlow. NetFlow is one of the tools this book mentions for analyzing your network traffic. In its basic form, NetFlow records all the "flows" (i.e. the traffic) passing through your router. You can categorize that traffic per application and even get down to a per-user level (so you can finally figure out who is killing the Internet connection with their peer-to-peer traffic). Every time I want to get into the NetFlow world, I seem to get lost in a land of build-your-own Linux applications or extremely expensive Windows applications. Does anyone know of a good, free/cheap, easy-to-use Windows application that can take NetFlow data and present it as a web page (much like MRTG/PRTG)? This seems like too cool a tool to pass up.
As a side note, it looks like Aaron has gone into the development shop on NetFlow. MAN I wish I could do that. Cursed Linux people :).
Posted by JC at October 2, 2007 4:24 PM
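To make concrete what a collector does with the flows described above, here is an added example (written for this page, not taken from the book or from any of the tools mentioned): it parses a NetFlow v5 export datagram and ranks hosts and destination ports by bytes, which is exactly the "who is eating the link" question. The packet and its addresses are constructed sample data.

```python
"""Minimal NetFlow v5 parser plus top-talker aggregation (added example)."""
import socket
import struct
from collections import defaultdict

HEADER_FMT = "!HHIIIIBBH"                # v5 header, 24 bytes
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # v5 flow record, 48 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)


def parse_v5(packet: bytes) -> list:
    """Return the flow records carried in one NetFlow v5 export datagram."""
    version, count = struct.unpack_from("!HH", packet, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        if off + RECORD_LEN > len(packet):
            # the header's record count must never be trusted over the real length
            raise ValueError("truncated export packet")
        (src, dst, _nh, _in, _out, pkts, octets, _first, _last,
         sport, dport, _pad, _flags, proto, _tos,
         *_rest) = struct.unpack_from(RECORD_FMT, packet, off)
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport, "proto": proto,
                      "packets": pkts, "bytes": octets})
    return flows


def top_talkers(flows, key="src"):
    """Sum bytes per key ('src' host or 'dport' application port), largest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[f[key]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def build_sample_packet() -> bytes:
    """Constructed export datagram with three flows; addresses are sample values."""
    def rec(src, dst, sport, dport, proto, pkts, octets):
        return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, 0, 0,
                           sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)
    header = struct.pack(HEADER_FMT, 5, 3, 1000, 1191348000, 0, 0, 0, 0, 0)
    return (header
            + rec("192.168.1.10", "203.0.113.5", 40000, 80, 6, 10, 1500)
            + rec("192.168.1.20", "203.0.113.7", 6881, 6881, 6, 5000, 6000000)
            + rec("192.168.1.10", "203.0.113.9", 40001, 443, 6, 20, 3000))
```

Running `top_talkers(parse_v5(build_sample_packet()))` puts 192.168.1.20 first, and keying on `dport` shows the bytes sit on port 6881 rather than on web ports.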
Comments
Hi,
I have been using this software for some time:
http://manageengine.adventnet.com/products/netflow/cisco-netflow.html
It is Windows based and it's free to use for 2 interfaces.
Hope that this will help you!
Posted by: Lucian at October 2, 2007 5:03 PM
You should learn Unix (or Linux), since your favorite brand of routers is based on Unix.
Try Fedora or Ubuntu. You have all the cool stuff like a tftp server, a syslog server, etc.
Posted by: Joe at October 2, 2007 8:09 PM
Seriously, learn Linux ;) Fedora comes with flow-tools, which provides the collector and tools. Flow-scan is a good tool to interpret the data, and I've been working on writing a peering analysis tool at http://taind.sourceforge.net/
Sean
Posted by: Sean at October 3, 2007 5:44 AM
I have used SolarWinds and ManageEngine for NetFlow analysis, and Crannog Software's (bought by Fluke) NetFlow Tracker is the best I have seen.
The interface is so intuitive and really easy to use; I believe that the eval version works for 30 days.
Posted by: Mark at October 3, 2007 6:34 AM
I'd love to learn Linux/Unix... it's just one of those things where I get bogged down with useless junk, like finding a network card driver and ensuring IRQ ports are configured correctly. Ugh.
Thanks for the links above! I'll check them out.
Posted by: JC at October 3, 2007 8:08 AM
Here's an article on NetFlow from TechRepublic:
http://blogs.techrepublic.com.com/networking/?p=302&tag=nl.e115
and one of the embedded URLs is a cisco.com page with free NetFlow software links:
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/freeware/index.shtml
Enjoy, :D
Posted by: Derek at October 4, 2007 3:36 AM
commercial - Peakflow from arbor
free - ntop
Posted by: jose at October 5, 2007 12:55 PM
You might want to take a look at http://nfsen.sourceforge.net/ & http://nfdump.sourceforge.net/.
Posted by: oddbjorn at October 7, 2007 3:40 AM
Take a look at Plixer Scrutinizer. It's the best NetFlow analyzer I have found. While not 100% free, the free version works quite well.
Posted by: Jon at October 14, 2007 7:21 PM
You can try ntop with NetFlow configured; it works like a charm, but Crannog is still the better tool so far.
Posted by: Javyn at October 17, 2007 11:54 PM
I've been looking at ntop.
Much as I'd love to spend time setting this up on Linux, I simply don't have time. ntop is open source, but you need to compile it yourself if you want to run it on Windows. You can buy a pre-compiled version from ntop (www.ntop.org) or you could try this free pre-compiled version:
http://www.openxtra.co.uk/freestuff/ntop-xtra.php
It might not be the latest version but it seems to work OK for me.
Posted by: Andy at October 29, 2007 1:44 PM
I would second Scrutinizer. It does come with a cost, but their support is excellent and the product is Windows point-and-click easy. Alarms can be generated based on defined thresholds, real-time stats, reporting, and so on. The full-blown version isn't free, but it is really cheap compared to the other options out there.
Posted by: pingFX at December 7, 2007 8:18 AM
There is a start-up that has a search engine designed to help sort and analyze NetFlow data for security. You can see a demo of the product here:
http://www.packetanalytics.com/demo.php
I pinged them and they mentioned it would be available for download in January.
Posted by: Brian Despain at December 11, 2007 6:13 AM