Re: NetFlow for IDS

From: Adam Powers (
Date: 07/22/05

  • Next message: Nick Black: "Re: IDS Signature Confidence"
    Date: Fri, 22 Jul 2005 17:28:08 -0400
    To: Ron Gula <>, <>

    Okay, so sure, lots of technologies can take NetFlow and store it to disk.
    They might even extract a few stats here and there for network
    management/traffic accounting purposes. This kind of capability is trivial.
    Inclusion of vendors with this class of NetFlow support will dilute the
    value of the list Andy has introduced.

    I think the list should be limited to only those technologies that do deep
    analysis of the inbound Netflow PDUs. Stuff like...

    1. NetFlow-based attack detection. First and foremost, the NetFlow security
    vendor MUST be able to detect various types of attacks based solely on the
    NetFlow data stream. Examples include SYN/UDP/ICMP floods, fragmentation
    attacks, traffic anomalies, policy violations, and scanning of various

    2. Deduplication of NetFlow. If 2 or more NetFlow exporters see the same
    flow, the duplicate records must be counted and removed before processing.
    Non-trivial to say the least.

    3. Realtime or near-realtime operation. The technology must be able to
    process high volume NetFlow (30,000+ flows per second) in near realtime,
    alarming on events as they happen vs. batch mode hourly or daily operation.

    4. Normalization of NetFlow records; aka. "Flow Stitching". All of the
    "real" NetFlow security technologies (known affectionately as "ArOneZuCope
    Security"; Arbor, Q1Labs, Mazu, Lancope) allow for the consolidation of
    multiple NetFlow records into a single stateful record. This ability allows
    for tremendous data reduction in the overall amount of flow data being
    written to disk.

    5. Client/Server determination. A single TCP socket will result in at least
    two NetFlow records (one in each direction of the socket; client->server,
    server->client). The receiving NetFlow collector must be able to assemble
    the two flows to determine which host was the server and which was the

    6. Validation of NetFlow exporters. You must be able to not only collect
    NetFlow but alarm/alert when the exporter has failed (stopped exporting,
    misconfigured timeouts, etc).

    7. Ability to handle and make use of v7 NetFlow ("flagless" NetFlow). v7
    does not include ORed TCP flag data. Without TCP flags, NetFlow analysis is
    made far more difficult. Overcoming limitations of v7 NetFlow takes a good
    bit of thought on the vendor's part.

    8. Topology discovery and accounting. NEXTHOP data in the NetFlow PDU can be
    used for topological mapping of the network which allows the NetFlow
    security technology to determine which router is electronically "closest" to
    a given host (for use in mitigation).

    The list goes on...

    My point is that there are "NetFlow Storage Technologies" and then there are
    "NetFlow Security Technologies" (aka. "You sir, are no President Kennedy").

    Think TCPDUMP vs. snort in regards to Ethernet frame analysis.

    On 7/20/05 9:27 PM, "Ron Gula" <> wrote:

    > At 12:21 PM 7/18/2005, Gary Halleen (ghalleen) wrote:
    >> That list is handy, but incomplete.
    >> Cisco MARS should be added. MARS is a SIM product that receives log
    >> information from various sources (firewalls, routers, switches, IDS/IPS,
    >> host logs, antivirus, and more). It also receives netflow, and can
    >> provide very useful security-related information based on it.
    >> Gary
    > Along those lines, you can add any SIM that has a netflow agent or
    > a log analyzer that can read someone else's netflow logs. Tenable's
    > Thunder will do netflow in our 2.0 release and a quick survey of
    > other SIMs saw other folks had netflow agents as well.
    > Ron Gula
    > Tenable Network Security
    > ------------------------------------------------------------------------
    > Test Your IDS
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it
    > with real-world attacks from CORE IMPACT.
    > Go to
    > to learn more.
    > ------------------------------------------------------------------------

    Adam  Powers
    Director of Technology
    Lancope, Inc.
    c. 678.725.1028
    f. 770.225.6501
    StealthWatch by Lancope - Security Through Network Intelligence
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it 
    with real-world attacks from CORE IMPACT.
    Go to 
    to learn more.

  • Next message: Nick Black: "Re: IDS Signature Confidence"