# Chapter 5: Network Visibility and Segmentation

This chapter covers the following topics:

- Introduction to Network Visibility
- NetFlow
- IP Flow Information Export (IPFIX)
- NetFlow Deployment Scenarios
- Cisco Secure Network Analytics and Cisco Secure Cloud Analytics
- Cisco Cognitive Intelligence and Encrypted Traffic Analytics (ETA)
- NetFlow Collection Considerations and Best Practices
- Configuring NetFlow in Cisco IOS and Cisco IOS-XE
- Configuring NetFlow in NX-OS
- Introduction to Network Segmentation
- Micro-segmentation with Cisco ACI
- Segmentation with Cisco ISE

The following SCOR 350-701 exam objectives are covered in this chapter:

- Domain 6: Secure Network Access, Visibility, and Enforcement
  - 6.4 Describe the benefits of device compliance and application control
  - 6.5 Explain exfiltration techniques (DNS tunneling, HTTPS, email, FTP/SSH/SCP/SFTP, ICMP, Messenger, IRC, NTP)
  - 6.6 Describe the benefits of network telemetry
  - 6.7 Describe the components, capabilities, and benefits of these security products and solutions
    - 6.7.a Cisco Secure Network Analytics
    - 6.7.b Cisco Secure Cloud Analytics
    - 6.7.c Cisco pxGrid
    - 6.7.d Cisco Umbrella Investigate
    - 6.7.e Cisco Cognitive Intelligence
    - 6.7.f Cisco Encrypted Traffic Analytics
    - 6.7.g Cisco Secure Client Network Visibility Module (NVM)

## "Do I Know This Already?" Quiz

The "Do I Know This Already?" quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 5-1 lists the major headings in this chapter and their corresponding "Do I Know This Already?" quiz questions. You can find the answers in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes and Q&A Sections."
| Foundation Topics Section | Questions |
|---|---|
| Introduction to Network Visibility | 1 |
| NetFlow | 2-3 |
| IP Flow Information Export (IPFIX) | 4-5 |
| NetFlow Deployment Scenarios | 6 |
| Cisco Secure Network Analytics and Cisco Secure Cloud Analytics | 7-8 |
| Cisco Cognitive Intelligence and Encrypted Traffic Analytics (ETA) | 9 |
| NetFlow Collection Considerations and Best Practices | 10 |
| Configuring NetFlow in Cisco IOS and Cisco IOS-XE | 11 |
| Configuring NetFlow in NX-OS | 12 |
| Introduction to Network Segmentation | 13 |
| Micro-segmentation with Cisco ACI | 14 |
| Segmentation with Cisco ISE | 15 |

**CAUTION:** The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for the purposes of the self-assessment. Giving yourself credit for an answer you incorrectly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which of the following technologies can be deployed to gain network visibility and awareness of security threats?
   - NetFlow
   - IPFIX
   - Cisco Secure Network Analytics (formerly known as Cisco Stealthwatch)
   - All of these answers are correct.

## Foundation Topics

### Introduction to Network Visibility

Network visibility is one of the most important pillars within any cybersecurity program and framework. In fact, two of the most important components of a cybersecurity program, and ones that go together, are visibility and control. Total network visibility and complete control of all elements in your network are easier said than done (especially when organizations have their applications and data hosted in multi-cloud environments). However, at least maintaining a good level of visibility across all these environments is crucial to maintaining services and business continuity.
You must design an architecture that is flexible and improves security without relying on a single technology or product. Multiple technologies and features are used throughout the network to obtain visibility into network behavior and to maintain control during abnormal or malicious behavior. How good is your network if you cannot manage it when an outbreak or attack is underway?

Visibility is twofold. Network administrators and cybersecurity professionals should always have complete visibility of networking devices and the traffic within their infrastructure. At the same time, intruders must not have visibility of unnecessary services or vulnerable systems that can be exploited within an organization. The following are the most common technologies that can be used to obtain and maintain complete network visibility:

- NetFlow
- IPFIX
- Cisco Secure Network Analytics (formerly known as Cisco Stealthwatch)
- Intrusion detection system/intrusion prevention system (IDS/IPS)
- Cisco Secure Endpoint (formerly known as Cisco Advanced Malware Protection (AMP) for Endpoints and Networks)

### NetFlow

NetFlow is a technology originally created by Cisco that provides comprehensive visibility into all network traffic that traverses a Cisco-supported device. NetFlow was initially created for billing and accounting of network traffic and to measure other IP traffic characteristics such as bandwidth utilization and application performance. NetFlow has also been used as a network-capacity planning tool and to monitor network availability. Nowadays, NetFlow is used as a network security tool because its reporting capabilities provide nonrepudiation, anomaly detection, and investigative capabilities. As network traffic traverses a NetFlow-enabled device, the device collects traffic flow information and provides a network administrator or security professional with detailed information about such flows.
NetFlow provides detailed network telemetry that allows the administrator to perform the following tasks:

- See what is actually happening across the entire network.
- Identify DoS attacks.
- Quickly identify compromised endpoints and network infrastructure devices.
- Monitor network usage of employees, contractors, or partners.
- Obtain network telemetry during security incident response and forensics.
- Detect firewall misconfigurations and inappropriate access to corporate resources.

**TIP:** NetFlow supports both IP Version 4 (IPv4) and IP Version 6 (IPv6).

Defending against cybersecurity attacks is becoming more challenging every day, and it is not going to get any easier. The threat landscape is evolving into a faster, more effective, and more efficient criminal economy profiting from attacks against users, enterprises, service providers, and governments. Organized cybercrime, with its exchange of exploits, is booming and fueling a very lucrative economy. Threat actors nowadays have a clear understanding of the underlying security technologies and their vulnerabilities. Hacker groups now follow software development life cycles, just like enterprises follow their own. These bad actors perform quality-assurance testing of their tools against security products before releasing them into the underground economy. They continue to find ways to evade common security defenses. Attackers follow techniques such as the following:

- Port and protocol hopping
- Tunneling over many different protocols
- Encryption
- Utilization of droppers
- Social engineering
- Exploitation of zero-day vulnerabilities

Security technologies and processes should not focus only on defending against Internet threats, but should also provide the ability to detect and mitigate the impact after a successful attack.
Security professionals must maintain visibility and control across the extended network during the full attack continuum:

- Before the attack takes place
- During an active attack
- After an attacker starts to damage systems or steal information

Cisco security products provide protection throughout the attack continuum. Devices such as the Cisco Secure Firewall and Cisco Secure Endpoint provide a security solution that helps discover threats and enforce and harden policies before an attack takes place. In addition, NetFlow lets you detect attacks before, during, and after they take place. These solutions provide the capabilities to contain and remediate an attack to minimize data loss and additional network degradation.

### The Network as a Sensor and as an Enforcer

Many organizations fail to use one of the strongest tools that can help protect against today's security threats: the network itself. For example, Cisco Catalyst switches, data center switches, Aggregation Services Routers (ASRs), Integrated Services Routers (ISRs), Cisco Secure Firewalls, NetFlow generation appliances (FlowSensors), Cisco Secure Endpoint (formerly known as Advanced Malware Protection (AMP)), and wireless products, in conjunction with the Cisco Application Centric Infrastructure (ACI), can protect before, during, and after an attack. The network can be used in security in two different, fundamental ways:

- **The network as a sensor:** NetFlow allows you to use the network as a sensor, giving you deep and broad visibility into unknown and unusual traffic patterns, in addition to compromised devices.
- **The network as an enforcer:** You can use Cisco TrustSec to contain attacks by enforcing segmentation and user access control. Even when bad actors successfully breach your network defenses, you thus limit their access to only one segment of the network.

### What Is a Flow?

A flow is a unidirectional series of packets between a given source and destination.
In a flow, the same source and destination IP addresses, source and destination ports, and IP protocol are shared. This is often referred to as the five-tuple. Figure 5-1 illustrates a five-tuple example.

Five (5) Tuple:

| Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|
| 10.1.1.2 | 1872 | 10.2.2.3 | 443 | TCP |

Figure 5-2 shows an example of a flow between a client and a server.

[Diagram of client (10.1.1.2), router (configured with NetFlow), server (10.2.2.3) with connection between client and server at the top, labeled "HTTPS."]

**TIP:** The NetFlow database is often called the NetFlow cache.

Depending on the version of NetFlow, the router can also gather additional information, such as the type of service (ToS) byte, differentiated services code point (DSCP), the device's input interface, TCP flags, byte counters, and start and end times. Flexible NetFlow, Cisco's next-generation NetFlow, can track a wide range of Layer 2, IPv4, and IPv6 flow information, such as the following:

- Source and destination MAC addresses
- Source and destination IPv4 or IPv6 addresses
- Source and destination ports
- ToS
- DSCP
- Packet and byte counts
- Flow timestamps
- Input and output interface numbers
- Encapsulated protocol (TCP/UDP) and individual TCP flags
- Sections of the packet for deep packet inspection
- All fields in the IPv4 header, including IP-ID, TTL, and others
- All fields in the IPv6 header, including Flow Label, Option Header, and others
- Routing information such as next-hop address, source autonomous system number (ASN), destination ASN, source prefix mask, destination prefix mask, Border Gateway Protocol (BGP) next hop, and BGP policy accounting traffic index

NetFlow protocol data units (PDUs), also referred to as flow records, are generated and sent to a NetFlow collector after the flow concludes or expires (times out).
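As an added example, not code from the book: a Python model of the five-tuple flow key and of the normal cache's active and inactive timeouts described in the next list, fed with constructed packets from the Figure 5-2 client/server session. It shows that one TCP session yields two unidirectional flows and when each flow record is exported; class names, timeout values, and packet sizes are assumptions.

```python
from typing import Dict, List, NamedTuple

# Added example (not code from the book): a toy model of the NetFlow
# normal cache. Packets are keyed on the five-tuple, each key holds one
# unidirectional flow, and entries age out on the active or inactive
# timeout, at which point a flow record is "exported". Timeouts, class
# names and the sample packets are assumptions.


class FiveTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


class FlowEntry:
    def __init__(self, key: FiveTuple, ts: float, size: int) -> None:
        self.key = key
        self.first_seen = ts   # flow start time
        self.last_seen = ts    # time of the most recent packet
        self.packets = 1
        self.octets = size


class FlowCache:
    """Normal cache: long-lived flows are exported on the active timeout,
    idle flows on the inactive timeout (both in seconds)."""

    def __init__(self, active_timeout: float = 1800.0,
                 inactive_timeout: float = 15.0) -> None:
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.entries: Dict[FiveTuple, FlowEntry] = {}
        self.exported: List[dict] = []   # flow records sent to the collector

    def _export(self, e: FlowEntry, reason: str) -> None:
        self.exported.append({"key": e.key, "packets": e.packets,
                              "octets": e.octets, "start": e.first_seen,
                              "end": e.last_seen, "reason": reason})

    def expire(self, now: float) -> None:
        """Age out entries whose active or inactive timer has elapsed."""
        for key in list(self.entries):
            e = self.entries[key]
            if now - e.first_seen >= self.active_timeout:
                self._export(e, "active-timeout")
                del self.entries[key]
            elif now - e.last_seen >= self.inactive_timeout:
                self._export(e, "inactive-timeout")
                del self.entries[key]

    def observe(self, ts: float, src_ip: str, src_port: int, dst_ip: str,
                dst_port: int, proto: str, size: int) -> None:
        """Account one packet: expire stale entries, then update or create
        the entry for this packet's five-tuple."""
        self.expire(ts)
        key = FiveTuple(src_ip, src_port, dst_ip, dst_port, proto)
        e = self.entries.get(key)
        if e is None:
            self.entries[key] = FlowEntry(key, ts, size)
        else:
            e.last_seen = ts
            e.packets += 1
            e.octets += size


def https_session_cache() -> FlowCache:
    """Constructed packets for the Figure 5-2 session (client 10.1.1.2:1872
    to server 10.2.2.3:443). One TCP session yields two unidirectional
    flows in the cache, one per direction."""
    cache = FlowCache()
    packets = [
        (0.00, "10.1.1.2", 1872, "10.2.2.3", 443, "TCP", 60),    # SYN
        (0.01, "10.2.2.3", 443, "10.1.1.2", 1872, "TCP", 60),    # SYN/ACK
        (0.02, "10.1.1.2", 1872, "10.2.2.3", 443, "TCP", 52),    # ACK
        (0.50, "10.1.1.2", 1872, "10.2.2.3", 443, "TCP", 517),   # ClientHello
        (0.55, "10.2.2.3", 443, "10.1.1.2", 1872, "TCP", 1460),  # ServerHello
    ]
    for pkt in packets:
        cache.observe(*pkt)
    return cache


def long_flow_cache() -> FlowCache:
    """A flow that keeps sending for 80 s with a 60 s active timeout: the
    first 60 s are exported while the flow is still alive, and a fresh
    entry continues accounting the remaining packets."""
    cache = FlowCache(active_timeout=60.0, inactive_timeout=15.0)
    for t in range(0, 80, 10):
        cache.observe(float(t), "10.1.1.2", 5000, "10.2.2.3", 22, "TCP", 100)
    return cache
```

Calling `expire()` with a later timestamp flushes the idle session flows as inactive-timeout records, which is what a collector would receive after the session ends.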
There are three types of NetFlow cache:

- **Normal cache:** This is the default cache type in many infrastructure devices enabled with NetFlow and Flexible NetFlow. The entries in the flow cache are removed (aged out) based on the configured timeout active seconds and timeout inactive seconds settings.
- **Immediate cache:**
  - Each flow accounts for a single packet.
  - Desirable for real-time traffic monitoring and distributed DoS (DDoS) detection.
  - Used when only very small flows are expected (for example, sampling).

**NOTE:** The use of the immediate cache may result in a large amount of export data. This subsequently increases the CPU and memory utilization of the network infrastructure device.

- **Permanent cache:**
  - Used to track a set of flows without expiring the flows from the cache.
  - The entire cache is periodically exported (update timer).
  - The cache size is a configurable value.
  - After the cache is full, new flows will not be monitored.
  - Uses update counters rather than delta counters.

Many people confuse a flow with a session. All traffic in a flow is going in the same direction; however, when the client establishes the HTTP connection (session) to the server and accesses a web page, it represents two separate flows. The first flow is the traffic from the client to the server, and the other flow is from the server to the client.

NetFlow was originally created for IP accounting and billing purposes; however, it plays a crucial role in the following:

- Network security
- Traffic engineering
- Network planning
- Network troubleshooting

**TIP:** Do not confuse the feature in Cisco IOS and Cisco IOS-XE software called IP Accounting with NetFlow. IP Accounting is a great Cisco IOS and Cisco IOS-XE tool, but it is not as robust or as well-known as NetFlow.

### NetFlow for Network Security and Visibility

NetFlow is a tremendous security tool. It provides nonrepudiation, anomaly detection, and investigative capabilities.
Complete visibility is one of the key requirements when identifying and classifying security threats. The first step in the process of preparing your network and staff to successfully identify security threats is achieving complete network visibility. You cannot protect against or mitigate what you cannot view or detect. You can achieve this level of network visibility through existing features on network devices you already have and on devices whose potential you do not even realize. In addition, you should create strategic network diagrams to clearly illustrate your packet flows and where, within the network, you may enable security mechanisms to identify, classify, and mitigate the threat. Remember that network security is a constant war. When defending against the enemy, you must know your own territory and have defense mechanisms in place.

### NetFlow for Anomaly Detection and DDoS Attack Mitigation

You can use NetFlow as an anomaly-detection tool. Anomaly-based analysis keeps track of network traffic that diverges from "normal" behavioral patterns. Of course, you must first define what is considered to be normal behavior. You can use anomaly-based detection to mitigate DDoS attacks and zero-day outbreaks. DDoS attacks are often used maliciously to consume the resources of your hosts and network that would otherwise be used to serve legitimate users. The goal of these types of attacks is to overwhelm the victim's network resources, or a system's resources such as CPU and memory. In most cases, this is done by sending numerous IP packets or forged requests. A particularly dangerous variant is when an attacker builds a more powerful attack by compromising multiple hosts and installing small attack daemons on them; these are what many call zombies or bot hosts/nets. Subsequently, an attacker can launch a coordinated attack from thousands of zombies onto a single victim.
This daemon typically contains both the code for sourcing a variety of attacks and some basic communications infrastructure to allow for remote control. Typically, an anomaly-detection system monitors network traffic, alerts on, and then reacts to any sudden increase in traffic or other anomalies.

**TIP:** NetFlow, along with other mechanisms such as syslog and SNMP, can be enabled within your infrastructure to provide the necessary data used for identifying and classifying threats and anomalies. Before implementing these anomaly-detection capabilities, you should perform traffic analysis to gain an understanding of general traffic rates and patterns. In anomaly detection, learning is generally performed over a significant interval, including both the peaks and valleys of network activity.

Figure 5-3 shows a dashboard from Cisco Secure Cloud Analytics (formerly known as Cisco Stealthwatch Cloud).

[Diagram of Cisco Secure Cloud Analytics dashboard.]

Secure Cloud Analytics captures network traffic from either an on-premises network or a public cloud environment. Its purpose is to identify hosts and understand their normal behavior. If any changes in device behavior could impact network security, Secure Cloud Analytics generates alerts. To track the state of your network, Secure Cloud Analytics employs dynamic entity modeling. An entity can refer to various items, such as a host or endpoint on your network, or even a Lambda function within your AWS deployment. Dynamic entity modeling collects information about these entities based on the traffic they generate and the activities they perform on your network. Secure Cloud Analytics then assigns roles to entities based on their typical actions. For example, if an entity sends traffic associated with email servers, it would be assigned the role of an email server. One entity can have multiple roles. Additionally, observations are recorded about an entity's behavior on the network.
These observations represent specific facts, such as establishing a heartbeat connection with an external IP address, interacting with an entity on a watchlist, or initiating a remote access session with another entity. Observations alone do not carry meaning beyond their representation of the observed behavior. Using a combination of roles, observations, and threat intelligence, Secure Cloud Analytics generates alerts, which indicate possible malicious behavior detected by the system. When reviewing an alert through the Secure Cloud Analytics web portal UI, you can access the supporting observations that led to the alert's generation. This way you can gather additional context about the entities involved, including their transmitted traffic and any available external threat intelligence.

**NOTE:** Cisco Secure Network Analytics (formerly known as Cisco Stealthwatch) and Cisco Secure Cloud Analytics (formerly known as Cisco Stealthwatch Cloud) are covered later in this chapter.

### Data Leak Detection and Prevention

Many network administrators, security professionals, and business leaders struggle in the effort to prevent data loss within their organizations. The ability to identify anomalous behavior in data flows is crucial to detecting and preventing data loss. The application of analytics to data collected via NetFlow can aid security professionals in detecting anomalously large amounts of data leaving the organization and abnormal traffic patterns inside the organization. Using NetFlow along with identity management systems, an administrator can detect who initiated the data transfer, the hosts (IP addresses) involved, the amount of data transferred, and the services used. In addition, the administrator can measure how long the communications lasted and the frequency of the same connection attempts.

**TIP:** Often, tuning is necessary because certain traffic behavior could cause false positives.
For instance, your organization may be legitimately sharing large amounts of data or streaming training to business partners and customers. In addition, analytics software that examines baseline behavior may be able to detect typical file transfers and incorporate them into existing baselines.

### Incident Response, Threat Hunting, and Network Security Forensics

NetFlow is often compared to a phone bill. When police want to investigate criminals, for instance, they often collect and investigate their phone records. NetFlow provides information about all network activity that can be very useful for incident response and network forensics. This information can help you discover indicators of compromise (IOCs). The National Institute of Standards and Technology (NIST) created the following methodology for security incident handling, which has been adopted by many organizations, including service providers, enterprises, and government organizations:

- Step 1. Preparation
- Step 2. Detection and analysis
- Step 3. Containment, eradication, and recovery
- Step 4. Post-incident activity (postmortem and lessons learned)

**NOTE:** The NIST Computer Security Incident Handling Guide is Special Publication 800-61 Revision 2. The NIST SP 800-61 R2 publication can be downloaded from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.

NetFlow plays a crucial role in the preparation phase and the detection and analysis phase. Information collected in NetFlow records can be used to identify, categorize, and scope suspected incidents as part of the identification. NetFlow data also provides great benefits for attack traceback and attribution. In addition, NetFlow provides visibility of what is getting into your network and what information is being exfiltrated out of your network.

Figure 5-4 shows an example of how a botnet is performing a DDoS attack against the corporate network.
NetFlow in this case can be used as an anomaly-detection tool for the DDoS attack and also as a forensics tool to potentially find other IOCs of more sophisticated attacks that may be carried out incognito.

[Diagram of a botnet performing a DDoS attack.]

Figure 5-5 shows how a "stepping-stone" attack is carried out in the corporate network. A compromised host in the call center department is exfiltrating large amounts of sensitive data to an attacker on the Internet from a server in the data center.

[Diagram of a stepping-stone attack.]

You can also use NetFlow in combination with DNS records to help you detect suspicious and malicious traffic, such as the following:

- Suspicious requests to .gov, .mil, and .edu sites when you do not even do business with any of those entities
- Large amounts of traffic leaving the organization late at night to suspicious sites
- Traffic to embargoed countries that should not have any business partners or transactions
- Suspicious virtual private network (VPN) requests and VPN traffic
- Requests and transactions to sites without any content
- Pornography sites or any other corporate policy violations
- Illegal file-sharing sites
- Crypto mining informational sites

Syslog and packet captures are also often used in network forensics; however, an area where these traditional network forensics tools fall short is coverage. For instance, it is very difficult to deploy hundreds of sniffers (packet-capture devices) in the networks of large organizations. In addition, the cost will be extremely high. When a security incident or breach is detected, the incident responders need answers fast! They do not have time to go over terabytes of packet captures, and they cannot possibly analyze every computer on the network to find the root cause, miscreant, and source of the breach.
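The baselining approach from the anomaly-detection section and the data-leak detection described above, as an added example (not code from the book): it learns hourly per-host baselines over both busy and quiet hours from constructed NetFlow-style records, then flags a packet-rate spike toward an internal host and an outsized late-night upload from one workstation. The record layout, the 10.0.0.0/8 internal range, the thresholds, and the sample traffic are assumptions.

```python
import statistics
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

# Added example (not code from the book): hourly baselining of NetFlow-style
# records. The learning interval deliberately spans busy and quiet hours.
# Record layout, the 10.0.0.0/8 internal range and all traffic below are
# constructed assumptions.

WINDOW = 3600  # seconds per bucket (one hour)


class Flow(NamedTuple):
    start: int      # flow start, seconds since epoch
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")


def bucket(flows: List[Flow], key_of: Callable[[Flow], Optional[str]],
           value_of: Callable[[Flow], int]) -> Dict[str, Dict[int, int]]:
    """Sum value_of(flow) per (key, hourly window); flows with no key are skipped."""
    totals: Dict[str, Dict[int, int]] = {}
    for f in flows:
        key = key_of(f)
        if key is None:
            continue
        series = totals.setdefault(key, {})
        w = f.start // WINDOW
        series[w] = series.get(w, 0) + value_of(f)
    return totals


def baseline_alerts(totals: Dict[str, Dict[int, int]], cutoff: int,
                    k: float = 3.0, floor_frac: float = 0.25
                    ) -> List[Tuple[str, int, int, int]]:
    """Learn mean and standard deviation per key from windows before `cutoff`
    (missing windows count as zero, so valleys are part of the baseline) and
    flag later windows above mean + k * max(stdev, floor_frac * mean).
    The floor stops a perfectly regular baseline (stdev 0) from alerting on
    every tiny change. Returns (key, window, value, threshold)."""
    alerts = []
    for key, series in totals.items():
        train = [series.get(w, 0) for w in range(cutoff)]
        mean = statistics.fmean(train)
        spread = max(statistics.pstdev(train), floor_frac * mean)
        threshold = mean + k * spread
        for w in sorted(series):
            if w >= cutoff and series[w] > threshold:
                alerts.append((key, w, series[w], round(threshold)))
    return alerts


def inbound_packet_alerts(flows: List[Flow], cutoff: int):
    """Packets per hour arriving from outside at each internal host (DDoS-like)."""
    totals = bucket(
        flows,
        lambda f: f.dst_ip if is_internal(f.dst_ip) and not is_internal(f.src_ip) else None,
        lambda f: f.packets)
    return baseline_alerts(totals, cutoff)


def outbound_octet_alerts(flows: List[Flow], cutoff: int):
    """Bytes per hour leaving from each internal host (data-leak-like)."""
    totals = bucket(
        flows,
        lambda f: f.src_ip if is_internal(f.src_ip) and not is_internal(f.dst_ip) else None,
        lambda f: f.octets)
    return baseline_alerts(totals, cutoff)


def constructed_flows() -> List[Flow]:
    """36 hours of synthetic traffic: a day/night pattern for learning, then a
    flood at hour 30 and a large late-night upload at hour 31. Addresses come
    from the documentation ranges."""
    flows: List[Flow] = []
    for hour in range(36):
        busy = 8 <= hour % 24 <= 18
        for i in range(12 if busy else 4):   # web clients hitting 10.1.1.10
            flows.append(Flow(hour * WINDOW + i * 60, f"203.0.113.{i + 1}",
                              "10.1.1.10", 443, "TCP", 40, 30_000))
        flows.append(Flow(hour * WINDOW + 5, "10.1.1.50",      # routine outbound
                          "198.51.100.7", 443, "TCP", 30, 20_000))
    for i in range(200):   # hour 30: many sources, very high packet rate
        flows.append(Flow(30 * WINDOW + i, f"192.0.2.{i % 250 + 1}",
                          "10.1.1.10", 443, "TCP", 500, 40_000))
    flows.append(Flow(31 * WINDOW + 120, "10.1.1.50", "198.51.100.7",  # hour 31
                      443, "TCP", 400_000, 550_000_000))
    return flows
```

Learning from the first 24 hours (`cutoff=24`) keeps the busy daytime hours below the packet threshold while the hour-30 flood and the hour-31 upload are the only windows flagged.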
You can use NetFlow to obtain a high-level view of what is happening in the network, and then the incident responder can perform a deep-dive investigation with packet captures and other tools later in the investigation. Sniffers can then be deployed as needed in key locations where suspicious activity is suspected. The beauty of NetFlow is that you can deploy it anywhere you have a supported router, switch, Cisco ASA, Cisco FTD, or Cisco Secure Firewall; alternatively, you can use the Cisco Secure Network Analytics FlowSensor.

**TIP:** The FlowSensor is a network appliance that functions similarly to a traditional packet capture appliance or IDS in that it connects to a Switch Port Analyzer (SPAN), mirror port, or a Test Access Port (TAP). The FlowSensor augments visibility where NetFlow is not available in the infrastructure device (router, switch, and so on) or where NetFlow is available but you want deeper visibility into performance metrics and packet data. You typically configure the FlowSensor with the FlowCollector. You will learn more about the Cisco Secure Network Analytics solution later in this chapter.

NetFlow can fill in some of the gaps and challenges regarding the collection of packet captures everywhere in the network. It is easier to store large amounts of NetFlow data because each entry is only a transactional record. Therefore, administrators can keep a longer history of events that occurred on their networks. Historical records can prove very valuable when investigating a breach. Network transactions can show you where an initial infection came from, what command-and-control channel was initiated by the malware, what other computers on the internal network were accessed by that infected host, and whether other hosts in the network reached out to the same attacker or command-and-control system, as demonstrated earlier at a high level.
The logging facility on Cisco routers, switches, Cisco ASA, Cisco FTD, and other infrastructure devices allows you to save syslog messages locally or to a remote host. By default, routers send logging messages to a logging process. The logging process controls the delivery of logging messages to various destinations, such as the logging buffer, terminal lines, a syslog server, or a monitoring and event correlation system such as Elasticsearch, Logstash, and Kibana (known as the ELK stack), Graylog, Splunk, and others. You can set the severity level of the messages to control the type of messages displayed, in addition to a timestamp to successfully track the reported information. Every security professional and incident responder knows how important it is to have good logs. There is no better way to find out what was happening in a router, switch, or firewall at the time that an attack occurred. However, like all things, syslog has limitations. You have to enable the collection of logs from each endpoint, so in many environments syslog coverage is incomplete, and after a computer has been compromised, it is not possible to trust the logs coming from that device anymore. Syslog is extremely important, but it cannot tell you everything. Many network telemetry sources can also be correlated with NetFlow while responding to security incidents and performing network forensics, including the following:

- Dynamic Host Configuration Protocol (DHCP) logs
- VPN logs
- Network address translation (NAT) information
- 802.1X authentication logs
- Server logs (syslog)
- Web proxy logs
- Spam filters from email security appliances such as the Cisco Secure Email appliances (formerly known as the Cisco Email Security Appliance (ESA))

Figures 5-6, 5-7, and 5-8 list different event types, their sources, and the respective events that can be combined with NetFlow while responding to security incidents and performing network forensics.
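As an added example (not code from the book) of the incident-response pivot described above and of correlating NetFlow with the DHCP logs listed here: starting from a known command-and-control address, constructed flow records are used to find the first internal host that contacted it, what that host reached afterwards, and which other hosts talked to the same address, and a constructed DHCP lease log attributes the address to the device that held it at the time of the flow rather than the device that holds it now. All addresses, host names, and the C2 placeholder are assumptions.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

# Added example (not code from the book). Flow records and DHCP leases are
# constructed; addresses are from the documentation ranges and the C2
# address is a placeholder. Timestamps are assumed NTP-synchronized.


class Flow(NamedTuple):
    start: int      # seconds since epoch
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    octets: int


class Lease(NamedTuple):
    start: int
    end: int        # lease expiry or release time
    ip: str
    mac: str
    hostname: str


C2 = "192.0.2.77"   # placeholder indicator, not one from the book

FLOWS = [
    Flow(900,  "10.1.1.50", "198.51.100.7", 443, "TCP", 20_000),   # routine
    Flow(1000, "10.1.1.50", C2, 443, "TCP", 1_200),                # first beacon
    Flow(1300, "10.1.1.50", C2, 443, "TCP", 1_150),                # 5 min later
    Flow(1600, "10.1.1.50", C2, 443, "TCP", 1_180),
    Flow(1700, "10.1.1.50", "10.1.1.20", 445, "TCP", 80_000),      # lateral SMB
    Flow(2000, "10.1.1.20", C2, 443, "TCP", 1_210),                # second host
    Flow(2100, "10.1.1.20", "10.1.1.7", 53, "UDP", 120),           # ordinary DNS
]

LEASES = [
    Lease(0,   800,  "10.1.1.50", "aa:aa:aa:aa:aa:01", "LAPTOP-A"),  # released
    Lease(900, 5000, "10.1.1.50", "bb:bb:bb:bb:bb:02", "LAPTOP-B"),
    Lease(0,   5000, "10.1.1.20", "cc:cc:cc:cc:cc:03", "FILESRV-1"),
]


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")


def contacts_to(flows: List[Flow], peer: str) -> List[Tuple[int, str]]:
    """(time, internal source) for every flow toward `peer`, oldest first."""
    return sorted((f.start, f.src_ip) for f in flows
                  if f.dst_ip == peer and is_internal(f.src_ip))


def lateral_targets(flows: List[Flow], host: str, since: int) -> List[str]:
    """Internal systems that `host` connected to at or after `since`."""
    return sorted({f.dst_ip for f in flows
                   if f.src_ip == host and f.start >= since
                   and is_internal(f.dst_ip)})


def lease_at(leases: List[Lease], ip: str, ts: int) -> Optional[Lease]:
    """The lease covering `ip` at time `ts`. Taking the newest lease for the
    address instead would blame the wrong device after a reassignment."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease
    return None


def investigate(flows: List[Flow], leases: List[Lease],
                c2: str) -> Dict[str, object]:
    """Pivot from a known C2 address to patient zero, its lateral movement,
    every other host that reached the same C2, and the device behind the
    IP at the moment of first contact."""
    hits = contacts_to(flows, c2)
    if not hits:
        return {"c2": c2, "patient_zero": None}
    first_seen, patient_zero = hits[0]
    lease = lease_at(leases, patient_zero, first_seen)
    return {
        "c2": c2,
        "first_contact": first_seen,
        "patient_zero": patient_zero,
        "device": lease.hostname if lease else "unknown (no lease at that time)",
        "mac": lease.mac if lease else None,
        "lateral": lateral_targets(flows, patient_zero, first_seen),
        "all_contacts": sorted({src for _, src in hits}),
    }
```

Note that a flow from 10.1.1.50 at time 500 would be attributed to LAPTOP-A, while the beacons from time 1000 onward belong to LAPTOP-B; without accurate timestamps on both data sets the attribution is unreliable.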
Figure 5-6 shows event types and respective sources that can be used for attribution.

| Source | Events |
|---|---|
| DHCP Server Logs | IP assignments to systems <br> MAC addresses |
| VPN Logs | IP assignments to users <br> VPN source addresses <br> Traffic statistics (i.e., AnyConnect Telemetry Module) |
| NAT Gateway | NAT logs <br> PAT logs |
| 802.1X Authentication Logs | IP address assignments <br> Policy assignments <br> Security posture logs (if TrustSec is deployed) <br> MAC addresses |

Figure 5-7 shows event types and respective sources of underlying system activity.

| Source | Events |
|---|---|
| Application Server Logs | Authentication and authorization events <br> Services starting and stopping <br> Configuration changes <br> Security events |
| Web Server Logs | Access logs <br> Error logs |
| Domain Controllers | Authentication and authorization events <br> Failed logins |
| LDAP Servers | Authentication and authorization events <br> Failed logins |

Figure 5-8 shows event types of web proxy, spam filter, and firewall logs.

| Source | Events |
|---|---|
| Web Proxy Logs | Web malware downloads <br> Malicious URLs <br> Command-and-control (C2) connections <br> Communication with compromised or malicious sites |
| Spam Filter Logs | Malicious URLs <br> Malicious email attachments <br> Spearphishing campaigns |
| Firewall Logs | Access control logs <br> Malicious email attachments <br> Deep packet inspection logs |

It is extremely important that your syslog and other messages are timestamped with the correct date and time. This is why the use of Network Time Protocol (NTP) is strongly recommended.

### IP Flow Information Export (IPFIX)

The Internet Protocol Flow Information Export (IPFIX) is a network flow standard led by the Internet Engineering Task Force (IETF).
IPFIX was created as a common, universal standard for exporting flow information from routers, switches, firewalls, and other infrastructure devices. IPFIX defines how flow information should be formatted and transferred from an exporter to a collector. IPFIX is documented in RFC 7011 through RFC 7015 and RFC 5103. Cisco NetFlow Version 9 is the basis and main point of reference for IPFIX. IPFIX changes some of the terminology of NetFlow, but in essence it follows the same principles as NetFlow Version 9. IPFIX defines different elements that are grouped into the following 12 categories according to their applicability:

1. Identifiers
2. Metering and exporting process configuration
3. Metering and exporting process statistics
4. IP header fields
5. Transport header fields
6. Sub-IP header fields
7. Derived-packet properties
8. Min/max flow properties
9. Flow timestamps
10. Per-flow counters
11. Miscellaneous flow properties
12. Padding

IPFIX is considered to be a push protocol. Each IPFIX-enabled device regularly sends IPFIX messages to configured collectors (receivers) without any interaction by the receiver. The sender controls most of the orchestration of the IPFIX data messages. IPFIX introduces the concept of templates, which describe the layout of the flow data messages sent to the receiver. IPFIX also allows the sender to use user-defined data types in its messages. IPFIX prefers the Stream Control Transmission Protocol (SCTP) as its transport layer protocol; however, it also supports the use of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) messages. Traditional Cisco NetFlow records are usually exported via UDP messages. The IP address of the NetFlow collector and the destination UDP port must be configured on the sending device. The NetFlow standard (RFC 3954) does not specify a particular NetFlow listening port.
The standard or most common UDP port used by NetFlow is UDP port 2055, but other ports like 9555, 9995, 9025, and 9026 can also be used. UDP port 4739 is the default port used by IPFIX.

Table 5-3 provides a list of IPFIX open-source tools that can help network administrators and security analysts monitor and analyze network traffic, detect anomalies, and identify potential security threats.

| Tool Name | Description | Link |
|---|---|---|
| Softflowd | Softflowd is a lightweight flow-based network traffic analyzer that generates IPFIX flow records. It runs on multiple platforms, including Linux, BSD, and macOS. | https://github.com/irino/softflowd |
| YAF | Yet Another Flowmeter (YAF) is an open-source flow-based network traffic analyzer that generates IPFIX records. It is designed to be highly scalable and can process high-volume traffic. | https://tools.netsa.cert.org/yaf/ |
| Ntopng | Ntopng is a web-based traffic analysis tool that supports IPFIX and other flow-based protocols. It provides real-time network traffic monitoring and analysis, as well as historical data visualization. | https://github.com/ntop/ntopng |
| Argus | Argus is an open-source network flow monitoring tool that generates IPFIX records. It provides detailed network traffic analysis and supports real-time alerts and reporting. | https://qosient.com/argus/ |

### IPFIX Architecture

IPFIX uses the following architecture terminology:

- **Metering process (MP):** Generates flow records from packets at an observation point. The metering process timestamps, samples, and classifies flows. The MP also maintains flows in an internal data structure and passes complete flow information to an exporting process (EP).
- **EP:** Sends flow records via IPFIX from one or more MPs to one or more collecting processes (CPs).
- **CP:** Receives records via IPFIX from one or more EPs.

Figure 5-9 illustrates these concepts and the architecture.
[Diagram of Network Traffic Analyzed being sent to meter process (MP) and exported to collecting process (CP) through exporter device(s).]

### Understanding IPFIX Mediators

IPFIX introduces the concept of mediators. Mediators collect, transform, and re-export IPFIX streams to one or more collectors. Their main purpose is to allow federation of IPFIX messages. Mediators include an intermediate process (ImP) that allows for the following:

- Anonymization of NetFlow data
- Aggregation of NetFlow data
- Filtering of NetFlow data
- Proxying of web traffic
- IP translation

Figure 5-10 shows a sample architecture that includes an IPFIX mediator.

[Diagram of Network Traffic Analyzed being sent to meter process (MP) and exported to a mediator, and then on to the collecting process (CP), through exporter device(s).]

### IPFIX Templates

An IPFIX template describes the structure of flow data records within a data set. Templates are identified by a template ID, which corresponds to the set ID in the set header of the data set. Templates are composed of information element (IE) and length pairs. IEs provide the field type information for each template. Figure 5-11 illustrates these concepts.

[Diagram of IPFIX Template structure with different information element (IE) and length pairs.]

IPFIX covers nearly all common flow collection use cases, such as the following:

- The traditional five-tuple (source IP address, destination IP address, source port, destination port, and IP protocol)
- Packet treatment such as IP next-hop IPv4 addresses, BGP destination ASN, and others
- Timestamps to nanosecond resolution
- Sub-IP header fields such as source MAC address and wireless local area network (WLAN) service set identifier (SSID)
- Various counters (packet delta counts, total connection counts, top talkers, and so on)
- Flow metadata information such as ingress and egress interfaces, flow direction, and virtual routing and forwarding (VRF) information

Numerous others are defined at the Internet Assigned Numbers Authority (IANA) website: http://www.iana.org/assignments/ipfix/ipfix.xhtml. Figure 5-12 shows an example of a template that includes different information element lengths and the association with the respective data set of flow records.

[Diagram of Detailed IPFIX Template Example, including template ID, data set, flow records.]

### Option Templates

Option templates are a different type of IPFIX template used to define records, referred to as options, that are associated with a specified scope. A scope may define an entity in the IPFIX architecture, including the exporting process, other templates, or a property of a collection of flows. Flow records describe flows, whereas option records define things other than flows, such as the following:

- Information about the collection infrastructure
- Metadata about flows or a set of flows
- Other properties of a set of flows

### Understanding the Stream Control Transmission Protocol (SCTP)

IPFIX uses SCTP, which provides a packet transport service designed to support several features beyond TCP or UDP capabilities. These features include the following:

- Packet streams
- Partial reliability (PR) extension
- Unordered delivery of packets or records
- Transport layer multihoming

SCTP is often described as having a simpler state machine than TCP, with an "a la carte" selection of features. PR-SCTP provides a reliable transport with a mechanism to skip packet retransmissions.
It allows multiple applications with different reliability requirements to run on the same flow association. In other words, it combines the best-effort delivery of UDP with TCP-like congestion control. SCTP ensures that IPFIX templates are sent reliably while improving end-to-end delay. RFC 6526 introduces additional features such as per-template drop counting with partial reliability and fast template reuse.

### Exploring Application Visibility and Control (AVC) and NetFlow

The Cisco Application Visibility and Control (AVC) solution is a collection of services available in several Cisco network infrastructure devices to provide application-level classification, monitoring, and traffic control. The Cisco AVC solution is supported by the Cisco Integrated Services Routers (ISR), Cisco ASR 1000 Series Aggregation Services Routers (ASR 1000s), and Cisco Wireless LAN Controllers (WLCs). Cisco AVC provides the following capabilities:

- Application recognition
- Metrics collection and exporting
- Management and reporting systems
- Network traffic control

### Application Recognition

Cisco AVC uses the existing Cisco Network-Based Application Recognition Version 2 (NBAR2) deep packet inspection (DPI) technology to identify a wide variety of applications within the network traffic flow, using Layer 3 to Layer 7 data. NBAR works with QoS features to help ensure that the network bandwidth is best used to fulfill its primary objectives. The benefits of combining these features include the ability to guarantee bandwidth to critical applications, limit bandwidth to other applications, drop selected packets to avoid congestion, and mark packets appropriately so that both the network and the service provider's network can provide QoS from end to end.

### Metrics Collection and Exporting

Cisco AVC includes an embedded monitoring agent that is combined with NetFlow to provide a wide variety of network metrics data.
The types of metrics the monitoring agent collects include the following:

- TCP performance metrics such as bandwidth usage, response time, and latency
- VoIP performance metrics such as packet loss and jitter

These metrics are collected and exported in NetFlow v9 or IPFIX format to a management and reporting system. In Cisco IOS and Cisco IOS-XE routers, metrics records are sent out directly from the data plane when possible, to maximize system performance. However, if more complex processing is required on the Cisco AVC-enabled device, such as when the user requests that a router keep a history of exported records, the records may be exported from the route processor at a lower speed.

You can use QoS capabilities to control application prioritization. Protocol discovery features in Cisco AVC show you the mix of applications currently running on the network. This helps you define QoS classes and policies, such as how much bandwidth to provide to mission-critical applications and which protocols should be policed. Per-protocol bidirectional statistics are available, such as packet and byte counts as well as bit rates. After administrators classify the network traffic, they can apply the following QoS features:

- Class-based weighted fair queuing (CBWFQ) for guaranteed