====== IPv6 Security Lab - Netflow ====== ===== Exploring Netflow ===== Netflow identifies anomalous and security-related network activity by tracking network flows. NetFlow data can be viewed and analysed via the command line interface (CLI), or the data can be exported to a commercial or freeware NetFlow collector for aggregation and analysis. NetFlow collectors, through long-term trending, can provide network behaviour and usage analysis. NetFlow functions by performing analysis on specific attributes within IP packets and creating flows. Version 5 is the most commonly used version of NetFlow, however, version 9 is more extensible and is required to support IPv6. NetFlow flows can be created using sampled traffic data in high-volume environments. Cisco Express Forwarding (CEF) is a prerequisite to enabling NetFlow. NetFlow can be configured on routers and switches. In older releases of Cisco IOS software, the command to enable NetFlow on an interface was: ip route-cache flow In newer releases of Cisco IOS (12.4 onwards), the command has been replaced by: ip flow {ingress | egress} The following configuration illustrates the basic configuration of this feature. ip flow-export destination ip flow-export version ! interface fastethernet 0/0 ip flow ingress ip flow egress ! The following is an example of NetFlow output from the router command line interface. The ''SrcIf'' attribute can aid in traceback. router#show ip cache flow IP packet size distribution (26662860 total packets): 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480 .741 .124 .047 .006 .005 .005 .002 .008 .000 .000 .003 .000 .001 .000 .000 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 .000 .000 .001 .007 .039 .000 .000 .000 .000 .000 .000 IP Flow Switching Cache, 4456704 bytes 55 active, 65481 inactive, 1014683 added 41000680 ager polls, 0 flow alloc failures Active flows timeout in 2 minutes Inactive flows timeout in 60 seconds IP Sub Flow Cache, 336520 bytes 110 active, 16274 inactive, 2029366 added, 1014683 added to flow 0 alloc failures, 0 force free 1 chunk, 15 chunks added last clearing of statistics never Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec) -------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow TCP-Telnet 11512 0.0 15 42 0.2 33.8 44.8 TCP-FTP 5606 0.0 3 45 0.0 59.5 47.1 TCP-FTPD 1075 0.0 13 52 0.0 1.2 61.1 TCP-WWW 77155 0.0 11 530 1.0 13.9 31.5 TCP-SMTP 8913 0.0 2 43 0.0 74.2 44.4 TCP-X 351 0.0 2 40 0.0 0.0 60.8 TCP-BGP 114 0.0 1 40 0.0 0.0 62.4 TCP-NNTP 120 0.0 1 42 0.0 0.7 61.4 TCP-other 556070 0.6 8 318 6.0 8.2 38.3 UDP-DNS 130909 0.1 2 55 0.3 24.0 53.1 UDP-NTP 116213 0.1 1 75 0.1 5.0 58.6 UDP-TFTP 169 0.0 3 51 0.0 15.3 64.2 UDP-Frag 1 0.0 1 1405 0.0 0.0 86.8 UDP-other 86247 0.1 226 29 24.0 31.4 54.3 ICMP 19989 0.0 37 33 0.9 26.0 53.9 IP-other 193 0.0 1 22 0.0 3.0 78.2 Total: 1014637 1.2 26 99 32.8 13.8 43.9 SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts Gi0/1 192.168.128.21 Local 192.168.128.20 11 CB2B 07A 3 Gi0/1 192.168.150.60 Gi0/0 10.89.17.146 06 0016 101F 55 Gi0/0 10.89.17.146 Gi0/1 192.168.150.60 06 101F 0016 9 Gi0/1 192.168.150.60 Local 192.168.206.20 01 0000 0303 11 Gi0/0 10.89.17.146 Gi0/1 192.168.150.60 06 07F1 0016 1 ===== Netflow for IPv4 ===== To get some practice, we will first turn on Netflow for IPv4. The IPv4 command set uses Cisco’s original Netflow configuration. For IPv6 flow information, we can only use Flexible Netflow, and we will try that out in the next section. ==== Activating Netflow for IPv4 ==== Each Group should turn on Netflow on the border router of their AS. To do this, simply go to the border interface and do something similar to this: interface fastethernet 0/0 ip flow ingress ip flow egress ! Once this has been running for a few minutes, commands like “show ip cache flow” will display output similar to that from the introduction above. To create traffic for Netflow to see, try some ICMPs, traceroutes, and even telnet or ssh to other routers in the lab. This will generate traffic, and the info will persist in Netflow’s cache for a few minutes. ==== Top talkers in Netflow ==== Each team should also configure a set of top-talkers, to see what the busiest source and destinations are. Try this configuration: ip flow-top-talkers top 20 sort-by bytes This displays the top 20 talkers, sorting them in descending order of bytes transferred. Try some of the other CLI options available under the ip flow-top-talkers configurations. There are many match options: gw(config-flow-top-talkers)# match ? byte-range Match a range of bytes class-map Match a class destination Match destination criteria direction Match direction flow-sampler Match a flow sampler input-interface Match input interface nexthop-address Match next hop output-interface Match output interface packet-range Match a range of packets protocol Match protocol source Match source criteria tos Match TOS Try some of these and see what happens to the output. ===== Netflow for IPv6 ===== Cisco IOS used to support IPv6 with standard Netflow. But this was only briefly the case in IOS 12.3 and 12.4. From 12.4T onwards, IPv6 support in Netflow was replaced by Flexible Netflow for IPv6 (it is also available for IPv4). ==== Activating Netflow for IPv6 ==== The configuration syntax for Flexible Netflow is somewhat different and a lot more sophisticated. First off we need to create Flow Monitors for our incoming and outgoing Netflow captures. Here is an example flow monitor FLOW-MONITOR-V6-IN cache timeout active 300 record netflow ipv6 original-input ! flow monitor FLOW-MONITOR-V6-OUT cache timeout active 300 record netflow ipv6 original-output ! And then we apply these flow monitors to the interface we want to monitor: interface FastEthernet0/0 ipv6 flow monitor FLOW-MONITOR-V6-IN input ipv6 flow monitor FLOW-MONITOR-V6-OUT output ! ==== Top talkers in Flexible Netflow ==== The top talkers in the Flexible Netflow configuration is somewhat different – there is no need to create a specific stanza to set up the top talkers as the router can simply display the top talkers from the command line. Here is an example show flow monitor FLOW-MONITOR-V6-OUT cache aggregate \ ipv6 source address ipv6 destination address sort counter \ bytes top 20 This is all one command line and displays the top 20 talkers for outbound traffic, sorting them in descending order of bytes transferred. The command above can be modified to look at the inbound traffic also, by using the inbound flow monitor. ===== Summary ===== While this exercise has shown how to set up Netflow for both IPv4 and IPv6, it has a more serious aspect. It is possible for a network operator to very simply see what traffic is traversing their network. If it very easy to spot malicious activity, scanning, etc, simply by looking at the flow data and searching for particular signatures (tcp or udp ports, addresses, etc). This makes Netflow a valuable security tool for all network operators, whether they are running an IPv4-only network, or are dual stack IPv4 and IPv6. Try some of the other CLI options available under the ''show flow monitor'' command. [[:training:apricot2019:agenda| Back to Agenda page]]