Although NetFlow support was technically introduced in version 8.1, I still find it exciting and relatively new. It's a feature that I believe everyone should use. I have also found that administrators are not aware of it. Cisco Systems created NetFlow to let users export information about IP flows in order to monitor and audit network traffic. The following fields are what define a flow:

* Source IP address and destination IP address
* Source port number and destination port number
* IP protocol number
* Ingress interface
* Type of service
A good analogy for NetFlow data is the monthly bill from my cellular provider: I can see whom I spoke with, when I communicated with them, what time it was, and whether it was via text or phone. NetFlow is not an IP log or a complete capture of all data; it is information about data flows. These flows are collected, and statistics are then derived from them. For example: when is your peak traffic hour? What are your top protocols? Who are your top talkers? Who is moving the most data? What protocols or ports were first seen today (botnet communication detection)?
Administrators will find NetFlow data extremely useful: it provides a window into network conditions. Once the flows are archived to a database, you can also gain insight into the time and frequency of communication between hosts over days, weeks or years. If a host has been compromised and is communicating with a command-and-control point, we can query all stored flows to determine whether any other hosts are communicating with the same control point, for how long, and what data has been accessed.
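The questions in the two paragraphs above (peak hour, top protocols, top talkers, ports first seen today, and which other hosts talk to a known control point) are all simple aggregations over stored flow records. The following Python is an added example, not code from the original post or from any collector product; it runs over a small constructed set of flow records with the flow-key fields the article lists plus a start time and byte count, as a collector would store them. Note that NetFlow gives you volume and timing of communication, not the content that was transferred.

```python
from collections import Counter, namedtuple
from datetime import datetime

# One stored flow record: the flow-key fields from the article plus the
# start timestamp and byte count a collector keeps alongside them.
Flow = namedtuple("Flow", "start src_ip dst_ip src_port dst_port proto ingress tos bytes")

# Constructed sample records (not real traffic). 198.51.100.77:6667 plays the
# role of a known command-and-control point for the query at the bottom.
SAMPLE_FLOWS = [
    Flow("2024-05-01 09:05:00", "10.0.0.5",  "93.184.216.34", 51000,  443,  6, "inside", 0, 120000),
    Flow("2024-05-01 09:12:00", "10.0.0.7",  "93.184.216.34", 51002,  443,  6, "inside", 0,  80000),
    Flow("2024-05-01 13:40:00", "10.0.0.5",  "10.0.0.2",      51010,   53, 17, "inside", 0,    300),
    Flow("2024-05-01 13:41:00", "10.0.0.9",  "198.51.100.77", 51020, 6667,  6, "inside", 0,   2500),
    Flow("2024-05-01 13:55:00", "10.0.0.9",  "198.51.100.77", 51021, 6667,  6, "inside", 0,   4000),
    Flow("2024-05-01 14:02:00", "10.0.0.11", "198.51.100.77", 51030, 6667,  6, "inside", 0,    900),
    Flow("2024-05-01 14:10:00", "10.0.0.7",  "203.0.113.10",  51040,   22,  6, "inside", 0,  50000),
]


def _ts(flow):
    return datetime.strptime(flow.start, "%Y-%m-%d %H:%M:%S")


def top_talkers(flows, n=3):
    """Source hosts ranked by bytes sent: 'who is moving the most data?'"""
    by_host = Counter()
    for f in flows:
        by_host[f.src_ip] += f.bytes
    return by_host.most_common(n)


def peak_hour(flows):
    """Hour of day (0-23) carrying the most bytes, with that byte total."""
    by_hour = Counter()
    for f in flows:
        by_hour[_ts(f).hour] += f.bytes
    return by_hour.most_common(1)[0]


def top_protocols(flows):
    """IP protocol numbers ranked by flow count."""
    return Counter(f.proto for f in flows).most_common()


def new_destination_ports(flows, baseline_ports):
    """Destination ports present today but absent from the baseline: the
    'first seen today' check the article suggests for spotting botnet traffic."""
    return sorted({f.dst_port for f in flows} - set(baseline_ports))


def hosts_contacting(flows, remote_ip):
    """Every internal host that talked to remote_ip, with first/last contact,
    flow count and bytes sent: the query you run once one host is known
    to be compromised, to find the others talking to the same control point."""
    summary = {}
    for f in sorted(flows, key=_ts):
        if f.dst_ip != remote_ip:
            continue
        entry = summary.setdefault(
            f.src_ip, {"first_seen": f.start, "last_seen": f.start, "flows": 0, "bytes": 0}
        )
        entry["last_seen"] = f.start
        entry["flows"] += 1
        entry["bytes"] += f.bytes
    return summary


if __name__ == "__main__":
    print("top talkers:", top_talkers(SAMPLE_FLOWS))
    print("peak hour:", peak_hour(SAMPLE_FLOWS))
    print("top protocols:", top_protocols(SAMPLE_FLOWS))
    print("new ports vs baseline:", new_destination_ports(SAMPLE_FLOWS, {443, 53, 22}))
    for host, info in hosts_contacting(SAMPLE_FLOWS, "198.51.100.77").items():
        print(host, info)
```

The baseline handed to `new_destination_ports` would in practice be the set of ports seen over the previous weeks of archived flows, which is why the article's advice to archive to a database matters: the "first seen" question cannot be answered from today's data alone.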
My opinion is that NetFlow collection may be of use to you. While I cannot cover all the capabilities of NetFlow in this article, I can suggest that you explore them in the future. You may also find it useful to know that the ASA exports data in NetFlow V9 format (NetFlow Secure Event Logging). I won't go into detail about the differences between the formats, but I will say that the central logging point, the collector, must support NetFlow V9. Although NetFlow V9 isn't widely supported, Plixer offers a product called Scrutinizer that supports both the ASA and NetFlow V9. Scrutinizer has been a great tool. Many of you will be pleased to learn that Scrutinizer also comes in a free version.
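The reason a collector must specifically support V9 is that, unlike the fixed-layout V5, a V9 export is template driven: the exporter first sends a template flowset describing the fields and their lengths, and only then data flowsets that can be decoded with that template. The Python below is an added example of a minimal V9 decoder written for this article, not code from Plixer, Cisco or the original post. It builds a constructed export packet using the standard V9 field types for the flow-key fields the article lists (IPv4 source/destination address, L4 ports, protocol, input interface and TOS), then decodes it. The ASA's own NSEL templates carry additional ASA-specific fields that this example does not model.

```python
import socket
import struct

# Standard NetFlow V9 field types (RFC 3954) for the fields the article names.
FIELD_NAMES = {
    4: "protocol", 5: "tos", 7: "src_port", 8: "src_ip",
    10: "ingress_if", 11: "dst_port", 12: "dst_ip",
}
HEADER_FMT = ">HHIIII"  # version, count, sys_uptime, unix_secs, sequence, source_id


def build_sample_packet():
    """Constructed V9 export: one template flowset (id 0) defining template 256,
    followed by one data flowset (id 256) holding two flow records."""
    template_fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 2), (5, 1)]
    template = struct.pack(">HH", 256, len(template_fields)) + b"".join(
        struct.pack(">HH", ftype, flen) for ftype, flen in template_fields
    )
    template_flowset = struct.pack(">HH", 0, 4 + len(template)) + template

    def record(src, dst, sport, dport, proto, ifindex, tos):
        return (socket.inet_aton(src) + socket.inet_aton(dst)
                + struct.pack(">HHBHB", sport, dport, proto, ifindex, tos))

    data = (record("10.0.0.5", "93.184.216.34", 51000, 443, 6, 2, 0)
            + record("10.0.0.9", "198.51.100.77", 51020, 6667, 6, 2, 0))
    padding = (-len(data)) % 4  # flowsets are padded to a 4-byte boundary
    data_flowset = struct.pack(">HH", 256, 4 + len(data) + padding) + data + b"\x00" * padding

    # count = template records + data records in the packet (1 + 2)
    header = struct.pack(HEADER_FMT, 9, 3, 123456, 1714554300, 1, 0)
    return header + template_flowset + data_flowset


def decode_field(ftype, raw):
    if ftype in (8, 12):
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Decode one export packet. `templates` is the collector's cache, keyed by
    (source_id, template_id), and persists across packets because the exporter
    resends templates only periodically. Data flowsets whose template has not
    been seen yet are skipped, which is what a real collector must do too."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack(HEADER_FMT, packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow V9 packet")
    records = []
    offset = 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack(">HH", packet[offset:offset + 4])
        if length < 4:
            raise ValueError("malformed flowset length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:  # template flowset, may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack(">HH", body[pos:pos + 4])
                pos += 4
                if nfields == 0:  # hit padding
                    break
                fields = []
                for _ in range(nfields):
                    fields.append(struct.unpack(">HH", body[pos:pos + 4]))
                    pos += 4
                templates[(source_id, tid)] = fields
        elif flowset_id >= 256:  # data flowset, id is the template id
            tmpl = templates.get((source_id, flowset_id))
            if tmpl is not None:
                rec_len = sum(flen for _, flen in tmpl)
                pos = 0
                while pos + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in tmpl:
                        name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                        rec[name] = decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        offset += length
    return records


if __name__ == "__main__":
    cache = {}
    for rec in parse_v9(build_sample_packet(), cache):
        print(rec)
```

Because the template cache is keyed by exporter source ID, two ASAs that both use template 256 with different layouts do not collide, and a data flowset that arrives before its template is dropped rather than misdecoded; a collector without V9 template handling has no way to interpret those records at all.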
