Network Security with NetFlow and IPFIX: Big Data Analytics for Information Security

Book Description

A comprehensive guide for deploying, configuring, and troubleshooting NetFlow and learning big data analytics technologies for cyber security

Today’s networks face a constant stream of vulnerabilities, incidents, and breaches. Visibility into the network is indispensable for network and security professionals, and Cisco NetFlow gives them the tools to understand who, what, when, where, and how traffic is flowing.

Network Security with NetFlow and IPFIX is a key resource for getting started with, and understanding the power behind, the Cisco NetFlow solution. Omar Santos, a Cisco Product Security Incident Response Team (PSIRT) technical leader and author of numerous books including the CCNA Security 210-260 Official Cert Guide, details the importance of NetFlow and demonstrates how it can be used by large enterprises and small-to-medium-sized businesses to meet critical network challenges. This book also examines NetFlow’s potential as a powerful network security tool.

Network Security with NetFlow and IPFIX explores everything you need to know to fully understand and implement the Cisco Cyber Threat Defense Solution. It also provides detailed configuration and troubleshooting guidance, sample configurations with in-depth analysis of design scenarios in every chapter, and detailed case studies based on real-life scenarios.

You can follow Omar on Twitter: @santosomar

  • NetFlow and IPFIX basics

  • Cisco NetFlow versions and features

  • Cisco Flexible NetFlow

  • NetFlow Commercial and Open Source Software Packages

  • Big Data Analytics tools and technologies such as Hadoop, Flume, Kafka, Storm, Hive, HBase, Elasticsearch, Logstash, Kibana (ELK)

  • Additional Telemetry Sources for Big Data Analytics for Cyber Security

  • Understanding big data scalability

  • Big data analytics in the Internet of everything

  • Cisco Cyber Threat Defense and NetFlow

  • Troubleshooting NetFlow

  • Real-world case studies

  • Table of Contents

    1. About This eBook
    2. Title Page
    3. Copyright Page
    4. About the Author
    5. About the Technical Reviewers
    6. Dedication
    7. Acknowledgments
    8. Contents at a Glance
    9. Contents
    10. Command Syntax Conventions
    11. Introduction
      1. Who Should Read This Book?
      2. How This Book Is Organized
    12. Chapter 1. Introduction to NetFlow and IPFIX
      1. Introduction to NetFlow
        1. The Attack Continuum
        2. The Network as a Sensor and as an Enforcer
        3. What Is a Flow?
      2. NetFlow Versus IP Accounting and Billing
      3. NetFlow for Network Security
        1. Anomaly Detection and DDoS Attacks
        2. Data Leak Detection and Prevention
        3. Incident Response and Network Security Forensics
      4. Traffic Engineering and Network Planning
      5. IP Flow Information Export
        1. IPFIX Architecture
        2. IPFIX Mediators
        3. IPFIX Templates
        4. Introduction to the Stream Control Transmission Protocol (SCTP)
      6. Supported Platforms
      7. Introduction to Cisco Cyber Threat Defense
      8. Cisco Application Visibility and Control and NetFlow
        1. Application Recognition
        2. Metrics Collection and Exporting
        3. Management and Reporting Systems
        4. Control
      9. Deployment Scenarios
        1. Deployment Scenario: User Access Layer
        2. Deployment Scenario: Wireless LAN
        3. Deployment Scenario: Internet Edge
        4. Deployment Scenario: Data Center
        5. Public, Private, and Hybrid Cloud Environments
        6. Deployment Scenario: NetFlow in Site-to-Site and Remote VPNs
        7. NetFlow Collection Considerations and Best Practices
        8. Determining the Flows per Second and Scalability
      10. Summary
    13. Chapter 2. Cisco NetFlow Versions and Features
      1. NetFlow Versions and Respective Features
        1. NetFlow v1 Flow Header Format and Flow Record Format
        2. NetFlow v5 Flow Header Format and Flow Record Format
        3. NetFlow v7 Flow Header Format and Flow Record Format
      2. NetFlow Version 9
      3. NetFlow and IPFIX Comparison
      4. Summary
    14. Chapter 3. Cisco Flexible NetFlow
      1. Introduction to Cisco’s Flexible NetFlow
        1. Simultaneous Application Tracking
        2. Flexible NetFlow Records
        3. Flow Monitors
        4. Flow Exporters
        5. Flow Samplers
      2. Flexible NetFlow Configuration
        1. Configure a Flow Record
        2. Configuring a Flow Monitor for IPv4 or IPv6
        3. Configuring a Flow Exporter for the Flow Monitor
        4. Applying a Flow Monitor to an Interface
      3. Flexible NetFlow IPFIX Export Format
      4. Summary
    15. Chapter 4. NetFlow Commercial and Open Source Monitoring and Analysis Software Packages
      1. Commercial NetFlow Monitoring and Analysis Software Packages
        1. Lancope’s StealthWatch Solution
        2. Plixer’s Scrutinizer
      2. Open Source NetFlow Monitoring and Analysis Software Packages
        1. NFdump
        2. NfSen
        3. SiLK
        4. Elasticsearch, Logstash, and Kibana Stack
      3. Summary
    16. Chapter 5. Big Data Analytics and NetFlow
      1. Introduction to Big Data Analytics for Cyber Security
        1. What Is Big Data?
        2. Unstructured Versus Structured Data
        3. Extracting Value from Big Data
      2. NetFlow and Other Telemetry Sources for Big Data Analytics for Cyber Security
      3. OpenSOC
        1. Hadoop
        2. Flume
        3. Kafka
        4. Storm
        5. Hive
        6. Elasticsearch
        7. HBase
        8. Third-Party Analytic Tools
        9. Other Big Data Projects in the Industry
      4. Understanding Big Data Scalability: Big Data Analytics in the Internet of Everything
      5. Summary
    17. Chapter 6. Cisco Cyber Threat Defense and NetFlow
      1. Overview of the Cisco Cyber Threat Defense Solution
      2. The Attack Continuum
        1. Cisco CTD Solution Components
        2. NetFlow Platform Support
      3. Deploying the Lancope StealthWatch System
        1. Deploying StealthWatch FlowCollectors
        2. StealthWatch FlowReplicators
        3. StealthWatch Management Console
      4. Deploying NetFlow Secure Event Logging in the Cisco ASA
        1. Deploying NSEL in Cisco ASA Configured for Clustering
        2. Configuring NSEL in the Cisco ASA
      5. Configuring NetFlow in the Cisco Nexus 1000V
        1. Defining a Flow Record
        2. Defining the Flow Exporter
        3. Defining a Flow Monitor
        4. Applying the Flow Monitor to an Interface
      6. Configuring NetFlow in the Cisco Nexus 7000 Series
      7. Configuring the Cisco NetFlow Generation Appliance
        1. Initializing the Cisco NGA
        2. Configuring NetFlow in the Cisco NGA via the GUI
        3. Configuring NetFlow in the Cisco NGA via the CLI
      8. Additional Cisco CTD Solution Components
        1. Cisco ASA 5500-X Series Next-Generation Firewalls and the Cisco ASA with FirePOWER Services
        2. Next-Generation Intrusion Prevention Systems
        3. FireSIGHT Management Center
        4. AMP for Endpoints
        5. AMP for Networks
        6. AMP Threat Grid
        7. Email Security
        8. Web Security
        9. Cisco Identity Services Engine
      9. Summary
    18. Chapter 7. Troubleshooting NetFlow
      1. Troubleshooting Utilities and Debug Commands
      2. Troubleshooting NetFlow in Cisco IOS and Cisco IOS XE Devices
        1. Cisco IOS Router Flexible NetFlow Configuration
        2. Troubleshooting Communication Problems with the NetFlow Collector
        3. Additional Useful Troubleshooting Debug and Show Commands
      3. Troubleshooting NetFlow in Cisco NX-OS Software
      4. Troubleshooting NetFlow in Cisco IOS-XR Software
        1. Flow Exporter Statistics and Diagnostics
        2. Flow Monitor Statistics and Diagnostics
        3. Displaying NetFlow Producer Statistics in Cisco IOS-XR
        4. Additional Useful Cisco IOS-XR Show Commands
      5. Troubleshooting NetFlow in the Cisco ASA
      6. Troubleshooting NetFlow in the Cisco NetFlow Generation Appliance
        1. Gathering Information About Configured NGA Managed Devices
        2. Gathering Information About the Flow Collector
        3. Gathering Information About the Flow Exporter
        4. Gathering Information About Flow Records
        5. Gathering Information About the Flow Monitor
        6. Show Tech-Support
        7. Additional Useful NGA show Commands
      7. Summary
    19. Chapter 8. Case Studies
      1. Using NetFlow for Anomaly Detection and Identifying DoS Attacks
        1. Direct DDoS Attacks
        2. Reflected DDoS Attacks
        3. Amplification Attacks
        4. Identifying DDoS Attacks Using NetFlow
        5. Using NetFlow in Enterprise Networks to Detect DDoS Attacks
        6. Using NetFlow in Service Provider Networks to Detect DDoS Attacks
      2. Using NetFlow for Incident Response and Forensics
        1. Credit Card Theft
        2. Theft of Intellectual Property
      3. Using NetFlow for Monitoring Guest Users and Contractors
      4. Using NetFlow for Capacity Planning
      5. Using NetFlow to Monitor Cloud Usage
      6. Summary
    20. Index
    21. Code Snippets
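The Chapter 3 contents above name the four-step Flexible NetFlow procedure (flow record, flow exporter, flow monitor, apply to an interface) and Chapter 7 names the exporter and monitor show commands used to verify it. The following Cisco IOS / IOS XE configuration is an added illustration of that procedure and is not code from the book. The record, exporter, and monitor names, the collector address 192.0.2.10 on UDP port 2055, the Loopback0 source, and the GigabitEthernet0/1 interface are all assumptions chosen for the example.

```cisco
! Added example, not from the book. Assumed: collector 192.0.2.10 listening on
! UDP 2055, Loopback0 as export source, GigabitEthernet0/1 as monitored interface.

! Step 1. Flow record. "match" fields are the key that defines a flow;
! "collect" fields are accumulated per flow. Including TCP flags and the
! input interface gives the collector what it needs for scan/DDoS analysis.
flow record SEC-RECORD
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect transport tcp flags

! Step 2. Flow exporter. Export as IPFIX over UDP; resend the template every
! 60 seconds so a restarted collector can decode records without waiting.
flow exporter SEC-EXPORTER
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
 export-protocol ipfix
 template data timeout 60

! Step 3. Flow monitor. Binds record and exporter and sets the cache timeouts.
! A short active timeout exports long-lived flows (e.g. a slow exfiltration
! session) every 60 seconds instead of only when the flow ends.
flow monitor SEC-MONITOR
 record SEC-RECORD
 exporter SEC-EXPORTER
 cache timeout active 60
 cache timeout inactive 15

! Step 4. Apply the monitor to the interface, both directions.
interface GigabitEthernet0/1
 ip flow monitor SEC-MONITOR input
 ip flow monitor SEC-MONITOR output

! Verification: confirm flows are being cached and that records actually
! leave the box (a non-zero "Ok" count and no growing error counters).
show flow monitor SEC-MONITOR cache
show flow monitor SEC-MONITOR statistics
show flow exporter SEC-EXPORTER statistics
```

Two practitioner caveats: NetFlow and IPFIX over UDP carry no authentication, so the export path should be a management network or ACL-restricted so that only the router's source address reaches the collector port; and if `show flow exporter statistics` shows records sent while the collector sees nothing, check the path from the chosen source interface (here Loopback0) rather than the data interface, since the source address is what the collector will see.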