Introduction

Cisco NetFlow is now the primary network accounting technology in the industry, and the visibility it provides into network traffic is an indispensable tool for network and security professionals. Faced with new operational requirements and a growing list of cyber security problems, network operators and security teams need to understand how their networks actually behave. Cisco NetFlow gives network administrators and security professionals the data to answer who, what, when, where, and how traffic is flowing across the network.

Who Should Read This Book?

This book serves as a comprehensive guide for any network or security professional who manages network security, or who installs and configures network security features to gain additional visibility. It covers topics from an introductory level through advanced material on Cisco NetFlow, Cisco Cyber Threat Defense, and big data analytics tools such as Logstash, Kibana, Elasticsearch, and many others.

How This Book Is Organized

The following is an overview of how this book is organized:

Chapter 1, “Introduction to NetFlow and IPFIX”: This chapter provides an overview of Cisco NetFlow and IPFIX. NetFlow and IPFIX provide a key set of services for IP applications, including network traffic accounting, usage-based network billing, network planning, security, denial-of-service monitoring, and general network monitoring. NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow, on which the IETF IPFIX standard is based, and is the leader in IP traffic flow technology.

Chapter 2, “Cisco NetFlow Versions and Features”: This chapter covers the different Cisco NetFlow versions and the features available in each. It also covers the NetFlow v9 export format and packet details, and includes a detailed comparison between NetFlow and IPFIX.

Chapter 3, “Cisco Flexible NetFlow”: Flexible NetFlow extends traditional NetFlow with user-defined flow records, so operators choose exactly which key and non-key fields are collected and exported. This improves capacity planning and security detection beyond what fixed-format flow technologies offer, and can reduce the cost of collecting and storing flow data. This chapter introduces Cisco Flexible NetFlow, covers its components and fields, and provides step-by-step guidance on configuring Flexible NetFlow in Cisco IOS Software.

Chapter 4, “NetFlow Commercial and Open Source Monitoring and Analysis Software Packages”: This chapter provides details about the top commercial NetFlow analyzers. It also provides detailed information about the top open source NetFlow analyzers, including SiLK, Flow-tools, FlowScan, NTop, EHNT, BPFT, and Cflowd, as well as general-purpose analytics tools such as Logstash, Kibana, and Elasticsearch that can be used on NetFlow data.

Chapter 5, “Big Data Analytics and NetFlow”: Big data analytics is a key and growing trend in network security, monitoring, and troubleshooting. Cisco NetFlow is a source of relevant big data that customers should be analyzing to improve the performance, stability, and security of their networks. This chapter describes how NetFlow is used in big data analytics for cyber security, alongside other network telemetry such as firewall logs, syslog, SNMP, and authentication, authorization, and accounting (AAA) logs, in addition to logs from routers, switches, servers, and endpoints, among others.

Chapter 6, “Cisco Cyber Threat Defense and NetFlow”: Cisco has partnered with Lancope to deliver a solution that provides visibility into security threats by identifying suspicious traffic patterns in the corporate network. These patterns are then augmented with the contextual information needed to determine the level of threat associated with a particular incident, so that a network administrator or security professional can analyze advanced cyber threats in a timely, efficient, and cost-effective manner. The Cisco Cyber Threat Defense Solution uses the Lancope StealthWatch System to analyze NetFlow information from Cisco switches, routers, and Cisco ASA 5500 Next-Generation Firewalls to detect advanced and persistent threats such as internally spreading malware, data leakage, botnet command-and-control traffic, and network reconnaissance. Cisco ISE supplements StealthWatch's NetFlow-based behavioral threat detection with contextual information such as user identity, user authorization level, device type, and posture. This chapter provides detailed coverage of the solution, along with design and configuration guidance for deploying it.

Chapter 7, “Troubleshooting NetFlow”: This chapter focuses on the techniques and best practices for troubleshooting NetFlow deployments and configurations. It assumes that you already understand the topics covered in the previous chapters, such as configuring and deploying NetFlow on all supported devices.

Chapter 8, “Case Studies”: This chapter covers several case studies and real-life scenarios showing how NetFlow is deployed in large enterprises and in small and medium-sized businesses.
