Index

A

ACI (Application Centric Infrastructure) in data center, 30

Adaptive Security Device Manager (ASDM), 153-155

adjusting NetFlow timers in Cisco Nexus 7000 (example 6-18), 166

Ambari, 126

AMP (Advanced Malware Protection), 3

AMP for Endpoints, 175-176

AMP for Networks, 176

AMP ThreatGRID, 176-177

amplification attacks, 249-250

anomaly detection, 8-9

antivirus software, 174-175

Apache Flume, 119-120

Apache Hadoop, 116-118

Apache HBase, 124-125

Apache Hive, 122-123

Apache Kafka, 120-121

Apache Storm, 121-122

appliances

FlowCollector, 145

SMC (StealthWatch Management Console), 147

Application Centric Infrastructure (ACI) in data center, 30

application control, 23-24

application recognition, 22

Application Visibility and Control (AVC). See Cisco AVC (Application Visibility and Control)

applications, Flexible NetFlow key fields, 63

applying flow monitor to interface

in Cisco Nexus 1000V, 164

Flexible NetFlow, 73

applying NetFlow monitor and sampler (example 6-20), 166

apt package database update (example 4-7), 95

ASA 5500-X series, 3

ASA 5585-X Adaptive Security Appliances, 3

ASDM (Adaptive Security Device Manager), 153-155

attack continuum, 2-3, 130-131. See also denial-of-service (DoS) attacks; distributed denial-of-service (DDoS) attacks

AVC (Application Visibility and Control). See Cisco AVC (Application Visibility and Control)

Avro, 126

B

back doors, 174

bag manipulation tools in SiLK, 88-89

BDAS (Berkeley Data Analytics Stack), 126

best practices, 35-36

big data, 111-112

unstructured versus structured data, 112-113

big data analytics, 111

Hadoop-related projects, 126

IoE (Internet of Everything), 127

OpenSOC, 115

benefits of, 115-116

components, 116

Elasticsearch, 123-124

Flume, 119-120

Hadoop, 116-118

HBase, 124-125

Hive, 122-123

Kafka, 120-121

Storm, 121-122

third-party tools, 125-126

telemetry sources, 114-115

types of, 113-114

botnets, 8, 172

BYOD (bring your own device), 187

C

cache (NetFlow), 4

types of, 6

Caligare, 75

capacity planning, 14-15, 267-269

capture command (example 7-45), 230

CAPWAP (Control and Provisioning of Wireless Access Points), 26

case studies

capacity planning, 267-269

credit card theft, 254-259

DDoS attack identification, 250-254

intellectual property theft, 259-262

monitoring cloud usage, 269-271

monitoring guest users and contractors, 262-267

Cassandra, 126

cflowd, 80

Chukwa, 126

Cisco AMP for Endpoints, 175-176

Cisco AMP for Networks, 176

Cisco AMP ThreatGRID, 176-177

Cisco ASA

clear logging command options, 193

logging buffer-size command, 193

logging buffered command, 191

logging timestamp command, 194

models, list of, 148

NetFlow support, 140

NSEL

configuration, 153-160

deploying in cluster configuration, 151-153

flow events, 149-151

show logging command, 191

troubleshooting, 228-234

Cisco ASA 5500-X Series Next-Generation Firewalls, 171-172

Cisco ASA with FirePOWER Services, 171-172

Cisco AVC (Application Visibility and Control), 22

application control, 23-24

application recognition, 22

management and reporting systems, 23

metrics collection and exporting, 23

wireless LAN deployment scenario, 25-26

Cisco Cloud Email Security, 179

Cisco CSR (Cloud Services Router) 1000V deployment scenario, 32-33

Cisco CTD (Cyber Threat Defense) Solution, 21-22, 77, 129

AMP for Endpoints, 175-176

AMP for Networks, 176

AMP ThreatGRID, 176-177

Cisco ASA 5500-X Series Next-Generation Firewalls, 171-172

Cisco ASA with FirePOWER Services, 171-172

Cisco Cloud Email Security, 179

Cisco CWS, 185-186

Cisco ESA models, 177-179

Cisco Hybrid Email Security, 179-180

Cisco ISE, 186-187

Cisco SMA, 184-185

Cisco WSA, 180-183

components, 131-133

FireSIGHT Management Center, 173

Lancope StealthWatch System. See Lancope StealthWatch System

NetFlow configuration

in Cisco Nexus 1000V, 160-164

in Cisco Nexus 7000 series, 164-166

in Cisco NGA, 166-171

NGIPS, 172-173

NSEL. See NSEL (NetFlow Secure Event Logging)

Cisco CWS (Cloud Web Security), 185-186

Cisco ESA (email security appliances) models, 177-179

Cisco Feature Navigator, 21

Cisco FirePOWER 7000 series appliances, 172

Cisco FirePOWER 8000 series appliances, 172

Cisco FirePOWER 9300 series appliances, 172

Cisco FireSIGHT Management Center, 173

Cisco Flexible NetFlow. See Flexible NetFlow

Cisco Hybrid Email Security, 179-180

Cisco IOS devices

clear log command, 193

logging buffered command in, 190

service timestamps command, 193

show logging command, 192

troubleshooting

communication problems with NetFlow collector, 201-204

debugging flow records, 212-213

displaying flow exporter templates and export IDs, 207-212

preventing export storms, 213-214

sample configuration, 194-201

verifying flow monitor configuration, 204-206

Cisco IOS software

Flexible NetFlow support, 134

NetFlow support, 133

Cisco IOS-XE software, Flexible NetFlow support, 136

Cisco IOS-XR software

NetFlow support, 134

troubleshooting

architecture configuration, 217-219

flow exporter statistics and diagnostics, 219-222

flow monitor statistics and diagnostics, 222-226

flow producer statistics and diagnostics, 226-228

show commands, 228

Cisco ISE (Identity Services Engine), 77, 186-187

Cisco Nexus 1000V NetFlow configuration, 160-164

flow exporter definition, 162-163

flow monitor application to interface, 164

flow monitor definition, 163-164

flow record definition, 161-162

Cisco Nexus 7000 series NetFlow configuration, 164-166

flow exporter definition, 165

flow monitor application to interface, 164

flow monitor definition, 165

flow record definition, 165

timer adjustments, 166

Cisco NGA (NetFlow Generation Appliance)

configuration

initialization, 167-168

via CLI, 169-171

via GUI, 168-169

in data center, 30-31, 166-167

troubleshooting

flow collector information, 236-237

flow exporter information, 237

flow monitor information, 238-239

flow record information, 237-238

managed devices, 235

show commands, 245

show tech-support command, 239-245

Cisco NX-OS software

Flexible NetFlow support, 138

troubleshooting, 214-217

Cisco Platform Exchange Grid (pxGrid), 187

Cisco SenderBase, 178

Cisco SMA (Security Management Appliance), 184-185

Cisco VNI (Visual Networking Index), 112

Cisco WSA (Web Security Appliance), 180-183

ClamAV, 175

clear log command in Cisco IOS devices, 193

clear logging command options in Cisco ASA, 193

CLI (command-line interface)

Cisco NGA configuration, 169-171

NSEL configuration, 155-156

Cloud Email Security, 179

cloud environment deployment scenario, 32-33

cloud usage, monitoring, 269-271

Cloud Web Security (CWS), 185-186

clustering, NSEL deployment in, 151-153

Cognitive Security, 113

collecting process (CP), 16

commercial monitoring and analysis software packages

Lancope StealthWatch System, 76-79

list of, 75

Plixer International Scrutinizer, 79-80

communication problems with NetFlow collector, troubleshooting, 201-204

configuration

Cisco IOS-XR software, 217-219

Cisco NGA (NetFlow Generation Appliance)

initialization, 167-168

via CLI, 169-171

via GUI, 168-169

Flexible NetFlow, 66-67

distribution switches, 268

flow exporter configuration, 71-73

flow monitor application to interface, 73-74

flow monitor configuration for IPv4 or IPv6, 69-70

flow record configuration, 67-69

Internet-edge router, 251

flow monitors, verifying, 204-206

NetFlow

in Cisco Nexus 1000V, 160-164

in Cisco Nexus 7000 series, 164-166

NSEL, 153-160

with ASDM, 153-155

with CLI, 155-156

defining export policy, 157-159

disabling redundant syslog messages, 155-156

monitoring NSEL, 159-160

configuration files, SiLK, 87

contractors, monitoring, 262-267

Control and Provisioning of Wireless Access Points (CAPWAP), 26

counters, Flexible NetFlow non-key fields, 63

counting flow records with SiLK, 88

CP (collecting process), 16

CPU utilization, 190

credit card theft case study, 254-259

D

daemons, SiLK, 87

data center deployment scenario, 28-32

data FlowSets

definitions, 54

format, 54

data leak detection, 9

DDoS (distributed denial-of-service) attacks, 247

amplification attacks, 249-250

anomaly detection, 8-9

direct attacks, 248

identifying

in enterprise networks, 250-253

in service provider networks, 253-254

reflected attacks, 248-249

debug commands, 189-192

clear log command in Cisco IOS devices, 193

clear logging command options in Cisco ASA, 193

CPU utilization, 190

logging buffered command

in Cisco ASA, 191

in Cisco IOS devices, 190

logging buffer-size command in Cisco ASA, 193

logging timestamp command in Cisco ASA, 194

service timestamps command in Cisco IOS devices, 193

show logging command

in Cisco ASA, 191

in Cisco IOS devices, 192

debug flow exporter command, 202

options, 202

output, 209

debug flow monitor command output (example 7-28), 209

debug flow record command output (example 7-30), 212

debugging flow records, 212-213

defining flow collector (example 6-22), 170

defining flow exporter

in Cisco Nexus 1000V, 162

in Cisco Nexus 7000 series, 165

in Cisco NGA, 170

defining flow monitor

in Cisco Nexus 1000V, 163

in Cisco Nexus 7000 series

custom records, 165

original records, 165

in Cisco NGA, 170

defining flow record

in Cisco Nexus 1000V, 161

in Cisco Nexus 7000 series, 165

defining NSEL export policy (example 6-3), 159

denial-of-service (DoS) attacks, 247

deploying

FlowCollectors, 142-146

FlowReplicators, 146-147

NSEL in cluster configuration, 151-153

deployment scenarios, 24

cloud environment, 32-33

data center, 28-32

Internet edge, 26-28

user access layer, 24-25

VPNs, 33-35

wireless LAN, 25-26

direct DDoS attacks, 248

disabling redundant syslog messages (example 6-2), 157

displaying

export IDs, 207-212

flow exporter templates, 207-212

flow records

predefined Cisco Nexus 1000V records, 160

with SiLK, 87

distributed denial-of-service (DDoS) attacks. See DDoS (distributed denial-of-service) attacks

distribution switch Flexible NetFlow configuration (example 8-2), 268

DoS (denial-of-service) attacks, 247

downloaders, 174

E

east-to-west communication, 28

Elasticsearch, 92

installing, 96-105

in OpenSOC, 123-124

elasticsearch.yml configuration file (example 4-8), 96-105

ELK (Elasticsearch, Logstash and Kibana), 80, 92-109

deployment topology, 94

Elasticsearch, 92

installing, 96-105

installing, 95-96

Kibana, 93

installing, 105-106

Logstash, 92-93

installing, 107-109

Marvel and Shield, 94

Nginx, installing, 106-107

email security appliances (ESA) models, 177-179

email-based threats

Cisco Cloud Email Security, 179

Cisco ESA models, 177-179

Cisco Hybrid Email Security, 179-180

list of, 177

enforcer, network as, 4

enterprise networks, identifying DDoS attacks, 250-253

EP (exporting process), 16

ESA (email security appliances) models, 177-179

Evident Software Evident Analyze, 75

exabytes, 112

examples

adjusting NetFlow timers in Cisco Nexus 7000, 166

applying flow monitor to interface, 73, 164

applying NetFlow monitor and sampler, 166

apt package database update, 95

capture command, 230

clear logging command options in Cisco ASA, 193

configuring NSEL using the CLI, 155

configuring sampled NetFlow in Cisco Nexus 7000, 166

creating IPv4 flow record with key and non-key fields, 169

debug flow exporter and debug flow monitor command output, 209

debug flow exporter command, 202

debug flow exporter command options, 202

debug flow record command output, 212

debugging specific flow exporter, 203

defining flow collector, 170

defining flow exporter

in Cisco Nexus 1000V, 162

in Cisco Nexus 7000 series, 165

in Cisco NGA, 170

defining flow monitor

in Cisco Nexus 1000V, 163

in Cisco NGA, 170

with custom record in Cisco Nexus 7000, 165

with original record in Cisco Nexus 7000, 165

defining flow record

in Cisco Nexus 1000V, 161

in Cisco Nexus 7000 series, 165

defining NSEL export policy, 159

disabling redundant syslog messages, 157

displaying predefined flow records, 160

distribution switch Flexible NetFlow configuration, 268

elasticsearch.yml configuration file, 96-105

Flexible NetFlow configuration, 73

incorrectly configured logstash-netflow.conf file, 234

installing NFdump in Ubuntu, 81-82

Internet-edge router Flexible NetFlow configuration, 251

IPFIX export format enabled, 74

logging buffer-size command in Cisco ASA, 193

logging buffered command

in Cisco ASA, 191

in Cisco IOS devices, 190

nfcapd command usage, 83

nfcapd daemon command options, 84

nfdump man pages excerpt, 86

Oracle Java PPA installation, 95

ping command output, 203

preventing export storms, 214

processing and displaying nfcapd files with nfdump, 84

RTP-R1 Flexible NetFlow configuration, 195

service timestamps command, 193

show capture command output, 230

show capture netflow-cap detail command output, 231

show capture netflow-cap dump command output, 232

show flow collector command output, 236

show flow command options, 236

show flow exporter command output

in Cisco IOS and IOS XE devices, 201

in Cisco IOS-XR software, 220

in Cisco Nexus 1000V, 163

in Cisco NGA, 237

Flexible NetFlow, 72

show flow exporter export-ids netflow-v9 command output, 208

show flow exporter NX-OS command output, 215

show flow exporter option application table command output, 209

show flow exporter statistics command output, 202

show flow exporter templates command options, 207

show flow exporter templates command output, 207

show flow exporter-map command output in Cisco IOS-XR, 221

show flow interface command output

in Cisco Nexus 1000V, 164

in Cisco NX-OS software, 216

show flow interface GigabitEthernet 0/0 command output, 204

show flow monitor command options, 205

show flow monitor command output

in Cisco IOS and IOS XE devices, 204

in Cisco IOS-XR software, 222

in Cisco Nexus 1000V, 164

in Cisco NGA, 239

Flexible NetFlow, 70

show flow monitor monitor-name cache summary command options in Cisco IOS-XR, 225

show flow monitor name NY-ASR-FLOW-MON-1 cache format record command output, 72

show flow monitor RTP-DC-MONITOR-1 cache command output in Cisco NX-OS, 216

show flow monitor RTP-FLOW-MONITOR-1 cache command output, 205

show flow monitor RTP-FLOW-MONITOR-1 statistics command output, 206

show flow monitor type performance-monitor command output, 214

show flow monitor-map command output, 226

show flow platform producer statistics command output, 227

show flow record command output

in Cisco IOS and IOS XE devices, 198

in Cisco Nexus 1000V, 162

in Cisco NGA, 238

Flexible NetFlow, 69

show flow record RTP-FLOW-RECORD-1 command output, 197

show flow sw-monitor RTP-DC-MONITOR-1 statistics command output in Cisco NX-OS, 216

show flow trace command options, 228

show flow-export counters command output

in Cisco ASA, 229

NSEL monitoring, 159

show ip router 172.18.104.179 command output, 203

show logging command

in Cisco ASA, 191

in Cisco IOS devices, 192

show managed-device command output, 235

show running-config flow exporter command output

in Cisco IOS and IOS XE devices, 196

Flexible NetFlow, 72

show running-config flow monitor command output, 70

show running-config flow record command output

in Cisco IOS and IOS XE devices, 196

Flexible NetFlow, 69

show tech command output, 239-244

exploits, 174

export IDs, displaying, 207-212

export packets (NetFlow v9), 44

field descriptions, 45

header format, 44

export policies (NSEL), defining, 157-159

export storms, preventing, 213-214

exporting metrics, 23

exporting process (EP), 16

F

filtering flow records with SiLK, 87

FireSIGHT Management Center, 173

firewalls

Cisco ASA 5500-X Series Next-Generation Firewalls, 171-172

personal firewalls, 175

five-tuple, 4-5

Flexible NetFlow

with Cisco CTD, 132

configuration, 66-67

distribution switches, 268

flow exporter configuration, 71-73

flow monitor application to interface, 73-74

flow monitor configuration for IPv4 or IPv6, 69-70

flow record configuration, 67-69

Internet-edge router, 251

flow exporters, 65-66

flow information gathered, 5

flow monitors, 65

flow samplers, 66

IPFIX export format, 74

records, 61-65

key fields, 61-63

non-key fields, 63-64

predefined records, 65

user-defined records, 65

simultaneous application tracking, 60

supported platforms

Cisco IOS software, 134

Cisco IOS-XE software, 136

Cisco NX-OS software, 138

supported protocols, 59

troubleshooting

communication problems with NetFlow collector, 201-204

debugging flow records, 212-213

displaying flow exporter templates and export IDs, 207-212

preventing export storms, 213-214

sample configuration, 194-201

verifying flow monitor configuration, 204-206

Flexible NetFlow configuration (example 3-9), 73

flow collectors

defining, 170

gathering information about, 236-237

troubleshooting communication problems, 201-204

flow directors in clustering, 152

flow events, NSEL, 149-151

flow exporters

defining

in Cisco Nexus 1000V, 162-163

in Cisco Nexus 7000 series, 165

in Cisco NGA, 170

displaying templates and export IDs, 207-212

Flexible NetFlow, 65-66

configuration, 71-73

IPFIX export format, 74

statistics and diagnostics

in Cisco IOS-XR software, 219-222

in Cisco NGA, 237

troubleshooting communication problems, 201-204

flow file utilities, SiLK, 90-91

flow forwarders in clustering, 152

flow header format

NetFlow v1, 40

NetFlow v5, 41

NetFlow v7, 42

NetFlow v9, 44-45

flow licenses, 22, 142

flow monitors

application to interface

in Cisco Nexus 1000V, 164

in Cisco Nexus 7000 series, 164

defining

in Cisco Nexus 1000V, 163-164

in Cisco Nexus 7000 series, 165

in Cisco NGA, 170

Flexible NetFlow, 65

application to interface, 73-74

configuration, 69-70

statistics and diagnostics

in Cisco IOS-XR software, 222-226

in Cisco NGA, 238-239

verifying configuration, 204-206

flow owners in clustering, 152

flow producers in Cisco IOS-XR software, 226-228

flow records, 6

counting with SiLK, 88

creating with key and non-key fields, 169

debugging, 212-213

defining

in Cisco Nexus 1000V, 161-162

in Cisco Nexus 7000 series, 165

displaying

predefined Cisco Nexus 1000V records, 160

with SiLK, 87

filtering with SiLK, 87

Flexible NetFlow, 61-65

configuration, 67-69

key fields, 61-63

non-key fields, 63-64

predefined records, 65

user-defined records, 65

format

NetFlow v1, 40

NetFlow v5, 41

NetFlow v7, 42

gathering information about, 237-238

grouping with SiLK, 88

mating with SiLK, 88

sorting with SiLK, 87

Flow Replicator (Plixer), 79-80

flow samplers, Flexible NetFlow, 66

FlowCollector, 22, 79, 142

appliances, 145

deployment topology, 142-146

FlowCollector VE (virtual edition), 146

flowd, 80

FlowPro, 79-80

FlowReplicator, 22, 79, 142

deployment topology, 146-147

flows

explained, 4-6

Flexible NetFlow key fields, 61

IPFIX. See IPFIX

sessions versus, 6

flows per second (fps), 36-37

FlowSensor, 22, 79, 142

FlowSets

template FlowSets

field descriptions, 46

field type definitions, 47

format, 45-46

flowtools, 80

flowviewer, 80

Fluke Networks, 75

Flume, 119-120

forensics, 9-14

credit card theft case study, 254-259

intellectual property theft case study, 259-262

fps (flows per second), 36-37

G

grouping flow records with SiLK, 88

guest users, monitoring, 262-267

GUI (graphical user interface), Cisco NGA configuration, 168-169

H

hackers, 2-3, 130-131

Hadoop, 116-118

HBase, 124-125

HDFS, 117-118

Hewlett Packard NetFlow Insight, 75

HIPS (host intrusion prevention systems), 175

Hive, 122-123

hybrid cloud environments, 32-33

Hybrid Email Security, 179-180

I - J

IBM NetFlow Aurora, 75

IdeaData NetFlow Auditor, 75

immediate cache, 6

Immunet, 175

incident response, 9-14

credit card theft case study, 254-259

intellectual property theft case study, 259-262

indicators of compromise (IOCs)

big data analytics, 111

discovering, 9-14

InfoVista 5View NetFlow, 75

initialization, Cisco NGA, 167-168

installing

Elasticsearch, 96-105

ELK, 95-96

Kibana, 105-106

Logstash, 107-109

NFdump in Ubuntu, 81-82

Nginx, 106-107

intellectual property theft case study, 259-262

interface

Flexible NetFlow key fields, 61

flow monitor application to, 73-74

in Cisco Nexus 1000V, 164

in Cisco Nexus 7000 series, 164

internal buffer, logging messages to, 190-194

Internet edge

deployment scenario, 26-28

Flexible NetFlow configuration, 251

Internet Protocol Flow Information Export. See IPFIX

IOCs (indicators of compromise)

big data analytics, 111

discovering, 9-14

IoE (Internet of Everything), 127

IoT (Internet of Things), 127

IP Accounting, NetFlow versus, 6-7

IP labeling files in SiLK, 89

IPFIX (Internet Protocol Flow Information Export)

architecture, 16

explained, 15-16

Flexible NetFlow IPFIX export format, 74

mediators, 17

NetFlow comparison, 57

SCTP, 20

SiLK utilities, 90

templates, 17-20

IPFIX export format enabled (example 3-10), 74

IPFlow, 80

IPset manipulation tools in SiLK, 88-89

IPv4

Flexible NetFlow key fields, 61

Flexible NetFlow non-key fields, 64

flow monitor configuration, 69-70

flow record creation, 169

IPv6

Flexible NetFlow key fields, 61

Flexible NetFlow non-key fields, 64

flow monitor configuration, 69-70

iSiLK, 80

K

Kafka, 120-121

key fields in Flexible NetFlow records, 61-63

key loggers, 174

Kibana, 93

installing, 105-106

L

Lancope NetFlow Bandwidth Calculator, 37

Lancope StealthWatch System, 75-79

components, 21-22, 79, 142

FlowCollector, deployment topology, 142-146

FlowReplicator, deployment topology, 146-147

SMC. See SMC (StealthWatch Management Console)

LAN-to-LAN VPN (virtual private network) deployment scenario, 34-35

Layer 2 services, Flexible NetFlow key fields, 61

Layer 3 routing protocols, Flexible NetFlow key fields, 62

listeners, 179

logging buffered command

in Cisco ASA, 191

in Cisco IOS devices, 190

logging buffer-size command in Cisco ASA, 193

logging messages

to internal buffer, 190-194

network forensics, 12-14

logging timestamp command in Cisco ASA, 194

logic bombs, 174

Logstash, 92-93

installing, 107-109

logstash-netflow.conf file (example 7-49), 234

M

Mahout, 126

mailers, 173

malware

AMP for Endpoints, 175-176

AMP for Networks, 176

AMP ThreatGRID, 176-177

antivirus software, 174-175

email attachments, 177

HIPS, 175

personal firewalls, 175

types of, 173-174

managed devices, troubleshooting, 235

ManageEngine NetFlow Analyzer, 75

management and reporting systems, 23

Marvel, 94

master units in clustering, 152

mating flow records with SiLK, 88

mediators, IPFIX, 17

metering process (MP), 16

metrics, collection and exporting, 23

mitigation accelerator, network as, 4

monitoring

cloud usage, 269-271

guest users and contractors, 262-267

NSEL, 159-160

monitoring and analysis software packages

commercial packages

Lancope StealthWatch System, 76-79

list of, 75

Plixer International Scrutinizer, 79-80

open source packages

ELK (Elasticsearch, Logstash and Kibana), 92-109

list of, 80

NFdump, 81-86

NfSen, 86

SiLK, 86-91

MP (metering process), 16

multicasts

Flexible NetFlow key fields, 63

Flexible NetFlow non-key fields, 64

N

NAT stitching, 79

NBAR2 (Network Based Application Recognition Version 2), 22

NetFlow

best practices, 35-36

cache, 4-6

commercial monitoring and analysis software packages

Lancope StealthWatch System, 76-79

list of, 75

Plixer International Scrutinizer, 79-80

configuration

in Cisco Nexus 1000V, 160-164

in Cisco Nexus 7000 series, 164-166

deployment scenarios, 24

cloud environment, 32-33

data center, 28-32

Internet edge, 26-28

user access layer, 24-25

VPNs, 33-35

wireless LAN, 25-26

Flexible NetFlow. See Flexible NetFlow

flows per second (fps), 36-37

IP Accounting versus, 6-7

IPFIX comparison, 57

open source monitoring and analysis software packages

ELK (Elasticsearch, Logstash and Kibana), 92-109

list of, 80

NFdump, 81-86

NfSen, 86

SiLK, 86-91

security usage

anomaly detection, 8-9

data leak detection, 9

incident response and forensics, 9-14, 254-262

network visibility, 7-8

supported platforms, 20-21

Cisco ASA, 140

Cisco IOS software, 133

Cisco IOS-XR software, 134

traffic engineering and capacity planning, 14-15

troubleshooting. See troubleshooting

UDP ports, 16

usage, 1-2

versions

list of, 39

NetFlow v1, 40

NetFlow v5, 41

NetFlow v7, 42

NetFlow v9, 43-55

NetFlow v1

flow header format, 40

flow record format, 40

NetFlow v5

flow header format, 41

flow record format, 41

NetFlow v7

flow header format, 42

flow record format, 42

NetFlow v9, 43-55

export packets, 44

flow header format, 44-45

templates

benefits of, 44

data FlowSet definitions, 54

data FlowSet format, 54

field type definitions, 47

FlowSet field descriptions, 46

FlowSet format, 45-46

options template definitions, 55

options template format, 55

NetUsage, 75

network, security role of, 3-4

Network Based Application Recognition Version 2 (NBAR2), 22

network forensics, 9-14

network scan detection utilities, SiLK, 90

Network Time Protocol (NTP), 14

network traffic. See traffic

network visibility, 7-8

Next-Generation Intrusion Prevention Systems (NGIPS), 172-173

nfcapd command usage (example 4-2), 83

nfcapd daemon command options (example 4-3), 84

nfcapd files processing and displaying with nfdump (example 4-4), 84

NFdump, 80, 81-86

components, 82

installing in Ubuntu, 81-82

nfdump man pages excerpt (example 4-5), 86

NfSen, 80, 86

Nginx, installing, 106-107

NGIPS (Next-Generation Intrusion Prevention Systems), 172-173

non-key fields in Flexible NetFlow records, 63-64

normal cache, 6

north-to-south communication, 28

NoSQL, 113

NSEL (NetFlow Secure Event Logging)

configuration, 153-160

with ASDM, 153-155

with CLI, 155-156

defining export policy, 157-159

disabling redundant syslog messages, 156-157

monitoring NSEL, 159-160

deploying in cluster configuration, 151-153

flow events, 149-151

NTP (Network Time Protocol), 14

NX-OS. See Cisco NX-OS software

O

Open Resolver Project, 249

open source monitoring and analysis software packages

ELK (Elasticsearch, Logstash and Kibana), 92-109

list of, 80

NFdump, 81-86

NfSen, 86

SiLK, 86-91

OpenSOC, 115

benefits of, 115-116

components, 116

Elasticsearch, 123-124

Flume, 119-120

Hadoop, 116-118

HBase, 124-125

Hive, 122-123

Kafka, 120-121

Storm, 121-122

third-party tools, 125-126

options templates

definitions, 55

format, 55

IPFIX, 19-20

Oracle Java PPA installation (example 4-6), 95

P

packet captures

network forensics, 12

SiLK utilities, 90

packet header format. See flow header format

packets. See export packets

Paessler PRTG, 75

Panoptis, 80

PDUs (protocol data units), 6

permanent cache, 6

personal firewalls, 175

petabytes, 112

phishing, 177

Pig, 126

ping command output (example 7-18), 203

Platform Exchange Grid (pxGrid), 187

Plixer International Scrutinizer, 75, 79-80

Plixer Scrutinizer NetFlow Analyzer, 80

port labeling files in SiLK, 89

ports, UDP ports for NetFlow, 16

predefined records in Flexible NetFlow records, 65

prefix map manipulation tools in SiLK, 88-89

preventing export storms, 213-214

private cloud environments, 32-33

protocol data units (PDUs), 6

public cloud environments, 32-33

pxGrid (Platform Exchange Grid), 187

PySiLK (Python Extension), 88

Q

QoS (quality of service)

application control, 23-24

NBAR2 and, 22

R

ransomware, 174

records. See flow records

reflected DDoS attacks, 248-249

remote-access VPN (virtual private network) deployment scenario, 33-34

rootkits, 174

routing protocols, Flexible NetFlow key fields, 62

RTP-R1 Flexible NetFlow configuration (example 7-8), 195

runtime plug-ins, SiLK, 89-90

S

scalability, NetFlow, 36-37

Scrutinizer, 75, 79-80

free version, 80

SCTP (Stream Control Transmission Protocol), 20

security

anomaly detection, 8-9

attack continuum, 2-3, 130-131

Cisco CTD Solution. See Cisco CTD (Cyber Threat Defense) Solution

data leak detection, 9

DDoS attacks, 247

amplification attacks, 249-250

direct attacks, 248

in enterprise networks, 250-253

reflected attacks, 248-249

in service provider networks, 253-254

DoS attacks, 247

email-based threats

Cisco Cloud Email Security, 179

Cisco ESA models, 177-179

Cisco Hybrid Email Security, 179-180

list of, 177

incident response and forensics, 9-14

credit card theft case study, 254-259

intellectual property theft case study, 259-262

IoE (Internet of Everything), 127

malware

AMP for Endpoints, 175-176

AMP for Networks, 176

AMP ThreatGRID, 176-177

antivirus software, 174-175

HIPS, 175

personal firewalls, 175

types of, 173-174

network visibility, 7-8

OpenSOC. See OpenSOC

role of network in, 3-4

web security, 180

Cisco CWS, 185-186

Cisco SMA, 184-185

Cisco WSA, 180-183

security operations centers (SOCs), 115

sensor, network as, 4

service provider networks, identifying DDoS attacks, 253-254

service timestamps command in Cisco IOS devices, 193

sessions, flows versus, 6

Shield, 94

show audit-trail command, 245

show cache statistics cumulative monitor_name command, 245

show cache statistics rates monitor_name command, 245

show capture command output (example 7-46), 230

show capture netflow-cap detail command output (example 7-47), 231

show capture netflow-cap dump command output (example 7-48), 232

show cdp settings command, 245

show collector statistics collector_name command, 245

show cpu command, 190

show dataport statistics cumulative command, 245

show dataport statistics rates command, 245

show dataport statistics rates queues command, 245

show exporter statistics exporter_name command, 245

show flow collector command output (example 7-52), 236

show flow command options (example 7-51), 236

show flow exporter command output

in Cisco IOS and IOS XE devices, 201

in Cisco IOS-XR software, 220

in Cisco Nexus 1000V, 163

in Cisco NGA, 237

Flexible NetFlow, 72

show flow exporter export-ids netflow-v9 command output (example 7-27), 208

show flow exporter NX-OS command output (example 7-33), 215

show flow exporter option application table command output (example 7-29), 209

show flow exporter statistics command output (example 7-14), 202

show flow exporter templates command options (example 7-26), 207

show flow exporter templates command output (example 7-25), 207

show flow exporter-map command output in Cisco IOS-XR (example 7-38), 221

show flow filter filter_name command, 245

show flow interface command output

in Cisco Nexus 1000V, 164

in Cisco NX-OS software, 216

show flow interface GigabitEthernet 0/0 command output (example 7-20), 204

show flow monitor command options (example 7-22), 205

show flow monitor command output

in Cisco IOS and IOS XE devices, 204

in Cisco IOS-XR software, 222

in Cisco Nexus 1000V, 164

in Cisco NGA, 239

Flexible NetFlow, 70

show flow monitor monitor-name cache summary command options in Cisco IOS-XR (example 7-40), 225

show flow monitor name NY-ASR-FLOW-MON-1 cache format record command output (example 3-7), 72

show flow monitor RTP-DC-MONITOR-1 cache command output in Cisco NX-OS (example 7-35), 216

show flow monitor RTP-FLOW-MONITOR-1 cache command output (example 7-23), 205

show flow monitor RTP-FLOW-MONITOR-1 statistics command output (example 7-24), 206

show flow monitor type performance-monitor command output (example 7-32), 214

show flow monitor-map command output (example 7-41), 226

show flow platform nfea interface command, 228

show flow platform nfea policer np command, 228

show flow platform nfea sample command, 228

show flow platform nfea sp location command, 228

show flow platform producer statistics command output (example 7-42), 227

show flow record command output

in Cisco IOS and IOS XE devices, 198

in Cisco Nexus 1000V, 162

in Cisco NGA, 238

Flexible NetFlow, 69

show flow record netflow layer2-switched input command, 217

show flow record RTP-FLOW-RECORD-1 command output (example 7-11), 197

show flow sw-monitor RTP-DC-MONITOR-1 statistics command output in Cisco NX-OS (example 7-36), 216

show flow timeout command, 217

show flow trace command, 228

show flow trace command options (example 7-43), 228

show flow-export counters command output

in Cisco ASA, 229

NSEL monitoring, 159

show hardware flow aging command, 217

show hardware flow entry address table-address type command, 217

show hardware flow ip command, 217

show hardware flow sampler command, 217

show hardware flow utilization command, 217

show inventory command, 245

show ip command, 245

show ip router 172.18.104.179 command output (example 7-19), 203

show log config command, 245

show log patch command, 245

show log upgrade command, 245

show logging command

in Cisco ASA, 191

in Cisco IOS devices, 192

show managed-device command output (example 7-50), 235

show patches command, 245

show processes cpu command, 190

show running-config flow exporter command output

in Cisco IOS and IOS XE devices, 196

Flexible NetFlow, 72

show running-config flow monitor command output (example 3-4), 70

show running-config flow record command output

in Cisco IOS and IOS XE devices, 196

Flexible NetFlow, 69

show sampler name command, 217

show snmp command, 245

show tech-support command, 239-245

SiLK, 80, 86-91

additional utilities, 91

configuration files, 87

counting, grouping, mating NetFlow records, 88

daemons, 87

filtering, displaying, sorting NetFlow records, 87

flow file utilities, 90-91

IP and port labeling files, 89

IPset, bag, prefix map manipulation, 88-89

network scan detection utilities, 90

packet capture and IPFIX processing utilities, 90

Python Extension (PySiLK), 88

runtime plug-ins, 89-90

simultaneous application tracking, Flexible NetFlow, 60

site-to-site VPN (virtual private network) deployment scenario, 34-35

slave units in clustering, 152

SLIC (StealthWatch Labs Intelligence Center), 78

SMC (StealthWatch Management Console), 22, 77-79, 142

appliances, 147

form factors, 147-148

visualization examples, 140-142

SMC (StealthWatch Management Console) VE (virtual edition), 148

SMTP daemons, 179

sniffers, network forensics, 12

SOCs (security operations centers), 115

SolarWinds NetFlow Traffic Analyzer, 75

sorting flow records with SiLK, 87

SourceFire, 172

spam, 177

spammers, 174

Spark, 126

spear phishing, 177

Stager, 80

StealthWatch IDentity, 79

StealthWatch Labs Intelligence Center (SLIC), 78

StealthWatch Management Console (SMC) VE (virtual edition), 148

StealthWatch System. See Lancope StealthWatch System

Storm, 121-122

Stream Control Transmission Protocol (SCTP), 20

structured data, unstructured data versus, 112-113

syslog

disabling redundant messages, 155-156

network forensics, 12-14

T

telemetry sources, big data analytics, 114-115

templates

benefits of, 44

data FlowSet definitions, 54

data FlowSet format, 54

displaying, 207-212

field type definitions, 47

FlowSet field descriptions, 46

FlowSet format, 45-46

IPFIX, 17-20

options templates

definitions, 55

format, 55

Tez, 126

ThreatGRID, 176-177

time stamps, 14

Flexible NetFlow non-key fields, 64

logging timestamp command, 194

service timestamps command, 193

timer adjustments in Cisco Nexus 7000 series, 166

traffic

anomaly detection, 8-9

application recognition, 22

Cisco CTD Solution, 21-22

engineering and capacity planning, 14-15, 267-269

network forensics, 10-12

transports, Flexible NetFlow key fields, 62

trojan horses, 174

troubleshooting

in Cisco ASA, 228-234

in Cisco IOS devices

communication problems with NetFlow collector, 201-204

debugging flow records, 212-213

displaying flow exporter templates and export IDs, 207-212

preventing export storms, 213-214

sample configuration, 194-201

verifying flow monitor configuration, 204-206

Cisco IOS-XR software

architecture configuration, 217-219

flow exporter statistics and diagnostics, 219-222

flow monitor statistics and diagnostics, 222-226

flow producer statistics and diagnostics, 226-228

show commands, 228

Cisco NGA (NetFlow Generation Appliance)

flow collector information, 236-237

flow exporter information, 237

flow monitor information, 238-239

flow record information, 237-238

managed devices, 235

show commands, 245

show tech-support command, 239-245

in Cisco NX-OS software, 214-217

debug commands, 189-192

clear log command, 193

clear logging command options, 193

CPU utilization, 190

logging buffered command in Cisco ASA, 191

logging buffered command in Cisco IOS devices, 190

logging buffer-size command in Cisco ASA, 193

logging timestamp command, 194

service timestamps command, 193

show logging command in Cisco ASA, 191

show logging command in Cisco IOS devices, 192

network traffic, 15

U

Ubuntu

Elasticsearch installation, 96-105

Kibana installation, 105-106

Logstash installation, 107-109

NFdump installation, 81-82

Nginx installation, 106-107

UDP ports for NetFlow, 16

unstructured data, structured data versus, 112-113

user access layer deployment scenario, 24-25

user-defined records in Flexible NetFlow records, 65

V

versions of NetFlow

list of, 39

NetFlow v1, 40

NetFlow v5, 41

NetFlow v7, 42

NetFlow v9, 43-55

Virtual NGIPSv for VMware, 173

virtual private network (VPN) deployment scenarios, 33-35

viruses, 173

visibility of network, 7-8

VPN (virtual private network) deployment scenarios, 33-35

W

WCCP (Web Cache Communication Protocol), 180

Web Cache Communication Protocol (WCCP), 180

web security, 180

Cisco CWS, 185-186

Cisco SMA, 184-185

Cisco WSA, 180-183

whaling, 177

WLAN (wireless LAN) deployment scenario, 25-26

worms, 173

X - Z

yottabytes, 112

zettabytes, 112

zombies, 8

ZooKeeper, 126
