IT Certification and Training Blog

ASA Technology Update Part 4 of 4

Feb 8, 2011 10:18:00 AM / by Kelson Lawrence

By Ryan Lindfield

Netflow (8.1)

Technically, NetFlow support was introduced in 8.1, but I still consider it an exciting and relatively new feature. Also I’ve found that many administrators are not aware of it, and it’s something I think everyone should be using. As you may already know, Cisco Systems developed NetFlow as a way to export information regarding IP flows for detailed monitoring and auditing of network traffic. A flow is essentially the combination of the following pieces of information:

• source IP address and destination IP address
• source port number and destination port number
• IP protocol number
• ingress interface
• type of service

I like to compare NetFlow data to the detailed information that my cellular provider gives me each month on my bill. I can see who I communicated with, how long I communicated to them, the times that the communication took place, and whether it was a phone call or a text message. NetFlow is not a full Iplog or a capture of all data; it is simply information about the flows of data. We collect these flows and then build detailed reports and statistics from data such as the following: When are your peak traffic hours? What are your top protocols? Which are your top talkers? Who’s moving the most data? Which protocols or ports were seen today for the first time (botnet communication detection)?

NetFlow data is extremely useful to administrators. Not only does it serve as a window into current network conditions, but once archived to a database, you can gain insight into how long certain hosts have been communicating (days, weeks, years) and how often. If there is a host that has been compromised and we see that it’s been communicating with a command and control point, we can do a query against all recorded traffic and determine if other hosts are communicating with that same control point, how long this has been occurring, what data has been leaked, etc.

It is my opinion that the NetFlow collection could be useful to you, and while the full capabilities of NetFlow would be impossible to cover in this short article, I can only suggest you investigate these capabilities in the future. It may also be helpful to know that the ASA exports in a format called NetFlow V9 (or NetFlow Secure Event Logging). Without going into the differences in the different formats, I want to point out that the collector you use (central logging point) must support NetFlow V9. NetFlow V9 is not widely supported, however Plixar has a free product called Scrutinizer, which supports the ASA and NetFlow V9. I’ve used Scrutinizer, and I’m very happy with the results. Many of you will also be happy to know that Scrutinizer has a free version.

ASA Specialist Certification


813-925-0700 (opt 2)
877-333-EXAM (opt 2)
FAX: 813-925-3957

Topics: adaptive security appliance, asa, networking, netflow

Kelson Lawrence

Written by Kelson Lawrence

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

see all

Recent Posts