Re: [swinog] netflow capable switches

2008-07-18 Thread Guazzoni Daniele, CH
And here the english version for those who can only resolve wikipedia.de... ;-)

Cisco routers that have the Netflow feature enabled generate netflow records; 
these are exported from the router in User Datagram Protocol (UDP) or Stream 
Control Transmission Protocol (SCTP) packets and collected using a netflow 
collector. Other vendors provide similar features for their routers but with 
different names:

* Jflow or cflowd for Juniper Networks
* NetStream for Huawei Technology
* Cflowd for Alcatel-Lucent

NetFlow and IPFIX

Although initially implemented by Cisco, NetFlow is emerging as an IETF 
standard: Internet Protocol Flow Information eXport (IPFIX). Based on the 
NetFlow Version 9 implementation, IPFIX is going to be the industry standard in 
the very near future. Network infrastructure vendors, including Nortel Networks 
and others, are already adding IPFIX support to their devices. 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mario Iseli
Sent: Friday, 18 July 2008 14:10
To: [EMAIL PROTECTED]
Subject: Re: [swinog] netflow capable switches

German Wikipedia says:

Netflow was originally a Cisco technology but is now supported by many 
vendors. Besides Netflow there are also cFlow (Juniper) and Netstream 
(Huawei). Both are technically identical to Netflow. Several versions of 
Netflow exist. Netflow Version 9 is described as an open standard in 
RFC 3954. Netflow Version 5 is the version most commonly used in practice. 
sFlow (RFC 3176) uses statistical sampling and is incompatible with Netflow. 
Converters exist, however. The IPFIX standard (RFC 3917) is being developed 
independently of any vendor and is an extension of Netflow Version 9.

In that case - good luck :-)

Regards,
Mario
___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog



This e-mail, any associated files and the information contained in them are 
confidential and is intended for the addressee(s) only. If you have received 
this message in error please notify the originator and delete the email 
immediately. The unauthorised use, disclosure, copying or alteration of this 
message is strictly forbidden. E-mails to and from the company are monitored 
for operational reasons and in accordance with lawful business practices. Any 
opinions expressed are those of the individual and do not necessarily represent 
the views of the company. The company does not conclude contracts by email and 
all negotiations are subject to contract. We make every effort to maintain our 
network free from computer viruses but accept no responsibility for any viruses 
which might be transferred by this e-mail.




Re: [swinog] netflow capable switches

2008-07-18 Thread Pascal Gloor

Mario,

Julien is French-speaking and he asked in English... maybe an
English answer would be a better fit, no? :P



Pascal
SwiNOG Minority Defender Moderator






Re: [swinog] netflow capable switches

2008-07-18 Thread Mario Iseli
German Wikipedia says:

Netflow was originally a Cisco technology but is now supported by many 
vendors. Besides Netflow there are also cFlow (Juniper) and Netstream 
(Huawei). Both are technically identical to Netflow. Several versions of 
Netflow exist. Netflow Version 9 is described as an open standard in 
RFC 3954. Netflow Version 5 is the version most commonly used in practice. 
sFlow (RFC 3176) uses statistical sampling and is incompatible with Netflow. 
Converters exist, however. The IPFIX standard (RFC 3917) is being developed 
independently of any vendor and is an extension of Netflow Version 9.

In that case - good luck :-)

Regards,
Mario


[swinog] netflow capable switches

2008-07-18 Thread julien mabillard
Hi,
this might be a naive question but still needs a good answer ;-)

Are there ethernet switches other than Cisco that can provide
netflow traffic information? Or do they use snmp for the same
information instead?

thank you.



Re: [swinog] NetFlow

2005-08-31 Thread Yann Berthier
On Tue, 30 Aug 2005, Viktor Steinmann wrote:

> We used netflow on all external interfaces towards upstream & 
> peerings, so we could find out, how much traffic we were exchanging 
> with which AS. It's quite a nice feature for peering policy decisions 
> (or the decision, if you should change your upstream)
> 
> The tool we used was flowscan 
> (http://www.caida.org/tools/utilities/flowscan/), but I hear there 
> are others as well (especially, if you are willing to shed out some money 
> :-))
> 
> Another nice use for netflow data are intrusion detection systems, 
> that can find out unusual traffic patterns with heuristic methods. 
> Since those systems are quite expensive, I don't have any first-hand 
> experience, but I hear, they have a long learning period, need a lot 
> of tweaking until they do, what they're supposed to do...   If you're 
> interested in this stuff, I guess Nico (Fischbach) is your man :-)

   As I have worked with Nico on this area (security uses of NetFlow),
   I'll take the freedom to hijack his potential answer :) The fact is,
   you don't necessarily need to put big bucks, and simple heuristics
   such as top speakers (top in bytes, packets, and / or duration) can
   teach you a lot about potential misuses on your network. Good free
   software is available for that (nfdump / nfsen has already been
   advertised by its author :))

   In fact, we have set up a list [1] to host this kind of discussions
   related to NetFlow: analysis, heuristics to be used, database design
   (or not), ... At the end of the day, I'm not sure we all can come
   with something as cool as the Arbor products, but if it permits to
   get the job done ... 

   (sorry for you nanogers)

  - yann

   [1] http://www.csrrt.org.lu/mailman/listinfo/flowop
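
Added example (not part of the original post and not code from nfdump or nfsen): the "top speakers" heuristic mentioned above, computed over a NetFlow version 5 export datagram. The v5 layout is assumed here because the thread calls it the most widely used version; `parse_v5`, `top_speakers`, `build_v5` and the sample traffic are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER.size or datagram[:2] != b"\x00\x05":
        raise ValueError("not a NetFlow v5 datagram")
    count = HEADER.unpack_from(datagram)[1]
    # Export is unauthenticated UDP: check 'count' against the real length.
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "bytes": f[6],
                      "duration_ms": (f[8] - f[7]) & 0xFFFFFFFF})  # uptime ms, may wrap
    return flows

def top_speakers(flows, metric, n=3):
    """Rank source addresses by the summed metric: bytes, packets or duration_ms."""
    totals = defaultdict(int)
    for flow in flows:
        totals[flow["src"]] += flow[metric]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def build_v5(rows):
    """Pack constructed (src, dst, packets, bytes, first_ms, last_ms) rows as v5."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), bytes(4), 1, 2,
                    pkts, octets, first, last, 40000, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
        for s, d, pkts, octets, first, last in rows)
    return HEADER.pack(5, len(rows), 100000, 1125417600, 0, 1, 0, 0, 0) + body

# Constructed sample traffic (documentation address ranges), not real data.
SAMPLE = build_v5([
    ("192.0.2.10", "198.51.100.5", 1200, 1500000, 1000, 61000),
    ("192.0.2.10", "198.51.100.9", 300, 400000, 2000, 5000),
    ("192.0.2.77", "203.0.113.8", 90000, 3600000, 1000, 2000),  # burst of small packets
    ("192.0.2.33", "198.51.100.5", 10, 800, 0, 90000),          # long-lived, low volume
])

if __name__ == "__main__":
    for metric in ("bytes", "packets", "duration_ms"):
        print(metric, top_speakers(parse_v5(SAMPLE), metric))
```

The three rankings put different hosts on top: the byte and packet leader is the short burst, while the duration leader is a low-volume flow that a byte-only report would never surface.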


Re: [swinog] NetFlow

2005-08-31 Thread Nicolas Strina

Hello,

Also for security features you can have a look at Arbor solutions
(http://www.arbor.net). We are using this system for our network and
it's damn hot :P

Cu,

Nico




--On August 30, 2005 12:25:31 -0400 Raffael Marty <[EMAIL PROTECTED]> wrote:

| I am doing some research on NetFlow and wanted to ask you guys a few things:
|
| How are you using NetFlow? For what purposes? Billing? Security? Do you
| have NetFlow enabled on all your routers? Do you enable it on all the
| interfaces or just on the external/internal interface? Do you utilize any
| tool to stitch the NetFlows back together? Why would you do that?
|
| I guess you can tell that I was never exposed to NetFlow in the ISP world.
| Any answers or comments are really appreciated.

You may have a look at our tools from SWITCH-CERT. We use them mostly
for security related issues.

Backend:  
Frontend: 

- Peter

|
| Thanks
|
|   -raffy
|
| --
|   Raffael Marty, GCIA, CISSP
|   Senior Security Engineer @ ArcSight Inc.



--
___ SWITCH - The Swiss Education and Research Network __
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH,  Limmatquai 138,  CH-8001 Zurich,  Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/



Re: [swinog] NetFlow

2005-08-30 Thread Peter Haag



--On August 30, 2005 12:25:31 -0400 Raffael Marty <[EMAIL PROTECTED]> wrote:

| I am doing some research on NetFlow and wanted to ask you guys a few things:
|
| How are you using NetFlow? For what purposes? Billing? Security? Do you
| have NetFlow enabled on all your routers? Do you enable it on all the
| interfaces or just on the external/internal interface? Do you utilize any
| tool to stitch the NetFlows back together? Why would you do that?
|
| I guess you can tell that I was never exposed to NetFlow in the ISP world.
| Any answers or comments are really appreciated.

You may have a look at our tools from SWITCH-CERT. We use them mostly for
security related issues.

Backend:  
Frontend: 

- Peter

|
| Thanks
|
|   -raffy
|
| --
|   Raffael Marty, GCIA, CISSP
|   Senior Security Engineer @ ArcSight Inc.



--
___ SWITCH - The Swiss Education and Research Network __
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH,  Limmatquai 138,  CH-8001 Zurich,  Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/


Re: [swinog] NetFlow

2005-08-30 Thread Viktor Steinmann
We used netflow on all external interfaces towards upstream & 
peerings, so we could find out, how much traffic we were exchanging 
with which AS. It's quite a nice feature for peering policy decisions 
(or the decision, if you should change your upstream)


The tool we used was flowscan 
(http://www.caida.org/tools/utilities/flowscan/), but I hear there 
are others as well (especially, if you are willing to shed out some money :-))


Another nice use for netflow data are intrusion detection systems, 
that can find out unusual traffic patterns with heuristic methods. 
Since those systems are quite expensive, I don't have any first-hand 
experience, but I hear, they have a long learning period, need a lot 
of tweaking until they do, what they're supposed to do...   If you're 
interested in this stuff, I guess Nico (Fischbach) is your man :-)


Cheers,
Viktor

At 18:25 30.08.2005, you wrote:

I am doing some research on NetFlow and wanted to ask you guys a few things:

How are you using NetFlow? For what purposes? Billing? Security? Do you
have NetFlow enabled on all your routers? Do you enable it on all the
interfaces or just on the external/internal interface? Do you utilize any
tool to stitch the NetFlows back together? Why would you do that?

I guess you can tell that I was never exposed to NetFlow in the ISP world.
Any answers or comments are really appreciated.

Thanks

  -raffy

--
  Raffael Marty, GCIA, CISSP
  Senior Security Engineer @ ArcSight Inc.


Re: [swinog] NetFlow

2005-08-30 Thread Simon Leinen
Raffael Marty writes:
> I am doing some research on NetFlow and wanted to ask you guys a few
> things: How are you using NetFlow? For what purposes? Billing?
> Security?

Yes, both billing (and coarse-grained traffic analysis on our upstream
and peering connections) and security (detection and localization of
malicious traffic, trend analysis, "cyberepidemiology" research).

> Do you have NetFlow enabled on all your routers?

In our setup we only use data from our border (peering) routers.

> Do you enable it on all the interfaces or just on the
> external/internal interface?

We have it enabled in the ingress direction on all interfaces, so that
we can count all traffic both inbound and outbound through the router.
Also our current platform (with current software) cannot enable
Netflow selectively.

> Do you utilize any tool to stitch the NetFlows back together? Why
> would you do that?

In the part I'm responsible for (billing etc.), I don't try to match
related unidirectional flows to bidirectional flows.  Maybe for
security applications this would be more useful.  At any rate it's
difficult in our network, because the two directions often go through
different routers.

> I guess you can tell that I was never exposed to NetFlow in the ISP
> world.  Any answers or comments are really appreciated.

I maintain a page with pointers to Netflow-related software packages -
maybe you find it useful:

http://www.switch.ch/tf-tant/floma/software.html
-- 
Simon.
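
Added example (not part of the original post): what "stitching" unidirectional flows into bidirectional sessions looks like, and why it only works once records from all border routers are merged when the two directions take different routers. The record fields, router names `border-a` and `border-b`, and the 60-second pairing window are assumptions made for this illustration.

```python
from collections import defaultdict

def session_key(flow):
    """Direction-independent key: protocol plus both endpoints in sorted order."""
    ends = sorted([(flow["src"], flow["sport"]), (flow["dst"], flow["dport"])])
    return (flow["proto"], ends[0], ends[1])

def stitch(flows, window=60):
    """Pair unidirectional flows into sessions; return (sessions, unmatched)."""
    groups = defaultdict(list)
    for flow in flows:
        groups[session_key(flow)].append(flow)
    sessions, unmatched = [], []
    for group in groups.values():
        group.sort(key=lambda f: f["start"])
        first = group[0]  # the earliest flow is assumed to be the initiator
        near = [f for f in group if f["start"] - first["start"] <= window]
        rev = [f for f in near
               if (f["src"], f["sport"]) != (first["src"], first["sport"])]
        if not rev:
            unmatched.extend(group)  # no reply seen by any exporter we collect from
            continue
        bytes_in = sum(f["bytes"] for f in rev)
        sessions.append({
            "client": first["src"], "server": first["dst"], "port": first["dport"],
            "bytes_out": sum(f["bytes"] for f in near) - bytes_in,
            "bytes_in": bytes_in,
            "routers": sorted({f["router"] for f in near}),
        })
        unmatched.extend(f for f in group if f["start"] - first["start"] > window)
    return sessions, unmatched

def make_flow(router, src, sport, dst, dport, nbytes, start):
    """Build one constructed TCP flow record (start is in seconds)."""
    return {"router": router, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "proto": 6, "bytes": nbytes, "start": start}

# Constructed records: the request leaves via border-a, the reply returns via border-b.
FLOWS = [
    make_flow("border-a", "192.0.2.10", 51000, "198.51.100.5", 443, 4000, 100),
    make_flow("border-b", "198.51.100.5", 443, "192.0.2.10", 51000, 90000, 101),
    make_flow("border-a", "192.0.2.33", 40000, "203.0.113.8", 22, 600, 105),
]

if __name__ == "__main__":
    print(stitch(FLOWS))                                             # merged view
    print(stitch([f for f in FLOWS if f["router"] == "border-a"]))   # one router only
```

With only `border-a` data both flows stay unmatched; with both routers merged the HTTPS exchange becomes one session and the unanswered flow to port 22 is left as the record worth a second look.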



[swinog] NetFlow

2005-08-30 Thread Raffael Marty
I am doing some research on NetFlow and wanted to ask you guys a few things:

How are you using NetFlow? For what purposes? Billing? Security? Do you
have NetFlow enabled on all your routers? Do you enable it on all the
interfaces or just on the external/internal interface? Do you utilize any
tool to stitch the NetFlows back together? Why would you do that?

I guess you can tell that I was never exposed to NetFlow in the ISP world.
Any answers or comments are really appreciated.

Thanks

  -raffy

-- 
  Raffael Marty, GCIA, CISSP
  Senior Security Engineer @ ArcSight Inc.