Home > Articles > NetFlow for Cybersecurity

NetFlow for Cybersecurity

Chapter Description

In this sample chapter from CCNA Cyber Ops SECOPS 210-255 Official Cert Guide, readers learn how to configure basic NetFlow in a Cisco device. Content also covers the industry standard IPFIX as well as how NetFlow is used for cybersecurity and incident response.

This chapter starts with an introduction to NetFlow and then covers details about all the different NetFlow versions. In this chapter, you will learn how to configure basic NetFlow in a Cisco device. You will also learn about the industry standard IPFIX as well as how NetFlow is used for cybersecurity and incident response. This chapter also covers examples of commercial and open source NetFlow analysis tools.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in this chapter’s topics. The 10-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you determine how to spend your limited study time. Table 4-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.

Table 4-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section

Questions Covered in This Section

Introduction to NetFlow

1–3

NetFlow Versions

4–5

IPFIX

6

NetFlow for Cybersecurity and Incident Response

7–8

NetFlow Analysis Tools

9–10

  1. Which of the following are some common uses of NetFlow? (Choose three.)

    1. To see what is actually happening across the entire network

    2. To identify DoS attacks

    3. To quickly identify compromised endpoints and network infrastructure devices

    4. To perform network scans to detect vulnerabilities

  2. Flexible NetFlow, Cisco’s next-generation NetFlow, can track a wide range of Layer 2, IPv4, and IPv6 flow information. Which of the following are examples of that information? (Choose four.)

    1. Source and destination IPv4 or IPv6 addresses

    2. Source and destination ports

    3. Packet and byte counts

    4. Flow timestamps

    5. Usernames

    6. Application ID

  3. NetFlow supports different types of cache. Which of the following are the NetFlow cache types? (Choose three.)

    1. Normal

    2. Flexible

    3. Immediate

    4. Permanent

  4. IPFIX is a flow standard based on what version of NetFlow?

    1. Version 1

    2. Version 5

    3. Version 7

    4. Version 9

  5. What is one of the benefits of NetFlow templates?

    1. Templates make flow records more organized and better structured.

    2. Templates provide a vendor-neutral support for companies that create applications that provide collector or analysis capabilities for NetFlow so that they are not required to reinvent their product each time a new NetFlow feature is added.

    3. Templates provide a faster way of processing NetFlow records.

    4. Templates can be used to detect zero-day attacks faster because they provide support for indicators of compromise.

  6. What protocol is used by IPFIX for packet transport?

    1. SNMP

    2. HTTPS

    3. SCTP

    4. TLS

  7. NetFlow is a great tool for anomaly and DDoS detection. Before implementing these detection capabilities, you should perform which of the following tasks?

    1. Enable NetFlow in more than two interfaces.

    2. Enable BGP for route redirection.

    3. Develop a traffic baseline.

    4. Enable anti-spoofing protection.

  8. Many network telemetry sources can also be correlated with NetFlow when responding to security incidents and performing network forensics. Which of the following are examples of other telemetry sources that can be correlated with NetFlow? (Choose two.)

    1. Dynamic Host Configuration Protocol (DHCP) logs

    2. VPN logs

    3. Core dumps

    4. Process utilization and hardware inventory logs

  9. Which of the following are examples of open source tools that can be used for NetFlow analysis? (Choose three.)

    1. SiLK

    2. Elasticsearch, Logstash, Kibana (ELK)

    3. Lancope

    4. Graylog

  10. Which of the following are components of the Cisco Lancope StealthWatch solution?

    1. StealthWatch Management Console

    2. FlowCollector

    3. FlowConnector

    4. ISE Connector

2. Foundation Topics | Next Section

There are currently no related articles. Please check back later.