This chapter starts with an introduction to NetFlow and then covers details about all the different NetFlow versions. In this chapter, you will learn how to configure basic NetFlow in a Cisco device. You will also learn about the industry standard IPFIX as well as how NetFlow is used for cybersecurity and incident response. This chapter also covers examples of commercial and open source NetFlow analysis tools.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you identify your strengths and deficiencies in this chapter’s topics. The 10-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you determine how to spend your limited study time. Table 4-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
Table 4-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping
Foundation Topics Section
Questions Covered in This Section
Introduction to NetFlow
NetFlow for Cybersecurity and Incident Response
NetFlow Analysis Tools
Which of the following are some common uses of NetFlow? (Choose three.)
To see what is actually happening across the entire network
To identify DoS attacks
To quickly identify compromised endpoints and network infrastructure devices
To perform network scans to detect vulnerabilities
Flexible NetFlow, Cisco’s next-generation NetFlow, can track a wide range of Layer 2, IPv4, and IPv6 flow information. Which of the following are examples of that information? (Choose four.)
Source and destination IPv4 or IPv6 addresses
Source and destination ports
Packet and byte counts
NetFlow supports different types of cache. Which of the following are the NetFlow cache types? (Choose three.)
IPFIX is a flow standard based on what version of NetFlow?
What is one of the benefits of NetFlow templates?
Templates make flow records more organized and better structured.
Templates provide a vendor-neutral support for companies that create applications that provide collector or analysis capabilities for NetFlow so that they are not required to reinvent their product each time a new NetFlow feature is added.
Templates provide a faster way of processing NetFlow records.
Templates can be used to detect zero-day attacks faster because they provide support for indicators of compromise.
What protocol is used by IPFIX for packet transport?
NetFlow is a great tool for anomaly and DDoS detection. Before implementing these detection capabilities, you should perform which of the following tasks?
Enable NetFlow in more than two interfaces.
Enable BGP for route redirection.
Develop a traffic baseline.
Enable anti-spoofing protection.
Many network telemetry sources can also be correlated with NetFlow when responding to security incidents and performing network forensics. Which of the following are examples of other telemetry sources that can be correlated with NetFlow? (Choose two.)
Dynamic Host Configuration Protocol (DHCP) logs
Process utilization and hardware inventory logs
Which of the following are examples of open source tools that can be used for NetFlow analysis? (Choose three.)
Elasticsearch, Logstash, Kibana (ELK)
Which of the following are components of the Cisco Lancope StealthWatch solution?
StealthWatch Management Console