Home > Articles > Infrastructure Security and Segmentation

Infrastructure Security and Segmentation

Chapter Description

In this sample chapter from Integrated Security Technologies and Solutions - Volume I: Cisco Security Solutions for Advanced Threat Protection with Next Generation Firewall, Intrusion Prevention, AMP, and Content Security, you will review security of the three planes of network infrastructure, the importance of segmenting traffic and methods for doing so, and the benefits of NetFlow.

Visibility with NetFlow

Chapter 1 discusses the importance of visibility of assets that you are trying to secure. To effectively design and improve security, though, it is important to have visibility of your entire network. With continuous visibility, you can monitor for anomalous behavior that indicates new attacks and also monitor the effectiveness of your existing policies.

Visibility, as I like to put it, is a two-sided coin. On one side is the visibility of what and who is accessing your network and resources, while on the other side is visibility of what they are doing after being granted access.

The first side of the coin—visibility of what and who—is gathered by access control on every entry point of the network. Access control and visibility related to it are covered in Integrated Security Technologies and Solutions, Volume II.

The second side of the coin—visibility of what everyone is doing on the network—can be gathered from multiple sources. Some of it comes from various security devices in the network, such as firewalls and IPS devices, but those are reliant on traffic passing through them. A significant portion of network traffic stays internal and never passes through firewalls or IPS devices. Hence, the most important place to get visibility data is from the network itself—from the switches and routers.

The Cisco IOS application NetFlow helps in gathering this data from the network. It provides statistics on packets flowing through the network devices. Each packet that is forwarded within a router or switch is examined for a set of attributes. These attributes combined become the fingerprint of the packet and determine whether the packet is unique or similar to other packets. In most cases, these are the attributes NetFlow uses to create the fingerprint:

  • IP source address

  • IP destination address

  • Source port

  • Destination port

  • Layer 3 protocol type

  • Class of service

  • Router or switch interface

All packets with the same fingerprint are classified as a single flow, and then packets and bytes are tallied. The details of the flow are then exported to NetFlow collectors for analysis and storage.

Because a flow record is unidirectional, some products, such as Cisco Stealthwatch, further combine multiple flows to create a complete bidirectional flow record. An analysis of such unidirectional or bidirectional flows provides a baseline of the network traffic, and any anomaly can immediately be detected. In addition to behavior-based anomalies, transactional anomalies can be immediately detected. For example, if you see 5 GB of traffic being sent as ICMP packets, it immediately indicates a covert attempt to transfer data.

The configuration of NetFlow can be divided into two general steps:

  • Step 1. Enabling NetFlow: NetFlow collection needs to be enabled on a per-interface and direction basis. The ip flow {ingress|egress} command is used to enable collection.

  • Step 2. Defining the export destination: Define the destination IP address and port where the export flow data needs to be sent. The ip flow-export destination ip-address port command is used to define the export destination.

NetFlow collection can be verified with the show ip cache flow command. Example 2-62 shows how NetFlow is enabled on a router interface and a destination is configured to export the flows to.

Example 2-62 Enabling NetFlow

R1(config)#interface Gi1
R1(config-if)#ip flow ingress
R1(config)#ip flow-export destination 2055

There are currently no related articles. Please check back later.