[unisog] Cisco netflow and argus (was registering servers)

Tim Eden (te) te at unsw.edu.au
Mon Jul 31 23:24:15 GMT 2006


There are a number of companies that have security/monitoring products 
based around netflow. One that I've tested on our network is Crannog's 
Netflow Tracker, see their demo site:

http://demo.netflowtracker.net/index.jsp

It certainly doesn't look like netflow will be superseded anytime soon 
as there is plenty of work going into version 9 and 10:

http://www.cisco.com/en/US/products/ps6601/products_white_paper09186a00800a3db9.shtml
http://en.wikipedia.org/wiki/Netflow#Versions

As far as I can tell there is no mention of it using TCP so it looks 
like even the newer versions still use UDP.

Cheers,

Tim


John Kristoff wrote:
> On Mon, 31 Jul 2006 10:24:04 +1000
> Rudolph Pereira <rudolph at usyd.edu.au> wrote:
>
>   
>> Does anyone have pointers to papers or other concrete descriptions of
>> problems with netflow on cisco routers making them useless (ok: less
>> useful) for security incident investigation and/or accounting/traffic
>> analysis? We're having more problems with them as time goes on, and I
>> suspect that netflow is more and more likely to become a second-class 
>> citizen on cisco platforms and would like some data to back up a case
>> for abandoning it altogether in favour of something like argus.
>>     
>
> Can you describe what you mean by "more problems"?  NetFlow is wildly
> popular, and has been increasingly so over the last 6 or so years.  So
> much in fact that at least one company, Arbor Networks, has been doing
> quite well selling a security-oriented product around the feature.
>
> In my experience, network-oriented people tend to use NetFlow, security
> people want Argus or something that can "see the entire packet".  They
> each have their strengths and weaknesses.  Why not leverage that and
> use both?  Many people do.  It will also give you some verification
> that you seem to be asking for.  A basic NetFlow monitoring system is
> relatively cheap to run so I'd advise against getting rid of it if you
> already have something running.
>
> John
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> http://lists.dshield.org/mailman/listinfo/unisog
>
>   
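The thread's two technical points are that NetFlow export still rides on UDP and that flow records, unlike Argus, never carry the packet itself. The script below is an added illustration, not code from the thread or from Cisco: it builds two constructed NetFlow v5 datagrams (24-byte header, fixed 48-byte records, the layout Cisco documents for v5), parses them the way a collector would, and uses the header's flow_sequence counter to count how many flows a lost UDP datagram took with it. The addresses, ports, engine id and sequence numbers are made up for the example.

```python
"""NetFlow v5 over UDP: parse constructed export datagrams and detect
flows lost in transit via the header sequence counter.
Added example; not from the unisog thread or from any vendor code."""
import struct
import socket

# Cisco NetFlow v5 wire layout (network byte order).
HEADER_FMT = "!HHIIIIBBH"   # version, count, sys_uptime, unix_secs, unix_nsecs,
                            # flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # src, dst, nexthop, in_if, out_if, pkts,
                                          # octets, first, last, sport, dport, pad,
                                          # tcp_flags, proto, tos, src_as, dst_as,
                                          # src_mask, dst_mask, pad
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48 bytes


def parse_v5(datagram):
    """Return (header dict, list of flow dicts) for one v5 export datagram."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, _nsecs, flow_sequence,
     _engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    header = {"count": count, "sys_uptime": sys_uptime, "unix_secs": unix_secs,
              "flow_sequence": flow_sequence, "engine_id": engine_id,
              "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack_from(RECORD_FMT, datagram, off)
        # Only the 5-tuple, counters, flags and timing survive: no payload.
        records.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                        "sport": sport, "dport": dport, "proto": proto,
                        "packets": pkts, "octets": octets, "tcp_flags": tcp_flags,
                        "duration_ms": last - first})
    return header, records


def lost_flows(prev_header, cur_header):
    """Flows missing between two consecutive datagrams from one engine.
    In v5, flow_sequence is the running total of flows exported, so the next
    datagram should begin at prev.flow_sequence + prev.count (mod 2**32)."""
    if prev_header is None:
        return 0
    expected = (prev_header["flow_sequence"] + prev_header["count"]) & 0xFFFFFFFF
    return (cur_header["flow_sequence"] - expected) & 0xFFFFFFFF


def build_v5_datagram(flow_sequence, flows, sys_uptime=1000, unix_secs=1154386800):
    """Constructed exporter output for this example. flows holds tuples of
    (src, dst, proto, sport, dport, packets, octets, tcp_flags)."""
    body = b""
    for src, dst, proto, sport, dport, packets, octets, flags in flows:
        body += struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                            b"\0\0\0\0", 1, 2, packets, octets, 900, sys_uptime,
                            sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
    header = struct.pack(HEADER_FMT, 5, len(flows), sys_uptime, unix_secs, 0,
                         flow_sequence, 0, 7, 0)
    return header + body


# Constructed sample: datagram A carries flows 100-101, datagram B starts at
# 104, so a datagram holding flows 102-103 was dropped somewhere on the UDP path.
DATAGRAM_A = build_v5_datagram(100, [
    ("192.0.2.10", "198.51.100.5", 6, 51234, 22, 12, 1840, 0x1B),   # SYN/ACK/PSH/FIN
    ("192.0.2.10", "198.51.100.53", 17, 40001, 53, 1, 64, 0),
])
DATAGRAM_B = build_v5_datagram(104, [
    ("203.0.113.7", "192.0.2.10", 6, 4444, 445, 3, 180, 0x02),      # SYN only
])


def collect(datagrams):
    """Parse a sequence of datagrams; return (all flow records, flows lost)."""
    prev, records, lost = None, [], 0
    for d in datagrams:
        hdr, recs = parse_v5(d)
        lost += lost_flows(prev, hdr)
        records.extend(recs)
        prev = hdr
    return records, lost


if __name__ == "__main__":
    recs, lost = collect([DATAGRAM_A, DATAGRAM_B])
    for r in recs:
        print(r)
    print("flows lost to dropped UDP export:", lost)
```

The gap counter is the check a collector should always keep per exporter engine: because export is UDP, silently missing flows are the normal failure mode, and without the sequence arithmetic an accounting or incident timeline built from the flows has no indication that anything is absent. The records also make John's point concrete: a flow tells you who talked to whom, on which ports, how much and with which TCP flags, but nothing about what was said, which is where a full-packet tool such as Argus complements it.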