1. NetFlow 란
♦ 기존 스위치, 라우터 장비에서는 전송되는 프레임 패킷과 트래픽의 통계만 확인
- 원격으로 SNMP 폴링을 통해 인터페이스의 사용량만 측정하는 것에 한계 존재
- 트래픽 Burst로 인하여 해당 인터페이스를 차단만 확인 가능
- 누가(Source-IP), 누구에게(Destination-IP), 어떤 용도로(Port) 전송하는지 확인 불가
- 빠른 장애 해결 및 보안을 위해 분석이 Flow 분석이 필요
2. Features
♦ 스위치와 라우터에서도 전송되는 Packet의 IP, Port, ToS, Protocol 등을 Netflow를 통해 확인 가능
- 위와 같이 Source Interface, Source IP, Destnation IP, Destnation Port, 해당 Flow의 Packet과 Rate, Destination interface 확인
- 대다수의 장비가 Netflow를 지원하거나 유사한 기능을 지원
- IETF 표준인 Internet Protocol Flow Information eXport (IPFIX)
- 산업표준인 sFlow[대다수의 업체가 지원]
- 그 외 JFlow, NetStream, CFlowd, AppFlow 등이 존재
3. Benefits
트래픽을 서비스 및 IP 별로 확인 하여 서버 향후 정책 수립문제가 발생 될 수 있는 비정상 트래픽 확인외부로 유출 되는 트래픽 확인보안사고 이후 원인 파악의 근거4. NetFlow 지원 장비 목록
Vendor and type Models NetFlow Version Implementation Comments Cisco IOS-XR routers CRS, ASR9000 old 12000 v5, v8, v9 Software running on line card CPU Comprehensive support for IPv6 and MPLS Cisco IOS routers 10000, 7200, old 7500 v5, v8, v9 Software running on Route Processor support for IPv6 or MPLS require recent model and IOS Cisco Catalystswitches 7600, 6500, 4500 v5, v8, v9 Dedicated hardware TCAM, also used for ACLs. Support for IPv6 on high-end models RSP720 and Sup720, but at most 128K or 256K flows per PCF card. Cisco Nexusswitches 7018, 7010 v5, v9 Dedicated hardware TCAM, also used for ACLs. Up to 512K flows. Support IPv4/IPv4/L2. MPLS not supported Juniper legacy routers M-serie, T-serie, MX-serie with DPC v5, v8 Software running on Routing Engine, called software jflow IPv6 and MPLS not supported Juniper legacy routers M-serie, T-serie, MX-serie with DPC v5, v8, v9 Software running on service PIC, called hardware jflow orsampled IPv6 or MPLS supported on MS-DPC, MultiService-PIC, AS-PIC2 Juniper routers MX-serie with MPC-3D, future FPC5 for T4000 v5, IPFIX Hardware (trio chipset), called inline jflow IPv6 requires JUNOS 11.4R2 (back port target), MPLS support unknown, MPC3E excluded until 12.3 Alcatel-Lucentrouters 7750SR v5, v8, v9,IPFIX Software running on Central Processor Module IPv6 or MPLS using IOM3 line cards or better Huawei routers NE5000E NE40E/X NE80E v5, v9 Software running on service cards Support for IPv6 or MPLS is unknown EnterasysSwitches S-Serie and N-Serie v5, v9 Dedicated hardware IPv6 support is unknown INVEA-TECH probes FlowMon Probe 1000, 2000, 4000, 6000, 10000, 20000 v5, v9, IPFIX Software or hardware-accelerated Comprehensive support for IPv6 and MPLS, wire-speed Nortel Switches Ethernet Routing Switch 5500 Series (ERS5510, 5520 and 5530) and 8600 (Chassis-based) v5, v9, IPFIX Software running on line card CPU Comprehensive support for IPv6 PC and Servers Linux FreeBSD NetBSD OpenBSD v5, v9, IPFIX Software like fprobe or ipt-netflow IPv6 support depend on the software used VMware servers vSphere 5.x v5 Software IPv6 support is unknown Mikrotik RouterOS RouterOS 3.x, 4.x, 5.x v1, v5, v9 Software and Routerboard hardware IPv6 support is unknown