NetFlow Placement with MARS50

Answered Question
Feb 18th, 2008

Hello,


I'm deploying a MARS50. We have a WAN aggregation router followed by a team of PIX535s then a Campus Aggregation Router. Both routers are 6500s with IDSM-2's.


I know the MARS50 is underpowered for our deployment so we're trying to get the most bang for the buck. I'm getting Syslogs from the PIX & routers and currently NetFlow from the Inside router. I'm thinking of moving the NetFlow to the outside router as I've read we should get better sessionization with the denies from the PIX. Enabling the IDSMs is for later in the process. Any comments or suggestions on whether the NetFlow data is better obtained before or after our border firewall?


mhellman Tue, 02/19/2008 - 07:08

I suppose it would depend a lot on where your assets are. Frankly, I'm not sure either is very valuable but it depends on how your routing works. Is traffic between WAN's routed through the WAN aggregation router and is all campus traffic routed through the campus aggregation router?

GrumpyBear Thu, 02/21/2008 - 09:21

The WAN aggregation router aggregates all our Internet & other external connections as well as connections to all our other sites. Our assets are behind the firewall. The Campus aggregation router would see all the egress & ingress traffic to our external sites and the Internet as well as half of the Campus traffic transiting it.

The MARS documentation and some of the books are a little vague about which devices to enable NetFlow on, but they imply in a couple of places that NetFlow from in front of the firewall is useful in reporting on inbound attacks while the PIX deny logs filter out a lot of the false positives. Management would like to see reporting on what threats have been mitigated to gauge the ROI.

mhellman Thu, 02/21/2008 - 11:17

my 2 cents:

The campus traffic may have value because the netflows will represent events not represented by the firewall xlate, accept and deny logs. My impression is that firewall xlate/accept/denies are pretty much equivalent to netflow data in MARS and will trigger the same rules. It seems to me that netflows from the WAN router would already be represented by the PIX logs and netflows would not provide any additional value. This assumes that all netflow data would be represented by a PIX accept or deny log message.

GrumpyBear Thu, 02/21/2008 - 13:50

OK, further information: we only log denies on the PIX, and those are 300 MB daily, so logging the accepts would result in a huge increase in the log files.

Correct Answer
mhellman Sun, 02/24/2008 - 20:23

I see. Well, I personally still don't see a lot of value in collecting netflow out in front of your firewall. You've got all the denies in the Pix...so the numbers are still there for making up numbers about ROI;-)


The campus router has more value IMHO because you'd see internal<-->internal traffic which you otherwise might not have any insight into.
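The two replies above (the 02/21 "my 2 cents" post and this one) rest on a checkable claim: every flow the WAN router would export is already described by a PIX Built/Deny message, while the campus router also carries internal<->internal flows the PIX never sees. The script below is an added example, not part of the original thread or of MARS; it takes a handful of constructed PIX-style syslog lines (in the shape of %PIX-6-302013/302015 "Built ... connection" and %PIX-4-106023 "Deny" messages, RFC 5737 addresses, not captured from a real device) plus constructed NetFlow 5-tuples from both routers, and reports which NetFlow records no firewall message accounts for. The mapping of router to PIX interface ("wan" in front of outside, "campus" behind inside) and the treatment of a deny as the packet seen on its ingress interface are assumptions made for the example.

```python
"""Which NetFlow records are already represented by PIX syslog?

Added example, not from the original thread. Syslog lines and NetFlow records
are constructed for the example (RFC 5737 addresses) and only follow the
shape of the real PIX messages.
"""
import re

# %PIX-6-302013 (TCP) / 302015 (UDP): each endpoint appears twice,
# real address first, mapped (NAT) address in parentheses.
BUILT = re.compile(
    r"%PIX-6-30201[35]: Built (?:inbound|outbound) (TCP|UDP) connection \d+ "
    r"for (\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\) "
    r"to (\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)"
)
# %PIX-4-106023: packet dropped by an access-group on the ingress interface.
DENY = re.compile(
    r"%PIX-4-106023: Deny (\w+) src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+)"
)

SYSLOG = [  # constructed, not from a real PIX
    # inbound HTTP to a published server: global 198.51.100.10 -> real 10.1.2.3
    "%PIX-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.7/52311 "
    "(203.0.113.7/52311) to inside:10.1.2.3/80 (198.51.100.10/80)",
    # outbound HTTPS from a PAT'd client behind 198.51.100.1
    "%PIX-6-302013: Built outbound TCP connection 1002 for inside:10.1.50.20/3456 "
    "(198.51.100.1/40000) to outside:203.0.113.9/443 (203.0.113.9/443)",
    # inbound SMB probe dropped by the outside ACL (assumed shown as it arrived)
    '%PIX-4-106023: Deny tcp src outside:203.0.113.5/4123 dst inside:198.51.100.10/445 '
    'by access-group "outside_in"',
]

NETFLOW = [  # constructed unidirectional flow records, one per exporter
    dict(router="wan", proto="tcp", src="203.0.113.7", sport=52311, dst="198.51.100.10", dport=80),
    dict(router="wan", proto="tcp", src="198.51.100.1", sport=40000, dst="203.0.113.9", dport=443),
    dict(router="wan", proto="tcp", src="203.0.113.5", sport=4123, dst="198.51.100.10", dport=445),
    dict(router="campus", proto="tcp", src="10.1.2.3", sport=80, dst="203.0.113.7", dport=52311),
    dict(router="campus", proto="tcp", src="10.1.50.20", sport=3456, dst="203.0.113.9", dport=443),
    dict(router="campus", proto="tcp", src="10.1.50.20", sport=50123, dst="10.1.2.3", dport=3389),
    dict(router="campus", proto="udp", src="10.1.50.20", sport=51000, dst="10.1.2.5", dport=53),
]

# Assumption for the example: which PIX interface each exporter sits beside.
EXPORTER_SIDE = {"wan": "outside", "campus": "inside"}


def firewall_views(syslog_lines):
    """Return {interface: set of 5-tuples} as packets appear on that side.

    On interface I, hosts on I show their real address and hosts across the
    firewall show their mapped address; that is the tuple a NetFlow exporter
    adjacent to I would record. Both directions are added, since a connection
    produces a forward and a reply flow.
    """
    views = {}

    def add(iface, proto, src, sport, dst, dport):
        s = views.setdefault(iface, set())
        s.add((proto, src, int(sport), dst, int(dport)))
        s.add((proto, dst, int(dport), src, int(sport)))

    for line in syslog_lines:
        m = BUILT.search(line)
        if m:
            proto, fi, a, ap, am, amp, ti, b, bp, bm, bmp = m.groups()
            add(fi, proto.lower(), a, ap, bm, bmp)   # seen on the 'for' side
            add(ti, proto.lower(), am, amp, b, bp)   # seen on the 'to' side
            continue
        m = DENY.search(line)
        if m:
            proto, si, a, ap, di, b, bp = m.groups()
            add(si, proto.lower(), a, ap, b, bp)     # dropped on ingress only
    return views


def netflow_not_in_firewall(flows, views, exporter_side=EXPORTER_SIDE):
    """Flow records that no Built/Deny message on that side accounts for."""
    return [
        f for f in flows
        if (f["proto"], f["src"], f["sport"], f["dst"], f["dport"])
        not in views.get(exporter_side[f["router"]], set())
    ]


def summarize(syslog_lines=SYSLOG, flows=NETFLOW):
    """Counts behind the 'NetFlow in front of the PIX is redundant' argument."""
    extra = netflow_not_in_firewall(flows, firewall_views(syslog_lines))
    return {
        "pix_denies": sum(1 for l in syslog_lines if DENY.search(l)),
        "wan_flows_not_in_pix": sum(1 for f in extra if f["router"] == "wan"),
        "campus_flows_not_in_pix": sum(1 for f in extra if f["router"] == "campus"),
    }


if __name__ == "__main__":
    print(summarize())
    for f in netflow_not_in_firewall(NETFLOW, firewall_views(SYSLOG)):
        print("only visible in NetFlow:", f)
```

With the constructed input every WAN-side flow matches a PIX message, and the two campus records left over are exactly the internal RDP and DNS flows. The caveat for the original poster's setup is that this only holds when the PIX logs accepts as well as denies: passing `summarize([l for l in SYSLOG if DENY.search(l)])` to model a deny-only configuration leaves the two accepted WAN flows unmatched, so NetFlow outside the firewall would then be adding sessions the PIX logs do not carry, at the cost the 300 MB/day of denies already hints at.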
