nanog mailing list archives

Re: NetFlow - path from Routers to Collector

From: Baldur Norddahl <baldur.norddahl () gmail com>
Date: Wed, 2 Sep 2015 19:03:20 +0200

We use the VRF approach not because we think this will give us more
stability ie. no fate sharing, but because it is best practice in a
security perspective. We keep our internal network separated from customer
traffic for the same reason our customers run firewalls.

Minimize the attack surface. Customers or people from the internet should
not be able to even attempt hacking the infrastructure. They should not be
able to send packets that will get routed to the collector.

ACLs is a poor man's solution compared to running in a VRF or equallent
(vlan).

Regards

Baldur
Den 02/09/2015 18.31 skrev "Serge Vautour" <sergevautour () yahoo ca>:

Hello again,

Well, this generated a bit more discussion than I was expecting. I've
retained the following from all your comments:

-Doing flow export over an OOB network can help make sure you still "see"
your network during a DDoS
-If we do this over an OOB network, it may not work over the OOB port on
the RE/RSP.

I do have some specific questions for the folks who are OK with doing this
inband:

-Are you concerned with someone intercepting the Flow streams? I assume if
someone has the ability to do so, you've got bigger problems.
-If we make the assumption that someone can intercept the Flow steam, do
you think the data in the steam can be used for anything? It's just L3 & L4
headers. In other words, do you feel an OOB network is require to secure
the flow data?

Thanks again, your comments are very helpful.

Serge

--------------------------------------------
On Tue, 9/1/15, Serge Vautour <sergevautour () yahoo ca> wrote:

 Subject: NetFlow - path from Routers to Collector
 To: nanog () nanog org
 Received: Tuesday, September 1, 2015, 12:33 PM

 Hello,

 For those than run Internet connected routers, how do you
 get your NetFlow data from the routers to your collectors?
 Do you let the flow export traffic use the same links as
 your customer traffic to route back to central collectors?
 Or do you send this traffic over private network management
 type path? If you send this traffic over the "Internet"
 (within your AS), are you worried about security?

 Thanks,
 Serge

Current thread:

RE: NetFlow - path from Routers to Collector, (continued)
- - - RE: NetFlow - path from Routers to Collector White, Andrew (Sep 10)
    - Re: NetFlow - path from Routers to Collector Todd K Grand (Sep 10)
    - Re: NetFlow - path from Routers to Collector Niels Bakker (Sep 01)
    - Re: NetFlow - path from Routers to Collector Roland Dobbins (Sep 01)
    - Re: NetFlow - path from Routers to Collector Leo Bicknell (Sep 01)
    - Re: NetFlow - path from Routers to Collector Mark Tinka (Sep 01)
    - Re: NetFlow - path from Routers to Collector Pierfrancesco Caci (Sep 01)
    - Re: NetFlow - path from Routers to Collector Roland Dobbins (Sep 02)
- Re: NetFlow - path from Routers to Collector Serge Vautour (Sep 02)
  - Re: NetFlow - path from Routers to Collector Roland Dobbins (Sep 02)
  - Re: NetFlow - path from Routers to Collector Baldur Norddahl (Sep 02)
- Re: NetFlow - path from Routers to Collector James Bensley (Sep 11)
  - RE: NetFlow - path from Routers to Collector Erik Sundberg (Sep 11)
- Re: NetFlow - path from Routers to Collector Avi Freedman (Sep 01)
  - Re: NetFlow - path from Routers to Collector Roland Dobbins (Sep 01)
- Re: NetFlow - path from Routers to Collector Avi Freedman (Sep 01)
  - Re: NetFlow - path from Routers to Collector Roland Dobbins (Sep 01)
- Re: NetFlow - path from Routers to Collector Avi Freedman (Sep 01)
  - Re: NetFlow - path from Routers to Collector jim deleskie (Sep 01)
    - Re: NetFlow - path from Routers to Collector Roland Dobbins (Sep 01)
  - RE: NetFlow - path from Routers to Collector Frank Bulk (Sep 05)

(Thread continues...)