Tavve Software Co. One Copley Plaza Suite 480 Morrisville, NC 27560 +1 919-460-1789 www.tavve.com
Executive Summary
With the proliferation of DMZs (De-Militarized Zones, firewall-protected network segments) and extranets, network managers increasingly face the problem of collecting data from NetFlow and sFlow enabled equipment when security policy prevents UDP from crossing the firewall out of these segregated areas. This paper discusses the problem the security policy creates and three solutions for collecting NetFlow and sFlow data from the DMZ: 1) add collectors into the DMZ, 2) use a separate network management network, or 3) add proxy collectors into the DMZ.
A variety of applications are available today to process collected NetFlow or sFlow data, from the hardware vendors and from NetScout, Hewlett-Packard, Hitachi, InMon, QoSmetrics, and others. Many network managers depend upon this data to manage their networks properly, and they need it from all locations in the network, including remote or off-limits networks such as DMZ subnets, extranets, and remote sites.
[Figure 2: a firewall blocking the NetFlow/sFlow data exported by an enabled device (agent) so that no NetFlow/sFlow data reaches the nGenius collector]
Once the firewall no longer passes UDP traffic, the sFlow and NetFlow export (both are carried over UDP) is blocked along with it. The firewall becomes an obstacle, preventing this data from reaching the collector; Figure 2 depicts a NetFlow enabled device failing to deliver NetFlow to its nGenius collector. Clearly, if the firewall blocks NetFlow or sFlow traffic to the collector, it is time to rearchitect this part of the network management design. In the remainder of this paper, we look at three possible solutions: (1) adding a collector on the DMZ side, (2) using a separate management network, or (3) using a proxy collector.
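Before rearchitecting, it is worth confirming on the collector host what, if anything, is actually arriving on the export ports, since a firewall dropping UDP looks identical to an agent that was never configured. The following is an added example (not Tavve or nGenius code) that binds a collector port and decodes NetFlow v5 and sFlow v5 datagrams by hand; the port numbers are the conventional ones (2055 for NetFlow, 6343 for sFlow, the latter IANA-assigned) and the sample datagrams and addresses are constructed for offline use.

```python
"""Check what actually arrives on a collector port: decode NetFlow v5 and
sFlow v5 datagrams by hand.  Added example, not Tavve or nGenius code; the
port numbers are conventional and the sample datagrams are constructed."""
import socket
import struct

NETFLOW_PORT = 2055   # common (not IANA-assigned) NetFlow port
SFLOW_PORT = 6343     # IANA-assigned sFlow port

# NetFlow v5: 24-byte header followed by up to 30 fixed 48-byte flow records
NF5_HEADER = struct.Struct("!HHIIIIBBH")
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(data):
    if len(data) < NF5_HEADER.size:
        raise ValueError("short NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = \
        NF5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError("NetFlow version %d, expected 5" % version)
    if count > 30 or len(data) < NF5_HEADER.size + count * NF5_RECORD.size:
        raise ValueError("header claims %d records but datagram is %d bytes"
                         % (count, len(data)))
    records = []
    off = NF5_HEADER.size
    for _ in range(count):
        f = NF5_RECORD.unpack_from(data, off)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "sport": f[9], "dport": f[10], "proto": f[13],
            "packets": f[5], "bytes": f[6],
        })
        off += NF5_RECORD.size
    return {"type": "netflow", "version": 5, "sequence": seq, "records": records}


def parse_sflow_v5(data):
    if len(data) < 8:
        raise ValueError("short sFlow header")
    version, addr_type = struct.unpack_from("!II", data)
    if version != 5:
        raise ValueError("sFlow version %d, expected 5" % version)
    if addr_type == 1:
        addr_len, family = 4, socket.AF_INET
    elif addr_type == 2:
        addr_len, family = 16, socket.AF_INET6
    else:
        raise ValueError("unknown agent address type %d" % addr_type)
    off = 8
    if len(data) < off + addr_len + 16:
        raise ValueError("truncated sFlow header")
    agent = socket.inet_ntop(family, data[off:off + addr_len])
    off += addr_len
    _sub_agent, seq, _uptime, nsamples = struct.unpack_from("!IIII", data, off)
    return {"type": "sflow", "version": 5, "agent": agent,
            "sequence": seq, "samples": nsamples}


def decode_datagram(data):
    """Both formats open with a big-endian version number, but NetFlow's is 16
    bits (00 05 ...) and sFlow's is 32 bits (00 00 00 05 ...), so the first
    four bytes tell them apart regardless of which port they came in on."""
    if data[:4] == b"\x00\x00\x00\x05":
        return parse_sflow_v5(data)
    if data[:2] == b"\x00\x05":
        return parse_netflow_v5(data)
    raise ValueError("not a NetFlow v5 or sFlow v5 datagram")


def listen_once(port, timeout=30.0):
    """Bind the collector port and return (exporter_ip, decoded) for the first
    datagram, or None on timeout.  A firewall dropping the UDP export produces
    exactly the same silence as an unconfigured agent, so check the agent too."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("", port))
    try:
        data, (exporter_ip, _) = sock.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return exporter_ip, decode_datagram(data)


# Constructed sample datagrams (private/documentation addresses) so the
# decoders can be exercised without a live exporter.
def sample_netflow_v5():
    header = NF5_HEADER.pack(5, 1, 120000, 1100000000, 0, 42, 0, 0, 0)
    record = NF5_RECORD.pack(
        socket.inet_aton("10.1.1.5"), socket.inet_aton("192.0.2.10"), b"\0\0\0\0",
        1, 2, 10, 1500, 100, 900, 51234, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record


def sample_sflow_v5():
    return struct.pack("!II4sIIII", 5, 1, socket.inet_aton("10.1.1.7"), 0, 7, 5000, 2)


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else NETFLOW_PORT
    print(listen_once(port) or "no datagram received on UDP %d" % port)
```

Run it on the collector host with the port the agents export to; if it times out while a packet capture on the DMZ side shows the agent transmitting, the firewall is the obstacle. The version check matters in practice: a NetFlow v9 or IPFIX exporter pointed at a v5-only collector also yields "no data" without any firewall involvement.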
[Figure: solution 1, a collector installed inside the DMZ alongside the enabled devices (agents); the administrator reaches it through the firewall]
To implement this solution, you need a collector in every isolated DMZ that contains NetFlow or sFlow enabled devices, even if that DMZ holds only a few devices. For each collector you must:
1. Acquire and install a computer to host the collector
2. Purchase and install the collector software
3. Add one or more firewall rules so the collector can communicate with the server
4. Add one or more firewall rules so the system and database administrators can reach the collector host
5. Configure the NetFlow or sFlow devices to export to the new collector
Note that rules 3 and 4 each open a path through the firewall (collector to server, and administrator into the DMZ); expect your security group to require them scoped to specific hosts and ports.
The advantage of this solution is:
1. It requires no more expertise to set up collection in a DMZ than is ordinarily needed in the enterprise.
The disadvantages of this solution are:
1. The extra cost of multiple collectors
2. The additional hardware cost for those new collectors
3. The added labor cost of OS, software, and database setup
4. The delays and justifications required to negotiate all those new firewall rules with security
5. The ongoing labor cost of OS, software, and database maintenance
Figure 4. A separate network management subnet bypasses the firewall (the administrator and nGenius collector reach the enabled devices' agents over the management subnet while NetFlow data is still blocked at the firewall)
Copyright 2005 Tavve Software Co.
To implement this solution, you need a dedicated interface on every device:
1. Dedicate an Ethernet interface on each router to the network management network
2. Connect each switch's network management LAN port to the network management network. A switch without a dedicated management port cannot take part in this solution.
3. Add an extra network interface to the collector host
4. Configure all these dedicated interfaces on the same subnet
The advantages of this solution are:
1. It is a very low-cost approach, provided the dedicated interfaces are cheap
2. No dedicated collector is needed
3. No proxy software or appliance is needed
The disadvantages of this solution are:
1. It may be difficult to get approval from your security group. Security groups consider the scenario in which a DMZ device is compromised: the attacker could then use the management network to reach the collector host, and from the collector host (which now sits on both the management subnet and the corporate network) go on to attack the corporate network. Such an attack bypasses the firewall entirely, which is exactly what the DMZ was meant to prevent. If you pursue this design, expect to be asked to harden the collector host's management interface: no IP forwarding between its interfaces, and only the flow-export ports accepted, and only from the agents' addresses.
2. Some network equipment (such as switches) has no dedicated network management interface, leaving this solution incomplete.
[Figure: solution 3, a ZoneRanger proxy collector in each DMZ (DMZ#1, DMZ#2) receives NetFlow/sFlow data from the enabled devices (agents) and relays it through the firewall to the Ranger Gateway proxy software, which passes it to the nGenius Collector; the nGenius Server performs database synch/update with the collector, and the administrator works from the enterprise side]
If the proxy collector is an appliance, such as ZoneRanger, you do not need firewall rules for system administrator or database administrator access to it. The single firewall rule that allows the ZoneRanger to communicate with its complementary Ranger Gateway software also carries its configuration, which is done by web browser through a Ranger Gateway port.
The advantages of this solution are:
1. The ZoneRanger appliance needs no system or database administrator to set it up or maintain it; the network management support team configures it
2. No more collectors are required than usual
3. Only one firewall rule per proxy collector is needed (easier to negotiate with security)
4. Besides proxying NetFlow and sFlow data, it proxies other network management traffic (SNMP, SNMP traps, syslog)
The disadvantage of this solution is:
1. It is a new tool, so some learning is required
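To make the proxy-collector idea concrete, here is an added example of the mechanism such a solution relies on: the DMZ side receives the agents' UDP datagrams and relays them over one outbound TCP connection to a gateway on the enterprise side, which unwraps them and re-sends them to the real collector, so the firewall needs a single rule (proxy to gateway port). The frame format, function names and addresses are made up for illustration; this is not Tavve's ZoneRanger/Ranger Gateway protocol and says nothing about how that product works internally.

```python
"""Illustrative proxy-collector relay for NetFlow/sFlow: the DMZ side wraps each
UDP datagram into a single outbound TCP stream, the enterprise side unwraps it
and re-emits it to the real collector.  Added example with a made-up frame
format; it is not Tavve's ZoneRanger/Ranger Gateway protocol."""
import select
import socket
import struct
import sys

# Frame: agent IPv4 | agent UDP port | collector UDP port | payload length | payload
FRAME_HDR = struct.Struct("!4sHHH")


def encode_frame(agent_ip, agent_port, collector_port, payload):
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for 16-bit length field")
    return FRAME_HDR.pack(socket.inet_aton(agent_ip), agent_port,
                          collector_port, len(payload)) + payload


def decode_frames(buf):
    """Split a byte stream into complete frames and return (frames, leftover).
    TCP preserves bytes, not datagram boundaries: one recv() may return half a
    frame or several, so the leftover must be carried into the next call."""
    frames, off = [], 0
    while len(buf) - off >= FRAME_HDR.size:
        raw_ip, aport, cport, length = FRAME_HDR.unpack_from(buf, off)
        end = off + FRAME_HDR.size + length
        if end > len(buf):
            break                      # wait for the rest of this frame
        frames.append((socket.inet_ntoa(raw_ip), aport, cport,
                       buf[off + FRAME_HDR.size:end]))
        off = end
    return frames, buf[off:]


def run_proxy(udp_ports, gateway):
    """DMZ side.  Listens on the flow ports and relays every datagram over ONE
    TCP connection that the proxy itself opens towards the gateway, so the only
    firewall rule needed is 'proxy -> gateway port', outbound from the DMZ."""
    tcp = socket.create_connection(gateway)
    socks = []
    for port in udp_ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("", port))
        socks.append(s)
    while True:
        ready, _, _ = select.select(socks, [], [])
        for s in ready:
            data, (agent_ip, agent_port) = s.recvfrom(65535)
            tcp.sendall(encode_frame(agent_ip, agent_port, s.getsockname()[1], data))


def run_gateway(listen_port, collector_ip):
    """Enterprise side.  Accepts the proxy's connection and re-sends each
    datagram to the collector on the port the agent originally used."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("", listen_port))
    srv.listen(1)
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    conn, _peer = srv.accept()
    buf = b""
    while True:
        chunk = conn.recv(65536)
        if not chunk:
            break
        frames, buf = decode_frames(buf + chunk)
        for agent_ip, _agent_port, cport, payload in frames:
            # The collector sees the gateway, not the agent, as the UDP source.
            # sFlow carries the agent address inside the datagram; NetFlow v5
            # does not, so a real product must spoof the source (raw sockets)
            # or let the collector map gateway address -> agent.
            out.sendto(payload, (collector_ip, cport))
    conn.close()


if __name__ == "__main__":
    # usage: proxy GATEWAY_IP GATEWAY_PORT   |   gateway LISTEN_PORT COLLECTOR_IP
    if sys.argv[1:2] == ["proxy"]:
        run_proxy([2055, 6343], (sys.argv[2], int(sys.argv[3])))
    elif sys.argv[1:2] == ["gateway"]:
        run_gateway(int(sys.argv[2]), sys.argv[3])
```

Two points matter when evaluating any proxy collector against this sketch. First, the TCP link is initiated from the DMZ and terminates on a listening port inside the enterprise, so it deserves the same scrutiny as any inbound service: a real deployment would authenticate the proxy and encrypt the stream (wrapping the connection with the ssl module is the obvious way in Python) rather than accepting whichever host connects first as this example does. Second, the original agent address has to be carried explicitly, as the frame header does here, because the collector otherwise attributes all NetFlow to the gateway.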
Conclusion
When the security policy of your enterprise prevents you from sending your NetFlow or sFlow data to your enterprise-side collector, you can choose one of three solutions: (a) add a collector into each isolated DMZ, (b) use a separate network management network, or (c) add a proxy collector into each isolated DMZ. Depending upon product and ongoing administration costs, and on how many new paths through the firewall your security group will accept, one solution may be more favorable than the others for your enterprise.