[nsp] NetFlow through a firewall?

Charlie Winckless CharlieW at netarch.com
Wed May 7 14:52:23 EDT 2003

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> On Wed, May 07, 2003 at 08:57:42PM +0200, Gert Doering wrote:
> > On Wed, May 07, 2003 at 02:46:22PM -0400, Temkin, David wrote:
> > > Has anyone successfully passed NetFlow traffic through a firewall?
> > > If anyone has any pointers (ie, how to do this securely...) I'd
> > > love to hear them.
> >
> > It's not trivial, as NetFlow is source-spoofable UDP.
> >
> > On the other hand - the worst thing that people can do is send you
> > faked accounting records (which the flow sequence number checks
> > should catch) and maybe crash your netflow software.
>
> Or, if your netflow software has a remotely exploitable
> vulnerability, a single spoofed malicious packet might be enough
> for someone to take over your machine.  Don't laugh, it happened
> with Microsoft SQL server just a few months ago.  The question to
> ask is "Do you trust your Netflow software with exposure to the
> Internet?"

I suspect the Cisco answer to this, as with many things,
is: IPsec. If your router runs the appropriate feature set,
an IPsec tunnel, appropriately controlled, will protect much
of the infrastructure.

(Of course, now if your router is compromised they can
hop straight through your firewall to the inside Netflow
machine on all ports and protocols. Which could be bad.)

- --
Charlie Winckless, CCIE #7331           |           |
Senior Consulting Engineer              |           | 
Network Architechs                     |||         |||      
u: http://www.netarch.com            .|||||.     .|||||.
e:   charliew at netarch.com         .:|||||||||:.:|||||||||:.
p:    (505) 256-9047 x144           Cisco Systems Partner
f:         (505) 256-9091             Silver Certified
- -----------------------------------------------------------
Van Roy's Law:

     An unbreakable toy is useful for breaking other toys.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPrlj9srtF6HAen5cEQLWSgCgz5v9RLXJey7V6tppOW2+y+4+9eYAn3pQ
/tgy+gyiS95ruAPAA4aNli9c
=A4Qn
-----END PGP SIGNATURE-----
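The thread's point that NetFlow is source-spoofable UDP and that "the flow sequence number checks should catch" faked records can be made concrete. The following is an added example, not code from the cisco-nsp thread or from any Cisco or collector product: it parses the NetFlow v5 export header, restricts accepted datagrams to a list of known exporter addresses, and checks that each exporter's 32-bit flow_sequence field advances by exactly the record count of the previous packet. The exporter addresses and the sample datagrams are constructed for the example.

```python
"""NetFlow v5 header parsing with per-exporter flow-sequence checks.

Added example, not code from the cisco-nsp thread.  NetFlow v5 is plain
UDP, so the source address of a datagram can be spoofed.  The one
consistency check a collector has is the header's flow_sequence field,
which counts the total number of flow records the exporter has sent so
far: for a healthy exporter, the next header's flow_sequence equals the
previous flow_sequence plus the previous packet's record count.  A
datagram that does not fit that progression is loss, an exporter
restart, or an injected packet.  Exporter addresses and packets below
are constructed for the example.
"""
import struct

# v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes)
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_HEADER_LEN = V5_HEADER.size
V5_RECORD_LEN = 48          # each v5 flow record is 48 bytes
V5_MAX_RECORDS = 30         # v5 exports carry at most 30 records


def parse_v5_header(data):
    """Return the v5 header fields as a dict; raise ValueError if malformed."""
    if len(data) < V5_HEADER_LEN:
        raise ValueError("short datagram")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_sequence, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if not 1 <= count <= V5_MAX_RECORDS:
        raise ValueError("bad record count %d" % count)
    if len(data) != V5_HEADER_LEN + count * V5_RECORD_LEN:
        raise ValueError("datagram length does not match record count")
    return {
        "version": version, "count": count, "sys_uptime": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_sequence, "engine_type": engine_type,
        "engine_id": engine_id, "sampling_interval": sampling,
    }


class SequenceTracker:
    """Accept datagrams only from listed exporters and track each one's sequence."""

    def __init__(self, allowed_exporters):
        self.allowed = set(allowed_exporters)
        self.expected = {}      # exporter address -> expected next flow_sequence

    def check(self, src_ip, data):
        """Classify one datagram: ok, gap, out-of-order, malformed or unknown-source."""
        if src_ip not in self.allowed:
            return "unknown-source"          # firewall/ACL should already drop these
        try:
            hdr = parse_v5_header(data)
        except ValueError:
            return "malformed"
        seq = hdr["flow_sequence"]
        nxt = (seq + hdr["count"]) & 0xFFFFFFFF   # sequence counter wraps at 2^32
        expected = self.expected.get(src_ip)
        if expected is None or seq == expected:
            self.expected[src_ip] = nxt
            return "ok"
        # Signed distance from the expected value, modulo 2^32.
        diff = (seq - expected) & 0xFFFFFFFF
        if diff < 2 ** 31:
            # Ahead of expected: records were lost in transit; resync.
            self.expected[src_ip] = nxt
            return "gap"
        # Behind expected: replay, exporter restart, or an injected packet.
        # Do not resync on it, so a spoofed packet cannot move the window.
        return "out-of-order"


def make_v5_packet(flow_sequence, count):
    """Build a constructed v5 datagram with zeroed flow records (test input only)."""
    header = V5_HEADER.pack(5, count, 1000, 1052328743, 0, flow_sequence, 0, 0, 0)
    return header + b"\x00" * (count * V5_RECORD_LEN)
```

The sequence check is a consistency test, not authentication: anyone who can see the export stream can forge a datagram with the right next sequence number, so it catches blind injection and corrupted streams but not an on-path attacker. Protecting the transport (the IPsec tunnel suggested above) is what turns the check into something you can rely on.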