[nsp] NetFlow through a firewall?
Dmitri Kalintsev
dek at hades.uz
Thu May 8 09:26:27 EDT 2003
GRE or IPSec, if it is *so* important?
SY,
--
D.K.
On Wed, May 07, 2003 at 02:59:01PM -0400, Temkin, David wrote:
> Thanks. My thought exactly, but I know my security team will ask the
> question, so I figured I'd try to be armed with something :-)
>
> -----Original Message-----
> From: Gert Doering [mailto:gert at greenie.muc.de]
> Sent: Wednesday, May 07, 2003 2:58 PM
> To: Temkin, David
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [nsp] NetFlow through a firewall?
>
>
> Hi,
>
> On Wed, May 07, 2003 at 02:46:22PM -0400, Temkin, David wrote:
> > Has anyone successfully passed NetFlow traffic through a firewall? If
> > anyone has any pointers (ie, how to do this securely...) I'd love to
> > hear them.
>
> It's not trivial, as NetFlow is source-spoofable UDP.
>
> On the other hand - the worst thing that people can do is send you faked
> accounting records (which the flow sequence number checks should catch) and
> maybe crash your netflow software.
>
> It should be fairly safe if you make sure you don't permit source spoofed
> UDP packets (with a source IP of your routers) from "outside", and then
> permit only those sources through your firewall.
>
> gert
>
>
> --
> USENET is *not* the non-clickable part of WWW!
>
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert.doering at physik.tu-muenchen.de
>
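The two controls Gert describes above (drop packets arriving from outside that carry a router's source address, permit NetFlow only from the known exporters to the collector, and rely on the flow sequence counter to spot faked records) can be modelled end to end. The following Python is an added example, not code from the thread or from any vendor; the addresses, interface names and collector port 2055 are constructed assumptions, and the datagrams are built inline with the NetFlow v5 24-byte header layout (version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval) followed by 48-byte records.

```python
"""Constructed example: firewall verdict for NetFlow UDP plus NetFlow v5
sequence tracking, following the two points made in the thread."""
import ipaddress
import struct
from dataclasses import dataclass

# Hypothetical topology: exporters live on the "inside", the collector is
# reached across the firewall. All addresses/ports are assumptions.
EXPORTERS = {ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("10.0.0.2")}
COLLECTOR = ipaddress.ip_address("192.0.2.10")
COLLECTOR_PORT = 2055           # assumed collector port
INSIDE, OUTSIDE = "inside", "outside"


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the packet arrived on
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def firewall_verdict(pkt: Packet) -> str:
    """Return 'permit' or 'drop'.

    Rule 1 (anti-spoofing): anything arriving from outside that claims an
    exporter's source address is dropped, so nobody can impersonate a router.
    Rule 2: NetFlow is permitted only from the known exporters, only to the
    collector, only on the collector port. Everything else is denied.
    """
    if pkt.iface == OUTSIDE and pkt.src in EXPORTERS:
        return "drop"           # spoofed exporter address
    if (pkt.iface == INSIDE and pkt.proto == "udp"
            and pkt.src in EXPORTERS and pkt.dst == COLLECTOR
            and pkt.dport == COLLECTOR_PORT):
        return "permit"
    return "drop"               # default deny


# NetFlow v5 header: version, count, SysUptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48


def build_v5(seq: int, count: int, sysuptime: int = 1000,
             unix_secs: int = 1052000000) -> bytes:
    """Construct a v5 datagram with `count` zero-filled records (test data)."""
    header = V5_HEADER.pack(5, count, sysuptime, unix_secs, 0, seq, 0, 0, 0)
    return header + bytes(V5_RECORD_LEN * count)


class SequenceTracker:
    """Track the per-exporter flow_sequence counter.

    flow_sequence is the running total of flows exported before this
    datagram, so the next datagram should carry seq + count. A datagram
    that does not continue the counter is either lost traffic ('gap') or a
    record the exporter did not send ('rewind'); either way it is flagged.
    """

    def __init__(self) -> None:
        self.expected: dict = {}

    def check(self, exporter: str, datagram: bytes) -> str:
        if len(datagram) < V5_HEADER.size:
            return "malformed"
        version, count, _up, _secs, _nsecs, seq, _et, _eid, _samp = (
            V5_HEADER.unpack_from(datagram))
        # Refuse anything that is not v5 or whose count disagrees with the
        # payload length; a crafted packet that lies about `count` is a
        # classic way to crash a naive collector.
        if version != 5 or len(datagram) != V5_HEADER.size + V5_RECORD_LEN * count:
            return "malformed"
        want = self.expected.get(exporter)
        self.expected[exporter] = seq + count   # resynchronise on what we saw
        if want is None:
            return "first"
        if seq == want:
            return "ok"
        return "gap" if seq > want else "rewind"


def demo() -> list:
    """Run the scenario the thread describes and return the verdicts."""
    r1 = ipaddress.ip_address("10.0.0.1")
    results = [
        firewall_verdict(Packet(OUTSIDE, r1, COLLECTOR, "udp", COLLECTOR_PORT)),
        firewall_verdict(Packet(INSIDE, r1, COLLECTOR, "udp", COLLECTOR_PORT)),
    ]
    t = SequenceTracker()
    results.append(t.check("r1", build_v5(0, 3)))
    results.append(t.check("r1", build_v5(3, 2)))
    results.append(t.check("r1", build_v5(1, 1)))   # stale/faked counter
    return results


if __name__ == "__main__":
    print(demo())
```

The sequence check only catches an injector who cannot see the real counter; an attacker who can sniff the exporter's traffic can forge a matching sequence, which is why the anti-spoofing rule on the firewall is the control that actually matters, and why the GRE or IPsec suggestion above removes the problem entirely.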