[nsp] NetFlow through a firewall?

Temkin, David temkin at sig.com
Wed May 7 22:56:55 EDT 2003


A couple of people suggested that, but that's making it *worse* - not
better... I'd rather open a single application-specific UDP port through my
firewall than open an entire tunnel through which, if someone compromises the
router, they can gain full access inside...


-----Original Message-----
From: Dmitri Kalintsev [mailto:dek at hades.uz] 
Sent: Wednesday, May 07, 2003 6:26 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [nsp] NetFlow through a firewall?


GRE or IPSec, if it is *so* important?

SY,
--
D.K.

On Wed, May 07, 2003 at 02:59:01PM -0400, Temkin, David wrote:
> Thanks.  My thought exactly, but I know my security team will ask the 
> question, so I figured I'd try to be armed with something :-)
> 
> -----Original Message-----
> From: Gert Doering [mailto:gert at greenie.muc.de]
> Sent: Wednesday, May 07, 2003 2:58 PM
> To: Temkin, David
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [nsp] NetFlow through a firewall?
> 
> 
> Hi,
> 
> On Wed, May 07, 2003 at 02:46:22PM -0400, Temkin, David wrote:
> > Has anyone successfully passed NetFlow traffic through a firewall?  If
> > anyone has any pointers (ie, how to do this securely...) I'd love to
> > hear them.
> 
> It's not trivial, as NetFlow is source-spoofable UDP.
> 
> On the other hand - the worst thing that people can do is send you 
> faked accounting records (which the flow sequence number checks should 
> catch) and maybe crash your netflow software.
> 
> It should be fairly safe if you make sure you don't permit source 
> spoofed UDP packets (with a source IP of your routers) from "outside", 
> and then permit only those sources through your firewall.
> 
> gert
> 
> 
> --
> USENET is *not* the non-clickable part of WWW!
>  
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert.doering at physik.tu-muenchen.de
> 
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
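As an added example (not code from anyone in this thread), the following Python script shows what a collector can do with the NetFlow v5 datagrams the firewall lets through, along the lines Gert describes: accept only packets whose source address is one of the known exporters (the firewall's job, repeated here as defence in depth), validate the v5 header and length, and use the header's flow_sequence field to flag duplicated or out-of-sequence packets. The exporter addresses (192.0.2.1, 192.0.2.2), the collector port (2055) and the sample packets are assumptions constructed for the example; the NetFlow v5 header layout (24 bytes, up to 30 records of 48 bytes) is the documented format.

```python
"""Collector-side sanity checks for NetFlow v5 packets permitted through a firewall.

Added example for the cisco-nsp thread; not code from the thread or from any
collector product. Exporter addresses, the collector port and the sample
packets below are assumptions/constructed data.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes).
NETFLOW_V5_HEADER = struct.Struct("!HHIIIIBBH")
NETFLOW_V5_RECORD_LEN = 48
NETFLOW_V5_MAX_RECORDS = 30

COLLECTOR_PORT = 2055                              # assumption: export port opened on the firewall
ALLOWED_EXPORTERS = {"192.0.2.1", "192.0.2.2"}     # assumption: the routers the firewall permits


@dataclass
class ExporterState:
    next_seq: Optional[int] = None   # flow_sequence expected in the next packet from this exporter


@dataclass
class Collector:
    allowed: set = field(default_factory=lambda: set(ALLOWED_EXPORTERS))
    state: dict = field(default_factory=dict)

    def check(self, src_ip: str, payload: bytes) -> str:
        """Classify one datagram: 'accept', 'gap', 'replay', or a 'drop: ...' reason."""
        # The firewall should already restrict sources; re-check so a spoofed or
        # misrouted datagram never reaches the parser.
        if src_ip not in self.allowed:
            return "drop: source not an allowed exporter"
        if len(payload) < NETFLOW_V5_HEADER.size:
            return "drop: truncated header"
        (version, count, _uptime, _secs, _nsecs, flow_seq,
         _engine_type, _engine_id, _sampling) = NETFLOW_V5_HEADER.unpack_from(payload)
        if version != 5:
            return f"drop: unsupported version {version}"
        if count == 0 or count > NETFLOW_V5_MAX_RECORDS:
            return "drop: bad record count"
        # Bound the parser by the declared count before touching any record.
        if len(payload) != NETFLOW_V5_HEADER.size + count * NETFLOW_V5_RECORD_LEN:
            return "drop: length does not match record count"

        st = self.state.setdefault(src_ip, ExporterState())
        verdict = "accept"
        if st.next_seq is not None:
            # Wrap-safe 32-bit comparison: a packet "behind" the expected sequence
            # is a duplicate or injected copy; one "ahead" means loss or injection.
            diff = (flow_seq - st.next_seq) & 0xFFFFFFFF
            if diff >= 2 ** 31:
                # Do not advance state on a replay, so a single bogus packet does
                # not desynchronise the genuine stream.
                return "replay"
            if diff != 0:
                verdict = "gap"
        st.next_seq = (flow_seq + count) & 0xFFFFFFFF
        return verdict


def build_v5_packet(flow_seq: int, records: int) -> bytes:
    """Constructed sample packet: valid v5 header plus zero-filled records."""
    hdr = NETFLOW_V5_HEADER.pack(5, records, 0, 0, 0, flow_seq, 0, 0, 0)
    return hdr + b"\x00" * (records * NETFLOW_V5_RECORD_LEN)


def demo() -> list:
    """Run constructed datagrams through the checks and return the verdicts."""
    c = Collector()
    return [
        c.check("192.0.2.1", build_v5_packet(100, 3)),   # first packet sets the baseline
        c.check("192.0.2.1", build_v5_packet(103, 2)),   # in sequence
        c.check("192.0.2.1", build_v5_packet(103, 2)),   # duplicate / injected copy
        c.check("192.0.2.1", build_v5_packet(110, 1)),   # sequence jumped: loss or injection
        c.check("203.0.113.9", build_v5_packet(0, 1)),   # not an allowed exporter
        c.check("192.0.2.2", b"\x00\x05"),               # truncated datagram
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The sequence check only detects anomalies; it cannot tell a spoofed packet from a lost one, and an injected packet with a large sequence number still moves the baseline so that genuine packets then look like replays. That is why the firewall rule has to carry the real weight: permit UDP only from the exporters' addresses to the collector's export port, and drop anything arriving on the outside interface that claims an inside source address, as the earlier reply in this thread suggests.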