So, working with flows. Flows are really an easy way to track large amounts of data and look at trends as to what's going on on the network.
So in this particular case here, this is showing traffic over the course of one, two, three, four, five, six... seven days, I'm sorry.
What is really apparent here?
There are two things that really stand out. So the obvious one is this big green blob right here in the center, right? What else stands out about this?
A lot of red activity.
Yes. So red is actually...
I can't even read that. It's like one of those pictures you have to sit there and cross your eyes and look at for 20 seconds before it becomes clear.
After three... Do you see it? It still keeps on going.
There's one big one. I'm still looking for your time frame, it having happened within a...
The big blob is within a specific time frame. Okay.
But then, as he said, it's spread out from that point. It kind of peters out, but it's still present. Okay. It looks like it might have happened at night time, because you see this blob...
Bad stuff only happens at three in the morning, of course. Maybe a weekend or something.
We have... right, still, right, this. So this happened on a Sunday? Saturday? Probably early morning to midday. OK.
Even a little thinner after the green blob: the red and blue got thinner.
Look, well, so you're kind of on the right track here. What is this showing you? It's your baseline.
It's your baseline, right? So you're saying that, okay, on a daily basis it kind of ebbs and flows, and this is actually probably timed with the business hours, right? So this is, you know, eight o'clock in the morning to five at night, and then it dies, and then at eight o'clock in the morning this happens again. You see the traffic grow and increase.
If you were looking at a chart like this and all of a sudden you started to see this, what would you think?
I need to get my resume ready, because I'm gonna get fired.
Something is very clearly not within the baseline here, right.
So this is the real power of NetFlow: you can really easily understand what your baseline is, and then see when it goes outside that baseline, like when you have spikes. You can see this tiny little blue spike here; something was going on there. But this is very clearly not normal. So NetFlow gives you a way to visualize what your network baseline looks like, and then understand when something goes a little bit outside of the scope.
You say that that's abnormal, but I have no other week to look at.
That's actually a very good point. So you would have to look at this and go, do I expect to have... this was actually Microsoft SQL, that's the green. Do I expect to have large Microsoft SQL transfers occur on Saturday morning?
And the answer is, it depends. If you do regular data updates with a trusted third party or something, this may be normal to you.
That's a very good point. Doesn't exfiltration, theoretically, only go in one direction?
Yes.
So how would you actually work with flows at the tactical level? So here you have flows that are generated by a sensor. This is usually a router, but it can be anything, because there are NetFlow programs that you can install on hosts. But the router here is serving as the sensor. It's generating all of this NetFlow data, and it's going to send it to a collector. And the collector is what's actually going to visualize or process that data for you. So what does the actual Cisco router generate? It generates something that looks like this,
and this is nonsense... well, it's not nonsense. But if you had to look at this day in and day out, you'd have your eyes out.
So there are ways to visualize this, like we saw on the previous slide, and that's the job of the collector.
How do you actually export flows from devices? Well, first you need to figure out: what type of flows am I tracking here? Do I want directional or bidirectional flows? What are the keys that I actually want to set up, and how often do I want to collect this data?
If I'm sampling every 30 seconds, that means every 30 seconds I'm looking at the live connections. If I do that every hour, I have this much data. If I do it every minute, I've got this much data. So there's a decision here about how fine-grained or how much visibility you want into this, and you decide, based on how much data storage you have and how much processing power you have, what your sampling rate might be.
You'll collect it, and probably have a database that it gets stored in. You'll have some type of flow analysis tool that looks at it. The other question you have to answer is, how long do I want to keep it? Do I want to keep NetFlow data for a week, for a month, for a year? That goes back to maybe your forensic requirements. So how long do you have to maintain data in order to do forensic analysis? And it might also be based off of your storage requirements. If you don't have a large server that this is running on, you may only be able to keep, like, a week or a day of data or something like that.
Flow descriptors. So these are the keys that we talked about. The more keys you use, the more data you'll end up collecting. Because if I care about only IP address, what am I collecting? Just the IP address. If I care about port, protocol, *** number, traffic type and IP address, now I've got five pieces of information I need to collect.
So the more keys there are, the more flows there are, the more processing time is required, and the more data storage is required. The right choice here really depends on you, what your particular setup is gonna be, and what you want to be able to monitor.
Flow accounting. So if you've ever been in a hotel that monitors bandwidth usage, or gives you, like, you can be online for 24 hours or something like that, NetFlow supports that because it can track: when did you log on? How much data have you transferred? When did you log off? And it compares that to the hotel's policy that says you've been allowed online for 24 hours, or you're only allowed to transfer one gigabyte of data. And so the accounting mechanisms within NetFlow give you the ability to track that type of information.