
TRIGGERED NETFLOW COLLECTION

IP.com Disclosure Number: IPCOM000239106D
Publication Date: 2014-Oct-10
Document File: 3 page(s) / 159K

Publishing Venue

The IP.com Prior Art Database

Abstract

A method is presented herein for providing NetFlow on demand. NetFlow is enabled on specific interfaces where unidentified (unknown) endpoints are connected. Once NetFlow is triggered and the endpoint is profiled, NetFlow is disabled on the interface.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Page 01 of 3

TRIGGERED NETFLOW COLLECTION

AUTHORS:

Aaron Woland, Vivek Santuka

CISCO SYSTEMS, INC.

ABSTRACT

    A method is presented herein for providing NetFlow on demand. NetFlow is enabled on specific interfaces where unidentified (unknown) endpoints are connected. Once NetFlow is triggered and the endpoint is profiled, NetFlow is disabled on the interface.

DETAILED DESCRIPTION

    Information from NetFlow is very useful for profiling an endpoint on a network, both to apply authorization policy and to identify threats. However, the volume of traffic generated by NetFlow can overwhelm a collector or profiler.

    Network-based authentication servers and/or profilers, such as the Identity Services Engine (ISE) of Cisco Systems, Inc., use information from various protocols to identify (i.e., profile) an endpoint connected to the network. This identity helps in tailoring an authorization policy or in threat analysis.

    One source of information for identifying an endpoint is the NetFlow or IPFIX protocol (summarized herein as NetFlow for simplicity). NetFlow collects traffic statistics from a network interface and sends them to collectors, such as ISE.

    NetFlow analysis has been identified as the only useful method of profiling endpoints from verticals such as the Internet of Things (IoT), healthcare, manufacturing, etc. By nature, NetFlow is either enabled or disabled manually. When enabled, the amount of information sent by NetFlow, multiplied across a number of devices, overwhelms the collector. In the case of ISE, this volume prevents NetFlow from being a useful source of information.

Copyright 2014 Cisco Systems, Inc.

Page 02 of 3

    A method is presented herein for triggering NetFlow on specific interfaces where unidentified (unknown) endpoints are connected. Once NetFlow is triggered and the endpoint is profiled, NetFlow is disabled on the interface.

    To achieve this, the method presented herein proposes the use of the Security Group Tag (SGT) and the Cisco IOS Embedded Event Manager (EEM). Cisco EEM can be replaced with other mechanisms such as Cisco onePK, Software Defined Networking (SDN), OpenFlow, etc. The following details the steps of this method:

1. An unidentified endpoint attempts to authe...
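The on-demand trigger described in the abstract and the preceding paragraphs, modelled as a small controller in Python. This is an added example, not the disclosure's own implementation; it assumes a constructed UNKNOWN_SGT value marks an endpoint that has not yet been profiled, and the enable/disable flag flips stand in for the EEM (or onePK/SDN) hook on the switch. It goes slightly beyond the text by keeping NetFlow on while any unknown endpoint remains on a shared port and by switching it off when an unknown endpoint disconnects before being profiled.

```python
from dataclasses import dataclass, field
UNKNOWN_SGT = 0  # constructed placeholder: SGT meaning "not yet profiled"

@dataclass
class Interface:
    name: str
    endpoints: dict = field(default_factory=dict)  # mac -> current SGT
    netflow_enabled: bool = False

class TriggeredNetFlow:
    """NetFlow stays on only while an unknown endpoint is on the port."""
    def __init__(self):
        self.ifaces = {}
        self.log = []  # ("enable"|"disable", interface), kept for audit

    def _iface(self, name):
        return self.ifaces.setdefault(name, Interface(name))

    def _reconcile(self, iface):
        # The flag flip is where a real EEM/onePK/SDN hook would act.
        need = any(s == UNKNOWN_SGT for s in iface.endpoints.values())
        if need and not iface.netflow_enabled:
            iface.netflow_enabled = True
            self.log.append(("enable", iface.name))
        elif not need and iface.netflow_enabled:
            iface.netflow_enabled = False
            self.log.append(("disable", iface.name))

    def endpoint_authenticated(self, ifname, mac, sgt):
        iface = self._iface(ifname)
        iface.endpoints[mac] = sgt
        self._reconcile(iface)

    endpoint_profiled = endpoint_authenticated  # profiler assigned a real SGT

    def endpoint_left(self, ifname, mac):
        iface = self._iface(ifname)
        iface.endpoints.pop(mac, None)
        self._reconcile(iface)  # no export left running after a disconnect

    def active_exports(self):
        return sorted(i.name for i in self.ifaces.values() if i.netflow_enabled)

def demo():
    ctl = TriggeredNetFlow()  # constructed sample: two unknowns on one port
    ctl.endpoint_authenticated("Gi1/0/1", "00:11:22:33:44:55", UNKNOWN_SGT)
    ctl.endpoint_authenticated("Gi1/0/1", "cc:dd:ee:ff:00:11", UNKNOWN_SGT)
    ctl.endpoint_profiled("Gi1/0/1", "00:11:22:33:44:55", 20)  # one still unknown
    ctl.endpoint_profiled("Gi1/0/1", "cc:dd:ee:ff:00:11", 20)  # now NetFlow off
    return ctl.log
```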