Network Advice: Handling Unidentifiable NetFlow Traffic

By Stephen Brown

So we received a comment from a reader who had mixed experiences with NetFlow.

On a small WAN (~10 users) NetFlow export generated about 10% of traffic volume, which was expected. The results, however, left him puzzled, as his network carries a lot of Citrix and WAFS traffic.

The majority (50% – 80% of traffic) appeared ‘unidentified’. He suspected this was because both ISA and WAFS use AH (Authentication Header), which makes the traffic hard to identify.

I approached SecurityDude, one of our other blog writers, for advice…being a humble marketing lackey myself.

“AH” is IPSec Authentication Header (IP Protocol 51). If the NetFlow router they are using can only see IPSec encapsulated frames, NetFlow would mark them “unidentified”. The AH header is inserted right after the IP header, so although the traffic is not encrypted, L4 and higher info is buried after the AH header and not processed by NetFlow.

They should run NetFlow on a router one hop behind their Internet edge to gather statistics on the traffic before & after IPSec mucks with it.

WAFS (Wide Area File Services) is a Cisco product that optimizes p2p WAN links. It should have no impact on NetFlow (that I can think of).”

Hope this helps.
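To make SecurityDude's point concrete, here is an added example (not code from the original post, and not how any particular router implements NetFlow) that builds two constructed IPv4 packets, one carrying TCP directly and one carrying the same TCP segment behind an AH header, and keys them the way a 5-tuple flow exporter would. With AH in the way the exporter sees IP protocol 51 and no ports, so the port-based application table returns "unidentified". Because AH authenticates but does not encrypt, the example also goes one step beyond the post: a parser that reads the AH length field can step over the header and recover the inner TCP ports, which is the visibility the post recommends getting by exporting from a router inside the IPSec edge. Addresses, SPI, ICV bytes and the port-to-application table are all constructed sample values.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_AH = 51   # IPsec Authentication Header, as named in the post


def build_ipv4(proto, payload):
    """Minimal 20-byte IPv4 header (no options) in front of payload.
    Source/destination addresses are constructed sample values."""
    src = bytes([10, 0, 0, 1])
    dst = bytes([10, 0, 0, 2])
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_tcp(sport, dport):
    """20-byte TCP SYN header, no options, no data; checksum left zero (sample only)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


def build_ah(next_header, inner):
    """AH header (RFC 4302 layout): next header, payload length in 32-bit words
    minus 2, reserved, SPI, sequence number, then the ICV. A 96-bit ICV is used,
    so the header is 12 + 12 = 24 bytes = 6 words, giving a payload length of 4.
    SPI and ICV bytes are constructed sample values."""
    icv = bytes(12)
    payload_len = (12 + len(icv)) // 4 - 2
    hdr = struct.pack("!BBHII", next_header, payload_len, 0, 0x1000, 1) + icv
    return hdr + inner


def flow_key(packet, walk_ah=False):
    """Return (src, dst, proto, sport, dport) as a 5-tuple exporter would.
    Ports are None when no transport header is visible at the L4 offset.
    With walk_ah=True the parser steps over an AH header to reach the inner
    transport header, which is possible because AH does not encrypt."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    off = ihl
    if proto == IPPROTO_AH and walk_ah:
        next_hdr = packet[off]
        ah_len = (packet[off + 1] + 2) * 4   # payload length field is in words minus 2
        off += ah_len
        proto = next_hdr
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", packet[off:off + 4])
        return (src, dst, proto, sport, dport)
    return (src, dst, proto, None, None)


# Constructed port-to-application table, standing in for a collector's port map.
APP_BY_PORT = {1494: "citrix-ica", 2598: "citrix-cgp", 445: "cifs", 443: "https"}


def classify(key):
    """Map a flow key to an application name; no visible port means 'unidentified'."""
    dport = key[4]
    if dport is None:
        return "unidentified"
    return APP_BY_PORT.get(dport, "other")


def demo():
    """Classify the same Citrix ICA segment with and without AH in front of it."""
    tcp = build_tcp(40000, 1494)
    plain = build_ipv4(IPPROTO_TCP, tcp)
    with_ah = build_ipv4(IPPROTO_AH, build_ah(IPPROTO_TCP, tcp))
    return {
        "plain": classify(flow_key(plain)),
        "ah_naive": classify(flow_key(with_ah)),
        "ah_walked": classify(flow_key(with_ah, walk_ah=True)),
    }


if __name__ == "__main__":
    for name, app in demo().items():
        print(f"{name:10s} -> {app}")
```

The `ah_naive` result is what the reader saw: the flow is exported with protocol 51 and no ports, and the collector has nothing to match against its application table. Exporting from a router that sees the traffic before AH is applied, as the post advises, gives the `plain` result; a collector or probe that walks the AH header gives the `ah_walked` result from the same bytes.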
