[Flow-tools] Encrypt netflow exports using IPSec?
Joe Loiacono
jloiacon at csc.com
Wed Jun 4 08:49:19 EDT 2008
Haven't done IPSec from a Cisco device before, so I can't really help. But
if it's a 6500, I know the netflow gets exported from the MSFC and the
Supervisor separately, and maybe you don't have both encrypted.
I hope you can get it going, but if not, you could connect a (cheap) host
locally and have it relay the packets via IPSec. Actually, what I've had
to do is run periodic 'scp' copies from a local collector back to my main
collector when this level of security was required.
Joe
"Johannes Herlitz" <Johannes.Herlitz at satlynx.com>
Sent by: flow-tools-bounces at list.splintered.net
06/04/2008 08:03 AM
To: <flow-tools at list.splintered.net>
cc:
Subject: [Flow-tools] Encrypt netflow exports using IPSec?
Hello,
This is not a problem directly related to flow-tools itself, but to
Netflow exports from a Cisco router.
How can I encrypt the exported UDP datagrams using IPSec?
The idea is simple: configure an IPSec tunnel between the Cisco router and
the Linux box that runs ‘flow-capture’. I successfully established this
tunnel. Just for testing, I configured a Syslog server (“logging
10.222.1.67”). The syslog UDP datagrams are encrypted correctly. ICMP
echoes and echo-replies from the router to the Netflow server, or vice versa,
are also encrypted.
However, the Cisco router does not encrypt the Netflow datagrams. This
clearly is a Cisco IOS bug for me.
Does one of you have a solution for how to encrypt the exported Netflow data?
Below is the Cisco configuration.
---
! IKE phase 1 policy: 3DES, MD5 hash, pre-shared key, DH group 2, 8-hour lifetime
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
! pre-shared key for the Linux collector peer
crypto isakmp key linux address 10.222.1.67
! IPsec transform set: ESP with 3DES encryption and HMAC-MD5 integrity (both legacy algorithms today)
crypto ipsec transform-set linux esp-3des esp-md5-hmac
! crypto map: only traffic selected by ACL EncryptMe is sent through the tunnel
crypto map linux 10 ipsec-isakmp
 set peer 10.222.1.67
 set security-association lifetime seconds 28800
 set transform-set linux
 set pfs group2
 match address EncryptMe
! traffic selector: host 10.222.1.40 to the collector only
ip access-list extended EncryptMe
 permit ip host 10.222.1.40 host 10.222.1.67
! interface address is 10.222.1.30; NetFlow collection and the crypto map are applied here
interface FastEthernet0
 ip address 10.222.1.30 255.255.252.0
 ip flow ingress
 crypto map linux
! NetFlow v5 export to the collector on UDP 9003
ip flow-export version 5
ip flow-export destination 10.222.1.67 9003
---
I’ve found out that the Cisco router correctly encrypts the exported data when using
SCTP instead of UDP as the transport protocol. However, flow-capture does
not support SCTP yet. Is there a way to make flow-capture accept SCTP,
maybe with a wrapper around it?
Cheers,
Johannes
_______________________________________________
Flow-tools mailing list
flow-tools at splintered.net
http://mailman.splintered.net/mailman/listinfo/flow-tools
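One way to check what actually reaches the collector on the wire, as an added example that is not part of the original thread or of flow-tools: a small Python checker that classifies captured IPv4 packets as ESP (protected by IPsec), cleartext NetFlow exports to the collector's UDP port, or other traffic, and for each cleartext export tests whether its source and destination fall inside the crypto ACL from the posted config (host 10.222.1.40 to host 10.222.1.67), since a crypto map only protects traffic that its match ACL selects. The collector address, the export port and the ACL are taken from the post; the sample packets, the `read_pcap` helper and all function names are constructed for this example.

```python
import struct
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Values from the posted router configuration.
COLLECTOR = ip_address("10.222.1.67")
NETFLOW_PORT = 9003
# Crypto ACL "EncryptMe": permit ip host 10.222.1.40 host 10.222.1.67
CRYPTO_ACL = [(ip_network("10.222.1.40/32"), ip_network("10.222.1.67/32"))]

IPPROTO_UDP, IPPROTO_ESP = 17, 50


def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left zero; constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip_address(src).packed, ip_address(dst).packed)


def udp_packet(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def esp_packet(src, dst, spi, seq, ciphertext):
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def classify(pkt):
    """Classify one raw IPv4 packet.

    'esp'                           -> ESP: payload is protected by IPsec
    'cleartext-netflow-in-acl'      -> unencrypted export whose addresses the crypto ACL selects
    'cleartext-netflow-outside-acl' -> unencrypted export the crypto ACL never selects
    'other'                         -> anything else
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = ip_address(pkt[12:16]), ip_address(pkt[16:20])
    if proto == IPPROTO_ESP:
        return "esp"
    if proto == IPPROTO_UDP and len(pkt) >= ihl + 8:
        _sport, dport = struct.unpack_from("!HH", pkt, ihl)
        if dst == COLLECTOR and dport == NETFLOW_PORT:
            selected = any(src in s and dst in d for s, d in CRYPTO_ACL)
            return "cleartext-netflow-in-acl" if selected else "cleartext-netflow-outside-acl"
    return "other"


def summarize(packets):
    """Count packets per class; returns a plain dict."""
    return dict(Counter(classify(p) for p in packets))


def read_pcap(path):
    """Yield raw IPv4 packets from a classic pcap file (Ethernet, DLT_RAW or DLT_IPV4 link types)."""
    with open(path, "rb") as f:
        data = f.read()
    end = "<" if struct.unpack_from("<I", data, 0)[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from(end + "IIII", data, off)[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if linktype == 1:                       # DLT_EN10MB: strip Ethernet, keep IPv4 only
            if len(frame) >= 14 and frame[12:14] == b"\x08\x00":
                yield frame[14:]
        elif linktype in (101, 228):            # DLT_RAW / DLT_IPV4: frame is the IP packet
            yield frame


# Constructed sample traffic (not a real capture): a NetFlow v5 header with zero records.
NETFLOW_V5_HDR = struct.pack("!HHIIIIBBH", 5, 0, 0, 0, 0, 0, 0, 0, 0)
SAMPLE_PACKETS = [
    # export sourced from the router's interface address, which the crypto ACL does not list
    udp_packet("10.222.1.30", "10.222.1.67", 51234, NETFLOW_PORT, NETFLOW_V5_HDR),
    # export sourced from the ACL's host address, yet still unencrypted
    udp_packet("10.222.1.40", "10.222.1.67", 51234, NETFLOW_PORT, NETFLOW_V5_HDR),
    # ESP between the IPsec peers: contents are protected whatever they carry
    esp_packet("10.222.1.30", "10.222.1.67", 0x1001, 7, b"\x00" * 40),
    # unrelated DNS query
    udp_packet("10.222.1.30", "10.222.1.1", 40000, 53, b"\x00" * 12),
]

if __name__ == "__main__":
    pkts = list(read_pcap(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PACKETS
    for cls, n in sorted(summarize(pkts).items()):
        print(f"{cls:32} {n}")
```

Run it against a tcpdump capture taken on the collector's interface (`python checker.py capture.pcap`); with no argument it summarizes the built-in sample. Exports counted as cleartext-netflow-outside-acl were never candidates for the crypto map because their addresses are not in the selector ACL, while cleartext-netflow-in-acl packets match the ACL and should have been protected, so those point at the map or its placement rather than the selector.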