Installed NNA, several questions on functionality
lucas.shelton
- Posts: 48
- Joined: Fri Apr 24, 2015 3:21 pm
Installed NNA, several questions on functionality
We've installed NNA and want to set it up effectively, and I have some questions on functionality as well as what others are alerting on, reporting, etc.
My first question is how things are correlated? For instance, if I have an edge/internet router that is sending netflow data as well as a QOS device that is sending netflow data, how many flows will the NNA see this as? Internet traffic will go through both devices so they both see everything. Will this show up as two flows, or is NNA smart enough to report this as one flow/session?
Also does anybody know how much of a performance hit network devices take when we enable netflow? I would assume our access switches wouldn't be too much of an issue, but we have several data center and core switches that have a much larger traffic load on them. Would enabling netflow degrade performance much?
My final and most important question is setting up alerting. We are a large educational institution and want to secure our network from attacks, worms, bots, etc. We recently had a user that had a virus on their machine and that virus was essentially creating thousands of sessions per second which in turn periodically took our internet down. Not having a netflow collector made it pretty difficult to find the offender. How are others using NNA? What is a good base alerting config you would recommend? The alerting function seems to leave a lot to be desired honestly, can you set up an alert based off of a query you build? We aren't security experts by any means so any help on what to alert on would be appreciated.
I guess what I'm looking for are some real world examples of how to best utilize this tool to reduce the pain from the type of situation we've had in the past.
Re: Installed NNA, several questions on functionality
Nagios customer support will still have to provide official answers, but here are mine, as a 3rd party Nagios consulting company:
Every device needs its own data source in NNA, so if you have a router and a QoS device, you will have double data on the overlapped portion. NNA is not smart enough to report this as one flow.
Performance hits depend on your devices. Think packets per second and figure out how many extra packets per second of NetFlow data you're sending (basically, double your normal network pps rate) and your device should provide pps rates to get an idea if you are going to DoS yourself. Any commercial network device should easily be able to deal with this extra data without problem. You are using additional bandwidth, but if it's local to your network, it is not likely to be much overall use, especially if it's VLANed or switched.
Alerting can be done in many ways, including standalone and through a Nagios monitoring host. In fact, my talk at last week's Nagios World Conference was on (partially) exactly this subject. If you're looking for what to alert on, you can go with traffic count (above/below thresholds), port source/destination count, source/destination IP, and other things. Once you've built a query to find your data, it's straightforward to set up an alert to notify people.
PM me if you wish to discuss outsourcing these tasks to my company, but basically everything you think you want to do is possible.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
I'm a Nagios Fanatic! • Join our public Nagios Discord Server!
jdalrymple
- Skynet Drone
- Posts: 2620
- Joined: Wed Feb 11, 2015 1:56 pm
Re: Installed NNA, several questions on functionality
I'm a support guy, not a developer, so I don't know how it works, but this:
eloyd wrote: Every device needs its own data source in NNA, so if you have a router and a QoS device, you will have double data on the overlapped portion. NNA is not smart enough to report this as one flow.
Is what I would expect, but it's not the behavior I've seen in testing. Somehow NNA "deduplicates" those flows internally and only reports the data once. Again, not being a developer I don't know what's going on in the code to make that happen, but I have done extensive testing where data goes through 2 or more netflow sources, but the flow size, duration, etc. is only recorded once.
lucas.shelton wrote: Also does anybody know how much of a performance hit network devices take when we enable netflow? I would assume our access switches wouldn't be too much of an issue, but we have several data center and core switches that have a much larger traffic load on them. Would enabling netflow degrade performance much?
A question better left answered by your vendors, but I suspect it's negligible. Even if it isn't, the performance impact will be at the control plane, not the data plane. Like I said - best answered by the individual source's manufacturer.
lucas.shelton wrote: How are others using NNA? What is a good base alerting config you would recommend? The alerting function seems to leave a lot to be desired honestly, can you set up an alert based off of a query you build?
This honestly may be best answered by our customers. We just make the product, we're not the "expert users", but I'll try. You can create alerts within NNA based upon quite a number of queryable metrics: number of bytes, number of flows, number of packets or rate, and you can filter based upon port, host or whole networks. You can also select specific ports.
I highly suggest grabbing the free trial and seeing if it will work for you. If it will, that's great. If it won't, tell us what's wrong and we'll try our best to make the next version suit yours and everyone else's needs better.
lucas.shelton
- Posts: 48
- Joined: Fri Apr 24, 2015 3:21 pm
Re: Installed NNA, several questions on functionality
Thanks for the responses!! Can you alert on a query you've built? The alerting doesn't seem to do exactly what I want it to do. I want it to monitor sessions and alert if any single user exceeds X amount of sessions. All the other alerting seems pretty straight forward, just wanting a little more customization.
BTW, we've purchased NNA, have it installed and monitoring sources, just needing advice on what to alert on. I really don't want to have to go in and run reports or queries several times a day to prevent an incident like what happened before.
Re: Installed NNA, several questions on functionality
You can alert on any query you can build. So if you can query per user stats, you can alert on it.
And thanks for correcting me about the data sources @jd.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
I'm a Nagios Fanatic! • Join our public Nagios Discord Server!
lucas.shelton
- Posts: 48
- Joined: Fri Apr 24, 2015 3:21 pm
Re: Installed NNA, several questions on functionality
I couldn't figure out how. When I click on Alerting->New Checks, I don't see the option to alert on a query I've built. Am I missing something?
Re: Installed NNA, several questions on functionality
Hm. I stand corrected. Honestly, I've never looked that closely. 
Let's see if we can convince Nagios developers to add that option, similar to how NLS queries can be alerts.
In the meantime, once you run a query, you have the option of copying a URL that you could use to screenscrape numbers from the result set to do alerts from Nagios Core or Nagios XI. Not fun, but straightforward with the check_http plugin.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
I'm a Nagios Fanatic! • Join our public Nagios Discord Server!
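As an added example (not from this thread, and not NNA or Nagios code), here is the kind of standalone check the workaround above points toward: a Nagios-plugin-style script that collapses flows reported by two exporters (the router/QoS overlap from the first question) and then flags any host whose flow rate exceeds a threshold, the "thousands of sessions per second" scenario from the original post. The flow record format, field order and sample values are all constructed for this example.

```python
#!/usr/bin/env python3
"""Nagios-style check: flag hosts opening too many flows per second.
Constructed example. Input records (hypothetical export format):
exporter,start_epoch,src,dst,sport,dport,proto"""
import sys
from collections import defaultdict

# Constructed sample: one flow reported by both the "edge" and "qos"
# exporters, plus a noisy host 10.1.2.3 opening 1000 flows/s for 2.5 s.
SAMPLE_RECORDS = [
    "edge,1000.0,10.1.1.5,93.184.216.34,51000,443,tcp",
    "qos,1000.0,10.1.1.5,93.184.216.34,51000,443,tcp",
] + [
    f"edge,{1000 + i / 1000:.3f},10.1.2.3,198.51.100.{i % 250 + 1},{40000 + i},80,tcp"
    for i in range(2500)
]

def parse_flow(line):
    exporter, start, src, dst, sport, dport, proto = line.strip().split(",")
    return {"exporter": exporter, "start": float(start), "src": src,
            "dst": dst, "sport": int(sport), "dport": int(dport), "proto": proto}

def dedupe(flows):
    """Keep one record per 5-tuple + start time, whichever exporter saw it."""
    seen = {}
    for f in flows:
        key = (f["src"], f["dst"], f["sport"], f["dport"], f["proto"], f["start"])
        seen.setdefault(key, f)
    return list(seen.values())

def flows_per_second(flows):
    """Peak flows/second per source host, using one-second buckets."""
    buckets = defaultdict(int)
    for f in flows:
        buckets[(f["src"], int(f["start"]))] += 1
    peak = defaultdict(int)
    for (src, _sec), n in buckets.items():
        peak[src] = max(peak[src], n)
    return dict(peak)

def check(records, warn=500, crit=1000):
    """Return (exit_code, message) following Nagios plugin conventions."""
    peak = flows_per_second(dedupe(parse_flow(l) for l in records))
    src, rate = max(peak.items(), key=lambda kv: kv[1], default=(None, 0))
    if rate >= crit:
        return 2, f"CRITICAL - {src} opened {rate} flows/s"
    if rate >= warn:
        return 1, f"WARNING - {src} opened {rate} flows/s"
    return 0, f"OK - peak {rate} flows/s"

if __name__ == "__main__":  # usage: check_flow_rate.py [records.csv]
    recs = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_RECORDS
    code, msg = check(recs)
    print(msg)
    sys.exit(code)
```

Wired into Nagios Core or XI as a command, the exit code drives the service state and the message becomes the notification text.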
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
Re: Installed NNA, several questions on functionality
lucas.shelton wrote: I couldn't figure out how. When I click on Alerting->New Checks, I don't see the option to alert on a query I've built. Am I missing something?
Adding it as a feature request, great idea, and we should be able to get that in. For reference INTERNAL TASK ID 6561
Re: Installed NNA, several questions on functionality
And poof, we have a feature request! 
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
I'm a Nagios Fanatic! • Join our public Nagios Discord Server!