Correct Answer: A
Explanation/Reference:
Section: Design Methodologies
Explanation:
NetFlow is a Cisco IOS feature that can collect timestamps of traffic flowing between a particular source and destination for the purpose of reviewing in an audit. NetFlow can be used to gather flow-based statistics, such as packet counts, byte counts, and protocol distribution. A device configured with NetFlow examines packets for select Layer 3 and Layer 4 attributes that uniquely identify each traffic flow. The data gathered by NetFlow is typically exported to management software. You can then analyze the data to facilitate network planning, customer billing, and traffic engineering. A traffic flow is defined as a series of packets with the same source IP address, destination IP address, protocol, and Layer 4 information.
Although NetFlow does not use Layer 2 information, such as a source Media Access Control (MAC) address, to identify a traffic flow, the input interface on a switch will be considered when identifying a traffic flow. Each NetFlow-enabled device gathers statistics independently of any other device; NetFlow does not have to run on every router in a network in order to produce valuable data for an audit. In addition, NetFlow is transparent to the existing network infrastructure and does not require any configuration changes in order to function.
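A simplified model of the flow identification described above, as an added example that is not Cisco's implementation or part of the original explanation: packets are keyed on input interface, source and destination IP address, protocol, and Layer 4 ports, while the source MAC address is ignored. The packet records, field names, and function names are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample packets (not real capture data).
Packet = namedtuple("Packet", "ts in_if src_mac src_ip dst_ip proto sport dport length")

SAMPLE_PACKETS = [
    Packet(100.0, "Gi0/1", "aa:aa:aa:00:00:01", "10.0.0.5", "192.0.2.10", 6, 51000, 443, 600),
    # Same tuple and interface, different source MAC: still the same flow.
    Packet(100.5, "Gi0/1", "aa:aa:aa:00:00:02", "10.0.0.5", "192.0.2.10", 6, 51000, 443, 400),
    # Same tuple, different input interface: counted as a separate flow.
    Packet(101.0, "Gi0/2", "aa:aa:aa:00:00:01", "10.0.0.5", "192.0.2.10", 6, 51000, 443, 200),
    Packet(102.0, "Gi0/1", "aa:aa:aa:00:00:01", "10.0.0.5", "192.0.2.53", 17, 40000, 53, 80),
]

def flow_key(pkt):
    """Layer 3/4 attributes plus input interface; Layer 2 (MAC) is excluded."""
    return (pkt.in_if, pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.sport, pkt.dport)

def aggregate(packets):
    """Build a flow cache: per-flow packet count, byte count, first/last timestamps."""
    cache = {}
    for pkt in packets:
        entry = cache.setdefault(
            flow_key(pkt),
            {"packets": 0, "bytes": 0, "first": pkt.ts, "last": pkt.ts},
        )
        entry["packets"] += 1
        entry["bytes"] += pkt.length
        entry["first"] = min(entry["first"], pkt.ts)
        entry["last"] = max(entry["last"], pkt.ts)
    return cache

def protocol_distribution(cache):
    """Total bytes per IP protocol number (6 = TCP, 17 = UDP) across all flows."""
    dist = {}
    for key, stats in cache.items():
        proto = key[3]
        dist[proto] = dist.get(proto, 0) + stats["bytes"]
    return dist

if __name__ == "__main__":
    flows = aggregate(SAMPLE_PACKETS)
    for key, stats in flows.items():
        print(key, stats)
    print("bytes by protocol:", protocol_distribution(flows))
```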
Simple Network Management Protocol (SNMP) is used to monitor and manage network devices by collecting data about those devices. The data is stored on each managed device in a data structure known as a Management Information Base (MIB). Three versions of SNMP currently exist: SNMPv1, SNMPv2, and SNMPv3. SNMPv1 and SNMPv2 do not provide authentication, encryption, or message integrity. Thus, access to management information is based on a simple password known as a community string; the password is sent as plain text with each SNMP message. If an attacker intercepts a message, the attacker can view the password information. SNMPv3 improves upon SNMPv1 and SNMPv2 by providing encryption, authentication, and message integrity to ensure that the messages are not viewed or tampered with during transmission.
Remote Monitoring (RMON) and RMON2 are protocols that extend the standard MIB data structure and enable a managed device to store statistical data locally. Because an RMON-capable device can store its own statistical data, the number of queries by a management station is reduced. RMON agents use SNMP to communicate with management stations. Therefore, RMON does not need to implement authentication, encryption, or message integrity methods.
Cisco Security Monitoring, Analysis, and Response System (CS-MARS) is a security appliance that serves as the focal point for security events on a network. CS-MARS can discover the topology of the network and the configurations of key network devices, such as Cisco security devices, third-party network devices, and applications. Because CS-MARS has a more comprehensive view of the network than individual network security devices have, CS-MARS can identify false positives and facilitate the mitigation of some types of security issues. For example, once CS-MARS has identified a new Intrusion Prevention System (IPS) signature, it can distribute this signature to all of the relevant IPS devices on the network.
Reference:
Cisco: Cisco IOS Switching Services Configuration Guide, Release 12.2: NetFlow Overview