Noction Flow Analyzer - Initial Setup in Home Lab

The goal of this guide is to create a minimalistic and virtualized laboratory infrastructure in a home environment so that everyone can become familiar with all the features that the Noction Flow Analyzer (NFA) provides before actually deploying the NFA in the enterprise network.

Our home network consists of two key components: nProbe Pro and NFA. The role of nProbe is to create and export flows to NFA, which acts as the flow collector and analyzer.

Simply put, nProbe is an input device that generates metadata from network traffic, while NFA is a processor and output device in one that evaluates and displays that metadata.

Both nodes run as x86 virtual machines on Oracle VirtualBox. We chose VirtualBox because, in our opinion, it is the most commonly used hypervisor in the home environment, freely available for Windows and Linux, and user-friendly.

The network scheme is shown in Figure 1. Each device has two gigabit Ethernet network cards. One of the interfaces interconnects the virtual machines and is used to transfer the flows exported by nProbe to NFA. Namely, those are the interfaces eth1 (nProbe) and enp0s3 (NFA), configured as VirtualBox Internal Network adapters. The second network card, the eth0 (nProbe) and enp0s8 (NFA) interfaces, is bridged to the network from which the flows are exported.

Figure 1 – Home Network with NFA and nProbe

The eth0 interface (nProbe) is set to promiscuous mode so that VirtualBox can mirror all network traffic from the monitored network 192.168.88.0/24 to nProbe (Figure 2). In a real-world scenario, we would probably use a dedicated TAP device instead, or configure a SPAN port on the network device.

Figure 2 - Interface Eth0 Set to Promisc Mode and Bridged to Monitored Network

1. Home Network Infrastructure Description

1.1 Flow Exporter - nProbe Pro

nProbe is a software NetFlow v5/v9/IPFIX probe able to collect, analyze and export network traffic reports in the standard Cisco NetFlow v5/v9/IPFIX formats. nProbe supports a variety of plugins that extend it with additional capabilities.

Each plugin dissects a specific network traffic/protocol, e.g. DHCP, HTTP, DNS, FTP, GTPV, IMAP, SQL, NETBIOS, POP, RADIUS, RTP, SIP, SMTP, SSDP. For instance, you can collect HTTP URLs, response codes or methods, etc.

Note: Multiple plugins can be loaded at the same time when nProbe starts, but each plugin must be licensed. nProbe itself must also be licensed; otherwise the number of exported flows is limited.

The success of security incident investigations very often depends on the ability of flow exporters to collect these additional network traffic parameters and on the ability of flow analyzers to understand these parameters.

If you do not have a valid nProbe license, you can configure an existing network device (router, switch or firewall) to act as a flow exporter if it is capable of generating and exporting flows. For example, MikroTik devices are very common hardware that you can use for this purpose. Personally, I use nProbe because I do not want to be limited by the capabilities of flow exporters, and nProbe Pro is the de facto standard among flow exporters.

1.1.1 nProbe System Requirements

According to the hardware sizing for a small network with traffic below 100 MBps, two CPU cores and 2GB RAM would be sufficient for a VM with nProbe installed. However, to save hardware resources, we will use the following VM settings:

  • 1 x CPU Core
  • 1024 MB RAM
  • HDD SATA 10GB
  • 2 x NIC - Intel PRO/1000MT Desktop

Software:

  • Debian GNU/Linux 10 (buster) kernel 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2 (2019-08-28) x86_64 GNU/Linux
  • nProbe v.9.1.201023 (r6969)
  • pfring 7.9.0-3252

1.2 Noction Flow Analyzer

Noction Flow Analyzer (NFA) is a flow collector and analyzer developed by Noction. The collector processes the most common flow types: NetFlow (v5 and v9), IPFIX, sFlow, NetStream (Huawei) and J-Flow (Juniper).

NFA uses two databases: MySQL and ClickHouse. MySQL holds configuration, dashboard, device and user information; an SQL query editor can be used to extract data from the MySQL database.

ClickHouse is a column-oriented database management system (DBMS) for online analytical processing (OLAP) of queries. It is extremely fast and is used for real-time queries.

1.2.1 NFA System Requirements

Below are the recommended system requirements provided by Noction:

Hardware Requirements:

  • x86_64 architecture
  • minimum 4x core CPU (8x core CPU recommended), SSE4.2 support
  • minimum 32GB of RAM (64GB RAM recommended; 128GB RAM – optimal)
  • minimum 250GB SSD storage (500GB SSD storage recommended)

Software Requirements:

  • Ubuntu 20.04 LTS
  • NFA 21.10.0 RELEASE build6287 30-day trial version

Again, we ignore the recommended minimum system requirements to save computer resources. The network traffic generated on our home network is relatively low, so the number of exported flows will also be low. Therefore, we install NFA on the server edition of Ubuntu 20.04.3 LTS with the following hardware parameters for the VM:

NFA Hardware Settings for Home Use:

  • 6144 MB RAM
  • HDD SATA 100GB
  • 2 x NIC - Intel PRO/1000MT Desktop

2. Getting 30-day Free Trial NFA License

Noction offers a 30-day free trial of NFA (Figure 3). To obtain it, we need to register an account on Noction's website. However, Noction requires a company email address for verification; otherwise it will not allow an account to be registered. As a workaround, we will use a temporary email generator and use the generated email address for account verification.

Figure 3 - Noction 30-day Free Trial Version for Download

The DEMO option on Noction's website is a one-on-one presentation of the software that can be scheduled with their sales and network engineers: Noction representatives go over NFA functionality in an online meeting, while potential users can ask any additional questions.

2.1 Generate Temporary E-mail Address

Go to a temporary email generator. Enter your name and choose an email suffix from the list. Do not close the window; once Noction sends the verification email, it will be displayed on that page.

2.2 Creating Noction Account and Verification

Go to the Noction NFA website and click the "START FREE TRIAL" button. Fill in all the required information, including the temporary email address you generated. After you register your Noction account, you will receive a verification email with a link from billing.alerts@noction.com at your temporary email address. Click the link in the email to verify your Noction account and complete the registration process.

2.3 Add NFA 30-day Free License to your Noction Account

Navigate to the Home page in your Noction account and click the link "Place an order to get started" (Figure 4).

Figure 4 - Ordering NFA Free 30-days License Key

Now click the Get license button (Figure 5).

Figure 5 - Getting License Key

Select No Payment Required and click the Checkout button. After a while, you will receive a second email in your temporary inbox containing the NFA License Activation Key along with NFA installation and configuration instructions.

3. NFA Installation

As a first step, we install Ubuntu 20.04.3 LTS Server in a VirtualBox virtual machine, since Ubuntu is the platform Noction supports for NFA. We will not go into the installation of Ubuntu; if needed, please refer to the official Ubuntu installation guide.

After the Ubuntu installation, download and install the NFA repository package:

$ curl -sLO http://repo-nfa.noction.com/ubuntu/nfa-repo_0.1.0-noc.deb

$ sudo dpkg -i nfa-repo_0.1.0-noc.deb

Now we can download and import the Noction public key. Note that both the repository package and this key are fetched over plain HTTP, so the transport itself gives no guarantee of their integrity.

$ curl -L http://repo-nfa.noction.com/repo.gpg | sudo apt-key add -

Next, add the ubuntu-toolchain-r/test PPA. Be aware that this is a third-party PPA whose packages are not supported by Ubuntu:

$ sudo add-apt-repository -y ppa:ubuntu-toolchain-r/test

It is recommended to upgrade the operating system before installing NFA.

$ sudo apt update && sudo apt upgrade

And finally, install NFA from the Noction repository:

$ sudo apt install nfa

During installation, we will be asked to enter a password for the default user of the ClickHouse server. As mentioned before, ClickHouse is the database that allows analysis of data updated in real time.

We will also be asked about Postfix configuration. Just select the option "No configuration".

4. NFA License Activation

Open your favorite web browser, enter the URL https://IP_NFA/ and log in with the default username and password: admin / admin. Change this default password right after the first login.

After login, NFA complains that a valid license was not found. Click the "LICENSE PAGE" button and enter the activation key, copied from the second email you received from Noction. If needed, you can also enter the license key in the Management -> License section.

I noticed that every time the public IP address changes, the activation key also changes. This causes our NFA installation to become unlicensed after some time. As a workaround, copy the new key to the NFA installation via the browser.

Note: You can find the new activation key in your Noction account (Licenses -> My Licenses, then click NFA - Free Trial License), see Figure 6.

Figure 6 - Checking Activation Key

5. nProbe Configuration

Assume that nProbe Pro is successfully installed and licensed, and that the pfring module is loaded into the Linux kernel to increase packet capture speed.

nProbe can be used in three modes, namely:

  • Probe - packets are captured on the NIC and flows are sent to the flow collector
  • Collector - flow collection only, no probing
  • Proxy - receive flows via NetFlow and emit them (optionally combined with captured traffic) to a remote collector

To run nProbe in probe mode, capturing packets on the eth0 interface and exporting flows to NFA, enter the following command:

$ sudo nprobe -i eth0 -n 192.168.88.100:2055

In this case the default template is used, no plugins are loaded, and the following traffic parameters are exported:

%IPV4_SRC_ADDR %IPV4_DST_ADDR %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS
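The collector side of this export, as an added example that is not part of the original guide nor code from nProbe or NFA: a small Python decoder for a NetFlow v5 datagram (assuming nProbe's default NetFlow v5 export) that maps each record onto the template names listed above, rejects packets whose version or length does not match the header, and then aggregates the decoded records into the kind of top-conversations view NFA's dashboard presents. The datagram, the flow values and all function names are constructed for this example.

```python
"""Decode a NetFlow v5 export datagram into the field names of nProbe's default
template and aggregate "top conversations" from the decoded records.

Added example: the datagram below is constructed in this script, not captured
from nProbe or NFA, and the helper names are this example's own.
"""
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire layout: 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Record positions mapped onto the template names nProbe exports by default;
# v5 also carries next hop and masks, which the default template omits.
RECORD_FIELDS = (
    "IPV4_SRC_ADDR", "IPV4_DST_ADDR", "IPV4_NEXT_HOP", "INPUT_SNMP", "OUTPUT_SNMP",
    "IN_PKTS", "IN_BYTES", "FIRST_SWITCHED", "LAST_SWITCHED",
    "L4_SRC_PORT", "L4_DST_PORT", "_pad1", "TCP_FLAGS", "PROTOCOL", "SRC_TOS",
    "SRC_AS", "DST_AS", "SRC_MASK", "DST_MASK", "_pad2",
)


def parse_netflow_v5(datagram):
    """Return (header, records). Rejects non-v5 packets and truncated bodies
    so a collector never reads past the buffer on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version field = %d)" % version)
    # v5 allows at most 30 records per datagram; also check the body is really there
    if count > 30 or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header advertises %d records, body too short" % count)
    header = {
        "SYS_UPTIME_MS": uptime, "UNIX_SECS": secs, "FLOW_SEQUENCE": seq,
        "ENGINE_TYPE": etype, "ENGINE_ID": eid,
        # low 14 bits hold the sampling interval (0 or 1 = every packet seen)
        "SAMPLING_INTERVAL": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        values = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = {k: v for k, v in zip(RECORD_FIELDS, values) if not k.startswith("_")}
        for key in ("IPV4_SRC_ADDR", "IPV4_DST_ADDR", "IPV4_NEXT_HOP"):
            rec[key] = str(ipaddress.IPv4Address(rec[key]))
        records.append(rec)
    return header, records


def build_v5_packet(flows, uptime_ms=600_000, unix_secs=1_700_000_000, seq=0):
    """Encode constructed flows as a v5 datagram (input for the decoder above)."""
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            ipaddress.IPv4Address(f["src"]).packed,
            ipaddress.IPv4Address(f["dst"]).packed,
            b"\x00\x00\x00\x00",           # next hop unknown
            1, 2,                          # INPUT_SNMP / OUTPUT_SNMP
            f["pkts"], f["bytes"], f["first"], f["last"],
            f["sport"], f["dport"], 0, f.get("flags", 0), f["proto"], 0,
            0, 0, 24, 24, 0,               # AS numbers, masks, padding
        )
        for f in flows
    )
    return header + body


def top_conversations(records, n=5):
    """Bytes per host pair regardless of direction, largest first (the kind of
    'Top conversations' view NFA's default dashboard shows)."""
    totals = defaultdict(int)
    for r in records:
        pair = tuple(sorted((r["IPV4_SRC_ADDR"], r["IPV4_DST_ADDR"])))
        totals[pair] += r["IN_BYTES"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed flows on the guide's monitored 192.168.88.0/24 network.
SAMPLE_FLOWS = [
    {"src": "192.168.88.10", "dst": "93.184.216.34", "sport": 52000, "dport": 443,
     "proto": 6, "flags": 0x18, "pkts": 10, "bytes": 1500, "first": 1000, "last": 2500},
    {"src": "93.184.216.34", "dst": "192.168.88.10", "sport": 443, "dport": 52000,
     "proto": 6, "flags": 0x18, "pkts": 20, "bytes": 24000, "first": 1000, "last": 2500},
    {"src": "192.168.88.10", "dst": "192.168.88.1", "sport": 40000, "dport": 53,
     "proto": 17, "pkts": 1, "bytes": 70, "first": 900, "last": 900},
    {"src": "192.168.88.20", "dst": "192.168.88.1", "sport": 40001, "dport": 53,
     "proto": 17, "pkts": 2, "bytes": 140, "first": 950, "last": 960},
]

if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(build_v5_packet(SAMPLE_FLOWS))
    print("seq=%d records=%d" % (hdr["FLOW_SEQUENCE"], len(recs)))
    for r in recs:
        print("%s:%d -> %s:%d proto=%d bytes=%d" % (r["IPV4_SRC_ADDR"], r["L4_SRC_PORT"],
              r["IPV4_DST_ADDR"], r["L4_DST_PORT"], r["PROTOCOL"], r["IN_BYTES"]))
    for pair, total in top_conversations(recs):
        print("%s <-> %s  %d bytes" % (pair[0], pair[1], total))
```

The length and version checks are the part worth copying: a collector listening on UDP/2055 receives whatever reaches the port, so the record count in the header must be checked against the bytes actually received before any record is unpacked.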

After several minutes, without any prior configuration, NFA shows the NetFlow statistics on the default dashboard (Figure 7):

Figure 7 - Default Dashboard with the First Six of 15 Widgets

To check NetFlow statistics in more detail, navigate to Data Navigation → Data Explorer. Here you choose the data period and run queries based on a combination of filters to narrow or broaden the view to the desired aspect of network traffic (Figure 8).

Figure 8 - NFA Data Explorer

Conclusion

Noction NFA runs amazingly fast even on my undersized hardware with five times less RAM and four times fewer CPU cores than the recommended minimums.

Zero-touch provisioning ensures that NFA works as soon as flows are received, so no additional configuration is required.

Noction can analyze and display up to 55 NetFlow parameters, including BGP, MPLS and Layer 2 metadata such as VLANs, L2 addresses and many more, and this number will be expanded in the future.

The optional BGP Data add-on to NFA allows extraction of BGP attributes such as AS_PATH from the BGP tables of your edge routers. This feature is unique; I am not aware of it being offered by other commercial flow analyzers.

The default dashboard contains 15 widgets and gives a great overview of global statistics such as total traffic throughput, top throughput by protocol, top conversations, top source/destination IPv4 and IPv6 addresses, countries, etc. The dashboard can be extended with custom widgets defined from user-defined filters. In addition, users can create their own dashboards and switch between them.

Last but not least, Noction offers a 30-day free trial of NFA, so you have plenty of time to test all the features and see if this product meets all your requirements.
