# Security Considerations

## Overview <a href="#overview" id="overview"></a>

NetoFlow has API access to Vectra Fusion to upload NetFlow and sFlow records. A threat actor that gains access to the system you deploy NetoFlow on in your environment could read these credentials, modify the NetoFlow code, or access these APIs directly. Therefore, it is important to implement the security concept of least privilege to reduce the risk of unauthorized access to this system.

## Best Practices <a href="#best-practices" id="best-practices"></a>

Here are recommended best practices to use in deploying NetoFlow in production environments:

* Use the NetoFlow container for deployment. It is built on the Google distroless container image, which significantly reduces the attack surface compared to a default Linux distribution.
* If you choose to deploy NetoFlow as a software package, deploy it on a dedicated system that adheres to your organization's security policies, is kept updated and hardened, and has every external service that is not strictly required disabled (e.g., no open ports or services other than SSH and the UDP port NetoFlow listens on). Limit network access to the system to authorized administrators only, and follow general security best practices for operating a limited-use system of this type.
* Ensure that only legitimate network devices can deliver NetFlow and sFlow protocol UDP packets to the NetoFlow system.
* Disable the NetoFlow API or restrict access to its listening port to prevent others from reading statistics (see [Reading statistics from NetoFlow API](/netoflow-connector/reading-statistics.md)).
* Create an API key configured with the `neto_flow` role in Fusion.
* Store API credentials in an external vault or secrets management system and pass them in at runtime rather than storing them locally. Choose the most secure credential storage approach for your environment.
* Regularly expire and rotate the API keys in use.

## Understanding the data <a href="#understanding-the-data" id="understanding-the-data"></a>

All flow data and user metadata in the Vectra cloud are stored encrypted at rest. The NetoFlow Connector sends the flow records it collects from your local network devices to the Vectra Fusion SaaS. These flow records contain network metadata but not packet payloads. The metadata includes the NetFlow 5-tuple (source IP, destination IP, source port, destination port, protocol). NetoFlow also parses the associated network interfaces and statistical information out of each flow record. An example of a flow record is shown below:

{% tabs %}
{% tab title="JSON" %}

```json
{
  "timestamp": 1574220661,
  "srcip": "10.0.0.1",
  "srcport": 34765,
  "srcowneras": {
    "asnumber": 3333,
    "asorg": ""
  },
  "srcas": {
    "asnumber": null,
    "asorg": ""
  },
  "dstip": "192.168.2.2",
  "dstport": 179,
  "dstowneras": {
    "asnumber": 14618,
    "asorg": ""
  },
  "dstas": {
    "asnumber": null,
    "asorg": ""
  },
  "nexthop": null,
  "nexthopowneras": {
    "asnumber": null,
    "asorg": ""
  },
  "bgpnexthop": null,
  "bgpnexthopowneras": {
    "asnumber": null,
    "asorg": ""
  },
  "bits": 480,
  "packets": 1,
  "pbratio": 0.0020833333333333333,
  "flowbrate": 480,
  "flowprate": 1,
  "protocol": "tcp",
  "protocolint": 6,
  "tos": 192,
  "srcmask": null,
  "dstmask": null,
  "start": 3056874,
  "end": 3056874,
  "duration": null,
  "input": null,
  "output": 4,
  "samplerate": 10,
  "uptime": null,
  "flowsrcip": "172.16.10.10",
  "tcpflags": {
    "urg": false,
    "ack": true,
    "psh": false,
    "rst": false,
    "syn": false,
    "fin": false,
    "ece": false,
    "cwr": false,
    "ns": false
  },
  "tcpflagsint": 16,
  "flowtype": "netflow",
  "flowversion": 10,
  "srcvlan": null
}
```

{% endtab %}
{% endtabs %}
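The record above encodes the same information twice in places (`tcpflags` and `tcpflagsint`, `pbratio` against `packets` and `bits`, `protocol` against `protocolint`), which gives a consumer a cheap way to spot malformed or altered records before trusting them. The following is an added example and not part of the NetoFlow Connector or Vectra's code; it assumes the standard TCP header flag bit layout and IANA protocol numbers, and the sample record is a constructed subset of the one shown on this page.

```python
import json

# Standard TCP header flag bits (FIN..CWR per RFC 793/3168, NS per RFC 3540).
TCP_FLAG_BITS = {
    "fin": 0x001, "syn": 0x002, "rst": 0x004, "psh": 0x008, "ack": 0x010,
    "urg": 0x020, "ece": 0x040, "cwr": 0x080, "ns": 0x100,
}
# IANA protocol numbers for the protocols this checker understands.
PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}
# The NetFlow 5-tuple; note that no packet payload field exists in the record.
FIVE_TUPLE = ("srcip", "srcport", "dstip", "dstport", "protocol")

# Constructed sample: a subset of the flow record shown on this page.
SAMPLE_RECORD = json.loads("""{
  "srcip": "10.0.0.1", "srcport": 34765, "dstip": "192.168.2.2", "dstport": 179,
  "protocol": "tcp", "protocolint": 6, "bits": 480, "packets": 1,
  "pbratio": 0.0020833333333333333, "tcpflagsint": 16,
  "tcpflags": {"urg": false, "ack": true, "psh": false, "rst": false, "syn": false,
               "fin": false, "ece": false, "cwr": false, "ns": false}
}""")

def decode_tcpflags(value):
    """Expand a tcpflagsint bitmask into the boolean map NetoFlow emits."""
    return {name: bool(value & bit) for name, bit in TCP_FLAG_BITS.items()}

def check_flow_record(rec):
    """Return {check_name: passed} for one record.

    A record failing these checks is malformed or was altered between the
    exporter and the consumer, which a pipeline trusting these fields
    should surface rather than silently ingest.
    """
    results = {"has_5tuple": all(rec.get(k) is not None for k in FIVE_TUPLE)}
    results["protocol_matches"] = (
        PROTOCOL_NUMBERS.get(rec.get("protocol")) == rec.get("protocolint"))
    if rec.get("protocol") == "tcp":
        # tcpflags and tcpflagsint are two encodings of the same header bits.
        results["tcpflags_consistent"] = (
            decode_tcpflags(rec.get("tcpflagsint", 0)) == rec.get("tcpflags"))
    bits, packets = rec.get("bits"), rec.get("packets")
    # pbratio is packets per bit: 1 / 480 for the record above.
    results["pbratio_consistent"] = (
        bits not in (None, 0) and packets is not None
        and abs(rec.get("pbratio", -1.0) - packets / bits) < 1e-12)
    return results

if __name__ == "__main__":
    print(json.dumps(check_flow_record(SAMPLE_RECORD), indent=2))
```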