I’m tired of the same ol’ pitch on why companies should be using NetFlow for Network Traffic Management. In this post I will leverage idioms to explain how NetFlow and IPFIX are being used beyond most traditional implementations and I won’t “cut any corners”. Since NetFlow and IPFIX are pretty much all I do every day, I thought this would be a topic that I could cast an interesting light on.
Personally, I feel that flow technology has been going through a paradigm shift. I don’t mean to imply that it will no longer be used to determine the top talkers, applications, protocols, etc.; rather, I want to suggest that flow technology is already being used for much more. If you have reservations about this claim, hopefully we will “see eye to eye” after you finish reading.
First of all, what is NetFlow? It is a technology used to group packets into flows. Packets sharing the same key fields (e.g. source/destination address, source/destination port, input interface and protocol) are merged into a single record, with their bytes and packets totaled. The result: the NetFlow collector receives flow records, each of which may represent thousands of packets. The reduction in data volume is incredible, but the granular per-packet details (payload, individual packet sizes and timing) are discarded.
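To make the grouping concrete, here is an added example (not code from the original post or from any exporter) that folds a constructed packet list into unidirectional flow records keyed on the 5-tuple, honoring an inactive timeout the way an exporter does. The packet timestamps, addresses (documentation ranges) and sizes are constructed sample data, and the 15-second inactive timeout is an assumed value; the point is to see how many packets collapse into how few records, and what is lost in the process.

```python
from collections import defaultdict

# Constructed sample packets (not captured traffic), one tuple per packet:
# (timestamp_s, src_ip, dst_ip, ip_proto, src_port, dst_port, ip_length)
PACKETS = [
    (0.00, "10.1.1.5", "10.1.1.2", 17, 53011, 53, 70),        # DNS query
    (0.00, "10.1.1.2", "10.1.1.5", 17, 53, 53011, 120),       # DNS reply
    (0.05, "10.1.1.5", "203.0.113.10", 6, 51000, 443, 74),    # TLS client -> server
    (0.07, "203.0.113.10", "10.1.1.5", 6, 443, 51000, 74),    # TLS server -> client
    (0.08, "10.1.1.5", "203.0.113.10", 6, 51000, 443, 66),
    (0.30, "10.1.1.5", "203.0.113.10", 6, 51000, 443, 583),
    (0.35, "203.0.113.10", "10.1.1.5", 6, 443, 51000, 1514),
    (0.36, "203.0.113.10", "10.1.1.5", 6, 443, 51000, 1514),
    (40.0, "10.1.1.5", "10.1.1.2", 17, 53011, 53, 70),        # same 5-tuple, long after the first query
]

def flow_key(src, dst, proto, sport, dport):
    """The fields that define 'the same flow'. A real exporter also keys on
    input interface and ToS/DSCP; they are omitted here for brevity."""
    return (src, dst, proto, sport, dport)

def aggregate(packets, inactive_timeout=15.0):
    """Fold packets into unidirectional flow records.

    A packet joins the active record with the same key unless that record has
    been idle longer than inactive_timeout (assumed 15 s here), in which case
    the old record is exported and a fresh one started, mirroring the
    exporter's inactive timer. Only counts and first/last timestamps survive;
    per-packet sizes, payload and inter-packet timing are lost at this point.
    """
    active = {}
    exported = []
    for ts, src, dst, proto, sport, dport, length in sorted(packets):
        key = flow_key(src, dst, proto, sport, dport)
        rec = active.get(key)
        if rec is not None and ts - rec["last"] > inactive_timeout:
            exported.append(active.pop(key))
            rec = None
        if rec is None:
            rec = active[key] = {
                "src": src, "dst": dst, "proto": proto,
                "sport": sport, "dport": dport,
                "first": ts, "last": ts, "packets": 0, "bytes": 0,
            }
        rec["packets"] += 1
        rec["bytes"] += length
        rec["last"] = ts
    # At end of capture everything still active is exported too.
    return exported + list(active.values())

def top_talkers(flows, n=3):
    """Bytes sent per source address, largest first: the classic report."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    flows = aggregate(PACKETS)
    print(f"{len(PACKETS)} packets -> {len(flows)} flows")
    for f in flows:
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto={f['proto']} "
              f"pkts={f['packets']} bytes={f['bytes']} dur={f['last'] - f['first']:.2f}s")
    print("top talkers:", top_talkers(flows))
```

Nine packets become five records: the two DNS queries share a 5-tuple but are split by the inactive timer, and the TLS session becomes one record per direction. Notice that the record for the TLS download tells you 3102 bytes in three packets but nothing about which packet was the big one or how long the server took to answer; that is exactly the detail the next section is about recovering from richer exports.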
1) Identifying slow applications: why is the network so slow?
Why is the network so slow, or why is this application so slow? This can be a tricky question to answer if you don’t have the right details and tools. “The devil is in the details”, and this holds true for NetFlow and IPFIX as well.
Most traditional flow collectors can be used for basic reporting purposes such as capacity planning, QoS monitoring or even MPLS reporting. However, this is not where leading NetFlow solutions receive their good marks. Next-generation NetFlow solutions combine flexible filtering with flexible reporting. Let me digress. Powerful filtering provides Boolean logic whereby the user can narrow in on traffic by assembling both include and exclude filters. For example:
- include these subnets, but exclude these IP addresses
- include these DSCP values, but exclude all of this application
- include all traffic whose MAC address begins with this vendor ID (OUI)
- include all traffic to and from salesforce.com
Filters like the above allow network analysts to troubleshoot issues with cloud services with near pin-point accuracy. And by combining this data with external sources, you can gain tremendous insight into hot topics such as BYOD traffic volume.
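The four filters in the list above, implemented as an added example (not code from the original post or from any collector product): each filter term is a small predicate over a flow record, include terms are OR’ed together, and exclude terms are applied afterwards as a NOT over their OR. The flow records, MAC addresses and the `dst_host` field (standing in for whatever DNS or URL enrichment a collector attaches) are constructed sample data, and the field names are assumptions of this example.

```python
import ipaddress

# Constructed flow records (not real exports). dst_host stands in for the
# hostname/URL enrichment a collector or probe may attach to a flow.
FLOWS = [
    {"src": "10.1.1.5", "dst": "203.0.113.20", "dport": 443, "dscp": 0, "app": "https",
     "src_mac": "00:1b:63:aa:bb:cc", "dst_host": "login.salesforce.com", "bytes": 7200},
    {"src": "10.1.1.9", "dst": "203.0.113.21", "dport": 443, "dscp": 0, "app": "https",
     "src_mac": "3c:5a:b4:11:22:33", "dst_host": "na1.salesforce.com", "bytes": 900},
    {"src": "10.1.2.7", "dst": "10.1.1.2", "dport": 53, "dscp": 0, "app": "dns",
     "src_mac": "00:1b:63:dd:ee:ff", "dst_host": "", "bytes": 130},
    {"src": "10.1.1.5", "dst": "10.2.0.20", "dport": 5060, "dscp": 46, "app": "sip",
     "src_mac": "00:1b:63:aa:bb:cc", "dst_host": "", "bytes": 4000},
    {"src": "192.168.50.4", "dst": "10.2.0.21", "dport": 16384, "dscp": 46, "app": "rtp",
     "src_mac": "3c:5a:b4:44:55:66", "dst_host": "", "bytes": 60000},
]

# --- predicate builders: each returns a function flow -> bool -----------------

def subnet(*cidrs):
    """Either endpoint of the flow lies in one of the given subnets."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda f: any(ipaddress.ip_address(a) in n
                         for a in (f["src"], f["dst"]) for n in nets)

def address(*ips):
    """Either endpoint is exactly one of the given addresses."""
    wanted = {ipaddress.ip_address(i) for i in ips}
    return lambda f: any(ipaddress.ip_address(a) in wanted for a in (f["src"], f["dst"]))

def dscp(*values):
    return lambda f: f["dscp"] in values

def application(*names):
    return lambda f: f["app"] in names

def mac_oui(prefix):
    """Source MAC starts with the vendor's OUI (first three octets)."""
    p = prefix.lower()
    return lambda f: f["src_mac"].lower().startswith(p)

def host(domain):
    """Destination host is the domain itself or any subdomain of it."""
    d = domain.lower()
    return lambda f: f["dst_host"].lower() == d or f["dst_host"].lower().endswith("." + d)

# --- the Boolean combination --------------------------------------------------

def build_filter(include=(), exclude=()):
    """Include terms are OR'ed: a flow must match at least one of them (an
    empty include list means 'everything'). Exclude terms are then applied as
    NOT (e1 OR e2 ...): any single exclude match drops the flow."""
    def matches(flow):
        if include and not any(p(flow) for p in include):
            return False
        return not any(p(flow) for p in exclude)
    return matches

def select(flows, include=(), exclude=()):
    keep = build_filter(include, exclude)
    return [f for f in flows if keep(f)]

if __name__ == "__main__":
    examples = {
        "10.1/16 but not 10.1.1.9": select(FLOWS, include=[subnet("10.1.0.0/16")],
                                           exclude=[address("10.1.1.9")]),
        "DSCP 46 but not SIP":      select(FLOWS, include=[dscp(46)],
                                           exclude=[application("sip")]),
        "OUI 00:1b:63":             select(FLOWS, include=[mac_oui("00:1b:63")]),
        "salesforce.com":           select(FLOWS, include=[host("salesforce.com")]),
    }
    for name, hits in examples.items():
        print(f"{name:28} {len(hits)} flows, {sum(f['bytes'] for f in hits)} bytes")
```

The subnet and address predicates deliberately test both endpoints, since “traffic to and from salesforce.com” means both directions; a filter that only looked at the source would silently halve the picture when you go looking for why a cloud application is slow.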
With all of this detail, it is important to remember that rich flow exports with juicy, insightful details (e.g. latency, packet loss, URLs) are only available if two things happen: the hardware needs to export the details, and the collector needs to be able to report on them. If your hardware doesn’t have these abilities yet, SPAN (mirror) a port to an IPFIX or NetFlow probe, which builds the flow records from the raw packets and exports them for you.
2) Intellectual property theft or data leakage can be an unfortunate part of being on the internet and of hiring employees. Some would argue that both are a kind of “double-edged sword”.
Companies spend millions to develop competitive technologies, and many times the file containing the details will fit onto a USB memory stick or can be sent as a harmless-looking email to do some work at home. Customer and vendor relationships are also often coveted secrets, and with the introduction of LinkedIn and Facebook, protection against this type of information theft is increasingly difficult.
If you are suspicious of an employee or have a key employee leaving, can you go back weeks, months or even years to look at their network usage patterns? What if the information was simply flat-out stolen? Do you have an Advanced Persistent Threat (APT) reaction and recovery plan in place? These questions lead to reasons 3 and 4, on threat detection and regulatory compliance.
3) NetFlow is often used as a type of internal IDS that looks for problems (e.g. bots) that may not require internet access initially, or at all. Oftentimes they start by scanning the local network. In other cases, worms like these may not cause a lot of odd traffic, which lets them go unnoticed by most behavior-monitoring systems. Corporate electronic break-ins are becoming increasingly simple. Even if they don’t cost the company a lot of money, they are still embarrassing and can be bad for the company image. To “add insult to injury”, malware is constantly evolving, making it more and more difficult to detect.
It is also wise to have a system that constantly checks the IP addresses seen in flows against an IP host reputation list, as another threat-detection routine built on NetFlow.
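Both detections from reason 3, the local-network scan that needs no internet access and the reputation check, as one added example (not code from the original post or from any IDS or collector product). The scan heuristic flags a source that has touched many distinct internal host/port pairs with flows too small to be real sessions; the reputation check matches both endpoints of every flow against a list of CIDRs. The flow records, the sweeping host, the block list and the thresholds (20 targets, at most 2 packets per flow) are all constructed assumptions of this example; a real deployment would tune the thresholds and load the list from a threat-intelligence feed.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not real exports): src, dst, proto, dport, packets, bytes
FLOWS = [
    {"src": "10.1.1.5", "dst": "10.1.1.2", "proto": 17, "dport": 53, "packets": 1, "bytes": 70},
    {"src": "10.1.1.5", "dst": "10.1.1.2", "proto": 17, "dport": 53, "packets": 1, "bytes": 70},
    {"src": "10.1.1.5", "dst": "10.2.0.20", "proto": 6, "dport": 443, "packets": 120, "bytes": 98000},
    {"src": "10.1.1.5", "dst": "198.51.100.77", "proto": 6, "dport": 6667, "packets": 40, "bytes": 5200},
]
# A host sweeping the /24 for SMB: one tiny flow per target, most never answered.
FLOWS += [{"src": "10.1.3.50", "dst": f"10.1.1.{i}", "proto": 6, "dport": 445,
           "packets": 1, "bytes": 60} for i in range(1, 41)]

# Constructed reputation list (not a real feed); a real deployment loads one
# from a threat-intel source and refreshes it regularly.
BLOCKLIST = ["198.51.100.0/24", "203.0.113.99/32"]

def _in_any(ip, nets):
    a = ipaddress.ip_address(ip)
    return any(a in n for n in nets)

def internal_scanners(flows, internal=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
                      min_targets=20, max_packets=2):
    """Flag sources that touched many distinct internal (host, port) pairs with
    flows too small to be real sessions. Legitimate clients talk to a handful
    of servers with many packets each; a scanner fans out with one or two
    packets per target. Returns {source: number_of_targets} for offenders."""
    nets = [ipaddress.ip_network(c) for c in internal]
    targets = defaultdict(set)
    for f in flows:
        if f["packets"] <= max_packets and _in_any(f["dst"], nets):
            targets[f["src"]].add((f["dst"], f["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def reputation_hits(flows, blocklist):
    """Return (flagged_ip, flow) for every flow with an endpoint on the list."""
    bad = [ipaddress.ip_network(b) for b in blocklist]
    hits = []
    for f in flows:
        for peer in (f["src"], f["dst"]):
            if _in_any(peer, bad):
                hits.append((peer, f))
                break
    return hits

if __name__ == "__main__":
    for src, n in internal_scanners(FLOWS).items():
        print(f"possible internal scan: {src} probed {n} host/port pairs")
    for ip, f in reputation_hits(FLOWS, BLOCKLIST):
        print(f"reputation hit: {ip} in flow {f['src']} -> {f['dst']}:{f['dport']} "
              f"({f['bytes']} bytes)")
```

Neither check needs payload: the scan shows up purely as fan-out of tiny flows, which is why a flow collector can see it even when the infected host never talks to the internet, and the reputation match is just an address lookup over records you are already storing.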
4) If your business is in the Payment Card Industry (PCI) and is concerned about regulatory compliance, it is imperative that the raw flows be saved in native format for potential “once in a blue moon” investigations. Only a few reporting tools can save the data for decades and provide fast access (i.e. within seconds) when searching.
HIPAA and SCADA environments raise the same concerns for the same reasons above. If your company has to worry about NPPI (Non-Public Personal Information), have no fear: standard NetFlow fields carry headers and counters, not payload, so NPPI data is never exported in NetFlow (exports enriched with URLs, as mentioned above, deserve the same handling as any other log). A good NetFlow reporting solution can help with your compliance efforts and provide a great additional layer of security that will help protect your business. If this isn’t enough, here are 5 more reasons to use NetFlow for threat detection.
5) The ideal NetFlow and IPFIX reporting solution doesn’t have to “cost an arm and a leg”. You can have “the best of both worlds” at a reasonable price. When someone says “you get what you pay for”, heed the warning, but take the advice with a “pinch of salt”. The time to get involved with NetFlow is now, and your Enterasys switches support it. Don’t “sit on the fence” for another day. If you still think this post is trying to “pull the wool over your eyes”, take the Advanced NetFlow training seminar in a city near you. You don’t want to “miss the boat” on this great opportunity to “hear it straight from the horse’s mouth” on why NetFlow is the hot potato in the Network Traffic Monitoring industry.
How many idioms was that?