Enterprises with ideal network security solutions built their infrastructures by recognizing the need to address key security threat areas, which can include education, monitoring, detection, investigation, and mitigation.

Although prevention has been the primary focus of the security industry, the reality is that malware can and probably has penetrated your best threat blocking efforts. In most networks today, infections such as command-and-control (C&C) bots are hanging out, waiting for the controller on the Internet to give them instructions. These machines can go unnoticed for months, and unfortunately we often identify them only through happenstance. When something suspicious is uncovered, complete network security solutions provide a means to quickly investigate a potential problem. Forensic reporting is key.

As you build out your threat defenses, make sure your investment includes support for a network traffic analyzer that leverages NetFlow and IPFIX. Today, NetFlow and the IETF standard IPFIX provide complete visibility into all corners of the network without deploying expensive probes. Because most routers, switches and all VMware ESX servers support flow technologies, most companies need only enable this protocol to take advantage of these insightful metrics.

What is NetFlow

NetFlow is a technology developed by Cisco Systems where the device (e.g. router, switch, server) maintains a table or cache of flow entries. A flow entry is a counter with a set of definable criteria which packets leaving the device either match or end up triggering new flow entries. The set of matching criteria used by the flow cache is called a tuple. An example tuple could be:

  • source and destination IP Address
  • source and destination port
  • protocol
  • source interface
  • ToS or DSCP value

Most hardware today supports something similar to Flexible NetFlow, whereby the tuple is definable, allowing the consumer to add and remove criteria in the packets they want to match on. Examples include:

  • source and/or destination MAC address
  • VLAN
  • Autonomous System
  • VoIP, Jitter, Packet loss or even caller ID
  • TCP flags, retransmits
  • Next hop, etc.

Loaded with details like the above, it becomes easier to understand why NetFlow and IPFIX are quickly becoming the log export of choice by firewall vendors such as Barracuda, Cisco, Dell SonicWALL and Palo Alto Networks. Network security solutions that don't support flow technologies may rely on packet sampling strategies such as sFlow, which shouldn't be confused with true flow technologies.
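The flow cache and definable tuple described above can be modelled in a few lines. This is an added example, not code from Cisco or Plixer: the `Packet`, `FlowCache` and `build_flows` names and the sample packets are assumptions made for illustration. It shows how the choice of key fields decides which packets share a flow entry, and therefore how much detail is left for a later forensic investigation.

```python
from collections import namedtuple

# Hypothetical packet model for this example; sizes are in bytes.
Packet = namedtuple("Packet", "src dst sport dport proto in_if tos vlan size")

# The example tuple from the article's first list.
DEFAULT_KEY = ("src", "dst", "sport", "dport", "proto", "in_if", "tos")


class FlowCache:
    """Toy flow cache: one counter entry per distinct key tuple.
    Simplification: entries are never aged out or exported on a timer."""

    def __init__(self, key_fields=DEFAULT_KEY):
        self.key_fields = tuple(key_fields)
        self.entries = {}

    def observe(self, pkt):
        # Match an existing entry on the key tuple, or trigger a new one.
        key = tuple(getattr(pkt, f) for f in self.key_fields)
        entry = self.entries.setdefault(key, {"packets": 0, "bytes": 0})
        entry["packets"] += 1
        entry["bytes"] += pkt.size

    def export(self):
        # One record per flow: key fields plus counters.
        return [dict(zip(self.key_fields, k), **v) for k, v in self.entries.items()]


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.9", 49152, 443, 6, "Gi0/1", 0, 10, 600),
    Packet("10.0.0.5", "203.0.113.9", 49152, 443, 6, "Gi0/1", 0, 10, 1400),
    Packet("10.0.0.5", "203.0.113.9", 49153, 443, 6, "Gi0/1", 0, 10, 80),
    Packet("10.0.0.7", "198.51.100.20", 5060, 5060, 17, "Gi0/2", 184, 20, 200),
    Packet("10.0.0.7", "198.51.100.20", 5060, 5060, 17, "Gi0/2", 0, 20, 200),
]


def build_flows(key_fields=DEFAULT_KEY, packets=SAMPLE):
    cache = FlowCache(key_fields)
    for pkt in packets:
        cache.observe(pkt)
    return cache.export()


if __name__ == "__main__":
    for name, key in [("default", DEFAULT_KEY), ("host pair", ("src", "dst", "proto")),
                      ("VLAN", ("vlan",))]:
        print(name, build_flows(key))
```

With the default tuple the five packets become four flows, because a new source port or ToS value triggers a new entry; keyed on source, destination and protocol only, they collapse into two.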

Network Performance Monitoring

Although historically NetFlow was generally used for network performance monitoring, it was always intended to aid companies with their network threat protection efforts. Only NetFlow and IPFIX provide the 'everywhere' visibility that network security systems need to maximize visibility from end to end. Network security solutions like Scrutinizer with Flow Analytics fully utilize flow technologies for broad visibility and can be used for network monitoring, threat detection and forensic investigation.

[Image: Cisco NetFlow reporting]

Investigative solutions like Scrutinizer (shown above) provide flexible filtering options, which allow you to quickly narrow in on the traffic patterns requiring investigation.

Enterprise Network Security

Your total enterprise network security solution may require a combination of best-of-breed vendors. Scrutinizer makes the most of your NetFlow, IPFIX and sFlow exports by providing the very best forensic investigation capabilities.

Leading network security solutions are enhanced with flow data. Check out Scrutinizer from Plixer.