
Page 1: THE BIG BOOK OF NETWORK FLOWS FOR SECURITY4 Cisco’s NetFlow is just one of the many network flow protocols out there. Others include: • J-Flow • Cflow • IPFIX • sFlow® Flow

THE BIG BOOK OF NETWORK FLOWS FOR SECURITY


TABLE OF CONTENTS

3 | Introduction to Network Flows
5 | The Different Kinds of Network Flows
8 | Flow Exporters
9 | Flow Collectors
10 | To Sample or Not To Sample?
12 | Network Flows for Visibility
15 | Network Flows for Security
18 | Which Network Flow is Best for DDoS Detection and Mitigation?
21 | The Scalability of Network Flows
22 | Tips on Configuring Flow Export
23 | About FlowTraq

© 2016 FlowTraq. All Rights Reserved.


INTRODUCTION TO NETWORK FLOWS

Network flows represent the conversations that make your business work: emails, Web requests, VoIP calls, file transfers, and all the low-level back-and-forth that make a network a network. Among these conversations are also attacks: spam, scanning, malware, data exfiltrations, and other potential threats.

Network flows provide up-to-the-minute information about the communications taking place on the network, including who’s sending how much data to whom, as well as how and when: IP addresses, port and protocol, exporting device, timestamps, plus VLAN, TCP flags, etc. This data is widely available from devices like routers, switches, firewalls, load balancers, hypervisors, and even as software to install on individual hosts. With data streaming in from multiple sources, a central location can get an excellent view of the network, including cross-border and purely internal traffic.

Cisco, the inventors of NetFlow, describe it as a phone bill for your network¹ — a listing of all the conversations that take place on your network, whether they last hours or milliseconds. Unlike an ordinary phone bill with hundreds of conversations, there are thousands or millions of “conversations” on the network at any one time. These conversations are the ebb and flow of data and control of a modern computer network, embodying the business processes that your network supports. The size of the conversation doesn’t matter — a single-kilobyte communication can be as important to the operation of your network as a multi-gigabyte download.

¹ “Cisco IOS NetFlow and Security,” Internet Technologies Division, February 2005


Cisco’s NetFlow is just one of the many network flow protocols out there. Others include:

• J-Flow
• Cflow
• IPFIX
• sFlow®

Flow data provides granular insight into your network that can help you diagnose a potential problem. With the right tools, a network administrator can determine the source and destination of network traffic, prominent peering relationships, and common bottlenecks. Specifically, flow records contain information about:

• Source IP address: who is originating the traffic
• Destination IP address: who is receiving the traffic
• Ports: the application utilizing the traffic
• Class of service: the priority of the traffic
• Device interface: how the traffic is being used by the network device
• Tallied packets and bytes: the amount of traffic
• And more: including packet timestamps


THE DIFFERENT KINDS OF NETWORK FLOWS

NETFLOW SUITE OF PROTOCOLS

For the NetFlow suite of protocols — which includes IPFIX, Cflow, and J-Flow — we most often see version 5 (supported by the majority of devices), some combined v5/v7 (the Catalysts), and some version 9 on the newer devices. Don’t be fooled by the ASA series of firewalls; they do not actually support version 9 flow exporting. Instead, these Cisco devices use NetFlow 9 to export firewall events, similar to log lines: no real traffic records in there! NetFlow v5 uses a static packet format (and is in this way very similar to v7), defining IPv4 IPs, protocols, ports, and millisecond precision on flow start and end times. Version 9 uses a dynamic format, parsed based on a template which is sent around first. These templates are flexible and allow for expansion of the protocol in the future. Incidentally, IPFIX is also based on NetFlow and is versioned as NetFlow 10.

J-Flow and Cflow are the same as Cisco NetFlow v5. Only NetFlow v9 and IPFIX support IPv6.

NetFlow defines a “flow” as a unidirectional series of packets from IP A to IP B, using some protocol (TCP/UDP/ICMP/…). When the packets use either TCP or UDP, then the flow is further specified by a pair of ports; for instance, 10.20.30.40:53823 -> 50.60.70.80:443 TCP. Often, since most communications require both sides to transmit packets, one will see NetFlow report two flows associated with every communication, accounting for the packets and bytes that went in either direction. A proper flow collector and analyzer will correlate these with each other for you, so you can see a report of a full conversation. Most versions of NetFlow also support a sampling mode where only one in every N packets is used to update the flow counters. This is not very useful for forensic analysis of your network traffic, but helps keep the CPU load on your router or switch down (see “To Sample or Not To Sample?” below). If full-fidelity NetFlow is required, consider using a SPAN, TAP or mirrored port, and generate NetFlow with a software tool or dedicated appliance without incurring the additional load on the router or switch.

The NetFlow suite of protocols is a powerful source of security and network debugging information. Since each and every network communication can be logged with millisecond precision, you can quickly determine who communicated with whom and when. Flow information is also much more tenable than raw packet data, allowing for a much quicker first look at the network. In other words, you can use flow data as a springboard to determine if further packet inspection is necessary.
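As an added illustration of the v5 static record format and of the two-unidirectional-flows point above (example code written for this page, not FlowTraq’s or Cisco’s software), the Python below decodes a NetFlow v5 export datagram using the standard 24-byte header and 48-byte record layout, then pairs the A->B and B->A records into conversations. The datagram is constructed inline from a handful of invented records, including the 10.20.30.40:53823 -> 50.60.70.80:443 TCP flow used in the text, plus a lone unanswered SYN so that the one-sided case is visible; every address, counter and timestamp is made up.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout (network byte order): a 24-byte header followed by
# `count` fixed 48-byte records. This is the static format the text refers to.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 datagram into a list of flow dicts.

    The record's First/Last fields are milliseconds of router uptime, so the
    header's uptime and wall-clock fields are used to make them absolute."""
    (version, count, sys_uptime, unix_secs, unix_nsecs, _flow_seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram shorter than its record count implies")
    boot_ms = unix_secs * 1000 + unix_nsecs // 1_000_000 - sys_uptime
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "sport": sport, "dport": dport,
            "packets": pkts, "bytes": octets, "tcp_flags": flags,
            "start_ms": boot_ms + first, "end_ms": boot_ms + last,
            # low 14 bits of the header field hold the 1:N sampling interval
            "sampling_interval": sampling & 0x3FFF,
        })
    return flows


def pair_conversations(flows: list) -> dict:
    """Group the two unidirectional records of one conversation.

    The key is the 5-tuple with the endpoints sorted, so the A->B record and
    the B->A record land in the same bucket; 'fwd' is the record whose source
    is the lower endpoint, 'rev' the other direction."""
    convs = defaultdict(lambda: {"fwd": None, "rev": None})
    for f in flows:
        a, b = (f["src"], f["sport"]), (f["dst"], f["dport"])
        if a <= b:
            convs[(f["proto"], *a, *b)]["fwd"] = f
        else:
            convs[(f["proto"], *b, *a)]["rev"] = f
    return dict(convs)


def conversation_summary(convs: dict) -> list:
    """One row per conversation with per-direction byte counts; a conversation
    with only one direction seen (e.g. an unanswered SYN) is flagged."""
    rows = []
    for (proto, a_ip, a_port, b_ip, b_port), sides in convs.items():
        seen = [s for s in sides.values() if s is not None]
        rows.append({
            "proto": proto, "a": f"{a_ip}:{a_port}", "b": f"{b_ip}:{b_port}",
            "a_to_b_bytes": sides["fwd"]["bytes"] if sides["fwd"] else 0,
            "b_to_a_bytes": sides["rev"]["bytes"] if sides["rev"] else 0,
            "start_ms": min(s["start_ms"] for s in seen),
            "end_ms": max(s["end_ms"] for s in seen),
            "one_sided": len(seen) == 1,
        })
    return rows


def build_v5_datagram(records: list, sys_uptime=120_000,
                      unix_secs=1_700_000_000) -> bytes:
    """Encode constructed records as a v5 datagram (fixture for this example)."""
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, 1, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(
        socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), b"\0\0\0\0",
        1, 2, r["packets"], r["bytes"], r["first"], r["last"],
        r["sport"], r["dport"], 0, r.get("flags", 0), r["proto"],
        0, 0, 0, 0, 0, 0) for r in records)
    return header + body


# Constructed sample: a TCP conversation in both directions, a DNS exchange,
# and a lone SYN toward port 445 that was never answered.
SAMPLE_RECORDS = [
    dict(src="10.20.30.40", dst="50.60.70.80", proto=6, sport=53823, dport=443,
         packets=12, bytes=1800, first=100_000, last=100_350, flags=0x1b),
    dict(src="50.60.70.80", dst="10.20.30.40", proto=6, sport=443, dport=53823,
         packets=10, bytes=9000, first=100_010, last=100_340, flags=0x1b),
    dict(src="10.20.30.40", dst="10.20.30.1", proto=17, sport=40000, dport=53,
         packets=1, bytes=70, first=99_000, last=99_000),
    dict(src="10.20.30.1", dst="10.20.30.40", proto=17, sport=53, dport=40000,
         packets=1, bytes=120, first=99_004, last=99_004),
    dict(src="10.20.30.40", dst="10.20.30.7", proto=6, sport=44444, dport=445,
         packets=1, bytes=60, first=101_000, last=101_000, flags=0x02),
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_RECORDS)

if __name__ == "__main__":
    for row in conversation_summary(pair_conversations(parse_v5(SAMPLE_DATAGRAM))):
        print(row)
```

The pairing key deliberately ignores which side spoke first; a collector that wants the initiator can use the earlier start_ms or the SYN flag on the 'fwd'/'rev' record. The one_sided flag is the cheap signal that the scanning section later builds on: probes that never get an answer show up as conversations with a single direction.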

SFLOW

The sFlow protocol is a completely different animal. Easily configurable through SNMP, its primary objective is to be a statistical network monitoring tool. Lots of different performance counters can be monitored through the sFlow protocol, and the biggest benefit of sFlow comes from its infinite scalability in large networks under heavy loads; however, this innovative statistical approach comes at a slight disadvantage in accuracy, granularity, and timing precision. To understand this, we have to take a closer look at how sFlow measures network traffic.


Unlike NetFlow, the sFlow protocol samples every Nth packet from the traffic stream, where N can be one-in-512, one-in-1024, etc. This means that some communications may slip by entirely undetected, and the sFlow collector software will not know about them. Larger communications, such as big downloads and online video content, will stand a much bigger chance of being reported, as there are many packets involved. The second drawback is the lack of accurate timestamping of the packet data. Sampled packets get forwarded as they are picked up from the data stream; however, they are not timestamped. Therefore, a small amount of uncertainty about the exact time of packet capture is introduced.

Although these tradeoffs render sFlow not particularly well suited to network forensic investigations (there is some statistical uncertainty as to when a communication began, how many packets were transmitted each way, their size, and when it ended), they are necessary to allow the virtually unlimited scalability that sFlow offers. If the network gets busy, it can fall back to a slower sampling rate, and keep load on the exporting device and sFlow collector down significantly.

WHICH FLOW SOLUTION IS RIGHT FOR YOU?

The answer to this question depends on the intended purpose of the implementation. At the ISP or large enterprise level, the hardware cost associated with tracking every communication through NetFlow is substantial, and can only be justified if the NetFlow data is used for security and network forensic analysis. If the goal is to simply get a rough overview of usage (“Who’s hogging my bandwidth?”), the sFlow protocol, or sampled NetFlow, will suffice — it’s much more manageable and less costly. At smaller sites, the decision will usually be dictated by the switching and routing gear in the current network closet. Use what you have!


FLOW EXPORTERS

A flow exporter is a software or hardware engine that keeps track of all the current sessions that it “sees.” In hardware, this might mean all the packets that a switch switches; in software, it’s what can be seen on an interface or set of interfaces. It does this by maintaining a table of current sessions, called a conntrack (as in connection tracking) table. Typically, this table is scanned for updates at regular intervals, which are subsequently added to flow packets that are exported to a flow collector.

On very busy networks, sometimes an enormous number of sessions receive updates during the scan interval, thus resulting in a surge of flow packets to export. This sudden burst of output can overwhelm the UDP input buffers of the operating system on the collector, especially if the collector machine is heavily loaded or underpowered. This can lead to dropped flow packets and inaccurate, incomplete data. To combat this problem, you want your flow exporter to spread all the export packets over time, rather than send them in bursts. This smooths out the surges considerably, resulting in a steady stream of flow packets, even on very busy networks, and minimizes the chances of overloading a collector.


FLOW COLLECTORS

A collector is a server with software that can accept and interpret flow exports. Exporters send their flow summaries to collectors for storage and analysis. Most collectors summarize and aggregate the flows before storage, discarding the records. Although coarse, this approach is the fastest; the cost is the loss of forensic accuracy. Some collectors store all flow records, allowing full recall and precise filtering. These full-fidelity analyzers are more powerful.

For simply analyzing top network users and their top content, you may only need a flow aggregator. But because network flows are a summary, they can be stored compactly — a gigabyte of flow data can describe hundreds of thousands of gigabytes of actual traffic. This efficiency makes it suitable for full-fidelity recall, meaning every single record can be stored for later analysis, down to the smallest ICMP ping. With a full-fidelity network flow history, it becomes possible to perform intricate analysis of one’s historical record, down to small transactions that occurred months ago. This enables an analyst to perform difficult tasks like tracking an intruder through multiple hops of SSH sessions, or separating potential DNS tunnels from ordinary requests. It also means that analysts don’t have to be psychic — they don’t need to know today what they’ll need to search for tomorrow.

More than that level of intricate analysis, a fast full-fidelity system gives analysts an unparalleled feel for the network. Simply clicking around and exploring for a half-hour can give a far better idea of what to expect in the traffic than days in a lecture hall.


TO SAMPLE OR NOT TO SAMPLE?

On any given day, a typical networked host will send about 30 MB and receive about 200 MB. About 300,000 packets are switched. During peak times, the average workstation initiates two to four network UDP or TCP sessions per second, and each session averages 34 KB in size, roughly 100 packets. What’s more, these sessions are negative-exponentially distributed with regard to packet count. What does that mean? It means there are a lot more very short sessions of only a couple of packets than lengthy sessions with lots of packets.

When routers use sampling for network flow generation, an interesting thing happens. The sampling is done on a packet-count level, so a 1:512 sampling rate will grab roughly every 512th packet to update the flow state tables.

This is great for reducing CPU load. But it is not so great at reducing flow update rate. Here’s why: With an average session size of roughly 100 packets, each sampled packet is very likely to be part of a flow that is not yet in the state table. This means an entry is created, which will lead to a flow update being sent. Compare this to 1:1 unsampled flow generation, where most of the packets will go toward updating existing entries in the flow state table. Flow state tables are typically exported when a flow is 60 seconds old, or the table is full, and the old ones need to be purged.


Leaving the exact math out for clarity, if unsampled flow generation results in a flow rate of X, then 1:512 sampling results in roughly 1/5th of the flow traffic being generated. Not 1/512th. This is the intuitive answer, and the true results of sampling depend much on the precise mix of traffic present on the network. Also, some routers will use adaptive flow sampling rates to keep their flow export rates constant. This means that at busier times, the granularity of the data becomes less and less. Although this is nice for CPU time considerations on the router’s end, it does not help much that the roughest data is collected during the heaviest attack! Sampling is simply not the correct approach to reduce cost or gain best visibility. You should design for 1:1 unsampled flow, because it builds in a safety margin during the biggest attacks.
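The “exact math” left out above can be filled in with a small model; what follows is an added example for this page, not FlowTraq’s analysis. It assumes (as stated in the text) session lengths that are negative-exponentially distributed with a mean of about 100 packets, and it assumes that periodic 1:N sampling, seen from any one session interleaved with thousands of others, behaves like an independent 1/N chance per packet. A session still produces a flow record as soon as a single one of its packets is sampled, so the question is simply what share of sessions get at least one sample; the closed form and a Monte Carlo check both land in the same region as the page’s “roughly 1/5th, not 1/512th”.

```python
import math
import random


def sampled_flow_fraction(mean_packets: float, sample_rate: int) -> float:
    """Analytic estimate of the flow-record rate under 1:N packet sampling,
    relative to unsampled (1:1) flow generation.

    Model (an assumption made for this example): session lengths in packets are
    exponentially distributed with the given mean, and each packet is sampled
    independently with probability 1/N. A session yields a flow record as soon
    as one of its packets is sampled."""
    if sample_rate <= 1:
        return 1.0                      # unsampled: every session is recorded
    p = 1.0 / sample_rate
    # For n ~ Exponential(mean m): E[(1-p)^n] = 1 / (1 + m * ln(1/(1-p)))
    miss = 1.0 / (1.0 + mean_packets * -math.log(1.0 - p))
    return 1.0 - miss


def simulate_flow_fraction(mean_packets: float, sample_rate: int,
                           sessions: int = 20_000, seed: int = 7) -> float:
    """Monte Carlo check of the estimate: draw a length for each session and
    decide whether at least one of its packets was sampled."""
    rng = random.Random(seed)
    p = 1.0 / sample_rate
    recorded = 0
    for _ in range(sessions):
        n = max(1, round(rng.expovariate(1.0 / mean_packets)))
        if rng.random() < 1.0 - (1.0 - p) ** n:
            recorded += 1
    return recorded / sessions


def compare_rates(mean_packets: float = 100.0, rates=(1, 64, 512, 1024)) -> dict:
    """Flow-record share versus the naive 1/N expectation, per sampling rate."""
    return {r: {"flow_share": sampled_flow_fraction(mean_packets, r),
                "naive_1_over_n": 1.0 / r} for r in rates}


if __name__ == "__main__":
    for rate, row in compare_rates().items():
        print(f"1:{rate:<5} flow records {row['flow_share']:.1%} of unsampled "
              f"(naive expectation {row['naive_1_over_n']:.2%})")
    print("simulated 1:512 ->", f"{simulate_flow_fraction(100, 512):.1%}")
```

With a 100-packet mean, 1:512 sampling still emits about one sixth of the flow records that 1:1 would, roughly 80 times the naive 1/512; and because the surviving records are dominated by long sessions, the short ones (the SYN probes and single-packet lookups a security analyst most wants) are exactly the ones that vanish.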


NETWORK FLOWS FOR VISIBILITY

When collected in a central location and made available to view and search, network flows provide visibility into what’s going over the network, including large-scale events like DDoS attacks and saturated links, and small-scale events like SSH logins and database connections. This allows an analyst to monitor for attacks, policy compliance, and data usage for billing. Whether it’s a brute-force attack or on-the-sly Netflix watching, if it crosses the network, it’s in the network flows.

A modern computer network encompasses a wide variety of Internet-capable devices, not all of them physical, joining and leaving your network in almost no time at all. The network infrastructure itself can change drastically with just a few keystrokes, without moving even a single wire of your physical infrastructure. A properly deployed network flow solution gives you exceptional visibility into your network, providing the best available balance between scope and depth. Network flows by themselves give you an excellent view, but combined with the proper analytical tools, they give you unparalleled control over your network.

VIRTUALIZED NETWORKS

The ability to rapidly deploy virtual networks and virtual hosts has been a game-changer for many companies, allowing unprecedented flexibility. Network flows are fast enough to keep pace — the minute your virtual network goes live, so does your flow export, and you can see the flow and balance of traffic between VLANs at a glance.

MOBILE DEVICES

Mobile devices are particularly difficult to monitor because they move rapidly from network to network, are not easy to instrument, and do not have easily accessible log files. Network flows provide a convenient and robust means of monitoring these devices when they associate with your wireless networks.

REAL-TIME NETWORK MANAGEMENT

The more you know about your network, the better prepared you’ll be for decisions you need to make:

• Is your Web service suffering a denial of service attack?
• Are all of your backups made on time, every time?
• That foreign IP address that is currently trying a brute-force attack against a system in your Chicago network — has it contacted any of your other networks today? Last week? Last year? Are they trying blindly or did they perform reconnaissance first?
• Can you reduce load on your Boston servers by moving functionality to San Francisco, or do they experience peaks at the same time?

BANDWIDTH PLANNING

Whether your site is getting more popular, your team is expanding, your partners start preferring video conferences to voice calls, or the size of the average Web page is increasing, the only certainty is that you will need more bandwidth. But where? Long-term network flow trends can tell you where resources are most likely to be needed most urgently. They can tell you which traffic is dominating your network and, at a glance, show you the rates at which it’s increasing. This makes it easy to spot potential bottlenecks and strategically plan for expansion.

REGULATORY COMPLIANCE

Different organizations have different record-keeping requirements. For example, if you handle medical records, you are required to show HIPAA compliance; if you handle credit card details, you are required to track the flow of data to and from the system that processes this vital information, showing all access, even the smallest. If you monetize your network by hosting services, you need to track bandwidth use accurately to determine usage billing. Relying on 95th-percentile billing can be risky; it can be gamed, and you can miss spikes in traffic that degrade performance to other customers.


NETWORK FLOWS FOR SECURITY

Flow is a compact format, meaning it can be processed and analyzed much more quickly than a full packet capture format (fullcap). When analyzing network patterns for illicit behaviors, botnets, or data exfiltrations, the speed of analysis is key. If it takes hours to detect a potential data theft, and then a security analyst takes hours more to investigate, how many proverbial horses will have left the barn before the barn door is shut? Flow analysis delivers the power and speed to act quickly. At the same time, point-to-point communications are increasingly being encrypted, which dramatically and rapidly decreases the value of fullcap.

By analyzing flow data, network and security operations personnel can flag unfamiliar IP addresses (or IP addresses known to host malware), analyze distributed denial of service (DDoS) attacks, identify potential worms and botnets, track unusual data traffic patterns, find non-compliant users, and give you a detailed audit trail of all network activity. Flow analysis can also help you pinpoint unwanted data exfiltrations, identify causes of slowdowns, and spot where attacks or information leaks are coming from.

BOTNET PROTECTION

Once you learn your organization’s typical network patterns, you can use your flow data to help detect network anomalies that often indicate botnets, rogue servers, unauthorized clients, or other network threats.


DDOS AND BRUTE FORCE ATTACK DEFENSE

A significant traffic surge can indicate a potential DDoS or brute force attack, two of the most common network threats around. DDoS attacks can make your websites, email, or other applications unavailable to your customers or employees, while a successful brute force attack allows a perpetrator, virus, or worm to penetrate your network with compromised credentials. By regularly analyzing your flow traffic you can recognize these types of malicious threats in real time so you can immediately react to them and select the appropriate defense.

WORMS, SCANS, AND NETWORK RECONNAISSANCE PREVENTION

Worms propagate through your network by rapidly looking for hosts with common vulnerabilities and exploiting those weaknesses to spread throughout your network. By using flow data, this scanning behavior can be easily identified when several internal systems show the same bad pattern in rapid succession. This is a very common reconnaissance technique used by attackers, and can serve as an early warning for other more malicious attacks to come. Flow data can help you catch and control these incidents before they become a real problem.

DATA EXFILTRATION RECOGNITION

You may already spend time and resources searching for viruses on computers, blocking spam, and tracking down abuse. But it’s not only worms and viruses that may be exfiltrating your most sensitive data; it could be anyone within your own walls. By monitoring flow data to detect anomalies, you can immediately recognize undesired uploads and data breaches from your network. This allows you to stop a leak before you face millions of dollars of cyber theft damages, lawsuits and public embarrassment, or before your CEO, CSO or CIO lose their jobs due to failed data security practices.

DATA BREACH DEFENSE

To spot potential data leaks or information security breaches, you can analyze network flow records to quickly recognize hosts initiating a connection, receiving data outside of normal thresholds, or exhibiting unexpected network behavior patterns. With the proper tools, flow data analysis can help you keep sensitive information safe from outside intruders and unauthorized insiders.
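Here is an added example (not code from the page or from FlowTraq) that turns the three patterns described in this section into detection logic over flow records: a worm-style sweep (one source, many distinct destinations on one port, tiny one-packet flows; the constructed data has two internal hosts showing the same pattern in rapid succession, as the text describes), a burst of short sessions against a login service, and an outbound volume far above a host’s usual per-window baseline. The records, the thresholds, the 10.0.0.0/8 internal range and the baselines are all constructed for the example; in practice the baselines come from the host’s own history in the flow store.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int       # flow start, seconds since epoch
    src: str
    dst: str
    proto: int    # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    packets: int
    bytes: int


INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # assumed address plan


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def detect_scans(flows, fanout: int = 20, max_packets: int = 3) -> list:
    """Worm / reconnaissance sweep: one source touching many distinct
    destinations on the same port with tiny flows (typically a lone SYN)."""
    targets = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            targets[(f.src, f.dport)].add(f.dst)
    return sorted((src, port, len(t))
                  for (src, port), t in targets.items() if len(t) >= fanout)


def detect_brute_force(flows, window: int = 300, attempts: int = 40,
                       ports=(22, 3389)) -> list:
    """Many short TCP sessions from one source to one login service within a
    window: each failed login is its own small flow."""
    buckets = defaultdict(int)
    for f in flows:
        if f.proto == 6 and f.dport in ports and f.packets < 30:
            buckets[(f.src, f.dst, f.dport, f.ts // window)] += 1
    return sorted((src, dst, port, n)
                  for (src, dst, port, _w), n in buckets.items() if n >= attempts)


def detect_exfiltration(flows, baseline_bytes: dict, window: int = 300,
                        factor: int = 10) -> list:
    """Outbound bytes from an internal host to external addresses far above
    that host's usual per-window volume (baseline learned elsewhere)."""
    out = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out[(f.src, f.ts // window)] += f.bytes
    return sorted((src, w * window, total) for (src, w), total in out.items()
                  if baseline_bytes.get(src, 0)
                  and total > factor * baseline_bytes[src])


# Constructed records: benign browsing, two internal hosts sweeping a /24 on
# port 445 in rapid succession (the "same bad pattern" from the text), an
# external source hammering SSH, and one host pushing 2 GB out in minutes.
def sample_flows() -> list:
    t0 = 1_700_000_000
    flows = [Flow(t0 + i * 30, "10.0.4.4", "198.51.100.20", 6, 50000 + i, 443,
                  40, 52_000) for i in range(10)]
    for host in ("10.0.0.5", "10.0.0.9"):
        flows += [Flow(t0 + 100 + i, host, f"10.0.1.{i}", 6, 40000 + i, 445,
                       1, 60) for i in range(1, 31)]
    flows += [Flow(t0 + 200 + 2 * i, "203.0.113.10", "10.0.2.2", 6,
                   51000 + i, 22, 12, 1_900) for i in range(60)]
    flows.append(Flow(t0 + 250, "10.0.3.3", "198.51.100.7", 6, 55555, 443,
                      1_500_000, 2_000_000_000))
    return flows


# Per-host outbound bytes per 5-minute window on a normal day (constructed).
BASELINE = {"10.0.3.3": 50_000_000, "10.0.4.4": 1_000_000}

if __name__ == "__main__":
    flows = sample_flows()
    print("scans:", detect_scans(flows))
    print("brute force:", detect_brute_force(flows))
    print("exfiltration:", detect_exfiltration(flows, BASELINE))
```

Each detector keys on a different part of the record: the scan check on fan-out of the destination set, the brute-force check on the count of small flows to one service, the exfiltration check on bytes against a learned baseline. All three need the individual records; an aggregating collector that has already rolled flows up into top-talker totals cannot distinguish thirty one-packet probes from one thirty-packet session.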


WHICH NETWORK FLOW IS BEST FOR DDOS DETECTION AND MITIGATION?

Successful DDoS triage and mitigation depend on two things: speed of detection and accuracy of detection. Users considering a DDoS solution often ask if it is best to use NetFlow or sFlow. To understand what is best, it’s important to understand the differences between the two types of flow data.

NetFlow (and the very closely related cFlow, JFlow, and IPFIX) is a summary record format, where a router or other exporting device tabulates the statistics on each flow of packets flying by. A flow is typically defined as the 5-tuple of sending IP and port, receiving IP and port, and the protocol. Each packet is tabulated and added to the appropriate row in the table: 1 more packet, X more bytes. State is kept on every flow that the exporter observes, and when a flow is 60 seconds old, the record is sent to the collector, which has the task of detecting the denial of service attack.

sFlow takes a slightly different approach, keeping no state at all. Instead sFlow randomly grabs one in every N packets flying by and immediately sends it to the collector. Although this approach may appear somewhat less accurate than the NetFlow tabulation, it is actually very good for fast DDoS detection. As the flood or amplification attack starts to ramp up, the rate of packets flowing by the exporter starts to increase very rapidly. This means that the number of packet samples going to the collector (which is responsible for the DDoS detection) starts to increase immediately.


Although the NetFlow approach ensures that no packet is missed, which is great for accurate network forensics, the nature of the export timer may result in much slower detections. If the NetFlow exporter has sufficient memory to keep state on all the attack traffic, it may take up to 60 seconds before the detecting collector sees any evidence of the attack! Thankfully though, many newer NetFlow-capable devices can be tuned to export at higher rates, resulting in improved detection times.

Detection accuracy is another matter. Since both sFlow and NetFlow transmit information on sending and receiving port, and both transmit information on flag combinations and IP addresses, it is really up to the collector to make an accurate detection. Distinguishing a DNS or NTP amplification attack from a SMURF, or a FRAGGLE attack from a SynFlood, is key in performing effective mitigation. Most triage scenarios (whether using a scrubbing device or manually mitigating) rely on knowing a couple of key factors:

1. What are the targets being hit?
2. Are the bit/packet rates sufficiently high to impact the service?
3. What is the specific type (or types) of attack?

Both NetFlow and sFlow provide sufficient detail to accurately make that determination if the detection logic is present in the collector software.

In practice, both sFlow and NetFlow variants can be deployed very successfully in DDoS detection. Although some sFlow deployments detect DDoS attacks in as little as 3 seconds, the nature of the Internet has made it such that it can take some time before the attack reaches full strength. Combined with the faster NetFlow exporters that have recently started to reach the market, the speed advantage of sFlow is starting to fade. Also, keep in mind that many environments will not have a choice, as the exporting hardware is already in place, supporting only a single type of export. So the choice may not be yours, and both approaches can be used to tune and finesse for detection speed and accuracy. Most importantly, if you have both, then use both. The better the visibility, the better your defenses.
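As an added example (not part of the page or of FlowTraq’s software), the collector-side triage logic this section describes is applied below to one window of sFlow packet samples: the 1:N sampling rate scales sample counts back up to an estimated packet and bit rate per target, a per-target baseline decides whether that rate is high enough to matter, and the port, flag and ICMP-type combinations named above (DNS/NTP amplification, Smurf, Fraggle, SYN flood) label the vector. The sampling rate, window length, baselines and all samples are constructed; a real sFlow datagram carries more fields than this stripped-down Sample record.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """The header fields of one sampled packet that the triage needs."""
    proto: int           # 1 = ICMP, 6 = TCP, 17 = UDP
    src: str
    dst: str
    sport: int
    dport: int
    length: int          # IP length in bytes
    tcp_flags: int = 0   # 0x02 = SYN only
    icmp_type: int = -1  # 0 = echo reply


def vector(s: Sample) -> str:
    """Label the attack vector a sampled packet would belong to, using the
    attack types named in the text. The label only matters once the rate
    check has fired; on its own a DNS reply is just a DNS reply."""
    if s.proto == 17:
        if s.sport == 53:
            return "DNS amplification"
        if s.sport == 123:
            return "NTP amplification"
        if s.sport in (7, 19):
            return "Fraggle (UDP echo/chargen replies)"
        return "UDP flood"
    if s.proto == 1 and s.icmp_type == 0:
        return "Smurf (ICMP echo replies)"
    if s.proto == 6 and s.tcp_flags == 0x02:
        return "SYN flood"
    return "other"


def triage(samples, sampling_rate: int, interval_s: float,
           baseline_pps: dict, factor: float = 5.0) -> list:
    """Answer the three triage questions per target: who is hit, at what
    estimated packet/bit rate, and by which vector(s)."""
    per_dst = defaultdict(list)
    for s in samples:
        per_dst[s.dst].append(s)
    alerts = []
    for dst, ss in per_dst.items():
        est_pps = len(ss) * sampling_rate / interval_s          # scale 1:N back up
        est_bps = sum(s.length for s in ss) * 8 * sampling_rate / interval_s
        if est_pps <= factor * max(baseline_pps.get(dst, 0), 1):
            continue
        vectors = Counter(vector(s) for s in ss)
        top, n = vectors.most_common(1)[0]
        alerts.append({
            "target": dst, "est_pps": est_pps, "est_bps": est_bps,
            "vector": top, "vector_share": n / len(ss),
            "distinct_sources": len({s.src for s in ss}),
        })
    return sorted(alerts, key=lambda a: -a["est_pps"])


# Constructed 5-second window of 1:512 samples: a reflection flood of large
# DNS replies plus a trickle of bare SYNs at 192.0.2.10, and ordinary traffic
# toward 192.0.2.20.
def sample_window() -> list:
    samples = []
    for i in range(400):
        samples.append(Sample(17, f"198.51.100.{i % 200 + 1}", "192.0.2.10",
                              53, 40000 + i, 1400))
    for i in range(30):
        samples.append(Sample(6, f"203.0.113.{i + 1}", "192.0.2.10",
                              50000 + i, 80, 60, tcp_flags=0x02))
    for i in range(20):
        samples.append(Sample(6, "10.1.1.5", "192.0.2.20", 52000 + i, 443,
                              600, tcp_flags=0x18))
    return samples


# Normal packets-per-second toward each target, learned beforehand (constructed).
BASELINE_PPS = {"192.0.2.10": 2_000, "192.0.2.20": 2_000}

if __name__ == "__main__":
    for alert in triage(sample_window(), sampling_rate=512, interval_s=5.0,
                        baseline_pps=BASELINE_PPS):
        print(alert)
```

The same triage runs on NetFlow records by summing the packet and byte counters per destination instead of scaling sample counts; the difference the section is about is when the input arrives, since samples reach the collector as they are taken while a NetFlow record for a long-lived flow waits for the active timeout.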


THE SCALABILITY OF NETWORK FLOWS

Flow analysis will get even faster in the future. Although packet volumes are growing exponentially, network flow volumes are not growing as quickly. How is this possible? Individual flows are getting bigger (meaning more packets per flow), and this is because network sessions are primarily driven by user behavior, such as retrieving email, browsing Web pages, and consuming media. For example, we can only watch one movie at a time and read one email at a time. Analysis speeds will therefore grow over the years, as the time to process a single flow remains constant, regardless of the packet size of that flow.

Moving flow analysis into the cloud delivers additional advantages. We are able to harness the processing power to deal with transient, high-volume threats. Flow volumes may increase one-hundred-fold during a DDoS attack, which can put a strain on right-sized in-house flow processing equipment. In the cloud, flows are analyzed on a much larger platform than they would be in house; CPU resources are available to quickly detect, analyze, and mitigate these behaviors without resource-constrained slowdowns. Some crafty attackers and very stealthy bad behaviors only become apparent when viewed over many customer networks at once. The final benefit of analysis in the cloud is the most exciting of all — by analyzing flow data from thousands of sources all over the Internet together in a single window, emergent behaviors become visible that would otherwise be hidden from view when analyzed in isolation in a single network. This powerful benefit is unlocked by moving flow data to the cloud.


TIPS ON CONFIGURING FLOW EXPORT

For tips on configuring flow export from a variety of routers and switches, check out the following resources:

• Flexible NetFlow export from Cisco routers
• Simple NetFlow export from recent Cisco routers
• NetFlow export from older Cisco routers
• J-Flow export from Juniper SRX Series routers
• NetFlow export on VMWare vCenter with ESXi
• NetFlow export on Open vSwitch SDN


ABOUT FLOWTRAQ

FlowTraq® provides software and services for high-performance network monitoring, analytics, security and forensics to detect a range of network behaviors, including distributed denial of service (DDoS), brute force attacks, botnets, worms, network scans and other network traffic anomalies. FlowTraq is compatible with all the common flow formats — including NetFlow, sFlow®, IPFIX, Cflow, J-Flow, and PCAP — whether sampled or not. And thanks to a full-fidelity parallel database, FlowTraq can recall every individual traffic flow that crossed your network, no matter how long ago. This unlimited filtering capability is necessary to find an individual communication that is the source of the malware, control of the botnet, or destination of exfiltrated data.

To learn more about FlowTraq, visit www.flowtraq.com. Experience FlowTraq for yourself with a free 14-day trial (available to qualified organizations). To request a trial, visit www.flowtraq.com/trial.


16 Cavendish Court, Lebanon, New Hampshire 03766
Phone +1 (603) 727-4477 | [email protected]

© 2016 FlowTraq, Inc. All rights reserved.
FlowTraq is a registered trademark of FlowTraq, Inc.