Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Lancope Goes With The Flow

In the world of application performance management and network security monitoring, visibility is key. If you can't detect it, you can't do anything about it. That is why networks are populated with probes, taps and in-line sensors. Lancope, in addition to a system wide software upgrade, announced a new probe, the FlowSensory AE, that collects Netflow v9 records and sends them to a collector for collection and analysis. In addition, Lancope has extended Netflow v9 with additional fields that the StealthWatchXE collects outside of the normal flow data such as addresses, ports and byte counts.

The FlowSensor AE is a passive Netflow V9 generator that feeds records to the StealthWatch XE. The AE-1000 can process up to 1.5 Gbps traffic, and the AE-2000 can process upto 2.5 Gbps. Collecting Netflow records is trivial, and there are a number of free or low cost collection and analysis tools available, such as Flow-Tools, nfdump and NfSen. Lancope added custom fields to Netflow v9 records to export data that is not available from pure flow data. FlowSensor AE prices start at $6,995.

Most network communications are bi-directional with a connection from the client to the server and a second connection from the server to the client. One connection is really two or more flows. Flow data typically contains data about the flow, such as addressing, port numbers, byte counts and duration. While flow data can provide interesting analysis, it can't be used for more advanced analysis like application analysis.

FlowSensor AE collects and reports data that is found deeper in the TCP/UDP  header and payload. For example, FlowSensor AE reports Server Response Time (SRT) by tracking the time from the point a TCP three-way handshake completes to the time when the first data packet arrives. The SRT is the gap in between. FlowSensor AE reports minimum, maximum and average response times. The data is sent to the Stealthwatch XE for analysis. Straight Netflow reporting wouldn't provide the SRT since it isn't captured in flow data. In addition, the FlowSensor AE also supports the ability to collect application data. Spam bots can be detected based on the number of recipients that an email is sent to. FlowSensor AE counts the number of recipients and reports that number in a Newflow v9 record. The collector matches that with the flow and reports potential spam hosts. Netflow v9 is a flexible reporting protocol with the ability to collect and count almost anything. Monitoring virtual web servers—servers with multiple web servers sharing the same IP—can be easily tracked and monitored by collecting the HTTP host header field.

Finally, the FlowSensor AE can be configured to capture and forward a portion of the Ethernet payload to a collector for analysis; this is useful for passive OS detection. By default, the FlowSensor can forward the first 120 bytes, enough to capture IPv4, IPv6 headers, the TCP/UDP headers and some of the payload, and then send it to a StealthWatch XE collector. Lancope's Adam Powers said "some of these fields are Lancope specific extensions, but we use standardized one where they already exist."