12/24/2013 8:06 AM

Using NetFlow Data For Robust Network Security

NetFlow analytic data can spot dangerous traffic patterns including anomalous "hot-spots" of activity and compromised hosts.

While NetFlow data may traditionally be seen as a network infrastructure tool, smart security teams can get tons of benefits out of the collection of IP traffic statistics, too.

"Security professionals should consider every NetFlow and IPFIX router a security camera that allows them to go back in time and investigate suspect traffic reported by any number of security appliances," says Michael Patterson, CEO of Plixer.

According to Dr. Vincent Berk, CEO of FlowTraq, security pros may have to battle to get their hands on the data if other infrastructure people—the ones responsible for moving packets but not securing them—are at all territorial. But it is worth the effort.

"This has created a climate where security professionals have increasingly had trouble getting their hands on streams of NetFlow throughout their organizations," Berk says. "However, the advanced values that a security professional can get from NetFlow is enormous."

Read the rest of this article on Dark Reading.


No Silver Bullet

"Robust" in the sense that if you add this to your existing in-depth arsenal of analysis tools, then yes, it's another good thing to have around. I note that the Dark Reading article says "More Robust," which is a bit more accurate in my opinion.


NetFlow is great, but data may not be complete, and is not as "real time" as we'd typically like. It's not like it's streaming information constantly to a NetFlow analyzer. Typically NetFlow data aggregates IPs (because storing every individual IP flow is just too much overhead for busy routers, whether in terms of CPU or memory), has limited storage assigned to it (after which, should you ditch the older data or just not add the new data?), and is only dumped from the router to a collector periodically (the time frame for which determines the potential granularity of the definition of 'real time' analysis).


You can of course allow NetFlow to capture every flow in detail, assign a lot of memory to it, and dump every minute - with, as you can imagine, an accompanying impact on the network devices providing the data. I'm sure some can handle it well, but NetFlow is not a panacea for full network visibility. The fact that the data comes neatly formatted and ready for onward processing is very helpful, though, and if you can see discrepancies in that data that will help security, then certainly there's no harm. As with every tool, though, we have to recognize the inherent limitations in the data gathering process and take that into account when analyzing the output.
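To make the two points above concrete, here is an added example (written for this page, not code from the article, Plixer or FlowTraq) that runs a fan-out "hot-spot" check over constructed flow records, the kind of retrospective query the "security camera" quote describes, and shows how a periodic export interval delays when a flow becomes visible to the collector. The record layout, the 300-second export interval and all addresses are constructed for illustration.

```python
"""Toy NetFlow-style analysis: flag fan-out hot-spots and show export latency."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: int      # flow start, seconds (constructed timestamps)
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int


# Constructed sample: one host touching 40 internal hosts on port 445 with
# one-packet flows (a scan-like hot-spot), plus ordinary client traffic.
SAMPLE_FLOWS = [
    Flow(1000, "10.0.0.5", f"10.0.1.{i}", 445, 1, 60) for i in range(1, 41)
] + [
    Flow(1005, "10.0.0.7", "198.51.100.10", 443, 120, 98000),
    Flow(1010, "10.0.0.8", "198.51.100.10", 443, 80, 64000),
    Flow(1300, "10.0.0.7", "10.0.2.9", 22, 30, 9000),
]


def fan_out(flows, window_start, window_end):
    """Count distinct destinations per source for flows starting in [start, end)."""
    dests = defaultdict(set)
    for f in flows:
        if window_start <= f.start < window_end:
            dests[f.src].add(f.dst)
    return {src: len(d) for src, d in dests.items()}


def hot_spots(flows, window_start, window_end, threshold=20):
    """Sources contacting more than `threshold` distinct hosts in the window."""
    counts = fan_out(flows, window_start, window_end)
    return sorted(src for src, n in counts.items() if n > threshold)


def earliest_visible(flow_start, export_interval):
    """A flow is only at the collector once the export interval containing it ends,
    so detection granularity can never be finer than the interval."""
    return (flow_start // export_interval + 1) * export_interval


if __name__ == "__main__":
    print("hot-spots:", hot_spots(SAMPLE_FLOWS, 0, 2000))
    print("flow at t=1000 visible at t=", earliest_visible(1000, 300))
```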