
Getting to Know Netflow

Finally, a tool to see what's bleeding the network dry and to identify anomalous behavior, all from existing router information

There's an emerging tool that is available on practically every network that can help analyze and profile that network. With it, you can finally understand what your network is actually used for. On top of that, it may become a cornerstone in protecting the enterprise by securing the network fabric.

What is NetFlow? It is simply the aggregation of packets into "flows" and the reporting of that data. A flow is a collection of packets that can be characterized by source and destination IP addresses and ports, as well as a few more characteristics. The packets in a particular flow are counted and reported to a collector. Cisco and most other routers support NetFlow. NetFlow is used by all the major ISPs and carriers to resolve peering issues and account for whose traffic flows over which network.

Imagine being able to classify all of the traffic on your network into source, destination, and application. You can immediately determine which applications, users, and servers consume the most resources. You may be surprised, as the operators of Internet2 were, to discover that over 90% of your traffic is not business related, for instance. You may find a server that has been infected with a worm for months, spewing packets that eat up valuable bandwidth. You may discover unauthorized Web, gaming, IRC, or Warez servers on your network. (See Aurora Reaches for Security Rx.)

On top of providing complete network visibility and analysis capability, NetFlow makes possible something called Network Behavior Analysis. There are two possible ways to control how a network is used: policy-based or behavior-based methods. Unfortunately, it is nearly impossible to actually set policies within most network environments. The combination of users, end points, servers, protocols, and applications is too complex to define explicitly and too large for most switches and routers to enforce without a significant degradation of performance. Even if it were possible to set such a policy, the daily changes to it would create a management nightmare.

Behavior-based profiling is simple in concept. Using NetFlow, a behavior-based system profiles the typical connections made between devices. This can be as granular as hour by hour, day by day. After the network is "learned," any variation is anomalous and can be alerted on or even proactively blocked. For instance, no user laptop would be expected to scan random IP addresses unless it was infected by a worm or hacking tools were being used.
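To make the two ideas above concrete (aggregating packets into 5-tuple flows for the "who consumes what" view, then learning a baseline and flagging deviations such as a laptop fanning out to many hosts), here is a small added example; it is not from the article or any of the vendors named, and the flow records and thresholds are constructed for illustration:

```python
from collections import defaultdict

# Constructed NetFlow-style records (not real captures):
# (src_ip, dst_ip, src_port, dst_port, proto, packets, bytes)
BASELINE = [
    ("10.0.0.5", "10.0.1.10", 51000, 80, 6, 40, 52000),
    ("10.0.0.5", "10.0.1.10", 51000, 80, 6, 12, 9800),   # same 5-tuple, gets merged
    ("10.0.0.5", "10.0.1.20", 51002, 443, 6, 30, 41000),
    ("10.0.0.7", "10.0.1.20", 52000, 443, 6, 8, 6400),
]
# Observed window: 10.0.0.5 suddenly touches twelve hosts on port 445, one packet each
OBSERVED = [
    ("10.0.0.5", "10.0.1.10", 51100, 80, 6, 35, 47000),
    ("10.0.0.7", "10.0.1.20", 52100, 443, 6, 9, 7000),
] + [("10.0.0.5", f"10.0.2.{i}", 40000 + i, 445, 6, 1, 60) for i in range(1, 13)]

def aggregate_flows(records):
    """Sum packets and bytes per 5-tuple, the way an exporter builds flow records."""
    flows = defaultdict(lambda: [0, 0])
    for src, dst, sport, dport, proto, pkts, nbytes in records:
        key = (src, dst, sport, dport, proto)
        flows[key][0] += pkts
        flows[key][1] += nbytes
    return {k: tuple(v) for k, v in flows.items()}

def top_talkers(flows, n=3):
    """Sources ranked by total bytes sent: the 'what is eating bandwidth' view."""
    totals = defaultdict(int)
    for (src, *_), (_, nbytes) in flows.items():
        totals[src] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def distinct_peers(flows):
    """Number of distinct destination hosts each source talked to."""
    peers = defaultdict(set)
    for src, dst, *_ in flows:
        peers[src].add(dst)
    return {src: len(d) for src, d in peers.items()}

def anomalous_sources(baseline_flows, observed_flows, factor=3, min_peers=5):
    """Flag sources whose peer fan-out grew far past the learned baseline (scan-like)."""
    base = distinct_peers(baseline_flows)
    flagged = {}
    for src, seen in distinct_peers(observed_flows).items():
        expected = base.get(src, 0)
        if seen >= min_peers and seen > factor * max(expected, 1):
            flagged[src] = (expected, seen)   # (baseline peers, observed peers)
    return flagged
```

Running `anomalous_sources(aggregate_flows(BASELINE), aggregate_flows(OBSERVED))` flags only 10.0.0.5 (2 peers learned, 13 seen), while 10.0.0.7, which has no baseline but talks to a single server, stays below the threshold.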

What tools are available to leverage NetFlow? There are several freeware applications as well as numerous vendors of NetFlow-based modeling, analysis, and control. Flowd and Flow-tools are freeware software packages that collect NetFlow data. Flowscan creates reports and works with Flow-tools.

Commercial products have gone much further in developing the security capabilities of NetFlow. Arbor Networks provides tools to most large ISPs, which are beginning to join a reporting community to track down and squelch spammers and other sources of network attacks. Arbor also provides an enterprise product for internal network modeling and hardening. Czech Republic-based Caligare provides a basic set of tools for collecting and reporting NetFlow data. Of all the NetFlow vendors, Lancope has had the most consistent focus on internal network security since its inception. Its StealthWatch product is designed to identify malicious behavior and to alert or even block when anomalies are detected.

Mazu Networks, like Arbor, was originally formed to counter distributed denial-of-service (DDoS) attacks. But having a powerful NetFlow monitoring and modeling solution gave it the ability to introduce enterprise products for securing the network. And finally, Q1 Labs is bridging network behavior analysis (NBA) with security management by incorporating vulnerability assessment information into its dashboard.

While all of these vendors are attempting to demonstrate that their products enhance an organization's ability to be compliant with various regulations, I believe the true value in their products comes from the ability to make networks visible and ultimately to harden and secure them. I believe using NetFlow correctly is the single most important step remaining for enterprises to secure their networks.

— Richard Stiennon is founder of IT-Harvest Inc. Special to Dark Reading
