Network flows were historically used as a statistical feed for traffic measurement and usage accounting. With data on network utilization in hand, organizations could quickly put it to work for quality of service (QoS) scoping, bandwidth-utilization trending, enterprise application performance tuning, and even third-party billing of clients piggybacking on, or in some cases leasing, network access from Internet service providers. Network performance monitoring and management products have since evolved to meet the requirements imposed on them by desperate security analysts looking for visibility into what users and systems are actually doing on the network.
For the enterprise, the technology can be used to detect anomalous network or system activity, as a botnet early-warning system (for example, an internal host that checks in with the same external address at a fixed interval), and as a data loss prevention control (an internal host pushing far more data out of the network than its peers). Because flow records are generated continuously for all traffic, the products also make a lightweight complement to host and network intrusion detection systems; they carry headers and counters rather than payloads, though, so they do not replace signature-based inspection.
From an audit and change control perspective, flow-capable tools can be used to monitor and profile every service and port in use on a network. This gives firewall administrators a clear picture of which observed conversations between disparate network segments and systems a proposed rule change would disrupt if enacted. Third-party enterprise security information management (ESIM) products, including the many players in the security information and event management (SIEM) and log management (LM) subsectors, can consume the output of flow-generating products to augment their own flow and log stores. The collected data can then be normalized and correlated to give a broader view of what is happening on the network.
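The three uses described above (beacon detection, outbound-volume outliers, and checking what a proposed firewall rule would cut off) come down to simple aggregations over flow records. The following is an added example, not code from the original article or from any vendor's product; the flow records are constructed, the `Flow` fields are a hypothetical simplification of NetFlow v5 (start time, 5-tuple, byte count), and the thresholds are illustrative:

```python
"""Flow-record heuristics over constructed records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    """Hypothetical subset of a NetFlow v5 record."""
    start: datetime
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    bytes: int


INTERNAL_PREFIX = "10.0."  # assumption: everything in 10.0.0.0/16 is "inside"


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def service_profile(flows):
    """Map each (dst, dport, proto) service to the set of sources that used it."""
    profile = defaultdict(set)
    for f in flows:
        profile[(f.dst, f.dport, f.proto)].add(f.src)
    return profile


def rule_impact(flows, src_prefix, dst_prefix, dport=None, proto=None):
    """Observed conversations a proposed deny rule would block (sorted)."""
    hit = set()
    for f in flows:
        if not (f.src.startswith(src_prefix) and f.dst.startswith(dst_prefix)):
            continue
        if dport is not None and f.dport != dport:
            continue
        if proto is not None and f.proto != proto:
            continue
        hit.add((f.src, f.dst, f.dport, f.proto))
    return sorted(hit)


def beacon_candidates(flows, min_count=4, jitter=timedelta(seconds=5)):
    """Internal -> external pairs whose flow start times are near-periodic.

    Returns [((src, dst), mean_interval)] for pairs with at least min_count
    flows whose inter-arrival gaps all fall within `jitter` of each other.
    """
    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            by_pair[(f.src, f.dst)].append(f.start)
    found = []
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            found.append((pair, sum(gaps, timedelta()) / len(gaps)))
    return found


def egress_outliers(flows, threshold_bytes):
    """Internal sources that sent more than threshold_bytes outside the network."""
    total = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            total[f.src] += f.bytes
    return {src: b for src, b in total.items() if b > threshold_bytes}


# Constructed sample records: two web clients, one DNS lookup, a host
# beaconing to 203.0.113.9 every ~60 s, and a host pushing ~1 GB outbound.
T0 = datetime(2024, 1, 1, 9, 0, 0)
FLOWS = [
    Flow(T0, "10.0.1.10", "10.0.5.20", 51000, 443, "tcp", 12_000),
    Flow(T0 + timedelta(minutes=1), "10.0.1.11", "10.0.5.20", 51002, 443, "tcp", 8_000),
    Flow(T0, "10.0.1.10", "10.0.5.53", 53002, 53, "udp", 200),
    Flow(T0, "10.0.1.77", "203.0.113.9", 40001, 8080, "tcp", 300),
    Flow(T0 + timedelta(seconds=60), "10.0.1.77", "203.0.113.9", 40002, 8080, "tcp", 300),
    Flow(T0 + timedelta(seconds=121), "10.0.1.77", "203.0.113.9", 40003, 8080, "tcp", 300),
    Flow(T0 + timedelta(seconds=180), "10.0.1.77", "203.0.113.9", 40004, 8080, "tcp", 300),
    Flow(T0 + timedelta(minutes=5), "10.0.1.42", "198.51.100.7", 52000, 443, "tcp", 600_000_000),
    Flow(T0 + timedelta(minutes=6), "10.0.1.42", "198.51.100.7", 52001, 443, "tcp", 400_000_000),
]

if __name__ == "__main__":
    print("deny 10.0.1.0/24 -> 10.0.5.0/24 tcp/443 would break:",
          rule_impact(FLOWS, "10.0.1.", "10.0.5.", dport=443, proto="tcp"))
    print("beacon candidates:", beacon_candidates(FLOWS))
    print("egress outliers (>100 MB):", egress_outliers(FLOWS, 100_000_000))
```

The jitter window and byte threshold are the tunables that matter in practice: a real collector sees thousands of pairs, and the beacon check only works once flows are deduplicated per conversation and the interval is long enough to stand out from ordinary keep-alives.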
From the carrier network and service-provider side of the table, the technology can be leveraged in the same fashion, though on a much larger scale, for network diagnostics and management of fixed, mobile, IP and converged multiservice networks.
Network flows provide an added layer of visibility into what is happening on the network without the need to become a "packet head." There are some limitations in the depth of inspection, but if a 10,000-foot view is all that is required, network flows may be the perfect contributor to your security and compliance-monitoring infrastructure.
Andrew Hay is senior analyst with The 451 Group's Enterprise Security Practice and is an author of three network security books. Follow him on Twitter: http://twitter.com/andrewsmhay