Network traffic analysis has historically been a secondary concern when selecting new hardware. However, as TechTarget noted, corporate IT ecosystems, and the threats targeting them, have evolved considerably over the past several years. The emergence of BYOD (bring your own device) and increasingly sophisticated distributed denial of service (DDoS) attacks means that built-in network analysis features are required to maintain performance and security.
Types of flows
Flow analysis is a particularly valuable tool in mitigating high traffic risks because it gives you a detailed idea of what is happening on the network. There are three types of flows that are commonly used to identify trends and spot problems. For each, setting up flow processing requires you to configure a router or switch to act as an exporter, meaning that it will send traffic data to a flow analysis tool.
NetFlow is a technology developed by Cisco that records all IP traffic on the network. According to TechTarget, this gives the most accurate representation of network activity, since it uses all IP traffic data. However, it can also contribute to increased CPU utilization – exporting at 10,000 flows per second translates to roughly 7 percent additional CPU usage.
sFlow only takes a sample of packets that flow through the network. This means that some conversations may be missed, which would limit IT’s ability to spot anomalies when performing detailed analysis. However, sFlow utilizes a dedicated chip to process information and can also be used with legacy network protocols, so it does not result in the same performance hit as NetFlow.
JFlow is very similar to NetFlow but was developed by Juniper Networks.
Deciding which of these is the best choice ultimately depends on how you’re going to use it. For compliance auditing and in-depth network analysis, administrators should use NetFlow or JFlow because they provide the detail required to spot potentially problematic incidents. sFlow is useful for trend analysis or figuring out who uses the most bandwidth without placing too much strain on the CPU.
Putting the data to use
Flow analysis tools vary significantly in terms of functionality, so it’s important to make sure you’re getting the most for your money. Some key features include:
- Support for multiple flow protocols
- Auto discovery
- Granular and high-level data views
These essential features enable administrators to gain more insight into their networks and respond to problems quickly. For instance, using real-time traffic analysis allows you to see spikes in network traffic immediately, while historical data can be used to investigate an issue on a deeper level.
This does not mean that flows should replace other security tools such as firewalls. However, relying entirely on perimeter-based defenses will likely leave security gaps – it is these holes that protocols such as NetFlow, JFlow and sFlow are designed to fill. By analyzing actual network traffic, IT personnel will be able to detect anomalies even when a threat bypasses signature-based detection safeguards.
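As an added illustration of the spike and anomaly detection described above (example code, not part of the original article or any vendor's tooling), the following Python parses a NetFlow v5 export datagram, scales sampled counts back up using the sampling interval carried in the header, and flags destinations that either receive an unusual byte volume or are being contacted by many distinct sources at once, the pattern a DDoS produces in flow data. The datagram, addresses and thresholds are constructed for the example.

```python
import struct
from collections import defaultdict

# NetFlow v5 wire format (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram):
    """Return (sampling_interval, records) from one exported v5 datagram."""
    version, count, *_rest, sampling = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    interval = (sampling & 0x3FFF) or 1   # low 14 bits; 0 means unsampled (1:1)
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": ".".join(map(str, f[0])),
                        "dst": ".".join(map(str, f[1])), "octets": f[6]})
    return interval, records

def flag_spikes(records, interval, octet_threshold, min_sources):
    """Aggregate per destination, scale sampled counts up, and return alerts."""
    octets, sources = defaultdict(int), defaultdict(set)
    for r in records:
        octets[r["dst"]] += r["octets"] * interval   # extrapolate sampled volume
        sources[r["dst"]].add(r["src"])
    alerts = {}
    for dst, total in octets.items():
        if total >= octet_threshold:
            alerts[dst] = "volume"   # one destination pulling an unusual byte count
        elif len(sources[dst]) >= min_sources:
            alerts[dst] = "fan-in"   # many sources converging on one target
    return alerts

def build_v5_datagram(flows, interval):
    """Constructed exporter output for testing; flows = (src, dst, octets, dport)."""
    ip = lambda a: bytes(map(int, a.split(".")))
    hdr = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, interval)
    recs = [V5_RECORD.pack(ip(s), ip(d), b"\0" * 4, 1, 2, 1, o, 0, 0, 40000, p,
                           0, 0x02, 6, 0, 0, 0, 24, 24, 0) for s, d, o, p in flows]
    return hdr + b"".join(recs)

# Constructed sample (1:10 sampled): 20 hosts hit one web server, a second gets a big download.
SAMPLE = build_v5_datagram(
    [(f"192.0.2.{n}", "10.0.0.5", 60, 80) for n in range(1, 21)]
    + [("198.51.100.7", "10.0.0.9", 900000, 443), ("198.51.100.8", "10.0.0.9", 500, 443)],
    interval=10)

def analyze(datagram=SAMPLE, octet_threshold=5_000_000, min_sources=16):
    interval, records = parse_netflow_v5(datagram)
    return flag_spikes(records, interval, octet_threshold, min_sources)
```

The thresholds are placeholders; in practice they come from a baseline of the network's own historical flow data, which is exactly where the historical views mentioned earlier earn their keep.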