Bloggers speak out on BradReese.Com: 5 keys to successful enterprise NetFlow deployments

Sanford, ME: Mon, 11/26/12 - 11:11am

After talking with hundreds of our NetFlow customers, I have found that there are basically five keys to our more successful enterprise NetFlow deployments. In this post I outline the features that apply to pretty much all enterprise-class NetFlow rollouts. Business objectives vary and IT needs change from one organization to the next, but we have found that these five keys make for the most productive and scalable NetFlow installations.

5) Scalability

Although most customers don't send more than 20K flows per second collectively from all switches and routers, collection rate is very important. In the near future hardware will export more detail in NetFlow and IPFIX, and because of this flow collectors will start to see double and triple today's flow rates. At a minimum, choose a vendor whose solution can scale to over 100K flows per second per appliance. With that kind of capacity you can scale into the millions of flows per second in a distributed NetFlow collection environment.

4) Network Threat Detection

Firewalls and Intrusion Prevention Systems are the first line of defense against Internet malware, but what about internal threats? Zero-Trust security models require constant monitoring for malware that may have already made it onto the network. Flow-based threat detection systems watch for odd flow behaviors from each host on the network over a series of minutes. They compare the IP addresses seen in flows against Internet reputation lists and alert when a host's threat index rises or its violation count exceeds a configured threshold.

3) Reconnaissance

Positive threat identification almost always requires follow-up investigation. Identifying where the threat entered the perimeter of the network, how it got in, who was logged in and when it occurred requires the very best in ad hoc filtering and reporting. Most times when cleaning up malware we need to know which other machines may have been involved. Searching the database for machines engaged in similar traffic behaviors needs to be fast, scalable and capable of looking back over a long period of time.

2) Flow and Log Correlation

NetFlow and IPFIX reporting is greatly enhanced by correlating it with the details found in syslog or machine logs from just about any vendor. If a syslog message tells us about a threat or a denied connection, we can take the IP address or protocol, query the flow data and find out who or what was participating at the time of the event. The line between flows and logs is diminishing, and the Mean Time To Know (MTTK) can often be reduced when further details such as URLs visited are readily available from a single interface.

1) Contextual Details

This is a feature just starting to be offered in next-generation NetFlow and IPFIX solutions. Contextual details extend flow and log correlation with rich details such as username and operating system, which are often found only in proprietary logs or databases. Enterasys Mobile IAM and Cisco ISE collect these details and can be set up to share them with flow reporting solutions. With the rising interest in controlling BYOD traffic, this area is likely to expand.

The best NetFlow solutions go beyond top-X reporting and think about the enterprise as a whole in terms of integration with other forms of data. Attend the Advanced NetFlow Training Seminar and find out why thousands have deployed our NetFlow appliance.

Aamer Akhter, Technical Leader & Architect for Network Management Solutions at Cisco Systems: "For the last 6 years I have been working with Cisco's NetFlow engineering team, customers as well as many network management system vendors... Plixer is one of the industry's premier thought leaders. It is clear to me that Michael and the team at Plixer are passionate when it comes to anything NetFlow and IPFIX related. This is a company that is on the bleeding edge of NetFlow/IPFIX processing and has much to share with the industry."

Mike Patterson's other blog stories: Dell solves complex business problems; Systrax High-Impact Network Monitoring; TMCnet Advanced NetFlow Traffic Analysis
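Keys 4 (Network Threat Detection) and 2 (Flow and Log Correlation) both come down to the same operation: look up flow records by peer address and time window, either to count a host's contacts with reputation-listed addresses or to find every host that talked to the address named in a firewall deny message. The following is an added example written for this page, not code from the post or from any Plixer product. The flow records, the reputation list and the syslog line format are all constructed for illustration (documentation-range addresses, a made-up "fw01" firewall), and the five-minute correlation window and the violation threshold are assumed values.

```python
"""Flow/log correlation and reputation-list checks over constructed NetFlow-style records."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class Flow:
    ts: datetime   # flow start time as stored by the collector
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port
    proto: str     # transport protocol
    octets: int    # bytes in the flow


# Constructed sample flows (documentation-range addresses, not real traffic).
FLOWS = [
    Flow(datetime(2012, 11, 26, 11, 0, 5), "10.1.1.20", "203.0.113.7", 443, "tcp", 5200),
    Flow(datetime(2012, 11, 26, 11, 0, 9), "10.1.1.21", "203.0.113.7", 443, "tcp", 4100),
    Flow(datetime(2012, 11, 26, 11, 1, 30), "10.1.1.20", "198.51.100.9", 80, "tcp", 900),
    Flow(datetime(2012, 11, 26, 11, 2, 0), "10.1.1.22", "203.0.113.7", 443, "tcp", 300),
    Flow(datetime(2012, 11, 26, 11, 3, 0), "10.1.1.20", "198.51.100.10", 6667, "tcp", 120),
    Flow(datetime(2012, 11, 26, 11, 3, 5), "10.1.1.20", "198.51.100.11", 6667, "tcp", 130),
    Flow(datetime(2012, 11, 26, 11, 40, 0), "10.1.1.23", "203.0.113.7", 443, "tcp", 700),
]

# Constructed reputation list; a real deployment would load a vendor or community feed.
REPUTATION = {"203.0.113.7", "198.51.100.10", "198.51.100.11"}

# Constructed firewall syslog line; the message format is hypothetical.
SYSLOG_DENY = "Nov 26 11:02:10 fw01 filter: DENY tcp 10.1.1.22:51234 -> 203.0.113.7:443"

# Matches the hypothetical format above: "<syslog timestamp> <host> <tag> DENY <proto> <src>:<sport> -> <dst>:<dport>"
DENY_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ DENY (\w+) (\S+):(\d+) -> (\S+):(\d+)$"
)


def parse_deny(line, year=2012):
    """Pull timestamp, protocol and endpoints out of a DENY line; None if it does not match.

    Classic syslog timestamps carry no year, so the caller supplies it (assumed here)."""
    m = DENY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proto": m.group(2), "src": m.group(3),
            "dst": m.group(5), "dport": int(m.group(6))}


def hosts_talking_to(flows, ip, center, window=timedelta(minutes=5)):
    """Correlation (key 2): sources that exchanged flows with `ip` within +/- `window` of `center`."""
    return sorted({f.src for f in flows if f.dst == ip and abs(f.ts - center) <= window})


def reputation_violations(flows, reputation, threshold):
    """Detection (key 4): per-source count of flows to reputation-listed peers,
    returning only sources at or above `threshold`."""
    counts = Counter(f.src for f in flows if f.dst in reputation)
    return {host: n for host, n in counts.items() if n >= threshold}


def investigate(line, flows=FLOWS, reputation=REPUTATION, threshold=2):
    """Tie the two together: from one deny message, list every host that reached the
    same peer around that time, plus any host with repeated reputation hits."""
    event = parse_deny(line)
    if event is None:
        return None
    return {
        "event": event,
        "peers_of_denied_dst": hosts_talking_to(flows, event["dst"], event["ts"]),
        "repeat_offenders": reputation_violations(flows, reputation, threshold),
    }


if __name__ == "__main__":
    result = investigate(SYSLOG_DENY)
    print("denied destination:", result["event"]["dst"], "at", result["event"]["ts"])
    print("hosts that also reached it within 5 minutes:", result["peers_of_denied_dst"])
    print("hosts with >= 2 reputation hits:", result["repeat_offenders"])
```

Run as a script it reports that three internal hosts reached the denied destination within five minutes of the firewall event, and that 10.1.1.20 alone has three flows to listed addresses. The point of the `window` argument is the one the post makes under Reconnaissance: the same query has to work just as well when `center` is weeks in the past, so in a real collector this lookup is an indexed query on (peer address, time) rather than a scan of a Python list.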