The leader in NetFlow collection should be determined by examining several attributes of the overall NetFlow solution. The best NetFlow implementations should have a history of winning NetFlow awards and should demonstrate leadership in several key areas of this growing technology.
The most scalable, high-volume NetFlow solutions are measured by how many flows per second they can handle within a single NetFlow appliance. Since flow exports such as Cisco Application Visibility and Control are producing higher flow volumes with richer contextual details (round trip time, packet loss, retransmit counts, URLs, etc.), a solution that can handle over 100K flows per second is becoming a requirement.
Network Threat Detection
One of the ideal attributes of a robust network threat detection solution is its ability to take a multi-layered approach to detecting unwanted network behaviors. This is often done by analyzing NetFlow telemetry: all flows should be run through flow analytic algorithms that look for nefarious traffic patterns such as network scans, odd flow ratios, unwanted protocols, etc. that could be trying to fly under your watchful radar.
Forensic Investigation Capabilities
This feature is needed when a network threat is suspected. The leader in NetFlow solutions provides mechanisms for changing the report and modifying the filters in ways that guide the investigator down to the suspect traffic in question.
When 100K flows per second per appliance isn't enough, collection can be distributed across multiple collectors, and the front end should provide visibility across all of them. Deduplication and flow stitching should also be performed.
Flexible NetFlow Reporting
When the elements or attributes we want to report on are not displayed in the available reports, the leader in NetFlow solutions gives the user a way to customize reports and reorder columns so that they can create the exact report they are looking for. Only the most flexible NetFlow solutions support this.
The NetFlow reporting interface shouldn't be limited to hard-coded vendor filtering options. The leader in NetFlow solutions should allow filtering on any element contained in the template (e.g., MAC address, VLAN, time to live, packet loss, URLs, etc.), and the filtering should support greater than, less than, equal to, and similar expressions.
Custom Threat Monitors
The best NetFlow solutions can be configured to watch for custom unwanted traffic patterns, such as mail traffic not involving the local mail server or DNS traffic to hosts other than the local DNS servers. Excessive traffic to facebook.com or other web sites can also be monitored.
One collector for all
A single collector should be able to accept flow data regardless of the flow technology du jour. Vendors requiring a separate collector for sFlow vs. NetFlow or IPFIX are not leaders in NetFlow technology.
One of the most important security layers is the ability to compare the IP addresses in all flows to a constantly updated IP reputation database of known compromised internet hosts. For most companies this is one of the best defenses against some of the scariest internet attacks such as Advanced Persistent Threats (APTs).
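The three detection layers described on this page (flow analytics for scan-like patterns, custom threat monitors for off-server DNS and mail traffic, and the IP reputation comparison) all reduce to simple checks over exported flow records. The following Python is an added illustration written for this page; it is not Plixer's code and not a NetFlow collector. The site configuration (local network, resolver and mail server addresses), the reputation list entry and every flow record are constructed sample values using reserved documentation address ranges.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One exported flow record, reduced to the fields the checks below need."""
    src: str
    dst: str
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    dport: int
    packets: int
    octets: int


# --- Site configuration (assumed values for this example, not from the page) ---
LOCAL_NETS = [ip_network("10.0.0.0/8")]
LOCAL_DNS = {"10.1.0.53"}           # the only resolvers internal hosts should query
LOCAL_MAIL = {"10.1.0.25"}          # the only host that should send or receive SMTP
MAIL_PORTS = {25, 465, 587}
# Constructed stand-in for an IP reputation feed (TEST-NET-3 address, not a real indicator).
REPUTATION_LIST = {"203.0.113.7"}


def is_local(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def detect_scans(flows, min_ports=20):
    """Flow analytic: one source touching many distinct ports on one destination."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
    return sorted((s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports)


def detect_rogue_dns(flows):
    """Custom monitor: DNS from an internal host to anything but the local resolvers."""
    return sorted({(f.src, f.dst) for f in flows
                   if f.dport == 53 and is_local(f.src) and f.dst not in LOCAL_DNS})


def detect_offsite_mail(flows):
    """Custom monitor: SMTP sessions in which neither endpoint is the local mail server."""
    return sorted({(f.src, f.dst) for f in flows
                   if f.dport in MAIL_PORTS and not ({f.src, f.dst} & LOCAL_MAIL)})


def detect_reputation_hits(flows, bad_ips=REPUTATION_LIST):
    """Reputation layer: either endpoint of the flow appears on the known-bad list."""
    return sorted({(f.src, f.dst) for f in flows if f.src in bad_ips or f.dst in bad_ips})


def analyze(flows):
    """Run every layer over the same flow set and return the findings by category."""
    return {
        "scans": detect_scans(flows),
        "rogue_dns": detect_rogue_dns(flows),
        "offsite_mail": detect_offsite_mail(flows),
        "reputation": detect_reputation_hits(flows),
    }


# --- Constructed sample export: one benign and one suspicious record per monitor ---
SAMPLE_FLOWS = (
    [Flow("10.1.1.5", "10.1.2.10", 6, p, 1, 60) for p in range(100, 130)]   # 30-port probe
    + [
        Flow("10.1.1.20", "10.1.0.53", 17, 53, 1, 80),        # normal DNS to local resolver
        Flow("10.1.1.20", "198.51.100.53", 17, 53, 1, 80),    # DNS bypassing the local resolver
        Flow("10.1.1.30", "10.1.0.25", 6, 25, 12, 2400),      # normal mail via local server
        Flow("10.1.1.30", "198.51.100.25", 6, 25, 12, 2400),  # mail not involving local server
        Flow("10.1.1.40", "203.0.113.7", 6, 443, 40, 9000),   # conversation with a listed host
    ]
)

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_FLOWS).items():
        print(f"{name}: {hits}")
```

Each check is keyed on fields that any NetFlow v5/v9 or IPFIX export carries (addresses, protocol, destination port), which is why they work as a first-pass filter before an investigator drills into the richer template fields. The scan threshold and the "local" definitions are the tuning knobs; in practice the reputation list would be refreshed from a feed rather than embedded as a constant.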
Want to learn more? Read the book on NetFlow that is endorsed by Cisco.
Reach out to the leader in NetFlow by Contacting Plixer for the very best in NetFlow Collection +1 (207)324-8805.