Network traffic analysis has historically been a secondary concern when selecting new hardware. However, corporate IT ecosystems, and the threats targeting them, have evolved considerably over the past several years. The emergence of BYOD (bring your own device) and increasingly sophisticated distributed denial of service (DDoS) attacks mean that built-in network analysis features are required to maintain performance and security.
Types of Network Flows to Monitor
Flow analysis is a particularly valuable tool in mitigating high-traffic risks because it gives you a detailed picture of what is happening on your network. What should you expect to see in a flow analysis? Flow data capture lets you see who is sending and receiving data, what kind of traffic it is, and when that traffic is occurring. This data is extremely important when you are trying to confirm what types of traffic are traversing your network, whether peer-to-peer, web, backup, or other traffic you may not be aware of.
There are three flow technologies commonly used to identify trends and spot problems: NetFlow, sFlow, and JFlow. For each, setting up flow processing requires you to configure a router or switch to act as an exporter, meaning that it sends traffic data to a flow analysis tool.
NetFlow is a technology developed by Cisco for collecting and monitoring network traffic flow data generated and captured by NetFlow-enabled routers and switches. It gives the most accurate representation of network activity, since it uses all IP traffic data, and it allows for more efficient switching of packets according to packet type. However, it can also contribute to increased CPU utilization: exporting at 10,000 flows per second translates to roughly seven percent additional CPU usage.
sFlow only takes a sample of the packets that flow through the network. This means that some conversations may be missed, which limits the network administrator's ability to spot anomalies when performing detailed analysis. However, sFlow uses a dedicated chip to process information and can also be used with legacy network protocols, so it does not incur the same performance hit as NetFlow. sFlow is primarily available on devices from vendors such as 3Com, Netgear, Dell, and Hewlett Packard.
JFlow is very similar to sFlow, as it is also an IP traffic flow sampling technology, developed and used by Juniper Networks. Much like sFlow, it is enabled on an interface and allows packets in the input stream to be sampled. The router or switch examines each packet but records and exports only packets it has not seen before, discarding those it has already seen.
Deciding which of these protocols is the best choice ultimately depends on how you’re going to use it and which vendor devices you have running in your environment. For example, large organizations that require all communications with customers be captured and analyzed might want to consider NetFlow because it provides more substantial data. Its detailed data can be used for compliance auditing, security, and in-depth network analysis required in identifying potentially problematic incidents.
If the main goal is to find out who or what is consuming the bandwidth on your network, sFlow is useful for that kind of trend analysis without placing too much strain on the CPU. sFlow-capable devices are less costly and somewhat easier to manage. For any of these options to work, however, it is important to note that the device in question must support flow data capture and export.
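As an added example, not code from the original article or from Intermapper, here is a small NetFlow v5 parser in Python that turns an exporter datagram into the who/what view described above: top talkers, top listeners, and a traffic mix keyed by destination port. The datagram, the addresses, and the port-to-category table are constructed for this example; the sampling-interval scaling is included because a sampling exporter reports only 1-in-N packets and the counters must be scaled back up before comparing hosts.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# NetFlow v5 wire layout, big-endian: 24-byte header, then 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")               # version, count, uptime, secs, nsecs, seq, engine, sampling
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifaces, pkts, bytes, times, ports, ...
PORT_CLASSES = {80: "web", 443: "web", 22: "backup/ssh", 6881: "peer-to-peer"}  # assumed port-to-class map

def parse_v5(datagram):
    """Return one dict per flow record in a NetFlow v5 export datagram."""
    hdr = HEADER.unpack_from(datagram, 0)
    if hdr[0] != 5:
        raise ValueError("not a NetFlow v5 datagram (version=%d)" % hdr[0])
    scale = (hdr[8] & 0x3FFF) or 1   # low 14 bits = 1-in-N sampling rate; scale counters back up
    flows = []
    for i in range(hdr[1]):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "packets": f[5] * scale, "bytes": f[6] * scale,
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows

def bytes_by(flows, key):
    totals = Counter()                # bytes summed under an arbitrary grouping key
    for f in flows:
        totals[key(f)] += f["bytes"]
    return totals

def top_hosts(flows, side="src", n=3):
    return bytes_by(flows, lambda f: f[side]).most_common(n)  # side="src": talkers, "dst": listeners

def traffic_mix(flows):
    """Bytes per traffic class, keyed by destination port: what kind of traffic it is."""
    return dict(bytes_by(flows, lambda f: PORT_CLASSES.get(f["dport"], "other")))

def build_v5(records, sampling=0):
    """Assemble a constructed exporter datagram for testing (not a real capture)."""
    head = HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, sampling)
    body = b"".join(RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4, 1, 2,
                                pk, by, 0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 24, 24, 0)
                    for s, d, pk, by, sp, dp, proto in records)
    return head + body

# Constructed sample (src, dst, pkts, bytes, sport, dport, proto) using documentation-range addresses.
SAMPLE = build_v5([
    ("10.0.0.5", "203.0.113.34", 40, 52000, 50123, 443, 6),
    ("10.0.0.7", "10.0.0.200", 800, 900000, 44001, 22, 6),
    ("10.0.0.5", "198.51.100.9", 300, 410000, 6881, 6881, 6),
    ("10.0.0.9", "203.0.113.34", 10, 8000, 50555, 80, 6),
])
```

Feeding `parse_v5(SAMPLE)` to `top_hosts` and `traffic_mix` shows the internal backup host dominating by bytes and a peer-to-peer flow from a workstation that a port-only view would not attribute to a sender.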
Finding a Network Flows Monitoring Tool
Flow analysis tools vary significantly in terms of functionality, but there are some critical components to consider regardless of your specific needs. It's also important to make sure you're getting the most for your money, as flow analysis tools can vary in their cost. Some key features include:
- Support for multiple flow protocols
- Granular and high-level data views
These essential features enable administrators to gain more insight into their networks and respond to problems quickly. For instance, using real-time traffic analysis allows you to see spikes in network traffic immediately, while historical data can be used to investigate an issue on a deeper level.
This does not mean that flows should replace other security tools such as firewalls or intrusion detection software. However, relying entirely on perimeter-based defenses will likely leave security gaps; it is these holes that protocols such as NetFlow, JFlow and sFlow are designed to fill. By analyzing actual network traffic, IT personnel will be able to detect anomalies even when a threat bypasses signature-based detection safeguards.
How Intermapper Flows Can Help
Intermapper Flows is network traffic monitoring software that enhances your ability to tell what kind of data is flowing across your network. It collects data with millisecond accuracy and provides a forensic-level view of top talkers, top hosts, and top listeners. Because data is preserved over time, you can conduct post-hoc network traffic analyses to determine what caused a network traffic spike. Intermapper can support all versions of NetFlow, including Flexible NetFlow and IPFIX.