
Flow Questions and Answers

Vincent Berk, October 26, 2010

Q: What is netflow?

NetFlow is the name Cisco gave to its network traffic reporting format. It has become the best-known member of the broader class of formats generally known as 'flow reports' (sFlow and jFlow are others). A flow report is the equivalent of a 'pen register' for Internet traffic: it records who talked to whom, when, over which protocol and port, and for how long, but none of the content:

http://en.wikipedia.org/wiki/Pen_register

Q: How are netflow and flow analysis useful?

Flow analysis (reporting) allows one to see who communicated with whom, without digging into the content of the communication. This is helpful in many ways: it helps pinpoint network bottlenecks, find the cause of slowdowns, and trace the source of attacks or information leaks, all without extensive in-depth analysis of packet captures.

Netflow and flow analysis also scale far into the future, because the total number of network flows grows slowly. This is counter-intuitive, since the size of each of our communications is growing rapidly. The reason, however, is simple. Because a network flow record is like an Internet pen register, it records when a conversation took place, between whom, what application (protocol and port) was used, and, most importantly, how long it took. The number of bytes transferred is stored only as a counter; none of the content bytes are saved, so the size of a record does not depend on the size of the conversation.

This means that a flow record for a short and small communication (for instance a DNS lookup) takes exactly as much space to store as one for a large communication (for instance watching a YouTube video). Longer conversations don't take any more space in a flow database! The one caveat is that exporters cut a long-lived connection into several records when an 'active timeout' expires (typically a fixed number of minutes), so a very long conversation produces a handful of records rather than one; the storage cost still grows with the duration in minutes, not with the bytes moved.

Over the years, network communications have grown exponentially in volume, but only linearly in number. As a rough figure, each network user produces only about twice the number of flows they did two years ago, even though each flow is about eight times as large. This is why flow analysis will scale, while full packet capture won't.


Q: What are the netflow privacy concerns?

Although it is true that no content is retained in flow analysis, the source and destination of traffic, together with the protocol, port, timing and volume, can still reveal a lot of information. But only in some cases!

For instance, say flow analysis is used to monitor a network, and there is an 'acceptable use policy' in place. The policy states that employees cannot use corporate email for private matters. Even though the 'To:' and 'From:' addresses in the email messages are not revealed, one can still tell which mail server the connection was made to, and that the email protocol (SMTP, port 25) was used.

This means that an employee communicating with their spouse who works at 'smallacmecompany.com' will quickly be caught in violation of policy, while another employee communicating with a friend at 'gmail.com' won't, mostly because legitimate customers might also be using Gmail, so a connection to Gmail's mail servers proves nothing by itself. Keep in mind, however, that in both cases the content of the emails remains private.

Q: How do I get flow analysis to work?

Flow reports are generated by devices that either relay traffic (like routers or switches) or devices that can monitor the network for traffic (like sniffers). Such a device is called an 'exporter'.

Flow analysis is done by software, running on a server, that collects the flow reports from one or more exporters over the network. This is called the 'collector'. What the collector does with the flow reports largely determines the usefulness of the flow analysis tool.

If you want to benefit from flow analysis, you will need both a collector and one or more exporters. Most managed routers and switches will export netflow, sFlow, cflow, or jflow. However, not all collectors accept all formats, and different NetFlow versions are not interchangeable either. Check what your equipment exports before deciding on a collector.

If you don't have any devices on your network that are capable of exporting netflow, consider using a software exporter. This is a piece of software that can run on any computer attached to the network and report flows on the traffic that passes by. Keep in mind that placement is key!
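The following is an added example, not code from the original document or from ProQueSys: a minimal collector-side parser for NetFlow version 5, the fixed-layout export format that most older routers speak. It illustrates two points from the answers above: a collector must check the export format before it can use a datagram at all (a v9 or sFlow datagram is simply rejected here), and every flow record occupies the same 48 bytes on the wire whether it describes a 64-byte DNS lookup or a 150 MB video stream, because the byte count is a counter, not the bytes. The sample datagram is constructed inside the block and the addresses are documentation addresses, not real hosts.

```python
# Added example (not from the original document): a minimal NetFlow v5 parser
# as a collector would need it. The sample datagram is constructed below.
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

# NetFlow v5 wire layout (network byte order, no padding between fields).
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
RECORD_SIZE = V5_RECORD.size


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    packets: int
    octets: int     # a counter of bytes seen, never the bytes themselves
    first_ms: int   # exporter uptime (ms) when the first packet was seen
    last_ms: int    # exporter uptime (ms) when the last packet was seen

    @property
    def duration_ms(self) -> int:
        return self.last_ms - self.first_ms


def export_version(datagram: bytes) -> int:
    """Every NetFlow datagram starts with a 16-bit version field; a collector
    uses it to decide whether it understands the format at all."""
    if len(datagram) < 2:
        raise ValueError("datagram too short to carry a version field")
    return struct.unpack_from("!H", datagram, 0)[0]


def parse_v5(datagram: bytes) -> List[Flow]:
    version = export_version(datagram)
    if version != 5:
        raise ValueError(f"export version {version} is not NetFlow v5; "
                         "this collector does not accept it")
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated NetFlow v5 header")
    _version, count, *_rest = V5_HEADER.unpack_from(datagram, 0)
    needed = V5_HEADER.size + count * RECORD_SIZE
    if len(datagram) < needed:
        raise ValueError(f"header announces {count} records; datagram too short")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _ifin, _ifout, pkts, octets, first, last,
         sport, dport, _pad1, _tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * RECORD_SIZE)
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                          sport, dport, proto, pkts, octets, first, last))
    return flows


def accepts(datagram: bytes) -> bool:
    """Collector-side format check: True only for datagrams this parser reads."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def build_v5(records: List[Tuple[str, str, int, int, int, int, int, int, int]]) -> bytes:
    """Build a v5 datagram from (src, dst, sport, dport, proto, pkts, octets,
    first_ms, last_ms) tuples. Used here only to construct sample input."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       0, 0, pkts, octets, first, last, sport, dport,
                       0, 0, proto, 0, 0, 0, 0, 0, 0)
        for (src, dst, sport, dport, proto, pkts, octets, first, last) in records)
    return header + body


# Constructed sample: one DNS lookup and one ten-minute video download.
SAMPLE_RECORDS = [
    ("10.0.0.5", "10.0.0.2", 51234, 53, 17, 1, 64, 1_000, 1_002),
    ("10.0.0.5", "203.0.113.9", 49152, 443, 6, 120_000, 150_000_000, 1_000, 601_000),
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_RECORDS)
# Constructed 20-byte header that claims a newer, template-based export version.
V9_LOOKING_DATAGRAM = struct.pack("!HH", 9, 0) + b"\0" * 16


def record_sizes(datagram: bytes) -> List[int]:
    """Bytes each record occupies on the wire: always RECORD_SIZE for v5."""
    return [RECORD_SIZE for _ in parse_v5(datagram)]


if __name__ == "__main__":
    for f in parse_v5(SAMPLE_DATAGRAM):
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} proto={f.proto} "
              f"octets={f.octets} duration={f.duration_ms} ms "
              f"(record: {RECORD_SIZE} bytes)")
    print("accepts v9-looking datagram:", accepts(V9_LOOKING_DATAGRAM))
```

Note that the v5 byte counter is a 32-bit field, so a single record can describe at most about 4 GB; an exporter that hits the active timeout or the counter limit emits another record rather than a bigger one, which is exactly why the storage cost tracks duration and not volume.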

Q: How do I place a software exporter for maximum effect?


Since a software exporter is effectively a traffic sniffer, it is only as effective as the traffic it can actually see. This means that a computer located at the edge of your network will most likely see very little of the traffic passing through your organization.

Instead, it is usually better to attach the software exporter to a SPAN (mirror) port on a switch, or to a network TAP inserted on an uplink, so that it sees all traffic passing through that point.

In fact, simply connecting a software exporter to an ordinary switch port will only allow it to see its own traffic (plus broadcasts), as switches forward each frame only to the port where the destination lives. So you actually must configure the switch port in mirroring mode for the software exporter to monitor the traffic on that switch! Two practical caveats: the exporter's network interface must run in promiscuous mode, and a mirror port that receives the combined traffic of several busy ports can be oversubscribed and silently drop frames, which shows up as undercounted flows.

Q: Which flow/netflow collector is right for me?

This depends on what you hope to achieve. Flow collectors fall broadly into two categories: aggregators and full-fidelity collectors.

Aggregators take all the flow records, add the traffic volume information into small minute-by-minute buckets, and store those buckets in a database. This process is quick and cheap, gives you insight into general traffic volumes, and shows the bandwidth hogs on your network. If you simply want to monitor how busy your network is, this is your category. Examples are Plixer's Scrutinizer and Ipswitch's WhatsUp Gold.

However, if you want to analyze unique traffic patterns, investigate intrusions, and hunt for never-before-seen attacks, you will need to invest some time and money in a proper full-fidelity flow collector. These tools store every flow record in a database and let you filter and view the traffic in much more detail than the aggregators: the detail an aggregator throws away at ingest cannot be recovered afterwards. Generally these tools are more computationally expensive, but they offer a much wider range of possibilities. Examples are ProQueSys's FlowTraq and CERT's SiLK.

Both aggregators and full-fidelity collectors are often marketed as 'flow analyzers'. Let your needs drive your deployment decision!
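An added example, not code from the original document or from any of the products named above, showing the difference between the two collector categories on a handful of constructed flow records. Both the aggregator functions and the full-fidelity store ingest the same records; only the store can answer the acceptable-use question from the privacy section earlier ("which hosts opened SMTP sessions to the mail server of smallacmecompany.com?"), because the aggregator discarded source, destination and port at ingest. The mail server address 198.51.100.25 and the internal relay 10.0.0.25 are assumed documentation addresses.

```python
# Added example (not from the original document): aggregator vs. full-fidelity
# collector over constructed flow records.
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    start: int    # unix seconds of the first packet
    src: str
    dst: str
    dport: int
    proto: int    # 6 = TCP, 17 = UDP
    octets: int


ACME_MAIL_SERVER = "198.51.100.25"   # assumed MX of smallacmecompany.com
CORP_MAIL_RELAY = "10.0.0.25"        # assumed internal mail relay

# Constructed sample records: two SMTP sessions from one workstation to the
# outside MX, a DNS lookup, a large video stream, and one internal submission.
SAMPLE_FLOWS = [
    Flow(1000, "10.0.0.7",  ACME_MAIL_SERVER, 25,  6,  8_000),
    Flow(1005, "10.0.0.7",  "10.0.0.2",       53,  17, 120),
    Flow(1030, "10.0.0.9",  "203.0.113.9",    443, 6,  150_000_000),
    Flow(1070, "10.0.0.12", CORP_MAIL_RELAY,  25,  6,  5_000),
    Flow(1100, "10.0.0.7",  ACME_MAIL_SERVER, 25,  6,  12_000),
]


def aggregate_by_minute(flows: Iterable[Flow]) -> Dict[int, int]:
    """What an aggregator keeps: bytes per one-minute bucket. Source,
    destination, port and protocol are gone once the bucket is written."""
    buckets: Dict[int, int] = defaultdict(int)
    for f in flows:
        buckets[f.start - f.start % 60] += f.octets
    return dict(buckets)


def top_talkers(flows: Iterable[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """The other thing aggregators do well: bandwidth hogs by source host."""
    per_src: Dict[str, int] = defaultdict(int)
    for f in flows:
        per_src[f.src] += f.octets
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


class FullFidelityStore:
    """Keeps every record, so any field combination can be filtered later."""

    def __init__(self) -> None:
        self.records: List[Flow] = []

    def ingest(self, flows: Iterable[Flow]) -> None:
        self.records.extend(flows)

    def query(self, **where) -> List[Flow]:
        """Exact-match filter on any Flow field, e.g. query(dport=25, proto=6)."""
        return [r for r in self.records
                if all(getattr(r, k) == v for k, v in where.items())]


def smtp_clients_of(store: FullFidelityStore, mail_server: str) -> Set[str]:
    """Hosts that opened SMTP sessions to a given server. Answerable only
    because the store kept src, dst and port for every record."""
    return {r.src for r in store.query(dst=mail_server, dport=25, proto=6)}


if __name__ == "__main__":
    print("aggregator view:", aggregate_by_minute(SAMPLE_FLOWS))
    print("top talkers:", top_talkers(SAMPLE_FLOWS))
    store = FullFidelityStore()
    store.ingest(SAMPLE_FLOWS)
    print("SMTP clients of", ACME_MAIL_SERVER, "->",
          smtp_clients_of(store, ACME_MAIL_SERVER))
```

The aggregator output tells you that the 1020 bucket carried 150 MB and that 10.0.0.9 is the bandwidth hog, which is all a capacity dashboard needs; it cannot tell you that 10.0.0.7 spoke SMTP to an outside mail server twice, because that tuple was never stored. An intrusion investigation or a policy question always ends up needing the per-record view.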


Vincent Berk is the founder of ProQueSys, a company that specializes in network security, analysis, and

forensics software.