Flow Questions and Answers
Vincent Berk, October 26, 2010
Q: What is netflow?
NetFlow is the name Cisco gave to its network traffic reporting format; the broader class of such
formats is generally known as ‘flow reports’ or ‘flow records’. It is the equivalent of a ‘pen register’ for Internet traffic:
http://en.wikipedia.org/wiki/Pen_register
Q: How are netflow and flow analysis useful?
Flow analysis (reporting) allows one to see who communicated with whom, without digging into
the content of the communication. This is helpful in many ways, as it helps pinpoint network
bottlenecks, find the cause of slowdowns, and see the source of attacks or information leaks, all
without doing extensive in-depth analysis.
Netflow and flow analysis are also scalable far into the future, because the total number of network flows
grows slowly. This is counter-intuitive, because the size of each of our communications is growing
rapidly. The reason, however, is simple to explain. Because a network flow is like an Internet pen
register, it records when a conversation took place, between whom, what application (port and protocol) was used, and,
most importantly, how long it took. The number of bytes transferred is kept only as a counter in the
record, so it has no effect on the record’s size, and none of the actual content bytes are saved.
This means that a flow record for a short and small communication (for instance a DNS lookup)
takes just as much space to store as a large communication (for instance watching a YouTube
video). Longer conversations don’t take any more space in a flows database! The one caveat is that
exporters apply an ‘active timeout’ to connections that stay open, cutting them into a fresh record at a
fixed interval (30 minutes by default on Cisco routers), so a multi-hour stream produces a handful of
records rather than one.
Over the years, network communications have grown exponentially in volume, but only
linearly in number. Each network user produces only twice the number of flows that they did two
years ago, even though each flow is eight times as large. This is why flow analysis will scale, while
packet captures won’t.
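To make the scaling argument concrete, here is a minimal software flow exporter that turns packets into flow records. It is an added example written for this page, not code from the article or from any product it names; the packet list is constructed sample input, and the timeouts are assumed values chosen to match Cisco's defaults. NetFlow records are unidirectional, so each side of a conversation gets its own record, and a connection that outlives the active timeout is cut into more than one.

```python
from dataclasses import dataclass

ACTIVE_TIMEOUT = 1800.0    # seconds; an open flow is cut into a new record at this interval (assumed default)
INACTIVE_TIMEOUT = 15.0    # seconds of silence before a flow is considered finished (assumed default)


@dataclass
class FlowRecord:
    """One exported record: the 5-tuple, timing and counters. Its size never
    depends on how much data the conversation carried."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    first: float
    last: float
    packets: int = 0
    octets: int = 0


def export_flows(packets, active=ACTIVE_TIMEOUT, inactive=INACTIVE_TIMEOUT):
    """packets: iterable of (timestamp, src, dst, sport, dport, proto, length)
    sorted by timestamp. Returns the list of exported FlowRecords."""
    active_flows = {}   # 5-tuple -> FlowRecord currently being accumulated
    exported = []
    for ts, src, dst, sport, dport, proto, length in packets:
        key = (src, dst, sport, dport, proto)
        rec = active_flows.get(key)
        if rec is not None and (ts - rec.last > inactive or ts - rec.first >= active):
            # a timeout expired: emit the record and start a fresh one for this key
            exported.append(active_flows.pop(key))
            rec = None
        if rec is None:
            rec = FlowRecord(src, dst, sport, dport, proto, first=ts, last=ts)
            active_flows[key] = rec
        rec.last = ts
        rec.packets += 1
        rec.octets += length
    exported.extend(active_flows.values())  # flush whatever is still open at end of capture
    return exported


def sample_packets():
    """Constructed traffic: one DNS lookup, then a 45-minute video download."""
    pkts = [
        (0.000, "10.0.0.5", "10.0.0.53", 51000, 53, 17, 70),     # DNS query
        (0.020, "10.0.0.53", "10.0.0.5", 53, 51000, 17, 150),    # DNS reply (its own record: flows are one-way)
    ]
    # 2700 seconds of video: one 1400-byte packet per second from the server
    for i in range(2700):
        pkts.append((1.0 + i, "203.0.113.10", "10.0.0.5", 443, 40000, 6, 1400))
    return pkts


if __name__ == "__main__":
    records = export_flows(sample_packets())
    print(f"{sum(r.packets for r in records)} packets, "
          f"{sum(r.octets for r in records)} bytes -> {len(records)} flow records")
```

Running it, 2702 packets carrying about 3.8 MB collapse into four records: two for the DNS lookup and two for the video, the second of which exists only because the stream crossed the 30-minute active timeout.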
Q: What are the netflow privacy concerns?
Although it is true that no content is retained in flow analysis, the source and destination of traffic
can still reveal a lot of information. But only in some cases!
For instance, say flow analysis is used to monitor a network, and there is an ‘acceptable use policy’
in place. The policy states that employees cannot use corporate email for private matters. Even
though the ‘to:’ and ‘from:’ addresses in the email are not revealed, one can still tell which email
server the connection was made to, and that the email protocol (SMTP) was used.
This means that an employee communicating with their spouse who works at
‘smallacmecompany.com’ will quickly be caught in violation of policy, while another employee
communicating with a friend at ‘gmail.com’ won’t, mostly because legitimate customers might be
using Gmail for their communications. Keep in mind, however, that in both cases the content of the
emails remains private.
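The acceptable-use check just described, run over flow records, as an added example that is not part of the original article. It shows exactly what a flow record gives an analyst: the mail server an internal host talked to and the protocol, but no sender, recipient or subject. The addresses, the approved relay, the list of shared public providers and the records themselves are all invented for illustration.

```python
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}              # SMTP, SMTPS and submission
APPROVED_RELAYS = {"192.0.2.25"}         # the corporate mail server(s); assumed
INTERNAL_NETS = ("10.",)                 # prefixes of the hosts we monitor; assumed

# Constructed records: (start, src, dst, sport, dport, proto, packets, octets)
FLOWS = [
    (1288000000, "10.1.1.10", "192.0.2.25",    50001, 25,  6, 20,  9000),  # to corporate relay: fine
    (1288000100, "10.1.1.10", "198.51.100.7",  50002, 25,  6, 18,  7000),  # direct to an external MX
    (1288000200, "10.1.1.22", "198.51.100.7",  50003, 587, 6, 30, 12000),  # submission to the same host
    (1288000300, "10.1.1.22", "203.0.113.99",  50004, 443, 6, 40, 30000),  # HTTPS: webmail is invisible here
    (1288000400, "10.1.1.31", "198.51.100.7",  50005, 25,  6,  3,   200),  # connect and quit: still SMTP
    (1288000500, "10.1.1.40", "198.51.100.50", 50006, 587, 6, 25, 10000),  # a public provider's server
]


def is_internal(ip):
    return ip.startswith(INTERNAL_NETS)


def unapproved_smtp(flows, shared_servers=frozenset()):
    """Find SMTP-port flows from internal hosts that bypass the approved relay.

    Returns {"violation": {host: {server: count}}, "ambiguous": {...}}.
    Servers listed in shared_servers (public providers that customers also
    use) land in "ambiguous", mirroring the Gmail case above: the flow shows
    the server, not whether the mail was business or private."""
    out = {"violation": defaultdict(lambda: defaultdict(int)),
           "ambiguous": defaultdict(lambda: defaultdict(int))}
    for start, src, dst, sport, dport, proto, pkts, octets in flows:
        if proto != 6 or dport not in SMTP_PORTS:
            continue
        if not is_internal(src) or dst in APPROVED_RELAYS:
            continue
        bucket = "ambiguous" if dst in shared_servers else "violation"
        out[bucket][src][dst] += 1
    return {k: {h: dict(d) for h, d in v.items()} for k, v in out.items()}


if __name__ == "__main__":
    report = unapproved_smtp(FLOWS, shared_servers={"198.51.100.50"})
    for verdict, hosts in report.items():
        for host, servers in hosts.items():
            print(verdict, host, "->", servers)
```

Note what the check cannot do: the HTTPS flow from 10.1.1.22 might be webmail, but a flow record only says that a TLS connection went to 203.0.113.99, so policy enforcement based on flows alone sees SMTP and nothing else.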
Q: How do I get flow analysis to work?
Flow reports are generated by devices that either relay traffic (like routers or switches), or devices
that can monitor the network for traffic (like sniffers). This is called an ‘exporter.’
Flow analysis is done by software, running on a server that collects these flow reports from one or
more exporters. This is called the ‘collector’. What the collector does with the flow reports often
determines the usefulness of the flow analysis tool.
If you want to benefit from flow analysis, you will need both a collector and one or more exporters.
Most routers and switches will export netflow, sFlow®, cflow, or jflow; the IETF-standardized
successor to NetFlow is IPFIX. However, not all collectors accept all formats, and sFlow is built on
packet sampling rather than a record of every flow, so check your equipment before deciding on a collector.
If you don’t have any devices on your network that are capable of exporting netflow, consider using
a software exporter. This is a piece of software that can run on any computer attached to the
network, and report flows on the traffic that passes by. Keep in mind that placement is key!
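Whichever collector you choose, it ends up decoding export datagrams like the one below. As an added example, not code from the article or from any collector it names, here is a parser for the NetFlow version 5 datagram, the format most of the routers mentioned above speak: a 24-byte header followed by up to 30 48-byte records, laid out as in Cisco's published v5 format. The datagram is constructed in code so the example runs offline; its addresses, counters and clock values are made up. Because exporters send over unauthenticated UDP, the parser checks the count field against the datagram length instead of trusting it.

```python
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # version, count, sysuptime, unix_secs, unix_nsecs,
                                                        # flow_sequence, engine_type, engine_id, sampling (24 bytes)
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
                                                        # first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
                                                        # src_as, dst_as, src_mask, dst_mask, pad2 (48 bytes)
MAX_RECORDS = 30


def parse_v5(datagram):
    """Return (header dict, list of record dicts); raise ValueError if malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if count > MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"count": count, "sysuptime_ms": uptime, "unix_secs": secs,
              "sequence": seq, "sampling": sampling & 0x3FFF}   # low 14 bits hold the interval
    # first/last in each record are router uptime in ms; anchor them to wall-clock via the header
    boot_time = secs + nsecs / 1e9 - uptime / 1000.0
    records = []
    for i in range(count):
        (src, dst, nexthop, inp, outp, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, sas, das, smask, dmask, _pad2) = \
            V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": flags,
            "packets": pkts, "octets": octets,
            "start": boot_time + first / 1000.0, "end": boot_time + last / 1000.0,
        })
    return header, records


def accepts(datagram):
    """True if the datagram parses; a collector should drop anything else."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def build_sample_datagram():
    """Constructed sample: two records as a router would export them."""
    uptime_ms = 3_600_000            # router has been up for one hour
    now = 1288000000                 # wall clock at export time (about the article's date)
    recs = [
        # src, dst, sport, dport, proto, tcp_flags, packets, octets, first_ms, last_ms
        ("10.0.0.5", "10.0.0.53", 51000, 53, 17, 0x00, 1, 70, 3_590_000, 3_590_000),
        ("10.0.0.5", "203.0.113.10", 40000, 443, 6, 0x1b, 2400, 3_120_000, 3_000_000, 3_599_000),
    ]
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0",
                       1, 2, pk, oc, fi, la, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, fl, pk, oc, fi, la in recs)
    header = V5_HEADER.pack(5, len(recs), uptime_ms, now, 0, 1000, 0, 0, 0)
    return header + body


if __name__ == "__main__":
    hdr, recs = parse_v5(build_sample_datagram())
    print(hdr)
    for r in recs:
        print(r)
```

A real collector would wrap `parse_v5` in a UDP receive loop (port 2055 is the conventional NetFlow port, though it is only a convention) and also watch the `sequence` field, since gaps in it reveal datagrams lost between exporter and collector.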
Q: How do I place a software exporter for maximum effect?
Since a software exporter is effectively a traffic sniffer, it is only as effective as the traffic it can
actually see. This means that a computer located on the edges of your network will most likely see
very little of the traffic passing through your organization.
Instead, it is often better to place the software exporter on a switch SPAN (mirror) port, or behind a
network TAP inserted into the link you want to watch, so that it sees all traffic that passes through.
In fact, simply connecting a software exporter to a switch will only allow it to see its own traffic, as
switches are smart about what traffic to send to a connected computer, and what to withhold. So
you actually must put the switch port in a mirroring mode to allow the software exporter to
effectively monitor the traffic on the switch!
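A quick way to verify the placement, as an added example that is not from the original article: on a plain (unmirrored) switch port a sniffer sees only its own unicast frames plus broadcast and multicast, so if almost every unicast frame in a short capture involves the monitor host's own MAC address, the SPAN session is not delivering other hosts' traffic. The frame summaries below are constructed input; on a real host they would come from the capture interface.

```python
MY_MAC = "00:11:22:33:44:55"           # the monitor host's own address (assumed)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def mirror_ratio(frames, my_mac):
    """frames: iterable of (src_mac, dst_mac). Returns the fraction of unicast
    frames that involve neither our own MAC nor a group address, i.e. frames
    we could only be seeing through a mirror port or TAP."""
    unicast = foreign = 0
    for src, dst in frames:
        if is_group_address(dst):
            continue                      # ARP requests and the like reach every port anyway
        unicast += 1
        if my_mac not in (src, dst):
            foreign += 1
    return foreign / unicast if unicast else 0.0


def span_is_working(frames, my_mac, threshold=0.5):
    return mirror_ratio(frames, my_mac) >= threshold


# Constructed: what an unmirrored access port shows (our own traffic plus ARP broadcasts)
UNMIRRORED = [(MY_MAC, "00:aa:bb:cc:dd:01"), ("00:aa:bb:cc:dd:01", MY_MAC),
              ("00:aa:bb:cc:dd:02", BROADCAST), (MY_MAC, "00:aa:bb:cc:dd:03")]
# Constructed: the same port once the SPAN session is up; other hosts' unicast frames arrive too
MIRRORED = UNMIRRORED + [("00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02")] * 6 \
                      + [("00:aa:bb:cc:dd:02", "00:aa:bb:cc:dd:03")] * 4

if __name__ == "__main__":
    for name, frames in (("unmirrored", UNMIRRORED), ("mirrored", MIRRORED)):
        print(f"{name}: {mirror_ratio(frames, MY_MAC):.0%} foreign unicast, "
              f"SPAN working: {span_is_working(frames, MY_MAC)}")
```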
Q: Which flow/netflow collector is right for me?
This depends on what you hope to achieve. Flow collectors are broadly classified in two
categories: the aggregators, and the full fidelity collectors.
Aggregators take all the flow records, dump the traffic volume information into little minute-by-
minute buckets, and store this information in a database. This process is quick and easy, and gives
you insight into general traffic volumes and shows the bandwidth hogs on your network. If you
simply want to monitor how busy your network is, this is your category. Examples are Plixer’s
Scrutinizer, and Ipswitch’s WhatsUp Gold.
However, if you want to analyze unique traffic patterns, investigate intrusions, and spot
never-before-seen attacks, you will need to invest some time and money in a proper full fidelity flow collector.
These tools store every flow record in a database, and allow you to filter and view the traffic in
much more detail than the aggregators. Generally these tools are more computationally expensive
(and need far more storage, since every record is kept), but they offer a much wider range of
possibilities. Examples are ProQueSys’s FlowTraq, and CERT’s SiLK.
Both aggregators, as well as full fidelity flow collectors are often marketed as ‘flow analyzers’. Let
your needs drive your deployment decision!
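To show what the two categories keep and what that costs you, here is an added example (written for this page, not code from any of the products named above) that feeds the same constructed flow records to both. The aggregator keeps only bytes per minute per host, which is enough to rank bandwidth hogs; the full-fidelity store keeps every record, which is what answers ‘which host touched many ports on one target’, a scan that moves almost no bytes and is invisible in the minute buckets. All records are invented.

```python
from collections import defaultdict

BASE = 1288000000   # constructed start time


def sample_flows():
    """Constructed records: (start_epoch, src, dst, sport, dport, proto, packets, octets)."""
    flows = []
    # a bulk download: one host pulling a lot of bytes from one server over three minutes
    for i in range(18):
        flows.append((BASE + i * 10, "10.1.1.10", "203.0.113.10", 40000 + i, 443, 6, 1500, 2_000_000))
    # a port scan: one host probing 100 ports on one target, one 60-byte packet per port
    for port in range(1, 101):
        flows.append((BASE + 60 + port // 10, "10.1.1.66", "10.1.2.5", 50000 + port, port, 6, 1, 60))
    return flows


def aggregate_by_minute(flows):
    """What an aggregator keeps: octets per (minute, source host) and nothing else."""
    buckets = defaultdict(int)
    for start, src, dst, sport, dport, proto, pkts, octets in flows:
        buckets[(start // 60 * 60, src)] += octets
    return dict(buckets)


def top_talkers(buckets, n=3):
    """Answerable from the buckets alone: who moved the most bytes."""
    totals = defaultdict(int)
    for (_minute, src), octets in buckets.items():
        totals[src] += octets
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def scanners(flows, min_ports=20):
    """Needs every record: distinct destination ports per (source, target) pair.
    Once records are rolled into byte buckets the ports are gone for good."""
    ports = defaultdict(set)
    for start, src, dst, sport, dport, proto, pkts, octets in flows:
        ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    flows = sample_flows()
    print("aggregator view (top talkers):", top_talkers(aggregate_by_minute(flows)))
    print("full-fidelity view (scanners):", scanners(flows))
```

The scanning host accounts for 6,000 bytes against the downloader's 36 MB, so no volume-based view will ever surface it; only a collector that kept the individual records can.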
Vincent Berk is the founder of ProQueSys, a company that specializes in network security, analysis, and
forensics software.
