NetFlow has become an industry standard for traffic monitoring and is supported on various platforms. Enabling NetFlow on devices helps characterize flows and understand traffic behavior. You can export flow information to perform traffic analysis, bandwidth capacity planning and security analysis.

Benefits of using NetFlow

  • Understand the impact of network changes and services
  • Improve bandwidth usage and application performance
  • Reduce IP service and application costs
  • Detect and classify security incidents

How does NetFlow help with Security Analysis?

Delve into traffic information by analyzing NetFlow data to obtain information on:

  • Who is talking to whom - Source & Destination IP addresses
  • Over what protocols and ports - Layer 3 protocol type, Source & Destination ports
  • For how long
  • At what speed
  • For what duration

It’s important to identify any unusual traffic patterns compared to previously collected network data or baselines. These traffic patterns are commonly referred to as anomalies.

NetFlow helps identify anomalies by providing high level diagnostic information on traffic flows and changes in network behavior. You can classify attacks by noticing small size flows to the same destination, which may also be a sign of botnet communication and propagation. NetFlow data can be used to deduce information on what is being attacked, where the attack is coming from, how long the attack has occurred, the size of packets used, and much more.

Usually, DoS attacks flood the network with packets from an untrusted source to a single destination. These packets are often of an unusual size. An attack can be determined by monitoring changes or number of flow counts on the edge routers. NetFlow data can be collected and correlated to identify a DoS attack in progress.

Delving a bit deeper, one way to use NetFlow to identify anomalous behavior is to establish a baseline that describes 'normal' network activity. This baseline can be set according to some historical traffic pattern. Then, all traffic that falls outside the scope of this baseline pattern will be identified as anomalous. Furthermore, flow data that has exceptionally high volume, especially those that are much higher than the established baseline, would demand attention as ‘unusual activity’.

In conclusion, NetFlow certainly provides another layer of valuable threat detection and insight, but it's not your primary threat detection and mitigation solution. Data collected from NetFlow helps analyze, detect and address security blind spots, and highlight DDoS, Botnet, top conversations, streaming and other hidden anomalies.

How are you using NetFlow to aid in security analysis for your network? Tell us in your comments below.