- Tom Braun
July 26, 2005, 12:26 am
But the other day, I found this here, where someone is raising some
serious concerns about netflow:
They are specifically talking about anomaly detection and are proposing
using a packet based solution instead.
What is the consensus or at least, what are the most popular opinions,
when it comes to netflow? Does this person have a point, or is this all
Re: Problems with flows
:But the other day, I found this here, where someone is raising some
:serious concerns about netflow:
:They are specifically talking about anomaly detection and are proposing
:using a packet based solution instead.
:What is the consensus or at least, what are the most popular opinions,
:when it comes to netflow? Does this person have a point, or is this all
I would say that the person is correct that detection of anomalies
is -most- accurate when all the content of all of the packets is available
(and being processed by something which can keep up), but I wouldn't
say that that makes netflow or similar analysis useless.
What is the cost of a fibre tap? Together with a device which has
to be much faster than a dedicated high-performance router in order
to be able to examine every byte of every packet (considering that
the author was talking about situations in which the performance
of the router would be taxed by the flow recording.) And of the
parallel network infrastructure to report the results to an appropriate
location without taking any of the regular network bandwidth
(so as not to affect what is being measured)?
The author of the article claims that mirroring isn't as costly as
netflow, because the mirroring is done at the data plane (ASIC) level
rather than at the CPU level that netflow requires. The author is
making a number of assumptions about device architecture. My
[mis-?] understanding of netflow in Cisco's higher end devices is that
netflow is mostly handled in a distributed manner, with the CPU *not*
being involved for every packet.
My summary of the article would be that the author is saying,
a) "There are some things that you cannot detect just looking at
IPs and port numbers"
- this is true and is why (e.g.) Cisco handles packet-level inspection at
wire-speeds on their newer 8xx router series and their newer
security appliance series
- defence in depth: you don't give up on a strategy just because
it isn't able to discover -everything-
b) "flow analysis might overload the router"
- this is less true than the author suggests
- this can be alleviated by reading the flow packets off a dedicated
- if your router is running that close to capacity, you should probably
be upgrading anyhow, as you probably haven't provisioned the router
to be able to effectively take on extra load as required for your
This signature intentionally left... Oh, darn!
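The reply's two points (a) and (b) can be made concrete with a small worked example. The following is an added illustration, not code posted by anyone in this thread: it builds a constructed packet trace, collapses it into NetFlow-style 5-tuple records (which keep only addresses, ports, protocol and counters, never payload), and runs one check over the flow records and one over the packets. The fan-out check shows what flow data is good at catching from IPs and ports alone; the payload check shows the kind of thing that is invisible once content is dropped, which is the "defence in depth" argument for running both rather than abandoning either. All hosts, ports and the `MARKER` byte string are invented for the demo.

```python
"""Flow records vs. packet content on a constructed trace (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes


@dataclass
class Flow:
    """What a NetFlow-style record retains: counters and timestamps, no content."""
    packets: int = 0
    octets: int = 0
    first: float = 0.0
    last: float = 0.0


def aggregate_flows(packets):
    """Collapse packets into 5-tuple flow records, discarding payload."""
    flows = {}
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        f = flows.get(key)
        if f is None:
            f = Flow(first=p.ts, last=p.ts)
            flows[key] = f
        f.packets += 1
        f.octets += len(p.payload)
        f.last = max(f.last, p.ts)
    return flows


def flow_fanout_alerts(flows, threshold=5):
    """Flow-level check: one source touching many (dst, port) pairs is scan-like.

    Works on flow records alone, so it costs nothing extra in packet capture.
    """
    targets = defaultdict(set)
    for (src, dst, _sport, dport, _proto) in flows:
        targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def payload_alerts(packets, marker=b"MARKER"):
    """Packet-level check: a content pattern that flow records cannot express."""
    return [(p.src, p.dst, p.dport) for p in packets if marker in p.payload]


# Constructed trace (hypothetical hosts): 10.0.0.5 probes six ports on 10.0.0.9
# with empty payloads; 10.0.0.7 has one ordinary-looking HTTP flow whose second
# request carries the marker pattern.
TRACE = [
    Packet(1.0 + i, "10.0.0.5", "10.0.0.9", 40000 + i, port, "tcp", b"")
    for i, port in enumerate((21, 22, 23, 25, 80, 443))
] + [
    Packet(10.0, "10.0.0.7", "10.0.0.9", 51000, 80, "tcp", b"GET / HTTP/1.1\r\n"),
    Packet(10.5, "10.0.0.7", "10.0.0.9", 51000, 80, "tcp",
           b"POST /x HTTP/1.1\r\nMARKER\r\n"),
]


def run_demo(trace=TRACE):
    """Run both checks and return what each one sees."""
    flows = aggregate_flows(trace)
    return {
        "flow_records": len(flows),
        "fanout": flow_fanout_alerts(flows),
        "payload": payload_alerts(trace),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Note that the two HTTP packets collapse into a single flow record with `packets == 2`; the fan-out check never flags 10.0.0.7 because, at the flow level, that host looks like one ordinary web client, while the scanning host is caught without any payload at all.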