designetwork(EN)

IT technical memo of networking

NetFlow vs sFlow

To integrate security monitoring with network capacity planning, I'm going to use NetFlow/sFlow.

NaaS/E (Network as a Sensor / Enforcer)

Recently the keywords "NaaS/NaaE" have started to appear.
They look like members of the SaaS/PaaS/IaaS/DaaS family, but that is incorrect.
Cisco describes them as follows:

Network as a Sensor / Enforcer

https://www.slideshare.net/mobile/CiscoSecurity/network-as-a-sensor-and-enforcer

As IoT spreads, the risk of security incidents is increasing.
A perimeter (entry/exit) internet security system can only protect against a limited set of threats.

For example, perimeter security CANNOT block PC-to-PC or server-to-server illicit traffic.
PC-to-server traffic does pass through the firewall, but it may still be accepted if the protocol and port number are correct.

The protection method for each Src/Dst pair is as follows (rows are the source, columns the destination):

Src \ Dst        | Attacker | Relation Server | Damaged PC   | Domestic Server
Attacker         | -        | -               | Entry        | Entry
Relation Server  | -        | -               | Exit         | Exit
Damaged PC       | Exit     | Exit            | X            | X (Firewall)
Domestic Server  | Exit     | Exit            | X (Firewall) | X

In the "X" cases, using NetFlow/sFlow together with NaaS/E makes it possible to detect and protect against this traffic.

Why NetFlow/sFlow?

Generally, security appliances such as IPS/IDS and NG-FW are expensive.
Therefore introducing them is NOT easy.

Compared to them, NetFlow/sFlow can be started with existing equipment (switches, routers, firewalls, etc.).
Most companies already have equipment that supports NetFlow/sFlow, such as Cisco Catalyst/ISR/ASA, Juniper SRX/SSG, Palo Alto, F5 BIG-IP, etc.
Flow data collection can be started with only a few additional configuration lines.

Traffic monitoring software and a method of blocking illicit traffic are still required, but the first step of any analysis is to collect data.

Differences between NetFlow and sFlow

A rough comparison of NetFlow and sFlow functions is below:

Function     | NetFlow | sFlow
Protocol     | IP      | IP, IPX, AppleTalk, XNS
Layer        | L3      | L2/L3
Target flows | All     | Sampled
Load         | Low     | Very low

The key difference is "Target flows". Because sFlow only collects 1 in N of the traffic (sampling), some flows are always missed.
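To make the sampling difference concrete, here is an added simulation (my own illustration, not code from Cisco or from any flow collector) that accounts a constructed packet stream the NetFlow way (every packet counted into its flow record) and the sFlow way (1-in-N packet sampling with counters scaled by N), then checks which of the east-west "X" flows from the matrix above are still visible. Sampling is deterministic here for reproducibility; a real sFlow agent samples randomly around the configured rate.

```python
from collections import defaultdict

# Constructed packet stream: (src, dst, proto, dport, bytes).
# The two small 10.x -> 10.x flows are the east-west "X" cases
# that perimeter security never sees; the bulk flow goes to the internet.
PACKETS = (
    [("10.0.1.10", "203.0.113.5", "tcp", 443, 1400)] * 200   # PC -> internet, bulk
    + [("10.0.2.20", "10.0.2.21", "tcp", 445, 300)] * 3      # server -> server, 3 packets
    + [("10.0.1.11", "10.0.1.12", "tcp", 3389, 500)] * 12    # PC -> PC, 12 packets
)

def netflow_export(packets):
    """NetFlow-style: every packet is accounted into its flow key record."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, proto, dport, size in packets:
        rec = flows[(src, dst, proto, dport)]
        rec["packets"] += 1
        rec["bytes"] += size
    return dict(flows)

def sflow_export(packets, rate):
    """sFlow-style: keep 1 packet in `rate`; the collector scales counters by `rate`."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for i, (src, dst, proto, dport, size) in enumerate(packets):
        if i % rate != 0:          # deterministic 1-in-N for reproducibility
            continue
        rec = flows[(src, dst, proto, dport)]
        rec["packets"] += rate     # each sample stands for `rate` packets
        rec["bytes"] += size * rate
    return dict(flows)

def internal_flows(flows):
    """Flows with both ends inside 10.0.0.0/8: the east-west traffic we must detect."""
    return {k: v for k, v in flows.items()
            if k[0].startswith("10.") and k[1].startswith("10.")}

if __name__ == "__main__":
    full = netflow_export(PACKETS)
    print("NetFlow sees internal flows:", len(internal_flows(full)))
    for rate in (8, 64):
        sampled = sflow_export(PACKETS, rate)
        print(f"sFlow 1:{rate} sees internal flows:", len(internal_flows(sampled)))
```

At 1:64 both east-west flows disappear entirely; at 1:8 they are seen, but the 3-packet server-to-server flow is reported as 8 packets, so short flows are both missed and mis-sized under sampling.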

Nowadays product specifications are improving, so NetFlow should be used aggressively.


Next, I will go on to choose a Flow Collector, Analyzer and Management Console.


This blog is the English version of my Japanese one.

Sorry if my English sentences are incorrect.
