IT technical memo of networking

NetFlow vs sFlow

For integration of security and planning of network sizing, I'm going to use NetFlow/sFlow.

NaaS/E (Network as a Sensor / Enforcer)

Recently, keywords "NaaS/NaaE" appears.
It seems to be group of SaaS/PaaS/IaaS/DaaS.
But it is incorrect.
Cisco talk about them as below:

Network as a Sensor / Enforcer

Because of IoT spreading, Security incident risks are increasing.
Entry and Exit internet security system can protect from limited thread.

For example, Entry/Exit Sec CANNOT block(protect) PC to PC, Server to Server illegal traffic.
Of course, PC to Server traffic is protected by Firewall, but it might be accepted if protocol and port number is correct.

The method of protection each Src/Dst is like below:

Src/Dst Attacker Relation Server Damaged PC Domestic Server
Attacker - - Entry Entry
Relation Server - - Exit Exit
Damaged PC Exit Exit X X(Firewall)
Domestic Server Exit Exit X(Firewall) X

In the case of "X", by using NetFlow/sFlow with NaaS/E, it is going to be able to protect and detect.

Why NetFlow/sFlow?

Generally the security appliances like IPS/IDS, NG-FW are too expensive.
Therefore to introduce them is NOT easy.

Compared to them, NetFlow/sFlow are able to start with existing equipments(Switch, Router, Firewall, etc.).
Most of the companies have equipments that can use NetFlow/sFlow like Cisco Catalyst/ISR/ASA, Juniper SRX/SSG, PaloAlto, F5 BIG-IP, etc.
It can start to collect Flowdata with few additional configurations.

It is required to introduce software of traffic monitoring and method of blocking illegal traffic, but first step of analysis is collect data.

Difference and of NetFlow and sFlow

Rough difference and function comparison of NetFlow and sFlow is below:

Function NetFlow sFlow
Protocol IP IP, IPX, Appletalk, XNS
Layer L3 L2/L3
Target Flow All Flow Sampling
Load Low Very Low

Typical difference is "Target Flow". Because of sFlow collects 1 flow in few flows, always missed occurs.

Nowadays, the spec of products are improving, therefore it should be used NetFlow aggressively.

I continue to choice Flow Collector, Analyzer, Management Console.

This Blog is English Version of my JP's.

Sorry if my English sentences are incorrect.