Analyzing Networks for Performance and Security

NetFlow Analysis Helps Understand and Protect Distributed Networks

The ability to collect and analyze metadata on network traffic is helping administrators achieve better security as well as understand how their networks are performing so that they can maximize efficiency.


  • Page 1 of 1
    Bookmark and Share

Article Media

What’s going on with your network? No, what’s really going on? Are some remote employees downloading excessive amounts of data? Are there suspicious attempts at access that might indicate a pending attack? Are the firewalls and intrusion detection mechanisms you installed really working the way you think they should be? Are your cloud-connected devices communicating the way they should be? Are you making the best and most cost-effective use of your present equipment and bandwidth? How would you know?

An existing but not yet fully appreciated technology called NetFlow, originally developed by Cisco, can be used to collect data about network traffic and subject it to analysis for network administrators and security personnel to better monitor and understand network traffic. Primarily this applies to enterprise networks that may be both distributed and have virtual private networks (VPNs) and are connected to the larger Internet and the world in general.

NetFlow consists of metadata about network traffic that is generated by routers and switches that support it and on which it has been enabled. The routers export the NetFlow data in small messages using UDP, and it can then be collected and stored by means of a NetFlow collector and then subjected to analysis using various tools (Figure 1). Most of the newer routers and switches support NetFlow. NetFlow records contain, among other information, source and destination IP addresses, source and destination port IDs, start and stop times, and the number of packets and bytes. Some of the newer versions also report things like user IDs. NetFlow takes place in the background so that users are unaware of it.

Figure 1
A NetFlow exporter can be a device such as a router or switch that generates NetFlow messages containing data about the network traffic. This data is collected and stored by the NefFlow collector and can then be analyzed by tools and applications of the analyzer. Often collector and analyzer are the same system.

Getting a Handle on Network Performance

One example of the kinds of collection and analysis tools is the Scrutinizer product from Plixer. The central element to the system is the Scrutinizer flow collector and analysis product. It has the ability to archive infinite years of data saved at selectable intervals. This allows analysis over time using the features of Scrutinizer as well as its add-on analytical tools. While it collects the NetFlow data, it does not gather the content of the traffic. Thus if a customer checks in at an airport kiosk, the flow data will record connection with the reservations database, the credit card system and such other points as may be needed for a given transaction. These and similar transactions with other customers can then be used for understanding the nature of the traffic.

Dozens of NetFlow collectors can be distributed and used to analyze enterprise wide traffic from a central location across thousands of interfaces if need be. Michael Patterson, Plixer CEO and co-founder, compares the data collected to a phone bill. “It’s a complete record of everything you’ve done with the network.” As such, he says, “It is a mechanism to help users understand how their network is functioning, how it is being used, and where in the network they need to make adjustments.” Once collected, the flow logs can be used to create reports, audit trails and analyses that can detect denial of service (DoS) attacks, intrusions, overuse of resources and the like. 

The use of Scrutinizer is situational to the given enterprise and applies to the wider public network only to the extent that the enterprise network interacts with it. This can apply to a relatively small network with two or three servers, to a distributed network and even to a system using a virtual private network (VPN), which may be using a firewall as a termination point. According to Patterson, the value of the tools increases as the size and complexity of the network grow.

An additional ability of the Scrutinizer flow analyzer is to identify which hosts, users and applications are consuming bandwidth. With this information administrators can make decisions to plan on adding equipment, or conversely how to reconfigure the network to make more efficient use of existing equipment and bandwidth and thus avoid costly upgrades. They can also identify users who may be consuming too many resources and reiterate company policies. The service provider module can also set permissions per interface per login and can set parameters to monitor and invoice for over usage. And then there are straight security concerns.

Analyzing for Enhanced Security

A number of flow analytic algorithms are supplied to help detect malicious traffic patterns such as network scans and unwanted protocols. In addition, the user can set up their own algorithms to look for security problems. It is possible to set threshold levels for access to or from specific IP addresses that will trigger an alert if exceeded. Different combinations of parameters can be selected and algorithmically combined to identify specific conditions of interest (Figure 2).

Figure 2
Some of the network traffic data collected by the Scrutinizer Flow Analyzer that can then be used by analysis algorithms to generate reports, alerts and audit trails to help understand what is happening on the network.

In addition, Scrutinizer offers an IP host reputation feature that could be compared to a list of  “wanted posters.” Plixer and some of its partners establish lists of known “bad guys” in the form of a database of known IP addresses that is updated hourly. The system then compares IP addresses accessed to or from the network and is able to issue alerts. So now it is not only possible to know who is talking to whom over the network but also if any of those are known bad actors.

The embedded industry is, of course, also interested in the “Internet of Things” as well as cloud computing, as it can serve to carry data traffic from widely distributed small devices delivering large amounts of data to the enterprise. While cloud computing very often involves encrypted data, it is nonetheless important to at least be able to identify cloud service performance when trying to eliminate causes of observed slowdown on the home network. Then, of course, the cloud service needs to be contacted and alerted—with data to back it up.

Bringing up the cloud reinforces the awareness of how distributed so many networked environments have become. Increasingly, smartphones and tablets are being used not only as the preferred access method by remote employees, but also as the user interface of choice for monitoring and controlling industrial and even medical devices via apps and touch displays. This “bring your own device” (BYOD) trend will continue to grow, and administrators must be able to see how many BYOD devices and of what type are on the network and which employees have authenticated them to the network—especially when so many of these devices do not have adequate antivirus software. It is also needed to maintain proper behavior with the company’s limited resources as well as to keep out opportunistic intruders.

For situations where a given network or perhaps an older router or switch does not support NetFlow, it is possible to bring in a point solution for addressing specific, if somewhat limited analysis needs. This is an x86-based hardware device called the nBox. The nBox can be thought of as a “flow probe” that can be attached to implement NetFlow where it may be lacking or to go after specific problems. The raw packets of the applications under investigation must pass through its ports, in which case it generates NetFlow messages for that traffic. These can then be collected and analyzed by Scrutinizer. In addition, nBox is capable of deep packet inspection to identify signatures or an application that may be disguising itself as another utility. 

Security measures like encryption, authentication, passwords, firewalls and intrusion detection are all vital parts of the security effort for networks and systems. However, they tend to be relatively static. The addition of active, dynamic analysis can not only aid in the securing of vital sites, applications and their data, but also add an active element that regularly engages human operators. Such tools that actively collect and analyze data like NetFlow can be a great asset in guarding the network in their own right; they can also be used to assess how well all the other parts of the network security strategy are doing their jobs.  


Sanford, ME.
(207) 324-8805.