
NetFlow: The Value and the Visibility

By Dr. John Murphy | June 9, 2015


NetFlow (and associated technologies like IPFIX, J-Flow, Netstream, etc.) acts as a kind of live-reporting phone bill for your network: up-to-the-minute information about the communications taking place. Each record summarizes one flow, so it tells you who sent how much data to whom, as well as how and when: source and destination IP addresses, ports and protocol, the exporting device and interface, start and end timestamps, and packet and byte counts, plus VLAN, TCP flags, etc. Like a phone bill, it records the call, not the conversation: NetFlow carries no payload, which is exactly what makes it cheap to collect and store.

This data is widely available from devices like routers, switches, firewalls, load-balancers, hypervisors – and even as software to install on individual hosts. With data streaming in from multiple sources, a central location can get an excellent view of the network, including cross-border and purely internal traffic.

When collected in a central location and made available to view and search, NetFlow gives a network engineer visibility into what’s going over the network, including large-scale events like DDoS attacks and saturated links, and small-scale events like SSH logins and database connections. This allows the analyst to monitor for attacks, check policy compliance, and even meter data usage for billing. Everything from brute-force attacks to on-the-sly Netflix watching: if it crosses the network, it’s in the NetFlow.

Because NetFlow is a summary, it can be stored compactly: a gigabyte of NetFlow data can describe hundreds to thousands of gigabytes of actual traffic. This efficiency makes it suitable for full-fidelity recall, meaning that every single record can be stored for later analysis, down to the smallest ICMP ping. (Full fidelity does assume unsampled export; a router configured to sample one packet in a thousand will simply never report that ping.) With a full-fidelity NetFlow history, it becomes possible to perform intricate analysis of one’s historical record, down to the ordering of individual small transactions that occurred months ago. This enables an analyst to perform difficult tasks like tracking an intruder through multiple hops of SSH sessions, or separating potential DNS tunnels from ordinary requests. It also means that the analyst doesn’t have to be psychic: they don’t need to know today what they’ll need to search for tomorrow.
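The two paragraphs above describe what an analyst does with stored flow records: spot a brute-force burst of small SSH connections, and follow an intruder hop by hop through SSH sessions. The following is an added example written for this page, not FlowTraq code and not FlowTraq's storage format. The flat CSV layout (start time, 5-tuple, packets, bytes, TCP flags), the sample records, and the thresholds are all assumptions; the record fields are modelled on the usual NetFlow v5 export fields.

```python
"""Toy flow-record analysis over constructed NetFlow-style data.

Added example; the CSV layout and all addresses are assumptions, not
real traffic and not any product's native format.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a DNS lookup, an HTTPS session, a long SSH session
# from an outside host, two internal SSH hops that follow it, and a DNS
# lookup from the last host in the chain.
SAMPLE_CSV = """start,src,sport,dst,dport,proto,packets,bytes,flags
2015-06-09T10:00:00,10.0.0.20,40000,10.0.0.53,53,17,1,60,
2015-06-09T10:00:05,10.0.0.20,40001,198.51.100.9,443,6,40,5120,SA
2015-06-09T10:02:30,203.0.113.7,52010,192.0.2.10,22,6,320,48000,SAP
2015-06-09T10:03:10,192.0.2.10,48211,10.0.0.5,22,6,210,30100,SAP
2015-06-09T10:04:02,10.0.0.5,49377,10.0.0.9,22,6,150,22500,SAP
2015-06-09T10:05:00,10.0.0.9,49400,10.0.0.53,53,17,1,70,
"""


def brute_force_burst():
    """Constructed: 25 short SSH flows from one source in 25 seconds,
    each a separate connection, the shape of a password-guessing loop."""
    t0 = datetime(2015, 6, 9, 10, 1, 0)
    rows = []
    for i in range(25):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        rows.append(f"{ts},203.0.113.7,{51000 + i},192.0.2.10,22,6,8,180,SAPF")
    return "\n".join(rows)


def parse_flows(text):
    """Parse the CSV layout above into dicts sorted by start time."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "start": datetime.fromisoformat(row["start"]),
            "src": row["src"], "sport": int(row["sport"]),
            "dst": row["dst"], "dport": int(row["dport"]),
            "proto": int(row["proto"]),
            "packets": int(row["packets"]), "bytes": int(row["bytes"]),
            "flags": row["flags"],
        })
    flows.sort(key=lambda f: f["start"])
    return flows


def ssh_bursts(flows, window=timedelta(seconds=60), threshold=10, max_bytes=2000):
    """Return {(src, dst): count} for pairs with >= threshold small SSH
    flows inside any `window`. Many tiny port-22 flows from one source in
    a minute is the NetFlow signature of brute forcing: every failed
    login is its own short connection. Long sessions are ignored."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["proto"] == 6 and f["dport"] == 22 and f["bytes"] <= max_bytes:
            by_pair[(f["src"], f["dst"])].append(f["start"])
    hits = {}
    for pair, times in by_pair.items():
        left, best = 0, 0
        for right, t in enumerate(times):          # sliding window
            while t - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            hits[pair] = best
    return hits


def trace_ssh_pivots(flows, attacker, max_gap=timedelta(minutes=10), min_bytes=2000):
    """Follow SSH hop by hop from `attacker`: find the SSH sessions it
    opened, then SSH sessions each victim opened within `max_gap` of
    that session starting, and so on. Returns [(src, dst, start), ...]."""
    ssh = [f for f in flows
           if f["proto"] == 6 and f["dport"] == 22 and f["bytes"] >= min_bytes]
    chain, seen, frontier = [], {attacker}, [(attacker, None)]
    while frontier:
        host, since = frontier.pop(0)
        for f in ssh:
            if f["src"] != host or f["dst"] in seen:
                continue
            if since is not None and not (since <= f["start"] <= since + max_gap):
                continue
            chain.append((f["src"], f["dst"], f["start"]))
            seen.add(f["dst"])
            frontier.append((f["dst"], f["start"]))
    return chain


ALL_FLOWS = parse_flows(SAMPLE_CSV + brute_force_burst() + "\n")

if __name__ == "__main__":
    print("SSH bursts:", ssh_bursts(ALL_FLOWS))
    for src, dst, start in trace_ssh_pivots(ALL_FLOWS, "203.0.113.7"):
        print(f"{start.time()}  {src} -> {dst}:22")
```

Both checks depend on having every flow, not a sample: the burst detector counts individual short connections, and the pivot trace needs the one internal SSH flow that links each hop. The byte thresholds are a rough separator between failed logins and interactive sessions and would be tuned against a real baseline.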

More than that intricate analysis, a fast full-fidelity NetFlow system gives an analyst an unparalleled feel for the network. Simply clicking around and exploring for a half hour can give a person a far better idea of what to expect in the traffic than days in the lecture hall. It is that intuitive feel for the network, made possible by mere exploration, that ultimately gives an analyst the knowledge and understanding needed to truly secure a computer network.