How does FlowTraq scale if we decide to monitor 20% to 50% more sites?
FlowTraq offers a unique cluster solution that allows you to scale quickly and easily by adding more server components to a cluster configuration. These additional servers require their own VMs and resources.

What are FlowTraq's architecture components?
FlowTraq software can be deployed on one or more servers, typically in a VM. Depending on where the NetFlow telemetry is coming from — switches, routers, firewalls and/or flow export agents — there are several deployment options and factors to be considered. FlowTraq also offers a FlowProxy for securely encrypting and compressing flow data for backhauling between sites, or from CPE devices.

If the FlowTraq license is based on flows, what happens when the number of flows exceeds the purchased license?
FlowTraq's flow-based license is based on the average number of flows per second, which allows for spikes in flow rate. If that average is exceeded, FlowTraq continues to accept flows, limited only by the hardware's ability to keep up, for a grace period of 72 hours.

Does FlowTraq have the capability for retrospective analysis/hunting?
Yes, FlowTraq performs full-fidelity flow analysis and allows you to store the data for as long as you'd like. This gives you the ability to perform retrospective analysis and hunt persistent threats that, unbeknownst to you, have gained and retained access to your environment.

Does FlowTraq support NetFlow version 9, Flexible NetFlow, and IPFIX data?
Yes, FlowTraq ingests all versions of flow!

What happens when the system cannot cope with the load associated with an increase in the number of flows processed?
FlowTraq is typically provisioned with sufficient headroom. If the system is running out of resources, it will provide alerts via the Administration page (CPU, memory, disk, etc.). If the system does run out of resources, FlowTraq prioritizes storage of incoming flow data over query servicing, to ensure no forensic data is lost.

Can all hardware components be virtualized?
Yes, FlowTraq is delivered as downloadable software or as a pre-configured virtual appliance that may be deployed in your local virtualized environment or at a public cloud provider such as Amazon's AWS, Google Cloud, or Microsoft's Azure.

What scrubbing platforms are supported when invoking DDoS remediation?
• A10 Thunder TPS DDoS Scrubber
• Verisign Cloud Sign
• Fortinet FortiDDoS DDoS Attack Mitigation Appliance
• Radware DefensePro
• Remotely triggered black hole routing

Can FlowTraq leverage NBAR2 (Next Generation NBAR) with built-in capabilities to make use of fields in flows (like HTTP URL, host, user agent)?
FlowTraq supports NBAR and Palo Alto AppID; it does not support NBAR2.

Does FlowTraq allow adding custom rules to detect anomalies or unwanted behavior?
Yes, the analysis engine is very flexible. You can add custom rules for every traffic category, add threats to blacklists, set fine-grained thresholds on traffic patterns, or use dynamic baselining to detect deviations from normal patterns or activity at odd times of day.

Does FlowTraq have the capability to send scheduled reports by email?
Yes, FlowTraq can schedule and send reports to multiple email addresses. These reports contain detected anomalies and threats with relevant details and links to further information. Reports can also be scheduled on a regular basis, for example daily, weekly, or monthly.

Is FlowTraq capable of providing behavior and threat analysis solely based on NetFlow data?
Yes, FlowTraq is based on full-fidelity flow data. Its security analytics and threat analysis are based entirely on flow data.

Does FlowTraq have built-in capability for integration with other SIEM solutions? Please list them in the details.
Yes. FlowTraq has a detailed, bidirectional integration with Splunk through the FlowTraq Splunk App. FlowTraq also allows straightforward extensibility into other products such as AlienVault, ArcSight, and QRadar through syslog messages as well as its rich API.

Can FlowTraq enrich logs and events with threat intelligence feeds?
Yes, see the answer above.

Does FlowTraq have built-in capability to detect lateral movement?
Yes, FlowTraq detects and alerts on brute-force and scanning behaviors. It can also detect beacons to C&C servers, data exfiltration, DoS/DDoS attacks, malware outbreaks/worms, unauthorized applications, and unauthorized proxy servers.

Can FlowTraq work with custom / third-party intelligence feeds? Can it use multiple threat intelligence feeds simultaneously?
FlowTraq supports custom and third-party intelligence feeds; it also supports multiple feeds simultaneously.

Does FlowTraq have the capability for event-driven packet captures?
Yes, FlowTraq can initiate event-based packet captures using plugins.

Does FlowTraq have the capability to capture data on SPAN ports for detailed data analysis?
Yes, the FlowExporter software can be deployed on a VM where one of the network interfaces is connected to the SPAN/mirrored port. This allows the generation of NetFlow data at speeds of up to 80 Gbps on commodity hardware.

Does FlowTraq have the capability to understand and take advantage of network topology information?
Yes, the interfaces of the various flow exporters can be assigned a category, such as Uplink, Edge, or Core, which allows for a topology-based understanding of the data.

Does FlowTraq have built-in capability for invoking remediation (e.g., creating an ACL entry)?
Yes.

Does the system provide SNMP traps and alerts about the health of its components? If so, what metrics are available?
Yes, the system can be monitored using SNMP for availability, utilization status, and utilization percentage.

What purchase models are available?
FlowTraq offers both perpetual and subscription-based license models, which allow organizations to budget using either operational (OPEX) or capital (CAPEX) funding. Please contact a FlowTraq representative for a quote.