sFlow is a traffic sampling technology that scales extremely well for big and busy networks. It provides an industry standard for exporting truncated packets with interface counters.
The sFlow Agent is a software process that runs as part of the network management software within devices, such as routers or switches. The sFlow agent packages the data into sFlow datagrams that are immediately sent on the network to minimize memory and CPU requirements.
What are the advantages of using sFlow?
There are great reasons to use sFlow, but there are some tradeoffs, especially when it comes to using sFlow for security.
Unlike sFlow, NetFlow does not forward packet samples directly; instead, summaries of flows are cached and then exported based on active and inactive timeouts. As packets are collected, the volumetric data builds up in the flow records, and after some time has passed — usually about 1 minute — the record is sent to the collector. This means that information about ongoing conversations is exported with a delay. While this gives sFlow a point in its favor, many newer NetFlow exporters can be tuned to export at higher rates, diminishing sFlow’s speed advantage.
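To make the timeout mechanism concrete, here is an added Python model of a NetFlow-style flow cache (example code written for this article, not part of any exporter or of FlowTraq). The 60 s active and 15 s inactive timeouts and the traffic are constructed values; export_delays reports how long after a flow's first packet its record actually leaves the cache, which is the delay the paragraph describes.

```python
from dataclasses import dataclass

ACTIVE_TIMEOUT = 60.0    # seconds: long-lived flows are exported at least this often (assumed value)
INACTIVE_TIMEOUT = 15.0  # seconds: a flow is exported this long after its last packet (assumed value)

@dataclass
class FlowRecord:
    key: tuple          # (src, dst, dst_port)
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0

class FlowCache:
    """Minimal NetFlow-style cache: packets accumulate into records that are
    exported only when a timeout fires, which is where the export delay comes from."""

    def __init__(self):
        self.active = {}
        self.exported = []  # (export_time, FlowRecord)

    def expire(self, now):
        for key, rec in list(self.active.items()):
            if now - rec.last_seen >= INACTIVE_TIMEOUT or now - rec.first_seen >= ACTIVE_TIMEOUT:
                self.exported.append((now, self.active.pop(key)))

    def observe(self, ts, key, size):
        self.expire(ts)  # timeouts are checked as the packet stream advances the clock
        rec = self.active.get(key)
        if rec is None:
            rec = self.active[key] = FlowRecord(key, ts, ts)
        rec.last_seen = ts
        rec.packets += 1
        rec.octets += size

def export_delays(packets):
    """Feed (ts, key, size) tuples through the cache and return, per exported record,
    (key, packet count, seconds between the flow's first packet and its export).
    Records still sitting in the cache at the end have not been exported and are not listed."""
    cache = FlowCache()
    for ts, key, size in sorted(packets):
        cache.observe(ts, key, size)
    return [(rec.key, rec.packets, exported_at - rec.first_seen)
            for exported_at, rec in cache.exported]

# Constructed traffic: a three-packet beacon and a long-lived transfer, both starting at t=0.
BEACON = ("10.0.0.5", "203.0.113.9", 443)
BULK = ("10.0.0.7", "198.51.100.20", 22)
PACKETS = [(t, BEACON, 120) for t in (0.0, 0.5, 1.0)]
PACKETS += [(float(t), BULK, 1400) for t in range(0, 101)]
```

With this traffic the beacon's record is exported 16 s after its first packet (15 s of silence after the last one) and the first record for the transfer only when the active timeout fires at 60 s, even though both flows began at t=0.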
NetFlow/IPFIX traffic can be sampled, and sFlow is, by definition, always sampled. This means that only some packets are used to create the flow records, and many are ignored. Sampling can significantly reduce CPU usage, but is sampling network flow traffic in general a good idea for security purposes? The short answer is that sampling is not ideal for ensuring you have maximum visibility for maximum security and protection. When sampling, it is easy to miss hacker activity like command and control channels. If you’re interested, we also have the long answer that dives deeper into the analysis leading to that conclusion.
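The following added Python example (not from the original article) quantifies why sampling misses quiet channels: under independent 1-in-N packet sampling, a flow of k packets produces no sample at all with probability (1 - 1/N)^k. The flow sizes and sampling rates are constructed assumptions chosen to contrast a low-volume command and control beacon with bulkier traffic.

```python
import math
import random

def miss_probability(packets, rate):
    """Chance that a flow of `packets` packets contributes no sample at all
    under independent 1-in-`rate` packet sampling: (1 - 1/rate) ** packets."""
    return (1.0 - 1.0 / rate) ** packets

def packets_for_detection(rate, confidence):
    """Smallest flow size for which at least one sample is taken with the given
    probability, i.e. how chatty a host must be before sampling reliably sees it."""
    if rate == 1:
        return 1  # unsampled: the first packet is always seen
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - 1.0 / rate))

def simulate_seen_fraction(packets, rate, flows=2000, seed=1):
    """Monte Carlo check of miss_probability: fraction of `flows` flows of `packets`
    packets each that yield at least one sample under random 1-in-`rate` sampling."""
    rng = random.Random(seed)
    seen = 0
    for _ in range(flows):
        if any(rng.random() < 1.0 / rate for _ in range(packets)):
            seen += 1
    return seen / flows

# Constructed flow sizes: a beacon, a typical web session and a bulk transfer.
FLOWS = {"c2 beacon (20 pkts)": 20, "web session (400 pkts)": 400, "bulk transfer (50k pkts)": 50_000}

if __name__ == "__main__":
    for rate in (1, 100, 1000):
        for name, n in FLOWS.items():
            p = 1.0 - miss_probability(n, rate)
            print(f"1:{rate:<5} {name:<26} P(seen)={p:.3f}")
        print(f"1:{rate:<5} a flow must carry >= {packets_for_detection(rate, 0.95)} packets "
              f"to be seen with 95% confidence")
```

At 1:1000 sampling a 20-packet beacon goes completely unobserved about 98% of the time, while the 50,000-packet transfer is essentially never missed; a flow needs roughly 3,000 packets before sampling at that rate sees it with 95% confidence.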
Both sFlow and NetFlow/IPFIX report the source and destination ports, TCP flag combinations, and IP addresses of the traffic they see. In practice, both provide sufficient detail to enable a collector to detect a security problem such as a DDoS attack, network scanning, or an insider threat. It’s up to the collector to use that data to make the appropriate determination. More on that below.
Network security professionals need robust investigative capabilities to be able to determine quickly what happened after an attack or breach, and here’s where sFlow for security takes a hit. One other “feature” of sFlow is that sampled packets get forwarded as they are picked up, but they are not timestamped, so there is a small level of uncertainty about the exact capture time of each packet. In forensic investigations this accuracy is critical, because it is often important to know in exactly what order connections were initiated. The net result is that sFlow simply doesn’t provide the granularity and precise accuracy required to perform a full forensic investigation and determine exactly what happened before, during, and after a security breach.
So, when it comes to network security, can you use sFlow?
Or, do you really need an unsampled Netflow/IPFIX solution?
The answer is that it depends.
Sampled sFlow is very powerful for fast DDoS detection. Because sampled packets are exported as they flow through, the time-to-detection for a volumetric DDoS attack is very short when using sFlow. If you are an ISP or a large enterprise and plan to use NetFlow for data and security analysis, that can justify the increased hardware cost associated with tracking every communication.
For small organizations, the answer may simply be dictated by the switching and router gear currently in-house.
In any case, if you have sFlow-enabled devices, you should consider enabling sFlow exports to give you data about your network traffic, because even sampled data is better than no data at all.
The bottom line is, information security professionals leveraging sFlow for security should understand the capabilities and tradeoffs, and manage their security tools and processes accordingly.
Whether you are using sFlow or NetFlow/IPFIX – or some combination – for security, you want to make sure that your collector gives you the best possible capabilities for detection and forensic investigations. You want a flow analysis solution that will analyze this data to learn and understand the changing patterns of behavior inside your network, so when any system, mobile device, or server starts behaving outside the normally expected patterns – representing a potential security problem – you can quickly shut them down.
FlowTraq monitors network flow traffic in real time and immediately detects unusual behavior and deviations from “normal” patterns that indicate DDoS attacks, network scanning, insider threats and other unwanted behavior on the network so you can act fast. And after an attack, FlowTraq provides complete digital evidence to understand what happened, how long it was happening, and what other systems may have been affected.
Start your free trial now to experience FlowTraq’s superior network traffic analysis and visibility.