FlowTraq > Blog > Network Security and Visibility > sFlow and Network Security: Understanding the Tradeoffs

sFlow and Network Security: Understanding the Tradeoffs

Gurdev Sethi
By | January 17, 2018


What is sFLow?

sFlow is a traffic sampling technology that scales extremely well for big and busy networks. It provides an industry standard for exporting truncated packets with interface counters.

The sFlow Agent is a software process that runs as part of the network management software within devices, such as routers or switches. The sFlow agent packages the data into sFlow datagrams that are immediately sent on the network to minimize memory and CPU requirements.

What are the advantages of using sFlow?

  • It’s an industry standard, which ensures interoperability. (View a list of vendors that export sFlow
  • SFlow provides a network-wide view of usage and active routes.
  • SFlow is scalable, enabling it to monitor links of speeds up to 10 Gbps.
  • SFlow  is low-cost

There  are great reasons to use sFlow, but there are some tradeoffs, especially when it comes to using sFlow for security.

The Different Kinds of Flows when it comes Security Visibility.

  • NetFlow is a protocol originally designed by Cisco to collect IP network traffic as it enters or exits an interface.
  • JFlow is Juniper’s flow protocol, and there are other XFlows from a variety of vendors, and for the purposes of this discussion, they are all the same, or very similar to NetFlow.
  • Internet Protocol Flow Information Export (IPFIX) defines how IP flow information is formatted and transferred from an exporter to a collector – is based on NetFlow v9.

sFlow vs Netflow

Unlike sFlow, NetFlow does not forward packet samples directly, instead summaries of flows are cached and then exported based on active and inactive timeouts. Meaning, as packets are collected, the volumetric data builds up in the flow records.  After some time has passed — usually about 1 minute — the record is sent to the collector.This means that information about ongoing conversations is exported with a delay. While this gives sFlow a point in its favor, many newer NetFlow exporters can be tuned to export at higher rights, diminishing sFlow’s speed advantage.

The Problem with Sampling & Security Visibility

NetFlow/IPFIX traffic can be sampled, and sFlow is, by definition, always sampled. This means that only some packets are used to create the flow records, and many are ignored.  Sampling can significantly reduce CPU usage, but is sampling network flow traffic in general a good idea for security purposes? The short answer is that sampling is not ideal for ensuring you have maximum visibility for maximum security and protection. When sampling, it is easy to miss hacker activity like command and control channels. If you’re interested, we also have the long answer that dives deeper into the analysis leading to that conclusion.

sFlow for Security Detection

sFlow and NetFlow/IPFIX send information about sending and receiving port, including flag combinations and IP address. In practice, both provide sufficient details to enable a collector to detect a security problem, such as a DDoS attack, network scanning, insider threat, etc. It’s up to the collector to use that data to make the appropriate determination. More on that below.

sFlow for Security Forensic Investigations

Network security professionals need robust investigative capabilities to be able to determine what happened quickly after an attack or breach. And here’s where sFlow for security takes a hit. One other “feature” of sFlow is that sampled packets get forwarded as they are picked up, but they are not timestamped. This means there is a small level of uncertainty about the exact capture time of the packet. In forensic investigations this, accuracy is critical because it is often important to know in exactly what order connections were initiated. The net result is that sFlow simply doesn’t provide the granularity and precise accuracy required to perform a full forensic investigation to determine exactly what happened before, during, and after a security breach.

There’s No One-Size-Fits-All Answer

So, when it comes to network security, can you use sFlow?

Or, do you really need an unsampled Netflow/IPFIX solution?

The answer is that it depends.

Sampled sFlow is very powerful for fast DDoS detection. As packets are exported as they flow through, the time-to-detection for a volumetric DDoS attack is very quick when using sFlow. If you are an ISP or a large enterprise and plans to use NetFlow for data and security analysis, that can justify the increased hardware cost associated with tracking every communication.

For small organizations, the answer may simply be dictated by the switching and router gear currently in-house.

In any case, if you have sFlow-enabled devices, you should consider enabling sFlow exports to give you data about your network traffic, because even sampled data is better than no data at all.

The bottom line is, information security professionals leveraging sFlow for security should understand the capabilities and tradeoffs, and manage their security tools and processes accordingly.

Go with the Flow … for Maximum Security

Whether you are using sFlow or NetFlow/IPFIX – or some combination – for security, you want to make sure that your collector gives you the best possible capabilities for detection and forensic investigations. You want a flow analysis solution that will analyze this data to learn and understand the changing patterns of behavior inside your network, so when any system, mobile device, or server starts behaving outside the normally expected patterns – representing a potential security problem – you can quickly shut them down.

FlowTraq monitors network flow traffic in real time and immediately detects unusual behavior and deviations from “normal” patterns that indicate DDoS attacks, network scanning, insider threats and other unwanted behavior on the network so you can act fast. And after an attack, FlowTraq provides complete digital evidence to understand what happened, how long it was happening, and what other systems may have been affected.

Start your free trial now to experience FlowTraq’s superior network traffic analysis and visibility.