Software-defined networking, whether we talk about SDN in the data centre or SD-WAN at the edge, is the latest step-change across all facets of networking. For generations we have relied on good old SNMP for routine monitoring of our network infrastructure. Cisco then brought us NetFlow, a technology (later standardised by the IETF as IPFIX) for collecting layer-3 and layer-4 traffic statistics: IP addresses, ports, protocols, timestamps, byte and packet counts and several other per-flow details that let us see a little deeper into the workings of the network and the delivery of applications.
NetFlow was a wow factor at the time because it exposed what was happening at the flow level, where previously you would have needed a protocol analyser (a packet sniffer). The tooling available then, and mostly still now, has been used for performance baselining, top-N statistics, real-time QoS performance, top-N conversations, capacity planning, traffic engineering and so on, and it remains widely used today, especially for network statistical data.
Next-Gen FlowSec Forensics
You cannot get more accurate information than from the devices your data actually flows through end-to-end, so why are engineering teams reluctant to enable flow export? It is largely a fallacy that configuring flow drives up CPU and memory consumption: on platforms that build the flow cache in hardware, or with sampling and sensible cache timeouts on those that do not, the overhead on the exporting device is small. The one case where the cost is real is unsampled export on a software-forwarding router carrying high packet rates, and that is usually the experience the objection remembers.
Flow tooling has moved on considerably. Modern collectors do not stop at the traditional flow record: they stitch in metadata (for example application identification, DNS names and user identity) and log data from other sources, so each record carries far more context than a five-tuple plus counters. Feeding that enriched data into security operations gives faster and more accurate detection of suspicious and anomalous behaviour.
Without question there are great security products on the market that look for unusual behaviour, increasingly with artificial intelligence (AI) layered on top like icing on a well-engineered cake. The big BUT is that, apart from costing an arm and a leg in licensing and professional services, they still struggle to separate the signal of a threat from the background noise of ordinary connectivity, so by the time you think you have identified the signal the threat is no longer just a threat. It is already a reality in your network.
Using flow to track blocklisted addresses being contacted from inside your organisation, or malware calling home to command-and-control infrastructure and being dropped by the access control lists (ACLs) at your routing entry points, gives you real insight into how well your external-facing security devices are doing their job. Provided the flow monitor sits where it sees the traffic before the ACL drops it (the inside interface, for an outbound beacon), the record of the attempt still exists, and a one-way flow with no return traffic is itself evidence that the control worked. Being able to derive First-Packet-Response (FPR) times from flow data shows you the real response across the network, lets you measure DNS lookup response for every request seen by every NetFlow sender, and lets you visualise potential SYN floods hitting your network, whether caused by a misconfiguration slowing systems down or, worse, by hostile scanning.
Visibility into bandwidth consumption by the top applications lets you plan real bandwidth requirements and profile your allowlisted addresses, so you can tighten policies, filter and report on anomalies more efficiently, and feed the analysis into dashboards that show real-time internal and external behaviour.
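As an added example (not code from the original page), here is the kind of triage the last two paragraphs describe, run over constructed flow records rather than a live exporter: inside hosts talking to a blocklisted address (the SYN-only, no-reply shape of a beacon the edge ACL dropped), one host SYN-probing many ports on a server, many sources SYN-flooding one port, and top applications by bytes. The internal ranges, blocklist, thresholds, port-to-application table and every flow record are assumptions made up for the example, using RFC 1918 and RFC 5737 addresses.

```python
"""Flow-record triage: blocklist hits, SYN-only scanning and flooding, top apps by bytes.

Added example, not code from the original page. Records are modelled on the fields an
nfdump / NetFlow v5-style export gives you; the site data and flows are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TCP, UDP = 6, 17
SYN, ACK = 0x02, 0x10          # TCP flag bits as carried in a flow record's flags field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    flags: int                 # cumulative TCP flags seen in the flow (0 for UDP)
    pkts: int
    byts: int


# Hypothetical site data: internal ranges, a threat-intel blocklist, well-known ports.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BLOCKLIST = {"203.0.113.7", "198.51.100.23"}
WELL_KNOWN = {53: "dns", 80: "http", 443: "https", 22: "ssh"}


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL)


def syn_only(f: Flow) -> bool:
    """SYN set, ACK never set: a connection attempt that got no handshake back."""
    return f.proto == TCP and bool(f.flags & SYN) and not f.flags & ACK


def blocklist_hits(flows):
    """Internal hosts talking to, or being contacted by, blocklisted addresses.
    A SYN-only hit with a handful of packets is the classic shape of a beacon
    the edge ACL dropped: the attempt is recorded, the answer never came."""
    return [f for f in flows
            if (is_internal(f.src) and f.dst in BLOCKLIST)
            or (is_internal(f.dst) and f.src in BLOCKLIST)]


def port_scanners(flows, min_ports=10):
    """One source sending SYN-only flows to many distinct ports on one host."""
    ports = defaultdict(set)
    for f in flows:
        if syn_only(f):
            ports[(f.src, f.dst)].add(f.dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def syn_flood_targets(flows, min_sources=20):
    """Many distinct sources sending SYN-only flows to one dst:port."""
    srcs = defaultdict(set)
    for f in flows:
        if syn_only(f):
            srcs[(f.dst, f.dport)].add(f.src)
    return {tgt: len(s) for tgt, s in srcs.items() if len(s) >= min_sources}


def top_applications(flows, n=3):
    """Bytes per application, naming the flow by whichever side is a well-known port."""
    usage = Counter()
    for f in flows:
        app = WELL_KNOWN.get(f.dport) or WELL_KNOWN.get(f.sport) or f"{f.proto}/{f.dport}"
        usage[app] += f.byts
    return usage.most_common(n)


def sample_flows():
    """Constructed flow records: normal traffic plus the three things we look for."""
    flows = [
        Flow("10.0.0.20", "192.0.2.10", 51000, 443, TCP, SYN | ACK, 2200, 1_500_000),
        Flow("10.0.0.20", "10.0.0.2", 52000, 53, UDP, 0, 2, 240),
        # Beacon to a blocklisted C2 address: three SYN retries, no ACK ever seen.
        Flow("10.0.0.12", "203.0.113.7", 40100, 443, TCP, SYN, 3, 180),
    ]
    # Port scan: one inside host probing 15 ports on a server.
    flows += [Flow("10.0.0.77", "10.0.0.5", 45000 + p, p, TCP, SYN, 1, 60)
              for p in range(20, 35)]
    # SYN flood: 25 distinct outside sources hammering one web port.
    flows += [Flow(f"198.51.100.{i}", "10.0.0.5", 33000, 80, TCP, SYN, 1, 60)
              for i in range(100, 125)]
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("blocklist hits:", [(f.src, f.dst, f.dport) for f in blocklist_hits(flows)])
    print("port scanners:", port_scanners(flows))
    print("syn flood targets:", syn_flood_targets(flows))
    print("top applications:", top_applications(flows))
```

Two practical caveats. The SYN-only test is only meaningful when the exporter sees both directions of a conversation; with asymmetric routing, or a monitor applied to ingress only, every flow looks one-way and the scan and flood detectors will fire on normal traffic. And the thresholds here are deliberately low for a small sample; on a real collector they are tuned against the baseline the earlier paragraphs describe, not picked once.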