Which to use for security analytics, IPFIX or sFlow?

The network security market is increasingly leveraging flow-based metadata for a variety of cyber security initiatives. These include anomaly detection, network forensics, detection of command and control activity, and early indications of data exfiltration.

Today there are a few different ways to generate flow-based metadata from network traffic. Internet Protocol Flow Information Export (IPFIX) and sFlow are two examples. Both IPFIX and sFlow derive flow-based metadata by looking at packets on the wire and condensing the packet information into flow records that capture information about the conversation. Some merchant Ethernet switch silicon vendors provide sFlow generation capability built into the silicon itself. However, sFlow found in many Ethernet switches uses sampling of the wire traffic to derive the flow metadata. In addition, many of them provide a very limited ability to customize the fields that can be included in the flow metadata records.  This means important information is often missed.

Vendors implementing IPFIX, on the other hand, tend to provide a much more customizable flow record with user-defined custom templates that can be specified to include various different fields within the packet. Additionally there are solutions that can generate IPFIX flow records by looking at every packet on the wire i.e. without resorting to sampling of network traffic but rather looking at all network traffic, or at very high sampling rates.  However, IPFIX flow generation capability is not commonly built into Ethernet switches that typically use merchant silicon.

There are strong camps advocating either IPFIX or sFlow. Both have their merits and shortcomings.

However, when it comes to usage of flow-based metadata for security, there is a clear line in the sand. Flow-based metadata generated out of sampled information leaves a big gap when it comes to information security. For example on a 10G link if the flow data is generated by sampling 1 in 2000 packets, it means that 99.95% of traffic is not being looked at. If a cybersecurity professional is trying to detect lateral movement of malware, or trying to find command and control activity over some backchannels, working off data that ignores 99.95% of the traffic leaves them with little more than a prayer of finding that activity. For this reason when using flow metadata for anomaly detection, or forensics, or command and control activity, or a variety of cybersecurity related initiatives, it is critical that the flow data be generated by looking at all packets on the wire not just a sample of packets.  Additionally, given the rapid evolution in the nature of malware, the ability to customize what fields within each packet to look at and what information to include within the flow metadata records  significantly expands the ability of the cyber security professional to derive more meaningful, more timely and more relevant information.

Any flow metadata generation solution that is being used for cybersecurity needs to address these two key requirements i.e. generating data by looking at all packets on the wire, and the ability to customize what data to look at and report.  So rather than debate the question of sFlow vs IPFIX, a more relevant question would be whether that flow metadata is based on a sampling of actual wire data or is it based on inspection of all traffic on the wire and how customizable is that metadata. If it is based on sampling as is found in many common white box/bare metal Ethernet switches, it may fall significantly short of what is needed for cyber security initiatives.

At Gigamon our IPFIX generation capability is tailored to addressing the stringent security use case, with the ability to generate IPFIX records by looking at all packets on the wire, and also providing customizable templates for the IPFIX records. This allows information security professionals to accurately fingerprint network activity, provide better detection of command and control activity, as well as enable rapid forensics and anomaly detection.

CONTINUE THE DISCUSSION

People are talking about this in the Gigamon Community’s Security group.

Share your thoughts today