NetFlow in the Cloud

Senior Manager, Product Marketing
Gigamon

Organizations are going through a digital transformation at a very fast pace. As a result, more data is flowing throughout their infrastructures – both on-premises and in the public cloud. Security tools have difficulty keeping up with the influx of data and enterprises face heightened risk of security breaches, which can have severe consequences to reputation and brand.

One way to gain insight into all the data flowing over networks is to summarize the traffic flows traversing the infrastructure. NetFlow/IPFIX generation is a popular way to do this on-premises; it offers a way to summarize network traffic in the form of “flow records.” NetFlow and IPFIX are powerful technologies that are used by both security operations (SecOps) and network operations (NetOps) teams today. In fact, a large ecosystem of security and monitoring tools, including many SIEMs, readily understand the format of NetFlow and IPFIX records.

Today, we are debuting NetFlow/IPFIX Generation on the Gigamon Visibility Platform for Amazon Web Services (AWS). With this new capability, enterprises can gain access to and analyze relevant data in the cloud to protect themselves from inbound distributed denial of service (DDoS) attacks, data exfiltration and other security threats. An especially important attribute of NetFlow is its ability to reduce the amount of data transferred by up to a whopping 99 percent. If these flow records are being sent to an analyzer that is located in a different region or sent from AWS to on-premises, the data reduction can lead to some significant cost savings.

Think of NetFlow or IPFIX as the equivalent of a phone bill that summarizes the different phone conversations you may have had in the past month – for example, who you called, who called you, the area code and country code of the other party or the duration of the conversation. Likewise, a summary of all the traffic flows in virtual private cloud (VPC) instances is especially useful in security analysis when deviations from normal behavior could be the early smoke signal to alert a security team of potential security incidents.

NetFlow offers a pragmatic way to sift through voluminous data and extract essential information about the nature of interactions happening in a VPC:

  • Information on source and destination of network traffic flows.
  • Statistical information about such traffic flows.
  • Flow details, such as protocol information, class of service, causes of congestion.
  • Application-level insights.

NetFlow/IPFIX capabilities allow enterprises to deliver relevant, summarized data to security and monitoring tools so that they consume the right data needed for incident analysis. To use NetFlow/IPFIX in security analysis, it is vital to support unsampled NetFlow – that is, security teams must have the ability to generate a NetFlow record for every flow seen. Just as a surveillance camera is useless if it is taking a snapshot every few minutes, sampled NetFlow, which generates a flow record for only a sample of traffic, is insufficient for security analysis.

The Gigamon Visibility Platform for AWS supports unsampled NetFlow record generation, thereby ensuring that flows are not missed. An effective way to gain good insight is by using the NetFlow/IPFIX record generation capability in combination with full traffic capture. In other words, use flow records to identify anomalous patterns and full traffic capture to “zoom in” on those specific flows.

If you are an AWS user wondering how this is different from VPC Flow Logs, there are several ways you can use the NetFlow/IPFIX flow record generation capability to augment what you may already be doing today with VPC Flow Logs:

  • The Gigamon Visibility Platform generates flow records for any traffic it sees. Flow records on Dynamic Host Configuration Protocol (DHCP) traffic? Yes! Traffic to the Amazon Domain Name System (DNS) server? Amen! Traffic to your default VPC router? Sí!
  • NetFlow and IPFIX formats are recognized by a broad range of tools used by SecOps and NetOps practitioners. The Gigamon Visibility Platform can generate flow records in NetFlow v5, NetFlow v9 and IPFIX format. Plug and play – just send the flow records to a tool that understands NetFlow/IPFIX and you are off to the races. We have already validated interoperability with Plixer Scrutinizer, Splunk ES, Cisco Stealthwatch, Kentik and NtopNG to name a few.
  • Cloud operations and SecOps engineers are often tasked with finding the root cause of an incident or behavior that is difficult to explain. In such situations, the ability to use NetFlow/IPFIX for gaining broad insight into the infrastructure, coupled with full traffic capture for deep insight on a subset of flows, provides a powerful set of capabilities for operations teams. The Gigamon Visibility Platform for AWS supports both these capabilities – all in a common platform – and can dynamically service chain multiple such capabilities to maximize effectiveness.

To learn more about NetFlow/IPFIX Generation for AWS, please read our press release and check out our Visibility Platform for AWS or come visit us at AWS re:Invent 2017 during our partner theater session “Gain Application and Security Insights using NetFlow and Metadata with Gigamon Visibility Platform for AWS” at either of the following times:

  • Tuesday, November 28, at 1:15 p.m. PST
  • Wednesday, November 29, at 1:15 p.m. PST