Organizations are going through a digital transformation at a very fast pace. As a result, more data is flowing throughout their infrastructures – both on-premises and in the public cloud. Security tools have difficulty keeping up with the influx of data, and enterprises face a heightened risk of security breaches, which can have severe consequences for reputation and brand.
One way to gain insight into all the data flowing over networks is to summarize the traffic flows traversing the infrastructure. NetFlow/IPFIX generation is a popular way to do this on-premises; it offers a way to summarize network traffic in the form of “flow records.” NetFlow and IPFIX are powerful technologies that are used by both security operations (SecOps) and network operations (NetOps) teams today. In fact, a large ecosystem of security and monitoring tools, including many SIEMs, readily understand the format of NetFlow and IPFIX records.
Today, we are debuting NetFlow/IPFIX Generation on the Gigamon Visibility Platform for Amazon Web Services (AWS). With this new capability, enterprises can gain access to and analyze relevant data in the cloud to protect themselves from inbound distributed denial of service (DDoS) attacks, data exfiltration and other security threats. An especially important attribute of NetFlow is its ability to reduce the amount of data transferred by up to a whopping 99 percent. If these flow records are being sent to an analyzer that is located in a different region, or sent from AWS to on-premises, the data reduction can lead to significant cost savings.
Think of NetFlow or IPFIX as the equivalent of a phone bill that summarizes the different phone conversations you may have had in the past month – for example, who you called, who called you, the area code and country code of the other party, or the duration of the conversation. Likewise, a summary of all the traffic flows in virtual private cloud (VPC) instances is especially useful in security analysis, since deviations from normal behavior can be the early smoke signal that alerts a security team to a potential security incident.
NetFlow allows a pragmatic way to sift through voluminous data and extract essential information about the nature of interactions happening in a VPC:
NetFlow/IPFIX capabilities allow enterprises to deliver relevant, summarized data to security and monitoring tools so that those tools receive exactly the data needed for incident analysis. To use NetFlow/IPFIX in security analysis, it is vital to support unsampled NetFlow – that is, security teams must have the ability to generate a NetFlow record for every flow seen. Just as a surveillance camera is useless if it only takes a snapshot every few minutes, sampled NetFlow, which generates flow records from only a sample of the packets, is insufficient for security analysis: short flows can be missed entirely.
The Gigamon Visibility Platform for AWS supports unsampled NetFlow record generation, thereby ensuring that flows are not missed. An effective way to gain good insight is by using the NetFlow/IPFIX record generation capability in combination with full traffic capture. In other words, use flow records to identify anomalous patterns and full traffic capture to “zoom in” on those specific flows.
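The two preceding paragraphs describe what a flow record summarizes, why unsampled generation matters, and how flow records point an analyst at the flows worth capturing in full. The following is an added example, not Gigamon's code and not from the original post, that makes those points concrete: it aggregates a constructed packet stream into NetFlow/IPFIX-style records keyed on the 5-tuple, shows how deterministic 1-in-N packet sampling drops short flows that unsampled generation keeps, computes the data reduction against an assumed 48-byte NetFlow v5 record, and flags an unusually large outbound flow from the records as a candidate for a full-capture "zoom in". All packets, addresses and thresholds are constructed for the example.

```python
"""Added example (not Gigamon's code): aggregate packets into flow records,
compare unsampled generation with 1-in-N packet sampling, and use the records
to flag an unusually large outbound flow. All traffic below is constructed."""
from dataclasses import dataclass

NETFLOW_V5_RECORD_BYTES = 48  # size of one NetFlow v5 flow record on the wire


@dataclass
class FlowRecord:
    """Fields a NetFlow v5 / IPFIX record carries for one unidirectional flow."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int = 0
    bytes: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


def build_flows(packets, sample_rate=1):
    """Aggregate (ts, src, dst, proto, sport, dport, length) packets into
    flow records keyed on the 5-tuple.

    sample_rate=1 is unsampled: every packet is counted, every flow is seen.
    sample_rate=N keeps only every Nth packet, mimicking deterministic
    1-in-N packet sampling, so flows shorter than N packets can vanish."""
    flows = {}
    for i, (ts, src, dst, proto, sport, dport, length) in enumerate(packets):
        if i % sample_rate != 0:
            continue
        key = (src, dst, proto, sport, dport)
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = FlowRecord(src, dst, proto, sport, dport, first_seen=ts)
        rec.packets += 1
        rec.bytes += length
        rec.last_seen = ts
    return flows


def reduction_percent(packets, flows):
    """Percent by which the flow records are smaller than the raw packet bytes."""
    raw = sum(p[6] for p in packets)
    summarized = len(flows) * NETFLOW_V5_RECORD_BYTES
    return round(100 * (1 - summarized / raw), 1)


def flag_large_outbound(flows, internal_prefix="10.", factor=10):
    """Flag flows from inside the VPC to external addresses whose byte count
    exceeds `factor` times the median outbound flow. A crude exfiltration
    indicator; the flagged 5-tuples are what full capture would zoom in on."""
    outbound = [r for r in flows.values()
                if r.src.startswith(internal_prefix)
                and not r.dst.startswith(internal_prefix)]
    if not outbound:
        return []
    sizes = sorted(r.bytes for r in outbound)
    median = sizes[len(sizes) // 2]
    return [r for r in outbound if r.bytes > factor * median]


def burst(t0, src, dst, proto, sport, dport, n, size):
    """n packets of one flow, 10 ms apart (constructed traffic)."""
    return [(t0 + 0.01 * k, src, dst, proto, sport, dport, size) for k in range(n)]


# Constructed VPC traffic: two bulk flows followed by several short flows.
PACKETS = (
    burst(0.0, "10.0.1.5", "10.0.2.9", "tcp", 40212, 443, 200, 1400)       # internal bulk transfer
    + burst(3.0, "10.0.1.7", "203.0.113.50", "tcp", 52000, 443, 125, 1400)  # large upload to outside
    + burst(5.0, "10.0.1.5", "10.0.0.2", "udp", 51000, 53, 1, 70)           # DNS query
    + burst(5.01, "10.0.0.2", "10.0.1.5", "udp", 53, 51000, 1, 120)         # DNS response
    + burst(5.1, "10.0.1.7", "10.0.2.9", "tcp", 41000, 22, 3, 100)          # short SSH session
    + burst(5.2, "10.0.1.5", "198.51.100.10", "tcp", 42000, 80, 5, 500)     # small web fetch
    + burst(5.3, "10.0.1.8", "198.51.100.10", "tcp", 43000, 443, 8, 600)    # small web fetch
)


def demo(sample_rate=16):
    """Return the unsampled and sampled flow counts, the reduction, and flags."""
    unsampled = build_flows(PACKETS)
    sampled = build_flows(PACKETS, sample_rate=sample_rate)
    return {
        "unsampled_flows": len(unsampled),
        "sampled_flows": len(sampled),
        "missed_by_sampling": sorted(set(unsampled) - set(sampled)),
        "reduction_percent": reduction_percent(PACKETS, unsampled),
        "flagged": [(r.src, r.dst, r.dport, r.bytes) for r in flag_large_outbound(unsampled)],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With 1-in-16 sampling only the two bulk flows and one of the web fetches survive; the DNS exchange, the SSH session and the other web fetch never produce a record, which is the "snapshot every few minutes" problem in miniature. The unsampled records still shrink the 462,790 constructed payload bytes to seven 48-byte records, and the median-based check singles out the 175,000-byte upload to 203.0.113.50 as the flow to pull full packets for.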
If you are an AWS user wondering how this is different from VPC Flow Logs, there are several ways you can use the NetFlow/IPFIX flow record generation capability to augment what you may already be doing today with VPC Flow Logs:
To learn more about NetFlow/IPFIX Generation for AWS, please read our press release and check out our Visibility Platform for AWS or come visit us at AWS re:Invent 2017 during our partner theater session “Gain Application and Security Insights using NetFlow and Metadata with Gigamon Visibility Platform for AWS” at either of the following times: