Cloud / February 25, 2020

NetFlow/IPFIX Generation from AWS Clouds

The rapid pace of digital transformation places a heavy burden on organizations as data flows throughout their on-premises and cloud infrastructures. Security risks are heightened as security tools have difficulty keeping up with the influx of data.

Summarizing the traffic flows is one popular method to gain insight into all this data. NetFlow/IPFIX generation has served this purpose on-premises as it offers a way to summarize network traffic in the form of “flow records.” Both security operations (SecOps) and network operations (NetOps) teams use NetFlow and IPFIX. In fact, a large ecosystem of security and monitoring tools, including many SIEMs, readily understands the format of NetFlow and IPFIX records.

GigaVUE® Cloud Suite for AWS offers NetFlow/IPFIX generation. This feature lets you access and analyze relevant data in the cloud to protect against inbound distributed denial of service (DDoS) attacks, data exfiltration and other security threats.

NetFlow can also reduce the amount of data transferred by up to a whopping 99 percent. The data reduction can save you a lot of money if these flow records are sent to an analyzer located in a different region or sent from AWS to an on-premises analyzer.

To understand what NetFlow or IPFIX gives you, imagine a phone bill that summarizes the phone conversations you had in the past month: who you called, who called you, the area code and country code of the other party, and the duration of each conversation.

Just like that phone bill, a summary of all the traffic flows in AWS virtual private cloud (VPC) instances, for example, is useful for spotting abnormal behavior early enough to alert a security team to security risks.

NetFlow lets you scrutinize data and unearth key information about the nature of interactions happening in a VPC:

  • Source and destination of network traffic flows
  • Statistics about such traffic flows
  • Flow details, such as protocol information, class of service, causes of congestion
  • Insights about applications

With NetFlow/IPFIX capabilities available, your security and monitoring tools will receive relevant, summarized data, which lets them consume the right data needed for incident analysis.

To be useful for security analysis, a NetFlow generator must support unsampled NetFlow. That means security teams need a NetFlow record for every flow seen. Just as a surveillance camera is useless if it only takes a snapshot every few minutes, sampled NetFlow, which generates flow records for only a sample of the traffic, is insufficient for security analysis.

GigaVUE Cloud Suite for AWS supports unsampled NetFlow record generation, thereby ensuring that flows are not missed. You can get key insights using the NetFlow/IPFIX record-generation capability in combination with full traffic capture. Stated another way, identify anomalous patterns using flow records and then zoom in on those specific flows using full traffic capture.
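To make the sampled-versus-unsampled point concrete, here is a small Python aggregator, added as an illustration and not Gigamon's code, that turns a constructed packet trace into NetFlow-style 5-tuple records and reports which flows a 1-in-N sampled exporter would never record. All addresses, ports and timings are made up.

```python
# Constructed packet trace (not captured traffic): each tuple is
# (time_s, src_ip, src_port, dst_ip, dst_port, ip_proto, length_bytes).
# 10.0.1.5:51000 -> 10.0.2.9:443 is a 40-packet bulk transfer; the three packets
# between 10.0.1.5:51001 and 203.0.113.7:8443 form a short, low-volume session.
PACKETS = (
    [(i * 0.01, "10.0.1.5", 51000, "10.0.2.9", 443, 6, 1400) for i in range(40)]
    + [
        (0.405, "10.0.1.5", 51001, "203.0.113.7", 8443, 6, 120),
        (0.410, "203.0.113.7", 8443, "10.0.1.5", 51001, 6, 80),
        (0.415, "10.0.1.5", 51001, "203.0.113.7", 8443, 6, 900),
    ]
)


def build_flows(packets, sample_every=1):
    """Aggregate packets into NetFlow-style records keyed on the 5-tuple.

    sample_every=1 is unsampled generation: every packet updates a record.
    sample_every=N keeps only every Nth packet, the way a deterministic 1-in-N
    sampled exporter would, so a flow whose packets all fall between samples
    never produces a record at all.
    """
    flows = {}
    for idx, (ts, sip, sport, dip, dport, proto, length) in enumerate(packets):
        if idx % sample_every:
            continue  # dropped by the sampler
        key = (sip, sport, dip, dport, proto)
        rec = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        rec["packets"] += 1
        rec["bytes"] += length
        rec["last"] = ts
    return flows


def flows_missed_by_sampling(packets, sample_every):
    """5-tuples present in the unsampled record set but absent from the sampled one."""
    return set(build_flows(packets)) - set(build_flows(packets, sample_every))


if __name__ == "__main__":
    # The unsampled "phone bill": who talked to whom, how much, for how long.
    for key, rec in build_flows(PACKETS).items():
        print(key, rec["packets"], "pkts", rec["bytes"], "bytes",
              f"{rec['last'] - rec['first']:.3f}s")
    # At 1-in-16 sampling only the bulk transfer survives; the short session is invisible.
    print("missed at 1-in-16:", flows_missed_by_sampling(PACKETS, 16))
```

Real exporters usually sample randomly rather than every Nth packet, but the coverage gap is the same: flows with few packets are the ones most likely to leave no record, and those are often the ones an analyst most needs to see.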

How does this differ from AWS VPC flow logs? Think of NetFlow/IPFIX flow record generation capability as a way to augment VPC flow logs:

  • The Gigamon Visibility and Analytics Fabric generates flow records for any traffic, including Dynamic Host Configuration Protocol (DHCP) traffic, traffic to the Amazon Domain Name System (DNS) server and traffic to your default VPC router, which VPC flow logs do not capture.
  • NetFlow and IPFIX formats are recognized by a broad range of SecOps and NetOps tools. The Gigamon Visibility and Analytics Fabric can generate flow records in NetFlow v5, NetFlow v9 and IPFIX formats.
  • It’s plug and play — simply send the flow records to a tool that understands NetFlow/IPFIX. It’s been validated for interoperability with Plixer Scrutinizer, Splunk ES, Cisco Stealthwatch, Kentik and NtopNG, to name a few.
  • For cloud operations and SecOps engineers looking for the root cause of an incident or a problem that is difficult to explain, NetFlow/IPFIX for broad insight into the infrastructure, coupled with full traffic capture for deep insight into a subset of flows, provides a powerful set of capabilities. GigaVUE Cloud Suite for AWS supports both capabilities on a common platform. It can also dynamically service chain multiple such capabilities to maximize effectiveness.

To learn more about NetFlow/IPFIX Generation for AWS, check out GigaVUE Cloud Suite for AWS and request a test drive today.

Table 1. Key Features and Benefits from Using Gigamon for NetFlow Generation

Feature: Pervasive visibility with NetFlow generation across the entire network
Benefit: Security and performance monitoring tools get a complete view of the network, versus isolated views of individual network segments generated by a specific router or switch

Feature: High-throughput out-of-band NetFlow solution
Benefit: No performance impact of NetFlow generation from production routers and switches

Feature: High-throughput out-of-band NetFlow solution
Benefit: Complete and precise picture of network activity for security monitoring without the loss of fidelity incurred from sampled NetFlow generation

Feature: Support for a wide range of NetFlow export formats – v5, v9, IPFIX and CEF
Benefit: Compatibility with legacy and next-generation NetFlow collectors

Feature: Ingress filtering on Layer 2, Layer 3 and Layer 4 headers using Gigamon Flow Mapping®
Benefit: Generate flow statistics for specific networks

Feature: Support for up to six collectors with customizable templates and filters
Benefit: Leveraging multiple vendors for security and network monitoring
