Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.


NetFlow Behavior Analysis Systems : Limited Impact

January 13, 2012

NetFlow Network Behavior Analysis (NBA) systems have limited impact on detecting threats. They are only suitable as a second or perhaps third layer of threat detection. Some companies offering NetFlow Threat Detection tools would have you believe otherwise. Don't fall for it. "Gartner says NBA is suitable as a complementary technology to intrusion detection and prevention software, which is effective for addressing network attacks that can be positively identified." As a HUGE NetFlow and IPFIX supporter, I tend to agree that flow technologies can augment security practices, but can't replace them.

Monitoring BYOD traffic with NetFlow

March 24, 2012

Monitoring BYOD traffic is a growing concern amongst network administrators. Why? Gartner predicts that 645 million smartphones will be sold in 2012 – a 40% increase from this year. Cell phone reception is often weak in the interior of office buildings, so smartphone owners will have their WiFi on. What's more, many companies are allowing employees onto the corporate network with their personal smartphones in hopes of increased productivity.

Building a NetFlow Cache: Exporting IPFIX

March 12, 2013

Most engineers implementing NetFlow or IPFIX know how to get started. Where they sometimes stumble is in producing a properly structured export with well thought out relationships between the templates. Today I want to provide a good example.

This post on building a NetFlow cache and exporting IPFIX is pretty deep. For this reason, my prior post on Exporting NetFlow or IPFIX really should be reviewed first. A flow cache entry in a router or switch is created from the first packet between two hosts, and the cache table is maintained for all active connections (i.e. flows). When a packet comes into the device, its tuple is compared to the existing entries in the cache table. A match on the key fields triggers a flow entry update, where the packet and byte counts (and perhaps other fields) are incremented and updated. Packets that don’t match a flow entry are compared to policy (e.g. firewall or ACL rules) and are either dropped or used to create new cache entries. Flow entries are exported to a flow collector periodically, based on timers (i.e. the active timeout) or on flow behaviors such as a TCP connection ending.
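The cache lifecycle described above, as an added example that is not code from the original post or from Plixer's products: a small Python model of a flow cache keyed on the 5-tuple, where the first packet of a conversation is checked against policy and creates an entry, later matching packets only bump the packet and byte counters, and entries are exported to a collector when the flow ends (TCP FIN/RST), when the active timeout elapses on a long-lived flow, or when a flow goes idle. The timeout values, the deny rule and the sample packets are constructed for illustration.

```python
"""Added example (not from the original post): a minimal software model of a
router/switch flow cache and its export behaviour. All names, timeouts and the
sample packets are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# key fields: src_ip, dst_ip, src_port, dst_port, ip_protocol
FlowKey = Tuple[str, str, int, int, int]

ACTIVE_TIMEOUT = 60.0    # constructed: export long-lived flows every 60 s
INACTIVE_TIMEOUT = 15.0  # constructed: expire flows idle for 15 s
TCP_FIN, TCP_RST = 0x01, 0x04


@dataclass
class FlowEntry:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0   # OR of all TCP flags seen on the flow


class FlowCache:
    def __init__(self):
        self.entries: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[dict] = []   # records handed to the collector

    def _export(self, entry: FlowEntry, reason: str) -> None:
        self.exported.append({
            "key": entry.key, "packets": entry.packets, "octets": entry.octets,
            "start": entry.first_seen, "end": entry.last_seen, "reason": reason})
        del self.entries[entry.key]

    def observe(self, pkt: dict, now: float, permitted=lambda pkt: True):
        """Process one packet; returns its flow key, or None if policy dropped it."""
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])
        entry = self.entries.get(key)
        if entry is None:
            # no matching key fields: consult policy before creating an entry
            if not permitted(pkt):
                return None
            entry = FlowEntry(key=key, first_seen=now, last_seen=now)
            self.entries[key] = entry
        # matching packet: only the counters and the last-seen time change
        entry.packets += 1
        entry.octets += pkt["length"]
        entry.last_seen = now
        entry.tcp_flags |= pkt.get("flags", 0)
        # flow-end behaviour: a TCP FIN or RST closes the flow and forces export
        if pkt["proto"] == 6 and entry.tcp_flags & (TCP_FIN | TCP_RST):
            self._export(entry, "end_of_flow")
        return key

    def expire(self, now: float) -> None:
        """Timer-driven export: active timeout first, then inactive timeout."""
        for entry in list(self.entries.values()):
            if now - entry.first_seen >= ACTIVE_TIMEOUT:
                self._export(entry, "active_timeout")
            elif now - entry.last_seen >= INACTIVE_TIMEOUT:
                self._export(entry, "inactive_timeout")


def run_sample():
    """Replay constructed packets through the cache; returns (exports, dropped)."""
    cache = FlowCache()

    def permitted(pkt):            # constructed ACL: no telnet to anywhere
        return pkt["dport"] != 23

    def pkt(src, dst, sport, dport, proto, length, flags=0):
        return dict(src=src, dst=dst, sport=sport, dport=dport,
                    proto=proto, length=length, flags=flags)

    events = [
        (0.0, pkt("10.0.0.5", "192.0.2.10", 51000, 443, 6, 60, 0x02)),    # SYN
        (0.5, pkt("10.0.0.5", "192.0.2.10", 51000, 443, 6, 1500)),
        (1.0, pkt("10.0.0.5", "192.0.2.10", 51000, 443, 6, 1500)),
        (2.0, pkt("10.0.0.5", "192.0.2.10", 51000, 443, 6, 52, TCP_FIN)),  # FIN
        (3.0, pkt("10.0.0.7", "192.0.2.10", 51001, 23, 6, 60, 0x02)),     # denied
        (5.0, pkt("10.0.0.9", "198.51.100.1", 40000, 53, 17, 80)),       # one DNS query
    ] + [  # long-lived syslog stream: one datagram every 10 s for 60 s
        (1.5 + 10 * i, pkt("10.0.0.3", "192.0.2.20", 5000, 514, 17, 200))
        for i in range(7)
    ]
    events.sort(key=lambda e: e[0])

    dropped = 0
    for now, p in events:
        if cache.observe(p, now, permitted) is None:
            dropped += 1
    cache.expire(62.0)   # timers fire: syslog hits active, DNS hits inactive
    return cache.exported, dropped


if __name__ == "__main__":
    for rec in run_sample()[0]:
        print(rec)
```

Running it exports three records: the HTTPS flow on its FIN (4 packets, 3112 bytes), the syslog stream on the active timeout (7 packets, 1400 bytes) and the single DNS query on the inactive timeout, while the telnet packet never creates an entry. The policy check only runs for packets that fail to match an existing key, which is why an ACL on a real device cannot retroactively stop a flow that has already been admitted to the cache; that is also why exporting on the active timeout matters, since without it a collector would see nothing about a long-running transfer until it finished.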

Been Hacked - What will you do?

December 12, 2013

Is your company a financial institution or a government agency that fears it may have been hacked?  How do you know and if you have been penetrated, what are the hackers doing?  What will you do about it?
