Cisco nvzFlow Reporting

Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.

There has been a lot of excitement at our company this week since the release of Cisco’s nvzFlow. Companies that use the Cisco ASA for VPN access have the option to upgrade to AnyConnect 4.2. With this latest release, admins can configure remote users to export IPFIX right from their laptops to the flow collector for real-time and future analysis.


According to Cisco, end users will not notice any additional overhead on their personal devices while nvzFlow exports a large amount of information about the traffic the end system is generating. The details exported by nvzFlow include username, device operating system, the domain being visited and much more. More sophisticated details are also exported, such as process and parent process names with a SHA256 hash, which can be used to verify the signature of the executable. These details allow security teams to verify the authenticity of the files that generate flows on the local system.

“Users are one of the most vulnerable parts of any security strategy, with 78% of organizations saying in a recent survey that a malicious or negligent employee had been the cause of a breach.”

Vinny Parla, Senior Staff Member

Office of the Security CTO at Cisco


nvzFlow Reporting

Reporting on nvzFlow allows the IT administrator to answer questions such as:

  • Where in the enterprise are users accessing specific SaaS services
  • What applications are being run from smart phones and tablets
  • What users are running an old or vulnerable version of an application
  • What are the top applications being run across all end systems
  • What are the top operating systems
  • What Internet domains are being requested the most
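The hash check described earlier and the "old or vulnerable version" question in the list above can both be answered by comparing each flow's process hash with a reference inventory. The sketch below is an added example, not code from this article, Cisco, or Plixer; the record field names, the inventory, and every digest are constructed assumptions and are not the nvzFlow element names.

```python
from collections import defaultdict

# Reference inventory keyed by executable SHA256.
# Constructed placeholder digests, not real file hashes.
KNOWN_HASHES = {
    "a" * 64: ("chrome.exe", "current"),
    "b" * 64: ("chrome.exe", "outdated"),
    "c" * 64: ("explorer.exe", "current"),
}
KNOWN_NAMES = {name for name, _ in KNOWN_HASHES.values()}

def flow(user, process, sha256, parent, parent_sha256, domain):
    """Build one decoded flow record (hypothetical field names)."""
    return dict(user=user, process=process, sha256=sha256,
                parent=parent, parent_sha256=parent_sha256, domain=domain)

# Constructed records, as a collector might present them after decoding.
SAMPLE_FLOWS = [
    flow("alice", "chrome.exe", "a" * 64, "explorer.exe", "c" * 64, "example.com"),
    flow("bob", "chrome.exe", "b" * 64, "explorer.exe", "c" * 64, "example.org"),
    flow("carol", "chrome.exe", "d" * 64, "explorer.exe", "c" * 64, "example.net"),
    flow("dave", "updater.exe", "a" * 64, "cmd.exe", "e" * 64, "example.com"),
]

def classify(name, digest):
    """Return a verdict for one (process name, SHA256) pair."""
    known = KNOWN_HASHES.get(digest.lower())
    if known is None:
        # A familiar name with an unfamiliar hash deserves a closer look
        # than a binary the inventory has never seen under any name.
        return "hash-mismatch" if name.lower() in KNOWN_NAMES else "unknown"
    expected_name, status = known
    if name.lower() != expected_name:
        return "name-mismatch"  # inventoried binary running under another name
    return status               # "current" or "outdated"

def review(flows):
    """Group every non-current process or parent process by verdict."""
    findings = defaultdict(set)
    for f in flows:
        pairs = (("process", f["process"], f["sha256"]),
                 ("parent", f["parent"], f["parent_sha256"]))
        for role, name, digest in pairs:
            verdict = classify(name, digest)
            if verdict != "current":
                findings[verdict].add((f["user"], role, name, f["domain"]))
    return {verdict: sorted(rows) for verdict, rows in findings.items()}

if __name__ == "__main__":
    for verdict, rows in review(SAMPLE_FLOWS).items():
        print(verdict, rows)
```
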

Ziften ZFlow

Cisco is not alone in the market when it comes to exporting these types of details from end systems using IPFIX. Ziften’s ZFlow exports include many of the same details found in nvzFlow. For example, ZFlow details include, but are not limited to:

  • Version of the layer 7 application
  • Application Description
  • Installation path of the executable
  • MD5 hash of the executable. Cisco utilizes a SHA256 hash.

Both of these technologies are brand new in the market. Therefore, my guess is that there is plenty of room for both companies in the space. What is more important to determine is whether or not consumers will want to deploy this agent on their end systems in order to collect the incredible details these exports can provide. Industry adoption of something this innovative is still to be learned, but Cisco is wasting no time in pushing it forward as a standard.

“This new protocol was developed by the Office of the Security CTO at Cisco, and is planned to be moved to a standards track in the near future,” said Vinny.

Plixer worked with both companies to make sure we both ingest and fully report all of the details.  ZFlow and nvzFlow are both welcome into the IPFIX community.   

