Published on June 22nd, 2016 | by Tony Thompson
NetFlow, We Are Never Ever Getting Back Together
I’ve been wanting to write you this letter for a long time. We’ve had some good moments, but 20 years is a long time to be together, and I don’t feel like you’re meeting my needs anymore. So I think it’s time we broke up.
Netflow, You’re No Longer Enough
When we first met in the 90s, you were my knight in shining armor. With your help, I was able to collect Layer 3 or 4 data on network flows passing through my network interfaces. With the basic flow information you provided, I finally had a good foundation to understand my network behavior. I thought your data gave me and my network the visibility I needed to identify and fight off breaches.
But Layer 4 information just isn’t enough for me anymore. The increased sophistication of today’s breaches means I need much more visibility into my network traffic, and your capabilities just don’t cut it anymore.
While it’s true you can still show me unusual activity occurring on my network, like beaconing to a server in a country I don’t normally see traffic from, you just don’t have the transaction, flow and session awareness that I need these days. I can’t keep getting burned by trusting in your unreliable port-based protocol classification. I need application-based classification.
So, NetFlow, I’m leaving you…for HDRs.
Yes, I’ve met someone else: High-Definition Records (but they like to be called HDRs for short). HDRs add an application metadata layer to increase visibility into my network’s traffic. They aren’t limited to one record per flow, and they don’t depend on packet sampling: they can be generated per transaction, per flow, or, if necessary, for a group of related flows.
How High-Definition Records Won My Heart
I know what you’re going to tell me: that I don’t need multiple records per flow, that just one NetFlow record is enough to get me the IP addresses and ports used by clients and servers communicating across my network. But I know you can’t distinguish between each email carried in that flow; the most you’ll be able to do is give me a summary of the whole flow.
Don’t you know sessions are made up of multiple flows? They have separate control and data channels. You can’t link the channels together, and I’m the one who ends up losing important relational information. But HDRs tell me the relationship between the channels with a single record, giving me much more information that’s a lot easier on my network load and storage.
Please don’t misunderstand me, NetFlow. You do what you do well, and I appreciate everything you’ve done for me. But if someone on my network is uploading files they shouldn’t be to Dropbox, I wouldn’t be able to find them easily with just a NetFlow record. The most you can tell me is that it’s a TCP flow. HDRs, on the other hand, can use certificate information to associate the flow with Dropbox, and give me metadata enriched with Active Directory so I know whose account was used to upload what file, not just their dynamically-assigned IP address.
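As an added illustration (not from the original post and not any vendor’s product code), here is a small Python sketch of the difference described above: a NetFlow-style exporter collapses everything on one 5-tuple into a single record and names the application from the server port, while a per-transaction record can carry the TLS certificate name, the file, the user, and the link between an FTP control channel and the data channel it announced. Every host, port, name and metadata field below is constructed for the example.

```python
from collections import defaultdict

# Constructed transaction-level observations for one client. The "meta" dict stands in
# for what an HDR generator pulls out of the payload (TLS certificate CN, FTP PASV reply,
# AD-resolved user); a NetFlow exporter only ever sees the header fields before it.
EVENTS = [
    ("10.0.0.5", 51000, "162.125.1.8", 443, 250000,
     {"tls_cn": "*.dropbox.com", "file": "q3_forecast.xlsx", "user": "jdoe"}),
    ("10.0.0.5", 51000, "162.125.1.8", 443, 900,
     {"tls_cn": "*.dropbox.com", "file": "notes.txt", "user": "jdoe"}),
    ("10.0.0.5", 51002, "203.0.113.9", 21, 300,
     {"ftp_pasv_port": 40123, "user": "jdoe"}),          # control channel announces data port
    ("10.0.0.5", 51003, "203.0.113.9", 40123, 80000, {"user": "jdoe"}),  # the data channel
]

PORT_TABLE = {443: "https", 80: "http", 21: "ftp-control"}  # port-based classification

def netflow_records(events):
    """One summary record per 5-tuple; the application is only a guess from the port."""
    flows = defaultdict(lambda: {"bytes": 0, "transactions": 0})
    for src, sport, dst, dport, size, _meta in events:
        rec = flows[(src, sport, dst, dport)]
        rec["bytes"] += size
        rec["transactions"] += 1          # merged away: NetFlow cannot tell them apart
        rec["app"] = PORT_TABLE.get(dport, "unknown")
    return dict(flows)

def hdr_records(events):
    """One record per transaction; application taken from payload metadata, and a
    data channel is linked back to the control channel that announced it."""
    pasv = {}  # (client, server, announced port) -> control-channel session id
    out = []
    for src, sport, dst, dport, size, meta in events:
        rec = {"client": src, "server": dst, "bytes": size, "user": meta.get("user")}
        if "tls_cn" in meta:                      # certificate, not port, names the app
            rec["app"] = meta["tls_cn"].lstrip("*.").split(".")[0]
            rec["file"] = meta.get("file")
        elif dport == 21:
            rec["app"], rec["session"] = "ftp", (src, sport, dst)
            if "ftp_pasv_port" in meta:
                pasv[(src, dst, meta["ftp_pasv_port"])] = rec["session"]
        elif (src, dst, dport) in pasv:           # relate data channel to its control channel
            rec["app"], rec["session"] = "ftp-data", pasv[(src, dst, dport)]
        else:
            rec["app"] = PORT_TABLE.get(dport, "unknown")
        out.append(rec)
    return out
```

Run on the constructed events, `netflow_records` yields three records that say only "https" and "unknown", while `hdr_records` yields four that name Dropbox, the two files, the user, and tie the FTP data channel on port 40123 to the control session that opened it.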
I’ll always be grateful for what you did for me in the past, and I’ll cherish our memories together. But I simply need to move on to something that will give me deeper visibility into my network traffic. Hopefully you can find someone out there who will love you the way that I couldn’t. Please move on—because we are never, ever, ever getting back together.
Someone Who Needs More