sFlow, which is short for “sampled flow,” provides an industry standard for exporting truncated packets with interface counters. The sFlow Agent is a software process that runs as part of the network management software within devices, such as routers or switches. The sFlow agent packages the data into sFlow datagrams that are immediately sent on the network to minimize memory and CPU requirements.
According to sFlow.org – the authoritative source of the sFlow protocol specifications – sFlow offers a number of advantages:
- It’s an industry standard, which ensures interoperability. (You can see a list of vendors that export sFlow here.)
- It provides a network-wide view of usage and active routes.
- It’s scalable, enabling it to monitor links of speeds up to 10 Gbps.
- It’s a low-cost
These are all great reasons to use sFlow, but there are some tradeoffs as well, especially when it comes to using sFlow for security. Here’s what you need to know.
The Different Kinds of Flows
NetFlow is a proprietary protocol from Cisco to collect IP network traffic as it enters or exits an interface. JFlow is Juniper’s flow protocol, and there are other XFlows from a variety of vendors, and for the purposes of this discussion, they are all very similar to NetFlow. Internet Protocol Flow Information Export (IPFIX) – an IETF protocol that defines how IP flow information is formatted and transferred from an exporter to a collector – is based on NetFlow v9.
Unlike sFlow, NetFlow isn’t sampled, but it is cached and then exported based on active and inactive timeouts. The lowest possible value for exporting active flows is one minute, and inactive conversations are exported every 15 seconds. This means that information about ongoing conversations is exported with a delay of at least one minute. While this gives sFlow a point in its favor, many newer NetFlow exporters can be tuned to export at higher rights, diminishing sFlow’s speed advantage.
The Problem with Sampling
NetFlow/IPFIX traffic can be sampled, and sFlow is, by definition, always sampled. Sampling can significantly reduce CPU usage, but is sampling network flow traffic in general a good idea for security purposes? The short answer is that sampling is not ideal for ensuring you have maximum visibility for maximum security and protection. When sampling, it is easy to miss hacker activity like command and control channels. If you’re interested, we also have the long answer that dives deeper into the analysis leading to that conclusion.
sFlow for Security: Detection
sFlow and NetFlow/IPFIX send information about sending and receiving port, including flag combinations and IP address. In practice, both provide sufficient details to enable a collector to detect a security problem, such as a DDoS attack, network scanning, insider threat, etc. It’s up to the collector to use that data to make the appropriate determination. More on that below.
sFlow for Security: Forensic Investigations
Network security professionals need robust investigatory capabilities to be able to determine what happened after an attack or breach. And here’s where sFlow for security takes a hit. One other “feature” of sFlow is that sampled packets get forwarded as they are picked up, but they are not timestamped. This means there is a small level of uncertainty about the exact capture time of the packet. In forensic investigations this, accuracy is critical because it is often important to know in exactly what order connections were initiated. The net result is that sFlow simply doesn’t provide the granularity and precise accuracy required to perform a full forensic investigation to determine exactly what happened before, during, and after a security breach.
There’s No One-Size-Fits-All Answer
So, when it comes to network security, can you use sFlow? Or do you really need a Netflow/IPFIX solution? The answer is that it depends. Sampled sFlow is very powerful for fast DDoS detection. If you are an ISP or a large enterprise and plans to use NetFlow for data and security analysis, that can justify the increased hardware cost associated with tracking every communication. For smaller organizations, the answer may simply be dictated by the switching and router gear currently in-house. In any case, if you have sFlow-enabled devices, you should turn on sFlow exports to give you data about your network traffic, because even sampled data is better than no data at all. The bottom line is that information security professionals leveraging sFlow for security should understand the capabilities and tradeoffs, and manage their security tools and processes accordingly.
Go with the Flow … for Maximum Security
Whether you are using sFlow or NetFlow/IPFIX – or some combination – for security, you want to make sure that your collector gives you the best possible capabilities for detection and forensic investigations. You want a flow analysis solution that will analyze this data to learn and understand the changing patterns of behavior inside your network, so when any system, mobile device, or server starts behaving outside the normally expected patterns – representing a potential security problem – you can quickly shut them down.