Cisco Blogs

Security and NetFlow: The time is now!

June 25, 2011 - 6 Comments

For those of you that have been around the networking world for a while, NetFlow is far from a new technology. Cisco developed NetFlow years ago and it has become the industry standard for generating and collecting IP traffic information. NetFlow quickly found a home within network management providing valuable telemetry for overall network performance and management. Nine versions later NetFlow is growing in popularity not solely due to its value to network management but as a critical component of security operations. Over the past 12 months I have encountered more and more large enterprises that view NetFlow as one of their top tools for combating advanced threats within their perimeters.

The dynamic nature of the cyber threat landscape and the growing sophistication and customization of attacks require organizations to monitor their internal networks at a new level. IP flow monitoring (NetFlow), coupled with security-focused NetFlow collectors like Lancope’s StealthWatch, is helping organizations quickly identify questionable activity and anomalous behavior. The value that NetFlow provides is unsampled accounting of all network activity on an IP-flow-enabled interface. I bring up unsampled because of its importance from a security perspective. While flow sampling is a valid method for network management use cases, sampling for the sake of security leaves too much in question. An analogy would be having two different people listen to the same song. One person hears the song in its entirety, unsampled, and the other hears only 30-second snippets of it. While neither may be musically inclined, the person who heard the whole song would be able to hum or sing it back more accurately than the person who heard only the snippets. Furthermore, the person who heard the whole song would be better able to identify it during radio airplay. The same holds true for IP flow information when it is leveraged to detect malicious or anomalous traffic. Some malicious code will send only a single packet back to a master node, which would most likely be missed in a sampling scenario.
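As an added illustration of the sampling point above (this is example code, not code from the post or from Cisco), the following Python aggregates a constructed packet trace into NetFlow-style 5-tuple flow records and compares unsampled accounting with deterministic 1-in-100 packet sampling; the hosts, ports and the single-packet outbound flow are all constructed for the example.

```python
from collections import defaultdict

# Constructed packet trace: (src, dst, proto, sport, dport, bytes).
# 10.0.0.x are internal hosts; 203.0.113.5 is a placeholder external host (TEST-NET-3).
PACKETS = (
    [("10.0.0.11", "10.0.0.2", 6, 50000, 443, 1200)] * 400   # busy internal HTTPS session
    + [("10.0.0.12", "10.0.0.2", 17, 5353, 53, 80)] * 150    # DNS chatter
    + [("10.0.0.13", "203.0.113.5", 17, 41000, 8443, 64)]    # single-packet "phone home"
)

def build_flows(packets, sample_rate=1):
    """Aggregate packets into 5-tuple flow records the way a NetFlow cache would.

    sample_rate=1 is unsampled: every packet is accounted for.
    sample_rate=N>1 models deterministic 1-in-N packet sampling: only every Nth
    packet is seen, and the exporter scales counters by N to estimate the total.
    """
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for index, pkt in enumerate(packets):
        if sample_rate > 1 and index % sample_rate != 0:
            continue  # this packet never reaches the flow cache
        key = pkt[:5]  # (src, dst, proto, sport, dport)
        flows[key]["packets"] += sample_rate
        flows[key]["bytes"] += pkt[5] * sample_rate
    return dict(flows)

def single_packet_external_flows(flows, internal_prefix="10.0.0."):
    """Flag flows leaving the internal prefix that consist of exactly one packet.

    This is the kind of low-volume, outbound beacon the post says sampling tends to miss.
    """
    return sorted(
        key for key, rec in flows.items()
        if not key[1].startswith(internal_prefix) and rec["packets"] == 1
    )

if __name__ == "__main__":
    full = build_flows(PACKETS)
    sampled = build_flows(PACKETS, sample_rate=100)
    print("unsampled, flagged:", single_packet_external_flows(full))
    print("1-in-100 sampled, flagged:", single_packet_external_flows(sampled))
    print("beacon flow present in sampled cache:",
          ("10.0.0.13", "203.0.113.5", 17, 41000, 8443) in sampled)
```

The large internal flows survive sampling with roughly correct counters, while the single outbound packet never enters the sampled flow cache at all, so there is no record for a collector to flag.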

Further increasing the value of IP flow monitoring is Cisco’s recent release of Flexible NetFlow (FnF). FnF introduces two new concepts to flow monitoring. The first is the use of templates; the second expands the range of packet information that can be collected and allows monitoring more deeply inside a packet. This allows greater granularity in the information that is monitored, as well as directing different sets of information to different collectors. You can search for Flexible NetFlow on Cisco’s main website for more technical details.

Are you using NetFlow for security operations? I welcome any feedback, good or bad, regarding your experience and opinions on the value that IP flow information provides for detecting threats in this ever-changing landscape.



  1. We have some government customers using NetFlow for security very extensively today. You might want to check with Argonne National Lab (@argonne), specifically Scott Pinkerton, who does a great job of explaining his Federated Model. I’ll forward this to him.

  2. NetFlow has absolutely no security context! Particularly for ATP.

    • Mark,

      Thanks for the comment and point of view. I would suggest that you look into the capabilities that Flexible NetFlow introduces and how those capabilities can be leveraged for anomaly detection and other security-focused analysis. With regards to sophisticated malware, very few technologies will identify these threats based on signatures, but we have many government customers that are successfully using NetFlow to identify compromised hosts which are not being identified by traditional perimeter security devices. We are also seeing customers in mid-market and enterprise verticals use NetFlow at an increasing rate for security-specific purposes.

  3. This is a great post. Thanks for sharing.

  4. Hey, I really enjoyed this post. Cheers.

  5. Performance Monitoring from Cisco also uses Flexible NetFlow. For TCP connections, this means we gain details on Round Trip Time (RTT) and for VoIP we get details on jitter and packet loss. Performance Monitoring has been slow to take off as customers need to be running at least IOS 15.1(3)T.

    These new metrics allow NetFlow to take traffic monitoring to another level.