Using sFlow for Network Forensics
Posted by: Ben Uphoff in NetFlow for Security, network security, tags: incident response, insider threat, netflow, network visibility, sFlow

In a previous post I gave a rundown of various software tools for collecting NetFlow data for use in network security incident response. NetFlow is pervasive in routers, but another technology, sFlow, is nearly as prevalent in routers and can also be collected from switches — an arena that NetFlow does not play in very much as of yet. sFlow is a packet sampling technology and can provide a depth of network visibility — a key component of network forensics and incident response — even beyond what NetFlow can offer. For more information on sFlow check out sflow.org.
There is not as much activity in free software around sFlow compared to NetFlow; however, InMon has a great suite of tools that can help enterprises leverage sFlow data from routers and switches. Their sFlow Agent software can sniff packets off a network interface card and convert them into sFlow packets, so you can test what sFlow can bring to the table even if you do not have an sFlow-enabled switch or router.
More interesting to me however was that their sflowtool application can be used to collect sFlow data, convert it into NetFlow datagrams and then send it on to a NetFlow collector. I wrote a post in the Net/FSE user community on how this can be done using InMon’s sFlow tool set and Net/FSE.
Leveraging sFlow in this way is a very nice capability for enterprises that have an existing NetFlow implementation and want to start broadening their network visibility. Getting down to the switch level is key to monitoring internal traffic, watching for internal malware and protecting against the insider threat. Keeping every packet on a network is cost prohibitive, but sampling with sFlow is an affordable and easy way to quickly enhance network visibility.
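To make the sampling point concrete, here is an added example (not code from the post, InMon or Net/FSE) that works directly on sFlow packet samples rather than on the NetFlow records sflowtool would hand to a collector. It assumes the CSV layout that sflowtool prints in its line mode (`sflowtool -p 6343 -l`), with the field positions listed in the comment; the sample lines are constructed for the example, not captured from a real switch. The script does two things an analyst wants from switch-level data: it scales each sample by its sampling rate to estimate the real packet and byte counts per conversation, and it lists internal hosts that fan out to several distinct internal peers on one port, which is exactly the east-west traffic that router-only NetFlow never sees.

```python
"""Estimate per-conversation traffic from sFlow packet samples and list
internal hosts that fan out to many internal peers.

Input lines are assumed to follow sflowtool's line-mode (-l) CSV layout.
Both the layout and the sample lines below are constructed for this
example; they are not taken from a real device."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed field order of a FLOW record:
# FLOW,agent,inPort,outPort,srcMAC,dstMAC,ethType,inVlan,outVlan,
#      srcIP,dstIP,proto,tos,ttl,srcPort,dstPort,tcpFlags,pktSize,ipSize,samplingRate
# Constructed sample data: one host touching four peers on 445, one host
# pushing bulk data to a single internal peer and to an external address.
SAMPLE_LINES = """\
FLOW,10.0.0.2,3,7,0000aa000001,0000aa000002,0x0800,10,10,10.1.1.5,10.1.2.10,6,0x00,64,51522,445,0x02,78,60,512
FLOW,10.0.0.2,3,7,0000aa000001,0000aa000003,0x0800,10,10,10.1.1.5,10.1.2.11,6,0x00,64,51523,445,0x02,78,60,512
FLOW,10.0.0.2,3,7,0000aa000001,0000aa000004,0x0800,10,10,10.1.1.5,10.1.2.12,6,0x00,64,51524,445,0x02,78,60,512
FLOW,10.0.0.2,3,7,0000aa000001,0000aa000005,0x0800,10,10,10.1.1.5,10.1.2.13,6,0x00,64,51525,445,0x02,78,60,512
FLOW,10.0.0.2,4,7,0000aa000010,0000aa000020,0x0800,10,10,10.1.1.9,10.1.2.10,6,0x00,64,40000,443,0x18,1514,1500,512
FLOW,10.0.0.2,4,7,0000aa000010,0000aa000020,0x0800,10,10,10.1.1.9,10.1.2.10,6,0x00,64,40000,443,0x18,1514,1500,512
FLOW,10.0.0.2,4,1,0000aa000010,0000aa000099,0x0800,10,20,10.1.1.9,198.51.100.7,6,0x00,64,40001,443,0x18,1514,1500,512
CNTR,10.0.0.2,3,6,1000000000,1,3,12345,67890,0,0,0,0,0,0,0,0,0,0
"""

# Address space treated as "inside" for the fan-out check (assumption).
INTERNAL = [ip_network("10.0.0.0/8")]


def parse_flow_samples(text):
    """Yield one dict per FLOW record; counter (CNTR) and short lines are skipped."""
    for line in text.splitlines():
        f = line.split(",")
        if len(f) < 20 or f[0] != "FLOW":
            continue
        yield {
            "src": f[9], "dst": f[10], "proto": int(f[11]),
            "sport": int(f[14]), "dport": int(f[15]),
            "bytes": int(f[17]), "rate": int(f[19]),
        }


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def estimate_conversations(text):
    """Scale each sample by its sampling rate: one sampled packet of N bytes
    taken at 1:R stands for roughly R packets and R*N bytes on the wire."""
    conv = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for s in parse_flow_samples(text):
        key = (s["src"], s["dst"], s["proto"], s["dport"])
        conv[key]["packets"] += s["rate"]
        conv[key]["bytes"] += s["rate"] * s["bytes"]
    return dict(conv)


def internal_fanout(text, min_peers=3):
    """Internal sources seen talking to at least min_peers distinct internal
    destinations on the same port. Sampling means a host can be missed on a
    quiet network, so treat the threshold as a starting point, not a rule."""
    peers = defaultdict(set)
    for s in parse_flow_samples(text):
        if is_internal(s["src"]) and is_internal(s["dst"]):
            peers[(s["src"], s["dport"])].add(s["dst"])
    return {k: sorted(v) for k, v in peers.items() if len(v) >= min_peers}


if __name__ == "__main__":
    for key, est in sorted(estimate_conversations(SAMPLE_LINES).items()):
        print(key, est)
    print(internal_fanout(SAMPLE_LINES))
```

The scaled estimates are only as good as the sampling rate reported by the switch, so keep the raw sample counts alongside the estimates when you write this up for an incident; a conversation seen in a single sample at 1:512 could be anywhere from one packet to a few thousand.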
January 30th, 2008 at 3:11 pm
[...] « Using sFlow for Network Forensics Jan 30 2008 [...]
February 6th, 2008 at 10:36 pm
[...] specifically for security purposes, take a look at my posts on free NetFlow collector software and using sFlow for network forensics. There are also some links below to sites dedicated to particular flow technologies. You should be [...]