Strategy Series: What is your netflow strategy?

You have one, right? Even if your entire strategy is “collect some flow data”, there is absolutely NO reason not to have a netflow implementation, and frankly, it will save you time and money over time if you make the effort to do it. I love network data and analytics and I have waxed poetic about how important they are at every opportunity. There are a myriad of options for analytics and flow data. If you’re not doing something, you’re doing it wrong. I can go on and on about the importance of network data for budgeting, security, capacity planning, and general knowledge of what your network is actually doing, but that’s for another day (contact me directly if you really want to chat details on that subject). Today is about network flow data – the foundational bits and pieces of what the heck your network, big or small, is actually doing. I’ve been having a breakdance fight with flow data packages for almost two decades, and I’ve jotted down a few of my more notable experiences. Regardless of your needs, budget, abilities, or time, there is a solution for you.
 

 



Arbor

Arbor is the Rolls-Royce of flow analytics (and DDoS mitigation) solutions. It does almost everything, has options for managed objects, DDoS scrubbing and alerting capabilities, a magnificent interface, role-based access, rainbows and gumdrop houses with lollipop trees. This system is pretty darned amazing – it truly is, and that likely comes from the fact that they were one of the first and had/have one of the largest install bases for this kind of system. They have turnkey solutions and hold the unique position of being in roughly 90% of the world’s legacy tier 1 ISPs, so their DDoS and other security options are strong, fast to update, and very good. I’ve had great experience with this platform and its API. I like to think of Arbor as the commercial ISP brass ring for flow data analytics. They have other solutions for enterprise and campus, but their roots are in strong ISP solutions. They’re pricey, but very, very good. Expect to need at least an FTE to really take full advantage of their very capable ecosystem, but if you dedicate the money and manpower to it, you won’t be sad.

Splunk

We all know Splunk as a really nice log and analytics system, but what many may not realize is that Splunk is really, really good at network data and analytics as well. It’s pricey, but it’s as close as you’ll get to a turnkey solution for a SIEM that can actually scale. It has customizable dashboards and visualizations and a huge number of plugins and add-ons, but they come with a legendarily steep price tag. The saying I have always heard is “if you can afford Splunk, buy Splunk. If you can’t, use an ELK stack (now Elastic Stack)”. My experience backs this up.

ELK /Elastic Stack

I’m a big fan of this not only because it’s essentially free, but because it’s so extremely flexible and has so many existing projects built around it. I’ve moved my go-to for netflow collection from nfdump to Elastic Stack built around the Manito Networks flowanalyzer install. This platform takes a bit more command line jockeying and isn’t entirely turnkey, but it’s crazy flexible, has great eye candy, and building the visualizations and dashboards is easy. A notable mention is ElastiFlow, which is similar but has a bit more eye candy and leverages Logstash. ElastiFlow doesn’t have nearly as turnkey an install (and really has almost no “newbie” install instructions at all), but it’s a strong offering if you already know how to spin up an ELK stack and tune it.

Nfdump

The venerable nfdump. This is what so many large networks were using (and probably still are) for their raw flow collection. This package scales exceptionally well to huge networks and has so many CLI tools available that it’s the de facto standard for raw flow analytics and forensics. I love this system and ran it for many, many, MANY years. It takes a bit of time to learn, and may not be the right tool for you if you want a modern GUI, lots of eye candy, or are inexperienced with the UNIX/Linux command line, but it’s got it where it counts, supports NetFlow v5, v9 and IPFIX, and you can’t go wrong with it. I have a handy how-to for getting it up and running under CentOS here. When you couple this with something like Justin Azoff’s flow-indexer and nfsen on the front end, you’ve got an enviable power-user setup ripe for forensics and tactical work as well as baseline generation.

SolarWinds

SolarWinds Orion is the go-to for Windows-based monitoring. It’s not cheap, but if you’re running a Windows-based monitoring system, you’re likely an enterprise and have budget for it. I have been impressed with the visualizations of this system and like that it does all of the monitoring in one package – once installed I never have to see Windows (and since I can’t efficiently support Windows, that’s probably a good thing – someone else will handle the OS work). The price tag can be a bit steep depending on the number of nodes monitored, but it does what it claims and commercial support is decent. My one complaint is that I can’t seem to find a way to do raw data queries in a straightforward way. This may be possible and I have just not had the time or mental power to work it out. Overall it’s a worthy monitoring platform if you need your system to run on Windows and can afford it. There are some older but still good videos from several Network Field Day events here, and I wrote about it from a UNIX user’s perspective here.

Live Action Networks Live UX

Another commercial option with good support and a lot of eye candy. This was born out of work with the US Government and is a really interesting system. I’ve met with these guys several times; their team is super open to talking and to feature requests, and they have a good product. I first heard about them at Network Field Day 7, where their product was intriguing, and they’ve come a long way since then. Worth looking at for a turnkey solution for things like network analytics, IP-SLA,

My take

I like the power that an indexed set of data provides and I am willing and capable of plowing through the install of a linux based system. I’m also frugal, and for a product to really warrant my money it needs to do something that nothing else does [translated: I am willing and able to support open source solutions].

That said, the Manito Networks install of ELK + Kibana (no Logstash in this default install) is where I typically land, because I can get indexed flow data, nice configurable graphs and trending statistics, and can integrate things like syslog into another index on the same system, giving me the tools to do forensics on a number of topics from one place. The setup is crazy easy and really well documented, too. Someone Linux-inclined can have it up and collecting flow data (sFlow, NetFlow v5/9 or IPFIX) in about 30 minutes – probably less. The takeaway, really, is that there are options available no matter your skill level or budget, so there is really no reason not to have something.
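Every collector above starts by decoding the raw export, so here is an added example (not code from this post or from any of the products it discusses): a minimal NetFlow v5 decoder in Python with a top-talkers summary of the kind a collector baselines, run over a constructed three-record datagram. The addresses, counters and helper names are assumptions.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# NetFlow v5 wire layout: 24-byte header followed by fixed 48-byte records, big-endian.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
FIELDS = ("src", "dst", "nexthop", "input", "output", "packets", "octets",
          "first", "last", "sport", "dport", "pad1", "tcp_flags", "proto",
          "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

def parse_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 UDP payload into a list of flow-record dicts."""
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    # Never trust the exporter's record count over the actual datagram length.
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram shorter than its record count implies")
    records = []
    for i in range(count):
        raw = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        rec = dict(zip(FIELDS, raw))
        for key in ("src", "dst", "nexthop"):
            rec[key] = str(IPv4Address(rec[key]))
        records.append(rec)
    return records

def top_talkers(records, n: int = 3):
    """Bytes per source address, the kind of trend a collector baselines."""
    bytes_by_src = Counter()
    for rec in records:
        bytes_by_src[rec["src"]] += rec["octets"]
    return bytes_by_src.most_common(n)

# Packs one record with unused fields zeroed; constructed sample data only.
def _record(src, dst, packets, octets, sport, dport, proto) -> bytes:
    return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                       1, 2, packets, octets, 0, 0, sport, dport, 0, 0x18, proto,
                       0, 0, 0, 24, 24, 0)

# Constructed sample datagram: three flows from two hosts, as a router would export them.
SAMPLE = HEADER.pack(5, 3, 123456, 1700000000, 0, 42, 0, 0, 0) + b"".join([
    _record("10.0.0.5", "192.0.2.10", 120, 90000, 51000, 443, 6),
    _record("10.0.0.5", "192.0.2.11", 10, 1500, 51001, 53, 17),
    _record("10.0.0.9", "192.0.2.10", 8, 4000, 51002, 443, 6),
])

if __name__ == "__main__":
    flows = parse_v5(SAMPLE)
    print(len(flows), "flows; top talkers:", top_talkers(flows))
```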

15 thoughts on “Strategy Series: What is your netflow strategy?”

    1. A great option for sure. My experience with pmacctd is sadly lacking, but I’d put it up there near nfdump in style but far surpassing it in ability. I am a big fan of pmacctd but was never able to really give it the time it deserved in replacing my legacy nfdump installs. From my point of view it’s as much of a flow generation tool in the vein of softflowd or nprobe (both honorable mentions in my eyes). As far as ELK, my opinion is that I don’t care what generates the flow data as long as I can collect it, and I’m a fan of ELK for this.

  1. You might also take a look at Kentik Detect. It is a SaaS based approach to flow collection and analysis. No hardware/software to manage/maintain. Constant improvement in feature set without having to download/upgrade to pick them up. It is a commercial offering but might be worth evaluating if you want more of an easy button. It also provides a REST API to allow for integration with other tools. Free trial: https://portal.kentik.com/signup

    1. I went back and forth on mentioning Kentik. I like what I have seen so far but have very little to no experience with it. It is at the top of my list of platforms to spend some quality time with in the upcoming months. My take was that it was bucking to be a competitor to Arbor, with an original focus on service providers and expanding into enterprise markets. The cloud SaaS offering is interesting and compelling if one can justify and get approval to push flow data into an external infrastructure. My desire would be to work out soft and hard failure modes (as I do with any cloud based service) and then to really exercise the analytics and anomaly detection. I have had several people comment on the robustness of the Kentik API, which is very, very high on the list of desirables.

    3. Seconded this. Kentik should have been on the list. First to market w/ a SaaS based detection offering… clearly an innovative approach that should not have been overlooked.

      1. I don’t disagree. As stated, my experience with Kentik is lacking so doing a review of it would have been lacking. Given the amount of heck I’ve received for *not* including it, it certainly has a larger market than I knew of. I will fully admit that my current stance on cloud based flow solutions is evolving, they require a risk assessment that others do not and unless there is diverse connectivity there is a potential to lose access to your analytics (think triage of a DDoS). My plan is to give this a reasonable amount of attention in the next 6-8 weeks.

  2. I think of Arbor more like a Jaguar. Beautiful machine, but very expensive and quite often needs attention from a (specialized) mechanic. I have a hard time liking it because if I’m throwing that much money into it, I don’t want to do that much hand holding. I like to look at solutions on a continuum of inversely related time and money (ie Splunk vs Elastic Stack). Arbor requiring both is a tough sell.

  3. Nick – Thank you for the shout out for LiveAction LiveUX !
    Just a note that LiveNX is our network performance and analytics platform that collects flow data (NetFlow, IPFIX, S-Flow, jflow, NetStream,etc) and SNMP, Cisco AVC, PerfMon, NBAR2, etc telemetry data directly from the underlay infrastructure and with LiveInsight, our machine learning module, provides real-time visibility into the applications across the environment for proactive management.
    In addition today we publicly announced a key acquisition to expand the portfolio to address service provider requirements. Super stoked, and so are our customers.
    We would welcome the opportunity to give you an update.
    /Mark

  4. Nick, thanks for the mention of ElastiFlow. Back when I created it I knew from my past experience that there was a lot of value in flow data. However, I must admit to being surprised with how popular the solution has become. Your criticism of the lacking documentation is fair, and will be addressed in the near future. Additionally, I am available to help any organization looking to leverage the Elastic Stack (formerly ELK) for network infrastructure management, whether that be flow data, SNMP, logs and more.

Comments are closed.