Sampled NetFlow: Difference between revisions
No edit summary |
No edit summary |
||
| Line 10: | Line 10: | ||
=== Bit rate calculation === | === Bit rate calculation === | ||
Compared to SFlow, NetFlow | Compared to SFlow, NetFlow has never been designed to accurately report metrics such as bit rate (bps) and packet rate (pps). A single NetFlow record <u>reports</u> total flow duration and the number of bytes and packets transported during that time interval. The NetFlow reporter <u>calculates</u> bit rate and packet rate based on those records. NetFlow Sampling at a rate that is not adapted to the expected traffic rate to be monitored, will jeopardize the exactitude of that calculation, even when all other precautionary measures such as "active time-out" are being implemented. | ||
| | ||
| Line 16: | Line 16: | ||
=== NetFlow Sampling === | === NetFlow Sampling === | ||
A sampling rate of 1 out-of 100 may reduce the exports of NetFlow records by as much as 50%. You must keep in mind that the collector will only receive a small percentage of the traffic and will use the sampling rate to "inflate" the metrics for bytes and packets | A sampling rate of 1 out-of 100 may reduce the exports of NetFlow records by as much as 50%. You must keep in mind that the collector will only receive a small percentage of the traffic and will use the sampling rate to "inflate" the metrics for # bytes and # packets reported. | ||
| | ||
| Line 22: | Line 22: | ||
=== Impact === | === Impact === | ||
Tools for flow-based network analysis are used to monitor and baseline network behavior and increasingly by | Tools for flow-based network analysis are used to monitor and baseline network behavior and increasingly by security teams to detect persistent threats. Sampling rates that are not adapted to the speed of the interface may lead to inaccurate reporting of quantitative metrics such as bit rate, packet rate and utilization. It may also lead to some short-lived flows no longer being reported at all. When security professionals need to go back in time, the flows they want to investigate may no longer be there. | ||
| | ||
Revision as of 16:32, 24 November 2020
Introduction
Higher traffic volumes mean higher numbers of NetFlow records and increasing load on device's CPU. The increasing number of records may require too much bandwidth when send over the network to the collector. Therefore, it may become necessary to find a balance between reporting needs and device/network efficiency. Vendors may recommend or even force the use of Sampled NetFlow.
Solution
Bit rate calculation
Compared to SFlow, NetFlow has never been designed to accurately report metrics such as bit rate (bps) and packet rate (pps). A single NetFlow record reports total flow duration and the number of bytes and packets transported during that time interval. The NetFlow reporter calculates bit rate and packet rate based on those records. NetFlow Sampling at a rate that is not adapted to the expected traffic rate to be monitored, will jeopardize the exactitude of that calculation, even when all other precautionary measures such as "active time-out" are being implemented.
NetFlow Sampling
A sampling rate of 1 out-of 100 may reduce the exports of NetFlow records by as much as 50%. You must keep in mind that the collector will only receive a small percentage of the traffic and will use the sampling rate to "inflate" the metrics for # bytes and # packets reported.
Impact
Tools for flow-based network analysis are used to monitor and baseline network behavior and increasingly by security teams to detect persistent threats. Sampling rates that are not adapted to the speed of the interface may lead to inaccurate reporting of quantitative metrics such as bit rate, packet rate and utilization. It may also lead to some short-lived flows no longer being reported at all. When security professionals need to go back in time, the flows they want to investigate may no longer be there.
Recommendations
- The use of sampling will always come at a cost. Use Sampled NetFlow only if you must. This could be the case when monitoring a high-traffic rate interface (n x Gbps) or when the vendor forces you to use a sampler.
- Start with sampling rates of 1 out-of tens or 1 out-of hundreds. Rates smaller than 1:100 are seldom acceptable.
- Validate the reported data. Compare metrics such as bit rate and packet rate against the same metrics obtained by other means like SNMP polling. You must find the balance between sampling rate and reporting exactitude.
- Please realize that the "raw" flow records database is probably incomplete. Your tool may no longer be suitable for forensic flow analysis by the security team.