Sampled NetFlow

From wiki.comcert.com
Revision as of 16:19, 24 November 2020 by Bert (talk | contribs) (Created page with " == Introduction == Higher traffic volumes mean higer numbers of NetFlow records and increasing load on device's CPU.  The increasing number of records may req...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Introduction

Higher traffic volumes mean higer numbers of NetFlow records and increasing load on device's CPU.  The increasing number of records may require too much bandwidth when send over the network to the collector.  Therefore, it may become necessary to find a balance between reporting needs and device/network efficiency.

Vendors may recommend or even force the use of Sampled NetFlow.

 

Solution

Bit rate caluculation

Compared to SFlow, NetFlow had never been designed to accurately report metrics such as bit rate (bps) and packet rate (pps).  A single NetFlow record contains duration of the flow and the number of bytes and packets transported during that time interval.  The NetFlow reporter calculates bit rate and pachet rate based on those records.  NetFlow Sampling at a rate that is not adapted to the speed of the interface will jeopardize the exactitude of that calculation, even when all other precautions such as "active time-out" are being used.

 

NetFlow Sampling

A sampling rate of 1 out of 100 may reduce the exports of NetFlow records by as much as 50%.  You have to keep in mind that the collector will only receive a small percentage of the traffic and will use the sampling rate to "inflate" the metrics for bytes and packets received.

 

Impact

Tools for flow-based network analysis are used to monitor and baseline network behavior and increasingly by the security team to detect persistent threats.  Sampling rates that are not adapted to the speed of the interface may lead to inaccurate reporting of quantative metrics such as bit rate, packet rate and utilization.  It may also lead to some flows no longer being reported at all.  When security professionals need to go back in time, the flows they want to investigate may no longer be there.

 

Recommendation

  1. The use of sampling will always come at a cost.  Use Sampled NetFlow only if you must.  This could be the case when monitoring  a high-traffic rate interface (n x Gbps) or when the vendor forces you to use a sampler.  
  2. Validate the reported data.  Compare metrics such as bit rate and packet rate against the same metrics obtained by other means such as SNMP polling.  You must find the balance between sampling rate and quality reporting.
  3. Please realize that the "raw" flow records database is probably incomplete.  Your tool may no longer be suitabe for forensic flow analysis by the security team.