In a previous post, we introduced the Emulex EndaceFlow 3040. Recently, Endace has become an independent company again and announced an updated NetFlow generator appliance: the EndaceFlow 4004. This appliance boasts an impressive array of features and supports all major versions of NetFlow: v5, v9, and IPFIX. This is great news for administrators looking to incorporate a NetFlow generator into their environment, as this sort of monitoring power gives security teams greater, more detailed insight and the ability to deliver faster incident response times. Combining the EndaceFlow 4004 NetFlow generator with our Incident Response System provides a reliable solution when investigating suspicious traffic patterns.

NetFlow Hardware

The EndaceFlow 4004 NetFlow Generator has four 10 Gigabit Ethernet ports (or one 40GbE port), 480 GB of local SSD storage and 650 W redundant power supplies. It offers a maximum throughput of 30 Gbps with a total active flow cache size of 64 million flows and can generate pure 1:1 (unsampled) or sampled NetFlow. Using a Network Packet Broker, multiple network links can be aggregated and fed into the monitoring ports. The EndaceFlow can also be configured to forward NetFlow records over the management LAN or over the standard network as a UDP feed.


All this power and network insight is contained in a single rack unit.  Not only are you adding unsurpassed IPFIX monitoring to your network, but you’re also not taking up valuable space in your server racks to get it.

Advanced Hash Load Balancing

The EndaceFlow uses Advanced Hash Load Balancing (HLB) to prevent collector overflow. This eases the burden on collectors in a high-flow-volume environment by rotating the NetFlow exports through a distributed set of collectors. Think of it as a “round robin” flow export that ensures no single collector becomes overloaded.

Template-based Flow records

NetFlow v5 only supports IPv4. In order to support IPv6, EndaceFlow generators were engineered to support NetFlow v9 and Internet Protocol Flow Information Export (IPFIX). IPFIX is the standards-based approach for IP flow information and translates monitored traffic into template-based flow records. Templates describe the information elements contained in an IP flow record, and the EndaceFlow assigns a unique ID to each template. The appliance supports a broad range of fields: 46 in NetFlow v9 and 133 in IPFIX, all of which can be reported on by our Incident Response System.
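To show what "template-based" means on the wire, here is a small IPFIX decoder added for this post (it is not Endace or Plixer code). A Template Set (set ID 2) announces a template ID and the list of information elements with their lengths; a later Data Set whose set ID equals that template ID is then decoded field by field. The export message in `build_sample`, its template ID 256, the field list and the flow values are all constructed for illustration.

```python
import struct

# IANA IPFIX Information Element IDs (RFC 7012) for the fields used below.
IE_NAMES = {1: "octetDeltaCount", 4: "protocolIdentifier", 7: "sourceTransportPort",
            8: "sourceIPv4Address", 11: "destinationTransportPort",
            12: "destinationIPv4Address"}

def decode_field(ie_id, raw):
    # IPv4 address elements are dotted quads; everything else used here is a big-endian integer.
    return ".".join(map(str, raw)) if ie_id in (8, 12) else int.from_bytes(raw, "big")

def parse_ipfix(msg):
    """Return the list of flow records in one IPFIX message (templates must precede data)."""
    version, length, _export_time, _seq, _domain = struct.unpack("!HHIII", msg[:16])
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, records, off = {}, [], 16
    while off < length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        pos, end = off + 4, off + set_len
        if set_id == 2:                        # Template Set: (template ID, field count, fields...)
            while pos + 4 <= end:
                tid, count = struct.unpack("!HH", msg[pos:pos + 4])
                pos, fields = pos + 4, []
                for _ in range(count):
                    ie_id, ie_len = struct.unpack("!HH", msg[pos:pos + 4])
                    pos += 4 + (4 if ie_id & 0x8000 else 0)   # enterprise IEs carry a 4-byte PEN
                    fields.append((ie_id & 0x7FFF, ie_len))
                templates[tid] = fields
        elif set_id >= 256:                    # Data Set: its set ID is the template that describes it
            fields = templates.get(set_id)
            if fields is None:
                raise ValueError("data set %d arrived before its template" % set_id)
            rec_len = sum(l for _, l in fields)
            while pos + rec_len <= end:        # trailing bytes shorter than a record are padding
                rec = {}
                for ie_id, ie_len in fields:
                    rec[IE_NAMES.get(ie_id, "ie%d" % ie_id)] = decode_field(ie_id, msg[pos:pos + ie_len])
                    pos += ie_len
                records.append(rec)
        off = end
    return records

def build_sample():
    """Constructed sample export: template 256 (6 fixed-length fields) followed by one data record."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    data = bytes([10, 0, 0, 5, 192, 0, 2, 10]) + struct.pack("!HHBQ", 51234, 443, 6, 1500)
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(body), 1700000000, 1, 4004) + body
```

`parse_ipfix(build_sample())` yields one record with the six named fields; a collector that misses the Template Set (for example after a restart) cannot decode subsequent Data Sets until the exporter resends the template, which is why the decoder refuses rather than guesses.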

Autonomous System Support

The EndaceFlow 4004 also features Autonomous System (AS) support.  This feature allows for reporting on geographical location data and other information about IP addresses.

Combine these features with the already substantial information found in traditional flow data, and you’ve got near packet-level analytics across your network simply by adding one device.

Software vs. Hardware Flow Support

Hardware-based NetFlow probes have come a long way in recent years. Traditionally, software probes were thought to provide greater detail than their hardware counterparts. With support for over 133 IPFIX fields, the EndaceFlow 4004 shatters this misconception and provides an export that rivals many software-based flow exports. So if you’re looking to shorten your incident-response time and bring your network monitoring capabilities to the next level without taking a hit on hardware performance, consider an EndaceFlow NetFlow generator.

If you have questions on incorporating the EndaceFlow or any other NetFlow generator into our system, please contact us.

Justin

Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.
