
NetFlow DPI Category

If you are a vendor looking to export IPFIX from your appliance, you should know that a big selling feature that would differentiate you is exporting the category of the application, not just its name.  In other words, don't just export that the application is Twitter, Facebook, Snapchat, Instagram, etc.

You need to export an additional template, with its own template ID, that allows the flow reporting solution to group applications into categories such as Social Media, Internet Search, News Feed, Travel, etc. Cisco does this, as shown below.

Cisco NBAR Support

The above information is important for business managers who want to avoid additional headcount by ensuring that existing employees are staying focused.  The IT security guys can also use the category information to help uncover possible data theft.

Think about it—customers want to drill in on a category like social media, find out which applications are in use, and then drill in further to see who is abusing them and how often. Why is it taking so long for vendors to export these details? Cost?

Vendors need a list they can compare domains against in order to ascertain the category, and these lists cost money.  Also, customers aren't overly excited about buying a probe with yet another interface they have to learn.  This is why it is important to export the details in IPFIX: it allows the customer to use their existing flow reporting solution to view the data.

What’s even more impressive is when the reporting vendor can leverage the application information from one vendor and use it to add context to the flow export from another vendor. What do I mean?

Take a look at the image below to see that we correlate the destination address to its DNS name (FQDN):

DNS FQDN

The above started out as a typical NetFlow v5 export with only the source and destination addresses.  We then use the DNS details collected by FlowPro Defender, Gigamon, or Ixia to add context to these flows.  This is represented by the "Dst FQDN" column in the above image.  In a sense, this strategy allows our reporting solution to enhance the visibility provided by a flow export that would otherwise give less insight into the traffic being investigated.

By comparing flow tuples and time stamps, we can take the flows from an export that provides deeper visibility and apply them to an older flow export to improve traffic visibility.  This is not a new idea; we do the same thing when we integrate with Cisco ISE or Microsoft Active Directory, which allows us to provide the username that authenticated a machine onto the network.
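As an added illustration (not Plixer's code or any product's implementation), the script below does the two things described above: it tags each flow with a category from an application-to-category table, and it attaches a Dst FQDN by matching the flow's source/destination tuple against DNS answers that the same source received shortly before the flow started. The category table, addresses and timestamps are all constructed, and the 300-second freshness window is an assumed value.

```python
from bisect import bisect_right
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class Flow:            # what a NetFlow v5 record carries, plus the probe's application name
    start: int         # first-packet time, epoch seconds
    src: str
    dst: str
    app: str           # application name from the exporting probe (constructed values below)
@dataclass
class DnsAnswer:       # one observed DNS response: client, queried name, resolved address
    ts: int
    client: str
    fqdn: str
    ip: str
# Constructed app -> category table standing in for a vendor-supplied list.
CATEGORIES = {"twitter": "Social Media", "facebook": "Social Media",
              "bing": "Internet Search", "reuters": "News Feed"}

def build_dns_index(answers):
    # Group answers by (client, resolved IP), time-sorted, so a lookup can bisect on time.
    idx = defaultdict(list)
    for a in sorted(answers, key=lambda a: a.ts):
        idx[(a.client, a.ip)].append((a.ts, a.fqdn))
    return idx

def enrich(flows, answers, max_age=300):
    """Attach Dst FQDN (newest answer the flow's source got for its destination at or before
    flow start and no older than max_age seconds, else None) and the application category."""
    idx = build_dns_index(answers)
    out = []
    for f in flows:
        hits = idx.get((f.src, f.dst), [])
        pos = bisect_right([t for t, _ in hits], f.start) - 1
        fqdn = hits[pos][1] if pos >= 0 and f.start - hits[pos][0] <= max_age else None
        out.append({"src": f.src, "dst": f.dst, "app": f.app, "dst_fqdn": fqdn,
                    "category": CATEGORIES.get(f.app, "Uncategorized")})
    return out

def drill_down(enriched):
    # Flow count per (category, app, source host): the drill-in order the post describes.
    return Counter((r["category"], r["app"], r["src"]) for r in enriched)

ANSWERS = [DnsAnswer(1000, "10.0.0.5", "twitter.com", "198.51.100.10"),   # constructed sample
           DnsAnswer(1400, "10.0.0.9", "t.co", "198.51.100.10")]          # RFC 5737 addresses
FLOWS = [Flow(1005, "10.0.0.5", "198.51.100.10", "twitter"),
         Flow(1410, "10.0.0.9", "198.51.100.10", "twitter"),
         Flow(2000, "10.0.0.5", "198.51.100.10", "twitter"),   # answer is 1000 s old: stays None
         Flow(1500, "10.0.0.7", "203.0.113.5", "reuters")]     # no DNS seen from this host
```

A flow whose source was never seen resolving the destination, or whose newest answer is older than the window, is left without an FQDN rather than being guessed from another host's lookups.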

NetFlow Usernames

Today, the world of flow reporting is about metadata. At Plixer, we find out what information the customer wants, then collect it from whatever they already have in place.  Once we have the data, we correlate it with the flows to give the customer what they want – BETTER VISIBILITY!!!