[c-nsp] netflow collector feedback.

Adam Powers apowers at lancope.com
Sat Sep 22 11:18:53 EDT 2007 

Commercial NetFlow products have matured greatly in the last 2 years. You
now have a number of viable options on the commercial side. As with most any
technology selection process, your specific requirements and budget will
drive which vendor you select. I tend to break the NetFlow vendors down into
three groups...

- Low cost "classic" NetFlow solutions

Crannog, AdventNet, and Plixer are a few of your low cost leaders. They
offer basic network traffic analysis functionality such as top talkers, ASN
reporting, interface utilization, QoS reporting, etc. I call these basic
capabilities "commodity features" cause most everyone has them and they are
relatively easy to implement.

These solutions often suffer on the performance / scalability side. As with
most things, you get what you pay for.

You'll also want to keep in mind that these technologies are normally
software only so you're responsible for sizing and building the flow
collectors and management infrastructure. Make sure you factor this into
your project costs.

For most small environments, these solutions will more than meet
requirements and may be all you need.


- Enterprise class "classic" NetFlow solutions

NetQoS is the primary member of this category along with NetScout to a
lesser degree. You find the same core set of "commodity features" along with
more advanced reporting, scalability, and an appliance-based model that's
easier to deploy and maintain.

These products are designed for large scale deployments and carry a much
higher price tag. They also tend to integrate application performance
monitoring technology (using probes) at the management layer which some
organizations may find valuable.

As with the low cost solutions, the focus is almost entirely on network ops
reporting. Traffic trending, top talkers, QoS reporting, etc are the
mainstay of these products.


- Enterprise class "NBA" NetFlow solutions

These products grew out of the network security side of things and include
Lancope (my company), Mazu Networks, and Arbor Networks. Coined "Network
Behavior Analysis" products by Gartner in 2006, these companies provide many
of the same "commodity features" as the classic NetFlow collector vendors
along with a heavy focus on security functionality for the enterprise or
ISP.

These products are not cheap but represent the state-of-the-art in real-time
NetFlow analysis.

Key attributes for these vendors:

- provide deduplication of NetFlow PDUs. This is mandatory for accurate
security analysis.
- perform stateful analysis of flow data. Referred to as "bi-flow
reassembly" or "flow stitching", NetFlow records are reassembled into a
single bi-directional flow for analysis and reporting.
- very high performance. For example, Lancope's StealthWatch Xe-2000 flow
collector can sustain 40K flow per second with burstability to 300K or more.
- integration of identity information from AD, VPNs, eDirectory, etc.
- behavioral analysis of network communications.


Anyway, hope that helps. Good luck in your search.





On 9/21/07 1:38 PM, "virendra rode //" <virendra.rode at gmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> We are currently looking at following commercial collectors for our
> environment.
> Any sort of feedback from the community who are currently using the
> following collectors will be greatly appreciated.
> 
> 
> * netflow tracker from crannog
> * scrutinizer from plixer
> 
> 
> regards,
> /virendra
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFG9AGzpbZvCIJx1bcRAoUPAKCgsGYWKh5WILFgeC8mJN+aR0ZVzwCfWmEJ
> kFjRuNVPLIavRYzZYWdVATI=
> =lMn1
> -----END PGP SIGNATURE-----
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


-- 

Adam  Powers
Chief Technology Officer
Lancope, Inc.
c. 678.725.1028
f. 678.302.8744
e. adam at lancope.com

More information about the cisco-nsp mailing list