Benefits
NetFlow Optimizer enables you to process massive volumes of NetFlow (IPFIX, sFlow, Cloud VPC Flow Logs, etc.) data, optimizing and enriching it in real time, ensuring that you get data where you need it in the right formats.
Data Volume Reduction
Data Volume Reduction (DVR) is the process of reducing the amount of data that needs to be stored and processed. It is achieved by consolidating, deduplicating, or filtering data.
- Consolidation: Consolidation is the process of combining multiple data records into a single record. Bytes and packets from communicating peers are aggregated over a short configurable period of time by source, destination, protocol, and ports. Consolidation can reduce the amount of data that needs to be stored and processed, without losing any accuracy.
- Deduplication: Each flow is reported only once, even if it passes through multiple network devices. This further reduces the volume of data without losing accuracy.
- Top traffic: Top traffic is a technique for reducing the amount of data that needs to be stored and processed by only reporting the top N consolidated flows. Top traffic can significantly reduce the amount of data that needs to be stored, while still maintaining a high level of accuracy.
Flow Data Enrichment
NetFlow records contain only a limited amount of information about network traffic. Flow data enrichment is the process of adding further information to NetFlow records, such as:
- DNS names: The domain names of the hosts involved in the flow.
- VM names: The names of the virtual machines involved in the flow.
- Applications: The names of the applications that are being used.
- User identity: The identity of the users who are using the applications.
- Cloud instance names, services, regions: The names, services, and regions of the cloud instances involved in the flow.
- SNMP polling data: Data that is collected from network devices using SNMP.
- GeoIP: The geographic location of the hosts involved in the flow.
- Reputation based on threat lists: The reputation of the hosts involved in the flow, based on threat lists.
Flow Stitching
Flow stitching refers to the process of consolidating client-server request-reply flows into a single flow record, offering several distinct benefits:
- Enhanced accuracy in traffic analysis: By stitching together request-reply flows, a more comprehensive view of the traffic between two hosts is obtained. This aids in the identification of malicious activities such as port scans or denial-of-service attacks, thereby improving overall threat detection capabilities.
- Heightened visibility into network behavior: Flow stitching provides a deeper understanding of how applications utilize the network. This visibility proves invaluable in troubleshooting performance issues and identifying potential security vulnerabilities, leading to more effective network management.
- Streamlined security operations: Through the consolidation of request-reply flows, certain tasks involved in security operations can be automated. This automation allows security analysts to allocate their time and resources to more intricate and critical responsibilities, thereby enhancing overall operational efficiency.
By leveraging flow stitching, organizations can optimize traffic analysis, gain insights into network behavior, and streamline their security operations, resulting in improved network performance, enhanced security posture, and more efficient resource utilization.
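The DVR steps described earlier (deduplication, consolidation, top N) and the flow stitching step above, as an added Python example that is not NetFlow Optimizer's own code: it assumes a simplified record tuple, a fixed consolidation window, and a lower-port-is-the-server heuristic for deciding which side is the client (all assumptions, not the product's rules).

```python
from collections import defaultdict

# Constructed sample flow records (not real telemetry):
# (exporter, start_ts, src, dst, proto, sport, dport, bytes, pkts)
SAMPLE_FLOWS = [
    ("rtr1", 100, "10.0.0.5", "10.0.0.80", 6, 51000, 443, 1200, 10),
    ("rtr2", 100, "10.0.0.5", "10.0.0.80", 6, 51000, 443, 1200, 10),  # same flow, 2nd device
    ("rtr1", 100, "10.0.0.80", "10.0.0.5", 6, 443, 51000, 9000, 12),  # server reply
    ("rtr1", 115, "10.0.0.5", "10.0.0.80", 6, 51000, 443, 300, 3),    # later record, same peers
    ("rtr1", 105, "10.0.0.7", "10.0.0.80", 17, 40000, 53, 80, 1),
    ("rtr1", 105, "10.0.0.80", "10.0.0.7", 17, 53, 40000, 200, 1),
    ("rtr1", 110, "10.0.0.9", "10.0.0.80", 6, 52000, 22, 60, 1),
]

def deduplicate(flows):
    """Keep one copy of each (start_ts, 5-tuple) regardless of which device reported it."""
    seen, out = set(), []
    for f in flows:
        key = (f[1],) + f[2:7]
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out

def consolidate(flows, window=60):
    """Sum bytes/packets per 5-tuple within each time window (no accuracy lost)."""
    agg = defaultdict(lambda: [0, 0])
    for _, ts, src, dst, proto, sport, dport, b, p in flows:
        key = (ts // window, src, dst, proto, sport, dport)
        agg[key][0] += b
        agg[key][1] += p
    return dict(agg)

def stitch(consolidated):
    """Merge request and reply directions into one client/server record (assumed heuristic: lower port = server)."""
    stitched = defaultdict(lambda: {"c2s": [0, 0], "s2c": [0, 0]})
    for (win, src, dst, proto, sport, dport), (b, p) in consolidated.items():
        if dport <= sport:  # src is the client talking to the server port
            key, side = (win, src, dst, proto, dport), "c2s"
        else:               # reply direction: src is the server
            key, side = (win, dst, src, proto, sport), "s2c"
        stitched[key][side][0] += b
        stitched[key][side][1] += p
    return dict(stitched)

def top_n(stitched, n):
    """Report only the n busiest stitched conversations by total bytes in both directions."""
    return sorted(stitched.items(),
                  key=lambda kv: -(kv[1]["c2s"][0] + kv[1]["s2c"][0]))[:n]
```

Chaining `top_n(stitch(consolidate(deduplicate(SAMPLE_FLOWS))), 2)` turns the seven sample records into two conversation records, with the duplicate from the second device dropped rather than double-counted.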