
Network World

Brad Reese

NetFlow analytics vs. network behavior analysis

Q & A with Plixer CEO Michael Patterson.

By Brad Reese on Wed, 09/10/08 - 7:55pm.

Welcome to the second in a three-part series on network behavior analysis through the eyes of Plixer International. The third and final part focuses on network behavior analysis and DoS attacks. You may also wish to review our first installment - Intrusion detection systems vs. network behavior analysis: Which do you need?

As a NetFlow and sFlow analysis vendor, Plixer with its Flow Analytics is making a play into the "deeper flow analysis market."

Flow Analytics with Network Behavior Analysis (NBA)

Hopefully, this Q & A with Plixer CEO Michael Patterson will give us a better understanding of what Plixer's Flow Analytics strategy is all about.

What is Flow Analytics and is it better than NBA (Network Behavior Analysis)?

It isn’t necessarily better; it is a different approach to flow analysis. Based on feedback from customers, we felt we could catch 90% of issues using a few behavior algorithms and then focus on specific areas.

Specifically, Flow Analytics focuses on collecting data across hundreds of routers and switches and displaying status windows on:

Top hosts sending or receiving data
Top hosts sending or receiving flows
Top applications currently on the network
Top hosts communicating back and forth on the network
Volume of hosts communicating on the network (e.g. 23,000 unique hosts in the last 5 minutes)

-----------------------------------

What do you mean by catching 90% of issues using a few behavior algorithms?

We started developing toward the NBA market initially. During our beta phase, it was exciting to see Scrutinizer catch SYN scans etc. that were currently underway on a customer’s network. Other times we noticed that some customer networks had few problems.

We are still shipping with features that continually tally all flows and help identify:

Suspicious NetBIOS-based services
Unauthorized Application Deployments
Poorly configured and unauthorized devices
Zero-day worms, SYN Floods and DoS attacks
P2P traffic, such as BitTorrent (even if encrypted)
Unauthorized or incorrectly configured server activity
Internal IP addresses communicating with known compromised internet hosts, view the long list

Furthermore, we decided to start adding status windows on various things we could point out about the network across all routers and switches. Several of our customers have well over 500 routers and they want some high level information for management.

Below you can see a host having a conversation with 1 destination involving over 500 flows. Why so many unique connections? You can click and drill in for details and learn more about the behavior. We aren’t always alarming on these behaviors; that is why we call it Flow Analytics.

Flow Analytics Screenshot
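To make the status windows and the "one destination, over 500 flows" drill-down concrete, here is an added example (not Plixer's code) that tallies a constructed batch of NetFlow-style records the way the interview describes: top hosts by bytes and by flow count, top applications (protocol/port), top conversations, unique host volume, and a list of source/destination pairs whose flow count exceeds a threshold. Field names, addresses and the threshold are assumptions for illustration.

```python
from collections import Counter
from typing import NamedTuple

class Flow(NamedTuple):
    """One NetFlow-style record, trimmed to the fields the status windows need."""
    src: str
    dst: str
    proto: str
    dst_port: int
    bytes: int

# Constructed sample export (assumed addresses): one host opens 600 short TCP
# connections to a single peer, plus a few ordinary web and DNS flows.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", "10.0.2.9", "tcp", 445, 120) for _ in range(600)]
    + [Flow("10.0.0.7", "203.0.113.10", "tcp", 443, 48_000) for _ in range(12)]
    + [Flow("10.0.0.8", "10.0.0.53", "udp", 53, 96) for _ in range(40)]
)

def status_windows(flows, top_n=3):
    """Tally the per-interval counters the status windows display."""
    bytes_by_host, flows_by_host = Counter(), Counter()
    apps, pairs, hosts = Counter(), Counter(), set()
    for f in flows:
        bytes_by_host[f.src] += f.bytes      # data sent
        bytes_by_host[f.dst] += f.bytes      # data received
        flows_by_host[f.src] += 1
        flows_by_host[f.dst] += 1
        apps[(f.proto, f.dst_port)] += 1     # application = protocol/port in flow data
        pairs[(f.src, f.dst)] += 1           # hosts communicating back and forth
        hosts.update((f.src, f.dst))
    return {
        "top_hosts_by_bytes": bytes_by_host.most_common(top_n),
        "top_hosts_by_flows": flows_by_host.most_common(top_n),
        "top_applications": apps.most_common(top_n),
        "top_conversations": pairs.most_common(top_n),
        "unique_hosts": len(hosts),          # e.g. "23,000 unique hosts in 5 minutes"
    }

def many_flows_one_peer(flows, threshold=500):
    """Return (src, dst, count) for conversations with more than `threshold` flows.

    This is the drill-down condition from the interview; it is surfaced for an
    analyst to inspect rather than raised as an alarm on its own."""
    pairs = Counter((f.src, f.dst) for f in flows)
    return [(s, d, n) for (s, d), n in pairs.most_common() if n > threshold]

if __name__ == "__main__":
    print(status_windows(SAMPLE_FLOWS))
    print(many_flows_one_peer(SAMPLE_FLOWS))
```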


Do you think catching 90% of the issues is good enough?
