NetFlow analytics vs. network behavior analysis

Q & A with Plixer CEO Michael Patterson.

Welcome to the second in a three-part series on network behavior analysis through the eyes of Plixer International. The third and final part focuses on network behavior analysis and DoS attacks. You may also wish to review our first installment - Intrusion detection systems vs. network behavior analysis: Which do you need? As a NetFlow and sFlow analysis vendor, Plixer, with its Flow Analytics product, is making a play for the "deeper flow analysis market."

Flow Analytics with Network Behavior Analysis (NBA)
Hopefully, this Q & A with Plixer CEO Michael Patterson will provide us with a better understanding of what Plixer's Flow Analytics strategy is all about.

What is Flow Analytics and is it better than NBA (Network Behavior Analysis)?

It isn’t necessarily better; it is a different approach to flow analysis. Based on feedback from customers, we felt we could catch 90% of issues using a few behavior algorithms and then focus on specific areas. Specifically, Flow Analytics focuses on collecting data across hundreds of routers and switches and displaying status windows on:

Top hosts sending or receiving data
Top hosts sending or receiving flows
Top applications currently on the network
Top hosts communicating back and forth on the network
Volume of hosts communicating on the network (e.g. 23,000 unique hosts in the last 5 minutes)

What do you mean by catching 90% of issues using a few behavior algorithms?

We started developing toward the NBA market initially. During our beta phase, it was exciting to see Scrutinizer catch SYN scans etc. that were currently underway on a customer’s network. Other times we noticed that some customer networks had few problems. We are still shipping with features that continually tally all flows and help identify:

Suspicious NetBIOS-based services
Unauthorized Application Deployments
Poorly configured and unauthorized devices
Zero-day worms, SYN Floods and DoS attacks
P2P traffic, such as BitTorrent (even if encrypted)
Unauthorized or incorrectly configured server activity
Internal IP addresses communicating with known compromised internet hosts

Furthermore, we decided to start adding status windows on various things we could point out about the network across all routers and switches. Several of our customers have well over 500 routers, and they want some high-level information for management. Below you can see a host having a conversation with 1 destination involving over 500 flows. Why so many unique connections? You can click and drill in for details and learn more about the behavior. We aren’t always alarming on these behaviors; that is why we call it Flow Analytics.

Flow Analytics Screenshot
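The status windows listed in the first answer (top hosts by bytes and by flows, top applications, top conversations, unique hosts in a five-minute window) and the drill-down on a single host pair with hundreds of flows described in the second are straightforward to compute from raw flow records. The following is an added example written for this article, not Plixer's or Scrutinizer's code: the Flow record layout, the port-to-application table, the "many flows" threshold and the flow records themselves are all constructed here for illustration. The drill-down separates the two common reasons a pair shows hundreds of flows, a scan (each flow to a different port) versus a chatty application (all flows to one port), which is exactly the question the screenshot invites you to click into.

```python
"""Flow Analytics-style status windows over NetFlow-like records.

Added example, not Plixer's or Scrutinizer's code. The Flow record layout,
the port-to-application table and the drill-down thresholds are this
example's own assumptions; the records are constructed in-line.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int       # flow start, seconds since epoch
    src: str      # source address (the host "sending")
    dst: str      # destination address (the host "receiving")
    proto: int    # 6 = TCP, 17 = UDP
    dport: int    # destination port
    bytes: int    # octets carried by the flow


# Minimal port-to-application map (assumption; a real collector would use
# a far richer table plus application signatures).
APP_BY_PORT = {80: "http", 443: "https", 53: "dns", 445: "smb", 25: "smtp"}


def sample_flows():
    """Constructed records covering one 5-minute window starting at t=1000."""
    flows = []
    # Ordinary web traffic: one client, 150 flows, all to port 443.
    for i in range(150):
        flows.append(Flow(1000 + i, "10.1.1.7", "10.1.1.80", 6, 443, 15_000))
    # A file copy over SMB: a single flow carrying a lot of bytes.
    flows.append(Flow(1010, "10.1.1.9", "10.1.1.90", 6, 445, 900_000_000))
    # DNS from twenty different clients: many hosts, tiny flows.
    for i in range(20):
        flows.append(Flow(1020 + i, f"10.1.2.{i + 1}", "10.1.1.53", 17, 53, 120))
    # One host opening 600 flows to one destination, each to a different port.
    for i in range(600):
        flows.append(Flow(1100 + i // 10, "10.1.1.5", "10.1.1.20", 6, 1 + i, 60))
    return flows


def top_senders_by_bytes(flows, n=5):
    """Top hosts sending data: (src, total bytes), largest first."""
    c = Counter()
    for f in flows:
        c[f.src] += f.bytes
    return c.most_common(n)


def top_senders_by_flows(flows, n=5):
    """Top hosts sending flows: (src, flow count), largest first."""
    return Counter(f.src for f in flows).most_common(n)


def top_applications(flows, n=5):
    """Top applications by bytes, labelled from the destination port."""
    c = Counter()
    for f in flows:
        c[APP_BY_PORT.get(f.dport, "other")] += f.bytes
    return c.most_common(n)


def top_conversations(flows, n=5):
    """Host pairs talking back and forth: ((src, dst), flow count)."""
    return Counter((f.src, f.dst) for f in flows).most_common(n)


def unique_hosts(flows, start, window=300):
    """Number of distinct hosts seen as src or dst in [start, start+window)."""
    seen = set()
    for f in flows:
        if start <= f.ts < start + window:
            seen.add(f.src)
            seen.add(f.dst)
    return len(seen)


def drill_down(flows, src, dst, many=100):
    """Explain why one conversation carries so many flows.

    Hundreds of flows spread over hundreds of distinct ports look like a
    port scan; hundreds of flows to one or two ports is usually just a
    chatty application. The `many` threshold is this example's own.
    """
    pair = [f for f in flows if f.src == src and f.dst == dst]
    ports = {f.dport for f in pair}
    if len(pair) >= many and len(ports) / len(pair) > 0.5:
        verdict = "scan-like"
    elif len(pair) >= many:
        verdict = "application-chatter"
    else:
        verdict = "unremarkable"
    return {"flows": len(pair), "distinct_dports": len(ports),
            "bytes": sum(f.bytes for f in pair), "verdict": verdict}


if __name__ == "__main__":
    flows = sample_flows()
    print("top senders by bytes:", top_senders_by_bytes(flows, 3))
    print("top senders by flows:", top_senders_by_flows(flows, 3))
    print("top applications:", top_applications(flows, 3))
    print("top conversations:", top_conversations(flows, 3))
    print("unique hosts in window:", unique_hosts(flows, 1000))
    (src, dst), _ = top_conversations(flows, 1)[0]
    print("drill-down:", src, "->", dst, drill_down(flows, src, dst))
```

Note that the top-senders-by-bytes window and the top-senders-by-flows window surface different hosts (the SMB file copy versus the scanner), which is why a flow analytics console shows both rather than one "top talkers" list; the drill-down is what turns a suspicious entry in the flows window into something a practitioner can act on without the tool having raised an alarm.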

Do you think catching 90% of the issues is good enough?

Contact Brad Reese
http://www.BradReese.Com

Visit Brad Reese on Twitter


Copyright © 2008 IDG Communications, Inc.
