
Managing Metadata - The importance of Netflow & IPFIX

By: Yigal Amram, May 06, 2019

The right approach to network monitoring and analysis can make all the difference in cutting costs and improving ROI across your business. That’s why the market for network analytics is worth over $3 billion.

The “why” is clear. Maximizing visibility into network usage and performance will help you improve data security, troubleshoot issues more efficiently, and adapt to new business demands faster. What isn’t often discussed is the “how”— that’s where metadata comes into play.

While full packet capture is the right choice for some applications, and is critical for total network visibility, it is not practical or productive for others. Metadata-based tools can be used to quickly visualize network behavior and correlate issues to specific applications or data sources.

Rather than always relying on full packet capture, protocols like NetFlow and IPFIX can export valuable metadata for less-intensive network monitoring. This metadata works like a phone bill: it records who talked to whom, when, and how much (source, destination, start and end time, packet and byte counts), but not the content of the conversation. With this information you can gain useful insights at a much lower cost in storage and processing than capture, with the caveat that when you do need to know what was said, only the packets themselves will tell you. But which approach or metadata protocol is right for your network monitoring needs?

What Is NetFlow Used for in Metadata Generation?

NetFlow enables you to build a picture of behavior across your network. A NetFlow exporter classifies each packet it sees into a flow keyed on source IP address, destination IP address, source port, destination port, IP protocol, type of service and input interface, and reports one record per flow with its packet count, byte count and first and last timestamps.

The protocol was invented by Cisco and first shipped on its routers in 1996. At the time it covered IPv4 only, with just a few data fields. Later versions (most notably the template-based version 9, documented in RFC 3954) added support for IPv6, MPLS and many other record types, and NetFlow became a de facto industry standard supported by many device and monitoring-tool vendors.

There are many advantages to using NetFlow for managing metadata. One main benefit is that you can visualize traffic patterns, so NetOps and SecOps teams can see application usage history and user access. NetFlow also supports more effective capacity planning by helping you anticipate growth and schedule upgrades accordingly, and it shows you which traffic to prioritize. As for network security, NetFlow exposes anomalies that could indicate a breach: a host touching many ports on a server, regular small connections to an unfamiliar external address, or an unusually large outbound transfer all stand out in flow records even though the payload is never inspected.

Usually, devices send metadata about the traffic observed at a measurement point to a monitoring tool, normally referred to as a flow or NetFlow collector. Originally the measurement point was a Cisco router interface, and the router itself built the flow cache and sent records of source-destination-protocol tuples. This forced IT professionals to choose between impacting performance on the device and increasing visibility. Nowadays the exporter role has expanded to dedicated probes fed from a TAP or SPAN port, which observe the traffic and generate the flow records themselves. This advancement spares the routers an unnecessary performance cost while optimizing data management.
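To make the flow-record idea concrete, here is an added example (not code from the original post) of the cache an exporter keeps: packets are folded into flows keyed on the NetFlow tuple, expired on inactive and active timeouts, and the resulting records are then checked for one of the anomalies mentioned above, a source probing many ports. The packets, addresses and timeout values are constructed for the example.

```python
"""Minimal NetFlow-style flow cache plus a port-scan check over the records.
Added example, not from the original post; all packets below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlowRecord:
    key: tuple          # (src_ip, dst_ip, proto, src_port, dst_port, in_iface)
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    """Aggregates packet headers into flows the way an exporter does.
    A flow is exported when idle for inactive_timeout seconds or when it has
    lived active_timeout seconds (assumed values; vendors default to more)."""

    def __init__(self, inactive_timeout=15.0, active_timeout=60.0):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.active = {}
        self.exported = []

    def observe(self, ts, src_ip, dst_ip, proto, src_port, dst_port, in_iface, length):
        """Account one packet (timestamps must arrive in order)."""
        self.expire(ts)
        key = (src_ip, dst_ip, proto, src_port, dst_port, in_iface)
        rec = self.active.get(key)
        if rec is None:
            rec = self.active[key] = FlowRecord(key, ts, ts)
        rec.last_seen = ts
        rec.packets += 1
        rec.octets += length

    def expire(self, now):
        for key, rec in list(self.active.items()):
            idle = now - rec.last_seen >= self.inactive_timeout
            old = now - rec.first_seen >= self.active_timeout
            if idle or old:
                self.exported.append(self.active.pop(key))

    def flush(self):
        """Export everything still in the cache (end of observation)."""
        self.exported.extend(self.active.values())
        self.active.clear()
        return self.exported


def sample_packets():
    """Constructed packets: (ts, src, dst, proto, sport, dport, in_iface, length)."""
    pkts = []
    for i in range(6):  # one HTTPS session, six packets over three seconds
        pkts.append((100.0 + i * 0.5, "10.0.0.5", "93.184.216.34", 6, 51514, 443, 1, 600))
    pkts.append((101.0, "10.0.0.5", "10.0.0.53", 17, 40000, 53, 1, 74))  # a DNS query
    for p in range(1, 21):  # one host sending a single SYN to 20 ports on one server
        pkts.append((110.0 + p * 0.01, "10.0.0.7", "10.0.0.20", 6, 55000 + p, p, 1, 60))
    return pkts


def build_records(packets):
    cache = FlowCache()
    for pkt in sorted(packets):  # the cache expects time order
        cache.observe(*pkt)
    return cache.flush()


def port_scan_sources(records, min_ports=10):
    """Return (src, dst) pairs whose tiny TCP flows hit >= min_ports distinct ports.
    Only the tuple and the packet count are needed, never the payload."""
    ports = defaultdict(set)
    for r in records:
        src, dst, proto, _, dport, _ = r.key
        if proto == 6 and r.packets <= 2:
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = build_records(sample_packets())
    print(len(recs), "flow records;", "scanners:", port_scan_sources(recs))
```

The cache is keyed the way the text describes, so one HTTPS session with six packets collapses into a single record while the probe produces twenty one-packet records; the scan check is a plain count over those records, which is exactly the kind of analysis a collector runs without ever touching packet content.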

What Is IPFIX Used for in Metadata Generation?

The IP Flow Information Export (IPFIX) protocol was derived from NetFlow V9. As such, IPFIX is very similar to NetFlow in that it allows you to collect flow data from switches and routers.

Two of the most important features of the IPFIX protocol are that it allows:

  1. Enterprise-specific Information Elements: a vendor identifies its own fields with an IANA Private Enterprise Number and can place proprietary information directly in a flow record, exporting all kinds of data without a separate syslog or SNMP collection.
  2. Variable-length fields, so that strings such as HTTP hosts, URLs and messages can be exported without reserving a fixed width for them.

The IPFIX protocol was first published by the IETF as RFC 5101 in 2008 and revised as RFC 7011, an Internet Standard, in 2013, and its adoption is still catching up with NetFlow's. If you want to maximize network visibility and generate the most valuable insights possible, you need to know the differences between IPFIX and NetFlow so you can choose the best option for the task at hand.

IPFIX vs. NetFlow for Network Monitoring and Analysis

The most critical difference between IPFIX and NetFlow lies in flexibility and interoperability.

Because NetFlow is controlled by Cisco, the fields you can monitor and analyze are limited to its protocol definition. IPFIX, on the other hand, is designed to avoid this, with an open IANA registry of Information Elements and more universal support for exporting data to collectors. There are workarounds in NetFlow that increase flexibility, most notably Flexible NetFlow, but it is important to understand that some barriers remain which a flexible protocol like IPFIX avoids.

Another key difference is that, unlike NetFlow, IPFIX supports variable-length fields, which give access to additional types of information, including messages, HTTP hosts and URLs, that provide valuable and actionable insight into network behavior.
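The two IPFIX features the post singles out, enterprise-specific Information Elements in the list above and the variable-length fields just mentioned, are easiest to see on the wire. The following is an added example, not code from the original post or any vendor, that builds one RFC 7011 message (header, template set, data set) and parses it back, including the two-byte length form for strings of 255 bytes or more. The enterprise number 65535 and the `httpHost` element are placeholders and not registered identifiers; the flow records are constructed.

```python
"""Build and parse a minimal IPFIX (RFC 7011) message with a template that mixes
IANA elements, one hypothetical enterprise-specific element and a variable-length field.
Added example; the PEN 65535 / httpHost element is a placeholder, not a registered ID."""
import socket
import struct

IPFIX_VERSION = 10
SET_TEMPLATE = 2
VAR_LEN = 0xFFFF
ENTERPRISE_BIT = 0x8000
TEMPLATE_ID = 256
# (element_id, length, enterprise_number or None); lengths follow the IANA types.
TEMPLATE = [
    (8, 4, None),         # sourceIPv4Address
    (12, 4, None),        # destinationIPv4Address
    (7, 2, None),         # sourceTransportPort
    (11, 2, None),        # destinationTransportPort
    (4, 1, None),         # protocolIdentifier
    (1, 8, None),         # octetDeltaCount
    (1, VAR_LEN, 65535),  # hypothetical enterprise element "httpHost", variable length
]
NAMES = {(8, None): "srcAddr", (12, None): "dstAddr", (7, None): "srcPort",
         (11, None): "dstPort", (4, None): "proto", (1, None): "octets",
         (1, 65535): "httpHost"}


def encode_template_set():
    body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    for ie, length, pen in TEMPLATE:
        if pen is None:
            body += struct.pack("!HH", ie, length)
        else:  # enterprise bit set, 4-byte PEN follows the length
            body += struct.pack("!HHI", ie | ENTERPRISE_BIT, length, pen)
    return struct.pack("!HH", SET_TEMPLATE, 4 + len(body)) + body


def encode_field(value, length):
    if length == VAR_LEN:  # RFC 7011 s.7: 1-byte length, or 255 + 2-byte length
        data = value.encode()
        if len(data) < 255:
            return bytes([len(data)]) + data
        return b"\xff" + struct.pack("!H", len(data)) + data
    if length == 4 and isinstance(value, str):
        return socket.inet_aton(value)
    return value.to_bytes(length, "big")


def build_message(records, export_time=1557100800, seq=0, domain=1):
    body = b"".join(encode_field(rec[NAMES[(ie, pen)]], length)
                    for rec in records for ie, length, pen in TEMPLATE)
    sets = encode_template_set() + struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(sets), export_time, seq, domain) + sets


def parse_message(buf):
    """Decode one message; a collector keeps `templates` across messages in practice."""
    version, length, _export_time, _seq, _domain = struct.unpack("!HHIII", buf[:16])
    if version != IPFIX_VERSION or length != len(buf):
        raise ValueError("not a well-formed IPFIX message")
    templates, records, off = {}, [], 16
    while off < length:
        set_id, set_len = struct.unpack("!HH", buf[off:off + 4])
        if set_len < 4 or off + set_len > length:  # refuse truncated or hostile sets
            raise ValueError("bad set length")
        end, pos = off + set_len, off + 4
        if set_id == SET_TEMPLATE:
            while pos + 4 <= end:
                tid, count = struct.unpack("!HH", buf[pos:pos + 4]); pos += 4
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack("!HH", buf[pos:pos + 4]); pos += 4
                    pen = None
                    if ie & ENTERPRISE_BIT:
                        ie &= ~ENTERPRISE_BIT
                        (pen,) = struct.unpack("!I", buf[pos:pos + 4]); pos += 4
                    fields.append((ie, flen, pen))
                templates[tid] = fields
        elif set_id >= 256:
            fields = templates.get(set_id)
            if fields is None:  # data cannot be decoded without its template
                raise ValueError("data set %d arrived before its template" % set_id)
            min_len = sum(1 if l == VAR_LEN else l for _, l, _ in fields)
            while pos + min_len <= end:
                rec = {}
                for ie, flen, pen in fields:
                    name = NAMES.get((ie, pen), "ie%d" % ie)
                    if flen == VAR_LEN:
                        n = buf[pos]; pos += 1
                        if n == 255:
                            (n,) = struct.unpack("!H", buf[pos:pos + 2]); pos += 2
                        rec[name] = buf[pos:pos + n].decode(); pos += n
                    elif pen is None and ie in (8, 12):
                        rec[name] = socket.inet_ntoa(buf[pos:pos + 4]); pos += 4
                    else:
                        rec[name] = int.from_bytes(buf[pos:pos + flen], "big"); pos += flen
                records.append(rec)
        off = end
    return records


def sample_records():
    """Constructed flow records as an exporter would emit them."""
    return [{"srcAddr": "10.0.0.5", "dstAddr": "93.184.216.34", "srcPort": 51514,
             "dstPort": 80, "proto": 6, "octets": 3600, "httpHost": "example.com"},
            {"srcAddr": "10.0.0.7", "dstAddr": "10.0.0.20", "srcPort": 55001,
             "dstPort": 22, "proto": 6, "octets": 60, "httpHost": ""}]


def roundtrip(records=None):
    return parse_message(build_message(records or sample_records()))
```

Two points worth noticing: the data set cannot be decoded until the template with the same ID has arrived (hence the error above), so a collector must cope with templates that are sent periodically rather than with every message; and the variable-length encoding is why a hostile or buggy exporter can claim a string longer than the set, which is what the set-length check guards against.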

Furthermore, it is important to consider the application(s) that will collect the flow metadata. Ultimately, the metadata must be in a format your network management tool and flow collector can interpret, with the visualizations you need to see how to optimize and protect your network. In practice that means checking that the collector understands the templates your exporters send, including any enterprise-specific fields, and that records are not silently dropped when a template has not yet arrived.

There’s no denying that both protocols play similar roles in generating metadata for network monitoring and analysis. However, with the right partner, you can decide which approach is best for your specific monitoring needs.

Learn to Handle Metadata on Your Network

Metadata is the key to unlocking valuable insights about your network behavior. From application performance to security incidents, user access behavior, and root cause analysis, metadata gives you the information necessary to keep your network running smoothly.

Getting the most out of IPFIX and NetFlow (or even deciding between the two for your own network monitoring strategy) can be easier said than done.

To learn more about how to best handle your metadata needs, contact us today and find out how we can help maximize your visibility, decrease your costs, and improve ROI across your network.
