sFlow Analysis

sFlow, a technology designed for network monitoring based on packet sampling, captures traffic data in switched or routed networks. Uniquely applicable in high speed networks, sFlow capture and analysis enables continuous monitoring of application traffic flows on all interfaces simultaneously.

By collecting, processing and analyzing sFlow® data, exportable from existing routers and switches, organizations can easily extend the value of their network infrastructure. This additional intelligence is not available through classic IDS/IPS technology and can only be obtained through sFlow-based technologies, which offer significant value for both security and network operations.

Classic IDS/IPS technology compared with sFlow-enabled NBA technology:

  • Classic IDS/IPS: database signatures detect known attacks. sFlow-enabled NBA: real-time monitoring of host behaviors and traffic analysis to identify threats.
  • Classic IDS/IPS: per-packet, in-line blocking of attacks. sFlow-enabled NBA: mitigation via network infrastructure or integration with in-line devices.
  • Classic IDS/IPS: cost prohibitive at speeds above 1G. sFlow-enabled NBA: unlimited monitoring of high speed networks at no extra cost.
  • Classic IDS/IPS: little to no network performance tools for identifying DoS or worm outbreaks. sFlow-enabled NBA: extensive network performance reports including top talkers, interface utilization, exporter tracking, etc.
  • Classic IDS/IPS: no identity integration. sFlow-enabled NBA: user-identity aware.
  • Classic IDS/IPS: limited visibility per direct network connection. sFlow-enabled NBA: end-to-end network visibility.
  • Classic IDS/IPS: commonly deployed technology. sFlow-enabled NBA: innovative technology deployed by early adopters.

Security Benefits of sFlow

Have you ever asked yourself any of the following questions?

  • What happens if my perimeter defenses fail to stop an external threat or are bypassed altogether (e.g. walk-in worms)?
  • How do I know that I haven’t already been compromised?

These questions indicate a need for an internal security solution. sFlow analysis provides end-to-end visibility to secure network cores by detecting malicious, accidental and suspicious activities on the network, including:

  • misconfigured systems and devices
  • file servers "re-deployed" as web servers
  • unauthorized apps (e.g. P2P file sharing)
  • troubleshooting network problems

In addition, sFlow is well suited to a wide range of network monitoring tasks:

  • Policy monitoring and auditing
  • Network Traffic Analysis 
  • Defense against security threats (insider misuse, DDoS, worm infected hosts and worm propagation)
  • Continuous monitoring of application level traffic flows on all interfaces simultaneously

Improved Performance with sFlow 

One of the big advantages sFlow has over NetFlow is that it runs at layer 2. sFlow-enabled devices do not need a layer-3 hop to create a flow, as most NetFlow exporters do.

Because sFlow agents package data into sFlow datagrams, which are immediately transmitted onto the network, there is minimal processing and little to no impact on memory or CPU. Furthermore, enabling sFlow does not add significant traffic load.

How sFlow Collection Works

sFlow operates by sampling 1 in N packets as they arrive at the device's Ethernet interface. The first bytes of each sampled Ethernet frame are copied and placed in a UDP packet together with other samples. Once the packet reaches 1500 bytes, the sFlow exporter attaches a preamble (including the sample rate) and sends the samples to the collector.
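As an added example that is not part of the original page, the following Python models the collector side of this process: the sample rate carried in each datagram is used to scale the sampled frame lengths back up to an estimate of real traffic, producing the top-talker report and a worm-propagation fan-out check of the kind described above. The FlowSample and Datagram records are a simplified model, not the sFlow wire format, and the sample data is constructed.

```python
from collections import Counter, defaultdict, namedtuple

# Simplified model of sFlow records, not the wire format: a flow sample holds
# the fields decoded from the sampled frame's header snippet, and a datagram's
# preamble carries the 1-in-N sampling rate the collector needs to scale up.
FlowSample = namedtuple("FlowSample", "src dst dst_port frame_len")
Datagram = namedtuple("Datagram", "agent sampling_rate samples")

def estimate_bytes_per_source(datagrams):
    """Each sampled frame stands for N frames on the wire, so its length
    times the datagram's sampling rate estimates the real volume sent."""
    est = Counter()
    for dg in datagrams:
        for s in dg.samples:
            est[s.src] += s.frame_len * dg.sampling_rate
    return est

def top_talkers(datagrams, n=3):
    """Top-N sources by estimated bytes sent (the 'top talkers' report)."""
    return estimate_bytes_per_source(datagrams).most_common(n)

def fanout_suspects(datagrams, threshold):
    """Sources sampled talking to >= threshold distinct destinations on one
    port: worm propagation and scans show high fan-out even when sampled."""
    peers = defaultdict(set)
    for dg in datagrams:
        for s in dg.samples:
            peers[(s.src, s.dst_port)].add(s.dst)
    return sorted((src, port, len(d)) for (src, port), d in peers.items()
                  if len(d) >= threshold)

# Constructed sample data: two exporters using different sampling rates.
SAMPLE_DATAGRAMS = [
    Datagram("10.0.0.1", 256, [
        FlowSample("10.1.1.50", "10.1.1.77", 80, 1500),
        FlowSample("10.1.1.50", "10.1.1.77", 80, 1500),
        FlowSample("10.1.1.50", "10.1.1.78", 80, 1400),
        FlowSample("10.1.1.5", "10.2.0.1", 445, 64),
        FlowSample("10.1.1.5", "10.2.0.2", 445, 64)]),
    Datagram("10.0.0.2", 512, [
        FlowSample("10.1.1.5", "10.2.0.3", 445, 64),
        FlowSample("10.1.1.5", "10.2.0.4", 445, 64),
        FlowSample("10.1.1.5", "10.2.0.5", 445, 64),
        FlowSample("10.1.1.60", "10.1.1.50", 22, 200)]),
]

if __name__ == "__main__":
    print(top_talkers(SAMPLE_DATAGRAMS, 2))   # web server 10.1.1.50 leads
    print(fanout_suspects(SAMPLE_DATAGRAMS, 4))  # 10.1.1.5 fans out on 445
```

Note that the byte estimate is only as good as the sampling rate attached to each datagram, which is why the exporter must include it in the preamble.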


sFlow Collection and Analysis Solutions

sFlow Collector 

Leverages sFlow traffic samples from Foundry, Extreme, HP ProCurve, and other leading network infrastructure vendors to provide behavior-based network protection.
