NQ Blog – November

Network Monitoring & Cyber Security Threat Identification at Scale

By Chip Mesec, Sr. Product Manager, NetQuest Corporation

As Internet usage continues to expand exponentially at breakneck speed, particularly in the business sector, companies should be prepared not only for new revenue generation and growth opportunities, but also for challenges with network security and reliability. Just as applications, compute infrastructure, and the number of connected devices increase, the network scales as well, usually by a factor of 10. As your infrastructure scales internally or externally with cloud migration, it is imperative to scale cyber security threat identification with it, to ensure the protection of critical data and reduce the risk of a security breach as your network speed and complexity increase.

Here is what you need to know about network monitoring and cybersecurity threat identification at scale, and how to get help scaling your network security from a leading carrier-grade network service provider.

Using Flow-Based Analysis vs. Packet-Based Analysis to Detect Cyber Security Threats

Monitoring your network for potential threats gives you the most complete visibility into your corporate health, because the network is literally the corporation’s lifeblood. Older security guidance recommended viewing every packet to detect all security threats. Newer methodologies have evolved from packet-based to flow-based analysis, where a flow is the primary information involved with every network transaction. Monitoring network flows is like measuring your temperature and blood pressure to quickly check your health, rather than using blood sampling and x-rays at every doctor visit. Both packet-based and flow-based analysis have advantages and drawbacks; here is a quick look at each and how to combine them for maximum efficacy and scalability.

Packet-Based Analysis

Advantages:

  • Packet-based analysis has been preferred by many IT professionals for years simply because it is so thorough; this type of analysis does not miss any important details.
  • Firewalls and intrusion detection systems are, at their core, packet analyzers.
  • The packets contain all the information for every transaction in your business.

Drawbacks:

  • Processing packets on high-speed networks or carrier backbones is expensive, both in the equipment required and in the amount of storage needed to perform analysis.
  • Processing packets within clouds you do not own is often impossible or expensive due to the cost of bandwidth – you are paying for traffic twice.
  • Packet-based systems cannot view encrypted traffic, which can be over 50% of all traffic on some network links.

Flow-Based Analysis

Advantages:

  • Flow-based analysis systems provide roughly 80% of the information in packets and can reduce network traffic to your security tools by nearly 98% while still providing 100% visibility into subtle threats.
  • Modern flow-based analysis can identify applications and other useful application-layer information even if the traffic is encrypted.
  • Flow-based data can be created, collected, stored, and analyzed at lower cost than packets.

Drawbacks:

  • For fine-grain detail that is required to detect a particular malware variant or other data located deep within a packet, a packet-based system is required.
  • Some network flow deployments rely on sampled collection, viewing only 1 out of 1,000 or 1 out of 10,000. Unfortunately, this is not useful in most security applications.

Using Flow-Based Analysis to Complement Packet-Based Analysis: The Best of Both Worlds

Fortunately, your business does not have to choose between flow-based and packet-based analysis. You can have the best of both worlds by using a network service node (a probe with more capability), a network device that reconfigures raw packets into unsampled flow data while at the same time providing packets. A network service node can also “clean” packet data by removing tunnel or VLAN encapsulation and transporting the flows or packets to several downstream devices through an IP network. Complementing packet-based analysis with flow metadata is an excellent strategy for comprehensive network monitoring that can be scaled as needed.

What Is IPFIX?

Internet Protocol Flow Information Export (IPFIX) is an IETF standard for exporting flow information from routers, switches, and probes. It is based on NetFlow, a Cisco-created network protocol designed to monitor incoming and outgoing IP network traffic.

How IPFIX Is Used

Managed IT security providers and other IT professionals typically use IPFIX unsampled flows to:

  • Observe network traffic 24/7/365 in real-time
  • Create a picture of the network at any given time
  • Detect low-and-slow security attacks against the network, web servers, or enterprise IT
  • Provide multiple layers of defense against internal and external cyber security threats
  • Collect data about network flows to allow for adequate traffic engineering and capacity planning

Sampled or Unsampled Flows?

Sampled flows are a technique used by switches and routers to provide a single flow from many flows – usually 1 out of 1,000 or 1 out of 10,000. This enables traffic engineers to gain visibility for network traffic engineering. The drawback is that this technique is not useful for fine-grain security threat analysis.

Unsampled flows are a technique from network probes or service nodes that provides every flow traversing a network link. This detailed data can be used for network problem analysis, relationship analysis, or security threat detection.
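The difference matters most for low-and-slow activity. The following is an added example, not part of the original post: constructed traffic containing a slow scanner is aggregated into flow records twice, once unsampled and once with deterministic 1-in-1,000 sampling, and the same fan-out check is run on both. It assumes sampling is applied per packet before flows are built; the addresses, thresholds, and function names are made up for the illustration.

```python
from collections import defaultdict

SCANNER = "192.0.2.66"  # constructed address (documentation range)

def packets():
    """Constructed traffic: 20 bulk HTTPS flows plus one slow scanner."""
    probe = 0
    for i in range(100_000):
        c = i % 20
        yield (f"10.0.2.{c + 1}", "10.0.0.10", 40000 + c, 443, 6)
        if (i + 1) % 2500 == 0:  # one probe per 2,500 bulk packets
            probe += 1
            yield (SCANNER, f"10.0.1.{probe}", 50000 + probe, 22, 6)

def sample(pkts, n):
    """Deterministic 1-in-n packet sampling (n=1 keeps every packet)."""
    return (p for i, p in enumerate(pkts) if i % n == n - 1)

def to_flows(pkts):
    """Aggregate packets into flow records keyed by 5-tuple."""
    flows = defaultdict(int)
    for key in pkts:
        flows[key] += 1
    return dict(flows)

def fan_out_sources(flows, max_pkts=3, min_targets=10):
    """Flag sources with many tiny flows to distinct (dst, port) targets."""
    targets = defaultdict(set)
    for (src, dst, _sport, dport, _proto), count in flows.items():
        if count <= max_pkts:
            targets[src].add((dst, dport))
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)

def run(n):
    """Return (number of flow records, flagged sources) at 1-in-n sampling."""
    flows = to_flows(sample(packets(), n))
    return len(flows), fan_out_sources(flows)

if __name__ == "__main__":
    for n in (1, 1000):
        count, flagged = run(n)
        print(f"1-in-{n}: {count} flow records, flagged sources: {flagged}")
```

Unsampled, the 100,040 packets collapse into 60 flow records and the scanner's 40 single-packet flows stand out; at 1-in-1,000 none of its probes are captured, so the same check has nothing to flag.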

Get Help with Your Network Monitoring Today

NetQuest has over 30 years of experience providing high-speed WAN and carrier backbone packet and flow data to customers that rely on accurate and detailed data to protect customers and countries. Learn more about intelligently scaling your network and safeguarding your company from malicious cyber threats by contacting NetQuest today.
