NQ Blog – December
IPFIX 101: The Lowdown on the NetFlow Upgrade
By Mike Seidler, Director of Product Management, NetQuest Corporation
IPFIX, or IP Flow Information Export, is the technical term used by network engineers and cybersecurity specialists to describe the process of analyzing network data by using a standard method for generating metadata to summarize network flows. IPFIX can be used to establish typical network behavioral patterns so that anomalous activity can be detected. The majority of the industry refers to IPFIX as NetFlow since the two technologies are very similar, however, there are some key differences between IPFIX and NetFlow.
Need high-level visibility into your company’s network? Welcome to IPFIX 101.
What Is IPFIX?
IPFIX is a standard developed by the Internet Engineering Task Force (IETF) to expand upon NetFlow v9 to create a more flexible solution for collecting and analyzing critical network data. The IPFIX protocol uses very similar procedures as NetFlow for exporting network traffic data, however, IPFIX was designed with additional extensibility and is considered the “upgraded” version of the protocol.
IPFIX uses a unique set of terms that may be familiar to most networking specialists, but we wanted to include them for engineers.
- Metadata refers to a subset of information that can easily be used by databases, e.g. Source IPv4 address, rather than reading and describing an entire packet record.
- Flow Record (or Flow) refers to a complete network conversation between endpoints, usually represented in metadata format. Flows can be bidirectional (both sides of the conversation – talking and listening), or unidirectional (from the perspective of one endpoint talking to another – talking but not listening).
- Template is a numbered dataset which is encoded with IPFIX data records. Each template is numbered to indicate what unique data records are present.
- Exporter is a device that can create IPFIX flows (see Metering) from packet streams.
- Metering is a process that creates IPFIX flow records from a packet stream. Usually IPFIX Exporters are performing flow metering.
- Collector is a system or device which receives flow records for analysis.
How Does IPFIX Work?
IPFIX uses a predetermined set of protocols to export a network flow record to a “collector,” who then further segments and analyzes the data to produce accurate and real-time insights into a network’s behavior. These protocols are flexible and customized to capture user-defined data, so you’re always reviewing the most critical data sets. With this technology, a single IPFIX “exporter” can send information to more than one collector and there’s no limit to the number of exporters from which a collector can obtain information.
Why Use IPFIX?
In most cases, IPFIX provides increased flexibility and many more customization options than NetFlow v9. This can greatly increase visibility into critical network traffic parameters for increased threat identification and a more robust security solution. Driven by the desire of vendors to break from the litany of differing vendor-specific flow standards and leveraging the popularity of NetFlow v9, IPFIX was designed to offer open standards freedom to tailor your flow gathering data for maximum network visibility.
Comparing IPFIX to NetFlow v9
Here’s how IPFIX and NetFlow v9, its predecessor, stack up against each other:
- NetFlow v9 supports about 100 standard elements, while IPFIX offers almost 500, including all of the NetFlow elements.
- IPFIX supports the flexibility to add vendor-specific data extensions.
- IPFIX supports customizable data templates allowing users to choose which of the close to 500 elements to include in the transmitted data set. NetFlow’s support for customization is much more limited.
- IPFIX offers variable length fields, which is quite useful when exporting raw data like URLs, DNS or HTTP host names.
- IPFIX supports custom input of vendor IDs to allow proprietary information to be placed in a flow record.
- Increased fidelity of IPFIX is essential for using flow data in security monitoring applications.
- Did we mention IPFIX offers increased flexibility versus NetFlow v9? This cannot be overstated.
To be fair, with added flexibility, IPFIX can sometimes create compatibility challenges. NetFlow’s narrow focus is typically supported in almost all standard collectors and analysis tools, making tool integration a foregone conclusion.
Improve Your Network Security With IPFIX Today
Comprehensive network monitoring and security solutions are critical for your organization to reduce risk and streamline workflows. NetQuest can help. IPFIX is a key feature for us and we provide high-performance solutions that create unsampled IPFIX records and export them to other tools for detailed analysis. Check out our OMX3200 high-bandwidth sensor and how it can used to scale network flow analysis for security solutions.
We’ve been providing full-scope cyber security and network administration tools to organizations both large and small since 1987 and can assist you in developing security protocols that fit the unique needs of your company. Contact us today for more information.