An IPFIX collector performs a nearly identical function as a NetFlow collector. The term 'NetFlow' encompasses all flow technologies (explained below). The big difference between NetFlow v5 and v9 was the introduction of templates in v9; templates allow the hardware to tell the collector what is being exported, which opens up the protocol to many new metrics such as: jitter, packet loss, round trip time, retransmits, URLs, layer 7 application and more.
What is an IPFIX or NetFlow Collector?
First of all, what is NetFlow? NetFlow and IPFIX are flow or messaging technologies which are nearly identical. IPFIX is the official IETF standard and considered by some to be NetFlow v10. IPFIX allows for variable length strings and opens the technology up to allow vendors other than Cisco to export unique details about the traffic passing through their hardware.
Flow collectors are able to dynamically read the templates exported by flow capable hardware and store the flows being sent. Most NetFlow collectors provide reporting on the data and some even provide behavior analysis to help detect network threats.
What is a Flow?
A flow is typically thought of as an entry in the connection cache of a router, switch, server, or firewall. A flow entry represents the packets that match the same criteria as decided by a tuple. A tuple is a set of definable criteria that a packet must match to be considered part of the same flow. An example tuple includes:
- source and destination IP Address
- source and destination port
- Source Interface
- DSCP or ToS value
NetFlow and IPFIX, however, are not limited to network traffic—they are also ideal for sending log data. This is especially true of IPFIX, which allows for variable length strings.
If you were to take an Advanced NetFlow Training class, the insructor would tell you that the most flexible solutions allow the customer to define the tuple, meaning he or she can customize what is exported. For example, the customer could add the following fields to the tuple:
- MAC Address
- Round Trip Time per flow
- Retransmitted packet counts
- URL, etc.
Hardware companies that support IPFIX can be found on this configure NetFlow page, which is maintained by one of the leaders in NetFlow. They also develop their own IPFIX collector, maintain a user forum known as the NetFlow Knights, and offer a NetFlow analyzer called Scrutinizer.
An IPFIX collector typically supports NetFlow, J-Flow, NetStream, CascadeFlow, and even packet sampling technologies such as sFlow all on the same appliance. When flows from the same devices need to be sent to multiple IPFIX collectors, an IPFIX replicator is deployed. A replicator speeds the proccess up exponentially; you can visit a single appliance to forward flows from 800 routers rather than having to telnet and update the configuration on each individual device. An IPFIX replicator is most often found in environments where the security team wants to send the flows to more than one IPFIX collector for internet security reasons.
Analyzing flow data can add another layer of internet security to a company's overall network security solution. NetFlow and IPFIX threat detection systems compile the flows received and perform network behavior analysis. During this process, IP addresses within the flows are often compared to a constantly updated host reputation list, and TCP flags are reviewed in an effort to identify certain types of network scans (e.g. SYN, XMAS, RST/ACK, etc.). Flow ratios are also examined, which helps detect DDoS attacks.
A Leading IPFIX Collector Vendor
Visit one of the leaders in NetFlow at Plixer.com for more information on one of the best IPFIX collectors in the industry.