Flow data (NetFlow, IPFIX, sFlow and others) are usually exported from routers and switches to flow collectors in plaintext over UDP (standard flow export). Exporting plain flow data from a customer to a service provider across a public, unsecured network carries the risk of unauthorized access. That is the major issue, because the exported flows contain information about all communications in the customer's network. There are various ways to protect against unauthorized access, such as deploying dedicated links or configuring IPsec tunnels or VPNs, but they are hard to manage and also very expensive. The most feasible solution is to encrypt the flow data.
Flow Encryption in Flowmon
Flowmon Networks introduces flow data encryption using Transport Layer Security (TLS) over TCP (according to RFC 5153). This feature (available since Flowmon 8.02) allows flow data to be forwarded from one place to another in a secure and reliable way. Both encryption and decryption of the flow data are handled by Flowmon Collector. The collector is deployed on the customer's side and on the Service Provider's side as a hardware or virtual appliance. The principle is as follows:
- The customer exports flow data (NetFlow/IPFIX/sFlow or another compatible format) from their own devices (routers, switches, firewalls, etc.) or from Flowmon Probes to Flowmon Collector.
- Flowmon Collector encrypts the flow data and forwards it to the Service Provider's cloud.
- The flow data are securely and reliably transferred across the public network.
- Flowmon Collector in the Service Provider's cloud receives and decrypts the flow data. The data can then be forwarded in plaintext (standard flow export) for further analysis to the Service Provider's service (e.g. DDoS attack detection), or Flowmon Collector itself can store, analyze and present the data (network traffic monitoring and anomaly detection, DDoS attack detection).
- The Service Provider analyzes the flow data and takes subsequent steps (e.g. detects DDoS attacks and starts mitigation), or uses the outputs of Flowmon Collector for reporting on network operational issues or security incidents in the customer's network.
Figure 1: Technology principle.
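As an added illustration (not Flowmon's own code), the following Python sketch shows the two pieces a TLS flow relay needs on top of the plain UDP export described above: a TLS policy that requires TLS 1.2 or newer and a certificate from the peer (mutual authentication), and re-framing of the IPFIX message stream on the receiving side, since TCP carries no datagram boundaries. The CA and certificate file paths are hypothetical, and the sample messages are constructed inline.

```python
import ssl
import struct
from typing import List, Optional, Tuple

IPFIX_VERSION = 10
HEADER = struct.Struct("!HHIII")  # version, length, export time, sequence, observation domain ID
HEADER_LEN = HEADER.size          # 16 bytes


def make_tls_context(server_side: bool, ca_file: Optional[str] = None,
                     cert_file: Optional[str] = None, key_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS 1.2+ context that requires a certificate from the peer (mutual authentication).

    ca_file / cert_file / key_file are hypothetical paths on the appliance; when they are
    omitted the context is returned unloaded so its policy settings can be inspected offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    ctx.verify_mode = ssl.CERT_REQUIRED            # peer must present a chain rooted in ca_file
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def build_ipfix_message(export_time: int, seq: int, domain: int, payload: bytes) -> bytes:
    """Construct one IPFIX message: 16-byte header followed by the set(s) in payload."""
    return HEADER.pack(IPFIX_VERSION, HEADER_LEN + len(payload), export_time, seq, domain) + payload


def split_ipfix_stream(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP/TLS byte stream into complete IPFIX messages using the header length field.

    Returns (complete messages, unconsumed remainder). The caller keeps the remainder and
    prepends it to the next read, because a TCP segment may end in the middle of a message.
    A header whose version is not 10 or whose length is shorter than the header itself is
    rejected with ValueError so corrupted or non-IPFIX input is never forwarded onward.
    """
    messages: List[bytes] = []
    offset = 0
    while len(buf) - offset >= HEADER_LEN:
        version, length, _, _, _ = HEADER.unpack_from(buf, offset)
        if version != IPFIX_VERSION or length < HEADER_LEN:
            raise ValueError(f"bad IPFIX header at offset {offset}: version={version} length={length}")
        if len(buf) - offset < length:
            break                                   # tail of this message has not arrived yet
        messages.append(buf[offset:offset + length])
        offset += length
    return messages, buf[offset:]
```

The relay on the customer side validates each received UDP datagram with `split_ipfix_stream` before writing it to the TLS socket, and the provider side runs the same function over whatever the TLS socket returns.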
What about the delay, you might ask? Flows are forwarded as soon as they are received, and the encryption introduces only negligible delay. The overall delay therefore depends on the round-trip time (network delay) and on the timeouts configured on the exporters (the time between flow record creation and export). With short timeouts configured, you can receive the flows you need in almost real time.
- Significant cost reduction.
- Protection from unauthorized access and reliable real-time flow export.
- Easy and fast deployment of Flowmon Collectors enables a quick start of encrypted flow export.
- On-site full feature flow data collector for network monitoring as a differentiator and added value for customer.
With real-time encrypted flow forwarding, Service Providers can easily protect the sensitive information they need to run their business. Flowmon Collector also extends and differentiates the provider's offering with functionality such as network traffic monitoring and network behavior analysis. From the customer's perspective, the provider brings additional value in the form of a tool for effective network troubleshooting, user and network service monitoring, reporting and alerting, network anomaly detection and more.
Are you interested in this feature? You can try it for free, just contact us and leave your request.