Network Analysis Tools: Intelligent Data Collectors

Kerstin Stief
8 min read · Jul 26, 2021


On 15 July 2021, data://disrupted®-Editor-in-Chief Kerstin visited the Nuvias Summer Party in Munich. Nuvias is a pan-European value-add distributor specialising in cybersecurity and network infrastructure technologies. Among the manufacturers are Juniper, Fortinet, Bitdefender and Riverbed, as well as many lesser-known companies.

Among the latter is the Polish start-up Sycope with its product FlowControl — a solution for analysing network traffic and detecting threats. FlowControl analyses 500,000 flows in 1.82 seconds. This is equivalent to the record time for changing a tyre in Formula 1.

We wanted to know: Is this really something special? What can others do? What does it actually depend on? And above all: why is it important?

Network Security and more

First, however, let us briefly introduce Sycope to you: Sycope is part of the Polish Passus Group, whose core is Passus S.A., founded in 1992. Later, Wisenet sp. z o.o. and Chaos Gears sp. z o.o. joined the group as it became the majority shareholder. Passus specialises in the design and implementation of highly specialised IT solutions in the areas of network and application performance monitoring plus IT security in on-premises as well as in hybrid, private or public cloud architectures.

FlowControl is based on the NetFlow protocol developed by Cisco to collect information on IP data traffic and to monitor network data traffic.

Look what’s flowing

NetFlow is the most widely used flow protocol; IPFIX and sFlow are the other common ones.

A flow on the network is a sequence of related, unidirectional packets that share attributes such as source and destination address, port numbers and protocol.

Using a flow protocol such as NetFlow, network devices collect information about these attributes and send it to a network analysis tool. For example, NetFlow provides clues as to which network object or user, application, protocol or process requires how much bandwidth and when. Traffic from specific IP addresses, ports and users can be monitored individually. Deviations from established traffic patterns can indicate security incidents. By evaluating traffic data, bottlenecks can be detected at an early stage and service levels can be improved.

The best-known representatives of such network analysis tools are SolarWinds® NetFlow Traffic Analyzer (NTA), Kemp Flowmon Netflow Collector and Riverbed® NetProfiler. In addition to NetFlow data, all of these solutions also evaluate IPFIX. Sycope's FlowControl evaluates IPFIX as well and additionally supports the sFlow and Cisco ASA/NSEL formats.

Table 1: Number of flows and supported flow protocols

SolarWinds and Kemp Flowmon also support a number of different application and proprietary protocols. Kemp Flowmon mentions Cisco (AVC, HTTP), Gigamon (HTTP, DNS, SSL, RADIUS), IXIA (HTTP), VMware NSX (rule ID, vmUUID, vncIndex), OneAccess (HTTP), VMware VDS and AWS FlowLogs. A complete list can be found on the manufacturer’s page. SolarWinds mentions Cisco® NBAR2, WLC network data (radio), VMware vSphere Distributed Switch (VDS), Cisco Meraki MX/Z series and Network Insight™ for Palo Alto Networks®. Further information is provided in the manufacturer’s data sheet. We could not find anything on this at Riverbed.

Where are you flowing to?

If you compare the figures alone, FlowControl is not doing too badly. However, our editor-in-chief also knows from past experience that both throughput and analysis speed depend on the hardware: the more RAM, CPU cores and storage, the higher the throughput. We have deliberately left out the network cards; we will open that bottle later, in another post.

Table 2: Hardware specification

In addition to hardware appliances, Kemp Flowmon, Riverbed and SolarWinds also offer virtual appliances (VAs) for operation in cloud environments. All major public clouds are supported, as well as hypervisors from VMware, Linux (KVM) and Microsoft (Hyper-V).

The complete model overview of Kemp Flowmon is available on the manufacturer’s website. Riverbed also offers the specifications of the NetProfiler on its website. Passus and Sycope have hidden the information about the features of their appliance somewhat. Nevertheless, we found it.

In addition to the hardware, mechanisms such as the deduplication of flow data can also provide a remarkable performance boost. The Riverbed Flow Gateway also deduplicates flow data for the NetProfiler, but it is a separate device. More devices mean more complexity and higher cost.

Size matters. But ...

Network analysers have long been able to do more than just monitor traffic. With the disappearance of clear perimeters, more and more firewall functionality is migrating to the network devices. Thus, WLAN access points are becoming Unified Threat Managers (UTM), as with Aruba, and traffic analysers are becoming firewalls. Of course, this also has an impact on performance. This is best seen in the example of Kemp Flowmon. The peak value of 400,000 flows per second is only reached when all features are deactivated. With all shields up, only 100,000 flows per second are achieved. The value we mentioned in Table 2 is a compromise between security and “still having fun”.

A Leipzig-based start-up (which now belongs to the Bundesdruckerei Group) proved that this can also be done differently. The genua Threat Defender theoretically reaches a peak of 80,000 flows per second even with the smallest appliance, which has only 8 GB of RAM. The larger appliances can easily achieve a few million. Here, too, however, it depends on an optimal traffic distribution and on the interaction of the activated functions. In contrast to the old hands of the industry, the Leipzig-based company relies on the advantages of a single-pass engine and the Elastic Stack (ELK) with all its components, such as Elasticsearch. This means that data can be stored and, above all, retrieved wherever there is space. This of course has an impact on performance and above all on price: less expensive hardware is needed. Kibana, which is also part of the stack, visualises the data nicely and clearly. Logstash processes and normalises the data streams. In addition, the data is enriched with useful information.

The Polish developers also enrich the collected data. This allows the information obtained to be filtered and prioritised for Cyber Threat Intelligence (CTI), another feature we are seeing more and more often in network analysis. In addition, Sycope FlowControl uses an extension to detect and analyse security anomalies and threats. A dedicated Threat Intelligence Engine correlates flow data with lists of IP addresses and geo-data from sources or countries classified as threatening and generates alerts. These events (warnings, alarms) can be forwarded as e-mail, syslog or SNMP trap to external SIEM systems such as QRadar, ArcSight and Splunk. A second engine, the Threat Detection Engine, aggregates and correlates information to detect threats. For this purpose, Sycope relies on the matrix of the MITRE ATT&CK model. FlowControl ships with more than 50 rules covering the tactics Command and Control, Credential Access, Discovery, Exfiltration, Impact, Initial Access and Lateral Movement. Examples of the threats the system can detect can be found in the data sheet.

An algorithm also actively monitors other sources and generates a consolidated list of current Indicators of Compromise (IoCs). Among other things, this helps to reduce the number of false positives.
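To make the flow concept from the "Look what's flowing" section, the deduplication mentioned above and the threat-list correlation of the Threat Intelligence Engine concrete, here is an added Python example (not Sycope's, Cisco's or any other vendor's code). It decodes the Cisco NetFlow v5 wire format (24-byte header, 48-byte records) into flow records, merges duplicate reports of the same 5-tuple as a deduplication stage would, and raises an alert when an endpoint falls inside a listed network. The threat list, the addresses and the datagram are constructed from documentation ranges and are not real indicators.

```python
import struct
import ipaddress

# Cisco NetFlow v5 wire layout: 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
# Constructed threat list for this example (documentation ranges, not real indicators).
IOC_NETS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.77/32")]

def parse_v5(datagram):
    """Decode one NetFlow v5 datagram into flow dicts; reject other versions and truncated exports."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5 or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("not a complete NetFlow v5 datagram")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(ipaddress.IPv4Address(r[0])), "dst": str(ipaddress.IPv4Address(r[1])),
                      "pkts": r[5], "bytes": r[6], "sport": r[9], "dport": r[10], "proto": r[13]})
    return flows

def dedup(flows):
    """Merge records sharing a 5-tuple (one flow reported by several exporters); keep the larger counters."""
    merged = {}
    for f in flows:
        key = (f["src"], f["dst"], f["sport"], f["dport"], f["proto"])
        m = merged.setdefault(key, dict(f))
        m["pkts"], m["bytes"] = max(m["pkts"], f["pkts"]), max(m["bytes"], f["bytes"])
    return list(merged.values())

def correlate(flows, nets=IOC_NETS):
    """Threat-intelligence style check: alert when either endpoint lies inside a listed network."""
    alerts = []
    for f in flows:
        for side in ("src", "dst"):
            if any(ipaddress.ip_address(f[side]) in n for n in nets):
                alerts.append((side, f[side], f["dport"], f["bytes"]))
    return alerts

def make_record(src, dst, sport, dport, proto, pkts, octets):
    return V5_RECORD.pack(int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)), 0, 1, 2,
                          pkts, octets, 1000, 2000, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample export (make_record only packs these test values): an internal flow reported
# twice by two exporters, plus one flow to the listed range.
SAMPLE = V5_HEADER.pack(5, 3, 100000, 1626300000, 0, 1, 0, 0, 0) + (
    make_record("10.0.0.5", "10.0.0.9", 51000, 443, 6, 20, 3000)
    + make_record("10.0.0.5", "10.0.0.9", 51000, 443, 6, 22, 3300)
    + make_record("10.0.0.7", "203.0.113.12", 40000, 8443, 6, 9, 700))
```

Calling correlate(dedup(parse_v5(SAMPLE))) yields a single alert for the flow to 203.0.113.12, while the two reports of the internal flow collapse into one record carrying the larger counters.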

Bonus: the system supports the white-listing (allow-listing) approach of the Zero Trust model, which is more secure than the usual fiddling around with block lists that only cover already known vulnerabilities and threats.

DDoS est mort. Vive le DDoS !

Distributed denial-of-service attacks are as old as the World Wide Web. They are experiencing a renaissance, not least due to the Internet of Things (IoT) and edge computing. Sycope uses NetFlow data for DDoS detection and can also identify multi-vector attacks. Attacks can be blocked manually or with the help of BGP FlowSpec.

Hooray! It can do IPv6.

FlowControl analyses IPv6 headers and routing headers, by type as well as by the addresses they contain, together with the flow label field.

SolarWinds NTA is at least able to detect IPv6 traffic and extract IPv6 traffic details from the packets (PDUs).

Riverbed NetProfiler is IPv6 ready. The manufacturer does not reveal what this means exactly.

With Kemp Flowmon we could not find any signs that IPv6 is supported or planned.

Conclusion

Visually, Riverbed and Sycope win. IPv6 is still a mystery. In terms of performance, Riverbed, Sycope and the somewhat out-of-competition genua Threat Defender are convincing. Sycope and genua win above all in price/performance. Complexity is highest with Riverbed and Kemp Flowmon.

As far as features are concerned, the crystal ball is still very cloudy. We will see where the market goes from here. In any case, firewall manufacturers are getting serious competition. We haven't even talked about root cause analysis and predictive analytics yet. But this market is also growing fast and the first challengers have entered the scene.

The downer? Every feature and every functional expansion also harbours risks. SolarWinds learned in 2021 what this means. Every plugin, every third-party product, every development kit and every software dependency (e.g. libraries or drivers) can be compromised. The discussion and battle for security in software supply chains has only just begun.

Further information:

Kemp Flowmon presented their solution at Networking Field Day 25. You can find the recording on the Tech Field Day pages. Two months earlier, the company had already presented itself at Security Field Day 5. In between, there was Tech Field Day 23, where Riverbed presented itself as a root cause analysis company.

Sycope’s presentation is available in German only:

Architecture & Dashboard Kemp Flowmon Netflow Collector

Architecture & Dashboard Riverbed® NetProfiler

Architecture & Dashboard SolarWinds® NetFlow Traffic Analyzer

Architecture & Dashboard Sycope FlowControl

This article has been published on data://disrupted® first.


Written by Kerstin Stief

Publisher & Editor in Chief data-disrupted.de | Cocktail Mixer | House Electrician | Copy Cat | PR as a Service mende.media | B2B | ICT only | Open Source first
