What Can NetFlow Do That IDS Systems Can't Do Very Well or At All?

ronomeara
Level 1

Can anyone elaborate on why NetFlow is a better solution for intrusion detection than IDS systems? My thoughts are that IDS systems are like packet capture devices, which see a very granular view of flows and can't produce the big picture that correlates one flow to another as a potential threat. Am I way off, and is there something else that is relevant?

1 Reply

Farrukh Haroon
VIP Alumni

One really cannot compare apples with oranges. There are actually two types of IPS systems:

Signature Based

Anomaly/Behavior Based

Most modern IPS systems are a combination of the above two, but most of their core detection functionality is based on pre-defined signatures. Netflow is a tool that can help achieve the second of the above, as in baseline the 'normal' network traffic and then use that to do further analysis. It does not help much with protocol anomalies/exploitations like DNS/DHCP attacks, VOIP attacks, FTP attacks etc.

In the Cisco solution, you can send NetFlow events from IOS Devices to the Cisco MARS, as well as events from Cisco IPS Sensors, IOS IPS, CSA logs, firewall logs, and it can correlate both to achieve the above two goals in an integrated fashion.

There are other products that focus on Network-Based-Anomaly Detection (NBAD) using Netflow/sFlow/Cflow, have a look at:

http://www.networkcomputing.com/showArticle.jhtml?articleID=163700677

However please note that the NBAD devices don't come that cheap :)

Regards

Farrukh
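As an added illustration of the "baseline the normal traffic, then use that for further analysis" use of NetFlow that the reply describes (example code written for this page, not from the thread, from Cisco MARS, or from any NBAD product; the flow records, hosts and thresholds are constructed for illustration):

```python
# Per-source behavioural baseline from NetFlow-style records, then anomaly scoring.
# Records are constructed 4-tuples (src_ip, dst_ip, dst_port, bytes); a real
# NetFlow v5/v9 export carries these fields among others, but nothing here
# parses a real export.
from collections import defaultdict
from statistics import mean, pstdev

def summarise(flows):
    """Per-source totals for one window: bytes sent and number of distinct (peer, port)."""
    total, peers = defaultdict(int), defaultdict(set)
    for src, dst, dport, nbytes in flows:
        total[src] += nbytes
        peers[src].add((dst, dport))
    return {src: (total[src], len(peers[src])) for src in total}

def build_baseline(windows):
    """Mean and population stdev of each metric per source across 'normal' windows."""
    series = defaultdict(lambda: ([], []))
    for flows in windows:
        for src, (nbytes, npeers) in summarise(flows).items():
            series[src][0].append(nbytes)
            series[src][1].append(npeers)
    return {src: ((mean(b), pstdev(b)), (mean(p), pstdev(p))) for src, (b, p) in series.items()}

def detect_anomalies(baseline, flows, k=3.0):
    """Flag sources never seen before, or more than k stdevs above their own baseline."""
    findings = []
    for src, (nbytes, npeers) in summarise(flows).items():
        if src not in baseline:
            findings.append((src, "new source with no baseline"))
            continue
        (mb, sb), (mp, sp) = baseline[src]
        # Floor the stdev so a perfectly steady baseline still tolerates small jitter.
        if nbytes > mb + k * max(sb, 0.1 * mb):
            findings.append((src, f"{nbytes} bytes vs baseline {mb:.0f}"))
        if npeers > mp + k * max(sp, 1):
            findings.append((src, f"{npeers} distinct peers vs baseline {mp:.1f}"))
    return findings

# Constructed 'normal' days: one workstation talking to a mail server and a proxy.
NORMAL_DAYS = [
    [("10.0.0.5", "10.0.0.25", 25, 40_000), ("10.0.0.5", "10.0.0.8", 3128, 1_200_000)],
    [("10.0.0.5", "10.0.0.25", 25, 45_000), ("10.0.0.5", "10.0.0.8", 3128, 1_100_000)],
    [("10.0.0.5", "10.0.0.25", 25, 38_000), ("10.0.0.5", "10.0.0.8", 3128, 1_300_000)],
]
# Constructed 'today': usual traffic, plus a fan-out to many new peers, one very
# large upload, and a host that has never appeared in the baseline at all.
TODAY = (NORMAL_DAYS[0]
         + [("10.0.0.5", f"203.0.113.{i}", 443, 600) for i in range(20)]
         + [("10.0.0.5", "203.0.113.99", 443, 50_000_000),
            ("10.0.0.77", "10.0.0.8", 3128, 5_000)])

if __name__ == "__main__":
    for src, reason in detect_anomalies(build_baseline(NORMAL_DAYS), TODAY):
        print(src, "-", reason)
```

No single flow here would match a signature; the findings only appear once the day's flows are compared against the host's own history, which is the correlation the reply attributes to NetFlow rather than to a signature IDS.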
