What Can NetFlow Do That IDS Systems Can't Do Very Well or At All?

Unanswered Question
Jun 13th, 2008

Can anyone elaborate on why NetFlow is a better solution for intrusion detection than IDS systems? My thoughts are that IDS systems are like packet capture devices, which see a very granular view of flows and can't produce the big picture that correlates one flow to another as a potential threat. Am I way off, and is there something else that is relevant?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Farrukh Haroon Fri, 06/13/2008 - 04:13

One really cannot compare apples with oranges. There are actually two types of IPS systems:

Signature Based

Anomaly/Behavior Based

Most modern IPS systems are a combination of the above two, but most of their core detection functionality is based on pre-defined signatures. Netflow is a tool that can help achive the second of the above, as in baseline the 'normal' network traffic and then use that to do further analysis. It does not help much with protocol anomalies/exploitations like DNS/DHCP attacks, VOIP attacks, FTP attacks etc.

In the Cisco solution, you can send NetFlow events from IOS Devices to the Cisco MARS, as well as events from Cisco IPS Sensors,IOS IPS, CSA logs, firewall logs and it can correlate both to achieve the above two goals in an integrated fashion.

There are other products that focus on Network-Based-Anomaly Detection (NBAD) using Netflow/Sfow/Cflow, have a look at:

http://www.networkcomputing.com/showArticle.jhtml?articleID=163700677

However please note that they NBAD devices don't come that cheap :)

Regards

Farrukh

Actions

This Discussion