Chuck Leaver – Monitoring Cloud Activity With Enhanced NetFlow

Written by Roark Pollock and Presented by Ziften CEO Chuck Leaver


According to Gartner, the public cloud services market exceeded $208 billion in 2016, roughly a 17% increase year over year. Not bad when you consider the ongoing concerns most cloud customers still have about data security. Another especially interesting Gartner finding is the common practice among cloud customers of contracting services from several public cloud providers.

According to Gartner, “most companies are currently utilizing a combination of cloud services from different cloud providers”. While the business reasoning for using multiple providers is sound (e.g., avoiding vendor lock-in), the practice does add complexity to monitoring activity across an organization’s increasingly dispersed IT landscape.

While some providers offer better visibility than others (for example, AWS CloudTrail can log API calls across the AWS infrastructure), organizations need to understand and resolve the visibility problems that come with moving to the cloud, regardless of which cloud service providers they work with.

Unfortunately, the ability to monitor application activity, user activity, and network communications from each VM or endpoint in the cloud is limited.

Irrespective of where computing resources reside, companies must answer the question “Which users, machines, and applications are interacting with each other?” Organizations require visibility across the infrastructure in order to:

  • Quickly identify and prioritize problems
  • Speed root-cause analysis and identification
  • Lower the mean time to fix issues for end users
  • Quickly identify and eliminate security threats, reducing overall dwell time

Conversely, poor visibility, or poor access to visibility data, reduces the effectiveness of existing management and security tools.

Companies accustomed to the maturity, ease, and relatively low cost of monitoring physical data centers are going to be disappointed with their public cloud options.

What has been lacking is a simple, common, and elegant service like NetFlow for public cloud infrastructure.

NetFlow, of course, has had roughly 20 years to become a de facto standard for network visibility. A typical implementation involves tracking traffic and aggregating flows at network choke points, retrieving and storing flow information from multiple collection points, and analyzing that flow information.

A flow record contains a basic set of source and destination IP addresses, ports, and protocol information, typically collected from a router or switch. NetFlow data is relatively inexpensive and easy to collect, offers near-universal network visibility, and enables actionable analysis for both network monitoring and performance management applications.

Many IT staffs, particularly networking and some security groups, are very comfortable with the technology.

But NetFlow was designed to solve what has turned out to be a rather limited problem, in the sense that it only gathers network data, and does so at a limited number of possible locations.

To make better use of NetFlow, two crucial changes are needed.

NetFlow at the Edge: First, we need to expand the useful deployment scenarios for NetFlow. Instead of only gathering NetFlow at network choke points, let’s extend flow collection to the network edge (cloud instances, servers, and clients). This would greatly expand the overall view that any NetFlow analytics provide.

This would enable organizations to augment and leverage existing NetFlow analytics tools to eliminate the growing blind spot in visibility into public cloud activity.

Rich, contextual NetFlow: Second, we need to use NetFlow for more than basic network visibility.

Instead, let’s use an extended version of NetFlow that includes data on the application, user, device, and binary responsible for each monitored network connection. That would enable us to quickly correlate every network connection back to its source. Note that this context only exists on the endpoint itself: a router or switch cannot see which process or user opened a socket, which is why the second change depends on the first.
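The two ideas above (the basic NetFlow flow record described earlier, and the endpoint-side enrichment described here) can be shown together in a small script. This is an added illustration, not Ziften's code and not the ZFlow record format; the packet list, the socket table, the IDLE_TIMEOUT value and all field names are constructed for the example. The first function collapses packets into unidirectional flow records keyed by 5-tuple, as a router-side exporter would. The second attaches process, binary and user to each flow from a host-side socket table, and requires the socket's lifetime to overlap the flow's, because ephemeral ports get reused and a 5-tuple alone can attribute a later connection to the wrong process.

```python
"""Flow aggregation plus endpoint-side enrichment (constructed example)."""
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 60.0  # seconds; after this much silence a 5-tuple starts a new flow (assumed value)

# Constructed packet observations, as a network tap would see them:
# (timestamp, src_ip, src_port, dst_ip, dst_port, proto, bytes)
PACKETS = [
    (100.0, "10.0.1.5", 51000, "52.1.2.3", 443, "tcp", 500),
    (100.2, "52.1.2.3", 443, "10.0.1.5", 51000, "tcp", 1200),
    (100.5, "10.0.1.5", 51002, "10.0.2.9", 22, "tcp", 80),
    (101.0, "10.0.1.5", 51000, "52.1.2.3", 443, "tcp", 300),
    (102.0, "10.0.3.3", 40000, "10.0.2.9", 22, "tcp", 60),     # host with no endpoint sensor
    (300.0, "10.0.1.5", 51000, "52.1.2.3", 443, "tcp", 4000),  # same 5-tuple, reused later
]

# Constructed endpoint socket table, the kind of data only a host-side sensor has:
# (local_ip, local_port, remote_ip, remote_port, pid, exe, user, opened, closed)
SOCKETS = [
    ("10.0.1.5", 51000, "52.1.2.3", 443, 4120, "/usr/bin/curl", "alice", 99.8, 102.0),
    ("10.0.1.5", 51002, "10.0.2.9", 22, 4311, "/usr/bin/ssh", "alice", 100.4, 400.0),
    ("10.0.1.5", 51000, "52.1.2.3", 443, 7777, "/tmp/.x/agent", "root", 299.5, 310.0),
]


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    # Endpoint context: absent in plain NetFlow, filled in by enrich_flows()
    pid: Optional[int] = None
    exe: Optional[str] = None
    user: Optional[str] = None


def aggregate_flows(packets, idle_timeout=IDLE_TIMEOUT):
    """Collapse packets into unidirectional flow records keyed by 5-tuple.

    A flow is closed when its 5-tuple has been idle longer than idle_timeout;
    later packets for the same key open a fresh record, as a NetFlow exporter does.
    """
    active = {}
    finished = []
    for ts, sip, sport, dip, dport, proto, size in sorted(packets):
        key = (sip, sport, dip, dport, proto)
        flow = active.get(key)
        if flow is not None and ts - flow.last > idle_timeout:
            finished.append(active.pop(key))
            flow = None
        if flow is None:
            flow = Flow(sip, sport, dip, dport, proto, first=ts, last=ts)
            active[key] = flow
        flow.last = ts
        flow.packets += 1
        flow.octets += size
    finished.extend(active.values())
    finished.sort(key=lambda f: (f.first, f.src_ip, f.src_port))
    return finished


def enrich_flows(flows, sockets):
    """Attach pid, binary and user to each flow from the host socket table.

    A socket matches if its (local, remote) pair equals the flow's endpoints in
    either direction AND its lifetime overlaps the flow's time window. Without the
    overlap test the reused port 51000 at t=300 would be attributed to curl.
    """
    for flow in flows:
        for lip, lport, rip, rport, pid, exe, user, opened, closed in sockets:
            outbound = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port) == (lip, lport, rip, rport)
            inbound = (flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port) == (lip, lport, rip, rport)
            if (outbound or inbound) and flow.first <= closed and flow.last >= opened:
                flow.pid, flow.exe, flow.user = pid, exe, user
                break  # first overlapping socket wins; flows with no sensor data stay None
    return flows


if __name__ == "__main__":
    for f in enrich_flows(aggregate_flows(PACKETS), SOCKETS):
        who = f"{f.user}:{f.exe}(pid {f.pid})" if f.pid else "<no endpoint context>"
        print(f"{f.first:6.1f}-{f.last:6.1f} {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} "
              f"{f.proto} pkts={f.packets} bytes={f.octets} {who}")
```

Run as a script it prints one line per flow; the flow from 10.0.3.3 has no endpoint context, which is exactly the blind spot a collector that only sees router-side NetFlow cannot fill, and the second use of port 51000 is attributed to the root-owned binary in /tmp rather than to curl.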

In fact, these two modifications to NetFlow are exactly what Ziften has achieved with ZFlow. ZFlow provides an expanded version of NetFlow that can be deployed at the network edge, including as part of a VM or container image, and the resulting flow data can be consumed and analyzed with existing NetFlow tools. Over and above standard NetFlow and IP Flow Information Export (IPFIX) network visibility, ZFlow supplies extended visibility by including information on the user, device, application, and binary for every network connection.

Ultimately, this enables Ziften ZFlow to deliver end-to-end visibility between any two endpoints, physical or virtual, eliminating traditional blind spots like east-west traffic in data centers and enterprise cloud deployments.


