Flows versus Packets

So which is better, flow monitoring or packet capture, and what is all this about deep packet inspection (DPI)?

Flow monitoring looks at network traffic based on flows, or connections between hosts, across the network. By grouping all the flows associated with a specific connection between devices, flow monitoring provides an excellent platform for identify high level traffic patterns and anomalous behaviour.

By contrast, packet capture and deep packet inspection, whilst more granular, imposes a far greater overhead on monitoring equipment – particularly at high speeds. Having said this, DPI is invaluable in identifying applications and application behaviour across the network.

Dabble uses a combination of flow monitoring and DPI to provide the most comprehensive network wide view of security and performance.

Traffic Profiling Service

The Dabble Traffic Profile Service provides visibility and diagnostics of network traffic across the entire enterprise.  The service comprises a dedicated onsite appliance that reports to a cloud based dashboard allowing network operators to quickly assess network performance and isolate potential issues. The Traffic Profiling Service goes beyond traditional network monitoring solutions by also including comprehensive active diagnostics to pinpoint network problems.

The appliance has built in deep packet inspection, flow monitoring and host identification engines but also aggregates data from external third party devices to plug visibility holes. Data is aggregated and correlated on the appliance before being  exported to the cloud reporting portal to provide a single point to assess situational awareness.

Visibility

The appliance covers the following functional areas. Not all sites will need all these functions, each may be enabled on demand if required. It may be we want to license these separately. For example, a customer might want to enable DPI for a month to meet a specific requirement – it would be great to develop a charge model where customers can provision on demand, and be invoiced for, discreet services.

As a starting point, the following functional areas will be provided. Note that the architecture provides the ability to support a wide range of third party devices – see the discussion on ‘Codecs’ below for more detail.

    • Vulnerability Assessment
    • Firewall event analysis
    • IDS event analysis
    • Flow reporting
    • Deep Packet Inspection engine
    • Host and User identification

 

 

Appliance Modules

NetFlow Probe

An internal NetFlow probe is provided which generates flow data from a connected SPAN or tap port. The probe will perform flow stitching to consolidate unidirectional flows into bidirectional flows before presentation to the log forwarder.  This module will also (optionally) perform flow stitching for external NetFlow records that may be available from external network devices in the site.

Deep Packet Inspection Probe

The DPI probe provides a deep packet inspection engine for application identification and reporting. The DPI probe identifies traffic by application as well as classifying into logical high level groups such as email, web, video streaming and social media allowing for for easy business style reporting.

Host and User Identification

An important function often missing from management platforms is the ability to associate device IP addresses with the underlying hostname or user. Host and user identification is performed via DHCP snooping and Active Directory queries (as appropriate).