Netflow/IPfix Analyzer for network threats and anomalies

Question

I'm evaluating various options for Netflow/IPfix based analyzers which focus on identifying security threats and anomalies. It would be highly appreciated if someone can provide a list of tools with the following points in mind.

• windows or *nix based .. doesn't matter.
• proprietary tool or open source ... doesn't matter but open source would be good.
• price .. doesn't matter.

Thanks

Answer 1

Cisco maintains a nice list of Netflow Software: freeware, commercial, Cisco solutions

Answer 2

Here are some options: Cisco just acquired Cognitive Security. They provide only threat detection. No flow reporting. Price = ??

Scrutinizer from Plixer : They perform threat detection and are leaders in reporting especially on firewall exports. They automate host reputation lookups. Price = moderate

Arbor Networks : They are leaders in threat detection and have some flow reporting. It is massively scalable. Price = expensive.

I hope this helps.

Answer 3

Some things to consider when looking at analyzers:

• Where is your NetFlow data coming from? If you've already got routers and switches that export NetFlow, you're probably in good shape, but if not, there are a number of free flow exporters available as software.
• Are you looking to buy a ready-to-deploy box, or a software solution to run on hardware that you provide yourself?
• How long of a data history do you need? Are you looking for a full-fidelity store, or are you OK with aggregation?

The company I work for produces a NetFlow analyzer called FlowTraq. For obvious reasons, I'm a fan :)

Other commercial offerings include SolarWinds, Arbor Networks, and Lancope. I believe Cisco has their own offerings as well. nTop and SiLK are two good open source tools; even if you wind up going with a commercial tool, I recommend trying them out just to get familiar with the terminology, and figure out what features you need in a NetFlow tool.