
I am running a network with a central, historically grown firewall system which I would like to replace. Unfortunately the historically grown rule set is a REAL mess, so I would like to do a network analysis from scratch. Therefore I plan to run sFlow on my HP ProCurve switches. I already have it running with ntop, but this is unfortunately not the tool of choice in my case. What I am looking for is an sFlow collector which I could use to re-engineer my firewall rules. The main goal is to get a graphical and/or table view of all hosts in the network. What I need to do is to create a completely new rule set for each host in the network, whereby my focus is on the incoming connections from the host's point of view. The tool should have different filter options like "filter by host", "filter by network", "filter by service" etc. Of course I would prefer to use open source software, but if there is no suitable open source tool for my purpose, I am definitely willing to pay for a commercial tool.

I hope my explanation is not too confusing. :-)

It would be great to get some advice from you guys. The list at sflow.org is a good starting point, but unfortunately I don't have the time to try out each tool on the list:

http://www.sflow.org/products/collectors.php

Cheers,

Bob

Bob Meier



I've been using nfdump/nfsen and Scrutinizer from Plixer for quite some time now (more nfdump than Scrutinizer lately). Both are fantastic tools, but they each have their own "niche" of users.

Nfdump/nfsen is open source/free-as-cerveza but may be too "geeky" for some users. Its filtering/querying capabilities are extremely powerful (think "tcpdump" filtering syntax but for flows, plus aggregation and sorting), but in my opinion it lacks some polishing on the graph-generation/reporting side of the equation (in nfsen). What I love about nfdump is that I'm able to throw some "quick & dirty" command line queries and get the information I need in a format that is ready to feed some Python scripts of mine.

On the other side, Scrutinizer (commercial/not-free-as-cerveza) is a fantastic "visual" tool. Great for generating reports and views to share with the not-so-"geeky" customers I have. Its querying capabilities are great, but I have not found a way to extract information from it via the command line (mainly because I have not researched whether Scrutinizer has this capability, because I can accomplish this with nfdump).

One last thing. I know first hand that Scrutinizer can consume sFlow data. I know (from what I've read and the configuration options I've seen) that nfdump can consume sFlow data too, but I have personally never done it. I've used nfdump only with NetFlow v5/v9 data. So my recommendation would be that before committing to nfdump, you should confirm this capability.

jliendo
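As an added example (not code from the question or from either answer), this is the kind of Python post-processing jliendo mentions: it reads nfdump-style flow records, keeps only flows arriving at a chosen host or network and service, and collapses sources to networks so the output reads as candidate per-host allow rules, which is the incoming-connection view Bob asks for. The CSV column layout and the sample records are constructed assumptions, not a real nfdump export.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample records. The layout is an assumption: a few nfdump-style
# CSV columns (sa, da, sp, dp, pr, ibyt). A real export carries many more
# columns, so fields are looked up by header name rather than by position.
SAMPLE_FLOWS = """\
sa,da,sp,dp,pr,ipkt,ibyt
10.0.1.25,10.0.2.10,51234,443,TCP,12,2400
10.0.1.26,10.0.2.10,51235,443,TCP,8,1600
10.0.1.25,10.0.2.10,51236,22,TCP,30,9000
192.168.5.7,10.0.2.11,40000,53,UDP,1,80
10.0.2.10,10.0.1.25,443,51234,TCP,10,5000
"""

def inbound_services(csv_text, dst_net=None, service=None, src_prefix=24):
    """Summarise incoming flows per destination host.
    dst_net: keep only destinations inside this host/network, e.g. "10.0.2.0/24".
    service: keep only flows to this (proto, dst port), e.g. ("TCP", 443).
    src_prefix: collapse source addresses to this prefix length so the result
    reads as candidate rules rather than a list of individual clients.
    Returns {(dst_host, proto, dst_port): {"sources", "flows", "bytes"}}."""
    net = ipaddress.ip_network(dst_net) if dst_net else None
    summary = defaultdict(lambda: {"sources": set(), "flows": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        dst = ipaddress.ip_address(row["da"])
        if net is not None and dst not in net:
            continue  # destination filter ("filter by host" / "by network")
        proto, dport = row["pr"], int(row["dp"])
        if service is not None and (proto, dport) != service:
            continue  # service filter
        src_net = ipaddress.ip_network(f'{row["sa"]}/{src_prefix}', strict=False)
        entry = summary[(str(dst), proto, dport)]
        entry["sources"].add(str(src_net))
        entry["flows"] += 1
        entry["bytes"] += int(row["ibyt"])
    return dict(summary)

def candidate_rules(summary):
    """Render the summary as one human-readable allow line per source network."""
    return [f"allow {proto.lower()} from {src} to {host} port {port}"
            for (host, proto, port), entry in sorted(summary.items())
            for src in sorted(entry["sources"])]

if __name__ == "__main__":
    for line in candidate_rules(inbound_services(SAMPLE_FLOWS, dst_net="10.0.2.0/24")):
        print(line)
```

Flow records are unidirectional, so the server's reply (the last sample row) would appear as traffic to an ephemeral port on the client if you filtered by that client; restricting the query to the server network, as above, or using nfdump's TCP-flag filters to keep only connection-initiating flows avoids turning replies into bogus rules.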

Since you are using HP ProCurve switches, I would recommend a tool that supports the sFlow MIB for configuration. sFlowTrend is free and has filtering and reporting capabilities that should give you the data you need.

Ben Lessani