As you have probably noticed, interest in NetFlow has risen sharply in recent years. This is because its dataset provides much more detail and more effective traffic analysis than simple SNMP monitoring. It is also lightweight: it does not require storing big data, and it does not intrude on people's privacy the way Deep Packet Inspection does. For this reason, NetFlow has expanded its application beyond networking and is now used by system and security admins as well.

Conducting a technical assessment for a software acquisition can be a painstaking process, especially in the case of NetFlow Analyzers, where there are so many providers on the market, both free and paid. Each network team has to make its own comprehensive decision according to its specific environment, taking into account both functional and non-functional requirements (such as architecture scalability, high performance, compliance with standards and regulations, etc.). However, based on our experience, it is still possible to draw a generic conclusion about the necessary requirements depending only on the network size.

For simplicity and focus, we'll leave aside most of the non-functional requirements for the moment. Here is a simple checklist of the top 10 feature categories and features currently offered by the majority of providers; it can help you get a clear overview of what to look for in a NetFlow Analyzer.

| Feature category | Features | Application | Small network | Medium network | Large network |
|---|---|---|---|---|---|
| Usability | Getting started wizard, dashboards, web/mobile app | General | + | + | + |
| Networking devices traffic | Interface bandwidth, congestion and trend analysis (by dimensions: hosts, ports, protocols, etc.) | Networking | + | + | + |
| Multi-user management | Admin/user/guest privileges | General | | + | + |
| Custom traffic segments | Subnet, server, application, atypical traffic analysis | System, security | | + | + |
| Threshold-based alerting | Triggers, notifications (email, SMS, in-app), alarm overview | Networking, system, security | | + | + |
| Event analysis | End-user logging, Syslog/SNMP traps, raw data analysis | Networking, system, security | | + | + |
| Reporting | Export (PDF, CSV), email scheduling | General | | + | + |
| Multi-tenancy support | Privileges per node, user groups | General | | | + |
| Deep-dive forensics | Secondary dimension drill-down, filtering on-the-fly, personal view profiles | Networking, system, security | | | + |
| Anomaly alerting | Base-lining, behavioral analysis, custom anomaly setup | Security | | | + |

A small network (single router, subnet, location and tens of users) doesn't need much. It is necessary that the NetFlow Analyzer provides interface bandwidth monitoring with the possibility to analyze the reasons for congestion and its trend. It is also important that the tool is easy to use and can be implemented quickly. On top of that, it would be good to have a dashboard with the traffic information you want to monitor, and even access to traffic data on your mobile device. This feature set can easily be obtained from free tools.

A medium-size network (more routers, subnets, locations and hundreds of users) usually has more complex needs. For starters, the analyzer has to provide multi-user privileges, segmentation of traffic into the company's subnets, servers and applications, and notification of dedicated users when an atypical event occurs. In addition, it can provide user logging and log and raw data analysis for more information about the event context and root cause. Finally, the NetFlow Analyzer should also be able to export reports or even schedule regular report delivery to third parties.

A large network (multiple routers, subnets, locations and thousands of users) typically requires a NetFlow Analyzer with very complex expert features, which in the background translate into serious software architecture, hardware, support, acquisition and maintenance costs. First of all, this tool should have more complex user management: privileges for different parts of the organization, and user groups for easier privilege management. Second, it should be possible to quickly drill down into micro-segments of data (for example, to see which host used which protocols), instantly apply and save filters (e.g. to pick a host and analyze its traffic from multiple dimensions), and also create personal profiles (each organizational unit and department creates its own part of the network, set of nodes and dashboards to use). And third, in order to quickly alert on zero-day attacks in an environment with a vast amount of network data, it should be able to provide base-lining, register unwanted traffic pattern behavior, and update its threat database.
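As an added illustration (not code from the original post or from any product), here is a small Python sketch of three of the features in the checklist, run over constructed flow records: aggregation by dimension (host, protocol, port) with a secondary-dimension drill-down, static threshold alerting, and baseline alerting that learns a normal volume from a training window and flags deviations. The record layout, field names and traffic values are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (hypothetical, not captured traffic):
# (minute, src_ip, dst_ip, protocol, dst_port, bytes)
FLOWS = [
    (0, "10.0.1.5", "10.0.2.10", "tcp", 443, 4_000),
    (0, "10.0.1.6", "10.0.2.10", "tcp", 443, 3_000),
    (1, "10.0.1.5", "10.0.2.10", "tcp", 443, 4_500),
    (1, "10.0.1.7", "10.0.2.11", "udp", 53, 500),
    (2, "10.0.1.5", "10.0.2.10", "tcp", 443, 3_800),
    (2, "10.0.1.6", "10.0.2.10", "tcp", 443, 3_200),
    (3, "10.0.1.6", "10.0.2.10", "tcp", 443, 4_100),
    (3, "10.0.1.7", "10.0.2.11", "udp", 53, 400),
    # minute 4: one host suddenly moves far more data than the usual pattern
    (4, "10.0.1.9", "10.0.2.12", "tcp", 4444, 60_000),
    (4, "10.0.1.5", "10.0.2.10", "tcp", 443, 4_000),
]

DIMENSIONS = {"host": 1, "protocol": 3, "port": 4}  # column index per dimension

def bytes_by(flows, dimension):
    """Total bytes per value of one dimension (host, protocol or port)."""
    idx, totals = DIMENSIONS[dimension], defaultdict(int)
    for f in flows:
        totals[f[idx]] += f[5]
    return dict(totals)

def drill_down(flows, minute, dimension):
    """Secondary-dimension drill-down: restrict to one minute, then aggregate."""
    return bytes_by([f for f in flows if f[0] == minute], dimension)

def bytes_per_minute(flows):
    """Interface volume per minute, ordered by minute (the trend series)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f[0]] += f[5]
    return [totals[m] for m in sorted(totals)]

def threshold_alerts(series, limit):
    """Static threshold: minutes whose volume exceeds a fixed byte limit."""
    return [m for m, b in enumerate(series) if b > limit]

def baseline_alerts(series, train, z=3.0):
    """Baseline: learn mean and std dev from the first `train` minutes,
    then flag later minutes more than z standard deviations above the mean."""
    mu, sigma = mean(series[:train]), pstdev(series[:train])
    return [m for m in range(train, len(series)) if series[m] > mu + z * sigma]
```

With the constructed data, both the static threshold and the learned baseline flag minute 4, and drilling down into that minute by host shows which source is responsible.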

Hopefully this overview will help you make your choice faster and more comfortably.

 

Good luck searching for a powerful NetFlow Analyzer that will cover all your needs in the best possible way!