Flow, or commonly referred to as NetFlow, collectors play a pivotal role in network management, providing insights into traffic patterns, performance metrics, and security threats. However, not all flow collectors are created equal. Choosing the right one for your organization requires careful consideration of various features and functionalities. In this blog post, we'll explore the top features to look for in a flow collector to ensure that you're making an informed decision.
If you’d like to learn more about what flow data is and what it can reveal to you about network performance and security read our blog post “Explaining Network Flow Data - the Foundation of Network Observability”.
1. Scalability
A robust flow collector should be capable of handling the scalability demands of your network. It should efficiently process, store, and retrieve large volumes of flow data without compromising performance. Look for a collector that offers horizontal scalability, allowing you to seamlessly and cost efficiently (hardware) expand your infrastructure as your network grows.
What to ask:
Does the product utilize a data platform that was built from the ground up for extremely high data rates?
Were data resiliency, clustering, fault tolerance, and simple horizontal scalability part of the original data platform specifications?
Does your product allow multiple people to simultaneously search all network traffic with results returned in seconds?
What are the hardware requirements to collect flows from my network?
2. Sampled or Unsampled Collection
Many vendors who offer flow collectors sample the data they collect. While this may reduce storage costs, the fidelity is lost. Sampling strategies that collect flow every N seconds or minutes can miss spikes in network activity and, importantly, not retain critical data that may be important for security investigations.
What to ask:
Can the solution collect unsampled data and, if so, how will that impact costs or performance?
What solutions do you offer to optimize the storage of collected data?
What do you offer to make the collection and storage of unsampled data more efficient?
Does your product offer simple data lifecycle management?
3. Real-time Monitoring
Real-time monitoring capabilities are essential for detecting and responding to network issues promptly. The ideal flow collector should provide real-time visibility into network traffic, enabling you to identify anomalies, monitor bandwidth utilization, and troubleshoot performance issues in real-time.
What to ask:
Can your product provide up to the minute flow analysis data?
How long does the solution take to compile historical reports?
4. Comprehensive Data Analysis
Look for a flow collector that offers advanced data analysis features. It should support customizable dashboards, reports, and analytics tools to help you gain actionable insights from your flow data. Features like traffic visualization, top talkers analysis, and historical trend analysis can provide valuable insights into network behavior and performance.
What to ask:
Does your product come with dozens of out of the box dashboards supporting network engineering, security options, application performance use cases?
Does your product understand client / server relationships, TCP sessions, and map traffic to third party IDS events?
Are dashboards endlessly customizable?
Can just about anyone modify, clone, create, and share dashboards and create completely custom dashboards, from the ground up, all with no coding?
5. Security Features
Security is a top priority for any organization, and your flow collector should support robust security features to protect your network infrastructure. Ensure that the collector offers features like anomaly detection, threat intelligence integration, and integration with security information and event management (SIEM) systems to detect and mitigate security threats effectively.
What to ask:
Does your product come out of the box with zero configuration network anomaly detection?
Is flow enriched with IP reputation data?
Can flow data be easily sent to SIEMs or data lakes?
Does your product run in a high security and / or air-gapped environment?
6. Compatibility
It's essential to choose a flow collector that is compatible with your existing network infrastructure and devices. Look for a collector that supports a wide range of network devices, protocols, and flow versions to ensure seamless integration and compatibility with your network environment.
What to ask:
Can your product ingest, process, and normalize virtually any netflow / sflow / IPFIX flavor?
Does your product have out of the box support for most vendor specific flow fields?
Are never seen before flow sources handled automatically without requiring product configuration?
7. Flexibility and Customization
Every organization has unique requirements and workflows, so it's crucial to choose a flow collector that offers flexibility and customization options. Look for a collector that allows you to customize dashboards, reports, and alerts according to your specific needs. The ability to create custom filters, thresholds, and alerts can significantly enhance the effectiveness of your network monitoring and management efforts.
What to ask:
Does your product allow drag and drop dashboarding, reporting, and alerting, including wizard-driven machine learning job creation?
Can I enrich my flow data with any user defined metadata such as business unit, customer, geo, or anything?
How easy is it to query data via API or place a visualization in an in-house NOC dashboard?
8. Data ownership and management
They say data is what makes the information economy go ‘round. So, before you start storing valuable network traffic details in a third party platform, ensure that rigorous controls are in place and that your data is not going to be held hostage.
What to ask:
How can I be assured that my information is safe from prying eyes?
Can I take my own backup of my data?
Can I export or stream my flow data to other platforms for further analysis?
Is there an extra cost for access to my data in this way?
9. Ease of Deployment and Management
Deploying and managing a flow collector should be straightforward and hassle-free. Look for a collector that offers easy deployment options, intuitive user interfaces, and centralized management capabilities. Features like auto-discovery of network devices, automated configuration, and centralized policy management can streamline the deployment and management process.
What to ask:
If the product is self hosted, can it be deployed in 30 minutes or less?
Is it available as a stand alone virtual appliance?
What measures have been taken to streamline the deployment process?0
10. Integration Capabilities
Integration with other network management and security tools is essential for maximizing the value of your flow data. Look for a collector that offers seamless integration with third-party tools and platforms, such as SIEM systems, network performance monitoring tools, and ticketing systems. Integration capabilities ensure that your flow collector can easily integrate into your existing workflows and processes.
What to ask:
Does the flow analysis platform come with 100s of out of the box integrations?
How easy is it to correlate flow data with logs from another system?
Can I place widgets from disparate sources on one dashboard?
And finally…
Choosing the right flow collector is crucial for effective network monitoring, management, and security. By considering the key features mentioned above, you can select a collector that meets your organization's needs and helps you unlock the full potential of your flow data. Remember to evaluate each feature carefully and prioritize the ones that align with your specific requirements and objectives. When evaluated against these features, we believe ElastiFlow comes out on top, but try it for yourself - we offer a free trial!