Systems and Security : Operations and Incident Response
1.3 Given an incident, utilize appropriate data sources to support an investigation.
NetFlow/sFlow
NetFlow and sFlow are network monitoring technologies used to collect, analyze, and visualize network traffic data. The following are some key differences between them, together with IPFIX, the standardized successor to NetFlow:
NetFlow: NetFlow is a proprietary technology developed by Cisco Systems. It collects information about IP traffic flows, including source and destination IP addresses, port numbers, protocols, and packet and byte counts. This information can be used for network traffic analysis, capacity planning, and security investigations.
sFlow: sFlow is an open standard for network monitoring, used to monitor the performance and utilization of network devices. sFlow collects information about network traffic, including source and destination IP addresses, port numbers, protocols, and packet and byte counts, as well as information about network performance, such as utilization, errors, and discards.
IPFIX: IPFIX is a standardized technology used to collect and export flow data, including information about IP traffic flows and network performance. IPFIX is an evolution of NetFlow, and it provides more flexible and scalable flow collection and export capabilities than NetFlow.
In incident response and investigations, NetFlow, sFlow, and IPFIX data can be used to track and identify the source and destination of network traffic, as well as to perform network traffic analysis and security investigations. For example, flow data can be used to identify unusual or suspicious network activity, such as an increase in network traffic from a particular IP address, or an increase in network traffic using a specific protocol.
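The detection idea just described (a rise in traffic from one source address, or in one protocol, compared with what is normal) as an added example that is not part of the original notes: a Python check over constructed flow records of the kind a NetFlow/IPFIX/sFlow collector exports for one interval. The addresses, byte counts and baselines are hypothetical.

```python
from collections import defaultdict

# Constructed sample flow records for one collection interval (hypothetical
# addresses from documentation ranges). Real exports carry more fields.
FIELDS = ("src", "dst", "proto", "dport", "packets", "bytes")
FLOWS = [dict(zip(FIELDS, r)) for r in [
    ("10.0.0.5",  "203.0.113.10", "tcp", 443, 40,  52_000),
    ("10.0.0.5",  "203.0.113.11", "tcp", 443, 38,  49_000),
    ("10.0.0.7",  "198.51.100.4", "tcp", 22,  600, 9_800_000),  # unusually large
    ("10.0.0.7",  "198.51.100.4", "tcp", 22,  580, 9_500_000),  # unusually large
    ("10.0.0.9",  "203.0.113.12", "udp", 53,  3,   310),
    ("10.0.0.9",  "203.0.113.12", "udp", 53,  4,   420),
    ("10.0.0.9",  "203.0.113.12", "udp", 53,  5,   500),
    ("10.0.0.23", "203.0.113.12", "udp", 123, 1,   76),         # never seen before
]]

# Constructed per-interval baselines (bytes) learned from earlier known-good intervals.
BASELINE_BY_SRC = {"10.0.0.5": 100_000, "10.0.0.7": 200_000, "10.0.0.9": 5_000}
BASELINE_BY_PROTO = {"tcp": 500_000, "udp": 100_000}


def totals_by(flows, key, field="bytes"):
    """Sum one counter field (bytes or packets) per distinct value of key."""
    acc = defaultdict(int)
    for f in flows:
        acc[f[key]] += f[field]
    return dict(acc)


def flag_increases(current, baseline, factor=3.0):
    """Return {key: ratio} for keys whose current total is at least factor times
    the baseline. A key with no baseline is reported with ratio None so that a
    never-before-seen source or protocol is not silently ignored."""
    flagged = {}
    for key, total in current.items():
        base = baseline.get(key)
        if not base:
            flagged[key] = None
        elif total >= factor * base:
            flagged[key] = round(total / base, 1)
    return flagged


def investigate(flows, factor=3.0):
    """Run the per-source and per-protocol checks and return both findings."""
    return {"by_src": flag_increases(totals_by(flows, "src"), BASELINE_BY_SRC, factor),
            "by_proto": flag_increases(totals_by(flows, "proto"), BASELINE_BY_PROTO, factor)}


if __name__ == "__main__":
    for scope, hits in investigate(FLOWS).items():
        for key, ratio in hits.items():
            print(f"{scope}: {key} -> {'no baseline' if ratio is None else f'{ratio}x baseline'}")
```

A flagged entry is a lead to pull the matching full-packet capture or host logs for, not a verdict on its own.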