3. Choosing a Method of Traffic Monitoring

Wanguard Sensor is the product name for a Sensor licensed with a Wanguard license (which activates all features). Wansight Sensor is a Sensor licensed with a Wansight license (which lacks the features related to DDoS detection and mitigation).

The term Sensor describes four software components that share a common feature set but differ in the way they obtain traffic information:

Flow Sensor analyzes NetFlow® (jFlow, NetStream, cflowd), sFlow® and IPFIX flow packets.

Many routers and switches can collect IP traffic statistics and periodically send them as flow records to a Flow Sensor. Because the flow protocol already pre-aggregates traffic data, the flow data sent to Flow Sensor is much smaller than the monitored traffic, making Flow Sensor a good option for monitoring remote or high-traffic networks. The main downside of flow-based traffic analysis is that pre-aggregating traffic data adds a delay of at least 30 seconds (the exporter's flow aging time) before real-time traffic statistics become visible.

Packet Sensor analyzes IP packets. It can run on Linux servers deployed in-line (in the main data path) or connected to a mirrored port or TAP.

In switched networks, only the packets for a specific device reach the device’s network card. If the server running a Packet Sensor is not deployed in-line in the main data path, then a network TAP or a switch or router that offers a “monitoring port” or “mirroring port” must be used. In this case, the network device sends copies of data packets traveling through selected ports or VLANs to the monitoring port. Packet Sensor inspects every packet it receives and conducts packet-based traffic analysis.

SNMP Sensor monitors the bandwidth usage of routers and switches on a port-by-port basis via the SNMP Protocol.

When this technology is used, an SNMP Sensor periodically queries the device (e.g., router, switch, server) for the traffic counters of each port using small request packets, which trigger equally small reply packets from the device. Compared to other bandwidth monitoring technologies, SNMP is very basic and offers no IP-specific information, but it creates the least CPU and network load.
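The arithmetic behind SNMP bandwidth polling is where the method's accuracy is decided: a reading is the difference between two counter values divided by the time between polls, and that difference is only meaningful if the counter has not wrapped more than once and the device has not rebooted in between. The following poller, written for this page as an illustration and not part of Wanguard or Wansight, works on constructed samples rather than doing real SNMP I/O (a real implementation would fetch sysUpTime.0 together with ifInOctets or ifHCInOctets). The interface index, link speed and counter values are assumptions made for the example.

```python
"""Turn SNMP interface octet counters into a bandwidth reading the way an
SNMP poller has to: take the difference between two polls modulo the counter
width, discard pairs that straddle a device reboot, and check that the poll
interval is short enough for the counter not to wrap more than once.
Added example on constructed samples; it is not Wanguard/Wansight code and
does no real SNMP I/O."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Sample:
    sys_uptime_ticks: int   # sysUpTime.0, hundredths of a second since boot
    octets: int             # ifInOctets (32-bit) or ifHCInOctets (64-bit)


def counter_delta(prev: int, cur: int, bits: int) -> int:
    """Modular difference: a single wrap between the two polls is recovered."""
    return (cur - prev) % (1 << bits)


def wrap_time_s(bits: int, link_bps: float) -> float:
    """Seconds a counter of this width lasts at full line rate."""
    return (1 << bits) * 8 / link_bps


def rate_bps(prev: Sample, cur: Sample, bits: int) -> Optional[float]:
    """Average bits/s between two polls, or None when the samples are not
    comparable: sysUpTime went backwards, so the device rebooted and the
    counters restarted from zero (a counter discontinuity in RFC 2863 terms)."""
    if cur.sys_uptime_ticks <= prev.sys_uptime_ticks:
        return None
    elapsed_s = (cur.sys_uptime_ticks - prev.sys_uptime_ticks) / 100
    return counter_delta(prev.octets, cur.octets, bits) * 8 / elapsed_s


class InterfacePoller:
    """Keeps the previous sample per ifIndex and turns each new poll into a rate."""

    def __init__(self, link_bps: float, counter_bits: int, poll_interval_s: float):
        self.link_bps = link_bps
        self.counter_bits = counter_bits
        self.poll_interval_s = poll_interval_s
        self._last: dict = {}

    def interval_is_safe(self) -> bool:
        """False if a saturated link could wrap the counter twice between polls,
        which makes the modular delta ambiguous and silently under-reports."""
        return self.poll_interval_s < wrap_time_s(self.counter_bits, self.link_bps)

    def ingest(self, ifindex: int, sample: Sample) -> Optional[float]:
        prev = self._last.get(ifindex)
        self._last[ifindex] = sample
        return None if prev is None else rate_bps(prev, sample, self.counter_bits)


if __name__ == "__main__":
    # Constructed polls (assumed values) of a 1 GbE port exposing only 32-bit ifInOctets.
    poller = InterfacePoller(link_bps=1e9, counter_bits=32, poll_interval_s=60)
    print("60 s polling safe for 32-bit counters at 1 GbE:", poller.interval_is_safe())
    print(poller.ingest(3, Sample(1_000, 4_294_000_000)))   # first poll: None
    print(poller.ingest(3, Sample(7_000, 3_000_000)))       # wrapped once: ~529 kbit/s
    print(poller.ingest(3, Sample(500, 120_000)))           # uptime reset: None
```

The check in interval_is_safe is the one worth keeping in mind when comparing SNMP against flow or packet data: a 32-bit octet counter wraps in about 34 seconds at 1 Gbit/s, so a 60-second poll of such a counter on a busy link can miss a full wrap and report far less traffic than actually passed, which is exactly the kind of discrepancy the text suggests using SNMP to cross-check.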

Sensor Cluster aggregates pre-existing Sensor traffic data into a single, unified anomaly detection and IP graphing domain.

Sensor Cluster sums up the traffic data collected by Packet Sensor, Flow Sensor, and SNMP Sensor interfaces. It performs the same tasks as the other Sensors (IP graphing, IP accounting, anomaly detection, etc.).

You can deploy Flow Sensor(s) and Packet Sensor(s) simultaneously for redundancy, high availability, and to view packet dumps and flow data.

3.1. Comparison between Packet Sniffing, Flow Monitoring, and SNMP Polling

Traffic Monitoring Technology
  Packet Sensor: sniffing packets passing an in-line appliance; port mirroring (SPAN, Roving Analysis Port); network TAP
  Flow Sensor: NetFlow version 5, 7 and 9 (jFlow, NetStream, cflowd); sFlow version 4 and 5; IPFIX
  SNMP Sensor: SNMP version 1, 2c and 3

Maximum Traffic Capacity per Sensor
  Packet Sensor: 100 GigE
  Flow Sensor: multiples of 100 Gbps
  SNMP Sensor: multiples of 100 Gbps

DDoS Detection Time
  Packet Sensor: ≤ 1 second
  Flow Sensor: ≥ flow aging time (usually ≥ 30 seconds) + 5 seconds
  SNMP Sensor: ≥ 5 seconds

IP Graph Granularity
  Packet Sensor: ≥ 5 seconds
  Flow Sensor: ≥ 20 seconds
  SNMP Sensor: N/A (SNMP offers no details about IPs)

Traffic Validation Options
  Packet Sensor: IP classes, MAC addresses, VLANs, BPF
  Flow Sensor: IP classes, interfaces, AS numbers, ingress/egress
  SNMP Sensor: interfaces

Packet Dumps
  Packet Sensor: Yes
  Flow Sensor: No
  SNMP Sensor: No

Flow Collector
  Packet Sensor: No
  Flow Sensor: Yes
  SNMP Sensor: No

Packet Sensor is recommended when the speed of detecting attacks is critical or when there is a need for capturing raw packets for forensics and troubleshooting. Because every packet entering the network is inspected, Packet Sensor needs to run on powerful servers.

Flow Sensor analyzes pre-aggregated traffic information sent by routers and switches, so it can monitor traffic passing through multiple 10/40/100 GbE interfaces even when it runs on a low-end server. On the other hand, Flow Sensor has a few disadvantages:

✘ It is slower at processing real-time traffic information. Flow exporters aggregate traffic data over time, so traffic becomes visible only after a delay, called flow aging, that usually exceeds 30 seconds.
✘ It provides slightly less accurate traffic readings when the exporter samples packets or flows, because the counters are then estimates scaled up from a subset of the traffic.
✘ Enabling the flow exporter functionality may increase the CPU load on the network device if flow collection is not performed in hardware.
✘ Flows can be dropped if a powerful spoofed DDoS attack fills the flow cache (TCAM) of the network device, since every spoofed source address creates a new flow entry.

SNMP Sensor is useful only for monitoring devices that cannot export flows or mirror packets, or for comparing flow-derived and SNMP-derived statistics in order to confirm the flow data's accuracy.
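To make the flow aging delay and the sampling scale-up from the Flow Sensor description and the disadvantage list above concrete, here is a decoder for a NetFlow v5 export datagram, written for this page as an added illustration and not part of Wanguard or Wansight. It reads the 24-byte header and 48-byte records defined by the v5 format, computes how long each flow sat in the exporter's cache after its last packet before being exported, multiplies packet and byte counts by the sampling interval carried in the header, and runs a minimal SYN-rate pass over the result. The datagram it decodes is constructed in the block; the addresses, uptime values and counters are assumptions chosen for the example, not captured data.

```python
"""Decode a NetFlow v5 export datagram and pull out the figures the text is
about: how long the flow lived in the exporter's cache before it was sent
(the flow-aging delay), and the scale-up needed when the exporter samples.
Added example on a constructed datagram; it is not Wanguard/Wansight code."""
import ipaddress
import struct

# NetFlow v5 wire format: 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram: bytes) -> dict:
    """Return the header fields plus one dict per flow record, with byte and
    packet counts already multiplied by the exporter's sampling interval."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: fewer records than header count")
    # Sampling field: top 2 bits are the mode, low 14 bits the interval (1:N).
    sample_mode, sample_interval = sampling >> 14, sampling & 0x3FFF
    scale = sample_interval if sample_mode and sample_interval else 1
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, src_as, dst_as,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "sport": sport, "dport": dport,
            "tcp_flags": tcp_flags, "in_if": in_if, "out_if": out_if,
            "src_as": src_as, "dst_as": dst_as,
            "packets": pkts * scale,
            "bytes": octets * scale,
            # First/Last are exporter uptime in ms; the mask handles uptime wrap.
            "duration_ms": (last - first) & 0xFFFFFFFF,
            # How stale the record already is when it leaves the exporter.
            "export_delay_ms": (sys_uptime - last) & 0xFFFFFFFF,
        })
    return {"sequence": flow_seq, "unix_secs": unix_secs,
            "engine": (engine_type, engine_id), "sampling_rate": scale,
            "flows": flows}


def syn_packets_per_second_by_dst(flows: list) -> dict:
    """Minimal detection pass over decoded flows: sum SYN-only TCP packets per
    destination and express them as packets per second of flow lifetime."""
    rates = {}
    for f in flows:
        syn_only = f["proto"] == 6 and f["tcp_flags"] & 0x02 and not f["tcp_flags"] & 0x10
        if not syn_only:
            continue
        seconds = max(f["duration_ms"], 1) / 1000   # single-packet flows have duration 0
        rates[f["dst"]] = rates.get(f["dst"], 0.0) + f["packets"] / seconds
    return rates


def build_sample_export() -> bytes:
    """Constructed datagram (assumed values, not captured from a real exporter):
    uptime 90 s, 1:1000 packet sampling, two flows whose last packet was seen at
    60 s and which aged out of the cache 30 s later."""
    def record(src, dst, pkts, octets, first, last, sport, dport, flags, proto):
        return V5_RECORD.pack(
            int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)), 0,
            1, 2, pkts, octets, first, last, sport, dport, 0, flags, proto, 0,
            64500, 64501, 24, 24, 0)
    header = V5_HEADER.pack(5, 2, 90_000, 1_700_000_000, 0, 4242, 0, 0,
                            (1 << 14) | 1000)
    return header + b"".join([
        # sampled HTTPS response: 4 packets / 6000 bytes seen, PSH+ACK
        record("198.51.100.7", "203.0.113.10", 4, 6000, 10_000, 60_000,
               443, 51234, 0x18, 6),
        # sampled SYN-only traffic to one host over 1 s: 2000 packets seen
        record("192.0.2.9", "203.0.113.10", 2000, 80_000, 59_000, 60_000,
               40000, 80, 0x02, 6),
    ])


if __name__ == "__main__":
    export = parse_netflow_v5(build_sample_export())
    for f in export["flows"]:
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"pkts={f['packets']} bytes={f['bytes']} age={f['duration_ms']} ms, "
              f"exported {f['export_delay_ms']} ms after last packet")
    print("SYN pps by destination:", syn_packets_per_second_by_dst(export["flows"]))
```

Two things the decoded output makes visible that the prose only states: the export_delay_ms of 30 000 is the flow aging time, the floor under the detection times in the comparison above, and the packet count of 2 000 000 is an estimate reconstructed from 2 000 sampled packets, which is why sampled flow readings are less precise than a Packet Sensor's per-packet counts.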