Free Trial: ThreatEye NV - Enterprise Threat Detection and Encrypted Traffic Analysis Try It Free

What is IPFIX?

Flow monitoring has become an important tool for organizations in monitoring network health. Nevertheless, these protocols and technologies were not created equal. Network administrators were often forced to utilize products that were rigid and could not meet their unique needs—which is precisely why organizations needed an open solution. IP Flow Information eXport (IPFIX) is a protocol that gives organizations a common standard for the analysis of flow data for network optimization and troubleshooting.

What is IPFIX?

IPFIX was developed by the Internet Engineering Task Force (IETF) in 2013. The standard was based on Cisco’s NetFlow version 9—but vendors wanted to push away from Cisco-driven standards and the rigidity of NetFlow. The IETF wanted to create a more open flow gathering environment.

This led to the development of the IP Flow Information eXport. IETF designed IPFIX with similar features to NetFlow, as well as new features and additional extensibility. This modern standard defines what information (information elements) are collected, how it is formatted (encoded), and transmitted to a collector. IPFIX has given vendors flexibility to provide additional detail or metadata associated with network traffic from their observation point in an organization’s infrastructure.

Why is IPFIX Important?

Flow information plays a critical role in network security. For many organizations, IPFIX is a NetFlow upgrade that increases flexibility and customization. IT teams can utilize IPFIX to tailor their flow-gathering process for their unique needs, and IPFIX ensures that data sent to a collector is standardized for further segmentation, analysis, and logging. IT teams will increase visibility into network traffic data for a more robust security solution when using IPFIX.

IPFIX provides data on which devices communicate with one another, when they communicated, for how long, and how many times they have communicated. This underlying data on network traffic and communication helps analyze traffic, troubleshoot network problems, and identify cyberattacks. Some research estimates that IPFIX can handle up to 95% of network incidents.

How Does IPFIX Work?

IP Flow Information eXport works similarly to other flow monitoring methodologies. Generally, IPFIX protocols have these functions:

  • A template of information elements is defined on the exporter. Check with your vendors to see what vendor specific elements they support
  • A template record is exported to a collector, notifying the collector what information elements will be arriving. The collector will need to know this in order to decode them properly. NOTE: not all flow collectors support all IPFIX elements from vendors
  • Once the template is collected and processed, a flow collector is able to accept all of the IPFIX records
  • IPFIX information elements are converted text and numeric formats
  • Data is stored in appropriate data structures for accessibility and retention
  • Users are able to filter, aggregate, and report on the data

These tasks are accomplished by exporters, collectors, and analyzers. IPFIX is used to summarize data packets from the network to track IP actions that take place. The summary of data packets is metered appropriately as an active (long-lived flow) or an inactive flow. IPFIX metering is configurable by exporters and messages are sent to a collector when metering thresholds are met. The analyzer subsequently converts the data into graphical and visual representations to facilitate better decision making.

Exporters can send information to multiple collectors, and collectors can receive information from an unlimited number of exporters. These protocols are flexible and customizable to ensure that your IT team is collecting and analyzing the data necessary to better understand network behavior.

IPFIX Benefits and Applications

IP Flow Information eXport improves network security and infrastructure in a number of ways. Organizations will enjoy the following benefits:

Customizability
Tired of the rigidity of NetFlow, IPFIX was designed with flexibility in mind. The openness of the IETF standard means that IPFIX benefits from the collective internet working together on this standard. IPFIX supports the same 79 field types as NetFlow version 9, but it goes above and beyond to support almost 500 elements.

Unlike NetFlow, IPFIX allows for variable length fields, which makes it easier to transmit information that varies frequently. This is especially useful for certain types of data, like messages or HTTP hosts. Vendor ID can also be specified, which allows vendors to create proprietary information to export any data they need to. Some vendors are capable of exporting hundreds of unique elements. This flexibility allows users to monitor almost any type of flow data.

The customizability of the IPFIX standard is important as your network evolves. The flexibility in the fields that are included in record definitions enable specific functions. Network administrators are able to export data fields from the selected device that correspond to the issue being solved. This functionality is imperative as your network grows, particularly in terms of volume and complexity.

Network Data, Security, and Alerts
IPFIX gives IT teams a number of tools that are utilized to improve their network. Network administrators can identify users and applications that are consuming the most bandwidth, for example, which means teams can take appropriate action to reduce bandwidth usage. IPFIX alerts allow your team to identify potential issues before the issues take your network down. Alerting functions give teams notifications as to when traffic volumes are about to overwhelm the network.

IPFIX allows organizations to detect security threats like DDoS attacks and worm spreading. These attacks can be identified by studying network traffic metrics, such as traffic volume or the number of active flows at a specific time. Network administrators can also identify which link a user clicked on before becoming infected with malware.

Sharing Information
Having a standardized language with which to communicate facilitates collaboration within not only your organization, but outside organizations as well. Organizations have found it beneficial to share cybersecurity information with one another, and IPFIX can be used to exchange or receive information about incidents and anomalous traffic within other organizations. Your IT team will be able to use this information to track hackers or classify cyber attacks.

Network infrastructure is key to the operation of most organizations these days. Any downtime impacts business operations and must be prevented. That’s where IPFIX comes in: IPFIX-based flow reporting helps network administrators take control of their network.

Here at LiveAction we provide our clients with NetFlow Analyzer, which gives you access to both NetFlow and IPFIX. Clients can easily shift from NetFlow analysis to packet analysis in a single platform. If you’re interested in learning more about LiveAction network monitoring solutions, reach out to our team to schedule a demo today!