Page 427 - Handbook of Modern Telecommunications
3-218 CRC Handbook of Modern Telecommunications, Second Edition
that flow-based statistics may be collected and presented using one collection station for up to 500 router/
switch interfaces. Probe vendors usually work with one probe for up to 16 router/switch interfaces.
The most prominent management software vendor for sFlow is InMon. The most prominent hardware
vendor supporting sFlow is Foundry in cooperation with Hewlett-Packard. NetFlow is implemented
and maintained by Cisco.
The IP Flow Information Export (IPFIX) protocol is a template-based flow reporting method that
supports flow aggregation, quality of service (QoS), Border Gateway Protocol (BGP) next hop, VLANs,
multicast, network address translation (NAT), Multiprotocol Label Switching (MPLS), and IPv6 among
others. The Internet Engineering Task Force (IETF) is getting closer to ratifying IPFIX as a new standard
for flow reporting. This standardization process is strongly supported and driven by Cisco, because
IPFIX is based on a recent NetFlow version.
The biggest challenge with all flow-based solutions is reporting, assuming that data can be collected
without impacting performance. For lawful intercepts, it will be key to find the right data reduction and
information reporting solutions.
Although the IETF sFlow draft standard has been available for some time, few vendors have implemented
it. But as network traffic speeds grow to Gigabit and to 10 G in some infrastructures, sFlow will become a
more important technology for tracking network performance and providing network security.
sFlow is a technology that uses random sampling of LAN and WAN data packet flows across an
entire network to give users a detailed, real-time view of network traffic performance, trends, and
problems. sFlow is deployed through network management information bases (MIBs)—either hardware- or
software-based agents—running on the actual switches and routers in the network. This allows for a
broader picture of network performance. sFlow backers say that monitoring happens on every port
of every sFlow-enabled switch, rather than on just the port or segment to which a probe is attached.
Proponents of sFlow say that the technology allows for more widespread network monitoring because
mirroring every port would be difficult and expensive for both network staff and LAN bandwidth. Up to
half a switch or router would have to be dedicated to port mirroring to achieve this (Hochmuth 2004).
Figure 3.8.9 shows the principal components of sFlow solutions. The most important functions are:
1. Switches with sFlow agents take random samples of traffic from all ports on the switch.
2. Sample data is sent to an sFlow collection server, where the sFlow samples from across the network
are processed.
3. Management workstations can tap the sFlow server to view an overall picture.
Instead of capturing and logging every packet on a switch or router port, sFlow MIBs take random
samples of packets traveling through ports. These so-called sFlow datagrams are forwarded to an sFlow
collection server on a network—a DCN or the production network of the service provider. On this box
the datagrams are run through an algorithm that generates a complete model of network traffic based
on the sampled data. The technology behind sFlow was developed jointly by engineers at InMon, a
manufacturer of switch monitoring software, and developers at HP and Foundry Networks. Support of
sFlow is included in products such as HP OpenView, nGenius Performance Manager from NetScout,
and Traffic Server from InMon.
In addition to providing real-time snapshots of network performance, sFlow can be used as a network
security tool. An example is the detection of unauthorized network devices acting as network address
translation (NAT) boxes, such as a commodity NAT-enabled wireless router. While NAT
devices attached to a network might appear as legitimate end nodes, they could serve as backdoors,
allowing access to unauthorized connections from wired or wireless users. Because sFlow samples
traffic from every port in a network, sFlow data analyzers can identify nodes that are acting as NAT devices
on a network by comparing subnet data among switches/routers and NAT devices.
Lawful intercept requires more than sFlow-based techniques may provide. But, in particular for
strategic surveillance, statistical techniques are very useful. Based on suspicious traffic flows, on-the-fly