[unisog] Cisco netflow and argus (was registering servers)

John Kristoff jtk at depaul.edu
Mon Jul 31 15:08:00 GMT 2006

On Mon, 31 Jul 2006 10:24:04 +1000
Rudolph Pereira <rudolph at usyd.edu.au> wrote:

> Does anyone have pointers to papers or other concrete descriptions of
> problems with netflow on cisco routers making them useless (ok: less
> useful) for security incident investigation and/or accounting/traffic
> analysis? We're having more problems with them as time goes on, and I
> suspect that netflow is more and more likely to become a second-class 
> citizen on cisco platforms and would like some data to backup a case
> for abandoning it altogether in favour of something like argus.

Can you describe what you mean by "more problems"?  NetFlow is wildly
popular, and has been increasingly so over the last 6 or so years.  So
much in fact that at least one company, Arbor Networks, has been doing
quite well selling a security-oriented product around the feature.

In my experience, network-oriented people tend to use NetFlow, security
people\ want Argus or something that can "see the entire packet".  They
each have their strengths and weaknesses.  Why not leverage that and
use both?  Many people do.  It will also give you some verification
that you seem to be asking for.  A basic NetFlow monitoring system is
relatively cheap to run so I'd advise against getting rid of it if you
already have something running.


More information about the unisog mailing list