AppNeta vs. NetFlow: App Identification Without the Overhead
by May 24, 2017

Filed under: Networking Technology

Getting a full picture of applications in use on the network is essential for IT teams today. In the past, NetFlow functionality has been used to see apps in use. NetFlow, and similar technologies like sFlow and jFlow, is typically a router feature that looks at the traffic that’s been sent and received, and then sends a summary of the data to a server for analysis.

We at AppNeta have an approach for understanding the applications in use on your network, the users running those applications and their experience that differs from traditional NetFlow tools in some critical ways. Here’s how we tackle the app visibility problem in a better, more modern way.

1. Application Identification

Since the vast majority of newly deployed applications and services are web-based, IT teams will need an advanced application identification engine. The problem with traditional NetFlow tools is that they are limited by the application identification capabilities of the network devices generating the NetFlow records. Hardware vendors have made an attempt at creating application identification engines like Cisco NBAR2, but it is clearly not their focus. Those engines are effectively adding overhead on both the operation of the devices and the teams building the devices.

While the AppNeta Performance Manager can receive NetFlow records, the vast majority of deployments connect our hardware or virtual monitoring points to network spans or place hardware appliances inline when a span is not available. This gives us direct access to analyze the packets on the wire and use an industry-leading deep packet inspection engine to identify the applications in use. We identify more than 1,500 applications and provide a per-user, per-application view of the volume of app usage and what users experience with the app. It all happens without slowing down the original network traffic.

All applications are grouped by category and classification, enabling easy alerts such as “Notify me if 5% of my network traffic is social media.” The rule will stay up to date even if the social media sites in use change.

2. Custom Application Support

There will always be applications that are custom to your environment and are not identified automatically by our deep packet inspection engine. You can easily add them as custom applications so that they are tracked, reported and alerted upon properly. Critical to custom application creation is the ability to easily create the apps based on the web domain for HTTP and HTTPS traffic, as well as to correctly associate web contents delivered by CDNs with the website that originally requested them.

3. User Identification

By default, the AppNeta Performance Manager will integrate with local DHCP and DNS systems to resolve the hostnames of local systems and store that data over time. If you are looking at usage data from last month, you’ll be using the DHCP resolutions from that same time range. AppNeta has gone even further by integrating with Active Directory. That lets us identify the users currently logged into that host, so you can put a name to the usage of any app.

4. Efficient and Secure Data Transport

The architecture of the AppNeta Performance Manager uses physical or virtual Monitoring Points at customer locations. These analyze network traffic in memory and upload usage data back to our public cloud or private cloud hosted service via secure, compressed tunnels. This reduces the typical 5% overhead of NetFlow to about 0.5 or 1%, lessening the impact on your WAN, while also securing this very sensitive data which is normally sent without protection.

5. Packet Capture Support

AppNeta lets you perform remote packet captures from all Monitoring Points and securely transmit them for analysis, either in Wireshark or your packet analysis tool of choice. Both on-demand and scheduled packet captures can be performed using Wireshark syntax for filtering. All captures are encrypted with FIPS 140-2 compliant encryption so that they are protected in transit and at rest. Our cloud-hosted service enables unlimited packet captures up to 2GB in size, which are retained for one year.

6. Data Retention

NetFlow data is big. For every 1GB of network traffic, there will be 50MB of NetFlow records generated. On 10Gbps networks, the traffic rate can overrun the available storage for traditional NetFlow tools in a number of hours. This is not an issue for AppNeta customers. Our cloud-hosted service provides 90 days of history for all locations, even 10Gbps networks. AppNeta’s big data architecture also enables reporting and analysis of hundreds of terabytes of data within seconds.

When we think about NetFlow, we consider the ways AppNeta can achieve what NetFlow was originally designed for without the high overhead and potential pitfalls. Our features and methods will get you better analytics data in a more secure, lower impact way.