
Cubro Network Visibility commissioned Tolly, a leading global provider of third-party validation services for vendors of IT products, components and services, to evaluate the usability, storage efficiency and approach to data structure used in Custos. Tests were run by evaluating a live network simultaneously using Cubro Custos and legacy NetFlow/IP Flow Information Export (IPFIX) files.

Tests showed that the Custos 3D-style user interface provided insightful, immediately actionable network information, stored network data significantly more efficiently than NetFlow/IPFIX, and implemented a human-oriented data structure that could be easily integrated into 3rd-party systems.

Key takeaways of Tolly Report

  1. Powerful and intuitive network monitoring
  2. Time-Window Aggregation (TWA) that dramatically reduces file size for network transfer and storage
  3. Highly optimizable using a custom collection window
  4. Data structure designed with human-readability in mind
  5. Discovery and visualisation of network devices, services & traffic

Time Window Based Monitoring Vs NetFlow (IPFIX)

Time-series data is compiled from data points collected over a specified time interval, the time window. Cubro employs a customizable time window, often 1 or 5 minutes. During the given time window, events are combined (time-window aggregation) into a record that consists of a collection of packet, client, location and application information. Time-window-based processing has a compression ratio of 1:30 (1 minute) to 1:60 (5 minutes) and retains all important information while discarding redundant data.

The same data point may be collected numerous times over the time-window interval, but it results in only a single entry in the aggregated record. Getting the same level of data resolution from NetFlow would require unsampled flow records. In this case one flow record is produced per packet analyzed. This produces a constant traffic stream to transport flow records to a collector, where they are stored, processed, and analyzed.

The main issue is that these records contain a lot of redundant data that a time-window-based method would have aggregated at the outset. Ironically, flow data is often aggregated in some way during analysis to produce useful output, but only after a larger data volume has been transported and stored. Flow data can be sampled to reduce the overall output volume; however, this comes at the cost of losing much of the resolution necessary for monitoring and security applications, which limits its usefulness.
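The contrast described above, as an added sketch that is not Cubro's code and does not reproduce the Custos record format: per-packet events are collapsed into one record per window and conversation, then compared with 1-in-N sampling of the same events. Field names, addresses and traffic are constructed, and the reduction it prints depends entirely on that constructed traffic mix.

```python
# Added illustration; field names and traffic are constructed, not the Custos format.
WINDOW_SECONDS = 60  # assumed 1-minute window (the page mentions 1 or 5 minutes)

def build_sample_events():
    """Constructed per-packet events: (ts, client, server, port, app, bytes)."""
    tls = ("10.0.0.5", "192.0.2.10", 443, "tls", 1000)
    events = [(1200 + i, *tls) for i in range(59)]            # busy flow, window 1200
    events.append((1230, "10.0.0.5", "192.0.2.99", 23, "telnet", 60))  # one rare packet
    events += [(1260 + i, *tls) for i in range(30)]           # same flow, window 1260
    return sorted(events, key=lambda e: e[0])                 # stable sort by timestamp

def aggregate(events, window=WINDOW_SECONDS):
    """One record per (window, client, server, port, app); repeats only bump counters."""
    records = {}
    for ts, client, server, port, app, nbytes in events:
        start = ts - ts % window
        key = (start, client, server, port, app)
        rec = records.setdefault(key, {
            "window_start": start, "client": client, "server": server,
            "port": port, "app": app, "packets": 0, "bytes": 0,
            "first_seen": ts, "last_seen": ts,
        })
        rec["packets"] += 1
        rec["bytes"] += nbytes
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
    return sorted(records.values(), key=lambda r: (r["window_start"], r["port"]))

def sample_1_in_n(events, n):
    """Deterministic 1-in-N sampling, the volume-reduction option for flow export."""
    return events[::n]

if __name__ == "__main__":
    events = build_sample_events()
    records = aggregate(events)
    sampled = sample_1_in_n(events, 10)
    print(f"{len(events)} events -> {len(records)} aggregated records")
    for r in records:
        print(r)
    print("ports in aggregated records:", sorted({r["port"] for r in records}))
    print("ports in 1-in-10 sample:    ", sorted({e[3] for e in sampled}))
```

The single packet to port 23 survives aggregation as its own record with a packet count of 1, while the 1-in-10 sample of the same events never sees it.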

End-user Value of Custos Time Window Based Monitoring

  1. Reduces costs and increases the ROI of network tools
  2. Enhances the capabilities of network tools by enriching metadata
  3. Improves network performance by enhancing network monitoring
  4. Improves network security posture by enhancing network security monitoring
  5. Improves network planning and compliance by enhancing network analytics
