The following is a transcript of the audio podcast.
Welcome to Briefings In Brief, an audio digest of IT news and information from the Packet Pushers, including vendor briefings, industry research, and commentary.
I’m Ethan Banks, it’s February 7, 2019, and here’s what’s happening. I had a briefing with Plixer today.
Plixer Scrutinizer, Flow Records, And Context
Plixer is in the world of flow record analysis, solving issues for both network and security operations folks. “Oh, so they’re a netflow collector?” Yes, that’s how Plixer started back in 1999, but there’s much more to the story than just collection of flow records now that they’ve got nearly 20 years of software development under their belt.
Plixer’s Scrutinizer platform doesn’t simply collect netflow records. Rather, Plixer grabs all sorts of flow records, including netflow, sflow, IPFIX, and more. How much more? Thousands. Plixer has made a point to integrate with several different industry vendors to be able to parse not just the standard flow records, but also many of the proprietary record types that are out there, for example, from Gigamon and Ixia.
The big idea is to, as a first step, collect a bunch of records from a bunch of sources–all the sources you have on your network. Collection is good and needful, but the real issue (and one we’ve been harping on in the Packet Pushers world) is how that data is interpreted. Records aren’t interesting by themselves. Context is. Software that collects flow records and parses through them so that you have transactional context up and down the stack is what operations folks need. You don’t have the bandwidth to be providing context yourself.
And that’s the next step Scrutinizer takes–providing context to help you make sense of all the flow records being collected from the network. Ahhhh…“Scrutinizer” – I see why they called it that now. While a standard netflow record might give you 12 data points (IP address, ports, and so on), Plixer, with all of the integrations they’ve done with other platforms, can tap into as many as 5,000 data points around a transaction.
Plixer describes it as a “massively contextual database” containing L2-L7 information. The context stitches together all of the data you might care about when troubleshooting a problem or performing a forensic investigation. Metadata like application, user name, jitter, latency, SSL cert details, geo IP location, etc. are all examples of elements Plixer understands to help clarify what’s really going on and why.
The FlowPro Network Probe For Those Hard-To-Reach Network Segments
Flow records from sources all over your network including the funky proprietary ones are good, but what if you’ve got some dark spots on your network? Areas where the network equipment in play doesn’t have good flow information to send to Plixer Scrutinizer?
Plixer has announced the FlowPro network probe to shine some light on these dark areas. Available both as hardware and virtual appliances, FlowPro observes network packets via SPAN or ERSPAN and can, based on its observations, create and export flow records to Scrutinizer. But that’s not all that FlowPro can do. There’s a bunch of analytical capability baked into the tool.
For example, Plixer described rich DNS security functionality to me. FlowPro can inspect DNS via domain reputation checking, look for and inspect DNS tunneling, monitor queries for A and AAAA records, note hits on “whatismyip.com”, and then detect behavior indicating that malware folks are trying to get paid based on lookups against the public IP address of a compromised host. All of that work is done locally on the FlowPro, with anomalous events kicked up to Scrutinizer.
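As an added illustration (not Plixer’s code, and not a description of how FlowPro implements any of this), here is a small Python sketch of the kinds of DNS checks listed above, run over a constructed set of query records; the blocklist, thresholds and sample domains are all made up for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS queries: (client IP, query name, record type).
QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "whatismyip.com", "A"),                     # public-IP lookup
    ("10.0.0.7", "mail.example.com", "AAAA"),
    ("10.0.0.9", "bad.example.invalid", "A"),                # on the toy blocklist
    ("10.0.0.9", "aGVsbG8gd29ybGQgZm9vYmFy0.t.example.test", "TXT"),
    ("10.0.0.9", "c2VjcmV0IGRhdGEgaGVyZSE1.t.example.test", "TXT"),
    ("10.0.0.9", "bW9yZSBzZWNyZXQgc3R1ZmY2.t.example.test", "TXT"),
]
BLOCKLIST = {"bad.example.invalid"}       # stand-in for a domain reputation feed
PUBLIC_IP_CHECKERS = {"whatismyip.com"}   # domains that reveal a host's public IP
TUNNEL_LABEL_LEN = 20     # long first labels are typical of encoded payloads
TUNNEL_ENTROPY = 3.0      # bits/char; random-looking labels score high
TUNNEL_MIN_UNIQUE = 3     # distinct encoded labels under one base domain

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def base_domain(qname):
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname

def analyze(queries):
    """Return (alerts, A/AAAA counts per client) for a batch of queries."""
    alerts, record_counts = [], defaultdict(Counter)
    suspect_labels = defaultdict(set)
    for client, qname, qtype in queries:
        if qtype in ("A", "AAAA"):                     # monitor A/AAAA volume
            record_counts[client][qtype] += 1
        if qname in BLOCKLIST:                         # reputation check
            alerts.append(("reputation", client, qname))
        if base_domain(qname) in PUBLIC_IP_CHECKERS:   # "whatismyip" style hit
            alerts.append(("public-ip-lookup", client, qname))
        first = qname.split(".")[0]                    # tunneling heuristic
        if len(first) >= TUNNEL_LABEL_LEN and shannon_entropy(first) >= TUNNEL_ENTROPY:
            suspect_labels[(client, base_domain(qname))].add(first)
    for (client, dom), labels in suspect_labels.items():
        if len(labels) >= TUNNEL_MIN_UNIQUE:
            alerts.append(("dns-tunnel-suspect", client, dom))
    return alerts, record_counts

if __name__ == "__main__":
    for alert in analyze(QUERIES)[0]:
        print(alert)
```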
The virtual FlowPro runs on VMware, KVM, or Hyper-V. The hardware FlowPro supports 1G or 10G uplinks. You license the FlowPro with Defender to get the security analytics, including the DNS capability. You can license the FlowPro with APM to get application fingerprinting and L7 application performance analysis. Or run both licenses.
Part of Plixer’s idea with Scrutinizer and FlowPro is to offer deep network analysis products that are useful for both NetOps and SecOps, without an IT shop having to go to separate vendors to buy a solution. For example, Scrutinizer offers dashboards customizable per user, and FlowPro offers both the APM and Defender licenses.
DDoS Detection Under Scrutiny
Another announcement from Plixer today is the addition of DDoS detection to the Scrutinizer platform. The capability is straightforward. Detect DDoS, and then share the information with mitigation appliances that can help stem the tide of nasty DDoS traffic.
There are a number of solutions in this space–DDoS detection and mitigation has been hot for a long time, and they are usually really pricey tools. So if you’re a Plixer customer already…this feature makes a lot of sense to add to the Scrutinizer platform.
For More Information
My thanks to some of the folks in the Packet Pushers audience Slack channel for recommending I take the briefing from Plixer. Why did they recommend this? Because they use the product and told me it didn’t suck and/or became their tool of choice, replacing some other analysis tools they once used.
If you’re in the market for a tool that can help explain what’s really going on in your network by deeply breaking apart transaction level detail, Plixer Scrutinizer strikes me as worth investigating. And if you’re already in Plixer’s world, the FlowPro appliance seems useful well beyond simple packet analysis.
For more information, visit plixer.com. And if you sign up for a proof-of-concept, tell them you heard about them on Packet Pushers. Maybe we’ll get the chance to dive deeper on their tech on Heavy Networking one of these days.
That was Briefings in Brief from the Packet Pushers. For more IT podcasts, blogs and news created for engineers, visit packetpushers.net where you can subscribe for free. And for even more great information like our whitepaper on Intent-Based Networking, become a premium member (and one of the cool kids) at ignition.packetpushers.net.