ZoneRanger: Secure NetFlow / sFlow Proxy

NetFlow and sFlow are relatively new protocols that can be used to collect sampled traffic and usage/event statistics from network devices. Many network devices and servers can be configured to periodically send NetFlow and sFlow information to designated collection stations, and a variety of management applications have been developed to collect, analyze, and present the information received. Some of these applications focus on network usage, accounting, and billing, while other applications focus on network performance optimization. NetFlow and sFlow are even used by some applications to identify security threats based on recognized attack signatures.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for users of these management applications, requiring them to choose between two equally unacceptable alternatives: prevent NetFlow and sFlow information from passing through the firewall, accepting limited ability to receive information from the devices beyond, or allow NetFlow and sFlow messages to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for NetFlow and sFlow traffic, enabling management applications to receive NetFlow and sFlow messages from devices beyond firewalls, while mitigating the associated security risks. All NetFlow and sFlow messages are carefully inspected by the ZoneRanger, and valid messages that match configured filter criteria are forwarded to configured destination addresses. This approach prevents managed devices (or malware masquerading as a managed device) from directing NetFlow and sFlow messages to arbitrary destinations via the ZoneRanger.
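The inspect-validate-forward pattern described above, as an added illustration that is not Tavve's or ZoneRanger's code: a sketch that checks a NetFlow v5 datagram's header fields and length consistency, applies a configured exporter allow-list, and forwards only to collectors fixed in the proxy's own configuration, never to a destination chosen by the sender. The policy values and the sample datagram are constructed for the example.

```python
import struct
from ipaddress import ip_address, ip_network

# NetFlow v5 wire layout: 24-byte header followed by 48-byte flow records.
NFV5_HEADER = struct.Struct("!HHIIIIBBH")  # version, count, uptime, secs, nsecs, seq, engine_type, engine_id, sampling
NFV5_RECORD_LEN = 48
NFV5_MAX_RECORDS = 30

class ProxyPolicy:
    """Configured filter criteria: trusted exporter networks and the fixed
    collector list. Destinations come from configuration, not the datagram."""
    def __init__(self, allowed_exporters, collectors):
        self.allowed = [ip_network(n) for n in allowed_exporters]
        self.collectors = list(collectors)

def validate_netflow_v5(payload):
    """Return None for a well-formed NetFlow v5 export, else a rejection reason."""
    if len(payload) < NFV5_HEADER.size:
        return "short header"
    version, count, *_ = NFV5_HEADER.unpack_from(payload)
    if version != 5:
        return f"unsupported version {version}"
    if not 1 <= count <= NFV5_MAX_RECORDS:
        return f"bad record count {count}"
    expected = NFV5_HEADER.size + count * NFV5_RECORD_LEN
    if len(payload) != expected:
        return f"length {len(payload)} != expected {expected}"
    return None

def proxy_decision(src_ip, payload, policy):
    """Decide what the proxy does with one datagram from src_ip.
    Returns (forward_to, reason); forward_to is [] when the message is dropped."""
    if not any(ip_address(src_ip) in net for net in policy.allowed):
        return [], f"exporter {src_ip} not in allow-list"
    reason = validate_netflow_v5(payload)
    if reason:
        return [], reason
    return policy.collectors, "ok"

def make_v5_datagram(count):
    """Constructed sample export: v5 header with `count` records, record bodies zeroed."""
    header = NFV5_HEADER.pack(5, count, 1000, 1700000000, 0, 1, 0, 0, 0)
    return header + b"\x00" * (NFV5_RECORD_LEN * count)

if __name__ == "__main__":
    policy = ProxyPolicy(["10.1.0.0/16"], [("192.0.2.10", 2055)])
    print(proxy_decision("10.1.2.3", make_v5_datagram(2), policy))   # forwarded
    print(proxy_decision("10.9.9.9", make_v5_datagram(2), policy))   # dropped: untrusted exporter
    print(proxy_decision("10.1.2.3", make_v5_datagram(2)[:-1], policy))  # dropped: truncated
```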

(Figure: NetFlow / sFlow diagram)

NetFlow and sFlow are part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

What others are saying...

"Tavve has developed the ZoneRanger product, in order to enable companies to leverage their centralized management infrastructure across firewall-partitioned networks, while mitigating risks associated with management protocols."
Tavve: ZoneRanger
Subraya Mallya
PrudentCloud.com


"Without a more secure approach to managing the protocols and tools that manage the network - including the 'trusted' internal network - enterprises may be exposing themselves to more risk than they realize."

Scott Crawford, CISSP, ISSAP, ISSMP
Senior Analyst, Enterprise Management Associates

"ZoneRanger effectively extends the reach of management applications to devices located beyond firewalls, eliminating the need for complicated firewall configurations, extensive agent deployments, or expensive application replication. ZoneRanger also provides security, acting as an application layer proxy firewall, inspecting and validating the traffic relayed between applications and devices."
Jim Doble, CISSP
CTO, Tavve