NetFlow, sFlow Proxy Collection in the DMZ

With the proliferation of DMZs (so-called De-Militarized Zones, or firewall-protected areas) and extranets today, network managers are increasingly faced with the problem of collecting data from NetFlow- and sFlow-enabled equipment when security policy prevents UDP from crossing the firewall out of these segregated areas. This paper discusses the problem that the security policy creates and three solutions for NetFlow and sFlow collection from the DMZ: 1) add collectors to the DMZ, 2) use a separate network management network, or 3) add proxy collectors to the DMZ.
