10.09.2018

Delivering traffic information to FastNetMon over the Internet

The default FastNetMon setup assumes that traffic between your routers and switches and the machine running FastNetMon does not leave your network premises.

But in some cases it may be useful to send traffic information over the Internet. FastNetMon works this way without any issues, but please be aware of the following restrictions:

  • NetFlow/IPFIX is not an encrypted protocol and can leak sensitive data (IP addresses, port numbers, protocols)
  • NetFlow/IPFIX are UDP-based protocols, so packets can be dropped or corrupted in transit

The same restrictions apply to the sFlow v5 protocol. It carries even more sensitive data (including HTTP headers, session IDs and other very important fields) because it includes the first 60-120 bytes of each Ethernet frame from your network. Please be very careful with it.
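To make the sFlow exposure concrete, the following added example (not FastNetMon code) decodes the first 120 bytes of a constructed Ethernet/IPv4/TCP frame, the way a sampled header would be carried, and shows which fields are readable in cleartext. All addresses, ports and the cookie value are constructed, and the function names are hypothetical.

```python
import socket
import struct

SAMPLED_HEADER_BYTES = 120  # upper end of the 60-120 byte range quoted above

def build_constructed_frame() -> bytes:
    """Constructed Ethernet/IPv4/TCP frame carrying a plaintext HTTP request."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    payload = (b"GET /account HTTP/1.1\r\nHost: example.com\r\n"
               b"Cookie: session=CONSTRUCTED-VALUE-0001\r\n\r\n")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def exposed_fields(sampled: bytes) -> dict:
    """Decode what a truncated frame header reveals to anyone on the path."""
    if len(sampled) < 34 or struct.unpack("!H", sampled[12:14])[0] != 0x0800:
        return {}  # too short, or not IPv4
    ihl = (sampled[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = sampled[23]                     # IP protocol number (6 = TCP)
    out = {"src": socket.inet_ntoa(sampled[26:30]),
           "dst": socket.inet_ntoa(sampled[30:34]), "proto": proto}
    l4 = 14 + ihl                           # offset of the transport header
    if proto == 6 and len(sampled) >= l4 + 20:
        out["sport"], out["dport"] = struct.unpack("!HH", sampled[l4:l4 + 4])
        data_off = (sampled[l4 + 12] >> 4) * 4
        # Whatever follows the TCP header is application data in cleartext.
        out["payload"] = sampled[l4 + data_off:].decode("ascii", "replace")
    return out

def demo() -> dict:
    """Truncate the constructed frame as a sampled header and decode it."""
    frame = build_constructed_frame()
    return exposed_fields(frame[:SAMPLED_HEADER_BYTES])

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With 54 bytes of Ethernet, IPv4 and TCP headers, a 120-byte sample leaves 66 bytes of application data, which here is enough to carry the request line, the Host header and the start of the session cookie.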

If you can deploy IPsec/VPN or any kind of L2 link between the two points, that is the recommended way to implement it.

Also, BGP is very sensitive to any kind of network congestion or overload, which can shut down the session between the router and FastNetMon; all announcements published by FastNetMon will then be removed. So please keep your timeouts high to avoid such cases.

Also, as an additional level of security, we suggest using MD5 validation for BGP sessions on both sides. FastNetMon has complete support for this option.