After weeks of biting my tongue I can finally let everyone know that I have accepted a security analyst position in Bermuda and am leaving Q1 Labs. Over the past 3.5 years I learned more about log and flow management than I would have learned at any other job. My work at Q1 Labs inspired me to author 3 books, seek out new certifications, meet new and interesting people, and expand my overall knowledge of security.

Every now and then a career opportunity comes around that you simply cannot say no to. This job in Bermuda is just that kind of opportunity. My new role will allow me to attend more conferences and influence the development of security policies and training. Hopefully my new role will also allow me to enjoy some of my past accomplishments and provide new and exciting challenges.

Oh…and blog more 🙂

One question I hear all the time is “If I enable the exporting of Netflow on my router or switch, will it impact performance?” Yes it will, but usually not by enough to discourage you from including Netflow datagrams in your network analysis plans.

According to this document, released by Cisco, if you have…

• 10000 (ten thousand) active flows in the cache you can expect no more than a 4% increase in CPU utilization.
• 45000 (forty-five thousand) active flows in the cache you can expect no more than a 12% increase in CPU utilization.
• 65000 (sixty-five thousand) active flows in the cache you can expect no more than a 16% increase in CPU utilization.

Also, sampled Netflow will significantly decrease CPU utilization to the router. According to Cisco:

On average sampled NetFlow 1:1000 packets will reduce CPU by 82% and 1:100 sampling packets reduce CPU by 75% on software platforms. The conclusion is sampled NetFlow is a significant factor in reducing CPU utilization.

That being said, sampling Netflow won’t give you the whole picture, just a tiny piece of the flow puzzle.

More information can be found here and here.