Network Flows And Security


Presented at Blackhat Europe 2005 by

Network flows were ignored for a long time. Over the last couple of years they have become a key source of information for detecting and characterizing DDoS attacks on the Internet, but that is far from their only interesting use. On an internal network (a large management network or a global enterprise IT network, for example) they enable early detection of worm outbreaks, infected workstations and covert channels, to list a few examples. Network flows are also very helpful for forensics, since quite often a full traffic dump isn't available (for multiple reasons: size, scalability, bandwidth, etc.). Combining the two gives a macroscopic view of the network (netflow) that can be linked to a microscopic view (the full dump) "on demand". A further use of network flows is to build a baseline of normal traffic and detect policy violations against it; this lets the security administrator "enforce" the security policy and detect people trying to circumvent it (using tunnels, for example). We'll go through deployment scenarios and, for each application, show and list some examples of what to look for.
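To make "what to look for" concrete, here is an added example (not from the talk or its author) of the three flow-level detections the abstract names, run over a handful of constructed NetFlow-style records: a worm-like fan-out from one host, an egress policy violation, and a DNS tunnel candidate. The internal address range, the allowed outbound ports, the mail-relay exemption and all thresholds are assumptions chosen for the illustration, not values from the page.

```python
"""Flow-based detections over constructed NetFlow-style records (example, not the talk's code)."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str        # "tcp" | "udp" | "icmp"
    sport: int
    dport: int
    packets: int
    octets: int
    duration: float   # seconds


# Assumed site policy (illustrative values, not from the page).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}          # assumed egress policy
MAIL_RELAYS = {"10.0.0.25"}                     # assumed hosts allowed to speak SMTP out

# Constructed sample records, unidirectional, as an exporter would emit them.
SAMPLE_FLOWS: List[Flow] = [
    # ordinary browsing and a single DNS lookup
    Flow("10.0.1.10", "93.184.216.34", "tcp", 51000, 443, 20, 14000, 3.2),
    Flow("10.0.1.10", "8.8.8.8", "udp", 53001, 53, 1, 70, 0.01),
    Flow("10.0.1.11", "93.184.216.34", "tcp", 51002, 80, 15, 9000, 2.5),
    # worm-like fan-out: one source, one port, 60 distinct targets, one packet each
    *[Flow("10.0.2.20", f"10.0.3.{i}", "tcp", 40000 + i, 445, 1, 60, 0.0)
      for i in range(1, 61)],
    # policy violation: direct outbound SMTP from a workstation
    Flow("10.0.1.12", "203.0.113.25", "tcp", 52000, 25, 40, 30000, 10.0),
    # tunnel candidate: "DNS" that moved 3.5 MB over half an hour
    Flow("10.0.1.13", "198.51.100.53", "udp", 53100, 53, 4000, 3_500_000, 1800.0),
]


def detect_fanout(flows: List[Flow], min_targets: int = 30,
                  max_packets: int = 2) -> Dict[Tuple[str, int], int]:
    """Worm outbreak / scan: one source hitting many distinct destinations on the
    same port with tiny flows (SYN probes rarely exceed a packet or two)."""
    targets: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            targets[(f.src, f.dport)].add(f.dst)
    return {key: len(dsts) for key, dsts in targets.items() if len(dsts) >= min_targets}


def detect_policy_violations(flows: List[Flow]) -> List[Flow]:
    """Egress policy: internal hosts reach the Internet only on allowed ports,
    except the mail relays. Internal-to-internal traffic is left to detect_fanout."""
    violations = []
    for f in flows:
        if ipaddress.ip_address(f.dst) in INTERNAL:
            continue
        if f.dport in ALLOWED_OUTBOUND_PORTS or f.src in MAIL_RELAYS:
            continue
        violations.append(f)
    return violations


def detect_tunnel_candidates(flows: List[Flow], max_octets: int = 100_000,
                             max_duration: float = 300.0) -> List[Flow]:
    """Covert channel over DNS: port-53 flows whose volume or lifetime is far
    beyond a real lookup (about one packet, ~100 bytes, milliseconds)."""
    return [f for f in flows
            if f.dport == 53 and (f.octets > max_octets or f.duration > max_duration)]


if __name__ == "__main__":
    for (src, port), n in detect_fanout(SAMPLE_FLOWS).items():
        print(f"fan-out: {src} probed {n} hosts on port {port}")
    for f in detect_policy_violations(SAMPLE_FLOWS):
        print(f"policy : {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    for f in detect_tunnel_candidates(SAMPLE_FLOWS):
        print(f"tunnel?: {f.src} -> {f.dst}:53 moved {f.octets} bytes in {f.duration:.0f}s")
```

Each detector needs only the 5-tuple plus counters and duration, which is exactly what a flow record carries; none of them needs payload, which is why the macroscopic view works even when a full capture does not exist. The thresholds are the "baseline" in its simplest form: in practice they would be learned per host or per subnet from a quiet period rather than hard-coded.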