The Network Through a New Lens: How a Visibility Architecture Sharpens the View PN: 915-3522-01 Rev B, October 2014


Table of Contents

Increasing Vulnerability Drives the Need for Visibility

Enter the Visibility Architecture

The Big 5 “Insider Tips” on Deploying a Network Visibility Architecture

Three Infamous Deployment “Gotchas” and How to Avoid Them

In Conclusion


Visibility is essential to comprehending the truth. When it comes to networks, the greater the visibility, the better your insight and control of the entire applications and appliances infrastructure: virtual, physical, cloud, central, and distributed. As today’s infrastructures become larger and more complex – with rising speeds and volumes of data traversing them – the challenge to view, manage, and protect it all grows greater as well. Yesterday’s tactical, “point” visibility solutions have been eclipsed by the sheer power of network evolution, and there is an urgent need for a strategic, robust, and scalable visibility architecture. This visibility architecture must reveal both the big picture and the smallest details to present a true view of the expanding network universe.

The higher the visibility, the deeper your understanding

By Jan Verkolje (1650—1693) (http://ihm.nlm.nih.gov/images/B16786) [Public domain], via Wikimedia Commons

In 1674, Anton Van Leeuwenhoek peered into a drop of pond water through a new type of lens that he had ground and polished into unprecedented magnification. Suddenly, the invisible world was revealed, and everything changed forever.


Increasing Vulnerability Drives the Need for Visibility

The forces driving network growth are well known. New technology spawns unceasing demand for networking access. Pervasiveness, mobility, consumerization, and bandwidth hunger show no signs of leveling out. Today, more than 80 percent of data center traffic travels between servers.

Why is network visibility so essential?

Simply put, the network is always vulnerable. Total visibility of all traffic passing is critical to identifying and quickly resolving issues. With much inter-VM (virtual machine) and cross-blade traffic largely unmonitored, the network is increasingly exposed to attacks, noncompliance, loss of availability, and impaired performance. It’s also troubling that most network issues are still discovered by people, rather than by the technology designed to detect these issues.

Security threats are ingenious and opportunistic, always probing for network or application weaknesses. Currently, 50 percent of attacks happen to organizations with more than 2,500 employees. This percentage has held steady since 2011, but the actual volume of targeted attacks has doubled. Targeted attacks on smaller businesses of 1 to 2,500 employees have increased threefold since 2011 (Symantec Website Security Threat Report 2013).

Despite its power, scope, and influence, the network is incredibly fragile. The infrastructure and the mission-critical information it carries are at constant risk of being:

Dropped

Distorted

Destroyed

…in countless ways.

Network defense requires deep insight into every system, application, and device. Complexity must be tamed and managed, and tasks automated and simplified if the network is not to be crushed by its own growth. Awareness of abnormal activity allows the IT team to work proactively to minimize damage. As the momentum of new technologies, capabilities, and users accelerates, the need for visibility continues to rise.


“Blind spots”: what happens when visibility doesn’t

Attacks never take a holiday. Shoppers stepped into an unhappy new year with a January 2012 data breach of 24 million identities at Zappos shoe and apparel, plus discovery of a scam involving malicious browser plug-ins for Firefox and Chrome. The Kelihos botnet returned after a hiatus of four months, and immediately began making up for lost time. And this was just the start of the year.

Partial network visibility is like a partial airline flight: it doesn’t get you where you want to go, and it’s potentially more unpleasant than no flight at all. The limitations of “standard” visibility approaches are evident in the shocking security failures that have hit the headlines.

Before data volumes began their recent rocketing climb, monitoring tools customarily attached via taps and SPAN ports. However, as traffic speeds blazed toward 10GbE and 40GbE, tools were handily outpaced — triggering the cost-inefficient strategy of purchasing ever more tools. With tool numbers climbing, the network ran short of available SPAN and tap ports, limiting tool access to the data needed for true visibility. Consequent dropped packets compromised network security and impaired IT’s ability to take quick action on issues. Spiraling pressure on tools and lack of ports led to a plague of the notorious “blind spots” — areas of the network that the tools cannot see to monitor.

These fragmented areas are a perfect distillery for latent errors and pre-attack activity. Other magnets for blind spots are:

1. Corporate mergers that combine two organizations’ disparate network technologies

2. Layoffs and brain drain of key network personnel

3. Budget cuts that degrade monitoring capabilities

Migration cycles also began to outstrip monitoring capabilities. Because tools cannot discriminate between data that needs monitoring and data that is duplicated or otherwise not “of interest,” the tools become overwhelmed. Without the ability to filter data, tools continue their march to exhaustion, while IT budgets sag under the weight of forklift upgrades and CAPEX. How could packets be harvested, filtered, and systematically analyzed for issues?

*Bit9 2013 Cyber Security Study


Customer expectations drive the world

Customer expectations have never been higher or more service-focused.

Customers demand always-on access and immediate application response, seamless performance, connectivity, availability, scalability, security, and regulatory accountability. Service level agreements (SLA) must be fulfilled. IT organizations are expected to provide seamless customer experience in a secure and always-on network environment. Legacy security tools that once eased the pains of monitoring are losing ground to rising data volumes.

With visibility, IT can manage the underlying infrastructure and the experience they’re delivering to their users. Visibility lets them deliver on the SLAs to their end users. They can manage the infrastructure better and troubleshoot problems more quickly with access to data.

The scalability quandary

Many feel that scalability is the real issue at the root of the network’s security and performance shortfalls.

Pressures to scale are increasing as enterprises drive to manage server virtualization, 10/40/100GbE migration, data center consolidation, BYOD, and more. Any visibility solution must accommodate the rapidly rising rates of network link connectivity speeds and packet volumes. As the organization expands geographically, the monitoring infrastructure needs visibility across the entire distributed network. Scalability is more complex than merely adding resources; it calls for deep insight into how the various areas of the network relate to each other. The architecture must be planned to support current capacity, while providing sufficient scalability and flexibility to support future growth.


Enter the Visibility Architecture

Buying more tools to deal with spiraling demands is counter-productive; it’s like trying to simplify a problem by increasing complexity. Visibility merits its own architecture, capable of addressing packet access and packet stream management. A visibility architecture that collects, manages, and distributes packet streams for monitoring and analysis is ideal for cost-savings, reliability, and resilience. The economic advantages of such end-to-end visibility are beyond debate.

An architectural approach to visibility allows IT to respond to the immediate and long-range demands of growth, management, access, control, and cost issues. This architecture can optimize the performance and value of tools already in place, without incurring major capital and operational costs. With the ability to see into applications, a team can drill down instantly from high-level metrics to granular details, pinpoint root causes and take action at — or even before — the first sign of trouble, dramatically lowering mean time to repair (MTTR).

A scalable visibility architecture provides resilience and control without adding complexity. Because lack of access is a major factor in creating blind spots, a visibility architecture provides ample access for monitoring and security tools: network taps offer reliable access points, while network packet brokers (NPBs) contribute the advanced filtering, aggregation, deduplication, and other functions that make sure these tools see only traffic of interest.

Application- and session-aware capabilities contribute higher intelligence and analytical capabilities to the architecture, while policy and element management capabilities help automate processes and integrate with existing management systems. Packet-based monitoring and analysis offers the best view into the activity, health, and performance of the infrastructure. Managing a visibility architecture requires an intuitive visual/graphical interface that is easy to use and provides prompt feedback on operations – otherwise, architecture can become just another complexity to deal with.

The Ixia Network Visibility Architecture encompasses network and virtual taps, as well as inline bypass switches, inline and out-of-band NPBs, application-aware and session-aware monitoring, and a management layer.

[Figure: Visibility Architecture. Labels recoverable from the diagram: Network Infrastructure (Remote Office, Branch Office, Campus, Core, Data Center, Private Cloud, Virtualization, Carrier Networks Wired and Mobile); IT Management Groups (Network Operations, Performance Management, Security Admin, Server Admin, Audit & Privacy, Forensics); Network Visibility Framework, Virtual Visibility Framework, Inline Security Framework; layers Network Access, Packet Brokers, Intelligence, Management; components Network Taps, Virtual & Cloud Access, Inline Bypass, Out-of-Band NPB, Inline NPB, App Aware, Session Aware, Element Mgmt, Policy Mgmt, Data Center Automation.]


Network packet brokers: the workhorses of visibility

NPBs – compact, hardware-based, and rack-mounted – offer a spectrum of capabilities for handling and manipulating network packets. They provide the wherewithal to improve tool performance and scale existing tools for higher network speeds. NPBs optimize access and visibility of traffic from one or many network links to the monitoring, security, and acceleration tools, as well as:

1. Aggregate monitored traffic from multiple links

2. Filter and groom that traffic

3. Regenerate and load-balance traffic to multiple tools

They also pre-filter traffic in order to relieve tools of exhaustive redundancy and overprovisioning. NPBs intelligently distribute traffic from network devices across port mappings – many-to-many, any-to-many, many-to-any, and any-to-any.

The Evolution of Visibility

While the standard layer 2 – 4 network packet broker data continues to have value, to really understand your network infrastructure and how to respond to customer demands, you need to see which applications are running. You need to look at performance artifacts at the application layer, i.e. layer 7 information. Application intelligence (the ability to monitor packets based on application type and usage) is now available to provide the application and user insight that is desperately required. This technology expands the benefits of an NPB and is the next evolution in network visibility.

Application intelligence lets you dynamically identify all applications running on a network. You can capture distinct signatures for known and unknown applications, giving network managers a complete view of the network. In addition, well-designed visibility solutions offer enriched contextual information such as geo-location of application usage, network user types, operating systems and browser types that are in use on the network.


NPBs reinforce and extend the value of your tool investment

The ability to optimize the performance and utility of current tools as speeds push toward 10GbE, 40GbE, and beyond is critical. NPBs make a substantial difference in savings as well as security, without sacrificing functionality. Among the many capabilities of NPBs:

• Load Balancing solves the problem of speeds rising faster than the ability of tools to keep up by balancing the load with a more lightly engaged tool. This solves the problem without requiring new CAPEX and preserves current tools until further upgrading is feasible.

• Packet Deduplication eliminates redundant data packets sent by taps and SPAN ports at full line rate to monitoring tools, significantly improving tool bandwidth.

• Packet Trimming lightens the packet payload before the packet arrives at the monitoring or security tool to improve tool capacity and performance.

• MPLS Stripping enables non-MPLS capable monitoring tools to monitor MPLS data by removing MPLS labels from the packet stream and restoring packets to standard IPv4/6 packets.

• GTP Stripping removes the GTP headers from a GTP packet, leaving the tunneled L3 and L4 headers exposed. This enables tools that cannot process GTP header information to analyze the tunneled packets.

• Extended Burst Protection prevents dropped packets when aggregating multiple network streams into a single 1G stream, ensuring monitoring tools always receive the data they need.

• NTP Time Stamping helps latency-sensitive monitoring tools know when a packet traverses a particular point in the network – the best NPBs provide time stamping with nanosecond resolution and accuracy.
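The MPLS stripping, deduplication and trimming steps from the list above, chained in the order a packet broker would apply them before handing traffic to a tool. This is an added example, not Ixia's implementation or code from the original paper; the function names, the 50 ms window, the 64-byte snap length and the sample frames are assumptions constructed for illustration.

```python
import hashlib
import struct
from collections import OrderedDict

ETH_MPLS, ETH_IPV4, ETH_IPV6 = 0x8847, 0x0800, 0x86DD

def strip_mpls(frame: bytes) -> bytes:
    """Remove the MPLS label stack and restore an IPv4/IPv6 EtherType."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_MPLS:
        return frame                      # untagged Ethernet without MPLS: pass through
    offset = 14
    while True:
        if offset + 4 > len(frame):
            return frame                  # truncated label stack: leave untouched
        (entry,) = struct.unpack("!I", frame[offset:offset + 4])
        offset += 4
        if entry & 0x100:                 # bottom-of-stack bit set: last label
            break
    if offset >= len(frame):
        return frame
    inner = {4: ETH_IPV4, 6: ETH_IPV6}.get(frame[offset] >> 4)
    if inner is None:
        return frame                      # payload is not IP: do not guess
    return frame[:12] + struct.pack("!H", inner) + frame[offset:]

class Deduplicator:
    """Drop byte-identical frames seen again within a short time window."""
    def __init__(self, window_s=0.05, max_entries=65536):
        self.window_s, self.max_entries = window_s, max_entries
        self._seen = OrderedDict()        # digest -> first-seen timestamp

    def is_duplicate(self, frame: bytes, ts: float) -> bool:
        # Expire entries that are too old or exceed the memory bound.
        while self._seen:
            oldest_ts = next(iter(self._seen.values()))
            if ts - oldest_ts <= self.window_s and len(self._seen) <= self.max_entries:
                break
            self._seen.popitem(last=False)
        key = hashlib.sha256(frame).digest()
        if key in self._seen:
            return True
        self._seen[key] = ts
        return False

def groom(capture, snaplen=64):
    """capture: iterable of (timestamp, frame); returns frames sent to the tool."""
    dedup, out = Deduplicator(), []
    for ts, frame in capture:
        frame = strip_mpls(frame)         # strip first so tagged and untagged copies match
        if not dedup.is_duplicate(frame, ts):
            out.append(frame[:snaplen])   # packet trimming: keep headers, drop payload
    return out

# --- Constructed sample data (not from a real capture) ---
MACS = bytes.fromhex("020000000001" "020000000002")

def sample_ipv4(payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

def mpls_entry(label: int, bottom: int, ttl: int = 64) -> bytes:
    return struct.pack("!I", (label << 12) | (bottom << 8) | ttl)

IP_A, IP_B = sample_ipv4(b"A" * 100), sample_ipv4(b"B" * 100)
PLAIN_FRAME = MACS + struct.pack("!H", ETH_IPV4) + IP_A
MPLS_FRAME = MACS + struct.pack("!H", ETH_MPLS) + mpls_entry(100, 0) + mpls_entry(200, 1) + IP_A
OTHER_FRAME = MACS + struct.pack("!H", ETH_IPV4) + IP_B
SAMPLE_CAPTURE = [(0.000, MPLS_FRAME), (0.001, PLAIN_FRAME),
                  (0.002, OTHER_FRAME), (0.200, PLAIN_FRAME)]

if __name__ == "__main__":
    for f in groom(SAMPLE_CAPTURE):
        print(len(f), f[12:14].hex())
```

Because the hash covers the whole frame, only byte-identical copies are dropped; copies captured at different hops differ in TTL and checksum and would need those fields masked before hashing.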


The Big 5 “Insider Tips” on Deploying a Network Visibility Architecture

In deploying a visibility architecture, there are five key considerations to address and factor into your basic plan.

Cost

Perhaps the number one project consideration is: do you have the funds? If you don’t have sufficient money, you may have to cut down or deploy in stages. Also, you need to determine whether that budget is yours, or if it belongs to a different organization. If the money belongs to Security and you’re in Network Management, you may have to negotiate. Prioritize your wish list and strategize on deployment.

Type, Size, and Scope

Determine what type of project this is: an add-on to existing infrastructure, a re-do, or a brand new data center greenfield opportunity. A big consideration is that an overhaul requires a lot of change planning, submission of requests and creation of maintenance operations and procedures. If it’s brand new, then you can plan out just what you want. An add-on is somewhere in between those two. Find out what the time frame is when you’re overhauling versus a brand new implementation.

Physical Infrastructure

Get a good handle on nuts-and-bolts issues at the outset and know what you have to spend on them. Perhaps you have legacy equipment and you’re deploying something farther along—extending multimode cable if you have single mode, for example. Also, you’ll need to determine if you have enough of the right kind of copper to meet requirements.

Technical Requirements

Ask yourself, what are the technical features you need to make this deployment effective for visibility? For example, will you need deduplication? Packet slicing to store more? Or MPLS stripping? All of these issues are important and need to be considered. Check with other groups so you’re fully briefed.

Time Frame

How much time do you have to get this project completed? Six months—or three? Do you need contractors or distributors to be involved? Consider that you may have to lengthen the amount of time you allocate to the project.


Deploying a visibility architecture in the real world

A full assessment and analysis of both short- and long-term visibility needs should include all IT departments. In addition, short-term penny-wise planning – without taking future needs into account – can result in sticker shock at the costs of re-architecting the network later on. In order to avoid future issues, monitoring needs must be fully taken into account. However, you can leverage existing tools even while migrating networks to 10GbE, 40GbE, or 100GbE – saving tremendous CAPEX. Repurposing or reusing existing tools also reduces OPEX, since the team is already trained and familiar with the tools they have been using.

Network Upgrade: 1GbE to 10GbE (or 40GbE)

Visibility resources like NPBs can improve network efficiency, reduce complexity, and minimize/delay network upgrade costs. Most prominently, NPBs have proven their ability to help IT leverage current investments in 1GbE tools for enhanced value and functionality. By delaying new CAPEX, and reducing OPEX such as training and staffing costs on new tools, NPBs are important to an economical visibility strategy.

Pitfalls and Pains

Be sure to upgrade monitoring tools when upgrading the network – or risk sub-optimal functioning. Investigating and addressing monitoring needs after the fact is a prime cause of project delays and cost overruns. Further, complexity and increased OPEX result when you try to perform network monitoring on the upgraded network – issues not addressed in the initial design.

Company Merger/Acquisition

When merging separate networks together, a Visibility Architecture can help to minimize complexity and costs.

Pitfalls and Pains

Watch out for massive blind spots that can result from lack of visibility and monitoring coverage where it’s most needed.

Network complexity can develop as disparate networks are patched together, leaving the IT team wondering how to get usable monitoring data. Also, outdated or unknown equipment left in the network can create security holes; unknown equipment left unused while new and similar equipment is purchased can result in costly redundancies and monitoring tool overlaps.


Managing the visibility architecture

As part of designing a visibility architecture, management needs should be investigated and factored in ahead of time. If not considered from the start, managing network elements (monitoring switches, taps, monitoring tools, etc.) can become a very cumbersome task. The management of network monitoring devices needs to align with your needs and the needs of your customers (both internal and external). Engineering flexible management for network components will be a determining factor in how well your network scales.

An inevitable increase in the size and complexity of the network doesn’t have to mean an increase in the complexity of your monitoring solution itself. With the right management approach, you can control and minimize monitoring complexity. Think intuitive, integrated, and intelligent.

• Intuitive—visually friendly and easy to understand at a glance

• Integrated—“One Stop Shopping,” with no separate executables required for basic configuration, and seamless linkages among various systems

• Intelligent—such resources as a powerful filtering engine and automated discovery of components or initiation of actions based on thresholds


Three Infamous Deployment “Gotchas” and How to Avoid Them

Gotcha #1 is lack of communication. If you’re not talking to each other, you can end up with specifications and codes being violated. You need to make sure that all people engaged with the network are communicating and understanding one another.

Gotcha #2 is planning a network visibility architecture without understanding the applications. This not only risks response time delays or failures, it can even necessitate retransmissions of processes. Gain a solid understanding of each application: where to monitor it and what its characteristics are.

Gotcha #3 is improper or inadequate lifecycle planning. You have a great plan and start to deploy, but have neglected to upgrade all of the tools. A sudden demand for a function or capability that you cannot provide can lead to delays and dissatisfaction. Be sure to consult manuals and take whatever training is necessary to understand new models, upgrades, and additional features or capabilities of new equipment. Revisit this every 6 months or a year.


In Conclusion

The momentum of traffic growth is placing unprecedented demands on the network for total visibility. Accelerated change and the rising profile of threat have spurred network advances that are also capable of delivering substantial cost savings and new efficiencies that benefit the entire organization.

Ixia’s Visibility Architecture delivers end-to-end network information and enables instantaneous response to a spectrum of challenges. The Ixia Network Visibility Architecture is a progressive, responsive, and flexible solution that brings together proven technologies and resources to enable the scalability, cost-effectiveness, performance optimization and robust threat protection that organizations need to solve today’s and tomorrow’s challenges.

Ixia Worldwide Headquarters
26601 Agoura Rd.
Calabasas, CA 91302

(Toll Free North America) +1.877.367.4942
(Outside North America) +1.818.871.1800
(Fax) 818.871.1805
www.ixiacom.com
