Making sense of network traffic

In the Star Trek: The Next Generation episodes, Capt. Picard would get a handle on a situation, turn to his Number 1, and say, “make it so.” At that point things would get in gear. Usually Picard was pressed due to poor visibility into alien behaviour.

It’s fun to watch on TV. Not so fun for network administrators.

Visibility can be clouded by poorly thought-out access. The data is then of limited use, even if there is a decent process for dealing with problems. Nothing gets done. Or, sometimes worse, the wrong thing gets done.

“The industry has an unbalanced approach to network management,” says Chris Bihary, director of sales for Network Critical Solutions in Buffalo.

“Millions of dollars are spent on enterprise network tools, various analyzers, sniffers, QoS gear, stuff for VoIP, and then on the security side there is content filtering, intrusion detection, the list goes on. But no-one asks: how will the device get access?”

The challenge isn’t to buy a specific tool, but to get complete network access. When looking at critical tasks, people tend to look at the core (data centre, database, server farms), the perimeter, or the edge.

From Network Critical’s perspective the solution is to take a temporary access port (TAP) and make it permanent. This way the out-of-band device has uninterrupted visibility into network traffic with no competition for access, and no effect on network flow.

However, whether access is from a TAP, appliance at the edge or perimeter, or application on a host server, the next issue is what to do with visibility.

“You have to set service quality definitions to assess things based on performance and behaviour, not just device availability and status,” says Jayanth Angle, research analyst for infrastructure at Info-Tech Research Group. “The engineers should know before the end-users.”

Dean Pothorin, chief executive officer of PresiNET Systems in Victoria, sees the merit in appliances because data is not that accessible in logs.

“Networks are dynamic,” says Pothorin. “It’s timely and costly to run a sniffer when you’ve got a problem. An appliance can get to every single user, application, and destination.”

The value in this kind of visibility is that the information can travel from the user, to IT manager, and then to CIO or CEO. At this stage visibility should translate into policy development and enforcement.

But here lies one of the biggest challenges in making the visible actionable: the reporting has to translate into language understood by the network administrator and the CFO.

Loki Jorgenson, chief scientist for Apparent Networks in Vancouver, says part of the problem is that network and application people often don’t talk across the enterprise, and management rarely communicates with service providers.

“It’s a trick to generate a report and make it sensible to all,” Jorgenson says. “There has to be a balance of detail and a summary of information that directly explains the cause of the degradation.”

Apparent Networks’ approach is IP-centric. This is a software-based point-and-shoot technology. The application is generic to all IP networks and can sit virtually anywhere — at the edge, in the core, or parachuted remotely in the field.

The appeal of the solution is the degree to which it pumps out suggestions and not just graphs. “We come out with actual recommendations,” Jorgenson says. “The application might look at a hop (e.g. data packet trip) and say, ‘Check the duplex setting, set to auto negotiate’.”

Part of the strategy is to use templates to determine what’s useful. Is it voice, data? Looking through the application lens, a comparative summary will offer explanations and make suggestions.

A complicating factor is that a good choice from a security standpoint may be a bad idea in terms of application performance.

Scott Crawford, research director for security and risk management with Enterprise Management Associates in Colorado, sees definite crossovers from network management and security.

“There are a number of situations where, from a vendor perspective, security and network visibility have similar value propositions,” Crawford says. “Firewalls, deep inspection to Layers 1-7, intrusion protection systems — these do much the same thing in that they analyze traffic.”

IT security risk management solutions can then become tools for gaining visibility into the network. Companies like Skybox Security for security risk/network compliance management, as well as Arbor Networks and Lancope for network behavior analysis (NBA), are at these crossroads. With so much information, and some of it legally required for reporting and auditing purposes, there has to be a prioritization of capture and reporting.

Angle argues that NBA, an emerging space, is converging with security incidence management (SIM) and can provide a lot of network visibility off of an appliance.

Crawford agrees that validation on the security side is an important part of the puzzle, and more proactive than setting an SNMP trap.

“Vulnerability analysis requires a map, the lay of the land of the IT environment,” he says. “You then need to set priorities for application flow and monitoring, all validated for security.”

PresiNET’s chief operating officer Jo Surich argues for the merit of an independent reporting system for compliance. “For SOX you might have a log, but then the question is: Who touched your financial servers? It has to be so that no one can get in and alter the reporting structure.”

Performance management also means that every single transaction is not only recorded but also timed. This way if you make changes you can do rollbacks and compare performance.

“We can check the transaction time between two cities to track jitter for VoIP. The reports are template driven. You can click a button for an application, bandwidth, users, timeframe.”

The risk, of course, is information overload. NetFlow and sFlow are good traffic analysis tools. You can track raw data, but additional tools help get to the granularity of total link utilization and tracking bandwidth by application and host.
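To make the "link utilization and bandwidth by application and host" views concrete, here is a small added example (not code from any vendor named in the article) that aggregates constructed NetFlow-style records; the port-to-application table and the 10 Mbps link size are assumptions for illustration.

```python
"""Aggregate NetFlow-style flow records into the summaries the article
describes: total link utilization, bytes per application, bytes per host.
Sample data below is constructed for the example, not captured traffic."""
from collections import defaultdict

# Constructed flow export, one flow per line: src,dst,proto,dst_port,bytes
SAMPLE_FLOWS = """\
10.0.1.10,10.0.2.20,tcp,443,1200000
10.0.1.11,10.0.2.20,tcp,443,800000
10.0.1.10,10.0.3.30,udp,5060,20000
10.0.1.12,10.0.3.31,udp,16384,3500000
10.0.1.13,10.0.2.22,tcp,22,50000
10.0.1.13,10.0.9.99,tcp,6667,90000
"""

# Assumed application template; a real tool carries a far larger mapping
APP_BY_PORT = {443: "https", 80: "http", 5060: "sip", 22: "ssh"}

def classify(proto, port):
    """Map a flow to an application label; unknown ports stay visible."""
    if port in APP_BY_PORT:
        return APP_BY_PORT[port]
    if proto == "udp" and 16384 <= port <= 32767:
        return "rtp"  # common VoIP media port range
    return f"other/{proto}:{port}"

def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, port, nbytes = line.split(",")
        flows.append((src, dst, proto, int(port), int(nbytes)))
    return flows

def bytes_by_app(flows):
    out = defaultdict(int)
    for _, _, proto, port, nbytes in flows:
        out[classify(proto, port)] += nbytes
    return dict(out)

def bytes_by_host(flows):
    """Count bytes on both ends so a busy server shows up as a top talker."""
    out = defaultdict(int)
    for src, dst, _, _, nbytes in flows:
        out[src] += nbytes
        out[dst] += nbytes
    return dict(out)

def link_utilization_pct(flows, window_s, link_mbps):
    """Percent of link capacity consumed over the export window."""
    total_bits = sum(f[4] for f in flows) * 8
    return round(100 * total_bits / (window_s * link_mbps * 1e6), 2)
```

Unknown ports are kept as their own labels rather than folded into a catch-all, so unexpected traffic (here the constructed flow to port 6667) remains visible in the per-application view.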

Here is where the solution should, in effect, be the brain of Picard, narrowing options to the point where not only administrators, but also senior managers, can “make it so.”
