Bringing Enterprise-class Network Performance and Security Management Together using NetFlow




An ENTERPRISE MANAGEMENT ASSOCIATES (EMA) White Paper Prepared for Lancope
November 2009
IT MANAGEMENT RESEARCH,

Table of Contents

Executive Summary
The Emergence of Application-Aware Network Performance Management
Application Awareness in Security Management
Two Worlds Collide, or Combine?
Finding the One Plus One Equals Three Answer
The StealthWatch Approach
EMA Perspective
About Lancope

Executive Summary

The drive towards application-aware approaches for monitoring the network infrastructure has resulted in the emergence of management data sources which can be used for multiple purposes. For instance, while there are different ends to network security and network performance monitoring, the means can very much be the same. With the current increased focus on protecting business process-enabling applications and services as opposed to mere infrastructure management, IT operations teams must pay attention to the opportunity in front of them to better leverage available management technologies, share the results, and form a more collaborative, proactive, and effective support regime for the businesses and organizations which they serve.

This paper addresses the convergence of network management and network security technologies around NetFlow, and a solution built on this basis now available from Lancope. The StealthWatch System has long spanned both functional areas, and with the November 2009 release of the FlowSensor AE, a new packet inspection-based instrumentation option, its capabilities to deliver definitive, proactive security and performance management are significantly expanded.

The Emergence of Application-Aware Network Performance Management

Network management technologies historically have been very much focused on making sure that the network infrastructure is available and working efficiently. Originally this meant assuring availability as well as interoperability between network elements that were often geographically far-flung and sourced from multiple vendors. As networking technologies have matured and network architecture best practices have advanced, availability is no longer the primary concern for most network operations teams. What is now of more importance is establishing an understanding of the efficiency that the network infrastructure delivers. This is a performance management issue, and is most readily recognized by measuring the volume, quality of service, and end-user experience for applications and services as they traverse the network infrastructure.

In order to become application-aware, network management teams need to take advantage of new sources of performance monitoring data, most often available directly from the infrastructure itself, but also drawn by adding instrumentation which can recognize, measure, and report application activity and user experience. It is with this new source of data that the network team has the opportunity to assume a more proactive position and role within their organizations. By gathering performance metrics in real time and tracking end-user experience, operators have the opportunity to find early indications of problems and take preventive action before the end users, or the business processes that rely on them, take notice or are substantially impacted.

The technologies which provide application awareness for network teams fall into three categories:

1. Flow-based records produced by infrastructure equipment or management tools which record and report application session details. Most common in this category are NetFlow records, and the many variants and versions thereof.

2. Synthetic agents which are installed at key points around the distributed network infrastructure to artificially test and measure application responsiveness.

3. Packet-based monitors which use deep inspection techniques to recognize and track application sessions and report key performance metrics, as well as provide a rich basis for detailed troubleshooting.

The first two types are purely passive in nature; however, the third may also be delivered as part of an active solution, most commonly in the form of application delivery controllers or WAN optimization controllers. Experience dictates that a balance of all three of these types has proven to be the best answer for complete instrumentation coverage, facilitated troubleshooting, and optimal flexibility while fulfilling both reactive and proactive task needs.

Application Awareness in Security Management

Current security management and monitoring tools also utilize a mix of these three types of application-aware measurement techniques. For instance, packet inspection is the basis of firewall and network intrusion detection system (NIDS) technologies, as well as intrusion prevention systems (IPS). While NIDS is passive, firewalls and IPSs are active. Synthetic agents have a lesser role, but can be used as part of vulnerability assessment approaches. Network flow data is currently considered one of the most powerful sources for network security monitoring, and is used to recognize and track unusual patterns of activity as well as unexpected network participants and applications. The goal here, of course, is to identify threats, whether they originate inside or outside the organization, and provide enough information to the security operations team to allow protective actions to be taken. Use of NetFlow, as the most common format of network flow data records, is the most heavily adopted approach of this type.

Two Worlds Collide, or Combine?

For many years, providers of network-based security monitoring solutions have recognized that the data they are collecting could also be used for performance management. Similarly, providers of application-aware network performance monitoring solutions have recognized that in addition to monitoring legitimate business traffic, they also commonly see illegitimate activities. As a result, many solution providers from one camp or the other have tried to adapt their products to meet both sets of needs.

To be clear, there are very different objectives between the two practice areas of network management and security management. The data analysis activities focus on quite different indicators and results, as well as audiences. But what is remarkably similar is the technique by which network-based security technologies gather data as compared to network performance monitoring technologies. The key to creating a solution which can address both spaces successfully is a clear understanding of the different purposes and constituencies involved.

If we consider which underlying data collection technologies hold the most promise as a common basis for security and network management, the conversation must naturally turn towards flow-based sources, and there are two primary categories of those as mentioned above. Flow data can be drawn from flow records generated by infrastructure devices or from packet monitoring technologies. Flow data is the most powerful option because it includes not only a record of activity, but information on the source and destination addresses, as well as an indication of what applications or services were in use. And if packet-based sources are used, that information can be augmented with quality of experience measurements.

Finding the One Plus One Equals Three Answer

As mentioned earlier, technology providers have attempted in the past to span the two domains of security management and network management. The rationale for providing additional functionality based on a common platform is strong: it realizes more value and returns on investments made in tools and training. And yet few of these solutions have found significant success or broad market adoption. What has been lacking in many of these past attempts has been a viable model and architecture for adequately addressing the full range of functional needs for both security and network operations teams. In particular, delivering the capability to present summarized and analyzed results in a way that adequately supports the full spectrum of operational processes and workflows has proven difficult.

There are also differences in data needs. While NetFlow has proved a great common ground, additional measurements or metrics are required in order to fill out each practice area. For instance, network managers need to augment NetFlow with expanded application recognition and response time measurements in order to understand and track user quality of experience, and security professionals need to augment NetFlow with log file data and signature recognition to fully address points of vulnerability. Further, the political barriers resisting the sharing of data, and more specifically control of the data, have often proven insurmountable. A solution that has strong adoption and use within one constituent base but little or no recognition within the other will have little advantage versus other best-of-breed options.

So how do we get past the political and technological barriers? How do we find a way to build rather than oppose, and how can we reach out to capture the potential advantages of an integrated solution? The answer very well may be to identify a solution that can truly be considered best-of-breed by each constituent group. This means not settling for 80% capabilities on one side of the house just because you get 100% on the other side.

The StealthWatch Approach

Lancope is a well-established provider of network security products, and has been delivering solutions to organizations worldwide for years. Their StealthWatch product has evolved from roots in early threat detection to become a highly scalable, enterprise-class real-time network security monitoring platform complete with extensive reporting, alerting, trending, and broad multivendor support. In addition to its historical strength in security management, Lancope has achieved steadily growing success in addressing network performance monitoring and management goals with the same core system, and has achieved adoption for these purposes within a substantial number of customer environments.

At the heart of Lancope's StealthWatch platform is the use of NetFlow both as a data acquisition technique and as a means for transferring data from its instrumentation devices in the data collection layer to its centralized data stores, where analysis and reporting take place. Lancope's solution has long been able to harvest NetFlow records directly from capable devices within the StealthWatch Xe platform. This is augmented by the StealthWatch FlowReplicator, which can gather flow records remotely as well as create NetFlow records from non-NetFlow data sources, such as syslog and SNMP. Lancope recently introduced the StealthWatch FlowSensor VE, which extends NetFlow-based visibility into VMware ESX virtualized servers, providing visibility into traffic flowing between guest VMs which reside on a common host. These approaches have all utilized traditional NetFlow data structures as a means for communicating data between the collection and analysis tiers.

Brand-new to the Lancope product portfolio with the StealthWatch 5.10 release is the StealthWatch FlowSensor AE. This new instrumentation device attaches directly to network links and adds an important additional set of measurements to what is traditionally available and transmitted using NetFlow. The FlowSensor AE can recognize and measure response times based on the packet sequences it inspects, and uses custom fields within the NetFlow V9 format to forward both round-trip time (RTT) and server response time (SRT) to the StealthWatch Xe server. Such response time data fills the key gap which exists with NetFlow-exclusive monitoring solutions.

Lancope has also gone further in its efforts, adding specific views and reports that would be of interest to differing audiences. For instance, its logical, system-wide reports, which focus primarily on individual or groups of IP addresses, are tuned towards security and server managers, who often are not directly concerned about physical location. Network managers, on the other hand, benefit from its physical perspective reports, due to their concern with understanding topological relationships for traffic engineering and root cause determination.

EMA Perspective

ENTERPRISE MANAGEMENT ASSOCIATES (EMA) analysts have long been advocates for integrated management technologies and practices. This is a growing priority for organizations that seek to turn IT into a strategic asset, and make the shift from reactive practices to proactive service orientations. As part of this evolution, both rigorous security and compliance management and infrastructure performance management are considered indispensable. Lancope's StealthWatch embodies a practical solution for leveraging the technological similarities between network security and network performance management while addressing the unique needs of both functional areas from a common platform.
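The two mechanisms this paper leans on, flow records whose addresses and ports reveal which participants and applications are talking (the security view), and extra response-time fields carried inside NetFlow V9 records (the FlowSensor AE's RTT and SRT), are easy to see in a collector that parses both. The following Python is an added example written for this page; it is not Lancope's code and not part of the original paper. It builds a constructed NetFlow V9 export (20-byte header, a template flowset, a data flowset) using the standard field type IDs from RFC 3954, parses it back with a template cache, and then derives a performance summary and a list of unexpected sessions from the same records. The field IDs 40001 and 40002 for RTT and SRT are placeholders invented for the example, not the IDs any real sensor uses, and the three flows and the "expected server ports" set are constructed sample data.

```python
import struct
import ipaddress
from collections import defaultdict

# Standard NetFlow v9 field type IDs (RFC 3954, section 8).
IN_BYTES, IN_PKTS, PROTOCOL = 1, 2, 4
L4_SRC_PORT, IPV4_SRC_ADDR = 7, 8
L4_DST_PORT, IPV4_DST_ADDR = 11, 12
# Hypothetical exporter-specific field IDs for round-trip and server response
# time. Placeholders chosen for this example, not the IDs any real sensor uses.
X_RTT_MS, X_SRT_MS = 40001, 40002

FIELD_NAMES = {IN_BYTES: "bytes", IN_PKTS: "packets", PROTOCOL: "proto",
               L4_SRC_PORT: "sport", IPV4_SRC_ADDR: "src",
               L4_DST_PORT: "dport", IPV4_DST_ADDR: "dst",
               X_RTT_MS: "rtt_ms", X_SRT_MS: "srt_ms"}
IP_FIELDS = (IPV4_SRC_ADDR, IPV4_DST_ADDR)

# Constructed template: (field type, length in bytes) pairs, 25 bytes per record.
TEMPLATE_ID = 256
TEMPLATE = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2),
            (L4_DST_PORT, 2), (PROTOCOL, 1), (IN_BYTES, 4), (IN_PKTS, 4),
            (X_RTT_MS, 2), (X_SRT_MS, 2)]

# Constructed sample flows: two HTTPS sessions to one server plus one RDP session.
SAMPLE_FLOWS = [
    {IPV4_SRC_ADDR: "10.1.1.20", IPV4_DST_ADDR: "10.2.0.5", L4_SRC_PORT: 51000,
     L4_DST_PORT: 443, PROTOCOL: 6, IN_BYTES: 8400, IN_PKTS: 12, X_RTT_MS: 23, X_SRT_MS: 140},
    {IPV4_SRC_ADDR: "10.1.1.21", IPV4_DST_ADDR: "10.2.0.5", L4_SRC_PORT: 51002,
     L4_DST_PORT: 443, PROTOCOL: 6, IN_BYTES: 3100, IN_PKTS: 7, X_RTT_MS: 25, X_SRT_MS: 220},
    {IPV4_SRC_ADDR: "10.1.1.22", IPV4_DST_ADDR: "10.2.0.9", L4_SRC_PORT: 51010,
     L4_DST_PORT: 3389, PROTOCOL: 6, IN_BYTES: 900, IN_PKTS: 4, X_RTT_MS: 30, X_SRT_MS: 0},
]


def build_export(flows, include_template=True, source_id=1):
    """Serialise flows as one v9 export packet: 20-byte header, optional
    template flowset (id 0), and a data flowset padded to a 4-byte boundary."""
    body = b""
    if include_template:
        tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
        tmpl += b"".join(struct.pack("!HH", t, n) for t, n in TEMPLATE)
        body += struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = b""
    for flow in flows:
        for ftype, flen in TEMPLATE:
            val = flow[ftype]
            data += (ipaddress.IPv4Address(val).packed if ftype in IP_FIELDS
                     else val.to_bytes(flen, "big"))
    data += b"\x00" * (-len(data) % 4)
    body += struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    count = len(flows) + (1 if include_template else 0)
    return struct.pack("!HHIIII", 9, count, 0, 0, 0, source_id) + body


def parse_export(packet, templates):
    """Parse one export. `templates` is keyed by (source_id, template_id) and
    persists across packets. Data flowsets whose template has not been seen
    yet (normal right after a collector restart) are skipped, not guessed."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    flows, skipped, off = [], 0, 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed flowset length")
        pos, end = off + 4, off + fs_len
        if fs_id == 0:  # template flowset; may carry several templates
            while pos + 4 <= end:
                tid, nfields = struct.unpack("!HH", packet[pos:pos + 4])
                pos += 4
                templates[(source_id, tid)] = [
                    struct.unpack("!HH", packet[pos + 4 * i:pos + 4 * i + 4])
                    for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:  # data flowset (ids 1-255 are reserved; 1 = options template)
            tmpl = templates.get((source_id, fs_id))
            rec_len = sum(n for _, n in tmpl) if tmpl else 0
            if rec_len == 0:
                skipped += 1
            else:
                for _ in range((end - pos) // rec_len):  # trailing bytes are padding
                    rec = {}
                    for ftype, flen in tmpl:
                        raw = packet[pos:pos + flen]
                        pos += flen
                        name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                        rec[name] = (str(ipaddress.IPv4Address(raw))
                                     if ftype in IP_FIELDS and flen == 4
                                     else int.from_bytes(raw, "big"))
                    flows.append(rec)
        off = end
    return flows, skipped


def analyze(flows, server_ports=frozenset({80, 443})):
    """Two views of the same records: mean server response time per server
    (the network manager's view) and sessions to ports outside the expected
    server set (the security analyst's view of unexpected applications)."""
    srt, unexpected = defaultdict(list), []
    for f in flows:
        if f["dport"] in server_ports:
            if "srt_ms" in f:
                srt[f["dst"]].append(f["srt_ms"])
        else:
            unexpected.append((f["src"], f["dst"], f["dport"]))
    return {dst: sum(v) / len(v) for dst, v in srt.items()}, unexpected
```

Running `analyze(*parse_export(build_export(SAMPLE_FLOWS), {})[:1])` yields a mean SRT of 180 ms for 10.2.0.5 and flags the single session to port 3389 as outside the expected server set. The template cache is the part worth keeping in mind operationally: a data flowset that arrives before its template (the usual state right after a collector restarts) is counted as skipped rather than decoded with a guessed layout, and once the template has been cached from an earlier packet, later template-less packets from the same source ID decode normally.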

Lancope has been pursuing this combined solution for several years, and with this latest iteration has closed key gaps, in particular through the addition of response time metrics via the new packet-based FlowSensor AE. This is not the end of the road, however, and EMA foresees continued opportunities for improvement to the StealthWatch solution. One area would be the addition of real-time views and reports using business-oriented data presentations to better collaborate and communicate with other groups inside and outside IT. Further development of performance troubleshooting workflows which can reach down to the packet level would also be a big plus, as this is often an essential capability for addressing the most difficult and subtle performance degradation issues. Where many have failed before, Lancope's StealthWatch solution may just hold the elusive answers to combining security and performance management for networks. Lancope's approach demonstrates significant savvy and holds great promise for improving operations, from a total cost as well as a total effectiveness and impact perspective.

About Lancope

Lancope, Inc. is the leader in NetFlow Analysis and the provider of the StealthWatch System for flow-based network performance and security monitoring. Delivering unified visibility across physical and virtual networks, StealthWatch eliminates network blind spots and reduces total network and security management costs. Both OPSEC and Common Criteria-certified, StealthWatch monitors the networks of Global 2000 organizations, academic institutions and government entities worldwide. Lancope also partners with fellow best-of-breed solution providers through its Technology Alliance Program, which includes Cisco Systems, Brocade, Blue Coat, VMware, IBM Tivoli, Check Point, TippingPoint, ArcSight and A10 Networks. Lancope is a privately held, venture-backed company headquartered in Atlanta, Georgia. For more information, visit www.lancope.com.

About Enterprise Management Associates, Inc.

Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that specializes in going beyond the surface to provide deep insight across the full spectrum of IT management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help its clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise IT professionals and IT vendors at www.enterprisemanagement.com or follow EMA on Twitter.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgment as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. EMA and Enterprise Management Associates are trademarks of Enterprise Management Associates, Inc. in the United States and other countries. EMA, ENTERPRISE MANAGEMENT ASSOCIATES, and the mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.

Corporate Headquarters: 5777 Central Avenue, Suite 105, Boulder, CO 80301
Phone: +1 303.543.9500
Fax: +1 303.543.7687
www.enterprisemanagement.com