WHITE PAPER Extending Network Monitoring Tool Performance www.ixiacom.com 915-6915-01 Rev. A, July 2014
Table of Contents
Benefits
Abstract
Introduction
Understanding Monitoring Tools
Extending 1 Gigabit Monitoring Tool Performance
Finding the Right Solution
Conclusion
About Ixia
Benefits
- Handle higher-bandwidth traffic without a total reinvestment in new tools
- Improve the efficiency of network administration and problem solving
- Increase the return on monitoring tool investments

Abstract
The industry's challenge is to leverage investments in existing monitoring tools as they confront increasing network speeds, higher network utilization, and the explosion of new network services and threats. Many organizations have invested in network monitoring equipment such as protocol analyzers, intrusion detection and prevention systems, and stream-to-disk traffic loggers. The challenge is to extend the performance capabilities of these tools to handle the high-speed, multi-protocol, threat-laden traffic of today's and tomorrow's networks, without a total reinvestment in new tools and without sacrificing security. This paper explores how monitoring tools can achieve higher levels of performance without forklift upgrades. It proposes a variety of ways to extend their efficiency, including the use of a stand-alone content filtering device that offloads monitoring tools by pre-filtering traffic and assisting with common tasks.

Introduction
In today's IT-driven organizations, network performance is key to providing excellent customer experiences, driving business process efficiencies, growing revenue, and maintaining competitive advantage. Network administrators, charged with keeping networks responsive to the needs of both internal and external customers, rely on network monitoring tools for a continuous stream of information with which to baseline and assess the network's health. These tools enable administrators to ensure high application availability and good response times, to enforce network usage policies, and to justify and measure the impact of network upgrades. Network administrators can choose from an array of monitoring tools, ranging from open-source host-based software to sophisticated hardware appliances and platforms.
Solutions include:
- Protocol analyzers, RMON probes, and NetFlow collectors for performance tuning
- Intrusion detection systems (IDS) and intrusion prevention systems (IPS) for security
- Stream-to-disk traffic loggers and e-mail monitors for compliance auditing, forensics, and lawful intercept

The industry's challenge is to leverage investments in existing monitoring tools as they confront increasing network speeds, higher network utilization, and the explosion of new network services and threats. The key is to find new and innovative ways to extend tool performance and improve network security by modifying the traffic flow or its basic characteristics rather than replacing the tools outright. The following sections explain where opportunities exist for implementing new enhancements and for extending tool performance.

Understanding Monitoring Tools
Most network monitoring tools are task-specific, high-performance software packages running on PC or server hardware. Proprietary boxes sold as appliances may consist internally of standard hardware components running proprietary software, often based on the Linux operating system. The performance of these tools is determined by the speeds of the processors and memory buses, and by the size of the memory used both for caching and for buffering packets from the network. The performance of the network interface cards (NICs) is obviously critical, too, for monitoring high-bandwidth 1 Gbps and faster network links.

More advanced tools alleviate these bottlenecks by adding more processors and more dedicated buffers, typically using standard integrated circuit (IC) components on custom-designed boards with proprietary architectures. The highest-performing tools go one step further, using custom-designed application-specific integrated circuits (ASICs).

The type, speed, and number of processors in a tool dictate its processing performance. As network speeds increase, the number of packets that can be processed at wire speed (in other words, keeping up with the network) reaches a limit. Moreover, the further a tool's hardware architecture diverges from standard, well-understood technology, the trickier it becomes, as engineers push radical new architectures to achieve maximum performance.

Buffers enable the tool to handle higher peak traffic loads by storing packets during bursts and releasing them for processing when traffic subsides. However, if the tool cannot sustain performance at full network bandwidth for an extended period of high traffic, even the largest buffers eventually fill, and the tool fails to capture the information it was deployed to collect.

Extending 1 Gigabit Monitoring Tool Performance
The objective is to get more network performance or security protection from a monitoring tool with minimal change. This goal can be achieved by directly upgrading or replacing software or hardware, or by combining the original tool with another device in a comprehensive system solution. Possible approaches and their impacts include the following (in no particular order of acceptance or adoption):

Upgrade components. If the monitoring tool runs on standard hardware, upgrading with additional memory or faster NICs and processors may be a quick and relatively inexpensive fix. The vendor may also have newer software releases that provide faster throughput and new features that address a particular situation.

Purchase duplicate equipment. In many cases, two monitoring tools can run alongside each other, doubling the amount of data that can be captured. For example, one tool can process the TCP traffic while another handles ICMP and UDP packets, or each tool can capture flows from different IP address pairs. This approach has the advantage of no learning curve, because users already know how to operate the equipment. It also provides redundancy in case one tool fails, and the tools can be deployed separately when they are not needed together. On the downside, this approach may not fit the budget or architecture, and it complicates getting an integrated view of the traces from both tools.

Upgrade to a faster tool. Higher-performance equipment may be available, providing a two- to ten-times performance increase. Evaluate not only the cost of the tool itself, but also the training expense if the functions or user interface differ significantly. Also check compatibility with other tools that may be part of your total solution. For example, an offline protocol analyzer may work with trace files from a logging tool; is the new logging tool's file format supported by the protocol analyzer?

Change the network. It may be possible to temporarily or permanently change the network so that the link that needs monitoring simply does not carry more traffic than the monitoring tools can handle. Load balancing, bandwidth limiting, or adding new network devices might accomplish this. In most cases it makes more sense to change the tools rather than the network, but whenever the network is changed for any reason, the impact on monitoring tools should be considered.

Use pre-capture filters. Pre-capture filters reduce the number of packets a tool needs to store and process by selecting packets of interest based on header information such as protocol type and IP address. The performance ceiling of the tool is raised because less buffering and processing power are needed to support the traffic load. Many tools offer pre-capture filters, but software-based pre-capture filters have performance limitations of their own. Because the pre-capture filter itself must process every packet on the wire, it may be limited to selecting ten or fifteen types of traffic; for instance, only flows between ten or fifteen source and destination IP address pairs. This limitation impacts the ability of administrators to debug network problems, costing them time and productivity. Hardware-based filters implemented in custom ASICs may support hundreds of filters at once, but they are found only in more expensive equipment, so cost and administrator efficiency are a tradeoff. Another way to improve capture ability is to copy the pre-filtered traffic stream to a high-speed memory-based file system for subsequent processing, rather than processing it in real time.

Finding the Right Solution
In some cases, monitoring tool performance can be extended through yet another approach. It may be possible to pair an over-burdened tool with a hardware-based device that is specifically built to offload redundant or well-known tasks. The solution would include pre-filters or offload capabilities that limit the traffic sent to the monitoring tool: a dedicated device that offers Layer 3/4 and content filtering at 1 Gbps wire speed, only slightly increases the cost of your existing solution, and is useful in a variety of scenarios, ranging from monitoring tool performance offload to compliance adherence. What if this device could handle hundreds of filters at wire speed?

Figure 1: Using a hardware pre-filter to capture traffic from hundreds of IP pairs. (a) Without a pre-filter, the protocol analyzer fed from the tap captures traffic from at most 10 to 15 IP pairs. (b) With a pre-filter between the tap and the analyzer, configured with pairs such as 192.168.20.0 <-> 192.82.0.10, 192.168.40.5 <-> 192.112.0.1, and 192.168.72.9 <-> 192.82.0.80, the analyzer can capture hundreds of IP pairs.

Such a device could be placed in front of a network analyzer to act as a hardware-based pre-capture filter, forwarding only traffic of interest to the analyzer and preventing overruns (Figure 1). It could relieve an IPS by eliminating hundreds of known threats identified by content strings, protocols, and port numbers (Figure 2). It could assist in a regulatory compliance solution by logging or blocking content containing hundreds of keywords and phrases such as "Company Confidential", "Do Not Distribute", and "Social Security Number" (Figure 3).
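The three roles just described (pre-capture selection by IP pair, IPS offload by protocol/port/content signature, and keyword-based compliance filtering) are shown below as a single software model of a rule-based pre-filter. This is an added example written for this page, not Ixia or Net Optics code; the addresses, the threat signature string, and the frames are constructed for illustration, and the parser handles only IPv4 over Ethernet with TCP, UDP and ICMP.

```python
"""Rule-based pre-filter placed in front of a monitoring tool (added example)."""
import re
import struct
from ipaddress import ip_address

ETH_P_IP = 0x0800
TCP, UDP, ICMP = 6, 17, 1


def build_frame(src, dst, proto, sport=0, dport=0, payload=b""):
    """Construct a minimal Ethernet/IPv4/L4 frame as test input. Checksums are
    left zero: the filter never verifies them, so they are irrelevant here."""
    if proto == TCP:   # 20-byte header, data offset 5, PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0)
    elif proto == UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:              # ICMP echo request header
        l4 = struct.pack("!BBHHH", 8, 0, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0,
                     64, proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_P_IP) + ip + l4 + payload


def parse(frame):
    """Return (src, dst, proto, sport, dport, payload), or None if not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    src, dst = ip_address(frame[26:30]), ip_address(frame[30:34])
    l4 = frame[14 + ihl:14 + total_len]
    sport = dport = 0
    if proto == TCP and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[(l4[12] >> 4) * 4:]      # honour the TCP data offset
    elif proto == UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
    else:
        payload = l4
    return src, dst, proto, sport, dport, payload


class PreFilter:
    """Three rule classes from the paper: IP pairs of interest (pre-capture),
    protocol/port/content signatures (IPS offload), keywords (compliance)."""

    def __init__(self, ip_pairs, drop_rules=(), keywords=()):
        # Pairs are bidirectional. A frozenset lookup costs the same for ten
        # pairs or several hundred, which is the point of a table-driven filter.
        self.pairs = {frozenset((ip_address(a), ip_address(b))) for a, b in ip_pairs}
        self.drop_rules = list(drop_rules)            # (proto, dport or None, bytes)
        # One compiled alternation scans the payload once for every keyword.
        self.kw = (re.compile(b"|".join(re.escape(k.encode()) for k in keywords), re.I)
                   if keywords else None)

    def decide(self, frame):
        """Return (verdict, reason); verdict is 'forward' or 'drop'."""
        pkt = parse(frame)
        if pkt is None:
            return "drop", "not IPv4"
        src, dst, proto, sport, dport, payload = pkt
        if self.pairs and frozenset((src, dst)) not in self.pairs:
            return "drop", "ip pair not of interest"
        for rproto, rport, sig in self.drop_rules:
            if proto == rproto and rport in (None, dport) and sig in payload:
                return "drop", "known threat signature %r" % sig
        if self.kw is not None:
            hit = self.kw.search(payload)
            if hit:
                return "drop", "keyword %r" % hit.group(0)
        return "forward", "passes all rules"

    def run(self, frames):
        """Apply the filter to a frame list; return per-verdict counts and a log."""
        counts, log = {"forward": 0, "drop": 0}, []
        for f in frames:
            verdict, reason = self.decide(f)
            counts[verdict] += 1
            log.append((verdict, reason))
        return counts, log


# Constructed rule table and traffic; hypothetical addresses in the style of Figure 1.
PAIRS = [("192.168.20.1", "192.82.0.10"), ("192.168.40.5", "192.112.0.1"),
         ("192.168.72.9", "192.82.0.80")]
THREATS = [(TCP, 80, b"../../etc/passwd")]        # illustrative signature only
KEYWORDS = ["Company Confidential", "Do Not Distribute", "Social Security Number"]
FRAMES = [
    build_frame("192.168.20.1", "192.82.0.10", TCP, 40001, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("192.82.0.80", "192.168.72.9", TCP, 443, 40002, b"\x16\x03\x01"),  # reverse direction
    build_frame("10.0.0.5", "8.8.8.8", UDP, 40003, 53, b"\x12\x34\x01\x00"),
    build_frame("192.168.40.5", "192.112.0.1", TCP, 40004, 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    build_frame("192.168.20.1", "192.82.0.10", TCP, 40005, 25, b"Subject: Q3\r\n\r\ncompany confidential\r\n"),
    build_frame("192.168.20.1", "192.82.0.10", ICMP),
    b"\x02" * 6 + b"\x04" * 6 + b"\x08\x06" + b"\x00" * 28,   # ARP frame, not IPv4
]


def demo():
    return PreFilter(PAIRS, THREATS, KEYWORDS).run(FRAMES)


if __name__ == "__main__":
    counts, log = demo()
    for verdict, reason in log:
        print(f"{verdict:8s} {reason}")
    print(counts)
```

Run it directly to see each verdict with its reason. Two design points carry over to a real deployment: the IP-pair table is a hash set, so lookup cost does not grow with the number of pairs (the hundreds-of-pairs case of Figure 1), and every drop is recorded with its reason, because whatever the pre-filter removes is invisible to the tool behind it and an administrator needs to be able to account for it.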
Figure 2: Using a rule-based filter to offload an IPS appliance. (a) Without a filter, both the known, repetitive, and keyword-based threats and the complex, stateful, and emerging threats reach the IPS appliance, which overloads. (b) With a rule-based filter between the router and the IPS appliance, the known, repetitive, and keyword-based threats are removed before the IPS sees them, leaving it only the complex, stateful, and emerging threats.

Figure 3: Using a content filter to assist a compliance solution. Placed between the router and the switch, the content filter drops e-mail attachments containing "Company Confidential", "Social Security Number", and many other keywords and phrases from outgoing traffic, and drops web sites containing profanity from incoming traffic.

The ability to deploy a single device in a variety of configurations provides the flexibility to assist in multiple scenarios, offering offload and pre-filtering for tools of all types.

Conclusion
Today's network monitoring tools offer levels of performance that were unheard of just a few years ago, but ongoing increases in network speeds and utilization continue to challenge their limits. The move to enhance monitoring tool performance without sacrificing security is driven by the hundreds of thousands of dollars in lost revenue and reduced productivity that organizations suffer annually due to underperforming or down networks. One study by the Aberdeen Group estimated that network downtime costs corporations an average of US$69,000 per minute (as high as US$1.5 million per minute in some industries), and those may be minutes that a network administrator spends struggling with a monitoring tool that is bumping up against its performance ceiling. Therefore it makes good business sense to invest in solutions that enable administrators to solve network problems as quickly and accurately as possible. Given the wide range of approaches for extending network monitoring tool performance, at least one is sure to be cost-effective for your organization.

To learn more about monitoring pre-filter and offload technology, please contact Net Optics at info@netoptics.com. Our technology experts would be happy to discuss possible solutions that Tap into your network monitoring challenges.
About Ixia
Ixia develops amazing products so its customers can connect the world. Ixia helps its customers provide an always-on user experience through fast, secure delivery of dynamic connected technologies and services. Through actionable insights that accelerate and secure application and service delivery, Ixia's customers benefit from faster time to market, optimized application performance and higher-quality deployments.

Ixia Worldwide Headquarters
26601 Agoura Rd., Calabasas, CA 91302
(Toll Free North America) 1.877.367.4942
(Outside North America) +1.818.871.1800
(Fax) 818.871.1805
www.ixiacom.com

Ixia European Headquarters
Ixia Technologies Europe Ltd, Clarion House, Norreys Drive, Maidenhead SL6 4FL, United Kingdom
Sales +44 1628 408750
(Fax) +44 1628 639916

Ixia Asia Pacific Headquarters
21 Serangoon North Avenue 5, #04-01, Singapore 554864
Sales +65.6332.0125
Fax +65.6332.0127