Visibility Architectures: The ABCs of Network Visibility

In this blog, I want to explain what visibility architectures are. First of all, what do we even mean by visibility? Visibility is defined by Webster as the “capability of being readily noticed” or “the degree of clearness”. For network or application visibility, we are talking about removing blind spots that are hiding the ability to readily see (or quantify) the performance of the network and/or the applications running over the network. This visibility is what enables IT to quickly isolate security threats and resolve performance issues; ultimately ensuring the best possible end user experience.

Another way to think about this is that visibility is what allows IT to control and optimize the network along with applications and IT services. This is why network, application, and security visibility are absolutely vital for any IT organization to accomplish their job! Without visibility, IT can only operate reactively to problems and will never be truly effective at eliminating those problems.

A Visibility Architecture then is the end-to-end infrastructure which enables physical and virtual network, application, and security visibility. While it is possible to piecemeal visibility components together as you solve one problem after another, this won’t give you a cohesive strategy. That practice would only lead to unnecessary complexity and far higher costs. The basis of a visibility architecture starts with creating a plan. Instead of just adding components as you need them at sporadic intervals (i.e. crisis points), step back and take a larger view of where you are and what you want to achieve. This one simple act will save you time, money and energy in the long run.

A proper visibility architecture addresses the strategic end-to-end monitoring goals of the network, whether they are physical, virtual, out-of-band, or inline security visibility. Once you combine the security architecture with the visibility architecture, you will equip yourself with the necessary tools to properly visualize and diagnose the problems on your network.

Purpose of Visibility Architectures

A visibility architecture typically yields immediate benefits such as the following:

First, you want to eliminate blind spots, i.e. the hidden areas of your network. Every network has some. By designing an architecture, you have a full array of solutions for both physical and virtual deployments that can be leveraged so that network operators don’t have to make compromises when it comes to visibility. For an extensive list of blind spots, see this blog.

The starting point of your architecture is to make sure you have proper access to the data you need. This typically involves using taps, virtual taps, and bypass switches to access data from relevant segments of your network. This removes the bottle neck caused by limited access points (like SPAN ports). However, SPANs can still be used, if necessary.

Next, you’ll want to have a filtering component to maximize the flow of relevant information to your monitoring tools. Enterprises can maximize their monitoring investment by utilizing powerful network packet brokers (NPBs). These devices give greater control to network operators and enable the ability to extend the life of existing network, application, and security tools; even as you migrate to higher speed 10GE, 40GE, or 100GE networks. NPBs are responsible for data aggregation, filtering, deduplication, and load balancing of Layer 2 through 4 (of the OSI model) packet data. These features ensure the tools get the data they need without being overwhelmed.

The next set of capabilities is the application intelligence layer. This functionality allows filtering and analysis further up the OSI stack at the application layer, i.e. Layer 7. These capabilities give you quick access to information about your network and help to maximize the efficiency of your tools. This is only available in certain NPBs. Depending upon your needs, this feature can be quite useful as you can collect the following information: the types of applications running on your network, the bandwidth each application is consuming, the geolocation of application usage, device types and browsers in use on your network, and the ability to filter data to monitoring tools based upon the application type. You can also perform SSL decryption at this layer.

The final layer is made up of your security and monitoring tools. These devices perform the analysis function on the security and monitoring data. They are typically special purpose tools (e.g. IPS, firewall, sniffer, APM, etc.) that are designed to analyze specific data. The output from these tools is typically used by network engineers to make their decisions.

Typical Use Cases

When all components of a visibility architecture are combined, they eliminate the blind spots within your network that are harboring potential application performance and security issues. Here are some real-life use cases that show off the benefits of a visibility architecture.

1. Strengthening of security defenses

A primary reason for a visibility architecture is because if your network is attacked, or breached, how will you know? A DDoS attack will usually impact website performance. But other than that, how will you “see” a security attack? This is actually a common problem. The 2015 Trustwave Global Security Report stated that 81% of compromised victims did not detect the breach themselves—they had no idea this had happened. The report also went on to say that the median number of days from initial intrusion to detection was 86 days. So, most companies never detected the breach on their own (they had to be told by law enforcement, a supplier, customer, or someone else) and it took almost 3 months after the breach for that someone else to notify them.

2. Acceleration of Mean time To Repair

Another example of a visibility architecture benefit is faster remediation of security breaches and network problem. In regards to security problems, if you can’t see the threat, how are you going to respond to it? For network problems, where should you start your troubleshooting efforts? A visibility architecture gives you a coherent way and access to the data you need to triangulate on problem spots as fast as possible. Some Ixia customers have seen an up to 80% reduction in their mean time to repair performance due to implementing a proper visibility architecture.

  1. Prevention of network issues and problems

Prevention is always a good aspiration. Almost all of us have grown up on the phrase, “an ounce of prevention is worth a pound of cure.” With proper visibility into your network, you can capture data the data you need to prevent costly outages. For instance, network data can tell you applications or network segments are running slowly. You can even run proactive monitoring solutions to test network segments and applications to check that they are working normally or see what kinds of problems they are having. Application intelligence can also help in this area.

  1. Optimization of your network

The final goal of a visibility architecture is to be able to capture data at regular intervals so that you can characterize your network and understand where and when you might have issues. This allows you to be even more proactive. In addition, it gives the data you need to better dimension your network equipment, optimize traffic routes, and maximize your capital expenditures (CAPEX).

Considerations When Researching Visibility Architectures

When considering visibility architectures, there are several items to investigate. Here is a short list of common items:

Flexibility, i.e. choice – You will want, and need, options. This includes the flexibility to deploy inline and out-of-band visibility solutions. It also includes the ability to monitor your physical and virtual data center traffic. Application Intelligence is another area to look for. While you may not want to engage in all of these activities right away, you should look for a solution that allows you to add the pieces you want, when you want, without a forklift upgrade.

Ease of Use – This will be a critical component that will heavily influence your total cost of ownership (TCO). Look for a solution that uses a drag and drop GUI interface. A command line interface will take you 10 times (or more) longer than a drag and drop interface to configure filters. The management system should also be able to handle everything—from global element management, to policy and configuration management, to data center automation and orchestration management. Engineering flexible management for network components will be a determining factor in how well your network scales.

Technology – A third consideration is around the technology. Buyer beware applies to this market place (just like others you are used to). While Vendor products may sound the same, they usually aren’t. In general, a strong consideration should be to purchase NPBs that run at line rate under all conditions. Only a very few NPBs do this. Anything less adds delay to your monitoring effort.

For inline solutions, this line rate will be absolutely critical. You will also want failover technology that is as fast as possible for inline solutions. It also suggested to use dedicated bypass switches, instead of bypass switches built into monitoring tools. This will maximize your fail-over capabilities and minimize loss of data on your network.

Data access is another area of concern. Consider using Taps instead of SPAN ports for your data access technology. Taps are superior to SPANs for several reasons, see this analysis here. One key difference is that SPANs provide summarized data (instead of a complete copy of all data) that can often be missing key data you need for proper problem resolution. Another area to investigate is whether your tools need packet data or NetFlow data. One last thing to consider is if your tools need additional data from application intelligence functions to further improve their performance.

More Information on Visibility Architectures

Visibility architectures can, and should, integrate with your business initiatives. If implemented correctly, they can seamlessly integrate into your existing network management and orchestration systems. They can also extend data center automation or application performance monitoring initiatives. Advanced visibility architectures can also take advantage of the power of automation. For example, your tools could automatically, without manual intervention, request specific types of traffic when it detects a security issue. And if a tool goes down, load balancing can automatically compensate for this by sending traffic to the remaining tools until a replacement tool can be deployed.

So what does a successful visibility architecture look like? Check out the material available here.

Ixia’s entire series of blogs on visibility are available now in the e-book Visibility Architectures: The ABCs of Network Visibility.

limit
3