Taking a Quantum Leap in Network Visibility

In our area of technology, we often think of our products in terms of how they compare to the rest of the products in the same market segment. Maybe we can highlight one facet of a unique feature and point out how nobody else offers it – or at least not in that way. It is tempting to compare features line-by-line when you have competitors who offer products that are generally similar. But now I have the opportunity to talk about a market where nobody else has gone. Ixia can show something that is truly game-changing for our customers.

Application intelligence (the ability to monitor packets based on application type and usage) is now available to provide the application and user insight that is desperately required. This technology is the next evolution in network visibility.

Application intelligence can be used to dynamically identify all applications running on a network. Distinct signatures for known and unknown applications can be identified and captured to give network managers a complete view of their network. In addition, well designed visibility solutions will generate additional (contextual) information such as geolocation of application usage, network user types, operating systems and browser types that are in use on the network.

So let’s just get this out of the way. Nobody else has anything like Ixia’s Application and Threat Intelligence (ATI) Processor. I can’t talk about how others stack up, because they just don’t have anything like this at all.

So rather than do a typical competitive analysis line-by-line, I am going to walk through the solution high points that raised eyebrows and engaged customers at the recent Cisco Live and Black Hat tradeshows.

What Is It?

Ixia’s ATI Processor is best described like this:

  • It’s a fully featured 48x10G NTO blade that populates the 7300 chassis. It enables all the standard visibility features that are so popular on the NTO: best-in-class GUI with drag-and-drop configuration, advanced filter compiler, 48x10G/1RU port density, all the stuff we already know and love. It is not some strange new thing you don’t understand and don’t know how to put into your network. At its core, it’s a completely functional blade for the 7300. Think of it like 3/4 of a 5288 on a blade.
  • Did I mention, this is a normal NTO blade? Yes, you are going to use this in your visibility network you are already deploying. And of course it will talk to all the other ports and resources in the 7300 chassis.
  • It has, hidden inside, a whole different kind of product. This is the ATI Processor Resource. The ATI Processor Resource dramatically extends what can be done to monitor the network traffic that is already being passed through the blade.
    • Using the technology we learned from our BreakingPoint acquisition, the ATI Processor can recognize applications based on signatures, which involve much more than just domain names, TCP port numbers, or the other things we have traditionally had to use to try to classify application traffic. The system comes pre-loaded with hundreds of signatures for known applications, and it can learn new ones on the fly as traffic happens in real time.
    • All kinds of details about these applications are revealed in the ATI Processor Dashboard, which runs in a browser window (not in the NTO Java-GUI).
      • IP addresses (source/destination)
      • Geography (city, country, latitude and longitude, both source and destination)
      • Application Identifier
      • You can create filters to watch these things
      • Orthogonal views are available; “why is someone in <insert country where we don’t have an office> accessing our SVN repository? WHO is it?”
      • Many other things. All the stuff you can’t do with ordinary network statistics, we can do with ATI Processor.
    • NetFlow can be generated based on all of the new data detected by the ATI Processor. Not just any NetFlow, but also IxFlow, which extends NetFlow with dozens of new fields including all of the interesting stuff like geography and application ID.
    • This IxFlow is integrated into more and more of the NetFlow tools you are already using, like Splunk and Plixer.
    • Multiple NetFlow exporters are supported
    • NetFlow can be assigned to any 1 port on the ATI Processor card
    • All ports on the card share this ATI Processor resource. Traffic sent to the ATI Processor resource goes through a dynamic filter that is attached to the ATI Processor and configured in the NTO GUI. You can filter what traffic you want to be analyzed in this filter. Traffic goes into this filter and the output is preset to go to the ATI Processor. The ATI Processor is, therefore, sort of “out of band” to the flow of traffic from network to tool ports in the NTO. You just attach the port you want to monitor to the ATI Processor filter, and voila, it gets the ATI Processor treatment. It doesn’t affect the other uses of that port for traditional visibility.

Counterpoints

“Hey, I thought you said nobody else has this AT ALL. Lots of products do NetFlow!”

OK, good point. But they don’t have IxFlow, which is where all the cool stuff is. And they don’t have our dashboard. AND they don’t do this in the context of the visibility network you have already deployed. They certainly don’t do this in a class-leading visibility tool such as the NTO.

“Yeah, well half the switch vendors and IDS and firewalls also do NetFlow, and I already have those things in my network . . .”

Remember, I said not to get hung up on NetFlow. We are talking about IxFlow! And switches and firewalls don’t:

  • Perform the kind of filtering we do, especially hitless with our killer GUI and all the other reasons you can’t use a switch in place of an NTO
  • Handle the rate of traffic flow the ATI Processor can handle and generate IxFlow
  • Integrate with your existing visibility architecture
  • Have access to traffic at all the points where you currently have Taps
  • Integrate traffic flows with other advanced features… like do NetFlow plus deduplication plus 1µs accurate timestamping plus load balancing...
  • Seriously, are you going to put a switch inline with every NTO port just to get it to generate NetFlow on the traffic you are monitoring? That doesn’t make much sense. It’s simpler, less expensive, and much more effective to just deploy the ATI Processor.

“Speaking of the dashboard, doesn’t this make us a competitor with tools like Splunk and Plixer?”

No. While the ATI Processor dashboard is very useful for configuration and some general debugging and visibility, it is not a dedicated and refined reporting tool on the level of our tool partners like Splunk and Plixer. However, our IxFlow greatly enhances what you can get out of a tool like Splunk or Plixer. I like to think of it like this: the ATI Processor supercharges the NetFlow reporting tools you already have!

OK, You Have My Attention. How Do I Know it Will Work For Me?

The biggest challenge I have experienced regarding the ATI Processor is not in the value it brings or the utility of the solution. Mostly it’s just that customers are not used to looking for something like this from Ixia. Here’s what I learned from customers at Black Hat and Cisco Live.

  1. If you are thinking of Ixia’s NTO products, you are already interested in network visibility. You care about monitoring the traffic on your network. You understand the value of keeping an eye on what your users are doing, being able to debug issues on the fly, and you have invested in tools and resources to make this work. The ATI Processor blade in a 7300 is a natural part of this visibility plan.
  2. In the classic sense, the NTO has always monitored network traffic in terms of bytes and addresses and VLANs and that kind of thing. But when a user on your network has an outage, they experience it in terms of the application. You don’t get a call into the help desk saying, “all VLAN 19 traffic with destination 192.168.4.7 is being dropped at my desk”. You get a call saying, “I can’t complete a VOIP call” or “why can’t I connect to our SVN server”. Users see the network in terms of applications and you should have a way of monitoring it in those same terms. The ATI Processor delivers just that.
  3. In some cases, visibility into application-based traffic indicators such as those shown on the ATI Processor can be critical to your business. For example, let’s say you have an internal network with data on it that is shared across many geographies but needs to be kept secure. That data may be summarized as an application, like Salesforce.com, Perforce or Exchange. You probably would like to know when someone from a geography where you don’t have an office is accessing those applications on your intranet, right? Or what if you see a discovered dynamic app called “Paypal.com” show up on your network? That’s spoofing! You didn’t even know to look for it, which is why spoofing works for the bad guys. Wouldn’t you like to be able to rapidly see who all of the users are on the network who have used this application so you can notify them of the breach?
  4. Also, maybe there are application traffic behaviors that indicate changes in your customers’ patterns that you would like to know about. For example, if you are a cable provider who also offers internet service, you would probably like to track the trend of the use of your own VoD service vs. competitors like Vudu and NetFlix, right? You’d like to know when a new competitor pops up, right? This gives you visibility not only into packets and network behaviors, but also into the potential future of your business.
  5. Remember, the ATI Processor dynamically learns about new applications when they come up on your network. Nothing is going to catch you off guard.
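
The two checks described in item 3 above (a sensitive application reached from a geography with no office, and the list of users who touched a newly discovered application), written as an added example that is not Ixia's code. The record field names, office list and sample flows are constructed for illustration and are not actual IxFlow field names.

```python
from collections import defaultdict

# Constructed sample records. The field names (src_ip, src_country, app, known)
# are hypothetical stand-ins for the application and geography fields of an
# enriched flow export; they are not actual IxFlow field names.
FLOWS = [
    {"src_ip": "10.1.4.22",    "src_country": "US", "app": "Perforce",   "known": True},
    {"src_ip": "203.0.113.50", "src_country": "BR", "app": "Perforce",   "known": True},
    {"src_ip": "10.1.4.31",    "src_country": "US", "app": "Exchange",   "known": True},
    {"src_ip": "10.1.7.9",     "src_country": "US", "app": "Paypal.com", "known": False},
    {"src_ip": "10.1.4.22",    "src_country": "US", "app": "Paypal.com", "known": False},
    {"src_ip": "198.51.100.7", "src_country": "DE", "app": "Exchange",   "known": True},
    {"src_ip": "10.1.7.9",     "src_country": "US", "app": "Paypal.com", "known": False},
    {"src_ip": "bad-record"},  # malformed: missing fields, must not stop the triage
]

OFFICE_COUNTRIES = {"US", "DE"}  # assumption: countries where the company has offices
SENSITIVE_APPS = {"perforce", "exchange", "salesforce.com"}

def triage(flows, offices=OFFICE_COUNTRIES, sensitive=SENSITIVE_APPS):
    """Return (geo_alerts, discovered_app_users, skipped_count)."""
    geo_alerts = []                 # sensitive app reached from a non-office country
    discovered = defaultdict(set)   # dynamically discovered app -> source IPs that used it
    skipped = 0
    for f in flows:
        try:
            ip, country, app = f["src_ip"], f["src_country"].upper(), f["app"]
        except (KeyError, AttributeError):
            skipped += 1            # count incomplete records instead of failing
            continue
        if app.lower() in sensitive and country not in offices:
            geo_alerts.append((app, country, ip))
        if not f.get("known", True):
            discovered[app].add(ip)  # set de-duplicates repeat flows from one user
    return geo_alerts, {a: sorted(ips) for a, ips in discovered.items()}, skipped

if __name__ == "__main__":
    alerts, users, skipped = triage(FLOWS)
    for app, country, ip in alerts:
        print(f"ALERT {app} accessed from {country} by {ip}")
    for app, ips in users.items():
        print(f"DISCOVERED {app}: notify {', '.join(ips)}")
    print(f"skipped {skipped} malformed record(s)")
```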

Now, the key to all of this is, you are already deploying a visibility network. That’s the key. Don’t think about the ATI Processor as a whole new thing you have to deploy which also happens, by the way, to have 48 ports of NTO on it. Think of it as a 48-port NTO blade that does everything you need for traditional visibility, plus a ton of other things you really want but didn’t even know we offered.

In hundreds of conversations with Ixia visibility customers and those interested in our visibility products, not once has anyone told me they were not interested in what the ATI Processor does. On the contrary, most of you are already thinking about this problem and may even be actively working on solving it, but you just didn’t know to ask our sales team about it, because maybe you think you are stuck going to other sources for this kind of thing. Now you know that Ixia offers a tool that does this, especially as an accessory to their class-leading NTO. This is game-changing!

Not Just For NTO Users

The reality is that IxFlow supercharges what you can do with a tool like Plixer or Splunk. You may very well already be a user of a NetFlow analysis tool, but you might not yet be an Ixia NTO user. You have bought and invested in the kind of thing the ATI Processor does best, but you are not using it to its full potential. The ATI Processor is essential to get all of the value from your existing NetFlow tool. We are not competing with these NetFlow analysis tools, we are enhancing those tools while also offering superior visibility.

As you consider the need for both traditional network visibility offered by NPBs as well as NetFlow analysis, truly the best way to accomplish this is with an integrated solution that delivers superior network visibility as well as superior NetFlow capability. The ATI Processor is not only an upgrade over other NPBs on the market, but it is also an upgrade to your NetFlow tools.

The ATI Processor is a game-changing quantum leap in the network visibility space, and really allows the NTO to go where no other packet broker has gone before.

Additional Resources:

NTO Application and Threat Intelligence Processor

Ixia NTO solutions

Ixia Network Visibility Architecture

Thanks to Ixia for the article. 
