Improving Network Visibility – Part 1: Data and Packet Conditioning

“What can really be done to improve network visibility?” This is a question that our customers often ask us. They’ve heard about this and that and something else but are often left confused as to what capabilities actually exist in the market to solve their network visibility problems.

In this multi-part blog, I’ll provide you an in-depth view of features that will deliver true benefits. There are 5 fundamental feature sets that we’ll cover:

  • Data and packet conditioning
  • Advanced packet filtering
  • Automated real time response capability
  • Intelligent, integrated and intuitive management
  • Vertically-focused solution sets

When combined, these capabilities can “supercharge” your network. This is because the five categories of monitoring functionality work together to create a coherent group of features that can, and will, lift the veil of complexity. These feature sets need to be integrated, yet modular, so you can deploy them to attack the complexity. This will allow you to deliver the right data to your monitoring and security tools and ultimately solve your business problems.

This first blog will focus on data and packet conditioning. Data and packet conditioning can mean different things to different people, but simply put it’s about manipulating the packets or packet streams for better quality. In the context of a data monitoring switch, we’re more concerned about removing duplicate data, grouping packets together to send to particular ports and tools, removing extraneous information like payload information and MPLS labels, or adding information like port tagging and timestamp information.

While data and packet conditioning is a general term, it usually incorporates the following components:

  • De-duplication
  • Load balancing
  • Packet trimming and MPLS stripping
  • Timestamping and port tagging

Let’s take a deeper look into each one of these components of data and packet conditioning to see what they really do.

De-duplication

Duplicate packets can come from several sources. Common sources include network switches, mirror ports and SPAN ports. For instance, even when a SPAN port is configured optimally, it may generate between one to four copies of a packet. This extra data can have negative implications, especially around monitoring and security. The duplicate packets from SPAN ports can represent as much as 50% of the network traffic being sent to a monitoring tool. Slower tools and duplicate packets reduce effective bandwidth capability, which causes data jams that result in dropped packets and lost data.

By adding a network monitoring switch, you can reduce the amount of data packets being sent to your tool farm. This has three fundamental benefits:

  • CPU load of a tool can be cut in half because the monitoring tool can focus on its primary task, not using CPU capability to sort and delete duplicate packets (which is extremely resource intensive)
  • Bandwidth at the Ethernet port of the tool can be conserved, so more data can be provided to the tool
  • The amount of data stored by the tools is reduced which can decrease your SAN (storage area network) costs

The Ixia Anue Net Tool Optimizer (NTO) takes de-duplication one step further with patented technology based upon implementing a de-duplication window that increases the efficiency of removing duplicate data packets in real-time from very high data rate streams. This patent allows the NTO to process duplicate packets with less loading on the monitoring switch CPU.

Load Balancing

Load balancing is another important feature of a monitoring switch that allows it to efficiently distribute data streams to the appropriate monitoring tools. This allows IT to prevent the overload of various tools in the tools farm.

The load balancing feature keeps session data together for better analysis. This function is used extensively with network data recorders. Since session data is kept together, only one data recorder needs to be accessed to analyze any given session at a later time.

The Ixia Anue NTO excels far above the competition in this area as well by supporting 16 ports of load balancing capability. This is one of the largest amounts of port balancing capability that is currently on the market and testifies as to the powerful capabilities contained within the NTO.

Packet Trimming and MPLS Stripping

Packet trimming capability gives IT the option to remove the data payload information, basically just leaving the header information. Since some monitoring tools don’t need the payload information, this is a useful feature.

There are two main benefits/use cases for this monitoring switch feature:

  • Since unnecessary information is removed, the monitoring tool can receive a far greater amount of network data
  • In the case of regulatory compliance concerns (HIPAA, PCI DSS, SOX, etc.), it may be desirable to “trim” or remove sensitive payload data

While MPLS is a useful protocol for traversing networks, it poses problems for many of the network monitoring tools in use today. Most monitoring tools aren’t capable of understanding MPLS-tagged packets, so they can’t monitor MPLS networks. Monitoring tools that can understand the MPLS label must spend time to process that information. This extra step usually has no benefit to the monitoring tool. By removing the MPLS labels, the monitoring tools can regain CPU processing capability and improve efficiency.

A good monitoring switch has the ability to remove the MPLS labels and forward the original packet so that monitoring tools which can’t handle the labels can still be used on MPLS networks. For the monitoring tools that can process the MPLS labels, the monitoring switch can improve their efficiency (i.e. increase capacity) by allowing the monitoring tools to focus on core monitoring functions.

Time Stamping and Port Tagging

Time stamping is a feature that allows you append a trailer containing a timestamp to individual packets. This allows you to have a diagnostic trail showing how long it takes for a packet to move from the monitoring switch to the monitoring tool that is downstream. This additional information can be useful when troubleshooting and investigating jitter and latency effects.

One of the Ixia NTO benefits associated with time stamping is that Ixia tags on the first bit of the first byte to ensure as accurate a timestamp as possible. The timestamp is then attached to the packet on egress. Other vendors tag on the last byte which allows for inaccuracies to be encountered before a timestamp is created. Since Ixia tags at the start, the packet timestamps are consistent across packet lengths.

Another important feature is the use of port tags. These tags can help ensure where packets came from and that transactions are secure. While most of the packet security responsibility falls upon firewalls, IPS/IDS and other SIEM tools, port tagging provides an additional way to ensure that packets have not been tampered with and the packet source location. The port tagging helps identify the source, beyond just an IP address, by placing VLAN information into the packet which helps determine where the packets came from. So if legitimate looking packets are coming from an unusual location, they can flagged for further investigation as to what is happening in the data center. The SIEM can help determine if the traffic is legitimate or not.

More information on the Ixia Anue Net Tool Optimizer monitoring switch and advanced packet filtering within the Network Visibility Operating System (NVOS) 3.8 is available on the Ixia website and the Simple Is website.

Additional Resources:

Thanks to Ixia for the article. 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: