The Network Design and Equipment Deployment Lifecycle

As we all know, technology has a life cycle of birth, early adoption, mainstream use, and then obsolescence. Even the average consumer is very much in touch with this lifecycle. However, within this overarching lifecycle there are “mini” lifecycles. One of these mini lifecycles that is particularly important to enterprises is the network design and equipment deployment lifecycle. This lifecycle is the basic roadmap of how equipment gets deployed within a company data network and a key topic of concern for IT personnel. While it’s its own lifecycle, it also aligns with the typical ITIL services of event management, incident management, IT operations management, and continual service improvement.

There are 5 primary stages to the network design and equipment deployment lifecycle: pre-deployment, installation and commissioning, assurance monitoring, troubleshooting, and decommissioning. I’ll disregard the decommissioning phase in this discussion as removing equipment is fairly straightforward. The other four phases are more interesting for the IT department.

The adjacent diagram shows a map of the four fundamental components within this lifecycle. The pre-deployment phase is typically concerned with lab verification of the equipment and/or point solution. During this phase, IT spends time and effort to ensure that the equipment/solution they are receiving will actually resolve the intended pain point.

During the installation and commissioning phase, the new equipment is installed, turned on, configured, connected to the network and validated to ensure that it is functioning correctly. This is typically the least costly phase in which to find set-up problems. If those initial set-up problems are not caught and eliminated here, it is much harder and more costly to isolate them in the troubleshooting phase.

The assurance monitoring stage is the ongoing maintenance and administration phase. Equipment is monitored on an as-needed or routine basis (depending upon component criticality) to make sure that it’s functioning correctly. Just because alarms have not been triggered doesn’t mean the equipment is functioning optimally. Changes may have occurred in other equipment or the network that are propagating into other equipment downstream and causing problems. The assurance monitoring stage is often linked with proactive trend analysis, service level agreement validation, and quality of service inspections.

Troubleshooting is obviously the reactive portion of the lifecycle, devoted to fixing equipment and network problems so that the network can return to an optimized, steady-state condition. Most IT personnel are extremely familiar with this stage as they battle equipment failures, security threats and network outages due to equipment problems and network programming changes.

Ixia understands this lifecycle well, and it’s one of the reasons that it acquired BreakingPoint and Anue Systems during 2012. We have capabilities to help the IT department in all four of these phases of the network design and equipment deployment lifecycle. These tools and services are focused on directly improving key metrics for IT:

  • Decrease time-to-market for solutions to satisfy internal projects
  • Decrease mean-time-to-repair metrics
  • Decrease downtime metrics
  • Decrease security breach risks
  • Increase business competitiveness

The exact solution to achieve customer-desired results varies. Some simple examples include the following:

  • Using the NTO monitoring switch to give your monitoring tools the right information to gain the network visibility you need
  • Using the NTO simulator to test filtering and other changes before you deploy them on your network
  • Deploying the Ixia Storm product to assess your network security and also to simulate threats so that you can observe how your network will respond to security threats
  • Deploying various Ixia network testing tools (IxChariot, IxNetwork) to characterize the new equipment and network during the pre-deployment phase

Additional Resources:

Ixia Solutions

Network Monitoring

Related Products

Ixia Net Optics Network Taps: Ixia Net Optics network taps provide access for security and network management devices.
Ixia Net Tool Optimizers: Out-of-band traffic aggregation, filtering, dedup, load balancing

Thanks to Ixia for the article.

The Importance of State

Ixia recently added passive SSL decryption to the ATI Processor (ATIP). ATIP is an optional module in several of our Net Tool Optimizer (NTO) packet brokers that delivers application-level insight into your network with details such as application ID, user location, and handset and browser type. ATIP gives you this information via an intuitive real-time dashboard, filtered application forwarding, and rich NetFlow/IPFIX.

Adding SSL decryption to ATIP was a logical enhancement, given the increasing use of SSL for both enterprise applications and malware transfer – both things that you need to see in order to monitor and understand what’s going on. For security, especially, it made a lot of sense for us to decrypt traffic so that a security tool can focus on what it does best (such as malware detection).

When we were starting our work on this feature, we looked around at existing solutions in the market to understand how we could deliver something better. After working with both customers and our security partners, we realized we could offer added value by making our decrypted output easier to use.

Many of our security partners can deploy their systems either inline (traffic must pass through the security device, which can selectively drop packets) or out-of-band (the security device monitors a copy of the traffic and sends alerts on suspicious traffic). Because they must work in either topology, they’re built to handle fully stateful TCP connections, with a full TCP handshake, sequence numbers, and checksums. In fact, many will flag an error if they see something that looks wrong. It turns out that many passive SSL solutions on the market produce output that isn’t fully stateful, so they trigger those errors or require certain checks to be disabled.

What exactly does this mean? Well, a secure web connection starts with a 3-way TCP handshake (see this Wikipedia article for more details), typically on port 443, and both sides choose a random starting sequence (SEQ) number. This is followed by an additional TLS handshake that kicks off encryption for the application, exchanging encryption parameters. Once encryption is established, the actual application starts and the client and server exchange application data.

When decrypting and forwarding the connection, some of the information from the original encrypted connection either doesn’t make sense or must be modified. Some information, of course, must be retained. For example, if the security device is expecting a full TCP connection, then it expects a full TCP handshake at the beginning of the connection – otherwise packets are just appearing out of nowhere, which is typically seen as a bad thing by security devices.

Next, in the original encrypted connection, there’s a TLS handshake that won’t make any sense at all if you’re reading a cleartext connection (note that ATIP does forward metadata about the original encryption, such as key length and cipher, in its NetFlow/IPFIX reporting). So when you forward the cleartext stream, the TLS handshake should be omitted. However, if you simply drop the TLS handshake packets from the stream, then the SEQ numbers (which keep count of transmitted packets from each side) must be adjusted to compensate for their omission. And every TCP packet includes a checksum that must also be recalculated over the new decrypted packet contents.

If you open up the decrypted output from ATIP, you can see all of this adjustment has taken place. Here’s a PCAP of an encrypted Netflix connection that has been decrypted by ATIP:

[Screenshot: Wireshark view of the decrypted Netflix connection]

You’ll see there are no out-of-sequence packets, and no indication of any dropped packets (from the TLS handshake) or invalid checksums. Also note that even though the encrypted connection was on port 443, this flow analysis shows a connection on port 80. Why? Because many analysis tools will expect encrypted traffic on port 443 and cleartext traffic on port 80. To make interoperability with these tools easier, ATIP lets you remap the cleartext output to the port of your choice (and a different output port for every encrypted input port). You might also note that Wireshark shows SEQ=0. That’s not the actual sequence number; Wireshark just displays a 0 for the first packet of any connection so you can use the displayed SEQ number to count packets.
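The bookkeeping described above (omit the TLS handshake, substitute cleartext, renumber SEQ/ACK, remap the port, recompute checksums) is easier to see in code. The block below is an added example, not ATIP’s or Ixia’s code; it assumes a constructed capture in which each TLS application-data segment already carries the cleartext it is taken to contain (the decryption step itself is out of scope), with the IPv4 addresses, ports and record lengths all made up. `stream_issues` plays the part of a stateful tool: it complains about sequence gaps, ACKs that cover bytes the peer never sent, and checksums that no longer verify. Because sequence numbers advance by payload bytes (plus one each for SYN and FIN), a sender’s SEQ must drop by the bytes removed from its own stream so far and its ACK by the bytes removed from the peer’s, which is what `rewrite_cleartext` tracks per direction.

```python
"""Added example (not ATIP or Ixia code): the bookkeeping a passive decryptor
needs so a stateful downstream tool sees a clean cleartext connection. All
addresses, ports, records and cleartext below are constructed; decryption is
out of scope, so each TLS application-data segment carries its assumed cleartext."""
from dataclasses import dataclass, replace
import socket
import struct

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

@dataclass
class Segment:
    src: str; dst: str; sport: int; dport: int
    seq: int; ack: int; flags: int
    payload: bytes = b""
    kind: str = "tcp"        # "tcp" (handshake/ack/fin), "tls_hs" or "tls_app"
    cleartext: bytes = b""   # stand-in for the decryptor's output on tls_app
    checksum: int = 0

def checksum_of(seg):
    """RFC 793 checksum over pseudo-header + 20-byte TCP header (checksum field 0) + payload."""
    hdr = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                      5 << 4, seg.flags, 65535, 0, 0)
    pseudo = (socket.inet_aton(seg.src) + socket.inet_aton(seg.dst)
              + b"\x00\x06" + struct.pack("!H", len(hdr) + len(seg.payload)))
    data = pseudo + hdr + seg.payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def finalize(seg):
    return replace(seg, checksum=checksum_of(seg))

def rewrite_cleartext(stream, port_map):
    """Drop TLS handshake segments, swap cleartext in for encrypted records,
    renumber SEQ/ACK per direction, remap ports, recompute every checksum.
    SEQ counts payload bytes (plus one each for SYN and FIN), so a sender's SEQ
    drops by the bytes removed from its own stream so far and its ACK by the
    bytes removed from the peer's. Assumes the capture is in causal order."""
    removed, out = {}, []
    for seg in stream:
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        removed.setdefault(fwd, 0); removed.setdefault(rev, 0)
        if seg.kind == "tls_hs":
            removed[fwd] += len(seg.payload)   # handshake is omitted entirely
            continue
        payload = seg.cleartext if seg.kind == "tls_app" else seg.payload
        new = replace(seg, sport=port_map.get(seg.sport, seg.sport),
                      dport=port_map.get(seg.dport, seg.dport),
                      seq=seg.seq - removed[fwd], ack=seg.ack - removed[rev],
                      payload=payload)
        removed[fwd] += len(seg.payload) - len(payload)  # record vs. cleartext length
        out.append(finalize(new))
    return out

def naive_drop(stream):
    """What a tool receives if the handshake is merely filtered out and the
    payload swapped, with no renumbering and no checksum recalculation."""
    return [replace(s, payload=s.cleartext) if s.kind == "tls_app" else s
            for s in stream if s.kind != "tls_hs"]

def stream_issues(stream):
    """The checks a stateful tool makes: each segment starts where the same
    sender's previous one ended, no ACK covers bytes the peer never sent, and
    every checksum verifies. Returns the complaints (empty list if clean)."""
    issues, nxt = [], {}
    for i, seg in enumerate(stream):
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if fwd in nxt and seg.seq != nxt[fwd]:
            issues.append(f"segment {i}: seq {seg.seq}, expected {nxt[fwd]}")
        if seg.flags & ACK and rev in nxt and seg.ack > nxt[rev]:
            issues.append(f"segment {i}: acks unseen byte {seg.ack}")
        if seg.checksum != checksum_of(seg):
            issues.append(f"segment {i}: bad checksum")
        nxt[fwd] = seg.seq + len(seg.payload) + bool(seg.flags & SYN) + bool(seg.flags & FIN)
    return issues

C, S = "10.0.0.1", "10.0.0.2"                       # constructed client/server
REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"

def sample_stream():
    """Constructed capture: 3-way handshake, three TLS handshake segments, one
    encrypted request and response, then the final ACK and FIN."""
    def c2s(seq, ack, flags, payload=b"", kind="tcp", clear=b""):
        return finalize(Segment(C, S, 51000, 443, seq, ack, flags, payload, kind, clear))
    def s2c(seq, ack, flags, payload=b"", kind="tcp", clear=b""):
        return finalize(Segment(S, C, 443, 51000, seq, ack, flags, payload, kind, clear))
    return [c2s(1000, 0, SYN), s2c(5000, 1001, SYN | ACK), c2s(1001, 5001, ACK),
            c2s(1001, 5001, PSH | ACK, b"\x16" * 100, "tls_hs"),   # ClientHello
            s2c(5001, 1101, PSH | ACK, b"\x16" * 300, "tls_hs"),   # server flight
            c2s(1101, 5301, PSH | ACK, b"\x16" * 80, "tls_hs"),    # client flight
            c2s(1181, 5301, PSH | ACK, b"\x17" * 60, "tls_app", REQ),
            s2c(5301, 1241, PSH | ACK, b"\x17" * 120, "tls_app", RESP),
            c2s(1241, 5421, ACK), c2s(1241, 5421, FIN | ACK)]
```

Running `stream_issues(naive_drop(sample_stream()))` reports the first cleartext segment starting 180 bytes past where the tool expects it, plus a bad checksum; `stream_issues(rewrite_cleartext(sample_stream(), {443: 80}))` is empty, and the output connection now sits on port 80 with the request at SEQ 1001, exactly as the screenshot above shows for ATIP’s output.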

The following ladder diagram might also help to make this clear:

[Ladder diagram: original encrypted connection and forwarded cleartext connection]

To make Ixia’s SSL decryption even more useful, we’ve also added a few other new features. In the 1.2.1 release, we added support for Diffie-Hellman keys (previously, we only supported RSA keys), as well as Elliptic Curve ciphers. We’ve also added reporting of key encryption metadata in our NetFlow/IPFIX reporting:

[Screenshot: encryption metadata in NetFlow/IPFIX reporting]

As you can see, we’ve been busy working on our SSL solution, making sure we make it as useful, fast, and easy-to-use as possible. And there’s more great stuff on the way. So if you want to see new features, or want more information about our current products or features, just let us know and we’ll get on it.

More Information

ATI Processor Web Portal

Wikipedia Article: Transmission Control Protocol (TCP)

Wikipedia Article: Transport Layer Security (TLS)

Thanks to Ixia for the article.

Common Monitoring Switch Deployment Scenarios

As IT departments see the increasing value of network monitoring, sometimes there is confusion as to how to deploy monitoring switches – from an organizational point of view. There are two common deployment scenarios. The first is where the IT operations department owns the network monitoring switch, also known as a network packet broker (NPB). This group then centralizes control and access to the NPB so that multiple IT groups can use the same NPB. The second is where the core networking group within the IT department owns the NPB and uses it to optimize information flow to a monitoring tool farm.

In the first scenario (businesses with a centralized IT operations group responsible for IT service management), the operations group acts as a broker for the monitoring switch. They provide centralized, role-based access to the NPB for their internal customers. The operations group also handles routine maintenance and product software updates. That group’s internal customers (like the security group and core networking group) can then use the NPB to perform the different functions they need it to, without further interaction with the operations group.

Removing dependencies (and delays) on other groups can have dramatic business benefits. Service and equipment turn-up time can be decreased from hours or days to minutes. While some enterprise IT departments have tried implementing internal SLAs to speed up intergroup dependencies, centralized access to equipment like this can help eliminate the whole SLA conversation and make life easier within the IT department.

Another huge benefit of a centralized deployment is that automation can be implemented around the NPB. Automation between the monitoring switch and other network equipment can enhance many IT department initiatives such as troubleshooting, automated provisioning, regulatory compliance, capacity planning, and virtualization workflows. See the Ixia whitepaper Automation: The Future of Network Visibility for more information on improving network visibility using automation.

Smaller organizations may not have a core IT operations group. They tend to have more dedicated functionalities within the IT department. However, the equipment is still just as useful to these IT individuals and/or groups, especially the security group and the monitoring tools group. The person or group responsible for monitoring tools can take advantage of the NPB capabilities to remove the need for “crash carts” and change board approvals for connecting monitoring tools to the network. A single monitoring switch can be used to feed multiple monitoring tools to optimize tool productivity and return on investment.

Once the NPB is inserted into the network, other IT engineers can take advantage of it as well. For instance, the network engineer can implement workflows to reduce mean time to diagnosis and the corresponding mean time to repair (MTTR), optimize data sent to protocol analyzers and debugging tools, and improve overall network visibility with proactive scans and trend analysis.

The network security engineer can use the NPB to optimize the information flow to security tools and data recorders. This allows the engineers to better debug network anomalies and respond faster to security threats, minimizing data theft and/or cyber attack damage.

If you are interested in learning more about Ixia’s network visibility and monitoring solutions and how we can help you get the most out of your tools, information on monitoring solutions, like the Ixia Anue Net Tool Optimizer, can be found on the Ixia website. You can also request a demo for the Ixia Anue Net Tool Optimizer and its capabilities.

Additional Resources:

Ixia Anue Net Tool Optimizer

White Paper: Automation: The Future of Network Visibility

Thanks to Ixia for the article.

Mobile Network Optimization

Visibility Into Quality

What happens when we offload voice traffic to Wi-Fi? As user demand for high-quality anytime, anywhere communications continues growing exponentially, mobile providers are evolving core networks to higher capacity technologies such as 4G LTE. As they do so, mobile network optimization increasingly relies on detecting and preventing potential performance issues. Accomplishing this detection becomes even more challenging, given the expanding mix of tools, probes, interfaces, processes, functions, and servers involved in network monitoring and optimization.

Ixia’s network visibility solutions provide the ongoing data needed for mobile network optimization. They help deliver a high-quality subscriber experience reliably and cost-effectively, despite the growing diversity of network technologies, user devices, and security threats. As operational complexity increases, network engineers at leading mobile service providers can leverage Ixia’s suite of network monitoring switches to ensure the end-to-end visibility needed to minimize OPEX, sustain profitability, and safeguard quality and user satisfaction.

Ixia’s mobile network visibility solutions deliver:

  • Traffic optimized for monitoring
  • Automated troubleshooting to reduce MTTR
  • A breakthrough “drag and drop” GUI management interface that streamlines configuration
  • Expanded network monitoring capacity

Carrier-grade Mobile Network Capabilities

Ixia’s expanding suite of network visibility solutions offers a host of new capabilities that equip network engineers at telecommunications providers to achieve end-to-end network visibility—simply and efficiently. NEBS-compliant and suitable for 4G LTE packet cores, these solutions connect multiple network monitoring tools to a large number of 40GbE, 10GbE, and 1GbE interfaces (up to 16 40GbE ports or up to 64 10GbE ports) in an efficient form factor. Reflecting Ixia’s globally renowned monitoring innovation, these carrier-grade solutions offer features such as:

  • MPLS and GTP filtering
  • Custom dynamic filtering to allow visibility into the first 128 bytes of packets
  • Uninterrupted access for high-availability network monitoring
  • NEBS certification that ensures robustness
  • Redundant, hot-swappable power supplies and fan modules
  • Local and remote alarm relay support
  • Emergency out-of-band reset
  • Intuitive drag-and-drop control panel
  • Aggregation of data from multiple network access points

Ixia gives telecommunications providers easy access to end-to-end analyses of architected networks, lets them validate field applications, and helps improve customer loyalty and support. These solutions deliver the actionable insights needed to dynamically detect, avoid, and address issues. Overall, Ixia’s robust end-to-end network visibility solutions allow engineers to evaluate and optimize network and application performance under diverse conditions, maximizing ROI and the quality of the user experience.

 

Related Products

Ixia Anue NTO 7300 (Net Tool Optimizers): Out-of-band traffic aggregation, filtering, dedup, load balancing
Ixia Anue GTP Session Controller: Intelligent distribution and control of mobile network traffic

 

Thanks to Ixia for the article.

Application Intelligence For Your Monitoring Tools

Application intelligence (the ability to monitor packets based on application type and usage) is the next evolution in network visibility. It can be used to dynamically identify all applications running on a network. Distinct signatures for known and unknown applications can be identified, captured, and passed on to specialized monitoring tools in order to give network managers a complete view of their network.

In addition, well-designed visibility solutions will gather additional (contextual) information on applications and users. Examples of this contextual information include: geo-location of application usage, network user types, operating systems, and browser types that are in use on the network.

With the number of applications used over service provider and enterprise networks rapidly increasing, application intelligence provides unprecedented visibility that enables IT organizations to identify unknown network applications. This level of insight helps mitigate network security threats from suspicious applications and locations. It also allows IT engineers to spot trends in application usage which can be used to predict, and then prevent, congestion.

The Application Intelligence portion of a network packet broker (NPB) is used in conjunction with other components (as part of a visibility architecture) to achieve this heightened level of visibility. For instance, a typical visibility solution has network access points (typically taps), the NPB, which provides layer 2 through 4 filtering (in addition to the application filtering information), and dedicated purpose-built monitoring tools (like IPS, IDS, SIEMs, network analyzers, etc.). So the application intelligence portion doesn’t function as an island, but rather as an integrated component of the overall visibility solution.

Ixia’s new Application and Threat Intelligence (ATI) Processor, built for the recently announced NTO 7300, brings intelligent functionality to the network packet broker landscape with its patent-pending technology that dynamically identifies all applications running on a network. This product gives IT organizations the insights needed to ensure the network works – every time and everywhere. This is the first visibility product of its kind that extends past layer 4 to layer 7, and provides rich data regarding the behavior and locations of users and applications in the network.

As new network security threats emerge, the ATI Processor helps IT improve their overall security with better intelligence for their existing security tools. The ATI Processor correlates applications with geography and can identify compromised devices and malicious activities such as Command and Control (CNC) communications from malicious botnet activities. IT organizations can now dynamically identify unknown applications, identify security threats from suspicious applications and locations, and even audit for security policy infractions – including the use of prohibited applications on the network or devices.

To learn more, please visit the ATI Processor product page, see our press release, or contact us to see a demo!

Additional Resources:

ATI Processor product page

Ixia NTO 7300

Ixia Visibility solutions

Press release

Thanks to Ixia for the article.

Ixia Network Visibility Operating System 4.2 General Availability

The Network Visibility Operating System (NVOS) v4.2 release is now available for download to current Net Tool Optimizer® (NTO) customers at the Ixia Customer Portal. Partners can find the MIB files and user guide in the product section of the Ixia Partner Portal.

This new software update supports the following NTO models: NTO 5288, NTO 5293, and ControlTower (NTO 5260, 5263, and 5268).

What is New

  • Advanced Feature Module (AFM16) enhancements
  • Improved filter configuration capabilities enable more sophisticated filtering
    • Seamless integration of standard, MPLS, GTP and custom dynamic filtering
    • Support for Q-in-Q VLAN filtering
    • New “Pass by Criteria” filtering option for tool ports
  • New port configuration options enhance NTO deployment flexibility
    • Enable tool ports to stay up when there is no receive (RX) signal
    • Turn off the transmit side (TX) of network ports

Please see the Release Notes for a complete list of new features and enhancements.

In addition, a new software update for the NTO 7300 series (NVOS 4.0.3) is generally available as well. This newest software release supports the ATI Processor and the Packet Capture Module.

Thanks to Ixia for the article.

ControlTower Gains FabricPath Stripping

Networking technology continues to evolve. An example of such evolution is the development of something called FabricPath. FabricPath was invented by Cisco® around 2010 for their Nexus line of switches (e.g., Nexus 7000 and Nexus 5500) as part of their 3.0 release of VMDC. The key benefit of this technology is that it eliminates the complexities of Spanning Tree Protocol (STP) and thereby enables the building of massively scalable and flexible data centers. To accomplish this, FabricPath adds a new header to the frames that enter the fabric. This encapsulation header contains the source and destination addresses.

[Figure: FabricPath encapsulation header. Source: VMDC 3.0 Introduction]

One of the challenges with the deployment of new encapsulation technologies such as FabricPath is that they create blind spots from a monitoring perspective. You need to be able to undo this encapsulation to prevent blind spots. The reason the blind spots appear in your network is that legacy monitoring tools will probably not understand the FabricPath headers. If they don’t understand the headers, they’ll either discard the packet or set it aside in a buffer. In either case, a blind spot appears, since certain data packets can’t be properly processed and analyzed. The encapsulated traffic is therefore effectively hidden from the monitoring tools.

The great news is that Ixia just released a solution to help you maintain visibility into FabricPath-encapsulated network traffic. Our new NVOS 4.2 software for the Ixia Anue Net Tool Optimizer (NTO) includes a new feature that enables you to strip off the FabricPath headers so your monitoring tools can continue to deliver visibility into the network.
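To make the blind spot and the stripping step concrete, here is an added example in Python that is not NTO code. It assumes the FabricPath encapsulation layout as Cisco describes it, which is an assumption of this example rather than something the article states: 16 bytes in front of the original Ethernet frame, consisting of an outer destination address (6 bytes), an outer source address (6 bytes) and a 4-byte FP tag whose first two bytes are the EtherType 0x8903 followed by a 10-bit FTag and a 6-bit TTL. The inner frame, the outer addresses and the IPv4 header are all constructed. `legacy_tool_view` models a tool that only understands plain Ethernet and 802.1Q: it reaches the IPv4 header on the original frame, sees only an unknown EtherType on the encapsulated frame (the blind spot), and sees IPv4 again once `strip_fabricpath` has removed the outer header.

```python
"""Added example (not Ixia/NTO code): why FabricPath encapsulation blinds a
legacy tool and what header stripping has to do. The 16-byte layout below is an
assumption based on Cisco's published description; all frames are constructed."""
import struct

ETHERTYPE_FABRICPATH = 0x8903   # assumed FP tag EtherType
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
FP_HEADER_LEN = 16              # outer DA (6) + outer SA (6) + FP tag (4)

def ethertype_of(frame: bytes) -> int:
    """EtherType field of an Ethernet frame (bytes 12-13)."""
    return struct.unpack("!H", frame[12:14])[0]

def legacy_tool_view(frame: bytes) -> str:
    """A tool that only knows plain Ethernet / 802.1Q: returns 'ipv4' if it can
    reach the IP header, else 'unknown' (the frame is dropped or buffered)."""
    et, off = ethertype_of(frame), 14
    if et == ETHERTYPE_VLAN:                      # single 802.1Q tag
        et, off = struct.unpack("!H", frame[16:18])[0], 18
    if et == ETHERTYPE_IPV4 and len(frame) >= off + 20:
        return "ipv4"
    return "unknown"

def strip_fabricpath(frame: bytes) -> bytes:
    """Remove the outer FabricPath header when present; pass other frames through."""
    if len(frame) >= FP_HEADER_LEN + 14 and ethertype_of(frame) == ETHERTYPE_FABRICPATH:
        return frame[FP_HEADER_LEN:]
    return frame

def build_fabricpath_frame(inner: bytes, ftag: int = 1, ttl: int = 32) -> bytes:
    """Wrap an Ethernet frame the way the fabric would (assumed layout)."""
    outer_da = bytes.fromhex("010f00c1000a")      # constructed switch-ID style addresses
    outer_sa = bytes.fromhex("000f00c20001")
    fp_tag = struct.pack("!HH", ETHERTYPE_FABRICPATH,
                         ((ftag & 0x3FF) << 6) | (ttl & 0x3F))
    return outer_da + outer_sa + fp_tag + inner

# Constructed inner frame: Ethernet header (IPv4) + 20-byte IPv4 header + 20 bytes of payload
INNER = (bytes.fromhex("0050560000010050560000020800")
         + bytes.fromhex("45000028000040004006000a0a0000010a000002")
         + b"\x00" * 20)
```

On the constructed frame, `legacy_tool_view(INNER)` returns `'ipv4'`, `legacy_tool_view(build_fabricpath_frame(INNER))` returns `'unknown'`, and stripping the encapsulation returns the original frame byte for byte, which is the point of having the packet broker do this before the traffic reaches the tools.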

In addition to the new FabricPath stripping capability, the NVOS 4.2 software release also supports other new features like:

  • Advanced Feature Module (AFM16) enhancements
  • Improved filter configuration capabilities that simplify more sophisticated filtering
  • User interface improvements that make it easier to work with hundreds of ports

More information about Ixia network performance, network security, and network visibility solutions, and how they can help generate the insight needed for your business, is available on the Ixia website.

Additional Resources:

Video: Network visibility solutions

Thanks to Ixia for the article.