Improving Network Visibility – Part 2: Advanced Filtering

In part 1 of this blog, I mentioned that our customers often ask the question “What can really be done to improve network visibility?” I answered the question with regards to data and packet conditioning. In the 2nd part of this discussion, I’ll continue to answer the question with a second set of features that will deliver even more verifiable benefits to improve network visibility.

I’ll provide you an in-depth view of features that will deliver true benefits. There are 5 fundamental feature sets that we’ll cover:

  • Data and packet conditioning
  • Advanced packet filtering
  • Automated real-time response capability
  • Intelligent, integrated, and intuitive management
  • Vertically-focused solution sets

When combined, these capabilities can “supercharge” your network. This is because the five categories of monitoring functionality work together to create a coherent group of features that can – and will – lift the veil of complexity. These feature sets need to be integrated, yet modular, so you can deploy them to attack the complexity. This will allow you to deliver the right data to your monitoring and security tools and ultimately solve your business problems.

Advanced packet filtering is one of the primary components (i.e., part of the secret sauce) which demonstrably improves visibility within the data network. While many monitoring switch vendors have filtering, very few can perform the advanced filtering that adds real value for businesses.

But what do we mean by “advanced filtering?” Advanced filtering includes the ability to filter packets across the anywhere it’s needed, using very granular criteria. Most monitoring switches just filter on the ingress and egress data streams. Only a few, like the Ixia Anue Net Tool Optimizer (NTO), can filter in between those two points as well. Filtering rules can be simple when you only have one or two monitor tools you need to send data to. But once the number of ports you need starts to increase, the number of filters increase and the potential for filters to overlap and prevent critical data from reaching the right tools. It takes time and money for the IT staff to write and maintain filter rules as the network changes. With the NTO filtering rule engine, all the filtering complexity is taken care for the NTO administrator and the IT department can focus on their value-add tasks such as resolving network problems and adding new capabilities to the network requested by the business.

Advanced packet filtering will usually incorporate the following components:

  • Basic filtering
  • 3 stage (dynamic) filtering
  • Pre-staged (floating) filters
  • Automated filters
  • Filter libraries

Let’s take a deeper look into each one of these components of filtering to see what it really does.

Basic Filtering

Basic packet filtering consists of either filtering the packets as they enter or leave the monitoring switch. Filtering at the ingress will restrict the flow of data (and information) from that point on. This is most often the worse place to filter, as tools and functionality downstream from this point will never have access to that deleted data. However, ingress filtering is commonly used to limit the amount of data on the network that is passed on to your tool farm and/or for very security sensitive applications that wish to filter non-trusted information as early as possible.

Egress filters are primarily meant for fine tuning of data packets sent to the tool farm. If IT tries to use these for the primary filtering functionality, they can easily run into an overload situation where the egress port is overloaded and packets are dropped.

3-stage (Dynamic) Filtering

Filtering can happen at three different points within a monitoring switch. Filtering at the ingress is called the 1st stage. Filtering at the egress is the 2nd stage. Filtering in between the ingress and egress would be called a 3rd stage of filtering. This 3-stage filtering capability, also called “dynamic filtering,” is a key aspect of advanced filtering. This type of filtering allows IT the capability to really take advantage of data flowing in from SPAN and TAP ports. The data can be segmented at a very granular level and then parsed out to individual or groups of monitoring and security tools across the LAN.

Dynamic filters are similar to that of ingress and egress filters except that the dynamic filter is located (and processed) in the middle, between the ingress and egress port filters. If dynamic filtering is used, the ingress filter can be left wide open so that the dynamic filters can segment and then aggregate packets from multiple ports and then send those packets on to the appropriate tool.

Filter Library

Any decent monitoring switch will allow users to save the filters they have created to a filter library so that they can be reused in the future. The filter library can also be pre-built by the IT organization for access whenever necessary without requiring knowledge of detailed filter criteria, addressing, or specifics surrounding a scenario. This library is perfect for a junior engineer or third-shift staff because they don’t need detailed knowledge of how to program a filter within a monitoring switch. The engineer can simply pull up a filter from the library and apply it with the graphical user interface to ingress and/or egress ports. This makes implanting filters quick and easy for the IT staff.

Pre-staged (Floating) Filters

As simple as it is to create filters on-the-fly or from a filter library, pre-staged “floating” filters are another nifty tool. This ability allows users to create a dynamic filter, or filters, ahead of time and then pre-connect them to a tool port for on-demand analysis. The filters are typically pre-configured for a specific purpose, common condition, or some vulnerability – allowing Network Operations personnel super-fast troubleshooting capabilities.

Floating filters allows an administrator that is more experienced with the monitoring switch to pre-stage diagnostic filters, regulatory or industry compliance (such as PCI DSS verification) filters, or other filter types. An authorized user, maybe an IT person responsible for network security or some other aspect, can then access the Control Panel and easily connect an ingress port to the floating filter and begin the data stream flow to a SIEM or other tool as needed.

Automating Filters

This primarily includes automation of functions to provide near instantaneous alerting and response when incidents arise and the ability for the system to automatically respond to those incidents with actions in real-time. Faster responses to problems result in a shorter mean time to diagnosis and a corresponding faster mean time to repair (MTTR).

A good monitoring switch will have an API capability built into it. When this is combined with scripting capability, the monitoring switch can react to network changes to deliver real-time responses to those network changes. For instance, automation scripts can be triggered in response to internal events (based upon some filter parameter or event monitoring parameter) or external events (such as SNMP traps, SNMP polls, Syslog, NMS events, SIEM events, or other software tool that supports TCL scripting).

More information on the Ixia Anue Net Tool Optimizer monitoring switch and advanced packet filtering within the Network Visibility Operating System (NVOS) 3.8 is available on the Ixia website and the Simple Is website.

Additional Resources:

Thanks to Ixia for the article.


Ixia’s v7.8 Director and Director Pro Release Empowers Customers with More Flexibility and Security Controls

The Net Optics Director family of smart filtering appliances (Network Packet Brokers) directs traffic of interest to monitoring tools in order to relieve oversubscription, leverage tool investment across groups, and centralize monitoring in the NOC.

As part of the new Director 7.8 software release, we are introducing several new key features for the Director and Director Pro product lines:

  • Port behavior configuration options are enabled for customers: Previously, network ports were bi-directional, that is, they could transmit and receive, even when unidirectional communications were intended. In this release, users can choose whether a port is receive only (RX), transmit only (TX), or keep the default setting (both RX and TX). While not required, this allows customers to further strengthen their security best practices.
  • Syslog enhancements make the product more secure: An enhancement was made to the syslog messages to record histories of every configuration change made by users. Now you’ll know who, what, where, when and how changes were made. Users can enable audit logs by issuing a log set audit on command line. Refer to the Director CLI Guide for more information on this command.
  • Native IPv6 support: IPv6 support was enhanced to allow users to configure logging, NTP, upgrade server, and tunnel settings. This change affects the CLI, Web UI, and SNMP interfaces.
  • Pro engine settings added to the Web UI make it more flexible and easy to use: The Pro Engine feature was added to the Director’s Web UI. Previously, you could only configure the Pro Engine settings using Director’s CLI.

For more information, see this link:

Additional Resources:

Ixia Director

Using xBalancer to Monitor Your 10 Gig Networks

Two big challenges with 10Gig monitoring are security gaps and the other is overall performance the existing security tools that cannot keep up with the overall throughput and the bandwidth of the network. As a result the 10 Gig links are growing rapidly and the backbones are getting huge.

From an attack standpoint they’re getting much more sophisticated and as a result the rules in the security devices are getting much more complex. A lot of the resources for being allocated now for content inspection

It’s critical that a network upgrade achieves two things, peek performance of your security and monitoring tools to support heavy volumes of traffic and at the same time you need to minimize CAPEX and OPEX expenditures

xBalancer allows IT professionals to meet these requirements by dynamically sharing the load between the tools. Its advanced features are unmatched in the marketplace because if it’s ultra-low predictable latency and high availability

xBalancer provides dynamic load balancing, it is using hash based algorithms to determine how to maintain the different flows. The flow can be defined by any combination of their five outputs of IPV4 or IPV6 assess as well as layer2 to information such as MAC and VLAN information.

It has up to 8 independent load balancing groups each one can have up to 16 different outputs

xBalancer has three advantages one is our tool sharing technology giving you the opportunity to have multiple tools deployed at the same time. This gives you an instant ROI and you can handle any of the bandwidth your network can throw at you.

We also know that heartbeat and link fault detect were two important features that we wanted to put into the device. This gives you the opportunity to make sure that all of the devices that are deployed with the xBalancer have high availability and that provides you the advantage of constant business continuity across your entire network.

Flexibility is very critical in the architecture of your network so the way that we designed the port mapping and filtering on xBalancer gives you the opportunity to handle any load balancing need your network has.

xbalancer-pic-1 For 10 Gig inline applications Net Optics combines xBalancer with bypass switching technology whereby we take full-duplex traffic and route it through the bypass bridge before we intelligently distribute the traffic across multiple inline tools. xBalancer maintains coherency across those tools and with the embedded heartbeat technology were able to take those tools out smoothly without losing network traffic.

xbalancer-pic-2In an out of band configuration traffic from the network flows into the xBalancer and is aggregated and then load balanced to a number of data recorders and forensic traffic recorders. So when you need to capture specific or confidential information the xBalancer makes it possible where traffic goes in one direction to the tools and doesn’t go back to the network links being tapped.

In other words it has 0 impact on the network traffic!

xbalancer-pic-1xBalancer enables tool sharing, when multiple independent links are connected to xBalancer which aggregate the traffic and then sends it back into the network. This is extremely useful for configurations such as emphasis and redundancy when you’ve got larger number of links with a specific number of security or monitoring devices and an additional number of devices that are used for backup.

So imagine in today’s networks, eminent growth, scalability budget constraints and complexity are challenged. Luckily Net Optics has a way to solve that. When you combine xBalancer with today’s leading security and monitoring solutions, were able to meet the customer’s requirements. We help our partners expand their reach within these customer environments but also help maintain their business objectives so it’s a real win win win situation for everyone.

Net Optics has engineered the xBalancer to maximize your greatest investment your network.

Thanks to Net Optics for the article.

Net Optics Director Software Release 7.0

Net Optics Director software Release 7.0

Check Out the New ‘Smart Seven’ — Director 7.0

Intelligent Access and Monitoring Architecture Solution  

Superior Security, Flexibility and Performance

Smart filtering just topped a whole new level with Director 7.0. This is our flagship Network Packet Broker—speeding traffic of interest to your instrumentation layer tools to relieve oversubscription, centralize monitoring and compliance, and optimize your tool investment. This enriched upgrade offers:

Filtering on MPLS Labels

Analyze MPLS traffic more quickly and easily, with support for up to 4 MPLS labels.

More SNMP Trap Servers for Accurate Notification and Monitoring

Five SNMP trap servers deliver better reliability and higher performance. Filtering works for packets with or without one VLAN tag

Support for 8 User-Defined Filter (UDF) Offsets

Greater flexibility and more options: Cover complex filtering use cases

Session Timeout and Improved UI Performance

Enhance system security with user-configurable timeout periods for CLI and Web UI sessions.

User-Selected FTP Connection Modes

Easily set FTP connection session to passive or active mode when importing or exporting configuration files. If Active, Director 7.0 periodically ensures that the session remains active; in passive mode this is not done—your choice

Expanded Menu of CLI Commands

  • Config import/export ◦ Log export
  • Security export/import ◦ Upgrade
  • CLI parameter validation

Ask us how Director 7.0 makes your monitoring and filtering faster, easier and more efficient.

Year-End Network Monitoring Assessment

Planning for the Future

Net Optics Network Assessment As we approach the New Year, many organizations’ data centers and network configurations are in lockdown mode. Whether this is due to assuming a defensive posture against the onslaught of holiday ecommerce traffic, or an accommodation to vacationing staff, the situation provides network managers an opportunity to perform a year-end network monitoring assessment

Establish Future Goals, Identify Current Weaknesses and Make Sure Core Tasks and Goals Are Achieved

Q. How many locations will you need to monitor in the New Year?

If there are new server clusters or even new data centers in the works, be sure to plan accordingly, and ensure that your network monitoring tools will have visibility into those areas. Net Optics’ own Aggregation and Regeneration Taps can be used to incorporate more points of visibility for your existing monitoring tools within your growing network. Advanced appliances such as Network Packet Brokers (NPBs) can perform more sophisticated switching and filtering to optimize visibility within that network sprawl.

Q. What traffic will you be responsible for monitoring?

If you are providing network support, you need to understand immediately the nature, volume and security of the traffic flowing over your network. Is your organization planning to implement new applications or services on the network? Even the introduction or expansion of virtualization will require a monitoring plan that incorporates virtualization taps. For organizations looking to simplify their network performance monitoring, Net Optics’ Spyke appliance provides plug-and-play performance monitoring. Additionally, load balancers designed specifically for distributing network monitoring data to multiple tools can extend the useful life of 1G tools by sharing 10G traffic across a pool of devices.

Q. What new threats will the network face, and what preventative measures will you add?

The growing phenomena of advanced persistent threats (APTs) and directed attacks against network vulnerabilities demand a stronger response from security personnel. Dimension Data’s recent 2012 Network Barometer Report indicates that 75 percent of devices within an organization’s network contain a known security vulnerability. Many organizations deploy a defense-in-depth strategy with overlapping security tools to provide more robust security coverage. Be sure to schedule software updates for all of your network security tools, and make sure those security tools have total visibility of the traffic they are monitoring.

Q. What is your replacement plan for older equipment?

Also included in Dimension Data’s Network Barometer Report is that many organizations are utilizing equipment that has reached an end-of-life, end-of-sale or end-of-support stage. Budgeting for, and planning ahead for the obsolescence or re-tasking of these devices should be included in your plan for the coming year.

Q. What are your redundancy and failover plans?

One option for extending the useful life of your legacy monitoring tools is to utilize them as redundant tools in case of failover. Utilizing bypass switches or high-availability modes in NPBs can make use of these tools in the event a primary device is put in maintenance mode, taken offline, or experiences a hardware failure. Consider assessing your older equipment on the basis of discarding the equipment entirely OR re-purposing it as a hot-standby.

Q. Have you included hardware/software maintenance in your annual budget?

Most hardware vendors offer annual maintenance and service plans for their devices. Renewing and maintaining these plans is critical to ensuring that you have access to the latest software updates. Additionally, should any of your devices experience hardware failure, advance replacement plans can get replacement equipment into your network as soon as possible.

Thanks fo Net Optics for this Great Article

Director 5.0 Delivers New Ways to Instrument Smarter and Simpler

Upgrade Net Optics Director now to Streamline Your Key Tasks

Discover Director 5.0! We’ve upgraded to deliver intelligent new management and filtering capabilities—plus even more convenience features. We’ve also made it easier than ever to put Director 5.0 to work. Visit the Customer Portal now, and start gaining the benefits of these substantial improvements for your network.

Smart Filtering Features Drive Efficiency Gains

Net Optics Director 5.0
New! Filter Tagging identifies input streams in aggregated traffic:
  • The filter through which the packet was directed
  • Which ports the packets arrive from (including packets arriving from ports across the daisy chain)
Net Optics Director 5.0
Enhanced User Defined Filter (UDF) adds flexibility and grows your options:
  • Support advanced filter options using four 4-byte offsets and four
  • DF values
  • Combine UDF with IPv4 and L2 filter qualifiers
  • Combine UDF with Deep Packet Inspection for seamless options
  • Filter with multiple MPLS labels
  • Filter with Cisco VN tag
  • Load-balance RTP traffic
  • Filter on HTTP header

Streamlined Enterprise Management Expands Your Reach

Net Optics Director 5.0
New! Syslog Capabilities
  • Granular syslog messaging
  • Send syslog messages to  multiple servers
  • Set individual message level for each server
Net Optics Director 5.0
Improved SNMP Support
  • Support for filter tagging, enhanced user defined filters, system shutdown and increased port counter size (64 bit)

Many New Ways to Say “Easy to Use”

Net Optics Director 5.0
Streamlined Daisy Chain Management
  • Save time, reduce error with one-touch upgrade for all nodes
  • Revision control: Smooth and stabilize upgrades with reboot, image swap
  • Easily synchronize system clock, set date and time on all nodes
  • Self-provisioning: Users change their own passwords
Net Optics Director 5.0
Simplified—yet powerful—Web GUI
Log configuration and management
  • Configure/Display/Export/Clear log
  • Configuration file management:
  • Export/Import/Load config file
  • Security enhancements:
  • Manage Web RSA key, certificate, CSR and SSH key information
  • Support for Syslog
  • Set system IP address using DHCP
  • Support for Ping : Test reachability of a host on the network

The enhanced functionality and quality engineering of Director 5.0 result from our deep commitment to listen to our customers and fulfill their needs in all aspects of our solutions. At Net Optics, we put customers first and welcome your feedback at all times. Director software version 5.0 upgrade required. Version 5.0 supports Director models DIR-3400, DIR-5400, and DIR-7400 and Director Pro models DIR-3400P and Dir-6400P.

Contact us at or 800-561-4019 to ask about your upgrade

Doing it right! Deploying new Contact Center Solutions

If you have gone through the cost and expense of deploying a new IVR or contact Center Solution, you know some of the unexpected surprises that you run into.    In a recent survey 96% of respondents said they would switch to a competitor as a result of a bad experience with a contact center.   So getting it right the first time is very important to maintaining your business.

The Bottom Line

Test the Design
Test before Deployment
  • Failover Testing
Test After Deployment
  • Regression Testing

If an application doesn’t perform the way it needs to, customers are going to turn to your agents – or your competitors – to get the level of service they requireBy Testing your system before and during deployment you can ensure that your system is delivering the high quality experience to your customers.