
Archive for May, 2009

Retrospective Network Analysis

Thursday, May 7th, 2009

While network complexity and bandwidth demands continue to increase, applications such as VoIP increase performance requirements. Now more than ever, network administrators require versatile monitoring and analysis tools to quickly troubleshoot business-critical operations and monitor security and compliance. In this environment, Retrospective Network Analysis (RNA) tools that let you go “back in time” to reconstruct a failure or attack can offer distinct advantages over analysis tools that only operate in real time.

Background

Retrospective network analysis (RNA) allows IT professionals to quickly browse backwards through massive amounts of network traffic. RNA allows network engineers to view breaches and anomalies exactly as they happened, within the context of other activity as it occurred on the network, thus sidestepping the often labor intensive step of trying to re-create problems to troubleshoot them. This requires that all network traffic (or some targeted subset) is efficiently captured and stored, in much the same way a convenience store might use a video security system.

The purpose of this paper is to explain how retrospective analysis functions and why it offers a significant time and cost savings over conventional real-time analysis.

State of the Industry

Paradoxically, improved hardware reliability has made the network engineer’s job more complex. Instead of finding and replacing obviously failed hardware, network engineers need to solve more and more intermittent (and subtle) problems. The continuing transformation of enterprise networks into complex webs comprising multiple technologies and topologies, with users from hourly employees to CEOs demanding flawless, department-specific functionality, makes the job of network managers increasingly difficult. Still, IT professionals continue to waste valuable time, energy, and resources gathering information in an attempt to replicate intermittent problems or enforce security and compliance regulations.

The Concerns

With these growing demands come new concerns. According to a recent Network Instruments® survey:

• Nearly 70 percent of IT administrators are concerned about the increased complexity of their networks
• Nearly the same number expressed concern about an increasing volume of network traffic
• Over half said their most common problem is a lack of information about network problems and their causes
• 30 percent cited the inability to replicate user problems as a recurring network issue

Case Study: The Way Things Were

A major Midwest healthcare provider, with many hospitals and over 200 clinics and pharmacies across 90 communities, required a powerful network monitoring and analysis solution to ensure its business-critical operations remained up and running. The provider relied on a mix of T1, DS3, Gigabit, and 10 Gigabit Ethernet links to provide access to some 30,000 users. When staff access to patient records can be a life-or-death matter, downtime is not an option, and time-consuming, reactive troubleshooting is unfeasible. This healthcare provider decided to explore retrospective network analysis solutions.

How It Works

RNA acts like a TiVo® for the network, changing the way administrators conduct analysis. Traditional real-time packet capture and analysis gives network administrators insight into their networks via packet-level protocol decode and analysis. While these tools are certainly useful when managing any mid- to enterprise-level network, using them to provide administrators with enough information to solve subtle or sporadic problems is an arduous task. What’s more, the ability to witness a compliance violation or security breach is limited to those lucky enough to be watching when it happens. RNA acts like a 24/7 surveillance camera — it is far easier to find the culprit using a stored video of the crime rather than just a photograph.

Appliances such as GigaStor are capable of storing terabytes of packet-level traffic collected from a variety of full-duplex network topologies, including WAN, LAN, Fibre Channel, wireless, gigabit, and 10 Gigabit (10 GbE). The appliance performs real-time Expert processing at the probe rather than transferring packet captures over the network to the console. The GigaStor has a 64-bit core and can capture up to 12 TB, or offload to a SAN for nearly unlimited storage.

But there is more to RNA than just capturing and storing the traffic. To be truly useful, the tool should make it easy to find the relevant connection or time period as quickly as possible, further improving troubleshooting efficiency. RNA for the enterprise should also provide IT staff with the drill-down detail necessary for isolating problems to particular protocols, applications, servers, and stations. It should be flexible enough to monitor any topology, including LAN, WAN, WLAN, gigabit, 10 GbE, and Fibre Channel. For true network forensic analysis, the ability to reconstruct files, web pages, images, e-mails, and IMs, and to compare breaches against Snort rules, is indispensable.
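The "go back in time" step described above, as an added example that is not GigaStor or Observer code: packets are stored whole as captured, and analysis later seeks to a time window or a pair of stations. The RetroStore class, its method names and the sample traffic are all constructed here.

```python
"""Retrospective packet store: added example, not GigaStor/Observer code."""
import bisect
from collections import Counter, namedtuple

Pkt = namedtuple("Pkt", "ts_ns src dst proto dport size")  # ts_ns: capture time in ns

class RetroStore:
    def __init__(self):
        self._pkts = []  # append-only, in capture order
        self._ts = []    # parallel timestamps so bisect can seek in O(log n)

    def record(self, pkt):
        """Store a packet exactly as captured; nothing is decoded yet."""
        if self._ts and pkt.ts_ns < self._ts[-1]:
            raise ValueError("capture timestamps must be non-decreasing")
        self._pkts.append(pkt)
        self._ts.append(pkt.ts_ns)

    def window(self, start_ns, end_ns):
        """Packets captured in [start_ns, end_ns): the 'go back to the event' step."""
        lo = bisect.bisect_left(self._ts, start_ns)
        hi = bisect.bisect_left(self._ts, end_ns)
        return self._pkts[lo:hi]

    def conversation(self, a, b, start_ns=0, end_ns=None):
        """Both directions of traffic between stations a and b inside the window."""
        if end_ns is None:
            end_ns = self._ts[-1] + 1 if self._ts else 0
        return [p for p in self.window(start_ns, end_ns) if {p.src, p.dst} == {a, b}]

    def top_talkers(self, start_ns, end_ns, n=3):
        """Bytes sent per source station inside the window (drill-down by station)."""
        by_src = Counter()
        for p in self.window(start_ns, end_ns):
            by_src[p.src] += p.size
        return by_src.most_common(n)

def build_sample_store():
    """Constructed sample traffic (not a real capture): a burst from 10.1.1.7 at t=2s."""
    store = RetroStore()
    for pkt in [
        Pkt(1_000_000_000, "10.1.1.5", "10.1.0.20", "TCP", 443, 600),
        Pkt(1_500_000_000, "10.1.0.20", "10.1.1.5", "TCP", 443, 1400),
        Pkt(2_000_000_100, "10.1.1.7", "10.1.0.20", "TCP", 443, 200),
        Pkt(2_000_000_200, "10.1.1.7", "10.1.0.20", "TCP", 443, 200),
        Pkt(2_000_000_300, "10.1.1.7", "10.1.0.20", "TCP", 443, 200),
        Pkt(3_000_000_000, "10.1.1.5", "10.1.0.20", "TCP", 443, 600),
    ]:
        store.record(pkt)
    return store
```

Rewinding to the one-microsecond window around t=2s isolates the burst from 10.1.1.7 without anyone having watched the link when it happened.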

Case Study: Implementation

The Midwest healthcare provider decided to implement a series of multi-terabyte GigaStor appliances across their network, in conjunction with several Observer® Expert consoles, from which they hoped to manage VoIP, a wireless network with over one thousand access points, and other network applications.

Benefits

The benefits of employing an RNA solution are numerous and tangible:

• Higher network availability
• Improved ability to conduct business efficiently and effectively
• Satisfied customers and employees
• Ability to validate and provide evidence for compliance and security issues, which streamlines the enforcement process

RNA can also be used for planning, rollout, and performance management stages for new applications such as VoIP, by taking advantage of monitoring and trending data to determine exactly how applications affect (or will affect) the network. Preliminary testing can save an enterprise the cost and headaches associated with a problematic application rollout.

Finally, the comprehensive functionality of RNA lets IT staff spend less time attempting to recreate problems and spend more time on proactive planning. In short, reduced downtime plus faster problem resolution equals a rapid return on investment.

Case Study: After Implementation

The Midwest healthcare provider has seen marked improvements and saved thousands of dollars in costs since implementing RNA solutions on its network. It routinely uses GigaStor to diagnose intermittent problems with its network, application performance, and infrastructure. On multiple occasions, it has been able to diagnose intermittent issues on critical servers, allowing IT staff to take action before problems impacted overall network performance.

Summary

Whereas traditional protocol analyzers have evolved over time, adding features and capabilities in a natural progression, RNA has proved a different type of innovation: it is a true paradigm shift in network monitoring, security, and analysis technology. Many organizations currently use RNA technology to provide better service and improved security to their customers and employees in a way that saves both time and money.

When considering the purchase of an RNA solution, look for products that provide the following features. Some vendors charge extra for additional functionality that is included in devices such as the GigaStor.

• Security forensics capability
• Real-time analysis on the probe
• VoIP analysis and call scoring
• Stream or application reconstruction
• Multi-user, multi-session access
• Connection Dynamics
• Nanosecond resolution
• Seamless integration
• Option to offload to SAN

Application and Network Performance Monitoring in a Virtualised Environment

Friday, May 1st, 2009

As organisations implement virtualised environments, knowing how to monitor and maintain them becomes yet another challenge for today’s network professional. Monitoring network and application traffic in an environment containing one-to-many relationships between physical hardware devices (virtual hosts) and virtual application servers (virtual machines) presents a number of concerns. This white paper presents various visibility options and their ramifications, and outlines new technology that allows visibility into both external and internal traffic within a virtual environment.

Introduction

Before discussing monitoring options within a virtual environment, let’s take a moment to discuss how the traffic flows within it.

Virtual environments are designed to include a virtual adapter (vNIC) for each virtual machine within the system. The vNIC is logically connected to a virtual switch, which is managed by the virtual host system (see the diagram below). This handles communication that stays within the VM host. To enable communication into and out of the VM host, a logical connection between the vNIC and the physical adapter (pNIC) must be established.

Within the VMware ESX and ESXi environments, a virtual adapter can be set in “promiscuous mode.” When promiscuous mode is enabled on a virtual adapter, all traffic flowing through the virtual switch—including local traffic between virtual machines and remote traffic originating from outside the virtual host—is sent to the promiscuous virtual adapter.

Challenges

Monitoring applications within a virtualized environment presents a number of challenges.

1. Lack of visibility. Traffic between virtual machines within a virtual host will not be visible outside of the host. This causes a number of problems:

a. Network engineers cannot monitor multi-tier applications partially or wholly located on multiple virtual machines within a single host.

b. Should a virtual machine be compromised by malicious code or security breach, other virtual machines within the same host may also be compromised.

2. Lack of analysis functionality. A separate solution is required to push data streams flowing within virtual machines out to an external tool or a purpose-built device. This functionality is necessary for network and application monitoring and analysis, compliance, and security audits. Virtual TAPs (software applications placed inside a virtual machine to export all data through a designated pNIC to an external device) can alleviate this problem.

Options

There are three primary ways to monitor both traffic flow from within applications on virtual machines and from the virtual host:

1. Monitor the host using an external analysis device as you would any other system, via SPAN technology or a physical TAP.

This option works well for environments not needing to track internal virtual machine-to-machine traffic within a host. However, it may not catch a security breach compromising multiple virtual machines within a host.

2. Monitor all virtual machines in a host by establishing a new virtual machine within the host. This option assumes that the virtual switch within the host can be SPANed or set to promiscuous mode.

This option provides visibility at the statistics and packet levels of all traffic within a virtual host. It does not, however, allow packet-level traffic to be analyzed by an external physical device (IDS, retrospective analysis device, etc.).

3. Use a Virtual TAP to collect and redirect all internal virtual machine traffic to a dedicated virtual NIC within the monitoring virtual machine that is connected to an external purpose-built device for analysis or compliance enforcement.

Depending on the functionality of the external device the traffic is being copied to, this option may provide all the functionality of option two while taking advantage of the physical capabilities of the purpose-built external device.

Option two combined with option three offers the most extensive and comprehensive monitoring solution. In a VMware environment, one can utilize promiscuous mode on the internal virtual switch, and direct a copy of all traffic from all virtual machines to a virtual machine monitoring instance.

This offers several benefits:

a. Collect metrics and perform real-time analysis.

b. Using a Virtual TAP, re-direct packet streams out a separate NIC to be recorded by a Retrospective Network Analysis (RNA) device or other purpose-built security or analysis tool.
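The visibility gap behind the three options, modelled as an added example that is not VMware or Network Instruments code: an external SPAN or TAP only sees frames that cross the pNIC uplink, a promiscuous vNIC on a monitoring VM sees every frame on the virtual switch, and a Virtual TAP exports that view. The VSwitch class, VM names and MAC addresses are constructed for the example.

```python
"""Toy model of traffic visibility inside a virtual host: added example, not VMware
or Network Instruments code. An external SPAN/TAP sees only frames that cross the
pNIC uplink; a promiscuous vNIC sees every frame on the virtual switch; a Virtual
TAP exports that view to an external device. All MACs and frames are constructed."""
from collections import defaultdict

class VSwitch:
    def __init__(self, uplink_pnic):
        self.ports = {}                # vNIC MAC -> VM name on this host
        self.promiscuous = set()       # VMs whose vNIC is in promiscuous mode
        self.uplink = uplink_pnic      # pNIC: frames for MACs not on the switch leave here
        self.seen = defaultdict(list)  # observer (VM or pNIC) -> frames delivered to it

    def attach(self, vm, mac, promiscuous=False):
        self.ports[mac] = vm
        if promiscuous:
            self.promiscuous.add(vm)

    def send(self, src_mac, dst_mac, payload):
        frame = (src_mac, dst_mac, payload)
        target = self.ports.get(dst_mac, self.uplink)  # local VM, or out the pNIC
        self.seen[target].append(frame)
        for vm in self.promiscuous:                    # promiscuous vNICs get a copy of everything
            if vm != target:                           # but not a second copy of their own frame
                self.seen[vm].append(frame)

def external_span(switch):
    """Option 1: what a physical TAP or SPAN port on the uplink observes."""
    return list(switch.seen[switch.uplink])

def virtual_tap(switch, monitor_vm):
    """Option 3: the Virtual TAP exports the monitoring VM's promiscuous view."""
    return list(switch.seen[monitor_vm])

def demo():
    """Two-tier app on one host; only the client-facing frame leaves via the pNIC."""
    sw = VSwitch(uplink_pnic="vmnic0")
    sw.attach("web", "02:00:00:00:00:01")
    sw.attach("db", "02:00:00:00:00:02")
    sw.attach("monitor", "02:00:00:00:00:0f", promiscuous=True)
    sw.send("02:00:00:00:00:01", "02:00:00:00:00:02", "SQL query")      # web -> db, stays internal
    sw.send("02:00:00:00:00:02", "02:00:00:00:00:01", "SQL reply")      # db -> web, stays internal
    sw.send("02:00:00:00:00:01", "02:00:00:00:00:aa", "HTTP response")  # web -> outside client
    return len(external_span(sw)), len(virtual_tap(sw, "monitor"))
```

The two web-to-database frames never reach the uplink, so an external-only deployment (option 1) records one frame out of three; the monitoring VM records all three.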

Benefits of the Virtual TAP

Mirroring all traffic within a virtual host to an external device provides a number of advantages, including total visibility into VM application traffic and the ability to run greater analytics for comprehensive reporting and faster problem resolution.

For example:

1. Application Performance Monitoring.

2. Application Performance Troubleshooting.

The Virtual TAP removes the limitation of having to access or respond to VM traffic in real time. By eliminating the visibility gap, the TAP gives you greater control of your virtual environment and helps you better maintain overall application performance.

Conclusion

Depending on the virtual server technology you have decided to implement, you will have a number of options for network and application traffic visibility, and for the use of external devices for analysis. If all virtual machine communications take place between the virtual machines and the “outside” (i.e. outside the physical host), then monitoring the data flow from outside the host server may be the least complicated method by which to gain flow visibility.

If there is any internal communication between virtual machines, the only way to monitor this data is by using a monitoring virtual machine (separate or existing) with an analysis service (i.e. probe) gathering data from the internal virtual switch. Should you need to analyze or store data on an external purpose-built device, installing a Virtual TAP within the monitoring virtual machine will provide complete visibility into all data flowing on the internal virtual switch.

The Virtual TAP can also output data to a Retrospective Network Analysis device, which stores it for later access. RNA devices have an intuitive time-navigation interface to help easily isolate problems within your virtual environment and troubleshoot these issues using Application Analytics. Feed VM traffic to an enterprise reporting engine for comprehensive monitoring of virtualized environments. Set and track performance baselines and respond quickly when performance deviates from the norm. Tracking VM traffic over time helps determine if your VM server load has increased to the point of requiring action.