Tap everywhere. Tap everything. Trustworthy visibility is the key to network monitoring and security.
This is Ixia’s approach for how networking professionals can get an accurate picture of what’s really going on in the network, and this was the theme of Ixia’s presentation at Networking Field Day 13.
Ixia’s heritage is test and simulation equipment. They pride themselves on being a market leader in that space, working with customers like Verizon and Cisco. With about 1800 employees worldwide, Ixia was in an excellent position to expand into the network visibility space with a series of acquisitions culminating with the acquisition of Net Optics in late 2013. This last acquisition is what solidified Ixia’s position as a market leader in the network visibility market. Their presentation at Networking Field Day 13 explored the problems with network monitoring that Ixia is trying to solve, and they framed their argument in terms of lossless end-to-end visibility.
The Problem with Network Monitoring
Marie Hattar explained that until now we’ve only assumed that the data from our networks actually reaches our network monitoring and security tools. Because of the large amount of traffic flowing through a network, it’s difficult to know if everything really has been analyzed, and an organization’s monitoring and security program is only as good as the data it sees.
Traditionally the best we could do is use SPAN ports on switches to send a copy of traffic to a management tool. However, when a switch becomes overloaded, SPAN traffic is dropped.
This means we can’t trust the data being sent to our network monitoring tools.
This is the major problem Ixia is trying to solve, and to that end they are focused on developing solutions to ensure data integrity before it’s sent off for analysis.
Ixia uses network taps and packet brokers to make sure monitoring and security tools already in use on the network receive lossless, contaminant-free data. This is especially pertinent for security, as Marie noted when she explained that “you can’t have security without visibility.”
The idea of network taps and packet brokers isn’t new at all, but Ixia differentiates itself by claiming to provide a perfect copy of traffic to monitoring tools without dropping a single packet.
Therefore, the data sent from Ixia’s visibility infrastructure can be trusted.
This is much easier said than done because of the incredible amount of data that’s collected from network taps, and this is where the recent acquisition of Net Optics comes in.
Ixia integrated the intelligent network tap technology acquired from Net Optics to aggregate and groom the huge amount of data produced by network taps. Using packet brokers to handle this large amount of data, they’re then able to optimize what’s sent to various tools.
Network Packet Brokers are appliances that control where packets from the network taps go. Keep in mind that packet brokers aren’t switches, though they do have layer 2 through 4 filtering capability for sending copies of traffic to the correct tool.
Ixia’s flagship all-in-one product, Vision ONE, handles all these processes and intelligently delivers data to our favorite monitoring and security tools. Vision ONE provides the ability to filter based on what each tool needs to see and load balances this traffic to accommodate link restrictions within the network. This means that you don’t necessarily have to upgrade your IPS boxes with 1Gbps interfaces. It also deduplicates traffic in order to conserve bandwidth without dropping any packets so that our monitoring tools provide us a trustworthy picture of the network.
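The three packet-broker functions described above (deduplication, per-tool layer 3-4 filtering, and load balancing across tool ports), as an added example; it is not Ixia's code and does not describe how Vision ONE is implemented. The packets, tap names, tool names and port counts are constructed, and hash-based deduplication with symmetric flow hashing is an assumed, commonly used approach.

```python
import hashlib
from collections import namedtuple

Pkt = namedtuple("Pkt", "tap src sport dst dport proto ip_id payload")

# Constructed sample traffic; tap names and addresses are illustrative.
SAMPLE = [
    Pkt("tap-core", "10.0.0.5", 51000, "192.0.2.10", 443, "tcp", 1, b"hello"),
    Pkt("tap-edge", "10.0.0.5", 51000, "192.0.2.10", 443, "tcp", 1, b"hello"),  # same packet, second tap
    Pkt("tap-core", "192.0.2.10", 443, "10.0.0.5", 51000, "tcp", 7, b"reply"),  # reverse direction
    Pkt("tap-core", "10.0.0.8", 40000, "192.0.2.53", 53, "udp", 3, b"query"),
    Pkt("tap-core", "10.0.0.5", 51000, "192.0.2.10", 443, "tcp", 2, b"hello"),  # new IP ID: not a duplicate
]

# Hypothetical tools: a layer 3-4 match rule and the number of tool ports to spread over.
TOOLS = {
    "ips": (lambda p: p.proto == "tcp" and 443 in (p.sport, p.dport), 2),
    "dns-monitor": (lambda p: p.proto == "udp" and 53 in (p.sport, p.dport), 1),
}

def fingerprint(p):
    """Hash the fields that stay the same wherever the packet is tapped (the tap is excluded)."""
    key = f"{p.src}|{p.sport}|{p.dst}|{p.dport}|{p.proto}|{p.ip_id}|".encode() + p.payload
    return hashlib.sha256(key).digest()

def dedup(packets):
    """Forward the first copy of each packet; a real broker would bound `seen` by a time window."""
    seen, out = set(), []
    for p in packets:
        fp = fingerprint(p)
        if fp not in seen:
            seen.add(fp)
            out.append(p)
    return out

def flow_port(p, n_ports):
    """Symmetric flow hash: both directions of a session map to the same tool port."""
    a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
    digest = hashlib.sha256(f"{p.proto}|{a}|{b}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_ports

def broker(packets):
    """Return {(tool, port): [packets]} after dedup, filtering and load balancing."""
    out = {}
    for p in dedup(packets):
        for name, (match, n_ports) in TOOLS.items():
            if match(p):
                out.setdefault((name, flow_port(p, n_ports)), []).append(p)
    return out

if __name__ == "__main__":
    for (tool, port), pkts in sorted(broker(SAMPLE).items()):
        print(tool, port, [(p.src, p.dst, p.ip_id) for p in pkts])
```

Because the flow hash sorts the two endpoints before hashing, an IPS behind one tool port sees both halves of every session it is given, which stateful inspection depends on.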
From a security perspective, we’re able to tell if our firewalls and IPS appliances really are seeing all the packets they’re supposed to see – which is sort of the whole point of inspecting traffic, right? Notice the entire visibility ecosystem in the diagram below.
For monitoring beyond Layer 4, Ixia developed the Application and Threat Intelligence Processor (ATIP) to provide application-level visibility. This is part of the Vision ONE platform and is used to dynamically identify all applications running on a network. With that knowledge, an administrator can pass actionable information to monitoring and security tools. This is very powerful because the ATIP can dynamically create application signatures based on patterns in a network. From this an administrator can create very advanced visibility filtering and gain visibility that is otherwise very difficult to get.
Recep Ozdag explored monitoring in virtualized environments, which is a bit trickier. Ixia developed a virtual tap, the Phantom vTap, which can be used to create GRE tunnels to send a copy of traffic to the packet broker.
Kris Raney addressed the unique issues with visibility in the public cloud. It’s difficult to gain good visibility into cloud applications, and until now only north/south traffic could be captured by using some type of virtual machine. In fact, cloud providers often prevent many of the methods we use for visibility because they’re a security risk to their own environments. Additionally, most public cloud infrastructures are both very large and dynamic, which also presents challenges for a network monitoring solution.
For example, VMs using dynamic IP addresses and distributed workloads may be spun up and destroyed regularly. How can a network monitoring solution provide lossless end-to-end visibility with this type of infrastructure churn?
Ixia’s CloudLens addresses these challenges by using a Docker container agent which is installed on all the VMs you want to monitor. And since the agent lives inside the base image of the OS, whenever new VMs are created, new agents are automatically created which solves the issue of dynamic scaling. The hypervisor-independent agent can intercept data at the operating system level and gather much more than simply network data.
I have to admit that I cringed a little when Kris said the word “agent”, but thankfully he addressed that concern by explaining that you never have to interact with an agent directly because they all phone home to a centralized management service.
Recep echoed Marie’s words when he explicitly stated that “we do not drop packets.” He and the Ixia team drove this point home as a major differentiator between Ixia and its competitors. After all, if packet loss prevents you from having an accurate picture of what’s happening on the network, then you really don’t have true visibility.
Ixia has been busy. That’s for sure. They’ve made some smart acquisitions to expand their portfolio of network visibility tools and have done an excellent job integrating them into a suite of resources for lossless end-to-end visibility. Though I would have preferred a deep dive into one product and one use case, one single message was very clear: trustworthy visibility is the key to network monitoring, and you can trust the data Ixia sends to your monitoring tools.
Great summary. In many implementations, you just don’t know if you are dropping packets and whether your security tools are seeing everything. Thanks for showing what lossless visibility offers.
Thanks, Marie. I appreciated that your team made it clear what the problem with monitoring is and how Ixia solves it. The implications are compelling especially when considering network security.