Keith Bromley
Sr. Manager, Product Marketing at Ixia

Application Intelligence: The ABCs of Network Visibility

October 19, 2016 by Keith Bromley

What is Application Intelligence?

What do people mean when they talk about application intelligence? For those who haven’t heard of it, this technology (using context-aware data processing) is available through certain network packet brokers (NPBs). It is extended functionality that allows you to go beyond Layer 2 through 4 (of the OSI model) packet filtering and reach all the way into Layer 7 (the application layer) of the packet data. The benefit is that rich data about the behavior and location of users and applications can be created and exported in any format needed – raw packets, filtered packets, or NetFlow information.

IT teams can identify hidden network applications, mitigate network security threats from rogue applications and user types, and use application data to reduce network outages and/or improve network performance. Distinct signatures for known and unknown applications can be identified, captured, and passed on to specialized monitoring tools to give network managers a complete view of their network.

Typical Use Cases and Benefits

A powerful use case for application filtering is to improve security tool efficiency. Application filtering effectively allows you to create an early warning system for real-time vigilance. In the context of improving network security, context awareness can provide the following benefits:

  • Identify suspicious/unknown applications on the network by exposing the applications that are running on the network. This feature is often an eye-opener for IT teams, as they are usually surprised to find out that there are actually applications on their network they knew nothing about.
  • Identify suspicious behavior by correlating indicators of compromise with geographic location and known bad sites. For instance, maybe there is a user in North Korea that is hitting an FTP server in Dallas, TX and transferring files off network. If you have no authorized users in North Korea, this should be treated as highly suspicious. See this solution brief for an illustration.
  • Improve security and monitoring tool efficiencies by flagging trusted data (voice, video, etc.) and allowing it to bypass security tool inspection (e.g. IDS or tool). This can increase the efficiency of security tools by up to 35%. See this case study for an example.
  • Improve security by providing immediate, cost-effective SSL decryption activities so that data can be sent clear channel to security tools for inspection and analysis for potential threats.
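
The geolocation correlation described in the second bullet above, as an added example (not Ixia's code and not part of the original post). It assumes flow records that already carry an application label and a client country; the field names, policy sets, byte threshold, and sample records are all hypothetical.

```python
from dataclasses import dataclass

# Assumed site policy values (hypothetical, not from the article).
AUTHORIZED_COUNTRIES = {"US", "CA"}
FILE_TRANSFER_APPS = {"ftp", "sftp"}
MIN_EGRESS_BYTES = 1_000_000

@dataclass(frozen=True)
class Flow:
    client_ip: str
    client_country: str  # geolocation tag added by the packet broker
    app: str             # Layer 7 application label, "unknown" if unmatched
    server: str
    bytes_out: int       # bytes sent from the server to the client

def triage(flows, known_bad_ips=frozenset()):
    """Return [(flow, severity, reasons)] for flows that need attention."""
    findings = []
    for f in flows:
        reasons = []
        if f.client_country not in AUTHORIZED_COUNTRIES:
            reasons.append("unauthorized-country")
        if f.client_ip in known_bad_ips:
            reasons.append("known-bad-ip")
        # Files leaving the network: transfer app plus a large outbound volume.
        exfil = f.app in FILE_TRANSFER_APPS and f.bytes_out >= MIN_EGRESS_BYTES
        if reasons and exfil:
            reasons.append("file-transfer-off-network")
            severity = "high"
        elif reasons or f.app == "unknown":
            if f.app == "unknown":
                reasons.append("unidentified-app")
            severity = "review"
        else:
            continue  # authorized location, known application: nothing to flag
        findings.append((f, severity, reasons))
    return findings

# Constructed sample records (documentation IP ranges, made-up hostnames).
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "KP", "ftp", "ftp-dallas-01", 48_000_000),
    Flow("198.51.100.20", "US", "ftp", "ftp-dallas-01", 5_000_000),
    Flow("198.51.100.33", "US", "unknown", "app-02", 12_000),
    Flow("192.0.2.50", "CA", "sftp", "ftp-dallas-01", 3_000_000),
    Flow("203.0.113.99", "DE", "https", "web-01", 20_000),
]

if __name__ == "__main__":
    for flow, severity, reasons in triage(SAMPLE_FLOWS, {"192.0.2.50"}):
        print(f"{severity:6} {flow.client_ip:15} {flow.app:8} {', '.join(reasons)}")
```

Location or reputation alone only earns a "review"; the record is escalated to "high" when that indicator coincides with a large file transfer leaving the network, which is the combination the bullet describes.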

A second category of benefits includes improved troubleshooting and performance capabilities. For this category, application awareness can be used to:

  • Find application failures as soon as they happen simply by looking at a dashboard showing all applications running on the network
  • Create empirical data to identify bandwidth usage, trending, and growth needs. This allows IT admins to be proactive in managing their resources and forecast expansions.
  • Identify new user applications consuming network resources to prevent capacity overload (i.e. explosions) and network outage problems
  • Geolocation capability can be used to help quickly locate geographic outages and potentially narrow troubleshooting efforts to specific vendors that may be causing network disruptions. This reduces troubleshooting costs and improves customer Quality of Experience. See this solution brief for an example.
  • Find application traffic behaviors that indicate changes in your customers' patterns that you would like to know about. As an example, if you are a cable provider who also offers internet service, you would probably like to track the use of your own VoD service vs. competitors like Vudu and Netflix. This lets you know when a new competitor pops up.

A third category of benefits includes improved regulatory compliance capabilities. For this third category, context awareness helps:

  • Identify prohibited applications that may be running on your network
  • Audit your network policies and usage of those policies. Maybe users are transferring files off network to Dropbox. Maybe employees are using web-based email instead of the official corporate email system, which is linked to antivirus software for attachment inspection. Without the antivirus inspection, harmful files can be downloaded onto the corporate network.
  • Data masking can be used to hide sensitive data like credit card information before the data is sent to monitoring and logging tools
  • Features like Regex can be used to create search strings for sensitive data. This allows only relevant data to be sent on to monitoring tools for analysis.
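
The data masking and Regex bullets above, as an added example (not Ixia's implementation and not from the original post): a regex picks out card-number candidates, a Luhn check discards look-alikes, and only records matching an operator-supplied search string are forwarded. The function names and sample records are hypothetical; the card number is the widely published Visa test number.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally split by single
# spaces or hyphens, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pans(text, keep_last=4):
    """Return (masked_text, count); only Luhn-valid candidates are masked."""
    masked = 0
    def _mask(match):
        nonlocal masked
        raw = match.group(0)
        digits = [c for c in raw if c.isdigit()]
        if not luhn_valid("".join(digits)):
            return raw  # e.g. an order number that merely looks like a card
        masked += 1
        hide = len(digits) - keep_last
        out, seen = [], 0
        for c in raw:
            if c.isdigit():
                out.append("*" if seen < hide else c)
                seen += 1
            else:
                out.append(c)  # keep separators so field lengths are unchanged
        return "".join(out)
    return PAN_CANDIDATE.sub(_mask, text), masked

def prepare_for_tools(records, search):
    """Forward only records matching `search`, with card numbers masked."""
    wanted = re.compile(search)
    return [mask_pans(r)[0] for r in records if wanted.search(r)]

# Constructed sample payload lines.
SAMPLE_RECORDS = [
    "POST /pay card=4111 1111 1111 1111&exp=12/27",
    "GET /status order_id=4111111111111112",
    "POST /pay card=4111-1111-1111-1111",
    "GET /img/logo.png",
]

if __name__ == "__main__":
    for line in prepare_for_tools(SAMPLE_RECORDS, r"POST /pay"):
        print(line)
```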

Considerations When Researching Application Intelligence and Context Awareness

When investigating application intelligence solutions, there are several items to consider. Here is a short list of common items:

Extensive functionality – You will want lots of functionality. Once you start using context awareness, you will find more and more needs for it. This technology is an integral part of security, performance, troubleshooting, and compliance initiatives. Look for a solution that is flexible enough to use for current and future needs. A forklift upgrade will be expensive in the future if you find that the current context awareness features won’t suit your future needs.

Ease of Use – This will be a critical component. You need an interface that is powerful but intuitively obvious to use. Look for a solution that uses a drag and drop GUI. A command line interface (CLI) will take you 10 times (or more) longer than a drag and drop interface to configure application filters. Look for a vendor that has lots of predefined application signatures. The last thing you want is to have to spend a lot of time creating your own signature definitions.

Technology – A third consideration is around technology. Vendors can say they support context awareness and NetFlow, but what features do they really support? Make sure the vendor supports the core features that enable improved security and troubleshooting. Some examples of these features include: geolocation, SSL decryption, data masking, Regex commands, browser and user device type identification, BGP AS, etc.

More Information on Application Intelligence and Context Awareness

When all components of a visibility architecture are combined, they eliminate the blind spots within your network that are harboring potential application performance and security issues.

Ixia’s ATI Processor can deliver context aware information like geo-location, browser type, and device type. The Ixia solution delivers critical intelligence to reduce troubleshooting costs and boost network security protection (especially for indicators of compromise). In addition, Ixia has created several hundred application definitions that can be used to filter application data and forward that data on to appropriate monitoring tools. In addition to the application definition, Ixia can also distinguish application sub-functionality. Using Pandora as an example, the Ixia ATI Processor can understand sub-functions within that application which include “play”, “skip”, “pause”, etc. Information granularity like this reduces application troubleshooting costs and allows you to optimize customer quality of experience.

More information on application intelligence and context-data aware processing is available here and in this whitepaper.