Can you see where you’re going? Keeping up with network data speeds
As enterprise network traffic continues to accelerate, how do you ensure that your visibility architecture can keep pace? That’s a problem that many organizations are now having to address. In 2016, the amount of data in transit within the typical enterprise grew dramatically, as backbones transitioned from 10G to 100G and beyond. Server connection speeds are often used as a baseline for network growth and, according to TE Connectivity, speeds averaged 1G in 2009 and transitioned to 10G by 2015. It’s predicted that by 2020 a significant percentage of enterprises will see 100G connectivity, with 400G on the horizon.
With this rapid acceleration, the network’s visibility architecture has to work much harder to quickly filter relevant traffic from background noise. Analysis and correction need to occur instantly, because it takes attackers only seconds to compromise an enterprise network and hide their tracks, so real-time visibility with no packet loss is an absolute requirement.
Dropped packets result in blind spots at the network’s switch points. Port mirroring, also known as Switched Port Analyzer (SPAN), is a typical method for monitoring network traffic. With port mirroring enabled, the switch sends a copy of all the network packets seen on one port (or an entire virtual local area network) to another port, such as a network packet broker (NPB), where the packets can be analyzed. Integrated SPAN ports are convenient but create scaling limitations in terms of both performance and availability.
With high-volume burst traffic, the switch will temporarily drop the SPAN process, which means that data will never reach the analysis or compliance tools. Also, when you run out of SPAN ports, your network configuration gets more complicated very quickly – and the growth in IT tools is creating a severe SPAN port shortage.
So that leads us to network taps, both virtual and physical, which do not suffer from the same scaling problems. However, dropped data packets and consequent visibility blind spots are often generated deeper within the network, after the SPAN or network tap, within the visibility layer itself. Here, some NPBs are simply unable to keep up with the demands of larger – and dynamically growing – networks. Many of them run on single processors and therefore have limited abilities to manage multiple features at the same time.
Deduplication, for example, is an extremely useful additional feature: it makes network visibility and inspection run more efficiently and ultimately extends the life of your visibility tools. With basic NPBs, however, simply turning this feature on can have a huge impact on day-to-day performance. Ultimately, if an NPB is dropping packets, the security tools fed by the NPB will not see all the traffic they need to see, and will miss attacks.
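To show why deduplication is more work per packet than a simple hash lookup, here is an added example (not Ixia’s code or any NPB’s implementation) of the core logic: the same packet captured at two tap points differs in IP TTL and header checksum after a router hop, so those fields must be masked before hashing, and a time window must expire old entries so that a genuine later retransmission is kept. Frame layout, the 50 ms window and the sample traffic are all constructed for the example.

```python
import hashlib
import struct
DEDUP_WINDOW = 0.05  # seconds; copies arriving within this window are duplicates

def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def dedup_key(frame: bytes) -> bytes:
    """Hash a frame with TTL and IP checksum zeroed: a router hop changes only those."""
    if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
        ip = bytearray(frame[14:])
        ip[8] = 0                # TTL, decremented per hop
        ip[10:12] = b"\x00\x00"  # header checksum, changes with TTL
        frame = frame[:14] + bytes(ip)
    return hashlib.sha256(frame).digest()

def deduplicate(packets, window=DEDUP_WINDOW):
    """packets: time-ordered (timestamp_s, frame) pairs. Returns (kept, dropped)."""
    seen = {}  # dedup_key -> first-seen timestamp, insertion order = oldest first
    kept, dropped = [], 0
    for ts, frame in packets:
        while seen and ts - next(iter(seen.values())) > window:
            del seen[next(iter(seen))]  # expire oldest entry outside the window
        key = dedup_key(frame)
        if key in seen:
            dropped += 1
        else:
            seen[key] = ts
            kept.append((ts, frame))
    return kept, dropped

def make_frame(ttl: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame; only TTL (and thus checksum) varies."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0x1234, 0,
                     ttl, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    return eth + ip + udp

def demo():
    """Tap A (TTL 64) and tap B (TTL 63) see the same three constructed packets."""
    tap_a = [(i * 0.001, make_frame(64, b"query-%d" % i)) for i in range(3)]
    tap_b = [(0.010 + i * 0.001, make_frame(63, b"query-%d" % i)) for i in range(3)]
    retransmit = [(1.0, make_frame(64, b"query-0"))]  # beyond the window: keep it
    return deduplicate(tap_a + tap_b + retransmit)
```

Every packet costs a header parse, a hash and a window-expiry sweep, which is why a single-processor NPB can struggle once this feature is enabled at line rate.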
It’s crucial, therefore, to evaluate your choices carefully and to prioritize scalability and growth just as much as security. Typical elements to consider include a hardware-based accelerator, which can dramatically improve NPB performance; comprehensive testing to ensure that no packets are dropped; how easy the NPB is to program; and whether the NPB offers the performance to run functions such as deduplication and SSL decryption simultaneously.
With these factors in mind, at Ixia we recently expanded our visibility tools portfolio with two new network packet brokers, the Vision Edge 40 (10/40G platform) and Vision Edge 100 (100G platform). These new, cost-effective and scalable solutions help IT teams that support both microscale and hyperscale data centers to keep pace with current and future network traffic, to resolve application performance bottlenecks, and to better utilize network analysis and security tools.