What Is Universal Data Access?
Do you know what universal data access for monitoring networks means? It is the ability to tap into your data from anywhere across your network, at will. While this sounds like it should be fairly easy to achieve, due to the ubiquity of IP-based networks, it has often been hard for businesses to achieve this goal. Part of this hardship has been due to technology issues but other issues around processes and architectural designs exist as well. Fortunately, there is a straight forward solution – a visibility architecture.
Universal data access starts with capturing the proper data from your physical and virtual networks (both public and private) to enable a deeper, richer understanding of your network. This data can be captured by optimizing the data access layer framework of a visibility architecture. The data access layer is naturally focused on creating access to packet and application data within the network.
So what’s been the technical challenge with capturing the data? The first challenge is that many IT engineers have relied upon SPAN ports off of the network switches to forward data to the security and monitoring tools. This has created a host of little known problems like:
- The creation of duplicate data
- Data simply gets dropped to switch or port overload
- And data gets lost (because it was Layer 1 data, the packets were corrupted or malformed, or other data oddities occurred – none of which are forwarded through SPAN ports)
In addition, SPAN ports provide summarized data and they change the timestamps of packets. Depending upon how you set up the filtering (i.e. what traffic you decide to make a copy of and route the SPAN), you may be collecting the wrong data and/or accidentally clipping (i.e. dropping) data you are actually interested in. To sum it up, you’re not seeing a complete copy of the traffic on your network.
The solution is a physical tap that you install into the network. Taps are passive devices that are easy to install. They also typically require zero maintenance. This means that they are essentially “set and forget.”
Another technical issue is that physical taps and SPAN ports can’t capture the east west virtual data in your virtual data center. Since Gartner estimates that this may be up to 80% of the virtual data center traffic, this is a lot of data you aren’t seeing. The solution here is to install a virtual tap on one of the VMs. A virtual tap is simply a software version of a physical tap. The virtual tap allows you to export inter- and intra-VM data and send out to your security and monitoring tools for analysis.
A third technical challenge has been capturing inline data in a failsafe and reliable way. Again, traditional taps and SPAN ports can’t be used here. You need something that supports failover capability and heartbeat signaling to make sure that your network remains reliable in times of crisis. The solution here is to add an external bypass switch. Internal (to the security and monitoring tool) bypass switches aren’t as reliable as purpose built external bypasses.
Another challenge has been the architecture design, or lack thereof. A commonly missed item is that many IT departments have not created a proper visibility architecture. They either don’t have one at all, or what they have is from cobbled together point solutions that are often missing key pieces that lessen the utility of the “solution.”
Once a visibility architecture is deployed, it becomes obvious that one necessary component is the data access layer. The second obvious component is the security and monitoring tool layer. However, in between is the data control layer consisting of a network packet broker (NPB). This missing piece delivers great utility while also delivering cost savings.
In this architecture, the data access layer is the base framework that then feeds data to packet brokers, in the data control layer, for either out-of-band visibility or inline security frameworks. Packet brokers are devices where any uninteresting network or application data can be filtered out before being be sent on to the appropriate monitoring tools.
Packet brokers also deliver other benefits like:
- Aggregating data from multiple locations before the data is sent on to monitoring tools
- Removing duplicate monitoring data packets
- Load balancing data across multiple tools
- And packet manipulation (e.g. packet slicing, header stripping, data masking) to remove unnecessary or inappropriate data
The main use case for packet brokers is to aggregate data from the various taps on the network where it can be filtered and then distributed to a myriad of security and monitoring tools.
Another benefit to packet brokers is that they can be accessed remotely and reprogrammed to change data filters and distribute different data at will. Superior packet brokers can make these changes through a hitless process that doesn’t create data loss.
If you want to feel the power of universal access, get rid of SPAN ports and replace them with physical taps. You should also consider installing bypass switches and virtual taps. Then add packet brokers to the network to refine and optimize your monitoring data. This will make your tools more efficient and extend their lifespan, saving you money in the process.
For more details on some tap best practices, read this whitepaper Best Practices for Visibility Architecture Tap Planning and visit this website.