White Paper - Net Optics - Application Performance Management and Lawful Interception

Published by Michael Tunk
A New Approach Unifies Two Disciplines to Drive Mutual Performance, Efficiency and Results
Published by: Michael Tunk on Jul 05, 2012
Copyright:Attribution Non-commercial


White Paper | Performance Management
New, Internet-Based Applications Bring Change and Challenge to Lawful Interception
Customarily seen as disparate areas, network performance management and lawful interception (LI) have recently begun to converge. In concept this should be no surprise, as the two disciplines share a common foundation: LI involves examining network traffic to identify and collect specific content, while network performance management examines network traffic to identify specific performance parameters. However, despite a common approach, this convergence is relatively recent, as both disciplines have begun to draw upon one another for mutual benefit.

For clarity and definition, the following is a brief, high-level overview of both lawful interception and network performance monitoring.

Lawful interception has long been regulated by the strict conventions of governments and law enforcement agencies. LI’s non-commercial nature has caused it to evolve largely behind closed doors, addressing the specific needs of law enforcement in carrier and service provider environments. Historically, LI has involved identifying and inspecting voice traffic, i.e., ‘phone-tapping.’ While voice remains a vital component of LI, the challenges driven by the rise of data now require a new approach.

Almost all Internet communication today uses TCP/IP as the underlying protocol. Recent diversification of Internet communication techniques now poses unique challenges to LI. Numerous and varied methods for transferring messages over the Internet have arisen. Email and instant messaging, along with the near-infinite array of information-sharing and transfer mechanisms—peer-to-peer networks, web-based file repositories, Voice over IP (VoIP) telephony—and exploding numbers of social media sites such as Facebook and Twitter, all provide an immense field for information-sharing and communication.

The adaptation of LI to this new world of Internet-based applications is difficult. Many new Internet-based communication methods are no longer point-to-point, meaning that LI cannot simply examine a known stream of data to identify and collect traffic. Further, much data is cross-jurisdictional—extending across international borders—which makes identification of targets difficult at best. Lastly, applications that transfer information are often encapsulated within other protocols in order to conceal their appearance and bypass traditional lawful interception techniques.
A Snapshot of Network Performance Management
For its part, network performance management has historically focused on identifying such performance metrics as throughput, volume and loss of data packets traversing the network. Network equipment vendors supplied detailed statistics in their network elements to allow third-party network monitoring tools to collect and analyze performance data. This was, and to some extent still is, largely done using dedicated management protocols such as the Simple Network Management Protocol (SNMP), RMON and NetFlow.

Of course, the network equipment vendor’s primary concern is to ensure that equipment is operating and performing optimally. Similarly, carriers and service providers deploy network monitoring to ensure that network bearers and servers are performing at levels that avoid service degradation to end users. Accordingly, the majority of network performance-monitoring tools were designed to assess performance of network elements and carrier links regardless of traffic type carried over the network.

Thus, network performance monitoring tools typically provided information about how much and how fast in regards to traffic, as opposed to who or what actually generated the traffic—which would have interested LI. This disparate focus distinguished traditional network performance monitoring from LI, with little or no overlap of techniques.
The Changing Face of Network Performance Monitoring
Change in application deployment, particularly in the enterprise space, is now exerting pressure to extend that traditional network monitoring focus of ‘how much’ and ‘how fast’ to include ‘who’ and ‘what’. This trend is driven by the fact that most enterprises depend heavily on network infrastructure for delivery of basic business services—a situation that is intensifying with the rapid deployment of cloud-based and Software as a Service (SaaS) applications.

Increasingly, enterprise-wide business applications are critical to commerce for all size enterprises. Companies make large investments in their enterprise software, but maintaining those applications after deployment can profoundly influence overall productivity and cost-efficiency for the entire company. In actuality, application problems are the single largest source of IT downtime.

To manage new, network-based applications, from a network performance perspective, we must examine not only how much and how fast the network is running, but also who and what is generating traffic. Visibility of specific applications and users across the network is now critical to ensure business continuity, enable effective troubleshooting and reduce Mean Time To Resolution (MTTR). Visibility is also critical to allow ongoing capacity management from both a network and application viewpoint.

There can be no argument that solving application-related concerns calls for in-depth network traffic visibility down to the application level. In truth, we can no longer rely on the carriers or network element vendors to provide the fundamental data. Rather, we need to start inspecting the traffic itself, deploying deep packet inspection (DPI) techniques that enable us to grab information from within the payload of each packet where applications themselves are carried.

For these reasons, the world of network performance monitoring needs to shift its view from networks to applications and users behind them.

Passive Access, a Common Thread

LI vendors have long used passive techniques to access the primary data streams running across the network. Devices such as simple network taps or fiber splitters provide a ‘mirror image’ or copy of network traffic to various LI applications.

The beauty of using dedicated passive access hardware devices, as opposed to leveraging the capability of network elements to mirror the traffic itself, is that dedicated passive access devices impose no performance overhead to the monitored network. Perhaps even more importantly, they are totally transparent and undetectable to end users—and often even to network operators. This simplicity, along with their additional functionality, has made passive access devices a common foundation for lawful interception deployments.

Of course as networks have become more complex, the passive access layer has also evolved to meet the requirement of more complex topologies and higher bandwidths. Vendors such as Net Optics have released a comprehensive set of higher density and fully featured passive access products to meet the demand for fundamental visibility across carrier and enterprise networks both physical and virtual.

Though the requirements of LI often drive implementation of a dedicated passive access layer, this is not always the case. The same level of visibility is required by application and network performance monitoring tools, and indeed for other emerging areas such as security and network forensics. Certainly in the enterprise space, where LI is not typically a requirement, the implementation of passive access devices is driven solely by the need of network monitoring and security tools for visibility into underlying data streams.

The cost of deploying a passive access layer into a complex, high-speed network can be significant. Therefore, it makes perfect sense to leverage the functionality available in these platforms across a range of LI, network monitoring and security tools. Thus, the passive access layer becomes the common thread between lawful interception and network performance monitoring.

The Shared Technology of Deep Packet Inspection

Lawful Interception and application performance monitoring can use the same passive access layer as the fundamental data source. So it is not surprising that they can also share the same fundamental DPI inspection technique to analyze traffic streams.

DPI looks inside the payload of TCP/IP frames to gather information. In the case of LI, this technique is applied to gather content of the underlying communication relating to persons of interest, whereas in application performance monitoring, DPI serves to collect important data about specific applications.

Whatever the requirement, both LI and network performance management share a need for fast, effective DPI techniques. A quick word of caution: the term Deep Packet Inspection is often misused within the industry, with no clear definition, resulting in wild claims by many vendors in this space.

Accordingly, some vendors claim DPI functionality when in effect all they are doing is collecting and storing full packets from the wire—simple packet capture, if you will. True DPI involves much more sophisticated functionality relating to identification and collection of unique and proprietary application information from within the application layer payload of TCP/IP frames.

It is this more comprehensive, ‘true’ definition that we are referring to here when speaking of DPI. This definition of DPI is also that required by LI vendors to effectively deploy their solutions across Internet and network-based applications.
 The Problem o Speed
Compounding the challenge of deploying effective DPI is the perennial issue of ever-increasing network throughput. It doesn’t seem long ago that we were contemplating the monumental increase from a 9600 baud modem to a full 128Kbps ISDN connection—and wondering how we would ever keep pace with such high bandwidths!

The same problem exists today, but rather than talking of a jump to 128Kbps we now confront the ramifications of deploying LI and network performance monitoring in 10 Gigabit and 100 Gigabit networks. Just as we had to adapt in the past, the transition to such high-speed networks will drive fundamental changes in the way that we implement LI and monitoring solutions within carrier, service provider and enterprise environments alike.

Such velocity makes the old fashioned “brute force” approach of streaming all packets to disk for later analysis impossible. Even if the disk technology were available today to cope with such high speeds, the sheer volume of storage required makes this approach prohibitive both logistically and financially.

We need a smarter approach to the identification and collection of data, as well as a seamless mechanism to strip out only information of interest. To do this we must still examine all the data, but once we have identified the target, we need the ability to selectively capture only those streams of interest.

For application monitoring solutions, rather than trying to collect and retain every packet, we need to use DPI to collect only pertinent application-specific metrics (better known in the industry as Key Performance Indicators or KPIs) relating to each application. These KPIs represent a relatively small set of data in comparison to the brute force packet streaming approach and as such can be undertaken more efficiently and at much higher speeds.

Based on analysis of the collected KPIs, it is relatively simple to identify specific traffic or streams of interest. In the enterprise space, this identification is primarily used to pinpoint performance or perhaps security issues—but from the LI perspective, it can identify potential targets or communications of interest.

Specifically, leaving jurisdictional privacy issues aside, a network performance monitoring platform can provide a high-level view of all traffic by gathering KPIs across a wide range of applications. Because KPIs are relatively small in volume, compared to the originating traffic, it is simple to search for keywords or patterns within the KPIs themselves. This approach makes it possible to search all email subject lines for a specific term, or website URLs for a particular pattern, or monitor an application’s behavior based on its specific KPIs.

LI solutions can leverage the capability of application performance monitoring to provide detailed KPIs via DPI. This capability enables more comprehensive security monitoring at a far lower cost than the traditional brute force packet capture approach.

This tripartite approach between the passive access layer, application performance monitoring and LI provides the most comprehensive, cost-effective solution to cope with emerging high-speed networks and diverse Internet communication modes.
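The KPI approach described above, applied to email, as an added example that is not part of the white paper or of any vendor product: it reduces a constructed SMTP client stream to a small record (sender, recipient, subject, attachment name and size) and searches those records instead of stored packets. The sample stream, the function names and the record layout are assumptions made for illustration.

```python
import json
import re
from email import message_from_bytes

# Constructed sample: client-to-server bytes of one SMTP session (not real traffic).
SAMPLE_STREAM = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<alice@example.com>\r\n"
    b"RCPT TO:<bob@example.org>\r\n"
    b"DATA\r\n"
    b"From: Alice <alice@example.com>\r\n"
    b"To: Bob <bob@example.org>\r\n"
    b"Subject: Q3 capacity report\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nReport attached.\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="report.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + (b"QUJD" * 19 + b"\r\n") * 25   # 1425 bytes of attachment once decoded
    + b"--b1--\r\n.\r\nQUIT\r\n"
)

def extract_email_kpis(stream: bytes) -> dict:
    """Reduce one SMTP client stream to a small, application-specific KPI record."""
    m = re.search(rb"\r\nDATA\r\n(.*?)\r\n\.\r\n", stream, re.S | re.I)
    if m is None:
        raise ValueError("no complete DATA section in stream")
    raw = m.group(1).replace(b"\r\n..", b"\r\n.")   # undo SMTP dot-stuffing
    msg = message_from_bytes(raw)
    attachments = [
        {"name": p.get_filename(), "size": len(p.get_payload(decode=True) or b"")}
        for p in msg.walk() if p.get_filename()
    ]
    return {"from": msg["From"], "to": msg["To"], "subject": msg["Subject"],
            "message_bytes": len(raw), "attachments": attachments}

def search_kpis(records: list, field: str, pattern: str) -> list:
    """Match a pattern against one KPI field; the payload itself is never stored."""
    rx = re.compile(pattern, re.I)
    return [r for r in records if rx.search(r.get(field) or "")]

def kpi_fraction(stream: bytes, kpis: dict) -> float:
    """Size of the serialized KPI record relative to the captured stream."""
    return len(json.dumps(kpis)) / len(stream)

if __name__ == "__main__":
    record = extract_email_kpis(SAMPLE_STREAM)
    print(record, search_kpis([record], "subject", r"capacity"))
    print(f"KPI record is {kpi_fraction(SAMPLE_STREAM, record):.1%} of the stream")
```

The gap between record size and stream size widens as attachments grow, since only the attachment's name and decoded size are kept.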
Are KPIs a Positive Consequence of the New APM Paradigm?
As we have discussed, modern performance management solutions need to incorporate DPI in order to effectively identify and classify network-wide application performance. Unlike traditional SNMP or even flow-based monitoring, those metrics required to monitor networks at an application level are application-specific. That is, metrics that define one application’s performance differ from those that define another’s.

This is a subtle concept, illustrated with this example: If we are interested in email performance, we might collect pertinent statistical data such as ‘To’ and ‘From’ address, attachment name and size, time taken for the email to send and so on. In monitoring VoIP traffic, however, we collect a different set of metrics such as caller/callee identifiers, jitter, MOS score and volume. Thus, while some metrics are common across many applications, others are application-aware. This is why DPI is important, to dig into the payload of each packet and extract application specific data.

It is the collection of these application-aware metrics—or KPIs, as we have named them—which is of most interest to the new breed of network performance solutions. The KPIs go well beyond traditional performance measures such as volume and throughput, to include information traditionally the domain of policy or security managers. Identifying the ‘sender’ from an email does not, strictly speaking, pinpoint application performance issues,
