Extending Network Monitoring Tool Performance

Benefits

• Handle higher bandwidth traffic without a total reinvestment in new tools
• Improve efficiency of network administration and problem solving
• Increase return on monitoring tool investments

Table of Contents

Introduction ........ 1
Understanding Monitoring Tools ........ 1
Extending 1 Gigabit Monitoring Tool Performance ........ 2
Finding the Right Solution ........ 2
Conclusion ........ 4
About Net Optics ........ 4

Abstract

Many organizations have invested in network monitoring equipment such as protocol analyzers, intrusion detection and prevention systems, and stream-to-disk traffic loggers. The challenge is to extend the performance capabilities of these tools to handle the high-speed, multi-protocol, security threat-laden traffic of today’s and tomorrow’s networks, without a total reinvestment in new tools, and without sacrificing security. This paper explores how monitoring tools can achieve higher levels of performance without forklift upgrades. It proposes a variety of ways to extend their efficiency, including the use of a stand-alone content filtering device to offload monitoring tools by pre-filtering traffic and assisting with common tasks.

Solution Brief

Introduction

In today’s IT-driven organizations, network performance is key to providing excellent customer experiences, driving business process efficiencies, growing revenue, and maintaining competitive advantage. Network administrators, charged with keeping networks responsive to the needs of both internal and external customers, rely on network monitoring tools for a continuous stream of information to baseline and assess the network’s health. These tools enable administrators to ensure high application availability and good response times, to enforce network usage policies, and to justify and measure the impact of network upgrades. Network administrators can choose from an array of monitoring tools, ranging from open-source host-based software tools to sophisticated hardware appliances and platforms. Solutions include:

• Protocol analyzers, RMON probes, and NetFlow collectors for performance tuning
• Intrusion detection systems (IDS) and intrusion protection systems (IPS) for security
• Stream-to-disk traffic loggers and e-mail monitors for compliance auditing, forensics, and lawful intercept

The industry’s challenge is to leverage investments in existing monitoring tools as they confront increasing network speeds, higher network utilization, and the explosion of new network services and threats. The key is to find new and innovative ways to extend tool performance and improve network security by modifying the traffic flow or its basic characteristics rather than entirely replacing the tools. The following sections explain where opportunities exist for implementing new enhancements and for extending tool performance.

Handle higher bandwidth traffic without a total reinvestment, or sacrificing security

Understanding Monitoring Tools

Most network monitoring tools are task-specific, high-performance software packages running on PC or server hardware. Proprietary boxes sold as “appliances” may consist internally of standard hardware components running proprietary software, often based on the Linux operating system. The performance of these tools is determined by the speeds of the processors and memory buses, and by the size of the memory used both for caching and for buffering packets from the network. The performance of the network interface cards (NICs) is obviously critical, too, for monitoring high-bandwidth 1Gbps and faster network links.

More advanced tools help alleviate these bottlenecks by adding more processors and more dedicated buffers, typically using standard integrated circuit (IC) components on custom-designed boards with proprietary architectures. The highest performing tools go one step further, using custom-designed application-specific integrated circuits (ASICs). The type, speed, and number of processors in a tool dictate its processing performance. As network speeds increase, the number of packets that can be processed at wire speed (in other words, keeping up with the network) reaches a limit. Moreover, the further a tool’s hardware architecture diverges from standard, well-understood technology, the trickier it becomes, as engineers push radical new architectures to achieve maximum performance.

Buffers enable the tool to handle higher peak traffic loads by storing packets during high traffic periods and releasing them to be processed when the traffic is lighter. However, when the tool cannot sustain performance at full network bandwidth over an extended period of high traffic, even the largest buffers may eventually fill up, and the tool may fail to capture needed information.


Extending 1 Gigabit Monitoring Tool Performance

The objective is to deliver more network performance or security protection from a monitoring tool with minimal change. This goal can be achieved by directly upgrading or replacing software or hardware, or by combining the original tool with another device in a comprehensive system solution. Possible approaches and their impacts may include the following (in no particular order of acceptance or adoption):

• Upgrade components. If the monitoring tool runs on standard hardware, upgrading with additional memory or faster NICs and processors may be a quick and relatively inexpensive fix. Also, the vendor may have newer software releases that provide faster throughput and newer features that satisfy a particular situation.

• Purchase duplicate equipment. In many cases, two monitoring tools can run alongside each other, doubling the amount of data that can be captured. For example, one tool can process the TCP traffic while another one handles ICMP and UDP packets; or each tool can capture flows from different IP address pairs. This approach has the advantage of having no learning curve, because users already know how to operate the equipment. In addition, it provides redundancy in case one tool breaks, and the tools can be deployed separately when they aren’t needed together. On the downside, this approach may not fit into the budget or architecture. It may also create issues around seeing an integrated view of the traces from both tools.

• Upgrade to a faster tool. Higher performance equipment may be available, providing a two- to ten-times performance increase. Be sure to evaluate not only the cost of the tool itself, but also the training expense if the functions or user interface are significantly different. Also, check for compatibility with other tools that may be part of your total solution. For example, an offline protocol analyzer may work with trace files from a logging tool. Is the new logging tool’s file format supported by the protocol analyzer?

• Change the network. It may be possible to temporarily or permanently change the network so the link that needs monitoring simply doesn’t carry more traffic than the monitoring tools can handle. Load balancing, bandwidth limiting, or perhaps adding new network devices might accomplish this goal. In most cases, it probably makes more sense to change the tools rather than the network, but when the network is changed for any reason, the impact on monitoring tools should be considered.

• Use pre-capture filters. Pre-capture filters reduce the number of packets a tool needs to store and process by selecting packets of interest based on header information such as protocol type and IP address. The performance ceiling of the tool is raised because less buffering and processing power are needed to support the traffic load. Many tools offer pre-capture filters, but software-based pre-capture filters have performance limitations of their own. Because the pre-capture filter itself must process every single packet on the wire, it may be limited to selecting ten or fifteen types of traffic; for instance, only flows between ten or fifteen source and destination IP address pairs. This limitation impacts the ability of administrators to debug network problems, costing them time and productivity. Hardware-based filters implemented in custom ASICs may be able to support hundreds of filters at once, but they are found only in the more expensive equipment, so cost and administrator efficiency are a tradeoff. Another approach to improve capture ability is to copy the pre-filtered traffic stream to a high-speed memory-based file system for subsequent processing, rather than processing the pre-filtered traffic in real time.

Finding the Right Solution

In some cases, monitoring tool performance can be extended through yet another approach. It may be possible to pair an over-burdened tool with a hardware-based device that is specifically built to offload redundant or well-known tasks. The solution would include pre-filters or offload capabilities that limit the traffic sent to the monitoring tool: a dedicated device that offers Layer-3/-4 and content filtering at 1Gbps wire speed and only slightly increases the cost of your existing solution; a device that would be useful in a variety of scenarios, ranging from monitoring tool performance offload to compliance adherence. What if this device could handle hundreds of filters at wire speed?

• It could be placed in front of a network analyzer to act as a hardware-based pre-capture filter, forwarding only traffic of interest to the analyzer, and preventing overruns (Figure 1).
[Figure 1: Using a hardware pre-filter to capture traffic from hundreds of IP-pairs. (a) Without pre-filter: Router, Tap, Switch; the Protocol Analyzer captures traffic from at most 10 to 15 IP pairs. (b) With pre-filter: Router, Tap, Switch; a managed Pre-filter in front of the Protocol Analyzer selects hundreds of IP-pairs, e.g. 192.168.20.0 <-> 192.82.0.10, 192.168.40.5 <-> 192.112.0.1, 192.168.72.9 <-> 192.82.0.80, ...]

• It could relieve an IPS by eliminating hundreds of known threats identified by content strings, protocols, and port numbers (Figure 2).
[Figure 2: Using a rule-based filter to offload an IPS appliance. (a) Without filter: between Router and Switch, the IPS Appliance receives both the known, repetitive, and keyword-based threats and the complex, stateful, and emerging threats (labelled “OVERLOAD!”). (b) With filter: a managed Rule-based Filter placed in front of the IPS Appliance removes the known, repetitive, and keyword-based threats, leaving only the complex, stateful, and emerging threats for the IPS.]

• It could assist in a regulatory compliance solution by logging or blocking content containing hundreds of keywords and phrases such as “Company Confidential,” “Do Not Distribute,” and “Social Security Number” (Figure 3).

[Figure 3: Using a hardware content filter to assist a host-based compliance solution. A managed Content Filter sits between Router and Switch. Outgoing traffic: e-mail attachments containing “Company Confidential”, “Social Security Number”, and many other keywords and phrases are dropped. Incoming traffic: web sites containing profanity are dropped.]

The ability to deploy a single device in a variety of configurations allows for the flexibility to assist in multiple scenarios, offering offload and pre-filtering for tools of all types.
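The pre-capture filter approach described under “Use pre-capture filters” and the content-filter scenario of Figure 3 can both be modelled in software. The following is an added example written for this page, not Net Optics’ product or firmware: a two-stage filter that forwards only packets whose IP pair (in either direction) and protocol are of interest, then drops any remaining packet whose payload carries a listed phrase. The packet builder, parser, rule set and sample traffic are all constructed inline; the 8-byte port stub used for TCP is a simplification (a real TCP header is 20 bytes), and no capture library or hardware is assumed.

```python
"""Software model of a Layer-3/4 pre-capture filter with a keyword stage.

Added example for this page, not Net Optics' own code. It models the
pre-capture filter described in the brief (forward only packets of interest
by IP pair and protocol) followed by the content filter of Figure 3 (drop
packets whose payload carries a listed phrase). Everything is constructed.
"""
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
PORT_STUB_LEN = 8  # simplification: an 8-byte UDP-style header stands in for TCP too


def build_ipv4_packet(src, dst, proto, payload=b"", sport=0, dport=0):
    """Construct a minimal IPv4 packet: 20-byte header without options, an
    8-byte port stub for TCP/UDP, then the payload. Checksums stay zero
    because this is constructed test data, not wire traffic."""
    l4 = b""
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        l4 = struct.pack("!HHHH", sport, dport, PORT_STUB_LEN + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + l4 + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, sport, dport, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    body = pkt[ihl:]
    sport = dport = 0
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(body) >= PORT_STUB_LEN:
        sport, dport = struct.unpack("!HH", body[:4])
        body = body[PORT_STUB_LEN:]
    return src, dst, proto, sport, dport, body


class PreFilter:
    """Header stage: the (src, dst) pair must be a rule (matched in either
    direction) and, if a protocol set is given, the protocol must be listed.
    Content stage: packets whose payload contains a listed keyword are dropped."""

    def __init__(self, ip_pairs=(), protocols=None, keywords=()):
        # Unordered pairs: one entry covers both directions of a conversation.
        self.pairs = {frozenset(pair) for pair in ip_pairs}
        self.protocols = set(protocols) if protocols is not None else None
        self.keywords = [kw.encode() for kw in keywords]

    def header_match(self, src, dst, proto):
        if self.protocols is not None and proto not in self.protocols:
            return False
        return frozenset((src, dst)) in self.pairs  # set lookup: cost independent of rule count

    def classify(self, pkt):
        """Return 'forward', 'drop-header' or 'drop-content' for one packet."""
        src, dst, proto, _, _, payload = parse_ipv4(pkt)
        if not self.header_match(src, dst, proto):
            return "drop-header"
        if any(kw in payload for kw in self.keywords):
            return "drop-content"
        return "forward"


def run_prefilter(pf, packets):
    """Apply pf to each packet; return verdict counts and the forwarded packets."""
    counts = {"forward": 0, "drop-header": 0, "drop-content": 0}
    forwarded = []
    for pkt in packets:
        verdict = pf.classify(pkt)
        counts[verdict] += 1
        if verdict == "forward":
            forwarded.append(pkt)
    return counts, forwarded


def demo():
    """Constructed scenario: 300 IP pairs of interest (well beyond the ten or
    fifteen the brief attributes to software pre-capture filters), TCP/UDP
    only, and two compliance phrases. Returns (counts, forwarded)."""
    pairs = [(f"192.168.{i // 256}.{i % 256}", f"192.82.0.{i % 250 + 1}") for i in range(300)]
    pf = PreFilter(
        ip_pairs=pairs,
        protocols={IPPROTO_TCP, IPPROTO_UDP},
        keywords=["Company Confidential", "Social Security Number"],
    )
    packets = [  # constructed sample traffic
        build_ipv4_packet("192.168.0.7", "192.82.0.8", IPPROTO_TCP, b"GET / HTTP/1.0", 40000, 80),
        build_ipv4_packet("192.82.0.8", "192.168.0.7", IPPROTO_TCP, b"HTTP/1.0 200 OK", 80, 40000),
        build_ipv4_packet("10.0.0.1", "192.82.0.8", IPPROTO_TCP, b"not of interest", 1025, 80),
        build_ipv4_packet("192.168.0.7", "192.82.0.8", IPPROTO_ICMP, b"echo request"),
        build_ipv4_packet("192.168.1.43", "192.82.0.50", IPPROTO_UDP,
                          b"attachment: Company Confidential", 5000, 25),
    ]
    return run_prefilter(pf, packets)


if __name__ == "__main__":
    counts, forwarded = demo()
    print(counts, "forwarded:", len(forwarded))
```

The header stage keys a set on unordered IP pairs, so the lookup cost does not grow with the number of pairs; in this model the rule count is not the bottleneck, but every packet on the wire still passes through classify(), which is exactly the per-packet cost the brief moves into hardware. The keyword stage scans linearly, which is fine for a handful of phrases; for the hundreds of keywords Figure 3 mentions, a multi-pattern matcher such as Aho-Corasick would be the software counterpart of an ASIC pattern engine.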

Conclusion

Today’s network monitoring tools offer levels of performance that were unheard of just a few years ago, but ongoing increases in network speeds and utilization continue to challenge their limits. The move to enhance monitoring tool performance, without sacrificing security, is driven by the hundreds of thousands of dollars in lost revenue and reduced productivity that organizations suffer annually due to underperforming or down networks. One study by the Aberdeen Group estimated that network downtime costs corporations an average of US$69,000 per minute (as high as US$1.5 million per minute in some industries) and those may be minutes that a network administrator is struggling with a monitoring tool that is bumping up against its performance ceiling. Therefore it makes good business sense to invest in solutions that enable administrators to solve network problems as quickly and accurately as possible. Given the wide range of approaches for extending network monitoring tool performance, at least one is sure to be cost-effective for your organization. To learn more about monitoring prefilter and offload technology, please contact Net Optics at info@netoptics.com. Our technology experts would be happy to discuss possible solutions that Tap into your network monitoring challenges.

About Net Optics

Net Optics is the leader in innovative passive in-line devices for network security, traffic analysis, and IT monitoring. Its products are deployed in enterprises, service providers, and government organizations worldwide. Leading vendors of protocol analyzers, RMON probes, and IPS appliances have selected Net Optics for their customers’ monitoring solutions, from T1 WANs to 10 Gigabit links. For further information: http://www.netoptics.com

For further information on Tap technology:
http://www.netoptics.com/support/whitepapers

Net Optics, Inc.
5303 Betsy Ross Drive
Santa Clara, CA 95054
(408) 737-7777
info@netoptics.com

Distributed by:
Network Performance Channel GmbH
Ohmstr. 12
63225 Langen
Germany
+49 6103 906 722
info@np-channel.com / www.np-channel.com
