Visibility: Separating Fact from Fiction (Part 1 in a Series)
Is visibility more about the network or more about what is delivered to the tools?
In the course of the last two years, we have witnessed a dramatic increase in market awareness of the benefits of visibility in solving pressing challenges in both security operations and other areas of IT operations. In spite of this surge in awareness, some misperceptions about visibility remain. Beginning this week, we will be publishing a multi-part blog series titled “Visibility: Separating Fact from Fiction” to highlight some of the nuances of network visibility and ensure a correct understanding to help customers make informed implementation decisions.
A core principle of the visibility market is that a visibility solution is about ensuring that the delivered traffic meets the capacity and processing demands of the tools that consume the network traffic, not necessarily about matching the speed of the network. Many customers are initially drawn to visibility by a desire to “tap” traffic at a few locations in order to protect their valuable resources. These customers quickly recognize that merely tapping and delivering traffic to the attached tools is insufficient and may, in some cases, even overload the tools if the visibility architecture is not carefully designed!
Accordingly, a market-leading visibility solution must use a tiered structure to ensure that, while all traffic is ingested at line rate, only the most relevant and appropriate traffic is delivered, maximizing the efficiency of the attached management or security tools. In Gigamon’s Visibility Fabric architecture, for example, we achieve this as follows:
- Filter traffic flows of interest: Our patented Flow Mapping® technology is a foundational Fabric Service available on every Visibility Fabric™ node, operating at line rate on all the Gigamon nodes.
- Send relevant and appropriate traffic flows to GigaSMART® for further optimization: GigaSMART is a combination of high-performance specialized compute and customized software applications that are designed to optimize and deliver the traffic to tools at scale without any packet drops. Already, we have over 15 traffic intelligence applications available in the GigaSMART suite, each of which helps to extract the relevant packets, flows and sessions of interest to each of the attached tools. Now in its fifth year of development, GigaSMART has been proven in hundreds of customer networks globally.
- Scale out traffic intelligence: No matter how powerful an individual compute node is, scale-out architectures are used in modern infrastructure today, including those that power today’s highly popular Web 2.0 and social media services. Likewise, GigaSMART software makes use of patented Gigamon innovations such as service chaining and engine grouping to allow additional capacity to be pooled together. For example, a cluster of 32 GigaVUE-HC2 nodes, each with 5 GigaSMART modules, can scale up to 6.4 Tb of GigaSMART processing in the cluster, a scale of traffic intelligence that is unmatched in the industry today.
Once all these steps are done, the right (optimized) traffic is sent to the right tools.
What benefits does such a structured approach provide? For one, the architecture allows a GigaSMART engine group to see all the traffic that needs to be sent to the tools, maximizing traffic optimization. A second benefit is the adoption of a platform-based approach where a common programmable framework can be used to turn up multiple software applications on demand. Finally, any arbitrary sequence of traffic optimizations can be performed on a common platform: for example, SSL decryption followed by extracting entire TCP/UDP sessions containing a pattern of interest in one of the packets, while concurrently generating NetFlow/IPFIX records on traffic streams, regardless of whether the traffic came from a physical network source or from a virtual network source. With the right architecture, one can do this without having to invest in a plethora of point products. This is in sharp contrast with the “stovepipe” approach used by some market players who have assembled a hodge-podge visibility product set with acquisitions, as they have been forced to play catch-up in this rapidly expanding market space.
So, is visibility more about the network or more about what is delivered to the tools? Both! Of course, the reach of visibility is important in order to gain access to the right traffic, but the key is to ensure that traffic delivered by the Visibility Fabric meets the capacity and processing demands of the tools that consume the network traffic.
More to come in the next part of this series.