Networking / April 2, 2020

The Art of Scrying — How Network Visibility Helps Enterprises ‘See’

Updated October 28, 2021.

gerund or present participle: scrying
meaning: foretell the future using a crystal ball or other reflective object or surface.

Imagine what it would be like if your IT organization could lay their hands on a crystal ball that showed them how to make applications run faster, detect bottlenecks and provide the ultimate customer experience. That crystal ball is commonly known as an application performance management/monitoring (APM) tool. Riverbed’s SteelCentral™ AppResponse is an APM that helps businesses diagnose problems quickly and remediate before things go south.

A psychic looks for information in a crystal ball, which could be pictures, words or symbols. When it comes to application performance, the information that helps IT teams best utilize tools such as AppResponse is network data.

The number of endpoints accessing applications has grown, mostly due to mobile and IoT devices. Complete visibility is therefore vital for organizations that want to enhance their APM tools. Riverbed SteelCentral AppResponse can be deployed in conjunction with Gigamon either on-premises, or on virtual or private cloud (AWS and Azure), performing real-time and historical monitoring of packet data.

The SteelCentral suite of applications and tools provides unified network performance management; the AppResponse specifically is a network-based APM tool that can analyze every minute detail, from packet to complete webpages, for optimum end-user experience monitoring. With more and more applications directly being exposed on the front end to the users, the amount and rate of data being sent to the APMs have surged in recent years. This new nice-to-have headache for IT administrators has provided a way to identify problem areas instantly and predict patch-up work much sooner.

However, there is an important concern here: Are these tools prepared to ingest the barrage of north-south and east-west traffic with multiple copies of the same traffic flows? Is there a risk of missing a blind spot in your network that this tool will not be able to see? Is encrypted traffic going to result in the tool not being utilized effectively? Gigamon has a wide variety of solutions that can alleviate these problems and still provide a better ROI for the organization. Data acquisition and delivery to Riverbed tools is achieved through a combination of taps, SPANs and traffic aggregators that can perform basic filtering. The traffic is then fed into a next-generation packet broker, where further filtering, de-duplication and other advanced operations can be performed.

The Gigamon Visibility and Analytics Fabric™ offloads the tasks that would otherwise burden the APM. Given the strategic placement of the visibility fabric in the infrastructure, between the network and the application monitoring tool, it facilitates not only filtering and de-duplication, but also features such as header stripping, slicing, SSL decryption and so on. Let me elucidate how these features specifically help the APM tool to operate at its full potential and how IT managers ensure performance of critical business applications.

Remove Packet Headers

Stripping headers from tagged packets (VLAN, VN-tag, MPLS and so forth) works around a tool’s inability to process and understand these protocols and, where the tool can process them, reduces its overall processing load. Additionally, GigaSMART® can strip these headers for specific protocols and also add VLANs to differentiate the stripped packets from the non-stripped ones.
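What header stripping does to a frame, shown as an added Python example (not Gigamon or Riverbed code): it peels stacked 802.1Q/802.1ad VLAN tags and an MPLS label stack from an Ethernet frame and returns the untagged frame. The function name and the sample frames are constructed for illustration.

```python
import struct

VLAN_TPIDS = {0x8100, 0x88A8}   # 802.1Q and 802.1ad (QinQ) tag protocol IDs
MPLS_TYPES = {0x8847, 0x8848}   # MPLS unicast and multicast EtherTypes

def strip_tags(frame: bytes):
    """Return (untagged_frame, vlan_ids, mpls_labels) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    offset, vlans, labels = 12, [], []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    # Peel stacked VLAN tags: 2-byte TPID, then 2-byte TCI (VLAN ID = low 12 bits).
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        vlans.append(struct.unpack_from("!H", frame, offset + 2)[0] & 0x0FFF)
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2                                   # step past the final EtherType
    if ethertype in MPLS_TYPES:
        # Label stack entries are 4 bytes: label(20) | TC(3) | S(1) | TTL(8).
        bottom = False
        while not bottom:
            if len(frame) < offset + 4:
                raise ValueError("truncated MPLS label stack")
            (entry,) = struct.unpack_from("!I", frame, offset)
            labels.append(entry >> 12)
            bottom = bool(entry & 0x100)
            offset += 4
        # MPLS has no payload-type field; infer IPv4/IPv6 from the version nibble.
        version = frame[offset] >> 4 if len(frame) > offset else None
        ethertype = {4: 0x0800, 6: 0x86DD}.get(version)
        if ethertype is None:
            raise ValueError("cannot infer MPLS payload type")
    return frame[:12] + struct.pack("!H", ethertype) + frame[offset:], vlans, labels

# Constructed sample frames (not captured traffic).
MACS = bytes.fromhex("02000000000a" "02000000000b")
IP_PAYLOAD = bytes.fromhex("4500001c") + b"\x00" * 24
VLAN_FRAME = MACS + bytes.fromhex("81000064" "0800") + IP_PAYLOAD
QINQ_MPLS_FRAME = MACS + bytes.fromhex("88a800c8" "81000064" "8847" "00010140") + IP_PAYLOAD

if __name__ == "__main__":
    for name, f in (("vlan", VLAN_FRAME), ("qinq+mpls", QINQ_MPLS_FRAME)):
        clean, vlans, labels = strip_tags(f)
        print(name, len(f), "->", len(clean), "bytes; vlans", vlans, "labels", labels)
```

The returned VLAN IDs and labels are the context a tool loses once tags are stripped, which is why the stripped traffic may need to be re-marked to stay distinguishable.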

Load Balancing

When multiple APM tools are required, traffic can be load balanced so that the flows are shared across the tools. The load balancing could be stateful, stateless or enhanced. With stateful load balancing, the sessions are kept together and sent to the tools without any loss.

Slicing and Advanced Flow Slicing

If the analysis being done on the APM does not need the entire packet (including payload), packet slicing can be performed: specifying an offset value truncates the packets at that point, resulting in a massive reduction of storage for the tools. Advanced flow slicing is a newer feature whereby the device can forward the first few longer flows and later slice or drop the rest. This tremendously reduces the CPU utilization of the tool, saving bandwidth.


Masking

When sensitive customer data such as financial information or Social Security numbers must be hidden for compliance reasons, the Visibility and Analytics Fabric provides different ways to mask these details with custom patterns and lengths. This avoids unnecessary work for operators to deal with security concerns and information leakage.
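Slicing and masking side by side, as an added Python example (not Gigamon or Riverbed code): slicing at an offset drops the payload entirely, while masking overwrites matches in place with a fill pattern and keeps the length unchanged. It goes one step beyond the text by showing that per-packet masking misses a value split across two segments. The SSN regex, the 54-byte header length, the function names and the sample data are assumptions constructed for illustration.

```python
import re

# US Social Security number as dashed ASCII digits (illustrative pattern only).
SSN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

def mask(data: bytes, pattern=SSN, fill=b"X", keep_last=0) -> bytes:
    """Overwrite each match with fill bytes, keeping the length unchanged so
    packet lengths and offsets stay consistent for the receiving tool."""
    def repl(m):
        s = m.group()
        n = max(len(s) - keep_last, 0)
        return fill * n + s[n:]
    return pattern.sub(repl, data)

def slice_packet(packet: bytes, offset: int) -> bytes:
    """Packet slicing: keep the first `offset` bytes, drop the rest."""
    return packet[:offset]

def mask_segments(segments, **kw):
    """Mask a match even when it straddles segment boundaries: mask the
    reassembled stream, then cut it back into the original segment sizes."""
    stream, out, pos = mask(b"".join(segments), **kw), [], 0
    for seg in segments:
        out.append(stream[pos:pos + len(seg)])
        pos += len(seg)
    return out

# Constructed sample: 54 zero bytes standing in for Ethernet/IPv4/TCP headers.
HEADERS = b"\x00" * 54
PACKET = HEADERS + b"POST /pay ssn=123-45-6789&amt=10"
SEGMENTS = [b"name=bob&ssn=123-4", b"5-6789&amt=10"]

if __name__ == "__main__":
    print("sliced :", len(PACKET), "->", len(slice_packet(PACKET, 54)), "bytes")
    print("masked :", mask(PACKET)[54:])
    print("naive  :", [mask(s) for s in SEGMENTS])   # value survives unmasked
    print("stream :", mask_segments(SEGMENTS))
```

A masking rule is worth testing against split and re-encoded values before relying on it for compliance, since anything the pattern does not match reaches the tool in clear text.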

Out-of-Band SSL Decryption

Decryption is a highly complex and CPU-intensive task. Offloading this function to the Visibility and Analytics Fabric is a no-brainer because it maximizes tool performance, and since decryption is done centrally, multiple tools can receive copies at the same time.

As of March 2020, TLS 1.0 and 1.1 have been deprecated. This means organizations are going to move to TLS 1.3, and tools need to see decrypted traffic for analysis. The Visibility and Analytics Fabric is currently in the process of qualifying TLS 1.3 decryption.

For more use cases and how we partner with Riverbed, see the Gigamon-Riverbed joint solution brief.

Stay tuned to this space and we will be sharing more details on the 5.9 release.
