Cloud / April 21, 2022

Clear the Cloud Visibility Haze with Application Awareness

Increasingly, organizations are heading for the cloud, initiating new born-in-the-cloud architectures and migrating existing applications to Infrastructure-as-a-Service (IaaS) providers and hybrid clouds via “lift and shift” or refactoring. With this transition, they scale deployments with more servers and VMs, run high-capacity links, leverage containers, and routinely add new observability, security, and monitoring tools. On top of that, they’re often running hundreds or even thousands of apps, which — unbeknownst to IT — could include rogue software such as crypto mining or BitTorrent.

With ever-increasing volumes of application-oriented data, it’s hard for IT teams and tools to focus on the most actionable activity and avoid wasting resources processing irrelevant traffic. We often inundate security, observability, compliance, and network monitoring tools with low-risk, low-value traffic, making them less effective and requiring needless scaling. Additionally, false positives and alerts can overwhelm NetOps, CloudOps, and SecOps teams, obscuring the root causes of network and application performance issues and the real threats buried in volumes of undifferentiated traffic.

“Old School” Solutions

Traditionally, IT teams have taken laborious steps to identify applications based on network traffic, by either hardwiring ports to specific applications or writing regular expressions to inspect traffic patterns and identify apps. Such manual workarounds, however, bring their own challenges. When change occurs, such as growth in an application’s usage or the introduction of new applications, NetOps teams must update network segmentation. And app updates can change traffic patterns and behavior, meaning IT must constantly test and update their homegrown regex signatures. For the cloud, implementing such stopgap measures is difficult, if not impossible.

Until now, it’s been hard to isolate cloud traffic by application type and specify whether or not it gets inspected by tools. Visibility has been siloed, and filtering options often only go up to Layer 4 elements, forcing organizations to pass all traffic through their tools or risk missing potential threats. However, having each tool (intrusion detection system, data loss prevention, advanced threat detection, network analytics, forensics, and so on) inspect packets to filter irrelevant traffic is inefficient and costly, as most tool pricing is based on traffic volume and processing load. While packet brokering can reduce traffic, it requires programming knowledge to maintain complex rules. And although some systems provide a level of application filtering, it’s hard to use, identifies a limited number of applications, and doesn’t typically share this insight. Furthermore, the filters require ongoing maintenance to keep up with changing application behavior.

Visualize and Filter Cloud Apps

Gigamon GigaVUE® Cloud Suite with Application Filtering Intelligence (AFI) brings application awareness to your multi-cloud environments. Whether it’s public cloud (AWS and Azure) or private (VMware and Nutanix), we have you covered. Cloud Suite automatically extends Layer 7 visibility to identify more than 3,500 common business and network applications traversing the network and lets you select and deliver only high-value or high-risk data based on application, location, and activity.

Figure 1. Identify, filter, and properly forward applications to tools

Gigamon AFI classifies applications into categories that are automatically updated as the landscape evolves. This allows your team to take actions on a “family” of applications versus setting policies on individual apps. Examples of application families include antivirus, audio/video, database, ERP, gaming, messenger, peer-to-peer, telephony, webmail, and dozens more.

Now each tool is more efficient, since it no longer needs to store and process large volumes of irrelevant traffic. NetOps can apply existing tools across a larger area by prioritizing only core business applications and accelerate investigation of network and application performance issues with easier data isolation.

SecOps teams can extend current tools to a larger attack surface, securing more of the network and preventing sensitive data, such as personally identifiable information (PII), from being routed to monitoring and recording tools. For more on how to benefit from AFI, check out this paper.

Empower Tools with Application-Aware Metadata

Not only is identifying applications a serious challenge in the cloud, but obtaining even basic metadata, such as NetFlow, is problematic in public IaaS. You can derive basic details, such as which IP addresses are used and by whom, along with port and protocol details. But what you need is summarized, context-aware information about raw packets, based on Layers 4–7, that provides insights into user behavior, security breaches, customer experience, and infrastructure health.

Advanced metadata attributes expand on app layer visibility and support a comprehensive approach to obtaining application behavior. Especially when deploying workloads in the cloud, you can acquire critical flow details, reduce false positives by separating signal from noise, identify nefarious data extraction, and accelerate threat detection through proactive, real-time traffic monitoring as well as troubleshooting forensics.

Observability and SIEM solutions use this information to correlate and analyze log data from servers and security appliances. Network security and monitoring tools leverage this metadata to deliver the insight and analytics needed to manage the opportunities and risks associated with cloud deployments. And administrators can automate anomaly detection, stop cyber threats that overcome perimeter or end-point protection, and identify bottlenecks and understand latency issues.

Application Metadata Intelligence

Based on Layers 4–7, Application Metadata Intelligence (AMI) supplies network and security tools with more than 5,000 metadata characteristics that shed light on the application’s performance, customer experience, and security (see Figure 2 below). Gigamon extracts and appends these elements to NetFlow and IPFIX. Records include:

  • Identification: Social media user, file and video names, SQL requests
  • HTTP: URL identification, command response codes
  • DNS parameters: 39 elements, including request/response, queries, and device identifiers
  • IMAP and SMTP email-based communications with sender and receiver addresses
  • Service identification: Audio, video, chat, and file transfers for VoIP and messaging
  • Customer/network awareness: VoIP (SIP, RTP) and mobile (GTP, HTTP/2) control/signaling and user/data plane sessions
Figure 2. Supplement tools with app-aware attributes

Advanced L7 metadata can be applied in a variety of use cases. AMI’s principal deployment is in providing metadata to SIEM and observability tools for security analysis. This can help you:

  • Identify use of weak ciphers and expired TLS certificates
  • Investigate suspicious network activity by detecting unauthorized remote connections, bandwidth usage, connection longevity, or an unusual quantity of SSH, RDP, or Telnet sessions
  • Detect data exfiltration by monitoring the volume and types of DNS requests implying DNS tunneling and evaluating the legitimacy of the domains
  • Pinpoint security breach origins with time-window analysis of Kerberos, SMB, and HTTP use to isolate the prior and post protocol activities that lead up to an incident
  • Find suspicious behaviors that suggest compromised credentials or brute force attacks, such as high-privilege user activity, logins from unauthorized systems or multiple hosts, and HTTP client errors

To learn about these capabilities and more, check out this technical use case paper.

Cloud Providers Come Up Short

While IaaS and private cloud orchestration and management platforms are remarkably resilient, dynamic, and infinitely scalable, they don’t offer next-generation network packet brokers (NGNPB) with a deep observability pipeline provided by Gigamon. Not only do these brokers aggregate, filter, and distribute all traffic to the proper security and networking tools, they also provide the compute power behind AFI and AMI.

To learn more about obtaining application-layer visibility in the cloud with contextual insights, contact Gigamon or request a demo of Application Intelligence.

Featured Webinars

Hear from our experts on the latest trends and best practices to optimize your network visibility and analysis.


People are talking about this in the Gigamon Community’s Hybrid/Public Cloud group.

Share your thoughts today

Back to top