Another Kind of Insurance Policy – Network Forensics

The recent Symantec security breach proves that even global brands and governments are vulnerable to hackers, and companies need to have contingency plans in place, as no amount of security can protect all of your data all of the time. So, what is one of the best contingency plans on the market?

Network Forensics

Network forensics is an essential, but often overlooked, part of any comprehensive security strategy. Many companies believe that a simple activity monitoring solution, typically involving IDS/IPS (Intrusion Detection/Intrusion Prevention Systems), is all they need to protect their network and dissect what happened if a problem does occur. However, these solutions are not foolproof, as the many recent and very public attacks indicate, and they appear less effective against Advanced Persistent Threats (APTs), which are on the rise. Although IDS/IPS solutions help indicate and prevent problems, when they miss a problem you have no data to analyze to figure out what went wrong. Many IDS/IPS also rely heavily on log files to record incident data, but log files themselves are vulnerable to manipulation in today’s sophisticated attacks. Network forensics, on the other hand, records all network activity, not just the activity it deems suspicious. Network forensics solutions can capture at line rate on 10G networks (typically at or above 10Gbps), record all network activity at the packet level to fixed storage, display key network performance statistics in real time, and provide visual tools for post-capture analysis that let users quickly drill in on problem areas.

With all of the data in a central location and in a format that can be easily analyzed, security teams can quickly locate the source of a virus or other security breach, or monitor for specific virus ‘fingerprints’ to avoid a major infection. And network forensics goes beyond just providing security insurance. The insight provided by these solutions is even more essential with the growing number of on-the-go users within a company. In fact, it’s often business-critical issues that have nothing to do with cyber attacks, like violations of industry regulations or data breaches, which drive the need for post-incident analysis. A breached mobile device or infected personal laptop brings outside threats inside the network, undetected by most IDS/IPS. The ability to recognize a breach and pinpoint the source prevents a compromise of the entire network. In addition, network forensics can be used to identify rogue or unauthorized devices trying to access the network, preventing a potential hack.

In reviewing network activity after a breach to break down the attack, network forensics can be leveraged in three ways:

Real-time Statistics: A key feature in a good network forensics solution is the ability to see important statistics in real-time, while continuing to record abnormal or suspicious traffic on the network. Seeing statistics in real-time provides assurance that you truly are on the right track.

Detailed Analysis: Real-time statistics provide assurance, but the crux of network forensics is in drilling into the data, accessing detailed information for discovering DDoS (Distributed Denial of Service) attacks, worms, or other abnormal activities.

Suspicious Events Discovery: Expert modules can detect potential attack activities or problems in any of the 7 OSI layers. Additionally, network forensics can reduce analysis time by filtering on particular items of interest—for example, IP addresses, applications, payload strings, etc.
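The filtering described above only works because every packet was recorded; the following is an added example (not code from the original post) that builds a small libpcap-format capture of constructed IPv4/TCP traffic and then runs the kind of post-capture query an analyst would: by host, by port, and by a payload string learned only after the fact. The frame contents, addresses and the `CONSTRUCTED-IOC` marker are all constructed sample data.

```python
"""Post-capture search of a full-packet recording (added example)."""
import struct
from typing import Iterator, List, NamedTuple, Optional

PCAP_MAGIC = 0xA1B2C3D4       # little-endian libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


class Record(NamedTuple):
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame for the sample capture; checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     _ip(src), _ip(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    """frames: iterable of (timestamp_seconds, frame_bytes) -> libpcap file bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data: bytes) -> Iterator[Record]:
    """Yield one Record per IPv4/TCP packet in a little-endian libpcap capture."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    off = 24                                   # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl]
        off += incl
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != PROTO_TCP:
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        doff = (frame[tcp + 12] >> 4) * 4
        yield Record(sec + usec / 1_000_000, src, dst, sport, dport,
                     frame[tcp + doff:14 + total_len])


def search(records, host: Optional[str] = None, port: Optional[int] = None,
           needle: Optional[bytes] = None) -> List[Record]:
    """Keep records matching every criterion given; host/port match either end."""
    hits = []
    for r in records:
        if host and host not in (r.src, r.dst):
            continue
        if port and port not in (r.sport, r.dport):
            continue
        if needle and needle not in r.payload:
            continue
        hits.append(r)
    return hits


# Constructed capture: ordinary web traffic plus one connection carrying a
# marker string that a signature might only have been written for later.
SAMPLE_CAPTURE = build_pcap([
    (1_700_000_000.000, build_tcp_frame("10.0.0.5", "198.51.100.10", 51000, 80,
                                        b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")),
    (1_700_000_000.250, build_tcp_frame("198.51.100.10", "10.0.0.5", 80, 51000,
                                        b"HTTP/1.1 200 OK\r\n\r\n")),
    (1_700_000_001.000, build_tcp_frame("10.0.0.7", "203.0.113.9", 49152, 8080,
                                        b"X-Sample-Indicator: CONSTRUCTED-IOC\r\n")),
    (1_700_000_001.100, build_tcp_frame("10.0.0.7", "203.0.113.9", 49152, 8080, b"")),
])


def hosts_that_sent(needle: bytes, capture: bytes = SAMPLE_CAPTURE):
    """Retroactive question: which internal hosts ever sent this indicator, to whom?"""
    return [(r.src, r.dst) for r in search(parse_pcap(capture), needle=needle)]
```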

Network forensics can be a powerful tool in your security, as well as your compliance, strategy, but the key is to have a solution in place now – before you have a need for post-incident analysis or require data to investigate an attack that’s missed by your IDS/IPS. If you want to learn more about popular security breaches happening now and get more details on network forensics, check out our “It’s Not a Mwebinar When… – Network Forensics, the Ultimate Security Tool” on demand webcast here.


The Basics of Wireless Channel Aggregation

You’ve bought the controllers, the access points (APs), the VoIP phones – the entire infrastructure required for wireless – and while all of these pieces worked well together during the testing phase, when people in your company start using wireless, a variety of problems begin to pop up. Problems such as: dropped VoFi calls, low signal strength, and connectivity issues.

So the question now is: why does everything seem fine during testing, but malfunction under real world conditions?

One of the answers may be that you do not have adequate visibility of your WLAN setup. Specifically, in today’s highly mobile environment, it is not enough to monitor each channel of a WLAN independently. As wireless users move around, or roam, they typically transition from one AP to another and from one channel to another, and it is often these transitions that cause serious issues for wireless-based application use.

To adequately monitor, analyze, and troubleshoot your WLAN you must collect data across multiple channels simultaneously for visibility when users roam. At WildPackets we call this channel aggregation. With traditional wired network analysis, there’s only one “channel” in use, so channel aggregation is a function that is unique to WLAN analysis.

Wireless channel aggregation is relatively straightforward, if not widely available. Most WLAN analysis products scan through the channels of interest to compile overall statistics for WLAN performance. Scanning creates gaps in the data, and the more channels scanned, the bigger the gaps. This technique, though adequate for generating statistics, falls far short for detailed analysis and root-cause resolution. For example, let’s say your WLAN uses 10 channels. Because the data capture is only on one channel at a time, you are only receiving 10% of the data on any single channel. This means that you’re blind to 90% of the activity on that channel, which is woefully inadequate for detailed analysis. This is especially true for analyses that involve critical timing, like roaming. Roaming should take place within a few hundred milliseconds, or less. If you go back to our 10 channel example, and assume that the dwell time on each channel is 0.5 seconds, then you will have a 5 second gap between times when data is collected on any given channel, and this is obviously inconsistent with the millisecond granularity needed for detailed timing analysis.

Wireless channel aggregation gets us past these problems. All that is needed is an analysis solution capable of receiving data from multiple channels simultaneously, and enough wireless adapters to cover each of the channels to be analyzed. The data is then captured into a single analysis session, and you have all the data from all the channels and can perform any level of detailed analysis that’s required.
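To make the scanning-versus-aggregation difference concrete, here is an added example (not WildPackets code) that replays a constructed roam trace through a round-robin scanner using the post's 10 channels and 0.5 s dwell, and through one adapter per channel. The channel numbers, frame timing and the 40 ms roam are constructed; it shows both the 5 second revisit period from the text and how a scanner mis-times the roam.

```python
"""Scanning versus channel aggregation when timing a roam (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Frame:
    t_ms: int        # capture timestamp in milliseconds
    channel: int     # 802.11 channel the frame was sent on
    kind: str        # "data", "reassoc-req" or "reassoc-resp"


CHANNELS = [36, 40, 44, 48, 52, 56, 60, 64, 100, 104]   # ten 5 GHz channels (constructed)
DWELL_MS = 500                                          # 0.5 s per channel, as in the post


def revisit_period_ms(channels: List[int], dwell_ms: int) -> int:
    """Time between successive visits to one channel: the '5 second gap' in the post."""
    return len(channels) * dwell_ms


def scanner_channel(t_ms: int, channels: List[int], dwell_ms: int) -> int:
    """Channel a single round-robin scanning adapter is parked on at t_ms."""
    return channels[(t_ms // dwell_ms) % len(channels)]


def scanned_capture(frames: List[Frame], channels: List[int], dwell_ms: int) -> List[Frame]:
    """What one scanning adapter records: only frames on its current channel."""
    return [f for f in frames if f.channel == scanner_channel(f.t_ms, channels, dwell_ms)]


def aggregated_capture(frames: List[Frame], channels: List[int]) -> List[Frame]:
    """Channel aggregation: one adapter per channel, so every frame on those channels is kept."""
    wanted = set(channels)
    return [f for f in frames if f.channel in wanted]


def roam_latency_ms(captured: List[Frame], old_ch: int, new_ch: int) -> Optional[int]:
    """Roam time as an analyzer measures it from the frames it actually holds:
    last frame seen on old_ch to the first frame seen on new_ch after that."""
    old = [f.t_ms for f in captured if f.channel == old_ch]
    if not old:
        return None
    last_old = max(old)
    new = [f.t_ms for f in captured if f.channel == new_ch and f.t_ms > last_old]
    return min(new) - last_old if new else None


def make_roam_trace() -> List[Frame]:
    """Constructed trace: a client streams on channel 36, roams to 44 at t=1000 ms,
    reassociates within 40 ms and keeps streaming there."""
    frames = [Frame(t, 36, "data") for t in range(0, 1000, 20)]
    frames += [Frame(1020, 44, "reassoc-req"), Frame(1040, 44, "reassoc-resp")]
    frames += [Frame(t, 44, "data") for t in range(1060, 2000, 20)]
    return frames


def compare() -> dict:
    """Roam latency as seen by a scanning adapter versus full channel aggregation."""
    trace = make_roam_trace()
    scanned = scanned_capture(trace, CHANNELS, DWELL_MS)
    return {
        "true_roam_ms": roam_latency_ms(aggregated_capture(trace, CHANNELS), 36, 44),
        "scanner_roam_ms": roam_latency_ms(scanned, 36, 44),
        "frames_seen_by_scanner": len(scanned),
        "frames_total": len(trace),
    }
```

The scanner happens to catch frames on both channels here, yet reports a roam more than ten times longer than it was, because the last frame it saw on the old channel was half a second before the client actually left.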

Now that you have a better understanding of wireless channel aggregation, you can be better informed when looking for solutions capable of true root-cause wireless troubleshooting. At a minimum, we suggest that these tools be able to capture wireless packets from multiple channels simultaneously (without scanning) and measure vital statistics on each channel separately, as it provides you with a better understanding of the activities happening on each channel. Additionally, having a wireless channel aggregator that calculates latency of devices roaming between access points is also very helpful.

For more details on what is out on the market, and the hardware and software needed to perform wireless channel aggregation, check out this whitepaper by the Certified Wireless Network Professional titled The Triple Blendy.


Network Monitoring 101

Network monitoring is far more complex than its name implies – ask anyone in the field. Technically speaking, network monitoring is a systematic checking of key performance metrics to assure that the quality of service and the network capacity are within predetermined boundaries. Simply put, network monitoring examines an internal network for problems or irregularities with the end goal of ensuring network uptime.

To complete the task of network monitoring, network engineers are equipped with tools that provide them with an overall as well as a granular view of the network. There are three main technologies that are primarily used for network monitoring: SNMP, flow-based monitoring, and packet-based monitoring. Each of these technologies has benefits and downsides.

With that in mind let’s look at each of the technologies used in network monitoring and determine which one(s) might be the best option for your business.

Simple Network Management Protocol (SNMP)

SNMP is one of the oldest network monitoring techniques on the market, and its main purpose is to manage devices on IP networks. These devices typically include routers, switches, servers, workstations, printers, and others. SNMP data provide network engineers with a high-level view of the condition of networked devices. With SNMP you can see, for example, the core temperature of a device, how many users are accessing a device, overall throughput (for network connections), etc.

This device view is one of the major reasons why SNMP is still frequently used. However, one of the drawbacks to SNMP is that it is based on polling, so configuration for each device is required before meaningful data can be obtained, and a specific polling interval must be specified, typically every minute, or longer. As the number of devices being monitored grows, SNMP polling can create a significant amount of network traffic, further taxing the network you’re trying to monitor. In addition, detailed troubleshooting and root-cause analysis of network issues is not possible with the level of data available via SNMP, so even if you know that a device has a problem, you cannot typically determine the exact nature of the problem in order to fix it.

SNMP is a bit archaic as a network monitoring solution, but it still provides one of the best ways to see device metrics and summary-level activity on your network — just be aware of the network overhead attached with SNMP solutions, and the limited ability to perform root-cause analysis.

Flow-based Monitoring

Flow-based monitoring solutions are by far the most popular solutions on the market today. Flow-based solutions use existing resources like network switches and/or routers to obtain data that is already being processed by these devices. This can be very cost-effective because it eliminates the need for additional hardware and software to obtain network data for analysis.

Flow-based technologies are intended to provide network engineers with an overview of network performance, including information like application performance and overall bandwidth utilization. Flow-based systems analyze seven distinct characteristics of each packet on the network and group the overall data into network conversations. All network statistics must be compiled on the basis of these seven characteristics and the resulting network conversation data.

With all the positives that flow-based solutions can provide a network engineer, they lack the ability to zero in on specific problems that require deeper packet information and decodes. In addition, flow-based systems can tax the very devices being used to run your network – your switches and routers – when networks get busy. In this case, network devices will default to their primary objective, routing IP packets, and loss of flow-based data and analysis can result.
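The following added example (not vendor code) shows in miniature what the flow cache on a router does with the seven characteristics mentioned above and why payload-level questions cannot be answered from the result. The post does not name the seven fields; the keys used here are the classic NetFlow v5 ones (source and destination IP, source and destination port, IP protocol, ToS byte, input interface), and the packet records are constructed.

```python
"""Flow-based monitoring in miniature (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int      # IP protocol number, 6 = TCP
    tos: int        # IP ToS/DSCP byte
    in_if: int      # ingress interface index on the exporting router
    octets: int
    payload: bytes  # present on the wire, absent from any flow record


FlowKey = Tuple[str, str, int, int, int, int, int]      # the seven NetFlow v5 key fields


@dataclass
class Flow:
    """One unidirectional flow record; note that there is no payload field."""
    packets: int = 0
    octets: int = 0
    first_ts: float = 0.0
    last_ts: float = 0.0


def flow_key(p: Packet) -> FlowKey:
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto, p.tos, p.in_if)


def aggregate_flows(packets: List[Packet]) -> Dict[FlowKey, Flow]:
    """Fold packets into unidirectional flow records, as a router's flow cache does."""
    flows: Dict[FlowKey, Flow] = defaultdict(Flow)
    for p in sorted(packets, key=lambda x: x.ts):
        f = flows[flow_key(p)]
        if f.packets == 0:
            f.first_ts = p.ts
        f.packets += 1
        f.octets += p.octets
        f.last_ts = p.ts
    return dict(flows)


ConvKey = Tuple[Tuple[str, int], Tuple[str, int], int]


def conversations(flows: Dict[FlowKey, Flow]) -> Dict[ConvKey, Flow]:
    """Merge the two directions of each flow into one network conversation."""
    convs: Dict[ConvKey, Flow] = defaultdict(Flow)
    for (src_ip, dst_ip, sport, dport, proto, _tos, _if), f in flows.items():
        a, b = sorted([(src_ip, sport), (dst_ip, dport)])   # direction-independent key
        c = convs[(a, b, proto)]
        c.first_ts = f.first_ts if c.packets == 0 else min(c.first_ts, f.first_ts)
        c.last_ts = max(c.last_ts, f.last_ts)
        c.packets += f.packets
        c.octets += f.octets
    return dict(convs)


def payload_matches(packets: List[Packet], needle: bytes) -> List[Packet]:
    """The question packet-based analysis can answer and flow records cannot."""
    return [p for p in packets if needle in p.payload]


# Constructed sample: one HTTP exchange between a workstation and a web server.
SAMPLE_PACKETS = [
    Packet(1.000, "10.0.0.5", "10.0.0.20", 51000, 80, 6, 0, 1, 60, b""),
    Packet(1.010, "10.0.0.20", "10.0.0.5", 80, 51000, 6, 0, 2, 60, b""),
    Packet(1.020, "10.0.0.5", "10.0.0.20", 51000, 80, 6, 0, 1, 512, b"GET /index.html HTTP/1.1\r\n"),
    Packet(1.050, "10.0.0.20", "10.0.0.5", 80, 51000, 6, 0, 2, 1500, b"HTTP/1.1 200 OK\r\n"),
    Packet(1.060, "10.0.0.5", "10.0.0.20", 51000, 80, 6, 0, 1, 60, b""),
]
```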

If you want a deeper dive into how flow-based systems work, as well as the various vendors and how their products differ, please check out our blog “Basics of Flow.”

Packet-based monitoring

Packet-based analysis was historically reserved for deep dive troubleshooting. However, packet-based systems have evolved into complete network monitoring, reporting, and troubleshooting solutions that can deliver the same statistical data as flow-based and SNMP systems while also providing the most detailed network analysis possible. Packet-based monitoring analyzes the complete details of every IP packet on the network, including the packet payloads, providing a complete view of network activity and allowing for true root-cause analysis of the most complex network problems. Packet-based systems typically require additional hardware to capture network data, but this extra cost is offset by the ability to achieve root-cause analysis, and it allows your network analysis solution to be truly passive – a significant advantage as network speeds move from 1G to 10G and beyond.

From a business perspective, packet-based solutions are the only sure-fire way to solve issues quickly and effectively, without impacting the performance of the network itself.

Whether you are a business looking for the best network monitoring solution on the market, or simply want to brush up on your network monitoring 101, hopefully this helped you determine what monitoring technology is best for your environment and your budget.


The Clock is Ticking: How Quickly Can You Respond to a Data Breach?

What would the holidays be without the inevitable email phishing campaigns, cyber attacks, and data breaches? This year’s recipients included Apple, Telstra, an Australia-based telecommunications and information services company, and Stratfor Global Intelligence, an Austin, TX-based security group, among others. And when it comes to responding to breaches, time is of the essence.

“‘Every minute you take to figure this out, you could be losing more e-mails and more credit data,’ Kevin Mandia of Mandiant recently said to the NY Times. The goal is to determine quickly the “fingerprint” of the intrusion and its scope: ‘How did the guy break in? What did he take? When did he break in? And, how do I stop this?’”

In fact, your cyber security solution needs to address these five key questions:

  1. Who was the intruder?
  2. How did the intruder penetrate security?
  3. What damage has been done?
  4. Did anything get left behind?
  5. Did you capture sufficient information to effectively analyze and reproduce the attack?

Question 5 is the gotcha for most solutions. While Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) raise an alarm, they fail to provide network engineers with the details they need to quickly locate and correct the source of an attack. Augmenting these systems with a network recorder enables post-event analysis that exposes the attacker, the method, and the damage.

The following video shows why you should employ data recorders in line with your IDS/IPS systems.

Join us February 15, 2012 at 8:30AM PST, for a free live seminar, “Cyber Security – IDS/IPS is not Enough,” to learn how with Network Forensics and Network Recording you can characterize not only the breach, but also assess the damage, ensure no further compromise, and comply with corporate and legal requirements for reporting.


Announcing Our Winter Roundtable Series

Our technical experts are hitting the road once again to bring interactive educational seminars to a town near you. These free, half-day Network Performance Roundtables feature real world examples and best practices for monitoring, analyzing, and troubleshooting highly utilized 10G networks, VoIP, virtual network infrastructures, wireless networks, and much more. Following the seminar, network with your peers over a complimentary lunch.

Agenda:
9:45 Registration
10:00 Welcome and Introductions
10:15 Total Network Visibility!

  • Implementing Distributed Packet Capture and Methodologies at 10G
  • VoIP Monitoring, Analysis, and Troubleshooting
    • Handling Conflicting Demands of Data and VoIP
    • Rethinking the Metrics: What do MOS, Jitter, and Latency Mean?
  • Configuring Your Virtual Network for the Realities of Network Analysis
    • Understanding Your Options
    • Monitoring and Analysis for Large Virtual Environments
  • WLAN Capture and Analysis
    • Troubleshooting Wired and Wireless Simultaneously
    • Troubleshooting Roaming Issues
  • Overview of WildPackets Product Lines
  • Questions

12:00 Lunch/ Q&A Roundtable Discussion

Attend a roundtable in your area and learn how to:

  • Implement total network visibility at 10G speeds
  • Monitor, analyze, and optimize voice and video quality
  • Configure your virtual network for the realities of network analysis
  • Pinpoint network issues and anomalies on both wired and wireless networks

Besides leaving this roundtable with a full stomach, you’ll be armed with tips and tricks for realizing full capture and real-time visibility. Have a specific question you’re dying to know the answer to? Let us know and we’ll be sure to cover it in your session.

Dates and Locations:

Don’t see a venue near you? Let us know you want us to visit your area and we’ll try to bring a roundtable to you in the Spring.


Network Traffic Capture Systems = The ONLY System for Highly Utilized Networks

When it comes to securing – and analyzing – your highly utilized networks you have a choice: individual SPAN ports and taps to capture network traffic, resulting in spotty overall visibility with potential failure when your system is under attack, OR a network traffic capture system with 24×7 capture of network and security data and total network visibility. Which will you choose?

In a recent article, Shamus McGillicuddy of SearchNetworking compares network traffic capture systems with network security appliances that simply plug into SPAN ports and taps. Know which solution offers broader security visibility? Network traffic capture systems do. Did you choose right?

Network traffic capture systems employ highly sophisticated network taps that split live, extremely high data rate traffic from switches and routers, and feed it to multiple network security appliances. They also offer matrix switches that aggregate traffic from these taps, allowing a single security appliance to analyze traffic from multiple network ports. Shamus illustrates how relying on individual SPAN ports and taps to capture network traffic for security appliances usually results in spotty overall visibility of your network. Even though SPAN ports can be cheaper than a network capture solution, they are oftentimes unreliable and quit functioning when your system is under attack, in other words, exactly when you need them most. Network traffic capture systems provide a more fault tolerant view of the network, consistently providing all network traffic to security appliances so they can better detect even the normally invisible attacks like APTs (advanced persistent threats).

This same philosophy can be applied to network analysis. As networks get faster and more complex, SPAN ports and taps become more unreliable and oftentimes fail to provide the data needed for network analysis when you need it most. Also, with 10G and now even 40G networks in place, it can even be too much to ask for a single network management appliance to handle these extremely high data rates while still providing the detailed analysis to which we’ve become accustomed. It is essential in today’s high-speed networks to have a complete network analysis solution in place, one which employs both a network traffic capture system as well as network analysis appliances to help you quickly identify and solve problems at the network level, as well as achieve compliance at the business level.

From a network engineer’s perspective, network traffic capture solutions will help you:

  • Fully utilize the capabilities of underlying network analysis solutions, even as network speeds grow to 10G and beyond
  • Better architect your overall network analysis and network security infrastructure by taking advantage of a centralized, highly available, network traffic capture appliance that can both dissect and aggregate traffic, and deliver it to multiple analysis appliances
  • Ensure that network and security data is captured 24×7, and not sacrificed when the precious SPAN port is needed for another application
  • Constantly monitor your network, providing the baseline data needed to understand your existing network, as well as the impact of deploying new technologies such as VoIP or video
  • Employ network recorders that save all network data, eliminating the time consuming step of having to reproduce problems before they can be analyzed
  • Mitigate security issues

From a CIO and manager’s perspective, network traffic capture solutions will help you:

  • Save time and money through “always on” network and security analysis
  • Respond to issues in real-time, often solving issues before they impact mission critical applications
  • Understand service level compliance within organizations
  • Audit and track network activity for government and HR compliance

If you are dealing with a network that is highly utilized, SPAN ports and taps are inefficient when it comes to meeting your security, compliance, and network analysis needs. In today’s 10G world, you need to have a system in place that can capture ALL network data, 24×7, to ensure a stable and safe network.


Your Security and Your Business’ Security: The Cyber Intelligence Sharing and Protection Act

Earlier this month, the House Intelligence Committee introduced a bill promoting shared cyber security information between the government and corporations. The bill exempts companies from liability for voluntarily disclosing hacking incidents and gives corporations access to data from the National Security Administration to help protect their networks.

Who’s For the Bill
Representative Mike Rogers, the chairman of the House Permanent Select Committee on Intelligence, stated that “Through hard work and compromise we have struck a delicate balance that provides strong protection for privacy and civil liberties, while still enabling effective cyber threat sharing and providing clear authority for the private sector to defend its own networks.”

Internet, cable, and telecommunication companies like Verizon and Comcast support the bill as it creates strong incentives for the private sector to cooperate with the government on a voluntary basis. Corporations also have access to classified intelligence on cyber security threats so they can protect their own networks.

This philosophy of “sharing is caring” or, better put, “sharing stops hacking” has been key in the anti-fraud world, where early warnings have helped to reduce fraud. The success of this could provide for a good benchmark going forward with this bill.

Who’s Against the Bill
Members of the administration and privacy groups are arguing against the bill, stating that the generous liability and antitrust protections could limit the government’s ability to protect citizens due to the lack of corporate accountability. As Michelle Richardson, legislative counsel for the American Civil Liberties Union, states, “The concern is that the government will be able to create records of people’s Internet use in the name of cyber security.”

The information presented to the government would be shared without a court order, and some incidental data might be transferred to the government. Companies could require that their security providers remove any reference to the firm’s name, employees or customers before sharing with the government; however, this is left to the company’s own discretion.

For You and for Your Business
Cyber security is an ever-present issue no matter how big or small your business. However, many security attacks can be traced to a lack of diligence within an organization or a lack of understanding of how to accurately create a plan and process around protecting your network, as shown through this recent Healthcare report.

Whether or not this bill gets passed, in order to protect your business from an attack and likewise to protect yourself from having to reveal data to the government, here are our tips on how to arm your company and yourself against cyber attacks.

  1. Assume it’s a matter of if, not when.
    There are many reports available in the public domain, mostly with disturbing statistics, like more than 90% of respondents to a Security Megatrends Survey admitting their companies have been victims of a cyber attack. That’s 10:1 odds that an attack WILL happen. Seems like a bad bet.
  2. IDS/IPS is not enough.
    Intrusion detection and prevention systems, though valuable, are not enough. Even with these protections in place, significant breaches still occur. It’s in the news all the time. IDS/IPS must be augmented with ongoing, 24×7, network recording and analysis. When a breach does occur, network recordings can be replayed and analyzed, providing the very best information to address the breach, including the ability to address the five key questions that need to be addressed whenever a breach occurs.
            1. Who was the intruder?
            2. How did the intruder penetrate security?
            3. What damage has been done?
            4. Did the intruder leave anything behind?
            5. How can we prevent this attack from reoccurring?
  3. Technology is not enough.
    Though technology is an instrumental part of any security solution, technology alone isn’t enough. Good old-fashioned policies and procedures must be established and enforced. More and more studies are indicating that Advanced Persistent Threats (APTs), which are becoming the most common form of attacks, often result from risky behaviors from within the network. Controlling and monitoring each individual user is not realistic, but a well-documented and socialized security plan can help users identify, and hopefully refrain from, risky behavior, especially if the magnitude of the risks is also made clear.

Regardless of the outcome of the Cyber Intelligence Sharing and Protection Act, the best approach is to make every effort possible to prevent an attack from happening. Then, you won’t have to worry about whether or not, and how, you want to share your cyber security data with the government.


The State of the Network: Wired vs. Wireless

In a November article by John Cox of NetworkWorld, he pointed out two very important facts about networks as we know them, or at least how we use them:

  • In June WLAN vendor Meraki found that smartphones and tablets have overtaken computers on Wi-Fi networks.
  • Colleges and universities have spent the last decade and lots of money running Ethernet cables to dorm rooms and now are discovering that 50% to over 90% of those wired ports are never used.

Our devices are now designed for wireless network access, and the younger generation rarely even considers connecting a computer to a wired port. Even for me, a guy who started his career before PCs (yes, old as dirt), I often find myself in a hotel room with a wired Ethernet port that I can’t connect to because I’ve stopped carrying a cable, so I need to rely on the wireless network (which usually performs much more poorly).

But that won’t be for long. With 802.11n, the latest evolution in WLANs, maximum throughput is increasing tenfold, enabling the dream of reliably streaming video and walking into our company headquarters and having our mobile phone automatically transition from the cellular network to the WLAN to take advantage of better signal strength.

So where does that leave LAN infrastructure, and should you plan on investing in more LAN infrastructure when users expect wireless?

Do you imagine devices retrograding back to wired or do you see them progressing to wireless?

Actually, I don’t expect to see any significant changes. In the home, where wired ports never really seemed to catch on, even in new development, wireless will be king, and will most certainly grow in scope. Not only will your computer access be wireless, your TV, DVR/set top box and audio equipment will also be wireless, enabling new heights in shared media access. As for the corporate environment, it’s hard to imagine commercial construction without wired access. It may diminish somewhat, especially in large cube farms or “bullpen” areas, but closed offices will continue to be wired. Certain computing applications, especially those employing high performance computing, will still benefit from the wired connection, and commercial landlords don’t want to limit the applicability of their properties. Universities may be the exception to this status quo approach. With their young and mobile “customers,” wireless is the only approach that makes sense, and the up to 90% unused wired ports in university dorm rooms have not gone unnoticed as an unfortunate waste of money.

Even though wireless seems to be stepping in the door while wired is stepping out, there is a state of limbo between the two and there will be for more years to come. And even though wireless is gaining ground, the backbone of every wireless network is wired, and this is not likely to change for a very long time, if ever. So where does that leave you, and how do you ensure that you are reaping the full potential of your wireless as well as your wired infrastructure?

The key is that your network is now a convergence between wired and wireless, and it must be managed accordingly. You need network management solutions that can handle both networks, simultaneously, because this is how your network traffic is delivered. Here are three key reasons for considering converged network management and troubleshooting:

  • Elimination of multi-vendor, multi-product solutions, allowing for better management and cost savings.
  • Better visibility into which network is causing network problems: wired or wireless. Issues can easily be on either side.
  • Increased scalability. With both wired and wireless networks getting faster all the time, it’s important to have a solution in place that’s been designed from the start with high speed networks (i.e. wired) in mind.

Wireless is starting to reach the throughput and applicability of wired networks with 802.11n, but increased capability leads to increasing user demands, requiring careful planning when implementing wireless network upgrades, including the ability to monitor your wireless and your wired network simultaneously. Converged network management is your only option for handling the higher throughput of improved wireless networks, allowing you to quickly monitor and analyze traffic regardless of the network it traverses.


3 Tips to Ensure Video Quality on Your Network

As we discussed in last week’s blog, video is slowly encroaching upon both home and enterprise networks. According to a recent Cisco report, all forms of video will make up approximately 90% of global consumer Internet traffic in 2015. We predict that more than 50% of enterprise network traffic will be video by 2015.

Video data types are unpredictable; require a lot of bandwidth; are sensitive to latency, jitter, and packet loss; and demand the highest QoS delivery. As video becomes more pervasive on your enterprise network you’ll need the right tools and approach to manage this demanding data type. Here are our top tips for preparing for video and monitoring video usage and quality.

Determine Overall Video Usage
One of the first things you need to account for is how much video is already being used on your network. The best way to determine this is by using packet-based network analysis systems capable of analyzing networks for all types of traffic simultaneously. With such a system, you will easily be able to see the throughput associated with data versus that associated with video (and audio for that matter) and to determine if the ratio is what you were expecting.

Armed with that data, you want to go one level deeper and review the packet loss, media quality, and number of video sessions/VoIP calls to determine 1) if video may be underperforming on your network or 2) how much video is affecting the performance of other mission critical applications.

Identify Unauthorized Video Traffic
Whether someone outside your company is pilfering your Wi-Fi to access YouTube or someone inside your company is spending too much time watching the World Cup, these three approaches can help you determine who is inappropriately using video and bogging down your network.

First approach: Look at your top nodes and protocols and see what they’re doing. If you have nodes that are exceeding your typical baselines, check these first by simply expanding the node to see which protocols are in use. (We’ve covered baselining before! For a refresher, check out Tim McCreery’s Getting Network Baseline Right article (PDF) or Jim Thor’s Baseline Product Tips and Tricks.) RTP? You have a possible culprit. HTTP? Don’t stop there. You have all the packets, so dig in a bit deeper to see where the user is going. YouTube? It’s probably not work related.

Second approach: Check your overall network utilization and zoom in on spikes in traffic, which are often indications of video downloads. Zooming in on a spike will identify not only the user, but also the protocols in use and the servers they are communicating with. You might find that someone is simply using the telepresence program you’ve installed.

Third approach: Create filters and alarms. If you build custom filters for RTP (Real-time Transport Protocol) and Dynamic RTP, you can easily see the activity happening on your network that relates strictly to video and voice. You can also create address filters, like for YouTube, to determine if users are abusing certain sites and if this is having a negative effect on your network.
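As an added example (not code from the original post or from any vendor product), the following Python script applies the usage check and the first approach above to a handful of constructed flow records: it classifies each flow as RTP, web video or ordinary data, reports the share of bytes each class consumes, and lists the nodes whose traffic exceeds an assumed per-node baseline, together with the per-class breakdown and the hosts they are talking to (the “expand the node” step). The RTP port heuristic, the hostname watch-list, the flow records and the baseline values are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed one-minute flow summaries (not real capture data): source node,
# destination, transport, destination port, bytes, and the HTTP Host or TLS
# SNI name when one was seen on the flow (None otherwise).
FLOWS = [
    {"src": "10.0.1.15", "dst": "10.0.9.2",    "proto": "UDP", "dport": 5004,  "bytes": 150_000_000, "host": None},
    {"src": "10.0.1.22", "dst": "203.0.113.8", "proto": "TCP", "dport": 443,   "bytes": 90_000_000,  "host": "www.youtube.com"},
    {"src": "10.0.1.22", "dst": "10.0.9.3",    "proto": "TCP", "dport": 80,    "bytes": 2_000_000,   "host": "intranet.example"},
    {"src": "10.0.1.30", "dst": "10.0.9.5",    "proto": "TCP", "dport": 445,   "bytes": 40_000_000,  "host": None},
    {"src": "10.0.1.41", "dst": "10.0.9.7",    "proto": "UDP", "dport": 16400, "bytes": 6_000_000,   "host": None},
]

# Assumed per-node baseline: average bytes per one-minute interval learned
# from earlier captures (constructed values, not measurements).
BASELINE = {"10.0.1.15": 20_000_000, "10.0.1.22": 30_000_000,
            "10.0.1.30": 35_000_000, "10.0.1.41": 5_000_000}

# Assumed watch-list of hostnames that indicate non-business streaming.
VIDEO_HOSTS = ("youtube.com", "vimeo.com")


def classify_flow(flow):
    """Return 'rtp', 'web-video' or 'data' for one flow.

    RTP is guessed from UDP to an even destination port that is either 5004
    (the RFC 3551 default) or in the 16384-32767 range many endpoints use.
    That is a port convention, not a guarantee; a packet-level RTP header
    check is the authoritative test. Web video is recognised by hostname."""
    if flow["proto"] == "UDP" and flow["dport"] % 2 == 0 and (
            flow["dport"] == 5004 or 16384 <= flow["dport"] <= 32767):
        return "rtp"
    host = flow["host"] or ""
    if any(host == h or host.endswith("." + h) for h in VIDEO_HOSTS):
        return "web-video"
    return "data"


def usage_by_class(flows):
    """Percentage of total bytes carried by each traffic class."""
    totals = defaultdict(int)
    for flow in flows:
        totals[classify_flow(flow)] += flow["bytes"]
    grand = sum(totals.values()) or 1
    return {cls: round(100.0 * b / grand, 2) for cls, b in totals.items()}


def nodes_over_baseline(flows, baseline, factor=1.5):
    """Nodes whose bytes exceed factor x their baseline (or that have no
    baseline at all), with a per-class breakdown and the hosts they talked to."""
    per_node = defaultdict(lambda: {"total": 0, "by_class": defaultdict(int), "hosts": set()})
    for flow in flows:
        entry = per_node[flow["src"]]
        entry["total"] += flow["bytes"]
        entry["by_class"][classify_flow(flow)] += flow["bytes"]
        if flow["host"]:
            entry["hosts"].add(flow["host"])
    flagged = {}
    for node, entry in per_node.items():
        base = baseline.get(node)
        if base is None or entry["total"] > factor * base:
            flagged[node] = {"total": entry["total"],
                             "by_class": dict(entry["by_class"]),
                             "hosts": sorted(entry["hosts"])}
    return flagged


if __name__ == "__main__":
    print("share of bytes by class:", usage_by_class(FLOWS))
    for node, info in nodes_over_baseline(FLOWS, BASELINE).items():
        print(f"{node}: {info['total']} bytes over baseline, {info['by_class']}, hosts={info['hosts']}")
```

On the constructed data, RTP is just over half of all bytes and two nodes exceed 1.5x their baseline: one carrying a large RTP stream, the other mostly HTTPS to a watch-listed video host. A real deployment would feed in exported flow or capture summaries and take the baseline from the analyzer’s own history rather than a hand-written table.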

Monitor High-Level Video Delivery
It may be that it’s quality, and not abuse, that’s of importance to you, especially when telepresence is being used. The best way to analyze for success is to look into each individual media stream, breaking it down into its primary audio and video components, and glance at your metrics. This approach allows you to determine the quality of service on each segment of video, from picture to sound quality. You can continue to dive deeper into the packet-by-packet IP conversation, identifying exactly where problems occur, such as quality of service not being applied to certain packets or jitter exceeding typical guidelines for video. With this information, you have everything you need to find and fix any problems.
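The per-stream breakdown described above, as an added example that is not code from the original post or from any vendor product: the Python block below builds a few RTP packets (a constructed 90 kHz video stream with one lost packet and one late, mismarked packet, plus a clean PCMU audio stream), parses their headers, and computes for each SSRC the packet loss from sequence-number gaps, the interarrival jitter as defined in RFC 3550, and the packets whose DSCP marking does not match the class they should carry. The payload-type-to-clock-rate map, the expected DSCP values, the jitter threshold and the packet data are assumptions made for the example.

```python
import struct

# Clock rate of the RTP timestamp per payload type. PT 0 and 8 (PCMU/PCMA)
# are fixed by RFC 3551; PT 96 is a dynamic type we assume was negotiated
# for 90 kHz video in the constructed sample below.
CLOCK_RATES = {0: 8000, 8: 8000, 96: 90000}
# DSCP value each payload type is assumed to be marked with on this network
# (EF for voice, AF41 for video); anything else is a QoS marking gap.
EXPECTED_DSCP = {0: 46, 8: 46, 96: 34}
JITTER_LIMIT_MS = 30.0   # assumed per-stream threshold for flagging


def build_rtp(pt, seq, ts, ssrc, marker=False):
    """12-byte RTP fixed header: V=2, no padding, no extension, no CSRCs."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc)


def parse_rtp(data):
    """Decode the fixed RTP header; raise on anything that is not RTP v2."""
    if len(data) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq, "ts": ts, "ssrc": ssrc}


VIDEO, AUDIO = 0xDEADBEEF, 0x00001111
# Constructed packets: (arrival time in microseconds, IP DSCP, RTP header bytes).
# Video seq 103 never arrives and seq 102 arrives 2 ms late marked best-effort.
PACKETS = [
    (0,     34, build_rtp(96, 100,  0,    VIDEO, marker=True)),
    (0,     46, build_rtp(0,  5000, 0,    AUDIO)),
    (10000, 34, build_rtp(96, 101,  900,  VIDEO)),
    (20000, 46, build_rtp(0,  5001, 160,  AUDIO)),
    (22000, 0,  build_rtp(96, 102,  1800, VIDEO)),
    (40000, 34, build_rtp(96, 104,  3600, VIDEO)),
    (50000, 34, build_rtp(96, 105,  4500, VIDEO)),
]


def analyze_streams(packets):
    """Per-SSRC packet loss (from sequence gaps), RFC 3550 interarrival jitter,
    and the sequence numbers whose DSCP does not match the expected class."""
    streams = {}
    for arrival_us, dscp, data in packets:
        hdr = parse_rtp(data)
        rate = CLOCK_RATES.get(hdr["pt"])
        if rate is None:
            continue                       # unknown payload type: skip it
        st = streams.setdefault(hdr["ssrc"], {
            "pt": hdr["pt"], "received": 0, "first_seq": None, "last_seq": None,
            "cycles": 0, "prev_r": None, "prev_ts": None,
            "jitter_ticks": 0.0, "mismarked_seqs": []})
        # Extend the 16-bit sequence number across wraparound (RFC 3550 A.1).
        if st["last_seq"] is not None and hdr["seq"] < (st["last_seq"] & 0xFFFF) \
                and (st["last_seq"] & 0xFFFF) - hdr["seq"] > 0x8000:
            st["cycles"] += 0x10000
        ext_seq = st["cycles"] + hdr["seq"]
        st["received"] += 1
        if st["first_seq"] is None:
            st["first_seq"] = ext_seq
        st["last_seq"] = max(st["last_seq"] or 0, ext_seq)
        # Jitter in timestamp ticks: D = (Rj - Ri) - (Sj - Si), J += (|D| - J) / 16.
        r = arrival_us * rate / 1_000_000
        if st["prev_r"] is not None:
            d = (r - st["prev_r"]) - (hdr["ts"] - st["prev_ts"])
            st["jitter_ticks"] += (abs(d) - st["jitter_ticks"]) / 16
        st["prev_r"], st["prev_ts"] = r, hdr["ts"]
        if dscp != EXPECTED_DSCP[hdr["pt"]]:
            st["mismarked_seqs"].append(hdr["seq"])
    result = {}
    for ssrc, st in streams.items():
        rate = CLOCK_RATES[st["pt"]]
        expected = st["last_seq"] - st["first_seq"] + 1
        result[ssrc] = {
            "pt": st["pt"], "received": st["received"], "expected": expected,
            "lost": expected - st["received"],
            "jitter_ticks": st["jitter_ticks"],
            "jitter_ms": st["jitter_ticks"] * 1000.0 / rate,
            "mismarked_seqs": st["mismarked_seqs"]}
    return result


def problem_streams(stats):
    """SSRCs with any loss, jitter above the limit, or QoS marking gaps."""
    return {ssrc: s for ssrc, s in stats.items()
            if s["lost"] > 0 or s["jitter_ms"] > JITTER_LIMIT_MS or s["mismarked_seqs"]}


if __name__ == "__main__":
    for ssrc, s in analyze_streams(PACKETS).items():
        print(f"ssrc {ssrc:#010x} pt {s['pt']}: {s['received']}/{s['expected']} packets, "
              f"lost {s['lost']}, jitter {s['jitter_ms']:.3f} ms, mismarked {s['mismarked_seqs']}")
```

The jitter estimator is the smoothed one RTP receivers report in RTCP receiver reports, so the figure here is directly comparable with what the endpoints themselves see; loss is counted from sequence gaps rather than from RTCP, which keeps the check independent of the endpoints’ own reporting. Applied to a real capture, the three inputs per packet (arrival time, DSCP, RTP header) are all available from the IP header and UDP payload, so no decryption of the media is needed.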

Designing your network to meet the influx of video on your network, as well as instilling a proper monitoring system for this sensitive data, will ensure that your network continues to stay stable and colleagues continue to stay happy while watching their favorite YouTube video or using Skype for conference calls.


IP Video – It’s like Living with a Teenager

Teenagers. Maybe you have one (or more) at home; maybe not. But we’ve all been one, so I know you can relate. Moody and unpredictable. Overly sensitive. Taking up more space than any human has a right to. High maintenance. They’re just so adorable.

Well, it turns out we have an exploding data type on our networks that behaves much the same way – IP video. In a recent whitepaper by Cisco, it was reported that all forms of video (TV, VoD, Internet, and P2P) will be approximately 90% of the global consumer Internet traffic by 2015. And per the report, that’s 90% of what will be 966 exabytes, or nearly a zettabyte, of IP data. To see what that looks like graphically, check out this link. Although video traffic on the enterprise side will not be as heavy as that on the consumer Internet, it will increase dramatically nonetheless, and will certainly be much more than 50% of the enterprise network traffic by 2015. It looks like you’re going to need both network management and high school guidance counselor skills by 2015 to manage enterprise networks.

With this dramatic increase in video traffic, video will be in competition with enterprise corporate data, enterprise application access, SaaS, and cloud computing. And given its tendency towards teenage behavior, you’re going to have your hands full. Below are a few details of how the characteristics of IP video can adversely affect your enterprise network.

Unpredictable
Video is “bursty,” or in the teenage analogy, unpredictable, which is an undesirable characteristic for networks that work best under stable conditions – predictable and consistent. Packet sizes range all over the place, and often hit the network in large bursts. And of course these bursts are tagged with high QoS (quality of service) tags, so they take precedence over your other mission critical application data. Characterization of your IP video traffic, including weeding out business traffic from surfing, is critical to the health of your enterprise network.

Space Hog
Video is a bandwidth hog. One HD video stream can consume up to 20Mbps of bandwidth. So if five people are trying to stream a movie, it means that they are taking up 100Mbps of your network. This may not seem like a ton of traffic, but depending on the distribution of these users on your network, and the number of users serviced, bandwidth availability can certainly become an issue. And remember, the amount of video on your network is increasing all the time.

Overly Sensitive
Video is also very sensitive to latency, jitter and packet loss, even more so than voice, which we covered in this blog post. These sensitive protocols demand that your network is performing at its peak level to ensure that these issues are minimized. As video becomes more common on the network, performance demands will continue to grow and become harder to reach. Specific metrics and demands of latency, jitter, and packet loss are described in more detail below with this video segment and graph:

High-Maintenance
Due to the high performance demands of video, it is typically tagged for the highest QoS delivery as I mentioned earlier. However, as video traffic starts exceeding data traffic, enterprises will need to maintain different quality of service between users or video types since it is self-defeating for most of the traffic on a network to have the highest QoS tagging.

As video continues to grow, or as some might say invade, your enterprise network, it is more important than ever to plan and design your network to carry video. And just as the teenage years pass, the video phase will also pass in time, allowing networks to again hum along in a predictable pattern. That is, until the next disruptive technology comes along! In next week’s blog, we’ll be providing some best practices on designing, monitoring, and managing your network to help that teenager grow up.
