July 2009 Archives

Enterprises and data centers can now easily and cost-effectively upgrade their network infrastructure to 10GigE. If you have plans to make the switch, or perhaps you have already done so, below are six tips for successful 10G network analysis.

 

1. Match network analysis requirements with the appropriate network analysis techniques

Before commencing any network analysis task, it is important to understand what you hope to accomplish. This is a great time for making and archiving some baseline measurements, whether on specific network traffic like HTTP or key business applications, or the network as a whole. Filtering and periodic statistics recording are the best techniques for isolating data for baselines. Is the network slow? Are you receiving alerts? This is the time to start troubleshooting. Running multiple captures with different focuses and turning on key Expert analysis modules (if you didn't already have them enabled) are excellent techniques to use in troubleshooting.  

 

2. Ensure you're collecting and analyzing the data you expect

Networks are busy places, and the higher up the stack you analyze the more data you need to sift through. Before diving into detailed analysis, step back and make sure you're collecting the data you need. Start with high-level views, like node, protocol and statistics summaries. Compare these to established baseline data to make sure nothing has changed, either in your environment or with your data collection settings. Only after convincing yourself that the basic data is in place and being collected and analyzed should you embark on detailed analysis and drill-down of the data.  
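The baseline comparison that tips 1 and 2 describe, as an added example that is not code from the original post or from WildPackets: it builds the node and protocol summary views from constructed capture records and flags protocols whose byte share drifted from a stored baseline or vanished entirely, the latter being the usual sign of a collection-settings change rather than a network change. The record format, the baseline values and the 10% tolerance are assumptions made for the example.

```python
from collections import Counter

# Constructed baseline from an earlier, healthy capture: protocol -> share of total bytes
BASELINE = {"HTTP": 0.55, "SMB": 0.20, "DNS": 0.05, "SSH": 0.10, "OTHER": 0.10}

# Constructed records from a new capture: (node, protocol, bytes)
CAPTURE = [
    ("10.0.0.5", "HTTP", 40000), ("10.0.0.6", "HTTP", 20000),
    ("10.0.0.7", "SMB", 45000), ("10.0.0.5", "SMB", 15000),
    ("10.0.0.9", "SSH", 10000), ("10.0.0.9", "OTHER", 10000),
    ("10.0.0.10", "TELNET", 10000),
]

def protocol_summary(records):
    """Protocol summary view: share of total bytes per protocol."""
    total = sum(nbytes for _, _, nbytes in records)
    per_proto = Counter()
    for _, proto, nbytes in records:
        per_proto[proto] += nbytes
    return {proto: nbytes / total for proto, nbytes in per_proto.items()}

def node_summary(records, top=3):
    """Node summary view: the top talkers as (node, bytes), largest first."""
    per_node = Counter()
    for node, _, nbytes in records:
        per_node[node] += nbytes
    return per_node.most_common(top)

def compare_to_baseline(summary, baseline, tolerance=0.10):
    """Flag protocols whose byte share moved more than `tolerance` from the baseline.

    A protocol that vanished entirely is reported separately: that usually means the
    collection settings changed (e.g. a capture filter now drops it), not the network.
    Returns (protocol, baseline_share, observed_share, reason) tuples, baseline order first.
    """
    findings = []
    for proto, expected in baseline.items():
        observed = summary.get(proto, 0.0)
        if observed == 0.0:
            findings.append((proto, expected, observed,
                             "missing entirely: check capture filter and collection settings"))
        elif abs(observed - expected) > tolerance:
            findings.append((proto, expected, observed, "share drifted from baseline"))
    for proto, observed in summary.items():
        if proto not in baseline:
            findings.append((proto, 0.0, observed, "protocol not present in baseline"))
    return findings

if __name__ == "__main__":
    summary = protocol_summary(CAPTURE)
    print("top talkers:", node_summary(CAPTURE))
    for proto, expected, observed, reason in compare_to_baseline(summary, BASELINE):
        print(f"{proto:7s} baseline {expected:.0%} observed {observed:.0%}: {reason}")
```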

 

3. Learn to work within the hardware limitations of network analysis probes

Networks are getting faster. 10 Gigabit deployments are becoming more and more common, and this puts a strain on any network analysis software or appliance. The key here is the analysis. The packets can obviously be moved, and possibly even stored, at line rate, but to analyze them means interrogating every packet as well, creating competition for precious processor and memory-buffering resources. If you need to analyze in real time, accept the fact that in-depth, real-time analysis at 10Gbps is just not feasible with current hardware solutions. Take advantage of solutions on the market today that receive 10Gbps line-rate traffic and separate the data into more manageable streams for analysis, typically 1Gbps data streams. Then you can comfortably and confidently accomplish the real-time analysis you require.
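One way to do the split that tip 3 describes, as an added example that is not WildPackets' code and not a description of any product's internals: a symmetric flow hash distributes packets over N streams while keeping both directions of each conversation in the same stream, which goes one step beyond the paragraph on the assumption that stateful analysis (TCP reassembly, Expert diagnostics) needs whole flows. The packet records, the blake2b hash and the round-robin comparison are constructed for the example.

```python
import hashlib

def conversation(client, server, sport, dport, n_pkts):
    """Constructed TCP conversation whose packets alternate direction, as seen on the link."""
    fwd = {"src": client, "dst": server, "sport": sport, "dport": dport, "proto": 6}
    rev = {"src": server, "dst": client, "sport": dport, "dport": sport, "proto": 6}
    return [fwd if i % 2 == 0 else rev for i in range(n_pkts)]

# Constructed sample feed: twelve clients talking to one web server, six packets each.
PACKETS = []
for i, port in enumerate(range(40000, 40012)):
    PACKETS += conversation(f"10.0.0.{i + 1}", "192.0.2.10", port, 80, 6)

def flow_key(pkt):
    """Direction-independent flow identity: the two endpoints are sorted so that
    A->B and B->A yield the same key (the symmetric hash a NIC's RSS would also need)."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    if a > b:
        a, b = b, a
    return (pkt["proto"], a, b)

def stream_for(pkt, n_streams):
    """Stream index 0..n_streams-1 for a packet. hashlib is used rather than hash()
    because str hashing is randomised per process and the mapping must be stable."""
    digest = hashlib.blake2b(repr(flow_key(pkt)).encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_streams

def split_by_flow(packets, n_streams):
    """Distribute packets over n_streams so that a whole conversation lands in one stream."""
    streams = [[] for _ in range(n_streams)]
    for pkt in packets:
        streams[stream_for(pkt, n_streams)].append(pkt)
    return streams

def split_round_robin(packets, n_streams):
    """Naive splitter for comparison: balances load but tears conversations apart."""
    streams = [[] for _ in range(n_streams)]
    for i, pkt in enumerate(packets):
        streams[i % n_streams].append(pkt)
    return streams

def flows_torn_apart(streams):
    """Flow keys that appear in more than one stream; empty for a flow-aware split."""
    first_seen, torn = {}, set()
    for idx, stream in enumerate(streams):
        for pkt in stream:
            key = flow_key(pkt)
            if first_seen.setdefault(key, idx) != idx:
                torn.add(key)
    return torn

if __name__ == "__main__":
    print("flow-aware split, torn flows:", len(flows_torn_apart(split_by_flow(PACKETS, 4))))
    print("round-robin split, torn flows:", len(flows_torn_apart(split_round_robin(PACKETS, 4))))
```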

 

4. Optimize data collection settings to meet the demands of your network and your analysis solution

Network analysis is a compromise. In most cases the most significant compromise is depth of analysis versus the throughput of data you hope to analyze: the greater the analysis load, the lower the throughput that can be analyzed without dropping packets. Fortunately, you are not typically analyzing everything simultaneously. For example, if you're monitoring a heavily used gigabit interface, you don't need any wireless analysis, so why not turn the wireless analysis module off and benefit from the increased performance? Not running VoIP or video on that interface, or no problem with VoIP or video right now? Turn off the VoIP and video analysis modules, again improving the performance of what you do wish to analyze. Only interested in post-capture analysis? Then turn off all analysis modules; you can always turn them back on when you go back to analyze the data. That's why there's the option to enable and disable these functions.

 

5. Use advanced settings like hardware filtering and time stamping to your advantage

Certain functions that are critical in performing network analysis, like establishing the time each packet is captured from the network or filtering certain categories of network traffic, can be accomplished within some network interface cards themselves. This means the functions are performed in hardware, making them much faster, and relieving the network analysis software of some of the processing burden. Taking advantage of advanced features available in hardware should always be seriously considered when purchasing network interface cards for use in network analysis.  

 

6. Determine the proper placement of network analysis probes to ensure network management and troubleshooting success

Collecting network data for analysis at multiple locations is always best. You'll get the most accurate results, and more collection points imply greater granularity in analyzing conditions like network response time. The same holds true for VoIP analysis. Collecting data at both ends of the call, at least for your internal phone traffic, can help you identify the source of VoIP deficiencies much more quickly. But increased collection means more appliances and more cost. Each network is different, and your analysis needs undoubtedly have unique elements. Only you can make the trade-off between collection points and cost. At a minimum, capturing data for analysis at core routers and WAN connections is essential. From there, it becomes a cost-benefit analysis to determine how deep and how wide into the network you go.

 

WildPackets is in the business of providing network analysis software, so if you have any questions about 10G, wireless, 1G, etc., get in touch; we'd love to help out.

The Cisco AP Capture Adapter is a feature in the OmniPeek Console that can capture and aggregate wireless packets from multiple Cisco Access Points. This feature is especially useful to companies with large numbers of Access Points (APs) spread throughout offices, stores, and warehouses. It allows any one or more of the APs to be temporarily used as probes to capture traffic and then switched back to AP mode, all remotely through software. Being able to multi-purpose the APs in this way increases the ROI of both OmniPeek and the Cisco APs.

So the Cisco AP Capture Adapter, as a solution, is very good. Of course, as the developer of the Cisco Remote Adapter, I am going to say that, right? But seriously, we have been pleasantly surprised by the popularity of this feature, and the growing number of customers who are using it.

However, it has its drawbacks. Because it runs on the OmniPeek Console, the captured packets have to be streamed over the network from the APs to OmniPeek, wherever it may be. This could be on a different segment, in a different building, or in a different country. The stream is also not encrypted. Furthermore, if the IP address of the OmniPeek Console machine changes, which is likely, the AP configuration has to be changed to reflect that.

The point here is that the packets may have to travel a long distance, possibly over the internet, the stream is not secure, and the destination changes. These are not ideal characteristics for an enterprise solution, which is why the Cisco AP Capture Adapter is used mostly for local troubleshooting. This is too bad, since the potential is so much greater.

Now for the good news. (Imagine a drum roll in the background.) Ladies and gentlemen ... we have just ported the Cisco AP Capture Adapter to the OmniEngine. (Now imagine roaring applause.) Yes, this is good news indeed.

By running the Cisco AP Capture Adapter on the OmniEngine, and placing the OmniEngine on the same segment or subnet as the Cisco AP wireless mesh, all of the packets from any of the Cisco APs can be streamed and aggregated directly into the OmniEngine. The OmniPeek Console is then used to connect to the OmniEngine and view the results of the analysis.

Inserting the OmniEngine into the equation adds a new tier, providing better performance, less network overhead, and better security. The performance is better because the packets only have to be streamed to the OmniEngine, not all the way back to the OmniPeek Console. This also provides a permanent capture environment, so your AP configurations do not have to change.

The overhead on the network is also lower, since the packets travel a shorter distance, through fewer routers and switches. Security is also much better: the unencrypted AP stream now stays on the local segment, and the OmniPeek Console interaction with the OmniEngine is over a secure, compressed connection.

But that's not all. There are many advantages to using a distributed OmniEngine, and now users of the Cisco AP Capture Adapter will be able to take advantage of them. Yes, this is good news indeed. The Cisco AP Capture Adapter for the OmniEngine is in test now, and will be available to maintenance members soon. I am sure it will be a big hit.

-SpacePacket


WildPackets recently conducted a network-related survey at Interop Las Vegas, Cisco Live!, and online. In total, over 250 responses came in (not an enormous sample, but statistically relevant). It should be noted that approximately 75% of the participants use products other than WildPackets for network analysis - the survey was as objective as possible.

From this experience (and others), we've concluded that surveys are good at revealing "chasms" between what is being written about in the tech trades today and what is actually being adopted by businesses.

While tech trades provide ample coverage about 10 Gigabit Ethernet and its "onslaught" of adoption, only 28% of survey respondents have these fat pipes in production. An overwhelming majority, around 65%, work with Gigabit Ethernet, 10/100 Ethernet, WAN and / or wireless.

Conversely, surveys can reveal or validate themes and perceptions in the marketplace. For example, this particular survey supported one of the 2009 themes - the increase in distributed operations - that Craig Mathias pointed out in his recent webcast, "Wireless LAN Operations: 5 Key Challenges that Stifle Productivity." Survey results indicated that 81% of organizations primarily use network traffic analysis software for either distributed 24x7 monitoring or distributed real-time troubleshooting and analysis.

Perhaps a statistical anomaly, but we were surprised at how few (2%) of the respondents use Aruba network equipment compared to Cisco (the highest at 36%), HP, Dell, Juniper and Foundry. NOTE: this particular survey question was not asked at the Cisco Live! event.

Below is a detailed look into the survey results (with graphs!).

Results

NOTE: Survey respondents could select more than one answer for most questions; percentages will not add up to 100%.

  • Types of Networks Managed by Respondents (graph: networks_managed_all.jpg)
  • Average Network Throughput Reported by Respondents (graph: average_throughput_all.jpg)
  • Respondents' Primary Usages of Network Analysis Software (graph: primary_usages_all.jpg)

Findings


Surprisingly, most of the findings from our website survey supported the findings from our Interop survey. There were a few striking differences.

  • 66% of the Interop respondents, compared to 72% of the website respondents, manage a 10/100 Ethernet network, either solely or alongside other types of networks. Only 59% of the Cisco Live! respondents do.
  • Of the respondents who reported managing a Gigabit Ethernet network, 35% of the Interop respondents (compared to 29% of the website respondents) also managed a 10 Gigabit Ethernet network. 60% of the Cisco Live! respondents managed both a Gigabit Ethernet and a 10 Gigabit Ethernet network.
  • Of the respondents who managed VoIP/Video on their network, 61% of the Interop respondents (compared to 86% of the website respondents) managed either a Gigabit or a 10 Gigabit Ethernet network. 100% of the Cisco Live! respondents who managed VoIP/Video managed either a Gigabit or a 10 Gigabit Ethernet network.
  • Also, 3% of the Interop respondents (5% of the website respondents) reported managing only a Gigabit or 10 Gigabit Ethernet network, compared to 13% of the Cisco Live! respondents.

Additionally, website respondents as well as Cisco Live! respondents were more likely than Interop respondents to use network analysis software for distributed data collection for post-capture (forensic) analysis: 26% of the website respondents and 27% of the Cisco Live! respondents, compared to 7% of the Interop respondents. Cisco Live! survey respondents were also less likely to use network traffic analysis software for local real-time troubleshooting (27% versus 49% average for all survey respondents) and more likely to use it for distributed 24x7 monitoring (50% versus 39% average for all survey respondents).





Fact: wireless networks save money and increase productivity. Craig Mathias of Farpoint Group has identified five key themes relating to WiFi that have emerged in 2009. These themes are important to consider as organizations plan, deploy, and manage their networks.

1. 802.11n is here

Even though the IEEE has yet to ratify the 802.11n specification, the Wi-Fi Alliance has been certifying 11n equipment for 2 years now, and it's been a very successful program for them. The reasons are obvious: 11n equipment is already in widespread use and deployment rates will only increase as use of the technology shifts from consumer-based equipment to widespread enterprise deployments. All new deployments, as well as any replacement projects which are in place for 802.11, should be with 11n gear, period. The benefits are tremendous. Prices are highly competitive. It's not only here - it's thriving.

2. Unified networks

I've been saying this since I first started working with 802.11 - if you have a wireless network, you must have a wired network. They do not exist in a vacuum. So to even think of one as separate from the other is ludicrous. Granted, network management may differ somewhat between the two, but the network must be viewed as a whole, meaning a unified wired/wireless network. And unified wired/wireless network management systems. Look for lots of development in this area over the next few years.

3. All applications are going wireless

Even more to the point, all applications ARE wireless. Users don't distinguish between wired and wireless networks when they sit down to work, so applications shouldn't behave differently either. Fortunately, 802.11 has been well specified to deal with this and the cases where applications don't behave well over wireless are few and far between. Though VPN and other tunneling protocols may be exceptions, we're also seeing rapid improvements in these areas as well.

4. Wireless security is a myth

Maybe it's more like "wireless security is mythical" based on all of the iterations and misconceptions that have developed over time. This topic has truly been covered to death, so let's just sum it up: WPA2 is easy to use and highly secure, perhaps even more so than your wired network. The debate is over; the myths are debunked. More to the point is that security is a policy, not just a technology, and this policy transcends both the wired and wireless network. For example, authentication can and should take place on the wired network (802.1x), even when users are wireless. The policy must be integrated and consistent, and cover all use cases, whether wired or wireless. This is a topic unto itself for perhaps a deeper dive in an upcoming blog entry.

5. Increased distributed operations

Wireless networks, especially in the enterprise, are often deployed with what I call the "Old McDonald's Farm" approach - "here a WLAN, there a WLAN, everywhere a WLAN". In other words, WLANs are seen as a "fill in" technology to cover only specific areas where wired coverage may be difficult or where large numbers of transient connections may be required. Fortunately, just as we all outgrow the joys of "Old McDonald Had a Farm," enterprises are outgrowing this deployment mentality in favor of organized, distributed wireless deployments with centralized management. This of course plays into most of our 5 key themes, including unified networks and unified security policies. The last step is high quality, tightly integrated, centralized management and assurance tools for both wired and wireless. Only then do we achieve true unification.

So, why does any of this matter to you? Wireless will save you money and increase productivity, and that's with what has been available so far - a/b/g networks and limited integration between wired and wireless network management. With 11n and an upcoming focus on wired and wireless network unification, we're on the verge of something really big. We'll no longer be singing, "Old McDonald Had a Farm" while planning our wireless network. We'll be scoping wireless into our overall network architecture, and including wireless as an integral part in our selection of network management and assurance tools as well as our network usage policies. Oh yeah, and we'll be saving even more money and making our "network customers" ecstatic.

In the last few days, cyber attacks have infiltrated U.S. and South Korean government agencies. Some sites still remain down.

While this attack is highly sophisticated and far-reaching, it illustrates just how crucial network security is in a world where organized cyber-terrorism can bring down even the most prominent sites. Your website may not be the next target, but if it were, how would you go about protecting it?

For starters, an analysis tool that specializes in viewing and understanding what the network is doing can help. You need something that will:

   1. Analyze and characterize any attack.
   2. Apply filters to isolate malicious behavior. This will define what action is needed to mitigate the effect if an attack slips past network defense.
   3. Equip your network IT team with a powerful incident response tool that can be used in real time and visually represents attacks.

With the proper network tool -- something like a network security Swiss Army Knife -- IT personnel can zero-in on the problem and troubleshoot.

Network forensics is the analysis of historical network traffic to investigate security attacks. Using network forensics, security teams can reconstruct the sequence of events that occurred at the time of a breach and get the complete picture. The right network forensic solution enables IT managers and network engineers to discover and eliminate possible threats in the network and to provide lawful interception capabilities when needed.

Our solution, OmniPeek, for example, helps IT personnel analyze data by capturing network traffic at key network points, and it minimizes the traffic load on the network that polling devices can cause; this lets you find the data you're looking for quickly and easily. When dealing with network security breaches, time is of the essence.

We've seen quite a few network attacks - our solutions combat security vulnerabilities and our products are used by a number of government agencies. As these recent attacks demonstrate, the hackers are getting more sophisticated. It makes you wonder, if the most secure sites in the world are being compromised, what does that mean for enterprises?