Tag Archives: Network Recorders

The Growth of Data on the Network and What You Should Do about It

More applications, more devices, and server virtualization adoption are all key contributors to the growth of data on networks. Recently, we came across an Infonetics research report that showed that the demand for higher-speed ports (10G, 40G, 100G) rose 62% from 2012. Not a surprise really for anyone in the networking industry.

Data on networks are colossal, and growth continues seemingly unabated.

So what does that mean for a network engineer in terms of monitoring and analyzing data? How should your habits and practices change?

Below we provide four key tactics that network engineers should abide by when handling increased network data.

Continuous Capture
With network backbones either at 10G or greater, it is essential to capture data 24/7. Traditional network analysis in the form of portable troubleshooting is no longer an option. By the time you dig out the network analyzer, find the right port(s) to monitor on the 10G switch, and get things fired up the problem is ancient history. And most laptops aren’t going to have a 10G card in them, and even if they do “standard” network interface cards (NIC) are not up to the task of lossless 10G packet capture. At 10G, you need dedicated hardware that can capture data 24/7 for easy troubleshooting the instant an issue occurs.

Check out this video for more details:

Adequate Storage
Network analysis at 10G requires not just new hardware and 24/7 monitoring, it also requires a different approach. Detailed, real-time analysis is just not practical at 10G – and it’s not required since the problem you’re looking for only encompasses a small subset of the data. What is required is ongoing recording of all network data (packets) so you can “rewind” to the timeframe of interest and perform a more targeted analysis of the specific problem. To do this, you need to store all of this packet data so it’s available when you begin your investigation. For example, if you’re recording at a full 10Gbps, and you have 32TB of disk space in your appliance, you can record about 7.0 hours of network data. Fortunately, even on a 10G network segment, you’re not going to find 10Gbps steady state on the line, so you should have enough storage space even If the problem occurs overnight. However, if you need storage for an entire weekend, you need to carefully plan your disk space against your expected aggregate traffic. One solution is to add an aggregation tap in your network infrastructure. This helps by sending packet data to multiple appliances and increases to overall storage available for heavily utilized high-speed networks.

Proper Capture Points
If you are monitoring a physical network connection, your capture points are pretty obvious, especially when dealing with a network backbone. However, with the increased volume of east-west traffic due to virtualization, you may need to adjust your monitoring points, or add some, to maintain full visibility. The best way to deal with this in a distributed virtual environment is to add a vSwitch into the architecture and use it as the connection point for your network analysis appliance. For more details on this tactic, check out our blog “Where to capture packets in high-speed and data center networks.”

Prioritizing the data you collect is key. Any amount of data that you can filter out increases the overall throughput of data you can monitor and extends the range of your available storage. For example, if you have a lot of web traffic on your network (and who doesn’t), and it’s all encrypted, why not slice all of the payloads off the data? This will significantly reduce the overall volume of data. Or perhaps backups are the biggest source of overnight network traffic. Again, you really don’t need the payloads of backup traffic; you really just want to know that it’s happening and perhaps log some metrics like the latency of the transfers. By leveraging what you know about your own network you can significantly reduce your network analysis needs, and either save money or extend the capabilities of your existing assets.

Cyber Attacks: 5 Ways to Keep Your Guard Up

Let’s face it, the statistics are just not in your favor when it comes to avoiding cyber attacks. Just to cite a few, 85% of those surveyed by Trusted Strategies in September 2009 either had or expect a cyber attack within 36 months. Care to take the 1:6 odds on this table? Combine that with the fact that the number of personal records compromised in cyber attacks jumped 500% in 2009, and I don’t think this is a bet that anyone wants to take. Cyber attacks are now dominated by organized criminal activity, with 91% of the personal records compromised in 2009 linked to organized criminal groups.

And not all attacks are financially motivated, as witnessed by the distributed denial of service (DDoS) attacks launched last week against several sites, including those belonging to Amazon, Mastercard, Visa, PayPal, and others after terminating WikiLeaks accounts. Given the speed with which these attacks were mounted, it’s beginning to feel like successful attacks can be carried out anytime and anywhere, as long as the motivation is compelling. And it looks as if botnets are being recruited for the DDoS attacks.

So what can you do? Cyber attacks are by their nature designed to be covert, especially those targeting personal or financial data, so identification and elimination can be difficult. Diligence is the key, and there are many ways to keep your guard up. Roland Dobbins, a solutions architect at Arbor Networks, felt the attacks were “able to achieve disproportionate impact due to the unpreparedness of the defenders.” Here are five key ways to help ensure you are doing everything you can to keep the overwhelming odds in your favor.

Processes, Processes, Processes
Even the most sophisticated technological solutions cannot overcome absent, poor or unmonitored processes. In a study done by the Verizon Business RISK team published in July 2010, 67% of network breaches were aided by significant errors, with 87% considered avoidable through simple or intermediate controls, in other words, with adequate processes in place with constant validation that these processes are being followed.

Use Network Recorders
Network recorders are appliances designed to capture, store, analyze and mine high speed network traffic. The most capable appliances can capture at greater than 10Gbps, with zero packet loss, and include either large amounts of built-in storage or a SAN interface. Network recorders can be placed at core switches to capture all enterprise traffic, thereby recording a breach even if it is not detected until a later time. With the recording you can determine exactly how the attack happened, what damage has been done and perhaps even the source of the breach.

Establish Network Baselines
It’s really hard to know if something funny is going on with the network if you have no idea of how it normally behaves. Baselines provide a record of how your network is behaving, over time, so you always have a reference at hand for comparison when you suspect something out of the ordinary.

Monitor Security on Both Sides of the Firewall
Most security solutions are designed to monitor traffic traversing the firewall. Though this does a good job of protecting you from external threats, it does nothing to prevent threats from within, which, according to the Verizon Business RISK Team report, resulted in 20% of the network breaches. Packet-level monitoring and analysis solutions installed at key network and data center connections can provide detailed security data as well as overall network monitoring and troubleshooting to secure your entire network.

Watch for Minor Policy Violations
Industry studies indicate a correlation between minor policy violations by employees, like illegal content on a corporate computing asset, and more serious data breaches down the road involving the same computing asset. This could be due to malicious behavior, but is just as likely to be due to careless activity on the computing asset that eventually makes the asset vulnerable. Constantly monitoring for minor policy violations can protect you from more serious breaches down the road.