Q&A: Improving Network Visibility

Networks are getting faster and more complex. How can IT network administrators keep up?

Network administrators have their hands full, and expanding networks and bandwidth are only adding to their burden. Then there's the problem of Bring Your Own Devices (BYOD), in which an organization must seem user-friendly enough to keep employees happy while still protecting enterprise assets. We examine the issues with Tim Nichols, vice president of global marketing for Endace, a company focused on network visibility, about the issues facing administrators and what trends lie ahead.

Enterprise Strategies: With the rise of so-called hacktivism and a general increase of network breaches, the notion of network security seems pretty top-of-mind in the media. Why do you think there isn't more attention paid to network visibility and the task of locating/fixing the breach?

Tim Nichols: The truth is that both the vendor community and the media love cyber news because it sells magazines and hardware. The more people read and talk about the threat of cyber attack, the more convinced people become that they should be investing in technology to help them manage the potential risks associated with it.

When it comes to reporting a breach, the (mainstream) media gets bored very quickly. Once a public company is "outed" and the various company officers who need to be named and shamed as part of the process are exposed, the media typically moves on pretty fast. Dealing with the aftermath of a breach -- such as figuring out how the intruders got in and what impact they really had -- are questions typically dealt with by in-house teams outside of the public lens.

Really good network visibility can help organizations deal with the cyber threat more effectively. With the right network monitoring and recording infrastructure, security breaches can be spotted earlier and organizations can be more proactive in how they deal with the negative PR associated with a breach. The only answer to the question that's worse than "We got breached" is "We got breached and we have no idea what the bad guys got away with."

What are some common misconceptions about network visibility and why do they exist?

The truth is that packet-based network visibility is still in its infancy and it's going to take a little time before people really start to understand the power and value of knowing what's really happening inside their networks. There's nothing new about network visibility. In fact, today we're actually looking at the third generation of network visibility technologies (the first was SNMP/Syslog-based solutions, the second was NetFlow, and the current generation is packet-level visibility solutions.)

To make sense of the technology, organizations need to ask themselves what problems they are trying to solve. If organizations simply want very high-level trending data to build models, then NetFlow may well be sufficient. However, as soon as diagnostic or forensic investigation is required, the actual packet payloads become critical. In essence, the true value of network visibility isn't learned until something goes wrong.

Perhaps the biggest misconception about network visibility is that anything less than 100 percent accurate packet capture is acceptable. If you haven't retrieved every single packet, any analysis is pointless. It's guesswork.

Let's talk about expanding networks. How soon do you think 40 and 100Gbps networks will cease to be the "networks of the future" and become a frequent reality for enterprise?

It's already here. There are hundreds of 40Gbps implementations all over the world, and 100Gbps isn't far behind. Today, ultra-high-speed networking is still largely the domain of telcos, governments, and big banks, but it's getting mainstream traction quickly. For organizations using multiple 10Gbps links, the economics of 40 and 100Gbps networks are extremely compelling, and line card, switch, and router vendors are innovating fast which is pushing pricing down. In about two or three years, 40 and 100Gbps networking should be commonplace in enterprise core network environments.

From a visibility standpoint, what measures should decision-makers consider -- or even implement -- today to ready enterprises for such an expansion?

Organizations need to think about network visibility as a network-wide infrastructure play in the same way that they think about routing and switching. If they are serious about pervasive packet capture for the purposes of network visibility, organizations need to ensure that they are working with visibility vendors that are able to meet their current visibility needs (typically 1Gbps and 10Gbps) -- as well as their future needs (40Gbps and 100Gbps). Investing in a strategic technology that simply won't scale is a false economy, and organizations need to ask some tough questions of both their monitoring and security vendors.

How far should enterprise go to restrict BYOD? What can enterprise do to lessen the impact outside devices have on network performance?

BYOD is a red hot topic right now, and organizations are finding it hard to work out the right strategy. Organizations need to strike an effective balance between being open and accommodating and being secure. Technically, it is quite hard to stop employees connecting their personal devices to the network. Sternly worded e-mail messages from HR only go so far.

Forward-thinking organizations are dealing with the situation by providing what is essentially a public WiFi network inside the office which has no access to corporate resources but does allow users to download the latest IOS update, for example.

It's another area where network visibility plays an important role. With 100 percent accurate network visibility, organizations can quickly see the extent of the BYOD problem inside their network. Once the size of the problem is established, they can begin to plan and invest accordingly. As with all these things, it's a question of balance.

This year, the SEC began requiring publicly traded companies to disclose cyber attacks and list the data that has been breached. How do you think mandating companies to air their dirty laundry will impact the focus these organizations have on network visibility and monitoring?

For organizations that take cyber security seriously, the new SEC regulations present little or no threat. Organizations on the forefront know exactly what's going on and have the tools and systems in place to monitor exactly what's going on. The SEC regulations are a challenge to organizations that aren't thinking strategically about network visibility.

The SEC mandate defines today's operational best practice -- organizations should know these things and have the requisite systems in place but frequently don't. In the future, we expect the requirement to be able to provide packet-level evidence of what happened inside the network to be a compliance requirement.

What are some of the biggest trends you see affecting network visibility and monitoring in the coming decade?

The obvious future trend is towards faster networks and with that comes the need to deliver more accurate and faster visibility solutions. In addition, we expect organizations to demand to see and retain more data. The ability to see into the application layer is only the start of the visibility journey. There are many other aspects of network behavior and performance that will require enhanced visibility.

As NetOps and NetSec teams start to collaborate far more closely, we'll see organizations investing in single visibility fabrics that meet the needs of multiple functions within an organization. We're already seeing active collaboration between operational functions at our customer sites, and the business benefits can be extremely positive.

Tell us more about Endace and how it helps companies with network visibility.

Endace's mission is to give companies the power to see all that is happening inside their network -- no matter the size. Endace network visibility solutions deliver the precise information decision-makers need to rapidly troubleshoot network problems, optimize network resources, and unlock the true value of network infrastructure. We recently launched EndaceVision, which delivers application-aware, packet-level visibility across the entire network, powered by our unique multi-application-capable systems that guarantee 100 percent packet capture and recording and is scalable up to 100Gbps.

Must Read Articles