Modern approaches to network monitoring


The network monitoring arena is a crowded and popular place, with dozens of vendors and tools competing for users' favor and market share. You probably have your favorites, and you certainly have something to say on the subject.

A lot is going on in the network monitoring arena: network systems are becoming more complex, Software Defined Networking (SDN) is slowly coming into the picture and malware is speeding up the pace. Solutions are adapting to hybrid cloud to fill visibility gaps, using Artificial Intelligence (AI) as an integral part, and coping with constant and dramatic bandwidth growth. In this period of technology shift, do you have a clear and complete network monitoring strategy? Are you sure?

Why do most network monitoring strategies fail?

Network monitoring is a set of mechanisms and tools that provide network administrators with visibility into network traffic, the past and current state of the network, network performance, the health and availability of infrastructure and services, as well as security breaches that occur within the network. Together, these mechanisms and tools enable administrators to proactively and quickly respond to any issues or anomalies, thus maintaining smooth network and business operations.

Common practice in implementing monitoring and security policies includes deploying Intrusion Detection and Prevention Systems (IDS/IPS) and firewall solutions at the network perimeter, and antivirus software on the hosts. More responsible and security-aware companies will also have a Security Information and Event Management (SIEM) system installed. But network monitoring in most SMBs, as well as in enterprises, is usually limited to infrastructure monitoring: checking the availability and health of network-connected devices and the services they run. We also have our own preferences for helping our customers gain visibility, such as Nagios XI for SMBs and Inceptum UMBOSS for enterprises and telcos.

To put things straight – while checking the availability and performance of infrastructure and services is mandatory and irreplaceable for networks of any size, in today’s complex environments device-centric monitoring with a simple, basic set of (usually SNMP) performance counters is not sufficient to ensure visibility, availability and reliability of the network and critical business services, because it leaves the network traffic itself completely unmanaged and unknown.

Can you really be sure that everything is going well just because no one is complaining? Do you only see the participants in a conversation but never hear the conversation itself? This silence can come at a high cost, especially when it comes to security incidents, which are usually a keep-a-low-profile type of conversation. And this is exactly where a lot of network monitoring strategies simply – fail.

Let’s talk about network traffic monitoring tools

So, how about joining the conversation? We need to get back to basics. Network performance monitoring techniques are either active or passive. Passive monitoring reads data from the network without affecting the traffic, while active monitoring modifies or injects traffic into the network.

Active monitoring, such as a system of probes distributed across the network (e.g. ICMP ping probes, software agents simulating application users, etc.), provides a set of metrics between the monitored endpoints. Its pitfalls are that it introduces additional hardware, software and traffic overhead into the network, and that its metrics cover only synthetic traffic on very specific communication routes, so they do not provide complete visibility into network performance. Active monitoring is therefore rarely implemented as the sole network monitoring solution.

Passive network performance monitoring does not introduce overhead into the network, is less resource-intensive and enables analysis of larger volumes of data. Depending on the level of detail retained from the monitored traffic, several approaches arise, each with its own trade-offs. Passive network performance monitoring can be divided into two processes: traffic duplication and traffic analysis. The two most common ways of duplicating traffic are port mirroring and positioning an inline TAP device.

Compared with analyzing full packets, flow analysis – which strips the payload and keeps only the header-level data – gives detailed insight into network traffic much faster, with less stored data and fewer privacy concerns. Multiple vendor protocols exist, all carrying a basic set of fields such as source and destination IP addresses, communication ports, protocols and the traffic transferred in bytes and packets; the most flexible is IPFIX, developed by the IETF, which lets vendors export a much larger, proprietary set of fields. This allows exported data to be enriched and traffic to be analyzed all the way up to the upper layers of the OSI model, which in turn enables analysis of specific types of traffic (DNS, DHCP, HTTP, etc.) and insight into both network and application performance.

Having flow statistics for your entire network traffic will help you streamline network optimizations, troubleshoot faster and enhance security by detecting traffic anomalies that are beyond the reach of perimeter systems.

  Device/interface centric (SNMP performance counters)
  • Basic performance counter information
  • How many packets, bytes

  Conversation centric (flow analysis)
  • Who talked to whom?
  • Which ports, protocols, data amount and type

  Content centric (packet analysis)
  • Detailed insight into network packets
  • Time and resource consuming
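The conversation-centric view described above, as an added example (not Inceptum or Flowmon code): constructed flow records carrying the basic field set shared by NetFlow/IPFIX exporters are aggregated into "who talked to whom" totals, and two kinds of anomaly that device-centric counters cannot show are flagged. The thresholds and the sample addresses (documentation ranges) are assumptions made for the example.

```python
"""Conversation-centric analysis of flow records (added example, not
vendor code). Records use the basic field set common to NetFlow/IPFIX:
addresses, ports, protocol, bytes and packets. All data is constructed."""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: str   # "tcp" / "udp" / "icmp"
    bytes: int
    packets: int


# Constructed sample export: ordinary web/DNS conversations plus two anomalies.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", 51000, 443, "tcp", 120_000, 150),
    Flow("10.0.0.5", "10.0.0.53", 52000, 53, "udp", 300, 2),
    Flow("10.0.0.7", "10.0.0.53", 52100, 53, "udp", 280, 2),
    # One host touching many ports on one peer: visible only at flow level.
    *[Flow("10.0.0.9", "10.0.0.20", 40000 + p, p, "tcp", 60, 1) for p in range(1, 41)],
    # A single outbound transfer far larger than every other conversation.
    Flow("10.0.0.7", "203.0.113.8", 53000, 443, "tcp", 900_000_000, 650_000),
]


def conversations(flows):
    """'Who talked to whom': totals per (src, dst) pair plus the set of
    destination ports used, i.e. the conversation-centric view."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "dports": set()})
    for f in flows:
        c = totals[(f.src, f.dst)]
        c["bytes"] += f.bytes
        c["packets"] += f.packets
        c["dports"].add(f.dport)
    return totals


def find_anomalies(flows, fanout_threshold=20, bytes_threshold=100_000_000):
    """Flag conversations that interface counters and perimeter devices miss:
    wide destination-port fan-out inside the LAN, and unusually large transfers.
    Thresholds are assumed values; tune them to the baseline of your network."""
    findings = []
    for (src, dst), c in conversations(flows).items():
        if len(c["dports"]) >= fanout_threshold:
            findings.append(("port-fanout", src, dst, len(c["dports"])))
        if c["bytes"] >= bytes_threshold:
            findings.append(("large-transfer", src, dst, c["bytes"]))
    return findings
```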

While the available solutions are numerous, our number one choice for delivering network visibility and diagnostics is the Flowmon product family. Flowmon products are scalable and robust, and their integration options, combined with our infrastructure monitoring, have helped us create comprehensive monitoring solutions for our customers.

Three perspectives you need to include in your network monitoring strategy

The wise and experienced understand two statements: use the right tool for the right job, and there is no “one solution to rule them all”. There is a lot to think about when deciding on a strategy. The solution will depend on your size, on whether your network model is cloud or on-premise, and on price. You will need to take scalability into consideration, since you are going to grow. Multi-vendor support and ease of implementation and configuration will also make a difference.

Here at Inceptum, we help our customers, and we can help you get into the game and make well-informed decisions. Most of all, your existing ecosystem will dictate which integrations are possible and which are necessary – a crucial question. Having an educated professional is a must, and this is where our experts can lead the entire implementation and integration process. This is what we know how to do and love doing. Nonetheless, your strategy must cover all three perspectives – security, infrastructure and network traffic. Get the most from your data for your business. In the end, it’s a data era, right?

Need help in this field? Let's talk.