Enterprise Network Traffic Informatics
1. The end of Business, as we know it
In today's world, where the business landscape is changing fast, computer networks play a vital role. No longer is business confined to the four walls of the enterprise. Large enterprises today need to pursue strategies like offshoring, outsourcing and smart-sourcing to stay competitive. Under these strategies the nature of work gets globalized, and work gets done across geographies and time zones. Welcome to the "Distributed Enterprise"!
Figure 1: The Distributed Enterprise
Some of the strategies pursued by today's enterprises:
In such conditions, facilitating access and communication between the various constituents of the distributed network, and ensuring access to the datacentre or SaaS application from the remote offices, becomes crucial. Monitoring the whole network from a centralized location, with a unified view of the entire network, also becomes indispensable.
Enterprise bandwidth monitoring is today an indispensable core requirement, and quite a strategic one at that.
2. Enterprise Bandwidth Monitoring - A Strategic Requirement
With such sweeping changes embracing the enterprise, the network administrator's responsibility to ensure a high level of WAN availability at all times has become very critical. Especially as enterprises go global, there comes the challenge of managing the health and performance of the entire network, including the remote and branch offices. Any degradation in network performance anywhere in the network could lead to significant productivity loss and employee frustration. It becomes all the more important to be sure that no unwanted traffic, network abuse or network attack is happening at any point in time.
The main challenges in such a scenario include:
The only way to address these problems is to have a strong enterprise-wide bandwidth monitoring and traffic analysis tool. With knowledge of the traffic patterns in similar departments across offices and geographies, and of the causes of bandwidth consumption, a Network Admin or CIO can take educated decisions. This information enables the network admin to enforce appropriate policies to restrict undesired bandwidth usage, such as downloading music files or watching YouTube videos during business hours.
At the CIO level, a unified collective view of the bandwidth consumption across the distributed enterprise can help in taking accurate strategic decisions, capacity planning (ordering more bandwidth) for instance. Also, having access to historic data on traffic usage patterns helps to benchmark current usage levels.
3. Typical Approaches to Bandwidth Monitoring
A cursory look at the solutions available in the market shows that there are solutions of various types to choose from. In general they can be classified based on the underlying technology, that is, the data acquisition technique.
Based on the data acquisition technique:
The solutions available in the market adopt one of these techniques: SNMP queries, Test Access Ports (TAPs) or SPAN ports, packet sniffing, or analysis of flow exports such as NetFlow / sFlow / cflowd / J-Flow / NetStream / IPFIX.
SNMP (Simple Network Management Protocol) based tools send SNMP queries to the SNMP agents running on the network devices to get information on bandwidth usage in the network. An SNMP query gives a consolidated or bulk traffic figure for an interface. So, this needs to be complemented with in-depth network traffic analysis that answers the who, when and what aspects of bandwidth usage. Also, as it uses a "pull" model, frequent polling of many devices may cause considerable load on the enterprise bandwidth.
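The "bulk traffic figure" an SNMP poll returns is a byte counter (ifInOctets / ifOutOctets), not a rate, so the monitoring tool has to difference two polls, and has to cope with the 32-bit counter wrapping on fast links. The following is an added example, not code from the page or from the NetFlow Analyzer product; the sample readings and the interface speed are constructed values, and the helper names are this example's own.

```python
# Added example: derive link utilisation from two SNMP counter polls.
# ifInOctets/ifOutOctets are Counter32 objects (wrap at 2**32);
# ifHCInOctets/ifHCOutOctets are Counter64 objects (wrap at 2**64).
from dataclasses import dataclass

COUNTER32_MAX = 2 ** 32
COUNTER64_MAX = 2 ** 64


@dataclass
class Sample:
    ts: float         # poll time in seconds
    in_octets: int    # ifInOctets reading
    out_octets: int   # ifOutOctets reading


def counter_delta(prev: int, cur: int, width: int = COUNTER32_MAX) -> int:
    """Octets counted between two readings, allowing for a single wrap.

    If the counter wrapped more than once between polls the result is
    wrong and undetectable, which is why the poll interval matters."""
    if cur >= prev:
        return cur - prev
    return (width - prev) + cur


def utilisation(prev: Sample, cur: Sample, if_speed_bps: int,
                width: int = COUNTER32_MAX) -> dict:
    """Average bit rate and percentage utilisation over the poll interval."""
    elapsed = cur.ts - prev.ts
    if elapsed <= 0:
        raise ValueError("samples must be in increasing time order")
    in_bps = counter_delta(prev.in_octets, cur.in_octets, width) * 8 / elapsed
    out_bps = counter_delta(prev.out_octets, cur.out_octets, width) * 8 / elapsed
    return {
        "in_bps": in_bps,
        "out_bps": out_bps,
        "in_util_pct": 100.0 * in_bps / if_speed_bps,
        "out_util_pct": 100.0 * out_bps / if_speed_bps,
    }


def max_poll_interval(if_speed_bps: int, width: int = COUNTER32_MAX) -> float:
    """Seconds a saturated link takes to wrap the counter once; poll faster
    than this (or use the 64-bit HC counters) or deltas become ambiguous."""
    return width * 8 / if_speed_bps


if __name__ == "__main__":
    # Constructed readings: the inbound counter wraps between the polls.
    prev = Sample(ts=0, in_octets=2 ** 32 - 1000, out_octets=100)
    cur = Sample(ts=60, in_octets=6500, out_octets=100 + 750_000)
    print(utilisation(prev, cur, if_speed_bps=1_000_000))
    print("max safe poll interval on 1 Gbit/s with Counter32:",
          round(max_poll_interval(1_000_000_000), 1), "s")
```

The last figure is the practical reason flow exports and 64-bit counters exist: on a gigabit interface a 32-bit counter can wrap in about half a minute, so a five-minute poll cannot tell a quiet link from a busy one.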
A SPAN port (Switched Port Analyzer) is a port designated on a switch to mirror traffic received on other ports. Test access ports are traffic replicators placed between two routers, firewalls or enterprise switches that send a copy of all the network traffic flowing through them. SPAN or TAP ports can be used to forward network traffic to software applications or hardware probes for traffic analysis. The downside is the cost involved in procuring, deploying and managing these.
A packet sniffer intercepts and collects local traffic by capturing packets from the network segment the sniffer is attached to. A sniffer is useful in network troubleshooting, network intrusion detection and monitoring network usage. The advantage is the ability to account for the actual traffic by IP address and protocol. The downside is the heavy load placed on the monitoring system.
Flow-based technology harnesses the information contained in flow exports like NetFlow, sFlow, cflowd, J-Flow, NetStream and IPFIX and presents an in-depth view of the traffic flows. It offers a scalable and low-cost approach to deep insight into network traffic based on layer 3 and layer 4 packet information. With it one can know the who, what and when aspects of bandwidth usage. Using the data extracted from the flows the following can be known:
This approach provides the information necessary for capacity planning decisions, for detecting any form of network abuse, for monitoring QoS and, to a certain extent, for identifying security attacks.
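The who, what and when analysis described above is, at bottom, aggregation over the layer 3/4 fields of each flow record (addresses, protocol, ports, byte counts, start time). The following is an added example, not code from the page or from the NetFlow Analyzer product; the flow records are constructed sample data, the port-to-application mapping is deliberately minimal, and the business-hours policy check is this example's own illustration of the "restrict undesired bandwidth usage" point made earlier.

```python
# Added example: who / what / when analysis over constructed flow records.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    """The layer 3/4 fields a NetFlow-style export carries per flow."""
    start: datetime
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    octets: int
    packets: int


# Constructed sample flows (not real traffic).
FLOWS = [
    Flow(datetime(2024, 3, 4, 9, 5), "10.1.1.20", "203.0.113.10", 6, 51234, 443, 12_000_000, 9_000),
    Flow(datetime(2024, 3, 4, 9, 7), "10.1.1.20", "203.0.113.10", 6, 51240, 443, 8_000_000, 6_000),
    Flow(datetime(2024, 3, 4, 9, 10), "10.1.1.31", "192.0.2.5", 6, 40000, 80, 2_500_000, 2_000),
    Flow(datetime(2024, 3, 4, 10, 15), "10.1.1.44", "198.51.100.7", 17, 5000, 53, 20_000, 200),
    Flow(datetime(2024, 3, 4, 13, 30), "10.1.1.31", "192.0.2.5", 6, 40100, 80, 6_000_000, 4_500),
    Flow(datetime(2024, 3, 4, 22, 5), "10.1.1.50", "203.0.113.99", 6, 60000, 22, 900_000, 1_200),
]

# Minimal well-known-port map; a real product keeps a far larger table.
PORT_APP = {80: "http", 443: "https", 53: "dns", 22: "ssh"}


def app_name(flow: Flow) -> str:
    """The 'what': classify a flow by its well-known port, else proto/port."""
    return PORT_APP.get(flow.dport) or PORT_APP.get(flow.sport) or f"{flow.proto}/{flow.dport}"


def top_talkers(flows, n=3):
    """The 'who': source hosts ranked by octets sent."""
    c = Counter()
    for f in flows:
        c[f.src] += f.octets
    return c.most_common(n)


def bytes_by_application(flows):
    """The 'what': octets per application."""
    c = Counter()
    for f in flows:
        c[app_name(f)] += f.octets
    return dict(c)


def bytes_by_hour(flows):
    """The 'when': octets per hour of day, keyed by flow start hour."""
    c = Counter()
    for f in flows:
        c[f.start.hour] += f.octets
    return dict(sorted(c.items()))


def policy_violations(flows, app, limit_octets, business_hours=range(9, 18)):
    """Hosts whose traffic to `app` during business hours exceeds a limit;
    the raw material for an enforcement or capacity decision."""
    per_host = Counter()
    for f in flows:
        if app_name(f) == app and f.start.hour in business_hours:
            per_host[f.src] += f.octets
    return {host: b for host, b in per_host.items() if b > limit_octets}


if __name__ == "__main__":
    print("top talkers:", top_talkers(FLOWS))
    print("by application:", bytes_by_application(FLOWS))
    print("by hour:", bytes_by_hour(FLOWS))
    print("https over 10 MB in business hours:", policy_violations(FLOWS, "https", 10_000_000))
```

Note what the flow record cannot tell you: the byte counts are per flow, so a host sending many small flows and a host sending one large one look the same in the top-talkers table until you also look at flow counts, and the application label is only as good as the port map, which is why the page calls security-attack identification a "to a certain extent" capability of this data.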
The table below lists the vendors whose devices are capable of exporting one of Cisco NetFlow, sFlow, cflowd, J-Flow, NetStream or IPFIX.
Let us consider the case of a software solution that is based on harnessing the data contained in the "Flows" to monitor an enterprise network bandwidth.
4. The Flow-based software solution
When a global enterprise decides to use a flow-based software solution to monitor its distributed network, the setup looks like the figure below. The software has to be deployed in each of the remote locations, and the data gathered at a location is visible only to the network admin at that location.
The report on bandwidth usage in each office is visible only to the network administrator at that level. Here the data sits in "silos". For a consolidated overall view, the data held by each network admin has to be collated by the chief Network Administrator or CIO.
Drawback of this solution:
A distributed monitoring solution can fix the drawback in the above model. By collating data from all the distributed locations and presenting it in a unified fashion, it brings greater control to the Chief Network Administrator/ Network Manager.
5. The Flow-based distributed monitoring solution
The NetFlow Analyzer Distributed Edition is a scalable flow-based software solution from ZOHO Corp., ideal for large corporations with tens of thousands of interfaces. It uses distributed collectors (shown in the diagram) which are installed in the remote offices. Each remote collector collects the flow information from all the routers at its location, processes the data and, after compression, sends it to the central server over a secure HTTPS link. This way the bandwidth consumed is just a fraction of what would be consumed by forwarding the raw flows.
The central server receives the compressed data exported by all collectors and does further analysis for the purpose of reporting. The central server is ideally located at headquarters. A chief network administrator or CIO can access the reports generated by the central server through a web client and get a unified view of the entire network.
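The reason the collector-to-server traffic is "a fraction" of the raw flow volume is that the collector reduces per-flow records to per-interval summaries before compressing them. The following is an added example of that pattern and is not the product's own code: the raw flows are generated deterministically as constructed data, the summary layout (site, 5-minute bucket, interface index, destination port) and the helper names are assumptions, and the HTTPS transport is represented only by the packed bytes that would be posted.

```python
# Added example: collector-side pre-aggregation and central merge.
import json
import zlib
from collections import Counter

BUCKET_SECONDS = 300   # summarise flows into 5-minute buckets


def constructed_flows(site_offset: int, n: int = 200):
    """Deterministic sample flows (constructed, not real traffic)."""
    return [
        {"start": 1_700_000_000 + i * 3,     # start time, unix seconds
         "ifindex": 1 + i % 2,                # two router interfaces
         "dport": (80, 443, 53)[i % 3],       # three applications
         "octets": site_offset + i}
        for i in range(n)
    ]


def aggregate(site: str, raw_flows):
    """Collector step: collapse flows into (bucket, ifindex, dport) totals."""
    buckets = Counter()
    for f in raw_flows:
        slot = f["start"] - f["start"] % BUCKET_SECONDS
        buckets[(slot, f["ifindex"], f["dport"])] += f["octets"]
    rows = [[slot, ifx, dport, octets]
            for (slot, ifx, dport), octets in sorted(buckets.items())]
    return {"site": site, "buckets": rows}


def pack(summary) -> bytes:
    """What the collector would post to the central server."""
    return zlib.compress(json.dumps(summary, separators=(",", ":")).encode())


def unpack(blob: bytes):
    return json.loads(zlib.decompress(blob))


def merge(blobs):
    """Central-server step: one unified table plus a per-site total."""
    unified = Counter()
    per_site = {}
    for blob in blobs:
        summary = unpack(blob)
        site = summary["site"]
        for slot, ifx, dport, octets in summary["buckets"]:
            unified[(site, slot, ifx, dport)] += octets
        per_site[site] = sum(row[3] for row in summary["buckets"])
    return per_site, unified


def transfer_ratio(raw_flows, blob: bytes) -> float:
    """Bytes sent to headquarters divided by the size of the raw export."""
    return len(blob) / len(json.dumps(raw_flows).encode())


if __name__ == "__main__":
    sites = {"branch-a": constructed_flows(1000), "branch-b": constructed_flows(2000)}
    blobs = [pack(aggregate(name, flows)) for name, flows in sites.items()]
    per_site, unified = merge(blobs)
    print("per-site octets:", per_site)
    print("unified rows:", len(unified))
    print("wire ratio branch-a:", round(transfer_ratio(sites["branch-a"], blobs[0]), 3))
```

The trade-off this makes visible: the summary is lossless for the totals the central report needs, but the per-flow detail (individual source hosts, flow start times within the bucket) stays at the collector, so a drill-down to a single conversation has to go back to the site that saw it.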
Benefits of the NetFlow Analyzer Distributed Edition:
Take into consideration the key points below before choosing your traffic analysis / bandwidth monitoring solution, to ensure that the investment delivers the expected value.
9 Key Points for the CIO/Network Manager to consider in choosing the right solution
For more details on ManageEngine NetFlow Analyzer visit http://www.netflowanalyzer.com.
For technical queries contact
"NetFlow Analyzer has helped us reduce the time taken to isolate and
Fred Hassard, Sr. Network Engineer, Adventist Health