Cloud environments challenge network visibility

Network visibility is getting murkier, and enterprises are investing in tools to cut through the fog, tighten security, and boost IT pros’ productivity.

A majority (78%) of companies plan to increase their spending on network visibility tools over the next two years, according to Shamus McGillicuddy, vice president of research at Enterprise Management Associates (EMA). Traffic growth is the main impetus, due in large part to adoption of hybrid and multi-cloud architectures.

Other factors driving the need for better visibility include increases in east-west data center traffic and greater use of encryption by bad actors to hide malicious traffic.

There’s more and more data coming out of networks that needs analyzing, and enterprises need to ensure it doesn’t overwhelm systems such as security solutions and performance analysis tools that analyze the traffic, said McGillicuddy in a web briefing.

“You can’t have an ad hoc approach to getting traffic data to your analysis tools,” McGillicuddy said. “You can’t say, ‘Well, okay, so I think something’s happened. I’m going to go and physically tap into the network here, do a packet dump, and then do some forensic analysis.’ No, you really need to be instrumented to have full visibility at all times. You need to have the lights on; you can’t turn the lights off to save money and then turn them on when you need to see what’s happening.”

What is network-visibility architecture?

EMA defines a network-visibility architecture as an overlay of traffic mirroring, aggregation, and distribution tools that delivers network traffic data to other systems. It captures packet data from the cloud and on-premises networks and feeds it to security tools and performance analysis systems, such as intrusion detection or application performance-management software.

The key components of a network visibility architecture are TAPs and SPAN ports, which are used to mirror traffic data from the production network, along with aggregation devices, such as a network packet broker appliance.

An enterprise-caliber visibility architecture also typically incorporates software-based probes and packet brokers for virtual infrastructure, and cloud-based probes and packet brokers for cloud systems. Traffic mirroring services from cloud providers have emerged over the last couple of years and are also becoming part of some enterprises’ network-visibility architectures.

Network-visibility challenges

Most enterprises agree there’s room for improvement when it comes to current network-visibility conditions. Only 34% of the organizations surveyed by EMA said they are fully successful with the overall use of network visibility architecture, down from 40% when the firm asked the same question in 2020.

The top challenges, according to enterprises, are scalability issues (cited by 27%), architectural complexity (26%), data quality (23%), skills gaps (19%), budget (19%), and limited cloud visibility (17%).  (Read more: Hybrid cloud demands new tools for performance monitoring)

“The two big ones are scalability issues and architectural complexity,” McGillicuddy said.

“Scaling up their visibility architecture is a heavy lift, in some cases,” he said. “They’re trying to keep up with that traffic growth, so they’re spending more on these architectures. It’s a race to keep up.”

In terms of architectural complexity, the problem is not having a full, end-to-end understanding of the state of their networks, which can guide how they instrument the network with a visibility architecture, McGillicuddy said. “Where do I need to mirror traffic to my analysis tools? Do I know all the parts of my network that I need to be doing that on? A significant number of them are telling us they don’t.”

Cloud degrades effectiveness of visibility tools

Overall, the effectiveness of network visibility systems is degrading for a variety of reasons, the top reason being the cloud, McGillicuddy said. Migration of applications to the cloud has created blind spots, and multi-cloud makes visibility even worse. “Network operations teams tell me this a lot. They’re not happy with the amount of visibility they’re getting into cloud networks. They’re trying to extend their solutions into the cloud, and they frequently are challenged in that regard,” McGillicuddy said.

Network blind spots introduced by the cloud can lead to problems including policy violations (cited by 49%), IT service problems or downtime (46%), security breaches (45%), and cloud cost overruns (44%).

Building an end-to-end visibility architecture that spans on-premises infrastructure and public cloud can remove those blind spots, according to EMA. 

“The cloud is not making these products less relevant, it’s making them more relevant,” McGillicuddy said. 

EMA asked companies about their primary method for supplying cloud-related network packet data to security and performance analysis tools. The majority (60%) are using third-party software such as a virtual network packet broker or a virtual TAP. Another 38% are using native packet mirroring services offered by cloud providers. The remaining 2% use an alternative method or don’t analyze packet data in the cloud.

The most compelling benefits of third-party visibility software in the cloud are:

• Reliability of data collection (54%)
• Administrative security (36%)
• Manageability/automation (34%)
• Advanced packet filtering and modification features (32%)
• Integration with visibility technology in private infrastructure (30%)

TAPs vs SPAN ports: Enterprises pulling back on TAPs

Every two years, EMA asks enterprises what percentage of port mirroring on their networks is accomplished via a switched port analyzer (SPAN) port or a test access port (TAP). With SPAN ports, one of the ports on a network switch becomes a traffic mirroring service that can copy and forward traffic to other systems. A TAP is a dedicated device that copies network traffic from a production network, offloading that task from the switches.

In the past, a majority of enterprises did port mirroring via TAPs rather than SPAN ports. But there’s been a swing toward SPAN ports, rather than TAPS, more recently. Too many organizations are leaning on SPAN ports more than TAPs for traffic mirroring, “and there are implications for that,” McGillicuddy said.

As network complexity climbs, enterprises might be looking to mirror more points on their network to improve overall visibility, and SPAN ports can be a cheaper approach in terms of Capex spending, he said. But there are benefits to using TAPS. For example, TAPs typically come from a vendor that specializes in visibility and provides software to manage the TAPs, particularly as network configuration changes are made. “It reduces operational complexity,” McGillicuddy said.

Conversely, with SPAN ports, “you may not have a central view of your SPAN ports configured on your various switches across the network,” he said, “and that means it’s very hard to manage change and [prevent] unauthorized changes on a visibility fabric at the traffic-mirroring layer.”

Data quality is also better with TAPs, McGillicuddy said. TAPs are optimized to deliver mirrored traffic to the visibility architecture, whereas SPAN ports are best-effort. “If the network switch is experiencing high utilization, it’s going to withhold resources from the SPAN port in order to fulfill its primary mission. That SPAN port will start to drop packets, for instance, and that’s going to impact the data quality,” McGillicuddy said. “That’s why people invest in TAPs, and that’s why it’s a little troubling to me to see a lot of people rely more heavily on SPAN ports in recent years.”

Encrypted traffic thwarts network visibility

A network visibility architecture can play a key role in inspecting encrypted traffic and detecting malicious activity, but a lot of enterprises aren’t seeing as much of the malicious traffic as they should, according to McGillicuddy.

EMA asked respondents to estimate how much of the malicious activity that they detected on their network over the past year was hidden within encrypted packets, and the mean response was 27%. However, that percentage varies depending on how successful a company is with its network-visibility solutions. The more successful enterprises say 34% of all malicious activity on the network was in encrypted traffic, whereas those enterprises that are just somewhat successful reported rates of 23%.

“That’s a pretty big gap. It tells you that network visibility-architecture is essential, in my view, to detecting malicious activity that’s hidden within encrypted traffic. However, a lot of people aren’t doing it,” McGillicuddy said.

EMA also asked enterprises to share their preferred resource for decrypting TLS/SSL traffic for inspection. The most popular response was security and performance analysis tools (cited by 43%). However, using security analysis tools for decryption can consume resources from those tools, which impacts their ability to actually analyze the traffic once it’s decrypted, McGillicuddy said. Too many organizations are decrypting traffic on analysis tools, and “it’s not efficient.”

The second most popular approach (cited by 23%) was to decrypt the traffic on a network packet broker, “which I think is an ideal spot for it,” he said. Other methods include a dedicated decryption appliance (12%), packet capture appliance (11%), and application delivery controller (7%).

Visibility boosts IT effectiveness

Ranked by survey respondents, the most important benefits of using a network visibility architecture are:

• Improved IT/security team productivity (cited by 36%)
• Reduced security risk (33%)
• Improved capacity management (25%)
• Optimized cloud migration (23%)
• Network/application performance/resiliency (22%)
• Better cross-team collaboration/decision-making (19%)
• Reduced compliance risk (18%)
• Extended life of security and performance analysis tools (14%)

It can be hard to put a dollar figure on reduced security risk, but it’s easy to quantify the benefits of boosting productivity, McGillicuddy said. “If you are boosting the productivity of your IT team and the security team, you can demonstrate to leadership how that has freed up full time FTE hours,” he said.

In many enterprises, valuable IT people are spending hundreds of hours making sure network traffic data gets to the analysis tools that need it. With a network-visibility architecture, it’s automated. IT pros don’t need to do the heavy lifting to pull the data and feed it to the tools, McGillicuddy said. “That’s the improved IT security productivity, and it’s a major driver of ROI.”