Network visibility is getting murkier, and enterprises are investing in tools to cut through the fog, tighten security, and boost IT pros’ productivity.
A majority (78 per cent) of companies plan to increase their spending on network visibility tools over the next two years, according to Shamus McGillicuddy, vice president of research at Enterprise Management Associates (EMA). Traffic growth is the main impetus, due in large part to adoption of hybrid and multi-cloud architectures.
Other factors driving the need for better visibility include increases in east-west data centre traffic and greater use of encryption by bad actors to hide malicious traffic.
There’s more and more data coming out of networks that needs analysing, and enterprises need to ensure it doesn’t overwhelm systems such as security solutions and performance analysis tools that analyse the traffic, said McGillicuddy in a web briefing.
“You can't have an ad hoc approach to getting traffic data to your analysis tools,” McGillicuddy said. “You can't say, ‘Well, okay, so I think something's happened. I'm going to go and physically tap into the network here, do a packet dump, and then do some forensic analysis.’
“No, you really need to be instrumented to have full visibility at all times. You need to have the lights on; you can't turn the lights off to save money and then turn them on when you need to see what's happening.”
What is network-visibility architecture?
EMA defines a network-visibility architecture as an overlay of traffic mirroring, aggregation, and distribution tools that delivers network traffic data to other systems. It captures packet data from the cloud and on-premises networks and feeds it to security tools and performance analysis systems, such as intrusion detection or application performance-management software.
The key components of a network visibility architecture are TAPs and SPAN ports, which are used to mirror traffic data from the production network, along with aggregation devices, such as a network packet broker appliance.
An enterprise-caliber visibility architecture also typically incorporates software-based probes and packet brokers for virtual infrastructure, and cloud-based probes and packet brokers for cloud systems. Traffic mirroring services from cloud providers have emerged over the last couple of years and are also becoming part of some enterprises’ network-visibility architectures.
Most enterprises agree there’s room for improvement when it comes to current network-visibility conditions. Only 34 per cent of the organisations surveyed by EMA said they are fully successful with the overall use of network visibility architecture, down from 40 per cent when the firm asked the same question in 2020.
The top challenges, according to enterprises, are scalability issues (cited by 27 per cent), architectural complexity (26 per cent), data quality (23 per cent), skills gaps (19 per cent), budget (19 per cent), and limited cloud visibility (17 per cent).
“The two big ones are scalability issues and architectural complexity,” McGillicuddy said. “Scaling up their visibility architecture is a heavy lift, in some cases. They're trying to keep up with that traffic growth, so they're spending more on these architectures. It's a race to keep up.”
In terms of architectural complexity, the problem is that enterprises lack a full, end-to-end understanding of the state of their networks, which is what should guide where and how they instrument the network with a visibility architecture, McGillicuddy said.
“Where do I need to mirror traffic to my analysis tools? Do I know all the parts of my network that I need to be doing that on? A significant number of them are telling us they don't.”
Cloud degrades effectiveness of visibility tools
Overall, the effectiveness of network visibility systems is degrading for a variety of reasons, the top reason being the cloud, McGillicuddy said. Migration of applications to the cloud has created blind spots, and multi-cloud makes visibility even worse.
“Network operations teams tell me this a lot. They're not happy with the amount of visibility they're getting into cloud networks. They're trying to extend their solutions into the cloud, and they frequently are challenged in that regard,” McGillicuddy said.
Network blind spots introduced by the cloud can lead to problems including policy violations (cited by 49 per cent), IT service problems or downtime (46 per cent), security breaches (45 per cent), and cloud cost overruns (44 per cent).
Building an end-to-end visibility architecture that spans on-premises infrastructure and public cloud can remove those blind spots, according to EMA.
“The cloud is not making these products less relevant, it’s making them more relevant,” McGillicuddy said.
EMA asked companies about their primary method for supplying cloud-related network packet data to security and performance analysis tools.
The majority (60 per cent) are using third-party software such as a virtual network packet broker or a virtual TAP. Another 38 per cent are using native packet mirroring services offered by cloud providers. The remaining two per cent use an alternative method or don’t analyse packet data in the cloud.
The most compelling benefits of third-party visibility software in the cloud are:
- Reliability of data collection (54 per cent)
- Administrative security (36 per cent)
- Manageability/automation (34 per cent)
- Advanced packet filtering and modification features (32 per cent)
- Integration with visibility technology in private infrastructure (30 per cent)
TAPs vs SPAN ports: Enterprises pulling back on TAPs
Every two years, EMA asks enterprises what percentage of port mirroring on their networks is accomplished via a switched port analyser (SPAN) port or a test access port (TAP). With SPAN, the switch itself copies traffic from selected source ports or VLANs and forwards the copies out a designated destination port to the monitoring system, using the switch's own forwarding resources to do so.
A TAP is a dedicated device inserted inline on a link that passes production traffic through unchanged while sending a copy to the visibility architecture, offloading that task from the switches.
In the past, a majority of enterprises did port mirroring via TAPs rather than SPAN ports, but more recently there has been a swing toward SPAN ports. Too many organisations are now leaning on SPAN ports more than TAPs for traffic mirroring, “and there are implications for that,” McGillicuddy said.
As network complexity climbs, enterprises might be looking to mirror more points on their network to improve overall visibility, and SPAN ports can be a cheaper approach in terms of CAPEX spending, he said.
But there are benefits to using TAPs. For example, TAPs typically come from a vendor that specialises in visibility and provides software to manage the TAPs, particularly as network configuration changes are made. “It reduces operational complexity,” McGillicuddy said.
Conversely, with SPAN ports, “you may not have a central view of your SPAN ports configured on your various switches across the network,” he said, “and that means it's very hard to manage change and [prevent] unauthorised changes on a visibility fabric at the traffic-mirroring layer.”
Data quality is also better with TAPs, McGillicuddy said. TAPs are optimised to deliver mirrored traffic to the visibility architecture, whereas SPAN ports are best-effort.
“If the network switch is experiencing high utilisation, it’s going to withhold resources from the SPAN port in order to fulfil its primary mission. That SPAN port will start to drop packets, for instance, and that's going to impact the data quality,” McGillicuddy said. “That's why people invest in TAPs, and that's why it's a little troubling to me to see a lot of people rely more heavily on SPAN ports in recent years.”
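The two SPAN weaknesses McGillicuddy describes, no central view of what is mirrored where and silent packet loss when a session is oversubscribed, can both be checked from the switch configurations themselves. The following Python script is an added example, not part of the EMA report or any vendor's product: it parses Cisco IOS-style `monitor session` lines from constructed running-config fragments (the hostnames, ports and approved inventory are hypothetical), flags sessions that are missing from an approved inventory or that send copies anywhere other than the packet-broker uplink, reports approved sessions that have disappeared, and computes whether the sources' combined rate (both directions of a full-duplex link count twice) exceeds the destination port's rate, which is the point at which best-effort SPAN begins dropping packets.

```python
"""Audit SPAN (monitor session) configuration across switches.

Added example, not from the EMA report. Reads IOS-style ``monitor session``
lines from each switch's running config (constructed samples below) and flags
unapproved sessions, destinations that are not the packet-broker uplink,
approved sessions that have vanished, and oversubscribed sessions (mirroring
both directions of full-duplex sources can need up to 2x their link rate).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed running-config fragments; hostnames and ports are hypothetical.
SWITCH_CONFIGS = {
    "dc1-leaf01": """
hostname dc1-leaf01
monitor session 1 source interface Gi1/0/1 - 4 both
monitor session 1 destination interface Te1/0/48
monitor session 2 source interface Gi1/0/10 rx
monitor session 2 destination interface Gi1/0/20
""",
    "dc1-leaf02": """
hostname dc1-leaf02
monitor session 1 source interface Te1/0/1 both
monitor session 1 source interface Te1/0/2 both
monitor session 1 destination interface Te1/0/48
""",
}
# The central inventory a TAP/broker vendor's manager would normally hold:
# which (switch, session) pairs may exist, and which ports feed the broker.
APPROVED_SESSIONS = {("dc1-leaf01", 1), ("dc1-leaf02", 1), ("dc1-leaf02", 3)}
BROKER_PORTS = {"dc1-leaf01": {"Te1/0/48"}, "dc1-leaf02": {"Te1/0/48"}}

SPEED_GBPS = {"Gi": 1, "Te": 10, "Fo": 40, "Hu": 100}  # by interface name prefix
SRC_RE = re.compile(r"^monitor session (\d+) source interface (\S+)(?: - (\d+))?(?: (rx|tx|both))?$")
DST_RE = re.compile(r"^monitor session (\d+) destination interface (\S+)$")


@dataclass
class Session:
    sources: List[Tuple[str, str]] = field(default_factory=list)  # (iface, direction)
    destination: Optional[str] = None


def expand_range(first: str, last: Optional[str]) -> List[str]:
    """'Gi1/0/1', '4' -> Gi1/0/1 .. Gi1/0/4 (IOS interface-range syntax)."""
    if last is None:
        return [first]
    stem, start = first.rsplit("/", 1)
    return [f"{stem}/{n}" for n in range(int(start), int(last) + 1)]


def link_gbps(iface: Optional[str]) -> int:
    """Nominal link rate from the interface prefix; 0 if unknown."""
    return SPEED_GBPS.get((iface or "")[:2], 0)


def parse_monitor_sessions(config: str) -> Dict[int, Session]:
    sessions: Dict[int, Session] = {}
    for line in config.splitlines():
        line = line.strip()
        if m := SRC_RE.match(line):
            sid, first, last, direction = m.groups()
            s = sessions.setdefault(int(sid), Session())
            # IOS mirrors both directions when no direction keyword is given.
            s.sources += [(i, direction or "both") for i in expand_range(first, last)]
        elif m := DST_RE.match(line):
            sessions.setdefault(int(m.group(1)), Session()).destination = m.group(2)
    return sessions


def audit(configs, approved, broker_ports) -> List[Tuple[str, int, str, str]]:
    """Return (switch, session, severity, message) findings, in config order."""
    findings = []
    for switch, cfg in configs.items():
        sessions = parse_monitor_sessions(cfg)
        for sid, s in sessions.items():
            if (switch, sid) not in approved:
                findings.append((switch, sid, "HIGH", "session not in approved inventory"))
            if s.destination not in broker_ports.get(switch, set()):
                findings.append((switch, sid, "HIGH", f"destination {s.destination} is not a packet-broker port"))
            # Copying 'both' directions of a full-duplex link doubles the mirrored volume.
            need = sum(link_gbps(i) * (2 if d == "both" else 1) for i, d in s.sources)
            have = link_gbps(s.destination)
            if have and need > have:
                findings.append((switch, sid, "MEDIUM",
                                 f"oversubscribed: {need}G of sources into {have}G destination "
                                 f"({need / have:.1f}x), expect drops under load"))
        for sw, sid in sorted(approved):
            if sw == switch and sid not in sessions:
                findings.append((switch, sid, "MEDIUM", "approved session missing: mirroring silently off"))
    return findings


if __name__ == "__main__":
    for f in audit(SWITCH_CONFIGS, APPROVED_SESSIONS, BROKER_PORTS):
        print("%-10s session %d [%s] %s" % f)
```

Run against configs pulled from a config-backup system, the oversubscription check gives early warning that a switch will drop mirrored packets before the analysis tools notice gaps in the feed, and the inventory checks supply the change-control view of the mirroring layer that TAP management software would otherwise provide.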
Encrypted traffic thwarts network visibility
A network visibility architecture can play a key role in inspecting encrypted traffic and detecting malicious activity, but a lot of enterprises aren’t seeing as much of the malicious traffic as they should, according to McGillicuddy.
EMA asked respondents to estimate how much of the malicious activity that they detected on their network over the past year was hidden within encrypted packets, and the mean response was 27 per cent.
However, that percentage varies depending on how successful a company is with its network-visibility solutions. The more successful enterprises say 34 per cent of all malicious activity on the network was in encrypted traffic, whereas those enterprises that are just somewhat successful reported rates of 23 per cent.
“That's a pretty big gap. It tells you that network visibility-architecture is essential, in my view, to detecting malicious activity that's hidden within encrypted traffic. However, a lot of people aren't doing it,” McGillicuddy said.
EMA also asked enterprises to share their preferred resource for decrypting TLS/SSL traffic for inspection. The most popular response was security and performance analysis tools (cited by 43 per cent).
However, using security analysis tools for decryption can consume resources from those tools, which impacts their ability to actually analyse the traffic once it's decrypted, McGillicuddy said. Too many organisations are decrypting traffic on analysis tools, and “it's not efficient.”
The second most popular approach (cited by 23 per cent) was to decrypt the traffic on a network packet broker, “which I think is an ideal spot for it,” he said. Other methods include a dedicated decryption appliance (12 per cent), packet capture appliance (11 per cent), and application delivery controller (seven per cent).
Visibility boosts IT effectiveness
Ranked by survey respondents, the most important benefits of using a network visibility architecture are:
- Improved IT/security team productivity (cited by 36 per cent)
- Reduced security risk (33 per cent)
- Improved capacity management (25 per cent)
- Optimised cloud migration (23 per cent)
- Network/application performance/resiliency (22 per cent)
- Better cross-team collaboration/decision-making (19 per cent)
- Reduced compliance risk (18 per cent)
- Extended life of security and performance analysis tools (14 per cent)
It can be hard to put a dollar figure on reduced security risk, but it’s easy to quantify the benefits of boosting productivity, McGillicuddy said. “If you are boosting the productivity of your IT team and the security team, you can demonstrate to leadership how that has freed up full time FTE hours,” he said.
In many enterprises, valuable IT people are spending hundreds of hours making sure network traffic data gets to the analysis tools that need it. With a network-visibility architecture, it’s automated. IT pros don’t need to do the heavy lifting to pull the data and feed it to the tools, McGillicuddy said. “That’s the improved IT security productivity, and it’s a major driver of ROI.”