To manage Ethernet and IP networks effectively, network appliances are needed: That was the conclusion of the previous installment of this series on managing and securing SDN and NFV. (See Managing Ethernet/IP in the SDN/NFV Future.)
This is because all Ethernet frames and IP packets need to be collected and reassembled to enable effective management of services. This, in turn, requires continuous monitoring of the network, even at speeds of 100 Gbit/s, without losing any information. Network appliances can provide this capability in real time.
So, how can this capability be applied to the management and security of SDN and NFV?
By continuously monitoring the network, it is possible, in real time, to assess the performance of the network and get an overview of application and network usage. This information can also be stored directly to disk, in real time, as it is being analyzed. This stored data is typically used in troubleshooting to determine what might have caused a performance issue in the network, and security systems use it to detect, after the fact, any abnormal behavior.
However, if we take these concepts a stage further and combine these capabilities, we have the possibility to detect performance degradations and security breaches in real time. The network data that is captured to disk can be used to build a profile of normal network behavior. By comparing this profile to real-time captured information, it is possible to detect anomalies and raise a flag.
This kind of capability can be very useful in a policy-driven SDN/NFV network. If a performance degradation is flagged, then a policy can automatically take steps to address the issue. If a security breach is detected, a policy can initiate additional security measures and correlation of data with other security systems. It can also go so far as to use SDN and NFV to re-route traffic around the affected area and potentially block traffic from the sender in question.
The key point is that with the fundamental capabilities that network appliances can provide through real-time capture, capture-to-disk and anomaly detection, the full force of SDN and NFV can be brought to bear on the issue through a policy-driven framework.
At this point, many of you might be wondering what exactly a network appliance is. The majority of network appliances are based on standard server hardware from Dell, HP, Cisco, Intel or other server vendors. The appliance analysis applications are typically multi-threaded, running on multiple standard CPUs. The analysis being performed is normally quite intensive, so it is not uncommon for all the processing resources in the server to be fully utilized. This is especially true for analysis of 10 Gbit/s traffic and higher.
The key requirement for network appliances is that they must capture and collect all the network information in order for the analysis to be reliable. The network appliance receives network data either from a Switched Port Analyzer (SPAN) port on a switch or router that replicates all traffic or from passive taps that provide a copy of network traffic. The network appliance then needs to precisely time-stamp each Ethernet frame to allow accurate determination of events and latency measurements for Quality of Experience (QoE) assurance. It also recognizes the encapsulated protocols, as well as determining "flows" of traffic that are associated with the same senders and receivers. These are the fundamental features of most appliances. Where appliances differ is in the further analysis that is performed, whether that is to measure latency, monitor performance or detect security breaches.
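As an added illustration (not code from this column or from Napatech), the following Python sketch shows the two fundamental features just described, grouping timestamped frames into flows by sender/receiver pair, and the baseline comparison from the anomaly-detection paragraph earlier: a profile built from stored history is compared against the current interval and deviations are flagged. The frame records and baseline history are constructed sample data, and the bytes-per-destination metric and z-score threshold are assumptions chosen for the example.

```python
from statistics import mean, pstdev

# Constructed sample capture (not real traffic):
# (timestamp_ns, src_ip, dst_ip, proto, src_port, dst_port, frame_len)
FRAMES = [
    (1_000_000, "10.0.0.5", "10.0.1.9", "TCP", 51000, 443, 1514),
    (1_000_800, "10.0.0.5", "10.0.1.9", "TCP", 51000, 443, 1514),
    (1_001_200, "10.0.1.9", "10.0.0.5", "TCP", 443, 51000, 66),
    (1_002_000, "10.0.0.7", "10.0.1.9", "UDP", 40000, 53, 90),
    (1_003_500, "10.0.0.5", "10.0.1.9", "TCP", 51000, 443, 1514),
]
# Constructed baseline: bytes delivered to each host in each of the last eight intervals.
HISTORY = {"10.0.1.9": [4100, 3900, 4200, 4000, 4100, 3950, 4050, 4000]}

def flow_key(frame):
    """Bidirectional flow key: same two endpoints and protocol, whichever direction the frame travels."""
    _, src, dst, proto, sport, dport, _ = frame
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def aggregate_flows(frames):
    """Per-flow packet/byte counters plus first/last-seen timestamps (frames need not be ordered)."""
    flows = {}
    for f in frames:
        rec = flows.setdefault(flow_key(f), {"packets": 0, "bytes": 0, "first_ns": f[0], "last_ns": f[0]})
        rec["packets"], rec["bytes"] = rec["packets"] + 1, rec["bytes"] + f[6]
        rec["first_ns"], rec["last_ns"] = min(rec["first_ns"], f[0]), max(rec["last_ns"], f[0])
    return flows

def bytes_per_destination(frames):
    """Current-interval metric compared against the baseline: bytes received by each host (assumed metric)."""
    return {dst: sum(f[6] for f in frames if f[2] == dst) for dst in {f[2] for f in frames}}

def build_profile(history):
    """Normal-behavior profile from stored history: {key: (mean, population stdev)}; needs >= 2 samples."""
    return {k: (mean(v), pstdev(v)) for k, v in history.items() if len(v) >= 2}

def detect_anomalies(profile, current, z_threshold=3.0):
    """Flag keys more than z_threshold stdevs above their baseline; keys never seen before get z=None."""
    flagged = []
    for k, value in current.items():
        mu, sigma = profile.get(k, (None, None))
        if mu is None:
            flagged.append((k, value, None))  # no baseline at all: new destination this interval
            continue
        z = (value - mu) / sigma if sigma else (float("inf") if value > mu else 0.0)
        if z > z_threshold:
            flagged.append((k, value, round(z, 2)))
    return flagged
```

Running `detect_anomalies(build_profile(HISTORY), bytes_per_destination(FRAMES))` on the constructed data flags 10.0.1.9 (well above its baseline) and 10.0.0.5 (no baseline exists), the kind of flag a policy engine would act on.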
It should be noted that while the functionality above could be implemented in software (and often is, for low-speed network interfaces), for high-speed networks in the gigabit range and above, hardware acceleration is essential. In the same way that high-end graphics and gaming machines require video acceleration hardware, network appliances require analysis acceleration hardware so that the functionality above remains possible at extremely high speeds.
These analysis accelerators are similar to network interface cards (NICs) for communication, but differ in the fact that they are designed specifically for continuous monitoring and analysis of high-speed traffic at maximum capacity. For monitoring of a 10 Gbit/s bi-directional connection, this means processing of 30 million packets per second. Typically, a NIC is designed for processing of 5 million packets per second, as it is very rare that a communication session between two parties would require more than this amount of data.
In addition, analysis accelerators provide extensive functionality for offload of data pre-processing tasks from the analysis application. This ensures that as few CPU cycles as possible are used on banal data pre-processing, enabling more analysis processing to be performed.
But, you might ask, isn't the idea in NFV to virtualize these appliances? How can that be achieved and still ensure high performance at high speeds? These are questions we will address in the next installment.
— Dan Joe Barry, VP of Positioning and Chief Evangelist, Napatech