Virtualization Technology News and Information
Why Better Network Performance and Security Starts with Packet Capture

By Iain Kenney, cPacket Networks

As companies worldwide become ever more digital - global spending on digital transformation is expected to reach $1.8 trillion this year - they rely heavily on their underlying systems staying secure and performant. Yet the visibility needed to maintain those systems is easily overlooked, and any network downtime, whether caused by a performance or a security issue, is expensive: IHS Research has put the cost at up to $700 billion per year for North American organizations.

Packet capture is vital to both network performance and security; it follows from the old adage that you can't manage what you can't see. For it to succeed, however, packet capture must be high-quality, complete and granular. Unfortunately, as organizations migrate workloads to the cloud, where they lose direct access to the underlying network, all three of those properties become harder to achieve. Capturing packets in the cloud is complex even with the mirroring services the major cloud providers now offer.

But a combination of virtual packet brokers and newer features from the public cloud providers can deliver the needed visibility. This article discusses the issues and strategies for successful packet capture for network performance monitoring (NPM) and for security.

Packet Capture for NPM

Packets are the ultimate source of truth for managing network performance. They are used for everything from troubleshooting and baselining performance to planning upgrades or preparing for a cloud migration (and judging how that migration affects performance).

When diagnosing a problem, the critical concern is capturing all relevant packets; otherwise the IT team is working with a fraction of the data, and diagnosis becomes difficult if not impossible. A partial capture is little better than none, because a hole in a captured stream looks exactly like a network problem unless you know the capture path itself was lossless. As network speeds increase, comprehensive capture becomes harder: above 10G it requires TAPs, capture devices and packet brokers with hardware assistance to ensure no packets are dropped. A packet processing appliance relying on a general-purpose CPU alone cannot sustain 40Gbps or 100Gbps line rate, particularly under bursts, without adding latency or dropping packets.
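
The check a practitioner wants before trusting a capture is whether the holes in it are the capture's fault or the network's. The following is an added example, not code from the article or from cPacket: it audits one direction of a TCP stream, treating bytes the peer acknowledged but that never appear in the capture as capture drops, and bytes that appear twice as retransmissions (network loss, capture intact). The segments, the peer's highest ACK and the relative sequence numbering (starting at zero, no 32-bit wrap) are all constructed assumptions.

```python
"""Tell capture drops from wire loss in one direction of a captured TCP stream.

Added example, not from the article or cPacket. A hole in a TCP stream has two
very different explanations: the capture path dropped the segment (the receiver
got it, so the peer's ACKs advance past the hole), or the network lost it (the
sender retransmits, so the bytes show up again later). Assumes relative sequence
numbers starting at first_seq and no 32-bit wraparound.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int       # relative sequence number of the first payload byte
    length: int    # payload bytes in this segment


def merge(intervals):
    """Coalesce overlapping or adjacent [start, end) byte ranges."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def analyse_direction(segments, peer_max_ack, first_seq=0):
    """Audit one direction of a TCP stream as it appears in the capture.

    Returns a dict with:
      capture_drops:   byte ranges the peer acknowledged that never appear in
                       the capture (the capture path lost them, not the network)
      retransmissions: segments whose bytes had already been captured (the
                       network lost or delayed the first copy; capture is fine)
      complete:        True when no capture drops were found
    """
    seen = []
    retransmissions = []
    for seg in segments:
        start, end = seg.seq, seg.seq + seg.length
        if any(a < end and start < b for a, b in seen):
            retransmissions.append(seg)
        seen = merge(seen + [(start, end)])

    # Only holes below the peer's highest ACK count as capture drops: bytes
    # above it may simply not have been sent or acknowledged yet.
    capture_drops = []
    cursor = first_seq
    for a, b in seen:
        if cursor >= peer_max_ack:
            break
        if a > cursor:
            capture_drops.append((cursor, min(a, peer_max_ack)))
        cursor = max(cursor, b)
    if cursor < peer_max_ack:
        capture_drops.append((cursor, peer_max_ack))

    return {
        "capture_drops": capture_drops,
        "retransmissions": retransmissions,
        "complete": not capture_drops,
    }


# Constructed sample: seven 1000-byte segments in capture order. Bytes 2000-3000
# never appear although the peer ACKed up to 7000; the segment at 4000 appears
# twice (a genuine retransmission).
SAMPLE_SEGMENTS = [
    Segment(0, 1000), Segment(1000, 1000), Segment(3000, 1000), Segment(4000, 1000),
    Segment(5000, 1000), Segment(4000, 1000), Segment(6000, 1000),
]
SAMPLE_PEER_MAX_ACK = 7000   # highest ACK seen in the opposite direction

if __name__ == "__main__":
    report = analyse_direction(SAMPLE_SEGMENTS, SAMPLE_PEER_MAX_ACK)
    for lo, hi in report["capture_drops"]:
        print(f"capture drop: bytes {lo}-{hi} acknowledged by peer but never captured")
    for seg in report["retransmissions"]:
        print(f"retransmission at seq {seg.seq}: network loss, capture intact")
    print("capture complete" if report["complete"] else "capture incomplete")
```

In practice the segments come from a decoded PCAP and peer_max_ack from the ACK field of the opposite direction; a stream whose report shows capture drops should not be used as evidence in an SLA dispute, because the provider will rightly point out that the capture, not the network, lost the bytes.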

As companies embrace the public cloud, capturing packets becomes even more important. There is often an assumption that the network will always be available, which isn't necessarily the case even when it is designed around multiple availability zones or cloud providers. Networks work... and then they don't, and you need to diagnose the problem. If the issue is in the user's application or connection, packets help troubleshoot it as discussed above. If it is due to a provider error or outage, packet capture not only helps identify the source but provides the evidence needed to show the provider it is not meeting its SLA. Otherwise, troubleshooting can turn into an endless session of finger pointing.

Packet Capture for Security

Security is obviously a grave concern for organizations, and here too packet capture plays a vital role. In particular, retaining the packets leading up to an incident - the "last packet" before an attack - is crucial to understanding what happened, and it is this retained capture that makes forensics and investigation of an attack possible after the fact.

Because it's impossible to predict when an incident will occur, packet capture must be complete - covering every part of the cloud estate - and always on, so that no packets are missed or dropped. Just as importantly, comprehensive packet monitoring can act as an early warning, surfacing suspicious traffic that would otherwise fly under the radar: a sudden increase in traffic to or from ports frequented by malware, for instance, measured against a baseline of what that network normally carries.
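
The detection just described, as an added example that is not code from the article or from cPacket: per-port byte counts from the capture are bucketed into one-minute windows and the latest window is compared with the mean of the earlier ones. The flow records are constructed, port 4444 stands in for a port the SOC associates with malware tooling, and the window size, spike factor and minimum-volume floor are assumed tuning values. A port that has never carried traffic before has a zero baseline, which the code reports explicitly instead of dividing by it.

```python
"""Flag per-port traffic spikes against a rolling baseline.

Added example, not from the article or cPacket. The flow records below are
constructed (epoch seconds, destination port, bytes); in practice they would be
summarised from the capture or from the broker's flow export.
"""
from collections import defaultdict
from statistics import mean

# (timestamp_seconds, dst_port, bytes): constructed sample data
FLOWS = [
    # three quiet one-minute windows: steady HTTPS, a trickle of DNS
    (5, 443, 20_000), (20, 443, 30_000), (40, 53, 1_500),
    (65, 443, 25_000), (90, 443, 25_000), (100, 53, 2_500),
    (130, 443, 30_000), (150, 443, 20_000), (170, 53, 2_000),
    # current window: HTTPS normal, DNS volume jumps, brand-new port 4444
    (185, 443, 55_000), (190, 53, 30_000), (200, 4444, 12_000), (230, 4444, 28_000),
]


def bytes_per_window_and_port(flows, window_s):
    """Return {window_index: {dst_port: bytes}} for integer timestamps."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, port, nbytes in flows:
        buckets[ts // window_s][port] += nbytes
    return buckets


def port_spikes(flows, window_s=60, factor=5.0, min_bytes=10_000):
    """Compare the latest window against the mean of all earlier windows.

    Returns a list of (port, current_bytes, baseline_bytes, reason), sorted by
    port. A port with no history is reported separately: dividing by a zero
    baseline is the classic way such detectors either crash or go silent.
    min_bytes keeps tiny absolute volumes from alerting on ratio alone.
    """
    buckets = bytes_per_window_and_port(flows, window_s)
    if len(buckets) < 2:
        return []                       # nothing to baseline against yet
    *history, current = sorted(buckets)
    alerts = []
    for port, nbytes in sorted(buckets[current].items()):
        if nbytes < min_bytes:
            continue
        baseline = mean([buckets[w].get(port, 0) for w in history])
        if baseline == 0:
            alerts.append((port, nbytes, baseline, "no prior traffic on this port"))
        elif nbytes > factor * baseline:
            alerts.append((port, nbytes, baseline, f"{nbytes / baseline:.1f}x baseline"))
    return alerts


if __name__ == "__main__":
    for port, now, base, why in port_spikes(FLOWS):
        print(f"port {port}: {now} bytes this window vs baseline {base:.0f} ({why})")
```

Three history windows is far too short a baseline for production; real deployments compare against the same hour on previous days to avoid alerting on ordinary daily cycles, and keep a separate allow-list for ports expected to be bursty (backups, patching).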

Packet Capture and the Public Cloud

While visibility into both network performance and security is important, capturing packet data from the public cloud is a challenge. Cloud environments - public clouds in particular - can be notoriously opaque, making them effectively a "black box" for operations teams.

The public cloud providers recognize the problems caused by this lack of visibility and have taken different paths to solving them. AWS and Google Cloud take similar approaches, called VPC Traffic Mirroring (AWS) and Packet Mirroring (GCP). Simply stated, the mirroring service duplicates network traffic to and from the customer's instances and forwards the copies to cloud-native performance and security monitoring tools for assessment, and to capture devices for later analysis. This eliminates the need to deploy ad-hoc forwarding agents or sensors on every instance for every monitoring tool. One practical detail: AWS delivers the mirrored copies VXLAN-encapsulated (UDP port 4789), tagged with the session's virtual network ID, so whatever receives them must decapsulate before analysis.

With Azure, solving the visibility challenge requires what's known as "inline mode": the packet broker itself sits in the traffic path and monitors subnet ingress and egress, capturing, pre-processing and delivering packet data in real time to security, performance management, analytics, capture and other solutions. Because an inline broker is in the data path, its own capacity and availability become part of the network's, which is worth weighing when sizing it.

Traffic or packet mirroring on its own isn't sufficient, however; it simply provides access to raw packet data, the equivalent of a virtual TAP. That raw stream isn't ready to feed directly into monitoring and security tools. A virtual or cloud packet broker is needed for the pre-processing (decapsulating the mirror encapsulation, removing duplicate copies, filtering and slicing) that gets the right data to the right tools. Combining mirroring with a virtual packet broker also reduces cost: each source only has to be mirrored once, to the broker, rather than once per NPM or security tool.
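
Two of the pre-processing steps a broker performs on mirrored traffic, as an added example that is not code from the article, cPacket or AWS: stripping the VXLAN encapsulation to recover the customer's original frame, and suppressing the second copy of a packet that was mirrored from both the sending and the receiving interface. It assumes standard VXLAN over IPv4/UDP 4789, which is what AWS Traffic Mirroring emits; all frames are constructed in the script so it runs offline, and the addresses and ports in them are made up.

```python
"""Decapsulate VXLAN-encapsulated mirror traffic and drop duplicate copies.

Added example, not cPacket's or AWS's code. Assumes the mirror delivers
standard VXLAN over IPv4/UDP 4789 (AWS Traffic Mirroring does); the frames
below are constructed by hand so the script runs offline.
"""
import hashlib
import struct
from collections import OrderedDict

VXLAN_PORT = 4789


def ipv4_header(src, dst, proto, payload_len):
    # Minimal IPv4 header; checksum left zero (constructed sample, not validated).
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
        bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")),
    )


def build_inner_frame(payload):
    # The customer packet the cloud mirrored: Ethernet / IPv4 / TCP to port 443.
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x18, 65535, 0, 0)
    ip = ipv4_header("10.0.1.10", "10.0.1.25", 6, len(tcp) + len(payload))
    eth = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002") + b"\x08\x00"
    return eth + ip + tcp + payload


def build_mirrored_frame(vni, inner_frame, outer_src):
    # What arrives at the mirror target: Ethernet / IPv4 / UDP 4789 / VXLAN / inner frame.
    vxlan = struct.pack("!II", 0x08 << 24, vni << 8)   # I flag set, 24-bit VNI
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", 50000, VXLAN_PORT, udp_len, 0)
    ip = ipv4_header(outer_src, "10.0.9.9", 17, udp_len)
    eth = bytes.fromhex("020000000009") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip + udp + vxlan + inner_frame


def decapsulate(frame):
    """Return (vni, inner_frame) for a VXLAN-over-IPv4 frame, else None."""
    if len(frame) < 14 + 20 + 8 + 8 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                        # not UDP
        return None
    udp_off = 14 + ihl
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    if dport != VXLAN_PORT or ulen < 16:
        return None
    vx_off = udp_off + 8
    flags_word, vni_word = struct.unpack("!II", frame[vx_off:vx_off + 8])
    if not (flags_word >> 24) & 0x08:              # VNI-valid flag must be set
        return None
    # The UDP length, not the frame length, bounds the inner frame: trailing
    # Ethernet padding is not part of the mirrored packet.
    return vni_word >> 8, frame[vx_off + 8: udp_off + ulen]


class Deduplicator:
    """Suppress the second copy of a packet mirrored from both ends of a flow.

    Keys on a hash of the inner frame. Production brokers mask volatile fields
    (TTL, checksums) before hashing; this sample hashes the frame whole.
    """

    def __init__(self, window=4096):
        self.window = window
        self._seen = OrderedDict()

    def is_duplicate(self, inner):
        key = hashlib.sha256(inner).digest()
        if key in self._seen:
            return True
        self._seen[key] = None
        if len(self._seen) > self.window:
            self._seen.popitem(last=False)         # forget the oldest key
        return False


def process_mirrored(frames):
    """Broker pipeline: decapsulate, drop non-mirror frames, deduplicate.
    Returns the list of (vni, inner_frame) to hand to the tools."""
    dedup = Deduplicator()
    out = []
    for frame in frames:
        decapped = decapsulate(frame)
        if decapped is None:
            continue
        vni, inner = decapped
        if not dedup.is_duplicate(inner):
            out.append((vni, inner))
    return out


# Constructed sample: one customer packet mirrored from each ENI, plus a stray plain frame.
SAMPLE_INNER = build_inner_frame(b"GET / HTTP/1.1\r\n")
SAMPLE_STREAM = [
    build_mirrored_frame(1, SAMPLE_INNER, "10.0.1.10"),   # copy from the source ENI
    build_mirrored_frame(1, SAMPLE_INNER, "10.0.1.25"),   # same packet, destination ENI
    SAMPLE_INNER,                                          # not VXLAN: ignored
]

if __name__ == "__main__":
    for vni, inner in process_mirrored(SAMPLE_STREAM):
        dport = struct.unpack("!H", inner[36:38])[0]
        print(f"VNI {vni}: {len(inner)}-byte inner frame, TCP dport {dport}")
```

Everything a tool sees downstream of this step is the customer's packet, which is why analysis tools should be pointed at the broker's output rather than at the raw mirror target; a tool fed the raw stream would otherwise see every flow as UDP 4789 between two mirror endpoints.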

Once this comprehensive, quality packet data is available, capture devices can copy traffic from each packet broker and store it. As discussed above, this makes the packet data available for later forensic analysis by specialized security and NPM tools, letting IT and security operations (SecOps) teams investigate network issues or security threats in greater detail. That visibility and insight is critical to keeping today's digitally transformed organizations up and running.



Iain Kenney, Senior Director and Head of Product Management, cPacket Networks


Iain leads Product Management at cPacket Networks. His current role allows him to partner with the highly experienced engineering team at cPacket, based in San Jose and Portland, and the product management team to drive the product direction across cPacket's suite of industry-leading products. Iain holds a BSc (Hons) in Computer Science from Dundee University.

Published Friday, October 28, 2022 4:03 PM by David Marshall