Traffic Filtering: The ABCs of Network Visibility
2020-04-30 | 8 min read
Originally posted by Jeff Harris.
How do you find a needle in a haystack? In MythBusters Episode 23, Jamie and Adam each ended up destroying the hay in order to find the needle. But this is not an option for network and security administrators.
Monitoring and securing modern networks requires finding “the needle” without destroying the network, or even the network traffic. Very sophisticated and automated analytics tools make this possible. Specialized tools like:
- Network performance monitoring and diagnostics (NPMD)
- Application performance monitoring (APM)
- Next-generation firewalls (NGFW)
- Intrusion detection systems (IDS)
- Intrusion prevention systems (IPS)
It is simply not possible to manually monitor and secure our networks without these automated tools.
But these tools are expensive. How do we get the most from our monitoring and security investments?
This is when most companies start investigating the use of network packet brokers (NPB). Intelligent NPBs have a whole host of features, such as those listed below.
Traffic filtering and application filtering (traffic filtering by Layer 7 application) are features that directly help get more visibility and security from less monitoring and security tools capacity.
Purpose of Traffic Filtering
Seeing more with less. Securing more with less. Traffic filtering is all about delivering on these promises. Traffic filtering allows the user to define:
- Specific traffic I want to see excluding all other traffic (pass by criteria)
- Specific traffic I do not want to see accepting all other traffic (deny by criteria)
Each approach is designed to limit the amount of data sent to monitoring and security tools making the individual tools much more efficient. After all, it is easier to find a needle in half a haystack than in a whole haystack.
Traffic filtering allows us to reduce the amount of tool capacity needed. Or we can use the saved budget dollars to purchase additional tools that we might not have had the funds for otherwise.
In short, the purpose of filtering traffic for our monitoring and security tools is to:
- Make the tools operate more efficiently.
- Make optimal use of the tool capacity.
- Reduce our overall investment in individual tools sets.
- Allow us to purchase additional tools.
Typical Use Cases
Here are some real life use cases where traffic filtering is beneficial.
1. Reducing Security Tool Costs
The University of Texas at Austin recently deployed intelligent NPB’s in their network. Using Ixia’s application filtering, they were easily able to send some traffic, like student Netflix movies and streaming music around their IDSs. This simple step reduced the load on their security tools by 20-30% and delivered a 100% return on investment.
2. Improving Voice and Video Monitoring
Citrix unified communication services are a critical productivity application for many organizations. Monitoring quality of experience can require analyzing SIP based and PSTN originated call data. However, the VoIP call data and PSTN call data are analyzed on different tools. Traffic filtering easily sends only the relevant traffic to each tool for analysis.
3. Filtering Encrypted Traffic for Decryption
Although there are variations by platform and browser, most metrics show well over 50% of web traffic is encrypted. Unfortunately, this prevents monitoring and security tools from inspecting the traffic. So SSL decryption is required. With an intelligent NPB, companies can use application filtering to identify SSL traffic and send only this traffic to SSL decryption tools or internal SSL decryption capabilities. Here application filtering saves as much as 80% of the capacity of SSL decryption tools.
4. Expediting “On-the-Fly” Troubleshooting
Reducing trouble resolution times is a critical metric for IT organizations. Filtering traffic “on the fly” for forensics tools or built-in packet capture is an important troubleshooting feature on NPBs that helps significantly speed trouble isolation and reduce resolution times. In fact, customers have experienced as much as 80% reduction in troubleshooting times.
Considerations When Researching Network Packet Brokers
Traffic filtering can be one of the most complex operations performed on any NPB. So it is critical to know what to look for when evaluating these tools. Below are some important NPB traffic filtering selection criteria.
- Layer 7 Application Filtering – Being able to easily route application flows is critical for network visibility and security. Many NPBs only route traffic on Layer 2-4 protocols. Consider an NPB with intelligence that can classify and filter applications and even make RegEx filtering simple.
- Operational Ease of Use – Configuring traffic filters can be extremely complex. Consider a NPB that automates the entire traffic filtering process, which eliminates all that complexity. Do not get forced into a solution that requires your team to manually deal with the traffic filtering complexity.
- No Dropped Packets – Traffic filtering can be computationally difficult if not implemented well in an NPB. Consider only NPB’s that maintain the complete packet stream when filtering is enabled. An NPB should NEVER drop packets, not even when users are making multiple simultaneous traffic filtering changes to the NPB configuration.
- Simultaneous Usage – NPBs are typically used by multiple teams within an IT organization. Consider an NPB that supports simultaneous usage by multiple team members without causing any traffic filtering issues or configuration errors. Without this capability, teams can bump heads when emergencies arise.
Finding a Needle in a Haystack with Ixia
Finding a needle in a haystack is difficult. Network packet broker traffic filtering capabilities help monitoring and security tools do the job much more efficiently. But choose wisely. Not all traffic filtering capabilities on NPBs are the same.
Ixia’s entire series of blogs on visibility are available now in the e-book Visibility Architectures: The ABCs of Network Visibility.