IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING

Network Visibility Controllers: Best Practices for Mainstreaming Monitoring Fabrics
Report Summary
By Jim Frey
An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) Research
October 2013

Best Practices for Mainstreaming Monitoring Fabrics, an EMA Research Summary


DESCRIPTION

If your network uses any network monitoring or security tools, this research summary is a must-read. EMA analyst Jim Frey goes in depth about industry challenges around large-scale network monitoring, the primary value use cases (including the inline use case), and best practices.


Table of Contents

Executive Summary
Network Visibility Controllers – Definitions and Drivers
Setting the Stage: Deployments and Monitored Environments
    The In-line Use Case
    Inexorable Growth in Network Link Speeds
    Virtualization: A Major Challenge for Monitoring
    Diversity Thrives amongst NVC-Supported Tools
NVCs in Use: Primary Value Experiences
    NVC Packet Manipulation Feature Priorities
    NVC Architectural Feature Priorities
    NVC Administrative Feature Priorities
Changing Landscape: Alternative Approaches
    Standard Ethernet Switches as an NVC Alternative
    SDN/Soft Switches as an NVC Alternative
EMA Perspective

©2013 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com


Executive Summary

Packet inspection technologies for monitoring network activity and network security are not only here to stay, their use continues to expand. The scale and criticality of networked infrastructures within the enterprise is growing as well. Finally, the cost of management tools for maintaining vigilance and assuring reliable performance within IT is similarly growing apace. This perfect storm has led to a rapid evolution of a specialized product technology category that ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) analysts have defined as Network Visibility Controllers (NVCs). Also known as network monitoring switches or network packet brokers, NVCs have quickly established themselves as an essential building block for network and security packet monitoring fabrics, allowing flexibility and resilience along with significant cost savings for the race to monitor and secure modern enterprise networks. This EMA research report investigates current uses of NVCs, the influence of the changing monitored environment, and the best practices experiences of organizations large and small who have embraced this technology.

Network Visibility Controllers – Definitions and Drivers

Networks, systems, applications, data centers – all of these keep growing in number, scale, and complexity. Keeping on top of it and securing it all represents an ongoing battle for IT operations and security professionals. A key set of management tools that have arisen to help organizations gain and maintain the upper hand function by analyzing streams of packets pulled from the network. Some of these are used to understand application and user behavior, performance, and capacity utilization. Others are looking for threats and anomalous behavioral signatures. And more uses will likely be found in the future. What these products share is the need for access to a continuous stream of packets from the network for analysis. And herein lies the problem – how many monitoring systems can effectively be deployed to look at what is oftentimes the same stream of network packets?

This is where network visibility controllers, or NVCs, come in. NVCs are an evolution of simple tools that were historically used to facilitate access to packet streams on behalf of monitoring and analysis tools. Originally, tools would be attached to the network by use of a tap or by a SPAN (a.k.a. port mirroring) session from a network device, such as a router or switch. But these connection points typically could not be shared, so you had to have one for each of your management and monitoring tools. This doesn’t work well for SPAN, because only two SPAN sessions can be supported by any individual network switch. Further, each tap point represents a potential break in the wire, and some organizations have strict limitations on such access points. A better plan is to take a single stream of packets and share it with multiple consuming analysis tools. NVCs were born out of this need, designed to support flexible configuration of packet stream inputs and outputs, with the goal of improving efficiency, reliability, and cost effectiveness of packet-based network and security monitoring tools deployments.

EMA has chosen to use the term network visibility controller to represent this class of products. There have been a number of other names used to describe the technology, including network monitoring switch, network packet broker, matrix switch, aggregation switch, data access switch, and distributed filter tap. While no name is likely going to be perfect, EMA believes that network visibility controller represents the best active description of the role that these products play in providing control over visibility systems. And with the fact that many such products offer programmable, automated actions, they have clear potential to go beyond the static concept of taps and aggregation to achieve a true controller-like level of capability.

NVCs play a central role as a building block of packet monitoring fabrics, providing engineering and operations professionals with a means for establishing and controlling visibility and supporting operations monitoring, troubleshooting, and security. They have also proven to be an important means for managing growth in the cost of monitoring and analysis tools, by extending the life of low-speed monitoring tools even though higher-speed network links are being deployed and require monitoring.

The technology vendor-supplier community offering NVCs has been healthy and growing quickly over the past several years. Vendor suppliers such as Gigamon, APCON, VSS Monitoring, Net Optics, Ixia, NetScout, cPacket, and more have been rapidly developing and advancing solutions to meet the burgeoning need. There have been a number of acquisitions amongst the community, brand-new product launches within the past year, such as the Matrix offering from Network Instruments, as well as emerging competitive/alternative approaches. Traditional Ethernet switch vendors, such as Arista, and soft switch vendors, such as Big Switch, have been adding functionality to provide some level of capabilities similar to NVCs at much lower cost points.

This EMA research report has been designed specifically to study the current state and usage of network visibility controllers, as well as the priorities and experiences with various architectural and feature capabilities. The intention of the research is to identify best practices and provide guidance to organizations seeking to understand the functions of NVC products and to set priorities as part of selection, deployment, and ongoing use.

Setting the Stage: Deployments and Monitored Environments

Our first research objective was to build an understanding of the ways in which NVCs are being used. We asked our participants a number of questions designed to help us recognize both where NVCs were being deployed as well as the environment for which they are intended to facilitate monitoring. Firstly, we asked our respondents where they had deployed network visibility controllers, from a topological perspective. Results of their responses are shown below in Figure 1, indicating both current deployments as well as additional deployments planned over the coming 12 months.

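Where has your organization deployed Network Visibility Controllers (NVCs)?

Data center core network: 61% current, 40% planned in 12 months
Top of Rack: 37% current, 29% planned in 12 months
Data center Edge (ingress/egress): 37% current, 37% planned in 12 months
Campus backbone: 32% current, 28% planned in 12 months
Remote sites: 29% current, 36% planned in 12 months
DMZ: 27% current, 23% planned in 12 months
End of Row: 22% current, 25% planned in 12 months
Backhaul links: 20% current, 23% planned in 12 months
Other (Please specify): 2% current, 3% planned in 12 months

Figure 1. Current and planned deployments of network visibility controllers.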


Clearly the most common use case for NVC deployment is within the datacenter core network, particularly from a current use perspective. But beyond that, NVCs are finding use in a wide variety of other locations around the network. On average, our respondents indicated three different locations where they had deployed NVCs. Many of these locations are within the data center, but others are distributed throughout the campus and even at remote sites.

The In-line Use Case

Historically, network and security monitoring and analysis tools have been deployed in a passive, out-of-band manner, so that packet-based monitoring activity would have no direct impact on production network capacity or integrity. The use of active, in-line technologies on the security side changed that – for example, in the case of intrusion prevention systems. Firewalls are another type of true in-line security technology, though no one would characterize firewalls as a monitoring/analysis solution. NVCs have, for most of their history, been deployed out-of-band in the operations use case, simply facilitating efficient and effective use of packet streams for multiple monitoring and analysis purposes. Test environments, on the other hand, typically use a mix of in-line and out-of-band approaches, depending on the objectives and test network architecture. EMA sought to understand, at a high level, how predominant the in-line use case is within today’s enterprise, as shown below by EMA research results in Figure 2.

Are NVCs deployed in-line anywhere within your organization's network?

Yes - we currently have deployed in-line: 40%
No, but we are planning to do so: 50%
No, and are not planning to do so: 10%

Figure 2. Are NVCs deployed in-line anywhere within your organization’s network?

The responses to this question are most intriguing, as 90% of respondents indicated active or planned in-line deployments. It should be pointed out that NVCs are, in terms of core architecture, packet switches. Consequently, NVCs are perfectly capable of functioning in an in-line mode. Besides common in-line uses in test environments, EMA is also aware of production network in-line use cases where NVCs are used to load balance multiple security devices, such as IPSs. Unfortunately, we did not include follow-on questions as part of this research to determine precisely the frequency and specific use case associated with these deployments – this will be a subject for ongoing research by EMA.

Inexorable Growth in Network Link Speeds

Growing network link speeds oftentimes drive the use of and interest in NVCs. Faster networks regularly result in conditions that surpass either the technical capacity of existing monitoring tools or the organization’s ability to afford higher-capacity tool upgrades. We asked our respondents how they expected link speeds to change from today and looking ahead, to help quantify this effect. Within our research, we asked about current versus planned maximum network speeds in data center core and distribution networks. Results from the two questions (data center core versus distribution) aligned quite well, as can be seen below in Figure 3.


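What are the maximum link speeds within your organization's networks?

Datacenter / Core
100M: 10% current, 4% planned in 12 months
1G: 20% current, 7% planned in 12 months
10G: 39% current, 28% planned in 12 months
40G: 23% current, 29% planned in 12 months
100G: 8% current, 32% planned in 12 months

Distribution
100M: 14% current, 6% planned in 12 months
1G: 21% current, 13% planned in 12 months
10G: 37% current, 27% planned in 12 months
40G: 22% current, 27% planned in 12 months
100G: 6% current, 28% planned in 12 months

Figure 3. Maximum networking link speeds in data center core networks and distribution networks.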

Current network link speeds, not surprisingly, show slightly higher speeds in the data center core than in distribution networks, but not hugely so. What was surprising was that our respondents indicated, in large numbers, that 40G and 100G Ethernet are coming in the immediate future. The fact that one third of respondents expect that 100G will be present in their networks within the next 12 months is a wake-up call for monitoring tools vendors and NVC product suppliers alike. As of the publication date of this report, there are no network or security monitoring tools that can support 100G directly, and precious few that can support 40G.

Virtualization: A Major Challenge for Monitoring

One of the major recent IT trends – the amazingly rapid growth of virtualized computing infrastructure – is creating new challenges for network and security managers. Server virtualization brought along with it a new wave of network virtualization, which in turn created pockets of blindness. With server virtualization allowing multiple VMs to reside on a single physical host, VM-to-VM communications can take place purely across a hypervisor virtual network switch, never traversing a physical network link. Monitoring fabrics, and hence the role of NVCs, must embrace and accommodate this new barrier if they are to provide necessary levels of visibility.

EMA has been closely watching the impact that these new architectures have been having on network management tools, technologies, and practices for over five years. For this study, we wanted to understand the way in which virtualization was changing the landscape for packet-based monitoring, and so we asked a number of questions around this topic. First, we wanted to understand which types of virtualization technologies were currently deployed within our respondents’ environments. Shown below in Figure 4 is an accounting of such technologies in use today.


Which of the following virtualized infrastructure technologies are present in your organization's managed environment?

Virtualized Computing: 63%
VLAN: 63%
Virtualized Storage: 62%
Other tunneling protocols (i.e. GRE, PPP, L2TP, SSH): 38%
Virtual overlay network encapsulations (i.e. NVGRE, VXLAN): 29%
Virtual “underlay” networks (i.e. OpenFlow/SDN): 20%
None of the above: 2%

Figure 4. Virtualization infrastructure technologies in production within respondents’ managed environments.

EMA analysts were a bit surprised that virtualized computing did not receive a higher response rate than it did; however, it is present within a majority of organizations we surveyed. VLANs, while not directly related to infrastructure virtualization, are also quite frequently in place. And virtualized storage, which again is not a new phenomenon, was essentially equally present. Both VLAN and virtualized storage have new importance and new directions to be charted as part of emerging software-defined architectures.

The initial manifestations of more advanced, multi-location and multi-server virtual networking were tested in the latter three response categories shown above. A significant percentage, 38%, indicated the use of at least some tunneling protocols. Of those responses, larger organizations were the most likely to be using tunneling (53%) versus medium-sized organizations (37%) or smaller organizations (25%). Without deeper details available, EMA speculates that the vast majority of this will be SSH. Virtual overlay networks were a bit less common, at 29% overall; however, they also showed surprising frequency given the relatively recent rise of such technologies. And the most disruptive of all, virtual underlay networks using technologies such as OpenFlow, showed up only in one out of every five shops surveyed.

So how do organizations accommodate these virtualized environments? The vast majority have changed their monitoring approaches. EMA research indicated that 89% are seeing an impact, with 49% having deployed new monitoring products or configurations and another 40% indicating such deployments had not yet been made but were indeed needed. We dug further to assess which choices and adaptations were being made to accommodate virtualization, and results are shown in Figure 5.


Which of the following approaches is your organization using or considering for adding packet monitoring to virtualized environments?

Packet analysis tools deployed on VMs for intra-host visibility: 65%
SPAN/Port Mirroring from virtual switches: 55%
Virtual taps: 53%
Header stripping for overlay encapsulations: 33%
Other (Please specify): 1%

Figure 5. Approaches used or considered for adding packet monitoring to virtualized environments.

The slight majority favored the use of packet analysis tools deployed directly within the virtualized compute environment, on virtual machines. By connecting to the virtual switch in promiscuous mode, analysis tools can establish intra-host visibility and complete the analysis locally. The downside of this approach is the compute intensity associated with packet analysis – for instance, some vendors offering such deployment options require dedication of a CPU core for VM-based analysis tools. This deployment scenario obviates the need for NVCs, as analysis is done locally. But it also presents a serious scale challenge. How many such VM-based devices must be deployed to properly monitor a heavily virtualized datacenter? And can this approach still work when three or four different packet-based network and security monitoring technologies need to be deployed in parallel?

An alternative to this is the use of virtual taps – another popular option amongst our respondents, also receiving majority acknowledgment. Some virtual taps are deployed inside the virtualization host and attached to the virtual switch in promiscuous mode as a VM, although there are alternatives in the market that connect directly to the hypervisor kernel. In either case, the virtual tap grabs a copy of packets going across the virtual switch or switches and pipes that out to a physical NIC, to be received by an external NVC or analysis system.

The use of SPAN/port mirroring from virtual switches also received significant favor. SPAN, RSPAN, and ERSPAN are now features available in VMware’s virtual switches as well as Cisco virtual switches, and represent perhaps the most logical extension of techniques typically used in the physical world to the virtual world. What remains to be seen is whether or not virtual switch SPAN can keep pace with the dynamic nature of a virtualized environment and/or the rising volumes of virtual switch traffic. In other words, virtual switch SPAN may end up suffering from the same architectural limitations as SPAN from a physical switch.

Finally, header stripping to peer inside overlay network encapsulations is another technique that is being given some attention amongst our respondents. While only a third indicated using such approaches, that percentage lines up closely with those who indicated that encapsulations were present within their environment in the first place (see prior question). Header stripping also happens to be a feature of NVCs, and was further evaluated as part of feature priority questions later in this research.


Diversity Thrives amongst NVC-Supported Tools

Besides recognizing the environmental factors in which NVCs were being deployed, we were also interested to understand what is on the other side of those NVCs. The more tools being deployed, the more value NVCs can deliver as a means for leveraging a common set of packet streams for multiple purposes. We asked our respondents what tools they had attached to their NVCs and the responses are shown below in Figure 6.

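What types of tools does your organization have attached to its NVCs?

Network Performance Monitor: 56% current, 38% planned in 12 months
Data Loss Prevention: 53% current, 29% planned in 12 months
Intrusion Detection / Prevention: 51% current, 34% planned in 12 months
Troubleshooting / Packet Analyzers (e.g. packet “sniffers”): 47% current, 27% planned in 12 months
Compliance Monitor: 38% current, 30% planned in 12 months
Data / Packet Recorder: 37% current, 32% planned in 12 months
Application Performance Monitor: 35% current, 34% planned in 12 months
VoIP / UC / Video Analyzer: 29% current, 36% planned in 12 months
Other (Please specify): 1% current, 2% planned in 12 months

Figure 6. Monitoring and analysis tools attached to NVCs.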

Quite clearly, there are several types of tools that are the most commonly deployed behind NVCs. From a network monitoring perspective, network performance monitors and troubleshooting/packet analyzers are the most common. From a security monitoring perspective, DLP and IDS/IPS are most common. But even in those cases, only a simple majority of deployments are using such tools, and the story here is the diversity rather than the concentration and commonality. On average, respondents have deployed three types of tools, a measure which has steadily grown as EMA has sampled such usage over the past several years.

Also interesting here are the responses indicating planned tool deployments in the coming 12 months. All types of tools we asked about are seeing essentially similar levels of planned deployments, each by roughly 1/3 of respondents. The only tool type that received more planned deployment attention than current deployment cases is for VoIP/UC/Video analysis. EMA attributes this interest to the fact that such technologies are continuing to grow in ubiquity and scale and are demanding greater attention from a specialized monitoring and troubleshooting perspective.


NVCs in Use: Primary Value Experiences

A recurring question that arises during EMA’s dialogue with network practitioners and network management technology vendors is which features offered by NVCs are really important? Competing NVC vendors offer a long list of capabilities and solution attributes, but which ones really make the difference in real-world deployments? Which ones were critical and which ones were “nice to have?” Our research into these questions leads to this section of results, where we examine the priority for capabilities from a features, architecture, and administrative perspective.

NVC Packet Manipulation Feature Priorities

The primary purpose of an NVC is to gather streams of packets and redistribute them to multiple tools. But in order to improve the efficiency of those tools and the flexibility of that distribution, all NVCs offer a number of specific features for manipulating the packet streams. EMA asked our research respondents about the relative importance of these feature sets based on their demands and uses of NVCs within their organizations. A high-level summary of those results is shown below in Figure 7, with responses separated between technical/staff participants versus those who hold executive roles.

Which of the following NVC packet manipulation features are important for your organization?
(3 = Critical, 2 = Helpful, 1 = Not Important)

Load balancing across multiple tools: 2.56 executive, 2.43 staff
Inbound Filtering: 2.49 executive, 2.40 staff
Outbound Filtering: 2.34 executive, 2.33 staff
Decryption: 2.31 executive, 2.32 staff
Time stamping: 2.27 executive, 2.22 staff
Tunneling: 2.23 executive, 2.32 staff
Port labeling: 2.21 executive, 2.20 staff
Masking: 2.18 executive, 2.14 staff
De-duplication: 2.17 executive, 2.14 staff
IPv6 support: 2.10 executive, 2.14 staff
Header stripping (de-encapsulation): 2.09 executive, 2.11 staff
Media conversion (i.e. 10G to 1G): 2.07 executive, 2.05 staff
Packet slicing: 2.07 executive, 2.06 staff

Figure 7. NVC packet manipulation features importance by role.


Close behind load balancing are filtering techniques, collectively considered the next most critical capabilities. What may be subtle is the difference between inbound vs. outbound filtering. In most cases, these filters can be quite similar from a technology perspective; however, what is important is the way in which they are applied. Inbound filters will change the format and content of the packet stream before any monitoring tool is provided a copy, whereas outbound filters are applied on a tool-by-tool basis. For organizations wishing to keep a complete and unfiltered set of packets for at least some monitoring purposes, inbound filtering would not be appropriate. But for more leveraged approaches (and typically non-security uses), inbound filtering can and does make sense.
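The inbound/outbound distinction above, together with load balancing across a group of identical tools, can be sketched as a small Python model. This is an added example, not part of the EMA report or any vendor's product; the class names, the constructed sample packets, and the direction-independent CRC32 flow hash are assumptions made for illustration.

```python
import zlib
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto")

# Constructed sample traffic (not captured data): one HTTPS conversation in both
# directions, one SIP packet, one rsync backup conversation, one DNS query.
SAMPLE = [
    Packet("10.0.0.5", 49152, "192.0.2.10", 443, "tcp"),
    Packet("192.0.2.10", 443, "10.0.0.5", 49152, "tcp"),
    Packet("10.0.0.6", 5060, "10.0.0.7", 5060, "udp"),
    Packet("10.0.0.8", 40000, "10.0.0.9", 873, "tcp"),
    Packet("10.0.0.9", 873, "10.0.0.8", 40000, "tcp"),
    Packet("10.0.0.5", 53000, "10.0.0.53", 53, "udp"),
]


def is_backup(p):
    return p.proto == "tcp" and 873 in (p.sport, p.dport)


def is_sip(p):
    return p.proto == "udp" and 5060 in (p.sport, p.dport)


def no_backup(p):
    """Filter predicate: True means the packet is passed on."""
    return not is_backup(p)


def flow_key(p):
    """Direction-independent key, so both halves of a conversation hash alike."""
    a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return "{}|{}:{}|{}:{}".format(p.proto, a[0], a[1], b[0], b[1]).encode()


class ToolGroup:
    """One logical output: an optional outbound filter and one or more tools."""

    def __init__(self, name, members, outbound_filter=None):
        self.name = name
        self.outbound_filter = outbound_filter or (lambda p: True)
        self.order = list(members)
        self.received = {m: [] for m in self.order}

    def deliver(self, p):
        # Outbound filter: affects this tool group only.
        if not self.outbound_filter(p):
            return None
        # Load balance by flow hash so one tool sees the whole conversation.
        member = self.order[zlib.crc32(flow_key(p)) % len(self.order)]
        self.received[member].append(p)
        return member

    def count(self):
        return sum(len(pkts) for pkts in self.received.values())


class VisibilityController:
    """Hypothetical NVC: inbound filter first, then a copy to every tool group."""

    def __init__(self, inbound_filter=None):
        self.inbound_filter = inbound_filter or (lambda p: True)
        self.groups = []

    def attach(self, group):
        self.groups.append(group)
        return group

    def ingest(self, packets):
        for p in packets:
            # Inbound filter: a dropped packet is lost to every attached tool.
            if not self.inbound_filter(p):
                continue
            for g in self.groups:
                g.deliver(p)


def build_fabric(inbound_filter=None, ids_filter=None):
    """Wire a recorder, a two-member IDS group and a VoIP analyzer, feed SAMPLE."""
    nvc = VisibilityController(inbound_filter)
    recorder = nvc.attach(ToolGroup("recorder", ["rec-1"]))
    ids = nvc.attach(ToolGroup("ids", ["ids-1", "ids-2"], ids_filter))
    voip = nvc.attach(ToolGroup("voip", ["voip-1"], is_sip))
    nvc.ingest(SAMPLE)
    return recorder, ids, voip


if __name__ == "__main__":
    for label, kwargs in (("inbound filter", {"inbound_filter": no_backup}),
                          ("outbound filter on IDS only", {"ids_filter": no_backup})):
        groups = build_fabric(**kwargs)
        print(label, {g.name: g.count() for g in groups})
```

With the backup traffic dropped inbound, the packet recorder loses it as well; applied as an outbound filter on the IDS group alone, the recorder keeps the complete stream while the IDS members are still spared the backup load.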

There is a slight but clear difference of opinion between executives and staff when it comes to tunneling features. Tunneling is used to encapsulate a copy of packets and move that copy of packet streams across the network to a remote location for analysis. This is not a sustained monitoring use case; rather, it is one that would most likely be used during remote troubleshooting activities. As a result, such capability is more highly prized by staff, and likely less understood or valued by executives.

Among the additional types of manipulations reviewed here, many tend to be valued slightly more by some organizations and parties than others. For instance, when we looked at the responses to this particular question by industry vertical, we found clear variations in the priority order. Shown below in Figure 8 are the top four features by industry vertical.

Financials
1. Inbound Filtering
2. Load Balancing
3. Outbound Filtering
4. Time Stamping

Manufacturing
1. Load Balancing
2. Outbound Filtering
3. De-duplication / Tunneling

Healthcare/Pharma
1. Load Balancing
2. Inbound Filtering
3. Packet Slicing / IPv6 / Port Labeling / Decryption / Outbound Filtering

All Others
1. Load Balancing
2. Inbound Filtering
3. Decryption
4. Tunneling

Figure 8. Packet manipulation feature priorities by industry vertical.

While load balancing and filtering still come out on top in every vertical, the order can vary slightly, and what comes after that gets more interesting. For instance, time stamping makes the top four within the financial vertical, but not in any others. Time stamping is used within financials, in particular within trading environments, for monitoring and troubleshooting financial transactions down to an immensely fine level of accuracy.

The healthcare sector also valued load balancing and filtering, but listed five other features evenly tied for third most important. Among those ranked third is decryption, perhaps reflecting a more predominant presence of encrypted data due to healthcare privacy regulations.

Once again, the manufacturing sector most highly values load balancing and filtering (outbound in this case), but then prizes de-duplication and tunneling equally as third most important. This may reflect the fact that manufacturing organizations are often broadly distributed, geographically, with relatively light IT support in remote locations, driving the need for more effective remote troubleshooting practices.


NVC Architectural Feature Priorities

Choices among NVC solutions are not restricted purely to packet manipulation features. Also of great importance are underlying architectural features of the products. EMA sampled the importance of several architectural choices and attributes of NVC solutions and the responses gathered are shown below in Figure 9, presented again by organizational role.

Which of the following NVC architectural features are important for your organization?
(3 = Critical, 2 = Helpful, 1 = Not Important)

High availability / fault tolerance: 2.52 executive, 2.51 staff
Event-triggered automated actions: 2.47 executive, 2.26 staff
Onboard data storage: 2.46 executive, 2.25 staff
Data-triggered automated actions: 2.40 executive, 2.30 staff
Direct / embedded performance monitoring: 2.34 executive, 2.33 staff
RSPAN / remote access: 2.26 executive, 2.20 staff
NEBS compliance: 2.16 executive, 2.12 staff

Figure 9. NVC architectural feature importance by role.

As with the packet manipulation feature responses, the first thing to note is that all of the architecture feature choices are considered “helpful” at the very least. Without question, high availability and fault tolerance received the highest acknowledgment of value from an architectural perspective. Both executives as well as line staff agreed on this point. The next four most common responses all came in closely together in terms of the overall average response; however, there were differences based on organizational role. Staff practitioners valued direct/embedded performance monitoring next most highly, followed by data triggered automated actions. But executives felt that event triggered automated actions and onboard storage were the next two most important architectural features. This lack of alignment should be understood and embraced by organizations considering NVC solutions.


NVC Administrative Feature Priorities

Finally, it is important to consider systemic and administrative features as part of any NVC solution. Our respondents indicated how critical they perceive three such feature sets to be, as shown in Figure 10, with results presented by vertical group. There are a number of interesting conclusions to be drawn from this particular set of responses. First, both “integration with other management tools” and “multi-device management from a single console” were perceived as stronger priorities than the third choice, “graphical/drag and drop configuration.” As with the other two sets of feature tests, all of these features are considered at least helpful.

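Which of the following NVC administrative features are important for your organization?
(3 = Critical, 2 = Helpful, 1 = Not Important)

Finance/Banking/Insurance: Integration with other management tools/systems 2.58, Multi-device management from single console 2.53, Graphical / drag & drop configuration 2.19
Healthcare/Medical/Pharmaceutical: Integration with other management tools/systems 2.44, Multi-device management from single console 2.67, Graphical / drag & drop configuration 2.17
Manufacturing - All other: Integration with other management tools/systems 2.48, Multi-device management from single console 2.41, Graphical / drag & drop configuration 2.10
All Other: Integration with other management tools/systems 2.51, Multi-device management from single console 2.52, Graphical / drag & drop configuration 2.24

Figure 10. NVC administrative feature priorities by vertical.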

The purpose of considering these results by vertical is to highlight the relative differences in priorities between the subgroups. For instance, participants from the healthcare/pharmaceutical vertical showed a much stronger affinity for multi-device management from a single console over other choices. Those in financial services, by contrast, placed the highest value upon integration with other management systems. Manufacturing organizations indicated below-average priority for both integration and multi-device management, while still exhibiting the same general order of importance as peers. And all other verticals essentially viewed integration and multi-device management as equally important.


Changing Landscape: Alternative Approaches

The last area of investigation within this research project involved recognizing the changing landscape of NVC solutions. In particular, NVCs themselves have mostly sprung from independent packet access technology providers as advanced, high value-add solutions, and today’s high-end NVC products could not be described as low-cost. Nor, in many cases, could they be described as highly flexible. While these characterizations have been changing over time, the relatively high cost and rigidity of NVC solutions has given rise to interest in alternative approaches for gathering and distributing packet streams for monitoring and analysis. EMA chose to investigate two alternative technologies that are finding interest among networking and security professionals.

Standard Ethernet Switches as an NVC Alternative

The first alternative of interest is the use of traditional, production Ethernet switches as a means for delivering NVC-like capabilities. NVCs are, after all, highly specialized Ethernet switches. As EMA has tracked the use and deployment of NVCs over the past several years, we have often run into cases where NVC products were deployed as a replacement for prior implementations of monitoring fabrics using traditional Ethernet switch products. For instance, more than one case study revealed that organizations had deployed old, end-of-life Cisco Catalyst switches for such purposes, but found the administration too onerous and/or the lack of support risk too great to continue with such a strategy. More recently, Arista Networks has introduced specialized features (under the feature name DANZ) for their own Ethernet switch products to deliver NVC-like capabilities, and has aggressively marketed the solution as a low-cost alternative.

EMA sought to understand whether or not traditional Ethernet switches were perceived as a true alternative to NVCs. Shown in Figure 11 are responses from EMA research participants when asked their opinion.

Within your organization, what is the general consensus on using Ethernet switch products for NVC purposes?

Valid alternative to NVC: 31%
Complementary to NVC: 46%
Not relevant to NVC function/role: 8%
Don’t know enough to decide: 14%

Figure 11. Opinions regarding use of Ethernet switch products for NVC purposes.

While a small percentage of our respondents had not yet studied this in detail, the vast majority, 77%, see Ethernet switch products as either an alternative to NVCs or as complementary to NVCs. Fewer than a third at this point in time perceive them to be a true, valid alternative. Interestingly, our three largest verticals among participants (financials, healthcare, and manufacturing) all indicated that they were much less likely than average to consider Ethernet switches to be a viable alternative to NVCs. Further, those who indicated they have deployed or were planning to deploy NVCs in-line were 5X more likely to consider Ethernet switches to be a valid alternative.


SDN/Soft Switches as an NVC Alternative

Similarly, it is conceivable that the new class of virtual software switches emerging in part as a portion of the SDN (Software Defined Network) movement can be configured and deployed to accomplish much the same ends as an NVC. OpenFlow-based switches are able to take instructions for establishing paths and forwarding packets to specific destinations on a programmatic basis, opening the possibility for monitoring fabrics that adapt to the changing nature of a software defined network. While the potential for packet manipulation capabilities is somewhat limited today, that could change in the future as soft switch vendors implement features that parallel the likes of Arista’s DANZ. We asked our respondents about their consensus on the use of these emerging products as NVC alternatives, and their responses are shown in Figure 12 below.

Within your organization, what is the general consensus on using SDN / OpenFlow / Softswitch products for NVC purposes?

Valid alternative to NVC: 27%
Complementary to NVC: 38%
Not relevant to NVC function/role: 8%
Don’t know enough to decide: 26%

Figure 12. Opinions on using SDN/OpenFlow/Soft switch products for NVC purposes.

The pattern of these responses is quite similar to the pattern observed when this question was asked regarding traditional Ethernet switching; however, a much larger slice of our respondents does not currently have enough information to make a clear decision. That said, 65% see these products as either an alternative to or complementary to NVCs. Those working in financial organizations were 30% more likely to view these as valid alternatives to NVCs, but those working in healthcare were 60% less likely to view them as alternatives. Finally, organizations that had deployed or planned to deploy NVCs in-line were 6X more likely to consider soft switches to be complementary to NVCs than those who had no in-line deployment intentions.

EMA Perspective

There is no shortage of challenges in establishing complete visibility as well as accurate, lossless access to sources of packet streams for network and security monitoring and analysis. Network visibility controllers are clearly filling an important role as building blocks of packet monitoring visibility fabrics in organizations of all sizes. Given NVCs’ ability to improve tool efficiency and moderate tool costs, combined with unending growth in the volume of packets crossing enterprise and service provider networks, there appear to be no near-term limits to the demand for these products.

Our research into the ways that NVCs are used and the values that they deliver to organizations deploying packet-monitoring fabrics has revealed a number of important indicators and best practices. From a packet manipulation feature perspective, organizations are getting the most value by using NVCs to load balance and distribute packet monitoring and analysis across multiple tools. Inbound and outbound filtering are also delivering real value and are the next most valued set of features. Additional feature capabilities such as time stamping, tunneling, decryption, and others tend to be favored based on an organization’s industry vertical or specific needs. From an architectural perspective, high availability and fault tolerance are the most highly prized capabilities within an NVC solution, followed by automatically triggered actions generated based on observed events or data. Onboard data storage features are of particular interest to smaller organizations, and staff/technical practitioners see relatively greater value in embedded performance monitoring features.

While the growth in deployments and the use of true NVC products continues at an impressive pace, an emerging category of alternative solutions is getting significant attention. More specifically, a majority of organizations surveyed in this research considered traditional Ethernet switches to be either an alternative to or complementary to traditional NVCs. Similarly, there was great interest in SDN/OpenFlow/Soft switch products as alternatives or complements to NVCs. Both categories of alternative products will likely be a part of the mix as packet-based monitoring fabrics are designed and deployed going forward.

The world-wide demand for packet-based network and security analysis and monitoring products continues to grow, despite challenges presented by growing network speeds, increasing traffic volumes, and dynamic, virtualized architectures. As long as that is the case, demand for NVCs and/or alternatives to NVCs will continue unabated. EMA intends to maintain coverage of this fast-changing, highly competitive, dynamic sector as an essential aspect of the network and security management tools, technologies, and best practices landscape.


About Enterprise Management Associates, Inc.

Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help its clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise line of business users, IT professionals and IT vendors at www.enterprisemanagement.com or blogs.enterprisemanagement.com. You can also follow EMA on Twitter or Facebook.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and “Enterprise Management Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries.

©2013 Enterprise Management Associates, Inc. All Rights Reserved. EMA™, ENTERPRISE MANAGEMENT ASSOCIATES®, and the mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.

Corporate Headquarters: 1995 North 57th Court, Suite 120 Boulder, CO 80301 Phone: +1 303.543.9500 Fax: +1 303.543.7687 www.enterprisemanagement.com 2760-VSS_SUMMARY.123013