For many years enterprises and service providers have implemented network visibility architectures in their on-premises environments.
The goal of network visibility was, and still is, to gather copies of network data such as packets, as well as network-derived metadata such as flows, and then deliver them to security and performance monitoring tools where the data can be stored, searched, analyzed, and reported on for use cases including threat hunting, incident response, application performance monitoring, and more.
The first building block of network visibility was using the switch mirror port, or network tap device, to gather copies of packets from a single network link.
But for large environments with many network links of increasing speeds, and many different tools needing access to the data, the simple mirror or tap wasn’t enough and didn’t scale.
So, the next building block became the network packet broker appliance. It could gather data from many links of varying speeds, optimize the data feed using techniques such as de-duplication, decryption, filtering, and load balancing, and replicate the traffic to different tools.
When organizations started moving their workloads to the cloud, they faced a challenge.
The traditional network methods used to mirror or tap packets didn’t yet exist. They had to rely on other data sources such as logs, which, while useful, didn’t provide the level of detail that network data does.
More recently, cloud providers, such as Google Cloud (GCP), have introduced packet mirroring services.
At a high level, you can think of these packet mirror services as similar to their physical mirror/tap counterparts.
They do a good job at straightforward network visibility needs, such as forwarding packets from particular hosts to a tool. But for broader and more complex network visibility requirements, packet mirror services can be complemented by data brokering services.
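As an added illustration of the "forward packets from particular hosts to a tool" case, and not code from the article or from Keysight, the following Terraform configuration declares a GCP packet mirroring policy. The VPC, subnet, backend service, tag and region names are assumptions; the collector is an internal load balancer that fronts the analysis tool.

```hcl
# Assumed pre-existing resources: google_compute_network.vpc,
# google_compute_subnetwork.ids_subnet, google_compute_region_backend_service.ids.

# The collector endpoint: an internal passthrough load balancer whose
# forwarding rule is explicitly marked as a mirroring collector.
resource "google_compute_forwarding_rule" "ids_collector" {
  name                   = "ids-collector"
  region                 = "us-central1"
  load_balancing_scheme  = "INTERNAL"
  is_mirroring_collector = true
  all_ports              = true
  network                = google_compute_network.vpc.id
  subnetwork             = google_compute_subnetwork.ids_subnet.id
  backend_service        = google_compute_region_backend_service.ids.id
}

# The mirroring policy: copies traffic from every instance carrying the
# "web" network tag to the collector above. Selecting by tag rather than by
# instance name means newly created web instances are mirrored automatically.
resource "google_compute_packet_mirroring" "web_to_ids" {
  name        = "web-to-ids"
  description = "Mirror web-tier traffic to the IDS collector"
  region      = "us-central1"

  network {
    url = google_compute_network.vpc.id
  }

  collector_ilb {
    url = google_compute_forwarding_rule.ids_collector.id
  }

  mirrored_resources {
    tags = ["web"]
  }

  # Narrow the feed before it reaches the tool: TCP only, both directions,
  # any peer address. Tighten cidr_ranges to limit what the tool receives.
  filter {
    ip_protocols = ["tcp"]
    cidr_ranges  = ["0.0.0.0/0"]
    direction    = "BOTH"
  }
}
```

The mirrored copies carry full payloads, so the collector subnet and the tool behind it should be treated as holding sensitive data and restricted accordingly.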
But in the cloud, there’s more to consider than traditional network visibility functions.
By its nature, monitoring cloud-hosted resources is dynamic, ephemeral, and more complex than static physical networks. Furthermore, many organizations have hybrid cloud/non-cloud and multi-cloud deployments, each with differing network visibility capabilities.
Meanwhile, data must be collected and securely delivered to wherever the analysis tools live, over infrastructure that may not always be secure.
To meet these challenges of cloud visibility, organizations should look for tools or solutions that can enable security operations with a uniform way to quickly and safely deploy or change network visibility policies.
The adopted solutions should be able to create a distributed and encrypted packet brokering layer between native cloud packet mirroring functions, such as GCP's, and the traffic analysis tools, so that data is delivered securely regardless of whether the visibility traffic sources and destinations reside in the same availability zone, region, or even infrastructure provider. Full network visibility and security analysis capabilities should be maintained without sacrificing data security.
In other words, organizations should opt for intent-based analytics and visibility for multi-cloud deployments, where they can forward whatever data is needed in a simple intent-based manner using a drag-and-drop user interface or programmatic APIs, with traffic monitoring policies that scale and adjust dynamically along with the cloud infrastructure.
Gregory Copeland, the director of technical alliances at Keysight Technologies, wrote this article.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.