The blind spot in virtual servers - seeing with network analysis

description

Virtual servers are now commonplace. Virtual storage is taking the IT market by storm. And the virtual data center and virtual networks are visible on the horizon. Virtualization provides tremendous efficiencies, reducing the cost of equipment, management, and even utilities. But as with most technological shifts there are consequences, especially in network analysis, that must be addressed. Virtualization, regardless of the “flavor”, creates a blind spot - a loss of visibility into traffic between virtual applications or virtual systems - when using traditional network analysis products and techniques. In this webinar, we will dissect this problem and demonstrate ways to overcome these network blind spots.

In this web seminar, we will cover:

• How network blind spots occur

• Where network blind spots occur

• How to identify which flavors of virtualization are most vulnerable

You will learn how to:

• Establish goals for virtual network analysis

• Identify the best network analysis solutions for each virtualization flavor

• Configure your virtual network for the realities of network analysis

Transcript of The blind spot in virtual servers - seeing with network analysis

Page 1: The blind spot in virtual servers - seeing with network analysis

www.wildpackets.com © WildPackets, Inc.

Show us your tweets! Use today’s webinar hashtag:

#wp_virtualblindspot with any questions, comments, or feedback.

Follow us @wildpackets

Jay Botelho

Director of Product Management

WildPackets

Follow me @jaybotelho

The Blind Spot in Virtual Servers:

Seeing with Network Analysis

Page 2: The blind spot in virtual servers - seeing with network analysis

Administration

• All callers are on mute ‒ If you have problems, please let us know via the Chat window

• There will be Q&A at the end ‒ Feel free to type a question at any time

• Slides and recording will be available ‒ Notification within 48 hours via a follow-up email

Page 3: The blind spot in virtual servers - seeing with network analysis

Agenda

• Current Trends in Virtualization

• What Causes Virtual Network Blind Spots?

• Configuring Virtual Networks for Analysis

• Establishing Goals for Network Analysis in Virtual Environments

• Defining the Requirements

• WildPackets Corporate Overview

• WildPackets Product Line Overview

Page 4: The blind spot in virtual servers - seeing with network analysis

Current Trends in Virtualization

Page 5: The blind spot in virtual servers - seeing with network analysis

Current State of Virtualization

• 75% of large companies have implemented some form of virtualization [1]

• Percentage of servers actually virtualized remains small at approximately 10 – 15% in these companies [1]

• Virtual systems are a tempting target for security breaches

‒ Compromising only one layer provides access to many [2]

• Storage virtualization – 45% adoption; 5th most effective IT strategy [3, 7]

‒ Deduplication

‒ Thin provisioning

‒ Tiering

Page 6: The blind spot in virtual servers - seeing with network analysis

Adoption Drivers in Virtualization

• Bundling virtualization with servers [1]

• SMBs get into the action [4, 5]

• Automation on the rise [5, 6]

• Better backup, recovery and live migration tools [5, 6]

• I/O and network virtualization [6]

• SDN (Software Defined Networks)

• Desktop Virtualization [5, 6, 8]

‒ Benefits depend on vertical industry

‒ Mobile access devices (e.g. iPads) driving adoption

Page 7: The blind spot in virtual servers - seeing with network analysis

What Causes Virtual Network Blind Spots?

Page 8: The blind spot in virtual servers - seeing with network analysis

Virtualization

Page 9: The blind spot in virtual servers - seeing with network analysis

Configuring the Virtual Network for Analysis

Page 10: The blind spot in virtual servers - seeing with network analysis

Categories of Virtualization

• Standalone

• Coordinated/Distributed

• Cloud

Page 11: The blind spot in virtual servers - seeing with network analysis

Terminology

• VM Host

‒ Physical hardware running the hypervisor

‒ “Server” or “VM Server”

• VM Guest

‒ Virtual machine running as an image inside the server

‒ “VM”

• Networking

‒ vNIC: Virtual NIC

‒ vSwitch: Virtual Switch

‒ pNIC: Physical NIC

Page 12: The blind spot in virtual servers - seeing with network analysis

Standalone VM Networking

• Multiple guests, single host

‒ One or more vNICs per guest

‒ One or more physical NICs on host

• Switch interfaces

‒ Guest vNICs

‒ Host physical NICs (pNICs)

‒ Possible network separation via multiple L2 vSwitches

• Logically behaves like a TOR or workgroup switch

‒ No transit traffic, leaf network

‒ Usually no L3 (Routing) between VLANs/vSwitches

Page 13: The blind spot in virtual servers - seeing with network analysis

The Blind Spots

Page 14: The blind spot in virtual servers - seeing with network analysis

Eliminating the Blind Spots

Page 15: The blind spot in virtual servers - seeing with network analysis

Eliminating the Blind Spots

• The Good:

‒ Visibility of intra-host traffic

‒ Built into infrastructure

• The Bad:

‒ Capturing on local VM increases demand on VM resources

‒ Still have to know which host for specific VM guest

‒ May violate separation of customer traffic

Page 16: The blind spot in virtual servers - seeing with network analysis

Configuration Details

• Create a VM for OmniVirtual

• Allocate resources based on goals

• Install OmniVirtual

• Connect to OmniVirtual using OmniPeek

Page 17: The blind spot in virtual servers - seeing with network analysis

Configuration Details (cont.)

• Log into the VMware Infrastructure Client

• Choose the Configuration tab in Networking

• Put the virtual switch into promiscuous mode: Switch Properties -> Edit -> Security tab, set promiscuous mode to “accept”

• Similar to spanning a switch in a “real” environment

• Start a capture
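
One way to check where promiscuous mode has been left set to accept after the steps above, as an added example that is not part of the original slides or of any WildPackets or VMware tooling. The `Key: value` layout is assumed for the output of `esxcli network vswitch standard policy security get`; the `== <name>` separator, the switch names and the sample text are constructed.

```python
import re

# Constructed sample, not real output: per-switch text in the "Key: value"
# layout assumed for `esxcli network vswitch standard policy security get`,
# with a "== <vSwitch name>" separator added by a hypothetical collection script.
SAMPLE = """\
== vSwitch0
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
== vSwitch1
   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true
== vSwitch-Capture
   Allow Promiscuous: true
   Allow MAC Address Change: false
   Allow Forged Transmits: false
"""

FIELD = re.compile(r"^\s*(Allow [A-Za-z ]+):\s*(true|false)\s*$", re.I)


def parse_policies(text):
    """Return {switch_name: {policy_field: bool}} from the collected text."""
    policies, current = {}, None
    for line in text.splitlines():
        if line.startswith("== "):
            current = line[3:].strip()
            policies[current] = {}
            continue
        match = FIELD.match(line)
        if match and current is not None:
            policies[current][match.group(1)] = match.group(2).lower() == "true"
    return policies


def unexpected_promiscuous(text, capture_switches):
    """List switches that accept promiscuous mode but are not approved capture points.

    Any guest attached to such a switch can see its neighbours' traffic, which
    is the "separation of customer traffic" concern raised earlier in the deck.
    """
    flagged = []
    for name, policy in parse_policies(text).items():
        if policy.get("Allow Promiscuous") and name not in capture_switches:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name in unexpected_promiscuous(SAMPLE, {"vSwitch-Capture"}):
        print(f"{name}: promiscuous mode accepted outside an approved capture switch")
```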

Page 18: The blind spot in virtual servers - seeing with network analysis

Coordinated VM Networking

• Single switch among multiple VM hosts

‒ Each vSwitch per host like a blade switch

‒ Physical network like a backplane, but usually no L3

• Maintains single forwarding table

‒ Inter-VM traffic between hosts sent encapsulated to target host

‒ No need to “learn” VM MAC addresses

• Port profiles per guest

‒ If VM moves, profile moves too

‒ vSwitch forwarding tables automatically updated

‒ Physical switches must learn new host for VM

Distributed vSwitch (shared across VM hosts)

Page 19: The blind spot in virtual servers - seeing with network analysis

The Blind Spots

Distributed vSwitch (shared across VM hosts)

Page 20: The blind spot in virtual servers - seeing with network analysis

Eliminating the Blind Spots - Virtual Taps

• The Good:

‒ Reduced effort, increased visibility

‒ Should auto-filter for customer traffic separation

• The Bad:

‒ May be VM vendor specific, e.g. only VMware

• Examples: NetOptics, Gigamon, BigSwitch

Distributed vSwitch (shared across VM hosts)

Virtual Tap

Page 21: The blind spot in virtual servers - seeing with network analysis

Cloud

• Private Cloud (In-house)

• Public Cloud (3rd Party)

‒ Software-as-a-Service (SaaS)

‒ Infrastructure-as-a-Service (IaaS)

‒ Hosted services

Page 22: The blind spot in virtual servers - seeing with network analysis

Network Analysis in the Cloud

• Private Cloud (In-house)

‒ Under your control - functionally similar to distributed VM

‒ If you control the network, you can sniff “anywhere”

• Public Cloud (3rd Party)

‒ IaaS VMs can likely sniff their own traffic

‒ SaaS and Hosted Services - unlikely that you can negotiate network sniffing rights

Page 23: The blind spot in virtual servers - seeing with network analysis

Establishing Goals for Network Analysis in Virtual Environments

Page 24: The blind spot in virtual servers - seeing with network analysis

What’s The Difference?

• All the same goals apply

‒ Monitoring/alarms

‒ Real-time analysis

‒ Post-capture analysis

‒ Network performance/application performance/VoIP

• Only the implementation is different

Traditional NA – Virtual NA = 0

Page 25: The blind spot in virtual servers - seeing with network analysis

Analyze The Essentials

• Monitor

‒ Statistics only

‒ Alerts/alarms

‒ Perfect for conserving resources

• Real-time analysis

‒ Disable what you don’t need to increase performance

• Post-capture analysis

‒ Turn off ALL analysis options

‒ Significantly increase overall performance

Page 26: The blind spot in virtual servers - seeing with network analysis

Best Practices

• Be specific (regarding your analysis requirements)

• Understand your virtual environment and network

• Analyze the essentials

• Know your resource limits

• Anticipate hardware resource needs

• Be reasonable (monitor the number of analysts accessing data)

Page 27: The blind spot in virtual servers - seeing with network analysis

Defining the Requirements

Page 28: The blind spot in virtual servers - seeing with network analysis

Anticipate Hardware Resource Needs

• Real-time analysis

‒ Keep buffer size, file size and saved files within reasonable limits

‒ Use the minimum number of captures possible to accomplish your objective

• Post-capture analysis - hard disk and RAM

‒ Assuming steady-state traffic of 1Gbps: 7.68 GB/min, 460 GB/hr, 11 TB/day

‒ Forensics searches are CPU and RAM intensive

‒ Pre-compute the maximum RAM your search could use

‒ Disable unneeded analysis options

‒ Experiment: search for just packets and then add several analysis options and note the difference
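
The sizing figures above, generalized into a small retention planner, as an added example that is not part of the original slides. Taking 1 Gbps as 1024 Mbit/s and 1 GB as 1000 MB is an assumption inferred from the 7.68 GB/min figure; `utilization` and `slice_ratio` are hypothetical parameters, and the recorder storage and capture-to-disk (CTD) values are the ones listed on the price/performance slide of this deck.

```python
# Unit convention (assumption, inferred from the slide's 7.68 GB/min at 1Gbps).
MBIT_PER_GBIT = 1024
MB_PER_GB = 1000
GB_PER_TB = 1000

# Largest storage option (TB) and CTD rate (Gbps) listed per recorder
# on the price/performance slide of this deck.
RECORDERS = {
    "Portable": (6, 4.5),
    "Edge": (1, 1.1),
    "Core": (16, 3.0),
    "TimeLine": (48, 12.0),
}


def capture_gb(rate_gbps, seconds, utilization=1.0, slice_ratio=1.0):
    """GB written to disk for a link of rate_gbps over the given seconds.

    utilization: average fraction of line rate actually carried (0..1).
    slice_ratio: fraction of each packet kept when packets are truncated
                 before storage (0 < ratio <= 1).
    """
    if rate_gbps < 0 or seconds < 0:
        raise ValueError("rate and duration must be non-negative")
    if not 0 <= utilization <= 1 or not 0 < slice_ratio <= 1:
        raise ValueError("utilization must be in [0, 1], slice_ratio in (0, 1]")
    mb_per_second = rate_gbps * MBIT_PER_GBIT / 8
    return mb_per_second * seconds * utilization * slice_ratio / MB_PER_GB


def retention_hours(disk_tb, rate_gbps, utilization=1.0, slice_ratio=1.0):
    """Hours of traffic a disk holds before the oldest packets are overwritten."""
    per_hour = capture_gb(rate_gbps, 3600, utilization, slice_ratio)
    if per_hour == 0:
        return float("inf")
    return disk_tb * GB_PER_TB / per_hour


def recorder_retention(utilization=1.0):
    """Look-back window in hours for each recorder running at its CTD rate."""
    return {
        name: round(retention_hours(tb, gbps, utilization), 1)
        for name, (tb, gbps) in RECORDERS.items()
    }


if __name__ == "__main__":
    print(f"1 Gbps: {capture_gb(1, 60):.2f} GB/min, "
          f"{capture_gb(1, 3600):.1f} GB/hr, "
          f"{capture_gb(1, 86400) / GB_PER_TB:.2f} TB/day")
    for name, hours in recorder_retention().items():
        print(f"{name}: {hours} h of look-back at full capture-to-disk rate")
```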

Page 29: The blind spot in virtual servers - seeing with network analysis

Q&A

Follow us on SlideShare! Check out today’s slides on SlideShare

www.slideshare.net/wildpackets

Page 30: The blind spot in virtual servers - seeing with network analysis

WildPackets Corporate Overview

Optimizing Network and Application Performance

Page 31: The blind spot in virtual servers - seeing with network analysis

Corporate Background

• Experts in network monitoring, analysis, and troubleshooting

‒ Founded: 1990 / Headquarters: Walnut Creek, CA

‒ Offices throughout the US, EMEA, and APAC

• Customers spanning leading edge organizations

‒ Mid-market and enterprise lines of business

‒ Financial, manufacturing, ISPs, major federal agencies, state and local governments, universities

‒ Over 7,000 customers / 60+ countries / 80% of Fortune 1,000

• Award-winning solutions that improve network performance

‒ Internet Telephony, Network Magazine, Network Computing awards

‒ United States Patent 5,787,253 issued July 28, 1998: “Apparatus and Method of Analyzing Internet Activity”

Page 32: The blind spot in virtual servers - seeing with network analysis

Why Our Customers Need Us

• VoIP, video, cloud, virtualization, and key business applications are saturating critical network services

• Evolving network technologies create discontinuities

‒ 1 Gig 10 Gig 40 Gig 100 Gig networks

‒ Wireless, BYOD initiatives

• Users and business cannot tolerate network problems for mission critical services

Increasing demand for better real-time network visibility, network analytics, network forensics, and DPI

Page 33: The blind spot in virtual servers - seeing with network analysis

How We Create Value

We provide innovative, industry-leading, real-time network performance management solutions

‒ Easy-to-use, easy-to-learn user interface

‒ Uniquely extensible solutions

‒ Wireless network leadership

‒ Detailed analytics related to network applications

‒ Fastest network traffic capture appliance in its class

‒ Technical superiority at competitive price point

WildPackets has continually advanced its solution to meet the needs of its customers

Page 34: The blind spot in virtual servers - seeing with network analysis

Unprecedented Network Visibility

ROOT-CAUSE ANALYSIS

OmniPeek network analyzer performs deep packet inspection and can reconstruct all network activity, including e-mail and IM, as well as analyze VoIP and video traffic quality.

PINPOINT NETWORK ISSUES ANYWHERE

Omnipliance Portable can rapidly identify and troubleshoot issues before they become major problems, wired or wireless, down the hall or across the globe.

UNDERSTAND END-USER PERFORMANCE

TimeLine and Omnipliance network recorders monitor and analyze performance across critical network segments, virtual environments, and remote sites.

NETWORK HEALTH

WatchPoint can manage and report on key device performance and availability across the entire network, from anywhere on the network.

GLOBAL

DISTRIBUTED

PORTABLE

DPI

Page 35: The blind spot in virtual servers - seeing with network analysis

A History of Innovation

2001

• First 802.11 wireless analyzer

• First network analyzer with automated expert analysis

2003 Distributed real-time troubleshooting

2005 Combined distributed network and VoIP network analysis

2008 Enterprise-wide Monitoring and Reporting

2009 Innovative dashboard with drill-down for VoIP and video

2010 First to achieve 11 Gbps sustained capture-to-disk

2011

• Total visibility with zero packet loss

• First wireless network analyzer to support capture and analysis of 802.11n 3-stream wireless

2012

• Capture, record, and analyze from 40G network segments

• First wireless network analyzer to support 802.11ac, k, r, u, v, w

Page 36: The blind spot in virtual servers - seeing with network analysis

Product Line Overview

Page 37: The blind spot in virtual servers - seeing with network analysis

Omni Distributed Analysis Platform

OmniPeek Enterprise Packet Capture, Decode and Analysis

• Ethernet, 1/10 Gigabit, 802.11, and voice and video over IP

• Portable capture and OmniEngine console

• Aggregate analysis data across multiple capture points

Omnipliance / TimeLine Distributed Enterprise Network Forensics

• High-performance packet capture and real-time analysis

• Stream-to-disk for forensics analysis

• Integrated OmniAdapter network analysis cards up to 40G

WatchPoint Centralized Enterprise Network Monitoring Appliance

• Aggregation and graphical display of network data

• WildPackets OmniEngines

• NetFlow and sFlow

Page 38: The blind spot in virtual servers - seeing with network analysis

Omni Distributed Analysis Platform Software and Turnkey Solutions

• Enterprise monitoring and reporting

‒ WatchPoint Server

‒ OmniFlow, NetFlow, and sFlow Collectors

• Software probes and network recorders

‒ Omnipliance network recorders – Edge, Core

‒ TimeLine network recorders

‒ OmniAdapter analysis cards

• Distributed analysis software

‒ OmniPeek – Enterprise, Professional, Basic, Connect

‒ OmniEngine – Enterprise, Desktop, OmniVirtual

• Portable solutions

‒ OmniPeek network analyzer

‒ Omnipliance Portable

Page 39: The blind spot in virtual servers - seeing with network analysis

Key New Features in v7

• 40G network support

• Analyze issues from end to end: Multi-Segment Analysis (MSA)

• Collect data from non-technical end users: OmniPeek Remote Assistant (ORA)

• Single, interactive dashboard for utilization, top talkers, top protocols, latency, Experts, flows, and wireless signal strength

• New wireless specifications

‒ 802.11ac, 802.11k

‒ 802.11r, 802.11u

‒ 802.11v, 802.11w

Page 40: The blind spot in virtual servers - seeing with network analysis

OmniPeek Network Analyzer

• Distributed analysis manager

– Connect to and configure distributed OmniEngines, Omnipliances, and TimeLines

• Comprehensive dashboards present network traffic in real-time

– Vital statistics and graphs display trends on network and application performance

– Visual peer-map shows conversations and protocols

– Intuitive drill-down for root-cause analysis of performance bottlenecks

• Visual Expert diagnosis speeds problem resolution

– Packet and payload visualizers provide business-centric views

• Automated analytics and problem detection 24/7

– Easily create filters, triggers, scripting, advanced alarms, and alerts

Page 41: The blind spot in virtual servers - seeing with network analysis

Omnipliance Network Recorders

• Captures and analyzes all network traffic 24x7

– Runs WildPackets OmniEngine software probe

– Generates vital statistics on network and application performance

– Intuitive root-cause analysis of performance bottlenecks

• Expert analysis speeds problem resolution

– Fault analysis, statistical analysis, and independent notification

• Multiple issue digital forensics

– Real-time and post capture data mining for compliance and troubleshooting

• Intelligent data transport

– Network data analyzed locally

– Detailed analysis passed to OmniPeek on demand

– Summary statistics sent to WatchPoint for long term trending and reporting

– Efficient use of network bandwidth

• User-extensible platform

– Plug-in architecture and SDK

Page 42: The blind spot in virtual servers - seeing with network analysis

TimeLine Network Recorder

• Continuous network recording and comprehensive real-time statistical display, simultaneously

‒ 12Gbps sustained capture with zero packet loss

‒ Network statistics display in TimeLine visualization format

• Rapid, intuitive forensics search and retrieval

‒ Historical network traffic analysis and quick data rewinding

‒ Several pre-defined forensics search templates making searches easy and fast

• A natural extension to the WildPackets product line

• Turnkey bundled solution

‒ Appliance + OmniEngine, OmniAdapter, OmniPeek Connect

Page 43: The blind spot in virtual servers - seeing with network analysis

WildPackets Network Recorders Price/Performance Solutions for Every Application

• Portable: Ruggedized, Troubleshooting

‒ Aluminum chassis / 17” LCD

‒ Dual 2.13 GHz Quad-Core Intel Xeon L5630 "Westmere"

‒ 24GB RAM

‒ 2 PCI-E Slots

‒ 2 Built-in Ethernet Ports

‒ 6TB SATA storage capacity

‒ 4.5Gbps CTD

• Edge: Small Networks, Remote Offices

‒ 1U rack mountable chassis

‒ Quad-Core Intel Xeon X3460 2.80Ghz

‒ 4GB RAM

‒ 2 PCI-E Slots

‒ 2 Built-in Ethernet Ports

‒ 1TB SATA storage capacity

‒ 1.1Gbps CTD

• Core: Datacenter Workhorse, Easily Expandable

‒ 3U rack mountable chassis

‒ Dual Intel Xeon Quad Core E5530 2.4GHz

‒ 6GB RAM

‒ 4 PCI-E Slots

‒ 2 Built-in Ethernet Ports

‒ 8/16TB SATA storage capacity

‒ 3Gbps CTD

• TimeLine: Enterprise, Highly-Utilized Networks

‒ 3U rack mountable chassis

‒ Dual Intel Xeon Quad Core X5560 2.8GHz

‒ 18GB RAM

‒ 4 PCI-E Slots

‒ 2 Built-in Ethernet Ports

‒ 8/16/32/48TB SATA storage capacity

‒ 12Gbps CTD

Page 44: The blind spot in virtual servers - seeing with network analysis

WatchPoint Centralized Monitoring for Distributed Enterprise Networks

• High-level, aggregated view of all network segments

– Monitor per campus, per region, per country

• Wide range of network data

– NetFlow, sFlow, OmniFlow

• Web-based, customizable network dashboards

• Flexible detailed reports

• Direct link to detailed, packet-based analysis

Page 45: The blind spot in virtual servers - seeing with network analysis

Comprehensive Support and Services

Standard Support

Maintenance and upgrades

Telephone and email contacts

Knowledgebase

MyPeek Portal

Premier Support

24 x 7 x 365

Dedicated escalation manager

2 customer contacts per site

Plug-in reconfiguration assistance

WildPackets Training Academy

Public, web-based, and on-site classes

Complete curriculum: technology and product focused

Practical applications and labs covering network analysis, wireless, VoIP monitoring and advanced troubleshooting

Consulting and Custom Development Services

Deployment, configuration, and assessment engagement

Systems integration and testing

Application integration, driver, decode, interface development

Page 46: The blind spot in virtual servers - seeing with network analysis

WildPackets Key Differentiators

• Visual Expert intelligence with intuitive drill-down

– Let computer do the hard work, and return results, real-time

– Packet/payload visualization is faster than packet-per-packet diagnostics

– Experts and analytics can be memorized and automated

• Automated capture analytics

– Filters, triggers, scripting, and advanced alarming system combine to provide automated network problem detection 24x7

• Multiple issue network forensics

– Can be tracked by one or more people simultaneously

– Real-time or post capture

• User-extensible platform

– Plug-in architecture and SDK

• Aggregated network views and reporting

– NetFlow, sFlow, and OmniFlow

Page 47: The blind spot in virtual servers - seeing with network analysis

24x7 Network Monitoring, Analysis, and Troubleshooting

Page 48: The blind spot in virtual servers - seeing with network analysis

Thank You!

WildPackets, Inc.

1340 Treat Boulevard, Suite 500

Walnut Creek, CA 94597

(925) 937-3200