BLOG: Using SDN to create a packet monitoring system

Scott Hogg | Dec. 16, 2013
Packet-level Monitoring Use Case with Cisco XNC and Monitor Manager

Because of the limitations of SPAN/monitor ports on switches, organizations have turned to taps and packet monitoring switches. These solutions can be expensive, which has led companies to look for alternatives. Establishing a packet monitoring system is one of the use cases for Software-Defined Networking (SDN). This solution uses lower-cost network switches with an SDN controller to allow simple and dynamic configuration of a packet monitoring and analysis system.

Limitations of SPAN and Monitor Ports:
Lack of visibility into Information Technology (IT) systems is a major issue. Network administrators have struggled to monitor the data-plane traffic flowing across their networks. NetFlow can provide some high-level visibility into the flow data, but lacks the packet decode details required for some analysis or troubleshooting. Network administrators have suffered from the limitations of Switch Port Analyzer (SPAN) and port-mirroring technology within Ethernet switches. Further exacerbating the problem, other IT groups also want to be able to perform packet captures on the network. Security administrators and systems administrators are often competing for the limited SPAN capabilities in the switches.

An alternative is to use a packet monitoring matrix switch. These switches connect to the various monitoring points within the network using their "monitor ports". The "monitor ports" can connect to SPAN sessions or to optical/copper taps placed around the network topology. These packet monitoring switches also connect to the monitoring and analysis applications and tools using their "tool ports". A "tool port" can connect to anything from an Intrusion Detection System (IDS) to a Web Application Firewall (WAF) to a protocol analyzer. These switches are equipped with special programmability that allows the monitored traffic to be forwarded to the analysis tools using a variety of configurable logic. However, the downside of these products is that they can be quite expensive. It is not uncommon for an organization to spend $50K to $100K or more to obtain these switches and get them all set up correctly. Therefore, many organizations have delayed investing in these solutions because of cost.

Using SDN for Packet Monitoring:
Software-Defined Networking is an approach to networking that separates the control plane from the forwarding plane to support virtualization. SDN is a new paradigm for network virtualization and for forwarding network traffic across a network based on advanced policies. To learn more about the potential of SDN, check out the NWW Digital Spotlight on "The Promise of SDN".

An emerging alternative for creating a packet monitoring overlay network is to use a Software-Defined Networking (SDN) system. SDN systems use commodity or virtualized network switches controlled by a sophisticated centralized software-based controller to create new ways of handling network traffic. In this way, the low-cost switches can connect to the points in the network where the data packets will be gathered. The management and monitoring tools will also be connected to the low-cost switches. The SDN controller is used to direct the traffic from the various monitor ports to the tool ports based on the configuration in the controller. This creates an overlay monitoring network that is out-of-band (OOB) from the normal traffic paths. Therefore, the amount of traffic that this monitoring network is handling does not adversely affect the production data paths.
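The controller's role described above can be modeled as a rule table that maps monitor ports to tool ports. This is an added example, not code from the original post and not the Cisco XNC API: the `Rule` fields, port names and sample packets are constructed, and OpenFlow-style "highest-priority match wins" semantics are assumed. It also shows which traffic no tool receives, which is the visibility gap to check for when writing such a policy.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """One forwarding rule pushed by the controller (hypothetical model)."""
    priority: int
    in_port: str                      # monitor port the copied packet arrives on
    tool_ports: Tuple[str, ...]       # tool ports that each receive the packet
    ip_proto: Optional[int] = None    # None acts as a wildcard
    dst_port: Optional[int] = None    # None acts as a wildcard

    def matches(self, pkt: dict) -> bool:
        return (pkt["in_port"] == self.in_port
                and self.ip_proto in (None, pkt.get("ip_proto"))
                and self.dst_port in (None, pkt.get("dst_port")))

def forward(rules, pkt) -> Tuple[str, ...]:
    """Tool ports that receive pkt; () means no rule matched and it is dropped."""
    hits = [r for r in rules if r.matches(pkt)]
    return max(hits, key=lambda r: r.priority).tool_ports if hits else ()

def copies_per_tool(rules, packets) -> Counter:
    """Count packets delivered to each tool port, plus those no tool sees."""
    load = Counter()
    for pkt in packets:
        outputs = forward(rules, pkt)
        load.update(outputs if outputs else ("<unmonitored>",))
    return load

# Constructed policy: HTTP from mon1 goes to IDS and WAF, all other mon1
# traffic goes to the IDS only, and only DNS from mon2 reaches the analyzer.
RULES = [
    Rule(200, "mon1", ("ids", "waf"), ip_proto=6, dst_port=80),
    Rule(100, "mon1", ("ids",)),
    Rule(100, "mon2", ("analyzer",), ip_proto=17, dst_port=53),
]
# Constructed sample traffic (header fields only).
PACKETS = [
    {"in_port": "mon1", "ip_proto": 6, "dst_port": 80},
    {"in_port": "mon1", "ip_proto": 6, "dst_port": 22},
    {"in_port": "mon2", "ip_proto": 17, "dst_port": 53},
    {"in_port": "mon2", "ip_proto": 6, "dst_port": 443},
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p, "->", forward(RULES, p) or "dropped")
    print(dict(copies_per_tool(RULES, PACKETS)))
```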

 
