Without fast and reliable connectivity to company resources, business screeches to a halt. Credit cards must be processed. Managers need access to inventory. Email messages must be answered. As much as IT managers and network operations teams are happy to see a new appreciation for IT, problems have also emerged that require new tools and workflows to solve.
Until recently, network visibility was often an ancillary tool in IT’s toolbelt. Legacy methods couldn’t provide the granularity and real-time state data that technology teams craved. The growing complexity of networking, though, means that good visibility is no longer a nice-to-have. It’s a necessity.
Recent advancements in programmability enable network engineers to interact with the network in new ways. This latest trend in network visibility helps solve several problems in network operations, such as:
- Monitoring IoT devices.
- Micro-segmentation in the data center.
- Workloads moving between private and public clouds.
Monitoring IoT Devices
It’s relatively straightforward to identify a company-owned Windows laptop and apply an access control policy. However, how do we identify and monitor the wide variety of IoT devices appearing on our network? It would be easy to lump them all together as “untrusted” and under one DENY policy. However, many of these devices are integral elements of a business and must be monitored and managed accordingly.
Manufacturing environments provide a powerful example of mission-critical “things,” such as:
- HVAC systems
- Thermostats in industrial refrigerators
- Valve control mechanisms in chemical plants
- Radio receivers on autonomous forklifts
The problem is that many of these devices are somewhat new. Forklifts, for example, have been and typically still are operated by a person. So, we don’t have years of tested software development behind the latest autonomous forklift systems. This is true for many IoT devices: They are often insecure, hastily constructed, and managed with only rudimentary software.
To gain visibility into absolutely everything connecting to the network, the network itself must become a sensor to detect and identify everything with an IP address.
Detecting an up/down state of a switch’s interface was possible with SNMP or screen-scraping, but that’s about where the information stopped. However, today’s visibility tools make use of programmable network interfaces and open APIs to capture granular information about even the most obscure IoT devices.
Businesses can’t manage or secure what they can’t see. Today’s network security threats demand that manufacturing facilities, hospitals, retail stores, and so on secure the information and resources on their networks. Without strong visibility into what’s connected, this is nearly impossible. Security and visibility go hand in hand.
Data Center Micro-Segmentation
Second, virtual machine sprawl and the nature of dynamic workloads mean it’s difficult to secure applications and troubleshoot connectivity problems in a typical data center. There is inherent risk in workloads leaving on-premises, managed data centers to operate in public, unmanaged cloud environments. Performance monitoring is affected, troubleshooting is more difficult, and there are concerns about security.
Does a front-end web server need to communicate with every back-end database?
Does an SQL server running in the primary data center need to communicate with the file servers in the backup data center?
How can a NetOps team troubleshoot an application performance issue if no one knows what the application is supposed to be talking to?
As enterprises scale to large data centers running thousands of hosts with tens of thousands of virtual machines, identifying dependencies to secure applications and troubleshoot performance issues becomes completely unrealistic.
For instance, a large financial company with a variety of business units would likely consolidate resources into one (or several) private data centers. However, separation must still exist within the data center between resources dedicated to one business unit and those dedicated to another. This can be very difficult to accomplish if no one knows what needs to talk to what.
Micro-segmentation is great in theory. But it falls apart when NetOps teams throw their collective hands up in frustration and give an application full access to everything else in the data center.
Mapping dependencies becomes a game of chance as NetOps teams make a change, break an application, and try again. Since no one knows where to start, it’s nearly impossible to map dependencies accurately in a larger environment.
The solution is granular and accurate real-time visibility. Visibility tools such as VMware vRealize Network Insight map dependencies within an environment and between virtual machines and internet resources. The trend in network visibility tools and software makes this easier, which in turn allows for:
- Performance enhancement.
- Increased security.
- Shorter time to resolution.
Workloads Moving Between Private and Public Clouds
Finally, today’s workloads move back-and-forth between private and public clouds. In some cases, these workloads also move between public clouds. At one time, it was enough to know on which hosts virtual machines lived and where they were connected. Today, workloads migrate autonomously from on-premises resources to public cloud resources.
Visibility into how traffic moves is a requirement for security professionals, not to mention several regulatory bodies. It’s also integral to troubleshooting performance and connectivity issues.
This is especially important because NetOps doesn’t own or manage many of the hops in a packet’s journey anymore.
For example, a NOC for a hospital using private and public cloud resources needs to understand application dependencies for its mission-critical apps. IT needs to troubleshoot connectivity to back-end databases, front-end servers, or the end-users themselves. Physicians working in hospital buildings or at partner locations need instant and reliable access to patient information.
There is no room for error. There is no tolerance for downtime.
Information, in this case patient information, can exist anywhere. Patient data also likely traverses both private and public pathways. Real-time visibility into traffic flows and link performance is more than mission critical. It can be a matter of life and death.
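The two sections above describe the same underlying task from two angles: turning observed traffic into an application dependency map (so micro-segmentation can be an allow-list rather than “full access to everything”) and flagging the flows that cross between sites NetOps controls and sites it doesn’t. The following is an added example that is not part of the original article and not code from VMware vRealize Network Insight or any other product; the flow-record format, the IP-to-application inventory, the site labels and the byte counts are all constructed for the demo.

```python
"""Map application dependencies from flow records and derive allow-list
segmentation rules; also flag flows that cross a site boundary.

Added illustrative example (not a product's code). The inventory, the flow
records and their format are constructed for this demo.
"""
from collections import defaultdict

# Constructed inventory: IP -> (application tier, site). A real visibility
# tool would fill this from hypervisor, CMDB or cloud tags, not by hand.
INVENTORY = {
    "10.1.1.10": ("web-frontend", "onprem-primary"),
    "10.1.1.11": ("web-frontend", "onprem-primary"),
    "10.1.2.20": ("orders-db", "onprem-primary"),
    "10.1.2.21": ("billing-db", "onprem-primary"),
    "10.2.3.30": ("file-server", "onprem-backup"),
    "172.16.5.40": ("reporting-api", "public-cloud"),
}

# Constructed NetFlow/IPFIX-style records: src,dst,proto,dst_port,bytes.
FLOWS = """\
10.1.1.10,10.1.2.20,tcp,5432,184320
10.1.1.11,10.1.2.20,tcp,5432,90112
10.1.1.10,172.16.5.40,tcp,443,40960
172.16.5.40,10.1.2.21,tcp,5432,61440
10.1.2.20,10.2.3.30,tcp,445,2048
198.51.100.7,10.1.1.10,tcp,443,512
"""


def parse_flows(text):
    """Parse the constructed CSV-like flow export into 5-tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port, nbytes = line.split(",")
        rows.append((src, dst, proto, int(port), int(nbytes)))
    return rows


def map_dependencies(flows, inventory):
    """Aggregate flows into (src_app, dst_app, proto, port) -> total bytes.
    Endpoints missing from the inventory are labelled 'unknown' so they
    stand out instead of silently disappearing from the map."""
    deps = defaultdict(int)
    for src, dst, proto, port, nbytes in flows:
        src_app = inventory.get(src, ("unknown", "unknown"))[0]
        dst_app = inventory.get(dst, ("unknown", "unknown"))[0]
        deps[(src_app, dst_app, proto, port)] += nbytes
    return dict(deps)


def allow_rules(deps):
    """Turn observed, inventoried dependencies into an allow-list between
    application tiers. Everything not listed is implicitly denied, which is
    the micro-segmentation alternative to granting full access."""
    return sorted(
        (s, d, proto, port)
        for (s, d, proto, port) in deps
        if "unknown" not in (s, d)
    )


def talks_to(deps, src_app, dst_app):
    """Answer 'does tier A actually talk to tier B?' from the observed map."""
    return any(s == src_app and d == dst_app for (s, d, _, _) in deps)


def cross_site_flows(flows, inventory):
    """Flag flows whose endpoints sit at different sites, e.g. on-prem to
    public cloud or to an external address: the hops NetOps does not own."""
    flagged = []
    for src, dst, proto, port, _ in flows:
        s_site = inventory.get(src, (None, "external"))[1]
        d_site = inventory.get(dst, (None, "external"))[1]
        if s_site != d_site:
            flagged.append((src, dst, s_site, d_site, proto, port))
    return flagged


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    deps = map_dependencies(flows, INVENTORY)
    print("front-end -> billing-db observed:",
          talks_to(deps, "web-frontend", "billing-db"))
    for rule in allow_rules(deps):
        print("ALLOW", rule)
    for flow in cross_site_flows(flows, INVENTORY):
        print("CROSS-SITE", flow)
```

Run against the constructed data, the map answers the article’s own questions: the front end talks to orders-db but never to billing-db, so a rule allowing it to reach every database would be wider than the application needs, and the primary-site SQL server does reach the backup-site file server over port 445, which is a cross-site flow worth keeping in the policy rather than discovering by breaking it. The unknown external source is deliberately kept out of the allow-list and surfaced in the cross-site report instead.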
The ability to interact with the network programmatically means network operations can deal with the network as a single source of truth — and achieve better visibility than ever before. NetOps can peer into traffic flows that were until recently masked by complexity and network abstraction using:
- On and off-box automation methods
- The variety of automation tools now at our disposal
With the proliferation of IoT, the public cloud, and the ubiquity of network abstraction, network visibility software is a primary tool in a network operator’s toolbelt. The growing complexity of networking means that network visibility is no longer a luxury, but a necessity for IT and the business.