The Purview™ Solution – Technical Overview
Network-powered application analytics and optimization
A SOLUTION WHITE PAPER
Introduction
Architectural Advantages of Purview: Built-in Intelligence and Deep Packet Inspection (DPI) with a difference
Purview is a network-powered application analytics and optimization solution that captures and analyzes context-based application traffic to deliver meaningful intelligence about applications, users, locations and devices.
It is the industry's first and only (patent pending) solution to transform the network into a strategic business asset by enabling the mining of network-based business events and strategic information that help business leaders make faster and more effective decisions. It does all this from a centralized command and control center that combines network management with business analytics, at unprecedented scale (100M sessions) and scope.
Enterprise mobility is about more than the mobile device. Providing access to data from any device has also changed the application landscape: away from installing and maintaining traditional applications, towards cloud-based delivery models such as SalesForce.com, Google Apps, AWS business applications, and many more. Millions of new applications have been developed to support new workflows on mobile devices, with new "apps" showing up every day; some become business critical the next day while others may have no real value. Mobile device users also expect instant access to social media. Social, mobile, cloud and Big Data are everywhere. To maximize the user experience, IT must make sure that applications can be seamlessly delivered from the cloud, private or public, to the mobile users and devices that require them.
With the flexibility and agility of this new application world comes a new set of challenges for IT and the business. The transport of those applications from private and public cloud data centers is mostly encapsulated within HTTP and/or HTTPS connections (web traffic). This results in a total lack of visibility and control. And it applies not only at the access layer but also in the data center: private cloud data centers using service-oriented architectures (SOA) and virtualization make it hard to identify applications and provide appropriate services at huge scale with high throughput (80% of the traffic in those data centers stays within the data center).
Purview – White Paper
2
Figure 1–Loss of application visibility and control ("Apps Everywhere – Public and Private Cloud": how users see applications vs. how traditional switches see them, as Port 80 and Port 443)
These challenges drive the need for a pervasive, network-based application visibility and control architecture using Deep Packet Inspection (DPI) technologies. Many solutions currently on the market, such as Network or Application Performance Management (NPM, APM) solutions, may offer visibility into the application but are not able to provide control over the application. Solutions such as next-generation firewalls (NG-FW), WAN accelerators, application delivery controllers (ADC) and Wi-Fi specific solutions rely on funneling large amounts of traffic from across the network through an appliance (a choke point) to overcome the scalability and/or cost challenges that are typically associated with DPI in the enterprise IT infrastructure.
In addition, these solutions are de-coupled from one another: there is no homogeneous application classification across all of these various tools, so true end-to-end management and control becomes impossible. The fragmented nature of using individual point products does not allow for a unified management view of the entire network, which makes it difficult to manage the network in its entirety.
A DPI architecture that can be deployed at scale, across the entire network infrastructure from the data center to the mobile edge, wired and wireless, will provide this superior user experience while optimizing network resource utilization. A well-integrated and unified solution can also eliminate point products, thereby reducing the operational complexity and cost associated with these existing approaches. By providing more contextual information, the solution becomes a business asset for analytics and network-driven business intelligence.
This is what makes up "project Purview". In summary, the solution is a patent-pending architecture with the following key differentiators:
• Unmatched throughput at Tbit/s speeds with up to 2.56 Tbit/s per switch and no performance impact for flow visibility and control
• Massive scale for millions of flows (up to 100M flows per switch) at a million flows per minute
• Pervasive across the entire network infrastructure with no network overlay
• Transport-layer-independent application detection and decoding – true DPI at scale
• Single architecture for edge, distribution, core, data center, perimeter
• Contextual information beyond the application – user, role, location, time, device
• Open, customizable application fingerprints on top of 13,000 pre-defined ones
• Integrations with 3rd party products such as Splunk and SIEM
How is that all possible? The 3 main solution components that make up this unique architecture are:
• OneFabric Control Center
• Purview Application Fingerprint Engine
• CoreFlow2 based Data Collection Device (Data Plane) and a million flows a minute!
Extreme Networks offers a unified application delivery fabric from the data
center to the edge, including wired, wireless, and mobile. By creating one network
environment, delivering one network and application experience, OneFabric
Control Center provides centralized visibility and control over the entire network.
Centralized visibility and control enables infrastructure and application teams to
work together, eliminating costly misalignments and errors that occur through
typical operational workflows. Embedded automation and orchestration features
improve application delivery for dynamic and mobile environments leveraging
cloud, virtualization, and server/storage consolidation.
OneFabric Control Center provides a unified, centralized management and control experience, which allows network operations to leverage the power and intelligence built into Extreme Networks networking solutions and so unlock the full potential of Purview. Finally, OneFabric Control Center integrates with major virtualization solutions, delivering unique and differentiated capabilities for virtual data centers and enabling the software-defined data center (SDDC).
With all of the data that the solution is able to generate, it is critically important that users are presented with a fast and intuitive reporting interface, which is the key enabler for efficient analytics.
The initial dashboard shows aggregate data at a glance for the total number of distinct applications in use on the network along with total bandwidth consumed, total number of clients, and more:
Figure 2–Dashboard
At the next level the view shows fingerprinted applications on a coordinated plot. As expected, the huge majority of modern communications take place over the HTTP and HTTPS protocols, therefore the graph is tilted towards the "Web Applications" group:
Figure 3–Radar view of applications
Another powerful visualization technique is the treemap view. This technique plots each application group within a colored box, and the size of each box is related to the amount of bandwidth consumed (although this can be changed to other metrics such as the number of clients). A treemap instantly allows the user to easily view large amounts of data and quickly gain an understanding of the relative importance of each fingerprinted application:
Figure 4–Treemap view of applications by group
The solution provides pre-configured vertical-specific dashboards for several primary verticals such as Healthcare, Education and so forth. The following example is the Enterprise Dashboard, which displays bandwidth usage over time for applications that are primarily used within a typical enterprise network. These dashboards are customizable so that customers can influence the set of applications that are selected for dashboard display:
Figure 5–Loss of application visibility and control
Drilling deeper into the data, the following screenshot shows the "top clients" view for a selected application, here Google Mail traffic. This allows the user to quickly understand which client is consuming the most resources in terms of a specific selected application. Below we see that the client IP 134.141.68.78 has consumed well over twice the amount of bandwidth for Gmail than the next closest client (134.141.235.9):
Figure 6–Top clients per application
If one chooses to combine this information within OneFabric Control Center
with contextual information from the network access control solution then user,
role, device type and location can also be used for those reporting and data
aggregation purposes.
Drilling down again, the “Application Flows” view for Google traffic displays
everything from the application name (Google), to application context to TCP vs.
application response times.
The application layer context can be selected from the application flows view, and allows the user to gain a detailed understanding of the application layer beyond what is included in the typical fingerprint. That is, for HTTP, context fields such as the raw URI, cookie information, the HTTP request method, and more are included:
Figure 7–Application Flow Context
The solution can measure and differentiate TCP vs. application response times. This
allows network administrators to quickly differentiate a network related issue from
an application layer issue.
The solution also provides users with the ability to view and customize application fingerprints, whereas other application fingerprinting vendors do not disclose how they do their fingerprinting: they release neither their signature sets nor the signature languages they build into their products. The Purview solution breaks with this practice:
Figure 8–Open fingerprint database
The Purview application fingerprint engine, managed by OneFabric Control Center, provides transport-independent application detection using DPI technologies. This means that OSI layer 4 through layer 7 packets are sent to the fingerprint engine for inspection; protocol headers are decoded and reassembled, and the application is determined by applying various fingerprinting techniques to the header, the content and other characteristics of the traffic flow. This information is combined with flow statistics coming from the data plane and sent up to OneFabric Control Center, where it is combined with contextual information like user and user role, device type used, location and other attributes of the parties and endpoints that are involved in a particular communication and application traffic flow (refer to Figure 9 below).
CoreFlow2 is the cornerstone of Extreme Networks’ switching technology (in the
S-Series and K-Series switching products) and the key component in the Purview
data plane – addressing the need for application visibility and control. CoreFlow2 is
a highly programmable, custom designed flow based ASIC which delivers flexibility
in flow classification, policy enforcement and packet reframing, not found in
competitive offerings. The granularity of flow awareness and control is unsurpassed,
and translates into real-world benefits in the data center and across the entire
campus network infrastructure from edge to core.
Based on the flow-based ASIC design, the switch detects new flows and sends a few packets for each new flow to the engine for application fingerprinting and context extraction. This function enables the scale of the solution as the appliance does not need to see all packets of a flow, does not need to be in-line with the application traffic and, thanks to remote mirroring, can be deployed anywhere in the network. Combined with the non-sampled (Net)flow statistics from the application flow, these results provide full application flow visibility within the OneFabric Control Center. Policy enforcement can subsequently be based on the application visibility provided.
Figure 9 – Purview solution components: OneFabric Control Center (Visibility, Control, Context); Purview Engine (Collect, Analyze, Classify); CoreFlow2 Data Collection Device (NetFlow, Purview Mirror); massive scalability, multiple Tbit/s and millions of flows
The proof points to our claims about differentiation look like this:
Unmatched throughput at Tbit/s speeds with up to 2.56 Tbit/s per switch and no performance impact for flow visibility and control
The flow-based CoreFlow2 architecture in Extreme Networks products is unique. The technology comprises more than 15 years of advanced research and development, providing industry-leading application visibility and control at terabit speeds. It also provides investment protection and future proofing through programmable interfaces, yielding both technical and business benefits. Unlike a Longest Prefix Match design that uses (T)CAM (ternary content addressable memory), a flow-based switch using an ASIC design like CoreFlow2 provides an exact match lookup for each packet of a flow against the flow table. The flow table is implemented in the memory system that is directly connected to the packet processor (the CoreFlow2 ASIC).
As the system is already flow-aware, additional features like NetFlow, NAT, SLB (LSNAT), GRE, 6in4/6in4 tunneling and others run at wire speed and are easier to implement at scale. Because the first packet of a new flow is processed in the control plane, additional controls and manipulations (like forwarding/mirroring) and potentially the integration with external flow admission systems can be easily implemented. This lays the basis for software-defined networking (SDN). It is also how the forensic mirroring is implemented.
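The first-packet-to-software path and the mirroring of only a flow's leading packets described above, as an added Python model that is not Extreme Networks' code: the exact-match flow table, the three-packet mirror budget (MIRROR_FIRST_N), the per-flow counters and the telnet-drop policy are constructed assumptions of the example, not Purview parameters.

```python
"""Toy model of a flow-based data plane (added example; not Extreme Networks' code).
Constructed assumptions: flows are keyed by the exact 5-tuple; the first packet of an
unknown flow is punted to a software slow path that fixes the flow's action and how many
leading packets are copied to the fingerprint engine; every later packet is an
exact-match hit that only updates per-flow counters (the unsampled NetFlow statistics).
"""
from dataclasses import dataclass, field

MIRROR_FIRST_N = 3   # assumed value: leading packets per new flow sent to the engine


@dataclass
class FlowEntry:
    action: str            # decided once, on the first packet
    mirror_left: int       # leading packets still to copy to the engine
    packets: int = 0       # per-flow counters, updated for every packet
    octets: int = 0


@dataclass
class FlowSwitch:
    table: dict = field(default_factory=dict)      # exact-match flow table
    slow_path_hits: int = 0                        # packets that reached software
    mirrored: list = field(default_factory=list)   # (key, payload) sent to the engine

    def slow_path(self, key):
        """Control-plane decision for the first packet of a new flow."""
        self.slow_path_hits += 1
        proto, _src, _sport, _dst, dport = key
        # constructed policy: unencrypted telnet is dropped, everything else forwarded
        action = "drop" if proto == "tcp" and dport == 23 else "forward"
        return FlowEntry(action=action, mirror_left=MIRROR_FIRST_N)

    def handle(self, key, size, payload):
        """Process one packet; returns the action applied to it."""
        entry = self.table.get(key)
        if entry is None:                 # table miss: this is a new flow
            entry = self.slow_path(key)
            self.table[key] = entry
        entry.packets += 1                # fast path: counters only, no software
        entry.octets += size
        if entry.mirror_left > 0:         # only the leading packets reach the engine
            entry.mirror_left -= 1
            self.mirrored.append((key, payload))
        return entry.action

    def netflow_record(self, key):
        """Export-style summary of one flow built from the hardware counters."""
        e = self.table[key]
        return {"key": key, "packets": e.packets, "octets": e.octets, "action": e.action}


def demo():
    """Constructed traffic: one 10-packet HTTPS flow and one telnet attempt."""
    sw = FlowSwitch()
    web = ("tcp", "10.0.0.5", 51000, "93.184.216.34", 443)
    for i in range(10):
        sw.handle(web, 100, b"payload-%d" % i)
    tn = ("tcp", "10.0.0.5", 51001, "10.0.0.9", 23)
    tn_action = sw.handle(tn, 60, b"\xff\xfd\x18")
    return {
        "slow_path_hits": sw.slow_path_hits,      # 2: one per new flow, not per packet
        "mirrored_packets": len(sw.mirrored),     # 4: 3 from the web flow, 1 from telnet
        "web_record": sw.netflow_record(web),     # all 10 packets / 1000 octets counted
        "telnet_action": tn_action,               # "drop"
    }


if __name__ == "__main__":
    print(demo())
```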
Leveraging this flow-based architecture in the S-Series and K-Series switches, Extreme Networks has implemented NetFlow version 5 and version 9 on both CoreFlow2 platforms. Extreme Networks can provide this functionality without any performance deficit by leveraging the inherent functionality of its flow-based CoreFlow2 architecture, which collects NetFlow statistics in the flow-based ASIC for every packet in every flow without sacrificing CPU or switching performance. The Extreme Networks implementation enables the collection of NetFlow data on both switched and routed frames, allowing the modules in all areas of a network infrastructure to collect and report unsampled flow data at gigabit and even terabit speeds. The highest performing system today, the Extreme Networks S8 Series, scales up to 2.56 Tbit/s.
Every packet in every flow is tracked at the scale necessary for any size of data center. For example, the S-Series can collect and report over 70,000 (Net)flow records per second in a fully populated S-Series chassis. This is an order of magnitude greater performance than any other appliance vendor and as such can provide network managers with 100% traffic visibility in the data center.
Massive scale for millions of flows (up to 100M flows per switch)
It is essential to understand that the notion of a "flow" is what makes the data plane for CoreFlow2 and an SDN infrastructure different. Why is this important at all? When you use a flow-based system, the first packet can be used to make very sophisticated decisions in software (and thus in the controller or even other applications), and then subsequently all packets of that flow are switched in hardware. This is also the basis for all of the new, advanced and agile services that are associated with SDN. As you are going to provide application visibility in the data plane, it results in more and more flows. So how many flows are we talking about? Based on our experience, one can expect one to two new flows per second per client device like a desktop or tablet, and anywhere from 10 to 20 concurrent flows per device as well, if you consider the edge of the network. A server in an enterprise data center is typically 10x higher than that (in terms of flows per second and concurrent flows). Servers hosting internet-facing services will be orders of magnitude higher. So this means that given a standard 10,000-employee enterprise campus network with three devices per user, one can expect up to 30k to 60k new flows per second and also 300k to 600k concurrent flows in normal operation. The Extreme Networks CoreFlow2 ASICs are able to support up to 100M concurrent flows today in a 2.56 Tbit/s system, or at a million flows per minute. The memory system attached to the packet processor in the switch enables this scale of flows at an optimized cost.
Pervasive across entire network infrastructure
The Extreme Networks S-Series® is the premier family of high performance enterprise Ethernet switching and routing solutions from Extreme Networks. The Extreme Networks S-Series delivers a powerful combination of Terabit-class performance along with granular visibility and control over users, services and applications to meet the increasing demands of today's businesses and enable optimization of key technologies including voice and video, virtualization and cloud computing. The S-Series uses a modular architecture to provide specific configurations and classes that meet a variety of performance and value requirements from Small Enterprise/Edge to Medium Enterprise/Small Network Core and Large Enterprise/Data Center.
The Extreme Networks K-Series is the most cost-effective flow-based switching
solution in the industry. Providing exceptional levels of automation, visibility and
control at the network edge, these flexible, modular switches significantly reduce
operational costs while still offering premium features.
With both platforms one can achieve pervasive application visibility and control
across the enterprise.
Transport-layer-independent application detection and decoding – true DPI at scale
While some vendors attempt to deduce the application layer just by looking at
NetFlow records, such a strategy is doomed to failure over the long term as more
applications are increasingly delivered over HTTP/HTTPS and others make transport
layer port numbers completely meaningless. What is needed is both signature and
heuristics based inspection of application layer data in order to gain genuine visibility
into what is happening on the wire. With the ability to inspect the application layer,
we can do a lot better. Imagine an application fingerprinting engine that has an array
of application decoders - including one for SSL - that can drive application layer
inspection based on both signatures and heuristic techniques in a port independent
way. Want to detect SSH connections over TCP port 443? Want to parse SSL
certificates for common names associated with some of the largest web services
in the industry? Want to identify how applications are communicating in the cloud
regardless of the fact that such communications are traveling over HTTP and HTTPS?
Want to do all of this at a massive scale on large networks? This is what Purview
does. The fingerprint engine provides true DPI, the forensic mirror in conjunction
with non-sampled NetFlow provides the scale.
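The port-independent inspection described above, as an added Python example that is not Purview's fingerprint engine nor code from Extreme Networks: it labels a flow from its leading bytes alone, recognising an SSH banner on TCP port 443 and reading the server name out of a TLS ClientHello. The SSH banner and ClientHello byte layouts are the real wire formats; the sample flows, the helper names and the choice of the ClientHello SNI extension in place of the certificate common name the paper mentions (SNI is present in the flow's very first packet) are assumptions of this example.

```python
"""Port-independent identification of a flow's leading bytes (added example; not
Purview's engine).  Wire formats are real; the flows and helper names are constructed."""
import struct


def tls_client_hello_sni(data: bytes):
    """Return the SNI host name of a TLS ClientHello, or None if data is not one."""
    try:
        # record header (5) + handshake header (4); 0x16 = handshake, 0x01 = ClientHello
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        pos = 9 + 2 + 32                  # skip client version and 32-byte random
        pos += 1 + data[pos]              # session id
        pos += 2 + struct.unpack(">H", data[pos:pos + 2])[0]   # cipher suites
        pos += 1 + data[pos]              # compression methods
        ext_len = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(data))
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", data[pos:pos + 4])
            pos += 4
            if etype == 0 and elen >= 5:  # server_name: list len(2), type(1), name len(2), name
                name_len = struct.unpack(">H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        pass                              # truncated, or not TLS at all
    return None


def classify_content(first_bytes: bytes) -> str:
    """Label a flow from its payload alone; the TCP port is never consulted."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    sni = tls_client_hello_sni(first_bytes)
    if sni is not None:
        return "tls:" + sni
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD"):
        return "http"
    return "unknown"


def build_client_hello(host: str) -> bytes:
    """Minimal well-formed ClientHello carrying one SNI entry (constructed test input)."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name
    sni_list = struct.pack(">H", len(entry)) + entry
    ext = struct.pack(">HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
            + struct.pack(">H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # one compression method: null
            + struct.pack(">H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def port_vs_content(flows):
    """For each (dst port, first bytes): what the port suggests vs. what the bytes say."""
    by_port = {22: "ssh", 80: "http", 443: "tls"}
    return [(port, by_port.get(port, "unknown"), classify_content(data)) for port, data in flows]


if __name__ == "__main__":
    sample = [(443, b"SSH-2.0-OpenSSH_8.9\r\n"),            # SSH on the HTTPS port
              (443, build_client_hello("mail.google.com")),
              (8080, b"GET /index.html HTTP/1.1\r\n")]
    for row in port_vs_content(sample):
        print(row)
```

Running the block shows the first flow labelled "tls" by port but "ssh" by content, which is exactly the disagreement a port-only classifier cannot see.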
Single architecture for edge, distribution, core, data center, perimeter
Many solutions currently on the market, such as Network and Application Performance Management (NPM, APM) solutions, may offer visibility into the application but are not able to provide control over the application. Solutions such as next-generation firewalls, WAN accelerators, application delivery controllers and Wi-Fi specific solutions rely on funneling large amounts of traffic from across the network through a single appliance (a choke point) to overcome the scalability and/or cost challenges that are typically associated with DPI in the enterprise IT infrastructure. In addition, these solutions are de-coupled from one another: there is no homogeneous application classification across all of these various tools, so true end-to-end management becomes impossible. The fragmented nature of using individual point products does not allow for a unified management view of the entire network, which makes it difficult to manage the network in its entirety. This in turn makes it impossible for IT to provide a superior user experience for application delivery, from the virtualized private cloud data centers and public cloud services to the end user, from within a single management system. Purview can be deployed across all layers of the enterprise network, thus providing a single architecture to address those challenges.
Contextual information beyond the application – user, role, location, time, device
Going beyond simple role-based access control, OneFabric Control Center uses Context Based Policy Management, enabling a single policy approach for wired, wireless and VPN deployments at the edge and in the data center that simplifies management and eliminates potential security holes. Context-based policy management extends the access control decision beyond user and role to include the entire context of the requested access: user and role, device type and identity, device location, day and time, authentication method and device security posture. This information is combined with the application flow information from the Purview engine.
As part of the network access control process, the username can be used to authenticate employees and to distinguish different employees and their roles from guests and contractors. This can be used to grant access to required networked resources, identify different business units and also enforce bandwidth policies per application when combined with the upcoming Purview enforcement options. Device attributes are used to determine whether the device is managed by the IT department or is a BYOD device, which one can then report on. The device attributes also determine the type of device and the operating system. A device's location can be determined as coarsely as wired vs. wireless vs. VPN (i.e. outside the corporate boundaries) or as granularly as switch and port or SSID and access point.
OneFabric Control Center integrates with external systems via OneFabric
Connect - a set of APIs that increase visibility and control to new heights. The
additional attributes derived from the integration include customizable entries
that enable integration with third party technologies such as Mobile Device
Management (MDM), VM Management, Configuration Management Databases
(CMDB) and next generation firewalls. The data that Purview provides can be
accessed via OneFabric Connect as well to create new integrations or augment
existing integrations.
The additional context provided unlocks the power of Purview even further and is the
basis for network driven application analytics – at unmatched scale and performance.
Open, massive and customizable application fingerprints
With a library of more than 7,000 applications with over 13,000 fingerprints and growing, and the ability to easily create your own fingerprint, Purview can identify virtually any application. And since fingerprints are XML formatted, they can be easily created and edited.
Simplified Integration with Connect SDN API
Purview can easily integrate with 3rd party applications. In fact, Purview has already
integrated and acts as a data broker for the Extreme Networks SIEM product and
Splunk software from Splunk, Inc.
http://www.ExtremeNetworks.com/contact
Phone +1-408-579-2800
©2014 Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc.
in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks
please see http://www.extremenetworks.com/about-extreme/trademarks.aspx. Specifications and product availability are subject to change without notice. 5984-0114