The Purview™ Solution – Technical Overview
Network-powered application analytics and optimization
A SOLUTION WHITE PAPER

Introduction

Architectural Advantages of Purview: Built-in Intelligence and Deep Packet Inspection (DPI) with a difference

Purview is a network-powered application analytics and optimization solution that captures and analyzes context-based application traffic to deliver meaningful intelligence about applications, users, locations and devices. It is the industry's very first and only (patent pending) solution to transform the network into a strategic business asset, by enabling the mining of network-based business events and strategic information that help business leaders make faster and more effective decisions. It does all this from a centralized command control center that combines network management with business analytics, at unprecedented scale (100M sessions) and scope.

Enterprise mobility is more than the mobile device. Providing access to data from any device has also resulted in a change of the application landscape: away from installing and maintaining traditional applications, towards cloud-based delivery models such as SalesForce.com, Google Apps, AWS Business Applications and many more. Millions of new applications have been developed to support new workflows on mobile devices, with new "apps" showing up every day; some become business critical the next day while others may have no real value. Instant access to social media is expected by mobile device users as well. Social, mobile, cloud and Big Data are everywhere. To maximize the user experience, IT must make sure that applications can be seamlessly delivered from the cloud (private or public) to the mobile users and devices that require them. With the flexibility and agility of this new application world there also comes a new set of challenges for IT and the business.
The transport from private and public cloud data centers for those applications is mostly encapsulated within an HTTP and/or HTTPS connection (web traffic). This results in a total lack of visibility and control, and it applies not only at the access layer but also in the data center: private cloud data centers utilizing software oriented architectures (SOA) and virtualization make it hard to identify applications and provide appropriate services at huge scale with high throughput (80% of the traffic in those data centers stays within the data center).

Purview – White Paper 2

Figure 1 – Loss of application visibility and control (Apps everywhere, public and private cloud: how users see applications vs. how traditional switches see applications, namely as port 80 and port 443)

These challenges drive the need for a pervasive, network-based application visibility and control architecture using Deep Packet Inspection (DPI) technologies. Many solutions currently on the market, such as Network or Application Performance Management (NPM, APM) solutions, may offer visibility into the application but they are not able to provide control over the application. Solutions such as next generation firewalls (NG-FW), WAN accelerators, application delivery controllers (ADC) and Wi-Fi specific solutions rely on funneling large amounts of traffic from across the network through an appliance (choke points) to overcome the scalability and/or cost challenges that are typically associated with DPI in the enterprise IT infrastructure. In addition, these solutions are de-coupled from one another: there is no homogeneous application classification between all of these various tools, so true end-to-end management and control becomes impossible. The fragmented nature of using individual point products does not allow for a unified network management view of the entire network, which makes it difficult to manage the network in its entirety.
A DPI architecture that can be deployed at scale, across the entire network infrastructure from the data center to the mobile edge, wired and wireless, will provide this superior user experience while optimizing network resource utilization. A well integrated and unified solution can also eliminate point products, thereby reducing the operational complexity and cost associated with these existing approaches. By providing more contextual information the solution becomes a business asset for analytics and network-driven business intelligence. This is what makes up "project Purview". In summary, the solution is a patent pending architecture with the following key differentiators:

• Unmatched throughput at Tbit/s speeds with up to 2.56 Tbit/s per switch and no performance impact for flow visibility and control
• Massive scale for millions of flows (up to 100M flows per switch) at a million flows per minute
• Pervasive across the entire network infrastructure with no network overlay
• Transport layer independent application detection and decoding: true DPI at scale
• Single architecture for edge, distribution, core, data center, perimeter
• Contextual information beyond the application: user, role, location, time, device
• Open, customizable application fingerprints on top of 13,000 pre-defined ones
• Integrations with 3rd party products such as Splunk and SIEM

How is that all possible? The three main solution components that make up this unique architecture are:

• OneFabric Control Center
• Purview Application Fingerprint Engine
• CoreFlow2 based Data Collection Device (Data Plane)

Extreme Networks offers a unified application delivery fabric from the data center to the edge, including wired, wireless, and mobile. By creating one network environment, delivering one network and application experience, OneFabric Control Center provides centralized visibility and control over the entire network.
Centralized visibility and control enables infrastructure and application teams to work together, eliminating costly misalignments and errors that occur through typical operational workflows. Embedded automation and orchestration features improve application delivery for dynamic and mobile environments leveraging cloud, virtualization, and server/storage consolidation. OneFabric Control Center provides a unified, centralized management and control experience, which allows network operations to leverage the power and intelligence built into Extreme Networks networking solutions and so unlock the full potential of Purview. Finally, OneFabric Control Center integrates with major virtualization solutions, delivering unique and differentiated capabilities for virtual data centers and enabling the software defined data center (SDDC).

With all of the data that the solution is able to generate, it is critically important that users are presented with a fast and intuitive reporting interface, which is the key enabler for efficient analytics. The initial dashboard shows aggregate data at a glance for the total number of distinct applications in use on the network, along with total bandwidth consumed, total number of clients, and more:

Figure 2 – Dashboard

At the next level the view shows fingerprinted applications on a coordinated plot. As expected, the huge majority of modern communications take place over the HTTP and HTTPS protocols, therefore the graph is tilted towards the "Web Applications" group:

Figure 3 – Radar view of applications

Another powerful visualization technique is the treemap view. This technique plots each application group within a colored box, and the size of each box is related to the amount of bandwidth consumed (although this can be changed to other metrics such as the number of clients).
A treemap instantly allows the user to easily view large amounts of data and quickly gain an understanding of the relative importance of each fingerprinted application:

Figure 4 – Treemap view of applications by group

The solution provides pre-configured vertical-specific dashboards for several primary verticals such as Healthcare, Education and so forth. The following example is the Enterprise Dashboard, which displays bandwidth usage over time for applications that are primarily used within a typical enterprise network.

Figure 5 – Loss of application visibility and control

These dashboards are customizable, so that customers can influence the set of applications that are selected for dashboard display. Drilling deeper into the data, the following screenshot shows the "top clients" view for a selected application, here Google Mail traffic. This allows the user to quickly understand which client is consuming the most resources for a specific selected application. Below we see that the client IP 134.141.68.78 has consumed well more than twice the amount of bandwidth for Gmail than the next closest client (134.141.235.9):

Figure 6 – Top clients per application

If one chooses to combine this information within OneFabric Control Center with contextual information from the network access control solution, then user, role, device type and location can also be used for those reporting and data aggregation purposes. Drilling down again, the "Application Flows" view for Google traffic displays everything from the application name (Google) to application context to TCP vs. application response times. The application layer context can be selected from the application flows view, and allows the user to gain a detailed understanding of the application layer beyond what is included in the typical fingerprint.

Figure 7 – Application Flow Context
That is, for HTTP, context fields such as the raw URI, cookie information, the HTTP request method, and more are included. The solution can measure and differentiate TCP vs. application response times. This allows network administrators to quickly differentiate a network related issue from an application layer issue.

The solution also provides users with the ability to view and customize application fingerprints, whereas other application fingerprinting vendors do not release how they do their fingerprinting. They don't release their signature sets, let alone the signature languages they build into their products. The Purview solution eliminates this trend:

Figure 8 – Open fingerprint database

The Purview application fingerprint engine, managed by OneFabric Control Center, provides transport independent application detection using DPI technologies. This means that OSI layer 4 through layer 7 packets are sent to the fingerprint engine for inspection; protocol headers are decoded and reassembled, and various fingerprinting techniques are applied to the header, the content and other characteristics of the traffic flow to determine the application. This information is combined with flow statistics coming from the data plane and sent up to OneFabric Control Center, where it is combined with contextual information like user and user role, device type used, locations and other attributes of the parties and endpoints that are involved in a particular communication and application traffic flow (refer to Figure 9 below).

CoreFlow2 is the cornerstone of Extreme Networks' switching technology (in the S-Series and K-Series switching products) and the key component in the Purview data plane, addressing the need for application visibility and control. CoreFlow2 is a highly programmable, custom designed flow based ASIC which delivers flexibility in flow classification, policy enforcement and packet reframing not found in competitive offerings.
The granularity of flow awareness and control is unsurpassed, and translates into real-world benefits in the data center and across the entire campus network infrastructure from edge to core. Based on the flow based ASIC design, the switch detects new flows and sends a few packets of each new flow to the engine for application fingerprinting and context extraction. This function enables the scale of the solution, as the appliance does not need to see all packets of a flow, does not need to be in-line with the application traffic and, thanks to remote mirroring, can be deployed anywhere in the network. Combined with the non-sampled (Net)flow statistics for the application flow, these results provide full application flow visibility within the OneFabric Control Center. Policy enforcement can subsequently be based on the application visibility provided.

Figure 9 – Purview solution components (panel labels: Visibility, Control, Context; Collect, Analyze, Classify; OneFabric Control Center; Purview Engine; NetFlow, Purview Mirror; Massive scalability: multiple Tbit/s and millions of flows; CoreFlow2 Data Collection Device)

The proof points for our claims about differentiation look like this:

Unmatched throughput at Tbit/s speeds with up to 2.56 Tbit/s per switch and no performance impact for flow visibility and control

The flow based CoreFlow2 architecture in Extreme Networks products is unique. The technology comprises more than 15 years of advanced research and development, providing industry leading application visibility and control at terabit speeds. It also provides investment protection and future proofing through programmable interfaces, yielding both technical and business benefits. Unlike a Longest Prefix Match design that uses (T)CAM content addressable memory, a flow based switch using an ASIC design like CoreFlow2 provides an exact match lookup for each packet of a flow against the flow table.
The flow table is implemented in the memory system that is directly connected to the packet processor (the CoreFlow2 ASIC). As the system is already flow-aware, additional features like NetFlow, NAT, SLB (LSNAT), GRE, 6in4/6in4 tunneling and others run at wire speed and are easier to implement at scale. Because the first packet of a new flow is processed in the control plane, additional controls, manipulations (like forwarding/mirroring) and potentially the integration with external flow admission systems can be easily implemented. The basis for software defined networks (SDN) is laid out. This is also how the forensic mirroring is implemented.

Leveraging this flow-based architecture in the S-Series and K-Series switches, Extreme Networks has implemented NetFlow version 5 and version 9 on both CoreFlow2 platforms. Extreme Networks can provide this functionality without any performance deficit by leveraging the inherent functionality of its flow-based CoreFlow2 architecture, which collects NetFlow statistics in the flow based ASIC for every packet in every flow without sacrificing CPU or switching performance. The Extreme Networks implementation enables the collection of NetFlow data on both switched and routed frames, allowing the modules in all areas of a network infrastructure to collect and report unsampled flow data at gigabit and even terabit speeds. The highest performing system today, the Extreme Networks S8 Series, scales up to 2.56 Tbit/s. Every packet in every flow is tracked at the scale necessary for any size of data center. For example, the S-Series can collect and report over 70,000 (Net)flow records per second in a fully populated S-Series chassis. This is an order of magnitude greater performance than any other appliance vendor and as such can provide network managers with 100% traffic visibility in the data center.
Massive scale for millions of flows (up to 100M flows per switch)

It is essential to understand that the notion of a "flow" is what makes the data plane for CoreFlow2 and an SDN infrastructure different. Why is this important at all? When you use a flow-based system, the first packet can be used to make very sophisticated decisions in software (and thus in the controller or even other applications), and subsequently all packets of that flow are switched in hardware. This is also the basis for all of the new, advanced and agile services that are associated with SDN. As you are going to provide application visibility in the data plane, it results in more and more flows. So how many flows are we talking about? Based on our experience, one can expect one to two new flows per second per client device like a desktop or tablet, and anywhere from 10 to 20 concurrent flows per device as well, if you consider the edge of the network. A server in an enterprise data center is typically 10x higher than that (in terms of flows per second and concurrent flows). Servers hosting internet-facing services will be orders of magnitude higher. So this means that given a standard 10,000 employee enterprise campus network with three devices per user, one can expect up to 30k to 60k new flows per second and also 300k to 600k concurrent flows in normal operation. The Extreme Networks CoreFlow2 ASICs are able to support up to 100M concurrent flows today in a 2.56 Tbit/s system, or a million flows per minute. The memory system attached to the packet processor in the switch enables this scale of flows at an optimized cost.

Pervasive across the entire network infrastructure

The Extreme Networks S-Series® is the premier family of high performance enterprise Ethernet switching and routing solutions from Extreme Networks.
The Extreme Networks S-Series delivers a powerful combination of Terabit-class performance along with granular visibility and control over users, services and applications to meet the increasing demands of today's businesses and enable optimization of key technologies including voice and video, virtualization and cloud computing. The S-Series uses a modular architecture to provide specific configurations and classes that meet a variety of performance and value requirements, from Small Enterprise/Edge to Medium Enterprise/Small Network Core and Large Enterprise/Data Center.

The Extreme Networks K-Series is the most cost-effective flow-based switching solution in the industry. Providing exceptional levels of automation, visibility and control at the network edge, these flexible, modular switches significantly reduce operational costs while still offering premium features. With both platforms one can achieve pervasive application visibility and control across the enterprise.

Transport layer independent application detection and decoding: true DPI at scale

While some vendors attempt to deduce the application layer just by looking at NetFlow records, such a strategy is doomed to failure over the long term, as more and more applications are delivered over HTTP/HTTPS and others make transport layer port numbers completely meaningless. What is needed is both signature and heuristics based inspection of application layer data in order to gain genuine visibility into what is happening on the wire. With the ability to inspect the application layer, we can do a lot better. Imagine an application fingerprinting engine that has an array of application decoders, including one for SSL, that can drive application layer inspection based on both signatures and heuristic techniques in a port independent way. Want to detect SSH connections over TCP port 443?
Want to parse SSL certificates for common names associated with some of the largest web services in the industry? Want to identify how applications are communicating in the cloud regardless of the fact that such communications are traveling over HTTP and HTTPS? Want to do all of this at massive scale on large networks? This is what Purview does. The fingerprint engine provides true DPI; the forensic mirror in conjunction with non-sampled NetFlow provides the scale.

Single architecture for edge, distribution, core, data center, perimeter

Many solutions currently on the market, such as Network and Application Performance Management (NPM, APM) solutions, may offer visibility into the application but they are not able to provide control over the application. Solutions such as next generation firewalls, WAN accelerators, application delivery controllers and Wi-Fi specific solutions rely on funneling large amounts of traffic from across the network through a single appliance (choke points) to overcome the scalability and/or cost challenges that are typically associated with DPI in the enterprise IT infrastructure. In addition, these solutions are de-coupled from one another: there is no homogeneous application classification between all of these various tools, so true end-to-end management becomes impossible. The fragmented nature of using individual point products does not allow for a unified network management view of the entire network, which makes it difficult to manage the network in its entirety. This in turn makes it impossible for IT to provide a superior user experience for application delivery, from the virtualized private cloud data centers and public cloud services to the end-user, from within a single management system. Purview can be deployed across all layers of the enterprise network, thus providing a single architecture to address those challenges.
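The port-independent fingerprinting described under "Transport layer independent application detection and decoding" and the first-packets-to-the-engine data path of Figure 9, modelled together as an added Python example (not Extreme Networks code and not Purview's fingerprint format). The SSH and HTTP signatures, the three-packet mirror count, the 5-tuples and the packets are constructed assumptions, and the TLS decoder reads the ClientHello server name (SNI) rather than the certificate common name the paper mentions:

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS ClientHello carrying only a server_name extension."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def tls_sni(p: bytes):
    """Decode the SNI host name from a ClientHello; None if absent or malformed."""
    try:
        if p[0] != 0x16 or p[5] != 0x01:
            return None
        i = 9 + 2 + 32                                   # headers, version, random
        i += 1 + p[i]                                    # session id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]      # cipher suites
        i += 1 + p[i]                                    # compression methods
        end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4])
            if etype == 0:                               # server_name extension
                nlen = struct.unpack("!H", p[i + 7:i + 9])[0]
                return p[i + 9:i + 9 + nlen].decode("ascii", "replace")
            i += 4 + elen
    except (IndexError, struct.error):
        pass
    return None

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")
def fingerprint(payload: bytes):
    """Port-independent classification of one packet -> (application, context)."""
    if payload.startswith(b"SSH-"):                      # SSH banner signature
        return "ssh", {"banner": payload.split(b"\r\n", 1)[0].decode("ascii", "replace")}
    if payload.startswith(HTTP_METHODS):                 # HTTP request-line signature
        return "http", {"request": payload.partition(b"\r\n")[0].decode("ascii", "replace")}
    host = tls_sni(payload)                              # TLS decoder supplies context
    if host is not None:
        return "tls", {"sni": host}
    return "unknown", {}

class FlowSwitch:
    """Flow-based data path as the paper describes it: only the first packets of
    a new flow are mirrored to the engine; every packet is counted in the flow table."""
    def __init__(self, mirror_packets: int = 3):         # 3 is an illustrative assumption
        self.flows = {}
        self.mirror_packets = mirror_packets
        self.mirrored = 0                                # packets the engine actually saw

    def process(self, five_tuple, payload: bytes) -> dict:
        rec = self.flows.setdefault(five_tuple, {"packets": 0, "octets": 0,
                                                 "app": "unknown", "context": {}})
        rec["packets"] += 1                              # unsampled per-flow statistics
        rec["octets"] += len(payload)
        if rec["packets"] <= self.mirror_packets:        # new flow: control-plane path
            self.mirrored += 1
            if rec["app"] == "unknown":
                rec["app"], rec["context"] = fingerprint(payload)
        return rec                                       # later packets: hardware only

SSH_FLOW = ("10.0.0.5", "203.0.113.7", 6, 51000, 443)   # constructed: SSH hidden on 443
WEB_FLOW = ("10.0.0.5", "203.0.113.9", 6, 51001, 443)   # constructed: TLS to a mail host

def demo() -> FlowSwitch:
    sw = FlowSwitch()
    for pkt in [b"SSH-2.0-OpenSSH_8.9\r\n"] + [b"\x00" * 64] * 9:
        sw.process(SSH_FLOW, pkt)
    for pkt in [build_client_hello("mail.example.com")] + [b"\x17\x03\x03" * 20] * 9:
        sw.process(WEB_FLOW, pkt)
    return sw
```

Both constructed flows use destination port 443, yet the SSH flow is classified by its banner and the TLS flow by its SNI, while the engine sees only 6 of the 20 packets and the flow table still holds full packet and byte counts for each.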
Contextual information beyond the application: user, role, location, time, device

Going beyond simple role based access control, OneFabric Control Center uses Context Based Policy Management, enabling a single policy approach for wired, wireless and VPN deployments at the edge and in the data center that simplifies management and eliminates potential security holes. Context based policy management extends the access control decision beyond user and role to include the entire context of the requested access, including user and role, device type and identity, device location, day and time, authentication method and device security posture. This information is combined with the application flow information from the Purview engine.

As part of the network access control process the username can be used to authenticate employees and to distinguish different employees and their roles from guests and contractors. This can be used to grant access to required networked resources, identify different business units and also enforce bandwidth policies per application when combined with the upcoming Purview enforcement options. Device attributes are used to determine whether the device is managed by the IT department or is a BYOD device that one can report on. The device attributes also determine the type of device and the operating system. A device's location can be determined as coarsely as wired vs. wireless vs. VPN (i.e. outside the corporate boundaries) or as granularly as switch and port or SSID and access point.

OneFabric Control Center integrates with external systems via OneFabric Connect, a set of APIs that increase visibility and control to new heights. The additional attributes derived from the integration include customizable entries that enable integration with third party technologies such as Mobile Device Management (MDM), VM management, Configuration Management Databases (CMDB) and next generation firewalls.
The data that Purview provides can be accessed via OneFabric Connect as well, to create new integrations or augment existing integrations. The additional context provided unlocks the power of Purview even further and is the basis for network driven application analytics, at unmatched scale and performance.

Open, massive and customizable application fingerprints

With a library of more than 7,000 applications with over 13,000 fingerprints and growing, and the ability to easily create your own fingerprint, Purview can identify virtually any application. And since fingerprints are XML formatted, they can be easily created and edited.

Simplified integration with Connect SDN API

Purview can easily integrate with 3rd party applications. In fact, Purview has already integrated with, and acts as a data broker for, the Extreme Networks SIEM product and Splunk software from Splunk, Inc.

http://www.ExtremeNetworks.com/contact
Phone +1-408-579-2800
©2014 Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks please see http://www.extremenetworks.com/about-extreme/trademarks.aspx. Specifications and product availability are subject to change without notice.
5984-0114
WWW.EXTREMENETWORKS.COM