By Brian Handrigan on Thursday, 16 May 2019
Category: Network Access Solutions

What to do when traffic overwhelms your monitoring tools

Growing traffic volume is a challenge for NetOps and SecOps as they work to ensure high-quality network performance and network security. As traffic volume exceeds a monitoring tool's capacity, congestion at the data port can cause a tool to slow down, start dropping packets, or even stop working altogether.

While you wait for budget approval to add capacity to your overworked monitoring tools, spend some time making sure you are doing everything you can to help the tools you have work efficiently. If you can boost return on your existing investments, management might feel more inclined to allocate additional funds.

These four words characterize strategies to increase the efficiency of high-volume traffic monitoring: Share. Eliminate. Offload. Filter.

Share tool capacity

The first strategy for improving tool efficiency is to make sure you can use the tool capacity you already have where it is needed most. Do an inventory of your monitoring tools. Is there a device in your monitoring system that is under-utilized while other devices are overloaded and oversubscribed? Adopt the practice of sharing tool capacity across your network, no matter where that tool is deployed. A network packet broker (NPB) functions as a centralized traffic manager, aggregating traffic from multiple network links and delivering whatever subset of that traffic you want to your tools. Traffic brokering eliminates the need to have tools on every segment.

Ideally, your tools should operate at no more than 80 percent of total capacity. This gives them headroom for normal operating peaks and microbursts. That threshold is difficult to maintain without a way to throttle and redistribute traffic when needed. An NPB provides automatic load balancing that senses overloaded tools and relieves them by distributing traffic across multiple devices. One check a practitioner should make: the load balancing must be flow-aware, keeping both directions of a session on the same tool, because a stateful tool (an IDS, or a TLS decryptor) that sees only one half of a conversation produces misses and false alarms. The same feature makes it easy to add a new device when that budget approval does come through. Plug the tool into the NPB anywhere on your network and the NPB can begin delivering traffic to it without taking any part of your network offline.

Eliminate redundant processing 

The next strategy is to eliminate unnecessary processing that uses up valuable capacity on your monitoring tools. Network paths in the modern enterprise are complex, and the same packet often crosses several monitored segments. To be sure you are monitoring every corner of your network, you probably collect traffic on a large majority of segments. That is good, but it also means the same packet is collected more than once, at every TAP or SPAN port it passes. If you send all of these duplicates through your monitoring tools, you are wasting a lot of processing cycles.

You can use a high-performance NPB to identify and eliminate duplicate packets before streaming traffic to your monitoring tools for analysis. This one technique can substantially reduce the workload for your tools and even eliminate the need to add capacity. Note that a duplicate is rarely a byte-for-byte copy: between two capture points the MAC addresses, the IP TTL and the IP header checksum change, so de-duplication must ignore those fields, and it should only suppress copies that arrive within a short time window so that genuine TCP retransmissions, which carry diagnostic signal, still reach the tools. If you haven't implemented de-duplication, you might be surprised at how much you can reduce workload. One academic study found 50 percent of all packets collected for analysis were duplicates.[1]

Offload non-core tasks

Organizations worldwide are using encryption more frequently to protect communications and sensitive data from being exposed or intercepted by malicious actors. That is a good thing, but any security or performance tool that inspects payload (a signature-based IDS, DLP, application-layer performance analysis) cannot see inside encrypted packets; it needs plaintext. Tools that work from flow records or handshake metadata still get value from encrypted traffic, but for payload inspection you need to decrypt the traffic before the tool processes it.

Some security tools offer onboard decryption as a way to generate the plain text they need. The downside of this approach is that decryption is very process-intensive and can quickly use up a tool's available capacity. In addition, you may end up decrypting the same packet at multiple tools, further wasting monitoring capacity.

A faster, more efficient approach is to offload decryption from your monitoring tools completely and let a more cost-efficient NPB do the work. An NPB like Ixia's Vision ONE with SSL/TLS 1.3 decryption capability decodes secure traffic one time and delivers plaintext packets to any monitoring tools you choose. Two caveats apply. Passive decryption, which needs only a copy of the server's private key, works solely for RSA key exchange; TLS 1.3 and any ECDHE cipher suite use ephemeral keys, so decrypting that traffic means the NPB must sit inline as a TLS intermediary with its own certificates, which makes it part of the traffic path rather than a passive observer. And the plaintext it emits is exactly what the encryption was protecting, so the tool ports that receive it need the same access controls as the servers themselves.

Filter to isolate relevant packets 

The last strategy is to deliver only the most relevant packets to each monitoring tool. Video traffic, for instance, can be irrelevant to security monitoring yet constitute a large portion of the traffic passing through your network. If you filter it out before security inspection, your tools deliver results more quickly and avoid congestion. Treat every filter rule as a deliberate blind spot, though: document it, review it periodically, and keep flow records for what you drop, so that what you exclude from inspection is still visible in aggregate.

The advanced filtering capabilities of an NPB streamline the workflow for each tool: send NetFlow data to the tools that need flow records and packet data to the tools that need payload. The intelligence of Ixia's Vision ONE NPB also allows you to isolate packets with particular characteristics to assist in problem resolution. For instance, if mobile users report delays or outages, you can deliver all of the packets associated with them to the troubleshooting tool.
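The three packet-level techniques above (flow-aware load balancing from the Share section, de-duplication from the Eliminate section, and class filtering from this section) are easiest to understand as one pipeline. The following is an added example written for this page, not Ixia code and not how Vision ONE implements these features; it is a toy broker in Python that runs over a handful of constructed Ethernet/IPv4 frames. The "video" rule (UDP to two hypothetical RTP ports), the 1 ms de-duplication window and the capture timestamps are all assumptions chosen for the demonstration.

```python
import hashlib
import struct
from collections import deque

ETH_LEN = 14                   # Ethernet II header length
IP_ETHERTYPE = b"\x08\x00"
# Constructed filter rule for the demo: UDP to these ports is the "video" class the security
# tools do not need. A real broker would classify on richer signals (subnets, SNI, DSCP).
VIDEO_UDP_PORTS = {5004, 5005}


def parse(pkt):
    """Minimal IPv4 + TCP/UDP parse: (proto, src_ip, dst_ip, sport, dport), or None."""
    if len(pkt) < ETH_LEN + 20 or pkt[12:14] != IP_ETHERTYPE:
        return None                          # non-IPv4 frames are dropped below; a real
    ihl = (pkt[ETH_LEN] & 0x0F) * 4          # broker would pass them through, not blind you
    proto, l4 = pkt[ETH_LEN + 9], ETH_LEN + (pkt[ETH_LEN] & 0x0F) * 4
    if proto not in (6, 17) or len(pkt) < l4 + 4:
        return None
    sport, dport = struct.unpack("!HH", pkt[l4:l4 + 4])
    return proto, pkt[ETH_LEN + 12:ETH_LEN + 16], pkt[ETH_LEN + 16:ETH_LEN + 20], sport, dport


def drop_video(hdr):
    proto, _, _, _, dport = hdr
    return proto == 17 and dport in VIDEO_UDP_PORTS


def dedup_key(pkt):
    """Digest of the frame with the fields that legitimately change between capture points
    zeroed: both MAC addresses (rewritten per hop), IP TTL (decremented) and IP checksum."""
    b = bytearray(pkt)
    b[0:12] = bytes(12)
    b[ETH_LEN + 8] = 0
    b[ETH_LEN + 10:ETH_LEN + 12] = b"\x00\x00"
    return hashlib.sha256(b).digest()


class Dedup:
    """Suppress a frame seen within window_us of an identical one; an identical frame arriving
    later (a real TCP retransmission) is kept because it carries diagnostic signal."""

    def __init__(self, window_us):
        self.window_us, self.last_seen, self.order = window_us, {}, deque()

    def is_duplicate(self, pkt, ts_us):
        while self.order and ts_us - self.order[0][0] > self.window_us:   # expire old keys
            old_ts, old_key = self.order.popleft()
            if self.last_seen.get(old_key) == old_ts:
                del self.last_seen[old_key]
        key = dedup_key(pkt)
        dup = key in self.last_seen
        self.last_seen[key] = ts_us
        self.order.append((ts_us, key))
        return dup


def tool_for(hdr, n_tools):
    """Direction-independent flow hash: both halves of a session land on the same tool, which
    stateful inspection needs. The endpoints are sorted so A->B and B->A hash identically."""
    proto, src, dst, sport, dport = hdr
    a, b = sorted([(src, sport), (dst, dport)])
    key = bytes([proto]) + a[0] + struct.pack("!H", a[1]) + b[0] + struct.pack("!H", b[1])
    return int.from_bytes(hashlib.blake2b(key, digest_size=8).digest(), "big") % n_tools


def broker(capture, n_tools, window_us=1000):
    """Filter -> de-duplicate -> load balance. One entry per input frame: the tool index it
    was delivered to, or None if the broker dropped it. Filtered frames never enter dedup."""
    dedup, delivered = Dedup(window_us), []
    for ts_us, pkt in capture:
        hdr = parse(pkt)
        if hdr is None or drop_video(hdr) or dedup.is_duplicate(pkt, ts_us):
            delivered.append(None)
        else:
            delivered.append(tool_for(hdr, n_tools))
    return delivered


def _ip_checksum(hdr20):
    s = sum(struct.unpack("!10H", hdr20))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, ttl, payload):
    """Constructed Ethernet/IPv4 frame with a valid IP checksum and an abbreviated L4 header
    (only the ports matter to this demo)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0x1234, 0x4000, ttl, proto, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + IP_ETHERTYPE + hdr + struct.pack("!HH", sport, dport) + bytes(4) + payload


def sample_capture():
    """Constructed trace (microsecond timestamps), not real traffic."""
    tap_a = (b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02")   # src/dst MAC at TAP A
    tap_b = (b"\x02\x00\x00\x00\x00\x03", b"\x02\x00\x00\x00\x00\x04")   # same packet one hop later
    client, server, cdn = b"\x0a\x00\x00\x05", b"\xc0\x00\x02\x0a", b"\xc0\x00\x02\x63"
    req = b"GET / HTTP/1.1\r\n"
    return [
        (0, frame(*tap_a, client, server, 6, 40000, 443, 64, req)),        # seen at TAP A
        (50, frame(*tap_b, client, server, 6, 40000, 443, 63, req)),       # same packet at TAP B
        (200, frame(*tap_b, server, client, 6, 443, 40000, 62, b"reply")),  # reverse direction
        (300, frame(*tap_a, cdn, client, 17, 5004, 5004, 60, b"\x80" * 16)),  # "video" UDP
        (5000, frame(*tap_a, client, server, 6, 40000, 443, 64, req)),     # retransmit, outside window
    ]


if __name__ == "__main__":
    print(broker(sample_capture(), n_tools=4))
```

Running it shows the second frame suppressed as a duplicate, the UDP "video" frame filtered, and the request, its reply and the later retransmission all delivered to the same tool index. Swap `sorted(...)` in `tool_for` for the raw `(src, sport, dst, dport)` order and the reply lands on a different tool in roughly three of four runs with four tools, which is exactly the split-session failure a stateful tool cannot recover from.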

Conclusion 

If traffic volume is overwhelming your monitoring tools, squeeze a little bit more out of the tools you have. Implement the Share, Eliminate, Offload, and Filter strategies. 

[1] Ucar, Morato, Magana and Izal: "Duplicate detection methodology for IP network traffic analysis," Department of Automatics and Computer Science, University of Navarre, Spain; November 2013.

Thank you to Lora O'Haver from Ixia for the article.
