
From Campus to Cloud: Uncovering Deep Network Insights Throughout the Application Journey

Image Credit: Kentik

In a recent interview, Ariana Lynn, Principal Analyst at The Fast Mode, spoke to Phil Gervasi, Director of Technical Evangelism at Kentik, on the impact of traffic visibility on modern IP networks. Phil joins us in a series of discussions with leading networking, analytics and cybersecurity companies, assessing the need for traffic filtering technologies that can deliver real-time, granular application awareness. The series explores how advanced analytics power various network functions amidst the rapid growth in traffic and applications.

Ariana: How do your solutions and products fulfill the demands of today's networks?

Phil: Today's networks demand resilience, performance, and operational reliability across on-premises resources in the data center and on the campus, in the public cloud, from SaaS providers, as well as the service providers that connect it all - and that's even when NetOps doesn't own or manage all these areas. This is a difficult problem to solve considering the vast amount and diversity of the type of telemetry generated by these devices and components. It's only compounded by the fact that a typical NetOps team has little to no purview over some of these components like SaaS providers or service providers. Kentik fulfills this demand by ingesting telemetry from all of these components including traditional network devices, security devices, public cloud providers, SaaS providers, containers, and even service provider networks. This represents a modern application's end-to-end journey from source to the end-user, which means Kentik provides deep visibility of the entire infrastructure that applications depend on to work properly. Without this end-to-end perspective, an engineer is missing crucial aspects of the application's journey including all the factors affecting performance and the end user experience.

Ariana: How important is traffic visibility for your suite of solutions and products?

Phil: Since most applications today are delivered over a network, network and traffic visibility is absolutely crucial to ensuring optimal performance and a fantastic end-user experience. This means network visibility is now the cornerstone of understanding what's happening with our networks and application performance. Today's modern network encompasses many more components and services today than it ever has, so it is crucial to have an understanding of how these physical and virtual devices, virtual services such as DNS and DHCP, components such as network overlays, load-balancing, and so on individually play a role in application delivery and work together to create the very mechanism we rely on for both mundane and mission-critical application activity.

Ariana: What technologies are most effective in delivering real-time traffic visibility?

Phil: Real-time traffic visibility relies on flow data from any type of device participating in an application's delivery to an end-user. Flow logs give us the understanding of application activity across on-premises networks and public cloud without needing to capture and copy every single packet in a transaction, a task that's normally much too difficult or expensive to accomplish. The analysis of flow logs gives us an understanding of what's happening with traffic in real time, which can be used to measure performance, capacity, and detect security threats. Furthermore, to understand how devices themselves are affecting network performance, we need highly accurate protocols and mechanisms such as streaming telemetry and eBPF to capture at the second or sub-second level what's happening with the network.

Ariana: What challenges do you often face in using existing traffic visibility tools?

Phil: Many existing or legacy visibility tools rely on visibility protocols that don't meet the demands of modern network operations. For example, most network visibility tools don't support streaming telemetry, and if they do, they don't support it alongside SNMP, which is a ubiquitous network visibility protocol used in the vast majority of networks. Additionally, most existing visibility tools treat each type of telemetry and each data source as a standalone element. This may produce some colorful graphs, but it doesn't permit network operations the ability to see and understand all of the data in a single context, namely the delivery of a specific application. Kentik has solved this problem by creating a single unified database of network telemetry in which all data, regardless of the type and source, resides and is analyzed. Treating network visibility (and telemetry in general) as more of a data analysis problem gives Kentik a distinct advantage over legacy tools that have one login for metrics, another for flow, and yet another for some other type of telemetry, leaving it to the engineer to toggle and figure it out manually, if at all.

Ariana: What are your views on open-source software for delivering visibility?

Phil: Open-source tools can be very effective for delivering network visibility if the technical staff and resources are available. However, it's important to remember that open-source requires the care and feeding by technologists to keep up with functionality, bug fixes, code maintenance, and feature requirements of the tools. The inherent cost and complexity of open-source software for visibility is a hard sell for many (if not most) enterprise network operations teams who need a functioning solution today. This doesn't mean Kentik is opposed to openness, though. In fact, we put much of our information on GitHub for the community to consume and utilize to improve their own monitoring strategy.

Ariana: How effective is deep packet inspection (DPI) technology in addressing today's traffic complexities?

Phil: DPI is an effective way to investigate specific problems in which unencrypted packets from source to destination are available. This could be for a security analysis after a security breach, or perhaps a close investigation about a new application's local connection problem. In a complex environment, this could be extremely helpful. However, deep packet inspection beyond the security use case and application connection corner cases is a very expensive and often impossible undertaking due to regulatory concerns, the cost of operating a tap network, and the resources necessary to analyze packet captures representing all the traffic of an enterprise. Therefore, DPI is an excellent choice for specific security and analysis use cases and not necessarily a viable option for addressing network visibility in today's traffic complexities.

Phil Gervasi is Director of Technical Evangelism at Kentik.

This interview is a part of The Fast Mode's Traffic Visibility segment, featuring leading networking, analytics and cybersecurity companies and their views on the importance of network intelligence and DPI for today's IP networks. A research report on this topic will be published in June 2024.

Author

Principal Analyst and Senior Editor | IP Networks

Ariana specializes in IP networking, covering both operator networks - core, transport, edge and access; and enterprise and cloud networks. Her work involves analysis of cutting-edge technologies that drive application visibility, traffic awareness, network optimization, network security, virtualization and cloud-native architectures.

She can be reached at ariana.lynn@thefastmode.com
