IT in Europe: Networking Edition
November 2011, Volume 1, No. 4
Special European edition of Network Evolution e-zine | www.searchnetworking.co.uk

Application-aware networking emerges but has far to go
Application awareness is emerging on firewalls and WAN optimisation devices, but efforts fall short of a network-wide strategy, especially at Layers 2 and 3.

IDEA LAB
APPLICATION-AWARE NETWORKING EMERGES BUT HAS FAR TO GO
NETWORK AND APPLICATION MONITORING: A LONDON SCHOOL BEEFS UP SERVICE
HAVE SERVICE ASSURANCE TOOLS FINALLY COME OF AGE?

IDEA LAB
Where evolving network concepts come together

Employees Want Social Networking Tools

A Cisco-sponsored survey of 2,800 college students and professionals under 30 shows the majority will “follow” or “friend” their co-workers and managers on Facebook and Twitter, indicating that millennials will freely intertwine their personal and professional lives with social networking tools.

Cisco’s second annual Connected World Technology Report also shows 66% of students and 58% of professionals consider a mobile device their most important technology, even more important than television. In the 2010 edition of the study, 60% of employees globally said offices are unnecessary for productivity.

Cisco focused the survey on students and young professionals so that the company can “develop solutions that help IT prepare for the next-generation workforce,” said Scott Gainey, Cisco’s director of mobility product marketing.

Enterprise social networking tools

Cisco has already come to the table with enterprise social networking software in Cisco Quad, but Gainey said the company must continue to invest in these efforts. As an example of an expanded use of social networking tools in the enterprise, Gainey explained how Cisco and other companies are proactively mining social networking communities for customer service complaints as users increasingly turn to these forums for support.

“It’s not that they are dissatisfied with traditional call-in [customer service], but they’re finding there is a peer base of people they can draw on and get questions answered more quickly,” said Gainey.

Eventually, enterprise social networking tools will enable corporate community space with wikis, blogs, live chat and collaboration that allow users to pull mission-critical data and applications into the shared forum.

Enterprise mobility

“The traditional applications that people are using today [on mobile devices] are mostly email and collaboration, and these sit outside the firewall. But that changes if you start to look at some of these new core applications like Informatica’s new cloud integration application where you [reach into] the internal workings of the data centre,” said Gainey. “We’re seeing a convergence of mobile technology with social networking and core applications.”

In addition, as demand for enterprise mobility grows, Cisco will be looking for ways to stretch security across enterprise Wi-Fi and cellular networks.

“We have to look at how we can build trusted networks not just for conventional IT but for service providers, and then how can we link those so that data can be secured,” said Gainey. “That’s where I think you will see the majority of investment in the coming year.”

■ RIVKA GEWIRTZ LITTLE, Senior Site Editor, TechTarget

CISCO CONNECTED WORLD REPORT: SOCIAL NETWORKING
A survey of professionals under 30 revealed the importance of social networking for the next-generation workforce.
88%: Percentage of employees who have Facebook accounts (90% of college students have them)
73%: Percentage of employees who check their Facebook accounts at least once a day (81% of students check theirs once a day)
33%: Percentage of all respondents who check Facebook accounts at least five times per day
70%: Percentage of employees surveyed who friended their co-workers and/or managers on Facebook
68%: Percentage of employees who follow their co-workers and/or managers on Twitter
SOURCE: CISCO CONNECTED WORLD REPORT. SEPTEMBER 2011

IDEA LAB

Who Needs MPLS? A Dark Fibre Network Saves York Councils

City of York Council (CYC) set out to rethink its patchwork of network service contracts for voice and broadband and ended up building a city-wide dark fibre network that delivers fixed and wireless free public Internet access to all York libraries. Those services will be expanded into public parks later this year.

CYC’s dark fibre network design

The city-wide network is a metro Ethernet design with a single mode fibre backbone. There are two core 10 GB fibre rings, one for schools and one for the council. Both rings are linked via five POP sites, with OSPF as the backbone routing protocol.

“The fibre ring is effectively a ‘dark fibre’ install which means that potentially any kit can be attached in the future, such as WDM (wavelength division multiplexing), which can, in effect, give you almost unlimited bandwidth,” said Roy Grant, head of ICT at CYC.

So far there are 104 sites connected to the network, all on 1 GB uplinks, and City Fibre has laid around 100 km of fibre. The single mode fibre is driven using SNMP managed transition media converters located in two chassis at the five POPs and at remote sites.
The transition units convert the fibre into Cat 6 copper, which then plugs into two HP 5406 chassis—one for council and one for education—in the POPs and HP 2610 switches at the edge. Both pieces of kit are managed for alarms, and the links are monitored and measured for traffic utilisation.

Makings of a dark fibre network rollout

The deployment team selected a few sites to roll out a staged cutover, and when that went well, it accelerated the rate of deployment. The issues that faced the council were not at all technical network problems: “If I had to do the same work again I would ask more environmental questions,” said Grant. “We were struggling to get access over one of the railway bridges because [the owners] were slow to respond. If there were lessons learned it was around where you need access to areas or buildings that you don’t own. Five or six sites were delayed a little bit due to access over just one railway bridge.”

CYC has ended up with a single unified IP network across the city, “an outcome that we never thought we would get anywhere near when we started the tender process,” said Grant.

“We have a footprint in York now that puts us in the top five or 10 councils in the UK in terms of being future proof. Most importantly it has exceeded any upcoming guidelines for school connectivity and will support around 24,000 pupils,” he said.

■ TRACEY CALDWELL is a professional freelance business technology writer.

IDEA LAB

CRITICAL CONSIDERATIONS FOR APPLICATION-AWARE FIREWALLS
Here’s how respondents to a recent TechTarget survey on application-aware firewalls ranked the most useful questions when making a firewall purchasing decision.
What security functions, besides port and protocol identification, does your firewall product perform?
Can your firewall product enforce varying policies on different types of application traffic? How?
Does your firewall product integrate intrusion prevention functions? Can it truly substitute for a separate IPS?
How does your firewall product identify and classify different types of application traffic?
Does your firewall product incorporate user identity access and management? What directories does it interoperate with?
Can your firewall product enforce varying policies on specific features or content within an application? How?
What are the performance ratings on your firewall product?
How does your product distinguish itself as truly next-generation?
What is the architecture behind your firewall product?
What is your plan for users integrating these products into their security infrastructure?
How does your company define and accomplish firewall “intelligence?”
SOURCE: "APPLICATION-AWARE FIREWALLS 2011 SURVEY," TECHTARGET, INC. JULY 2011. N=221 I.T. MANAGERS

IDEA LAB

Virtual Extensible LAN: Awesome or Braindead?

The Virtual Extensible LAN (VXLAN) announcement made by Cisco and VMware at the recent VMworld event has caused quite a ruckus among networking engineers (I actually received an email with the subject I used for the title of this post). We wonder: Is this another ploy to get rid of the pesky networking people in a virtual environment or does this actually make sense? The truth, as always, is somewhere in the middle. Fast Packet Blogger Ivan Pepelnjak provides answers to some key questions on VXLAN.

What is VXLAN?
It’s a very simple MAC-in-UDP encapsulation scheme allowing you to build virtualised Layer 2 subnets spanning multiple physical IP subnets.

Why do we need a new technology?

There are several existing MAC-over-IP standards—including EtherIP and bridging over GRE tunnels—but none of them addresses the need to go beyond VLAN-based segment tagging, which limits you to 4,096 distinct VLANs. Even if you could use these standards to implement logical segments, you would have to dig deep into the MAC header (in the payload) to find the virtual segment ID. VXLAN uses a 24-bit segment ID, which allows you to deploy millions of virtual segments in a single data centre. Furthermore, the VXLAN packet format is easy to implement in hardware, opening the door for future tighter integration with physical networking gear.

Is VXLAN another proprietary technology?

No. It started as an IETF draft coauthored by VMware, Cisco, Arista, Broadcom, Citrix and Red Hat. It would be hard to get a better team. (You can guess that Arista and Broadcom have joined the efforts since Broadcom is making chipsets that Arista is using in data centre switches.)

When would I need VXLAN?

Contrary to some claims that “you should consider VXLAN if you have more than 250 virtual machines in your data centre” (Who doesn’t?), you should consider VXLAN if you need hundreds of logical segments. Stick with time-tested technologies like VLANs if you need just a few—or a few tens—of logical segments.

Is there a difference between VLANs and VXLAN?
VXLAN obviously scales better—4,096 VLANs versus 16 million VXLAN segments—but it has a tremendous handicap at the moment: A logical subnet using VXLAN encapsulation cannot communicate with the physical devices such as switches, load balancers or firewalls, although one would expect some data centre switch vendors to implement Layer 3 VXLAN termination support. The only way you can connect a VXLAN segment to the outside world is through a virtual Layer 3 appliance such as vShield Edge, Vyatta router or F5 load balancer—having one vNIC in a physical VLAN and one or more vNICs in VXLAN segments.

Can I run VXLAN across any IP network?

Almost—it does require IP multicast to implement Layer 2 flooding (broadcasts or multicasts).

Can I use VXLAN to implement long-distance VM mobility?

I wouldn’t. The technology allows you to do that—assuming you can propagate IP multicast between the data centres—but just because you can doesn’t mean that you should. VXLAN has no mechanism to alleviate long-distance traffic trombones that will inevitably start to appear once you spread the virtual machines in the same logical subnet across multiple data centres.

What then is the VXLAN’s sweet spot?

VXLAN is an ideal technology to use if you’re building a totally virtualised Infrastructure-as-a-Cloud service where you want to rely on customer-configured virtual appliances to connect the customer subnets with the outside network.

■ IVAN PEPELNJAK, CCIE No. 1354, is a 25-year veteran of the networking industry.

APPLICATION-AWARE STORAGE DEFINED

Application-aware storage is a storage system with built-in intelligence about relevant applications and their utilisation patterns.
Once the storage “understands” the applications and usage conditions, it is possible to optimise data layouts, caching behaviors and Quality of Service (QoS) levels. This is a particularly challenging goal because application-aware storage does not run application code locally. Instead, it demands significant integration of the operating system (OS), the host bus adapter (HBA) and the applications themselves.

Application-aware storage allows storage managers to better utilise commodity disks for low-priority applications, while still getting the best possible performance, capacity and reliability for mission-critical applications. Application awareness can be particularly useful for boosting performance in storage-intensive tasks such as archiving, backups, disaster recovery, replication, data modeling and index/search.

—BY WHATIS.COM

COVER STORY

APPLICATION-AWARE NETWORKING EMERGES BUT HAS FAR TO GO
Application awareness is emerging on firewalls and WAN optimization devices, but efforts fall short of a network-wide strategy, especially at Layers 2 and 3.
BY SHAMUS MCGILLICUDDY

In a business environment dominated by cloud computing, mobility and Web-based applications, enterprises need smarter, application-aware networks to ensure performance. But while application awareness is emerging on individual Layer 4-7 network components, such as firewalls and WAN optimisation appliances, there’s still a way to go in generating application-intelligent policy across these components. What’s more, application intelligence in Layers 2 and 3, where it could be most crucial, is a way off.

WHY THE NEED FOR APPLICATION-AWARE NETWORKS NOW?

Ten or 15 years ago, Layer 4 visibility was application-aware enough.
If a router could see the port destination, it could make a decent guess about the nature of the application and apply quality of service (QoS) policy. With the same information, a firewall could decide whether to allow or deny traffic. If it was headed for Port 80, for example, it was pretty clear that it was HTTP traffic. It was a best-effort affair.

But today, best effort isn’t good enough. Hundreds of applications are running over HTTP, including video conferencing, SalesForce.com and even hosted SAP applications, and the network needs to get smarter and go deeper into these applications in order to enable high performance.

“How does video within a conferencing session with a potential client look relative to highlights from a football game?” said Christian Moses, chief technology officer of E.K. Riley Investments, an independent brokerage and investment advisory firm headquartered in Seattle. “In a traditional network, it just looks like video data, but from a business standpoint we all know that people are going to be watching video on YouTube in the corporate network. You have to take that into consideration; otherwise you are prioritising slacker time.”

LAYERS 4-7 APPLICATION AWARENESS IS HERE, BUT MUST EVOLVE

WAN optimisation and application delivery controllers have become increasingly application-aware and more sophisticated about how they optimise and accelerate applications, which is well understood and appreciated by network engineers. Meanwhile, firewalls have moved up the OSI stack to Layer 7 in order to adapt to the evolving threat landscape.

“[Legacy] firewalls are dead.
There is no firewall anymore,” said Doug Tamasanis, chief IT architect and director of networks and security for Kronos Inc., a Chelmsford, Mass.-based workforce management solutions company. “You open up three or four ports, and you might as well throw out your firewall. So the only hope you have is going up the stack to start looking at applications.”

To secure and optimise his network, Tamasanis is adopting technology that looks beyond ports and protocols with new application-aware firewalls from Palo Alto Networks and new WAN optimisation appliances from Silver Peak that can do packet-level optimisation.

All three classes of network appliances—firewalls, application delivery controllers and WAN optimisation controllers—are managing traffic based on application awareness, but they quite often exist as islands within the infrastructure, which lessens their overall effectiveness.

“It would be great if you could say, ‘here is an application and I want all three classes of tools in my network to recognise that application is important, and I want to apply a consistent set of policies around it regardless of where I’m seeing it,’” Frey said. “There is some argument that you won’t see all the same applications at each of those viewpoints, and that’s probably true. But with a select group of critical applications, you could.”

Citrix Systems, whose products include NetScaler application delivery controllers, Branch Repeater WAN optimisation products, and Access Gateway SSL VPN controllers, envisions a future where the service and application delivery fabric formed by its products could become a control plane for the rest of the network.
“In a heterogeneous fabric, you can envision components talking to each other using a protocol that is a variation on OpenFlow,” said Sunil Potti, vice president of product management and marketing at Citrix. “Today, OpenFlow is a protocol that allows heterogeneous switches to be controlled using a particular standard, but it’s only Layer 2/Layer 3.”

Citrix is exploring ways to make the rest of the network more application-aware by decoupling the control plane of its NetScaler ADCs and applying it to Layer 2 and Layer 3 infrastructure, much like OpenFlow allows a server to serve as the control plane of a Layer 2/Layer 3 network. The NetScaler SDX model, for instance, has a built-in hypervisor that allows companies to run third-party network services within the same box.

“If you have a NetScaler SDX in the data centre and a wireless LAN controller in the campus, you could instantiate that wireless LAN controller on the SDX and exchange control protocols with it,” said Potti. “We [Citrix NetScaler] recognise that a virtual desktop infrastructure (VDI) session is emanating from the data centre: Typically when it goes to the wireless network, it has no clue about that. What if you are able to construct protocols that go to the wireless data network and say, ‘hey, this is a VDI session’? Then you can apply a lot of QoS and other policies.”

APPLICATION-AWARENESS AT LAYER 2 AND LAYER 3 NOT JUST FOR SERVICE PROVIDERS

While application awareness for Layers 4-7 is emerging, intelligence at Layer 2 and Layer 3 could take longer and could be more costly.

“The application awareness stuff is not cheap in terms of resources. You need to do deep packet inspection to drag part of a HTTP header or decode part of an FTP string. That’s a heavier resource requirement, which means that application awareness capabilities are typically found in higher-end devices that have more processors and more programmable silicon. In the access layer, there’s not a lot of unused silicon.
This is a real problem because of the interest in monitoring the wireless mobile access layer of networks, where you have a lot of people coming in with Internet-enabled devices,” said Adam Powers, CTO of Lancope, which sells the StealthWatch NetFlow analysis product.

Cisco Systems has also expanded the number of devices in its portfolio that support NetFlow v9 and IPFIX, the network flow protocols that allow switches and routers to export application-aware information to the management tier. The 2-terabit version of the Catalyst 6500, the Catalyst 3750-X and Catalyst 4500 all export this programmable NetFlow.

In fact, Cisco considers application-aware networking so fundamental that it is bringing carrier grade deep packet inspection (DPI) capabilities to its entire portfolio of enterprise routers.

“We think application awareness has to become a core attribute of that edge [router] device at remote sites and central sites,” said Scott Harrell, senior product director of network systems at Cisco. “We launched the first phase of that on the ASR series in July, and we’re going to bring it to the whole portfolio of access routers in November.”

Cisco’s Application Visibility and Control (AVC) solution will roll out to the company’s popular Integrated Services Router (ISR) line this fall, integrated into the router’s operating system.

“In the old world—the Layer 3/Layer 4 world—having port-based visibility was sufficient. I could use that to tell a lot about what the application was. I could decide how to apply controls to it and how to apply optimisation to it.
As you fast forward and everything becomes Web-enabled, you need to be more and more Layer 7-aware and application-aware and to be able to apply all your network services on that layer. We’re also looking to populate the ability to recognise different media streams, not just application flows but also video traffic, so that you can prioritise and appropriately treat those streams,” Harrell said.

“If I am in a branch today and have an ISR connected to an ASR at the head end, and I have a QoS policy that says HTTP is best effort, my problem is that my SAP Business Objects is on the Web. My video communications is on the Web,” he said. “That’s all on Port 80. I don’t want that traffic to be scavenger class. I want to be able to differentiate traffic within that class and treat it differently based on the business value. Today that is a very difficult thing to do and not well suited to the Web, which is constantly changing.”

■ SHAMUS MCGILLICUDDY is the News Director for TechTarget Networking Media.

CASE STUDY

NETWORK AND APPLICATION MONITORING: A LONDON SCHOOL BEEFS UP SERVICE
Application performance monitoring tools must provide visibility to everything from storage I/O to remote end-user access and a whole lot in between.
BY JOHN BURKE

When Park High School in North London gained an extra 600 students and began the move into a virtualised environment, network manager David Crawley knew the school would need network and application monitoring tools to support growth.

Over time, Park High’s network has developed piecemeal, connecting a total of 1,700 students and 170 staff, with support for a mixture of laptops, desktops, thin clients, PCs, Macs and a partially virtualised server estate.

“As with most schools, it’s very much something that has grown sporadically over the years, and we do tend to run computers a year or two longer than ideally you’d like to. So it can be quite a challenging network to manage,” said Crawley.

In the past, attempts to monitor the network were “probably a little backwards,” he added.

“If you had a device that was slowing down your entire network, to track that back you’d pretty much have to start at the centre of your network and work out step by step,” he said. “[You would] log on to every switch individually, see if there was a particular port that was having too much traffic. If the traffic was too bad, you may not even be able to log on to a switch; you’d end up having to take a laptop, plug a console cable in and query it directly.”

Old-school troubleshooting is especially lacking considering the strain that virtualisation can place on networks.

“[With virtualisation] one of the key aims is to get more processing power out of each physical server by loading it with as many virtual machines as is reasonable. That stresses the network and the network bandwidth, and network I/O assigned to a physical server may become the main performance bottleneck, rather than CPU and storage,” said Quocirca analyst Bob Tarzey.
So Crawley sought a network monitoring tool that could handle both physical networks and virtual environments, choosing to pilot the PRTG Network Monitor from Paessler, which provides a real-time view of network activity as well as historical reporting.

The monitoring tool would start by taking on the physical network, which is based on a 10 GB, 12 core fibre backbone with 1 GB fibre links and HP ProCurve switches. This summer, Crawley’s team also installed a new wireless system based on Netgear wireless routers with a Wavesight wireless bridge that went live at the start of the new term in September 2011.

APPLICATION MONITORING IN THE NETWORK

After first focusing on basic network functions, Crawley will extend the reach of the monitoring tool to look more deeply at how applications are performing.

“We are in [the] process of updating our school’s website, and once the new system is in place, we’ll monitor the external Web server,” said Crawley.

Eventually that monitoring will drill down into some applications to look at specific transactions.

“We do have the ability to monitor something that runs on a server as a service. I can monitor their uptime and make sure that they’re not exceeding any threshold and that they’re just essentially working for people.”

Yet some applications are still beyond the reach of most network monitoring tools.

“It would be useful if you could monitor certain applications, but a lot of that comes down to the application developers themselves making that information available to external monitoring solutions to read. That interoperability isn’t always there,” he said.
Still, applications that are available for monitoring can be used as a gauge for how well networks are working and vice versa, said Tarzey.

“When it comes to monitoring application performance, there are aspects you can report on which do not need much access to the application itself; for example, end-to-end performance ... if you can establish that the network is working well, then that is the time to take a closer look at the application, however you achieve that,” he said.

NETWORK MONITORING IN A VIRTUAL ENVIRONMENT

The monitoring solution also allows Crawley to keep a weather eye on the virtualised estate and pre-empt any bottlenecks, as well as avoid overprovisioning. Yet this is mostly a manual operation.

“It’s very useful to see if one of my physical hosts is particularly overloaded for the task, [so I can] migrate certain virtual servers to other hosts,” said Crawley.

Using the PRTG monitoring tool also enables Crawley to avoid overprovisioning.

“The PRTG monitoring has been helpful if I’m taking services or servers that are currently running on physical hosts and determining just how much processor capacity and RAM they actually needed to give to the virtual machine. It’s meant that we can then not need to overprovision our virtual servers too much and make more use of what we’ve got.”

What’s more, remote monitoring of the virtual environment and network proved invaluable during a recent outage.

“I was on holiday and one of our fans went offline,” Crawley said.
“This took out about two-thirds of our virtual machines, and at the moment the majority of our servers are now running on virtual machines, so that essentially took out the majority of the network.

“I was able to get on to the network remotely, see exactly which fan had gone down, which physical hosts it had taken down, which virtual machines were down. I was able to get the network back up and running from home within 45 minutes.”

■ TRACEY CALDWELL is a UK-based technology journalist.

TECHWATCH

HAVE SERVICE ASSURANCE TOOLS FINALLY COME OF AGE?
Vendors have long promised that service assurance tools could monitor across IT systems, but they’ve always fallen short. Are these tools finally growing up?
BY RIVKA GEWIRTZ LITTLE

Here’s a concept: Whether or not a specific link on your network is healthy is the least of your worries. In fact, service assurance (SA) vendors warn that networking is only a tiny fraction of what can go wrong behind an application, yet poor user experience still falls at least partially on the shoulders of the networking team. That’s where SA tools come in.

SA tools monitor across IT infrastructure and report into a single console where the information can be analysed to track both the root cause behind poor application performance and troubled end-user experience. The idea is to take monitoring completely away from specific infrastructure elements, such as networks, storage, servers, virtual machines and databases, and instead examine the interdependencies among these systems.

“The problem is not just the network or the servers; it’s that and everything in between,” said Steve Shalita, vice president of marketing at management and monitoring company NetScout.
Multi-tiered applications, for example, depend on a collection of middleware, servers and databases that can all cause problems, he said. What’s more, the emergence of virtualisation and converged storage/data centre networks have only increased the need for correlated event analysis.

“Ten years ago you had Fibre Channel SAN, and if there was a problem, you knew what HBA (host bus adapter) was attached to a specific server, and you knew which application was affected,” said Bob Laliberte, senior analyst at Enterprise Strategy Group. “Now servers, networks and storage are all interdependent, and with virtualisation, you need new tools that are able to accommodate a dynamic infrastructure.”

But tossing aside elemental monitoring for an integrated approach may not be so easy. For one thing, users question whether there is really any one tool good enough to handle the job.

“I am not aware that anyone has come up with a magic bullet,” said Carl Mazzanti, vice president of network strategies at systems integrator eMazzanti Technologies. “The number of vendors you have to be able to interoperate with in order to make this work is so high. Think about how many firewall companies and disk manufacturers [in addition to switch, router, server and storage vendors] you would need to work with.”

Even if you could build a tool that talked to every system, in many cases, individual monitoring tools fall short or can be difficult to manage, so some users question the point of integrating their information.
“All network monitoring tools are flawed from the perspective that unless there is a custom signature and you have the resources to create a solid baseline, you can’t get much done,” said a network engineer at a multinational consulting firm, explaining that most reporting from these tools can be so overwhelming that it is never read or analysed. “A simple collection of data requires a little tuning and a lot of massaging, so you need a tool that can do this now across all of that reporting. I haven’t seen one that exists yet.”

Even more troubling to users is that the term service assurance is only being thought of as a way to rebrand technology that has been tried in the industry for decades but has always ended up as a project tossed aside on an IT shop shelf.

“Nearly 20 years ago, CA was selling Business Process Views as part of Unicenter,” said Rob England, an IT consultant and creator of the IT Skeptic blog. “Nowadays all the vendors promise a service-level view of status in their monitoring tools, and a service entity-type in their CMDB. It runs well in a simple demo, but it is either too expensive to set up or manage for the majority of organisations. In general, I think it is a tech geek fantasy of a magic tool solution to a very difficult problem.”

WITH SO MUCH SKEPTICISM, WHY BOTHER WITH SA TOOLS?

IT managers may be more convinced to invest in SA tools if they could prove return on investment. And that’s not impossible if these tools actually work and user-facing applications suddenly begin to perform better.
What makes SA tools different than basic monitoring tools is that they provide information about IT functions to the business side of an organisation as well as the IT shop, aiming to better support mission-critical applications, or applications that would most hurt business productivity if they go down. SA tool users start by identifying these applications and then creating service models and baselines to measure them by.

So, for example, in supporting a customer relationship management (CRM) application, the SA tool would take into account Oracle on the back end, WebSphere for the front end, tools for security and network identity, as well as all of the servers and network links that support these.

CA’s Service Assurance tools—like those from most vendors—set “an intelligent baseline that understands what performance looks like at 8 a.m. Monday and how that’s different than Friday at 4 p.m.,” said Patrick Ancipink, vice president of marketing at CA. Then it uses that information to seek out anomalies.

DIFFERENT COMPANIES, DIFFERENT APPROACHES, BUT WHICH IS RIGHT?

No one takes issue with the idea of seeking out anomalies. Users are more concerned with how these tools will reach across systems. Some vendors offer SA tools that include home-grown monitoring applications, while others seek to funnel information from existing monitoring tools into a joint console for analysis. Which tool to choose depends on the existing monitoring investment.

“If [users] just made an investment in individual domain tools, it’s going to be hard to justify replacing all of that and bringing in something new,” said Laliberte.

On the other hand, tools that are built to work together for application support may be more effective. CA’s SA strategy is made up of a patchwork of monitoring tools the company has either acquired or developed over the years, including network monitoring from its NetQoS acquisition and application performance management from its Wily acquisition. Those tools work alongside the company’s Spectrum network infrastructure management tool that looks at everything from NetFlow information and packet information to line code and application response time. The SA console then pulls the information into a series of maps and impact graphs for both root cause analysis and predictive modelling.

For Zenoss, an open source monitoring and management software provider, the ability to adapt to working with any existing system and domain-based monitoring tool is its biggest advantage.

“We can talk to any system out there, whether it’s via data protocol like SSH or application protocols like Apache consoles or JBOSS. On the virtualisation front, we’ve gone further to manage Cisco UCS; we talk to VMware vCenter, to Puppet and to OpenStack,” said Floyd Strimling, a cloud technical evangelist for Zenoss. “We can monitor the application stack, the server stack, the storage stack, the virtualisation stack, network components and speciality components, like environmental systems and power.”

In fact, Zenoss purposely uses existing network monitoring so as to avoid “recreating the wheel,” said Strimling. “We haven’t gone into wanting to becoming Cflow or Jflow—or any flow. We can gather that data and bring it into the system via partnerships with Infoblox or Plixer. There are certain things in networking that are well defined,” he said.
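The time-of-week baseline Ancipink describes earlier (8 a.m. Monday versus Friday at 4 p.m.) can be sketched as follows. This is an added example, not CA's or any other vendor's code; the median/MAD scoring, the function names and the sample response times are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def build_baseline(samples):
    """Map each (weekday, hour) slot to (median, MAD) of its samples."""
    buckets = defaultdict(list)
    for ts, value in samples:
        buckets[(ts.weekday(), ts.hour)].append(value)
    baseline = {}
    for slot, values in buckets.items():
        med = median(values)
        baseline[slot] = (med, median(abs(v - med) for v in values))
    return baseline

def is_anomalous(baseline, ts, value, threshold=3.5, min_mad=1.0):
    """Robust z-score against the reading's own slot; None if no history."""
    slot = (ts.weekday(), ts.hour)
    if slot not in baseline:
        return None
    med, mad = baseline[slot]
    # 0.6745 scales MAD towards a standard deviation; min_mad guards flat history.
    return 0.6745 * abs(value - med) / max(mad, min_mad) > threshold

def constructed_history(weeks=4):
    """Constructed data: hourly response ms, slow only on Monday 08:00."""
    start = datetime(2011, 10, 3)  # a Monday
    history = []
    for week in range(weeks):
        for day in range(7):
            for hour in range(24):
                ts = start + timedelta(weeks=week, days=day, hours=hour)
                typical = 400 if (day, hour) == (0, 8) else 120
                history.append((ts, typical + 5 * week))
    return history

def demo():
    baseline = build_baseline(constructed_history())
    monday_8am = datetime(2011, 10, 31, 8)
    friday_4pm = datetime(2011, 11, 4, 16)
    return {
        "410ms Monday 08:00": is_anomalous(baseline, monday_8am, 410),
        "410ms Friday 16:00": is_anomalous(baseline, friday_4pm, 410),
        "130ms Monday 08:00": is_anomalous(baseline, monday_8am, 130),
    }

if __name__ == "__main__":
    for reading, flagged in demo().items():
        print(reading, "->", "anomaly" if flagged else "normal")
```

The same 410 ms reading is normal in the Monday rush and anomalous on Friday afternoon, which a single static threshold cannot express; the unusually fast Monday reading is flagged too, since a sudden drop can mean users are not reaching the application at all.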
While visibility across the IT spectrum is the defining factor of an SA tool, network monitoring itself plays a crucial role—specifically packet sniffing, or deep packet inspection (DPI).

NetScout—which specialises in packet sniffing—places its tools across the IT spectrum. One monitoring tool sits physically in the data centre, looking at transactions in real time. Virtual appliances sit in each virtual server, and another virtual appliance can live in a Cisco Integrated Services Router (ISR). But NetScout tools look at the packet as it travels through all of these areas.

“We see the packet as the source of intelligence. It is the one thing that touches every aspect of service delivery; it touches every single piece of technology that makes an application work,” said Shalita.

VIRTUALISATION AND THE CLOUD MAKE SA MONITORING EVEN MORE COMPLEX

When it comes to virtualisation and the cloud, following data paths isn’t so easy. The biggest complaint among networking professionals is the lack of traffic visibility in a virtual environment. In fact, even systems teams have a problem with visibility.

“We put a monitoring agent on every virtual machine—on the host and the client application—but it can only tell you so much,” said Mazzanti.

And virtualisation doesn’t stop at the server. As companies build out private clouds, they are moving toward using what is basically a network hypervisor in which the control plane of the network is decoupled from the physical components so that network managers have more granular control over resources. These so-called network hypervisors will also have to provide visibility for SA tools in order to ensure application performance, said Strimling.
Without that kind of visibility, moving applications into both private and public clouds will be impossible. At this point, though, most cloud providers are not focused on the level of end-user experience that enterprises and even smaller companies need. So in addition to making very complex internal reporting systems work, SA users will have to place their monitoring tools in the cloud and integrate this information into their management consoles—and that’s a long way off.

“What’s going to have to happen is that cloud providers will have to make investments in SA just like enterprises,” said Shalita. In the meantime, companies may have to place their own monitors on their portion of the cloud.

A NEW IT JOB: SERVICE ASSURANCE MANAGER

Breaking down silos within IT organisations has been a running theme in the industry over the past couple of years as IT professionals grapple with managing virtualised environments and converged networks. Yet even as IT pros realise that working together might help in designing and managing complex environments, there is still resistance to unification, as well as finger pointing between groups when something goes wrong.

While SA tools aim to eliminate the blame game when it comes to performance issues, they also require cooperation between IT groups. What’s more, to make SA effective, implementation and reporting need to be shared with the business side of the house. That’s why many SA vendors foresee the emergence of an SA manager who can interface among internal parties.

“This person would look across domains and say, ‘I have five problems that are affecting business services, which is the highest impact?’” explained Ancipink.
NetScout’s Shalita sees the new role of service assurance manager as being a “manager of managers,” or someone that collects the useful information and presents it to each group so that no one is swimming in data. That’s meant to address the issues of complexity that many users see related to SA tools.

Until there are tools that can be depended upon across virtual environments and the public cloud, it is highly unlikely that SA managers will become a dime a dozen.

“These [vendors] are in the right spot. We need [SA tools], customers are asking for them and solution providers are waiting to see who delivers the best first,” Mazzanti said. ■

RIVKA GEWIRTZ LITTLE is the Senior Site Editor for TechTarget Networking Media.

Network Evolution Ezine is produced by TechTarget Networking Media.

Rivka Gewirtz Little, Senior Site Editor
Shamus McGillicuddy, Director of News and Features
Kara Gattine, Senior Managing Editor
Linda Koury, Director of Online Design
Kate Gerwig, Editorial Director