Essentials for Assuring Network and Application Performance

IT MANAGEMENT RESEARCH,

INDUSTRY ANALYSIS AND CONSULTING

An ENTERPRISE MANAGEMENT ASSOCIATES® _{(EMA™) White Paper}

Prepared for WildPackets February 2009

Table of Contents

Executive Summary ...1

The Mandate for Performance Management ...1

The High Road or the Low Road? ...2

The Completeness Challenge ...2

Putting It All to Work...4

EMA Perspective ...4

Page

Essentials for Assuring Network and Application Performance ©2009 Enterprise Management Associates, Inc. All Rights Reserved.

Executive Summary

Fast access to packet-based analysis tools is becoming an absolute requirement for adequately assuring the performance of today’s enterprise networks and applications. Without it, operations teams risk being left in the dark when faced with degradation problems and trying to determine a clear root cause. And yet, diving into packet streams is rarely the best starting point when trouble-shooting performance incidents. The answer to this challenge is to find performance monitoring solutions that can provide both high-level visibility and tightly integrated workflow paths to the deepest underlying packet/flow details that can be invoked as needed. This paper presents a frame-work of criteria that operations teams should consider regarding performance monitoring and management initiatives, and how solutions from WildPackets align versus those needs.

The Mandate for Performance Management

Network operations must evolve along with the environment that it manages, and with the busi-ness or organization that it serves. From a managed technology perspective, this means more layers of complexity, virtualization in the data center, network, and desktop, remote computing environments, growth in the branch both in number and sophistication, and the introduction of various types of optimization and security technologies that sit in the delivery path. One thing remains constant – the network is the means that all of these systems, applications, services, transac-tions, and activities use in order to function. And it is this common thread which holds the greatest promise as a means for monitoring the organizational and end-user “patient” – the network is like a circulatory system which carries markers and indicators when one of the subsystems isn’t doing what it’s supposed to be doing, thus giving rise to the symptoms the broader organization sees in terms of slow response times or interruptions in accessibility.

So why is performance management important? Simply put, as network technology becomes more stable and mature, and redundant architectures become standard practice, the number of network failures occurring that directly and immediately affect service is declining. This is a good thing, because this trend is allowing operations professionals to focus on a much more challenging issue – assuring performance. And that challenge takes many forms – first in terms of how you assess performance, second in where you assess performance, and third, how you interpret the clues provided by infrastructure monitoring technologies.

One of the most essential elements in selecting technology solutions in this vein is the need for definitive visibility coupled with an efficient work process, which requires tight integration between monitoring and troubleshooting capabilities. A clear, graphical presentation of monitoring data is an ideal starting point, but the ability to drill down to lower levels of detail in order to solve dif-ficult problems as needed is the real kicker. Further, real-time information must be coupled with a sufficiently rich historical data store, so that the context of conditions leading up to an incident can be properly included in the analysis process, and intermittent problems can be found and studied in sufficient detail to avoid the need for waiting on recurrence for analysis and resolution.

Network operations must

evolve along with the

environment that it manages,

and with the business or

organization that it serves.

The High Road or the Low Road?

There are many technology options for performance monitoring and management. Some of them start with high level data, typically traffic volume or quality metrics, and stay there. The result is grand vistas of the managed environment, but limited help with where to turn when performance problems occur. Others start with the lowest level of data, such as network packet traces, and stay there. The result here is you often get everything you need to analyze problems, if you happen to be in the right place to capture a trace in the first place. The trick is to find a low road solution that gives you definitive actionability but can also let you enjoy the fresh air and excellent views from the high road.

Basic SNMP statistics can give you a view to the overall picture, but lack the detail to understand which applications or services are driving the usage and/or are performing adequately or not. Flow records, such as NetFlow, IPFIX, sFlow, or Jflow, provide application usage information, and meet a majority of most organizations’ needs for understanding application and service activity. But the problem with flow records is lack of detail within the upper layers of the stack, an inability to track and understand quality of experience, a blind spot for network and application-layer errors, and insufficient details to reveal the most difficult problems, such as application design flaws. The best and most comprehensive source is direct monitoring of network packets, via a technique called Deep Packet Inspection, or DPI.

Why is this? The answer is several-fold. First, DPI captures the true interactions, including all of the underlying protocols that must be used successfully in order to accomplish communications across IP networks. Second, the network DPI perspective provides an important viewpoint that the other perspectives miss – that of how the applications are interacting with the underlying and enabling services, such as DHCP and DNS, plus how they are interacting with each other in the shared delivery environment. Third, only with packet-based monitoring can you actually capture and replay a session, including the full context of everything else that was occurring at the time of the incident or problem.

The Completeness Challenge

The next area of consideration is the need for comprehensive coverage – considering both breadth and depth in the service of completeness in order to deliver the best possible value. A performance monitoring architecture exhibiting adequate breadth must draw data from multiple points across the service delivery infrastructure. In topological terms, this means establishing measurement points in the core, distribution, and access layers. In architectural terms, this means instrumenting data centers, WAN provider edge points, internet and customer connection points, and branch facilities. Within core networks, and in particular within data centers, solutions must be able to support very high capacity technologies, including Gigabit and 10 Gigabit Ethernet.

A special mention is needed here about monitoring wireless access networks. With security con-cerns steadily declining due to improvements in technology and practice, wireless network access is becoming the norm in more and more shops. And with data rates climbing, wireless access is poised to become the dominant means for reaching networked resources within the next few

The best and most

comprehensive source is direct

Page

Essentials for Assuring Network and Application Performance ©2009 Enterprise Management Associates, Inc. All Rights Reserved.

years. In fact, much as a growing number of consumers are forsaking land line telephony in favor of pure mobile access, EMA expects that within the next few years, a majority of greenfield enterprise network rollouts will be purely wireless Ethernet in the access layer. And with wireless technologies reaching gigabit speeds, their penetration into the distribution layer seems all but inevitable as well.

What this means for the average operations team is that they need to become savvy in managing performance within the wireless realm, because wireless is now a mainstream access technology and is a piece of the delivery path for applications and services. This poses many challenges for many shops, which may have tools for rollout and administration of their access points, but no means for troubleshooting issues that occur within this new access layer. The answer is to find products that are designed to bring the network performance viewpoint into the wireless realm, much as is readily available in the wired world today. And ideally, those tools should be the same ones you are using on the wired side of your networks, so there is no discontinuity or learning curve when moving from one domain to another.

Another interesting and growing challenge is that of recognizing, tracking, and incorporating traf-fic between virtual server instances as part of the service delivery chain. For many network-based end-to-end performance monitoring tools, this is a blind spot, due to the fact that traffic and conversations may be taking place between virtual machines on the same physical server. Further aggravating the situation is the advent of virtual machine movement, whereby execution elements may be relocated in order to load balance computing capacity, and creating a significant challenge for performance monitoring continuity. In terms of depth, effective performance monitoring and trouble-shooting must incorporate all layers in the delivery stack. The lower layers of the OSI stack hold important information about the health of the underlying delivery infrastructure, including traffic structure details and error indicators that are the time-honored domain of network engineering and operations. But equally as important in modern networks are the details in the upper layers of the OSI stack, where applications communicate with each other, where application virtualization technologies can be seen, and where subtle (and often subversive) traffic like peer-to-peer and malware can be recognized.

Lastly, it is essential to adopt performance monitoring and management strategies that are inclusive of all types of traffic that will be present within the service delivery infrastructure at any point in time. This means not just Web traffic, but file transfers, routing protocol updates, IP voice traffic, client-server, database queries, transactions, video streaming, and protocols specific to industry verticals, such as financial trading or utility infrastructure controls. Without such comprehensive views, the interaction between various network-attached devices and applications cannot be fully understood, and hence the ability to troubleshoot all potential performance problems will be reduced.

Effective performance

monitoring and troubleshooting

must incorporate all layers

in the delivery stack.

It is essential to adopt

performance monitoring and

management strategies that are

Putting It All to Work

Making your technology and architectural selections for performance monitoring only gets you part of the way home. The other major aspect to consider is how the tools will be put to use across planning, engineering, and operations groups. Focus points here should be all about various aspects of efficiency, whether it be rapid identification of performance issues, powerful analysis for rapid and effective troubleshooting, or effective data organization and presentation for col-laborating between IT groups or with a partner, supplier, or customer.

A good means for breaking this down into features or capabili-ties that can be assessed is to consider solutions in terms of their support for workflow, integration, and administration. Workflow should include the ability to support smooth triage processes by identifying problems at a high level and then rapidly drilling down as needed, or isolate an issue and provide qualifying information in a readily understood format for handoff to cognizant person-nel outside of the networking team. Integration means the ability of a product or solution to share information with other management tools, in order to reduce communications barriers and improve collaborative effectiveness, and consistency within a suite of products in terms of user interface and task process. Administration needs include simple and rapid deployment, short learning curves for product end users, as well as vendor relations topics such as quality and availability of support.

Lastly, performance monitoring and management solutions should address the full lifecycle of IT services and applications. This means providing not only live production operations support, but also long-term and historical reporting and trending for use in capacity planning, engineering, and compliance auditing. Ideally, the solution should also assist in pre-deployment activities such as quality and interoperability testing, characterizing/baselining existing production environments, and monitoring pilot programs.

EMA Perspective

ENTERPRISE MANAGEMENT ASSOCIATES® _{(EMA™) analysts advocate organizational} advancement towards service-oriented integrated management practices, and application-aware performance management is a keystone to such objectives. EMA believes that the network-based packet viewpoint is an essential foundational element for achieving enlightened operations, and considers WildPackets to be one of the few management technology providers that offers a solu-tion to cover a substantial majority of the performance management requirements and priorities detailed in this paper. The basic value of their packet-facing troubleshooting tools has a strong endorsement in their adoption by Cisco’s worldwide product support organization.

The systemic, organization-wide viewpoint is also essential, and again WildPackets covers most needs. Their instrumentation supports all currently deployed Ethernet speeds, up to and including full-duplex 10 Gigabit, as well as WAN and wireless (both 802.11a/b/g/n and Wi-Fi). Integral support for VoIP, Video, and wireless within same tools brings big value in closing the gaps between these popular and growing new technologies and existing, legacy management

capabili-Consider solutions in terms

of their support for workflow,

Page

Essentials for Assuring Network and Application Performance ©2009 Enterprise Management Associates, Inc. All Rights Reserved.

ties. Wireless monitoring is a point of particular strength for WildPackets, as evidenced by their partnership with Aruba. And for those locations where direct packet-based instrumentation is not available, integrated support for NetFlow adds flexibility for building application awareness. Additionally, the OmniVirtual software probe covers the blindspots created by virtual server instances, and in particular, the communications between virtual machines that may not always transit hard network links.

With respect to workflow, WildPackets has introduced the WatchPoint platform for enterprise-wide performance monitoring and reporting. WatchPoint can gather data from across all portions of a complex network, drawing information from direct packet instrumentation as well as NetFlow streams. WatchPoint provides a starting point for efficient top-down problem identification and localization, combined with tightly integrated workflow for drill-down diagnostics. Further, WildPackets has added features to empower customers to conduct network characterization and what-if planning analysis, bringing added proactive lifecycle value to their solution.

Finally, all sizes of organizations today need access to the high impact of packet-based performance monitoring and analysis tools. WildPackets brings solid technology solutions of this type to bear at a total cost point that is reachable by a broad range of IT teams. EMA would like to see WildPackets continue to push their capac-ity and capabilities in terms of performance and scalabilcapac-ity of the WatchPoint reporting engine, including the development of more intuitive reports that would aid collaboration with non-technical constituents. Their solutions would also benefit from going beyond their current SDK to formal-ize tighter integrations with other network, service, and application management tools to improve impact and effectiveness across the lifecycle of IT services and applications. Further, additional support for IP-based video technology protocols and applications would serve well to support their customers in embracing this important, transformational technology.

In conclusion, EMA believes that IT organizations seeking to improve application awareness as a means of developing service-oriented practices should actively investigate network-based, packet-capable performance monitoring and management suites, and would be well-served to include solutions from Wild Packets in that process.

About WildPackets

WildPackets develops hardware and software solutions that drive network performance, enabling organizations of all sizes to analyze, troubleshoot, optimize, and secure their wired and wireless networks. WildPackets products are sold in over 60 countries and deployed in all industrial sectors. Customers include Boeing, Chrysler, Fidelity, Motorola, Nationwide, and over 80 percent of the Fortune 1000. WildPackets is a Cisco Technical Development Partner (CTDP).

All sizes of organizations today

need access to the high impact

of packet-based performance

monitoring and analysis tools.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and “Enterprise Management Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries.