What is network visibility?
Network visibility is an awareness of the components and data within an enterprise computer network. The term is often used to refer to the various tools enterprises use to increase awareness of their data and other network contents.
Taking a proactive approach to network visibility allows enterprises to better monitor network traffic and network performance. It also serves as the foundation for a healthy network security infrastructure.
Network visibility allows companies to have more control over their networks and to make better decisions regarding data protection and flow.
Why is network visibility important?
Network visibility allows organizations to have a better awareness of the behavior of traffic on their networks, and can use it to improve the efficiency, security and performance of those networks. The growing volume and variety of data that typical enterprise networks carry make network visibility an increasingly important priority.
Enterprises are accountable for the data that travels on their networks. As this data becomes more complex, network monitoring becomes more difficult, and potential threats become more likely. Having network visibility allows the enterprise to parse noisy data environments and ensure sensitive data is accounted for and properly secured.
Enterprise network visibility challenges
Broad network visibility challenges involve adapting to the increasing speed and scale of modern enterprise networks without sacrificing performance. Below are some specific, common challenges organizations face in maintaining network visibility:
Remote work. Virtual private networks (VPNs) enable employees to work securely from a remote location but sacrifice the visibility that on-premises employee technology offers. Software-defined WAN (SD-WAN) presents a solution to this problem. Many enterprises let mobile users connect directly to the cloud, in which visibility will suffer.
Visibility blind spots. While the cloud and mobile offer considerable performance advantages, they create blind spots in a network visibility architecture. For example, it is difficult to measure application-level traffic to and from cloud data centers because cloud platforms often have their own communication protocols and security architecture.
Many traditional network monitoring tools and security measures don't work as well in the cloud, such as Simple Network Management Protocol (SNMP). This is because they may have been configured for on-premises networks before the rise of the cloud, and now cannot adapt to the new type of network.
Encrypted data. Encrypted network traffic makes up a considerable portion of modern network traffic and makes visibility more difficult. In some cases, it also conceals security vulnerabilities.
Visibility tool limitations. Visibility is usually maintained and monitored by a combination of network visibility tools, each with its own specific purposes and limitations. Modern network switches, for example, only come with a couple of switched port analyzer (SPAN) ports. Updating the physical network architecture may also make existing tools less effective, as they may lack the processing power for higher network bandwidths and throughputs. Also, network performance monitoring tools can be overloaded when fed data they can't parse, or too much data.
Complex networks. Modern networks consist of a wide spectrum of network monitoring and analysis tools such as firewalls, intrusion prevention systems, data loss prevention (DLP) and antimalware software. Linking these elements in an efficient way and maintaining performance while also making all data visible becomes more difficult as networks become more complex and have more network segments to account for.
Network visibility best practices
A good network visibility architecture should be scalable, sustainable and flexible.
- Scalability. Network visibility tools should be able to accommodate rising network connectivity speeds and the consequent increase in packet volume, as well as the general size of the network, including new geographical locations and infrastructure.
- Sustainability. Technologies used in a visibility architecture should be easily upgradable to accommodate increasing speeds and newer components of the network.
- Flexibility. Technologies used should be flexible and adapt to changes in the network on their own, so that maintenance and upgrade cycles occur less frequently.
Best practices for implementing and maintaining network visibility architectures include:
- Packet source selection. Network administrators should focus on collecting data from select points in the network with the most visibility into other parts -- instead of connecting to and monitoring every single packet source in the network. This keeps excess data to a minimum, and consequently keeps other network tools functioning properly.
- Choosing a packet access technique. In addition to choosing the source of packets for analysis and monitoring, administrators should decide which packets are watched and how they are watched. Common options for this are test access points (TAPs) for passive monitoring or SPAN ports on network switches for port mirroring functions. TAPs generally don't generate any load on the infrastructure but create a small but significant security vulnerability in the network. SPANs are considered to be more flexible than TAPs but have performance and bandwidth limitations.
- Passive vs. active deployment technologies. Administrators may opt for a passive approach that provides basic insights into performance or an active approach that allows administrators to reorganize traffic flow using the visibility technology.
- Accommodate virtual infrastructure. Specific technology may be required for accommodating cloud and mobile in a network, which creates new visibility challenges that traditional visibility tools fail to pick up on.
Top network visibility tools and vendors
Network visibility tools can be used to help monitor network performance, traffic, big data analytics and managed resources. Below are some commonly used network visibility tools:
- Network packet brokers (NPB). An NPB is a network monitoring tool that aggregates data from multiple points and distributes it through the network to network operations, application operations and security administrators. They help reduce the workload of network security tools like intrusion detection systems (IDS), which can be overwhelmed by large quantities of data. They do this by sorting and forwarding data to security and monitoring tools using context-aware data processing. They optimize the input other security tools receive so they can make better decisions. A good NPB is high performance and can scale to growing enterprise networks.
- SD-WAN. SD-WANs shift visibility from the traditional, appliance-centric approach to a software-defined approach. Network traffic is routed through a managed cloud service instead of an on-premises appliance, which improves performance and security by reducing network complexity and avoiding the inherent limitations of physical appliances like traditional firewalls. It provides a secure connection to cloud applications while maintaining visibility.
- Network TAPs. These are hardware devices inserted in the network at specific points to provide access to network traffic for testing and troubleshooting. It makes a copy of traffic and sends that copy to be used by another tool in the network without impeding the flow of traffic. Because they are hardware appliances, they have physical limitations, such as a limited number of ports. These are sometimes referred to as bypass switches.
Vendors commonly offer managed services as "visibility solutions" that combine several of the tools mentioned above and others. Some examples of network visibility vendors and their tools include the following:
- Keysight, which offers network packet brokers and network TAPs for insight into physical and software-defined networks;
- Niagara Networks, which offers TAPs, packet brokers and its Open Visibility Platform for hosting virtualized security and network applications; and
- Gigamon, which offers TAPs and aggregation nodes, both physical and virtual.