
New approaches and new opportunities for network infrastructure monitoring
16.05.2022


Ruslan Rakhmetov, Security Vision


We live in a world where digital technologies are more important than ever. Any new improvement in IT can be a significant advantage for a business, make it stand out from the crowd and bring in a lot of profit. At the same time, there are areas of IT infrastructure that are not developing as fast as we would like due to the huge amount of legacy data that has been accumulated over decades. In our article we want to talk about network technologies, and specifically about network infrastructure monitoring tools.


There is a good joke in one good book: how did the console for managing network equipment change between 1995 and 2020? In 1995 you connected to the equipment over telnet (an unencrypted channel); in 2020 you connect over ssh (an encrypted channel). In other words, most network equipment in large infrastructures is still managed through a CLI (command line interface), which looks very strange in the modern world. An example of the Cisco network equipment CLI is shown in Figure 1.


Figure 1


Meanwhile, most other IT mechanisms have a convenient graphical interface; progress has bypassed this vital part of the IT infrastructure.


One of the most important aspects of the network is monitoring, which allows you to keep track of the actual parameters of routers, switches, firewalls, etc. Knowing the current parameters of network equipment allows us to understand its load and confirm that it is operating correctly. This information allows us to predict the growth of the network device fleet and determine the causes of failures or performance degradation.


Let's consider what mechanisms for collecting data from network equipment are currently available:

  • SNMP;
  • Syslog;
  • Flows (NetFlow, sFlow, etc.).

Let's consider each one in detail.


SNMP (Simple Network Management Protocol) is a standard Internet protocol for managing and monitoring devices in IP networks. The first official documents for SNMP appeared in 1988, that is more than 30 years ago. Since then, versions 2 and 3 have appeared, but the data collection technology has not changed since. What can be collected with SNMP is the state of the equipment:

  • Traffic volume per unit of time;
  • Status of interfaces;
  • Delays in sending packets;
  • CPU and RAM load.

Syslog (system log) is a standard for sending and recording messages about events occurring in a system (i.e. creating event logs), used in computer networks operating over the IP protocol. For a long time syslog was used without any formal specification, which is why many mutually incompatible variants appeared. The first steps to solve this problem were taken in 2001, when the syslog protocol was described in RFC 3164, that is more than 20 years ago. What can be collected with syslog is events about device operation:

  • Errors;
  • Warnings;
  • Informational messages;
  • Messages for developers.
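The RFC 3164 format mentioned above is simple enough to parse by hand, and doing so shows what a collector actually gets from a device: a PRI field that encodes facility and severity, a timestamp, a hostname and the free-text message. The following parser is an added example written for this article, not code from the original page or from Security Vision; the sample lines are constructed in the style of Cisco IOS messages (which default to facility local7), and the rejection of lines with an out-of-range PRI or no PRI at all is the check a collector needs so that malformed input is flagged rather than silently dropped.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Facility (0-23) and severity (0-7) names as numbered in RFC 3164, section 4.1.1.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME MSG, where TIMESTAMP is "Mmm dd hh:mm:ss" (day space-padded).
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


@dataclass(frozen=True)
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    message: str


def parse_rfc3164(line: str) -> Optional[SyslogEvent]:
    """Parse one BSD-syslog line; return None for anything that is not well-formed."""
    m = _RFC3164.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                     # highest legal PRI: local7 (23) * 8 + debug (7)
        return None
    facility, severity = divmod(pri, 8)
    return SyslogEvent(FACILITIES[facility], SEVERITIES[severity],
                       m.group("ts"), m.group("host"), m.group("msg"))


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count events per severity and keep the lines that did not parse for review."""
    by_severity: Dict[str, int] = {}
    rejected: List[str] = []
    for line in lines:
        ev = parse_rfc3164(line)
        if ev is None:
            rejected.append(line)
            continue
        by_severity[ev.severity] = by_severity.get(ev.severity, 0) + 1
    return {"by_severity": by_severity, "rejected": rejected}


# Constructed sample lines in the style a Cisco IOS device emits (facility local7 by default).
SAMPLE_LINES = [
    "<187>May 16 10:15:01 core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down",
    "<188>May 16 10:15:03 core-sw1 %SYS-4-CONFIG_I: Configured from console by admin on vty0",
    "<190>May 16 10:15:09 edge-rtr2 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.50 started",
    "<999>May 16 10:15:10 edge-rtr2 bogus PRI value, must be rejected",
    "plain text without a PRI field",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_rfc3164(line))
    print(summarize(SAMPLE_LINES))
```

Note that the timestamp carries no year and no time zone, which is one of the practical weaknesses of the old format; a collector has to supply both from its own clock, so the device and the collector should be NTP-synchronised before the timestamps are used for incident reconstruction.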

NetFlow is a network protocol designed for network traffic accounting developed by Cisco Systems. There are different variations of this protocol from other vendors, but the data composition and collection algorithms are similar. NetFlow was developed for Cisco routers in 1996, that is more than 25 years ago. What can be collected with NetFlow is traffic information:

  • Source IP;
  • Destination IP;
  • TCP/UDP port of the source;
  • TCP/UDP port of the destination;
  • Outbound interface of network equipment;
  • Incoming interface of network equipment.
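To make the field list above concrete, here is a decoder for the NetFlow v5 export format, the Cisco variant most collectors still understand. It is an added example written for this article, not code from the original page or from Security Vision; the export datagram it parses is constructed inline (two flows, a DNS lookup and an SSH session) using the public v5 layout of a 24-byte header followed by 48-byte records. The per-interface byte totals at the end show how flow data overlaps with the traffic-volume counters that SNMP reports per interface.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List

# NetFlow v5 wire format (big-endian): 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class FlowRecord:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    input_if: int      # SNMP ifIndex of the interface the flow entered on
    output_if: int     # SNMP ifIndex of the interface the flow left on
    packets: int
    octets: int


def parse_netflow_v5(datagram: bytes) -> List[FlowRecord]:
    """Decode one NetFlow v5 export datagram; reject wrong versions and truncated packets."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < expected:
        raise ValueError(f"header announces {count} records but only {len(datagram)} bytes present")
    records: List[FlowRecord] = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, _flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = \
            V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(
            socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport,
            PROTO_NAMES.get(proto, str(proto)), in_if, out_if, pkts, octets))
    return records


def octets_by_input_interface(records: List[FlowRecord]) -> Dict[int, int]:
    """Per-interface inbound byte totals, the same figure SNMP ifInOctets would report."""
    totals: Dict[int, int] = {}
    for r in records:
        totals[r.input_if] = totals.get(r.input_if, 0) + r.octets
    return totals


def _record(src, dst, in_if, out_if, pkts, octets, sport, dport, proto) -> bytes:
    """Build one constructed v5 record (next hop, timing, AS and mask fields are dummies)."""
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                          in_if, out_if, pkts, octets, 1000, 2000, sport, dport,
                          0, 0, proto, 0, 0, 0, 24, 24, 0)


# Constructed datagram: two flows, a DNS lookup over UDP and an SSH session over TCP.
SAMPLE_DATAGRAM = (
    V5_HEADER.pack(5, 2, 360000, 1652688901, 0, 17, 0, 0, 0)
    + _record("10.0.0.5", "10.0.0.2", 1, 2, 2, 180, 53211, 53, 17)
    + _record("10.0.0.9", "10.0.1.7", 1, 3, 412, 61230, 41022, 22, 6)
)

if __name__ == "__main__":
    flows = parse_netflow_v5(SAMPLE_DATAGRAM)
    for rec in flows:
        print(rec)
    print(octets_by_input_interface(flows))
```

The length check matters in practice: NetFlow is carried over UDP with no integrity protection, so a collector that trusts the record count in the header without checking the datagram length will read past the buffer on a truncated or malformed packet.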

All of the above protocols were developed 20-30 years ago and were designed for a network infrastructure of a completely different scale. To see this, consider Jakob Nielsen's rather well-known law of Internet connection speed. According to this law, Internet connection speeds increase by 50% annually. Nielsen tracked the law from 1983 to 2014; the dots on the graph represent the different connection speeds he had over that period. In 1984 he used an old acoustic modem with a speed of 300 bits per second, in 1996 he connected to an ISDN line, and in 2014 he had a high-speed Internet connection with a speed of 120 Mbps. The graph is shown in Figure 2.


Figure 2


In order to achieve this impressive increase in speed, a huge amount of network equipment has been designed and implemented, with a constant increase in performance.


The main feature of such networks from a monitoring point of view is the fact that they generate a huge number of events. At the same time, when used, the monitoring system itself should not create a significant additional load on the network equipment, which is already heavily loaded. In addition, the complex service structure with overlay networks (e.g. VXLAN, EVPN, L3VPN), which have become widespread in recent years, is not supported by classical monitoring protocols. New approaches are required to monitor modern high-performance network equipment.


Let's consider Streaming Telemetry, an approach to collecting network equipment parameters that is gaining popularity. This technology is supported by almost all manufacturers of modern network equipment: Cisco, Juniper and Arista (which together hold more than 70 per cent of the market).


The key difference between SNMP and Streaming Telemetry is the method of data collection. SNMP uses a pull model, while Streaming Telemetry uses a push model. A monitoring system that operates using SNMP receives information from network equipment through queries, with a query-response cycle that can take from 5 to 10 minutes, while a monitoring system that operates using the new Streaming Telemetry features receives data by default without queries. This approach allows data to be collected online, ensuring that it is relevant and valuable: there is no delay in the data received, and changes in the network can be followed as they happen. In addition, the composition of the data received has been greatly expanded to support overlay networks and to enrich the available information on key protocols, in particular BGP and OSPF. An example comparison of the data acquisition frequency is shown in Fig. 3.


Figure 3


Currently, monitoring systems use SNMP, and between data requests they are virtually blind and can only guess what is happening with the network equipment. This time gap is unacceptable for quality data collection. Streaming Telemetry technology will allow providers, data centres and large organisations to solve this monitoring problem.
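The pull-versus-push difference described in the two paragraphs above can be put in numbers with a small simulation: take an interface that flaps briefly and later goes down for good, and compare what a poller sampling every 5 minutes records against what an on-change telemetry subscription delivers. This is an added example written for this article, not code from the original page or from Security Vision; the interface timeline, the 300-second poll interval (the lower end of the 5-10 minute cycle mentioned above) and the idealised zero-latency push are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Observation = Tuple[float, str]   # (seconds since start, oper status)


@dataclass(frozen=True)
class Transition:
    t: float          # seconds since the start of the observation window
    oper_status: str  # "up" or "down"


def state_at(timeline: List[Transition], t: float) -> str:
    """Interface state at instant t; the interface is assumed 'up' before the first transition."""
    state = "up"
    for tr in timeline:
        if tr.t > t:
            break
        state = tr.oper_status
    return state


def snmp_poll(timeline: List[Transition], interval: float, horizon: float) -> List[Observation]:
    """Pull model: sample the state every `interval` seconds and record only visible changes."""
    observed: List[Observation] = []
    last: Optional[str] = None
    for k in range(int(horizon // interval) + 1):
        t = k * interval
        s = state_at(timeline, t)
        if s != last:
            observed.append((t, s))
            last = s
    return observed


def telemetry_push(timeline: List[Transition]) -> List[Observation]:
    """Push model (on-change subscription): the device reports every transition when it happens."""
    return [(tr.t, tr.oper_status) for tr in timeline]


def poll_detection_delays(timeline: List[Transition], interval: float,
                          horizon: float) -> List[Optional[float]]:
    """For each real transition: seconds until a poll reveals it, or None if polling never sees it."""
    changes = snmp_poll(timeline, interval, horizon)[1:]   # drop the initial baseline sample
    delay_by_index: Dict[int, float] = {}
    for t_poll, _ in changes:
        # the transition a polled change reflects is the latest one at or before that poll
        idx = max(i for i, tr in enumerate(timeline) if tr.t <= t_poll)
        delay_by_index.setdefault(idx, t_poll - timeline[idx].t)
    return [delay_by_index.get(i) for i in range(len(timeline))]


# Constructed timeline: a 40-second flap at t=100 s, then an outage at t=700 s that persists.
FLAP_TIMELINE = [Transition(100, "down"), Transition(140, "up"), Transition(700, "down")]
POLL_INTERVAL = 300   # seconds: the lower end of the 5-10 minute query cycle
HORIZON = 1200        # seconds of observation

if __name__ == "__main__":
    print("polled :", snmp_poll(FLAP_TIMELINE, POLL_INTERVAL, HORIZON))
    print("pushed :", telemetry_push(FLAP_TIMELINE))
    print("delays :", poll_detection_delays(FLAP_TIMELINE, POLL_INTERVAL, HORIZON))
```

With these inputs the poller never sees the 40-second flap at all (both of its transitions fall between the 0 s and 300 s samples) and reports the real outage 200 seconds late, while the push model delivers all three transitions at the moment they occur. Shortening the poll interval to 10 seconds makes the poller catch everything, which is exactly the trade-off the article points at: the pull model can only close the blind window by querying more often, and that extra load lands on equipment that is already busy.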

