Network Visibility Briefs

Understanding Link Aggregation

Link aggregation is a way of bundling a bunch of individual (Ethernet) links together so they act as a single logical link. For link aggregation, physical ports must reside on a single switch. Split Multi-Link Trunking (SMLT) and Routed-SMLT (RSMLT) remove this limitation and physical ports are allowed to connect/split between two switches. If you have a switch with a whole lot of Gigabit Ethernet ports, you can connect all of them to another device that also has a bunch of ports and balance the traffic among these links to improve performance.

Link aggregation uses software to combine two to eight physical interfaces at layer 2 or layer 3 of the OSI model. The goal is to have the multiple physical links act as a single logical interface. The most important feature of link aggregation is its ability to enhance or increase the network capacity while maintaining a fast transmission speed and not changing any hardware devices, thus reducing cost. Link aggregation brings traffic together from separate sources or locations and forwards the traffic as one stream to a single monitoring tool. Link aggregation can be enhanced further by using traffic replication, which allows the same traffic stream—aggregated traffic in this case—to be sent to more than one monitoring tool.

It can be used for visibility of both sides of a link over a single interface. Aggregation is used to accomplish two key tasks. The first is to increase overall bandwidth between two switches or servers where the logical aggregate interface is configured. This can eliminate bottlenecks by allowing data to be transmitted and received over multiple interfaces. The second key reason to use link aggregation is to eliminate any single points of failure between switches. You can lose one or more physical interfaces on a logical aggregate interface, but as long as one physical connection is up and operational, you maintain connectivity. Link aggregation provides fast and transparent recovery in case one of the individual links fails.

Link Aggregation also supports network load balancing. Different load balancing algorithms are set by network engineers or administrators. Furthermore, network speed is increased by small increments, saving both resources and cost. Link aggregation can affect how efficiently connected tools operate. When monitoring tools require great network visibility to perform efficiently, consolidating the traffic from many locations and sources is valuable to those tools. When link aggregation is combined with traffic replication, the copies of the same combined traffic can be forwarded to different analysis tools.

Cubro’s Aggregation TAP series combine traffic into two of more traffic streams, each of which has the aggregated data from the duplex flows and allow network staff to monitor a full duplex connection with a single monitoring tool.

Bypass Switches

A bypass switch (or bypass TAP) is a simple piece of hardware that allows you to connect inline security tools to your network – without the risk of network downtime. It provides a fail-safe access port for an in-line active security appliance such as an intrusion prevention system (IPS), next generation firewall (NGFW), etc.

Active, in-line security appliances are single points of failure in live computer networks because if the appliance loses power, experiences a software failure, or is taken off-line for updates or upgrades, traffic can no longer flow through the critical link. The bypass switch or bypass tap removes this point of failure by automatically 'switching traffic via bypass mode' to keep the critical network link up. These switches safeguard a network with automated failover protection, preventing temporary tool outages from escalating into costly network outages.

A bypass switch has four ports. Two network ports create an in-line connection in the network link that is to be monitored. This connection is fully passive; if the bypass switch itself loses power, traffic continues to flow unimpeded through the link. Two monitor ports are used to connect the in-line monitoring appliance. During normal operation, the bypass switch passes all network traffic through the appliance as if it were directly in-line itself. But when the in-line appliance loses power, is disconnected, or otherwise fails the bypass switch passes traffic directly between its network ports, bypassing the appliance, and ensuring that traffic continues to flow on the network link.

Bypass switches can detect when an inline tool has failed or lost power through heartbeat packets. Heartbeat packets are signals sent from the bypass switch, through the inline tool at regular intervals. If a packet doesn’t make it back to the bypass switch, the inline tool is assumed to have failed, and network traffic is rerouted.

Cubro Bypass Switches are deployed between network devices and in front of security tools, providing a reliable separation point between the network and security layers. They lead to comprehensive support of network and security tools without the risk of network interruptions. Bypass Switches enable multiple security tools to process traffic from a single network link.

Advantages of using Cubro external bypass switch:

  • Keeps network traffic flowing when the in-line appliance fails.
  • Allows the in-line appliance to be removed or serviced without impacting network traffic. For example, an IPS can be taken offline for upgrades, maintenance or troubleshooting
  • The in-line appliance can be moved from one network segment to another without impacting network traffic.

Cubro's (GUI) for configuring NPBs

Network Packet Brokers are important tools which perform a number of network visibility tasks. They simplify complicated network problems because trying to connect every tool to every network device is very complicated and expensive. Configuring NPBs via command line interfaces can be tedious and error prone. Cubro Network Packet Brokers have a graphical user interface (GUI) in addition to a traditional command line interface (CLI) which makes it easier for customers to set up and use their Cubro devices.

Definition of GUI:
A GUI is a graphical (rather than purely textual) user interface for a computer system. The term came into existence because the first interactive user interfaces to computers were not graphical; they were text-and-keyboard oriented and usually consisted of commands which had to be remembered and computer responses that were infamously brief. The command interface of the DOS operating system is an example of the typical user-computer interface before GUIs arrived. An intermediate step in user interfaces between the command line interface and the GUI was the non-graphical menu-based interface, which lets the user interact with using a mouse rather than by having to type in keyboard commands.

Cubro’s GUI features for NPB users:

  • Makes creating monitoring filters more fault-proof – The traditional command line interface uses many commands and there are chances of mistyping or forgetting the commands. Keeping track of long command line can be difficult. Customers find it much easier to use the WebGUI as it removes some sources of error.
  • Makes testing and troubleshooting filters more efficient – The filters which are created in NPB require testing to ensure they pass the correct data. WebGUI makes this process much efficient and faster.
  • Makes provisioning of SPAN sessions faster – Creating SPAN sessions using command line interface requires typing several commands. It can be done much faster using the WebGUI.
  • Makes filter-changing process quicker – When the connections between the tools and NPBs are changed, it often requires changing filter rules. This is done much quicker with the WebGUI rather than using the command line interface.
  • No special training required – For using Cubro’s WebGUI, customers do not need any special training. The graphical interface is simple to use and can be used by a highly skilled engineer to even a junior engineer.

Cubro’s Sessionmaster for Data Centers

The increasing sophistication of network equipment and design combined with the increased traffic on those networks has changed the face of network management. With the advanced application-level traffic-shaping techniques, network hardware can now slice and dice distinct data flows and treat them accordingly. This increasing focus on Layer 4-7 services requires more sophisticated network monitoring. Some businesses need monitoring for certain functional needs whereas there are other cases where it is required for security and law requirements. Some of the typical functional use cases include a recording of conversations. For e.g. recording of an executive’s conversation with the customer to provide feedback/improvement suggestions or for providing training to new staff.

All the businesses which need monitoring would need the deployment of a specialized Intelligent Network Packet Monitoring solution, a Network Packet Broker (NPB). There are multiple ways in which the NPB can be deployed. One method of classification is inline, wherein the NPB sits in the path of the traffic and performs certain functions. This method is suitable for the deployment where the throughput needs are not very high and the application is not latency sensitive. However, in deployments where there is high throughput and low latency requirement an offline method is chosen, wherein the data packets are mirrored on the SPAN ports and sent to the device which is sitting on the side rather than inline.

Challenges for Data Center:
Networks are critical for traditional uses: client/server communications, server/storage data transfer, and long distance communications for branch or internet access. In these traditional uses, the computational workloads or storage tended to reside on one side of the connection, and the network was used to access the results. In more modern workloads, the computation and data are distributed. By examining and controlling the network, we can place better controls over program behavior, and gain visibility over their actions.

Perhaps one of the significant challenges that today’s data center pose is of identifying the correct mirroring point in the scenario of East West Traffic, i.e. the traffic that flows within the data center. For North South Traffic, i.e. the traffic coming in and going out of the data center, this challenge is not there, as we can enable the SPAN at the data center entry/exit point since that would be a single point through which all North – South traffic would flow. Day by day, the amount of East West Traffic is increasing and hence optimization of correct mirroring point can reduce the duplicate traffic flowing in the data center network.

Functions of a typical Network Packet Broker

  • Traffic/Packet Filtering – Analyze and store only those packets which are needed by applying packet matching rules.
  • Traffic/Packet De-duplication – Remove the duplicate packets that are being monitored
  • Load balancing - Load Balancing is another reason that makes Network Packet Brokers the prime devices to enhance network security. They effectively divide all the network traffic to their relevant monitoring tools.
  • Removal of Repetitive Data - During the deep packet inspection process, a Network Packet Broker checks each packet for redundant or repeating data. It removes all such packets that contain redundant data, which ultimately saves your monitoring tools from being overloaded. During this secure removal process, original packets remain intact without having to face the threat of data compromise or data loss and are successfully delivered to the monitoring tools.
  • Optimization of Packets - Apart from deep packet inspection and the ability to remove repetitive data packets, Network Packet Brokers optimize the packets in a number of other ways, including conditional packet slicing and time stamping. Optimizing packets allows monitoring tools to function more effectively and efficiently.

Advantages of Cubro’s Sessionmaster for Data Centers:

Best practice recommendations around NPBs include finding a solution that delivers true link layer visibility. In some cases, this simply means implementing tools to monitor network devices and individual links. In other cases, monitoring all the way to the application layer is required.

Cubro’s Session Master offers the ability to monitor network-only functions or monitor and alert on both network and application issues that arise. Deep Packet Inspection (DPI) is a technology by which a deeper examination of the packet, up to the Layer 7 can be performed.


Defining Layer 7 Visibility

The Open Systems Interconnection (OSI) model, developed by the International Standards Organization (ISO), divides network communication into seven layers. Layers 1-4 are considered the lower layers, and mostly concern themselves with moving data around. Layers 5-7, the upper layers, contain application-level data. Networks operate on one basic principle: "pass it on." Each layer takes care of a very specific job and then passes the data onto the next layer.

Layer 1 is called the physical layer, layer 2 is the data link layer, layer 3 is defined as the network layer, layer 4 is transport layer, layer 5 is referred to as session layer, layer 6 is the transport layer and layer 7 is application layer. OSI Model, Layer 7, supports application and end-user processes. This layer refers to the top communication layer, supporting applications and end-user processes. Communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified. Everything at this layer is application-specific. This layer provides application services for file transfers, e-mail, and other network software services. Telnet and FTP are applications that exist entirely at the application level.

Layer 3 or Layer 4 network visibility solutions are limited to basic attributes, such as source and destination IPs, protocol types, and the number of active connections. These must be known in order to route network packets, but they offer no data about the packets’ actual payload. Whereas with layer 7 visibility, a user can gain insight into client type, request destination, a number of consecutive requests, etc.

Layer 7 visibility offers granular information to a security solution, which differentiates between legitimate users from malicious DDoS bots. In a load balancing context, Layer 7 visibility helps the user understand the exact load being transferred which is critical information for all traffic distribution decisions. It lets the system assess each server’s response time and then use this data as an indication of availability. The result is optimal load distribution, as opposed to hit or miss alternatives.

Layer 7 visibility is also useful for server health checks. With a layer 7 failover solution, a user is able to devise a more accurate health check process. For example, a user can set one up to monitor a specific URL that shows if the application’s database is up and running.

Introduction to VLANs

Virtual LANs (VLANs) allow network administrators to subdivide a physical network into separate logical broadcast domains. A VLAN might comprise a subset of the ports on a single switch or subsets of ports on multiple switches. By default, systems on one VLAN don't see the traffic associated with systems on other VLANs on the same network. On a Layer 2 network, all hosts connected to a switch are members of the same broadcast domain and broadcast domains can only be physically separated across different switches by routers.

Ports on switches can be assigned to one or more VLANs, allowing systems to be divided into logical groups. For example, they can be divided based on which department they are associated with and based on rules to be established about how systems in the separate groups are allowed to communicate with each other. These can range from the simple and practical (computers in one VLAN can see the printer on that VLAN, but computers outside that VLAN cannot), to the complex and legal (e.g., computers in the trading departments cannot interact with computers in the retail banking departments.

As VLANs are a Layer 2 protocol, Layer 3 routing is required to allow communication between VLANs, in the same way, a router would segment and manage traffic between two subnets on different switches. In addition, some Layer 3 switches support routing between VLANs, allowing traffic exchange to occur at the core switches and as a result increasing performance by avoiding sending traffic through the router.

As networks scale, it becomes necessary to introduce multiple broadcast domains in order to segment traffic for performance, security or logistics reasons. Without the use of VLANs, this would typically require each network segment to have its own separate switch infrastructure, with one or more routers managing communication between each switch segment.

Some VLAN functions include:

  • Separating network management traffic from end user or serve traffic
  • Isolating sensitive infrastructure, services, hosts such as corporate users from guest users
  • Prioritizing or implementing Quality of Service (QOS) rules for specific services, such as VoIP Phones
  • Providing network services for different clients in an ISP, Datacenter or Office Building using the same switch and router infrastructure
  • Separating groups of hosts logically, irrespective of physical location—for example, allowing Human Resources employees to share the same network subnet and access the same network resources, regardless of their location within the building

Difference between optical TAPs and copper TAPs

A network test access point (TAP) is a simple device that connects directly to the cabling infrastructure to split or copy packets which can be used for analysis and security. It is a hardware component that connects into the cabling infrastructure to copy packets for monitoring purposes.

How TAPs work
Different TAPs have different network speed and therefore different cable structure. The network TAP is fixed between the two endpoint devices connected directly to each of them. This enables the TAP to see and copy the traffic and offer simple network visibility solution.

Simple steps on how to use a TAP

  • Place the TAP on a shelf or in a rack
  • Connect the cables (right ones)
  • Verify if it is working

TAPs are simple devices that run for years and are generally placed in secured locations. Once the traffic is tapped, the copy can be used for any sort of monitoring, security, or analytical use. TAPs can be standalone devices or integrated directly as a module inside a visibility node. In both cases, traffic is copied for monitoring, security, and analysis as the traffic continues to pass through the network unimpeded.

Optical splitters or Optical TAPs
Optical TAPs are made by connecting optical fibers. There is an optical splitter between the network port. The splitter splits an optical stream into two paths. A portion of the light continues onto its original destination; the second path is directed to a monitor port. These TAPs are available for a wide variety of speeds and cable types. Cubro’s optical TAPS have a speed of 1Gb, 10Gb, 40Gb and 100Gb.

Copper TAPs
A copper tap can be used onto any inline copper network link, delivering permanent monitoring access ports. The copper tap provides an out-of-band monitoring or security tool, with all traffic as if it were sitting inline. The taps send copies of traffic, including Layer 1 and Layer 2 errors, from each side of the full-duplex network link to its respective monitor ports. The copper taps have an advantage that they have no IP address and therefore they are eliminated from exposure to external attacks.

TAP failures
Most TAP failures are due to improper cabling. If the cables are mixed and matched incorrectly then the TAP does not work. Match each TAP to the cable type in use and never bend cabling beyond specifications. To make the usage simple, Cubro’s optical TAP has different coloured ports which make it easy for customers to use.

Cubro provides optical TAPs, Copper TAPs and aggregator TAPs which are designed to enable flawless in-line monitoring of 1G, 10G, 40G and 100G networks. These TAPs offer 100% visibility to link traffic to security and network monitoring tools. They are an extremely useful tool in eliminating high cost related to monitoring.

Scalability in Network Architecture

There is a surge in the network traffic and no industry is immune to being overwhelmed by data. Network visibility is a requirement for all industries ranging from financial corporations, telecom companies, shipping/logistics firms, retailers, pharmaceuticals, insurance, government and healthcare. And all are vulnerable to becoming constrained due to scalability issues.

With non- scalable tools, companies have limitations of the switches and therefore the architecture does not allow them to address all their network visibility concerns. As a result, they end up investing a huge amount in changing the entire network architecture.

If a company’s existing network monitoring setup consists of a limited number of network TAPs feeding a monitoring switch, the system provides limited visibility and is not scalable. Such a system is not capable of addressing regular microbursts in network traffic. The architecture also generates substantial duplicate packets that the switch is not equipped to eliminate, creating challenges in monitoring. In such cases, when a company has a requirement for installing new TAPs and new port SPANs to accommodate the network expansion, the old switch is not able to handle the load.

A scalable solution which offers multi-stage filtering, deduplication and other features help a network operate more efficiently. Customers can ease these problems by building scalable network monitoring solutions.

  • Tools which can intelligently aggregate data and precisely channel them to the appropriate monitoring tools without missing or dropping data, provide 100-percent visibility. Instead of using several TAPs, SPANs and tools, a scalable tool can gain 100 percent visibility on all data passing through it.
  • With a scalable solution, it is easy to add ports with the change in network traffic. Network expansion is easy to accommodate if there is room for adding more ports. A solution that consists of small boxes with low port count might patch a momentary need, but in the process of fixing one problem complexity has been added to the network.
  • As networks move from 1G to 10G speeds; and from 40G and 100G speeds; data centers would need new hardware if the ports on its monitoring switches aren’t able to handle the increase. This can cause network unavailability which can lead to dropped packets and loss of visibility. Data centers need tools which provide an easy migration path to future high-speed technologies.

Scalability and simplicity seem to go hand-in-hand. An elegant, well-designed network architecture makes scalable network monitoring possible. Cubro’s network packet brokers enable cost-effective network traffic scaling. With these network packet brokers, customers benefit from cost-effectiveness, scalability, and flexibility. Cubro’s advanced NPBs offer centralized visibility architectures that demand high performance, scale, and advanced traffic optimization features.

Towards a more transparent network…

In the recent years, the demand for network visibility tools has increased because they make existing monitoring tools work better and save costs for the users. Network Packet Brokers (NPBs) gather and aggregate network traffic from switch SPAN ports or network TAPs and then tap that traffic to enable the more efficient use of security and performance tools – inline and/or passive. They make existing security and performance tools work better, enabling users to get more out of their investments and lengthen the life of these tools.

The growing complexity of enterprise networks has created a need for more effective solutions to the issues related to a blind spot. Companies look for cost-efficient solutions that would cater to their specific needs of providing high port density, agility, security, scalability and network visibility. As a result, instead of adding new monitoring tools which lead to higher costs, added hours of configuration time and additional management complexities; the companies use NPBs which enable the migration to higher network speeds and increase the effectiveness of security and monitoring tools that are already in place.

Preventing failures is much more effective than repairing them especially when it involves providing a reliable and secure data environment to the customers. With proper visibility into your network, you can capture the data you need to prevent costly outages. NPBs provide comprehensive network visibility solutions for monitoring networks. The final goal of a visibility architecture is to be able to capture data smartly at regular intervals for troubleshooting or any other monitoring need.

These days the organizations are boosting network speeds up to 10 Gbps and higher, but have already invested significantly in security and monitoring tools that only work at 1 Gbps. This is another reason for the need for NPB as their load balancing capabilities provide for even distribution of packets from a single high-speed link to less expensive or already existing tools designed for lower throughput.

Cubro is among the leading vendors of TAPs and Network Packet Brokers (NPBs) and partner of the world’s largest telecommunication and enterprises with installations on all continents. Our mission is to provide simple, flexible and reliable network visibility solution to our customers. We successfully tailor our products to meet the exact requirements of the customers and offer excellent technical support at all stages.

Types of Cubro Network TAPs

Cubro’s wide range of network taps includes optical taps, BiDi (bidirectional) taps, flex taps, copper taps, converter taps and aggregation taps. Here’s a brief information of the different kind of taps.

Optical taps are used to connect a monitoring tool to the network without affecting the network link and performance, moving cables and interrupting traffic. These taps are completely passive so even if the tap loses power, it fails-open to ensure traffic continuity. Optical taps provide 100% visibility because they pass 100% of all network traffic without introducing bottlenecks or points of failure into your network design.

BiDi taps are fiber taps designed for use in Cisco 40G BiDi networks, specifically Application Centric Infrastructure (ACI). BiDi transceiver technology utilizes multiple wavelengths within a single cable so the standard fiber tap technology will not work.

Flex taps are built using fiber-optics and deliver 100% visibility into network traffic and permanent, passive access points while preserving top network performance. Flex Taps allows a user to effectively monitor network performance, avoiding issues of degradation and disruption. These taps are compatible with all protocols and monitoring devices and can be deployed at any inline connection on the network without increasing overhead or management workflows.

Copper taps (Cubro Copper 10/100/1000 TAPs) allows the uninterrupted pass through of full duplex data over standard Category 5/6 copper network cable. The taps duplicate the network signals, including any existing physical errors to the transmit-only monitoring ports. They feature auto-negotiating between 10Mbps, 100Mbps and 1000Mbps. The TAPs can also work as converter tap in Gbit mode, to convert copper signals to optical signals.

Convertor taps are developed based on the latest PHY chips. The taps are also a converter tap because the output ports are SFP, so the user can select which media he/she wants by changing the SFP. There are some special add-ons available - PoE powered and PoE transparent. With the advanced option, it is possible to look in the physical details and change some parameters for a faster recovery.

Aggregation taps are new intelligent TAPs for network data packets featured in high port density, diversified operation mode, flexible deployment and easy management and maintenance. With excellent adaption to a various network environment, the taps can provide telecommunication data for IDS, Network Protocol Analyser and Signalling Analyser in real time as needed.

Encrypted traffic SSL - Why network visibility matters for enterprises?

SSL-encrypted traffic is a fast-growing portion of all enterprise traffic. According to several research studies, approximately 25 to 35 percent of enterprise traffic is encrypted in SSL and the number is growing. In many networks, half of all internet-bound traffic is already encrypted (mostly HTTPS) and it is likely more than three-quarters of network traffic will be encrypted within the next couple of years. With an increasing number of advanced threats hiding in SSL traffic, it is more important than ever to monitor and manage encrypted traffic in an enterprise. Decrypting/inspecting SSL traffic has created a number of challenges for security and networking teams in enterprises.

What is SSL?
SSL stands for Secure Sockets Layer. It is the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems. SSL traffic is increasing because it is encrypted traffic and prevents criminals from reading and modifying any information transferred. The two systems can be a server and a client (for example, a shopping website and browser) or server to server (for example, an application with personal identifiable information or with payroll information).

It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. This information could be anything sensitive or personal like credit card numbers, telephone numbers and other financial information, names and addresses.

Challenges due to encrypted SSL traffic
Decrypting/inspecting SSL traffic has created a number of challenges for security and networking teams in enterprises. SSL-based malware entering a network can easily go undetected and exploit a host or series of hosts. And since the traffic is invisible, it is not possible for an enterprise to know how much traffic is encrypted on the network on a certain today. As a result, it is not easy to know if the monitoring tools are tackling the entire traffic. SSL decryption is required for data loss prevention and application performance monitoring.

Cubro Solution
Cubro Sessionmaster EXA series is the next development stage of Cubro’s product line of network packet brokers which offers the application of delivering SSL/TLS decryption to various inline and out-of-band monitoring and security tools. The Sessionmaster helps maximize the overall efficiency, security and performance of the network infrastructure. Due to the sensitivity of the data, the SSL decryption capabilities in Sessionmaster provides the ability to selectively decrypt traffic based on policies using a variety of parameters including IP address, ports, VLAN tags, domain names and URL categories.

What is IMSI Filtering?

IMSI Filtering with Cubro Sessionmaster
The International Mobile Subscriber Identity (IMSI) number is central to identifying users on a carrier network. It is a unique number that is assigned to a cell phone or mobile device to identify it on the GMS or UTMS network. Typically the IMSI number is stored on the SIM card of the mobile device and is sent to the network as required. An IMSI number is 15 digits long, and includes the Mobile Country Code (MCC), Mobile Network Code (MNC), and Mobile Station Identification Number (MSIN).

Why do we need IMSI Filter
IMSI is used to identify the user of a cellular network and is exchanged in GTP-control (GTP-C) sessions. GSC keeps track of the IMSIs that a mobile provider is interested in monitoring and correlates these to the corresponding data/user-plane sessions for the subscriber and/or group of subscribers. IMSI filtering is used for the following reasons:

  • To reduce the load on monitoring equipment
  • To prevent VIP and classified customers from monitoring
  • Either for small scale monitoring or to capture a single subscriber with Wireshark or similar tools

The challenge on IMSI filtering is the high load and the fact that the IMSI is not found in any packet depending on the network design and used technology (2G/3G/4G). The IMSI information is typical on a different logical and physical interface. To make IMSI filtering possible, aggregation, load balancing, session correlation and filtering functions must be combined.

The Cubro Sessionmaster can provide all these functions in one box. Look at this solution for up to 100 Gbit and one million IMSI filtered out (white list).

Mobile Network Monitoring Using a Probe

A monitoring probe is used to monitor LTE network. A probe is a device which can decode the traffic from the network and produce meta data records (XDR extended data records). The probe is connected via a TAP network and aggregation devices (Network Packet Brokers) to the different interfaces of the network. These interfaces should be logically and physically different to get a full view of the network traffic. All these different interfaces are analysed by a probe. These records are sent to a database. The database must be very powerful in terms of processing and storage in order to handle the huge amount of data. Such a system produces, even on a mid-size network, terabyte of data which means a billion of records per day. Typically, such a monitoring probe covers the layer 5 – layer 7 in the OSI stack. Mobile network monitoring provides protocol traces, call statistics, CDRs, information on bandwidth utilization and many KPIs.

Why is monitoring required?

Real time response to issues in the network is a key factor in attaining customer satisfaction. This can be achieved by network monitoring because it makes the network visible and enables network engineers to detect abnormalities. Monitoring is important to networks and this data can be used for several applications like:

  • Improving customer satisfaction
  • Network planning, trouble shooting and dimensioning
  • Detecting fraud and security related issues
  • Performance measurement -
    • SLA against Customers
    • SLA against other providers
    • SLA against network vendors

A good working monitoring system can save a lot of money and help to improve the performance. Mobile network monitoring is vital because all mobile operators want to maintain a superior quality of service.

Difference between Cubro Mobile Probe and FlowVista Probe

Cubro Probe is a passive device which receives network traffic from TAPs and Network Packet Brokers (NPBs) and extracts meta data. Cubro Probes can analyse and process the network business and signalling in real time. The Probe correlates this decoded information and generates XDRs (extended data records) which are sent to a database system where they are stored and presented by an application typically called monitoring systems. Each Cubro Probe can be customized based on customer requirement. The three main differences between the two types of Probes – Mobile Probe and FlowVista Probe – are based on the type of traffic, output format and depth of decoding.

The three main differences between the two types of Probes – Mobile Probe and FlowVista Probe – are based on the type of traffic, output format and depth of decoding.

Mobile Probe

  • Mobile Probe is only for mobile networks because of specific interfaces. This Probe cannot be used for other networks, for instance in a data center.
  • The output is proprietor XDR format and the user needs Cubro software to collect the data. However, our approach is still open and if a customer does not want to use our software for collecting the data, we can discuss a possibility which allows the customer to develop its own software.
  • The Mobile Probe decodes the signaling traffic to L7 and correlates the protocols to give a user full output. In addition, a user plan is decoded to layer 5 or 6. For example, you are able to know if a user is working on Skype or Whatsapp but you cannot see or analyse the content.

FlowVista Probe

  • FlowVista Probe can be used in all networks like data center, enterprise, etc including a mobile network on specific interfaces (GI an GN).
  • FlowVista Probe produces Netflow V9 CDR. This is a standardized format.
  • FlowVista Probe decodes the transport information up to L4 and can also do deep packet inspection (DPI) which means that if you look into the network traffic then you can see a lot of http and https traffic (L4) and find the applications which are transported inside http, for instance Skype, Whatsapp, telegram and many more (1000 different).

Features and Benefits of Cubro Sessionmaster

Cubro Sessionmaster filters and modifies traffic up to layer 7 (application layer) of the OSI model. The Sessionmaster works with network processors which are highly optimized processors for handling network traffic. Compared to the legacy processors, many network related functions are implemented in the hardware of the network processors and therefore the Sessionmaster can process large amount of data.

The maximum load on the Sessionmaster is 400 Gbit/sec. The other advantage of the Sessionmaster is the amount of rules (up to 1 Million) and the very fast change rate of rules per second (up to 12000). Cubro Sessionmaster can be used as an endpoint device or inline.

Sessionmaster features

  • Powerful Network Protocol Identifying
    • Pv4/IPv6, TCP/UDP/SCTP, HTTP, L7, etc
    • Gn/IuPS, S11, S1-MME/S1-U/S6a, etc
  • Ultra-detailed Traffic
    • Pv4/IPv6 5-tuple, LTE/3GPP 5-tuple in the tunnel,supporting mask /range
    • IP 7-tuple (dip, sip, dp, sp, pro, input port, vlan id)
  • Classification
    • Key words; key words + 7-tuple rules to make detailed classification
    • Gn, S1-MME, S11, S6a, S1-U, etc protocols in PSC/EPC
  • Traffic Classification Rule
    • 8 groups of 7-tuple ACL rules, each group containing 2048 IPv4 rules and 2048 IPv6 rules
    • 64 groups of key word rules, each group containing up to 128 key words
    • 2048 extensible IP rules
    • Millions of accurate 5-tuple rules (non-range and non-mask)
    • Real-time rule configuration and updating
  • Packet Processing
    • Time stamping, ns-level
    • Slicing
    • Replication
    • IP fragment reassembling
    • VLAN tag adding or deleting
    • Identifying GTP upstream and downstream traffic
    • GRE/GTP/MPLS header stripping
    • Packet order preserving
    • 4 GB data burst buffering
  • Filter on the inner IP addresses in any kind of non-encrypted tunnel like GTP, GRE, VXLAN, GENEVA, and so on.
  • Session and Service based load balancing (inner IP in a tunnel)
  • Filter on protocol flags for advanced trouble shooting, it is possible to match on any byte within the packet.