Network Monitoring Appliances (NMA)
The phrase “network monitoring appliance” is a generic term that can be used in many contexts, and the device is often called by other names. In this paper we consider a network monitoring appliance (NMA) to be any hardware-centric device that receives network packets from some other device (e.g. network TAP, Ethernet switch SPAN port) and then analyzes those packets with software for some specific network, security or quality of service related purpose. Figure 1 provides a high-level view of some typical NMAs and their general application categories.
Figure 1: Network Monitoring Appliances (NMAs)
The purpose of these appliances runs the gamut from tracing a hacker after a security breach, to network troubleshooting, to measuring the quality of voice and video traffic. A common trait of these appliances is that they are passive, or work in “offline” mode. In other words, they receive packets that have been replicated from the production network, typically by a network TAP or Ethernet switch SPAN port, and therefore are not operating on live traffic.
There is a class of appliance called an “Intrusion Prevention System” or IPS that operates on live network traffic and attempts to identify malicious activity (typically based on some signature or pattern that has been previously identified) and block it. A unique requirement for an in-line IPS is a bypass switch, which “fails open” so that live network traffic is not blocked if the appliance fails. While this type of device could certainly be considered an NMA, in this paper we are more focused on NMAs that capture large volumes of traffic (and often include local storage) in an offline mode and do some deep software analysis on the captured traffic. With that definition in mind, an “Intrusion Detection System” (IDS) is closer to what we are focused on. IPS and IDS, however, are very closely related, and sometimes people lump them together and just call them an IDPS.
Marketing departments and industry analysts routinely coin new terms and related acronyms to spice up the conversation, but these can add confusion if not clearly understood. We will try to demystify some of these terms in order to provide a clearer picture of the market landscape.
Network monitoring appliances (NMAs) are sometimes referred to as “probes”, presumably because they are used to search into or thoroughly examine the packets which traverse a computer network. While the term “probe” is still occasionally used to reference an NMA, it isn’t the most commonly used word and thus may not provide the clearest description.
“Network sensor” is another term you might hear to refer to an NMA. This is a descriptive term and it is true that an NMA “senses” the state of network traffic. However, this term is not preferred because it can be easily confused with a wireless network sensor that is used to monitor physical or environmental conditions such as temperature, sound, or pressure.
Sometimes network monitoring appliances are generically referred to as “tools”. This is presumably because these appliances come in many flavors and perform various functions such as troubleshooting, security or video quality analysis. This term, however, is perhaps too generic, as it can be applied to almost any piece of hardware or software.
Gartner has coined the term “Network Performance Monitoring and Diagnostics” (NPMD) and even has a magic quadrant to rank vendors in this market. This term is lacking for a few reasons. First, it largely ignores the security aspect of the network monitoring market in favor of the troubleshooting or fault isolation aspects. Second, it overlaps with the application performance monitoring (APM) market, which is less about packet analysis and more about tracking the end-user performance of application components. According to Gartner: “APM differs from NPMD primarily in its focus on monitoring the quality of the end-user’s experience via application interactions across all application and infrastructure tiers, including, but not limited to, the network perspective”. To further complicate the matter, Gartner has also coined the term “Application-Aware Network Performance Monitoring” (AA-NPM), which contains certain aspects of APM and is considered a subset of NPMD. All of these different categories seek to slice and dice the market across different dimensions but don’t seem to capture the high-level essence of what these products provide.
Perhaps the easiest and most straightforward way to capture the essence is simply as “network monitoring appliances”. These three words are plenty descriptive. The word appliance clearly communicates that we are referring to something that is hardware-centric as opposed to pure software. Appliance evokes the image of something you purchase from a vendor and install in a rack in your network, which is precisely what you do with these products. And finally, the dictionary definition of the verb monitor is: “to watch, keep track of, or check usually for a special purpose”. This definition clearly describes that these appliances watch the traffic in a network and keep track of what is occurring in the network, all for a special purpose such as troubleshooting, security or video quality analysis.
We will conclude with our concise definition of a network monitoring appliance (NMA): a hardware-centric device which captures packets from a live network and analyzes them with software for some specific network, security or quality of service related purpose.