Implementing Cisco Networking Solutions

Network providing new insights

We have discussed the importance of the underlying network in the previous sections: it is critical both for the efficient delivery of packets and for enabling new experiences. The network also sees all traffic within the organization and therefore knows which users are communicating with whom. We learned in Chapter 1, Network Building Essentials, that the intermediate devices in the network, typically routers, operate at layer 3 of the OSI stack. They forward every IP packet and are therefore a rich source of information about user behavior. By collecting information about the packets traversing the network and analyzing it, we can gain deeper insight into how the network and its users behave. Note that we are not collecting or snooping on the actual payload; we only look at the layer 3 information available in the IP headers. If we run protocols such as NetFlow, we also get layer 4 information about each flow, for example, TCP and UDP port numbers, which can be used to infer the type of application running on the network (this is an approximation: applications that use non-standard ports, or that tunnel over HTTPS, are not reliably identified by port alone). Additional telemetry, such as interface counters and device health, can be retrieved from the network devices using protocols such as SNMP.

This analysis of telemetry data to gain insights is called Network Behavior Analysis (NBA). NBA can answer questions such as which user groups are talking to which other user groups; which applications consume the most bandwidth on the network; which servers send the most data on the network; and which applications are used by different users or user groups.

By collecting this data over a period of time, the network can be baselined with respect to the normal types of traffic on the network and the normal behavior of each user: the applications they use, the servers they access, and the volume of traffic they typically send. Newly collected data is then compared against this baseline to detect significant deviations in traffic volume or user behavior, or new applications appearing on the network. This gives security teams valuable signals for detecting virus or worm propagation, suspicious user behavior that may indicate a data leak, or unauthorized access to a set of network resources, and for determining whether network resources are being used for business-critical applications, so that corrective action can be taken. Two caveats apply in practice: the baseline must be built from a period that is known to be clean, otherwise ongoing misuse becomes part of "normal", and it must be refreshed as legitimate usage changes, or the number of false alarms will grow over time.

The data analysis can be augmented by adding context to the data, in particular which IP addresses are allocated to which users (for example, from an Active Directory or DHCP server), so that findings name users rather than addresses. The resulting actionable information can then be passed to applications that take corrective action by reconfiguring the network devices. In an SDN environment this complete cycle can be automated, as shown in the following figure:

Figure 4: The network data loop
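The following script is an added example, not code from the book or from any Cisco product, that walks through the loop described above on constructed data: it parses a small CSV-style export of NetFlow-like records, builds a per-user, per-destination-port baseline over a few days, flags volume deviations and previously unseen applications in a new day's flows, and enriches each finding with a user name from a hypothetical IP-to-user directory standing in for an AD lookup. All addresses, byte counts, the `USER_DIRECTORY` map and the `APP_BY_PORT` labels are assumptions made for the example.

```python
"""Toy network behaviour analysis (NBA) over NetFlow-style flow records.
Added example with constructed data; not the book's or any vendor's code."""
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO
from statistics import mean, pstdev

# Constructed flow export (day,src,dst,dport,bytes), shaped like a CSV dump
# of NetFlow records. Not a real capture.
BASELINE_CSV = """day,src,dst,dport,bytes
1,10.1.1.10,10.2.0.5,443,100000
1,10.1.1.10,10.2.0.6,445,50000
1,10.1.1.11,10.2.0.5,443,80000
2,10.1.1.10,10.2.0.5,443,120000
2,10.1.1.10,10.2.0.6,445,50000
2,10.1.1.11,10.2.0.5,443,90000
3,10.1.1.10,10.2.0.5,443,110000
3,10.1.1.10,10.2.0.6,445,50000
3,10.1.1.11,10.2.0.5,443,100000
"""
TODAY_CSV = """day,src,dst,dport,bytes
4,10.1.1.10,10.2.0.5,443,115000
4,10.1.1.10,10.2.0.6,445,5000000
4,10.1.1.10,203.0.113.9,6667,2000
4,10.1.1.11,10.2.0.5,443,95000
"""

# Constructed IP -> user map, standing in for an AD/DHCP lookup (assumption).
USER_DIRECTORY = {"10.1.1.10": "alice", "10.1.1.11": "bob"}
# Port -> application labels; only an approximation of the real application.
APP_BY_PORT = {80: "http", 443: "https", 445: "smb", 3389: "rdp", 6667: "irc"}


@dataclass(frozen=True)
class Flow:
    day: int
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass(frozen=True)
class Finding:
    kind: str        # "volume_anomaly" | "new_application" | "new_for_user"
    user: str
    src: str
    dport: int
    app: str
    observed: int    # bytes seen today for this (src, dport)
    expected: float  # baseline mean (0.0 when there is no baseline)


def parse_flows(text):
    """Parse the CSV export into Flow records."""
    return [Flow(int(r["day"]), r["src"], r["dst"], int(r["dport"]), int(r["bytes"]))
            for r in csv.DictReader(StringIO(text))]


def daily_totals(flows):
    """(src, dport) -> {day: total bytes}; the unit the baseline is built on."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[(f.src, f.dport)][f.day] += f.nbytes
    return totals


def build_baseline(flows):
    """Per (src, dport): mean and spread of daily bytes over the baseline window.
    Days with no traffic count as 0, and the spread is floored at 20% of the
    mean so a perfectly flat history does not alert on every byte of change."""
    days = sorted({f.day for f in flows})
    baseline = {}
    for key, per_day in daily_totals(flows).items():
        series = [per_day.get(d, 0) for d in days]
        mu = mean(series)
        baseline[key] = (mu, max(pstdev(series), 0.2 * mu))
    return baseline


def detect(baseline, today_flows, k=3.0):
    """Compare today's per-(src, dport) totals against the baseline."""
    known_ports = {dport for (_, dport) in baseline}
    findings = []
    for (src, dport), per_day in daily_totals(today_flows).items():
        observed = sum(per_day.values())
        user = USER_DIRECTORY.get(src, src)            # context enrichment
        app = APP_BY_PORT.get(dport, f"tcp/{dport}")
        if (src, dport) not in baseline:
            # Port never seen anywhere = new application on the network;
            # seen elsewhere but not for this user = new behaviour for the user.
            kind = "new_application" if dport not in known_ports else "new_for_user"
            findings.append(Finding(kind, user, src, dport, app, observed, 0.0))
            continue
        mu, sigma = baseline[(src, dport)]
        if observed > mu + k * sigma:
            findings.append(Finding("volume_anomaly", user, src, dport, app, observed, mu))
    return sorted(findings, key=lambda f: (f.user, f.dport))


def top_talkers(flows, n=3):
    """Hosts sending the most bytes, one of the plain NBA insights in the text."""
    by_src = defaultdict(int)
    for f in flows:
        by_src[f.src] += f.nbytes
    return sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


BASELINE_FLOWS = parse_flows(BASELINE_CSV)
TODAY_FLOWS = parse_flows(TODAY_CSV)

if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for f in detect(base, TODAY_FLOWS):
        print(f"{f.kind:16} {f.user:6} {f.src} -> {f.app}: "
              f"{f.observed} bytes (baseline {f.expected:.0f})")
    print("top talkers:", top_talkers(TODAY_FLOWS))
```

On the constructed data, alice's SMB traffic jumps from a steady 50 KB per day to 5 MB and is reported as a volume anomaly, and her connection to an IRC port never seen on the network before is reported as a new application; bob's HTTPS traffic stays within its band and produces nothing. The floor on the spread and the threshold `k` are the knobs a team tunes against its own false-alarm budget; a real deployment would also age the baseline as discussed above rather than keep a fixed window.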