I read this article about network monitoring and thought it had some valuable
content and was fitting, since Waident will be launching a new enterprise class network monitoring solution soon
called Waident Watch.
Within the next few months, we will be
integrating new technology that will allow us to cost effectively
remotely monitor all of our clients' technology and proactively respond to
anything that may arise. We will be able to monitor servers, routers,
Internet connectivity, desktops, printers, BlackBerrys, copiers,
anything with an IP address. We will also be able to keep historical
data and report on current and past performance, run software updates, and do Microsoft security scans and updates.
Waident will always remain in the business of responsively supporting
people, and not just the technology, but with the new tools, we can
better ensure that people will remain as productive as possible with a
very secure and stable infrastructure.
More details on Waident Watch coming soon.
Ignorance is not bliss, especially when it comes to knowing what's happening on
your network. Learn the basics of network monitoring systems, and what these
applications and hardware appliances can do to optimize your corporate
infrastructure.
By Alyson Behr
August 28, 2007 — CIO
What is network monitoring?
Network monitoring for a corporate network is a critical IT function that can
save money in network performance, employee productivity and infrastructure cost
overruns. A network monitoring system monitors an internal network for problems.
It can find and help resolve snail-paced webpage downloads, lost-in-space
e-mail, questionable user activity and file delivery caused by overloaded,
crashed servers, dicey network connections or other devices.
Network monitoring systems (NMSs) are much different from intrusion detection
systems (IDSs) or intrusion prevention systems (IPSs). These other systems
detect break-ins and prevent scurrilous activity from unauthorized users. An NMS
lets you know how well the network is running during the course of ordinary
operations; its focus isn't on security per se.
Network monitoring can be achieved using various software or a combination of
plug-and-play hardware and software appliance solutions. Virtually any kind of
network can be monitored. It doesn't matter whether it's wireless or wired, a
corporate LAN, VPN or service provider WAN. You can monitor devices on different
operating systems with a multitude of functions, ranging from BlackBerrys and
cell phones, to servers, routers and switches. These systems can help you
identify specific activities and performance metrics, producing results that
enable a business to address various and sundry needs, including meeting
compliance requirements, stomping out internal security threats and providing
more operational visibility.
Deciding specifically what to monitor on your network is as important as
giving network monitoring a general thumbs up. You must be sure that your
corporate network topology map is up to date. That map should accurately lay out
the different types of networks to be monitored, which servers are running which
applications on which operating system, how many desktops need to be counted
into the mix and what kind of remote devices have access for each network. A
dose of clarity at the outset makes choosing which monitoring tools to purchase
down the line somewhat simpler.
Why is monitoring the network important?
You might think that if the network is up and running, there is no reason to
mess with it. Why should you care about adding another project for your network
managers to scribble across their whiteboards, already crammed floor-to-ceiling?
The reasons to insist on network monitoring can be summarized on a high level
into maintaining the network's current health, ensuring availability and
improving performance. An NMS also can help you build a database of critical
information that you can use to plan for future growth.
The best argument for attempting to predict your network's growth is your
existing infrastructure's history, and the problems that resulted from decisions
made with too little data. Chances are, significant changes have been made to
the network since it was installed (was that the same year the Red Sox won the
title?). Along with those configuration changes, added devices, servers and
desktops, come traffic load imbalances on Web and e-mail servers, over-taxed
connections and links that go nowhere fast.
In addition, if you have a service-level agreement (SLA) in place, monitoring
is a must-have. An NMS can ensure that target device, service and application
performance level contractual obligations are being met. Real-time SLA
verification eliminates the finger-pointing and ensuing rhubarbs that weaken
relationships with your service providers by identifying service demarcation
points that designate the network "change of control" boundaries—in other words,
where a provider's network begins and a customer's network ends.
For more on service-level agreements, see The ABCs
of SLAs. Additional references are provided at the end of this
article.
What kinds of things can network monitoring systems see?
Network monitoring won't help unless you track the right things. The usual
areas examined are bandwidth usage, application performance and server
performance.
You don't want too much data, or you will be inundated and thus unable to
discern important variations. Too little data, and you miss the important stuff.
So you need to find the fine line that "right sizes" your monitoring
system.
Traditional network monitoring starts with the basics at the network's core.
It checks and reports WAN link bandwidth numbers, latency or response time from
your switches, routers and servers, and server CPU utilization numbers. For
example, a server running at 100 percent utilization should raise more than just
an eyebrow.
Network monitoring can help you manage users too. Tools with automatic
discovery offer the ability to monitor devices as they're added, removed or
undergo configuration changes. Some tools can group devices dynamically (on a
parameter such as an IP address) or by service, type and location; these are
extremely helpful when managing a large network.
Enterprise IT departments need greater visibility at the user level, while an
external ISP pays attention largely to domains. To a degree, there's a
distinction between the requirements of a corporate enterprise and a large
service provider. A corporate manager may want to look at information such as
primary traffic type across a switch and percentage of load across IP addresses.
The right monitoring tools will identify which IP addresses are pulling the
heaviest percentage of traffic; you can diagnose oddities such as the cause of
dropped mail sessions due to large file sharing and other pesky peer-to-peer
usage during high mail server usage times. Tools provide reports that let you
track down the heaviest users based on application type, server, client or
subnet; then you can search out the corporate doorknob of a user and give him
some religion on proper usage.
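
The kind of report described above, as an added example that is not part of the original article: it ranks constructed flow records by client, subnet and application type. The flow tuple layout, the port-to-application table and all function names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed flow records: (client IP, server port, bytes transferred).
FLOWS = [
    ("10.0.1.15", 25, 40_000),
    ("10.0.1.15", 6881, 900_000),
    ("10.0.2.7", 443, 120_000),
    ("10.0.1.22", 25, 60_000),
    ("10.0.2.7", 25, 30_000),
    ("10.0.1.15", 6881, 850_000),
]

# Assumed port-to-application mapping; a real tool classifies traffic itself.
APPS = {25: "mail", 443: "web", 6881: "peer-to-peer"}

def traffic_share(flows, key):
    """Rank groups by bytes; return [(group, bytes, percent of total)]."""
    totals = Counter()
    for flow in flows:
        totals[key(flow)] += flow[2]
    grand_total = sum(totals.values())
    return [(group, count, round(100 * count / grand_total, 1))
            for group, count in totals.most_common()]

def by_client(flows):
    return traffic_share(flows, lambda f: f[0])

def by_subnet(flows, prefix=24):
    def subnet(flow):
        return str(ipaddress.ip_network(f"{flow[0]}/{prefix}", strict=False))
    return traffic_share(flows, subnet)

def by_application(flows):
    return traffic_share(flows, lambda f: APPS.get(f[1], "other"))

def heaviest_clients(flows, application):
    """Clients ranked by bytes within one application type."""
    return by_client([f for f in flows if APPS.get(f[1], "other") == application])

if __name__ == "__main__":
    for report in (by_client, by_subnet, by_application):
        print(report.__name__, report(FLOWS))
    print("peer-to-peer", heaviest_clients(FLOWS, "peer-to-peer"))
```
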
Once, simplistic metrics such as packet round-trip time, packet loss and
packet delay served to give a reasonable picture to IT managers. These are no
longer sufficient or indeed even very relevant. Performance sensitive
applications, including voice-over-IP (VoIP), Internet Protocol TV (IPTV) and
video on demand (VOD) have raised the bar for network monitoring. Today,
managers (especially for service providers) are more interested in how well
these complex applications and services are delivered to the customer.
Managers of these converged networks now spend more time looking at
application performance and bandwidth utilization, using tools that provide a
real-time performance window into what's happening on their networks. They look
for and resolve issues quickly surrounding service-degrading factors like
latency, jitter and dropped packets, each of which results in substandard
services. Each network executive needs to determine his network's priorities and
choose tools that enable him to deliver the highest possible quality of
experience to users, whether they are employees or customers.
What kinds of network monitoring systems are available?
Network monitoring tools come in all flavors and levels of complexity. If
you're a lab rat, plenty of Command Line Interface (CLI) tools are available.
One example is the venerable Ping, a reliable tool that operates on
the "KISS" theory. Ping tests whether a particular host is reachable across an
IP network; it works by sending ICMP echo request packets to the target host and
listening for echo replies. Ping estimates the round-trip time in
milliseconds, records any packet loss and spits out a summary when finished.
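
The mechanics behind that description, as an added example that is not part of the original article: it builds ICMP echo messages, validates replies, and produces a ping-style summary. It runs offline on a constructed exchange instead of a raw socket; the identifier, payload and timings are made up, and the function names are illustrative.

```python
import struct
ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type values for echo messages

def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Layout: type, code 0, checksum, identifier, sequence number, data."""
    unsummed = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq) + payload
    return struct.pack("!BBHHH", msg_type, 0, inet_checksum(unsummed), ident, seq) + payload

def parse_reply(icmp: bytes, ident: int):
    """Return the sequence number of a valid reply to our probes, else None.
    Assumes the IP header has already been stripped from the received datagram."""
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None  # truncated or corrupted in transit
    msg_type, code, _, reply_ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if msg_type != ECHO_REPLY or code != 0 or reply_ident != ident:
        return None  # some other ICMP message, or another process's reply
    return seq

def summarize(sent_ms: dict, received_ms: dict) -> dict:
    """Both arguments map sequence number -> timestamp in milliseconds."""
    rtts = [received_ms[s] - sent_ms[s] for s in sent_ms if s in received_ms]
    stats = {"loss_pct": 100.0 * (len(sent_ms) - len(rtts)) / len(sent_ms)}
    if rtts:  # RTT figures exist only if at least one reply came back
        stats.update(min_ms=min(rtts), avg_ms=sum(rtts) / len(rtts), max_ms=max(rtts))
    return stats

def demo() -> dict:
    ident, sent, received = 0x1234, {}, {}
    # Constructed run: four probes one second apart; the reply to probe 3 is lost.
    for seq, rtt in [(1, 12), (2, 20), (3, None), (4, 16)]:
        request = build_echo(ECHO_REQUEST, ident, seq, b"probe")
        sent[seq] = seq * 1000
        if rtt is not None:
            # The target echoes identifier, sequence number and data back.
            reply = build_echo(ECHO_REPLY, ident, seq, request[8:])
            received[parse_reply(reply, ident)] = sent[seq] + rtt
    return summarize(sent, received)

if __name__ == "__main__":
    print(demo())
```
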
Obviously, there are learning curve issues associated with CLI tools. For
those less geek-minded, an abundance of Web-based GUI solutions including
detailed reporting and graphical chart features are available. These tools can
be easier to set up and use. Many come with pre-scripted configurations. Plus,
the charts they produce are very handy when putting together executive
presentations for network investment pitches.
Open-source tools, always an IT geek favorite, abound for network monitoring.
They're generally innovative, irreverent but stylish and, best of all, mostly
free or cheap. Additionally, open-source monitoring tools are interoperable with
almost every other tool or platform. The data from these open-source tools is
almost always dumped into XML; even major vendors tend to drink from the XML cup
at one stage or another. For example, one tool that was free under the GNU GPL
began life as a nondescript little script to graph the use of a university
connection to the Internet. It was later used as a tool for graphing other data
sources including speed, voltage, temperature and number of printouts. Then
network folks began using the software to poll network devices, retrieve MIB
(Management Information Base) and SNMP (Simple Network Management Protocol)
values, and use Perl scripts to post the results in graphs on webpages. The tool
quickly became widely used not only by the open-source folks cobbling their own
solutions together but also by very large proprietary vendors who borrowed from
some of the tool's capabilities to enrich their own solutions.
If you're in the market for new gear, several network equipment manufacturers
have developed tools that provide very detailed info for their own devices,
adding significant value to the purchase. Be sure to investigate how well those
tools interoperate, especially with operating systems on your network, to
determine just how helpful the tools will be to your overall plan. It's entirely
too possible to end up duplicating expenses. For instance, you don't want to
find yourself in a situation where you bought new servers with a monitoring tool
included for one location and the monitoring tool doesn't play well with your
servers running a different, non-supported operating system at another location.
If you already have a plethora of disparate devices, with varying degrees of
inter-working talent and a sizable learning curve, all is not lost. There are
monitoring appliances on the market that may be able to fish you out by
aggregating and simplifying the management aspects of network monitoring. They
accomplish this by managing the traffic to the standalone tools, whether they're
appliances or applications. The appliances provide the option of load-balancing
across appliances living on different subnets. Theoretically, the process is
more flexible and helps alleviate network bottlenecks caused by multiple
monitoring tools, which slow down traffic to inspect it. The learning curve is
also lessened, so your network managers aren't staying up nights with five to
six manuals on their bed-stands.
As the network becomes more complex, so must the monitoring system.
Converged, or "triple play" networks, combine voice, video and high-speed data
transmission over a single pipe. These need real-time performance management and
monitoring. This type of network needs a system that examines each packet for
jitter, latency and packet loss, and that's just for starters. The traditional
way of managing networks—using SNMP agents to poll network devices every five
seconds to determine whether there is a network problem—will not do. There are
monitoring solutions available that handle more demanding tasks such as
fail-safe operation during a blackout, provide support for mirrored switch ports
and VLANs, and niceties like an LCD display for troubleshooting.
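
How the per-packet figures named here and in the earlier passage on converged networks (latency, jitter, dropped packets) can be derived, as an added example that is not part of the original article. It uses the RFC 3550 interarrival jitter estimator on a constructed capture; the capture, the alert limits and the function names are assumptions.

```python
# Constructed capture of a voice stream with one packet sent every 20 ms:
# (sequence number, send time in ms, arrival time in ms). Packet 4 never arrived.
# Assumes sender and receiver clocks are synchronized, so arrival - send is latency.
CAPTURE = [(1, 0, 30), (2, 20, 50), (3, 40, 86), (5, 80, 110), (6, 100, 130)]

# Assumed alert limits for illustration; set them from your own service targets.
LIMITS = {"max_latency_ms": 150, "jitter_ms": 30, "loss_pct": 1.0}

def stream_quality(packets):
    """Return latency, jitter and loss for packets listed in arrival order."""
    jitter = 0.0
    prev_transit = None
    transits = []
    for _seq, sent, arrived in packets:
        transit = arrived - sent
        transits.append(transit)
        if prev_transit is not None:
            # RFC 3550 interarrival jitter: a running average of how much
            # the transit time changed between consecutive packets.
            jitter += (abs(transit - prev_transit) - jitter) / 16
        prev_transit = transit
    seqs = [seq for seq, _, _ in packets]
    expected = max(seqs) - min(seqs) + 1  # gaps in sequence numbers are losses
    lost = expected - len(set(seqs))
    return {
        "avg_latency_ms": sum(transits) / len(transits),
        "max_latency_ms": max(transits),
        "jitter_ms": jitter,
        "lost": lost,
        "loss_pct": round(100 * lost / expected, 1),
    }

def breaches(quality, limits):
    """Names of the metrics that exceed their limit."""
    return [name for name, limit in limits.items() if quality[name] > limit]

if __name__ == "__main__":
    quality = stream_quality(CAPTURE)
    print(quality)
    print("over limit:", breaches(quality, LIMITS))
```
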
If your network has become simply too complex and you can't keep tabs on
what's happening, other people can do the job for you. There are companies to
whom you can outsource your monitoring that provide various monitoring,
management and analytical services. For example, one European service provider
offers different modules to network customers and to companies using third-party
networks. One module's services include profiling a customer's network over a
specified time frame to identify issues, and producing a performance report on
traffic and applications. A different module takes that information and makes
recommendations to improve network efficiency. A third module gives ongoing
tracking, reporting and performance reports, and another module manages the
network against agreed-upon targets.
What do they cost?
Network monitoring solutions can be totally free or they can be extremely
expensive. Most open-source tools are free, as are tools that may have been
bundled with infrastructure purchases. Appliances, software-only solutions and
services range from $50 on into five figures.
With service vendors, you're likely to be able to choose from a buffet-style
menu of monitoring services; these may tally up to a savings over device
purchases depending on network priorities. There are other trade-offs.
Purchasing services may give you the advantage of rubbing elbows with the latest
monitoring technologies; in contrast, purchasing appliances can provide more
control.
One thing's a certainty when it comes to network monitoring. The cost of not
using these technologies can be greater than you think, if you're not getting
the performance and availability you're paying for and if you're not willing to
spend sufficiently to ensure that your network is healthy and secure. What's it
really worth? It could be worth your job.
Alyson Behr is a Los Angeles,
Calif.-based technology journalist and business communications consultant.
Formerly director of technical marketing with Spirent Communications, she has
served as a product test and reviews contributing editor for InfoWorld and
Information Week, and senior contributing editor with Internet Week and SD
Times. Behr edited PlanetIT's networking and advanced IP portals and also served
as a judge for several N+I Best of Show and SIIA Codie Awards. She currently
covers networking, emerging technologies, and test and measurement issues.
© 2007 CXO Media Inc.