The Purview™ Solution – Integration With Splunk

Integrating Application Management and Business Analytics With Other IT Management Systems

A SOLUTION WHITE PAPER


Introduction

Purview is a network powered application analytics and optimization solution that captures and analyzes context-based application traffic to deliver meaningful intelligence about applications, users, locations and devices.

It is the industry's very first and only (patent pending) solution to transform the network into a strategic business asset by enabling the mining of network-based business events and strategic information that help business leaders make faster and more effective decisions. It does this all from a centralized command and control center that combines network management with business analytics, at unprecedented scale (100M sessions) and scope.

Enterprise mobility is more than the mobile device: mobility and agility across the entire enterprise require access to data from any device. This has changed the application landscape, moving away from installing and maintaining traditional applications toward private and public cloud-based delivery models such as SalesForce.com, Google Apps and many more.

Millions of new applications have been developed to support new work efficiencies, with new "apps" showing up every day; some become business-critical the next day while others may have no real value. Additionally, mobile users demand immediate access to all of their social media apps. Social, mobile, cloud and big data are everywhere. To maximize the user experience, IT must make sure that applications can be seamlessly delivered from the cloud, private or public, to the users and devices that require them to perform their jobs.


What is Purview?

The three main solution components that make up this unique Purview architecture are:

• OneFabric Control Center with OneFabric Connect

• Purview (Application Fingerprint) Engine

• CoreFlow2 based Data Collection Device

OneFabric Control Center provides centralized visibility and control over the entire network. Centralized visibility and control enables infrastructure and application teams to work together, eliminating costly misalignments and errors that occur through typical operational workflows. Embedded automation and orchestration features improve application delivery for dynamic and mobile environments leveraging cloud, virtualization, and server/storage consolidation.

OneFabric Control Center provides unified, centralized management and control, which allows network operations to leverage the power and intelligence built into Extreme Networks networking solutions and thereby unlock the full potential of Purview.

Additionally, OneFabric Control Center, as an SDN (Software Defined Network) management and control solution, integrates with external systems via OneFabric Connect, a set of APIs that increases visibility and control to new heights. The data that Purview provides can be accessed via OneFabric Connect to create new third-party integrations or augment existing integrations. The integration options are:

• Scheduled reporting (email via PDF)

• OneFabric Connect API (XML) support for integration with other IT applications

• Real-time application detection notification (using syslog)

Purview is in fact a deep packet inspection (DPI) solution that can be deployed at scale, across the entire network infrastructure from the data center to the mobile edge, wired and wireless, to provide a superior user experience while optimizing network resource utilization. A fully integrated and unified solution can also eliminate point products, thereby reducing the operational complexity and cost that is associated with these existing approaches. By providing more contextual information the solution becomes a business asset for analytics and network-driven business intelligence.

Figure 1 – Loss of application visibility and control: apps everywhere, in public and private cloud, as users see them, versus how traditional switches see them (Port 80, Port 443)

CoreFlow2 is the cornerstone of Extreme Networks' switching technology, addressing the need for application monitoring and control at scale and high performance. CoreFlow2 is a highly programmable, custom-designed ASIC which delivers flexibility in packet classification and reframing not found in competitive offerings. The granularity of packet analysis and controls is unsurpassed, and it translates into real-world benefits in the data center and the campus network. The flow-based application visibility provided by CoreFlow2 is used to provide the Purview flow mirroring to the Purview Fingerprint Engine.

Overview – Purview Integration with Splunk Enterprise

What is Splunk Enterprise?

IT systems and technology infrastructure (websites, applications, servers, networks, sensors, mobile devices and the like) generate massive amounts of machine data. By monitoring and analyzing everything from customer clickstreams and transactions to network activity and call records, Splunk Enterprise turns machine data into valuable analytics. Troubleshoot problems and investigate security incidents in minutes, not hours or days. Monitor your end-to-end infrastructure to avoid service degradation or outages. Gain real-time visibility into user experience, transactions and behavior.

The integration of Purview with Splunk Enterprise allows users to take full advantage of the layer 7 application fingerprints produced by Purview within the Splunk framework. This enables complex use cases and analytics that Splunk makes possible through its excellent user interface, powered under the covers by Purview application fingerprints derived from real-world network communications.

Splunk also has the ability to issue complex queries over incoming data sources. This allows network and security administrators to gain insight into what is actually happening with the networks and systems they are responsible for. The addition of Purview data allows such investigations to take into account full application layer fingerprinting information. This provides a rich enhancement to network visibility for Splunk users.

Figure – Purview architecture: OneFabric Control Center; Purview Engine; CoreFlow2 Data Collection Device feeding NetFlow and the Purview Mirror; Visibility / Control / Context; Collect / Analyze / Classify; massive scalability (multiple Tbit/s and millions of flows). Captioned on the page as "Figure 1 – Loss of application visibility and control".


Purview Alerts with Splunk Enterprise

Splunk has a light-weight correlation system capable of producing custom-built Alerts. The Splunk system allows the administrator to create security, policy, or behavioral Alerts tied to specific values extracted from the results of a saved search. These Alerts can be posted to the Splunk user interface, configured to launch an administrator-supplied script, or emailed to provide immediate notification.

The Splunk system does not come with a large number of default Alerts; instead, Splunk administrators create their own custom Alerts to match their particular needs. In the example below a custom Splunk Alert is created via a wizard to detect virtual network computing (VNC) network reconnaissance and then post the Alert to the Splunk user interface.

Purview Visibility within Splunk

Splunk is able to provide in-depth visibility derived from the Purview event feed. Splunk provides a facility for complex queries, custom aggregations, multiple chart formatting options, real-time dashboards, and historical views through trend reports. Splunk's strength is to parse, normalize, and process all available fields within the Purview event feed without any burdensome customization requirements placed upon the administrator. In the example below the Application Response Time field provided in the Purview feed is monitored for all values greater than 200 ms, aggregated by application, and then displayed in an auto-updating time-series chart.
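As an added example (not code from this paper, and not Splunk's or Purview's own), the following Python models both Splunk use cases described above over a constructed syslog feed: the search that keeps Purview events whose Application Response Time exceeds 200 ms and aggregates them by application into a per-minute series, and the custom alert for VNC reconnaissance. The syslog layout, the field names app, src_ip, dst_ip, dst_port and art_ms, the rule "one source reaching at least five distinct VNC destinations" and the one-minute bucketing are all assumptions, since the paper shows neither Purview's syslog format nor the alert's search.

```python
"""Added example (not from the Extreme Networks paper, Splunk or Purview).

Models the two Splunk use cases in the text over a constructed syslog feed:
  1. keep events whose Application Response Time (art_ms) exceeds 200 ms,
     counted per application and per minute (the time-series chart);
  2. a custom alert for VNC reconnaissance, here assumed to mean one source
     reaching many distinct VNC destinations.
Field names, event layout and thresholds are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample feed (not real Purview output): one detection event per line.
SAMPLE_EVENTS = """\
<134>Jan 14 10:00:01 purview-engine app=Salesforce src_ip=10.1.1.10 dst_ip=203.0.113.5 dst_port=443 art_ms=120
<134>Jan 14 10:00:02 purview-engine app=Salesforce src_ip=10.1.1.11 dst_ip=203.0.113.5 dst_port=443 art_ms=340
<134>Jan 14 10:00:03 purview-engine app=GoogleApps src_ip=10.1.1.12 dst_ip=203.0.113.9 dst_port=443 art_ms=90
<134>Jan 14 10:01:04 purview-engine app=GoogleApps src_ip=10.1.1.12 dst_ip=203.0.113.9 dst_port=443 art_ms=250
<134>Jan 14 10:01:05 purview-engine app=VNC src_ip=10.1.1.50 dst_ip=10.2.0.1 dst_port=5900 art_ms=12
<134>Jan 14 10:01:06 purview-engine app=VNC src_ip=10.1.1.50 dst_ip=10.2.0.2 dst_port=5900 art_ms=11
<134>Jan 14 10:01:07 purview-engine app=VNC src_ip=10.1.1.50 dst_ip=10.2.0.3 dst_port=5900 art_ms=14
<134>Jan 14 10:01:08 purview-engine app=VNC src_ip=10.1.1.50 dst_ip=10.2.0.4 dst_port=5900 art_ms=9
<134>Jan 14 10:01:09 purview-engine app=VNC src_ip=10.1.1.50 dst_ip=10.2.0.5 dst_port=5900 art_ms=13
<134>Jan 14 10:01:10 purview-engine app=VNC src_ip=10.1.1.50 dst_ip=10.2.0.1 dst_port=5900 art_ms=10
<134>Jan 14 10:01:11 purview-engine app=VNC src_ip=10.1.1.60 dst_ip=10.2.0.7 dst_port=5900 art_ms=15
"""

# <PRI>Mon DD HH:MM:SS host key=value ...  (assumed RFC 3164 style header)
HEADER_RE = re.compile(r"^<\d+>(\w{3}\s+\d+\s+(\d{2}):(\d{2}):\d{2})\s+(\S+)\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
INT_FIELDS = {"dst_port", "art_ms"}


def parse_events(text: str) -> List[Dict[str, object]]:
    """Turn the raw feed into field dictionaries, the way Splunk's automatic
    key=value extraction would. Lines that do not match the header are skipped."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        ts, hh, mm, host, body = m.groups()
        ev: Dict[str, object] = {"_time": ts, "_minute": f"{hh}:{mm}", "host": host}
        for key, value in KV_RE.findall(body):
            ev[key] = int(value) if key in INT_FIELDS else value
        events.append(ev)
    return events


def slow_responses_by_app(events, threshold_ms: int = 200) -> Dict[str, int]:
    """Count events per application whose art_ms exceeds the threshold
    (the '> 200 ms, aggregated by application' search in the text)."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev.get("art_ms", 0) > threshold_ms:
            counts[ev["app"]] += 1
    return dict(counts)


def slow_responses_timechart(events, threshold_ms: int = 200) -> Dict[str, Dict[str, int]]:
    """The same search bucketed per minute: the data behind a time-series
    chart with one series per application."""
    chart: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get("art_ms", 0) > threshold_ms:
            chart[ev["_minute"]][ev["app"]] += 1
    return {minute: dict(apps) for minute, apps in chart.items()}


def vnc_recon_alerts(events, min_distinct_hosts: int = 5) -> Dict[str, int]:
    """Custom alert: a source whose VNC sessions reach at least
    min_distinct_hosts distinct destinations (threshold is an assumption).
    Repeated connections to one host count once. Returns
    {src_ip: distinct destination count} for the sources that fire."""
    targets: Dict[str, set] = defaultdict(set)
    for ev in events:
        if ev.get("app") == "VNC":
            targets[ev["src_ip"]].add(ev["dst_ip"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_distinct_hosts}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("slow by app:", slow_responses_by_app(evs))
    print("timechart:", slow_responses_timechart(evs))
    print("VNC alerts:", vnc_recon_alerts(evs))
```

In Splunk itself the same logic would live in two saved searches over the extracted fields: a `where`/`timechart ... by app` style search for the response-time chart, and an alert that triggers when a distinct-count of destinations per source crosses the threshold. The Python keeps the rule visible and testable offline; the distinct-count in `vnc_recon_alerts` is what stops a single user reconnecting to one desktop from firing the alert.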


Additional visualizations of Purview data are displayed below.

Figure 5 – Raw Purview data collected from a relatively busy network:


Figure 6 – The Purview data is fully indexed and is searchable

Figure 7 – Top source IP addresses in the current data set along with an aggregate graphical view


Figure 8 – Top Apps

Top applications in the current sample set. This illustrates Splunk indexing of our application specific fingerprint information:

WWW.EXTREMENETWORKS.COM

©2014 Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks please see http://www.extremenetworks.com/about-extreme/trademarks.aspx . Specifications and product availability are subject to change without notice. 6667-0114

Splunk Queries of Purview Data

A strength of Splunk is the ability to issue complex queries over incoming data sources. This allows network and security administrators to gain insight into what is actually happening with the networks and systems they are responsible for. The addition of Purview data allows such investigations to take into account full application layer fingerprinting information. This provides a rich enhancement to network visibility for Splunk users.

Summary

Purview provides application visibility for IT operations and business analytics at unparalleled scale and performance. Purview is also part of the OneFabric Control Center suite of network management solutions. By taking advantage of the OneFabric Connect API, Purview acts as a data broker and can feed application layer data to other third-party applications for uses such as SIEM, Splunk for detailed compliance reporting and analytics, and much more.