The vigilant network manager, like Batman looking down on Gotham, knows that somewhere out there, something bad probably is happening — something that’s making an application go astray. But unlike the well-funded Dark Knight, the network manager isn’t equipped with the Batarangs, night vision, and a host of other gadgets to swoop down and quickly nail the problem.
ExtraHop Networks’ Application Delivery Assurance Appliance, introduced earlier this week, doesn’t come with batwings, but it does provide tools to hook the kind of data and insight needed to identify the perpetrators of slowdowns and other snafus clogging up the system. That there are countless other network management and diagnostic tools on the market is not lost on ExtraHop, but none of them, it says, effectively gets to the roots of deep-down performance issues. The young company’s idea is to give managers the ability to have the high-and-wide view as well as the nitty-gritty, street-level-and-below perspective needed to keep critical systems running up to snuff.
“There are some great monitoring tools out there, but most are so high-level that they don’t help with critical performance questions,” says ExtraHop co-founder Jesse Rothstein. “But there’s no single product that will give you this sort of holistic view. Companies end up having to use a hodge-podge of products. You can do SNMP polling, or look at synthetic transactions, for example, but those are just pieces of a much bigger puzzle.”
The biggest shortcoming with existing tools, he says, is they give you either “the telescope view or the microscope view,” either a high-level look lacking in detail (e.g., NetFlow and SNMP) or a picture with too many details (packet sniffing). “There’s a huge gap between telescope and microscope,” Rothstein says. “We’re supplementing those existing approaches. Our solution is more like Google Earth for your applications and your network.”
ExtraHop’s device provides “an integrated view of your entire application environment,” Rothstein says. “We’ve designed a passive network appliance that will give customers application-level visibility. We provide L2 through L7 network visibility, but we’re really focused on L4 to L7, on real-time visibility beyond L4. We let you examine literally tens of thousands of network transactions in real time. It’s a level of visibility we don’t see anyone else providing right now, and I’m not familiar with anyone providing as application-centric a view as we do.”
(Rothstein and co-founder Raja Mukerji were the main architects of F5 Networks’ BIG-IP platform. F5 being in the business of accelerating application delivery, these two know a little something about dealing with traffic.)
The appliance is easy to set up, Rothstein says: Plug it into a network tap or SPAN port on a switch, set up an IP address for the management interface, and off you go — all in about 15 minutes. “This is not an inline device, and no agents to install,” he says. The system will automatically discover every server or other device on the network and start tracking metrics immediately, Rothstein says. “Every transaction, every error message, every round-trip response. The system extracts all these performance metrics and puts them in our dynamic data store.” Captured data can be stored for 30 days and searched to detect trends or drill into error codes to identify trouble sources.
The Application Delivery Assurance system consists of four main components: a networking microkernel for real-time packet processing and autodiscovery; the dynamic data store for saving metrics, correlating events, reporting, trending and baselining; an intelligent protocol framework; and a “rich” Web user interface that Rothstein says “knows how to turn data into useful information.” Hardware-wise, inside the box are eight CPU cores “along with one fairly large, fast disk,” Rothstein says.
ExtraHop’s inaugural model sells for about $50,000 and, according to the company, can handle tens of thousands of sessions and about 300 network devices.
“We’re going to market with the protocols people can’t live without,” Rothstein says, and that includes HTTP, TCP, SSL, IPv6, DNS, DB, ICMP and Multicast. He points out that the team spent a lot of time trying to get the interface right, including testing by potential users. “Given how specialized a product this is, we needed to watch IT professionals working with it,” he says.
Rothstein walks through a few scenarios to demonstrate how the appliance has pinpointed and resolved the cause of poor performance: “We’ve been able to find things like too many connections to a database, causing performance to slow. We can see which clients are having HTTP problems, and find broken links. We track DNS response code, and in one case, there were an enormous number of errors that the customer was able to track to the Exchange server. In one instance, the customer saw a big network slowdown, every hour on the hour. They were able to track it down to a backup job that was copying gigabytes across the network on the hour. There was lots of CICS activity, and that took only two or three clicks to discover. We can zoom in on a spike and drill down to see what apps or devices contributed. A misconfigured switch, we can track down that sort of thing. We’re able to reconstruct the transaction scheme.”
Better, brighter insight into what’s going on with applications and the network leads to several benefits, ExtraHop says. First, IT teams will spend less time figuring out what went wrong and why. Users can take the information gleaned via the appliance to fine-tune their network infrastructure for performance gains. Detailed metrics can be used for diagnosis, but also to get a more accurate picture of capacity and usage patterns.
The company currently has about 12 customers with the appliance in production mode, including financial services firms, SaaS providers and health care IT.
For its next act, ExtraHop intends to deliver advances like an enterprise version supporting 10 GbE and thousands of devices simultaneously, Rothstein says. The company also is planning more application protocols, including a VoIP module, and “more advanced alerting capabilities based on anomalies that we call ‘trend-based alerts.’”
In his report on ExtraHop, analyst Jim Frey with Enterprise Management Associates says the company “is leveraging the deep and rich information available by monitoring network packets and focusing on what stories that data can tell across the delivery stack but especially within the application layer, where much of the action takes place.”
Rothstein tells of one customer deploying a new application when the ExtraHop appliance revealed that the number of database errors had rocketed from 20 a minute to about 2,000 a minute. The system also flagged a coding error in some stored procedures, right down to the line number. When a similar situation had occurred prior to adopting the ExtraHop device, he says, it took the customer weeks to figure out the true story.