Coradiant's TrueSight TS-1000

Get nearly real-time views of network performance without adding to your server's workload.

July 30, 2004


Effortless Setup

Built on Gentoo Linux, the 2U beta appliance is easy to set up. I configured it in 15 minutes with the help of a Coradiant engineer, though the work would have taken me half an hour tops, even without the assistance. I connected the test unit's optical connectors to a NetOptics 8x1G Passive Regeneration Tap located between the edge routers and Syracuse University's core backbone.

The initial configuration must be done from a serial connection. From there, I created a security-officer account and set up network parameters, such as the IP address and subnet mask.

After rebooting, I made all other configurations over the Web. You'll need Mozilla Firefox with Sun Microsystems' Java 1.4.2 or Internet Explorer with the Microsoft JVM (Java Virtual Machine) to use the Web interface.

Traffic capture is off by default. I turned it on from the security page accessed through the Web interface. I then asked the system to log each request and store the log files for later perusal. Once traffic capture began, it took about 60 seconds for the TrueSight to classify data and show it on the front page. The appliance kept up with our traffic--roughly 1.5 million requests per day.

Custom Sight

 


Figure: TrueSight TS-1000 Real Transaction Monitor

Because of its location on the network, TrueSight watched both inbound and outbound traffic at the university. For my tests, therefore, I created a traffic-screening rule that discarded all outbound Web site requests.

TrueSight's value comes from its "watchpoints," perspectives built from data taken by watching the network from the tap and reassembling each user transaction. You can choose from about a dozen preconfigured watchpoints or create your own. Note that watchpoints must be user-activated to appear on the summary screen. TrueSight highlights the watchpoints with different colors, making it easy for you to differentiate them and get a feel for the end-user experience. To better categorize the data I would encounter on our network, I customized the interface: I clicked on the watchpoint library link and created a watchpoint to analyze the university's Web e-mail system. After naming this watchpoint "GroupWise Webmail," I used the built-in filter-expression builder to ensure the watchpoint would analyze only that traffic.

Filters can be built using a variety of criteria--DNS host names, IP address, TCP port or part of a URL--which can then be combined with logical statements. I activated the Webmail watchpoint, then enabled logging and SNMP access to it.

Then I went back to the watchpoint summary screen to see the number of requests, errors and latency. The display worked like a charm. By default, it showed activity for only the past five minutes, but you can customize the watchpoint to show longer time spans.

Encrypted Traffic

Like all other network-monitoring tools, TrueSight must first decrypt the SSL (Secure Sockets Layer) Web traffic you want it to analyze. So you must give TrueSight the private key of the Web server generating the traffic. Once loaded into TrueSight's one-way encrypted jail, the key can't be viewed--only a designated security officer can manage or remove it. To test TrueSight's SSL analysis, I loaded the private key of the university's Web-based course-management server into the monitoring appliance. Using the filter expression builder, I created a watchpoint that filtered for host names ending with the URL for the SSL-protected login page. Once activated, the watchpoint worked as expected, showing all logins to this page that the server processed.

User Roles

With user roles, TrueSight falls short. Only three roles can be assigned--manager, export and security officer--and there's no way to alter them.

The export role lets users automate log file downloads. Users in the manager role have full access to TrueSight (except for the security page), letting them create watchpoints, modify traffic-capture policies and generate reports. Only the security officer can view the security page. TrueSight would be greatly improved if it let the security officer create customized roles.

Good

  • Setup in less than 30 minutes
  • Easy-to-use GUI
  • Superb reporting
  • Passive analysis--no extra traffic generated and sent to your Web app servers

Bad

  • Java application may cause headaches
  • Role-based access lacks least-privilege abilities
  • Doesn't generate e-mail/pages based on alarms--needs an EMS

TrueSight TS-1000 Real Transaction Monitor, $74,950. Coradiant, (877) 731-7277, (617) 558-6754. www.coradiant.com

Reporting

Reports are generated based on watchpoints and time intervals, and show a graph of action over a metric. Both predefined and customized reports are available. The reports create graphs using Java, which can be problematic in some environments. Among the reports I ran were those involving HTTP status and end-to-end time for page loads. One of the most useful reports--requests per second on a particular watchpoint--showed the point at which the server was unable to accommodate requests, which could be useful for justifying hardware purchases to upper management.

Performance-compliant reports let you set page-response times that users would find acceptable, tolerable or too frustrating. The reports show you, based on your settings, the percentage of your users who are "pleased" or "dissatisfied" with response times.
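
The watchpoint filters described under Custom Sight and the performance-compliant report above can be sketched together. This is an added example, not Coradiant's code or filter syntax; the record layout, host names, combinator names and the 2- and 6-second thresholds are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    host: str       # DNS host name seen in the request
    port: int       # TCP port of the server
    url: str        # request path
    status: int     # HTTP status code
    seconds: float  # end-to-end page time

# Constructed sample of reassembled transactions (not real TrueSight output).
SAMPLE = [
    Request("webmail.example.edu", 80, "/servlet/webacc", 200, 0.8),
    Request("webmail.example.edu", 80, "/servlet/webacc", 200, 3.5),
    Request("webmail.example.edu", 80, "/servlet/webacc", 500, 7.2),
    Request("webmail.example.edu", 80, "/servlet/webacc?action=login", 200, 1.4),
    Request("webmail.example.edu", 80, "/images/logo.gif", 404, 0.1),
    Request("www.example.edu", 80, "/", 200, 0.3),
    Request("courses.example.edu", 443, "/login", 200, 1.1),
]

# Hypothetical filter criteria, combined with logical AND/OR.
def host_endswith(suffix): return lambda r: r.host.endswith(suffix)
def port_is(port): return lambda r: r.port == port
def url_contains(part): return lambda r: part in r.url
def all_of(*preds): return lambda r: all(p(r) for p in preds)
def any_of(*preds): return lambda r: any(p(r) for p in preds)

def summarize(requests, watchpoint, acceptable=2.0, tolerable=6.0):
    """Requests, errors, mean latency and response-time buckets for one watchpoint."""
    hits = [r for r in requests if watchpoint(r)]
    n = len(hits)
    if n == 0:  # a watchpoint that matches nothing must not divide by zero
        return {"requests": 0, "errors": 0, "mean_seconds": None, "percent": {}}
    ok = sum(r.seconds <= acceptable for r in hits)
    slow = sum(acceptable < r.seconds <= tolerable for r in hits)
    return {
        "requests": n,
        "errors": sum(r.status >= 400 for r in hits),
        "mean_seconds": round(sum(r.seconds for r in hits) / n, 3),
        "percent": {
            "acceptable": 100.0 * ok / n,
            "tolerable": 100.0 * slow / n,
            "frustrating": 100.0 * (n - ok - slow) / n,
        },
    }

WEBMAIL = all_of(host_endswith("webmail.example.edu"), url_contains("/servlet/webacc"))
```

Calling `summarize(SAMPLE, WEBMAIL)` reports on the Webmail traffic only; the static-image request and the other hosts fall outside the watchpoint.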

Network Management

TrueSight can generate SNMP traps that can be integrated into an enterprise-management system such as BMC Software Patrol or Hewlett-Packard HP OpenView, but I didn't test this. SNMP MIBs are shown from TrueSight and can be integrated into your enterprise-management system.

Unfortunately, TrueSight doesn't generate alarms to e-mail or pagers. Coradiant should add this feature next time around so users without an enterprise management system can automate TrueSight's capabilities. Despite its drawbacks, the TrueSight TS-1000 is a one-of-a-kind performance monitor. At our Syracuse labs, this Best of Show winner once again proved its worth.

Christopher T. Beers is a Unix systems engineer at Syracuse University. Write to him at [email protected].
