The MantisNet Containerized Visibility Fabric (CVF) is now generally available, and we want to provide a deeper dive into the challenges that we’ve seen with network visibility which compelled us to develop this much needed cloud native observability solution.

CVF-MantisNet-Cloud-AnimationAs we will discuss more deeply in this and future posts; serverless, cloud native systems are unique in that applications are deployed as microservices and containerized applications which can both more fully exploit the capabilities of the underlying machines and are further decoupled from the constraints of hypervisors. This provides programmatic visibility and access to the underlying nodes (hardware - machines) in such a way as to enable better scaling, fault isolation, observability and control.

In the cloud native world; network topology (physical and virtual) is hidden, interfaces (network namespaces) are hidden, data flows are hidden, and to make matters even more challenging - resources are dynamically configured, provisioned, deployed and reused.

Cloud native technologies enable loosely coupled systems that are resilient, manageable, and observable. Combined with robust automation, they allow engineers, developers, operations and support staff to make mission critical changes, frequently and predictably with a minimum amount of effort or disruption; hence the rise in CI/CD. This evolution has enabled previously unheard-of levels of scalability, efficiency and democratization of computing resources, fueling the new information age of mobility, sharing, and discovery that are now powering the world economy.

Screen Shot 2020-08-06 at 12.55.38 PM

According to the Cloud Native Computing Foundation (CNCF) we are now well into the fourth-wave of cloud computing: from virtualization, to IaaS & PaaS, to containerization, and now Cloud Native and Serverless computing. Cloud native technologies empower organizations to build and deploy scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach. Review the presentation by CNCF

As a team that has its roots in networking, network intelligence and monitoring; MantisNet uniquely understands the advantages that clients are harnessing with cloud native capabilities, but we also see the challenges and problems that clients have in instrumenting their infrastructure to access and get to the ground truth using legacy tools.

Furthermore; observability, and monitoring in general, is no longer just packets, logs, metrics and traces, but streaming real-time, network and infrastructure related event telemetry (metadata) derived from the processing nodes that can be correlated to the kernel level, thanks to the capabilities of eBPF we employ. Performant and efficient visibility and access, enabled by advances in compute and processing resources, now enable all this rich and valuable context of network communications available IN REAL-TIME for not just observability but also correlation. That said; why wouldn’t you want to use it? The CVF consists of extremely lightweight cloud native / micro-services-based compute engines (agents) and controllers that are deployed as DaemonSets or containerized applications that can be placed anywhere within your cloud-native infrastructure. The MantisNet CVF closes the observability gap by efficiently producing and delivering rich contextual information in areas that are currently hidden or are beyond what existing (hardware and VM-based) tools have visibility into.

Screen Shot 2020-08-06 at 2.26.41 PM

What got us here today, won’t get us there tomorrow

Legacy approaches to network monitoring used various forms of physical or virtual TAP, SPAN and mirror ports to inspect a variety of network metrics: sent/received traffic, packet counts, flow statistics based on specific IP addressing, port and protocol type to monitor physical and virtual networks.

Likewise, the previous generation of virtual-machine (VM) based approaches performed similarly using virtualized and somewhat equivalent network functions, but operating on top of the hypervisor, giving rise to the Virtualized Network Function (VNF) trend. However, in the virtualized, cloud-native, serverless world - network and packet constructs alone are no longer sufficient or relevant to provide the necessary visibility into the infrastructure. Packets do not provide the appropriate context (container, process, link, machine, flow) and VM-based monitoring tools will not provide the sufficient depth and level of observability.

Additionally, in cloud native environments, more often than not, services and resources interact inside systems where it is not always possible to capture packets in the conventional (physical or virtualized) sense. To make matters worse, the scale and performance of today’s cloud infrastructure are both too dynamic and ephemeral for a general-purpose hardware or virtual packet processing solutions (NGPB). Furthermore, packets are a legacy network construct; in containerized, serverless applications - networks exist in the namespace and a significant proportion of the data flow may be container-to-container, pod-to-pod, or pod-to-service without transiting a conventional, physical network interface; that traffic would be “invisible” to those legacy tools. Consequently, new forms of visibility and monitoring are needed to inspect and analyze information flows in a cloud-native, serverless world. This is especially critical to industries with cloud native organizations or those transitioning to cloud native, like the telecommunications providers for 5G deployment and 5G network visibility.

Given all these considerations, we arrived at the compelling need to develop a better cloud native network function (CNF) observability solution (our CVF). The MantisNet CVF provides a full range of observability functions; from (cloud) native instrumentation and micro-services based processing of machine telemetry directly at the source to providing the ability to more efficiently deliver rich(er) forms of metadata to follow-on analytics that can better correlate events, as they happen, down to the system and application level, thereby enabling new levels of detail and context necessary to keep up with the fluid nature of cloud-native, serverless infrastructure and produce actionable information – efficiently, reliably and effectively. By delivering highly efficient, targeted (processed and filtered) context-rich (namespace, flow, c-groups, group-id, process-id, source-id, destination-id, counters, timestamps…) metadata continuously and in real-time enables for continuous observability, correlation and remediation: at scale and speed.


How the MantisNet CVF works

The MantisNet Containerized Visibility Fabric (CVF) is a cloud-native visibility application designed to handle the challenges of gaining insight into virtual/ cloud resources. Leveraging a lightweight microservices architecture, the CVF can be deployed quickly (and at-scale) to do more than just capture packets. The CVF is scalable and open, deployed via a lightweight DaemonSet or microservice container. It is open and flexible; supporting an event-based message bus architecture (NATS or Kafka), generating serialized metadata, - JSON object notation syntax as well as open RESTful API integrations with tools such as GraphQL for ad-hoc and automated management.

With the MantisNet CVF, network professionals can gain unprecedented insight into resources- to include continuous topology discovery, protocol specific metadata generation, cloud native traffic, NPM, APM, packet capture, CNFlowSM - advanced, cloud native flow record generation, encrypted session visibility and more.

Screen Shot 2020-08-06 at 2.08.44 PMProtocol Metadata Generation


Once installed, CVF sensor agents have machine-level visibility into all the interfaces, regardless of namespace. The CVF monitors, filters, parses, or otherwise captures, decodes and publishes any of the selected protocol(s) it has been instructed to process. The resulting serialized metadata (key:value:pairs) are continuously streamed in real-time via an open message bus for follow-on stream processing, analytic workflows or storage.





Screen Shot 2020-08-06 at 1.21.23 PMTopology Discovery 

Deployed MantisNet Agents performing the topology function can connect to other agents to produce an aggregate mapping visualization of the network resources. The topology output can include a lot of items, but it fundamentally provides output based on a schema (see next section) to produce the topology information that includes information about the resources under control- Flow data, machine info, processes running, process IDs, container information, etc.



Screen Shot 2020-08-06 at 2.11.10 PMCloud Native Traffic and Packet Capture


The key to CVF packet capture is that it is done programmatically - simply publish a directive to turn on packet capture, and instantly start capturing packets from any CVF sensor agent in the environment. The agent will capture all traffic- regardless of namespace - if the information is traversing physical links or moving between microservices. The capture function can easily be toggled on/off, and can be captured at a 1:1 rate, or via a configurable sampling ratio.


Screen Shot 2020-08-06 at 2.12.24 PMEncrypted Session Visibility

CVF agents provide the ability to identify, extract and publish all the encrypted session metadata parameters and raw packets that organizations need to meet all their cryptographic visibility, management and security assurance demands. CVF agents monitor, identify, and access encrypted session controls and associated traffic and selectively extract and publish any or all of the following: encrypted session metadata, encrypted traffic and plain text.


The next step in observability and correlation

As organizations continue to move towards cloud native, having a comprehensive, reliable, seamless and performant observability solution will make event and data correlation easier. This will help companies adopt cloud native more quickly since there is a reliable solution to monitor what couldn’t previously be seen with modified and legacy tools.

Data correlation is probably the hardest aspect of troubleshooting complex distributed environments. When it comes down to actually solving the problem, many of the existing tools are actually part of the problem: you’ll find yourself jumping between multiple user interfaces, charts, graphs, and tables trying to give your teams a view into the right data. But you ideally want to have all that information in a consistent format, with a sane way to correlate all the different data types.

The MantisNet CVF makes observability and correlation in container environments much, much simpler. The ability to correlate metrics with events not only provides powerful metrics for analysis, but also provides the ability to work with semi-structured data within your overall operations analysis and monitoring practice.

The CVF provides cloud native observability that enables streaming, real-time management to help reduce time-to-identify/detect and respond to operational, performance and security issues and can be also serve as a bridge technology as cloud native adoption occurs, supporting “stream to disk” operations for forensic, compliance and data-at-rest analysis. The CVF provides machine/node level visibility into the infrastructure enabling the foundation for a true event-driven architecture with the capabilities we’ve expanded upon above:

  • Kernel level instrumentation and monitoring:
  • Efficient in-node processing and filtering reduces bandwidth and associated costs (cloud egress, etc.)
  • Continuous, real-time streaming output
  • Encryption visibility – session metadata, encrypted traffic, and plaintext

The CVF is a new cloud-native observability solution, one that is simple and easy; can be deployed anywhere and which provides reliable, detailed and efficient insight and intelligence that can be correlated from applications and processes down to the machine and kernel level. The CVF provides unique insights into cloud infrastructure not fully available with other observability solutions. It is an essential tool for DevOps, SecOps, NetOps and SRE teams who need to have the best possible observability and operational intelligence in order to help meet or exceed all their service and security assurance requirements.


Topics: Real-Time Monitoring, mantis, containers, cloud native network function

Peter Dougherty

Written by Peter Dougherty

Peter Dougherty, CISSP, is a technology entrepreneur, strategist & operating executive with over 25 years of experience developing and delivering cyber security, networking, compute, and storage technologies.