A new perspective on network visibility - RISK 2015
TRANSCRIPT
A new perspective on NETWORK VISIBILITY - 10th RiSK Conference, Laško, Slovenia
Siniša Popović, Regional Sales Manager
11-12th March 2015
Agenda
• Brief introduction
• Today's challenges
• Architecting Visibility
• Visibility Architecture components
• Visibility Architecture technology
• Conclusion, Q&A
Net Optics – acquired by Ixia
but... Net Optics will still remain as a brand name!
About Net Optics
• Founded in 1996
• HQ: Silicon Valley, USA
• Offices: Germany, Netherlands, Australia, China
• Manufactured the industry's 1st TAP ever!
• 7,500+ global deployments
• 20+ patents
• 85% of the Fortune 100
Awards
Media
Service Providers trust IXIA to:
• Improve and speed service delivery
• Speed roll out of next gen services
• Improve network and application visibility and performance
Equipment Manufacturers trust IXIA to:
• Develop next generation devices
• Speed time to market
• Improve performance and reliability
Enterprises trust IXIA to:
• Assess vendor equipment and applications
• Improve network security posture
• Improve network and application visibility and performance
Chip Fabricators trust IXIA to:
• Validate protocol conformance
• Speed time to market
(Figure: Test, Security, Visibility)
The MOST TRUSTED names in networking trust IXIA
Today’s Challenges
Network growing faster than tools!
(Chart: Maximum networking link speeds within data center / core networks - 100M, 1G, 10G, 40G and 100G, share of respondents from 0% to 50%, Current vs. Planned in 12 months; * by EMA research)
Threats are growing
Important factor: Network Performance!
Growing number of tools
Where are the blind spots created?
(Diagram: ESX Stack - Hypervisor, V Switch with PhantomMonitor™, VM 1, VM 2, VM 3)
Traditional access methods don't work!
SPAN port
1. Dropping packets
2. High switch CPU and memory load
3. Doesn't forward L1/L2 errors
4. Needs to be configured
5. Mixing source/destination information
6. Limited number of SPAN ports
7. Compliance issues!!!
8. Distorts packet arrival times
Step 1: use Network TAP instead of SPAN
Benefits
• 100% visibility, no dropped packets
• Doesn’t affect switch CPU and memory
• Plug-and-play — no configuration required
• Permanent access: no need to break the link each time you need to remove tool
• Forwards important L1 and L2 errors
• Dual power supplies: keeps the network link up and running in case of power failure
• Doesn’t change packet arrival times
(Diagram: Switch - Firewall - Switch, with an Analyzer attached - SPAN or TAP?)
New challenge: amount of traffic is growing!
Walmart collects over 1 million transactions every hour. This data is streamed into massive data stores currently containing over 2.5 petabytes of data.
Result: Tools are OVERSUBSCRIBED
Visibility Architecture
(Diagram: Director - Aggregation)
• Advanced Packet Distribution
• Aggregation and regeneration
• Intelligent Filtering
• Bypass switching
• Packet Slicing & DeDuplication
Total Network Visibility
Ixia – Portfolio
Net Tool Optimizer®
Network Visibility Solutions
Network TAPs - Copper and fiber TAPs for passive network access
Bypass Switches - Copper and fiber switches for secure inline access
Network Packet Brokers - Intelligent data access with aggregation, filtering, load balancing, de-duplication and more
Virtualization TAPs - Get the full visibility into virtual networks
GTP Session Controller - Intelligent distribution and control of mobile network traffic
Intelligent data access
Network Packet Brokers - Intelligent Traffic Distribution
− Aggregation of traffic from multiple links
− Filtering (by IP, MAC, VLAN, Port, etc.)
− Load-balancing traffic across tools
− Replication of traffic to multiple tools
Network Packet Brokers - Intelligent Packet Processing
− Header stripping (MPLS, VLAN, ...)
− Time-stamping with nano-second precision
− De-duplication for removing duplicated packets
− Packet slicing for removing unnecessary payload
Aggregation
• Problem: too many network links/segments, expensive to deploy
• Solution: aggregate multiple inputs into few outputs
(Diagram: eight 1 Gbps inputs aggregated into one 10 Gbps output)
Intelligent Filtering
(Diagram - Simple filter: TCP filter, HTTP filter, filter on 192.0.0.5, SNMP filter)
(Diagram - Complex filter, multilayer filtering: Network Ports 1, 3 and 6 are mapped to Monitor Ports 5, 6, 8 and 2 by rules such as Source IP = 192.168.10.1, Protocol = UDP, Protocol = TCP and Layer 4 Port = 80; tools attached: IDS, DAM)
Filtering example
(Diagram: Internet - Data Center DMZ with Web, Web, App, Email and four File servers on 10G links; Web Security, Email Security and File Security tools each receive only their own server traffic)
• Filter only File Server traffic
• Filter only WEB Server traffic
• Filter only Email traffic
Load Balancing
(Diagram: Firewall - Router - Switch; the 10G link is tapped and distributed across IPS 1 to IPS 6, each on a 1G link, in LB Group 1 and LB Group 2)
• Sharing 10G link to many 1G tools
• Link can be tapped with a bypass switch for additional protection
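As an added example, not part of the slides or of any Ixia product, the two packet broker functions just shown modelled in Python: a multilayer filter table (my reading of the Complex filter slide; rule order and first-match behaviour are assumptions) and a session-aware hash that spreads one 10G link's flows over the six 1G IPS tools so that both directions of a connection land on the same IPS.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_port: int    # network (TAP) port the packet arrived on
    src: str
    dst: str
    proto: str      # "TCP" or "UDP"
    sport: int
    dport: int


# Rule = (network port, source IP or None, protocol or None, L4 port or None)
# mapped to a monitor port. Assumed reading of the "Complex filter" slide.
Rule = Tuple[int, Optional[str], Optional[str], Optional[int]]
FILTER_RULES = [
    ((1, "192.168.10.1", None, None), 5),   # Network Port 1 -> Monitor Port 5
    ((3, None, "UDP", None), 6),            # Network Port 3 -> Monitor Port 6
    ((6, "192.168.10.1", "TCP", 80), 2),    # Network Port 6 -> Monitor Port 2
]


def matches(pkt: Packet, rule: Rule) -> bool:
    in_port, src, proto, l4 = rule
    return (pkt.in_port == in_port
            and (src is None or pkt.src == src)
            and (proto is None or pkt.proto == proto)
            and (l4 is None or l4 in (pkt.sport, pkt.dport)))


def monitor_port(pkt: Packet) -> Optional[int]:
    """First matching rule wins (assumption); unmatched traffic is not forwarded."""
    for rule, port in FILTER_RULES:
        if matches(pkt, rule):
            return port
    return None


IPS_TOOLS = ("IPS 1", "IPS 2", "IPS 3", "IPS 4", "IPS 5", "IPS 6")


def lb_tool(pkt: Packet, tools=IPS_TOOLS) -> str:
    """Session-aware balancing: hash the 5-tuple in a direction-independent way
    so both halves of a connection are delivered to the same 1G IPS."""
    lo, hi = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    key = f"{pkt.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()
    idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(tools)
    return tools[idx]
```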
De-duplication
(Diagram: input packets 1-9, of which four are duplicated packets; output packets 1-5)
Input: 9 * 1580 bytes = 14220 bytes
Output: 5 * 1580 bytes = 7900 bytes
55% traffic reduction
Packet Slicing
Problem:
In many cases only the header is needed for analysis. Forwarding a 1500-byte packet to a probe consumes more disk storage than a 64-byte packet. If the data content is not needed, this wastes resources and also consumes bandwidth on the downlink to the probe.
Solution:
A Network Monitoring Switch removes the data content of a packet before the packet is forwarded to the probe. The user defines in the GUI which header information is retained after trimming.
(Diagram: MAC | IP | Data | FCS → MAC | IP | FCS)
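As an added example that is not from the slides, de-duplication and packet slicing modelled in Python on constructed 1580-byte frames matching the de-duplication slide; the choice to hash everything after the MAC header (so copies of one packet seen on two links with different MAC headers still match) and the fixed 14 + 20 byte header retained after slicing are assumptions.

```python
import hashlib

MAC_LEN, IP_LEN, FCS_LEN = 14, 20, 4          # MAC | IP | Data | FCS, as on the slide
HEADER_LEN = MAC_LEN + IP_LEN


def make_frame(flow_id: bytes, total_len: int = 1580) -> bytes:
    """Constructed frame: dummy MAC header, IP header carrying flow_id, payload, FCS."""
    payload = b"X" * (total_len - HEADER_LEN - FCS_LEN)
    return b"\xaa" * MAC_LEN + flow_id.ljust(IP_LEN, b"\x00") + payload + b"\xff" * FCS_LEN


def dedup_key(frame: bytes) -> bytes:
    # Assumption: two TAP copies of one packet may differ in their MAC header
    # (e.g. on either side of a router), so the key skips it and the FCS.
    return hashlib.sha1(frame[MAC_LEN:-FCS_LEN]).digest()


def deduplicate(frames, window: int = 16):
    """Drop a frame whose key was already seen among the last `window` frames."""
    recent, out = [], []
    for f in frames:
        k = dedup_key(f)
        if k in recent:
            continue                     # duplicate: do not forward to the tool
        recent.append(k)
        if len(recent) > window:
            recent.pop(0)
        out.append(f)
    return out


def slice_frame(frame: bytes, keep: int = HEADER_LEN) -> bytes:
    """Keep the first `keep` header bytes and the FCS, drop the payload."""
    return frame[:keep] + frame[-FCS_LEN:]


def total_bytes(frames) -> int:
    return sum(len(f) for f in frames)


def demo():
    """Reproduce the slide's 9 * 1580 byte input: 5 unique frames plus 4 duplicates."""
    uniq = [make_frame(b"flow-%d" % i) for i in range(5)]
    inp = [uniq[0], uniq[1], uniq[1], uniq[2], uniq[0], uniq[3], uniq[3], uniq[4], uniq[2]]
    out = deduplicate(inp)
    sliced = [slice_frame(f) for f in out]
    return total_bytes(inp), total_bytes(out), total_bytes(sliced)
```

demo() returns the input, de-duplicated and sliced byte totals (14220, 7900 and 190); de-duplication alone leaves 55.6% of the input bytes, and slicing to the headers cuts the remainder to 190 bytes.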
Port tagging
(Diagram - Network Scenarios: DMZ Segment, Database Farm and Server Array, marked Tag 1, Tag 2 and Tag 3)
Problem:
When aggregating packets over multiple TAPs, it is no longer possible to identify which TAP they were originally taken from. Measuring the delay through, e.g., a Firewall would then require an additional probe. This is costly.
Solution:
By adding a Port TAG to the packet, the Network Monitoring Switch provides full visibility again, and in the Firewall example a single probe suffices.
Timestamping for precise measurements
The first four bytes of the timestamp are a 32-bit binary value in seconds. The second four bytes are a 32-bit binary value representing tenths of microseconds. The final four bytes are reserved for use when higher-precision timestamping becomes available, making the timestamp format capable of supporting a resolution of 0.1 picoseconds.
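As an added example, not code from the slides or from Net Optics, a Python encoder/decoder for the 12-byte timestamp layout described above, combined with the port tag from the previous slide to measure delay through a firewall from two tagged TAP copies at a single probe; the big-endian byte order, the one-byte tag placed before the timestamp, and matching copies by identical frame body are assumptions.

```python
import struct

TS_FMT = ">III"            # seconds | tenths of a microsecond | reserved (byte order assumed)
TENTHS_PER_SEC = 10_000_000


def encode_timestamp(seconds: int, tenths: int) -> bytes:
    if not 0 <= tenths < TENTHS_PER_SEC:
        raise ValueError("tenths of a microsecond must be in [0, 10^7)")
    return struct.pack(TS_FMT, seconds, tenths, 0)   # reserved word is zero today


def decode_timestamp(raw: bytes):
    seconds, tenths, _reserved = struct.unpack(TS_FMT, raw)
    if tenths >= TENTHS_PER_SEC:
        raise ValueError("corrupt timestamp: sub-second field out of range")
    return seconds, tenths        # integers, so the 0.1 µs precision is not lost


def tag_and_stamp(frame: bytes, tag: int, seconds: int, tenths: int) -> bytes:
    """Constructed trailer layout: 1-byte port tag followed by the 12-byte timestamp."""
    return frame + bytes([tag]) + encode_timestamp(seconds, tenths)


def split_trailer(frame: bytes):
    body, tag, ts = frame[:-13], frame[-13], frame[-12:]
    return body, tag, decode_timestamp(ts)


def firewall_delay_tenths(frames, tag_before: int = 1, tag_after: int = 2) -> dict:
    """Pair each packet seen on the TAP before the firewall (tag_before) with its
    copy seen after it (tag_after); return the delay in tenths of a microsecond."""
    before, after = {}, {}
    for f in frames:
        body, tag, (s, t) = split_trailer(f)
        total = s * TENTHS_PER_SEC + t
        if tag == tag_before:
            before[body] = total
        elif tag == tag_after:
            after[body] = total
    return {body: after[body] - before[body] for body in before if body in after}
```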
Tap and optimize virtual traffic
"Phantom Virtual Tap enables 100% visibility of east-west, inter-VM, and blade server mid-plane traffic, with ability to do aggregation, replication and multilayer L2-L4 filtering inside the virtual environment."
• Best throughput results
• Extensive L2-L4 Filtering
• Minimal resources used
Virtual and Physical convergence
(Diagram: ESX, KVM and XEN hosts, each with VMs (App / OS) on a Hypervisor, a V Switch and Phantom™ Manager; virtual traffic is carried over a Tunnel across the LAN/WAN to Net Optics Phantom™ HD and Net Optics Director™, alongside two Physical Servers; tools fed: IDS, NGFW, Protocol Analyzer, DLP)
Without Visibility Architecture
(Diagram - the Performance, Security and Visibility tools receive: Good packets, Duplicated packets, Un-filtered packets, Large packets)
With Visibility Architecture
(Diagram - Ixia / Net Optics sits in front of the Performance, Security and Visibility tools: only Good packets pass; Dupl. packets and Filter. packets are removed)
Visibility Architecture
Network segments: Carrier Networks (Wired and Mobile), Data Center (Private Cloud), Virtualization, Core, Remote Office / Branch Office, Campus
Consumers: Network Operations, Performance Management, Security Admin, Server Admin, Audit & Privacy, Forensics
Layers: Network Access, Packet Brokers, Applications, Management
Components: Network Taps, Virtual & Cloud Access, Inline Bypass, Out of Band NPB, Inline NPB, App Aware, Session Aware, Element Mgmt, Policy Mgmt, Data Center Automation
www.ixiacom.com/solutions/network-visibility/
www.netoptics.com | www.network-taps.eu
The End
Thank you!
Siniša Popović, Regional Sales Manager
E: [email protected]
+43 676 793 4000