A new perspective on Network Visibility - RISK 2015

A new perspective on NETWORK VISIBILITY - 10th RiSK Conference, Laško, Slovenia - Siniša Popović, Regional Sales Manager - 11-12th March 2015

Uploaded by network-performance-channel-gmbh, posted on 16-Jul-2015


TRANSCRIPT

Page 1: A new perspective on Network Visibility - RISK 2015

A new perspective on NETWORK VISIBILITY - 10th RiSK Conference, Laško, Slovenia

Siniša Popović, Regional Sales Manager

11-12th March 2015

Page 2: A new perspective on Network Visibility - RISK 2015

Agenda

• Brief introduction

• Today's challenges

• Architecting Visibility

• Visibility Architecture components

• Visibility Architecture technology

• Conclusion, Q&A

Page 3: A new perspective on Network Visibility - RISK 2015
Page 4: A new perspective on Network Visibility - RISK 2015

Net Optics – acquired by Ixia

but... Net Optics will still remain as a brand name!

Page 5: A new perspective on Network Visibility - RISK 2015

About Net Optics

• Founded in 1996

• HQ: Silicon Valley, USA

• Offices: Germany, Netherlands, Australia, China

• Manufactured the industry's 1st TAP ever!

• 7.500+ global deployments

• 20+ patents

• 85% of the Fortune 100

Awards

Media

Page 6: A new perspective on Network Visibility - RISK 2015

Service Providers trust IXIA to:

• Improve and speed service delivery

• Speed roll out of next gen services

• Improve network and application visibility and performance

Equipment Manufacturers trust IXIA to:

• Develop next generation devices

• Speed time to market

• Improve performance and reliability

Enterprises trust IXIA to:

• Assess vendor equipment and applications

• Improve network security posture

• Improve network and application visibility and performance

Chip Fabricators trust IXIA to:

• Validate protocol conformance

• Speed time to market

[Diagram: Ixia's three areas - Test, Security, Visibility]

The MOST TRUSTED names in networking trust Ixia

Page 7: A new perspective on Network Visibility - RISK 2015

Today’s Challenges

Page 8: A new perspective on Network Visibility - RISK 2015

Network growing faster than tools!

[Chart: maximum networking link speeds within data center / core networks - 100M, 1G, 10G, 40G, 100G - share of respondents (0-50%) currently deployed vs. planned in 12 months; source: EMA research]

Page 9: A new perspective on Network Visibility - RISK 2015

Threats are growing

Page 10: A new perspective on Network Visibility - RISK 2015

Important factor: Network Performance!

Page 11: A new perspective on Network Visibility - RISK 2015

Growing number of tools

Page 12: A new perspective on Network Visibility - RISK 2015

Where are the blind spots created?

[Diagram: ESX stack - Hypervisor, V Switch with Phantom Monitor™, VM 1, VM 2, VM 3]


Page 16: A new perspective on Network Visibility - RISK 2015

Traditional access methods don't work!

1. Dropping packets

2. High switch CPU and memory load

3. Doesn't forward L1/L2 errors

4. Needs to be configured

5. Mixing source/destination information

6. Limited number of SPAN ports

7. Compliance issues!!!

8. Distorts packet arrival times

SPAN port

Page 17: A new perspective on Network Visibility - RISK 2015

Step 1: use Network TAP instead of SPAN

Benefits

• 100% visibility, no dropped packets

• Doesn’t affect switch CPU and memory

• Plug-and-play — no configuration required

• Permanent access: no need to break the link each time you need to remove tool

• Forwards important L1 and L2 errors

• Dual power supplies: keeps the network link up and running in case of power failure

• Doesn’t change packet arrival times

[Diagram: Switch - Firewall - Switch, with an Analyzer attached to the tapped link]

Page 18: A new perspective on Network Visibility - RISK 2015

SPAN or TAP?

Page 19: A new perspective on Network Visibility - RISK 2015

New challenge: amount of traffic is growing!

Walmart collects over 1 million transactions every hour. This data is streamed into massive data stores currently containing over 2.5 petabytes of data.

Page 20: A new perspective on Network Visibility - RISK 2015

Result: Tools are OVERSUBSCRIBED


Page 22: A new perspective on Network Visibility - RISK 2015

Where are the blind spots created?

[Diagram: ESX stack - Hypervisor, V Switch with Phantom Monitor™, VM 1, VM 2, VM 3 - feeding a Director aggregation layer]

Visibility Architecture:

• Advanced Packet Distribution

• Aggregation and regeneration

• Intelligent Filtering

• Bypass switching

• Packet Slicing & DeDuplication

Total Network Visibility

Page 23: A new perspective on Network Visibility - RISK 2015

Ixia – Portfolio

Net Tool Optimizer®

Network Visibility Solutions

• Network TAPs: Copper and fiber TAPs for passive network access

• Bypass Switches: Copper and fiber switches for secure inline access

• Network Packet Brokers: Intelligent data access with aggregation, filtering, load balancing, de-duplication and more

• Virtualization TAPs: Get the full visibility into virtual networks

• GTP Session Controller: Intelligent distribution and control of mobile network traffic

Page 24: A new perspective on Network Visibility - RISK 2015

Intelligent data access

Network Packet Brokers: Intelligent Traffic Distribution

− Aggregation of traffic from multiple links

− Filtering (by IP, MAC, VLAN, Port, etc.)

− Load-balancing traffic across tools

− Replication of traffic to multiple tools

Network Packet Brokers: Intelligent Packet Processing

− Header stripping (MPLS, VLAN, ...)

− Time-stamping with nano-second precision

− De-duplication for removing duplicated packets

− Packet slicing for removing unnecessary payload

Page 25: A new perspective on Network Visibility - RISK 2015

Aggregation

• Problem: too many network links/segments, expensive to deploy

• Solution: aggregate multiple inputs into few outputs

[Diagram: multiple 1 Gbps network links aggregated onto a single 10 Gbps tool link]

Page 26: A new perspective on Network Visibility - RISK 2015

Intelligent Filtering

[Diagram: simple filters (TCP filter, HTTP filter to 192.0.0.5, SNMP filter) feeding tools such as an IDS and a DAM, beside a complex, multilayer filter]

Filter labels as they appear in the diagram:

Network Port 1 to Monitor Port 5: Source IP = 192.168.10.1

Network Port 3 to Monitor Port 6: Protocol = UDP

Network Port 6 to Monitor Port 2: Source IP = 192.168.10.1, Protocol = TCP, Layer 4 Port = 80

Monitor Port 8

Simple filter / Multilayer filtering

IDS DAM
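A packet broker filter of the kind the diagram shows, as an added example (not Ixia's code): rules with wildcard fields, so a source-IP-only rule is a simple filter and a source IP + protocol + Layer 4 port rule is a multilayer one, and a packet matching several rules is replicated to every matching monitor port. The pairing of network ports to rules and the sample traffic are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:          # L2-L4 metadata a packet broker extracts per packet
    network_port: int  # broker ingress port the packet arrived on
    src_ip: str
    proto: str         # "TCP", "UDP", ...
    l4_port: int       # destination Layer 4 port

@dataclass(frozen=True)
class Rule:            # None means "don't care": fewer fields set = simpler filter
    network_port: int
    monitor_port: int
    src_net: Optional[str] = None
    proto: Optional[str] = None
    l4_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Every configured field must match (logical AND across the layers)
        return (pkt.network_port == self.network_port
                and (self.src_net is None or ip_address(pkt.src_ip) in ip_network(self.src_net))
                and (self.proto is None or pkt.proto == self.proto)
                and (self.l4_port is None or pkt.l4_port == self.l4_port))

def distribute(rules, packets):
    """Return {monitor_port: [packets]}. A packet matching several rules is
    replicated to each monitor port; one matching none is not forwarded."""
    out = {rule.monitor_port: [] for rule in rules}
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                out[rule.monitor_port].append(pkt)
    return out

# Rules built from the slide's labels; the port-to-rule pairing is assumed.
RULES = [
    Rule(1, 5, src_net="192.168.10.1/32"),                           # simple filter
    Rule(3, 6, proto="UDP"),                                         # simple filter
    Rule(6, 2, src_net="192.168.10.1/32", proto="TCP", l4_port=80),  # multilayer
]

SAMPLE = [  # constructed sample traffic, one packet per case worth checking
    Packet(1, "192.168.10.1", "TCP", 443),  # -> monitor 5
    Packet(1, "10.0.0.7", "TCP", 443),      # wrong source, not forwarded
    Packet(3, "10.0.0.8", "UDP", 53),       # -> monitor 6
    Packet(6, "192.168.10.1", "TCP", 80),   # -> monitor 2
    Packet(6, "192.168.10.1", "TCP", 22),   # port 22, not forwarded
]
```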

Page 27: A new perspective on Network Visibility - RISK 2015

Filtering example

[Diagram: Internet connected over two 10G links to a Data Center DMZ with Web, Web, App, Email and File servers; the packet broker filters only File Server traffic to File Security, only WEB Server traffic to Web Security, and only Email traffic to Email Security]

Page 28: A new perspective on Network Visibility - RISK 2015

Load Balancing

[Diagram: Firewall and Router on a 10G link through a Switch, load-balanced over IPS 1 to IPS 6 on 1G links, grouped as LB Group 1 and LB Group 2]

• Sharing 10G link to many 1G tools

• Link can be tapped with a bypass switch for additional protection

Page 29: A new perspective on Network Visibility - RISK 2015

De-duplication

[Diagram: 9 input packets, of which 4 are duplicated packets, become 5 output packets]

Input: 9 * 1580 bytes = 14220 bytes

Output: 5 * 1580 bytes = 7900 bytes

55% traffic reduction
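The de-duplication step from the slide, as an added example (not Ixia's code): a sliding window of packet digests, with the slide's 9-packet, 1580-byte case as constructed input. The window size and the byte-exact comparison are assumptions; the hash algorithm is likewise a choice for the example.

```python
import hashlib
from collections import OrderedDict

def dedupe(packets, window=1024):
    """Forward each packet once; drop later byte-identical copies seen within
    the last `window` unique packets. Returns (kept_packets, dropped_count).
    Real brokers also mask fields that differ between copies of one packet
    (TTL, IP checksum, VLAN tag); this example compares full bytes only."""
    recent = OrderedDict()            # digest -> None, oldest first
    kept, dropped = [], 0
    for pkt in packets:
        digest = hashlib.sha256(pkt).digest()
        if digest in recent:
            dropped += 1
            continue
        recent[digest] = None
        if len(recent) > window:
            recent.popitem(last=False)  # age out the oldest digest
        kept.append(pkt)
    return kept, dropped

def byte_stats(packets, kept):
    """(bytes in, bytes out, percentage of bytes removed)."""
    before = sum(len(p) for p in packets)
    after = sum(len(p) for p in kept)
    return before, after, round(100 * (1 - after / before), 1)

# Constructed input matching the slide: 9 packets of 1580 bytes, where
# packets 1-4 each arrive twice (e.g. tapped on both sides of a router).
PACKET_LEN = 1580
SAMPLE = [bytes([n]) * PACKET_LEN for n in (1, 2, 1, 3, 2, 4, 3, 5, 4)]

def demo():
    kept, dropped = dedupe(SAMPLE)
    return (len(kept), dropped) + byte_stats(SAMPLE, kept)
```

For the slide's figures the output is 7900 of 14220 bytes, i.e. about 55% of the input volume, which corresponds to a 44.4% reduction in bytes.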

Page 30: A new perspective on Network Visibility - RISK 2015

Packet Slicing

Problem:

In many cases only the header is needed for analysis. Forwarding a 1500-byte packet to a probe consumes more memory and disk than a 64-byte packet. If the data content is not needed, this wastes resources, and it also consumes bandwidth on the downlink to the probe.

Solution:

A Network Monitoring Switch removes the data content of a packet before the packet is forwarded to the probe. The user can define in the GUI which header information will be retained after trimming.

Before trimming: MAC, IP, Data, FCS

After trimming: MAC, IP, FCS
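Packet slicing as described above, as an added example (not Ixia's code): the data content is cut after the MAC and IP headers (optionally keeping the L4 header, standing in for the GUI choice of retained headers) and the FCS is recomputed. The sample frame is constructed; handling only IPv4 is a simplification for the example.

```python
import struct
import zlib

ETH_HDR = 14  # destination MAC + source MAC + EtherType

def fcs(body: bytes) -> bytes:
    """Ethernet frame check sequence: CRC-32, sent least significant byte first."""
    return struct.pack("<I", zlib.crc32(body))

def fcs_ok(frame: bytes) -> bool:
    return frame[-4:] == fcs(frame[:-4])

def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame used as sample input (not real traffic)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 168, 10, 1]), bytes([10, 0, 0, 5]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    body = eth + ip + tcp + payload
    return body + fcs(body)

def slice_frame(frame: bytes, keep_l4: bool = True) -> bytes:
    """Remove the data content, keep MAC + IP (+ L4) headers, recompute the FCS.

    keep_l4=False reproduces the slide's picture (MAC, IP, FCS only)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("example handles IPv4 frames only")
    ihl = (frame[ETH_HDR] & 0x0F) * 4          # IP header length from the IHL nibble
    keep = ETH_HDR + ihl
    if keep_l4:
        proto = frame[ETH_HDR + 9]
        if proto == 6:                          # TCP: length from the data-offset nibble
            keep += (frame[keep + 12] >> 4) * 4
        elif proto == 17:                       # UDP: fixed 8-byte header
            keep += 8
    body = frame[:keep]   # IP total-length field is left untouched, like a capture snaplen
    return body + fcs(body)

def demo():
    """Frame sizes: full, sliced with L4 header kept, sliced to MAC + IP only."""
    full = build_frame(b"A" * 1460)
    return len(full), len(slice_frame(full)), len(slice_frame(full, keep_l4=False))
```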

Page 31: A new perspective on Network Visibility - RISK 2015

Port tagging

[Diagram: network scenarios - DMZ Segment, Database Farm and Server Array, each tapped and marked with Tag 1, Tag 2 or Tag 3]

Problem:

When aggregating packets from multiple TAPs, it is no longer possible to identify the TAP from which they were originally taken. Measuring the delay, e.g. through a firewall, would then require an additional probe, which is costly.

Solution:

By adding a port tag to each packet, the Network Monitoring Switch restores full visibility, and in the firewall example a single probe suffices.

Page 32: A new perspective on Network Visibility - RISK 2015

Timestamping for precise measurements

The first four bytes of the timestamp are a 32-bit binary value in seconds. The second four bytes are a 32-bit binary value representing tenths of microseconds. The final four bytes are reserved for use when higher-precision timestamping becomes available, making the timestamp format capable of supporting a resolution of 0.1 picoseconds.
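The 12-byte timestamp layout described above, as an added example (not Ixia's code): encoding, decoding, and the delay between two stamped copies of a packet, which is the measurement the port-tagging slide motivates. Network (big-endian) byte order is an assumption; the slide does not state it.

```python
import struct
from datetime import datetime, timezone

# Layout from the slide: 32-bit seconds, 32-bit tenths of a microsecond,
# 32-bit reserved. Big-endian byte order is assumed for this example.
TS_STRUCT = struct.Struct("!III")
TENTHS_PER_SECOND = 10_000_000

def encode_timestamp(seconds: int, tenths_us: int, reserved: int = 0) -> bytes:
    if not 0 <= tenths_us < TENTHS_PER_SECOND:
        raise ValueError("sub-second field must be 0..9999999 tenths of a microsecond")
    return TS_STRUCT.pack(seconds, tenths_us, reserved)

def decode_timestamp(raw: bytes):
    """Return (seconds, tenths_us, reserved) from the 12-byte timestamp."""
    return TS_STRUCT.unpack(raw[:TS_STRUCT.size])

def to_datetime(raw: bytes) -> datetime:
    seconds, tenths_us, _ = decode_timestamp(raw)
    # datetime resolves to microseconds, so the last digit is dropped here
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=tenths_us // 10)

def delta_tenths_us(before: bytes, after: bytes) -> int:
    """Elapsed time between two stamped copies of the same packet, e.g. tapped
    before and after a firewall, in tenths of a microsecond. A negative result
    means the copies were mis-ordered or mis-tagged, which is worth alerting on."""
    s0, t0, _ = decode_timestamp(before)
    s1, t1, _ = decode_timestamp(after)
    return (s1 - s0) * TENTHS_PER_SECOND + (t1 - t0)
```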

Page 33: A new perspective on Network Visibility - RISK 2015

Tap and optimize virtual traffic

"Phantom Virtual Tap enables 100% visibility of east-west, inter-VM, and blade server mid-plane traffic, with ability to do aggregation, replication and multilayer L2-L4 filtering inside the virtual environment."

• Best throughput results

• Extensive L2-L4 Filtering

• Minimal resources used

Page 34: A new perspective on Network Visibility - RISK 2015

Virtual and Physical convergence

[Diagram: three physical servers running ESX, KVM and XEN, each with VM1 and VM2 (App over OS) on a Hypervisor with a V Switch and Phantom™ Manager; their traffic is tunnelled to Net Optics Phantom™ HD and Net Optics Director™, which feed the IDS, NGFW, Protocol Analyzer and DLP tools alongside the physical LAN/WAN traffic]

Page 35: A new perspective on Network Visibility - RISK 2015

Without Visibility Architecture

[Diagram: without a Visibility Architecture, the Performance, Security and Visibility tools receive good packets mixed with duplicated packets, un-filtered packets and large packets]

Page 36: A new perspective on Network Visibility - RISK 2015

With Visibility Architecture

[Diagram: with a Visibility Architecture (Ixia / Net Optics), the Performance, Security and Visibility tools receive only good packets; duplicated and filtered packets are removed before the tools]

Page 37: A new perspective on Network Visibility - RISK 2015

[Diagram: Visibility Architecture spanning Carrier Networks (Wired and Mobile), Data Center / Private Cloud, Virtualization, Core, Remote Office / Branch Office and Campus, serving Network Operations, Performance Management, Security Admin, Server Admin, Audit & Privacy and Forensics]

Layers shown: Network Access, Packet Brokers, Applications, Management

Components shown: Network Taps, Virtual & Cloud Access, Inline Bypass, Out of Band NPB, Inline NPB, AppAware, SessionAware, Element Mgmt, Policy Mgmt, Data Center Automation

www.ixiacom.com/solutions/network-visibility/

www.netoptics.com | www.network-taps.eu