Next-Generation Network Packet Broker (NG-NPB)

Complete Visibility of Network Traffic

Dejan Laketić, Sr. Sales Engineer, Gigamon, EMEA Central


Post on 03-Jun-2020


© 2013 Gigamon. All rights reserved.

“It’s What You Can’t See That Will Sink You”

“What you can’t see, can’t be monitored. What you can’t monitor, can’t be managed & secured”

Introduction to Next Generation Network Packet Broker (NG-NPB)

Benefits and Use Cases


Network & Security Visibility Challenges

[Figure labels: Firewall, Routers, Remote sites, Spine switches, Leaf switches, Public cloud, Internet, Virtualized server farm. Tools: IPS/IDS, WAF, SIEM, CEM, APT, DLP, APM/NPM, Forensic.]

• Full Visibility / Asymmetric Traffic?
• Network Upgrades?
• Data Volume Increase?
• Tool Load & Performance?
• New Tools?
• Compliance?
• Encryption / Decryption?
• CAPEX / OPEX?


Solution for better visibility – NG NPB

[Figure labels: the same network elements, tools and questions as on the "Network & Security Visibility Challenges" slide, with the added label "Next Generation Network Packet Broker, Gigamon".]

Confidential and Proprietary. Not to be distributed without express written consent from Gigamon. © 2019 Gigamon. All rights reserved.

Complete Visibility into Data-in-Motion

[Figure labels: Leaf, Spine, Core, Regional Center, Public Cloud, Cloud TAP, V-Series, REST APIs, Automation. Centralized Tools: Security (Forensics, Detection, Prevention), Application Performance Management, Network Performance Management, Customer Experience Management.]

Functions shown: De-duplication, FlowVUE Sampling, GTP, SIP & RTP Correlation, NetFlow & Metadata, SSL Decryption, Application Intelligence, Time Stamping, Packet Slicing, Src Port Labeling, Header Stripping, Masking, Tunneling.


Network Monitoring & Security Tools

[Figure labels: Prevention, Detection. Out-of-Band (Passive): Out-of-Band Tool, Packets, SPAN, TAP. NetFlow Collector: NetFlow / Metadata, NetFlow / IPFIX / CEF records & metadata, SPAN, TAP. Inline (Active): Inline Tool.]

Working with any tool and any network

Agnostic Visibility Solution

Network & Security Visibility

Implementation Use Cases

Use Case 1. First Step to Visibility: Get Reliable Data Access for Tools

[Figure labels: Firewall, Routers, Remote sites, Spine switches, Leaf switches, Public cloud, Virtualized server farm, Internet. GigaVUE-TA10 front panel: 1G/10G ports (SFP+) X1 to X48, 10G/40G ports (QSFP) Q1 to Q4 (X49 to X64). GigaVUE-HC2 front panel with modules PRT-HC0-Q06, SMT-HC0-X16 and TAP-HC0-G100C0 (TAP 1 to TAP 12); mode switch (M): Off = Bypass, On = Inline. Functions: De-Duplication, NetFlow / Metadata, GigaSMART Functionalities, Smart Flow Mapping, OOB SSL Decryption. Tools: IDS, NAC, APM, NPM, ATP, DLP, …]

Eliminate SPAN Port Contention

Few SPAN ports, many operational and security tools

• Without Gigamon: Customer is unable to use all tools! (Switch with two SPAN session limitation; tools: Application Performance Management, Intrusion Detection System (IDS), Packet Capture, VoIP Analyzer.)
• With Gigamon: Customer has complete visibility for all tools! (Tools: Intrusion Detection System (IDS), Application Performance Management, VoIP Analyzer, Packet Capture.)

Run Multiple Proof of Concept in Parallel

Accelerate Certification of New Tools

• Without Gigamon: Customer performs each proof of concept serially at different times using different data.
• With Gigamon: Customer is able to run multiple POCs concurrently using the same data.

[Figure labels: POC #1 (Vendor X Tool), POC #2 (Vendor Y Tool), POC #3 (Vendor Z Tool) on timelines marked 1 month, 2 months, 3 months; each tool tested w/ NW segment for 4 weeks.]

Use Case 2. Visibility During Network Upgrades/Expanding Network Coverage

Change Media and Speed

10Gb, 40Gb or 100Gb Traffic to 1/10Gb Tools

GigaVUE® Matches Your Network to Your Tools

• Without Gigamon: Customer migrates to a 100Gb network and 1Gb/10Gb monitoring tools become useless.
• With Gigamon: Customer is able to extend the life of their 1Gb/10Gb network and security tools using GigaStream® load balancing and GigaSMART® intelligence.

[Figure labels: 100Gb, 10Gb. Tools: Intrusion Detection System (IDS), Application Performance Management, Packet Capture, VoIP Analyzer.]

Use Case 3. Improve Threat Prevention Efficacy with Inline Bypass

[Figure labels: Firewall, Routers, Remote sites, Spine switches, Leaf switches, Public cloud, Virtualized server farm, Internet. GigaVUE-HC2 front panel with modules PRT-HC0-X24 (X1 to X24), TAP-HC0-G100C0 (TAP 1 to TAP 12) and PRT-HC0-Q06 (Q1 to Q6); mode switch (M): Off = Bypass, On = Inline. Inline Tool: IPS, WAF, …]

Maximize availability & resiliency (for network teams)
• Maximize tool efficacy
• Increase scale of security monitoring
• Bypass protection with advanced health checks to maximize availability

Maximize operational agility (for security teams)
• Add, remove, upgrade tools seamlessly: reduce risk and security effort
• Migrate tools from detection to prevention modes (and vice versa)
• Integrate inline, out-of-band, flow-based tools and metadata to a common platform

IPS = Intrusion Prevention System
WAF = Web Application Firewall
ATP = Advanced Threat Prevention

[Figure labels: WAN Router, Firewall, Core Switch; inline tools: 2x IPS, WAF, 3x ATP.]

Example:
• Generic Web Traffic: IPS + WAF
• Specific Web Traffic: IPS + WAF + ATP
• Non-Web Traffic to/from Specific Subnets: IPS + ATP
• Backup traffic: No inspection
• All other traffic: IPS

Use Case 4. Encrypted Traffic Management (TLS Decryption)

Need for Efficient SSL/TLS Inspection

• 80% of enterprise traffic will be encrypted through 2019 [1]
• 50% of malware will use encryption by 2019 [1]
• 80% performance degradation of security appliances due to SSL [2]
• 100% need for visibility into SSL traffic entering or leaving an organization

[1] Source: Gartner “Predicts 2017: Network and Gateway Security”
[2] Source: SSL Performance Problems, NSS Labs

SSL Decryption Options:

• Do nothing? Not the right answer.
• Enable SSL decryption on each tool? Serious performance hit on tools (>50% up to 80% capacity lost). Multiple decrypt/encrypt latency, troubleshooting difficulties.
• Insert standalone SSL decryption appliance? Another vendor/component added to mix, point of failure/problems. Very limited tool chaining.
• Use Gigamon Next-Gen Packet Broker. Single SSL decryption instance feeds all tools. Decrypt once, feed any number of inline and out-of-band tools. No physical wiring/changes required with existing NGPB.

[Figure labels: WAN router, Firewall, Core switch; T1, T2, T3; IPS x2, WAF, ATD x3.]

Highlights
• Servers and clients located internally or externally
• Private keys not needed
• RSA, DH, PFS can be used
• Supports inline and out-of-band tools

[Figure labels: SSL Session Leg 1 (Encrypted), SSL Session Leg 2 (Encrypted), numbered steps 1 to 4; Inline Tool Group (Decrypted Traffic), Out-of-Band Tool (Decrypted Traffic), Web Monitor Tool (Decrypted Traffic). Legend: Encrypted Traffic, Decrypted Traffic.]

Key Capabilities
• Automatic SSL/TLS detection on any port or application: inbound and outbound
• Scalable interface support (1Gb to 100Gb)
• Decrypt once, feed many tools
• Strong crypto support: PFS, DHE, Elliptic Curve ciphers
• Certificate validation and revocation lists: strengthens organizations’ security posture
• Strong privacy compliance: categorize URL before decryption

[Figure labels: Clients, Internet Servers; Corporate Servers, Clients; Gateway, Internet; APT Prevention, IPS, Network Forensics, Anti-malware; Active, Inline Appliance(s); Passive, Out-of-Band Appliance(s). Legend: Encrypted Traffic, Decrypted/Unencrypted Traffic.]

Use Case 5. Centralized NetFlow/IPFIX Generation

The Power of the Platform: NetFlow/IPFIX Generation

Challenges:
• High impact on switches that generate flow records
• Switches generate sampled NetFlow inadequate for security
• Different formats across different switch manufacturers
• Lack of ubiquitous NetFlow generation capabilities across infrastructure
• Vanilla NetFlow records do not contain metadata beyond basic flow info

Benefits of the Gigamon approach:
• Pervasive visibility w/ centralized, high-fidelity, unsampled NetFlow generation
• Export in all standard formats (NetFlow v5, NetFlow v9, IPFIX, CEF)
• Combine Flow Mapping® with IPFIX generation for high-fidelity output
• Optional enhanced metadata added to flow records
• Combine with full packet analysis to create an effective monitoring strategy

[Figure labels: Without Gigamon: Production Network, NetFlow Records, Tools and Analytics (Application Performance, Network Performance, Security). With Gigamon: Production Network, NetFlow Generation, Tools and Analytics (Application Performance, Network Performance, Security).]

Use Case 6. Extract Network Metadata to Optimize SIEMs

• Make it easier for the SIEM to find the proverbial needle in a haystack
• Extract and send only the critical metadata to the SIEM
• Reduce the quantity of data by several orders of magnitude

[Figure labels: Network, Network Metadata, Metadata Engine, SIEM/Collector; DNS, SSL, HTTP, RDP, PowerShell.]

Use Case 7. Leverage Application Intelligence to Optimize Tool Stack

[Figure labels: Internet, Firewall, Routers, Spine Switches, Leaf Switches, Virtualized Server Farm; Visibility Platform, Application Filter; Tools and Analytics: Security, Application Performance, Network, DLP, CASB, Performance; Filter out (not sent to any tools).]

Internal Network, Network Ingress: 10 Gbps
• Unanalyzed Email (SMTP, IMAP): -1.5 Gbps
• Streaming Video (YouTube, Netflix, Hulu): -3.0 Gbps
• Backups and Updates (Windows, iOS, Android): -1.2 Gbps

Filtered from ATD tool: 5.7 Gbps
Delivered to ATD tool: 4.3 Gbps

Use Case 8. Visibility into Private Clouds (VMware ESX and NSX)

5 REASONS WHY YOU SHOULD CARE

1. Scope of security must cover virtualized workloads
2. Increasing VM density
3. Visibility into VM-VM traffic
4. Creating new virtual tool instances eats into compute capacity
5. Automated visibility after VM migration

[Figure labels: Server, Hypervisor, Virtual Switch; Virtual IDS VM1, Virtual Anti-Malware, Virtual APM VM; GigaVUE-VM; IDS, Anti-Malware, APM.]

GigaVUE-FM
• vCenter integration
• Bulk GigaVUE-VM onboarding
• Virtual traffic policy creation
• Automatic migration of monitoring policies

[Figure labels: Private Cloud, Server I, Server II, vCenter, Virtual Traffic Policies, Tunneling, Internet, Production Network; Tools and Analytics: Application Performance, Network Performance, Security.]

Use Case 9. Visibility into Hybrid Clouds (AWS, Azure, OpenStack, VMware ESX and NSX)

[Figure labels: Amazon: Applications VPC, Virtual apps, Amazon CloudWatch, Visibility tier, Tools, AWS Direct Connect (for hybrid connectivity). Azure: Applications VNet, Virtual apps, Azure API, Visibility tier, Tools, Azure ExpressRoute. OpenStack Cloud: Tenant Networks, Virtual Network Functions (MME, SGW, PGW), Horizon, Nova, Glance, Visibility tier, Tools. VMware Cloud*: Virtualized workloads, Virtual apps, Virtual Network Functions (MME, SGW, PGW), Visibility tier, Tools. GigaVUE-FM Fabric Manager. Tools: Analytics Tools, Security Tools, Perf Mgmt Tools. To other physical / virtual elements in Gigamon Platform.]

Use Case 10. Visibility into Remote Sites

• Centralized tools
• Metadata generated from remote sites
• Flexibility to extract full traffic flows when needed
• Cost optimized: Reduce WAN costs with de-dup or slicing or IPFIX at remote site before backhaul

[Figure labels: three Remote Sites, each with a GigaVUE-HC1; Security Operations / Network Operations (in central data center): GigaVUE-HC2, GigaVUE-HC3, GigaVUE-FM, Metadata Engine, SIEM, Tools.]

Use Case 11. Lawful Intercept

Challenges:
• Expensive, ad hoc approach
• Deploy equipment and staff as needed to each exchange/CO
• Requires staff and equipment to be immediately ready to deploy in order to satisfy the legal dates/terms on the government warrant

Benefits of the Gigamon approach:
• Higher ROI: GigaVUE® nodes at each exchange tunnel traffic to a centralized Legal Intercept Recorder
• Flow Mapping® policies select only traffic that needs interception
• Ability to filter application flows to narrow traffic of interest

[Figure labels: Without Gigamon, With Gigamon; Exchange 1, Exchange 2, Exchange 3; Legal Intercept Recorder; Central Data Center.]

Corporate Overview

THE ESSENTIAL ELEMENT OF YOUR SECURITY

Gigamon is leading the convergence of networking and security. Our next generation network packet broker helps make threats more visible, deploy resources faster and maximize performance.

• Global offices: 20 countries
• Verticals: Public Sector | Financial Services | Healthcare | Retail | Technology | Service Providers
• Named: Market leader
• Patents: 51 global patents issued
• Serving: Over 2,800 customers
• Employing: 707 employees
• CEO: Paul Hooper
• HQ: Santa Clara, California, USA
• Founded: 2004

* Feb 2018: Offices, employee and patent information
** Q1 2018: Customer count

Trusted by the World’s Leading Organizations

Gigamon Customers

• 7 of the top ten Global Banks
• 8 of the top ten Healthcare Providers
• 10 of the top ten U.S. Federal Agencies
• 8 of the top ten largest Tech Companies
• 83 of the Fortune 100
• 8 of the top ten Mobile Phone Network Operators

Customer data from April 2018. List sources available upon request.

Gigamon Product Portfolio

Management and Orchestration: GigaVUE-FM, API, IQL

Security Intelligence: Insight, Data Store
▸ Detect
▸ Investigate

Core Intelligence

GigaSMART® Application Intelligence
▸ Application Visualization
▸ Application Filter Intelligence
▸ Application Metadata Intelligence

Subscriber Intelligence
▸ GTP Correlation
▸ FlowVUE® Flow Sampling
▸ SIP/RTP Correlation
▸ 5G/CUPS Correlation

Traffic Intelligence
▸ De-duplication
▸ Slicing
▸ Masking
▸ SSL/TLS Decryption
▸ NetFlow Generation
▸ Advanced Load Balancing
▸ Tunneling
▸ Adaptive Packet Filtering
▸ Header Stripping

GigaVUE-OS
▸ Flow Mapping®
▸ Clustering
▸ Inline Bypass
▸ GigaStream®

Visibility Nodes (Physical, Virtual, Cloud)
▸ GigaVUE H Series: Intelligent Visibility
▸ GigaVUE TA Series: Tap Aggregators
▸ G-TAP: Taps
▸ GigaVUE-VM: Tap Aggregator
▸ GigaVUE V Series: Intelligent Visibility
▸ G-vTAP: Virtual Taps

Physical, Virtual, and Cloud Infrastructure

Gigamon Portfolio

[Figure: chart with axes Traffic Intelligence Capacity and Throughput (Gbps), segments Mid-Sized Enterprise, Large Enterprise, Service Provider. NG Network Packet Broker: HC1, HC2, HC3. Traffic aggregator: GigaVUE-TA10, GigaVUE-TA40, GigaVUE-TA100, GigaVUE-TA200. TAP: Serie A, Serie M, Serie G, BiDi 40G Fiber TAP.]

Thank you

Dejan Laketić
[email protected]
+420 774 419 960