Best Practices for Building Scalable Visibility Architectures

February 11, 2014. Presenters: Jim Frey, VP of Research, Network Management, Enterprise Management Associates; Scott Register, Senior Director, Product Management, Ixia

description

These slides, based on the webinar and featuring EMA Vice President of Research, Jim Frey, and Ixia Senior Director, Product Management, Scott Register, cover:

• Key goals and objectives of a visibility architecture

• Ways in which Network Visibility Controllers (NVCs) are being used, both today and in the future

• NVC features and capabilities having the broadest impact and delivering the most value

• Architectural and administrative qualities that are making the most difference

• Impact of server and network virtualization technologies on technology and product choices

Transcript of Best Practices for Building Scalable Visibility Architectures

Page 1: Best Practices for Building Scalable Visibility Architectures

Best Practices for Building Scalable Visibility Architectures

February 11, 2014

Jim Frey, VP of Research, Network Management, Enterprise Management Associates

Scott Register, Senior Director, Product Management, Ixia

Page 2: Best Practices for Building Scalable Visibility Architectures

Today’s Presenters

Slide 2 © 2014 Enterprise Management Associates, Inc.

Jim Frey

Vice President of Research, Network Management

Jim has over 25 years of experience in the computing industry developing, deploying, managing, and marketing software and hardware products, with the last 20 of those years spent in network and infrastructure operations and security management, straddling both enterprise and service provider sectors.

Scott Register

Senior Director, Product Management

Scott has more than 15 years of experience leading product management operations for global technology companies. Scott led product management at BreakingPoint Systems prior to its acquisition by Ixia. Other past experience includes leading product lines for Blue Coat, Permeo, and Check Point Software.

Page 3: Best Practices for Building Scalable Visibility Architectures

Logistics for Today’s Webinar

• An archived version of the event recording will be available at www.enterprisemanagement.com

• Log questions in the Q&A panel located on the lower right corner of your screen

• Questions will be addressed during the Q&A session of the event

• A PDF of the PowerPoint presentation will be available

Questions

Event recording

Event presentation

Page 4: Best Practices for Building Scalable Visibility Architectures

Agenda

• What is a Visibility Architecture?

• Definitions and Drivers

• Best Practices and Decision Points

• Topology

• Tap or SPAN?

• In-line vs Out-of-Band

• Dealing with Virtualization

• Key Features for NPBs

• Ixia Visibility Solutions

• Wrap-up and Key Takeaways

• Q&A


Page 5: Best Practices for Building Scalable Visibility Architectures

Visibility Architecture Defined

Systemic approach to establishing access to network traffic streams for packet-based monitoring and management purposes

Page 6: Best Practices for Building Scalable Visibility Architectures

Visibility Architecture Defined

Key Value

• Permanent, adaptive packet stream management infrastructure for reliable, resilient, effective network and security operations

Essential Attributes

• Scalability

• Sustainability

• Flexibility

Systemic approach to establishing access to network traffic streams for packet-based monitoring and management purposes

Page 7: Best Practices for Building Scalable Visibility Architectures

Basic Components of a Visibility Architecture


Network Infrastructure

Page 8: Best Practices for Building Scalable Visibility Architectures

Basic Components of a Visibility Architecture

Diagram labels: Network Infrastructure; Packet Analysis & Monitoring Systems (Performance Monitor, Security Monitor, Packet Recorder, Performance Monitor)

Page 9: Best Practices for Building Scalable Visibility Architectures

Basic Components of a Visibility Architecture

Diagram labels: Network Infrastructure; Tap and SPAN access points; Packet Analysis & Monitoring Systems (Performance Monitor, Security Monitor, Packet Recorder, Performance Monitor)

Page 10: Best Practices for Building Scalable Visibility Architectures

Basic Components of a Visibility Architecture

Diagram labels: Network Infrastructure; Tap and SPAN access points; Network Visibility Controller (a.k.a. Network Packet Broker); Packet Analysis & Monitoring Systems (Performance Monitor, Security Monitor, Packet Recorder, Performance Monitor); Visibility Architecture

Page 11: Best Practices for Building Scalable Visibility Architectures

NVC/NPB Defined

Heart of the Visibility Architecture

• Network devices that provide managed access to packet streams from SPAN and TAPs to network and security analysis tools

NVCs provide advanced features beyond simple “Agg Tap”

• 1:1, 1:M, M:1, and M:M connections between packet sources and packet consumers (tools)

• Filtering and manipulating packet streams to improve effectiveness and efficiency of tools

• Load balancing tools for greater resilience

Page 12: Best Practices for Building Scalable Visibility Architectures

NVC/NPB Defined

Heart of the Visibility Architecture

• Network devices that provide managed access to packet streams from SPAN and TAPs to network and security analysis tools

NVCs provide advanced features beyond simple “Agg Tap”

• 1:1, 1:M, M:1, and M:M connections between packet sources and packet consumers (tools)

• Filtering and manipulating packet streams to improve effectiveness and efficiency of tools

• Load balancing tools for greater resilience

Aliases…

• Network Monitoring Switch

• Matrix/Aggregation Switch

• Data Access Switch

• Distributed Filter Tap

Page 13: Best Practices for Building Scalable Visibility Architectures

Why a Visibility Architecture?

Network Growing Faster than the Tools!

Chart: Maximum networking link speeds within data center / core networks (100M, 1G, 10G, 40G, 100G; Current vs. Planned in 12 months)

Sept. 2013; Sample Size = 177

Page 14: Best Practices for Building Scalable Visibility Architectures

Why a Visibility Architecture?

Network Growing Faster than the Tools!

Chart: Maximum networking link speeds within data center / core networks (100M, 1G, 10G, 40G, 100G; Current vs. Planned in 12 months)

Sept. 2013; Sample Size = 177

Tools Challenged to Keep Pace!

Page 15: Best Practices for Building Scalable Visibility Architectures

Why a Visibility Architecture?

Growing Number of Tools!

Chart: Types of tools attached to NVCs/NPBs (Current vs. Planned in 12 months): Network Performance Monitor; Data Loss Prevention; Intrusion Detection / Prevention; Troubleshooting / Packet Analyzers (e.g. packet “sniffers”); Compliance Monitor; Data / Packet Recorder; Application Performance Monitor; VoIP / UC / Video Analyzer

Sept. 2013; Sample Size = 177

Page 16: Best Practices for Building Scalable Visibility Architectures

Why a Visibility Architecture?

Growing Number of Tools!

Chart: Types of tools attached to NVCs/NPBs (Current vs. Planned in 12 months): Network Performance Monitor; Data Loss Prevention; Intrusion Detection / Prevention; Troubleshooting / Packet Analyzers (e.g. packet “sniffers”); Compliance Monitor; Data / Packet Recorder; Application Performance Monitor; VoIP / UC / Video Analyzer

Sept. 2013; Sample Size = 177

Can’t accommodate using old/dedicated approach!

Page 17: Best Practices for Building Scalable Visibility Architectures

Why a Visibility Architecture?

In-Line Use Cases for Security Deployments

Security priorities: Never Higher

Threat landscape: Never More Daunting

One important answer: Active Enforcement

• Intrusion Prevention Systems (IPS)

• Data Loss Prevention (DLP)


Sept. 2013: Sample Size = 177

Page 18: Best Practices for Building Scalable Visibility Architectures

Why a Visibility Architecture?

In-Line Use Cases for Security Deployments

Security priorities: Never Higher

Threat landscape: Never More Daunting

One important answer: Active Enforcement

• Intrusion Prevention Systems (IPS)

• Data Loss Prevention (DLP)

Major concerns

• Performance of IPS, DLP

• Resilience of IPS, DLP

Potential answer

• Highly efficient, packet switching

• Advanced resilience features


Sept. 2013: Sample Size = 177

Page 19: Best Practices for Building Scalable Visibility Architectures

Who Is Ixia?

The MOST TRUSTED names in networking

Service Providers trust IXIA to:

• Improve and speed service delivery

• Speed roll out of next gen services

• Improve network and application visibility and performance

Equipment Manufacturers trust IXIA to:

• Develop next generation devices

• Speed time to market

• Improve performance and reliability

Enterprises trust IXIA to:

• Assess vendor equipment and applications

• Improve network security posture

• Improve network and application visibility and performance

Chip Fabricators trust IXIA to:

• Validate protocol conformance

• Speed time to market

Test, Security, Visibility

Page 20: Best Practices for Building Scalable Visibility Architectures

Best Practices for Visibility Architectures

Page 21: Best Practices for Building Scalable Visibility Architectures

Best Practices:

Where NVCs/NPBs Are Deployed

Chart: Where has your organization deployed Network Visibility Controllers (NVCs)? (Current vs. Planned in 12 months): Data center core network; Top of Rack; Data center Edge (ingress/egress); Campus backbone; Remote sites; DMZ; End of Row; Backhaul links; Other (Please specify)

Sept. 2013; Sample Size = 177

Page 22: Best Practices for Building Scalable Visibility Architectures

Best Practices:

Where NVCs/NPBs Are Deployed

Chart: Where has your organization deployed Network Visibility Controllers (NVCs)? (Current vs. Planned in 12 months): Data center core network; Top of Rack; Data center Edge (ingress/egress); Campus backbone; Remote sites; DMZ; End of Row; Backhaul links; Other (Please specify)

Sept. 2013; Sample Size = 177

Points of Concentration & Control

Page 23: Best Practices for Building Scalable Visibility Architectures

Poll Question

If you have network or security monitoring tools that require SPAN ports or TAP connections, do you (select one):

A. Plan to expand use of SPAN ports

B. Plan to expand use of TAPs

C. Plan to add both more SPAN ports and TAPs

D. Have no plans to add more SPAN ports or TAPs


Page 24: Best Practices for Building Scalable Visibility Architectures

Best Practices:

Mixing SPAN and TAP for Access

Chart: survey results for 2009 and 2013 (axis 0.0% to 50.0%; bar labels not recoverable)

Sample Size = 165 (Sept 2009); 177 (Sept 2013)

Page 25: Best Practices for Building Scalable Visibility Architectures

Best Practices:

Mixing SPAN and TAP for Access

Chart: survey results for 2009 and 2013 (axis 0.0% to 50.0%; bar labels not recoverable)

Sample Size = 165 (Sept 2009); 177 (Sept 2013)

Need Both, but Leaning Towards Taps

Page 26: Best Practices for Building Scalable Visibility Architectures

Data Deduplication


Necessity if using SPAN ports

Increase throughput efficiency to monitoring tools

Reduce monitoring tool overload

Improve monitoring tool processing efficiency

Eliminate duplicate packet storage


Page 27: Best Practices for Building Scalable Visibility Architectures

Best Practices:

In-Line vs. Out-of-Band deployments

Chart: Are NVCs deployed in-line anywhere within your organization's network? Response options: Yes, currently deployed in-line; No, but planning to do so; No, and no plans to do so. Values shown: 40%, 50%, 10%

Sept. 2013: Sample Size = 177

Page 28: Best Practices for Building Scalable Visibility Architectures

Best Practices:

In-Line vs. Out-of-Band deployments

Chart: Are NVCs deployed in-line anywhere within your organization's network? Response options: Yes, currently deployed in-line; No, but planning to do so; No, and no plans to do so. Values shown: 40%, 50%, 10%

Sept. 2013: Sample Size = 177

Essential: Load Balancing + Bypass Technology

Page 29: Best Practices for Building Scalable Visibility Architectures

Inline Security

Typical Inline Security Deployments

Network: Branch, Campus, Core, Data Center, Cloud

Why Inline Security?

Threat prevention, not reaction

Satisfy compliance requirements

Prevent IPR and publicity “issues”

Critical Considerations

Cannot take the network down

Cannot slow or block application traffic

Must scale with network demands

Page 30: Best Practices for Building Scalable Visibility Architectures

Best Practices:

Dealing with Virtualized Environments

Chart: Approaches using or considering for adding packet monitoring to virtualized environments: Packet analysis tools deployed on VMs for intra-host visibility; SPAN/Port Mirroring from virtual switches; Virtual taps; Header stripping for overlay encapsulations

Sept. 2013; Sample Size = 156

Page 31: Best Practices for Building Scalable Visibility Architectures

Best Practices:

Dealing with Virtualized Environments

Chart: Approaches using or considering for adding packet monitoring to virtualized environments: Packet analysis tools deployed on VMs for intra-host visibility; SPAN/Port Mirroring from virtual switches; Virtual taps; Header stripping for overlay encapsulations

Sept. 2013; Sample Size = 156

Select Techniques Based on Specific Needs

Page 32: Best Practices for Building Scalable Visibility Architectures

Virtual Visibility

Diagram labels: Virtualized Host (VMs, each with OS and App; vSwitch; Hypervisor; Kernel Module; Virtual Tap); Top of Rack Switch; Core Switch; Network Packet Brokers

Enables inter-VM, east-west traffic monitoring to eliminate the blind spots in virtualized environments

Page 33: Best Practices for Building Scalable Visibility Architectures

Best Practices:

Key NVC/NPB Features

Chart: Most important packet manipulation features (Mean by role; axis 2.00 to 2.75; 3 = Critical, 2 = Helpful, 1 = Not Important). Features listed: Load Bal across multiple tools; Inbound Filtering; Outbound Filtering; Decryption; Time stamping; Tunneling; Port labeling; Masking; De-duplication; IPv6 support; Header stripping (de-encapsulation); Media conversion (i.e. 10G to 1G); Packet slicing. Legend entry shown: Executive Staff

Sept. 2013; Sample Size = 177

Page 34: Best Practices for Building Scalable Visibility Architectures

Feature Priorities Vary by Industry Vertical

Financials

1. Inbound Filtering

2. Load Balancing

3. Outbound Filtering

4. Time Stamping

Healthcare/Pharma

1. Load Balancing

2. Inbound Filtering

3. Packet Slicing / IPv6 / Port Labeling / Outbound Filtering

Manufacturing

1. Load Balancing

2. Outbound Filtering

3. De-duplication/Tunneling

All Others

1. Load Balancing

2. Inbound Filtering

3. Decryption

4. Tunneling

Page 35: Best Practices for Building Scalable Visibility Architectures

Creating A Network Visibility Architecture

Diagram labels: Carrier Networks; Wired and Mobile; Data Center; Private Cloud; Virtualization; Core; Remote Office; Branch Office; Campus; Network Operations; Performance Management; Security Admin; Server Admin; Audit & Privacy; Forensics; Visibility Architecture; App Aware; Out of Band NPB; Network Taps; Element Mgmt; Virtual & Cloud Access; Policy Mgmt; Inline NPB; Inline Bypass; Session Aware; Data Center Automation; Network Access; Packet Brokers; Applications Management

Page 36: Best Practices for Building Scalable Visibility Architectures

EMA: Key Takeaways on Visibility Architectures

1. Visibility Architectures provide both tactical and strategic advantages to security and operations

2. Deploy in the core first; expand to edge and remote sites over time

3. Top, most-valued NVC/NPB features are Load Balancing and Inbound/Outbound filtering, though other features may also be important based on vertical sector

4. Focus on scalability, flexibility, manageability, completeness when seeking solutions

Page 37: Best Practices for Building Scalable Visibility Architectures

Question & Answer:

Please log questions in the Q&A Panel

Jim Frey

[email protected]

@jfrey80

Scott Register

[email protected]

@swregister

Download this FREE White Paper from the follow-up email you receive from EMA!

Or go to the Ixiacom.com home page and click on the EMA webinar banner.