VSS Network Packet Brokers for Dummies

These materials are the copyright of John Wiley & Sons, Inc. and any
dissemination, distribution, or unauthorized use is strictly prohibited.
Network Packet Brokers For Dummies®
VSS Monitoring Special Edition
by Steve Piper, CISSP
Network Packet Brokers For Dummies®, VSS Monitoring Special Edition
Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2012 by John Wiley & Sons, Inc., Hoboken, New Jersey
Published by John Wiley & Sons, Inc., Hoboken, New Jersey
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108
of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher
for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken,
NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, the Wiley logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The
Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered
trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be
used without written permission. VSS Monitoring and the VSS Monitoring logo are trademarks or registered
trademarks of VSS Monitoring, Inc. All other trademarks are the property of their respective owners. John Wiley &
Sons, Inc., is not associated with any product or vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS
WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF
FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR
EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED
IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE
IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE
PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN
ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE
OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER,
READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR
DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
For general information on our other products and services, please contact our Business Development Department
in the U.S. at 317-572-3205. For details on how to create a custom book for your business or organization, contact
[email protected]. For information about licensing the brand for products or services, contact
BrandedRights&[email protected].
ISBN 978-1-118-42404-9 (pbk); ISBN 978-1-118-42454-4 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
Publisher’s Acknowledgments
We’re proud of this book and of the people who worked on it. For details on how to
create a custom book for your business or organization, contact info@dummies.biz.
For details on licensing the brand for products or services, contact
BrandedRights&[email protected].
Some of the people who helped bring this book to market include the following:
Acquisitions, Editorial, and
Vertical Websites
Development Editor: Kathy Simpson
Project Editor: Jennifer Bingham
Editorial Manager: Rev Mengle
Business Development Representative:
Kimberley Schumacker
Custom Publishing Project Specialist:
Michael Sullivan
Production
Senior Project Coordinator: Kristie Rees
Layout and Graphics: Carl Byers
Proofreader: Dwight Ramsey
Special Help from VSS Monitoring:
Gina Fallon, Andy Huckridge,
Tony Zirnoon, Cris Dalesio,
Rob Markovich
Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Director, Acquisitions
Mary C. Corder, Editorial Director
Publishing and Editorial for Consumer Dummies
Kathleen Nebenhaus, Vice President and Executive Publisher
Composition Services
Debbie Stailey, Director of Composition Services
Business Development
Lisa Coleman, Director, New Market and Brand Development
Table of Contents
Introduction
    How This Book Is Organized
    Icons Used in This Book
Chapter 1: Starting with the Basics
    What You Need to Know about Networks
        Switch SPAN ports
        Popular network interfaces
        Common network tools
    Key Challenges for Distributed Networks
        Lack of tool access points
        Limited network visibility
        Tools that can’t keep up
        Spiraling costs
    Potential Solutions
Chapter 2: Understanding TAPs
    What Is a TAP?
    Understanding Types of TAPs
        Network TAPs
        Aggregation TAPs
        Regeneration TAPs
    Deploying TAPs
        Inline (or active) versus passive
        Fail open versus fail closed
    Common TAP Use Cases
    TAPs versus Bypass Switches
Chapter 3: Understanding Network Packet Brokers
    What Is a Network Packet Broker?
        TAPs versus NPBs
        Network intelligence optimization
        Centralized administration
    Key NPB Capabilities
        Fault tolerance
        Traffic grooming
        Packet optimization
    Common NPB Interconnection Designs
        Daisy chaining
        Star or hub-and-spoke
        Mesh system
Chapter 4: Use Cases for Network Security
    Common Network Security Tools
        Passive security tools
        Active security tools
    Typical Network Security Deployment Challenges
        Extending current investment in 1G security tools
        Safely deploying multiple active security tools in series
        Gaining complete network visibility
        Supporting active–passive network configurations
Chapter 5: Use Cases for Network Performance
    Common Network Performance Tools
        Passive performance tools
        Active performance tools
    Typical Network Performance Deployment Challenges
        Deploying active WAN acceleration tools
        Extending current investment in 1G performance tools
        Gaining complete network visibility
        Optimizing tool throughput for efficiency and scale
Chapter 6: Use Cases for Service Providers
    Types of Service Providers
        Mobile network operators (MNOs)
        Fixed network operators (FNOs)
        Multiple-system operators (MSOs)
        Other service providers
    Common Service Provider Traffic Types
        OTT and operator-based video services
        IP telephony
    Common Service Provider Use Cases
        4G greenfield deployments
        3G ATM-to-IP conversion
        Fixed-line TDM-to-IP conversion
        Lawful interception / CALEA
        SLA monitoring
Chapter 7: Selecting the Right NPB Vendor
    Step 1: Catalog Bandwidth and Connectivity Requirements
        Network bandwidth
        Network connectivity
    Step 2: Document Your NPB Feature Requirements
        Administration
        Fault tolerance
        Traffic grooming
        Packet optimization
        NPB interconnection requirements
        Future requirements
    Step 3: Evaluate Potential NPB Vendors
    Step 4: Select a Vendor
Chapter 8: Ten Ways to Lower Your Network’s TCO
    Prevent Tool Oversubscription
    Alleviate SPAN-Port Contention
    Solve Your Media-Conversion Challenges
    Expand the Network Visibility of Your Existing Tools
    Maximize Network Uptime through Fault Tolerance
    Increase System Reliability with a Mesh Design
    Centralize Network and Security Operations
    Extend the Life of Your Existing Tools
    Increase Tool Selection Flexibility
    Plan for Future Growth
Introduction
Network security and performance tools undertake critical
functions to keep your organization’s networks safe and
performing optimally. They’re the central nervous system of
today’s IP networks, but they’re often oversubscribed and/or
lack network visibility.
Network packet brokers (NPBs) enable your tools to perform
optimally while providing unprecedented network visibility.
Unlike their TAP predecessors, NPBs are sophisticated,
high-end devices that provide traffic regeneration, aggregation,
load balancing, packet de-duplication, and much, much more.
If you’re tasked with deploying network security and/or
performance tools on your organization’s complex, distributed
network, then this book is for you.
How This Book Is Organized
This book is organized so that you don’t have to read it cover-to-cover, front to back. You can skip around and read just the chapters that are of interest.
✓ In Chapter 1, Starting with the Basics, I cover computer network-related topics that are essential to understanding how NPBs work, including switch SPAN ports, popular copper and fiber network interfaces, common network security and performance tools, and key challenges for distributed networks. If any of these topics are foreign to you, then you should definitely start here.
✓ Before there were NPBs, there were TAPs. In Chapter 2, Understanding TAPs, I define what a TAP is and then contrast the three basic types of TAPs: network, aggregation, and regeneration. I then describe ways in which TAPs are deployed and discuss common TAP use cases. And finally, I end the chapter by contrasting TAPs with bypass switches.
✓ In Chapter 3, Understanding Network Packet Brokers, I get to the heart of the matter by defining NPBs, contrasting them with basic TAPs, describing the benefits of a network intelligence layer, and exploring key capabilities of today’s leading NPBs.
✓ Chapter 4, Use Cases for Network Security, depicts the most common passive and active network security tools that organizations deploy using NPBs. Here I describe typical network security tool deployment challenges and how NPBs can be used to overcome them.
✓ In Chapter 5, Use Cases for Network Performance, I describe passive and active network performance tools commonly deployed using NPBs. I then discuss typical challenges organizations face when deploying them and how to overcome these challenges using NPBs.
✓ In Chapter 6, Use Cases for Service Providers, I describe different ways service providers can benefit from deploying NPBs to support 3G, 4G, and IP telephony infrastructures.
✓ In Chapter 7, Selecting the Right NPB Vendor, I outline a four-step process you can follow to select an NPB vendor. I also provide a comprehensive checklist you can use to document your NPB requirements.
✓ Chapter 8, Ten Ways to Lower Your Network’s TCO, describes how NPBs can dramatically reduce your capital and operating expenses by interfacing with your mission-critical network security and performance tools.
Icons Used in This Book
This book uses the following icons to indicate special content.
You won’t want to forget the information in these paragraphs.
These paragraphs provide practical advice that will help you
craft a better strategy, whether you’re planning a purchase or
setting up your software.
Look out! When you see this icon, it’s time to pay attention —
you’ll find important cautionary information you won’t want
to miss.
Maybe you’re one of those highly detailed people and really
need to grasp all the nuts and bolts, even the most techie
parts. If so, these tidbits are right up your alley.
Chapter 1
Starting with the Basics
In This Chapter
▶Getting grounded in network infrastructure
▶Appreciating key challenges with today’s distributed networks
▶Recognizing potential solutions
Today, computer networks are at the core of modern communication. All aspects of telecommunications infrastructure are computer-controlled, and telephony increasingly
runs over Internet Protocol (IP). Cloud computing, Software
as a Service (SaaS), Voice over IP (VoIP), virtualization, smartphones, and tablet computers are among the latest trends
facing IT organizations. These technology advancements yield
significant business benefits, but also introduce network security and performance risks.
Before you delve into the primary subject of network packet
brokers (and TAPs, which I define in Chapter 2), this chapter
level-sets your knowledge of network infrastructure components and reviews some of the most basic challenges to
modern distributed networks.
What You Need to Know about Networks
Because you’re reading a book on the granular topic of network packet brokers, I’m going to assume that you’re generally knowledgeable about the fundamentals of computer
networks, including firewalls, routers, and switches. In this
section, though, I give you some background on a few concepts that appear frequently throughout this book.
Switch SPAN ports
Modern switches typically come equipped with one or more
interfaces (ports), commonly known as SPAN (Switched Port
Analyzer) ports or port mirroring interfaces. SPAN ports copy
and aggregate network traffic flowing through all of a switch’s
networking interfaces and export that traffic to security and/
or performance monitoring tools for analysis.
Popular network interfaces
Network infrastructure, like switches and routers, must support not only the speed of a given network, but also its connectivity. The following sections describe some common
network interfaces used in today’s network infrastructure.
10/100 and 10/100/1000 copper
Copper network interfaces represent the lowest common
denominator of networks, supporting Ethernet speeds of
10Mbps, 100Mbps, and 1Gbps (also known as Gigabit Ethernet
or GigE). Each network cable (typically, a category 5 cable
featuring four copper-wire pairs) comes equipped with plastic
RJ-45 couplers.
1G fiber
Fiber-optic cabling has become the de facto standard backbone of high-speed networks. 1G fiber is common in small to
medium-size businesses and in branch offices of large enterprises. Figure 1-1 depicts a typical 1G fiber connector.
Figure 1-1: 1G fiber cable connector.
10G fiber
10G fiber supports the 10Gbps Ethernet standard and has rapidly become the standard for high-speed networking. 10G fiber
is commonly available in SR (short-range multimode fiber)
and LR (long-range single-mode fiber) options, and the cables
often come with SC (see Figure 1-2) or LC connectors.
Figure 1-2: 10G SR fiber with SC cable connectors.
XFP fiber
XFP is a standard for transceivers in high-speed computer networks that use optical fiber. XFP modules are hot-swappable
and support 10G Ethernet, 10G Fibre Channel, synchronous
optical networking (SONET), and other interfaces. XFP modules often use an LC fiber connector type (see Figure 1-3) to
achieve high density.
Figure 1-3: 10G XFP transceiver.
SFP/SFP+ fiber
SFP is a compact, hot-pluggable transceiver supporting speeds
up to 4.25Gbps, typically used for Fast Ethernet or Gigabit
Ethernet applications. SFP+ (see Figure 1-4) is an enhanced
version of SFP that supports speeds of 1Gbps or 10Gbps.
SFP+ is smaller than XFP, enabling greater port density.
Figure 1-4: 10G SFP+ transceiver.
Common network tools
New network security and performance tools have flooded
into the market over the past decade. Following are the tools
most commonly used in distributed networks today.
See Chapter 2 for an explanation of active and passive tools.
Chapter 4 provides a review of common network security
tools, while Chapter 5 does the same for performance tools.
Passive network security tools
✓ Intrusion detection systems (IDS)
✓ Network forensics
✓ Network behavior analysis (NBA)
Active network security tools
✓ Intrusion prevention system (IPS)
✓ Next-generation firewalls (NGFW)
✓ Advanced malware protection
✓ Secure web gateways (SWG)
✓ Data loss prevention (DLP)
✓ Distributed denial of service (DDoS) prevention
Passive network performance tools
✓ Network performance monitoring (NPM)
✓ Application performance monitoring (APM)
✓ Unified communications monitoring
✓ Network behavior analysis (NBA)
Active network performance tools
✓ Traffic shaping
✓ WAN optimization controllers (WOC)
✓ Web caching
✓ Application acceleration
Key Challenges for Distributed Networks
Now that you’re familiar with common network interfaces and
the tools that plug into them, you’re ready to explore some of
the key challenges that plague today’s distributed networks.
Lack of tool access points
Modern network switches typically come equipped with one
or two SPAN ports. The problem is that several tools typically
need to plug into every SPAN port. This dilemma is commonly
referred to as SPAN-port contention.
Limited network visibility
Every network performance and security tool comes
equipped with a fixed number of copper and/or fiber interfaces. Although major advancements have occurred in both
port density and processing power over the years, it doesn’t
take long to max out the interfaces on a given tool. As a result,
the tool has limited network visibility, and IT may be forced to
invest in additional (often very expensive) tool appliances.
Tools that can’t keep up
Mainstream adoption of 10G fiber has rendered many existing
1G network security and performance tools obsolete — not
just because of increased bandwidth requirements, but also
because of physically different 1G/10G/40G copper or fiber
interfaces. The IT staff is forced to replace perfectly good,
functional tools before the end of their useful lives. In other
cases, newly acquired tools meet your connectivity needs but
not your throughput requirements due to inadequate processing power.
Spiraling costs
All three of the aforementioned challenges are causing capital
and operating expenses to spin out of control, because they
require companies to purchase additional high-cost tools and
hire additional IT personnel to manage them.
Potential Solutions
To solve these challenges, IT departments need intelligent,
cost-effective solutions that do all of the following:
✓ Extend the life of existing performance and security tools
✓ Eliminate SPAN-port contention
✓ Expand network visibility and tool availability
✓ Enable 1G tools to interface with 10G networks, and vice versa
I explore such solutions in the next two chapters, starting
with basic TAPs in Chapter 2 and moving on to feature-rich
network packet broker systems in Chapter 3.
Chapter 2
Understanding TAPs
In This Chapter
▶Getting acquainted with TAPs
▶Exploring common TAP use cases
▶Contrasting TAPs with bypass switches
Before there were network packet brokers (NPBs), there
were TAPs. In fact, until market research firm Gartner
coined the term network packet broker in 2012, the industry
collectively referred to these sophisticated devices as TAPs,
or sometimes intelligent or smart TAPs. (Many people in
the industry still do.) So because TAPs preceded NPBs, and
because TAP functionality is a subset of NPB functionality, it’s
only fitting to talk about TAPs first, as I do in this chapter.
First, though, a definition.
What Is a TAP?
A TAP is a hardware device that provides a way to access
the data flowing across a computer network, typically for the
benefit of network security and performance monitoring tools.
The monitored traffic is referred to as the pass-through traffic,
and the ports used for monitoring are called monitor ports.
Although some people have attempted to convert TAP to an
acronym, it isn’t one. A TAP is analogous to a phone tap. Also,
though the term is sometimes spelled tap, it more frequently
appears as TAP, so I follow that convention in this book.
Figure 2-1 illustrates the flow of traffic through a TAP. Here,
traffic flows in both directions between network ports A
and B, while traffic received on network port A is copied to
monitoring port A and traffic received on network port B is
copied to monitoring port B.
Figure 2-1: TAP conceptual diagram.
TAPs are offered in many form factors with varying port
counts and media configurations. Figure 2-2 depicts a selection
of TAPs from VSS Monitoring.
Figure 2-2: Sample TAPs.
Understanding Types of TAPs
There are three basic types of TAPs: network, aggregation,
and regeneration. Each type performs the basic function of
directing copied network traffic to monitoring tools, but the
types differ in their ratios of network ports to monitoring
ports, as follows:
✓ Network: One-to-one (1:1) relationship
✓ Aggregation: Many-to-one (M:1) relationship
✓ Regeneration: One-to-many (1:M) relationship
In the following sections, I explore these three types in detail.
Network TAPs
Network TAPs are the most basic TAP devices. All network
ports (sometimes labeled A and B) have equivalent monitoring
ports (also labeled A and B) — that is, they have a 1:1 ratio of
network to monitoring ports (as illustrated in Figure 2-1).
Figure 2-3 depicts a basic four-port copper network TAP.
Network TAPs are used to tap into network segments to route
copied traffic either to a single passive monitoring tool or,
more often, to a high-density network packet broker that
services multiple (often several) monitoring tools.
Figure 2-3: A four-port copper network TAP.
Aggregation TAPs
Aggregation TAPs are similar to network TAPs, but instead of
maintaining a 1:1 ratio of network ports to monitor ports, they
support an M:1 (many-to-one) ratio, meaning that a single tool
can inspect traffic from multiple network segments.
Figure 2-4 displays a basic five-port copper aggregation TAP
that’s capable of aggregating traffic from two inline network
segments or four SPAN ports for analysis by a single passive
monitoring tool. (For details on inline deployment, see
“Deploying TAPs,” later in this chapter.) High-density
aggregation TAPs can accommodate many more network
inputs and tools.
Figure 2-4: A five-port copper aggregation TAP.
At the end of Chapter 1, I discuss the challenge of working
with monitoring tools that have limited network visibility.
Aggregation TAPs can help you solve that challenge by
enabling a single monitoring tool to inspect traffic from many
network segments.
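The flip side of feeding many segments to one tool is that the tool's interface has to carry all of them at once. The following is an added example (Python), not code from the book or from VSS Monitoring: it models the arithmetic behind an aggregation TAP fed by tapped full-duplex links (both directions are copied, as in Figure 2-1) or by switch SPAN ports (which can mirror no more than their own speed), and sums the inputs against one tool interface to show whether the tool is oversubscribed, which is also the "limited network visibility" and tool-oversubscription problem from Chapter 1. Link names and utilisation figures are constructed sample values.

```python
"""Capacity check for aggregating several monitored inputs into one tool port.

Added example; not part of the book. Every full-duplex link carries traffic in
two directions, so a network TAP on a 1G link can hand a tool up to 2 Gbps, and
merging several inputs into one monitor port can exceed what that port (and the
tool behind it) accepts. All utilisation figures are constructed samples.
"""
from dataclasses import dataclass


@dataclass
class TappedLink:
    """A full-duplex link monitored by a network TAP (Figure 2-1 style).

    Peak utilisation is given per direction as a fraction of link speed.
    The TAP copies both directions, so the copied volume is their sum.
    """
    name: str
    speed_gbps: float
    peak_a_to_b: float   # fraction of speed_gbps, 0.0 to 1.0
    peak_b_to_a: float   # fraction of speed_gbps, 0.0 to 1.0

    def copied_gbps(self) -> float:
        return self.speed_gbps * (self.peak_a_to_b + self.peak_b_to_a)


@dataclass
class SpanPort:
    """A switch SPAN (port-mirror) interface used as an aggregation input.

    A SPAN port mirrors both directions of its source ports onto a single
    egress interface, so the mirrored volume is capped by the SPAN port's
    own speed; the excess is dropped by the switch before it reaches the TAP.
    """
    name: str
    span_speed_gbps: float
    mirrored_gbps: float   # peak both-direction volume of the mirrored ports

    def copied_gbps(self) -> float:
        return min(self.mirrored_gbps, self.span_speed_gbps)

    def dropped_at_switch_gbps(self) -> float:
        return max(0.0, self.mirrored_gbps - self.span_speed_gbps)


def plan_aggregation(inputs, tool_port_gbps: float) -> dict:
    """Sum the copied traffic of all inputs against one tool interface.

    Returns the offered load, the oversubscription ratio (offered/capacity)
    and the share of packets the tool port would have to drop at peak if the
    TAP simply forwards everything it receives.
    """
    offered = sum(i.copied_gbps() for i in inputs)
    ratio = offered / tool_port_gbps
    drop_share = max(0.0, 1.0 - tool_port_gbps / offered) if offered else 0.0
    return {
        "offered_gbps": round(offered, 3),
        "tool_port_gbps": tool_port_gbps,
        "oversubscription_ratio": round(ratio, 3),
        "oversubscribed": offered > tool_port_gbps,
        "peak_drop_share": round(drop_share, 3),
    }


def sample_plan() -> dict:
    """Two tapped 1G segments feeding one 1G tool, as the Figure 2-4 TAP allows.

    Even with every direction below 60% utilisation, the tool sees 1.8 Gbps.
    """
    segments = [  # constructed values
        TappedLink("core-uplink", 1.0, peak_a_to_b=0.60, peak_b_to_a=0.35),
        TappedLink("dmz-link", 1.0, peak_a_to_b=0.45, peak_b_to_a=0.40),
    ]
    return plan_aggregation(segments, tool_port_gbps=1.0)


def sample_span_plan() -> dict:
    """Four lightly loaded 1G SPAN ports into one 1G tool: fits with headroom."""
    spans = [SpanPort(f"access-{n}", 1.0, mirrored_gbps=0.2) for n in range(4)]
    return plan_aggregation(spans, tool_port_gbps=1.0)


if __name__ == "__main__":
    print(sample_plan())
    print(sample_span_plan())
```

The same check applies to a regeneration TAP in reverse: each monitor output carries the full copied volume of the one segment, so every tool on it needs an interface at least as fast as that segment's two directions combined.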
Regeneration TAPs
A regeneration TAP is basically the opposite of an aggregation
TAP, in that it maintains a 1:M (one-to-many) ratio of network
to monitoring ports. Instead of directing copied traffic from
multiple network segments to a single monitoring tool, a
regeneration TAP replicates traffic from one network segment
to many monitoring tools. Traffic from a single network
segment can be inspected by an intrusion detection system
(see the next section), recorded by a network forensics probe,
and reviewed by a compliance audit scanning probe, all at the
same time.
Figure 2-5 displays a 20-port 1G fiber regeneration TAP that’s
capable of redirecting copied traffic from one (inline) network
segment to up to 12 monitoring tools.
Figure 2-5: A 20-port 1G fiber regeneration TAP.
Deploying TAPs
TAPs can be deployed in a variety of ways to support your
network security and performance monitoring tools, as I
discuss in this section.
Inline (or active) versus passive
Some security and performance tools are deployed inline,
meaning that traffic actively flows into and out of the device
so that it can actually alter (or block) the traffic. A classic
example of an active security tool is an intrusion prevention
system (IPS). In this system, traffic flows continuously into
and out of the IPS, whereas bad traffic (such as malware and
exploits) is blocked.
Other tools are passive, meaning that they monitor traffic
without actually altering it, triggering alerts based on
predefined search criteria. An example of a passive security
tool is an intrusion detection system (IDS). Traffic is copied by
the TAP and sent to the IDS for analysis, as shown in Figure
2-1 earlier in this chapter, but that traffic terminates at the IDS
and doesn’t proceed onward.
Network TAPs can be deployed inline or passively (with
switch SPAN ports as input; refer to Chapter 1), but they
support only passive monitoring tools. Thus, a TAP can
support passive IDS but not active IPS. To support active
tools, you need an NPB, which I cover in detail in Chapter 3,
or a simpler bypass switch, which I cover at the end of this
chapter.
Fail open versus fail closed
All network TAPs (and NPBs) are designed to fail open in the
event that the device loses power (see Figure 2-6): network
ports A and B continue to pass traffic almost as though a
contiguous network cable were routed right through the box.
A delay of a few milliseconds occurs when copper TAPs fail
open; fiber TAPs incorporate fiber optic splitters, so the
term fail open doesn’t really apply.
Figure 2-6: TAP triggers a fail-open state. Traffic continues to flow.
Although TAPs support only fail-open configurations, NPBs
also support fail-closed configurations. When configured as
fail-closed (see Figure 2-7), if an NPB loses power, the network
connection is effectively broken, potentially affecting dozens
or even hundreds of nodes. Fail-closed configurations are
often associated with perimeter firewalls and devices
connected to highly sensitive government networks.
Figure 2-7: NPB triggers a fail-closed state. Traffic ceases.
The terms fail open and fail closed have opposite definitions
within the realm of electrical engineering. When you’re
speaking with IT colleagues, don’t assume that these terms
have the same meaning to them.
Be sure to weigh the pros and cons of fail-open and fail-closed
conditions with your team to minimize the potential for
unwanted consequences.
Common TAP Use Cases
This section explores how TAPs are commonly used in the
context of network security and performance monitoring.
As you may recall from earlier in this chapter, basic TAPs
support only passive monitoring tools, such as IDSs and
network probes. Thus, the following TAP use cases apply to
passive monitoring tools only:
✓ Creating access points: A monitoring tool can’t inspect
what it can’t see. As available SPAN ports may be
limited on network switches, network engineers often
turn to TAPs to create access points for their security
and performance tools. A TAP is strategically placed in
the network where maximum network visibility can be
achieved, often between a router and a switch. Tools can
be plugged into and removed from the TAP’s monitoring
ports without affecting the network adversely.
✓ Expanding network visibility: Although a TAP can
provide network visibility to a given monitoring tool,
an aggregation TAP can provide even greater network
visibility by aggregating traffic from several network
segments and forwarding it to a single monitoring (port)
tool, thus vastly improving that tool’s view of the network.
This type of TAP is especially useful when the number of
network segments to be monitored exceeds the number
of ports on the monitoring tool.
When you’re aggregating traffic from multiple network
segments to a single monitoring tool, be careful not to
exceed the processing capacity of that tool. If you have
a 4Gbps IDS, for example, aggregating traffic from ten
network segments may result in 10Gbps of traffic,
exceeding the capacity of the IDS.
✓ Replicating traffic to multiple tools: Your organization
may want to deploy multiple tools to monitor a single
(critical) network segment. A regeneration TAP can help
by replicating traffic from one network segment to an
IDS, network forensics probe, and an application analysis
probe — all from one device.
A TAP is designed to either aggregate traffic or replicate
(regenerate) traffic — not both. You need an NPB if you wish
to perform both functions using the same device, as I discuss
in the next chapter.
TAPs versus Bypass Switches
As I discuss earlier in this chapter, TAPs are designed to
serve passive monitoring tools only. Two types of alternative
devices can serve the needs of active (inline) network security
and performance tools: bypass switches and NPBs.
A bypass switch is a hardware device that provides a fail-safe
access port for an inline monitoring tool, such as an IPS,
firewall, wide-area network (WAN) optimization controller,
or unified threat management (UTM) appliance. The bypass
switch’s sole purpose is to maintain the flow of network
traffic in the event that the attached active tool is no
longer functional for any reason (such as power loss or software
failure) and can’t continue to process or pass traffic.
An NPB can also redirect traffic in the event that a connected
active tool ceases to function, and it offers a far richer feature
set to boot — which is a nice segue to the next chapter.
Chapter 3
Understanding Network Packet Brokers
In This Chapter
▶ Comparing NPBs with TAPs
▶ Exploring NPB capabilities
▶ Contrasting three types of NPB interconnection designs
Gartner first coined the term network packet broker in
2012. Before then, the industry collectively referred to
these very sophisticated devices as TAPs, or sometimes as
Intelligent or Smart TAPs. I agree that such a sophisticated
category of network devices deserves a more-impressive
name — so much, in fact, that I decided to write this book!
This chapter introduces you to the features and capabilities
of network packet brokers — starting with a definition.
What Is a Network Packet Broker?
A network packet broker (NPB) is a network device (typically,
a rack-mount appliance) with copper and/or fiber interfaces
that directs network traffic from switch SPAN ports (passive
configuration) and/or between two connected routers and/
or switches (inline configuration) and then manipulates that
traffic to allow the more efficient use of network security and
performance tools, both inline and passive. (For a refresher
on inline and passive configurations, see Chapter 2.)
Every NPB must provide many-to-many port mapping of
network ports to monitoring ports and must provide the
following basic features (which I describe in detail later in this
chapter):
✓ A configuration interface, such as a graphical user
interface (GUI) or command-line interface (CLI)
Leading NPB providers generally offer a web-based
interface that allows you to centrally configure and
monitor NPB devices via a web browser. HTTPS (HTTP
with SSL encryption) is often used between the web
browser and the NPBs that it configures.
✓ Packet filtering, slicing, and de-duplication
✓ Traffic aggregation, regeneration, and load balancing
✓ Time-stamping
NPB market leaders provide numerous additional capabilities,
such as deep packet inspection, port-stamping, conditional
packet slicing/masking, and high data-burst buffering. These
capabilities are described in detail later in this chapter.
Figure 3-1 depicts a 24-port NPB appliance. Each SFP port can
be configured as a network port or monitoring port.
Figure 3-1: Sample NPB appliance.
TAPs versus NPBs
If a TAP were an airplane, it would be a Cessna. If an NPB
were an airplane, it would be a Boeing 747. Both single-engine
aircraft and jumbo jets get you from point A to point B, but
their capabilities, their costs, and even their use cases differ
greatly (to say the least).
This analogy, although extreme, helps distinguish a TAP from
an NPB. Each type of device takes traffic in and redirects (or
copies) that traffic out its monitoring ports, but NPBs are
far more sophisticated (and more expensive) than common,
everyday TAPs.
Table 3-1 compares the capabilities of TAPs and NPBs.
Chapter 2 covers TAPs; for detailed information on NPB
features, see “Key NPB Capabilities,” later in this chapter.
Table 3-1                 TAP and NPB Capabilities

Key Capabilities                        TAPs    NPBs
Supports passive monitoring tools        ✓       ✓
Full traffic aggregation                 ✓       ✓
Traffic regeneration                     ✓       ✓
Supports inline monitoring tools                 ✓
Centralized administration                       ✓
Power-loss traffic-flow policies                 ✓
Link state mirroring                             ✓
Reboot accelerated failover                      ✓
Health-check packets                             ✓
Selected traffic aggregation                     ✓
Hardware-based packet filtering                  ✓
Session-aware load balancing                     ✓
High data-burst buffering                        ✓
Deep packet inspection                           ✓
Packet ordering                                  ✓
Time- and port-stamping                          ✓
Packet de-duplication                            ✓
Packet fragment reassembly                       ✓
Conditional packet slicing/masking               ✓
Protocol stripping                               ✓
From this point forward, I focus mainly on NPBs rather than
TAPs. Although an NPB can do everything that a TAP can do,
an NPB may be overkill for some applications, making a
basic TAP far more cost-effective. (See Chapter 2 for common
network TAP use cases.)
Network intelligence optimization
As enterprise IT migrates to new technologies ranging from
virtualization to cloud computing, the focus increases on
making networks faster, more efficient, and more nimble.
NPBs add what leading vendors call a network intelligence
optimization layer. This layer resides between the network
intelligence tools layer (containing network security and
performance tools) and the network/cloud switching layer
(containing routers and switches), as shown in Figure 3-2.
Figure 3-2: Network intelligence optimization layer.
NPBs in the network optimization layer provide critical
mediation functions between security and performance tools
and the underlying network infrastructure to make these tools
more efficient and effective, and to extend their useful life.
Centralized administration
As I mention in “What Is a Network Packet Broker?” earlier
in this chapter, an NPB should offer a GUI or CLI to perform
basic device configuration. Leading NPB vendors also provide
the ability to centrally administer a system of NPBs from one
unified (usually web-based) management console. This setup
makes it easier to monitor, manage, and report on your
NPBs — individually and/or in hierarchical groups — across
the entire organization.
Key NPB Capabilities
Table 3-1, earlier in this chapter, lists the key capabilities of
leading NPBs. This section describes those not-yet-discussed
capabilities in detail.
Don’t assume that all network packet brokers are created
equal. Capabilities vary by manufacturer and also by model.
Certain classes of NPBs may be specifically designed to
support one or more active tools; others may be designed to
support dozens of passive tools. It’s important to select your
NPB vendor carefully (see Chapter 7) and to work with your
chosen vendor to design the network intelligence optimization
solution that’s right for you.
Fault tolerance
Fault-tolerance capabilities help minimize unwanted network
downtime in the event of power loss or a malfunction of the
NPB and/or the devices connected to it.
Power-loss packet-flow policies
In Chapter 2, I mention that TAPs are configured to fail open
only when they’re deployed inline. Some NPB models are
different, however, in that the user can determine — through
policy settings — whether the NPB device should fail open
or fail closed, depending on the desired outcome after power
loss.
Link state mirroring
In the event that an NPB passes traffic between a router and
a switch, and the connection to the router goes down, the
switch may never know; it’s connected to the NPB, not the
router. In this case, the switch would continue to attempt to
pass traffic back to the router (through the NPB) without
success — a situation commonly known as asymmetric routing.
Better NPB devices can prevent this problem through link
state mirroring, in which the NPB mirrors (emulates) the state
of the down interface to the up interface of an interface set.
In the preceding example, the switch would recognize that
the connection to the NPB was down and then reroute traffic
through a redundant path.
Reboot accelerated failover (1G copper only)
As I mention in Chapter 2, inline NPB devices are commonly
configured to fail open in the event of a power loss, thereby
maintaining network connectivity. In fiber and 10/100 copper
NPBs, network connectivity is maintained constantly,
regardless of the power state of the NPB. The 1G copper NPBs
are unique, however, in that they leverage a magnetic relay to
physically connect the inline interfaces of a network interface
set during power loss.
As power is restored to a 1G copper NPB, the magnetic
(fail-open) relay lifts; then each network interface must
negotiate speed, duplex, MDI/MDIX, and time variables with
the router or switch to which it’s connected. This rebooting
process can be long enough to cause the router or switch to
see a down state and potentially initiate a spanning tree
protocol, which could lengthen network downtime from
200 milliseconds to a full 3 seconds, thereby adversely affecting
the applications communicating over the network.
Leading NPB vendors have responded to this 1G copper
dilemma by implementing technology that accelerates the
rebooting of 1G copper NPBs. This technology reduces
network interruption time between the NPB and its connected
switches and routers to just 30 to 60 milliseconds, which
prevents connected routers and switches from triggering a
spanning tree protocol.
Health-check packets
Leading vendors enable NPBs to know not only when connected
tools are accepting packets, but also when they’re actively
doing the job that they’re intended to do, such as inspecting
and blocking traffic in the case of an intrusion prevention
system (IPS; see Chapter 2). To accomplish this task, the NPB
can periodically send out positive and/or negative health-check
packets that are custom-configured for each tool.
Health-check packets designed to be “allowed” to pass the
active tool’s security check verify the state of the tool’s
hardware, ensuring that it’s powered and linked. Health-check
packets designed to be “blocked” by the tool verify the tool’s
software state, ensuring that an IPS, for example, is blocking
bad packets and protecting the live network.
Traffic grooming
Traffic grooming capabilities ensure that the NPB routes only
relevant traffic to connected tools, thereby facilitating the
reliability, efficiency, and effectiveness of each tool.
Traffic regeneration
In Chapter 2, I discuss regeneration TAPs, which allow traffic
from one network segment to be regenerated (or copied) to
one or more monitoring ports. NPBs offer the same capability.
TAPs have pre-assigned (fixed) network and monitoring ports,
which can’t be changed. Better NPBs, however, have ports
that can be configured as either network or monitoring ports,
thereby offering maximum device flexibility.
Selective aggregation
Traffic aggregation pertains to aggregation TAPs (see Chapter 2),
which route traffic from all network ports to attached
monitoring tools. Selective aggregation (see Figure 3-3) takes
this capability one step further by enabling the user to direct
traffic from specific network ports to specific monitoring
ports, or to direct traffic from any single network port to
multiple monitoring ports. This setup is almost like squeezing
several aggregation TAPs into one NPB device.
Hardware-based packet filtering
Today’s NPBs feature purpose-built hardware that can filter
packets based on user-defined criteria. A negative filter drops
unwanted packets, whereas a positive filter extracts only
desired packets.
Most NPBs can filter packets based on the following criteria:
✓ MAC address (source, destination)
✓ IP address (source, destination, range)
✓ UDP, TCP, and ICMP (port, range)
✓ VLAN, QoS, and IP service type
✓ Even and odd ports for RTP and RTCP
✓ Custom 127-byte filter offset for tunneled applications
Figure 3-3: Performing selective aggregation.
Hardware-based packet filtering can be performed at line-rate
speeds up to 10Gbps. It helps minimize oversubscription of
monitoring tools by eliminating traffic that the tool was never
designed (or intended) to inspect.
Session-aware load balancing
Session-aware load balancing enables traffic from one or
more network ports to be evenly distributed to two or more
monitoring ports (see Figure 3-4), while all packets from a
unique TCP session are routed through the same monitoring
port to the same monitoring tool, ensuring the effectiveness
of traffic inspection.
Figure 3-4: Session-aware load balancing, illustrated.
Load balancing prevents tool oversubscription and adds
a layer of fault tolerance to tool deployments. If the NPB
detects a failed tool (through the aforementioned health-check
packets), it ceases to pass traffic to that monitoring port and
spreads the workload to the remaining load-balanced tools.
Leading NPB vendors provide even more alternatives to
recover from a failed tool participating in a load-balanced
group. Better NPBs can direct traffic bound to the failed tool
to a hot standby tool, or even redirect all traffic to a secondary
(backup) group of load-balanced tools. Be sure to work with
your NPB vendor to determine which option is best for you.
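The session-aware distribution described above, together with the probe logic from “Health-check packets,” earlier in this chapter, as one added Python example; this is not code from the book or from VSS Monitoring. The tool names, the direction-independent 5-tuple hash, the session table and the probe outcomes are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def session_key(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
    """Direction-independent TCP 5-tuple key (assumed scheme): the client->server
    and server->client halves of one session produce the same key, so both
    directions of the session land on the same monitoring port."""
    lo, hi = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return f"tcp|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


@dataclass
class Tool:
    name: str
    healthy: bool = True


@dataclass
class LoadBalancedGroup:
    members: List[Tool]
    standby: Optional[Tool] = None
    # session key -> tool name; kept so that live sessions are not reshuffled
    table: Dict[str, str] = field(default_factory=dict)

    def _tool(self, name: str) -> Tool:
        for t in self.members + ([self.standby] if self.standby else []):
            if t.name == name:
                return t
        raise KeyError(name)

    def pick(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
        """Return the tool that receives this packet; stable for the whole session."""
        key = session_key(src_ip, src_port, dst_ip, dst_port)
        if key in self.table and self._tool(self.table[key]).healthy:
            return self.table[key]
        pool = [t for t in self.members if t.healthy]
        if not pool:
            raise RuntimeError("no healthy tool left in the group")
        h = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
        chosen = pool[h % len(pool)].name      # even spread over the healthy members
        self.table[key] = chosen
        return chosen

    def health_check(self, name: str, allowed_returned: bool, blocked_returned: bool) -> bool:
        """Evaluate one round of probes for a tool.  The 'allowed' probe must come
        back (hardware powered and linked); the 'blocked' probe must NOT come back
        (software still blocking).  Any other outcome fails the tool and moves its
        sessions elsewhere."""
        tool = self._tool(name)
        ok = allowed_returned and not blocked_returned
        if tool.healthy and not ok:
            tool.healthy = False
            self._fail_over(tool)
        elif ok:
            tool.healthy = True
        return ok

    def _fail_over(self, failed: Tool) -> None:
        """Hand the failed tool's sessions to a healthy hot standby if there is one;
        otherwise forget them so pick() re-spreads them over the survivors."""
        target = self.standby.name if self.standby and self.standby.healthy else None
        for key in [k for k, v in self.table.items() if v == failed.name]:
            if target:
                self.table[key] = target
            else:
                del self.table[key]


def demo():
    """Constructed scenario: two IPS members plus a hot standby."""
    group = LoadBalancedGroup([Tool("ips-a"), Tool("ips-b")], standby=Tool("ips-standby"))
    fwd = group.pick("10.1.0.5", 40000, "192.0.2.10", 443)  # client -> server
    rev = group.pick("192.0.2.10", 443, "10.1.0.5", 40000)  # server -> client
    # The 'blocked' probe came back: the tool is passing what it should block,
    # so it is pulled from the group and its session goes to the standby.
    still_ok = group.health_check(fwd, allowed_returned=True, blocked_returned=True)
    after = group.pick("10.1.0.5", 40000, "192.0.2.10", 443)
    return fwd == rev, still_ok, after  # (True, False, "ips-standby")
```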
High data-burst buffering
High data-burst buffering is a feature of advanced NPB devices
that solves problems caused by microbursts — consistent or
intermittent traffic data bursts of up to 100 percent of network
capacity that occur at submillisecond speeds. Microbursts
are often associated with the delivery of multimedia (such as
movies and music) over HTTP.
In a common scenario associated with microbursts, network
switch port-utilization readings may be at 30 to 50 percent,
but dropped packets are being registered in the dropped-packet
counter. Capturing data in these environments requires NPBs
to buffer microbursts to help smooth out captured packet
delivery so that passive monitoring tools can perform at
acceptable levels.
Packet optimization
Packet optimization capabilities modify captured packets to
make network security and performance tools connected to
NPBs more efficient and effective.
Time- and port-stamping
Time-stamping allows users to append a time stamp to each
captured packet relative to the time it entered the NPB for
the benefit of network and application latency measurement,
forensic evidence, and transaction-based application
reconciliation (such as stock-market transactions). The time
stamp is inserted as an 8-byte stamp after the payload and
before the cyclic redundancy check (CRC; see Figure 3-5). The
first four bytes indicate seconds, and the second four bytes
indicate nanoseconds. After the stamp is applied, the CRC is
recalculated and forwarded to the monitor ports as a standard
Ethernet frame.
Figure 3-5: Time-stamping packets.
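The stamp layout just described, as an added Python example that is not code from the book or from VSS Monitoring: four bytes of seconds and four bytes of nanoseconds go after the payload and before the FCS, and the FCS is recomputed. The sample frame and capture times are constructed, big-endian byte order for the stamp is an assumption (the text gives the layout, not the byte order), and the FCS is computed with zlib.crc32, which is the same CRC-32 Ethernet uses.

```python
import struct
import zlib

STAMP_LEN = 8  # 4 bytes of seconds + 4 bytes of nanoseconds


def ethernet_fcs(body: bytes) -> bytes:
    """Ethernet FCS: IEEE 802.3 CRC-32 (same algorithm as zlib.crc32),
    transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def add_timestamp(frame: bytes, seconds: int, nanoseconds: int) -> bytes:
    """Insert the 8-byte stamp after the payload and before the FCS, then
    recompute the FCS so the result is still a valid Ethernet frame.
    Byte order of the stamp (big-endian) is an assumption."""
    if not 0 <= nanoseconds < 1_000_000_000:
        raise ValueError("nanoseconds must be below one second")
    body, fcs = frame[:-4], frame[-4:]
    if ethernet_fcs(body) != fcs:
        raise ValueError("input frame has a bad FCS")
    stamped = body + struct.pack("!II", seconds, nanoseconds)
    return stamped + ethernet_fcs(stamped)


def read_timestamp(frame: bytes):
    """Check the FCS of a stamped frame; return (original body, seconds, nanoseconds)."""
    body, fcs = frame[:-4], frame[-4:]
    if ethernet_fcs(body) != fcs:
        raise ValueError("stamped frame has a bad FCS")
    seconds, nanoseconds = struct.unpack("!II", body[-STAMP_LEN:])
    return body[:-STAMP_LEN], seconds, nanoseconds


def latency_ns(earlier: bytes, later: bytes) -> int:
    """Capture-time difference between two stamped frames, in nanoseconds
    (the latency measurement the text mentions)."""
    _, s1, n1 = read_timestamp(earlier)
    _, s2, n2 = read_timestamp(later)
    return (s2 - s1) * 1_000_000_000 + (n2 - n1)


def build_sample_frame() -> bytes:
    """Constructed minimum-size Ethernet frame: dst MAC, src MAC, EtherType
    0x0800, a dummy payload padded to 46 bytes, and a valid FCS."""
    header = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    payload = b"constructed payload".ljust(46, b"\x00")
    return header + payload + ethernet_fcs(header + payload)


def demo():
    """Stamp one frame as seen at two points and measure the gap between them."""
    frame = build_sample_frame()
    at_ingress = add_timestamp(frame, 1_700_000_000, 123_456_789)
    at_egress = add_timestamp(frame, 1_700_000_001, 0)
    return len(at_ingress) - len(frame), latency_ns(at_ingress, at_egress)  # (8, 876543211)
```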
When traffic from more than one network port is captured
and directed to one or more (load-balanced) monitoring tools,
no record exists of which network port each packet flowed
through. Port-stamping overcomes this problem by stamping
the port (interface) number on each packet. This feature is
also useful for latency measurement, network forensics
applications (that collect packets for evidentiary purposes),
and trading transaction reconciliation.
Packet de-duplication
Planned redundancies in network design, monitoring-tool
access, and overlapping filters during traffic capture and
aggregation are typical situations that cause security and
performance tools to receive multiple duplicate packets.
Duplicate packets create challenges for IT and security
personnel, including monitoring-tool oversubscription, false
positives, and inaccurate performance reporting. Packet
de-duplication reduces the volume of traffic to monitoring
tools, increasing tool efficiency while reducing false-positive
errors and reporting.
Conditional packet slicing/masking
Packet slicing discards the latter part of a packet from the
copy of traffic before the tool receives it, thereby allowing the
tool to process and store more relevant data or only data of
interest. Conditional packet slicing takes packet slicing a step
further by enabling users to set slice points at different offsets
for each type of traffic to be sliced, such as HTTP, SMTP, and
the VoIP protocols RTP and RTCP.
Conditional packet slicing helps you ensure compliance with
regulations that mandate privacy best practices, such as the
Payment Card Industry Data Security Standard (PCI DSS),
which requires providing access to cardholder information
only on a need-to-know basis.
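A software model of the filter stage from “Hardware-based packet filtering,” earlier in this chapter, and of the per-protocol slice points described in this section, as one added Python example that is not code from the book or from VSS Monitoring. Addresses, VLAN numbers, rules, the port-to-protocol mapping and the slice points are all constructed assumptions.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN, ETHERTYPE_IPV4 = 0x8100, 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

@dataclass
class Packet:
    """Fields the filter and slicer key on, plus the offset where L4 payload starts."""
    vlan: Optional[int]
    src_ip: ipaddress.IPv4Address
    proto: int
    dst_port: Optional[int]
    payload_off: int

def parse_frame(raw: bytes) -> Packet:
    """Decode Ethernet II (optionally 802.1Q-tagged) + IPv4 + TCP/UDP headers."""
    ethertype, off, vlan = struct.unpack_from("!H", raw, 12)[0], 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from("!HH", raw, off)
        vlan, off = tci & 0x0FFF, off + 4
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 frames are modelled here")
    proto, ihl = raw[off + 9], (raw[off] & 0x0F) * 4
    src_ip = ipaddress.IPv4Address(raw[off + 12:off + 16])
    l4, dport = off + ihl, None
    if proto in (PROTO_TCP, PROTO_UDP):
        dport = struct.unpack_from("!H", raw, l4 + 2)[0]
        # TCP header length comes from its data-offset field; UDP is always 8
        l4 += (raw[l4 + 12] >> 4) * 4 if proto == PROTO_TCP else 8
    return Packet(vlan, src_ip, proto, dport, l4)

def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b"", vlan=None):
    """Construct a minimal Ethernet/IPv4/{TCP,UDP} frame (checksums left zero)."""
    eth = bytes.fromhex("001122334455" "66778899aabb")  # dst MAC, src MAC
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:  # 20-byte header: data offset 5, PSH+ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:                   # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0,
                     64, proto, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + l4 + payload

@dataclass
class Rule:
    """One filter criterion set; a None field is a wildcard."""
    src_net: Optional[ipaddress.IPv4Network] = None
    proto: Optional[int] = None
    dst_ports: Optional[range] = None
    vlan: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src_net is None or p.src_ip in self.src_net)
                and (self.proto is None or p.proto == self.proto)
                and (self.dst_ports is None or p.dst_port in self.dst_ports)
                and (self.vlan is None or p.vlan == self.vlan))

# Constructed slice policy: traffic type guessed from destination port; value = L4 payload bytes to keep
SLICE_POINTS = {80: 64, 25: 32, 5004: 0}  # HTTP, SMTP, RTP (assumed ports)

def slice_packet(raw: bytes, policy=SLICE_POINTS) -> bytes:
    """Cut at the slice point for this packet's traffic type, if one is set.
    As with a pcap snaplen, the IP and UDP length fields are left unchanged."""
    p = parse_frame(raw)
    keep = policy.get(p.dst_port)
    return raw if keep is None else raw[:p.payload_off + keep]

def groom(frames, positive=(), negative=(), policy=SLICE_POINTS):
    """Filter stage (negative drops, positive extracts), then slice stage."""
    out = []
    for raw in frames:
        p = parse_frame(raw)
        if any(r.matches(p) for r in negative):
            continue  # negative filter: drop unwanted packets
        if positive and not any(r.matches(p) for r in positive):
            continue  # positive filter: extract only desired packets
        out.append(slice_packet(raw, policy))
    return out

def demo():
    """Constructed frames for a tool that should see only 10.1.0.0/16, never VLAN 200, and no card data."""
    frames = [
        build_frame("10.1.0.5", "192.0.2.10", PROTO_TCP, 40000, 80, b"GET /pay HTTP/1.1\r\n" + b"card=4111" * 12),
        build_frame("10.1.0.6", "192.0.2.11", PROTO_TCP, 40001, 25, b"MAIL FROM:<a@b>\r\n" + b"Y" * 40),
        build_frame("10.1.0.7", "192.0.2.12", PROTO_UDP, 5004, 5004, b"\x80" * 160, vlan=100),
        build_frame("10.1.0.8", "192.0.2.13", PROTO_TCP, 40002, 80, b"backup", vlan=200),
        build_frame("172.16.0.1", "192.0.2.14", PROTO_TCP, 40003, 443, b"tls"),
    ]
    kept = groom(frames, positive=[Rule(src_net=ipaddress.IPv4Network("10.1.0.0/16"))],
                 negative=[Rule(vlan=200)])
    return [len(f) for f in kept]  # [118, 86, 46]
```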
Packet fragment reassembly
Packets can become fragmented when maximum transmission
unit (MTU) size is exceeded due to tunneling, encapsulating,
and/or tagging traffic, creating mismatches with different
routers as packets traverse one or more networks.
Fragmented packets create difficult obstacles for IT personnel
because tools can’t inspect them properly.
Packet fragment reassembly reassembles fragments into their
original form before forwarding them to tools (see Figure 3-6),
thereby restoring the efficacy of monitoring tools and allowing
them to inspect previously fragmented packets.
Figure 3-6: Reassembling packet fragments.
Protocol stripping
Many monitoring tools aren’t designed, at either the hardware
or software level, to handle traffic with certain protocols,
labeling, or encapsulation. Perhaps the tool wasn’t meant to
be used with certain protocols. Take MPLS tagging, for example.
Some security or performance tools either can’t handle MPLS
or can handle only a limited number of MPLS tags.
Protocol stripping allows you to remove a specific protocol
header, such as GTP, MPLS, VLAN, or VN-tag (VMware virtual
network tag). Stripping protocol headers from the packets
sent out the monitor ports means that the monitoring tools no
longer have to handle these headers and load balancing can
be performed on the stripped packets.
Leading NPB vendors offer generic user-defined offset
configurations that can strip any protocol header information
that exists today and in the future.
Common NPB Interconnection Designs
NPBs are designed to interconnect to improve scalability
and increase fault tolerance. When configured optimally,
monitoring tools located in New York can monitor traffic
generated in London!
Three common types of NPB interconnection designs are
available, although only one of these designs is acceptable to
most organizations.
Daisy chaining
In daisy chaining (see Figure 3-7), multiple devices of the same
type are connected in sequence, with traffic flowing through
them in one long chain. Daisy chaining is often implemented
with network switches, but it leaves much to be desired when
it comes to NPBs, because any NPB in the chain is a single
point of failure that can leave some of the devices stranded
from the stack. Also, daisy chaining usually requires proprietary
cabling, which negates the possibility of having geographically
dispersed NPBs participating in the same system.
Figure 3-7: Daisy-chaining design.
Star or hub-and-spoke
A star or hub-and-spoke design (see Figure 3-8) is more
advantageous than daisy chaining because participating
NPBs can be placed in different locations. The NPB in the
middle (hub) still provides a single point of failure for the
capturing infrastructure, however, providing no means for
path redundancy or failover.
Figure 3-8: Star or hub-and-spoke design.
Mesh system
A mesh system design (see Figure 3-9) is the most optimal
configuration for multiple-NPB deployments because it offers
the greatest flexibility and maximum fault tolerance. In a mesh
design, NPBs are interconnected, and traffic can be directed
to any port on any NPB regardless of location — across the
data center or around the globe.
Figure 3-9: Mesh design.
Better NPBs that support mesh design incorporate automatic
failover. If an NPB’s mesh link (interface and/or cable) were
to fail, captured traffic would automatically be redirected
through functioning NPB links, maintaining monitoring-tool
data feeds without network disruption.
Chapter 4
Use Cases for Network Security
In This Chapter
▶ Comparing active and passive security tools
▶ Examining typical network security challenges and solutions
With cloud computing and virtualization on the rise,
today’s computer networks are increasingly vulnerable
and constantly evolving, bringing new risks and uncertainties.
Long gone are the days of hacking for fun: Hackers are
financially motivated and more sophisticated than ever.
Some have formed hacking groups, such as LulzSec and
Anonymous, to share intelligence and gain economies of scale.
Nation-states are now employing hackers to commit so-called
advanced persistent threats (such as Internet espionage)
against foreign governments and corporations for political
gain. Examples include the Stuxnet and Flame malware (a new
breed of cyberwarfare) that targeted Iranian nuclear reactors
and China’s attack on Google to uncover the communications
and identities of Chinese dissidents.
IT security professionals struggle to keep up. Although
vendors do well providing network security tools to defend
against the latest cyberthreats, implementing those tools is an
ongoing challenge — for various reasons.
In this chapter, I describe some network security tools that
combat cyberthreats and explore typical challenges in
deploying them.
Common Network Security Tools
For every kind of cyberthreat, there’s a network security tool
designed to detect it (passive) and even block it (active). The
next two sections describe the most common passive and
active security tools in use today.
Passive security tools
Passive security tools merely inspect network traffic, typically
from switch SPAN ports, inline TAPs, or NPBs.
Intrusion detection system (IDS)
An intrusion detection system (IDS) is designed to monitor
network traffic for malware, exploits, and other cyberthreats
by leveraging thousands of threat signatures (sometimes
called rules). IDS software can be deployed on purpose-built
appliances; on user-provided hardware; and, in some cases,
as virtual appliances for VMware, Xen, and other virtualization
platforms.
Today, IDS is a mode of operation on intrusion prevention
system (IPS) appliances. In other words, you can no longer
purchase appliances that are capable only of performing
passive IDS monitoring. IPS appliances with high port densities,
however, typically support active IPS and passive IDS
configurations in the same box. It’s also common for
organizations to deploy an IPS for passive IDS monitoring
only, especially within the network core.
Vendors in this space include Check Point, Cisco, HP, IBM,
Juniper, McAfee, and Sourcefire.
Network forensics
The term network forensics refers to technology that monitors,
records, and analyzes computer network traffic for the
purposes of information gathering, collecting legal evidence,
and detecting and analyzing network security threats. This
technology is often described as a network VCR that records
(literally) all packets that traverse your network.
Network forensics software is most often deployed on
vendor-supplied network appliances with large storage
capacities, but some vendors supply it as a software-only
solution so that customers can hand-select the hardware to
support it.
Vendors in this space include AccessData, NetScout, NIKSUN,
RSA (NetWitness), and Solera Networks.
Network behavior analysis
Most network security devices are placed at the perimeter
(behind the firewall) to inspect threats coming in from the
Internet. Mobile devices that are hand-carried into the office,
however, may contain malware that perimeter defenses may
never see.
Network behavior analysis (NBA) detects threats facing your
network from the inside by leveraging NetFlow and other flow
standards (such as cFlow, sFlow, and jFlow) to get a baseline
reading on normal network traffic and detect anomalies such
as malware propagation.
Vendors in this space include Arbor Networks, Lancope, and
Riverbed.
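The baseline-and-anomaly idea in this paragraph is easiest to see on actual flow records. The following Python script is an added example written for this edition, not VSS Monitoring's or any NBA vendor's code: it learns each host's normal fan-out (distinct destination/port pairs per five-minute window) from constructed NetFlow-style records, then flags the one host whose fan-out jumps to a dozen internal machines on TCP 445, which is what worm-style propagation looks like in flow data. The record layout, addresses, window size and thresholds are all assumptions.

```python
"""Flow-based behaviour baseline and anomaly check (added example; the
record layout and thresholds are assumptions, not a vendor's algorithm)."""
from collections import defaultdict
from statistics import mean, pstdev


# Constructed flow records as an NBA tool might receive them from NetFlow/sFlow
# exports: (src_ip, dst_ip, dst_port), one list per five-minute window.
def flows(src, dsts, port):
    return [(src, d, port) for d in dsts]


BASELINE_WINDOWS = [
    flows("10.0.0.5", ["10.0.1.20", "10.0.1.21"], 443)
    + flows("10.0.0.6", ["10.0.1.20"], 443)
    + flows("10.0.0.7", ["10.0.1.22"], 80),
    flows("10.0.0.5", ["10.0.1.20", "10.0.1.21", "10.0.1.23"], 443)
    + flows("10.0.0.6", ["10.0.1.20"], 443)
    + flows("10.0.0.7", ["10.0.1.22", "10.0.1.24"], 80),
    flows("10.0.0.5", ["10.0.1.20", "10.0.1.25"], 443)
    + flows("10.0.0.6", ["10.0.1.20", "10.0.1.21"], 443)
    + flows("10.0.0.7", ["10.0.1.22"], 80),
]

# A later window: 10.0.0.5 suddenly touches twelve internal hosts on TCP 445,
# which is what lateral malware propagation looks like in flow data.
SUSPECT_WINDOW = (
    flows("10.0.0.5", [f"10.0.1.{i}" for i in range(30, 42)], 445)
    + flows("10.0.0.6", ["10.0.1.20", "10.0.1.21"], 443)
    + flows("10.0.0.7", ["10.0.1.22"], 80)
    + flows("10.0.0.9", ["10.0.1.20", "10.0.1.22"], 443)   # host never seen before
)


def fanout_per_host(window):
    """Number of distinct (dst_ip, dst_port) peers each source talked to."""
    peers = defaultdict(set)
    for src, dst, port in window:
        peers[src].add((dst, port))
    return {src: len(p) for src, p in peers.items()}


def build_baseline(windows):
    """Per-host mean and standard deviation of fan-out over the learning
    windows. A host absent from a window contributes 0 for that window."""
    per_window = [fanout_per_host(w) for w in windows]
    hosts = set().union(*per_window)
    return {h: (mean([c.get(h, 0) for c in per_window]),
                pstdev([c.get(h, 0) for c in per_window])) for h in hosts}


def detect_anomalies(baseline, window, sigma=3.0, min_delta=5):
    """Flag hosts whose fan-out exceeds mean + sigma*stddev. The min_delta
    floor stops tiny, zero-variance baselines from alerting on +1 peer and
    gives never-seen hosts a sane default threshold."""
    alerts = []
    for host, n in fanout_per_host(window).items():
        mu, sd = baseline.get(host, (0.0, 0.0))
        threshold = max(mu + sigma * sd, mu + min_delta)
        if n > threshold:
            alerts.append({"host": host, "fanout": n, "threshold": round(threshold, 1)})
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(build_baseline(BASELINE_WINDOWS), SUSPECT_WINDOW):
        print(f"ALERT {a['host']}: {a['fanout']} peers (baseline threshold {a['threshold']})")
```

A real NBA product adds more features per host (bytes, new ports, failed connections) and learns over days rather than three windows, but the shape is the same: learn per-entity statistics, compare each new window against them, and keep a floor so quiet hosts do not generate noise.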
Active security tools
Active security tools do more than just detect threats; they
also block them inline, which means they sit in the traffic path
and must do so without adding noticeable latency or becoming a
single point of failure.
Be sure to implement active security tools with best-in-class
NPBs to maximize scalability, increase fault tolerance, and
reduce packet latency to achieve security service assurance.
Intrusion prevention system (IPS)
IPS is the logical evolution of IDS. If you can detect threats,
why not block them? If, however, an IPS blocked good traffic
that it suspected to be bad (a false positive) or crashed
without failing open (a topic discussed in Chapter 2), it could
significantly disrupt business operations. Thus, organizations
must select and deploy IPS technology with great care.
Vendors in this space include Check Point, Cisco, HP, IBM,
Juniper, McAfee, and Sourcefire.
Next-generation firewall (NGFW)
Next-generation firewall (NGFW) is the evolution of typical
stateful firewalls. These devices combine firewall technology
with IPS and application-control capabilities in a purpose-built
hardware platform to increase network security and lower
total cost of ownership. NGFWs are often chosen over
stand-alone firewalls and IPS devices because they provide
granular control of application access by users and groups.
Some NGFWs also offer URL filtering, virtual private network
(VPN) capabilities (through SSL and IPSec), and malware
detection as optional components. NGFWs can replace
traditional firewalls or augment them by performing intrusion
prevention and application control both at the perimeter and
inside the network.
Vendors in this space include Check Point, Fortinet, McAfee,
Palo Alto Networks, and Sourcefire.
Advanced malware protection
Traditional security solutions — such as IPS, antivirus products,
and secure web gateways — are designed to detect known
threats and exploits that target known operating system and
application vulnerabilities. Today, however, zero-day exploits —
attacks targeting newly discovered vulnerabilities not yet
patched or detected by an IPS — and advanced persistent
threats cause enterprises and government agencies the most
concern. A new category of signatureless network security
solutions called advanced malware protection has emerged to
defend against these threats.
Vendors in this space include Damballa, FireEye, and Palo
Alto Networks.
Secure web gateway (SWG)
A secure web gateway (SWG), also known as a web filter,
is software typically installed on rack-mount appliances,
designed and optimized to enforce your company’s web
security policies and control user access to websites.
Websites that are known to contain malware or inappropriate
content (such as pornography or gambling) are blocked at
the gateway, thereby improving employee productivity,
limiting the organization’s liability, and keeping users’
computing devices safe from harm.
SWG vendors group websites into categories and issue security updates, typically on a daily basis. SWG users can create
access policies based on website categories and assign them
to individual users and groups of users.
Vendors in this space include Blue Coat, Cisco, McAfee,
Trustwave, and Websense.
Data loss prevention (DLP)
Data loss prevention (DLP), also known as data leakage
prevention, is software typically installed on rack-mount
appliances. DLP software is designed to detect and prevent
potential breaches of sensitive data and personally identifiable
information (credit card numbers, Social Security numbers,
hospital patient records, and so on) by monitoring data in
several states:
✓ In use (endpoint actions)
✓ In motion (network traffic)
✓ At rest (data storage)
Vendors in this space include Blue Coat, Check Point, Cisco
(IronPort), Fidelis, McAfee, RSA, Symantec, and Websense.
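To make the data-in-motion case concrete, here is an added example (written for this edition, not any DLP vendor's engine) of the detection logic a network DLP sensor runs on a payload taken from a SPAN or NPB feed: it finds candidate card numbers, discards look-alikes with a Luhn check, recognises dashed US Social Security numbers, and either masks the card numbers or returns a block verdict. The regexes, thresholds and the sample HTTP request are constructed; 4111 1111 1111 1111 is a widely used test card number, not a real account.

```python
"""Data-in-motion DLP check (added example; regexes, thresholds and the
sample request are constructed for illustration, not a vendor's engine)."""
import re

# Candidate card numbers: 13-19 digits, optionally separated by a single
# space or hyphen, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in dashed form, excluding area/group/serial values the SSA never issues.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check; every real payment card number passes it, so it
    discards most order numbers and other 16-digit identifiers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _normalise(candidate):
    return re.sub(r"[ -]", "", candidate)


def find_pans(text):
    """Return Luhn-valid card numbers (digits only) found in text."""
    return [_normalise(m.group()) for m in PAN_RE.finditer(text)
            if luhn_ok(_normalise(m.group()))]


def find_ssns(text):
    return SSN_RE.findall(text)


def redact(text):
    """Mask all but the last four digits of every valid PAN; leave other
    digit runs (order numbers, phone numbers) untouched."""
    def mask(m):
        digits = _normalise(m.group())
        if luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()
    return PAN_RE.sub(mask, text)


def inspect_payload(payload, max_pans=0):
    """Policy decision for one outbound payload: block if it carries more
    PANs than allowed or any SSN, otherwise allow."""
    pans, ssns = find_pans(payload), find_ssns(payload)
    action = "block" if len(pans) > max_pans or ssns else "allow"
    return {"pans": pans, "ssns": ssns, "action": action}


# Constructed HTTP request such as a DLP sensor would see on a SPAN/NPB feed
# or inline: one test-format card number and one look-alike order number.
SAMPLE_POST = (
    "POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    "name=Alice&card=4111 1111 1111 1111&order=1234567890123456&ssn=123-45-6789"
)

if __name__ == "__main__":
    print(inspect_payload(SAMPLE_POST))
    print(redact(SAMPLE_POST))
```

The Luhn step is what keeps a network DLP policy usable: without it, every 16-digit order or tracking number on the wire trips the card-number rule, and the tool gets tuned down until it catches nothing. Production engines add context (keywords such as "CVV" near the match, document fingerprints, encrypted-channel handling), but the match-then-validate structure is the core.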
Distributed denial of service (DDoS) prevention
A denial of service (DoS) attack is an attempt by one computer
to make another computer unavailable to its intended users
by flooding its bandwidth and/or its computing resources,
often through a flood of SYN or ICMP packets. A distributed
denial of service (DDoS) is a DoS attack initiated by a botnet
(a collection of computers called bots that are infected with
zombie agents or Trojans), typically used to target high-profile
websites. All the bots in a given botnet are programmed to
take action at a precisely coordinated time, as instructed by a
central command-and-control (CnC) system operated by the
perpetrator.
On-premises DDoS prevention systems can help detect and
prevent DDoS attacks through proprietary algorithms and
rate-based protection mechanisms.
Vendors in this space include Arbor Networks, Cisco, Corero,
and VeriSign.
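The rate-based protection mentioned above can be shown with a small sliding-window detector. This is an added example, not Arbor's, Cisco's or any vendor's algorithm: it counts pure SYNs per destination over a one-second window on constructed packet summaries, alerts once per window when the count passes a threshold, and uses the number of distinct sources to tell a single-host SYN flood from a distributed one. Thresholds, window size and all addresses are assumptions.

```python
"""Rate-based SYN-flood detection (added example; thresholds, window size
and the traffic are constructed, not a vendor's proprietary algorithm)."""
from collections import defaultdict, deque

TCP_SYN, TCP_ACK = 0x02, 0x10


class SynRateDetector:
    """Counts pure SYNs (SYN set, ACK clear) per destination in a sliding
    window and raises one alert per window when the rate is exceeded. The
    number of distinct sources separates a single-host DoS from a DDoS."""

    def __init__(self, window_s=1.0, syn_threshold=100, distributed_sources=20):
        self.window_s = window_s
        self.syn_threshold = syn_threshold
        self.distributed_sources = distributed_sources
        self.recent = defaultdict(deque)   # dst -> deque of (ts, src)
        self.last_alert = {}               # dst -> ts of last alert

    def observe(self, ts, src, dst, flags):
        """Feed one packet summary; return an alert dict or None."""
        if not (flags & TCP_SYN) or flags & TCP_ACK:
            return None                    # only connection attempts count
        q = self.recent[dst]
        q.append((ts, src))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()                    # drop SYNs that fell out of the window
        if len(q) < self.syn_threshold:
            return None
        if ts - self.last_alert.get(dst, float("-inf")) < self.window_s:
            return None                    # already alerted for this window
        self.last_alert[dst] = ts
        sources = len({s for _, s in q})
        return {"ts": ts, "dst": dst, "syns": len(q), "sources": sources,
                "kind": "ddos" if sources >= self.distributed_sources else "dos"}


def run_detector(packets, **kw):
    det = SynRateDetector(**kw)
    return [a for a in (det.observe(*p) for p in packets) if a]


def constructed_traffic():
    """Synthetic packet summaries: (ts, src, dst, tcp_flags)."""
    pkts = []
    # Benign: five clients completing handshakes over about two seconds.
    for i in range(30):
        t, client = i * 0.06, f"198.51.100.{i % 5 + 1}"
        pkts += [(t, client, "203.0.113.10", TCP_SYN),
                 (t + 0.01, "203.0.113.10", client, TCP_SYN | TCP_ACK),
                 (t + 0.02, client, "203.0.113.10", TCP_ACK)]
    # DDoS at t=5: 500 SYNs in half a second from 250 spoofed sources.
    pkts += [(5.0 + i * 0.001, f"10.0.{i % 250}.7", "203.0.113.10", TCP_SYN)
             for i in range(500)]
    # Single-source SYN flood at t=10 against a second target.
    pkts += [(10.0 + i * 0.002, "192.0.2.99", "203.0.113.20", TCP_SYN)
             for i in range(200)]
    return sorted(pkts)


if __name__ == "__main__":
    for alert in run_detector(constructed_traffic()):
        print(alert)
```

A fixed threshold of 100 SYNs per second is only a starting point; a production device learns a per-destination baseline and alerts on a multiple of it, and an inline DDoS appliance would follow the alert with a mitigation such as SYN cookies or per-source rate limiting rather than just logging.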
Typical Network Security
Deployment Challenges
IT organizations face numerous challenges in deploying
network security devices, especially in large, complex,
geographically dispersed networks that change frequently.
(Sound familiar?) Following are just a few of those challenges,
all of which can be solved by using NPBs.
Extending current investment
in 1G security tools
The 10-gigabit Ethernet (10GbE, or 10G for short) computer
networking standard was first published in 2002 but didn’t
reach critical mass until 2007, when 1 million 10G ports were
shipped. Since then, 10G has become the standard-bearer for
larger computer network backbones.
Virtually every large computer network has dozens, if not
hundreds, of 1G fiber network security monitoring tools.
These appliances may have the capacity to inspect more
than 1Gbps of traffic — or up to 4Gbps or 5Gbps, depending
on the model — but 1G tools can’t physically connect to
10G networks because they’re equipped with 1G fiber interfaces.
For sample photos of 1G and 10G fiber interfaces, see Chapter 1.
Solution: NPBs can help by aggregating, load-balancing, and
optimizing traffic from 10G networks to existing 1G security
tools. This solution not only extends the useful life of existing
1G tools, which postpones the expense of replacing them, but
also maximizes their performance and fault tolerance.
Safely deploying multiple active
security tools in series
As I mention in Chapter 2, active tools do more than just
monitor traffic; they can manipulate it as well. Active tools
pose network availability risks, because if such a tool loses
power or otherwise becomes disabled, an entire network
segment could be affected.
Many organizations deploy multiple active security tools in
series to achieve defense in depth. Traffic may flow from the
Internet through a firewall, an IPS, and an SWG before it’s
allowed on the network. Organizations need a way to deploy
these active security tools in succession while minimizing risk
of network downtime.
Solution: NPBs can route traffic effectively through each
active tool (or active load-balanced tool group) in sequence.
If any given tool fails, the interface set on the NPB associated
with that tool can fail open or to a secondary active tool (or
load-balanced tool group).
Gaining complete
network visibility
Typical network security appliances come with multiple
interfaces to monitor multiple network segments simultaneously. After those interfaces are fully populated, however,
organizations typically buy more security tools, which often
are quite expensive.
Organizations need a cost-effective solution to enable their
security tools to monitor more network segments than their
existing interfaces allow.
Solution: NPBs can aggregate traffic from several network
segments and then optimize that traffic before routing it to
active and passive security tools. NPBs are typically less
expensive than security tools, enabling organizations to save
precious budget resources while maximizing fault tolerance
and tool performance.
Supporting active–passive
network configurations
Most organizations can’t afford prolonged periods of Internet
downtime. Therefore, they often deploy redundant paths to
the Internet, in which the primary link is active and a secondary
link is passive, or on warm standby. The secondary link is
automatically engaged in the event that the primary link fails.
This design is commonly referred to as active–passive network
design.
Although active–passive network architectures require
redundant network infrastructure components, such as firewalls
and routers, common network security tools can often be
shared — with the right network design.
Solution: By incorporating an NPB into both the active and
passive Internet paths, you can use one set of network security
tools to monitor traffic on both sides. (The tools connect to
both NPBs at the same time, although they’re analyzing
traffic from only one NPB at a time.) This solution eliminates
the need to purchase twice as many network security tools
just to support an active–passive network configuration.
Biotech company prescribes
VSS Monitoring to safely
deploy its security tools
A leading California-based biotechnology company has provided medicines to treat patients with serious
life-threatening medical conditions
for over thirty years. Its networks
support daily operations for over
10,000 medical, research, and administrative personnel globally.
The company’s IT security team sought a solution to deploy two
sets of load-balanced 1G active (inline) security tools in
sequence — advanced malware protection appliances and secure
web gateways — safely and cost-effectively while supporting a
high-availability design. After evaluating several leading NPB
solutions, it selected NPBs from VSS Monitoring
(www.vssmonitoring.com).
The biotech company was able to meet its challenges by deploying
one NPB in each of its primary and secondary gateway network
segments. Each security tool was connected to both of the VSS
NPBs, allowing each tool to protect both the primary and
secondary gateway segments.
Custom health-check triggers were
configured to monitor the health of
the security tools before redirecting live traffic. Deploying the VSS
NPBs enabled the company to use
existing 1G security tools to protect
10G links while reducing the number
of security tools needed by utilizing
the same security devices for both
the primary and secondary gateway
network segments. This helped the
company surpass its 99.999 percent
uptime objective while significantly
reducing capital expenses.
Chapter 5
Use Cases for
Network Performance
In This Chapter
▶Reviewing common network performance tools
▶Exploring challenges with and solutions for deploying network
performance tools
At its most basic level, a computer network keeps a
business running and growing. It’s where business
applications are hosted and where mission-critical customer,
product, and business information is stored. When you have a
resource this valuable, ensuring its performance is essential.
In Chapter 4, I review common types of passive and active
network security tools and discuss typical challenges that
organizations face in attempting to deploy them. This chapter
is laid out very similarly, but instead of talking about network
security, I discuss topics related to network performance.
The term network performance is incredibly broad and means
many things to different people. For the purposes of this
book, I use it simply to refer to the universe of tools that help
IT professionals monitor, troubleshoot, and accelerate the
speed of a network and its applications.
Common Network
Performance Tools
Just like network security tools, network performance tools
are designed for passive or active deployments. I cover the
differences in the following sections.
Passive performance tools
Passive network performance tools merely listen to network
traffic, typically from SPAN ports and/or from network flows
generated by network infrastructure devices such as routers
and switches.
Network performance monitoring (NPM)
The network performance monitoring (NPM) industry is quite
mature, having been around for more than a decade. In 2012,
market research firm Gartner amended its name for this
category of products to application-aware NPM. In either case,
these tools monitor the health and performance of a network
through passive packet capture and analysis.
NPM solutions receive and process flow data (NetFlow, cFlow,
sFlow, jFlow, IPFIX, and so on) from network routers and
switches and provide dashboards to display business-relevant
views of network and application performance. Alarms can be
configured to alert IT when minimum thresholds of acceptable
performance have been broken.
Vendors in this space include CA, Cisco, Fluke, OPNET, and
Riverbed.
Application performance monitoring (APM)
A typical enterprise application relies on dozens or even
hundreds of separate hardware and software components to
deliver the business service for which it’s deployed. These
components include web servers, application servers, databases, network devices, load balancers, and storage devices.
Checking the functions of business applications — a task
performed by application performance monitoring (APM)
solutions — is a critical task performed by every enterprise IT
organization. It’s so important, in fact, that according to Gartner,
organizations spend $2 billion globally on APM solutions alone.
APM solutions track real-time execution of all application
components, measuring and reporting on the hardware
resources consumed by application components, as well as
the speed and latency with which applications are delivered.
These solutions also determine why an application failed
to execute successfully or why resource consumption and
latency levels departed from expectations.
Don’t confuse APM with end-user experience monitoring
solutions, which tell you only whether you have an application
performance problem (from an end-user’s perspective) — not
the cause of that problem.
Vendors in this space include CA, Compuware, HP, IBM,
OPNET, and Quest Software.
Unified communications monitoring
Unified communications (UC) is a new technological architecture
whereby communication tools are integrated so that business
and individual users can manage all their communications —
VoIP, instant messaging, IP telephony, videoconferencing,
electronic whiteboards, and so on — in one entity instead of
separately. In short, UC bridges the gap between VoIP and
other computer-related communications technologies.
UC allows an individual user to receive a message in one
medium and access it on another. He could receive a voice-mail
message and choose to access it through e-mail or a cellphone,
for example. If the sender is online (according to her presence
information) and currently accepting calls, the recipient can
send his response to her immediately through a text chat or
video call, or he could send it as a non-real-time message that
she can access later through a variety of media.
New tools in this emerging market also allow monitoring of UC
infrastructure performance.
Vendors in this space include Anritsu, Empirix, EXFO, and JDSU.
Network behavior analysis (NBA)
In Chapter 4, I discuss NBA in the context of network security.
When this market niche was founded (originally as network
behavioral anomaly detection, or NBAD), its use cases were
all about security. Since then, nearly half the organizations
that purchased NBA solutions have done so for
network-performance-monitoring reasons, as they’ve discovered new
applications for network flow analysis.
Organizations can use NBA solutions to troubleshoot network
outages and performance degradations, and to link application
performance to individual users and groups.
Vendors in this space include Arbor Networks, Lancope, and
Riverbed.
Active performance tools
Passive network performance monitoring tools measure
performance, whereas their active counterparts actually affect
performance through a variety of methods, as described in
the following sections.
Traffic shaping
Traffic shaping — also known as packet shaping and quality
of service (QoS) policing — has been around for more than a
decade. This technology enables IT professionals to increase
or decrease bandwidth priority by application and even by user.
Few people would argue, for example, that YouTube is more
critical to a business than Salesforce.com. (That is, unless
you work for YouTube.) So an organization may assign
YouTube and other streaming-media applications a lower
bandwidth priority while assigning higher bandwidth priority
to Salesforce.com, Oracle, and other business-critical
applications. To take this example a step further, IT may want
to ensure that the chief executive officer has a little more
bandwidth to access Salesforce.com than, say, a junior sales
associate.
Traffic shaping helps organizations get the biggest bang for
the buck out of their existing networking investments.
Vendors in this space include Blue Coat, NetEqualizer,
PacketLogic, and Procera.
WAN optimization controllers (WOCs)
A WAN is the foundation of a globally connected enterprise.
The performance of the WAN is critical to everything the
organization does. WAN optimization controllers (WOCs) can
cut WAN bandwidth use by 60 to 95 percent, often delaying
expensive WAN upgrades.
The primary function of a WOC is to improve the response
time of business-critical applications over WAN links. The
device performs this task by using a series of techniques,
including traffic compression, byte caching, data de-duplication,
traffic shaping, and protocol optimization.
WOCs are deployed symmetrically (in data centers and
remote locations) and typically are connected to the LAN
side of WAN routers. They address application performance
problems caused by bandwidth constraints and by latency or
protocol limitations.
Vendors in this space include Blue Coat, Citrix, Riverbed, and
Silver Peak.
Web caching
Web caching is widely recognized as being one of the most
important techniques to reduce bandwidth consumption
caused by the tremendous growth of the World Wide Web.
Enterprises and service providers deploy web-caching
software and appliances to reduce bandwidth requirements
and improve web-browsing response time over existing
connections. Here’s how web caching works:
1. When a user within an organization connects to a
website, such as Facebook or YouTube, unbeknownst
to that user, a web-caching appliance receives the
request and determines whether the requested
content (HTML page, video, PDF file, and so on) is
stored in its local cache.
2. If the requested content is stored in the local cache —
that is, if a cache hit occurs — the content is returned to
the user’s web browser without fetching the object again
from the Internet host. If the cached copy is older than its
freshness lifetime, the appliance first asks the origin
whether the content has changed; that check costs a few
header bytes rather than the whole object, and the cached
copy is served if the answer is no.
or
If the requested content isn’t stored in the local
cache — that is, if a cache miss occurs — the user’s
request is forwarded to the originally intended
Internet host.
By implementing web-caching solutions, enterprises can
reduce bandwidth consumption by 40 percent to 90 percent.
Vendors in this space include Blue Coat and Squid.
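The two-step description above leaves implicit how a cache can both check that content has not changed and avoid pulling it from an Internet host again: a cache serves fresh entries without any origin contact, and once an entry is past its freshness lifetime it revalidates with a conditional request that costs a few header bytes. The following Python is an added example written for this edition, not Blue Coat's or Squid's code; the origin stand-in, TTL and page sizes are constructed. It tracks bytes pulled from the origin against bytes served to show where the bandwidth saving comes from.

```python
"""Caching proxy logic with freshness and validation (added example; the
origin stand-in, TTL and sample pages are constructed, not a vendor's code)."""
import hashlib


class Origin:
    """Constructed stand-in for Internet hosts. Counts full fetches and
    cheap validations so the bandwidth effect can be measured."""
    def __init__(self, pages):
        self.pages = dict(pages)
        self.full_fetches = self.validations = 0
        self.bytes_sent = 0

    def etag(self, url):
        return hashlib.sha256(self.pages[url]).hexdigest()[:16]

    def get(self, url, if_none_match=None):
        """Return (status, body, etag); 304 with no body when the tag matches."""
        tag = self.etag(url)
        if if_none_match == tag:
            self.validations += 1
            return 304, b"", tag
        self.full_fetches += 1
        self.bytes_sent += len(self.pages[url])
        return 200, self.pages[url], tag


class WebCache:
    def __init__(self, origin, ttl_s=60.0):
        self.origin, self.ttl_s = origin, ttl_s
        self.store = {}             # url -> (body, etag, fresh_until)
        self.bytes_served = 0

    def get(self, url, now):
        """Serve url at time `now`: fresh hit (no origin contact), stale hit
        (validated with If-None-Match; a 304 costs only headers), or miss."""
        entry = self.store.get(url)
        if entry and now < entry[2]:
            body = entry[0]                                   # fresh hit
        elif entry:
            status, new_body, tag = self.origin.get(url, if_none_match=entry[1])
            body = entry[0] if status == 304 else new_body   # stale hit / changed
            self.store[url] = (body, tag, now + self.ttl_s)
        else:
            _, body, tag = self.origin.get(url)               # miss
            self.store[url] = (body, tag, now + self.ttl_s)
        self.bytes_served += len(body)
        return body


def demo():
    """Five requests for one 10 KB object; returns (origin bytes, bytes served)."""
    origin = Origin({"/video/intro.mp4": b"\x00" * 10_000})
    cache = WebCache(origin, ttl_s=60)
    cache.get("/video/intro.mp4", now=0)      # miss: full fetch
    cache.get("/video/intro.mp4", now=10)     # fresh hit: no origin contact
    cache.get("/video/intro.mp4", now=30)     # fresh hit
    cache.get("/video/intro.mp4", now=100)    # stale: validated, 304
    origin.pages["/video/intro.mp4"] = b"\x01" * 10_000     # content changes
    cache.get("/video/intro.mp4", now=200)    # stale: validated, 200, refetch
    return origin.bytes_sent, cache.bytes_served


if __name__ == "__main__":
    print(demo())   # (20000, 50000)
```

Five user requests cost the origin two full transfers and one 304; the ratio only improves as more users share the cache. Note that the appliance can only do this for traffic it can read, which is why caching (like SWG and DLP inspection) depends on the organisation's policy for intercepting TLS.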
Application acceleration
Application acceleration speeds the performance of centralized
applications for remote employees, customers, or partners
who access those applications over a network (typically,
the Internet). Most solutions require devices at both ends of
the network connection, such as headquarters and a branch
office; others sit in front of servers in a data center to make
access to those servers more efficient. These devices address
the two main factors that impede application performance:
latency and bandwidth.
The three most commonly used application acceleration
techniques are protocol optimization, content caching, and
data compression.
Vendors in this space include Blue Coat, Citrix, F5, and
Riverbed.
Typical Network Performance
Deployment Challenges
Chapter 4 discusses typical challenges that organizations face
in deploying network security tools. This section presents the
challenges of deploying network performance tools, some of
which are identical to those mentioned in Chapter 4.
Deploying active WAN
acceleration tools
Any active tool, whether security- or performance-oriented,
must be deployed with great care. If an active tool requires a
reboot upon receiving software updates, or if it needs to be
taken offline periodically for maintenance, it must have
reliable fail-open technology built into its network interfaces.
Unfortunately, many tools don’t have this technology.
Solution: Select NPBs come equipped with fail-open network
interfaces to ensure that no active tool will ever cause the
network to fail, even when it loses power. Further, better
NPBs offer health-check packets to monitor the state of active
tools, and some feature reboot accelerated failover technology,
which provides additional reliability for 1G copper network
segments. (For details on these features, see Chapter 3.)
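The fail-open and health-check behaviour described here, in the Chapter 4 solution for deploying active tools in series (fail open or fail over to a secondary tool group when a tool dies) and in the biotech case study's health-check triggers, can be modelled as a small state machine. The following Python is an added example written for this edition, not VSS Monitoring's firmware: an interface set with a load-balanced primary group, a secondary group and bypass, where a tool is pulled from service only after several consecutive missed health-check packets and returned only after several consecutive good ones, so that live traffic is never redirected to a tool that is still rebooting. Tool names, probe limits and the hash-based load balancing are assumptions.

```python
"""Inline tool-set failover as an NPB implements it (added example modelling
the behaviour described in the text; not VSS Monitoring's firmware. Tool
names, probe counts and the hysteresis limits are assumptions)."""
import zlib


class Tool:
    """Stand-in for an inline appliance. `up` is the constructed device state;
    forward() returns the packet if the tool passed it back, None if it was
    swallowed (powered off, rebooting, wedged)."""
    def __init__(self, name, up=True):
        self.name, self.up = name, up

    def forward(self, pkt):
        return pkt if self.up else None


class InlineToolSet:
    """One NPB interface set: a primary load-balanced group, an optional
    secondary group, and bypass (fail-open) when neither has a healthy member.
    Health checks use hysteresis: miss_limit consecutive failed probes take a
    tool out of service, recover_limit consecutive good probes put it back."""

    def __init__(self, primary, secondary=(), miss_limit=3, recover_limit=5):
        self.groups = {"primary": list(primary), "secondary": list(secondary)}
        self.miss_limit, self.recover_limit = miss_limit, recover_limit
        names = [t.name for g in self.groups.values() for t in g]
        self.healthy = {n: True for n in names}
        self.misses = {n: 0 for n in names}
        self.successes = {n: 0 for n in names}

    def probe(self):
        """Send one health-check packet through every tool and update state."""
        for group in self.groups.values():
            for t in group:
                ok = t.forward(b"npb-health-check") is not None
                n = t.name
                if self.healthy[n]:
                    self.misses[n] = 0 if ok else self.misses[n] + 1
                    if self.misses[n] >= self.miss_limit:
                        self.healthy[n], self.successes[n] = False, 0
                else:
                    self.successes[n] = self.successes[n] + 1 if ok else 0
                    if self.successes[n] >= self.recover_limit:
                        self.healthy[n], self.misses[n] = True, 0

    def route(self, flow_key):
        """Pick the path for a flow: ('primary'|'secondary', tool name) or
        ('bypass', None). Hashing the flow key keeps both directions of a
        connection on the same tool, which stateful inspection requires."""
        for path, group in self.groups.items():
            live = [t for t in group if self.healthy[t.name]]
            if live:
                return path, live[zlib.crc32(flow_key.encode()) % len(live)].name
        return "bypass", None


if __name__ == "__main__":
    ips1, ips2, standby = Tool("ips-1"), Tool("ips-2"), Tool("ngfw-standby")
    tool_set = InlineToolSet([ips1, ips2], [standby])
    ips1.up = False
    for _ in range(3):
        tool_set.probe()
    print(tool_set.route("10.0.0.5:51000->203.0.113.10:443"))   # ('primary', 'ips-2')
```

Two design points worth noting. The asymmetry between miss_limit and recover_limit is deliberate: taking a dead tool out quickly limits packet loss, while re-admitting it slowly avoids sending production traffic to an appliance whose inspection engine is still loading. And bypass is a policy choice, not a law: on a segment where losing inspection is worse than losing connectivity (a DMZ feeding an inline IPS, say), the last branch would drop instead of forwarding, which is the fail-closed behaviour the Chapter 2 discussion contrasts with fail-open.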
Extending current investment
in 1G performance tools
Two recurring themes in this book are the dominance of
10G fiber network backbones and the preponderance of
1G monitoring tools. Whether a 1G tool is active or passive,
it simply can’t connect natively to a 10G network, because
the physical interfaces are incompatible. (For illustrations of
common network interface connectors, flip back to Chapter 1.)
This incompatibility often forces the early retirement of
perfectly good monitoring tools before the end of their useful
life, which requires IT to invest in new 10G tools earlier than
planned (and budgeted).
Solution: Any guess? That’s right — as long as 1G tools have
the horsepower to inspect the organization’s volume of
traffic, its network interfaces aren’t the limiting factor any
more, thanks to NPBs. In this solution, 10G traffic comes into
an NPB via its network ports and then is directed to one or
more monitoring ports for inspection by the 1G tool(s).
By now, I hope you know the difference between 10G throughput
and 10G connectivity. A 10G network is equipped to connect
with myriad 10G devices, but that doesn’t mean it’s actually
pumping out 10G worth of data. In theory, you could have
just 750Mbps of average throughput on a 10G network, which
could easily be inspected by a single 1G tool.
Gaining complete
network visibility
Another recurring theme in this book is the inability of any
given tool to inspect more network segments than it has
interfaces for. An eight-port IPS, for example, can inspect up
to eight network segments in passive IDS (alerting) mode or
up to four network segments in active IPS (blocking) mode.
Solution: Network aggregation is one of the most common
reasons why organizations turn to NPBs. When you leverage
NPBs, that same eight-port IPS can inspect traffic from over
a dozen network segments, making its processing power the
limiting factor — not its interfaces.
Optimizing tool throughput
for efficiency and scale
Tools are limited by their processing power (CPU, memory,
disk capacity, and so on). In many cases, however, tools
frequently inspect traffic that doesn’t pertain to them, thus
consuming precious resources unnecessarily. Then
organizations retire these tools in favor of new, upgraded
tools with higher bandwidth capacity — purchases that eat
into their precious IT budgets.
Solution: Because NPBs are almost always less expensive
than high-end performance tools, and certainly are more
versatile, an NPB can be used to strip away unnecessary
traffic through its packet filtering capability (see Chapter 3).
This solution ensures that only traffic of interest flows into
the tool, thereby extending its useful life.
NPBs school a university
Typical university networks pose
a huge challenge for network
operations. Their users are the
highest consumers of bandwidth on
the planet, frequently connecting
to sites such as YouTube, Netflix,
Facebook, and Skype, as well as
doing online research for their
coursework.
Also, a university network can comprise tens of thousands of student,
faculty, and staff workstations, as
well as hundreds of servers and
network infrastructure devices.
Monitoring the performance of such
a network and its mission-critical
applications is quite a challenge.
One U.S. university was experiencing
two dilemmas with its performance
monitoring tools: The tools didn’t
have enough interfaces to monitor
the entire network, and they were
unable to monitor the corporate
backbone following a 10G upgrade.
Its IT department selected NPBs from VSS Monitoring
(www.vssmonitoring.com) to solve the problem. When the NPBs were
up and running, the university’s 1G performance monitoring tools
were inspecting 10G traffic through a load-balanced configuration
while gaining complete network visibility through traffic
aggregation.
Chapter 6
Use Cases for
Service Providers
In This Chapter
▶Distinguishing among types of service providers
▶Exploring common service provider traffic types
▶Examining service provider use cases for NPBs
Chapters 4 and 5 describe NPB use cases for network
security and network performance tools, respectively.
These use cases apply to virtually all enterprises, government
agencies, and especially to service providers — the latter in
more ways than one.
For the purposes of this book, service provider is a generic term
that applies to companies that provide telecommunications,
broadband, television, application hosting, and other
IT services.
In this chapter, I discuss the most common types of service
providers and then explore their most frequent use cases for
NPB solutions. I then describe how one of America’s largest
mobile service operators leveraged NPBs to simplify its 4G
performance monitoring architecture and lower costs within
its newest network operations center.
Types of Service Providers
Dozens of types of service providers operate across the
telecommunications, television, and IT industries. This section
explores those that are most likely to benefit from NPB solutions.
Mobile network operators (MNOs)
A mobile network operator (MNO) — also known as a wireless
service provider, cellular company, or mobile network
carrier — is a provider of wireless communications services
that owns or controls all the elements necessary to sell and
deliver services to an end user, including radio-spectrum
allocation, wireless network infrastructure, back-haul
infrastructure, billing, and customer care.
Vendors in this space include AT&T, Sprint, Verizon Wireless,
and Vodafone.
Fixed network operators (FNOs)
A fixed network operator (FNO) — also known as a telephone
company, telco, telephone service provider, or fixed line
operator — provides wired telecommunications services
such as telephony and data communications access. In the
United States, FNOs include regional Bell operating companies
(RBOCs), incumbent local exchange carriers (ILECs), and
competitive local exchange carriers (CLECs). At one time,
FNOs in the United States were state-regulated monopolies.
Vendors in this space include AT&T, BT, and Verizon.
Multiple-system operators (MSOs)
A multiple-system operator (MSO) — also known as a multisystem
operator or multiple service operator — is a company that
has acquired multiple cable television (CATV) systems and
brought them under the control of a single corporate entity.
The individual CATV systems may have been combined into a
single network, combined at a regional or metropolitan level,
or not combined at all. MSOs typically provide television,
telephone, and Internet broadband services to businesses and
consumers.
Vendors in this space include Comcast, Time Warner, and
Virgin Media.
Other service providers
Many more types of service providers exist, and frankly, I
don’t have enough space in this book to write about them.
Here, however, are a few worth mentioning:
✓ Application service providers
✓ Managed service providers
✓ Storage service providers
✓ Cloud service providers
You may have noticed that up until now, I haven’t used the
term Internet service provider (ISP), which refers to a company
that provides broadband Internet connectivity to businesses,
government agencies, and consumers. That’s because virtually
all the service providers mentioned in this section offer
broadband Internet services and, thus, can be considered to
be ISPs.
Common Service Provider
Traffic Types
Before you delve into common service provider use cases,
review this section, which explores common traffic types
deployed by today’s service providers.
Video streaming: The world’s biggest bandwidth hog
No matter how you slice it, video is the leading bandwidth hog
on mobile and fixed access networks. According to the 2012
Sandvine Global Internet Phenomena Report (www.sandvine.com),
YouTube is the world’s biggest consumer of mobile data, taking
up 27 percent of mobile data in North America, and Netflix is
far and away the largest single source of traffic on fixed
access networks, representing 24 percent of total volume in
North America — well ahead of BitTorrent, at 14 percent.
OTT and operator-based
video services
Mobile and network service providers are finding it challenging
to maintain acceptable levels of service performance in the
face of rising demand for streaming video. That video comes
in two varieties:
✓ OTT (over-the-top) video is streamed without the ISP’s
involvement in the control and distribution of the content,
such as video streamed from YouTube, Hulu, and Netflix.
The provider may be aware that its infrastructure is
streaming OTT video, but it isn’t responsible for, or able
to control, the technical quality, copyrights, or
redistribution of the content.
✓ Operator-based video is delivered by the provider
through purchase or rental agreements, such as
Comcast’s On Demand and AT&T’s U-verse.
IP telephony
IP telephony is the area of communications that involves
digital phone systems based on IP standards. This technology
makes a phone system digital in such a way as to take
advantage of the Internet and of any hardware and applications
attached to it. IP telephony providers leverage NPBs to
optimize delivery quality of their IP telephony services.
Most people use the terms VoIP and IP telephony interchangeably,
but VoIP is a subset of IP telephony. Think of IP telephony
as being the overall concept and VoIP as being a means of
transmitting voice to implement this concept. An IP telephony
system can, for example, be an IP PBX, which incorporates
VoIP and other standards.
Common Service Provider
Use Cases
Unlike most enterprises, service providers must satisfy the
needs of both internal users and — perhaps more important —
external customers. Chapters 4 and 5 describe how service
providers can leverage NPBs to optimize their internal
networks. This section describes how they can use NPBs to
optimize service delivery for external customers.
As you can imagine, the number of performance and security
tools that it takes to monitor, maintain, and protect the
myriad services discussed in this section is far too great to
cover in this book, so I refer to these systems collectively as
tools. To find out how NPBs can interface with your specific
tools, contact your preferred NPB vendor.
Although the tools used by the service providers in the
following use cases vary greatly, NPBs were employed to do
the following things:
✓ Selectively aggregate traffic from many network segments
and route it to one or more tools
✓ Enable tools to be deployed and maintained without
potential for unplanned network downtime
✓ Filter packets so that only traffic of interest is sent to
each specific tool
✓ Load-balance traffic to a group of tools to maximize their
performance
✓ Overcome SPAN-port contention
✓ Extend the life of 1G tools on 10G networks
✓ Leverage deep packet inspection to comply with
lawful-interception mandates (discussed later in this chapter)
4G greenfield deployments
MNOs commonly deploy NPBs to support new, or greenfield,
4G deployments. 4G is the fourth generation of cellphone
mobile communications standards and the successor to the
third-generation (3G) standard. A 4G system provides mobile
ultrabroadband Internet access to mobile devices such as
laptops and smartphones. Typical 4G applications include
mobile web access, IP telephony, gaming services,
high-definition mobile TV, and videoconferencing.
Following are the most common cellphone mobile
communications standards, up to and including 4G LTE:
✓ 3.5G systems, often marketed as “4G” today
✓ HSPA+ (High Speed Packet Access Evolution), from the
UMTS family
✓ EV-DO Rev B (Evolution Data Only), from the CDMA family
✓ 3.9G systems, often referred to by the telecom industry
as first-generation 4G systems
✓ 802.16e / Mobile WiMAX
✓ LTE (Long Term Evolution)
✓ LTE-Advanced
3G ATM-to-IP conversion
MNOs with longstanding 3G infrastructures are finding
themselves migrating from costly ATM (asynchronous
transfer mode) infrastructure components, such as
concentrators and multiplexors, to cheaper IP components,
such as routers and switches, and from CLASS-level switches
to simpler soft switches. But the biggest transformation is
the way that data is trunked back to the central office —
which is where the real need for monitoring tools and NPBs
comes in.
As the traditional bombproof legacy infrastructure is
upgraded to all-IP, fixed-length ATM cells are being replaced
with variable-length IP packets. This change causes many
problems for real-time communication services, such as voice
and video. Factors such as delay, jitter, latency, packet loss,
fragmentation, and packet duplication replace older issues
such as clock drift and correct configuration of central-office
and concentrator switches.
Indeed, the cost of the backbone carriage for an all-IP
infrastructure has decreased markedly, but without a new
layer to connect the network segments correctly to the
monitoring layer, those savings can’t be fully realized.
Fixed-line TDM-to-IP conversion
FNOs are replacing time-division multiplexing (TDM)
infrastructure with IP-based components to deliver telecom
services as IP-based systems that are significantly more
cost-effective and versatile than their legacy TDM-based
counterparts. New services being offered — such as VoIP,
Voice over Packet, IPTV, and video on demand — are critically
dependent on packets turning up with minimum delay, little
jitter, and zero packet loss.
IP networks were originally designed for “best effort” transport
of non-time-critical data, such as e-mail. With the correct
tools, however, voice and video services can be carried over
IP networks successfully, with their quality tracked by
distributed measurements such as VoIP MOS (Mean Opinion
Score), MDI (Media Delivery Index), and VMOS (Video Mean
Opinion Score). A packet loss of less than 1 percent can
render a video stream unwatchable in practice. Hence the
need for real-time monitoring solutions, such as NPBs and
associated analytic tools.
NPBs fill in the missing piece of the puzzle. They allow what
could be an expensive monitoring-tools layer to become an
efficient way of monitoring a network through the collection
of relevant data packets from multiple places or even across
several network segments through a network intelligence
optimization layer, as described in Chapter 3.
Lawful interception / CALEA
The Communications Assistance for Law Enforcement Act (CALEA)
is a 1994 U.S. wiretapping law that requires telecommunications
carriers and manufacturers of telecom equipment to modify
and design their equipment, facilities, and services to provide
built-in surveillance capabilities, allowing federal agencies to
monitor all telephone, broadband Internet, and VoIP traffic in
real time.
Leading NPB devices offer deep packet inspection that helps
carriers comply with CALEA and its international counterparts
by extracting network traffic pertaining to specific IP, MAC,
and e-mail addresses; instant-messaging communications; and
more.
SLA monitoring
Most service providers publish service-level agreements (SLAs)
that define key performance indicators (KPIs) for minimally
acceptable levels of service performance. An ISP may
guarantee “five nines” (99.999 percent) of uptime to a certain
tier of customers, for example, or an FNO may guarantee that
a customer’s WAN connection will never fall below a certain
bandwidth threshold.
Most SLAs outline financial penalties to be incurred by
service providers in the event that they fall short of their
obligations. These penalties usually take the form of service
credits toward current and future customer invoices and can
amount to hundreds of thousands of dollars.
Don’t knock this 4G NOC
One of the largest carriers in the United States, serving more
than 100 million people, recently constructed a network
operations center (NOC) to monitor the performance of its 4G
LTE network. The company understood the strategic importance
of network packet broker technology and began evaluating
leading vendors.
After a rigorous selection process, the carrier chose VSS
Monitoring (www.vssmonitoring.com) based on its impressive
lineup of feature-rich, fault-tolerant NPB devices. VSS offered
key capabilities, such as deep packet inspection, fragment
reassembly, session-based load balancing, and a scalable mesh
NPB system design.
By selecting NPBs from VSS Monitoring for its new NOC, the
carrier was able to reduce the required number of 4G
performance probes from nine to just one, and to monitor seven
additional 4G network rollouts without adding a single extra
probe. This solution streamlined the NOC’s
performance-monitoring architecture while simultaneously
lowering total cost of ownership. Capital expenses were reduced
by up to 80 percent, with operating expenses reduced by up to
50 percent.
Chapter 7
Selecting the Right NPB Vendor
In This Chapter
▶ Determining what you need
▶ Calculating your bandwidth and connectivity needs
▶ Documenting your system requirements
▶ Choosing the best vendor for your requirements and budget
Selecting a network packet broker vendor can be a
daunting task, especially if you’re new to NPB technology.
You may be tempted to make a decision based on the
knowledge you gain from the first vendor you meet, or you
might assume that a friend’s vendor is right for you. Either
path could prove costly without proper due diligence.
Whether you’re a newcomer to NPB technology or an
experienced hand, you should evaluate NPB vendors as a
methodical four-step exercise:
1. Catalog your bandwidth and connectivity
requirements.
2. Document your feature requirements.
You can use the checklist later in this chapter to
compile your requirements.
3. Evaluate potential vendors.
4. Select a vendor.
I walk you through all four steps in this chapter.
Step 1: Catalog Bandwidth and
Connectivity Requirements
To begin the process, you must catalog your organization’s
bandwidth requirements and connectivity types. Without all
this information, you can’t determine which NPB models are
suitable for your network.
Network bandwidth
Ever hear the adage “Don’t kill a fly with a sledgehammer”?
Well, this expression applies perfectly to NPBs. Unless you
know your peak bandwidth utilization at points on the network
where you plan to place NPBs, you may be oversizing or even
undersizing your NPBs. If your NPB’s maximum throughput is
too small, your monitoring tools can’t do their job, and if it’s
too large, you’re pouring money down the drain.
Network connectivity
Every NPB offers different quantities and types of network
interfaces, so it’s important to know the types of interfaces
you have on both the network interface side (switches and
routers) and the network monitoring tool side (security and
performance tools).
Better NPBs allow you to configure any interface as a network
or monitoring port, but you still need to determine what types
of interface connectors you need.
Step 2: Document Your NPB
Feature Requirements
NPB capabilities vastly differ from one vendor to another.
Even the capabilities of NPB models offered by a single
vendor can vary greatly, because the vendor attempts to
package its NPB offerings to meet each organization’s needs
(and budget).
In this step, consider which NPB features are most important
to you and best meet the needs of your network. (For a quick
refresher on NPB features, flip back to Chapter 3.)
As you work through this step, the “NPB requirements checklist”
presented in Figure 7-1 can help you organize your thoughts.
Figure 7-1: NPB requirements checklist.
Administration
Start by considering these administration features:
✓ On-box interface: Every NPB device provides a means
for you to configure it remotely — rather than manually
setting the dip switches or rotary dials found on typical
network TAPs. Although better NPBs offer centralized
administration (see the next item), some old-school IT
administrators prefer an old-fashioned CLI or an overly
simplified GUI.
✓ Centralized administration: Top-tier NPB vendors enable
you to connect your NPBs to a fault-tolerant system (see
“NPB interconnection requirements,” later in this chapter).
Those that do often offer comprehensive centralized
administration software, usually encompassing a web-based
interface, which allows you to configure and monitor all
NPBs from one central console. This option is almost
always preferable to an on-box-configuration CLI or GUI.
Fault tolerance
Your fault-tolerance checklist should include the following
items:
✓ Power-loss packet-flow policies: If you’re deploying
only passive network security and/or performance tools,
ignore this feature. If you’re deploying active tools,
however, this feature enables you to determine whether
you want the NPB to fail open or fail closed, depending
on the desired outcome upon NPB power loss. (I discuss
this topic in detail in Chapter 2.)
✓ Link state mirroring: As I discuss in Chapter 3, this
feature helps you overcome potential problems related
to asymmetric routing. If your inline NPB detects that
one of the two devices to which it’s connected is down,
it drops its link to the device on the other side so that
device knows it, and traffic gets routed through a
redundant path.
✓ Reboot accelerated failover (1G copper only): You
may recall from Chapter 2 that 1G copper networks are
unique, in that inline NPBs that are configured to fail
open use a magnetic relay to connect the two inline
interfaces during power loss. This feature accelerates
the NPB rebooting process from 200 milliseconds to
30-60 milliseconds, which prevents connected routers
and switches from triggering a spanning tree protocol
(STP) topology change.
✓ Health-check packets: This nifty feature enables NPBs
to monitor the status of active network security or
performance tools that are connected to them. If a tool
hangs (stops inspecting traffic, for example), the NPB can
initiate a fail-open or fail-closed sequence, or redirect
traffic to a standby tool, depending on the intended
consequence of a failed active tool.
Traffic grooming
Next, consider your traffic-grooming needs:
✓ Traffic regeneration: This feature (see the discussion of
regeneration TAPs in Chapter 2) enables traffic from one
network segment to be duplicated, or regenerated, for
the benefit of multiple monitoring tools.
✓ Selective traffic aggregation: This extremely useful
feature could be your primary motivation for acquiring
NPBs. With selective traffic aggregation, you can aggregate
traffic from multiple segments and direct it to one or
more tools for inspection.
✓ Hardware-based packet filtering: This feature enables
you to strip off traffic that doesn’t pertain to your
monitoring tool, freeing the tool to inspect only traffic of
interest. It also frees your monitoring tools’ resources
and prevents oversubscription.
✓ Session-aware load balancing: Virtually every organization
that has deployed NPBs uses them to load-balance
traffic to a group of monitoring tools. This feature prevents
oversubscription of your tools and adds a layer of fault
tolerance to those tools. It also enables your 1G monitoring
tools to inspect traffic on 10G networks (assuming that
they have ample processing resources to collectively
handle the increased traffic).
✓ High data-burst buffering: In Chapter 3, I discuss
problems associated with microbursts. This feature
helps you overcome these problems by buffering
microbursts to smooth out delivery of captured packets so
that the packets aren’t dropped. It’s particularly useful
in environments that have large amounts of multimedia
traffic (movies, music, live video streams, and so on).
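A model of session-aware load balancing combined with the health-check redirection from the fault-tolerance list, as an added example (not code from the book or from any NPB vendor): a direction-independent hash of the 5-tuple keeps both halves of a conversation on the same tool, and a tool that stops answering health checks is replaced by a standby. The tool names, flows and standby list are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple as seen by the NPB."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int            # 6 = TCP, 17 = UDP


def session_key(flow):
    """Direction-independent key: A->B and B->A yield the same tuple,
    so both halves of a conversation land on the same tool."""
    a = (flow.src_ip, flow.src_port)
    b = (flow.dst_ip, flow.dst_port)
    lo, hi = sorted([a, b])
    return (lo, hi, flow.proto)


def session_hash(flow):
    """Stable hash of the symmetric key. Python's hash() is randomised per
    process, so SHA-256 is used to keep the bucket choice reproducible."""
    digest = hashlib.sha256(repr(session_key(flow)).encode()).digest()
    return int.from_bytes(digest[:8], "big")


@dataclass
class ToolGroup:
    """A load-balanced group of monitoring tools plus cold standbys."""
    tools: list                               # e.g. three 1G IPS appliances
    standby: list = field(default_factory=list)
    down: set = field(default_factory=set)

    def active(self):
        """Healthy primaries, with standbys promoted to fill any gaps."""
        live = [t for t in self.tools if t not in self.down]
        missing = len(self.tools) - len(live)
        spares = [s for s in self.standby if s not in self.down]
        return live + spares[:missing]

    def tool_for(self, flow):
        """Pick the tool for this packet from the current healthy set."""
        live = self.active()
        if not live:
            # every tool is down: the fail-open/fail-closed policy decides
            raise RuntimeError("no healthy tool; apply fail-open or fail-closed policy")
        return live[session_hash(flow) % len(live)]

    def health_check(self, tool, responded):
        """Record the outcome of a health-check packet sent through `tool`."""
        if responded:
            self.down.discard(tool)
        else:
            self.down.add(tool)


def distribute(group, flows):
    """Count how many packets each tool receives (to check the spread)."""
    counts = {}
    for flow in flows:
        tool = group.tool_for(flow)
        counts[tool] = counts.get(tool, 0) + 1
    return counts


def sample_flows(n):
    """Constructed sample: n client->server TCP flows plus their reverse direction."""
    flows = []
    for i in range(n):
        client = f"10.0.{i // 256}.{i % 256}"
        flows.append(Flow(client, "192.0.2.10", 40000 + i, 443, 6))
        flows.append(Flow("192.0.2.10", client, 443, 40000 + i, 6))
    return flows


if __name__ == "__main__":
    group = ToolGroup(tools=["ips-1", "ips-2", "ips-3"], standby=["ips-spare"])
    print(distribute(group, sample_flows(300)))
    group.health_check("ips-2", responded=False)   # ips-2 stopped answering
    print(group.active(), distribute(group, sample_flows(300)))
```

Modulo bucketing remaps many sessions whenever the healthy set changes; a consistent-hash or flow-table scheme limits that churn.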
Packet optimization
Review the following packet-optimization features:
✓ Time- and port-stamping: Both the time and port can be
stamped into packets as they enter the NPB device.
Time-stamping is useful for transaction-based applications,
such as those that process stock-market transactions.
Port-stamping is useful for network forensics applications
that collect packets for evidentiary purposes.
✓ Packet de-duplication: Network and security tools
sometimes receive duplicate packets from the same
traffic source, due to redundancies in network design
and/or monitoring-tool access. This feature prevents
monitoring-tool oversubscription, false positives, and
inaccurate performance reporting by detecting and
discarding duplicate packets.
✓ Conditional packet slicing/masking: Is your organization
affected by Payment Card Industry (PCI), Health
Insurance Portability and Accountability Act (HIPAA), or
other regulations? If so, this feature can help by slicing
off parts of a packet that are unrelated to the monitoring
tool’s job, such as payload data containing credit card
numbers, Social Security numbers, and other personally
identifiable information.
✓ Packet fragment reassembly: Fragmented packets
prevent certain traffic from being inspected properly
by monitoring tools. This feature reassembles packet
fragments into their original form before forwarding
them to monitoring tools for inspection.
✓ Protocol stripping: Some monitoring tools can’t handle
traffic carrying certain protocols, labels, or encapsulations,
either because their software wasn’t designed for such
traffic or because their hardware can’t process those
protocols. Protocol stripping enables the NPB to strip off
things like GTP headers, MPLS labels, VLAN tags, and
VN-Tags, enabling monitoring tools to operate more
efficiently and effectively.
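The de-duplication, conditional slicing and protocol-stripping stages above, worked on raw Ethernet frames as an added example (not code from the book or from any NPB vendor). It assumes IPv4 over Ethernet carrying TCP or UDP with at most one 802.1Q tag; the sample frames, the de-duplication window and the rule of masking TTL and IP checksum before fingerprinting are constructed choices.

```python
import hashlib
import struct

ETH_LEN = 14                 # destination MAC, source MAC, EtherType
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def ethertype(frame):
    return struct.unpack("!H", frame[12:14])[0]


def strip_vlan(frame):
    """Protocol stripping: remove one 802.1Q tag (4 bytes after the MACs)."""
    if len(frame) >= 18 and ethertype(frame) == ETHERTYPE_VLAN:
        return frame[:12] + frame[16:]
    return frame


def payload_offset(frame):
    """Offset of the transport payload in an untagged IPv4/TCP or UDP frame.
    Anything else is left whole (offset == len(frame))."""
    if len(frame) < ETH_LEN + 20 or ethertype(frame) != ETHERTYPE_IPV4:
        return len(frame)
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    proto = frame[ETH_LEN + 9]
    l4 = ETH_LEN + ihl
    if proto == 6 and len(frame) >= l4 + 20:      # TCP: data-offset nibble
        return l4 + (frame[l4 + 12] >> 4) * 4
    if proto == 17:                                # UDP: fixed 8-byte header
        return l4 + 8
    return len(frame)


def slice_payload(frame):
    """Conditional slicing: keep L2-L4 headers, drop the application payload
    so regulated data (card numbers, SSNs) never reaches the tool."""
    return frame[:payload_offset(frame)]


class Deduplicator:
    """Drops a frame whose content was already seen within `window` frames.
    TTL and IP header checksum are masked first, so the same packet captured
    on two hops still fingerprints as a duplicate (constructed rule)."""

    def __init__(self, window=1000):
        self.window = window
        self.seen = {}       # fingerprint -> sequence number when first seen
        self.count = 0

    def fingerprint(self, frame):
        f = bytearray(frame)
        if len(f) >= ETH_LEN + 20 and ethertype(f) == ETHERTYPE_IPV4:
            f[ETH_LEN + 8] = 0                          # TTL
            f[ETH_LEN + 10:ETH_LEN + 12] = b"\x00\x00"  # header checksum
        return hashlib.sha256(bytes(f)).digest()

    def is_duplicate(self, frame):
        self.count += 1
        fp = self.fingerprint(frame)
        first = self.seen.get(fp)
        if first is not None and self.count - first <= self.window:
            return True
        self.seen[fp] = self.count
        if self.count % self.window == 0:              # periodic pruning
            self.seen = {k: v for k, v in self.seen.items()
                         if self.count - v <= self.window}
        return False


def optimize(frames, dedup):
    """NPB pipeline: strip the VLAN tag, de-duplicate, then slice the payload."""
    out = []
    for frame in frames:
        frame = strip_vlan(frame)
        if dedup.is_duplicate(frame):
            continue
        out.append(slice_payload(frame))
    return out


def build_tcp_frame(payload, ttl=64, vlan=None):
    """Constructed sample Ethernet/IPv4/TCP frame (checksums left zero)."""
    macs = bytes.fromhex("001122334455" "66778899aabb")
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, ttl, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    return macs + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload


if __name__ == "__main__":
    first_hop = build_tcp_frame(b"card=0000111122223333", ttl=64)
    second_hop = build_tcp_frame(b"card=0000111122223333", ttl=63, vlan=100)
    for frame in optimize([first_hop, second_hop, first_hop], Deduplicator(window=10)):
        print(len(frame), frame.hex())
```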
NPB interconnection requirements
Consider the following requirements for connecting NPBs:
✓ Daisy chaining: Daisy chaining is the simplest way to
connect and share traffic between NPBs. As I discuss in
Chapter 3, however, this design is suboptimal, because each
NPB in the chain represents a single point of failure and a
potential system bottleneck.
✓ Star or hub-and-spoke: A star or hub-and-spoke design
offers an improved architecture over daisy chaining, but
the hub (the central NPB that connects to all other NPBs)
still represents a single point of failure.
✓ Mesh: A mesh design is optimal for larger NPB systems,
as no single NPB is a single point of failure. Not all NPBs
support mesh architectures, however. This feature
should be weighted heavily by organizations that have
numerous and/or geographically dispersed NPB devices.
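A check of the three interconnection designs for single points of failure and for the number of NPB hops a mirrored packet must cross to reach the tools, as an added example (not code from the book or from any NPB vendor). The four-NPB topologies and the choice of which NPB hosts the tools are constructed.

```python
from collections import deque
from itertools import combinations


def build_graph(links):
    """Undirected adjacency from (npb_a, npb_b) interconnection links."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def hops_to(graph, site, failed=None):
    """BFS distance from the tool site to every NPB still reachable while
    `failed` is down; NPBs that are cut off are absent from the result."""
    dist = {site: 0}
    queue = deque([site])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt != failed and nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def isolated_on_failure(links, site):
    """For each NPB other than the tool site: which NPBs could no longer
    deliver captured traffic to the tools if that NPB failed."""
    graph = build_graph(links)
    result = {}
    for failed in sorted(graph):
        if failed == site:
            continue
        reach = hops_to(graph, site, failed)
        result[failed] = sorted(n for n in graph if n != failed and n not in reach)
    return result


def single_points_of_failure(links, site):
    """NPBs whose failure strands at least one other NPB."""
    return sorted(n for n, lost in isolated_on_failure(links, site).items() if lost)


def max_hops(links, site):
    """Longest path any mirrored packet takes to the tools; every extra hop
    is an NPB whose backplane becomes a potential bottleneck."""
    return max(hops_to(build_graph(links), site).values())


# The three designs from the checklist, as link lists (constructed names)
def daisy_chain(names):
    return [(names[i], names[i + 1]) for i in range(len(names) - 1)]


def star(hub, spokes):
    return [(hub, s) for s in spokes]


def full_mesh(names):
    return list(combinations(names, 2))


if __name__ == "__main__":
    npbs = ["npb-1", "npb-2", "npb-3", "npb-4"]
    designs = [("daisy chain", daisy_chain(npbs), "npb-4"),
               ("star", star("npb-1", npbs[1:]), "npb-2"),
               ("mesh", full_mesh(npbs), "npb-1")]
    for label, links, site in designs:
        print(label, single_points_of_failure(links, site), max_hops(links, site))
```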
Future requirements
Don’t fall into the trap of designing your NPB system to
accommodate only your immediate needs. Save yourself
considerable money and headaches by building in additional
capacity to accommodate future growth.
To help yourself predict the future, answer these questions:
✓ Network growth: Are you planning to upgrade any 1G
network segments to 10G? Do you foresee an increase in
average bandwidth use? Is your organization expanding
into new branch offices?
✓ Network tools: Are you already allocating funds for new
security and/or performance tools in next year’s budget?
Do you expect, in the years ahead, to acquire any new
monitoring tools that have just hit the market?
Step 3: Evaluate Potential
NPB Vendors
Now it’s time to find candidate vendors. This process has
three substeps:
1. Create a short list.
I recommend that you work with Gartner or your
preferred IT research firm to create a short list of two
or three preferred NPB vendors. As your job is on the
line, select only vendors with proven track records.
2. Perform on-site evaluations.
Don’t buy before you try, no matter what. Every
vendor thinks that its NPBs are the greatest, but you
need to find out for yourself. Test at least one unit
in your production environment, as opposed to just
lab-testing, and find an excuse to contact the vendor’s
customer support team to gauge response time and
quality of problem resolution.
3. Request proposals.
After you complete your on-site evaluation, request
formal proposals from your top two vendors.
Work carefully with the vendor’s sales engineers to
design your NPB system. They are well equipped to
guide you to the NPB models that match your specific
requirements.
Step 4: Select a Vendor
Now it’s up to you to make the right choice. Selecting an
NPB vendor is just as important as selecting the actual NPB
models — if not more important. Price is a major factor to
consider, of course, but you also need a partner you can
trust — one that has the vision to deliver as your needs
evolve and that will fully support you every step of the way
as you solve your network security and performance tool
deployment challenges.
Just follow your instincts. You’ll do great!
Chapter 8
Ten Ways to Lower Your Network’s TCO
In This Chapter
▶ Getting the most out of your existing monitoring tools
▶ Maximizing network uptime
▶ Centralizing operations
Regardless of whether you work for a Global 2000
enterprise or a small government agency, I guarantee
that your chief information officer and/or chief information
security officer is always looking for ways to lower operating
expenses and stretch his or her budget as far as it can go.
This chapter presents ten ways that NPBs can help lower your
network’s total cost of ownership (TCO).
Prevent Tool Oversubscription
Like all computing devices, every network security and
performance tool has a fixed amount of processing power.
When that amount is exceeded, the tool becomes
oversubscribed; it either stops monitoring portions of traffic
(in a passive configuration) or potentially starts dropping
packets (in an active configuration). NPB features such as
hardware-based filtering, load balancing, packet de-duplication,
packet slicing, and protocol stripping can optimize tool
performance and prevent oversubscription.
TCO benefit: NPB features can help you delay purchasing
additional tools and/or upgrading existing ones.
Alleviate SPAN-Port Contention
A network switch’s SPAN port is a limited resource. NPBs can
alleviate SPAN-port contention by tapping links between
network devices and/or aggregating traffic from multiple SPAN
ports and regenerating (duplicating) that traffic for the
benefit of multiple passive tools.
TCO benefit: NPBs improve the access of tools, thereby
maintaining network security and performance.
Solve Your Media-Conversion
Challenges
Have you ever faced the challenge of connecting a 1G fiber
monitoring tool to a copper switch — or trying to interface
that same 1G tool with a 10G network? NPBs help you solve
both media-conversion problems by enabling virtually any
monitoring tool to interface with virtually any network.
TCO benefit: NPBs save you money by eliminating the need
to swap out perfectly good monitoring tools for tools with
different media interfaces — and potentially higher costs.
Expand the Network Visibility
of Your Existing Tools
A single tool is limited to inspecting the network traffic for
which it has available interfaces. To repeat an example from
Chapter 5, an eight-port IPS can natively inspect only eight
passive network segments or four active network segments —
two interfaces for each active segment. What if you need your
IPS to inspect twice as many network segments? NPBs can
help by aggregating traffic from many segments and directing
that traffic to one or more IPS appliances.
TCO benefit: Selective network aggregation can negate the
need to acquire additional (often very expensive) security and
performance tools by expanding the network visibility of your
existing tools.
Maximize Network Uptime
through Fault Tolerance
Advanced NPB fault-tolerance features — such as power-loss
packet-flow policies, link state mirroring, reboot accelerated
failover, and health-check packets (refer to Chapter 3) — can
prevent costly downtime in the event that an NPB and/or a
network security or performance tool fails.
TCO benefit: You tell me! What’s your cost of downtime for
network failure? Whatever that number may be, you can
potentially save that amount by implementing the key
fault-tolerance capabilities of preferred NPBs.
Increase System Reliability
with a Mesh Design
In Chapter 3, I compare mesh designs with daisy-chaining
and star or hub-and-spoke designs. Mesh designs are the best
choice, because no single NPB is a single point of failure. Also,
better NPB systems configured in a mesh design can route
traffic automatically in the event that an NPB fails.
TCO benefit: Again, the TCO benefit is directly related to your
network’s cost of downtime. Mesh designs offer the greatest
configuration flexibility and fault tolerance.
Centralize Network and
Security Operations
Every global organization wants to empower its IT staff to manage
and monitor its networks locally, but many organizations also
want the ability to do so globally — often in a network operations
center (NOC) and/or security operations center (SOC).
TCO benefit: NPBs can simplify complex network designs
to accommodate centrally located NOCs and SOCs, saving
your organization the considerable cost of creating a new or
expanded network infrastructure.
Extend the Life of Your
Existing Tools
Aside from media conversion, you have many ways to extend
the useful life of your existing security and performance tools,
including selective traffic aggregation, packet filtering, load
balancing, packet slicing/masking, and protocol stripping. All
these features enable you to reduce the resource utilization of
your existing tools, thereby extending their useful life.
TCO benefit: Getting the most mileage out of your existing
security and performance tools postpones the need to replace
them with higher-capacity models.
Increase Tool Selection Flexibility
All the features in the preceding section that help reduce
resource use of your existing tools also increase your flexibility
in acquiring new tools. Packet filtering alone, for example,
may reduce your average bandwidth use enough that you
don’t have to purchase the next-higher capacity (and more
expensive) model of tool.
TCO benefit: Save money by selecting more-cost-effective
monitoring tool models for lower inspected throughputs.
Plan for Future Growth
In Chapter 7, I talk about the importance of planning for
future growth. The adage “An ounce of prevention is worth a
pound of cure” certainly applies here. In the long run, it’s far
more cost-effective to select higher-end, mesh-capable NPBs
today than to purchase lower-end NPBs (or chassis-based
NPBs) that support only daisy-chaining or hub-and-spoke
interconnection designs for one NPB model at a time.
TCO benefit: By spending a little more now to future-proof
your NPB investment, you save money by minimizing the need
to acquire additional tools in the near future.