IXIA Visibility Fabric
Secure data analysis in the data center and in the cloud
Christian Reuling | IXIA
© 2018 IXIA AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED.
ISG Keysight (IXIA)
IXIA'S STRENGTH AND GLOBAL REACH
History: founded 1997; publicly traded (XXIA); key acquisitions: 2009 Catapult Communications, 2011 VeriWave, 2012 Anue Systems, 2012 BreakingPoint, 2013 Net Optics; 2017 Ixia became part of Keysight Technologies (Ixia Solutions Group).
Ixia: 20+ countries, $517 million, 1,900+ employees. Keysight: 100+ countries, 11,500 employees, $3.4 billion.
IXIA SOLUTION PORTFOLIO
Across the infrastructure (mobile, endpoint, network, data center, cloud) and across all platforms:
- Test: PerfectStorm, BPS, vEPC, IxLoad/VE, IxNetwork/VE, Multis, SDN; wireless 802.11ac, MU-MIMO
- Security: ThreatARMOR, ATI
- Visibility: Flex Taps, iBypass, Virtual Taps; NTO, Vision ONE, Hawkeye, xStream40, Control Tower
Visibility Fabric
EXAMPLE NETWORK INFRASTRUCTURE
(diagram: router, two switches, servers)
WHAT DO YOU WANT TO KNOW
(diagram: router, two switches, servers)
How does an organization make sure that the millions of dollars spent on the network are paying off in terms of:
➢ Availability: meeting SLAs
➢ Security: potential threats, data loss prevention, vulnerabilities
➢ Compliance: Sarbanes-Oxley, HIPAA, PCI DSS
➢ Performance: end-user experience, troubleshooting, root cause analysis
➢ Trends: capacity planning and scalability
SOLVE PROBLEMS WHEN USING TOOLS
(diagram: router, two switches, servers with SPAN ports, and a tools farm)
How to connect the tools to the network:
➢ Different tools compete for the same data
➢ Poor data quality from SPAN ports
➢ Different link speeds and standards in the network
➢ Possibly more data than the tool can handle
➢ Tunneling protocols may be in place (VXLAN / VN-Tag), hiding the inner traffic from tools that do not parse the encapsulation
STEP 1: DEPLOY TAPS
(diagram: router, two switches, servers, with TAPs on the links)
Deploy Ixia TAPs within your network architecture to get full visibility of every tapped link.
TAP VERSUS SPAN
TAP:
➢ Full-duplex TAPs deliver each direction on its own output, so no packets are lost to aggregation
➢ The simplest (passive) optical TAPs contain no electronics, cannot fail in the data path and grow with the network from GE to 100GE
➢ Copper TAPs are fail-safe even when power is lost (a relay closes the link)
➢ Available for all media types:
Copper: 10M, 100M and 1G
Optical: single mode 1G to 100G, multi mode 1G to 100G, Cisco BiDi
SPAN:
➢ The limited number of SPAN sessions per switch forces compromises (multiple tools cannot be used at the same time)
➢ Must be configured and maintained (every change is a change on the production network, with the associated risk)
➢ Load-dependent behaviour: mirroring has the lowest priority on the switch, so packets are dropped already at moderate load, and a single SPAN port carrying both directions of a busy full-duplex link is oversubscribed by design
STEP 2: DEPLOY CLOUDLENS
(diagram: router, two switches, servers with SPAN ports and virtual TAPs)
Deploy the Ixia CloudLens Private solution as a virtual TAP inside the hypervisors; use SPAN ports as needed where a TAP is not an option.
VIRTUAL NETWORKS
(diagram: hypervisor with a virtual switch connecting VM 1 WEB, VM 2 APP and VM 3 DB)
East-west traffic between VMs on the same host never leaves the hypervisor's virtual switch, so it is NOT seen by network monitoring tools fed from physical TAPs or SPAN ports.
CLOUDLENS PRIVATE
Virtual Traffic Visibility:
• Inter-VM traffic monitoring
• Multiple hypervisor support (ESXi, KVM, Hyper-V)
• GRE, VLAN and ERSPAN transport protocols
• Centralized management
(diagram: a vTAP service on the monitoring vSwitch of each ESXi, KVM and Hyper-V host, managed by the CloudLens Manager and the vCenter Server; mirrored traffic leaves the host over GRE, VLAN, ERSPAN or a custom tunnel and can be enriched on the way with NetFlow, geo-location, time stamping, deduplication and header stripping; physical end-point tools receive NetFlow or full packets: IPS/IDS, DLP, FireEye, Splunk, Scrutinizer, NTOP, a Radcom monitoring probe and vGSC)
STEP 3: SOLVE ANOTHER PROBLEM
(diagram: router, two switches, servers; TAPs and SPAN ports patched directly into the tools farm)
Granularity can become very costly because:
> Every TAP requires two tool ports (A>B and B>A)
> Link speed dictates tool speed and performance (very costly for 40G/100G)
> Different tools compete for the same TAP or SPAN port
> If there are fewer tool ports than TAP or SPAN ports, engineers have to re-patch ports by hand (access control/rights and distance become problems)
> Tools are flooded with data they do not need
STEP 4: ADD A PACKET BROKER
(diagram: TAPs and SPAN ports at 1G, 10G and 100G feed a packet broker, which feeds the tools farm)
VISIBILITY INTELLIGENCE STACKS
SecureStack
• Passive SSL decryption (ATIP): needs a copy of the server's private key and only works for RSA key exchange, so (EC)DHE and TLS 1.3 sessions cannot be decrypted passively
• Active SSL (Q2 2018): inline interception with a CA certificate the clients trust
NetStack (Standard)
• 3 stages of filtering (ingress per network port, dynamic tool filters, egress per tool port)
• Dynamic filter compiler
• Double your ports
• VLAN tagging
• Aggregation and replication
• Load balancing
PacketStack (AFM)
• Deduplication
• Header stripping and protocol trimming
• Timestamping
• Data masking
• GRE tunneling
• Burst protection
AppStack (ATIP)
• Application and RegEx filtering
• Geolocation and tagging
• Real-time dashboard
• NetFlow and IxFlow
• Data masking
• PCAP
MobileStack (GSC)
• GTP session correlation
• GTP load balancing
• Subscriber sampling
• Subscriber filtering
• EPC filtering
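The NetStack and PacketStack functions listed above (three-stage filtering, VXLAN header stripping, deduplication, data masking) and the step 3 problems they solve, as one worked pipeline. This is an added example in Python written for this page; it is not Ixia code and not how the NTO implements these features. The frames are constructed inline (not captured traffic), the tool names ids/apm/dlp, the 10.1.0.0/16 server segment and the 16-digit card-number pattern are assumptions chosen for illustration, and the 100 ms dedup window, the TTL/checksum exclusion from the dedup hash and the length-preserving mask are design choices explained in the comments.

```python
"""Toy packet broker: VXLAN stripping, dedup, three-stage filtering, data masking.
Added example, not Ixia code. All frames are constructed here, not captured."""
import hashlib
import ipaddress
import re
import struct

VXLAN_PORT = 4789

# -- constructed frame builders (checksums left zero; the broker never checks them)
def eth(payload, ethertype=0x0800):
    return bytes.fromhex("0011223344550066778899aa") + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, l4, ttl=64):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + l4

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def tcp(sport, dport, payload):  # 20-byte header: data offset 5, flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload

def l4_offset(frame):
    """(ip_proto, offset of the L4 header) for an IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    return frame[23], 14 + (frame[14] & 0x0F) * 4

def strip_vxlan(frame):
    """Header stripping: return the inner frame of a VXLAN (UDP/4789) packet."""
    info = l4_offset(frame)
    if info is None or info[0] != 17 or len(frame) < info[1] + 16:
        return frame
    if struct.unpack("!H", frame[info[1] + 2:info[1] + 4])[0] != VXLAN_PORT:
        return frame
    return frame[info[1] + 16:]  # skip 8-byte UDP header + 8-byte VXLAN header

class Deduplicator:
    """Drop a frame already seen within `window` seconds (assumed 100 ms). TTL and IP
    checksum are zeroed before hashing so a packet tapped before and after a router matches."""
    def __init__(self, window=0.1):
        self.window, self.seen = window, {}
    def is_duplicate(self, frame, ts):
        key = bytearray(frame)
        if l4_offset(frame) is not None:
            key[22], key[24:26] = 0, b"\x00\x00"
        digest = hashlib.sha256(key).digest()
        last = self.seen.get(digest)
        self.seen[digest] = ts
        return last is not None and ts - last <= self.window

PAN_RE = re.compile(rb"(?<!\d)\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})(?!\d)")

def mask_pan(frame):
    """Data masking: overwrite all but the last four digits of 16-digit card numbers in
    the TCP/UDP payload, keeping the length so IP/UDP length fields stay valid."""
    info = l4_offset(frame)
    if info is None or info[0] not in (6, 17):
        return frame
    start = info[1] + (8 if info[0] == 17 else (frame[info[1] + 12] >> 4) * 4)
    masked = PAN_RE.sub(lambda m: b"X" * (m.end() - m.start() - 4) + m.group(1), frame[start:])
    return frame[:start] + masked

def tcp_port(port):
    """Dynamic filter: TCP frames with `port` as source or destination (IPv4 only)."""
    return lambda f: f[23] == 6 and port in struct.unpack("!HH", f[l4_offset(f)[1]:][:4])

def from_net(cidr):
    """Dynamic filter: IPv4 source address inside `cidr`."""
    net = ipaddress.ip_network(cidr)
    return lambda f: ipaddress.ip_address(f[26:30]) in net

def broker(frames, tools=None, tool_mtu=1518):
    """frames: iterable of (timestamp, raw_frame) from TAP/SPAN ports. Stage 1 (ingress): IPv4
    only. Stage 2 (dynamic): per-tool predicates. Stage 3 (egress): tool port MTU. -> {tool: [frames]}"""
    tools = tools or {"ids": lambda f: True,            # full feed
                      "apm": tcp_port(443),            # TLS flows only
                      "dlp": from_net("10.1.0.0/16")}  # one server segment (assumed)
    dedup, out = Deduplicator(), {t: [] for t in tools}
    for ts, raw in frames:
        frame = strip_vxlan(raw)
        if l4_offset(frame) is None or dedup.is_duplicate(frame, ts):
            continue
        frame = mask_pan(frame)
        for tool, pred in tools.items():
            if pred(frame) and len(frame) <= tool_mtu:
                out[tool].append(frame)
    return out

def sample_frames():
    """Constructed input: a TLS client hello, the same packet tapped again after a
    router hop (TTL 63), a checkout request seen through a VXLAN tunnel, and ARP noise."""
    hello = tcp(40000, 443, b"\x16\x03\x01 hello")
    tls = eth(ipv4("10.1.0.5", "192.0.2.10", 6, hello))
    tls_again = eth(ipv4("10.1.0.5", "192.0.2.10", 6, hello, ttl=63))
    pay = eth(ipv4("10.1.0.5", "10.2.0.7", 6, tcp(40001, 8080, b"POST /pay card=4111 1111 1111 1111")))
    vxlan = eth(ipv4("10.9.0.1", "10.9.0.2", 17, udp(54321, VXLAN_PORT, b"\x08\0\0\0\0\0\x64\0" + pay)))
    arp = eth(b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20, ethertype=0x0806)
    return [(0.000, tls), (0.001, tls_again), (0.002, vxlan), (0.003, arp)]

if __name__ == "__main__":
    print({tool: [f[54:] for f in delivered] for tool, delivered in broker(sample_frames()).items()})
```

Running it delivers two frames to ids (the TLS hello and the de-encapsulated checkout request with the card number masked), one to apm (only the port 443 flow) and two to dlp (both from 10.1.0.0/16); the second copy of the TLS packet is dropped as a duplicate and the ARP frame never passes the ingress stage. The masking point matters for the PCI DSS requirement above: a tool port that carries cleartext card numbers is itself in scope unless the broker masks them before delivery.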
WHO IS WHO OF IXIA PACKET BROKER
GRAPHICAL USER INTERFACE
The hard way (other vendors): Java client. The easy way (Ixia NTO): HTML5 in the browser.
USE CASE 1: ENTRY LEVEL PACKET BROKER
(diagram: router, two switches with SPAN ports)
Customer requirements:
➢ Network core with 8 x 10G connections
➢ Internet breakout with 2 x 1G
➢ 1 x 10G MM Dynatrace tool for APM
➢ SPAN ports for troubleshooting: 2 x 10G
➢ Basic filtering
➢ Deduplication
Solution: Ixia VisionEdge 10S
• 48 x 1G/10G ports
• NetStack
• PacketStack (dedup)
• Attractive per-port pricing
USE CASE 2: 40G NETWORK CORE - AGGREGATION
(diagram: router, two switches)
Customer requirements:
➢ Network core with 30 x 40G connections
➢ Firewall connections 8 x 10G
➢ 4 x 10G MM ExtraHop for DPI
➢ Advanced filtering
➢ Load balancing
➢ Header stripping
➢ Deduplication
➢ Ixia Fabric Controller (IFC)
Solution: Ixia VisionEdge series (ports from 1G to 100G, NetStack, attractive per-port pricing) for aggregation, plus VisionOne (standard and advanced filtering, PacketStack for dedup/stripping, IFC)
USE CASE 3: IXIA - EXTRAHOP - SPLUNK
(diagram: router, two switches, packet broker, ExtraHop, packet capture appliance, Splunk)
Customer requirements:
➢ The customer wants to feed a Splunk system with wire data
➢ A Splunk license for a direct packet feed is expensive
➢ An ExtraHop appliance can process the wire data and present only the important metrics to Splunk
➢ Ixia provides the access points in the network and a packet broker to connect all the devices
EXAMPLE NETWORK INFRASTRUCTURE
(diagram: router, two switches, servers)
WHAT HAPPENS IN THE CLOUD
INTRODUCING CLOUDLENS
Visibility across all your cloud environments: public, private and hybrid clouds.
CloudLens Private (branch office, virtual DC, private cloud): CloudLens vTap, CloudLens vPB, CloudLens vATIP
CloudLens Public: public cloud
PURPOSE BUILT FOR CLOUD
CloudLens has two components, in a cloud-native, serverless design:
1. A SaaS web interface where cloud visibility is managed (the management layer)
o Accessible from anywhere
o Easy to set up and manage
2. A Docker-based component that runs inside the source and tool instances in the customer's environment
o Sits behind the customer's own security controls, so packet data stays inside the customer's privacy and compliance boundary
o Metadata-based access, which allows for scalability
o More intelligent filtering
HOW CLOUDLENS WORKS
(diagram, the secure visibility path: the Ixia CloudLens Public management layer controls the sensors in the source instances; traffic is filtered at the source and the filtered traffic is sent securely from the instance to the tool instances running the monitoring, security and performance tools)
STEP 5: ADD CLOUDLENS PUBLIC
(diagram: the on-premises fabric of TAPs, SPAN ports and the packet broker at 1G/10G/100G feeding the tools farm, extended with CloudLens Public sensors in the public cloud)
INLINE
How to deploy inline tools like an IPS
(diagram: router, two switches, servers, IPS inline on the WAN link)
IPS inline:
• If the IPS fails, the link to the WAN is disrupted:
> No communication from and to the internet
> Online banking or any online shopping is disrupted as well
> Huge impact on the business
• Link load dictates tool performance:
> Large spending on high-performance hardware
> Possible data loss because the link load is higher than the tool can process
INLINE
(diagram: router, two switches, servers, with a bypass switch in front of the IPS)
Use a bypass switch: it monitors the inline tool with heartbeat frames and, when the tool stops answering, forwards the link traffic around it. Decide the failure mode consciously: fail-open keeps the link up but passes traffic uninspected until the tool recovers; fail-closed cuts the link but never lets traffic through unchecked.
MOST ADVANCED NPB FOR SECURITY DEPLOYMENTS
(diagram: internet, switch, Vision ONE with the security tools attached, internal switch)
Powerful encryption + flexible traffic handling + advanced services
Powerful SSL
✓ Up to 10Gb SSL
✓ Decrypt once, inspect many
✓ Offload decryption from multiple tools
✓ No impact on other services
(Decrypt once, inspect many means the tool ports carry cleartext: treat those ports, and the key material loaded into the broker, as sensitive as the origin servers themselves.)
Advanced inline support
✓ Heartbeat
✓ Service chaining
✓ Load balancing / HA
✓ Active/active resiliency
Vision ONE core features
✓ Rich NetFlow
✓ Data masking
✓ App ID / filtering
✓ 1/10/40Gb interfaces
✓ Filter compiler / best UI
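The heartbeat and bypass behaviour from the inline slides (a failed IPS takes the WAN link down; a bypass switch with heartbeat avoids that) as a small state machine. This is an added example in Python written for this page, not Ixia's iBypass or Vision ONE code. The heartbeat frame format (the IEEE local-experimental ethertype 0x88B5 plus an HB marker), the thresholds of three missed and two recovered heartbeats, and the toy IPS that drops any frame containing EVIL are assumptions chosen for illustration.

```python
"""Inline bypass switch with heartbeat: fail-open vs fail-closed.
Added example, not Ixia or iBypass code; frame format and thresholds are assumptions."""
from dataclasses import dataclass, field

# Heartbeat frame (assumption): broadcast dst, locally administered src, ethertype 0x88B5
# (IEEE local experimental) and a short marker. Real appliances use their own format.
HEARTBEAT = bytes.fromhex("ffffffffffff02000000000188b5") + b"HB"

@dataclass
class InlineTool:
    """Toy IPS: returns the frame to pass it, None to drop it. alive=False models a
    hung appliance that returns nothing at all, heartbeats included."""
    alive: bool = True
    blocklist: tuple = (b"EVIL",)

    def process(self, frame):
        if not self.alive:
            return None
        return None if any(sig in frame for sig in self.blocklist) else frame

@dataclass
class BypassSwitch:
    """Sits on the production link in front of the tool. Injects heartbeats into the
    tool path; after `max_missed` consecutive losses it declares the tool down."""
    tool: InlineTool
    fail_open: bool = True      # True: route around the tool; False: cut the link
    max_missed: int = 3
    recover_count: int = 2
    bypassed: bool = False
    missed: int = 0
    good: int = 0
    log: list = field(default_factory=list)

    def heartbeat(self):
        """One heartbeat interval: inject, check whether it came back, update state."""
        if self.tool.process(HEARTBEAT) == HEARTBEAT:
            self.missed, self.good = 0, self.good + 1
            if self.bypassed and self.good >= self.recover_count:
                self.bypassed = False
                self.log.append("tool recovered: traffic back inline")
        else:
            self.good, self.missed = 0, self.missed + 1
            if not self.bypassed and self.missed >= self.max_missed:
                self.bypassed = True
                self.log.append("tool down: " + ("bypass engaged (fail-open)" if self.fail_open
                                                 else "link cut (fail-closed)"))

    def forward(self, frame):
        """The frame that reaches the far side of the link, or None if it is dropped."""
        if self.bypassed:
            return frame if self.fail_open else None
        return self.tool.process(frame)  # hung but not yet detected: everything is lost

def scenario(fail_open):
    """Healthy tool -> tool hangs -> detection -> tool recovers. Returns what got through."""
    tool = InlineTool()
    sw = BypassSwitch(tool, fail_open=fail_open)
    r = {}
    sw.heartbeat()
    r["healthy_clean"] = sw.forward(b"GET / HTTP/1.1") is not None
    r["healthy_evil"] = sw.forward(b"EVIL payload") is not None
    tool.alive = False
    r["undetected_clean"] = sw.forward(b"GET / HTTP/1.1") is not None  # detection window
    for _ in range(sw.max_missed):
        sw.heartbeat()
    r["bypassed"] = sw.bypassed
    r["down_clean"] = sw.forward(b"GET / HTTP/1.1") is not None
    r["down_evil"] = sw.forward(b"EVIL payload") is not None  # the security cost of fail-open
    tool.alive = True
    for _ in range(sw.recover_count):
        sw.heartbeat()
    r["recovered"] = not sw.bypassed
    r["recovered_evil"] = sw.forward(b"EVIL payload") is not None
    r["log"] = list(sw.log)
    return r

if __name__ == "__main__":
    for mode in (True, False):
        print("fail_open=%s" % mode, scenario(mode))
```

Running it shows the two costs a practitioner has to weigh: during the detection window (before max_missed heartbeats are lost) everything on the link is dropped regardless of mode, and in fail-open mode the EVIL frame the IPS would have blocked passes untouched until the tool recovers. Fail-closed avoids the second cost at the price of the outage the slide above describes, which is why the heartbeat interval and thresholds deserve as much attention as the choice of mode.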
IXIA SECURITY FABRIC / IXIA'S COMPLETE MONITORING SOLUTION
High-performance, high-availability security: a highly available security architecture for tools; high-availability inline; standalone bypass with high MTBF (active-standby); NPB (active-active); incredibly simple inline design and deployment.
High-performance, complete platforms: Vision ONE (full HA inline, AFM and ATIP); Vision Edge (software-defined NPB); Vision 7300 (7U high capacity, 100G to 10G, 288 10G ports); Bypass VHD and HD (bypass for HA inline in physical data centers and branches).
Pervasive access: full line of secure TAPs and virtual sensors; high-density TAPs delivering mirrored, raw data from branch site, data center, private and public cloud.
Complete access to virtual environments (private cloud DC and public cloud): CloudLens Public (container-based sensor, pre-filtered for optimized traffic, cloud-native scale-out); CloudLens Private (instant access to the guest, integrated orchestration).
Software-defined architecture, best-of-breed technologies: patented filtering, drag-n-drop UI, IFC (true SDN fabric controller), distributed and resilient, scalable, purpose built, high performance (terabits/sec).
Thank you for your attention