It’s What You Can’t See That Will Sink You: Enhance Network Security and Increase Your Visibility

© 2014 Gigamon. All rights reserved.

Upload: nickolas-lambert

Post on 22-Dec-2015


Quotation

“We have to build our systems on the assumption that adversaries will get in.”

~Deborah Plunkett, Head of the US National Security Agency’s Information Assurance Directorate

You can’t find what you can’t see…

Improving Network Security

Improving Network Security: Improved Reliability for Out-of-Band Monitoring and Analysis

[Diagram: centralized tools (Application Performance, Network Management, Security), with legend]

Inline Device Vendors:

Improving Network Security: Improved Reliability for Inline Protection

Out-of-Band Device Vendors:

Improving Network Security: Improved Reliability for Out-of-Band Monitoring and Analysis

Improving Network Security: Best Practices

| Conventional | Best Practice |
| --- | --- |
| Protect with Inline Security | Inline Security with Bypass Protection |
| Aggregate from SPAN / Mirror Ports | Aggregate from TAPs |
| Monitor Critical Links | Aggregate Entire Network, Send Critical Traffic Flows to Monitors |
| Provide All Traffic to All Tools | Deliver Only Relevant Traffic Flows to Each Monitoring Device |
| Analyze Traffic at Edge with Distributed Tools | Aggregate Low Utilization Edge Links to Centralized High Performance Tools |
| Replace All Tools with Every Network Speed Upgrade | Load-Balance Traffic to Existing Tools, Adding or Upgrading Where Needed |
| Limit Access Via Login Restrictions to Ensure Compliance & Confidentiality | Use Packet Slicing and Data Masking to Sanitize Traffic Before Reaching Tools |

Improving Network Security: Important Questions

- Could your inline security become a point of failure?
- Are all critical paths monitored?
- Does each solution owner know about network topology changes?
- Can suspicious traffic be forwarded to analyzers rapidly enough?

Improving Network Security: Improved Reliability for Out-of-Band Monitoring and Analysis

Replace SPAN Connections with TAPs

Another reason to use TAPs over SPANs is that many switches rate-limit the SPAN port as utilization increases. This is especially prevalent at 10Gb link speeds, where SPAN traffic can be throttled by as much as 85%.

To illustrate this, here are quotes from the user manuals of two popular switches:

“Use SPAN for troubleshooting. Except in carefully planned topologies, SPAN consumes too many switch and network resources to enable permanently.”

“[Switch Vendor] recommends that you do not mirror more than 15% of your total transit traffic. On Ten Gigabit Ethernet interfaces or bundle interfaces there is a limit of 1.5G on each ingress amount to be mirrored and 1.5G on each egress amount to be mirrored.”

If you are relying on SPAN ports to feed your security devices, you may be missing as much as 85% of the traffic!

Gigamon – Enabling a Security Visibility Fabric™

Security infrastructure you deploy today must be strong, resilient and adaptable to the dynamic threats which confront your business on a continual basis.

The deeper the visibility you have, the greater your ability to defend against cyber-attacks.

Gigamon refers to this as a Visibility Fabric.

Enabling Best of Breed Security & Monitoring

Improves the solutions you are already selling

[Diagram labels: Router/Switch & Server Farm; Analytics; Network Performance Management; Network Forensics; Security; Application Performance Management]

Threat Detection: Two Architectures, Two Approaches: “Inline and Out of Band”

“In Band”

- Stop at the front door
- Intrusion Prevention (IPS)
- Data Loss Prevention (DLP)
- Block the known attacks
- Monitor traffic profiles
- Alert to anomalies

Limitations:

- Single point of failure
- Potential bottleneck
- Dependent upon “Maintenance windows”

Requirements:

- Highly available architecture
- Line-rate performance
- Infrequent configuration changes

“Out of Band”

- Passive Monitoring
- Forensics / Recorders / Analytics
- Broader scale
- Longer time
- Leverage multiple measures

Limitations:

- Risk of over-subscription
- Famine or Feast: SPAN or TAP
- Increasing tooling demand & expanding network scale

Requirements:

- Powerful filtering capability
- Multi-point triangulation
- The more pervasive, the greater the value

Threat Detection: Two Architectures, Two Approaches: “In-Band and Out of Band”

“Inline”

Requirements:

- Highly available architecture
- Line-rate performance
- Infrequent configuration changes

Limitations:

- Single point of failure
- Potential bottleneck
- Dependent upon “Maintenance windows”

“Out of Band”

Requirements:

- Powerful filtering capability
- Multi-point triangulation, greater visibility
- The more pervasive, the greater the value

Limitations:

- Risk of over-subscription (dropped packets, loss of visibility)
- Detection & Remediation is after the fact
- Increasing tool demand & expanding network scale

Threat Detection: Two Architectures, Two Approaches: “Inline and Out of Band”

“Inline”

Limitations:

- Single point of failure
- Potential bottleneck
- Dependent upon “Maintenance windows”

“Out of Band”

Limitations:

- Risk of over-subscription (dropped packets, loss of visibility)
- Detection & Remediation is after the fact
- Increasing tool demand & expanding network scale

Gigamon & Maximum Visibility

How Does Gigamon enable Maximum Visibility into the Network?

Without Gigamon… Many links to monitor; many tools required

No Aggregation: Many tools required. Capital investment in tools increases.

[Diagram labels: Virtual Servers; Physical Server; Core Network; Perimeter Network; Server Farm; Hypervisor; DMZ; IDS (Intrusion Detection System)]

With Gigamon… Simplicity. Efficient. Scalable.

With Aggregation: Many links to fewer tools. Capital investment in tools decreases.

[Diagram labels: Virtual Servers; Physical Server; Core Network; Perimeter Network; Server Farm; Hypervisor; DMZ]

Without Gigamon… All packets to all tools; tools are oversubscribed or over-provisioned.

Without Filtering: All packets are sent for inspection. Capital investment in tools increases.

[Diagram labels: Virtual Servers; Physical Server; Core Network; Perimeter Network; Server Farm; Hypervisor; DMZ; “all packets” on every link; DLP (Data Loss Prevention)]

With Gigamon… Simplicity. Efficient. Scalable.

With Aggregation: Many links to fewer tools. Capital investment in tools decreases.

[Diagram labels: Virtual Servers; Physical Server; Core Network; Perimeter Network; Server Farm; Hypervisor; DMZ]

With Gigamon… Simplicity. Efficient. Scalable.

With Filtering: Only email traffic is sent for inspection. Capital investment in tools decreases.

[Diagram labels: Virtual Servers; Physical Server; Core Network; Perimeter Network; Server Farm; Hypervisor; DMZ; “Email packets” on the tool links]

Without Gigamon… SPAN Port Contention…

SPAN Port Contention: 2 ports to 2 tools. SPAN port not available for new tool—Visibility decreases

[Diagram labels: Virtual Servers; Physical Server; Core Network; Perimeter Network; Server Farm; Hypervisor; DMZ; tools: APM, IDS, APM, IDS, NEW, NEW]

With Gigamon… Simplicity. Efficient. Scalable.

Eliminate SPAN Port Contention: Replicate SPAN ports to new tools—Visibility Increases

[Diagram labels: Virtual Servers; Physical Server; Core Network; Perimeter Network; Server Farm; Hypervisor; DMZ; tools: APM, IDS, APM, IDS, NEW, NEW]

Without Gigamon… 10 Gb Network with 1 Gb Tools…

10Gb Core or Perimeter: 1Gb tools won’t work. Expensive Tool Upgrades Necessary.

[Diagram labels: Virtual Servers; Physical Server; Core Network; Perimeter Network; Server Farm; Hypervisor; DMZ; 10 Gb links; 1 Gb Tools: APM, IDS, APM, IDS]

With Gigamon… Extend the life of your 1 Gb tools

10Gb Core or Perimeter: Convert 10Gb to 1Gb. Expensive Tool Upgrades Avoided.

[Diagram labels: Virtual Servers; Physical Server; Core Network; Perimeter Network; Server Farm; Hypervisor; DMZ; 10Gb links; 1 Gb Tools: APM, IDS, APM, IDS]

The Fabric Intelligence: Extending Visibility across Networks

Flow Mapping®: Packet Identification, Filtering, and Forwarding

GigaSMART®: Packet Modification

[Diagram labels: Network (Physical, Virtual); Tools (Application Performance, Network Management, Security); Deduplication (ABACCABACB, ABC); Packet Slicing (A B C, A B C); Header Stripping; Time Stamp; Tunneling]

Inline Bypass for Inline Security Tools: Why use Gigamon for Inline Bypass?

- Use 1Gb monitoring tools on 10Gb links
- Filter traffic on inline tool to avoid oversubscription
- Do maintenance on monitoring tool without disrupting production links
- Bi-directional heartbeat to ensure monitoring tool is active
- Replicate traffic from production link to other monitoring tools

[Diagram labels: 1Gb or 10Gb Network Link with 1Gb or 10Gb Inline Monitoring Tools; 1Gb or 10Gb Network Link with 8 x 1Gb Inline Monitoring Tools; 1Gb Copper A/B; 1Gb Optical A/B; tools: WAF, IDS, DLP, IDS; G-Secure-0216]

In Summary: Addressing the Limitations

“Inline”

Limitations:

- Single point of failure
- Potential bottleneck
- Dependent upon “Maintenance windows”

Addressing the limitations:

- Heartbeat monitoring
- Intelligent traffic distribution
- Establishes a ‘Dynamic DMZ’ enabling rapid response

“Out of Band”

Limitations:

- Risk of over-subscription
- Famine or Feast: SPAN or TAP
- Increasing tooling demand and expanding network scale

Addressing the limitations:

- Flow Mapping™
- Selective traffic forwarding
- Scalability to serve some of the largest networks on the planet

Thank you