Ixia Visibility Architecture - cisco.com
1 © 2016 IXIA AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
IXIA VISIBILITY ARCHITECTURE Eliminating Blind spots
Юлий Явич, IXIA
74 of the Fortune 100
45 of the top 50 carriers
15 of the top 15 NEMs
Customer Focused
Innovation
Enterprise
Carriers/Service Providers
NEMs
2014 Industry-first ATI security solution
2014 Industry-first virtual tap
2014 Industry-first 400GbE test solution
IXIA SOLUTION PORTFOLIO
Across the Infrastructure
Across ALL Platforms
Flex Taps, iBypass,
Virtual Taps
802.11ac, MU-MIMO
PerfectStorm BPS vEPC IxLoad/VE
IxNetwork/VE Multis SDN
Threat ARMOR,
ATI
Mobile Endpoint Network Data Center Cloud
NTO, Vision ONE, Hawkeye,
xStream40, Control Tower
TEST SECURITY VISIBILITY
INTELLIGENT VISIBILITY
Clients
INTELLIGENT VISIBILITY - CHALLENGES
Server
Network
Tap Switch Switch
How to:
• Get data access for tools?
• Network taps instead of SPAN ports?
Network
Tap Network
Tap
Tool 1 Tool 2 Tool N
How to:
• Deal with limited tool ports?
• Scale tool capacity?
• Filter traffic to tools?
• Manage access for each tool?
Network Operations
Application Operations
Security Admin
Forensics
INTELLIGENT VISIBILITY End-to-End Data Access and Distribution
Switch
Switch
Servers
THE DATA CENTER
Taps
Taps
Taps
Network Packet Brokers
• Aggregation
• Filtering
• Load Balancing
• SSL Decryption
• NetFlow
1G
10G
40G
APPLICATIONS AND NETWORK PERFORMANCE TOOLS
INTELLIGENT PACKET PROCESSING
All unique frames going to 10.0.0.0/8
Only the first 128 bytes of TCP Port 25 frames
Hardware AFM
NPB Adv. Packet Processing
Advanced Packet Processing (AFM) Features
• Deduplication
• Header stripping
• Trimming
• Tunnel Termination
• Data Masking
• Timestamping
• Burst Protection
ENTERPRISE – INTELLIGENT APPLICATION PROCESSING
• ATI Processor (ATIP) - Context-rich Application Visibility
• Application forwarding based on application, geography, and RegEx matching
• Real-time dashboard
• Rich NetFlow / IPFIX generation
– Device OS
– Browser
– Carrier BGP AS#
– Geolocation
• Data Masking
• Stateful SSL decryption
All traffic from Georgia
All voice traffic from HTC Ones
Someone from remote office Skype for business monitor
NPB – App Brokering
Meta Data
App Filtering
ATIP ENABLES SSL INSIGHT
• Passive decryption – no impact on application performance
• Fully compatible with all other ATIP features:
– Rich NetFlow/IPFIX
– Data Masking
– Geolocation
– Application Filtering
– Handset/workstation type
– Browser identification
• Easy setup – just import server certificate & key
• All popular key exchange & ciphers:
– RSA & DH Key Exchange
– SHA1/521/384/256/224
– MD5
– 3DES
– RC4
– AES
– ECC (Elliptic Curve)
• Encryption details reported over NetFlow
• Hardware Encryption Offload
NTO FAMILY NTO 7300
Vision ONE
• 48x1/10G & 4x40G
• Advanced Features
• ATI Processor
> Application layer filtering
> SSL Encryption
> Netflow Generation
• Inline Support
• Load Balancing
• GUI
• 1/10/40/100G Interfaces
• Advanced Features
• ATI Processor
> Application layer filtering
> SSL Encryption
> Netflow Generation
• Packet Capture
• Load Balancing
• GUI
General Features
> Full Duplex Mode
> Passes all traffic (including errors) from all layers for comprehensive troubleshooting
> Regeneration TAP
> No IP address is needed
> Redundant power ensures monitoring uptime
TP-CU3; TP-CU3-ZD
[Diagram: tap between Network A and Network B with monitor ports Mon A and Mon B; TX/RX paths]
FULL DUPLEX COPPER TAP
- 1G/10G/40G/100G (LR & ER)
> Single Mode with LC Connector
- 1G (SX)
> Multi Mode with LC Connector
- 10G (SR)
> Multi Mode with LC Connector
- 40G (SR4 / Cisco Bidi/ MR4)
- 100G (SR10)
> Multi Mode with MTP Connector
IXIA FLEXTAP
GETTING VIRTUAL TRAFFIC TO MONITORING TOOLS
CUSTOMER CASE STUDY International Bank
Customer
• Leading International Bank
Need
• Massive volumes of raw application traffic to monitor
• Control traffic inspection costs
• Improve overall Incident Response Team effectiveness
Results
• Deployed Ixia Intelligent Visibility solutions including NTO 7300
• Reduced monitored traffic using advanced filters of deduplication, packet slicing, IPs, VLANs
• VLAN marking and Time stamping to monitoring tools
• Reduced planned CapEx investments
CUSTOMER CASE STUDY Large Hi-tech Company
Customer
• Large L2/3 manufacturer
Need
• Control traffic inspection costs
• Layer 7 filtering to Nectar tool
Results
• Deployed Ixia Intelligent Visibility solution including Vision ONE
• Reduced monitored traffic using deduplication
• Provided Skype for Business specific traffic to Nectar tool
• Reduced planned CapEx investments
TECHNOLOGY ECOSYSTEM
TrafficREWIND is a unique patent-pending solution that uses NetFlow metadata to regenerate the dynamics of production networks within BreakingPoint test beds
Solution Overview
RESILIENT SECURITY
RESILIENT SECURITY Serial Deployment of Inline Security Tools Is Dangerous
Switch Server
Server Switch
Switch
Switch
Very complex operationally
Single points of failure
Administrative tension
Expensive to scale
Inline Security Tool Farm
RESILIENT SECURITY A More Detailed View of a Resilient Security Framework
[Diagram labels: Switch, Server, Bypass Switch, Network Packet Brokers (HA), Inline Security Tool Farm, Out of Band, Sandboxing, Threat Intelligence Gateway]
Monitored Tool Links via Heartbeat Packets
INLINE & MONITORING TOGETHER
Inline Monitoring
Inline
• IPS (multiple vendors)
Out-of-band Monitoring
• Data logging
WORLD-CLASS GLOBAL SUPPORT
Expert team of >100 engineers
Proven track record of superior support
Always-on 24x7 coverage
Best-in-class support tools