Best Practices for Building Visibility Fabrics in the Enterprise

Similar documents
Cisco Nexus Data Broker

The Next Opportunity in the Data Centre

SIEM Product Comparison


Cisco SAN Analytics and SAN Telemetry Streaming

SharkFest'17 US. Validating Your Packet Capture: How to be sure you ve captured correct & complete data for analysis

INTELLAFLEX. Packet Aggregation Switching Solutions

Simplifying the Branch Network

NFV and SDN what does it mean to enterprises?

Mellanox Virtual Modular Switch

Ethernet Wide Area Networking, Routers or Switches and Making the Right Choice

SDN, SD-WAN, NFV, VNF I m confused!

Rethinking Security CLOUDSEC2016. Ian Farquhar Distinguished Sales Engineer Field Lead for the Gigamon Security Virtual Team

BIG MON CONTROLLERS BIG MON ANALYTICS NODE. Multi-Terabytes L2-GRE 1/10/25/40/100G ETHERNET SWITCH FABRIC. Optional BIG MON BIG MON SERVICE NODES

Load Balancing with McAfee Network Security Platform

Next Generation Hybrid Network Visibility Solution

Business Strategy Theatre

Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server Appliances

Cisco Nexus Data Broker for Network Traffic Monitoring and Visibility

Large FSI DDoS Protection Reference Architecture

Networking solution for consolidated IT infrastructure

Rethinking Security: The Need For A Security Delivery Platform

Lessons Learned from SD-WAN Deployments on Six Continents. 21 September 2016 Tim Sullivan Co-founder & CEO

IntellaFlex Packet Aggregation Switching Solutions

The Software Defined Hybrid Packet Optical Datacenter Network BIG DATA AT LIGHT SPEED TM CALIENT Technologies

Integrating NComputing Virtual Desktops with Citrix and VMware. April 21, 2010

SEVONE END USER EXPERIENCE

Cisco ASR 1000 Series Ethernet Line Cards

Cisco HyperFlex Systems

Cisco Cloud Architecture with Microsoft Cloud Platform Peter Lackey Technical Solutions Architect PSOSPG-1002

SD-WAN Solution How to Make the Best Choice for Your Business

Modular Platforms Market Trends & Platform Requirements Presentation for IEEE Backplane Ethernet Study Group Meeting. Gopal Hegde, Intel Corporation

Markus Kujala, Systems Engineering Manager

Design a Remote-Office or Branch-Office Data Center with Cisco UCS Mini

THE EXPONENTIAL DATA CENTER

Ref: C8-1G. The 8-Link Gigabit Copper TAP is a high density solution, providing 8 TAP links in a 1U rack space

Design a Remote-Office or Branch-Office Data Center with Cisco UCS Mini

THE OPEN DATA CENTER FABRIC FOR THE CLOUD

Service Mesh and Microservices Networking

White Paper. Massive Capacity Can Be Easier with 4G-Optimized Microwave Backhaul

Exam Questions

WHITE PAPER A10 SSL INSIGHT & FIREWALL LOAD BALANCING WITH SONICWALL NEXT-GEN FIREWALLS

Ipswitch: The New way of Network Monitoring and how to provide managed services to its customers

Maximizing visibility for your

White Paper. OCP Enabled Switching. SDN Solutions Guide

Customer Guide to Passive VoIP Recording. March

Cisco ONS Port 10/100 Ethernet Module

Data Center Interconnect Solution Overview

Cisco ASR 1000 Series Ethernet Line Cards

Meraki MX Family Cloud Managed Security Appliances

Meraki MX Family Cloud Managed Security Appliances

Dell EMC Networking: the Modern Infrastructure Platform

Delivering the Wireless Software-Defined Branch

Data center requirements

Exam Code: Exam Code: Exam Name: Advanced Borderless Network Architecture Systems Engineer test.

Networking Drivers & Trends

How Smart Networks are changing the Corporate WAN

What s next for your data center? Power Your Evolution with Physical and Virtual ADCs. Jeppe Koefoed Wim Zandee Field sales, Nordics

Lessons Learned Operating Active/Active Data Centers Ethan Banks, CCIE

Cisco Application Centric Infrastructure (ACI) - Endpoint Groups (EPG) Usage and Design

Qualys Cloud Platform

Ready, Willing & Able. Michael Cover, Manager, Blue Cross Blue Shield of Michigan

Cisco Tetration Platform: Network Performance Monitoring and Diagnostics

Deploy a Next-Generation Messaging Platform with Microsoft Exchange Server 2010 on Cisco Unified Computing System Powered by Intel Xeon Processors

A10 SSL INSIGHT & SONICWALL NEXT-GEN FIREWALLS

Accelerate Your Cloud Journey

Paper. Delivering Strong Security in a Hyperconverged Data Center Environment

SECURING THE NEXT GENERATION DATA CENTER. Leslie K. Lambert Juniper Networks VP & Chief Information Security Officer July 18, 2011

Network Virtualization

Cisco Start. IT solutions designed to propel your business

16GFC Sets The Pace For Storage Networks

Pass-Through Technology

Data Center Applications and MRV Solutions

Cisco 4000 Series Integrated Services Routers: Architecture for Branch-Office Agility

OPEN COMPUTE PLATFORMS POWER SOFTWARE-DRIVEN PACKET FLOW VISIBILITY, PART 2 EXECUTIVE SUMMARY. Key Takeaways

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

Juniper Virtual Chassis Technology: A Short Tutorial

NOAA TICAP. Robert Sears NOAA/OCIO/SDD/N-Wave

Cisco Powered Cloud Solutions. Vladimir Joshevski

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

PassReview. PassReview - IT Certification Exams Pass Review

SIEM (Security Information Event Management)

Public Cloud Leverage For IT/Business Alignment Business Goals Agility to speed time to market, adapt to market demands Elasticity to meet demand whil

Dynamic Network Segmentation

Real-time Communications Security and SDN

How to solve your backup problems with HP StoreOnce

Local Area Network Overview

Port Tapping Session 2 Race tune your infrastructure

Cisco Extensible Network Controller

Cisco Wide Area Application Services and Cisco Nexus Family Switches: Enable the Intelligent Data Center

SteelConnect. The Future of Networking is here. It s Application-Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN

Cisco FirePOWER 8000 Series Appliances

Equipment Policies. Chassis/FEX Discovery Policy

How Cisco IT Deployed Enterprise Messaging on Cisco UCS

Why can t I just do that with a switch? Joseph Magee Chief Security Officer Top Layer Networks

Cisco UCS Central Software

Technology Trends You Cannot Afford to Ignore

SDWAN: Re-architecting WAN with Software Defined Networking

Cisco UCS Performance Manager

Virtualizing Managed Business Services for SoHo/SME Leveraging SDN/NFV and vcpe

Transcription:

Best Practices for Building Visibility Fabrics in the Enterprise J. Scott Haugdahl Principal Architect, Blue Cross Blue Shield MN Formerly Asst. VP, Architect, and Network Application Analysis (NAA) founder at US Bank

The US Bank Experience Who is US Bank (symbol: USB)? 5 th largest U.S. commercial bank, 3,176 branches, 67,000 employees, $403B assets Recognized for its strong financial performance and prudent risk management What is Network Application Analysis (NAA)? Founded in 2008 as part of US Bank s Network Planning and Engineering to adapt new thinking around methods, tools, process, and collaboration in order to focus on resolving potential or chronic application performance problems Solutions oriented, not only layers 1 3 (i.e. network infrastructure) Gained credibility during pre-migration analysis to a new data center and created a unique opportunity to architect a large Shared Data Access Network (SDAN) Why the SDAN? The only solution able to collect and aggregate multiple streams simultaneously from several tiers in real-time to feed Application Performance Monitoring (APM), fraud detection, IDS, and sniffer tools

The Blue Cross Blue Shield Experience Who is Blue Cross Blue Shield of Minnesota? The first Blue health plan in the nation & the largest insurer in Minnesota 2.6 million members across all 50 states, 3,500 employees, nonprofit Administrative cost less than 10 cents on the dollar, among lowest in the country What is Enterprise Systems Management (ESM)? A group that collectively manages enterprise wide performance metrics and reporting from system level to multi-tier application performance Built up in recent years with strong support from senior leadership Owns event monitoring and reporting, capacity planning, Shared Visibility Fabric (SVF), packet level analysis tools, Application Performance Monitoring (APM) Why the SVF? Created a third generation and scalable packet collection, aggregation, and distribution system with flexible mapping rules, fabric services, end-to-end single plane connectivity, and scalability for new data center growth

Passive Packet Collection, Aggregation, & Distribution a.k.a. the Visibility Fabric Is comprised of 1. Passive packet sourcing via taps and SPANs Physical in-line media taps (fiber and copper) Switch mirror ports (SPAN), blade chassis mirror ports (blade mirroring), firewall mirror ports, etc. 2. Switching fabric of intelligent packet aggregation matrix switches 3. Configuration and control software (typically command line and/or browser) Is NOT Sniffers, APM, IDS/IPS appliances, fraud monitoring tools, etc. These are the packet consumers! Referred to as a Visibility Fabric, Data Access Network, Network Packet Broker, Network Monitoring Switch, Packet Flow Switch, Network Visibility Architecture, etc.

Best Practices Include the word shared when branding your monitoring fabric from the start Using Shared Data Access Network, Shared Visibility Fabric, etc. sends a strong message across the enterprise & leads to collaboration Separate out the consumers when budgeting and forecasting Adding costs of large capacity packet capture appliances can skew your capital expenditure (CAPEX) and long term maintenance (OPEX) which may be perceived as a visibility fabric cost Create an NAA group or deep ESM team to make the visibility fabric a success Need to bridge the gap between network and app teams for problem determination and resolution Tough politically as managers tend to protect the status quo Requires recognition and strong support from senior leadership Required unless you own all of the capacity and performance tools Need to understand how application architecture overlays network infrastructure Determining the right methods to capture and process packet flows is critical and tool dependent

Some Early Challenges Just 5 years Ago Applications growing in number and complexity Myriad of infrastructure and application tiers often require multiple simultaneous data stream capture points. First generation physical layer matrix switches simply not suitable for emerging technology Basic layer 1 A-B switch How do you scale to 10 Gbps with only layer 1 control (i.e. need visibility in the fabric above the physical layer)? 10 Gbps adoption exploding How to handle all that data? Sharing Cisco SPANs (or R/ER RSPANs) a big problem Contention, prioritizing, and managing across multiple teams and analysts Limited SPAN ports, typically 2 max per switch SPAN technology has not kept up with switching technology, such as port channels Security using dedicated taps and mirror ports Blade servers quickly emerging lack of visibility

Solution: The Visibility Fabric Visibility Fabric SPAN/Mirror Tap Multi-tier Infrastructure

A 60 Second Tap Primer Fiber taps are passive and split the light into two paths Most are a 50:50 split ratio & thus distances are halved Copper taps are regenerative and thus require power Internal mechanical relays provide power fail pass through Many options like link-state propagation, packet aggregation (with buffering), statistics, manageability Fiber Copper RX RX A TX TX B A B RX+TX RX+TX A B A B

Shared Visibility Fabric The Big Three Benefits Stream Sharing Stream sources (ingress or network ports) can service many consumers (egress or tool ports) critical to protecting your customers and improving the end-user experience. Multi-tier Stream Aggregation Several streams from multiple tiers can be aggregated to one or more outputs, in order to monitor complex applications and save on tool ports the so-called one to many and many to one. Filtering Streams can be filtered by MAC, VLAN, IP, port, or other criteria, allowing focused analysis or specific web front ends with a significant drop in resource requirements on the tool or appliance. Deduping may also be required in a multi-tier tapped infrastructure. Offer value-added services!

The Modern Shared Visibility Fabric (SVF) Tapped Media Load Balancers Firewalls Mainframe Packet Sources Mirror Ports Switches Blade Chassis UCS or SDN Fabric Intelligent Matrix Switching, Filtering, Aggregation, Slicing, Deduplication, etc. the Shared Visibility Fabric Consumers Intrusion Detection Fraud Threat Analysis Data Loss Prevention APM Sniffer 10

Best Practices Set goals up front such as Ease demand for SPAN ports Allow for ad-hoc as well as permanent monitoring Share packet streams with analysis, security, compliance tools, and? Architect from the ground up for a new data center or migration or? Define specific requirements for a POC such as Handle a variety of physical media types (copper and fiber) and data rates (1, 10, 40, 100 Gbps?) Able to aggregate streams to higher speed or load balanced output ports Filter streams by MAC, IP, IP + Ports, VLAN, pattern match, etc. Able to stack or cluster the matrix switches to work and manage as a unified fabric Provide a central point of management and access control Grow to scale up to 1,000 ports, roughly 10:1 network:tool port ratio (target some numbers) Desired in-fabric services such as deduplication, time-stamping, data masking, etc. Derive a lab test plan for cross-blade, cross-chassis, and cross-cluster high volume traffic

Best Practices SPANs (and mirror ports) usefulness is diminishing, so avoid if possible Easy to over subscribe, especially with port channel or full duplex aggregation Eliminate the old practice of using aggregation taps and use fiber where possible Be mindful that each one tap takes up two monitoring port$ when operating in non-aggregation mode! Tap related network points into high density Traffic Aggregators and send aggregated flows to the Visibility Fabric Core Cluster for tool consumption. Examples: Perimeter Firewall Taps TA Firewall Aggregate Uplink Core IDS Mainframe OSA Taps TA Mainframe Aggregate Uplink Core Auditing Tool For branch WAN connections, consider preserving separate send/receive full duplex tap ports all the way through to your tools Preserving full duplex tapped connections from taps to tools helps to preserve incoming vs. outgoing traffic

Tap Placement Considerations Tap Inside and Outside WAN Routers Outside may be subject to carrier approval Tap Layer 2 to Layer 3 Uplinks Captures packets that needs routing May not scale well Tap Firewalls/Load Balancers/IPS/WAF/Web Proxies Most common & usually a best practice Consider mirror port on device (not switch) if supported Tap Top-of-Rack Line/Port Extender Uplinks End-node physical traffic capture May not scale well Tap High Density Server and MF Interfaces May not scale well for servers May still need a virtual server tap solution Placement is highly dependent on your needs and architecture!

Cascading Fabric vs. One Pane of Glass Cascading Clustering Best Practice! Connections are managed switch-by-switch. The system becomes one pane of glass such that we only need to specify the end ports. A cascaded fabric can get messy very quickly, especially attempts to filter and sort traffic. Adding more uplinks does not scale well. Far easier to manage but still need to be conscious of interconnect bandwidth

Best Practices Use less expensive highly concentrated traffic aggregators to consolidate like packet sources (such as perimeter firewall interfaces, mainframe OSAs, etc.) into a group. Uplink each aggregated group (each gets their own port trunk) to the core Aggregators with built-in fiber taps are good IF you need inline traffic modification (the SVF is no long passive) and you can double the fiber back to the source vs. traditional mid-point tapping Use rules and filtering to greatly reduce load on the appliance APM and security appliances do not need to waste cycles filtering irrelevant data Reducing unnecessary intake can also increase post processing performance Mirror APM appliance flows to permanent data vacuums for tool validation & post mortem analysis Also feed security tool flows to your data vacuums to validate setup and operation

Putting it all Together

Bonus: More Best Practices! Use a naming convention that indicates the names of devices and their exact ports from/to which packets are entering/exiting Ensure that such information is self-evident without consulting an external resource Design to eliminate packet loss in the monitoring fabric Over subscription often due to excessive aggregation or uplink capacity If packets go missing there, you've got an unreliable and potentially misleading view of your network and security risk not to mention credibility! Corollary: monitor for and alert on packet drops and breached utilization thresholds Design to eliminate packet redundancy in the fabric do all tools need above and below tapped firewalls for example? Every vendor's filtering and rules has gotchas. Understand them! Obvious: Always validate that the filtering/dispatching changes you make are working correctly!

Best Poor How do we get packets from VM-to-VM or blade-to-blade? On the server packet capture agent/analyzer* Limited capture throughput and retention Does not enter the monitoring fabric; save it for workstations Blade chassis mirror port Basically the same issues as SPAN; does not address VM s Virtual taps or virtual switch port mirroring Consumes real resources to get packets to the monitoring fabric May require large coverage across platforms and VMs Integrate packet-based APM with agent-based APM Can work extremely well if well integrated & validated Architect your infrastructure to force packets out of the box High capacity bandwidth in the data center is cheap and ultra low latency Requires strong network + server + monitoring team collaboration *Or Wireshark in an analyzer VM if using VMWare VDS

NOT Best Practices!

Thank YOU!

Appendix: Switching Fabric Definition Switching fabric is the combination of hardware and software that moves data coming in to a network node out by the correct port (door) to the next node in the network. Switching fabric includes the switching units (individual boxes) in a node, the integrated circuits that they contain, and the programming that allows switching paths to be controlled. The switching fabric is independent of the bus technology and infrastructure used to move data between nodes and also separate from the router. The term is sometimes used to mean collectively all switching hardware and software in a network. The term uses a fabric metaphor to suggest the possible complexity and web-like structure of switching paths and ports within a node. The switching fabric typically includes data buffers and the use of shared memory. Source: techtarget.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback