1 © 2016 IXIA AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | VISION ONE

Vision one-customer


Page 1: Vision one-customer


VISION ONE

Page 2: Vision one-customer


DEPLOYING SECURITY IS NOT EASY

CONSTANT CHANGE

Threats, Laws, Applications

SINGLE PURPOSE TOOLS

EXPENSIVE

Page 3: Vision one-customer


SECURITY IS CONSTANTLY CHANGING

There’s always a lot of ground to cover

Page 4: Vision one-customer


See Everything: Intuitive UI and patented filter compiler

Look Within: ATI for SSL decryption and application intelligence

Virtualize: Manage traffic from physical and virtual taps

Layered Defense: Flexibly deploy tools inline and out-of-band

Optimize: Zero-loss advanced packet processing

Page 5: Vision one-customer


EVOLUTION OF INTELLIGENT VISIBILITY

TAP (raw packets):
• All packets

NPB (L2-4 filters):
• Only 10.0.0.0/8 traffic
• Only TCP port 25 traffic

NPB with advanced packet processing (hardware AFM):
• All unique frames going to 10.0.0.0/8
• Only the first 128 bytes of TCP port 25 frames

NPB with application brokering (metadata, app filtering):
• All traffic from Georgia
• All voice traffic from HTC Ones
• Someone from S. Africa watching House of Cards on Netflix on an iPhone on Vodacom’s network

Page 6: Vision one-customer


FILTERING: IT’S YOUR CHOICE

The Hard Way: using other vendors’ filters
“…we spent the better part of four hours and some trial and error to get the map and its filters defined and applied.”

The Easy Way:
“Ixia's Dynamic Filtering feature, on the other hand, took all of 10 minutes to perform the same task in our tests.”

Page 7: Vision one-customer


IXIA’S AUTOMATIC RULE ENGINE COMPILER

1. What you want: Enter 3 simple filters in the Network Tool Control Panel
• VLAN 1-3
• VLAN 3-6
• TCP

2. What you do: Traffic is multicast from one SPAN port to 3 tools
• Network SPAN Port -> Tool Port #1 (VLAN 1-3), Tool Port #2 (TCP), Tool Port #3 (VLAN 3-6)

3. What the Automated Rule Set Compiler does: Automatically calculates filter overlaps and creates rules

No.  Criteria          Action
0    VLAN 3 + TCP      Tool 1, 2 & 3
1    VLAN 1-3 + TCP    Tool 1 & 2
2    VLAN 4-6 + TCP    Tool 2 & 3
3    VLAN 3            Tool 1 & 3
4    VLAN 1-2          Tool 1
5    VLAN 4-6          Tool 3
6    TCP               Tool 2
7    Null              Drop

4. Why is this a big deal
• Automatically resolves overlapping rules. Greatly simplifies getting to what you need.
• Hitless changes – no packets dropped
• Concurrent changes by different admin users
• Simple to integrate with external provisioning systems – automated service provisioning
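To make the rule table concrete, the following Python block is an added example, not Ixia's code (the slide does not describe the compiler's internals, only its output). It takes the three filters from the slide, enumerates every way they can overlap, and emits a priority-ordered rule table that ends in a Null/Drop rule; a first-match lookup over that table returns the set of tool ports a packet must be copied to. The filter and packet representation (a dict of VLAN range and protocol) is an assumption made for the example. The table it produces has the same eight rules as the slide; criteria such as "VLAN 1-3 + TCP" are left uncarved because the earlier, more specific "VLAN 3 + TCP" rule already wins, which is exactly how the slide's priority-ordered table works.

```python
from itertools import combinations

# Constructed input for this example: the three filters from the slide, each sending
# matching traffic to one tool port. A filter is a dict of match conditions; a key that
# is absent means "any value". Only VLAN ranges and a protocol name are modelled here.
FILTERS = {
    "Tool 1": {"vlan": (1, 3)},
    "Tool 2": {"proto": "TCP"},
    "Tool 3": {"vlan": (3, 6)},
}


def intersect(criteria):
    """Merge several filters' criteria into what a packet must satisfy to match all of them.
    Returns None when no packet can match them all (e.g. disjoint VLAN ranges)."""
    merged = {}
    for crit in criteria:
        for key, value in crit.items():
            if key not in merged:
                merged[key] = value
            elif key == "vlan":
                lo, hi = max(merged[key][0], value[0]), min(merged[key][1], value[1])
                if lo > hi:
                    return None
                merged[key] = (lo, hi)
            elif merged[key] != value:
                return None
    return merged


def compile_rules(filters):
    """Emit a priority-ordered rule table: overlaps of many filters first, single filters last,
    then a catch-all 'Null -> Drop' rule. Each rule is (criteria, set of tool ports)."""
    rules = []
    names = list(filters)
    for n in range(len(names), 0, -1):            # most specific overlaps get highest priority
        for combo in combinations(names, n):
            crit = intersect([filters[t] for t in combo])
            if crit is not None:
                rules.append((crit, set(combo)))
    rules.append(({}, set()))                     # rule 7 on the slide: Null -> Drop
    return rules


def matches(crit, packet):
    """True if the packet (a dict of header fields) satisfies every condition in crit."""
    for key, value in crit.items():
        if key == "vlan":
            if not value[0] <= packet.get("vlan", 0) <= value[1]:
                return False
        elif packet.get(key) != value:
            return False
    return True


def classify(rules, packet):
    """First-match lookup, as a hardware TCAM would do it: the tool ports to copy the packet to."""
    for crit, tools in rules:
        if matches(crit, packet):
            return tools
    return set()


def describe(crit):
    """Render criteria the way the slide's table does, e.g. 'VLAN 3 + TCP' or 'Null'."""
    parts = []
    if "vlan" in crit:
        lo, hi = crit["vlan"]
        parts.append(f"VLAN {lo}" if lo == hi else f"VLAN {lo}-{hi}")
    if "proto" in crit:
        parts.append(crit["proto"])
    return " + ".join(parts) or "Null"


if __name__ == "__main__":
    table = compile_rules(FILTERS)
    for no, (crit, tools) in enumerate(table):
        print(f"{no}  {describe(crit):<16} {', '.join(sorted(tools)) or 'Drop'}")
    print(classify(table, {"vlan": 3, "proto": "TCP"}))   # {'Tool 1', 'Tool 2', 'Tool 3'}
```

Because the table is ordered by how many filters a rule satisfies, an administrator who adds a fourth filter only has to re-run `compile_rules`; the overlap resolution the slide calls "what the compiler does" is recomputed rather than hand-edited, which is the property that makes the concurrent-admin and provisioning claims on the slide safe.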

Page 8: Vision one-customer


INTELLIGENT PACKET PROCESSING

Dedicated hardware adds info or reduces unnecessary data without information loss on a per packet basis

Examples (hardware AFM in an NPB with advanced packet processing):
• All unique frames going to 10.0.0.0/8
• Only the first 128 bytes of TCP port 25 frames

Advanced Packet Processing (AFM) Features
• Deduplication
• Header stripping
• Trimming
• Data masking
• Timestamping
• Burst protection

Page 9: Vision one-customer


ADVANCED PACKET PROCESSING IN VISION ONE

Challenge
• Need guaranteed packet processing performance, but not on every port

Solution
• Hardware-based processing guarantees performance
• Allocated to ports in 10G increments
• Full performance with multiple features enabled

Benefits
• Packet processing reduces tool costs
• Reliable operational performance
• Any port can have AFM
• Maximize ATIP / DPI performance by AFM prefiltering

16x10G Shared AFM

Page 10: Vision one-customer


DEDUPLICATION

Deduplication – Ensures that only one copy of each frame is forwarded for analysis.

How do you get duplicate packets?
– Multiple taps are aggregated to the same tool
– A single SPAN port commonly generates duplicate packets

(see http://blogs.cisco.com/security/span-packet-duplication-problem-and-solution)

Page 11: Vision one-customer


HEADER STRIPPING

Header Stripping – Detects and removes tunnel protocol headers so the data can be analyzed by tools that do not support the tunneled protocol.

[Figure: MPLS Label | IP Header | Payload -> Header Stripping -> IP Header | Payload]

Typical Use Cases
• Translation: Strips a protocol header that an analysis tool doesn’t parse and forwards the packet in a supported format.
– MPLS, VNTag, FabricPath, etc.
• vTap Termination: Terminates traffic from Phantom vTap
• ERSPAN termination: Terminates traffic from a remote / branch office switch

Page 12: Vision one-customer


PACKET TRIMMING

Packet Trimming – Truncates packets at a certain length and optionally inserts a trailer with the original packet length before forwarding to a tool.

Typical Use Cases
• Tool Efficiency: Reduces the average frame length being sent to the tool for analysis.
– Remove SSL-encrypted payloads before analysis
– Remove payloads for tools that only analyze headers
• Security: If the packet payload is not needed for analysis, this feature can be used to protect against revealing sensitive information such as Personally Identifiable Information (PII), as required by many mandates such as PCI.

[Figure: IP Header | Payload -> Packet Slicing -> IP Header (payload removed)]

Page 13: Vision one-customer


DATA MASKING

Data Masking – Allows data at a specific offset in the frame to be set to a fixed value so that Personally Identifiable Information (PII) is not forwarded to analytics tools.

Typical Use Cases
• Protecting PII: Enterprises and carriers often have mandates that require them not to store, forward, or otherwise expose PII to internal or external users. Examples of such mandates are PCI (Payment Card Industry) or HIPAA for health care in the USA. Violations often result in multi-million dollar penalties.

[Figure: IP Header | Payload -> Data Masking -> IP Header | XXXX]

Page 14: Vision one-customer


PACKET TIMESTAMPING

Packet Timestamping – Adds a trailer containing a timestamp to every packet so detailed latency measurements can be made by the analysis tools.

Typical Use Cases
• Latency: A network performance analyzer can determine the latency between any taps in the network by comparing the timestamps on the same packet from two different locations.

[Figure: IP Header | Payload -> Packet Timestamping -> IP Header | Payload | Timestamp]

Vision ONE chassis uses PTP or NTP to obtain time reference
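The per-packet functions described on the deduplication, header stripping, trimming, data masking and timestamping slides are easier to reason about with a software model. The Python block below is an added example and not Ixia's implementation: the sample frame, the 2-byte original-length trailer, the 8-byte nanosecond timestamp trailer and the SHA-256 dedup key are assumptions made for this example (the real AFM trailer formats are not described in this deck). It builds a constructed IPv4/TCP port 25 frame whose payload carries a fake card number, wraps it in an MPLS label stack, and runs each function over it, including the two-tap latency calculation from the timestamping slide.

```python
import hashlib
import struct

ETH_MPLS, ETH_IPV4, ETH_IPV6 = 0x8847, 0x0800, 0x86DD
ETH_HDR = 14            # bytes of Ethernet header: dst MAC, src MAC, EtherType


def build_ipv4_tcp(payload, src="10.1.1.10", dst="10.2.2.20", dport=25):
    """Constructed IPv4/TCP packet (checksums left zero) used as sample input for the stages below."""
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, 0x18, 8192, 0, 0)
    return ip + tcp + payload


def ethernet(packet, ethertype, mpls_labels=()):
    """Wrap a packet in an Ethernet header, optionally behind an MPLS label stack (S bit on the last label)."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if not mpls_labels:
        return macs + struct.pack("!H", ethertype) + packet
    last = len(mpls_labels) - 1
    stack = b"".join(struct.pack("!I", (label << 12) | ((i == last) << 8) | 64)   # label, TC=0, S, TTL=64
                     for i, label in enumerate(mpls_labels))
    return macs + struct.pack("!H", ETH_MPLS) + stack + packet


def strip_mpls(frame):
    """Header stripping: pop the whole MPLS label stack and restore the EtherType of the inner IP packet."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_MPLS:
        return frame
    pos = ETH_HDR
    while True:
        entry, = struct.unpack("!I", frame[pos:pos + 4])
        pos += 4
        if entry & 0x100:              # bottom-of-stack bit: this was the last label
            break
    inner = frame[pos:]
    ethertype = ETH_IPV4 if inner[0] >> 4 == 4 else ETH_IPV6
    return frame[:12] + struct.pack("!H", ethertype) + inner


def deduplicate(frames, window_ns):
    """Deduplication: forward one copy of each byte-identical frame seen within window_ns.
    frames is a list of (arrival_ns, frame_bytes) in arrival order; returns (kept, dropped_count)."""
    first_seen, kept, dropped = {}, [], 0
    for ts, frame in frames:
        key = hashlib.sha256(frame).digest()
        if key in first_seen and ts - first_seen[key] <= window_ns:
            dropped += 1
            continue
        first_seen[key] = ts           # a frame seen again after the window counts as new
        kept.append((ts, frame))
    return kept, dropped


def trim(frame, keep):
    """Packet trimming: keep the first `keep` bytes and append a 2-byte trailer with the original length
    (trailer format assumed for this example)."""
    if len(frame) <= keep:
        return frame
    return frame[:keep] + struct.pack("!H", len(frame))


def mask(frame, offset, length, fill=0x58):
    """Data masking: overwrite `length` bytes at a fixed `offset` with a constant byte (0x58 is 'X')."""
    end = min(offset + length, len(frame))
    return frame[:offset] + bytes([fill]) * (end - offset) + frame[end:]


def add_timestamp(frame, arrival_ns):
    """Packet timestamping: append an 8-byte trailer with the arrival time (format assumed for this example)."""
    return frame + struct.pack("!Q", arrival_ns)


def latency_between_taps(frame_at_tap_a, frame_at_tap_b):
    """Latency of one packet between two taps: difference of the timestamp trailers on the two copies."""
    ts_a, = struct.unpack("!Q", frame_at_tap_a[-8:])
    ts_b, = struct.unpack("!Q", frame_at_tap_b[-8:])
    return ts_b - ts_a


# Constructed sample: a TCP port 25 packet whose payload carries a fake card number, behind two MPLS labels.
SAMPLE = ethernet(build_ipv4_tcp(b"CARD=4111111111111111 rest"), ETH_IPV4, mpls_labels=(100, 200))
PAYLOAD_OFFSET = ETH_HDR + 20 + 20     # start of the TCP payload once the MPLS labels are gone

if __name__ == "__main__":
    plain = strip_mpls(SAMPLE)
    kept, dropped = deduplicate([(0, plain), (50, plain), (2_000_000, plain)], window_ns=1_000_000)
    print(len(kept), dropped)                                    # 2 1
    print(mask(plain, PAYLOAD_OFFSET + 5, 16)[PAYLOAD_OFFSET:])  # b'CARD=XXXXXXXXXXXXXXXX rest'
    print(len(plain), len(trim(plain, 64)))                      # 80 66
    print(latency_between_taps(add_timestamp(plain, 1_000), add_timestamp(plain, 1_250)))  # 250
```

Two practical points fall out of the model. The masking offset is only meaningful after header stripping, since a label stack shifts every inner field, so a real pipeline strips first and masks second; and a trailer-based format (length, timestamp) is only unambiguous if the tool knows which trailers are enabled, which is why the deck ties these options to the filter rather than to the port.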

Page 15: Vision one-customer


BURST PROTECTION

Burst Protection – Adds extra buffering to 1G interfaces to provide protection from microburst events and avoid data loss.

Typical Use Cases
• Aggregation: When aggregating traffic from multiple locations in the network to a single 1G tool, it is possible to momentarily exceed 1Gbps of traffic.
• Speed Translation: When filtering a sub-1G flow from a single 10G link, burst protection can prevent a momentary burst in the 10G flow from creating loss in the 1G analysis tool.

Page 16: Vision one-customer


IXIA – ALWAYS FULL RATE ADVANCED PACKET PROCESSING

The Bottom Line: Ixia always supports full rate processing, independent of frame size and independent of the number of functions enabled.

See Tolly Test Report #216100

Full Rate Advanced Packet Processing

Page 17: Vision one-customer


ENTERPRISE – INTELLIGENT APPLICATION PROCESSING

• ATI Processor (ATIP) - Context-rich Application Visibility
• Application forwarding based on application, geography, and RegEx matching
• Real-time dashboard
• Rich NetFlow / IPFIX generation
– Device OS
– Browser
– Carrier BGP AS#
– Geolocation
• Data Masking
• Stateful SSL decryption


Page 18: Vision one-customer


ATIP – DEEP PACKET INSPECTION

Reuses the ATI engine to perform Deep Packet Inspection

Identifies:
• Applications
• Application events
• Handset OS
• Browser
• Geolocation

Subscription profiles update every 3 weeks

Page 19: Vision one-customer


APPLICATION FILTERING

Point and Click: Filter settings

Geographic Matching: Click map or country name

App Matching: Static, dynamic, custom App Groups (category, OS, etc.)

Page 20: Vision one-customer


REGEX SEARCHING & DATA MASKING

Easy Setup: Add to any filter

Predefined Patterns: Email, credit cards, SSN, etc.

Custom Patterns: Built-in UI

Optional Masking: Partial or complete string

Fixed Offset: L2-L4 header offset

Page 21: Vision one-customer


FLEXIBLE TRAFFIC HANDLING

Easy Setup: Forward, NetFlow, or both

Real-time Stats: For all filters

Page 22: Vision one-customer


RICH NETFLOW / IPFIX GENERATION

Easy Setup: One-click enable

Standard Fields: Including router offload

IxFlow Extensions: Handset, browser, geo, SSL

High Performance: Supports up to 10 collectors

Page 23: Vision one-customer


ATIP ENABLES SSL INSIGHT

Passive decryption – no impact on application performance

Fully compatible with all other ATIP features:
• Rich NetFlow/IPFIX
• Data Masking
• Geolocation
• Application Filtering
• Handset/workstation type
• Browser identification

Easy setup – just import server certificate & key

All popular key exchange & ciphers:
• RSA & DH key exchange
• SHA1/521/384/256/224, MD5
• 3DES
• RC4
• AES
• ECC (Elliptic Curve)

Encryption details reported over NetFlow

Hardware encryption offload

Page 24: Vision one-customer


ATIP USE CASES

• SaaS Issue Correlation to Service Provider
• Granular VoIP Filtering

Page 25: Vision one-customer


TWO MAIN VISIBILITY TOPOLOGIES

Monitoring (out-of-band): Analytics tools terminate the traffic and do not forward it back to the network. Typical analytics tools:
• Application Performance Monitoring (APM)
• Network Performance Monitoring (NPM)
• Intrusion Detection System
• Data recording

Inline (in-band): Tools analyze and selectively drop traffic or forward it back to the network. Typical inline tools:
• Intrusion Prevention System (IPS)
• Data Loss Prevention (DLP)
• Web Cache
• SSL encrypt / decrypt
• Firewall

Page 26: Vision one-customer


INLINE & MONITORING TOGETHER

Inline
• IPS (multiple vendors)

Out-of-band Monitoring
• Data logging

Page 27: Vision one-customer


SERIAL INLINE DEPLOYMENT

[Figure: serial inline deployment, Switch with inline stages 1, 2, 3]

Page 28: Vision one-customer


EXTERNAL BYPASS

Why use External vs Integrated Bypass?

1. External reliability is 5 times better! MTBF (Mean Time Between Failures, in hours):
• External Bypass: 450,000
• Integrated Bypass: 80,000

2. Easier to replace failed devices: no risk of taking the network down

3. Same system size as integrated bypass: 2U

Page 29: Vision one-customer


EASY TO CONFIGURE

Create complex topologies in minutes:
• Inline serial
• Parallel load balanced
• Inline serial & parallel load balance together

Page 30: Vision one-customer


N+M REDUNDANCY

Supports any combination of N+M tool redundancy
• N+M Redundancy: M warm standby tools to protect N active tools
• N+1 Redundancy: a single warm standby tool to protect N active tools

Behavior under tool failure
• Standby tool takes over traffic from the failed tool
• Active tool carries traffic again when it recovers
• Failure detected via use of heartbeats

Page 31: Vision one-customer


DETECT FAILURES QUICKLY - RICH HEARTBEATS

Detecting failures
• Heartbeats exist between bypass switch & NPB
• Heartbeats exist between NPB & tool
• Absence of heartbeats indicates failure

Key capabilities
• Predefined heartbeats to match different tools
• Highly customizable heartbeats for tricky situations
• Supports single-stage (blue) or multistage (red) heartbeats
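As an added example (not Ixia's NVOS code), the Python model below captures the N+M behaviour described on the redundancy and heartbeat slides: an active tool that misses a configurable number of consecutive heartbeats is marked failed and its traffic moves to a free warm standby; when its heartbeats return, the active tool takes its traffic back and the standby is freed again. The heartbeat is modelled as an abstract per-round yes/no answer on the NPB-to-tool leg only; the bypass-switch leg and the single-stage/multistage heartbeat formats are not modelled, and the miss threshold of 3 is an assumption for the example.

```python
from dataclasses import dataclass


@dataclass
class Tool:
    name: str
    standby: bool = False   # True for the M warm standby tools, False for the N active tools
    missed: int = 0         # consecutive heartbeat rounds without an answer
    failed: bool = False


class RedundancyGroup:
    """Model of N+M tool redundancy driven by heartbeats (an added example, not Ixia's implementation).

    Each active tool owns a 'slot' of traffic. `assignment` maps slot -> name of the tool currently
    carrying it, or None when every standby is busy and the traffic has nowhere to go."""

    def __init__(self, active, standby, miss_threshold=3):
        self.tools = [Tool(n) for n in active] + [Tool(n, standby=True) for n in standby]
        self.miss_threshold = miss_threshold
        self.assignment = {n: n for n in active}

    def heartbeat(self, answered):
        """Process one heartbeat round. `answered` maps tool name -> True if the tool replied.
        Returns the traffic assignment after failover and recovery have been applied."""
        for tool in self.tools:
            if answered.get(tool.name, False):
                tool.missed = 0
                if tool.failed:
                    tool.failed = False
                    self._recover(tool)
            else:
                tool.missed += 1
                if tool.missed >= self.miss_threshold and not tool.failed:
                    tool.failed = True       # absence of heartbeats indicates failure
                    self._fail(tool)
        self._fill_empty_slots()
        return dict(self.assignment)

    def _free_standby(self):
        busy = set(self.assignment.values())
        for tool in self.tools:
            if tool.standby and not tool.failed and tool.name not in busy:
                return tool.name
        return None

    def _fail(self, tool):
        # Every slot this tool was carrying (its own, or one it covered as a standby) moves on.
        for slot, carrier in self.assignment.items():
            if carrier == tool.name:
                self.assignment[slot] = self._free_standby()

    def _recover(self, tool):
        # A recovered active tool takes its own traffic back, which frees the standby that covered it.
        if tool.name in self.assignment and self.assignment[tool.name] != tool.name:
            self.assignment[tool.name] = tool.name

    def _fill_empty_slots(self):
        # Slots left without a carrier get a standby as soon as one becomes available again.
        for slot, carrier in self.assignment.items():
            if carrier is None:
                self.assignment[slot] = self._free_standby()


if __name__ == "__main__":
    group = RedundancyGroup(active=["IPS-A", "IPS-B"], standby=["IPS-S"])
    a_down = {"IPS-A": False, "IPS-B": True, "IPS-S": True}
    for _ in range(3):
        state = group.heartbeat(a_down)
    print(state)                                                     # {'IPS-A': 'IPS-S', 'IPS-B': 'IPS-B'}
    print(group.heartbeat({"IPS-A": True, "IPS-B": True, "IPS-S": True}))  # back to the original assignment
```

The model makes the trade-off behind the miss threshold visible: a low threshold detects failures quickly but a single lost heartbeat frame causes a needless failover, while a high one lengthens the window in which a dead tool still receives traffic. It also shows why N+1 is only protection against one failure at a time: with a single standby, the second failure leaves a slot with no carrier until something recovers.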

Page 32: Vision one-customer


VISION ONE – SECURITY WITHOUT SACRIFICE

Intelligent
• ATIP: DPI for app awareness
• SSL decryption
• Reliable adv. packet processing
• Supports inline & monitoring
• Terminates physical & vTap traffic

Compact
• 1U high
• Connectivity
– 48 SFP+ for 1G or 10G
– 4 QSFP+ for 4x40G or 16x10G
• Growth via expansion slot

Reliable
• Based on NVOS 4.x
• Redundant, hot swappable power supplies & fans
• NEBS capable

Multiuser ready
• Extensive role-based access control
• Automatic Filter Rule Compiler
• Intuitive GUI
• RESTful API

Page 33: Vision one-customer


#securitywithoutsacrifice

Amplify security without ever changing a cable. See everything. Miss Nothing.