www.networkcritical.com
Welcome
Bart Pellegrom Sales Director EMEA
How to gain secure network access for security and monitoring
The Need for Access
Let's imagine you have acquired your shiny new monitoring or
expensive security appliance.
You have done all the hard work and you are so proud that you
have managed to use all your skills to get the best solution
possible.
Then the next morning you open the BOX of your
new appliance and you start wondering!
How do I get my network traffic safely in to this appliance?
All kinds of questions start running
through your brain
• Maybe I need to monitor more links with one appliance
• Maybe I need only specific information out of the traffic
• Maybe I need the same traffic for more than one monitoring
tool
• Maybe I have multiple 1GIG links and your tool is 10GIG
• How do I keep my network up and running when my
monitoring appliance fails or needs to be serviced or updated?
Confident as you are, you quickly think of a
solution
The brilliant idea you get is: let's use a SPAN/mirror port of a switch to
get the data to my appliance.
Then you start thinking again - (yes, you are very smart)
Wait a second, this is wrong, because a switch is made for switching, so if
the switch is too busy the first thing it will do is drop my monitoring data.
No good data, no good monitoring outcome!
I only have one or 2 dedicated ports on a switch for this
There must be a better way!!
Then you remember the story of the Dutchman
about Network TAPs and Packet Brokers
What are TAPs
The highest priority we have is always to make sure your main
link is up and running. Even if we fail, we make sure your
main link is uninterrupted.
We can give you all the data where you want it and how
you want it, under all circumstances, even on highly utilized
links.
Filtered, non-filtered, aggregated, multiplied and more.
[Diagrams: a TAP with ports A, B, C and D on the link between a Router and a Switch]
How to safely connect your monitoring appliances
TAP MODES
Break-Out, Aggregation, Regeneration
Applications That Require Access
• Network Monitoring Solutions
- Netscout (Network General) Sniffer, Astellia,
- Compuware Network Vantage, Fluke – Visual Networks
- Niksun, Agilent, Tektronix, Tekelec etc.
• IDS/IPS Security Solutions
- ISS/IBM, McAfee, TippingPoint
- FireEye
- Enterasys Dragon
- Sourcefire, Juniper
- Computer Associates
• VOIP Monitoring
- Witness Systems
• Content Filtering
- SurfControl, Websense
• Bandwidth & Traffic Management
- Packeteer
Smart Network Access (SmartNA-X™)
• The Smart Network Access (SmartNA-X™) chassis and module
based system is the most flexible and customizable TAP solution
available on the market today.
• All SmartNA-X™ Chassis are built to hold any SmartNA-X™ TAP
module. This flexibility allows you to customize your TAP solution to
your exact specifications, while still leaving room for expansion.
• All TAP modules are hot-swappable, fully configurable and available
with Copper, Single mode Fiber, Multi-mode Fiber or SFP cage ports.
SmartNA-X™
SmartNA-X 10G Network Access is a fully configurable filtering 10G TAP device that provides the following
advanced TAP features:
• World First easy to use web UI with click-n-drag port
mappings
• Fail-safe ports
• Traffic replication and aggregation capabilities
• Flexible port maps
• Advanced packet filtering capabilities, including ability
to filter 10G traffic to continue using 1G tools
• Ability to aggregate 1G links to a 10G port
• SSL secured management interfaces
• SNMP remote status monitoring and alert notifications
• Local or external authentication and authorization via
RADIUS and TACACS+
• Hot-swappable TAP modules
• Optional dual independent PSUs for redundancy protection
against single point power failure
• Three user access levels: Administrator, Operator and
Auditor
SmartNA-X Intelligent Packet Processor (IPP) Card Module
Powerful and flexible Ethernet packet slicing, header stripping and payload
masking module.
• Remove any tunneling protocol to obtain
the un-tunneled traffic for further (filtering) processing
- Such as GRE, GTP(U/C), RTP, VN-Tag, MPLS,
VXLAN, R-SPAN, VLAN
• Modify any bit or byte in the payload of a packet
• Automatic recalculation of CRC
Traffic flows are internal to the SmartNA-X,
and maps are created to and from other ports
in the system in the usual way.
Simply use the SmartNA-X filtering modules to filter the traffic after
modification.
2 x 10GIG Module
4 x 1G Module
Simply the best GUI in the industry
Every king of the jungle can use it!
All ports can be set as TAP or in and out
Just Drag and Drop
Easy filtering
Safe access and safely store your config
SmartNA-X-HD Family
1/10/25/40/100GIG
• 48 Port Advanced Platform
• Mid-span Filtering, Load-balancing, packet slicing, header stripping, Smart Fabric, Single Pane of Glass
Mgmt.
• Hardware based
• Traffic Aggregation & Distribution
• Layer 2/3/4 intelligent filtering (2304 Filters)
• Full Line rate performance
• Software Upgradeable
• Intuitive WEBGUI, and Cisco-style CLI
• TACACS+ and RADIUS Secure Access
Then the story continues
Your boss again has a brilliant idea: he needs to be able to
block the unwanted traffic so he can keep hackers out of the
door. He wants an IPS (Intrusion Prevention System).
You're the man, so again you are in charge.
You start thinking again about what you need, and again you find
your shiny new expensive security appliance.
The story continues
You are more relaxed than last time and have learned your lesson.
While relaxing, you start thinking: how do I connect this device?
Then somehow you think of the Dutchman again
SmartNA-X™ V-Line
SmartNA-X™ V-Line (By-Pass) Solutions
SmartNA™ V-Line Solutions provide network uptime
and availability for proactive in-line appliances.
What are In-Line Appliances?
In-line appliances proactively monitor live network traffic. These appliances change the traffic according to
their role: security device, content filtering device, bandwidth shaper, and/or firewall.
• Intrusion Prevention Systems
- Cisco IPS
- Enterasys Dragon
- Forescout
- IBM: Internet Security Systems (ISS)
- Juniper
- McAfee
- NitroSecurity
- Radware
- Reflex
- Sourcefire
- TippingPoint
• Bandwidth / Traffic Management
- Anagran
- Packeteer
- Procera
- Juniper IDP
• Data Leakage Prevention
- Code Green Networks
- Fidelis Security Systems
- Reconnex
- Tumbleweed
- Voltage
- Websense: Port Authority
• Content/URL Filtering
- 8e6
- Surfcontrol
- Websense
• Proxy Servers
- Blue Coat
• Firewalls
- Cisco
- Juniper
- Symantec
- Palo Alto
Why you should use V-Line Solutions
• Guaranteed Network Uptime
• NO Network Interruption
• Maintenance / Upgrade without network downtime
– Software Application Upgrades
– Security Patches / Updates
– Operating System (OS) Updates & Patches
V-Line Mode
[Diagram: a TAP with ports A, B, C and D on the link between a Router and a Switch]
During normal operation, network traffic is directed
through the In-Line Appliance as if it were installed in-line.
The monitoring ports inject heartbeat packets in between
the 2 monitoring ports, verifying the health of the In-line
appliance. The heartbeat packets are never introduced
into the live network.
V-Line™ mode is a way of safely deploying and
maintaining inline network appliances without risk of
downtime to the Live Network.
The TAP provides extra layers of failsafe for any inline
appliance: by continually checking throughput and
availability, it can seamlessly switch the appliance into or
out of the network path. With the appliance now being
“Virtually In-Line”, it can be freely reconfigured and
rebooted without affecting the Live Network link.
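Added example, not Network Critical's code or the product's actual logic: a small simulation of the heartbeat-driven bypass described above, showing how long live traffic is lost before a failure is detected and how long it then flows uninspected while the appliance is bypassed. The class and function names, the one-heartbeat-per-tick model and both thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass, field

INLINE, BYPASS = "inline", "bypass"

@dataclass
class BypassController:
    fail_after: int = 3      # assumed: consecutive lost heartbeats before bypassing
    restore_after: int = 5   # assumed: consecutive good heartbeats before re-inserting
    state: str = INLINE
    lost: int = 0
    good: int = 0
    transitions: list = field(default_factory=list)

    def on_heartbeat(self, tick, returned):
        """Update state from one heartbeat sent between the two monitoring ports."""
        if returned:
            self.good, self.lost = self.good + 1, 0
        else:
            self.lost, self.good = self.lost + 1, 0
        if self.state == INLINE and self.lost >= self.fail_after:
            self._switch(tick, BYPASS)
        elif self.state == BYPASS and self.good >= self.restore_after:
            self._switch(tick, INLINE)

    def _switch(self, tick, new_state):
        self.transitions.append((tick, self.state, new_state))
        self.state = new_state

def simulate(health_trace, **thresholds):
    """Replay per-tick appliance health; count what happens to live traffic."""
    ctl = BypassController(**thresholds)
    counts = {"inspected": 0, "lost": 0, "uninspected": 0}
    for tick, healthy in enumerate(health_trace):
        if ctl.state == BYPASS:
            counts["uninspected"] += 1   # link stays up, but traffic skips the IPS
        elif healthy:
            counts["inspected"] += 1
        else:
            counts["lost"] += 1          # failure not yet detected by heartbeats
        ctl.on_heartbeat(tick, returned=healthy)
    return counts, ctl.transitions

# Constructed trace: 4 healthy ticks, a 6-tick appliance reboot, 8 healthy ticks.
TRACE = [True] * 4 + [False] * 6 + [True] * 8

if __name__ == "__main__":
    counts, transitions = simulate(TRACE)
    print(counts)
    for tick, old, new in transitions:
        print(f"tick {tick}: {old} -> {new}")
```

A lower fail_after shortens the outage but makes the link flap on a single dropped heartbeat; every tick counted as uninspected is a window in which an IPS is not enforcing, so bypass transitions are worth alerting on (for example via the SNMP notifications listed earlier).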
We bring it all together where you
want it and how you want it
Single Pane
Enterprise Deployment Fabric
[Diagram: 1/10Gbps links connected through TAPs to IDS, Forensic and Analyser tools, with Management]
Wide range of solutions available
Unique and flexible Modular System
SmartNA™ Functionality Versions
SmartNA™ Expansion Control Modules
SmartNA™ Chassis
SmartNA™ TAP Modules
1U chassis, 20 Gigabit Aggregating, Regeneration, Filtering, Routing Backplane
SmartNA™
SmartNA™ equals:
• Any to any, any to many, many to any, many to many
• 10/100/1000 Mb copper, Fiber and SFPs
• Dual power supply (-48 Vdc or 110/220 Vac)
• Remote manageable
• Security (i.e. remote enable, disable ports)
• Up to 20 GB backplane, unique filtering possibilities
• Mix and Match – Hot swappable Modules
Fibre Optical TAPs
• Zero Latency
• No Power
• 100% Safe
• Modular, up to 16 TAPs in a 1U rack
• Breakout Mode only
• Split Ratios: 50/50, 70/30, 60/40, 90/10
• SC and LC Connections
• 850, 1310, 1550 wavelengths
• 1G, 10G, 40G & 100G, OC3 – OC192
When you need the best and smartest way to
safely connect your monitoring and security
solutions, call Network Critical
So remember
The Dutch do not have only tall sales guys
We also have great cheese and other stuff!!
Also remember
Hvala - Thank You!
Questions?