© 2016 IXIA AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | Seminar: IT Security Design der neuen Art (IT Security Design of a New Kind)




OUR HISTORY AND COMPETENCE

Timeline (founding year / date of joining Ixia): 2005 / July 2012; 2002 / June 2012; 1996 / Oct. 2013

Ixia:
> Founded in 1997
> Active testing of IP networks, Wifi, 3G/LTE

Anue Systems:
> Network Visibility: Packet Brokers (NTO)
> Network Testing: Impairment Generator

BreakingPoint:
> Security testing
> Attack analytics

NetOptics:
> Network Visibility: Packet Brokers (xStream), Inline Security (BypassTap), Network Taps

Keysight Technologies:
> April 2017: Ixia becomes part of Keysight Technologies (Ixia Solutions Group)


Visibility Portfolio (offline)


QUESTION

How do they make sure that the millions of dollars that have been spent are paying off in terms of:

Availability: meeting SLAs
Security: potential threats, data loss prevention, vulnerabilities
Compliance: Sarbanes-Oxley, HIPAA, PCI DSS
Performance: end-user experience, troubleshooting, root cause analysis
Trends: capacity planning and scalability


HERE IS THE SOLUTION

Step 1: Deploy Ixia TAPs

Deploy Ixia TAPs within your network architecture, providing you full visibility.


TAP VERSUS SPAN

TAP
- Full-duplex TAPs: no packet loss due to aggregation (each direction of the link gets its own monitor output)
- The simplest optical TAPs are passive splitters, safe as houses, and grow with the network from GE to 100GE
- Copper TAPs are fail-safe even when power is lost (the production link stays up; only monitoring stops)
- Available for all media types: copper 10M, 100M & 1G; optical single mode 1G to 100G, multi mode 1G to 100G, Cisco BiDi

SPAN
- A limited number of SPAN ports forces compromises (multiple tools cannot be used at the same time)
- Has to be configured and maintained (the danger of working on the production network)
- Load-dependent behavior: mirror ports tend to drop packets already at moderate switch load, and a busy full-duplex link cannot be mirrored losslessly onto a single port of the same speed


VIRTUAL NETWORKS

Problem: East-West traffic never leaves the physical server, so it again leads to security, monitoring and compliance risks:
- No visibility
- No audit trail
- No utilization insight

(Diagram: a hypervisor with a virtual switch and three VMs, VM 1 WEB, VM 2 APP and VM 3 DB; the East-West traffic between them (green arrows) is NOT seen by the network monitoring tools.)


VIRTUAL TAP

CloudLens vTap captures inter-VM traffic of interest and sends it to the tools that are already monitoring your physical network. It can also perform basic filtering.

(Diagram: a vTAP service on the vSwitch of ESXi, KVM and Hyper-V hosts forwards the mirrored traffic to the monitoring side over a GRE, VLAN or ERSPAN tunnel, or a custom tunnel.)


HERE IS THE SOLUTION

Step 2: Deploy Ixia CloudLens vTAP

Ixia CloudLens vTaps provide access to the east-west traffic within the same hypervisor.


PROBLEM WITH THE GRANULARITY

Granularity can become very costly because:
> Every TAP requires two tool ports (A>B & B>A)
> Link speed dictates tool speed and performance (very costly for 40G/100G)
> Different tools compete for the same TAP or SPAN port
> If fewer tool ports than TAP or SPAN ports are available, engineers need to re-patch ports (problems with access control/rights & distance)
> Tools are flooded with unnecessary data

In the end a project is dead before it has even started.


HERE IS THE SOLUTION

Step 3: Deploy Ixia Packet Broker

Ixia Vision Packet Broker:
> aggregates SPAN, TAP and tool ports
> filters & forwards only the relevant data
> provides Advanced (AFM) and ATIP features
> optimizes tool performance


CENTRALIZED SOLUTION


DISTRIBUTED SOLUTION WITH CLUSTERING


USE CASE – VISIBILITY PER TOP OF RACK

Ixia VisionEdge Series
• Ports from 1G to 100G
• Filtering up to L4
• Single or multiple tools can be connected
• Tap the top-of-rack switches with a few taps

(Diagram: top-of-rack switches tapped into a VisionEdge unit that feeds the tools farm.)


USE CASE – HIGH DENSITY LEAF-SPINE

Ixia VisionEdge Series
• Ports from 1G to 100G
• Filtering up to L4
• Clustering support to move network traffic to central tools
• Medium-scale data center
• Multiple racks and leaf-spine topology
• Redundant paths to tap

(Diagram: a leaf-spine fabric tapped into clustered VisionEdge units managed by a Fabric Controller, feeding the tools farm.)


VISIBILITY INTELLIGENCE STACKS

SecureStack
• Passive SSL decryption
• Active SSL (Q2 2017)

NetStack (~NPB basics)
• 3 stages of filtering
• Dynamic Filter Compiler
• Double your ports
• VLAN tagging
• Aggregation & replication
• Load balancing

PacketStack (~AFM)
• Deduplication
• Header stripping & protocol trimming
• Timestamping
• Data masking
• GRE tunneling
• Burst protection

AppStack (~ATIP)
• Application & RegEx filtering
• Geolocation & tagging
• Real-time dashboard
• NetFlow & IxFlow®
• Data masking +
• PCAP


PACKETSTACK (AFM)

Advanced Packet Processing (AFM) features, implemented in hardware on the NPB:
• Deduplication
• Header stripping
• Packet trimming
• Data masking
• Tunnel termination
• Timestamping
• Burst protection

Filter examples from the slide: "All unique frames going to 10.0.0.0/8" (deduplication combined with a destination filter) and "Only the first 128 bytes of TCP port 25 frames" (packet trimming: the tool still gets the headers, the mail body never leaves the broker).


PACKETSTACK (AFM)

1. Assign AFM bandwidth
> to a network port or tool port
> or to a dynamic filter
2. Configure & combine
> Multiple functions at the same
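A software model of the two filter examples on the PacketStack slide above (all unique frames going to 10.0.0.0/8; only the first 128 bytes of TCP port 25 frames), combined in one pipeline the way step 2 describes. This is an added example, not Ixia code and not the AFM configuration syntax: the sample frames are constructed inline, and the dedup window size, the SHA-256 digest and the masking of TTL and IP header checksum before hashing are this example's own choices (hardware dedup has its own field masks and uses a time window rather than a packet count).

```python
import hashlib
import ipaddress
import struct
from collections import OrderedDict

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header without options
TCP_HDR = struct.Struct("!HHIIBBHHH")       # 20-byte TCP header without options
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TTL_OFFSET = ETH_HDR.size + 8               # IPv4 TTL byte inside the frame
IPCSUM_OFFSET = ETH_HDR.size + 10           # IPv4 header checksum inside the frame


def build_frame(src_ip, dst_ip, sport, dport, payload, ttl=64):
    """Constructed sample input: Ethernet/IPv4/TCP frame with zeroed checksums (enough for this demo)."""
    tcp = TCP_HDR.pack(sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(tcp), 0, 0, ttl, PROTO_TCP, 0,
                       ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth = ETH_HDR.pack(b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02", ETHERTYPE_IPV4)
    return eth + ip + tcp


def parse(frame):
    """Return (dst_ip, proto, sport, dport) for IPv4; ports are None unless TCP/UDP; None if not IPv4."""
    if len(frame) < ETH_HDR.size + IPV4_HDR.size:
        return None
    if ETH_HDR.unpack_from(frame, 0)[2] != ETHERTYPE_IPV4:
        return None
    ver_ihl, _, _, _, _, _, proto, _, _, dst = IPV4_HDR.unpack_from(frame, ETH_HDR.size)
    l4 = ETH_HDR.size + (ver_ihl & 0x0F) * 4
    dst_ip = str(ipaddress.IPv4Address(dst))
    if proto not in (PROTO_TCP, 17) or len(frame) < l4 + 4:
        return dst_ip, proto, None, None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return dst_ip, proto, sport, dport


class AfmPipeline:
    """Dedup window -> destination filter -> port-based trimming, applied to each ingress frame."""

    def __init__(self, dst_net, trim_port, trim_len, window=1024):
        self.dst_net = ipaddress.ip_network(dst_net)
        self.trim_port, self.trim_len, self.window = trim_port, trim_len, window
        self._seen = OrderedDict()      # bounded FIFO of digests of recently forwarded frames

    @staticmethod
    def _dedup_key(frame):
        # Copies of one packet taken before and after a router differ in TTL and IP checksum;
        # mask those so they still count as duplicates (this example's mask, not the AFM's).
        key = bytearray(frame)
        if len(key) >= ETH_HDR.size + IPV4_HDR.size and ETH_HDR.unpack_from(key, 0)[2] == ETHERTYPE_IPV4:
            key[TTL_OFFSET] = 0
            key[IPCSUM_OFFSET:IPCSUM_OFFSET + 2] = b"\x00\x00"
        return hashlib.sha256(key).digest()

    def _is_duplicate(self, frame):
        digest = self._dedup_key(frame)
        if digest in self._seen:
            return True
        self._seen[digest] = None
        if len(self._seen) > self.window:
            self._seen.popitem(last=False)
        return False

    def process(self, frame):
        """Return the frame as it would leave the tool port, or None if it is dropped."""
        if self._is_duplicate(frame):
            return None
        meta = parse(frame)
        if meta is None:
            return None
        dst_ip, _, sport, dport = meta
        if ipaddress.IPv4Address(dst_ip) not in self.dst_net:
            return None
        if self.trim_port in (sport, dport):
            return frame[: self.trim_len]          # headers plus the start of the payload only
        return frame


def run_demo():
    """Replays constructed ingress: SMTP seen at two taps (TTL differs), HTTP seen twice, one flow leaving 10/8."""
    afm = AfmPipeline("10.0.0.0/8", trim_port=25, trim_len=128)
    mail = b"MAIL FROM:<a@example.test>\r\n" + b"X" * 300
    smtp = build_frame("10.1.1.1", "10.2.2.2", 40000, 25, mail)
    smtp_after_router = build_frame("10.1.1.1", "10.2.2.2", 40000, 25, mail, ttl=63)
    http = build_frame("10.1.1.1", "10.3.3.3", 40001, 80, b"GET / HTTP/1.1\r\n")
    leaving = build_frame("10.1.1.1", "192.0.2.9", 40002, 25, b"EHLO\r\n")
    egress = []
    for frame in (smtp, smtp_after_router, http, leaving, http):
        out = afm.process(frame)
        if out is not None:
            egress.append(out)
    return egress


if __name__ == "__main__":
    for f in run_demo():
        print(len(f), parse(f))
```

Running it leaves two frames on the tool port: the SMTP frame cut to 128 bytes (its second copy, taken behind the router with a lower TTL, was recognised as a duplicate) and the HTTP frame; the frame leaving 10/8 is dropped by the destination filter.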


APPSTACK (ATIP)

• ATI Processor (ATIP): context-rich application visibility
• Application forwarding based on application, geography and RegEx matching
• Real-time dashboard
• Rich NetFlow / IPFIX generation, including
> device OS
> browser
> geolocation
• Data masking
> dynamic (RegEx)

Examples of application brokering, app filtering and metadata on the NPB: "All traffic from Georgia"; "All voice traffic from HTC Ones"; "Someone from S. Africa watching House of Cards on Netflix on an iPhone on Vodacom's network".


SECURE STACK – SPYGLASS

Challenge: it is extremely expensive to inspect encrypted traffic at volume and speed! Encrypted traffic is expected to be 75% of all traffic by the end of 2017.


HIGH PERFORMANCE ACTIVE SSL INSPECTION

• New high-performance application module for Vision ONE and Vision 7300
• Dedicated cryptographic processor
• Integrated with inline support on NTO
• Both inline and passive tool support
• Policy-based SSL inspection with URL categorization

Note the difference from the passive decryption of the SecureStack: passive decryption of a copied stream only works when the server's private key is available to the broker and the session uses RSA key exchange. Forward-secret (EC)DHE suites require the active (inline) mode, which terminates the session and re-encrypts it towards the client, so clients must trust the inspection CA.


USE CASE – HIGH DENSITY WITH ADVANCED PACKET PROCESSING FOR TOOL OPTIMIZATION

Vision ONE / Vision 7300 (control tower) benefits
• Advanced packet processing
> de-duplication, trimming, stripping
> L7 filtering, SSL decryption, NetFlow generation
• Single pane of glass UI with Ixia Fabric Controller (IFC)
• Medium-scale data center
• Multiple racks and leaf-spine topology

Ixia VisionEdge Series
• Ports from 1G to 100G
• Filtering up to L4
• Aggregates lots of ports

(Diagram: VisionEdge units at the edge feeding a Vision ONE / 7300 in front of the tools farm.)


USE CASE – ULTRA SCALE WITH ADVANCED PACKET PROCESSING FOR TOOL OPTIMIZATION

Vision 7300 (control tower) benefits
• Advanced packet processing (terabits/s)
> de-duplication, trimming, stripping
> L7 filtering, SSL decryption, NetFlow generation
• Single pane of glass UI with Ixia Fabric Controller (IFC)
• Massive-scale data center
• 100s of 10/40/100G taps required

Ixia VisionEdge Series
• Ports from 1G to 100G
• Filtering up to L4
• Aggregates lots of ports

(Diagram: VisionEdge units at the edge feeding a Vision 7300 in front of the tools farm.)


Security Portfolio (inline)


INLINE VERSUS OUT OF BAND

Out of band
- The tool receives only copies of the link traffic
- A defective tool does not take the link down
- Tools: APM, NPM, VoIP analyzer, DLP, SIEM, IDS, sandboxing
- TAP: electrical or optical, 10M to 100G

Inline
- The tool sits in the link
- A defective tool does take the link down
- Tools: NGFW, IPS


BYPASS REGULAR OPERATION (BYPASS=OFF)

Bypass tap (1)
• A heartbeat packet sent through the IPS path verifies the path end to end and preserves the link state towards the IPS; once heartbeats stop coming back, the bypass takes the tool out of the path
• Protects against power, link and application failure
• Provides flexibility for upgrades, moves, etc.


ANY ADVANTAGE BY ADDING A PACKET BROKER?

Spare unit
• "Jumps in" if any of the production units has an issue
• Keeps the security index up (no more 100% or nothing)

Load balancing
• Load-balances the link bandwidth across the tools of one load-balance group
• Cost-effective solution (multiple 1G IPS units are cheaper than a single 10G IPS)


AND EVEN MORE ADVANTAGES BY ADDING A PACKET BROKER

Redirect packets
• Traffic that does not need to be inspected by the inline tools can be redirected straight back into the link
• Offloads the security tools from unwanted traffic
• Better resource management
• Caveat: whatever matches the redirect filter is never seen by the IPS, so treat that filter like a firewall rule: keep it narrow and review it

Inline SSL decryption
• Powerful 10 Gbit/s bidirectional inline SSL decryption
• Offloads decryption from the tools (better performance and less delay at lower cost)


SEAMLESS INTEGRATION OF NEW SECURITY TOOLS

Phase 1
• New security tools receive only copies of the link packets
• Security teams can get familiar with the tool's behavior

Phase 2
• Seamless inline integration once the security teams are confident with the new tool


WHAT IF I HAVE MULTIPLE LINKS TO THE WORLD?

The packet broker:
• Maintains link affinity: packets from each link are assured to be delivered back to that same link
• Load-balances all packets with session affinity across the individual tools in the load-balance group (LBG), so both directions of a session reach the same tool
• Switches to standby units in case of an issue with the production units
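The session affinity, link affinity and standby behaviour described on this slide and on the spare-unit/load-balancing slide above, as an added example in Python. It is not Ixia code: the tool names, the VLAN ids used to mark the ingress link on the tool-facing side, the SHA-256 slot hashing and the 40 constructed sessions are this example's assumptions. The point it shows is that the hash is direction-independent, that the return link is decided by the tag rather than by the addresses, and that a spare taking over one slot does not reshuffle the sessions on the other tools.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int
    sport: int
    dport: int


def session_key(flow):
    """Direction-independent 5-tuple: client->server and server->client yield the same key,
    so both halves of a session reach the same IPS (session affinity)."""
    lo, hi = sorted([(flow.src_ip, flow.sport), (flow.dst_ip, flow.dport)])
    return f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}|{flow.proto}".encode()


class LoadBalanceGroup:
    """Production tools occupy numbered slots; a flow hashes to a slot. A standby unit
    takes over a failed unit's slot, so flows on the other slots are not reshuffled."""

    def __init__(self, production, standby):
        self.slots = list(production)
        self.standby = list(standby)
        self.failed = set()

    def pick(self, flow):
        digest = hashlib.sha256(session_key(flow)).digest()
        return self.slots[int.from_bytes(digest[:8], "big") % len(self.slots)]

    def mark_failed(self, tool):
        """Spare 'jumps in' (the slide's words) for the unit that failed; returns the spare's name."""
        if not self.standby:
            raise RuntimeError(f"no standby left to replace {tool}")
        slot = self.slots.index(tool)
        spare = self.standby.pop(0)
        self.slots[slot] = spare
        self.failed.add(tool)
        return spare


class InlineBroker:
    """Link affinity: the ingress link is encoded in a VLAN tag on the tool-facing side
    (the VLAN ids are this example's assumption), and that tag, not the IP addresses,
    decides which network link the packet goes back out on after the IPS."""

    def __init__(self, links, lbg):
        self.link_vlan = {name: 1001 + i for i, name in enumerate(links)}
        self.vlan_link = {v: k for k, v in self.link_vlan.items()}
        self.lbg = lbg

    def to_tool(self, ingress_link, flow):
        """Network side -> tool side: choose the IPS and tag with the ingress link."""
        return {"tool": self.lbg.pick(flow), "vlan": self.link_vlan[ingress_link], "flow": flow}

    def from_tool(self, tagged, verdict):
        """Tool side -> network side: strip the tag and return to the original link;
        a packet the IPS dropped never comes back, so nothing is forwarded."""
        if verdict != "forward":
            return None
        return {"link": self.vlan_link[tagged["vlan"]], "flow": tagged["flow"]}


def run_demo():
    """Constructed scenario: 40 client sessions to one server over link isp-a, then ips-2 fails."""
    lbg = LoadBalanceGroup(production=["ips-1", "ips-2", "ips-3"], standby=["ips-spare"])
    broker = InlineBroker(links=["isp-a", "isp-b"], lbg=lbg)
    flows = [Flow(f"198.51.100.{i}", "203.0.113.10", 6, 40000 + i, 443) for i in range(1, 41)]
    before = {f: broker.to_tool("isp-a", f)["tool"] for f in flows}
    spare = lbg.mark_failed("ips-2")
    after = {f: broker.to_tool("isp-a", f)["tool"] for f in flows}
    moved = [f for f in flows if before[f] != after[f]]
    return before, after, moved, spare


if __name__ == "__main__":
    before, after, moved, spare = run_demo()
    print(f"{len(moved)} of {len(before)} sessions moved to {spare}; the rest kept their IPS")
```

One design point worth noticing: the slot stays in place when a unit fails, which is what keeps existing sessions on the surviving tools; a naive "hash modulo number of healthy tools" would move a third of all sessions to a different IPS mid-connection and lose their state.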


OK, BUT WHAT IF I HAVE INLINE AND OFFLINE SECURITY TOOLS?

We are happy to help:
• Internally tap whatever out-of-band tool (sandboxing, data recorder, IDS) you want on the packet broker
• The packet broker then sends packet copies from the internally tapped links to the OOB tools
• Use the advanced features (deduplication, packet trimming, header stripping) or ATIP features (application-layer filtering, SSL decryption or NetFlow generation) to your advantage


BUT AN IPS DECIDES WHAT A SANDBOXING UNIT NEEDS TO CHECK

Still not an issue:
• Let the IPS manage the filter settings of the packet broker programmatically through its RESTful API


SINGLE POINT OF FAILURE? NOT WITH HA

Here is the solution:
• Use iBypass VHD switches supporting high availability (HA) and double up the packet broker and tool infrastructure for 100% redundancy
• The advantage of an HA bypass is that it has two links down to the packet brokers. If one of the links fails, the bypass switches the traffic to the other link (the second packet broker and tool chain). Only if both links no longer work does the bypass fail the links open.
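How the heartbeat from the bypass slide above and the two-path behaviour of this slide fit together, as an added example: a simulation, not Ixia firmware. The miss and recovery thresholds, the cycle-based timing and the fail-closed option are this example's assumptions; the slide itself only describes fail-open. The heartbeat has to travel through the tool, not just to it, which is why a hung IPS process is caught the same way as a pulled cable.

```python
from enum import Enum


class PathState(Enum):
    UP = "up"
    DOWN = "down"


class HeartbeatMonitor:
    """One inline path: bypass -> packet broker -> IPS -> packet broker -> bypass.
    The bypass injects a heartbeat frame into the path every cycle and expects it back on
    the other side. Because the frame traverses the tool, a hung IPS application is detected
    just like a dead link or lost power. The thresholds give hysteresis against flapping."""

    def __init__(self, name, miss_limit=3, recover_limit=2):
        self.name = name
        self.miss_limit = miss_limit
        self.recover_limit = recover_limit
        self.misses = 0
        self.hits = 0
        self.state = PathState.UP

    def observe(self, heartbeat_returned):
        if heartbeat_returned:
            self.misses = 0
            self.hits += 1
            if self.state is PathState.DOWN and self.hits >= self.recover_limit:
                self.state = PathState.UP
        else:
            self.hits = 0
            self.misses += 1
            if self.misses >= self.miss_limit:
                self.state = PathState.DOWN
        return self.state


class HaBypassSwitch:
    """HA bypass with two paths to two packet brokers. Traffic uses the first path that is up;
    only when both are down does the switch leave the inline chain: fail-open forwards the
    link traffic uninspected, fail-closed drops the link. Which one is right is a policy
    decision made when the bypass is configured (the slide describes fail-open)."""

    def __init__(self, primary, secondary, fail_open=True):
        self.paths = [primary, secondary]
        self.fail_open = fail_open

    def route(self):
        for path in self.paths:
            if path.state is PathState.UP:
                return path.name
        return "bypass-open" if self.fail_open else "bypass-closed"

    def cycle(self, primary_ok, secondary_ok):
        """One heartbeat cycle: feed the echo results to both monitors, then decide the path."""
        self.paths[0].observe(primary_ok)
        self.paths[1].observe(secondary_ok)
        return self.route()


# Constructed scenario, one tuple per heartbeat cycle: (primary echoed?, secondary echoed?).
# Cycles 3-5: the primary chain hangs; 6-8: the second chain also fails; 9-10: primary returns.
EVENTS = [(True, True), (True, True), (False, True), (False, True), (False, True),
          (False, False), (False, False), (False, False), (True, False), (True, False)]


def simulate(events=EVENTS, fail_open=True):
    """Return the path decision after every cycle."""
    switch = HaBypassSwitch(HeartbeatMonitor("pb-1"), HeartbeatMonitor("pb-2"), fail_open)
    return [switch.cycle(p, s) for p, s in events]


if __name__ == "__main__":
    for n, decision in enumerate(simulate(), 1):
        print(f"cycle {n:2d}: {decision}")
```

Two things the simulation makes visible that a diagram does not: the link keeps flowing through pb-1 for two cycles after the first missed heartbeat (the miss threshold is the price of not flapping on a single lost frame), and after both chains are gone the choice between "bypass-open" and "bypass-closed" is the moment the network is either unprotected or unavailable, so that setting deserves the same sign-off as the IPS policy itself.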


AND HERE IS THE FULL PICTURE

• A single Ixia packet broker can handle inline as well as offline applications.


CloudLens


INTRODUCING CLOUDLENS

Visibility across all your cloud environments: public, private and hybrid clouds.

CloudLens Private (branch office, virtual DC, private cloud): CloudLens vTap, CloudLens vPB, CloudLens vATIP
CloudLens Public: public cloud


VIRTUAL DATACENTER VISIBILITY

Virtual traffic visibility
• Provides visibility into the data center network (inline / out of band)
• Inter-VM traffic monitoring
• Multiple hypervisor support (ESXi, KVM, Hyper-V, OpenStack)
• vSwitch/router agnostic (VSS, vDS, Cisco Nexus)
• GRE, VLAN and ERSPAN protocols
• Monitoring tool agnostic
• Centralized management

Inter-VM, east-west traffic monitoring: no blind spots.

(Diagram: the vTAP service on the vSwitch of ESXi, KVM and Hyper-V hosts, a monitoring host and a monitoring probe (Radcom), all under the CloudLens Manager; the mirrored traffic leaves over a GRE, VLAN, ERSPAN or custom tunnel, with NetFlow, geo-location, time stamping, deduplication and header stripping applied, and reaches physical end-point tools for traffic analysis (IPS/IDS, DLP, FireEye, Splunk, Scrutinizer, ntop) as NetFlow or full packets via the vGSC.)
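The GRE and ERSPAN encapsulation that the vTap slide and this slide list as the transport from the vSwitch to the monitoring host, built and parsed byte by byte as an added example. This is not CloudLens code: the header layouts follow RFC 2784/2890 (GRE) and ERSPAN Type II, while the mirrored frame, the tunnel addresses, session id 7 and VLAN 100 are constructed for the demo. Keep in mind when designing the path that neither GRE nor ERSPAN authenticates or encrypts anything: the tunnel carries plaintext copies of production traffic and belongs on a dedicated monitoring network, and the receiving tool should check the session id rather than accept any GRE packet it is sent.

```python
import ipaddress
import struct

GRE_PROTO_TEB = 0x6558       # Transparent Ethernet Bridging: a raw Ethernet frame inside GRE
GRE_PROTO_ERSPAN2 = 0x88BE   # ERSPAN Type II
GRE_FLAG_CSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000
IPPROTO_GRE = 47


def gre_encap(payload, proto, key=None, seq=None):
    """GRE header (RFC 2784/2890): 16-bit flags/version, 16-bit protocol, optional key and sequence."""
    flags = (GRE_FLAG_KEY if key is not None else 0) | (GRE_FLAG_SEQ if seq is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr + payload


def gre_decap(buf):
    """Return (proto, key, seq, inner payload); rejects the checksum option this example never builds."""
    flags, proto = struct.unpack_from("!HH", buf, 0)
    if flags & GRE_FLAG_CSUM:
        raise ValueError("GRE checksum option not handled")
    off, key, seq = 4, None, None
    if flags & GRE_FLAG_KEY:
        key = struct.unpack_from("!I", buf, off)[0]
        off += 4
    if flags & GRE_FLAG_SEQ:
        seq = struct.unpack_from("!I", buf, off)[0]
        off += 4
    return proto, key, seq, buf[off:]


def erspan2_encap(frame, session_id, vlan, seq, cos=0, index=0):
    """ERSPAN Type II: GRE with the S bit set and proto 0x88BE, then an 8-byte ERSPAN header:
    Ver(4)=1 | VLAN(12) | COS(3) | En(2) | T(1) | Session ID(10) ; Reserved(12) | Index(20).
    En=0 and T=0: the original frame carried no VLAN tag and was not truncated."""
    word0 = (1 << 28) | ((vlan & 0xFFF) << 16) | ((cos & 0x7) << 13) | (session_id & 0x3FF)
    word1 = index & 0xFFFFF
    return gre_encap(struct.pack("!II", word0, word1) + frame, GRE_PROTO_ERSPAN2, seq=seq)


def erspan2_decap(gre_buf):
    """What the receiving tool does: validate, then pull out session metadata and the mirrored frame."""
    proto, _, seq, body = gre_decap(gre_buf)
    if proto != GRE_PROTO_ERSPAN2 or seq is None:
        raise ValueError("not an ERSPAN Type II packet")
    word0, word1 = struct.unpack_from("!II", body, 0)
    if word0 >> 28 != 1:
        raise ValueError("unsupported ERSPAN version")
    return {"session_id": word0 & 0x3FF, "vlan": (word0 >> 16) & 0xFFF, "cos": (word0 >> 13) & 0x7,
            "seq": seq, "index": word1 & 0xFFFFF, "frame": body[8:]}


def ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_gre(src, dst, gre_payload, ttl=64):
    """Outer IPv4 packet (protocol 47) from the vTAP host to the monitoring host, DF set."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre_payload), 0, 0x4000, ttl, IPPROTO_GRE, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + gre_payload


# Constructed mirrored frame: Ethernet header plus a short IPv4/TCP stub (what the vSwitch hands the vTAP).
MIRRORED_FRAME = (b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
                  + b"\x45\x00\x00\x1c\x00\x01\x00\x00\x40\x06\x00\x00"
                  + bytes([10, 1, 1, 1]) + bytes([10, 2, 2, 2]) + b"\x9c\x40\x01\xbb\x00\x00\x00\x00")


def run_demo():
    """Mirror one inter-VM frame two ways: plain GRE (TEB, key 7) and ERSPAN Type II (session 7, seq 42)."""
    teb = ipv4_gre("192.168.100.11", "192.168.100.250", gre_encap(MIRRORED_FRAME, GRE_PROTO_TEB, key=7))
    erspan = ipv4_gre("192.168.100.11", "192.168.100.250",
                      erspan2_encap(MIRRORED_FRAME, session_id=7, vlan=100, seq=42))
    return teb, erspan
```

Written to a pcap, either packet dissects in Wireshark as IP/GRE with the inner Ethernet frame; the ERSPAN variant additionally carries the session id and sequence number the tool can use to spot dropped mirror packets, which plain GRE without the S bit cannot tell you.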


HOW CLOUDLENS WORKS

Secure visibility path: the Ixia CloudLens Public management layer configures filtering at the source; the filtered traffic is securely sent from the instance to the monitoring, security and performance tools.


ARCHITECTURE DESIGN HYBRID CLOUD


IXIA SOLUTIONS FOR THE ARCHITECTURE DESIGN: IXIA FLEXTAP

Ixia taps are available for all media types:
Copper: 10M, 100M & 1G
Optical: single mode & multi mode 1G to 100G, Cisco BiDi


IXIA SOLUTIONS FOR THE ARCHITECTURE DESIGN: IXIA CLOUDLENS

• Inter-VM traffic monitoring
• Multiple hypervisor support (ESXi, KVM, Hyper-V, OpenStack)
• vSwitch/router agnostic (VSS, vDS, Cisco Nexus)
• GRE, VLAN and ERSPAN protocols


IXIA SOLUTIONS FOR THE ARCHITECTURE DESIGN: IXIA CLOUDLENS (PUBLIC CLOUD)

• AWS support
• SaaS web interface where cloud visibility is managed
• Docker-based component that sits within the source and tool instances in a customer's environment
• Filtered traffic securely sent from instance to tool


IXIA SOLUTIONS FOR THE ARCHITECTURE DESIGN: IXIA PACKET BROKER

• Aggregation & filtering up to the application level
• Packet processing (trimming, stripping, de-duplication)
• SSL decryption, NetFlow generation
• Web-based user interface


SO WHAT DO I NEED FROM IXIA?

Only four things: Tap, Bypass, Packet Broker and CloudLens.


IXIA FLEX TAP

- 1G/10G/40G/100G (LR & ER): single mode, LC connector; split ratio 50/50, 60/40, 70/30, 80/20 & 90/10
- 1G (SX): multi mode, LC connector, 62.5 µm; split ratio 50/50, 60/40, 70/30, 80/20 & 90/10
- 1G (SX) & 10G (SR): multi mode, LC connector, 50 µm; split ratio 50/50, 60/40, 70/30 & 80/20
- 40G (MR4): multi mode, LC connector, 50 µm; split ratio 70/30
- 40G (SR4): multi mode, MTP connector, 50 µm; split ratio 50/50 & 70/30
- 40G (Cisco BiDi): multi mode, 50 µm; split ratio 50/50
- 100G (SR10): multi mode, MTP connector, 50 µm; split ratio 50/50 & 70/30

The split ratio is the share of light left on the network link versus the share sent to the monitor port; an asymmetric ratio keeps more of the optical budget on the production link at the price of a weaker monitor signal, so check the link budget on both sides before choosing one.


IXIA BYPASS SWITCH

- iBypass 40-10 (4x10G)
- iBypass 10G
- iBypass 3
- iBypass VHD
- iBypass HD


WHO IS WHO OF IXIA PACKET BROKER


Break


Front Line Defence: ThreatARMOR


IS A SECURITY TEAM WITH HIGH-QUALITY TOOLS BEHIND EVERY SECURITY BREACH


BUT ON AVERAGE, ONLY 29% OF ALERTS RECEIVED ARE INVESTIGATED*

WHY?

*Ponemon 2016 State of Malware Detection & Prevention


THE INTERNET IS FULL OF GOOD AND BAD TRAFFIC


HAMMERING YOUR COMPANY’S SECURITY INFRASTRUCTURE


THE CONSTANT BARRAGE OF NETWORK PROBES AND SCANS CREATES A LOT OF NOISE AND HIDES CRITICAL EVENTS


BUT THERE IS A SOLUTION…


NOW YOU CAN FILTER OUT KNOWN BAD IPs


…AND COMPLETELY REMOVE UNTRUSTED COUNTRIES


MAKING YOUR SECURITY TOOLS MORE EFFICIENT


INTRODUCING


ThreatARMOR FROM IXIA

ThreatARMOR is a threat intelligence gateway. It blocks known-bad IPs and eliminates untrusted countries, reducing alert fatigue and false positives.


HOW ThreatARMOR COMPLEMENTS YOUR SECURITY DEPLOYMENT


HOW MANY BAD IPs CAN MY SECURITY DEVICE BLOCK?

Entry-level NGFW: 10,000 IP ranges
High-end NGFW: 40,000 IP ranges
ThreatARMOR: 4,294,967,296, i.e. every IP on the (IPv4) Internet, individually evaluated with no performance hit

(Chart labels for what the lists cover: hijacked IPs, top 5 botnet countries, top 10 botnet countries, ATI Rap Sheets, bogons.)

(Chart: web transaction rate, NGFW alone about 2000 versus NGFW + ThreatARMOR about 3500, on a 0 to 4000 scale.)

Next-gen firewalls are optimized for DPI, threat detection, web security and user-based policies. They can typically block 10,000 to 40,000 IP ranges. This is enough to handle a handful of countries and some manual block rules, but not enough to handle the tens of millions of malicious, hijacked and unregistered IP addresses without substantial performance degradation.

ThreatARMOR can block over 4 billion IPs at line rate.

Offloading this large-scale IP blocking to ThreatARMOR increases firewall performance by up to 75%, freeing up resources while enabling more advanced firewall features.


ThreatARMOR BRINGS THREAT INTELLIGENCE TO YOUR NETWORK

ThreatARMOR appliance: set, select and forget. Auto-updates every 5 min. Maximum reliability.
ThreatARMOR Rap Sheets: clear proof for every blocked site.
Ixia ATI Research Center: professional-grade threat intelligence.


HOW IS ThreatARMOR DIFFERENT?

High performance
• Purpose-built to hold every IP address on the Internet
• Guaranteed line-rate performance while blocking the full ATI Rap Sheet database
• Scales with no performance impact from blocking one, one thousand or one billion IP addresses

High resiliency
• Built for maximum reliability
• Dual redundant power supplies
• Integrated bypass NIC
• Field-replaceable SSD
• Serial console capability


DEPLOY ThreatARMOR IN 30 MINUTES: EASY TO CONFIGURE

1. Connect power and Ethernet cables
2. Pick "Report Only" or "Blocking Mode"
3. Walk away, it updates automatically

• Criminal site blocking is automatic
• Geo-blocking is optional
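What "every IP individually evaluated with no performance hit", the Report Only / Blocking Mode choice and optional geo-blocking look like in code, as an added example. This is not ThreatARMOR code and not its feed format: it is a longest-prefix-match blocklist with one hash table per prefix length, loaded with real bogon ranges plus rap-sheet and country prefixes constructed from the RFC 5737 documentation ranges. A hardware appliance can afford a full 2^32-entry table; this version instead keeps the lookup cost independent of the list size, which is the property that matters when the list grows from one entry to hundreds of millions.

```python
import ipaddress
from collections import Counter
from enum import Enum


class Mode(Enum):
    REPORT_ONLY = "report"   # evaluate and log, forward everything
    BLOCKING = "block"       # evaluate and drop hits


# _MASK[p] keeps the top p bits of an IPv4 address, i.e. the network part of a /p prefix.
_MASK = [(0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF for p in range(33)]

# Real bogon/reserved space (RFC 1918, RFC 1122 "this" network, class E); the complete bogon
# list is longer, this is enough for the demonstration.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4"]


class ThreatGateway:
    """Longest-prefix-match blocklist kept as one hash table per prefix length. A lookup is
    at most 33 probes whether the list holds one prefix or hundreds of millions, which is
    the property the slide calls 'no performance impact from blocking one or one billion'."""

    def __init__(self, mode, geo_block=()):
        self.mode = mode
        self.geo_block = set(geo_block)               # geo-blocking is optional, opt in per country
        self._tables = [dict() for _ in range(33)]    # prefixlen -> {network as int: reason}
        self.stats = Counter()
        for cidr in BOGONS:                            # bogons and criminal sites are always on
            self.add(cidr, "bogon")

    def add(self, cidr, reason):
        net = ipaddress.ip_network(cidr, strict=False)
        self._tables[net.prefixlen][int(net.network_address)] = reason

    def load_rap_sheets(self, entries):
        """entries: iterable of (cidr, evidence label), this example's stand-in for a rap sheet feed."""
        for cidr, label in entries:
            self.add(cidr, "rap-sheet:" + label)

    def load_geo(self, country_prefixes):
        for country, prefixes in country_prefixes.items():
            if country in self.geo_block:
                for cidr in prefixes:
                    self.add(cidr, "geo:" + country)

    def match(self, ip):
        """Most specific matching prefix as (reason, prefixlen), or None."""
        n = int(ipaddress.IPv4Address(ip))
        for plen in range(32, -1, -1):
            reason = self._tables[plen].get(n & _MASK[plen])
            if reason is not None:
                return reason, plen
        return None

    def evaluate(self, ip):
        """Verdict for one connection. Evaluate the source for inbound traffic and the
        destination for outbound, so callbacks to a C2 server are caught on the way out."""
        hit = self.match(ip)
        if hit is None:
            self.stats["allow"] += 1
            return "allow"
        action = "block" if self.mode is Mode.BLOCKING else "report"
        self.stats[(action, hit[0])] += 1
        return action


# Constructed feed and traffic using documentation ranges (RFC 5737); not real threat data.
RAP_SHEETS = [("203.0.113.0/24", "botnet-c2"), ("198.51.100.7/32", "phishing")]
GEO_PREFIXES = {"ZZ": ["192.0.2.0/24"]}   # "ZZ" stands in for an untrusted country
CONNECTIONS = ["203.0.113.5", "198.51.100.7", "198.51.100.8", "192.0.2.44", "10.1.2.3", "8.8.8.8"]


def run_demo(mode=Mode.BLOCKING, geo_block=("ZZ",)):
    gw = ThreatGateway(mode, geo_block)
    gw.load_rap_sheets(RAP_SHEETS)
    gw.load_geo(GEO_PREFIXES)
    return [(ip, gw.evaluate(ip)) for ip in CONNECTIONS]


if __name__ == "__main__":
    for ip, verdict in run_demo():
        print(f"{ip:16} {verdict}")
```

Report-only mode produces exactly the same matches and counters as blocking mode while forwarding everything, which is what makes it safe to run first: the dashboard numbers you see in that mode are the alerts that will disappear from the IDS once you switch to blocking.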


Dashboard (screenshot callouts):
• The real-time overview shows countries attempting malicious connections, total throughput and blocked-connection stats
• The dashboard shows top blocked countries, recent blocked IPs with reason, and top traffic countries
• The bottom allowed countries are good candidates for blocking
• Log of recent IP blocks with reason; click on any block for the full Rap Sheet data, including local IP addresses, DNS info, screenshots and checksums


CASE STUDY: SECURITY INTRUSION ALERTS REDUCED BY 80%

ThreatARMOR cuts intrusions and capex (case study: HyperBox, service provider sector)

CHALLENGE: With 3 million attacks on web servers daily, the customer needed a cost-effective, automated defense strategy.
SOLUTION: ThreatARMOR
RESULTS:
• Reduced IDS intrusion detections from 1M to 200K, saving IT significant time due to fewer alerts
• Deferred new capex purchases by maximizing the existing IDS and firewall tools

Better visibility, better security.


ThreatARMOR – YOUR THREAT INTELLIGENCE GATEWAY

IMPROVES YOUR SECURITY PERFORMANCE, FAST!
• BLOCK the unwanted from touching your network
• GET MORE out of your security team and tools
• ENFORCE Ixia's professional-grade Application and Threat Intelligence feed


THANK YOU


SUMMARY

• Ixia Packet Broker
> can be used for inline (security) and offline (visibility) applications at the same time
> allows cost-effective usage of any tool
• Ixia Bypass Switch
> prevents companies from being offline due to a security tool issue
• Ixia Tap
> provides reliable measurement points anywhere in the data center
• Ixia CloudLens
> provides packet-level access in virtual environments
• The infrastructure might be installed for a dedicated monitoring or security project, but once installed it is the base for any additional tools (inline or offline) that need to be attached