These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

Network Packet Brokers For Dummies®

VSS Monitoring Special Edition

by Steve Piper, CISSP

Network Packet Brokers For Dummies®, VSS Monitoring Special Edition

Published by John Wiley & Sons, Inc., 111 River St., Hoboken, NJ 07030-5774, www.wiley.com

Copyright © 2012 by John Wiley & Sons, Inc., Hoboken, New Jersey

Published by John Wiley & Sons, Inc., Hoboken, New Jersey

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. VSS Monitoring and the VSS Monitoring logo are trademarks or registered trademarks of VSS Monitoring, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, please contact our Business Development Department in the U.S. at 317-572-3205. For details on how to create a custom book for your business or organization, contact [email protected]. For information about licensing the brand for products or services, contact BrandedRights&[email protected].

ISBN 978-1-118-42404-9 (pbk); ISBN 978-1-118-42454-4 (ebk)

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

Publisher’s Acknowledgments

We’re proud of this book and of the people who worked on it. For details on how to create a custom book for your business or organization, contact [email protected]. For details on licensing the brand for products or services, contact BrandedRights&[email protected]. Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Vertical Websites

Development Editor: Kathy Simpson
Project Editor: Jennifer Bingham
Editorial Manager: Rev Mengle
Business Development Representative: Kimberley Schumacker
Custom Publishing Project Specialist: Michael Sullivan

Production

Senior Project Coordinator: Kristie Rees
Layout and Graphics: Carl Byers
Proofreader: Dwight Ramsey
Special Help from VSS Monitoring: Gina Fallon, Andy Huckridge, Tony Zirnoon, Cris Dalesio, Rob Markovich

Publishing and Editorial for Technology Dummies

Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Director, Acquisitions
Mary C. Corder, Editorial Director

Publishing and Editorial for Consumer Dummies

Kathleen Nebenhaus, Vice President and Executive Publisher

Composition Services

Debbie Stailey, Director of Composition Services

Business Development

Lisa Coleman, Director, New Market and Brand Development

Table of Contents

Introduction ... 1
  How This Book Is Organized ... 1
  Icons Used in This Book ... 2

Chapter 1: Starting with the Basics ... 3
  What You Need to Know about Networks ... 3
    Switch SPAN ports ... 4
    Popular network interfaces ... 4
    Common network tools ... 6
  Key Challenges for Distributed Networks ... 7
    Lack of tool access points ... 7
    Limited network visibility ... 7
    Tools that can’t keep up ... 8
    Spiraling costs ... 8
  Potential Solutions ... 8

Chapter 2: Understanding TAPs ... 9
  What Is a TAP? ... 9
  Understanding Types of TAPs ... 11
    Network TAPs ... 11
    Aggregation TAPs ... 12
    Regeneration TAPs ... 12
  Deploying TAPs ... 13
    Inline (or active) versus passive ... 13
    Fail open versus fail closed ... 14
  Common TAP Use Cases ... 15
  TAPs versus Bypass Switches ... 16

Chapter 3: Understanding Network Packet Brokers ... 17
  What Is a Network Packet Broker? ... 17
    TAPs versus NPBs ... 18
    Network intelligence optimization ... 20
    Centralized administration ... 20
  Key NPB Capabilities ... 21
    Fault tolerance ... 21
    Traffic grooming ... 23
    Packet optimization ... 26
  Common NPB Interconnection Designs ... 29
    Daisy chaining ... 29
    Star or hub-and-spoke ... 29
    Mesh system ... 30

Chapter 4: Use Cases for Network Security ... 31
  Common Network Security Tools ... 32
    Passive security tools ... 32
    Active security tools ... 33
  Typical Network Security Deployment Challenges ... 36
    Extending current investment in 1G security tools ... 36
    Safely deploying multiple active security tools in series ... 36
    Gaining complete network visibility ... 37
    Supporting active–passive network configurations ... 37

Chapter 5: Use Cases for Network Performance ... 39
  Common Network Performance Tools ... 39
    Passive performance tools ... 40
    Active performance tools ... 42
  Typical Network Performance Deployment Challenges ... 44
    Deploying active WAN acceleration tools ... 44
    Extending current investment in 1G performance tools ... 45
    Gaining complete network visibility ... 45
    Optimizing tool throughput for efficiency and scale ... 46

Chapter 6: Use Cases for Service Providers ... 47
  Types of Service Providers ... 47
    Mobile network operators (MNOs) ... 48
    Fixed network operators (FNOs) ... 48
    Multiple-system operators (MSOs) ... 48
    Other service providers ... 49
  Common Service Provider Traffic Types ... 49
    OTT and operator-based video services ... 50
    IP telephony ... 50
  Common Service Provider Use Cases ... 50
    4G greenfield deployments ... 51
    3G ATM-to-IP conversion ... 52
    Fixed-line TDM-to-IP conversion ... 52
    Lawful interception / CALEA ... 53
    SLA monitoring ... 53

Chapter 7: Selecting the Right NPB Vendor ... 55
  Step 1: Catalog Bandwidth and Connectivity Requirements ... 56
    Network bandwidth ... 56
    Network connectivity ... 56
  Step 2: Document Your NPB Feature Requirements ... 56
    Administration ... 58
    Fault tolerance ... 58
    Traffic grooming ... 59
    Packet optimization ... 60
    NPB interconnection requirements ... 61
    Future requirements ... 61
  Step 3: Evaluate Potential NPB Vendors ... 62
  Step 4: Select a Vendor ... 62

Chapter 8: Ten Ways to Lower Your Network’s TCO ... 63
  Prevent Tool Oversubscription ... 63
  Alleviate SPAN-Port Contention ... 64
  Solve Your Media-Conversion Challenges ... 64
  Expand the Network Visibility of Your Existing Tools ... 64
  Maximize Network Uptime through Fault Tolerance ... 65
  Increase System Reliability with a Mesh Design ... 65
  Centralize Network and Security Operations ... 65
  Extend the Life of Your Existing Tools ... 66
  Increase Tool Selection Flexibility ... 66
  Plan for Future Growth ... 66

Introduction

Network security and performance tools undertake critical functions to keep your organization’s networks safe and performing optimally. They’re the central nervous system of today’s IP networks, but they’re often oversubscribed and/or lack network visibility.

Network packet brokers (NPBs) enable your tools to perform optimally while providing unprecedented network visibility. Unlike their TAP predecessors, NPBs are sophisticated, high-end devices that provide traffic regeneration, aggregation, load balancing, packet de-duplication, and much, much more.

If you’re tasked with deploying network security and/or performance tools on your organization’s complex, distributed network, then this book is for you.

How This Book Is Organized

This book is organized so that you don’t have to read it cover-to-cover, front to back. You can skip around and read just the chapters that are of interest.

✓ In Chapter 1, Starting with the Basics, I cover computer network-related topics that are essential to understanding how NPBs work, including switch SPAN ports, popular copper and fiber network interfaces, common network security and performance tools, and key challenges for distributed networks. If any of these topics are foreign to you, then you should definitely start here.

✓ Before there were NPBs, there were TAPs. In Chapter 2, Understanding TAPs, I define what a TAP is and then contrast the three basic types of TAPs: network, aggregation, and regeneration. I then describe ways in which TAPs are deployed and discuss common TAP use cases. And finally, I end the chapter by contrasting TAPs with bypass switches.

✓ In Chapter 3, Understanding Network Packet Brokers, I get to the heart of the matter by defining NPBs, contrasting them with basic TAPs, describing the benefits of a network intelligence layer, and exploring key capabilities of today’s leading NPBs.

✓ Chapter 4, Use Cases for Network Security, depicts the most common passive and active network security tools that organizations deploy using NPBs. Here I describe typical network security tool deployment challenges and how NPBs can be used to overcome them.

✓ In Chapter 5, Use Cases for Network Performance, I describe passive and active network performance tools commonly deployed using NPBs. I then discuss typical challenges organizations face when deploying them and how to overcome these challenges using NPBs.

✓ In Chapter 6, Use Cases for Service Providers, I describe different ways service providers can benefit from deploying NPBs to support 3G, 4G, and IP telephony infrastructures.

✓ In Chapter 7, Selecting the Right NPB Vendor, I outline a four-step process you can follow to select an NPB vendor. I also provide a comprehensive checklist you can use to document your NPB requirements.

✓ Chapter 8, Ten Ways to Lower Your Network’s TCO, describes how NPBs can dramatically reduce your capital and operating expenses by interfacing with your mission-critical network security and performance tools.

Icons Used in This Book

This book uses the following icons to indicate special content.

You won’t want to forget the information in these paragraphs.

These paragraphs provide practical advice that will help you craft a better strategy, whether you’re planning a purchase or setting up your software.

Look out! When you see this icon, it’s time to pay attention — you’ll find important cautionary information you won’t want to miss.

Maybe you’re one of those highly detailed people and really need to grasp all the nuts and bolts, even the most techie parts. If so, these tidbits are right up your alley.

Chapter 1

Starting with the Basics

In This Chapter

▶ Getting grounded in network infrastructure

▶ Appreciating key challenges with today’s distributed networks

▶ Recognizing potential solutions

Today, computer networks are at the core of modern communication. All aspects of telecommunications infrastructure are computer-controlled, and telephony increasingly runs over Internet Protocol (IP). Cloud computing, Software as a Service (SaaS), Voice over IP (VoIP), virtualization, smartphones, and tablet computers are among the latest trends facing IT organizations. These technology advancements yield significant business benefits, but also introduce network security and performance risks.

Before you delve into the primary subject of network packet brokers (and TAPs, which I define in Chapter 2), this chapter level-sets your knowledge of network infrastructure components and reviews some of the most basic challenges to modern distributed networks.

What You Need to Know about Networks

Because you’re reading a book on the granular topic of network packet brokers, I’m going to assume that you’re generally knowledgeable about the fundamentals of computer networks, including firewalls, routers, and switches. In this section, though, I give you some background on a few concepts that appear frequently throughout this book.

Switch SPAN ports

Modern switches typically come equipped with one or more interfaces (ports), commonly known as SPAN (Switched Port Analyzer) ports or port mirroring interfaces. SPAN ports copy and aggregate network traffic flowing through all of a switch’s networking interfaces and export that traffic to security and/or performance monitoring tools for analysis.

Popular network interfaces

Network infrastructure, like switches and routers, must support not only the speed of a given network, but also its connectivity. The following sections describe some common network interfaces used in today’s network infrastructure.

10/100 and 10/100/1000 copper

Copper network interfaces represent the lowest common denominator of networks, supporting Ethernet speeds of 10Mbps, 100Mbps, and 1Gbps (also known as Gigabit Ethernet or GigE). Each network cable (typically, a category 5 cable featuring four copper-wire pairs) comes equipped with plastic RJ-45 couplers.

1G fiber

Fiber-optic cabling has become the de facto standard backbone of high-speed networks. 1G fiber is common in small to medium-size businesses and in branch offices of large enterprises. Figure 1-1 depicts a typical 1G fiber connector.

Figure 1-1: 1G fiber cable connector.

10G fiber

10G fiber supports the 10Gbps Ethernet standard and has rapidly become the standard for high-speed networking. 10G fiber is commonly available in SR (short-range multimode fiber) and LR (long-range single-mode fiber) options, and the cables often come with SC (see Figure 1-2) or LC connectors.

Figure 1-2: 10G SR fiber with SC cable connectors.

XFP fiber

XFP is a standard for transceivers in high-speed computer networks that use optical fiber. XFP modules are hot-swappable and support 10G Ethernet, 10G Fibre Channel, synchronous optical networking (SONET), and other interfaces. XFP modules often use an LC fiber connector type (see Figure 1-3) to achieve high density.

Figure 1-3: 10G XFP transceiver.

SFP/SFP+ fiber

SFP is a compact, hot-pluggable transceiver supporting speeds up to 4.25Gbps, typically used for Fast Ethernet or Gigabit Ethernet applications. SFP+ (see Figure 1-4) is an enhanced version of SFP that supports speeds of 1Gbps or 10Gbps. SFP+ is smaller than XFP, enabling greater port density.

Figure 1-4: 10G SFP+ transceiver.

Common network tools

New network security and performance tools have flooded into the market over the past decade. Following are the tools most commonly used in distributed networks today.

See Chapter 2 for an explanation of active and passive tools. Chapter 4 provides a review of common network security tools, while Chapter 5 does the same for performance tools.

Passive network security tools

✓ Intrusion detection systems (IDS)

✓ Network forensics

✓ Network behavior analysis (NBA)

Active network security tools

✓ Intrusion prevention system (IPS)

✓ Next-generation firewalls (NGFW)

✓ Advanced malware protection

✓ Secure web gateways (SWG)

✓ Data loss prevention (DLP)

✓ Distributed denial of service (DDoS) prevention

Passive network performance tools

✓ Network performance monitoring (NPM)

✓ Application performance monitoring (APM)

✓ Unified communications monitoring

✓ Network behavior analysis (NBA)

Active network performance tools

✓ Traffic shaping

✓ WAN optimization controllers (WOC)

✓ Web caching

✓ Application acceleration

Key Challenges for Distributed Networks

Now that you’re familiar with common network interfaces and the tools that plug into them, you’re ready to explore some of the key challenges that plague today’s distributed networks.

Lack of tool access points

Modern network switches typically come equipped with one or two SPAN ports. The problem is that several tools typically need to plug into every SPAN port. This dilemma is commonly referred to as SPAN-port contention.

Limited network visibility

Every network performance and security tool comes equipped with a fixed number of copper and/or fiber interfaces. Although major advancements have occurred in both port density and processing power over the years, it doesn’t take long to max out the interfaces on a given tool. As a result, the tool has limited network visibility, and IT may be forced to invest in additional (often very expensive) tool appliances.

Tools that can’t keep up

Mainstream adoption of 10G fiber has rendered many existing 1G network security and performance tools obsolete — not just because of increased bandwidth requirements, but also because of physically different 1G/10G/40G copper or fiber interfaces. The IT staff is forced to replace perfectly good, functional tools before the end of their useful lives. In other cases, newly acquired tools meet your connectivity needs but not your throughput requirements due to inadequate processing power.

Spiraling costs

All three of the aforementioned challenges are causing capital and operating expenses to spin out of control, because they require companies to purchase additional high-cost tools and hire additional IT personnel to manage them.

Potential Solutions

To solve these challenges, IT departments need intelligent, cost-effective solutions that do all of the following:

✓ Extend the life of existing performance and security tools

✓ Eliminate SPAN-port contention

✓ Expand network visibility and tool availability

✓ Enable 1G tools to interface with 10G networks, and vice versa

I explore such solutions in the next two chapters, starting with basic TAPs in Chapter 2 and moving on to feature-rich network packet broker systems in Chapter 3.

Chapter 2

Understanding TAPs

In This Chapter

▶ Getting acquainted with TAPs

▶ Exploring common TAP use cases

▶ Contrasting TAPs with bypass switches

Before there were network packet brokers (NPBs), there were TAPs. In fact, until market research firm Gartner coined the term network packet broker in 2012, the industry collectively referred to these sophisticated devices as TAPs, or sometimes intelligent or smart TAPs. (Many people in the industry still do.) So because TAPs preceded NPBs, and because TAP functionality is a subset of NPB functionality, it’s only fitting to talk about TAPs first, as I do in this chapter.

First, though, a definition.

What Is a TAP?

A TAP is a hardware device that provides a way to access the data flowing across a computer network, typically for the benefit of network security and performance monitoring tools. The monitored traffic is referred to as the pass-through traffic, and the ports used for monitoring are called monitor ports.

Although some people have attempted to convert TAP to an acronym, it isn’t one. A TAP is analogous to a phone tap. Also, though the term is sometimes spelled tap, it more frequently appears as TAP, so I follow that convention in this book.

Figure 2-1 illustrates the flow of traffic through a TAP. Here, traffic flows in both directions between network ports A and B, while traffic received on network port A is copied to monitoring port A and traffic received on network port B is copied to monitoring port B.

Figure 2-1: TAP conceptual diagram.

TAPs are offered in many form factors with varying port counts and media configurations. Figure 2-2 depicts a selection of TAPs from VSS Monitoring.

Figure 2-2: Sample TAPs.

Understanding Types of TAPs

There are three basic types of TAPs: network, aggregation, and regeneration. Each type performs the basic function of directing copied network traffic to monitoring tools, but the types differ in their ratios of network ports to monitoring ports, as follows:

✓ Network: One-to-one (1:1) relationship

✓ Aggregation: Many-to-one (M:1) relationship

✓ Regeneration: One-to-many (1:M) relationship

In the following sections, I explore these three types in detail.

Network TAPs

Network TAPs are the most basic TAP devices. All network ports (sometimes labeled A and B) have equivalent monitoring ports (also labeled A and B) — that is, they have a 1:1 ratio of network to monitoring ports (as illustrated in Figure 2-1).

Figure 2-3 depicts a basic four-port copper network TAP. Network TAPs are used to tap into network segments to route copied traffic either to a single passive monitoring tool or, more often, to a high-density network packet broker that services multiple (often several) monitoring tools.

Figure 2-3: A four-port copper network TAP.

Aggregation TAPs

Aggregation TAPs are similar to network TAPs, but instead of maintaining a 1:1 ratio of network ports to monitor ports, they support an M:1 (many-to-one) ratio, meaning that a single tool can inspect traffic from multiple network segments.

Figure 2-4 displays a basic five-port copper aggregation TAP that’s capable of aggregating traffic from two inline network segments or four SPAN ports for analysis by a single passive monitoring tool. (For details on inline deployment, see “Deploying TAPs,” later in this chapter.) High-density aggregation TAPs can accommodate many more network inputs and tools.

Figure 2-4: A five-port copper aggregation TAP.

At the end of Chapter 1, I discuss the challenge of working with monitoring tools that have limited network visibility. Aggregation TAPs can help you solve that challenge by enabling a single monitoring tool to inspect traffic from many network segments.

Regeneration TAPs

A regeneration TAP is basically the opposite of an aggregation TAP, in that it maintains a 1:M (one-to-many) ratio of network to monitoring ports. Instead of directing copied traffic from multiple network segments to a single monitoring tool, a regeneration TAP replicates traffic from one network segment to many monitoring tools. Traffic from a single network segment can be inspected by an intrusion detection system (see the next section), recorded by a network forensics probe, and reviewed by a compliance audit scanning probe, all at the same time.

Figure 2-5 displays a 20-port 1G fiber regeneration TAP that’s capable of redirecting copied traffic from one (inline) network segment to up to 12 monitoring tools.

Figure 2-5: A 20-port 1G fiber regeneration TAP.

Deploying TAPs

TAPs can be deployed in a variety of ways to support your network security and performance monitoring tools, as I discuss in this section.

Inline (or active) versus passive

Some security and performance tools are deployed inline, meaning that traffic actively flows into and out of the device so that it can actually alter (or block) the traffic. A classic example of an active security tool is an intrusion prevention system (IPS). In this system, traffic flows continuously into and out of the IPS, and bad traffic (such as malware and exploits) is blocked.

Other tools are passive, meaning that they monitor traffic without actually altering it, triggering alerts based on predefined search criteria. An example of a passive security tool is an intrusion detection system (IDS). Traffic is copied by the TAP and sent to the IDS for analysis, as shown in Figure 2-1 earlier in this chapter, but that traffic terminates at the IDS and doesn’t proceed onward.

Network TAPs can be deployed inline or passively (with switch SPAN ports as input; refer to Chapter 1), but they support only passive monitoring tools. Thus, a TAP can support passive IDS but not active IPS. To support active tools, you need an NPB, which I cover in detail in Chapter 3, or a simpler bypass switch, which I cover at the end of this chapter.

Fail open versus fail closed

All network TAPs (and NPBs) are designed to fail open in the event that the device loses power (see Figure 2-6), so that network ports A and B continue to pass traffic almost as though a contiguous network cable were routed right through the box. A delay of a few milliseconds occurs when copper TAPs fail open; fiber TAPs incorporate fiber optic splitters, so the term fail open doesn’t really apply.

Figure 2-6: TAP triggers a fail-open state. Traffic continues to flow.

Although TAPs support only fail-open configurations, NPBs also support fail-closed configurations. When configured as fail-closed (see Figure 2-7), if an NPB loses power, the network connection is effectively broken, potentially affecting dozens or even hundreds of nodes. Fail-closed configurations are often associated with perimeter firewalls and devices connected to highly sensitive government networks.

Figure 2-7: NPB triggers a fail-closed state. Traffic ceases.

The terms fail open and fail closed have opposite definitions within the realm of electrical engineering. When you’re speaking with IT colleagues, don’t assume that these terms have the same meaning to them.

Be sure to weigh the pros and cons of fail-open and fail-closed conditions with your team to minimize the potential for unwanted consequences.

Common TAP Use Cases

This section explores how TAPs are commonly used in the context of network security and performance monitoring. As you may recall from earlier in this chapter, basic TAPs support only passive monitoring tools, such as IDSs and network probes. Thus, the following TAP use cases apply to passive monitoring tools only:

✓ Creating access points: A monitoring tool can’t inspect what it can’t see. As available SPAN ports may be limited on network switches, network engineers often turn to TAPs to create access points for their security and performance tools. A TAP is strategically placed in the network where maximum network visibility can be achieved, often between a router and a switch. Tools can be plugged into and removed from the TAP’s monitoring ports without affecting the network adversely.

✓ Expanding network visibility: Although a TAP can provide network visibility to a given monitoring tool, an aggregation TAP can provide even greater network visibility by aggregating traffic from several network segments and forwarding it to a single monitoring-tool port, thus vastly improving that tool’s view of the network. This type of TAP is especially useful when the number of network segments to be monitored exceeds the number of ports on the monitoring tool.

When you’re aggregating traffic from multiple network segments to a single monitoring tool, be careful not to exceed the processing capacity of that tool. If you have a 4Gbps IDS, for example, aggregating traffic from ten network segments may result in 10Gbps of traffic, exceeding the capacity of the IDS.

✓ Replicating traffic to multiple tools: Your organization may want to deploy multiple tools to monitor a single (critical) network segment. A regeneration TAP can help by replicating traffic from one network segment to an IDS, network forensics probe, and an application analysis probe — all from one device.

A TAP is designed to either aggregate traffic or replicate (regenerate) traffic — not both. You need an NPB if you wish to perform both functions using the same device, as I discuss in the next chapter.

TAPs versus Bypass Switches

As I discuss earlier in this chapter, TAPs are designed to serve passive monitoring tools only. Two types of alternative devices can serve the needs of active (inline) network security and performance tools: bypass switches and NPBs.

A bypass switch is a hardware device that provides a fail-safe access port for an inline monitoring tool, such as an IPS, firewall, wide-area network (WAN) optimization controller, or unified threat management (UTM) appliance. The bypass switch’s sole purpose is to maintain the flow of network traffic in the event that the attached active tool is no longer functional for any reason (such as power loss or software failure) and can’t continue to process or pass traffic.

An NPB can also redirect traffic in the event that a connected active tool ceases to function, and it offers a far richer feature set to boot — which is a nice segue to the next chapter.

Chapter 3

Understanding Network Packet Brokers

In This Chapter

▶ Comparing NPBs with TAPs

▶ Exploring NPB capabilities

▶ Contrasting three types of NPB interconnection designs

Gartner first coined the term network packet broker in 2012. Before then, the industry collectively referred to these very sophisticated devices as TAPs, or sometimes as Intelligent or Smart TAPs. I agree that such a sophisticated category of network devices deserves a more-impressive name — so much, in fact, that I decided to write this book!

This chapter introduces you to the features and capabilities of network packet brokers — starting with a definition.

What Is a Network Packet Broker?

A network packet broker (NPB) is a network device (typically, a rack-mount appliance) with copper and/or fiber interfaces that directs network traffic from switch SPAN ports (passive configuration) and/or between two connected routers and/or switches (inline configuration) and then manipulates that traffic to allow the more efficient use of network security and performance tools, both inline and passive. (For a refresher on inline and passive configurations, see Chapter 2.)

Every NPB must provide many-to-many port mapping of network ports to monitoring ports and must provide the following basic features (which I describe in detail later in this chapter):

✓ A configuration interface, such as a graphical user interface (GUI) or command-line interface (CLI)

Leading NPB providers generally offer a web-based interface that allows you to centrally configure and monitor NPB devices via a web browser. HTTPS (HTTP with SSL encryption) is often used between the web browser and the NPBs that it configures.

✓ Packet filtering, slicing, and de-duplication

✓ Traffic aggregation, regeneration, and load balancing

✓ Time-stamping

NPB market leaders provide numerous additional capabilities, such as deep packet inspection, port-stamping, conditional packet slicing/masking, and high data-burst buffering. These capabilities are described in detail later in this chapter.

Figure 3-1 depicts a 24-port NPB appliance. Each SFP port can be configured as a network port or monitoring port.

Figure 3-1: Sample NPB appliance.

TAPs versus NPBs

If a TAP were an airplane, it would be a Cessna. If an NPB were an airplane, it would be a Boeing 747. Both single-engine aircraft and jumbo jets get you from point A to point B, but their capabilities, their costs, and even their use cases differ greatly (to say the least).

This analogy, although extreme, helps distinguish a TAP from an NPB. Each type of device takes traffic in and redirects (or copies) that traffic out its monitoring ports, but NPBs are far more sophisticated (and more expensive) than common, everyday TAPs.

Table 3-1 compares the capabilities of TAPs and NPBs. Chapter 2 covers TAPs; for detailed information on NPB features, see “Key NPB Capabilities,” later in this chapter.

Table 3-1 TAP and NPB Capabilities

Key Capabilities                     TAPs   NPBs
Supports passive monitoring tools     ✓      ✓
Full traffic aggregation              ✓      ✓
Traffic regeneration                  ✓      ✓
Supports inline monitoring tools             ✓
Centralized administration                   ✓
Power-loss traffic-flow policies             ✓
Link state mirroring                         ✓
Reboot accelerated failover                  ✓
Health-check packets                         ✓
Selected traffic aggregation                 ✓
Hardware-based packet filtering              ✓
Session-aware load balancing                 ✓
High data-burst buffering                    ✓
Deep packet inspection                       ✓
Packet ordering                              ✓
Time- and port-stamping                      ✓
Packet de-duplication                        ✓
Packet fragment reassembly                   ✓
Conditional packet slicing/masking           ✓
Protocol stripping                           ✓

From this point forward, I focus mainly on NPBs rather than TAPs. Although an NPB can do everything that a TAP can do, an NPB may be overkill for some applications, making a basic TAP far more cost-effective. (See Chapter 2 for common network TAP use cases.)

Network intelligence optimization

As enterprise IT migrates to new technologies ranging from virtualization to cloud computing, the focus increases on making networks faster, more efficient, and more nimble. NPBs add what leading vendors call a network intelligence optimization layer. This layer resides between the network intelligence tools layer (containing network security and performance tools) and the network/cloud switching layer (containing routers and switches), as shown in Figure 3-2.

Figure 3-2: Network intelligence optimization layer.

NPBs in the network optimization layer provide critical mediation functions between security and performance tools and the underlying network infrastructure to make these tools more efficient and effective, and to extend their useful life.

Centralized administration

As I mention in “What Is a Network Packet Broker?” earlier in this chapter, an NPB should offer a GUI or CLI to perform basic device configuration. Leading NPB vendors also provide the ability to centrally administer a system of NPBs from one unified (usually web-based) management console. This setup makes it easier to monitor, manage, and report on your NPBs — individually and/or in hierarchical groups — across the entire organization.

Key NPB Capabilities

Table 3-1, earlier in this chapter, lists the key capabilities of leading NPBs. This section describes those not-yet-discussed capabilities in detail.

Don’t assume that all network packet brokers are created equal. Capabilities vary by manufacturer and also by model. Certain classes of NPBs may be specifically designed to support one or more active tools; others may be designed to support dozens of passive tools. It’s important to select your NPB vendor carefully (see Chapter 7) and to work with your chosen vendor to design the network intelligence optimization solution that’s right for you.

Fault tolerance

Fault-tolerance capabilities help minimize unwanted network downtime in the event of power loss or a malfunction of the NPB and/or the devices connected to it.

Power-loss packet-flow policies

In Chapter 2, I mention that TAPs are configured to fail open only when they’re deployed inline. Some NPB models are different, however, in that the user can determine — through policy settings — whether the NPB device should fail open or fail closed, depending on the desired outcome after power loss.

Link state mirroring

In the event that an NPB passes traffic between a router and a switch, and the connection to the router goes down, the switch may never know; it’s connected to the NPB, not the router. In this case, the switch would continue to attempt to pass traffic back to the router (through the NPB) without success — a situation commonly known as asymmetric routing.

Better NPB devices can prevent this problem through link state mirroring, in which the NPB mirrors (emulates) the state of the down interface to the up interface of an interface set. In the preceding example, the switch would recognize that the connection to the NPB was down and then reroute traffic through a redundant path.

Reboot accelerated failover (1G copper only)

As I mention in Chapter 2, inline NPB devices are commonly configured to fail open in the event of a power loss, thereby maintaining network connectivity. In fiber and 10/100 copper NPBs, network connectivity is maintained constantly, regardless of the power state of the NPB. The 1G copper NPBs are unique, however, in that they leverage a magnetic relay to physically connect the inline interfaces of a network interface set during power loss.

As power is restored to a 1G copper NPB, the magnetic (fail-open) relay lifts; then each network interface must negotiate speed, duplex, MDI/MDIX, and time variables with the router or switch to which it’s connected. This rebooting process can be long enough to cause the router or switch to see a down state and potentially initiate a spanning tree protocol, which could lengthen network downtime from 200 milliseconds to a full 3 seconds, thereby adversely affecting the applications communicating over the network.

Leading NPB vendors have responded to this 1G copper dilemma by implementing technology that accelerates the rebooting of 1G copper NPBs. This technology reduces network interruption time between the NPB and its connected switches and routers to just 30 to 60 milliseconds, which prevents connected routers and switches from triggering a spanning tree protocol.

Health-check packets

Leading vendors enable NPBs to know not only when connected tools are accepting packets, but also when they’re actively doing the job that they’re intended to do, such as inspecting and blocking traffic in the case of an intrusion prevention system (IPS; see Chapter 2). To accomplish this task, the NPB can periodically send out positive and/or negative health-check packets that are custom-configured for each tool.

Health-check packets designed to be “allowed” to pass the active tool’s security check verify the state of the tool’s hardware, ensuring that it’s powered and linked. Health-check packets designed to be “blocked” by the tool verify the tool’s software state, ensuring that an IPS, for example, is blocking bad packets and protecting the live network.

Traffic grooming

Traffic grooming capabilities ensure that the NPB routes only relevant traffic to connected tools, thereby facilitating the reliability, efficiency, and effectiveness of each tool.

Traffic regeneration

In Chapter 2, I discuss regeneration TAPs, which allow traffic from one network segment to be regenerated (or copied) to one or more monitoring ports. NPBs offer the same capability.

TAPs have pre-assigned (fixed) network and monitoring ports, which can’t be changed. Better NPBs, however, have ports that can be configured as either network or monitoring ports, thereby offering maximum device flexibility.

Selective aggregation

Traffic aggregation pertains to aggregation TAPs (see Chapter 2), which route traffic from all network ports to attached monitoring tools. Selective aggregation (see Figure 3-3) takes this capability one step further by enabling the user to direct traffic from specific network ports to specific monitoring ports, or to direct traffic from any single network port to multiple monitoring ports. This setup is almost like squeezing several aggregation TAPs into one NPB device.

Hardware-based packet filtering

Today’s NPBs feature purpose-built hardware that can filter packets based on user-defined criteria. A negative filter drops unwanted packets, whereas a positive filter extracts only desired packets.

Most NPBs can filter packets based on the following criteria:

✓ MAC address (source, destination)

✓ IP address (source, destination, range)

✓ UDP, TCP, and ICMP (port, range)

✓ VLAN, QoS, and IP service type

✓ Even and odd ports for RTP and RTCP

✓ Custom 127-byte filter offset for tunneled applications

Figure 3-3: Performing selective aggregation.

Hardware-based packet filtering can be performed at line-rate speeds up to 10Gbps. It helps minimize oversubscription of monitoring tools by eliminating traffic that the tool was never designed (or intended) to inspect.

Session-aware load balancing

Session-aware load balancing enables traffic from one or more network ports to be evenly distributed to two or more monitoring ports (see Figure 3-4), while all packets from a unique TCP session are routed through the same monitoring port to the same monitoring tool, ensuring the effectiveness of traffic inspection.

Figure 3-4: Session-aware load balancing, illustrated.

Load balancing prevents tool oversubscription and adds a layer of fault tolerance to tool deployments. If the NPB detects a failed tool (through the aforementioned health-check packets), it ceases to pass traffic to that monitoring port and spreads the workload to the remaining load-balanced tools.

Leading NPB vendors provide even more alternatives to recover from a failed tool participating in a load-balanced group. Better NPBs can direct traffic bound to the failed tool to a hot standby tool, or even redirect all traffic to a secondary (backup) group of load-balanced tools. Be sure to work with your NPB vendor to determine which option is best for you.
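The session-aware distribution and health-check failover described above (and in “Health-check packets” earlier in this chapter), as an added example that is not code from the book or from any NPB vendor: a symmetric hash of the TCP endpoints pins both directions of a session to one monitor port, and a tool that fails its positive or negative probe is replaced by the hot standby or retired from the group. The rendezvous-hash design, the port names and the sample sessions are assumptions.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]
SessionKey = Tuple[Endpoint, Endpoint]


def session_key(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> SessionKey:
    """Order the two endpoints so that both directions of one TCP session
    (client->server and server->client) produce the same key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)


def _weight(key: SessionKey, slot: int) -> int:
    """Rendezvous (highest-random-weight) score of a session for a slot. SHA-256
    keeps the mapping stable across restarts, unlike Python's salted hash()."""
    digest = hashlib.sha256(f"{key!r}|{slot}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


class SessionLoadBalancer:
    """Load-balanced group of monitoring ports (assumed design, not a vendor's).
    Each slot holds the tool on that port, or None once the tool has failed and no
    standby remains. Rendezvous hashing means retiring one slot moves only that
    slot's sessions; every other session keeps its tool."""

    def __init__(self, monitor_ports: List[str], hot_standby: Optional[str] = None):
        self.slots: Dict[int, Optional[str]] = dict(enumerate(monitor_ports))
        self.hot_standby = hot_standby

    def choose_port(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
        key = session_key(src_ip, src_port, dst_ip, dst_port)
        live = [slot for slot, tool in self.slots.items() if tool is not None]
        if not live:
            raise RuntimeError("no healthy tool left in the load-balanced group")
        return self.slots[max(live, key=lambda slot: _weight(key, slot))]

    def health_check(self, port: str, allowed_probe_returned: bool,
                     blocked_probe_returned: bool) -> bool:
        """Positive probe must come back (tool powered and linked); negative probe
        must NOT come back (IPS still blocking). Either failure retires the tool."""
        healthy = allowed_probe_returned and not blocked_probe_returned
        if not healthy:
            self.mark_failed(port)
        return healthy

    def mark_failed(self, port: str) -> None:
        """Swap the hot standby into the failed slot if one is available; otherwise
        empty the slot so its sessions spread over the remaining tools."""
        for slot, tool in self.slots.items():
            if tool == port:
                self.slots[slot], self.hot_standby = self.hot_standby, None
                return
        raise KeyError(f"{port} is not in this group")

    def distribution(self, sessions: List[Tuple[str, int, str, int]]) -> Counter:
        """How many of the given sessions land on each monitor port."""
        return Counter(self.choose_port(*s) for s in sessions)


# Constructed sample sessions: 300 clients talking to one HTTPS server.
SAMPLE_SESSIONS = [(f"10.0.{i // 256}.{i % 256}", 40000 + i, "192.0.2.10", 443)
                   for i in range(300)]

if __name__ == "__main__":
    lb = SessionLoadBalancer(["mon1", "mon2", "mon3"], hot_standby="mon4")
    print("before failure:", lb.distribution(SAMPLE_SESSIONS))
    # Negative probe came back through mon2: that IPS is no longer blocking.
    lb.health_check("mon2", allowed_probe_returned=True, blocked_probe_returned=True)
    print("after mon2 retired:", lb.distribution(SAMPLE_SESSIONS))
```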

High data-burst buffering

High data-burst buffering is a feature of advanced NPB devices that solves problems caused by microbursts — consistent or intermittent traffic data bursts of up to 100 percent of network capacity that occur at submillisecond speeds. Microbursts are often associated with the delivery of multimedia (such as movies and music) over HTTP.

In a common scenario associated with microbursts, network switch port-utilization readings may be at 30 to 50 percent, but dropped packets are being registered in the dropped-packet counter. Capturing data in these environments requires NPBs to buffer microbursts to help smooth out captured packet delivery so that passive monitoring tools can perform at acceptable levels.

Packet optimization

Packet optimization capabilities modify captured packets to make network security and performance tools connected to NPBs more efficient and effective.

Time- and port-stamping

Time-stamping allows users to append a time stamp to each captured packet relative to the time it entered the NPB for the benefit of network and application latency measurement, forensic evidence, and transaction-based application reconciliation (such as stock-market transactions). The time stamp is inserted as an 8-byte stamp after the payload and before the cyclic redundancy check (CRC; see Figure 3-5). The first four bytes indicate seconds, and the second four bytes indicate nanoseconds. After the stamp is applied, the CRC is recalculated and the frame is forwarded to the monitor ports as a standard Ethernet frame.

Figure 3-5: Time-stamping packets.
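The stamp layout just described, as an added example that is not code from the book or from VSS Monitoring: it appends the 8-byte seconds/nanoseconds trailer to a frame, recalculates the FCS so the result is still a valid Ethernet frame, and strips and reads the stamp back on the tool side. The big-endian byte order of the two fields and the constructed sample frame are assumptions.

```python
import struct
import zlib

STAMP_LEN = 8   # 4 bytes seconds + 4 bytes nanoseconds
FCS_LEN = 4     # Ethernet frame check sequence (CRC-32)


def ethernet_fcs(body: bytes) -> bytes:
    """CRC-32 over everything from the destination MAC to the last payload byte,
    appended least-significant byte first, as on the wire."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_is_valid(frame: bytes) -> bool:
    return len(frame) > FCS_LEN and ethernet_fcs(frame[:-FCS_LEN]) == frame[-FCS_LEN:]


def stamp_frame(frame: bytes, seconds: int, nanoseconds: int) -> bytes:
    """Insert the stamp between payload and FCS, then recalculate the FCS
    (the flow of Figure 3-5). Field byte order is an assumption of this example."""
    if not fcs_is_valid(frame):
        raise ValueError("refusing to stamp a frame whose FCS is already bad")
    if not 0 <= nanoseconds < 1_000_000_000:
        raise ValueError("nanoseconds must be below 1e9")
    body = frame[:-FCS_LEN] + struct.pack(">II", seconds, nanoseconds)
    return body + ethernet_fcs(body)


def unstamp_frame(stamped: bytes):
    """Return (original frame with its own FCS restored, seconds, nanoseconds).
    A tool that decodes stamped frames must strip the trailer first, or the extra
    8 bytes look like trailing payload to its protocol parsers."""
    if not fcs_is_valid(stamped):
        raise ValueError("stamped frame failed FCS check")
    body = stamped[:-FCS_LEN]
    original_body, stamp = body[:-STAMP_LEN], body[-STAMP_LEN:]
    seconds, nanoseconds = struct.unpack(">II", stamp)
    return original_body + ethernet_fcs(original_body), seconds, nanoseconds


def stamp_delta_ns(earlier, later) -> int:
    """Latency between two stamps taken on different NPB ports, in nanoseconds."""
    (s0, n0), (s1, n1) = earlier, later
    return (s1 - s0) * 1_000_000_000 + (n1 - n0)


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed sample frame with a correct FCS (not a real capture)."""
    body = dst_mac + src_mac + struct.pack(">H", ethertype) + payload
    return body + ethernet_fcs(body)


# Constructed minimum-size (64-byte) IPv4 frame with an all-zero payload.
SAMPLE_FRAME = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                           0x0800, bytes(46))

if __name__ == "__main__":
    stamped = stamp_frame(SAMPLE_FRAME, 1_700_000_000, 250_000_000)
    print(len(SAMPLE_FRAME), "->", len(stamped), "bytes; FCS ok:", fcs_is_valid(stamped))
    print("stamp:", unstamp_frame(stamped)[1:])
```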

When traffic from more than one network port is captured and directed to one or more (load-balanced) monitoring tools, no record exists of which network port each packet flowed through. Port-stamping overcomes this problem by stamping the port (interface) number on each packet. This feature is also useful for latency measurement, network forensics applications (that collect packets for evidentiary purposes), and trading transaction reconciliation.

Packet de-duplication

Planned redundancies in network design, monitoring-tool access, and overlapping filters during traffic capture and aggregation are typical situations that cause security and performance tools to receive multiple duplicate packets. Duplicate packets create challenges for IT and security personnel, including monitoring-tool oversubscription, false positives, and inaccurate performance reporting. Packet de-duplication reduces the volume of traffic to monitoring tools, increasing tool efficiency while reducing false-positive errors and inaccurate reporting.

Conditional packet slicing/masking

Packet slicing discards the latter part of a packet from the copy of traffic before the tool receives it, thereby allowing the tool to process and store more relevant data or only data of interest. Conditional packet slicing takes packet slicing a step further by enabling users to set slice points at different offsets for each type of traffic to be sliced, such as HTTP, SMTP, and the VoIP protocols RTP and RTCP.

Conditional packet slicing helps you ensure compliance with regulations that mandate privacy best practices, such as the Payment Card Industry Data Security Standard (PCI DSS), which requires providing access to cardholder information only on a need-to-know basis.
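Positive/negative filtering (from “Hardware-based packet filtering” earlier in this chapter) and per-protocol slice points as just described, modelled in software as an added example that is not code from the book or from any NPB vendor. It assumes IPv4 over Ethernet with at most one 802.1Q tag, frames carried without their FCS, and addresses, VLAN numbers and slice offsets chosen purely for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ETHERTYPE_VLAN, ETHERTYPE_IPV4, TCP, UDP = 0x8100, 0x0800, 6, 17

@dataclass
class Headers:
    dst_mac: str
    src_mac: str
    vlan: Optional[int]
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int]
    dst_port: Optional[int]
    payload_offset: int  # index of the first transport-payload byte in the frame

def parse_headers(frame: bytes) -> Optional[Headers]:
    """Decode Ethernet (plus at most one 802.1Q tag) / IPv4 / TCP or UDP."""
    dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack_from(">H", frame, 12)
    off, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from(">HH", frame, off)
        vlan, off = tci & 0x0FFF, off + 4
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
    src_ip = str(ipaddress.IPv4Address(frame[off + 12:off + 16]))
    dst_ip = str(ipaddress.IPv4Address(frame[off + 16:off + 20]))
    l4, src_port, dst_port, l4_len = off + ihl, None, None, 0
    if proto in (TCP, UDP):
        src_port, dst_port = struct.unpack_from(">HH", frame, l4)
        l4_len = (frame[l4 + 12] >> 4) * 4 if proto == TCP else 8
    return Headers(dst_mac, src_mac, vlan, proto, src_ip, dst_ip,
                   src_port, dst_port, l4 + l4_len)

Rule = Callable[[Headers], bool]

class Groomer:
    """Negative filters drop first; if any positive filter exists a packet must match
    one to be forwarded; the first matching slice rule then truncates the copy."""

    def __init__(self) -> None:
        self.negative: List[Rule] = []
        self.positive: List[Rule] = []
        self.slice_rules: List[Tuple[Rule, int]] = []  # (matcher, payload bytes kept)

    def forward(self, frame: bytes) -> Optional[bytes]:
        h = parse_headers(frame)
        if h is None:
            return None  # this model forwards IPv4 only; other ethertypes are dropped
        if any(rule(h) for rule in self.negative):
            return None
        if self.positive and not any(rule(h) for rule in self.positive):
            return None
        for matcher, keep in self.slice_rules:
            if matcher(h):
                return frame[:h.payload_offset + keep]
        return frame

def cardholder_policy() -> Groomer:
    """Illustrative PCI-style policy (values are assumptions, not the standard):
    ignore the backup VLAN, forward only traffic to the payment segment, keep HTTP
    request lines and headers but nothing of an SMTP body, keep only the 12-byte
    RTP header on even UDP ports, and pass odd-port RTCP whole."""
    g = Groomer()
    payment_net = ipaddress.ip_network("10.20.0.0/16")
    g.negative.append(lambda h: h.vlan == 999)
    g.positive.append(lambda h: ipaddress.ip_address(h.dst_ip) in payment_net)
    g.slice_rules += [
        (lambda h: h.proto == TCP and h.dst_port == 80, 128),
        (lambda h: h.proto == TCP and h.dst_port == 25, 0),
        (lambda h: h.proto == UDP and h.dst_port >= 16384 and h.dst_port % 2 == 0, 12),
    ]
    return g

def build_frame(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int,
                payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Constructed sample frame without FCS; checksums are left zero because
    nothing in this model verifies them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        eth += struct.pack(">HH", ETHERTYPE_VLAN, vlan)
    eth += struct.pack(">H", ETHERTYPE_IPV4)
    if proto == TCP:   # 20-byte header, data offset 5, flags PSH+ACK
        l4 = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 0xFFFF, 0, 0)
    else:              # 8-byte UDP header
        l4 = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0)
    ip4 = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip4 + l4 + payload
```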

Packet fragment reassembly

Packets can become fragmented when maximum transmission unit (MTU) size is exceeded due to tunneling, encapsulating, and/or tagging traffic, creating mismatches with different routers as packets traverse one or more networks. Fragmented packets create difficult obstacles for IT personnel because tools can’t inspect them properly.

Packet fragment reassembly reassembles fragments into their original form before forwarding them to tools (see Figure 3-6), thereby restoring the efficacy of monitoring tools and allowing them to inspect previously fragmented packets.

Figure 3-6: Reassembling packet fragments.

Protocol stripping
Many monitoring tools aren't designed, at either the hardware or software level, to handle traffic carrying certain protocols, labels, or encapsulations, simply because the tool was never meant to see them. Take MPLS labeling, for example: some security or performance tools either can't handle MPLS at all or can handle only a limited number of stacked MPLS labels.

Protocol stripping allows you to remove a specific protocol header, such as GTP, MPLS, VLAN (802.1Q), or VN-Tag (Cisco's virtual NIC tag). Stripping those headers from the packets sent out the monitor ports means that the monitoring tools no longer have to handle them, and the NPB can load-balance on the real IP addresses and ports of the stripped packets instead of on the outer encapsulation.

Leading NPB vendors also offer generic user-defined strips, configured as an offset and a byte count, that can remove header information for any protocol that exists today or appears in the future. Because the NPB doesn't parse what it removes, a user-defined strip doesn't fix up any length or EtherType fields, so verify the result against a capture before relying on it.
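An added example, not the book's or any vendor's code, that strips a constructed QinQ-plus-MPLS frame down to plain Ethernet/IPv4, rewriting the EtherType from the IP version nibble because an MPLS stack carries no EtherType of its own. It also shows the generic offset strip and a direction-independent hash that load-balances the stripped frame by its real IP addresses. The MAC addresses, VLAN IDs and labels are made-up sample values.

```python
import hashlib
import struct

VLAN_TYPES = {0x8100, 0x88A8, 0x9100}      # 802.1Q, 802.1ad (QinQ), legacy QinQ
MPLS_TYPES = {0x8847, 0x8848}
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD


def strip_encapsulation(frame):
    """Return (plain Ethernet II frame, list of removed layers). Every VLAN tag and the
    entire MPLS label stack are removed; the EtherType is rewritten to match the payload."""
    removed, pos = [], 12
    etype = struct.unpack("!H", frame[pos:pos + 2])[0]
    pos += 2
    while etype in VLAN_TYPES:                       # each tag: 2-byte TCI, then the next EtherType
        tci, etype = struct.unpack("!HH", frame[pos:pos + 4])
        removed.append(("vlan", tci & 0x0FFF))
        pos += 4
    if etype in MPLS_TYPES:
        while True:                                  # entry = label(20) | TC(3) | S(1) | TTL(8)
            entry = struct.unpack("!I", frame[pos:pos + 4])[0]
            removed.append(("mpls", entry >> 12))
            pos += 4
            if entry & 0x100:                        # bottom-of-stack bit
                break
        version = frame[pos] >> 4                    # no EtherType after MPLS: infer from IP version
        if version == 4:
            etype = ETHERTYPE_IPV4
        elif version == 6:
            etype = ETHERTYPE_IPV6
        else:
            raise ValueError("payload after MPLS stack is not IP (pseudowire control word?)")
    return frame[:12] + struct.pack("!H", etype) + frame[pos:], removed


def strip_at_offset(frame, offset, length):
    """Generic user-defined strip: remove `length` bytes at `offset`. Handles an encapsulation
    the NPB does not parse, but fixes up no length or type fields."""
    return frame[:offset] + frame[offset + length:]


def tool_index(frame, tool_count):
    """Pick a tool for a stripped IPv4 frame by a hash of its addresses that is the same in
    both directions, so a whole conversation lands on one tool."""
    src, dst = frame[26:30], frame[30:34]
    key = min(src, dst) + max(src, dst)
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % tool_count


def demo():
    mac = bytes.fromhex("0a0b0c0d0e0f") + bytes.fromhex("1a1b1c1d1e1f")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = (mac + b"\x88\xa8" + struct.pack("!HH", 100, 0x8100)   # outer 802.1ad tag, VLAN 100
             + struct.pack("!HH", 200, 0x8847)                      # inner 802.1Q tag, VLAN 200
             + struct.pack("!I", (16001 << 12) | 64)                # MPLS label, not bottom of stack
             + struct.pack("!I", (16002 << 12) | 0x100 | 64)        # bottom-of-stack label
             + ip)
    plain, removed = strip_encapsulation(frame)
    reverse = mac + b"\x08\x00" + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 6, 0,
                                               bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return plain, removed, mac + b"\x08\x00" + ip, tool_index(plain, 4) == tool_index(reverse, 4)
```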


Common NPB Interconnection Designs

NPBs are designed to interconnect to improve scalability and increase fault tolerance. When configured optimally, monitoring tools located in New York can monitor traffic generated in London, provided the links between the sites have the capacity to carry the copied traffic.

Three common types of NPB interconnection designs are available, although only one of them offers the fault tolerance that most organizations require.

Daisy chaining
In daisy chaining (see Figure 3-7), multiple devices of the same type are connected in sequence, with traffic flowing through them in one long chain. Daisy chaining is often used with network switches, but it leaves much to be desired for NPBs, because any NPB in the chain is a single point of failure whose loss strands every device beyond it from the stack. Daisy chaining also usually requires proprietary stacking cables, which rules out geographically dispersed NPBs participating in the same system.

Figure 3-7: Daisy-chaining design.

Star or hub-and-spoke
A star or hub-and-spoke design (see Figure 3-8) is more advantageous than daisy chaining because participating NPBs can be placed in different locations. The NPB in the middle (the hub) is still a single point of failure for the capture infrastructure, however, because the design provides no path redundancy or failover.

Figure 3-8: Star or hub-and-spoke design.

Mesh system
A mesh design (see Figure 3-9) is the best configuration for multiple-NPB deployments because it offers the greatest flexibility and maximum fault tolerance. In a mesh design, every NPB is interconnected with the others, and traffic can be directed to any port on any NPB regardless of location, across the data center or around the globe.

Figure 3-9: Mesh design.

NPBs that support mesh design well also incorporate automatic failover. If an NPB's mesh link (interface and/or cable) fails, captured traffic is automatically redirected over the remaining NPB links, maintaining the monitoring-tool data feeds without disrupting the production network.
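To make the fault-tolerance claims of the three designs concrete, here is an added example (not from the book) that models each interconnection design as a graph of four constructed sites, with the tools assumed to sit in NYC, and counts which NPBs can no longer reach the tools after a device or link failure. The site names and links are assumptions chosen to match Figures 3-7 to 3-9.

```python
from collections import deque


def neighbours(links, alive):
    """Adjacency over the nodes and links that are still up."""
    adj = {n: set() for n in alive}
    for a, b in links:
        if a in alive and b in alive:
            adj[a].add(b)
            adj[b].add(a)
    return adj


def shortest_path(links, alive, src, dst):
    """BFS path from src to dst over live nodes and links, or None if unreachable."""
    if src not in alive or dst not in alive:
        return None
    adj = neighbours(links, alive)
    parent, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(adj[node]):          # sorted for a deterministic route choice
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def stranded(nodes, links, tool_site, failed_nodes=(), failed_links=()):
    """NPBs that can no longer deliver captured traffic to the tool site after the failures."""
    alive = set(nodes) - set(failed_nodes)
    live_links = [l for l in links if l not in failed_links and l[::-1] not in failed_links]
    return sorted(n for n in alive if shortest_path(live_links, alive, n, tool_site) is None)


SITES = ["LON", "PAR", "FRA", "NYC"]                                   # constructed; tools live in NYC
DAISY = [("LON", "PAR"), ("PAR", "FRA"), ("FRA", "NYC")]               # Figure 3-7
STAR = [("FRA", "LON"), ("FRA", "PAR"), ("FRA", "NYC")]                # Figure 3-8, FRA is the hub
MESH = [(a, b) for i, a in enumerate(SITES) for b in SITES[i + 1:]]   # Figure 3-9, every pair linked


def demo():
    return {
        "daisy_lose_PAR": stranded(SITES, DAISY, "NYC", failed_nodes=["PAR"]),
        "star_lose_hub": stranded(SITES, STAR, "NYC", failed_nodes=["FRA"]),
        "mesh_lose_FRA": stranded(SITES, MESH, "NYC", failed_nodes=["FRA"]),
        "mesh_LON_to_NYC": shortest_path(MESH, set(SITES), "LON", "NYC"),
        "mesh_LON_to_NYC_link_down": shortest_path(
            [l for l in MESH if l != ("LON", "NYC")], set(SITES), "LON", "NYC"),
    }
```

Losing the middle NPB of the daisy chain strands London; losing the star's hub strands every spoke; the mesh loses nothing, and when the direct London-New York link fails the traffic simply takes the Frankfurt route, which is the automatic failover described above.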


Chapter 4

Use Cases for Network Security

In This Chapter
▶ Comparing active and passive security tools
▶ Examining typical network security challenges and solutions

With cloud computing and virtualization on the rise, today's computer networks are increasingly vulnerable and constantly evolving, bringing new risks and uncertainties. Long gone are the days of hacking for fun: Hackers are financially motivated and more sophisticated than ever. Some have formed hacking groups, such as LulzSec and Anonymous, to share intelligence and gain economies of scale.

Nation-states are now employing hackers to commit so-called advanced persistent threats (such as Internet espionage) against foreign governments and corporations for political gain. Examples include the Stuxnet malware, which sabotaged centrifuges in Iran's uranium-enrichment program, the Flame espionage toolkit found on systems in Iran and elsewhere in the Middle East (a new breed of cyberwarfare), and the attack on Google attributed to China, which sought the communications and identities of Chinese dissidents.

IT security professionals struggle to keep up. Although vendors do well providing network security tools to defend against the latest cyberthreats, implementing those tools is an ongoing challenge — for various reasons.

In this chapter, I describe some network security tools that combat cyberthreats and explore typical challenges in deploying them.


Common Network Security Tools
For every kind of cyberthreat, there's a network security tool designed to detect it (passive) and even block it (active). The next two sections describe the most common passive and active security tools in use today.

Passive security tools

Passive security tools merely inspect network traffic, typically from switch SPAN ports, inline TAPs, or NPBs.

Intrusion detection system (IDS)
An intrusion detection system (IDS) is designed to monitor network traffic for malware, exploits, and other cyberthreats by leveraging thousands of threat signatures (sometimes called rules). IDS software can be deployed on purpose-built appliances; on user-provided hardware; and, in some cases, as virtual appliances for VMware, Xen, and other virtualization platforms.

Today, IDS is usually a mode of operation on intrusion prevention system (IPS) appliances; in other words, appliances capable only of passive IDS monitoring have largely disappeared from vendors' catalogs. IPS appliances with high port densities typically support active IPS and passive IDS configurations in the same box, and it's common for organizations to deploy an IPS for passive IDS monitoring only, especially within the network core.

Vendors in this space include Check Point, Cisco, HP, IBM, Juniper, McAfee, and Sourcefire.

Network forensics
The term network forensics refers to technology that monitors, records, and analyzes computer network traffic for the purposes of information gathering, collecting legal evidence, and detecting and analyzing network security threats. This technology is often described as a network VCR that records (literally) all packets that traverse your network.

Network forensics software is most often deployed on vendor-supplied network appliances with large storage capacities, but some vendors supply it as a software-only solution so that customers can hand-select the hardware to support it.

Vendors in this space include AccessData, NetScout, NIKSUN, RSA (NetWitness), and Solera Networks.

Network behavior analysis
Most network security devices are placed at the perimeter (behind the firewall) to inspect threats coming in from the Internet. Mobile devices that are hand-carried into the office, however, may carry malware that the perimeter defenses never see.

Network behavior analysis (NBA) detects threats facing your network from the inside by leveraging NetFlow and other flow standards (such as cFlow, sFlow, and jFlow) to get a baseline reading on normal network traffic and detect anomalies such as malware propagation.

Vendors in this space include Arbor Networks, Lancope, and Riverbed.
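An added example, not from the book or any NBA vendor, of the baseline-and-anomaly idea applied to flow records: it learns, per host, how many distinct destinations each host normally talks to in a day, then flags a host whose fan-out on a new day exceeds its baseline by three standard deviations, the pattern a worm or a scanning implant produces. The flow records are constructed inline; hosts, ports and thresholds are assumptions.

```python
import statistics
from collections import defaultdict


def constructed_flows():
    """NetFlow-like records (day, src, dst, dst_port, bytes). Days 1-7 form the baseline;
    on day 8 host 10.0.0.23 suddenly fans out to 45 extra internal hosts on TCP/445."""
    flows = []
    for day in range(1, 9):
        quiet = 3 + day % 3 if day < 8 else 4              # 10.0.0.23: a few file-server sessions a day
        for i in range(quiet):
            flows.append((day, "10.0.0.23", f"10.0.2.{i + 1}", 445, 20000))
        for i in range(20 + day % 4):                      # 10.0.0.50: busier, but steady
            flows.append((day, "10.0.0.50", f"10.0.3.{i + 1}", 443, 50000))
    for i in range(45):                                    # day 8 burst from 10.0.0.23
        flows.append((8, "10.0.0.23", f"10.0.4.{i + 1}", 445, 300))
    return flows


def distinct_destinations(flows):
    seen = defaultdict(set)
    for day, src, dst, dport, _ in flows:
        seen[(src, day)].add(dst)
    return seen


def build_baseline(flows, baseline_days):
    """Per-host mean and (population) standard deviation of distinct destinations per day."""
    seen = distinct_destinations(flows)
    hosts = {src for src, day in seen if day in baseline_days}
    baseline = {}
    for host in hosts:
        counts = [len(seen.get((host, day), ())) for day in baseline_days]
        baseline[host] = (statistics.mean(counts), statistics.pstdev(counts))
    return baseline


def detect_fan_out(flows, baseline, day, sigma=3.0, floor=5):
    """Flag hosts whose fan-out on `day` exceeds their baseline by `sigma` deviations.
    `floor` stops a very regular host (deviation near zero) from alerting on trivial growth;
    a host with no baseline at all gets (0, 0) and so alerts past `floor` destinations."""
    seen = distinct_destinations(flows)
    alerts = []
    for (src, d), dsts in seen.items():
        if d != day:
            continue
        mean, std = baseline.get(src, (0.0, 0.0))
        threshold = max(mean + sigma * std, mean + floor)
        if len(dsts) > threshold:
            ports = sorted({dport for fd, s, _, dport, _ in flows if fd == day and s == src})
            alerts.append({"host": src, "distinct_dst": len(dsts),
                           "threshold": round(threshold, 1), "ports": ports})
    return alerts


def demo():
    flows = constructed_flows()
    baseline = build_baseline(flows, baseline_days=range(1, 8))
    return detect_fan_out(flows, baseline, day=8)
```

The busier host 10.0.0.50 is never flagged because the threshold is relative to its own history, which is the point of baselining rather than a fixed per-host limit.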

Active security tools
Active security tools do more than just detect threats; they sit inline and block them. Because every packet passes through an inline tool, the tool's latency and availability become part of the network's, which is why such tools must be deployed with care.

Be sure to implement active security tools with best-in-class NPBs to maximize scalability, increase fault tolerance, and reduce packet latency to achieve security service assurance.

Intrusion prevention system (IPS)
IPS is the logical evolution of IDS. If you can detect threats, why not block them? If, however, an IPS blocked good traffic that it suspected to be bad (a false positive) or crashed without failing open (a topic discussed in Chapter 2), it could significantly disrupt business operations. Thus, organizations must select and deploy IPS technology with great care.

Vendors in this space include Check Point, Cisco, HP, IBM, Juniper, McAfee, and Sourcefire.

Next-generation firewall (NGFW)
Next-generation firewall (NGFW) is the evolution of the typical stateful firewall. These devices combine firewall technology with IPS and application-control capabilities in a purpose-built hardware platform to increase network security and lower total cost of ownership. NGFWs are often chosen over stand-alone firewalls and IPS devices because they provide granular control of application access by users and groups.

Some NGFWs also offer URL filtering, virtual private network (VPN) capabilities (through SSL and IPsec), and malware detection as optional components. NGFWs can replace traditional firewalls or augment them by performing intrusion prevention and application control both at the perimeter and inside the network.

Vendors in this space include Check Point, Fortinet, McAfee, Palo Alto Networks, and Sourcefire.

Advanced malware protection
Traditional security solutions, such as IPS, antivirus products, and secure web gateways, are designed to detect known threats and exploits that target known operating system and application vulnerabilities. Today, however, zero-day exploits (attacks targeting newly discovered vulnerabilities that are not yet patched and for which an IPS has no signature) and advanced persistent threats cause enterprises and government agencies the most concern. A new category of signatureless network security solutions called advanced malware protection has emerged to defend against these threats.

Vendors in this space include Damballa, FireEye, and Palo Alto Networks.

Secure web gateway (SWG)
A secure web gateway (SWG), also known as a web filter, is software typically installed on rack-mount appliances, designed and optimized to enforce your company's web security policies and control user access to websites. Websites that are known to contain malware or inappropriate content (such as pornography or gambling) are blocked at the gateway, thereby improving employee productivity, limiting the organization's liability, and keeping users' computing devices safe from harm.

SWG vendors group websites into categories and issue security updates, typically on a daily basis. SWG users can create access policies based on website categories and assign them to individual users and groups of users.

Vendors in this space include Blue Coat, Cisco, McAfee, Trustwave, and Websense.

Data loss prevention (DLP)
Data loss prevention (DLP), also known as data leakage prevention, is software typically installed on rack-mount appliances. DLP software is designed to detect and prevent potential breaches of sensitive data and personally identifiable information (credit card numbers, Social Security numbers, hospital patient records, and so on) by monitoring data in several states:

✓ In use (endpoint actions)

✓ In motion (network traffic)

✓ At rest (data storage)

Vendors in this space include Blue Coat, Check Point, Cisco (IronPort), Fidelis, McAfee, RSA, Symantec, and Websense.

Distributed denial of service (DDoS) prevention
A denial of service (DoS) attack is an attempt by one computer to make another computer unavailable to its intended users by flooding its bandwidth and/or its computing resources, often through a flood of SYN or ICMP packets. A distributed denial of service (DDoS) is a DoS attack initiated by a botnet (a collection of computers called bots that are infected with zombie agents or Trojans), typically used to target high-profile websites. All the bots in a given botnet are programmed to take action at a precisely coordinated time, as instructed by a central command-and-control (CnC) system operated by the perpetrator.

On-premises DDoS prevention systems can help detect and prevent DDoS attacks through proprietary algorithms and rate-based protection mechanisms.

Vendors in this space include Arbor Networks, Cisco, Corero, and VeriSign.


Typical Network Security Deployment Challenges

IT organizations face numerous challenges in deploying network security devices, especially in large, complex, geographically dispersed networks that change frequently. (Sound familiar?) Following are just a few of those challenges, all of which can be solved by using NPBs.

Extending current investment in 1G security tools
The 10-gigabit Ethernet (10GbE, or 10G for short) computer networking standard was first published in 2002 but didn't reach critical mass until 2007, when 1 million 10G ports were shipped. Since then, 10G has become the standard-bearer for larger computer network backbones.

Virtually every large computer network has dozens, if not hundreds, of 1G fiber network security monitoring tools. These appliances may have the capacity to inspect more than 1Gbps of traffic — or up to 4Gbps or 5Gbps, depending on the model — but 1G tools can’t physically connect to 10G networks because they’re equipped with 1G fiber interfaces. For sample photos of 1G and 10G fiber interfaces, see Chapter 1.

Solution: NPBs can help by aggregating, load-balancing, and optimizing traffic from 10G networks to existing 1G security tools. This solution not only extends the useful life of existing 1G tools, which postpones the expense of replacing them, but also maximizes their performance and fault tolerance.

Safely deploying multiple active security tools in series
As I mention in Chapter 2, active tools do more than just monitor traffic; they can manipulate it as well. Active tools pose network availability risks, because if such a tool loses power or otherwise becomes disabled, an entire network segment could be affected.

Many organizations deploy multiple active security tools in series to achieve defense in depth. Traffic may flow from the Internet through a firewall, an IPS, and an SWG before it's allowed on the network. Organizations need a way to deploy these active security tools in succession while minimizing risk of network downtime.

Solution: NPBs can route traffic effectively through each active tool (or active load-balanced tool group) in sequence. If any given tool fails, the interface set on the NPB associated with that tool can fail open or to a secondary active tool (or load-balanced tool group).
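An added example, not VSS Monitoring's code, that models an NPB steering traffic through a firewall, a load-balanced IPS group and an SWG in sequence. Each stage has a health check; a failed member is taken out of the hash, and when a whole group is down the stage either fails open (traffic bypasses it uninspected) or fails closed (traffic stops), so you can see what each policy costs. It also illustrates the health-check triggers used in the biotech sidebar later in this chapter. The tools are stand-ins that block by destination name; hostnames and the hash-based member selection are assumptions.

```python
import hashlib


class Tool:
    """Constructed stand-in for an inline security appliance."""

    def __init__(self, name, blocked_hosts=(), healthy=True):
        self.name, self.blocked, self.healthy = name, set(blocked_hosts), healthy

    def probe(self):
        # A real NPB sends a health-check packet through the tool and expects it back on
        # the return port within a timeout; here the tool simply reports its state.
        return self.healthy

    def process(self, pkt):
        return None if pkt["dst"] in self.blocked else pkt


class Stage:
    """One hop in the service chain: a load-balanced group of identical tools."""

    def __init__(self, name, tools, on_all_down="fail_open"):
        self.name, self.tools, self.on_all_down = name, list(tools), on_all_down
        self.live = {t.name for t in self.tools}

    def health_check(self):
        self.live = {t.name for t in self.tools if t.probe()}

    def pick(self, pkt):
        members = [t for t in self.tools if t.name in self.live]
        if not members:
            return None
        key = "|".join(sorted((pkt["src"], pkt["dst"]))).encode()  # symmetric: both directions, one tool
        return members[int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(members)]


class ServiceChain:
    def __init__(self, stages):
        self.stages, self.log = stages, []

    def health_check(self):
        for stage in self.stages:
            stage.health_check()

    def forward(self, pkt):
        """Steer a packet through every stage in order; None means it was dropped somewhere."""
        for stage in self.stages:
            tool = stage.pick(pkt)
            if tool is None:
                if stage.on_all_down == "fail_open":
                    self.log.append(f"{stage.name}: no healthy member, bypassed (uninspected)")
                    continue
                self.log.append(f"{stage.name}: no healthy member, dropped (fail closed)")
                return None
            out = tool.process(pkt)
            if out is None:
                self.log.append(f"{stage.name}/{tool.name}: blocked {pkt['dst']}")
                return None
            pkt = out
        return pkt


def build_chain(ips_policy):
    ips = [Tool("ips-1", blocked_hosts={"evil.example"}), Tool("ips-2", blocked_hosts={"evil.example"})]
    chain = ServiceChain([
        Stage("firewall", [Tool("fw-1")]),
        Stage("ips", ips, on_all_down=ips_policy),
        Stage("swg", [Tool("swg-1", blocked_hosts={"gambling.example"})]),
    ])
    return chain, ips


def demo():
    """Returns, per scenario, (good traffic delivered?, bad traffic stopped?)."""
    good = {"src": "10.1.1.5", "dst": "ok.example"}
    bad = {"src": "10.1.1.5", "dst": "evil.example"}
    results = {}
    chain, ips = build_chain("fail_open")
    results["healthy"] = (chain.forward(good) is not None, chain.forward(bad) is None)
    ips[0].healthy = False                   # one IPS member dies: the health check rehashes to the survivor
    chain.health_check()
    results["one_ips_down"] = (chain.forward(good) is not None, chain.forward(bad) is None)
    ips[1].healthy = False                   # whole IPS group down: fail open keeps the network up...
    chain.health_check()
    results["group_down_fail_open"] = (chain.forward(good) is not None, chain.forward(bad) is None)
    chain2, ips2 = build_chain("fail_closed")
    for t in ips2:
        t.healthy = False
    chain2.health_check()                    # ...fail closed stops everything at that stage instead
    results["group_down_fail_closed"] = (chain2.forward(good) is not None, chain2.forward(bad) is None)
    return results
```

The last two rows are the trade-off the book's fail-open interfaces make on your behalf: with the IPS group gone, fail open delivers the malicious packet uninspected, while fail closed drops the legitimate one. Which is right depends on whether availability or inspection is the harder requirement for that segment, so make the choice explicitly per stage rather than accepting a default.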

Gaining complete network visibility
Typical network security appliances come with multiple interfaces to monitor multiple network segments simultaneously. After those interfaces are fully populated, however, organizations typically buy more security tools, which often are quite expensive.

Organizations need a cost-effective solution to enable their security tools to monitor more network segments than their existing interfaces allow.

Solution: NPBs can aggregate traffic from several network segments and then optimize that traffic before routing it to active and passive security tools. NPBs are typically less expensive than security tools, enabling organizations to save precious budget resources while maximizing fault tolerance and tool performance.

Supporting active–passive network configurations
Most organizations can't afford prolonged periods of Internet downtime. Therefore, they often deploy redundant paths to the Internet, in which the primary link is active and a secondary link is passive, or on warm standby. The secondary link is automatically engaged in the event that the primary link fails. This design is commonly referred to as active–passive network design.

Although active–passive network architectures require redundant network infrastructure components, such as firewalls and routers, common network security tools can often be shared, given the right network design.

Solution: By incorporating an NPB into both the active and passive Internet paths, you can use one set of network security tools to monitor traffic on both sides. (The tools connect to both NPBs at the same time, although they’re analyzing traffic from only one NPB at a time.) This solution eliminates the need to purchase twice as many network security tools just to support an active–passive network configuration.

Biotech company prescribes VSS Monitoring to safely deploy its security tools

A leading California-based biotechnology company has provided medicines to treat patients with serious, life-threatening medical conditions for more than thirty years. Its networks support daily operations for more than 10,000 medical, research, and administrative personnel globally.

The company's IT security team sought a solution to deploy two sets of load-balanced 1G active (inline) security tools in sequence, advanced malware protection appliances and secure web gateways, safely and cost-effectively while supporting a high-availability design. After evaluating several leading NPB solutions, it selected NPBs from VSS Monitoring (www.vssmonitoring.com).

The biotech company was able to meet its challenges by deploying one NPB in each of its primary and secondary gateway network segments. Each security tool was connected to both of the VSS NPBs, allowing each tool to protect both the primary and secondary gateway segments.

Custom health-check triggers were configured to monitor the health of the security tools before redirecting live traffic. Deploying the VSS NPBs enabled the company to use existing 1G security tools to protect 10G links while reducing the number of security tools needed by using the same security devices for both the primary and secondary gateway network segments. This helped the company surpass its 99.999 percent uptime objective while significantly reducing capital expenses.


Chapter 5

Use Cases for Network Performance

In This Chapter
▶ Reviewing common network performance tools
▶ Exploring challenges with and solutions for deploying network performance tools

At its most basic level, a computer network keeps a business running and growing. It's where business applications are hosted and where mission-critical customer, product, and business information is stored. When you have a resource this valuable, ensuring its performance is essential.

In Chapter 4, I review common types of passive and active network security tools and discuss typical challenges that organizations face in attempting to deploy them. This chapter is laid out very similarly, but instead of talking about network security, I discuss topics related to network performance.

The term network performance is incredibly broad and means many things to different people. For the purposes of this book, I use it simply to refer to the universe of tools that help IT professionals monitor, troubleshoot, and accelerate the speed of a network and its applications.

Common Network Performance Tools

Just like network security tools, network performance tools are designed for passive or active deployments. I cover the differences in the following sections.


Passive performance tools

Passive network performance tools merely listen to network traffic, typically from SPAN ports and/or from network flows generated by network infrastructure devices such as routers and switches.

Network performance monitoring (NPM)
The network performance monitoring (NPM) industry is quite mature, having been around for more than a decade. In 2012, market research firm Gartner amended its name for this category of products to application-aware NPM. In either case, these tools monitor the health and performance of a network through passive packet capture and analysis.

NPM solutions receive and process flow data (NetFlow, cFlow, sFlow, jFlow, IPFIX, and so on) from network routers and switches and provide dashboards to display business-relevant views of network and application performance. Alarms can be configured to alert IT when minimum thresholds of acceptable performance have been broken.

Vendors in this space include CA, Cisco, Fluke, OPNET, and Riverbed.

Application performance monitoring (APM)
A typical enterprise application relies on dozens or even hundreds of separate hardware and software components to deliver the business service for which it's deployed. These components include web servers, application servers, databases, network devices, load balancers, and storage devices.

Checking the functions of business applications — a task performed by application performance monitoring (APM) solutions — is a critical task performed by every enterprise IT organization. It’s so important, in fact, that according to Gartner, organizations spend $2 billion globally on APM solutions alone.

APM solutions track real-time execution of all application components, measuring and reporting on the hardware resources consumed by application components, as well as the speed and latency with which applications are delivered. These solutions also determine why an application failed to execute successfully or why resource consumption and latency levels departed from expectations.


Don’t confuse APM with end-user experience monitoring solutions, which tell you only whether you have an application performance problem (from an end-user’s perspective) — not the cause of that problem.

Vendors in this space include CA, Compuware, HP, IBM, OPNET, and Quest Software.

Unified communications monitoring
Unified communications (UC) is a new technological architecture whereby communication tools are integrated so that business and individual users can manage all their communications (VoIP and IP telephony, instant messaging, videoconferencing, electronic whiteboards, and so on) in one entity instead of separately. In short, UC bridges the gap between VoIP and other computer-related communications technologies.

UC allows an individual user to receive a message in one medium and access it on another. He could receive a voice-mail message and choose to access it through e-mail or a cellphone, for example. If the sender is online (according to her presence information) and currently accepting calls, the recipient can send his response to her immediately through a text chat or video call, or he could send it as a non-real-time message that she can access later through a variety of media.

New tools in this emerging market also allow monitoring of UC infrastructure performance.

Vendors in this space include Anritsu, Empirix, EXFO, and JDSU.

Network behavior analysis (NBA)
In Chapter 4, I discuss NBA in the context of network security. When this market niche was founded (originally as network behavioral anomaly detection, or NBAD), its use cases were all about security. Since then, nearly half the organizations that purchased NBA solutions have done so for network-performance-monitoring reasons, as they've discovered new applications for network flow analysis.

Organizations can use NBA solutions to troubleshoot network outages and performance degradations, and to link application performance to individual users and groups.

Vendors in this space include Arbor Networks, Lancope, and Riverbed.


Active performance tools

Passive network performance monitoring tools measure performance, whereas their active counterparts actually affect performance through a variety of methods, as described in the following sections.

Traffic shaping
Traffic shaping, also known as packet shaping, has been around for more than a decade and is often lumped together with quality of service (QoS) policing. Strictly, the two differ: a shaper delays excess traffic in a queue until it conforms to the configured rate, whereas a policer drops (or re-marks) excess traffic on the spot. Either way, this technology enables IT professionals to increase or decrease bandwidth priority by application and even by user.

Few people would argue, for example, that YouTube is more critical to a business than Salesforce.com. (That is, unless you work for YouTube.) So an organization may assign YouTube and other streaming-media applications a lower bandwidth priority while assigning higher bandwidth priority to Salesforce.com, Oracle, and other business-critical applications. To take this example a step further, IT may want to ensure that the chief executive officer has a little more bandwidth to access Salesforce.com than, say, a junior sales associate.

Traffic shaping helps organizations get the biggest bang for the buck out of their existing networking investments.
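An added example, not from the book or any vendor, that implements the token bucket underlying both techniques and runs the same burst of packets through it once as a policer and once as a shaper, so the difference stated above is visible: the policer drops what exceeds the burst, the shaper releases the same packets later at the configured rate. The rate, burst and packet sizes are illustrative assumptions.

```python
class TokenBucket:
    """Single-rate bucket: `rate_bps` bits per second with `burst_bytes` of credit."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0        # credit accrues in bytes per second
        self.burst = float(burst_bytes)
        self.tokens = self.burst
        self.last = 0.0

    def _refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def police(self, size, now):
        """Policer: a packet that finds no credit is dropped on the spot."""
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

    def shape(self, size, now):
        """Shaper: a packet that finds no credit is queued and released when credit accrues.
        Returns the release time (equal to `now` when it goes straight through)."""
        now = max(now, self.last)         # the queue is serial: nothing leaves before its predecessor
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return now
        wait = (size - self.tokens) / self.rate
        self.tokens = 0.0
        self.last = now + wait
        return now + wait


def demo():
    """Ten 1500-byte packets arrive at once on a class limited to 200 kbit/s with a
    3000-byte burst allowance (constructed figures). Returns (packets the policer passed,
    release times the shaper assigned)."""
    arrivals = [(0.0, 1500)] * 10
    policer, shaper = TokenBucket(200_000, 3000), TokenBucket(200_000, 3000)
    passed = sum(1 for t, size in arrivals if policer.police(size, t))
    release_times = [shaper.shape(size, t) for t, size in arrivals]
    return passed, release_times
```

The policer keeps the two packets the burst allows and discards eight; the shaper keeps all ten but spaces them 60 ms apart (1500 bytes at 25,000 bytes per second), trading loss for latency. Shaping is what you want for a low-priority class such as streaming video; policing suits traffic whose sender will back off on its own.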

Vendors in this space include Blue Coat, NetEqualizer, and Procera (maker of the PacketLogic product line).

WAN optimization controllers (WOCs)
A WAN is the foundation of a globally connected enterprise. The performance of the WAN is critical to everything the organization does. WAN optimization controllers (WOCs) can cut WAN bandwidth use by 60 to 95 percent, often delaying expensive WAN upgrades.

The primary function of a WOC is to improve the response time of business-critical applications over WAN links. The device performs this task by using a series of techniques, including traffic compression, byte caching, data de-duplication, traffic shaping, and protocol optimization.

WOCs are deployed symmetrically (in data centers and remote locations) and typically are connected to the LAN side of WAN routers. They address application performance problems caused by bandwidth constraints and by latency or protocol limitations.

Vendors in this space include Blue Coat, Citrix, Riverbed, and Silver Peak.

Web caching
Web caching is widely recognized as being one of the most important techniques to reduce bandwidth consumption caused by the tremendous growth of the World Wide Web. Enterprises and service providers deploy web-caching software and appliances to reduce bandwidth requirements and improve web-browsing response time over existing connections. Here's how web caching works:

1. When a user within an organization connects to a website, such as Facebook or YouTube, unbeknownst to that user, a web-caching appliance receives the request and determines whether the requested content (HTML page, video, PDF file, and so on) is stored in its local cache.

2. If the requested content is stored in the local cache — that is, if a cache hit occurs — the content is directed back to the user’s web browser (immediately after the web caching appliance has verified the content has not changed) without ever connecting to an Internet host.

or

If the requested content isn’t stored in the local cache — that is, if a cache miss occurs — the user’s request is forwarded to the originally intended Internet host.

By implementing web-caching solutions, enterprises can reduce bandwidth consumption by 40 percent to 90 percent.

Vendors in this space include Blue Coat; the open-source Squid proxy is the best-known software alternative.

Application acceleration
Application acceleration speeds the performance of centralized applications for remote employees, customers, or partners who access those applications over a network (typically, the Internet). Most solutions require devices at both ends of the network connection, such as headquarters and a branch office; others sit in front of servers in a data center to make access to those servers more efficient. These devices address the two main factors that impede application performance: latency and bandwidth.

The three most commonly used application acceleration techniques are protocol optimization, content caching, and data compression.

Vendors in this space include Blue Coat, Citrix, F5, and Riverbed.

Typical Network Performance Deployment Challenges

Chapter 4 discusses typical challenges that organizations face in deploying network security tools. This section presents the challenges of deploying network performance tools, some of which are identical to those mentioned in Chapter 4.

Deploying active WAN acceleration tools

Any active tool, whether security- or performance-oriented, must be deployed with great care. If an active tool requires a reboot upon receiving software updates, or if it needs to be taken offline periodically for maintenance, it must have reliable fail-open technology built into its network interfaces. Unfortunately, many tools don’t have this technology.

Solution: Select NPBs come equipped with fail-open network interfaces to ensure that no active tool will ever cause the network to fail, even when it loses power. Further, better NPBs offer health-check packets to monitor the state of active tools, and some feature reboot accelerated failover technology, which provides additional reliability for 1G copper network segments. (For details on these features, see Chapter 3.)


Extending current investment in 1G performance tools

Two recurring themes in this book are the dominance of 10G fiber network backbones and the preponderance of 1G monitoring tools. Whether a 1G tool is active or passive, it simply can’t connect natively to a 10G network, because the physical interfaces are incompatible. (For illustrations of common network interface connectors, flip back to Chapter 1.) This incompatibility often forces the early retirement of perfectly good monitoring tools before the end of their useful life, which requires IT to invest in new 10G tools earlier than planned (and budgeted).

Solution: Any guess? That’s right — as long as 1G tools have the horsepower to inspect the organization’s volume of traffic, its network interfaces aren’t the limiting factor any more, thanks to NPBs. In this solution, 10G traffic comes into an NPB via its network ports and then is directed to one or more monitoring ports for inspection by the 1G tool(s).

By now, I hope you know the difference between 10G throughput and 10G connectivity. A 10G network is equipped to connect with myriad 10G devices, but that doesn’t mean it’s actually pumping out 10G worth of data. In theory, you could have just 750Mbps of average throughput on a 10G network, which could easily be inspected by a single 1G tool.

Gaining complete network visibility

Another recurring theme in this book is the inability of any given tool to inspect more network segments than it has interfaces for. An eight-port IPS, for example, can inspect up to eight network segments in passive IDS (alerting) mode or up to four network segments in active IPS (blocking) mode.

Solution: Network aggregation is one of the most common reasons why organizations turn to NPBs. When you leverage NPBs, that same eight-port IPS can inspect traffic from over a dozen network segments, making its processing power the limiting factor — not its interfaces.


Optimizing tool throughput for efficiency and scale

Tools are limited by their processing power (CPU, memory, disk capacity, and so on). In many cases, however, tools frequently inspect traffic that doesn’t pertain to them, thus consuming precious resources unnecessarily. Then organizations retire these tools in favor of new, upgraded tools with higher bandwidth capacity — purchases that eat into their precious IT budgets.

Solution: Because NPBs are almost always less expensive than high-end performance tools, and certainly are more versatile, an NPB can be used to strip away unnecessary traffic through its packet filtering capability (see Chapter 3). This solution ensures that only traffic of interest flows into the tool, thereby extending its useful life.

NPBs school a university

Typical university networks pose a huge challenge for network operations. Their users are the highest consumers of bandwidth on the planet, frequently connecting to sites such as YouTube, Netflix, Facebook, and Skype, as well as doing online research for their coursework.

Also, a university network can comprise tens of thousands of student, faculty, and staff workstations, as well as hundreds of servers and network infrastructure devices. Monitoring the performance of such a network and its mission-critical applications is quite a challenge.

One U.S. university was experiencing two dilemmas with its performance monitoring tools: The tools didn’t have enough interfaces to monitor the entire network, and they were unable to monitor the corporate backbone following a 10G upgrade. Its IT department selected NPBs from VSS Monitoring (www.vssmonitoring.com) to solve the problem. When the NPBs were up and running, the university’s 1G performance monitoring tools were inspecting 10G traffic through a load-balanced configuration while gaining complete network visibility through traffic aggregation.


Chapter 6

Use Cases for Service Providers

In This Chapter

▶ Distinguishing among types of service providers

▶ Exploring common service provider traffic types

▶ Examining service provider use cases for NPBs

Chapters 3 and 4 describe NPB use cases for network security and network performance tools, respectively. These use cases apply to virtually all enterprises, government agencies, and especially to service providers — the latter in more ways than one.

For the purposes of this book, service provider is a generic term that applies to companies that provide telecommunications, broadband, television, application hosting, and other IT services.

In this chapter, I discuss the most common types of service providers and then explore their most frequent use cases for NPB solutions. I then describe how one of America’s largest mobile service operators leveraged NPBs to simplify its 4G performance monitoring architecture and lower costs within its newest network operations center.

Types of Service Providers

Dozens of types of service providers operate across the telecommunications, television, and IT industries. This section explores those that are most likely to benefit from NPB solutions.


Mobile network operators (MNOs)

A mobile network operator (MNO) — also known as a wireless service provider, cellular company, or mobile network carrier — is a provider of wireless communications services that owns or controls all the elements necessary to sell and deliver services to an end user, including radio-spectrum allocation, wireless network infrastructure, backhaul infrastructure, billing, and customer care.

Vendors in this space include AT&T, Sprint, Verizon Wireless, and Vodafone.

Fixed network operators (FNOs)

A fixed network operator (FNO) — also known as a telephone company, telco, telephone service provider, or fixed line operator — provides wired telecommunications services such as telephony and data communications access. In the United States, FNOs include regional Bell operating companies (RBOCs), incumbent local exchange carriers (ILECs), and competitive local exchange carriers (CLECs). At one time, FNOs in the United States were state-regulated monopolies.

Vendors in this space include AT&T, BT, and Verizon.

Multiple-system operators (MSOs)

A multiple-system operator (MSO) — also known as a multisystem operator or multiple service operator — is a company that has acquired multiple cable television (CATV) systems and brought them under the control of a single corporate entity. The individual CATV systems may have been combined into a single network, combined at a regional or metropolitan level, or not combined at all. MSOs typically provide television, telephone, and Internet broadband services to businesses and consumers.

Vendors in this space include Comcast, Time Warner, and Virgin Media.


Other service providers

Many more types of service providers exist, and frankly, I don’t have enough space in this book to write about them. Here, however, are a few worth mentioning:

✓ Application service providers

✓ Managed service providers

✓ Storage service providers

✓ Cloud service providers

You may have noticed that up until now, I haven’t used the term Internet service provider (ISP), which refers to a company that provides broadband Internet connectivity to businesses, government agencies, and consumers. That’s because virtually all the service providers mentioned in this section offer broadband Internet services and, thus, can be considered to be ISPs.

Common Service Provider Traffic Types

Before you delve into common service provider use cases, review this section, which explores common traffic types deployed by today’s service providers.

Video streaming: The world’s biggest bandwidth hog

No matter how you slice it, video is the leading bandwidth hog on mobile and fixed access networks. According to the 2012 Sandvine Global Internet Phenomena Report (www.sandvine.com), YouTube is the world’s biggest consumer of mobile data, taking up 27 percent of mobile data in North America, and Netflix is far and away the largest single source of traffic on fixed access networks, representing 24 percent of total volume in North America — well ahead of BitTorrent, at 14 percent.


OTT and operator-based video services

Mobile and network service providers are finding it challenging to maintain acceptable levels of service performance in the face of rising demand for streaming video. That video comes in two varieties:

✓ OTT (over-the-top) video is streamed without the ISP’s involvement in the control and distribution of the content, such as video streamed from YouTube, Hulu, and Netflix. The provider may be aware that its infrastructure is streaming OTT video, but it isn’t responsible for, or able to control, the technical quality, copyrights, or redistribution of the content.

✓ Operator-based video is delivered by the provider through purchase or rental agreements, such as Comcast’s On Demand and AT&T’s U-verse.

IP telephony

IP telephony is the area of communications that involves digital phone systems based on IP standards. This technology makes a phone system digital in such a way as to take advantage of the Internet and of any hardware and applications attached to it. IP telephony providers leverage NPBs to optimize delivery quality of their IP telephony services.

Most people use the terms VoIP and IP telephony interchangeably, but VoIP is a subset of IP telephony. Think of IP telephony as being the overall concept and VoIP as being a means of transmitting voice to implement this concept. An IP telephony system can, for example, be an IP PBX, which incorporates VoIP and other standards.

Common Service Provider Use Cases

Unlike most enterprises, service providers must satisfy the needs of both internal users and — perhaps more important — external customers. Chapters 4 and 5 describe how service providers can leverage NPBs to optimize their internal networks. This section describes how they can use NPBs to optimize service delivery for external customers.

As you can imagine, the number of performance and security tools that it takes to monitor, maintain, and protect the myriad services discussed in this section is far too great to cover in this book, so I refer to these systems collectively as tools. To find out how NPBs can interface with your specific tools, contact your preferred NPB vendor.

Although the tools used by the service providers in the following use cases vary greatly, NPBs were employed to do the following things:

✓ Selectively aggregate traffic from many network segments and route it to one or more tools

✓ Enable tools to be deployed and maintained without potential for unplanned network downtime

✓ Filter packets so that only traffic of interest is sent to each specific tool

✓ Load-balance traffic to a group of tools to maximize their performance

✓ Overcome SPAN-port contention

✓ Extend the life of 1G tools on 10G networks

✓ Leverage deep packet inspection to comply with lawful-interception mandates (discussed later in this chapter)

4G greenfield deployments

MNOs commonly deploy NPBs to support new, or greenfield, 4G deployments. 4G is the fourth generation of cellphone mobile communications standards and the successor to the third-generation (3G) standard. A 4G system provides mobile ultrabroadband Internet access to mobile devices such as laptops and smartphones. Typical 4G applications include mobile web access, IP telephony, gaming services, high-definition mobile TV, and videoconferencing.

Following are the most common cellphone mobile communications standards, up to and including 4G LTE:

✓ 3.5G systems, often marketed as “4G” today

✓ HSPA+ (High Speed Packet Access Evolution), from the UMTS family

✓ EV-DO Rev B (Evolution Data Only), from the CDMA family

✓ 3.9G systems, often referred to by the telecom industry as first-generation 4G systems

✓ 802.16e / Mobile WiMAX

✓ LTE (Long Term Evolution)

✓ LTE-Advanced

3G ATM-to-IP conversion

MNOs with longstanding 3G infrastructures are finding themselves migrating from costly ATM (asynchronous transfer mode) to cheaper IP infrastructure components such as concentrators and multiplexors to routers and switches, and from CLASS-level switches to simpler soft switches. But the biggest transformation is the way that data is trunked back to the central office — which is where the real need for monitoring tools and NPBs comes in.

As the traditional bombproof legacy infrastructure is upgraded to all-IP, fixed container lengths are being replaced with variable packet lengths. This change causes many problems for real-time communication services, such as voice and video. Factors such as delay, jitter, latency, packet loss, fragmentation, and packet duplication replace older issues such as clock drift and correct configuration of central-office and concentrator switches.

Indeed, the cost of the backbone carriage for an all-IP infrastructure has decreased markedly, but without a new layer to connect the network segments correctly to the monitoring layer, the advantages aren’t worthwhile.

Fixed-line TDM-to-IP conversion

FNOs are replacing time-division multiplexing (TDM) infrastructure with IP-based components to deliver telecom services as IP-based systems that are significantly more cost-effective and versatile than their legacy TDM-based counterparts. New services being offered — such as VoIP, Voice over Packet, IPTV, and video on demand — are critically dependent on packets turning up with minimum delay, little jitter, and zero packet loss.

IP networks were originally designed for “best effort” transport for non-time-critical data, such as e-mail. With the correct tools, however, distributed VoIP MOS (Mean Opinion Score), MDI (Media Delivery Index), and VMOS (Video Mean Opinion Score) services can be carried over IP networks successfully.

A packet loss of less than 1 percent can render a video stream unwatchable in practice. Such is the need for real-time monitoring solutions, such as NPBs and associated analytic tools.

NPBs fill in the missing piece of the puzzle. They allow what could be an expensive monitoring-tools layer to become an efficient way of monitoring a network through the collection of relevant data packets from multiple places or even across several network segments through a network intelligence optimization layer, as described in Chapter 3.

Lawful interception / CALEA

The Communications Assistance for Law Enforcement Act (CALEA) is a 1994 U.S. wiretapping law that requires telecommunications carriers and manufacturers of telecom equipment to modify and design their equipment, facilities, and services to provide built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband Internet, and VoIP traffic in real time.

Leading NPB devices offer deep packet inspection that helps carriers comply with CALEA and its international counterparts by extracting network traffic pertaining to specific IP, MAC, and e-mail addresses; instant-messaging communications; and more.

SLA monitoring

Most service providers publish service-level agreements (SLAs) that define key performance indicators (KPIs) for minimally acceptable levels of service performance. An ISP may guarantee “five nines” (99.999 percent) of uptime to a certain tier of customers, for example, or an FNO may guarantee that a customer’s WAN connection will never fall below a certain bandwidth threshold.

Most SLAs outline financial penalties to be incurred by service providers in the event that they fall short of their obligations. These penalties usually take the form of service credits toward current and future customer invoices and can amount to hundreds of thousands of dollars.

Don’t knock this 4G NOC

One of the largest carriers in the United States, serving more than 100 million people, recently constructed a network operations center (NOC) to monitor the performance of its 4G LTE network. The company understood the strategic importance of network packet broker technology and began evaluating leading vendors.

After a rigorous selection process, the carrier chose VSS Monitoring (www.vssmonitoring.com) based on its impressive lineup of feature-rich, fault-tolerant NPB devices. VSS offered key capabilities, such as deep packet inspection, fragment reassembly, session-based load balancing, and a scalable mesh NPB system design.

By selecting NPBs from VSS Monitoring for its new NOC, the carrier was able to reduce the required number of 4G performance probes from nine to just one, and to monitor seven additional 4G network rollouts without adding a single extra probe. This solution streamlined the NOC’s performance-monitoring architecture while simultaneously lowering total cost of ownership. Capital expenses were reduced by up to 80 percent, with operating expenses reduced by up to 50 percent.


Chapter 7

Selecting the Right NPB Vendor

In This Chapter

▶ Determining what you need

▶ Calculating your bandwidth and connectivity needs

▶ Documenting your system requirements

▶ Choosing the best vendor for your requirements and budget

Selecting a network packet broker vendor can be a daunting task, especially if you’re new to NPB technology. You may be tempted to make a decision based on the knowledge you gain from the first vendor you meet, or you might assume that a friend’s vendor is right for you. Either path could prove costly without proper due diligence.

Whether you’re a newcomer to NPB technology or an experienced hand, you should evaluate NPB vendors as a methodical four-step exercise:

1. Catalog your bandwidth and connectivity requirements.

2. Document your feature requirements.

You can use the checklist later in this chapter to compile your requirements.

3. Evaluate potential vendors.

4. Select a vendor.

I walk you through all four steps in this chapter.


Step 1: Catalog Bandwidth and Connectivity Requirements

To begin the process, you must catalog your organization’s bandwidth requirements and connectivity types. Without all this information, you can’t determine which NPB models are suitable for your network.

Network bandwidth

Ever hear the adage “Don’t kill a fly with a sledgehammer”? Well, this expression applies perfectly to NPBs. Unless you know your peak bandwidth utilization at points on the network where you plan to place NPBs, you may be oversizing or even undersizing your NPBs. If your NPB’s maximum throughput is too small, your monitoring tools can’t do their job, and if it’s too large, you’re pouring money down the drain.

Network connectivity

Every NPB offers different quantities and types of network interfaces, so it’s important to know the types of interfaces you have on both the network interface side (switches and routers) and the network monitoring tool side (security and performance tools).

Better NPBs allow you to configure any interface as a network or monitoring port, but you still need to determine what types of interface connectors you need.

Step 2: Document Your NPB Feature Requirements

NPB capabilities vastly differ from one vendor to another. Even the capabilities of NPB models offered by a single vendor can vary greatly, because the vendor attempts to package its NPB offerings to meet each organization’s needs (and budget).

In this step, consider which NPB features are most important to you and best meet the needs of your network. (For a quick refresher on NPB features, flip back to Chapter 3.)

As you work through this step, the “NPB requirements checklist” presented in Figure 7-1 can help you organize your thoughts.

Figure 7-1: NPB requirements checklist.


Administration

Start by considering these administration features:

✓ On-box interface: Every NPB device provides a means for you to configure it remotely — rather than manually setting dip switches or rotary dials found on typical network TAPs. Although better NPBs offer centralized administration (see the next item), some old-school IT administrators prefer an old-fashioned CLI or an overly simplified GUI.

✓ Centralized administration: Top-tier NPB vendors enable you to connect your NPBs to a fault-tolerant system (see “NPB interconnection requirements,” later in this chapter). Those that do often offer comprehensive centralized administration software, usually encompassing a web-based interface, which allows you to configure and monitor all NPBs from one central console. This option is almost always preferable to an on-box-configuration CLI or GUI.

Fault tolerance

Your fault-tolerance checklist should include the following items:

✓ Power-loss packet-flow policies: If you’re deploying only passive network security and/or performance tools, ignore this feature. If you’re deploying active tools, however, this feature enables you to determine whether you want the NPB to fail open or fail closed, depending on the desired outcome upon NPB power loss. (I discuss this topic in detail in Chapter 2.)

✓ Link state mirroring: As I discuss in Chapter 3, this feature helps you overcome potential problems related to asymmetric routing. If your inline NPB detects that one of the two devices to which it’s connected is down, the device on the other side knows it, and traffic gets routed through a redundant path.

✓ Reboot accelerated failover (1G copper only): You may recall from Chapter 2 that 1G copper networks are unique, in that inline NPBs that are configured to fail open use a magnetic relay to connect the two inline interfaces during power loss. This feature accelerates the NPB rebooting process from 200 milliseconds to 30-60 milliseconds, which prevents connected routers and switches from triggering a spanning tree protocol.

✓ Health-check packets: This nifty feature enables NPBs to monitor the status of active network security or performance tools that are connected to them. If a tool hangs (stops inspecting traffic, for example), the NPB can initiate a fail-open or fail-closed sequence, or redirect traffic to a standby tool, depending on the intended consequence of a failed active tool.
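The health-check behaviour just described, modelled in Python as an added example (not the book's or any vendor's code): probe timeouts, a consecutive-failure threshold before the fail-open, fail-closed or standby action, and a recovery threshold before traffic is steered back to the tool. The timing constants and the hang scenario are assumptions of mine.

```python
"""Added example (not from the book): health-check probes through an active
inline tool, with the NPB's reaction when the tool hangs and when it recovers."""
from enum import Enum


class Policy(Enum):
    """What the NPB does with the segment's traffic when the active tool fails."""
    FAIL_OPEN = "bypass tool, traffic flows uninspected"
    FAIL_CLOSED = "block segment until tool recovers"
    STANDBY = "redirect traffic to standby tool"


class ToolHealthMonitor:
    """Tracks health-check probes sent through one active tool.

    A probe not echoed back within timeout_ms is a failure; failures_to_trip
    consecutive failures mark the tool as hung and trigger the policy;
    oks_to_restore consecutive good probes are needed before traffic goes
    back to the tool, so a single lucky probe cannot cause flapping.
    All thresholds are assumed values, not taken from the book."""

    def __init__(self, policy, timeout_ms=300, failures_to_trip=3, oks_to_restore=5):
        self.policy = policy
        self.timeout_ms = timeout_ms
        self.failures_to_trip = failures_to_trip
        self.oks_to_restore = oks_to_restore
        self.outstanding = {}        # seq -> time the probe was sent
        self.failures = 0            # consecutive timed-out probes
        self.oks = 0                 # consecutive probes returned in time
        self.tripped = False
        self.events = []             # (time_ms, description)

    def send_probe(self, seq, now_ms):
        self.outstanding[seq] = now_ms

    def probe_returned(self, seq, now_ms):
        sent = self.outstanding.pop(seq, None)
        if sent is None or now_ms - sent > self.timeout_ms:
            return                   # unknown or late probe: already counted as failed
        self.failures = 0
        self.oks += 1
        if self.tripped and self.oks >= self.oks_to_restore:
            self.tripped = False
            self.oks = 0
            self.events.append((now_ms, "tool recovered: traffic restored to tool"))

    def tick(self, now_ms):
        """Expire overdue probes; call once per scheduling interval.
        Probes sent while the tool was hung keep expiring for one timeout after
        it recovers, which delays restoration; that is deliberately conservative."""
        expired = [s for s, t in self.outstanding.items() if now_ms - t > self.timeout_ms]
        for seq in expired:
            del self.outstanding[seq]
            self.oks = 0
            self.failures += 1
            if not self.tripped and self.failures >= self.failures_to_trip:
                self.tripped = True
                self.events.append((now_ms, f"tool hung: {self.policy.value}"))


def run_scenario(monitor, hang_from_ms, hang_until_ms, duration_ms,
                 interval_ms=100, rtt_ms=20):
    """Constructed timeline: one probe per interval; the tool echoes each probe
    after rtt_ms except while hung (hang_from_ms <= now < hang_until_ms)."""
    for seq, now in enumerate(range(0, duration_ms, interval_ms)):
        monitor.tick(now)
        monitor.send_probe(seq, now)
        if not hang_from_ms <= now < hang_until_ms:
            monitor.probe_returned(seq, now + rtt_ms)
    return monitor.events


if __name__ == "__main__":
    # Tool stops inspecting between t=500ms and t=1500ms, then comes back.
    for event in run_scenario(ToolHealthMonitor(Policy.STANDBY), 500, 1500, 2500):
        print(event)
```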

Traffic grooming

Next, consider your traffic-grooming needs:

✓ Traffic regeneration: This feature (see the discussion of regeneration TAPs in Chapter 2) enables traffic from one network segment to be duplicated, or regenerated, for the benefit of multiple monitoring tools.

✓ Selective traffic aggregation: This extremely useful feature could be your primary motivation for acquiring NPBs. With selective traffic aggregation, you can aggregate traffic from multiple segments and direct them to one or more tools for inspection.

✓ Hardware-based packet filtering: This feature enables you to strip off traffic that doesn’t pertain to your monitoring tool, freeing the tool to inspect only traffic of interest. It also frees your monitoring tools’ resources and prevents oversubscription.

✓ Session-aware load balancing: Virtually every organization that has deployed NPBs uses them to load-balance traffic to a group of monitoring tools. This feature prevents oversubscription of your tools and adds a layer of fault tolerance to those tools. It also enables your 1G monitoring tools to inspect traffic on 10G networks (assuming that they have ample processing resources to collectively handle the increased traffic).

✓ High data-burst buffering: In Chapter 3, I discuss problems associated with microbursts. This feature helps you overcome these problems by buffering microbursts to smooth out delivery of captured packets so that the packets aren’t dropped. It’s particularly useful in environments that have large amounts of multimedia traffic (movies, music, live video streams, and so on).
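Session-aware load balancing as an added Python example (not the book's or VSS Monitoring's code), covering both the 1G-tools-on-10G-networks discussion in Chapter 5 and the session-aware load balancing item above: a direction-independent session hash, the tool-count arithmetic, and an oversubscription check. The flow tables and the 1G capacity constant are constructed here.

```python
"""Added example (not from the book): spreading a 10G network's sessions over
a group of 1G monitoring tools while keeping each session on one tool."""
import hashlib
import math

TOOL_CAPACITY_BPS = 1_000_000_000          # one 1G monitoring tool


def session_key(src, dst, sport, dport, proto):
    """Direction-independent key so both halves of a conversation reach the
    same tool (stateful IPS/probe inspection breaks if they are split)."""
    a, b = sorted([(src, sport), (dst, dport)])
    return f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}"


def pick_tool(key, n_tools):
    """Stable hash to a tool index: a given session always lands on one tool."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_tools


def min_tools_for(total_bps, capacity=TOOL_CAPACITY_BPS):
    """Tools needed if load spread perfectly: the book's point that a 10G link
    carrying only 750 Mbps of actual throughput fits a single 1G tool."""
    return max(1, math.ceil(total_bps / capacity))


def distribute(flows, n_tools, capacity=TOOL_CAPACITY_BPS):
    """flows: (src, dst, sport, dport, proto, bps). Returns per-tool load,
    the session-to-tool assignment, and the tools pushed past capacity."""
    load = [0] * n_tools
    assignment = {}
    for src, dst, sport, dport, proto, bps in flows:
        tool = pick_tool(session_key(src, dst, sport, dport, proto), n_tools)
        load[tool] += bps
        assignment[(src, dst, sport, dport, proto)] = tool
    oversubscribed = [i for i, l in enumerate(load) if l > capacity]
    return load, assignment, oversubscribed


def constructed_flows(count, bps_each):
    """Synthetic flow table standing in for the 10G network's traffic mix
    (RFC 5737 documentation addresses, not real hosts)."""
    return [(f"10.{(i * 7) % 256}.{(i // 256) % 256}.{i % 256}", "198.51.100.10",
             40000 + i, 443, "tcp", bps_each) for i in range(count)]


if __name__ == "__main__":
    flows = constructed_flows(6000, 1_000_000)            # 6 Gbps in total
    total = sum(f[-1] for f in flows)
    print("minimum tools:", min_tools_for(total))
    load, _, over = distribute(flows, 8)
    print("per-tool Mbps:", [l // 1_000_000 for l in load], "oversubscribed:", over)
    # One 1.5 Gbps session cannot be split, however many tools are present.
    _, _, over = distribute([("10.0.0.1", "198.51.100.10", 5000, 443, "tcp", 1_500_000_000)], 2)
    print("elephant flow oversubscribes tools:", over)
```

The last case is the practical caveat behind the checklist's "ample processing resources" remark: session-aware balancing divides sessions, not bytes, so a single session heavier than one tool's capacity still oversubscribes that tool.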

Packet optimization

Review the following packet-optimization features:

✓ Time- and port-stamping: Both the time and port can be stamped into packets as they enter the NPB device. Time-stamping is useful for transaction-based applications, such as those that process stock-market transactions. Port-stamping is useful for network forensics applications that collect packets for evidentiary purposes.

✓ Packet de-duplication: Network and security tools sometimes receive duplicate packets from the same traffic source, due to redundancies in network design and/or monitoring-tool access. This feature prevents monitoring-tool oversubscription, false positives, and inaccurate performance reporting by detecting and discarding duplicate packets.

✓ Conditional packet slicing/masking: Is your organization affected by Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), or other regulations? If so, this feature can help by slicing off parts of a packet that are unrelated to the monitoring tool’s job, such as payload data containing credit card numbers, Social Security numbers, and other personally identifiable information.

✓ Packet fragment reassembly: Fragmented packets prevent certain traffic from being inspected properly by monitoring tools. This feature reassembles packet fragments into their original form before forwarding them to monitoring tools for inspection.

✓ Protocol stripping: Some monitoring tools can’t handle traffic that carries certain protocols, labels, or encapsulation, either because the tool’s software wasn’t designed for such traffic or because its hardware can’t process those protocols. Protocol stripping enables the NPB to strip off things like GTP headers, MPLS labels, VLAN tags, and VN-Tags, enabling monitoring tools to operate more efficiently and effectively.


NPB interconnection requirements

Consider the following requirements for connecting NPBs:

✓ Daisy chaining: Daisy chaining is the simplest way to connect and share traffic between NPBs. As I discuss in Chapter 3, however, this design is sub-optimal as each NPB in the chain represents a single point of failure and a potential system bottleneck.

✓ Star or hub-and-spoke: A star or hub-and-spoke design offers an improved architecture over daisy chaining, but the hub (the central NPB that connects to all other NPBs) still represents a single point of failure.

✓ Mesh: A mesh design is optimal for larger NPB systems, as no single NPB is a single point of failure. Not all NPBs support mesh architectures, however. This feature should be weighted heavily by organizations that have numerous and/or geographically dispersed NPB devices.

Future requirements

Don’t fall into the trap of designing your NPB system to accommodate only your immediate needs. Save yourself considerable money and headaches by building in additional capacity to accommodate future growth.

To help yourself predict the future, answer these questions:

✓ Network growth: Are you planning to upgrade any 1G network segments to 10G? Do you foresee an increase in average bandwidth use? Is your organization expanding into new branch offices?

✓ Network tools: Are you already allocating funds for new security and/or performance tools in next year’s budget? Do you expect, in the years ahead, to acquire any new monitoring tools that have just hit the market?


Step 3: Evaluate Potential NPB Vendors

Now it’s time to find candidate vendors. This process has three substeps:

1. Create a short list.

I recommend that you work with Gartner or your preferred IT research firm to create a short list of two or three preferred NPB vendors. As your job is on the line, select only vendors with proven track records.

2. Perform on-site evaluations.

Don’t buy before you try, no matter what. Every vendor thinks that its NPBs are the greatest, but you need to find out for yourself. Test at least one unit in your production environment, as opposed to just lab-testing, and find an excuse to contact the vendor’s customer support team to gauge response time and quality of problem resolution.

3. Request proposals.

After you complete your on-site evaluation, request formal proposals from your top two vendors.

Work carefully with the vendor’s sales engineers to design your NPB system. They are well equipped to guide you to the NPB models that match your specific requirements.

Step 4: Select a Vendor

Now it’s up to you to make the right choice. Selecting an NPB vendor is just as important as selecting the actual NPB models — if not more important. Price is a major factor to consider, of course, but you also need a partner you can trust — one that has the vision to deliver as your needs evolve and that will fully support you every step of the way as you solve your network security and performance tool deployment challenges.

Just follow your instincts. You’ll do great!


Chapter 8

Ten Ways to Lower Your Network’s TCO

In This Chapter

▶ Getting the most out of your existing monitoring tools

▶ Maximizing network uptime

▶ Centralizing operations

Regardless of whether you work for a Global 2000 enterprise or a small government agency, I guarantee that your chief information officer and/or chief information security officer is always looking for ways to lower operating expenses and stretch his or her budget as far as it can go. This chapter presents ten ways that NPBs can help lower your network’s total cost of ownership (TCO).

Prevent Tool Oversubscription

Like all computing devices, every network security and performance tool has a fixed amount of processing power. When that amount is exceeded, the tool becomes oversubscribed; it either stops monitoring portions of traffic (in a passive configuration) or potentially starts dropping packets (in an active configuration). NPB features such as hardware-based filtering, load balancing, packet de-duplication, packet slicing, and protocol stripping can optimize tool performance and prevent oversubscription.

TCO benefit: NPB features can help you delay purchasing additional tools and/or upgrading existing ones.


Alleviate SPAN-Port Contention

A network switch’s SPAN port is a limited resource. NPBs can alleviate SPAN-port contention by tapping links between network devices and/or aggregating traffic from multiple SPAN ports and regenerating (duplicating) its traffic for the benefit of multiple passive tools.

TCO benefit: NPBs improve the access of tools, thereby maintaining network security and performance.

Solve Your Media-Conversion Challenges

Have you ever faced the challenge of connecting a 1G fiber monitoring tool to a copper switch — or trying to interface that same 1G tool with a 10G network? NPBs help you solve both media-conversion problems by enabling virtually any monitoring tool to interface with virtually any network.

TCO benefit: NPBs save you money by eliminating the need to swap out perfectly good monitoring tools for tools with different media interfaces — and potentially higher costs.

Expand the Network Visibility of Your Existing Tools

A single tool is limited to inspecting the network traffic for which it has available interfaces. To repeat an example from Chapter 5, an eight-port IPS can natively inspect only eight passive network segments or four active network segments — two interfaces for each active segment. What if you need your IPS to inspect twice as many network segments? NPBs can help by aggregating traffic from many segments and directing that traffic to one or more IPS appliances.

TCO benefit: Selective network aggregation can negate the need to acquire additional (often very expensive) security and performance tools by expanding the network visibility of your existing tools.


Maximize Network Uptime through Fault Tolerance

Advanced NPB fault-tolerance features — such as power-loss packet-flow policies, link state mirroring, reboot accelerated failover, and health-check packets (refer to Chapter 3) — can prevent costly downtime in the event that an NPB and/or a network security or performance tool fails.

TCO benefit: You tell me! What’s your cost of downtime for network failure? Whatever that number may be, you can potentially save that amount by implementing the key fault-tolerance capabilities of preferred NPBs.

Increase System Reliability with a Mesh Design

In Chapter 3, I compare mesh designs with daisy-chaining and star or hub-and-spoke designs. Mesh designs are the best choice, because no single NPB is a single point of failure. Also, better NPB systems configured in a mesh design can route traffic automatically in the event that an NPB fails.

TCO benefit: Again, the TCO benefit is directly related to your network’s cost of downtime. Mesh designs offer the greatest configuration flexibility and fault tolerance.

Centralize Network and Security Operations

Every global organization wants to empower its IT staff to manage and monitor its networks locally, but many organizations also want the ability to do so globally — often in a network operations center (NOC) and/or security operations center (SOC).

TCO benefit: NPBs can simplify complex network designs to accommodate centrally located NOCs and SOCs, saving your organization the considerable cost of creating a new or expanded network infrastructure.


Extend the Life of Your Existing Tools

Aside from media conversion, you have many ways to extend the useful life of your existing security and performance tools, including selective traffic aggregation, packet filtering, load balancing, packet slicing/masking, and protocol stripping. All these features enable you to reduce the resource utilization of your existing tools, thereby extending their useful life.

TCO benefit: Getting the most mileage out of your existing security and performance tools postpones the need to replace them with higher-capacity models.

Increase Tool Selection Flexibility

All the features in the preceding section that help reduce resource use of your existing tools also increase your flexibility in acquiring new tools. Packet filtering alone, for example, may reduce your average bandwidth use enough that you don’t have to purchase the next-higher capacity (and more expensive) model of tool.

TCO benefit: Save money by selecting more-cost-effective monitoring tool models for lower inspected throughputs.

Plan for Future Growth

In Chapter 7, I talk about the importance of planning for future growth. The adage “An ounce of prevention is worth a pound of cure” certainly applies here. In the long run, it’s far more cost-effective to select higher-end, mesh-capable NPBs today than to purchase lower-end NPBs (or chassis-based NPBs) that support only daisy-chaining or hub-and-spoke interconnection designs for one NPB model at a time.

TCO benefit: By spending a little more now to future-proof your NPB investment, you save money by minimizing the need to acquire additional tools in the near future.
