Shared Data Access Network (SDAN)
for Monitoring, Security, Performance
J. Scott Haugdahl
Principal Engineer, Blue Cross Blue Shield
Former Asst. VP & Architect, US Bank
Data Connectors Minneapolis, March 28th, 2013
The US Bank Experience

• Who is US Bank (Symbol: USB)?
  – Part of U.S., a diversified financial services holding company
  – Fifth-largest commercial bank in the U.S., with over 3,000 branches
  – Recognized for its strong financial performance and prudent risk management, capital generation, and product quality
• What is Network Application Analysis (NAA)?
  – Founded in 2008 within US Bank’s Network Planning and Engineering group to adopt new ways of thinking, tools, processes, and collaboration focused on resolving potential or chronic application performance problems
  – Solution-oriented: looks beyond the lower network (i.e. infrastructure) layers
  – Gained a high level of visibility and credibility during pre-migration analysis for the new data center
  – Created the Shared Data Access Network (SDAN) to support security, monitoring, and analysis tools
• Why the SDAN?
  – The only solution able to collect and aggregate multiple streams simultaneously from several tiers in real time to feed Application Performance Monitoring (APM), fraud detection, security, and sniffer tools
The Dark Ages

“Technicians had to physically unplug and move tools from one tap or SPAN port to another. That necessitated change orders and scheduling during off hours, slowing the group’s agility and flexibility to monitor effectively.”
– Royal Bank of Canada
Is This the Best We Can Do?

Sharing SPANs Got Ugly

[Cartoon: several tools contend for a single SPAN port (“Hey, It’s MY SPAN PORT!”); labels: “Referee from Gigamon”, “Dropped Packets”, “Blade Server”]
Fast Forward

The Shared Data Access Network (SDAN) Collects & Sends Packets to Consumers

[Diagram]
Packet sources: Tapped media, Load balancers, Firewalls, Mainframe, Mirror ports, Switches, UCS fabric, Blade chassis
  -> Gigamon Intelligent Matrix: switching, filtering, aggregation, slicing, etc.
  -> Consumers: Intrusion detection, Fraud, Threat analysis, Data loss prevention, APM, Sniffer
SDAN Value – The Big Three

• Collect and Aggregate Packet Flows
  Several streams from multiple tiers can be collected and aggregated onto one or more 10 Gbps outputs, in order to monitor complex applications and save on tool ports
• Passively Share Packet Flows
  Packet stream sources (network ports) can service many consumers (tool ports), which is critical to protecting your customers and improving the end-user experience
• Filter and Preprocess Packet Flows
  Flows can be filtered by MAC, VLAN, or IP (and sliced, de-duplicated, etc.), allowing focused analysis or fraud detection and a significant drop in CPU demand on the tool or appliance
Simplified App Mapping & Tapping

[Diagram: Application “X” traced from Internet users through three tiers (Tier 1 “DMZ”, Tier 2, Tier 3). Components shown: Internet routers, firewalls, load balancers, authentication, policies, “X” web servers, “X” app servers, access GW, messaging, “X” DB servers, mainframe]

Tapping just above and below the load balancers gives great places to pick up services to monitor, isolate faults by domain, troubleshoot, and optimize apps.
Steps to a Successful SDAN Deployment

• Document the logical flow of the application
  – In complex environments, use application (not network) conceptual flow diagrams to determine the logical tap points per end-tool requirements (packet analysis, security, APM, etc.)
  – Different applications will have different flows and services, especially customer-facing vs. internal applications
• Map the logical flows and devices to physical ports
  – Example: firewalls and where they attach
• Tap the physical media into your SDAN network ports
  – These comprise the ingress or network ports
• Aggregate the packet streams and send them to your SDAN tool ports
  – Filters may be required to remove irrelevant packets
• Feed the security flows to your sniffer to validate your setup
  – Don’t forget this important last step!
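The aggregate, filter/slice/de-duplicate and validate steps above, and the "Big Three" value points on the earlier slide, as an added Python example that is not part of the slides or of any Gigamon product: a toy packet broker that merges two constructed tap streams, keeps only the VLANs and the 10.1.0.0/16 range of interest, collapses copies of the same packet captured on both sides of a firewall, slices each frame to its headers plus 16 payload bytes, and then checks that every expected flow actually reached the tool port. The tap names, VLAN numbers, MAC and IP addresses, and the rule format are assumptions made for the example.

```python
"""Toy SDAN packet-broker pipeline (added example, not from the slides or Gigamon):
aggregate tap streams -> filter -> de-duplicate -> slice -> deliver to one tool port,
then validate that the expected flows made it through. All packets are constructed inline."""
import hashlib
import ipaddress
import socket
import struct
from collections import deque

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_packet(src_mac, dst_mac, vlan, src_ip, dst_ip, payload):
    """Constructed 802.1Q-tagged IPv4 frame: 20-byte IPv4 header, TTL 64, protocol TCP,
    header checksum left at zero (the broker never verifies it)."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + struct.pack("!H", ETH_P_IP) + ip + payload


def parse(frame):
    """Header fields a broker filters on; None for anything that is not tagged IPv4."""
    if len(frame) < 38:  # 18-byte tagged Ethernet header + 20-byte IPv4 header
        return None
    tpid, tci, ethertype = struct.unpack_from("!HHH", frame, 12)
    if tpid != ETH_P_8021Q or ethertype != ETH_P_IP:
        return None
    ip_off = 18
    ihl = (frame[ip_off] & 0x0F) * 4
    return {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "vlan": tci & 0x0FFF,
            "src_ip": socket.inet_ntoa(frame[ip_off + 12:ip_off + 16]),
            "dst_ip": socket.inet_ntoa(frame[ip_off + 16:ip_off + 20]),
            "ip_off": ip_off, "l4_off": ip_off + ihl}


def matches(hdr, rule):
    """Rule keys (all optional): 'vlans' (set of VLAN IDs), 'macs' (set of MAC strings,
    either end), 'net' (CIDR string matched against source or destination IP)."""
    if "vlans" in rule and hdr["vlan"] not in rule["vlans"]:
        return False
    if "macs" in rule and not ({hdr["src_mac"], hdr["dst_mac"]} & rule["macs"]):
        return False
    if "net" in rule:
        net = ipaddress.ip_network(rule["net"])
        if not any(ipaddress.ip_address(hdr[k]) in net for k in ("src_ip", "dst_ip")):
            return False
    return True


def dedup_key(frame, hdr):
    """Hash from the IPv4 header onward with TTL and header checksum zeroed, so the same
    packet captured on both sides of a router or firewall collapses to one copy."""
    body = bytearray(frame[hdr["ip_off"]:])
    body[8] = 0
    body[10:12] = b"\x00\x00"
    return hashlib.sha256(body).digest()


def run_sdan(taps, rule, slice_bytes=None, dedup_window=1024):
    """Aggregate every tap's frames into one tool-port stream; return (frames, stats)."""
    recent, seen, delivered = deque(maxlen=dedup_window), set(), []
    stats = {"received": 0, "filtered": 0, "deduped": 0, "delivered": 0}
    for frames in taps.values():
        for frame in frames:
            stats["received"] += 1
            hdr = parse(frame)
            if hdr is None or not matches(hdr, rule):
                stats["filtered"] += 1
                continue
            key = dedup_key(frame, hdr)
            if key in seen:
                stats["deduped"] += 1
                continue
            if len(recent) == recent.maxlen:  # window full: forget the oldest hash
                seen.discard(recent[0])
            recent.append(key)
            seen.add(key)
            if slice_bytes is not None:  # keep L2/L3 headers plus the first N payload bytes
                frame = frame[:hdr["l4_off"] + slice_bytes]
            delivered.append(frame)
            stats["delivered"] += 1
    return delivered, stats


def validate(delivered, expected_flows):
    """Last deployment step: expected (src_ip, dst_ip) flows that never reached the tool port."""
    present = {(h["src_ip"], h["dst_ip"]) for h in map(parse, delivered) if h}
    return set(expected_flows) - present


# Constructed sample: the same client->web packets are captured at both the outside and the
# inside tap of the Tier 1 firewall, plus VLAN 200 noise and Tier 2 web->app traffic.
CLIENT, WEB, APP, OTHER = "198.51.100.7", "10.1.1.10", "10.1.2.20", "10.9.9.9"
FW_OUT, FW_IN, WEB_MAC, APP_MAC = ("00:00:5e:00:53:01", "00:00:5e:00:53:02",
                                   "00:00:5e:00:53:10", "00:00:5e:00:53:20")
CLIENT_WEB = [build_packet(FW_OUT, FW_IN, 100, CLIENT, WEB,
                           b"GET /login?i=%d HTTP/1.1\r\nHost: x\r\n" % i) for i in range(3)]
WEB_APP = [build_packet(WEB_MAC, APP_MAC, 110, WEB, APP,
                        b"POST /api/balance HTTP/1.1\r\nHost: app\r\n" + bytes([i])) for i in range(2)]
NOISE = [build_packet(FW_OUT, FW_IN, 200, CLIENT, OTHER, b"unrelated traffic on VLAN 200")]
TAPS = {"tier1_fw_outside": CLIENT_WEB + NOISE, "tier1_fw_inside": CLIENT_WEB + WEB_APP}
RULE = {"vlans": {100, 110}, "net": "10.1.0.0/16"}


def demo():
    delivered, stats = run_sdan(TAPS, RULE, slice_bytes=16)
    missing = validate(delivered, {(CLIENT, WEB), (WEB, APP)})
    return delivered, stats, missing


if __name__ == "__main__":
    _, stats, missing = demo()
    print(stats, "missing flows:", missing or "none")
```

Running the block reports nine frames received, one filtered (the VLAN 200 noise), three collapsed as duplicates of packets already seen at the outside tap, and five delivered, each cut to 54 bytes. The validation step is the one that catches an over-aggressive rule: asking it for the client-to-10.9.9.9 flow returns that flow as missing, which is exactly what "feed the flows to your sniffer to validate your setup" is meant to surface.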
After SDAN
Some SDAN Security Tool Best Practices

• Tap related network points into a Gigamon 420 or TA1 and send the aggregated flows to a 2404/HD4/HD8 for security tool consumption
  – Example: Tier 1 Firewalls and Interfaces -> TA1 -> Tier 1 Firewall Aggregate -> HD8 -> IDS
  – Example: Nexus 2232/2248s -> TA1 -> Server Farm Aggregate -> HD8 -> Fraud Detection
  – Example: Mainframe OSAs -> TA1 -> Mainframe Aggregate -> HD8 -> Data Loss Prevention
• Use rules and filtering to greatly reduce the load on the security appliance
  – Security and APM appliances do not need to waste cycles filtering irrelevant data
  – Reducing unnecessary intake can also improve post-analysis processing performance
• The usefulness of SPANs (and mirror ports) is diminishing, so avoid them if possible
  – Easy to oversubscribe, especially with port-channel or full-duplex aggregation
  – Eliminate the old practice of using aggregation taps and use fiber where possible
  – Be mindful that each tap requires two SDAN ports when operating in non-aggregation mode
• Consider preserving separate send/receive full-duplex tap ports all the way through to your tools for certain data center or branch WAN connections
  – Preserving full-duplex tapped router connections helps to keep incoming and outgoing traffic distinguishable
• Copy your security flows to permanent sniffers for post-mortem analysis
  – Data-mine stored packet flows for deep-dive forensic analysis
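A port-count and oversubscription check for the tap, SPAN and full-duplex points above, as an added Python example that is not from the slides or from Gigamon: it models the two SDAN network ports a passive tap consumes in non-aggregation mode, the single mirror port a SPAN session arrives on, and the worst case of every tapped link saturated in both directions, then compares that against the tool ports feeding one security tool. The 10 Gbps port speeds, the source names, the group compositions and the flag for a SPAN whose mirror port cannot carry all of its port-channel members are assumptions made for the example.

```python
"""Port-count and oversubscription planner for one SDAN tool group (added example, not from
the slides or Gigamon). Worst case assumes every tapped link is saturated in both directions."""
from dataclasses import dataclass

TOOL_PORT_GBPS = 10.0  # assumption: 10 Gbps tool ports, as on the slides


@dataclass
class TapSource:
    name: str
    link_gbps: float               # per-direction line rate of the tapped link(s)
    kind: str = "tap"              # "tap": passive full-duplex tap; "span": switch mirror port
    links: int = 1                 # links covered, e.g. port-channel members copied to one SPAN port
    span_port_gbps: float = 10.0   # egress rate of the mirror port (SPAN only)

    def network_ports(self):
        # A passive tap in non-aggregation mode hands the SDAN two fibres (TX and RX) per link;
        # a SPAN session arrives on one mirror port however many links it copies.
        return 2 * self.links if self.kind == "tap" else 1

    def worst_case_gbps(self):
        return 2 * self.link_gbps * self.links  # both directions of every covered link

    def span_drop_risk(self):
        # The switch itself discards mirrored traffic beyond the mirror port's own rate,
        # so this loss happens before the SDAN ever sees the packets.
        return self.kind == "span" and self.worst_case_gbps() > self.span_port_gbps


def plan_tool_group(sources, preserve_directions=False, tool_port_gbps=TOOL_PORT_GBPS):
    """Capacity check for one aggregate feeding one security tool. preserve_directions keeps
    send and receive on separate tool ports end to end, so the group consumes two of them."""
    tool_ports = 2 if preserve_directions else 1
    offered = sum(s.worst_case_gbps() for s in sources)
    capacity = tool_ports * tool_port_gbps
    return {
        "network_ports": sum(s.network_ports() for s in sources),
        "tool_ports": tool_ports,
        "worst_case_gbps": offered,
        "tool_capacity_gbps": capacity,
        "oversubscription": round(offered / capacity, 2),
        "oversubscribed": offered > capacity,
        "span_drop_risk": [s.name for s in sources if s.span_drop_risk()],
    }


# Constructed groups modelled on the slide's examples (names, speeds and members are assumptions).
TIER1_FW = [TapSource("tier1-fw-outside", 10), TapSource("tier1-fw-inside", 10)]
SERVER_FARM = [TapSource("nexus-2232-uplink-span", 10, kind="span", links=4)]
BRANCH_WAN = [TapSource("branch-wan-router", 1)]


def demo():
    return {
        "tier1_fw_ids": plan_tool_group(TIER1_FW),
        "server_farm_fraud": plan_tool_group(SERVER_FARM),
        "branch_wan_sniffer": plan_tool_group(BRANCH_WAN, preserve_directions=True),
    }


if __name__ == "__main__":
    for group, r in demo().items():
        flag = "OVERSUBSCRIBED" if r["oversubscribed"] else "ok"
        print(f"{group}: {r['worst_case_gbps']:.0f}/{r['tool_capacity_gbps']:.0f} Gbps worst case "
              f"({flag}), network ports {r['network_ports']}, tool ports {r['tool_ports']}, "
              f"SPAN drop risk: {r['span_drop_risk'] or 'none'}")
```

The Tier 1 firewall group shows why the "use rules and filtering" point matters: two tapped 10 Gbps links consume four SDAN network ports and can offer 40 Gbps to a single 10 Gbps tool port, so either the filters or a second tool port must absorb the difference. The server-farm SPAN of a four-member port channel is flagged before the SDAN is even involved, because the mirror port cannot carry what the members can, which is the oversubscription the slide warns about. The branch WAN group with directions preserved costs two tool ports but keeps incoming and outgoing traffic separate all the way to the sniffer.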
Not Best Practices!

Thank You!