BU-3 (Carpio) Fundamentals Of Passive Monitoring
Fundamentals of Passive Monitoring Access
June 16, 2009
Dennis Carpio
Director of Product Innovation
SHARKFEST '09
Stanford University
June 15-18, 2009
SHARKFEST '09 | Stanford University | June 15 –18, 2009
Agenda
Goal: Present an overview of Tap technology and how it makes network and security monitoring more efficient and productive.
• Technology Drivers
• Network considerations for a Tap deployment
• Innovations in Tap technology
• Taps in your network
• Thank you and contact info
Technology Drivers
Forensics
• Compliance
• Lawful Intercept
Security
• Growing Threats
• Need for Stealth Monitoring
Analysis
• Convergence of Voice/Video/Data
• Demand for 10G
The increasing complexity of networks, proliferation of applications and the
development of new technologies such as 10 Gigabit Ethernet are driving
the demand for increased monitoring.
Source: Frost & Sullivan
Traditional Access Methods
Risks by access method:
Span Ports
• Can drop packets when switch is busy
• Does not pass critical Layer 1 and 2 errors
• Costs time and resources for switch reconfiguration
In-line
• Potential point of failure
• Expensive one-tool-to-one-link deployment
• Relocating the tool means link downtime
Hubs
• Not passive (power failure means link down)
• Half-duplex only
• No Gigabit or 10 Gigabit hubs
Passive Tap Technology
• Access 100% of your network traffic
• Passive fail-safe operation
• Intelligent fail-over
• Deployed as infrastructure
• Recommended by all leading tool vendors

| | Net Optics Tap | Span Port | In-line Device | Hub |
|---|---|---|---|---|
| Handles High Traffic Loads? | Yes | No | Maybe | No |
| Invisible to Attacks? | Yes | No | No | No |
| Remote Configuration? | Yes | Yes | Yes | No |
| 100% Traffic Visibility? | Yes | No | Yes | No |
| Full-Duplex Traffic? | Yes | Limited | Yes | No |
| Point of Failure? | No | No | Yes | Yes |
The Passive Monitoring Solution
Passive Access Devices
• Network Taps: One monitoring tool has passive access to one network link.
• Regeneration Taps: Multiple groups and tools can share access to a network link.
• Port & Link Aggregator Taps: Tools can view traffic from multiple full-duplex links at one time.
• Bypass Switches: Prevent link downtime by connecting in-line appliances through fail-open Bypass Switches.
• Matrix Switches: Tools can be assigned to any link or automatically scan all links.
Intelligent Tap Technology
• View link utilization, traffic statistics, and alarms via front panel displays and remote interfaces even when a monitoring tool is not connected.
• Filtering Appliances: Match traffic of interest to appropriate monitoring resources.
Copper & Fiber Taps
Secure, passive network access for monitoring devices on any network topology.
10/100/1000BaseT Tap
10 GigaBit SR Tap
Features:
• Fiber Taps available in multiple split ratios, no power needed
• Fiber available for ATM / OC3, OC12, GigaBit and 10 GigaBit
• Support full-duplex monitoring
• Copper available in 10/100, 1G and 10/100/1G
• Zero Delay on 10/100BaseT Tap
• Rack-mountable (with the purchase of rack panels)
Benefits:
• Network traffic flows regardless of power availability to the Tap
• Monitoring devices can be used across multiple network links, preserving existing network connections
• Hardware becomes hidden from potential attackers, providing premium network security
• Access to all packet types on a link and errors from all layers
• Access to all packets on a full-duplex link, in real-time
Fiber Tap Split Ratios
What is a Split Ratio? A split ratio is the amount of light a Tap re-directs from the network to the monitor ports.
• For correct split ratio, a Loss (power) Budget should be calculated
[Diagram: a Fiber Tap with a 50/50 Split Ratio between a Router and a Switch. Optical Power = X enters the Tap; Optical Power = X/2 continues on the network link and Optical Power = X/2 goes to the Monitoring Device. Requirement: X/2 > Receiver Threshold Sensitivity.]
What is a Loss (power) Budget and how do I calculate this?
A Loss (power) Budget is the amount of attenuation that can be tolerated on the network and monitor links before the end-to-end data is corrupted.
To calculate, you must determine the following: Link Distance, Fiber Type, Launch Power, Receiver Sensitivity, number of interconnects and splices.
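An added example (not from the original slides) of the loss budget calculation described above, extended to compare several split ratios on both the network and monitor paths. The launch power, receiver sensitivity, attenuation, connector, splice and excess-loss figures are constructed sample values, and all function names are hypothetical.

```python
import math

# Constructed sample values (assumptions, not taken from the slides or a datasheet).
LINK = {"launch_dbm": -9.5, "rx_sens_dbm": -17.0, "db_per_km": 3.5}
NETWORK_PATH = {"km": 0.20, "connectors": 4, "splices": 0}  # router -> tap -> switch
MONITOR_PATH = {"km": 0.10, "connectors": 4, "splices": 0}  # router -> tap -> monitoring device


def split_loss_db(fraction, excess_db=0.5):
    """Loss on a tap output that receives `fraction` of the light, plus assumed excess loss."""
    return -10 * math.log10(fraction) + excess_db


def margin_db(fraction, path, link, connector_db=0.5, splice_db=0.1):
    """Received power minus receiver sensitivity for one path through the tap (dB)."""
    loss = (path["km"] * link["db_per_km"]
            + path["connectors"] * connector_db
            + path["splices"] * splice_db
            + split_loss_db(fraction))
    return link["launch_dbm"] - loss - link["rx_sens_dbm"]


def evaluate_splits(splits, link=LINK, min_margin_db=1.0):
    """Return {(network %, monitor %): (network margin, monitor margin, usable)}."""
    results = {}
    for net_pct, mon_pct in splits:
        net = margin_db(net_pct / 100, NETWORK_PATH, link)
        mon = margin_db(mon_pct / 100, MONITOR_PATH, link)
        usable = net >= min_margin_db and mon >= min_margin_db
        results[(net_pct, mon_pct)] = (round(net, 2), round(mon, 2), usable)
    return results


if __name__ == "__main__":
    for (net_pct, mon_pct), (net, mon, ok) in evaluate_splits(
            [(50, 50), (70, 30), (90, 10)]).items():
        print(f"{net_pct}/{mon_pct}: network {net:+.2f} dB, "
              f"monitor {mon:+.2f} dB, usable={ok}")
```

With these sample figures only the 50/50 split leaves both receivers above their sensitivity threshold; the 70/30 and 90/10 splits starve the monitor port.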
Fiber Specifications
Emerging 10 GigaBit technology may require upgrades to existing networks.
1 GigaBit
1GB-SX
• 62.5µ or 50µ multimode fiber
• 850nm wavelength
• 220m distance with 62.5µ fiber, up to 550m with 50µ fiber
1GB-LX
• G.652 fiber
• 1310 nm wavelength
• Up to 15 kilometers
1GB-ZX
• G.652 fiber
• 1550 nm wavelength
• Up to 70 kilometers
10 GigaBit
10GB-SR
• 62.5µ or 50µ multimode fiber
• 850nm wavelength
• 33m distance with 62.5µ fiber, up to 300m with 50µ laser-optimized fiber
10GB-LR
• G.652 fiber
• 1310 nm wavelength
• Up to 10 kilometers
10GB-ER
• G.652 fiber
• 1550 nm wavelength
• Up to 40 kilometers
10/100 Zero Delay Technology
Technology that eliminates the 10 ms delay added to traffic in other Taps when power is lost.
This short delay can cascade into longer delays if routers and switches need to renegotiate the link.
Zero Delay ensures:
• No dropped packets
• No latency is introduced
• Power loss to the Tap is undetectable to the network
Net Optics Products with Zero Delay
• 10/100BaseT Taps
• 10/100BaseT Regeneration Taps
• 10/100BaseT Link Aggregator Taps
Port Aggregator Taps
Typically, full-duplex monitoring with a network tap requires two NICs (or a dual channel NIC), one interface for each side of the tapped full-duplex connection. A port aggregator Tap combines these streams, sending all aggregated data out a single passive monitoring port.
Benefits:
• Zero network data stream interference
• Network traffic flows regardless of power availability to the Tap
• Hardware becomes hidden from potential attacks, providing premium network security
• Access to all packet types on a link and errors from all layers
• Enable 24/7 passive monitoring
Features:
• Available for 10/100BaseT, GigaBit copper and GigaBit fiber monitoring devices
• Supplies full-duplex traffic to a single NIC on the monitoring device
• DIP switch sets auto-negotiation or fixed speed duplexing
• 256MB buffer memory controls traffic bursts
• Available with 2 monitor port option
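An added example, not part of the original slides, of what aggregating both directions into one monitor port implies: the two directions together can exceed the monitor port's rate, and the 256MB buffer absorbs the excess only for a limited time. The 1000 Mbps monitor port speed, decimal megabytes and the traffic traces are assumptions constructed for illustration, and the function name is hypothetical.

```python
def simulate_aggregator(trace, monitor_mbps=1000, buffer_mb=256, interval_s=1.0):
    """Replay per-interval (A->B, B->A) rates in Mbps through one monitor port.

    Returns peak buffer fill and dropped volume in megabits, plus the
    indexes of the intervals in which the buffer overflowed.
    """
    capacity_mbit = buffer_mb * 8           # assumption: 1 MB = 10**6 bytes
    fill = peak = dropped = 0.0
    overflow_at = []
    for i, (a_to_b, b_to_a) in enumerate(trace):
        # Both directions arrive; only monitor_mbps can leave toward the tool.
        fill += (a_to_b + b_to_a - monitor_mbps) * interval_s
        fill = max(fill, 0.0)                # port drained everything that was queued
        if fill > capacity_mbit:             # buffer exhausted: excess never reaches the tool
            dropped += fill - capacity_mbit
            fill = capacity_mbit
            overflow_at.append(i)
        peak = max(peak, fill)
    return {"peak_mbit": peak, "dropped_mbit": dropped, "overflow_at": overflow_at}


# Constructed traces: one-second average rates for each direction of a gigabit link.
SHORT_BURST = [(300, 200)] * 2 + [(900, 900)] * 2 + [(300, 200)] * 3
LONG_BURST = [(300, 200)] * 2 + [(900, 900)] * 4 + [(300, 200)] * 3

if __name__ == "__main__":
    for name, trace in (("short burst", SHORT_BURST), ("long burst", LONG_BURST)):
        print(name, simulate_aggregator(trace))
```

The two-second burst is fully buffered and delivered late, while the four-second burst overflows the buffer, so a capture taken from the monitor port would be missing traffic from those intervals.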
In-Line Regeneration Taps
Maximize resources and save on access points when multiple devices can monitor link traffic simultaneously through a Regeneration Tap. Secure, passive access for multiple devices means a better return on monitoring investments.
Benefits:
• Network traffic flows regardless of power availability to the Tap
• Hardware is hidden from potential attackers, providing premium network security
• Access to all packet types on a link and errors from all layers
Features:
• 10/100Mbps auto-sensing, GigaBit or 10GigaBit speeds available
• DIP switch controlled duplex and speed settings (copper)
• Redundant power supplies
• Available in 2, 4, and 8 monitor port models, copper and fiber
Link Aggregator
Link Aggregator Taps extend the reach of GigaBit monitoring devices to traffic from multiple Span ports. Aggregating the traffic from multiple switch Span ports greatly increases the coverage of monitoring devices.
Benefits:
• Increase Tool ROI
• Use 10G Tools Efficiently
• Monitor More Links Simultaneously
• Share Traffic Access
Features:
• Use 1G tools on 10G Links
• Aggregate 1G Links to 10G Tools
• Monitor up to 10 Network Links
• Replicate Traffic to 4 Tools
iTap Technology
Information
Control
Benefits:
Features:
• Centralized and remote management
• SNMP integration
• Enhanced capability
• Passive monitoring / invisible to attacks
• Better resource utilization
• Utilization statistics
• Increased network visibility
Access
Data Monitoring Switch
Value: Any-to-Any / Many-to-Many connectivity, filtering to enhance tool performance and speed problem solving.
Director™
Benefits:
• Relieve Oversubscribed Tools
• Centralize Data Monitoring
• Leverage Tool Investments
• Increased Network Visibility
Features:
• TapFlow™ Multi-Layer Filtering
• Industry's Highest Port Density
• Passes all errors including CRC
• High-speed 10 & 1 Gigabit Ports
Software Management
System Manager, Web Manager & CLI
Management Software Options
• Web - single device mgmt
• GUI - MAP wide visibility
• Command Line Interface
Track Link Information
• Identify bandwidth utilization peaks
• Baseline traffic statistics
Control Access to the Data
• Enable/disable monitor ports
• Reset alarm triggers
Security (Q2 '09)
• SNMPv3
• RADIUS/TACACS+
CLI
Web Manager
System Manager
Financial Case Study
Multi-station Taps
Industry: Finance
Objective: Provide non-intrusive, zero-latency visibility into network traffic enabling trading transactions to be captured and network issues to be resolved quickly and accurately
Approach: Tap into the network with Net Optics multi-station fiber and copper Taps
Technology Improvements:
• 100 percent direct in-line traffic visibility in real time without latency or impact on real-time applications
• Ability to record transactions for event reconstruction to resolve differences between the Exchange and its members
• Ability to analyze traffic from multiple vantage points throughout the network simultaneously
Business Outcomes:
• Improved network reliability from “four nines” (99.99% up time) to five nines (99.999% up time) in first year
• Achieved virtually 100% up time by the end of the third year
• Improved end user satisfaction by consistently providing more reliable low-latency access into equities, equity options, and futures markets
Financial Solution
Government Case Study
Multi-station Taps
Industry: Government
Objective: Provide non-intrusive visibility into network traffic to support remote diagnostics
Approach: Tap into the network with Net Optics multi-station fiber and copper Taps
Technology Improvements:
• 100 percent direct in-line traffic visibility in real time without latency or traffic impact
• Deployment of automated tools and control mechanisms
• Ability to troubleshoot and develop solutions remotely
Project Outcomes:
• Frequent resolution of issues before users are impacted
• Reduction in number of field services calls dispatched
• Significantly lowered MTTR
• Improved end user satisfaction
Government Solution
InteropNet Case Study
Director™
Industry: Information Technology
Objective: Provide pervasive monitoring access for InteropNet, the high-performance network serving the Interop Las Vegas and New York conferences
Approach: Tap into the InteropNet with an expanded multi-unit system of Net Optics Director Data Monitoring Switches
Technology Improvements:
• Ability to connect any feed to any monitoring tool
• Reduced access solution footprint
• Aggregation of feeds down to a single pair
• Remote visibility and control
Business Outcomes:
• Confident of delivering “101” uptime at Interop
• Number of help desk tickets reduced
• Tickets closed faster (MTTR lowered)
• No open tickets or unsolved cases
InteropNet Solution
[Diagram: InteropNet production network (orange and dotted lines) and SpyNet (purple lines) with five Net Optics Director Data Monitoring Switches]
A Monitoring Access Platform
Workgroup
Edge
Data Center
Core
Build an infrastructure with a strong platform
Net Optics Overview
Customers
• 82% of the Fortune 100
• 45% of the Fortune 500
• 5700 Global Customers
• 5 New Customers Every Week
Highlights
• Founded in 1996 by Eldad Matityahu
• 50 Quarters of Growth & Profitability
• 40K Sq. Ft. Santa Clara, CA Corporate HQ and Manufacturing Facility
• Private Company, No VC funding and 90 Employees
Thank You
www.netoptics.com
(408)737-7777