Top Ten Criteria for Evaluating Network Packet Broker Solutions
SECURITY ARCHITECT EDITION
Most large organizations rely on network packet brokers (NPBs) to provide visibility to network tools and security systems,
as NPBs enable the pervasive, scalable network access that TAPs alone cannot. If your IT group is tasked with evaluating an
NPB solution for security deployments, you need an assessment framework to ensure both business and technical goals are
achieved.
The following ten criteria represent the key requirements of best practice network visibility deployments. Consider these criteria
to help your organization preserve existing tool investments, reduce the costs of new investments, and ease the scale out of
network infrastructure and security systems.
1. Extend visibility across both physical and virtual infrastructure (in traditional and SDN/NFV environments)
• According to Gartner Research, over 70% of server workloads will be virtualized by 2014 (1), so it is critical for network security architects to gain visibility into traffic on virtual servers in order to apply organizational monitoring and security policies to it, without disrupting or degrading traffic by deploying agents, taxing the hypervisor, or occupying compute slots. Note that traffic between two VMs on the same host never reaches a physical TAP, so this requires a capture point at the virtual switch rather than only on the uplinks.
• The NPB system must also be able to seamlessly scale packet access and delivery across both physical and logical network boundaries, delivering a fully interconnected mesh architecture over LAN and WAN segments. Such levels of network reach, resilience, and flexibility, not limited to daisy chain or hub-and-spoke topologies, will ensure continuous uptime for network security systems.
2. Deliver network traffic to active/inline tools, passive/out-of-band tools, and directly to network attached storage (NAS)
• Large scale network security deployments are typically designed to inspect data in motion (live traffic) as well as data at rest (newly copied and historical). Each tool type (active and passive) requires unique capabilities in order to ensure optimization and protection. For instance, inline systems need to be continuously monitored to ensure they remain capable of acting as a bi-directional link in the monitoring chain. The NPB solution should be able to send traffic to both active and passive tools while ensuring 100% network uptime and high-availability monitoring.
• The NPB solution should also be able to deliver network data directly to NAS in an open format (e.g. libpcap). Capturing network traffic in an open format and storing it on a high-end server of choice enables flexible visibility. Continuous capture for compliance becomes more cost effective, and pcap files stored by policy, or at the event-driven command of the security systems, can be analyzed by one or multiple tools or by internally developed applications.
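An added example, not from the original page or from VSS, of the open format referred to above: a minimal libpcap writer and reader using only the Python standard library, plus the checks a practitioner would run on a capture an NPB has written to NAS (magic and version, link type, timestamp order, and how many packets were sliced at the snap length). The header layout is the standard pcap format (24-byte global header, 16-byte record header); the sample frames are constructed.

```python
import struct

# libpcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype.
# LINKTYPE_ETHERNET = 1. Constructed example; not VSS code.
PCAP_MAGIC = 0xA1B2C3D4          # microsecond timestamps, native byte order
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")
RECORD_HDR = struct.Struct("<IIII")   # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(packets, snaplen=96, linktype=LINKTYPE_ETHERNET, start_ts=1700000000.0):
    """Serialize (time offset, frame bytes) pairs into a pcap byte string.
    Frames longer than snaplen are sliced, so incl_len < orig_len in their record header."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for offset, frame in packets:
        ts = start_ts + offset
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        sliced = frame[:snaplen]
        out += RECORD_HDR.pack(sec, usec, len(sliced), len(frame))
        out += sliced
    return bytes(out)


def read_pcap(data):
    """Parse a pcap byte string into (header dict, list of record dicts).
    Accepts both byte orders and the nanosecond-resolution magic variants."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a pcap file: magic %#x" % magic)
    nanos = magic in (0xA1B23C4D, 0x4D3CB2A1)
    ghdr = struct.Struct(endian + "IHHiIII")
    rhdr = struct.Struct(endian + "IIII")
    _, major, minor, _, _, snaplen, linktype = ghdr.unpack_from(data, 0)
    header = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype, "nanos": nanos}
    records = []
    pos = ghdr.size
    while pos + rhdr.size <= len(data):
        sec, frac, incl_len, orig_len = rhdr.unpack_from(data, pos)
        pos += rhdr.size
        if incl_len > snaplen or pos + incl_len > len(data):
            raise ValueError("corrupt record at offset %d" % pos)
        records.append({"ts": sec + frac / (1e9 if nanos else 1e6),
                        "incl_len": incl_len, "orig_len": orig_len,
                        "data": data[pos:pos + incl_len]})
        pos += incl_len
    if pos != len(data):
        raise ValueError("trailing bytes after last record")
    return header, records


def validate_capture(data, expected_linktype=LINKTYPE_ETHERNET):
    """Sanity checks for a capture file an NPB wrote to storage: version, link type,
    monotonic timestamps, and a count of packets that were sliced at snaplen."""
    header, records = read_pcap(data)
    problems = []
    if header["version"] != (2, 4):
        problems.append("unexpected version %r" % (header["version"],))
    if header["linktype"] != expected_linktype:
        problems.append("linktype %d, expected %d" % (header["linktype"], expected_linktype))
    for prev, cur in zip(records, records[1:]):
        if cur["ts"] < prev["ts"]:
            problems.append("timestamps not monotonic")
            break
    sliced = sum(1 for r in records if r["incl_len"] < r["orig_len"])
    return {"packets": len(records), "sliced": sliced, "problems": problems}


# Constructed sample: three frames, the third a full-size Ethernet frame longer than snaplen.
SAMPLE_FRAMES = [
    (0.000, b"\x00" * 60),
    (0.001, b"\x11" * 80),
    (0.002, b"\x22" * 1514),
]

if __name__ == "__main__":
    blob = write_pcap(SAMPLE_FRAMES, snaplen=96)
    print(validate_capture(blob))
```

The same checks apply to a real file: read it with `open(path, "rb").read()` and pass it to `validate_capture`; a non-zero `sliced` count tells you the NPB's slicing policy, not packet loss, is shortening the stored frames.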
3. Address traffic microbursts to ensure continuous capture and prevent tools from dropping packets
• When it comes to security and forensics, most tool vendors recommend copying and forwarding 100% of the network traffic from SPAN ports or passive TAPs to ensure the tools have full visibility at each access point. When copying 100% of SPAN/TAP traffic, or when using NPBs to aggregate traffic from multiple networks, there is a risk that the tools will suffer packet loss when the network experiences temporary volume spikes.
(1) “Forecast Analysis: Data center, Worldwide, 2010 - 2016,” Gartner Research, 2012.
• In any network experiencing microbursts, the NPB vendor must be able to accommodate them in the following ways:
a) Provide buffering to handle microbursts and prevent packet loss to tools. Buffering absorbs short bursts only; if the aggregated average rate exceeds a tool port's line rate, packets will still be dropped, so buffer depth should be sized against the measured burst duration and the tool's ingress rate.
b) Help avoid major network redesign or additional tool costs by precisely identifying and measuring over time where and to what degree the microbursts are occurring.
4. Optimize network tools and reduce costs by preprocessing network traffic in hardware
• When delivering network traffic to the tools, the NPB vendor must be able to accommodate both active and passive aggregation. In the case of active tools, the aggregation function should support the 802.1Q and 802.1ad tagging standards (Q-in-Q), as well as MAC learning (2). These features effectively expand the network range of the security tools and enable them to analyze asymmetrically routed traffic in 1G and 10G networks and beyond.
• Filtering at L2-L4 is an essential feature of NPB solutions, but additional L7 filtering can better optimize the network traffic consumed by security systems, particularly when different types of applications carry different risks. As an example, the NPB could filter out all Netflix and corporate video-on-demand traffic before sending multi-gigabit flows to an advanced web malware prevention appliance, so that the appliance does not needlessly process or analyze that traffic. Treat such exclusion rules as a deliberate blind spot: classify by application signature rather than by port number alone, and log the volume excluded so the exception can be reviewed.
• This level of advanced traffic aggregation and filtering will help avoid tool oversubscription (or underutilization), maximizing the effective throughput for each security and monitoring tool. Throughput optimization can drastically reduce both initial capital investment and ongoing operating costs.
5. Maintain service assurance for both security operations and network operations
• Network security operations teams are constantly under pressure to enhance security defenses and forensics capabilities while adhering to Service Level Agreements (SLAs) and increasing Governance, Risk and Compliance (GRC) mandates. Teams are often engaged in security system evaluations and proof-of-concept (POC) deployments. These POCs might be pilot deployments of next generation firewall or IPS solutions, or evaluations of best-of-breed advanced malware tools or SSL decryption appliances to help protect against hidden threats. Each POC, along with other ongoing projects and fire drills, involves change management requests and collaboration with the network operations team. The network security design team and the network engineering team each have their own challenges and pressures, particularly around migration and service assurance.
• It is critical that the NPB solution offer failsafe assurance on both the network side and the tool side. For the security team in particular, it must provide an active, failsafe bypass capability that behaves as a bump-in-the-wire, replicating link state on both sides so that the network's link aggregation and redundancy mechanisms continue to work. In other words, both the east and west switches should see any link failure state and fail traffic over to backup links accordingly (HSRP or an active/active failover design). Note that a bypass that fails open preserves availability at the cost of inspection: the segment is unprotected until the tool recovers, so bypass events must alert the security team, and segments where enforcement matters more than availability may need a fail-closed policy instead. The NPB system must make each POC simpler to bring up and deploy.
• The NPB solution must maintain network service assurance (99.999% uptime) while providing fault tolerance and high availability (HA) for each active security tool and each passive forensics and monitoring tool. This level of service assurance to both teams will enable the entire IT organization to rapidly evaluate and deploy best-in-class security solutions without re-instrumenting the network or negatively impacting network services and SLAs.
6. Enhance and expand security service chaining to achieve defense in depth
• Service chaining allows security teams to effectively scale defense depth and proactively mitigate evolving advanced targeted attacks, malware and zero-day exploits, but it is imperative that the NPB vendor have a proven reference architecture for service chaining with both inline and passive security and monitoring tools.
• In addition to active failsafe bypass features, the NPB solution needs to perform customizable tool health checks and event triggers that check both the software stack and the heartbeat (power or link-up state) of each tool in the security service chain. A tool can have link up while its inspection engine is hung, so a link-state heartbeat alone is not sufficient; an application-level check (for example, a test flow the tool is expected to pass or block) catches that case. Health check monitoring enables the flexibility and confidence needed to add best-in-class inline and passive security tools as required. Ensure health checks can be performed not just by the NPB device directly attached to each tool but across all NPB devices, and that they can detect tool or link failures on local and remote NPB devices before redirecting traffic or sending copies of actionable traffic to them.
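The health-check logic that criteria 5 and 6 call for, as an added example that is not part of the original document or of VSS's product: a per-tool monitor that combines a link heartbeat with an application-level probe, applies hysteresis so one dropped probe does not flap the segment into bypass, and uses a fail_open flag to choose between bypassing the tool and blocking the segment once the tool is declared down. The thresholds, tool name and scripted probe results are assumptions constructed for illustration; a real NPB exposes equivalents as configuration.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class HealthPolicy:
    fail_after: int = 3      # consecutive failed checks before declaring the tool down
    recover_after: int = 5   # consecutive good checks before reinserting the tool
    fail_open: bool = True   # when down: True = bypass the tool, False = block the segment


@dataclass
class InlineToolMonitor:
    """Tracks one inline tool. link_check models the NPB's heartbeat (link/power);
    app_check models an application-level probe, e.g. a test flow the tool must pass."""
    name: str
    policy: HealthPolicy
    link_check: Callable[[], bool]
    app_check: Callable[[], bool]
    healthy: bool = True
    fail_streak: int = 0
    ok_streak: int = 0
    events: List[str] = field(default_factory=list)

    def tick(self) -> str:
        """Run one health-check round and return the traffic action for this tool:
        'forward' (through the tool), 'bypass' (around it) or 'block'."""
        ok = self.link_check() and self.app_check()
        if ok:
            self.ok_streak += 1
            self.fail_streak = 0
        else:
            self.fail_streak += 1
            self.ok_streak = 0
        # Hysteresis: different thresholds for leaving and re-entering service.
        if self.healthy and self.fail_streak >= self.policy.fail_after:
            self.healthy = False
            self.events.append(f"{self.name}: DOWN after {self.fail_streak} failed checks")
        elif not self.healthy and self.ok_streak >= self.policy.recover_after:
            self.healthy = True
            self.events.append(f"{self.name}: RECOVERED after {self.ok_streak} good checks")
        if self.healthy:
            return "forward"
        return "bypass" if self.policy.fail_open else "block"


class ScriptedProbe:
    """Constructed probe that returns a scripted sequence of results, then repeats the last."""
    def __init__(self, results):
        self.results = list(results)

    def __call__(self) -> bool:
        if len(self.results) > 1:
            return self.results.pop(0)
        return self.results[0]


def simulate(link_results, app_results, policy):
    """Drive a monitor through len(link_results) rounds; return (actions, events)."""
    mon = InlineToolMonitor("ips-1", policy, ScriptedProbe(link_results), ScriptedProbe(app_results))
    actions = [mon.tick() for _ in range(len(link_results))]
    return actions, mon.events


if __name__ == "__main__":
    # Constructed scenario: link stays up but the inspection engine hangs for four rounds.
    link = [True] * 12
    app = [True, True, False, False, False, False, True, True, True, True, True, True]
    print(simulate(link, app, HealthPolicy()))
```

In the scripted scenario the link heartbeat alone would report the tool healthy for all twelve rounds; only the application probe moves the segment into bypass, and the recover_after threshold keeps it there until the tool has proven stable.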
(2) MAC learning: a learning algorithm based on MAC addressing that maps traffic from multiple network links to their respective internal aggregated network identifiers. Contact VSS for additional detail: http://www.vssmonitoring.com/corporate/info.asp?subject=question&src=10crit
7. Integrate network tools with NPBs to intelligently define capture controls in real time
• Some NPBs promise to improve continuous monitoring initiatives, but most do not leverage the intelligence of the security systems to determine capture parameters in real time. Because such an interface lets an external system change what traffic is captured or redirected, it must be authenticated, scoped to the minimum set of operations each tool needs, and audited. The following features can greatly enhance the relevance of captured traffic and enable proactive, intelligent monitoring:
• RESTful API that can be configured and invoked via XML
• Triggers for traffic filtering, full or selective packet capture and/or traffic flow redirection based on known intelligence (e.g. L2-L7 information such as an IP address, MAC address, URL, or a specific hex value in a header field)
• Targeted, tool-directed capture and store, where security systems initiate a command to the NPBs to send traffic to tools, or pcap files to NAS, for further analysis or troubleshooting
• Validated reference architecture for integrating with security and forensic vendors.
8. Optimize and scale bi-directional SSL visibility to monitor encrypted applications (e.g. social media) and protect against hidden malware
• Many security and forensics tools are rapidly losing traffic visibility due to the widespread adoption of cloud based services and social media applications that use SSL/TLS to meet privacy requirements. The promised ROI of existing IPS and security gateway solutions, as well as of new advanced malware prevention tools, is diminishing along with the ability to defend against advanced targeted attacks that use SSL/TLS channels for spear phishing, command and control communications, and data exfiltration. Relying on onboard tool decryption may not be the answer, as the associated performance costs and overall limitations are high. This assessment is shared by security analysts such as John Pirc and Dave Shackleford (3).
• A proven alternative to onboard tool decryption is the use of NPBs capable of both inline active and passive packet delivery and load balancing, in conjunction with dedicated, transparent SSL proxies. This combined solution enables the security tools to monitor and protect Gmail, Facebook and other social media applications that use ephemeral key exchange (DHE, ECDHE) and signature algorithms such as DSA. With ephemeral key exchange the session keys cannot be recovered from the server's private key, so passive decryption of a copied stream is not possible; the proxy must sit inline and terminate the session itself, which in turn means clients must trust the proxy's issuing CA.
• The need to provide 100% network visibility (including inside SSL/TLS sessions) to your inline IPS solutions is clear, but it may also be advantageous to offer similar (SSL-inclusive) visibility to passive forensics, monitoring and full packet analytic tools. These tools may not be in close proximity to your inline tools, so the NPB solution needs to deliver copies of decrypted traffic reliably and securely (e.g. encapsulated over TCP/IP with AES-128 or stronger encryption) across LAN or WAN boundaries. Decrypted copies are the most sensitive data the NPB handles: restrict which tools may receive them and which links they may traverse, since any tap on that path sees the plaintext.
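To make the DHE/ECDHE point concrete, here is an added example, not from the original page or from VSS, that parses the cipher suites a client offers in a TLS ClientHello and reports whether passive decryption with the server's private key could ever work for that session, or whether only an inline proxy can see the plaintext. The ClientHello records are constructed inline with a minimal builder; the suite table covers a handful of IANA code points and reports anything else as unknown rather than guessing.

```python
import struct

# Cipher-suite code points from the IANA TLS registry. Static RSA key exchange can be
# decrypted passively with the server's private key; DHE/ECDHE and every TLS 1.3 suite cannot.
STATIC_RSA = {0x000A: "RSA_3DES_EDE_CBC_SHA", 0x002F: "RSA_AES_128_CBC_SHA",
              0x0035: "RSA_AES_256_CBC_SHA", 0x009C: "RSA_AES_128_GCM_SHA256",
              0x009D: "RSA_AES_256_GCM_SHA384"}
EPHEMERAL = {0x0032: "DHE_DSS_AES_128_CBC_SHA", 0x0033: "DHE_RSA_AES_128_CBC_SHA",
             0x0039: "DHE_RSA_AES_256_CBC_SHA", 0x009E: "DHE_RSA_AES_128_GCM_SHA256",
             0x009F: "DHE_RSA_AES_256_GCM_SHA384",
             0xC02B: "ECDHE_ECDSA_AES_128_GCM_SHA256", 0xC02C: "ECDHE_ECDSA_AES_256_GCM_SHA384",
             0xC02F: "ECDHE_RSA_AES_128_GCM_SHA256", 0xC030: "ECDHE_RSA_AES_256_GCM_SHA384",
             0x1301: "TLS13_AES_128_GCM_SHA256", 0x1302: "TLS13_AES_256_GCM_SHA384",
             0x1303: "TLS13_CHACHA20_POLY1305_SHA256"}


def parse_client_hello(record):
    """Return the cipher-suite code points offered in a TLS ClientHello record.
    Raises ValueError on anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or len(hs) < 35:
        raise ValueError("truncated handshake")
    pos = 2 + 32                           # client_version + random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hs):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def classify(suites):
    """Summarize what the offered suites mean for a decryption strategy. The server picks
    the suite, so a static-RSA offer only makes passive decryption possible, not certain."""
    static = [STATIC_RSA[s] for s in suites if s in STATIC_RSA]
    eph = [EPHEMERAL[s] for s in suites if s in EPHEMERAL]
    unknown = [s for s in suites if s not in STATIC_RSA and s not in EPHEMERAL]
    if eph and not static:
        verdict = "inline proxy required: only ephemeral key exchange offered"
    elif static:
        verdict = "passive decryption possible only if the server selects a static RSA suite"
    else:
        verdict = "no recognized suites"
    return {"static_rsa": static, "ephemeral": eph, "unknown": unknown, "verdict": verdict}


def build_client_hello(suites, version=0x0303):
    """Constructed minimal ClientHello (zero random, no session id, no extensions)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hs_body = (struct.pack("!H", version) + bytes(32) + b"\x00"
               + struct.pack("!H", len(cs)) + cs + b"\x01\x00" + b"\x00\x00")
    hs = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs


# Constructed samples: a modern client offering only ephemeral suites, and a legacy
# client that still offers static RSA alongside ECDHE/DHE.
MODERN_CLIENT = build_client_hello([0x1301, 0x1302, 0xC02B, 0xC02F, 0xC030])
LEGACY_CLIENT = build_client_hello([0xC02F, 0x009E, 0x002F, 0x0035, 0x000A])

if __name__ == "__main__":
    for name, rec in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        print(name, classify(parse_client_hello(rec)))
```

Run against real traffic, the same parser applied to the first record of each connection tells you what fraction of sessions a passive, key-based decryptor could ever see; for a modern browser population the answer is close to none, which is the case for the inline proxy design the bullet describes.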
• Select an NPB vendor that has proven reference designs for joint deployments with transparent SSL proxies.
9. Use Deep Packet Inspection (DPI) to capture flows containing keywords or email targets
• Most NPB vendors offer L2-L4 filtering; however, there are many use cases, such as lawful interception (LI), forensic analysis, and DPI-enabled performance monitoring for video and VoIP analytics, where more advanced filtering is required. Consider NPB systems that can filter based on payload content. Look for NPB vendors that offer deep packet filtering, e.g. regular expression (regex) based, so you gain the flexibility to perform custom searches across packet boundaries and identify specific network flows. Matching across packet boundaries requires the NPB to keep per-flow state (at least a trailing window of the previous segment), since a keyword split between two packets is invisible to per-packet matching.
• In some use cases (e.g. LI), specific flows need to be identified with a very high level of assurance before they are forwarded to an analytics or forensics tool. In other cases, specific flows need to be filtered out of large volumes of traffic before forwarding the remainder to security tools; this may be required to ensure compliance with stringent legislative or risk mandates.
• An NPB capable of deep traffic grooming before data comes to rest (is stored on disk) will uniquely optimize the toolsets (including those leveraging DPI) and enable considerable CAPEX and OPEX savings.
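An added example, not from the original page or from VSS, showing why "across packet boundaries" matters: a per-flow matcher that carries a tail of the previous segment so a pattern split between two packets is still found, placed beside naive per-packet matching for comparison. The SMTP-like segments and the flow key are constructed; max_len is an assumed upper bound on match length that sizes the carried tail.

```python
import re


class StreamMatcher:
    """Per-flow regex matcher. Keeps the last (max_len - 1) bytes of each flow so a match
    that straddles two segments is still seen; max_len bounds how long a match may be."""

    def __init__(self, pattern: bytes, max_len: int):
        self.pattern = re.compile(pattern)
        self.tail_len = max_len - 1
        self.flows = {}   # flow key -> (carried tail bytes, stream offset of tail[0])

    def feed(self, flow, segment: bytes):
        """Return [(stream_offset, matched_bytes)] for matches ending in this segment."""
        tail, tail_off = self.flows.get(flow, (b"", 0))
        buf = tail + segment
        hits = []
        for m in self.pattern.finditer(buf):
            # Matches that end inside the old tail were reported on the previous segment.
            if m.end() > len(tail):
                hits.append((tail_off + m.start(), m.group(0)))
        keep = buf[-self.tail_len:] if self.tail_len > 0 else b""
        self.flows[flow] = (keep, tail_off + len(buf) - len(keep))
        return hits


def per_packet_hits(pattern: bytes, segments):
    """Naive matching: each segment searched on its own. Returns [(segment_index, match)]."""
    rx = re.compile(pattern)
    return [(i, m.group(0)) for i, seg in enumerate(segments) for m in rx.finditer(seg)]


def stream_hits(pattern: bytes, max_len: int, segments, flow="10.0.0.5:51234->203.0.113.7:25"):
    """Stream matching over the same segments, all belonging to one constructed flow."""
    sm = StreamMatcher(pattern, max_len)
    hits = []
    for seg in segments:
        hits.extend(sm.feed(flow, seg))
    return hits


# Constructed TCP payload segments: the RCPT line is split across the segment boundary.
SAMPLE_SEGMENTS = [
    b"MAIL FROM:<alice@example.com>\r\nRCPT TO:<tar",
    b"get@example.org>\r\nDATA\r\n",
]
RCPT_PATTERN = rb"RCPT TO:<[^>\r\n]+>"

if __name__ == "__main__":
    print("per-packet:", per_packet_hits(RCPT_PATTERN, SAMPLE_SEGMENTS))
    print("stream:    ", stream_hits(RCPT_PATTERN, 64, SAMPLE_SEGMENTS))
```

The carried tail is the minimum state that makes boundary-spanning matches visible; it does not reorder or reassemble out-of-order TCP segments, which a production DPI engine must also do before matching.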
(3) John Pirc, “The Elephant in the Room,” NSS Labs. https://www.nsslabs.com/blog/ssl-decryption-elephant-room
Dave Shackleford, “Blind as a Bat,” SANS Analyst Program. http://www.sans.org/reading-room/analysts-program/vss-BlindasaBat?ref=117957
10. Preserve 1G tool investments and maximize ROI on expensive 10G systems
• Although many security tools offer 10G sensors today, these tools come at a premium. They also offer only limited port density (typically a pair of ports for inline tools such as IPS). To operate efficiently and control costs, existing 1G tools must continue to be leveraged and 10G tools must be used to capacity. Both goals can be accomplished using preprocessing on NPBs. Traffic operating at 10G, 40G, and even 100G can be intelligently load balanced across multiple 1G (or 10G) tools. For security tools this load balancing must be flow-based and symmetric, so that both directions of a session reach the same tool instance; otherwise an IPS or forensics tool sees only half of each conversation. Individual segment traffic can also be optimized using filters to ensure only relevant, “actionable” data is sent to each tool, particularly those operating at a premium. In addition to features such as filtering and load balancing, the NPB system should support the full spectrum of speeds and feeds in Ethernet networks.
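As an added example covering criteria 4 and 10 together (not the page's or VSS's code): a small software model of the preprocessing steps described, parsing stacked 802.1ad/802.1Q tags, stripping them, applying L2-L4 exclusion rules, and assigning each frame to a tool with a symmetric flow hash so both directions of a connection reach the same tool. Frames, addresses and rules are constructed for the example; L7 classification (the video-on-demand case) would need DPI and is not modeled here.

```python
import struct
import zlib

ETH_VLAN = (0x8100, 0x88A8)   # 802.1Q and 802.1ad (Q-in-Q outer tag) TPIDs
ETH_IPV4 = 0x0800


def parse_frame(frame):
    """Decode Ethernet, any stacked VLAN tags, IPv4 and TCP/UDP ports into a dict.
    Non-IPv4 frames still parse but carry None for the L3/L4 fields."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    pos, vlans = 12, []
    ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
    while ethertype in ETH_VLAN:
        tci = struct.unpack("!H", frame[pos + 2:pos + 4])[0]
        vlans.append(tci & 0x0FFF)            # VLAN ID is the low 12 bits of the TCI
        pos += 4
        ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
    pos += 2
    info = {"dst": dst, "src": src, "vlans": vlans, "ethertype": ethertype, "l2_end": pos,
            "src_ip": None, "dst_ip": None, "proto": None, "sport": None, "dport": None}
    if ethertype == ETH_IPV4 and len(frame) >= pos + 20:
        ihl = (frame[pos] & 0x0F) * 4
        info["proto"] = frame[pos + 9]
        info["src_ip"], info["dst_ip"] = frame[pos + 12:pos + 16], frame[pos + 16:pos + 20]
        l4 = pos + ihl
        if info["proto"] in (6, 17) and len(frame) >= l4 + 4:
            info["sport"], info["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return info


def strip_vlan_tags(frame):
    """Tag stripping: return the frame with every 802.1Q/802.1ad tag removed."""
    info = parse_frame(frame)
    return frame[:12] + frame[info["l2_end"] - 2:]


def matches(info, rule):
    """A rule is a dict of field -> value; every listed field must match."""
    return all(info.get(k) == v for k, v in rule.items())


def tool_index(info, n_tools):
    """Symmetric flow hash: sort the two (ip, port) endpoints so A->B and B->A hash
    identically. CRC32 gives a stable result; fragments without ports hash on IPs only."""
    a = (info["src_ip"] or b"", info["sport"] or 0)
    b = (info["dst_ip"] or b"", info["dport"] or 0)
    lo, hi = sorted([a, b])
    key = lo[0] + hi[0] + struct.pack("!HHB", lo[1], hi[1], info["proto"] or 0)
    return zlib.crc32(key) % n_tools


def broker(frames, exclude_rules, n_tools):
    """Apply exclusion rules, strip tags, and assign each surviving frame to a tool."""
    out = []
    for frame in frames:
        info = parse_frame(frame)
        if any(matches(info, r) for r in exclude_rules):
            continue
        out.append((tool_index(info, n_tools), strip_vlan_tags(frame)))
    return out


def build_frame(src_ip, dst_ip, proto, sport, dport, vlans=(), payload=b""):
    """Constructed test frame: Ethernet, optional Q-in-Q tags, IPv4 (checksum left 0), L4 ports."""
    eth = b"\x02" * 6 + b"\x04" * 6
    for i, vid in enumerate(vlans):
        tpid = 0x88A8 if (i == 0 and len(vlans) > 1) else 0x8100   # outer S-tag, inner C-tag
        eth += struct.pack("!HH", tpid, vid)
    eth += struct.pack("!H", ETH_IPV4)
    l4 = struct.pack("!HH", sport, dport) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src_ip, dst_ip)
    return eth + ip + l4


# Constructed sample traffic: a double-tagged client->server TCP frame, its untagged reply,
# and a UDP/5004 stream that the exclusion rule keeps away from the tools.
CLIENT_IP, SERVER_IP = b"\x0a\x00\x00\x05", b"\xcb\x00\x71\x07"
SAMPLE_TRAFFIC = [
    build_frame(CLIENT_IP, SERVER_IP, 6, 51234, 443, vlans=(100, 200)),
    build_frame(SERVER_IP, CLIENT_IP, 6, 443, 51234),
    build_frame(CLIENT_IP, SERVER_IP, 17, 5004, 5004, payload=b"\x80" * 40),
]
EXCLUDE_RULES = [{"proto": 17, "dport": 5004}]

if __name__ == "__main__":
    for tool, frame in broker(SAMPLE_TRAFFIC, EXCLUDE_RULES, 8):
        print("tool", tool, parse_frame(frame))
```

Hashing on the sorted endpoint pair is what makes the distribution safe for asymmetrically routed traffic: the request arriving on one link and the reply on another still land on the same tool port, which a hash over the unsorted 5-tuple would not guarantee.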
Summary
Using the above criteria to select the right NPB system for your network will enable you to effectively secure your infrastructure
and maintain regulatory compliance, while drastically reducing capital and operational expenditures. Be sure to confirm
vendors under consideration can meet each of these best practice criteria.
In sum, any considered NPB vendor should at a minimum offer the following capabilities:
• Failsafe capture for both copper and fiber networks
• Visibility into physical and virtual network traffic
• Traffic delivery to active and passive network tools and direct to storage
• Scalable interconnection/stacking between NPBs for high availability monitoring
• Traffic aggregation (active, inline and copied packets)
• Filtering, L2-7
• Flow-based load balancing
• Protocol de-encapsulation
• Tag stripping
• Packet slicing
• In-series chaining for multiple inline security tools
• DPI filtering
• SSL decryption
• Single pane management for the entire NPB infrastructure
• APIs for tool-driven capture
• Validated integration with SDN controllers
• High densities for datacenter deployments
• Blade/slot in chassis and fixed port options
Today, these capabilities are required to roll out large scale security systems, whether those systems include passive tools (IDS,
forensics), active tools (IPS), and/or sustained packet capture for compliance.
About VSS Monitoring
VSS Monitoring is the industry leader in network packet brokers (NPB), providing a unique Unified Visibility Plane for network
tools and security systems, enabling network-wide and link-layer visibility. Deployed globally by 80% of the world’s tier 1
service providers, F500 corporations and major government agencies, VSS Monitoring packet brokers improve tool usage
and efficiency, simplify IT operations, and greatly enhance tool ROI.
VSS Monitoring is a world leader in network packet brokers (NPB), providing a visionary, unique systems approach to integrating
network switching and the broad ecosystem of network analytics, security, and monitoring tools.
VSS Monitoring, the VSS Monitoring logo, vBroker Series, Distributed Series, vProtector Series, Finder Series, TAP Series, vMC, vAssure,
LinkSafe, vStack+, vMesh, vSlice, vCapacity, vSpool, vNetConnect and PowerSafe are trademarks of VSS Monitoring, Inc. in the United
States and other countries. Any other trademarks contained herein are the property of their respective owners.
www.vssmonitoring.com
© Copyright 2003 – 2014. VSS Monitoring Inc. All rights reserved.