TRANSCRIPT
SHARKFEST '08 | Foothill College | March 31 - April 2, 2008
Non-Intrusive Out-of-Band Network Monitoring Utilizing a Data-Access Switch
April 1, 2008
Patrick P. Leong, CTO | Gigamon Systems LLC
Agenda
• Recent changes in network monitoring
• Issues with traditional network tapping
• Data Access Network (DAN)
• Functions of a Data-Access Switch
• Example applications
• Summary
• Q & A
Recent Changes in Network Monitoring
9/11 spawned new security and lawful intercept requirements
Enron spawned new auditing and monitoring laws
New tools optimize E-commerce and internet applications
VoIP and media convergence make the network more strategic
Network is more valuable; downtime is unacceptable
Result: Proliferation of Tools
New SOX compliance transaction monitors --- keep your boss out of jail!
IDS sensors detect external hacker attacks
NAC appliances protect networks from the inside --- from your own people!
Forensic recorders capture events and how the network is being used!
Configuration monitoring tools watch over network resources
Application and network troubleshooting tools
Proliferation Causes Contention for Span Ports
(Cartoon: Security and IT engineers seen here “negotiating” over a SPAN port)
Other Issues
Packets belonging to the same flow may traverse multiple parallel links, e.g. an Etherchannel
Difficulty in monitoring asynchronously routed mesh topologies
The tool cannot keep up with the incoming bandwidth --- many tools are software-based, e.g. Wireshark
Solution?
Data-Access Network (DAN)
What’s a DAN?
It’s an out-of-band monitoring network! It includes passive tools such as:
Sensors,
Probes,
Monitors,
Recorders,
Analyzers,
and Access Switching
Example of a DAN
What’s new?
A new “Best Practice”
Part of the network infrastructure
Facilitates instrumentation of a network
Enterprise or Telco
What’s new is how data is fed to the tools
By a Data-Access Switch
Unobtrusive to the primary network
What problems do DANs solve?
Too Many Power Tools? Not Enough Sockets?
For Power Tools, use a Power Strip
Too Many Monitoring Tools? Not Enough Span Ports?
For Sensors/Monitors/Analyzers, Use a Data Access Switch
One SPAN port serves many tools
Monitoring a Mesh Network?
If we deploy one tool per span port --- lots of hardware, and expensive!
Better to Distribute Connections with a DAN
Aggregate and filter flows to consolidated tools
DAN is an out-of-band “Data Socket”, Part of the Reliable Network Infrastructure
• Plug in multiple out-of-band tools – any tool to any data
• Unobtrusive tool changes – never touch the network
• Do moves, adds and changes at any convenient time
• Eliminates RSPAN
(Diagram: switches serving a server farm and a storage area network feed the “Data Socket”, which connects to a consolidated tool farm: performance monitor, security IDS, transaction auditor, forensic recorder, protocol analyzer, config monitor)
DAN Solves Access Problems By
• Aggregating many links to any tool
• Multicasting any link to many tools
• Filtering data to map packets to tools
• Saving CapEx and OpEx budget $$
(Legend: Any to Any, Any to Many, Many to Any, Bit-Mask Filtering)
Example application: Telco Core
Example application: Telco Edge
Example Application: 10G Monitoring
(Diagram: two deployments of a Data Access Switch; in each, 10G feeds from the core switch(es) enter the switch, Filter Rule #1, #2 and #3 select traffic, and the matches are delivered over 1G links to the monitoring appliances)
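The mappings on the “DAN Solves Access Problems By” slide (many-to-any aggregation, any-to-many multicast, bit-mask filtering) and the 10G monitoring example, where filter rules carve a 10G feed into slices that 1G appliances can keep up with, can be modelled in a few lines. The following is an added example written for this transcript, not Gigamon code: the port names, tool names, rules and frames are constructed, and the bit-mask filter is a simplified model (an offset, a mask and an expected value over the raw frame bytes) rather than any vendor's rule syntax. It also covers the Etherchannel case from the “Other Issues” slide: both members of a port-channel are aggregated to one recorder so a flow that is load-balanced across the links is captured whole.

```python
"""
Toy model of a data-access switch (added example; not Gigamon code).

Ingress ports stand for SPAN/tap feeds. Each Rule listens on a set of ingress
ports, applies an optional bit-mask filter to the raw frame bytes, and copies
matches to a set of tool ports. Port and tool names, rules and frames are
constructed for the demo.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Rule:
    name: str
    ingress: Set[str]          # ingress ports this rule listens on
    egress: Set[str]           # tool ports that receive matching frames
    offset: int = 0            # byte offset into the frame where the mask applies
    mask: bytes = b""          # empty mask = match every frame
    value: bytes = b""         # (frame[offset:] & mask) must equal this

    def matches(self, frame: bytes) -> bool:
        if not self.mask:
            return True
        end = self.offset + len(self.mask)
        if len(frame) < end:          # frame too short to carry the field: no match
            return False
        window = frame[self.offset:end]
        return bytes(b & m for b, m in zip(window, self.mask)) == self.value


class DataAccessSwitch:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # tool port -> list of (ingress port, frame) copies delivered to it
        self.delivered: Dict[str, List[Tuple[str, bytes]]] = {}

    def ingest(self, ingress: str, frame: bytes) -> None:
        """Offer one frame arriving on an ingress port to every rule."""
        for rule in self.rules:
            if ingress in rule.ingress and rule.matches(frame):
                for tool in rule.egress:
                    self.delivered.setdefault(tool, []).append((ingress, frame))

    def tool_counts(self) -> Dict[str, int]:
        """Frames delivered per tool: the load each appliance actually sees."""
        return {tool: len(copies) for tool, copies in self.delivered.items()}

    def ingress_seen_by(self, tool: str) -> List[str]:
        """Which ingress ports contributed to a tool (aggregation check)."""
        return sorted({ing for ing, _ in self.delivered.get(tool, [])})


def make_frame(proto: int, dport: int, ident: int) -> bytes:
    """Constructed Ethernet/IPv4/transport frame with the fields the rules key on.
    IP protocol byte lands at frame offset 23; transport dst port at 36-37."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    l4 = struct.pack("!HH", 40000 + ident, dport) + b"\x00" * 4
    return eth + ip + l4


ETHERCHANNEL = {"link1", "link2"}   # two parallel members of one port-channel

RULES = [
    # many-to-any: both Etherchannel members are aggregated to one recorder,
    # so a flow load-balanced across the links is captured whole
    Rule("aggregate-to-recorder", ETHERCHANNEL, {"forensic-recorder"}),
    # bit-mask filter: only frames whose IP protocol byte is 6 (TCP) reach the IDS
    Rule("tcp-only-to-ids", ETHERCHANNEL, {"ids"},
         offset=23, mask=b"\xff", value=b"\x06"),
    # any-to-many: HTTP (dst port 80) frames from link1 are copied to two tools
    Rule("http-to-analyzers", {"link1"}, {"protocol-analyzer", "transaction-auditor"},
         offset=36, mask=b"\xff\xff", value=b"\x00\x50"),
]


def run_demo() -> DataAccessSwitch:
    sw = DataAccessSwitch(RULES)
    # one TCP/80 flow whose packets alternate across the two Etherchannel links
    for i in range(4):
        sw.ingest("link1" if i % 2 == 0 else "link2", make_frame(6, 80, i))
    sw.ingest("link1", make_frame(17, 53, 10))   # UDP/53 on link1
    sw.ingest("link2", make_frame(6, 443, 11))   # TCP/443 on link2
    return sw


if __name__ == "__main__":
    sw = run_demo()
    for tool, n in sorted(sw.tool_counts().items()):
        print(f"{tool:20s} {n} frames from {sw.ingress_seen_by(tool)}")
```

Running it shows the recorder receiving all six frames from both links, the IDS only the five TCP frames, and the two HTTP analyzers only the two port-80 frames that arrived on link1. The filter runs before the copy is made, which is the point of the 10G slide: an appliance with a 1G port only ever receives the slice its rule selects.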
Summary
A Data-Access Switch forms a Data-Access Network that:
• Provides non-intrusive, out-of-band network monitoring
• Resolves the insufficient span ports issue
• Reduces the number of tools deployed
• Can intelligently spread the network traffic to various tools
• Reduces the load of a particular tool via intelligent hardware-based filtering
• Provides a “Big Pipe” view of the mesh network