Packet Boi and WTH is a Network Packet Broker?
2020-08-27 | 4 min read
We are pragmatic folks here at Keysight. We are in the business of helping our customers get things done, and part of that sometimes involves ramping up on new technologies. We understand that network visibility is a new thing for many, even experienced IT pros, so we took a swing at breaking things down into bite-sized chunks and making them easy to understand and, god forbid, perhaps even a little fun.
NPBs you say?
Not too long ago we had a session with Steve Foskett (@SFoskett) and the Tech Field Day Team. One of the revelations from that session was that, for many seasoned IT pros, network packet brokers and the network visibility that they provide were relatively new topics – perhaps a bit of a specialty niche in networking. We live and breathe this stuff every day, so NPBs are a given for us, but for many they are not, and that is why we have Packet Boi breaking it down.
Getting to the point here, a network packet broker is a special kind of network switch that is primarily used to take network traffic from one or more places on the network and supply it to one or more tools such as firewalls, WAFs, IPS/IDS or monitoring tools.
Network packet brokers can help streamline and smooth the flow of traffic they supply to these tools in a number of ways. They can aggregate traffic from multiple sources and filter it based on a number of different criteria. They also deduplicate traffic and provide centralized decryption.
Due to the critical nature of the traffic an NPB supplies to security and other tools on the network, you generally want an NPB that is not going to drop traffic (unless you tell it to). One way of achieving that goal is by using hardware acceleration like we do, leveraging the power of FPGAs, which, while expensive and hard to program, provide a considerable advantage when performance counts.
Software-based packet broker architectures, while simpler, are prone to issues with dropping traffic as well as challenges around trying to use multiple filters and features at the same time. Remember – do in hardware what you can and in software what you must.
Zooming out a bit, if we look at the larger network, NPBs are part of what we call a visibility fabric, which consists of network packet brokers fed by taps and bypass switches. Taps are a way of cloning or duplicating traffic without impacting your existing infrastructure – a very good way to send a pure and unmolested copy of traffic, errors and all, to the tools that rely on having the full picture. Sure, most switches will support some form of port mirroring or SPAN, but they often strip out errors the switch doesn’t recognize, and if the switch gets busy, mirrored traffic is usually the first thing to drop – not ideal if you are doing security, lawful intercept or anything important.