
Not everything is always as it seems…

2020-09-07  |  8 min read 

There are many things that at first glance look the same. They may have the same primary function or provide you with the same service, but when you delve a bit deeper the differences can be considerable. To use the phrase, you are “comparing apples with pears”.

A good example of this is flights. A flight can be booked between two cities; both options get you from A to B and the headline price may be very similar, but the number of stops, the baggage allowance and the total journey time, along with comfort factors such as legroom and meals, can vary a lot.

The same applies to Next Generation Network Packet Brokers (NGNPBs): they can all help your monitoring and security tools gain improved visibility of the traffic flowing over the network, and they will likely all share the same core feature set of Link Aggregation, Traffic Filtering and Session Aware Load Balancing for distributing traffic to the connected tools.

As with our flight example, each NGNPB provides a very similar basic function, but the service (the delivery of packets, in this case) and the capability of those core features can be very different. When you are selecting an NGNPB vendor for your organization, take the time to establish how each of the core features performs in a real-world environment. It is essential to understand the limitations and to ensure you have the flexibility you need, not only now but as your requirements evolve.

A few points I would recommend you consider:

  1. Can I have overlapping filter rules? This allows each tool to receive the traffic it requires without having to consider the filtering needs of other tools connected to the NGNPB. Overlapping filters are needed where multiple tools or tool groups require the same subset of the source traffic: for example, you want to send all HTTPS traffic to your WAF and all of VLAN 100 to your NPM tool, and HTTPS traffic on VLAN 100 matches both rules. Overlapping filters allow both destinations to receive any traffic that matches their filter. Many NPBs instead operate a hierarchical (first-match) filter ruleset, where once traffic is matched by one rule it is no longer available to tools or tool groups further down the ruleset.
     
  2. Is this a platform designed to be an NGNPB? There are lots of vendors in the market claiming NPB functionality, but for many of them the NPB function is very much a secondary mode of the device: it is essentially a switch that happens to have some limited NGNPB functionality. Will this functionality be good enough as you expand your deployment use cases?
     
  3. Can multiple NGNPBs be connected together in a Visibility Architecture mesh, allowing traffic to be sent between nodes? Will the capacity of the solution scale as the number of ports and the speed of those ports grow with the network? Can I apply the NGNPB functions that exist elsewhere in my Visibility Architecture to traffic that arrived on a device without those features?
     
  4. Is the solution easy to use? Do I need to dig out a manual and look up usage notes at 3am while I am investigating a major network outage, or does it have an easy to use, intuitive drag-and-drop web-based UI? Is it clear where the traffic is coming from and which tools it is being sent to?
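To make the difference in point 1 concrete, here is an added model (not Keysight code) of the two filter-engine designs, using the WAF and NPM example from above. The `Packet` fields, the rule order and the sample traffic are constructed for illustration; a real broker matches on raw headers, not on these labels.

```python
"""Constructed model: first-match (hierarchical) rules vs overlapping rules."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    vlan: int
    proto: str
    dst_port: int

# Constructed ruleset, in configured order: HTTPS to the WAF, all of VLAN 100 to the NPM tool.
RULES = [
    ("WAF", lambda p: p.proto == "tcp" and p.dst_port == 443),
    ("NPM", lambda p: p.vlan == 100),
]

def route_hierarchical(packets, rules=RULES):
    """First-match: the first rule that hits consumes the packet, so tools lower
    in the ruleset never see traffic an earlier rule already claimed."""
    delivered = {tool: [] for tool, _ in rules}
    for p in packets:
        for tool, match in rules:
            if match(p):
                delivered[tool].append(p)
                break
    return delivered

def route_overlapping(packets, rules=RULES):
    """Overlapping: every rule is evaluated independently; each matching tool gets a copy."""
    delivered = {tool: [] for tool, _ in rules}
    for p in packets:
        for tool, match in rules:
            if match(p):
                delivered[tool].append(p)
    return delivered

# Constructed sample traffic; the first packet is HTTPS on VLAN 100 and matches both rules.
SAMPLE = [
    Packet(vlan=100, proto="tcp", dst_port=443),
    Packet(vlan=100, proto="udp", dst_port=53),
    Packet(vlan=200, proto="tcp", dst_port=443),
    Packet(vlan=200, proto="tcp", dst_port=80),
]

def npm_blind_spot(packets=SAMPLE):
    """VLAN 100 packets the NPM tool loses under first-match but receives under overlap."""
    first_match = route_hierarchical(packets)["NPM"]
    return [p for p in route_overlapping(packets)["NPM"] if p not in first_match]

if __name__ == "__main__":
    print("first-match:", {t: len(v) for t, v in route_hierarchical(SAMPLE).items()})
    print("overlapping:", {t: len(v) for t, v in route_overlapping(SAMPLE).items()})
    print("NPM blind spot under first-match:", npm_blind_spot())
```

Under first-match the NPM tool silently loses every HTTPS session on VLAN 100 because the WAF rule above it claimed them first; the blind spot only shows up when you compare the two deliveries.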

Another important consideration is the growing use of Advanced Features, which pre-process the network traffic to take load off the tools by carrying out tasks that would otherwise need to be repeated multiple times. A few good examples of these features are:

  1. Packet Deduplication. Only the first instance of a packet is sent to the tool; if the same packet is seen again it is dropped. Duplicates are common when SPAN ports are used, or when multiple optical taps end up capturing two copies of the same traffic.
     
  2. Header or Tag Stripping. Removes any encapsulation or tags added to the packet to aid its transit through the network.
     
  3. Packet Trimming. Slices the packet to remove sensitive or encrypted data, either to ensure regulatory compliance criteria are met or to optimize the storage and processing capacity available on your tool.
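The three pre-processing stages above, as an added example that is not Keysight's implementation: de-duplication by frame hash, removal of a single 802.1Q tag, and trimming each frame to the end of its TCP/UDP header so payload never reaches the tool. The test frames (`build_frame`) are constructed; real brokers do this in hardware and typically key de-duplication on a time window as well.

```python
"""Constructed model of broker pre-processing: dedup, 802.1Q stripping, L4 trimming."""
import hashlib
import struct

ETHERTYPE_VLAN, ETHERTYPE_IPV4 = 0x8100, 0x0800

def strip_vlan(frame: bytes) -> bytes:
    """Remove one 802.1Q tag (bytes 12..15); the inner EtherType moves into place."""
    if len(frame) >= 18 and frame[12:14] == struct.pack("!H", ETHERTYPE_VLAN):
        return frame[:12] + frame[16:]
    return frame

def trim_after_l4(frame: bytes) -> bytes:
    """Keep Ethernet + IPv4 + TCP/UDP headers, drop the payload (untagged IPv4 only)."""
    if frame[12:14] != struct.pack("!H", ETHERTYPE_IPV4):
        return frame
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto, l4 = frame[23], 14 + ihl       # protocol field; offset of the L4 header
    if proto == 6:                        # TCP: data offset is the upper nibble of byte 12
        return frame[:l4 + (frame[l4 + 12] >> 4) * 4]
    if proto == 17:                       # UDP: fixed 8-byte header
        return frame[:l4 + 8]
    return frame[:l4]

def process(frames):
    """dedup -> strip -> trim; returns the frames actually forwarded to the tool.
    Dedup hashes the whole frame as received, so SPAN/tap copies collapse to one."""
    seen, out = set(), []
    for f in frames:
        digest = hashlib.sha256(f).digest()
        if digest in seen:
            continue
        seen.add(digest)
        out.append(trim_after_l4(strip_vlan(f)))
    return out

def build_frame(payload: bytes, vlan=None) -> bytes:
    """Constructed Ethernet / [802.1Q] / IPv4 / TCP (20-byte header) frame for testing."""
    eth = bytes.fromhex("001122334455" "66778899aabb")
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload

if __name__ == "__main__":
    dup = build_frame(b"GET / HTTP/1.1\r\n", vlan=100)
    fwd = process([dup, dup, build_frame(b"secret payload")])
    print(len(fwd), "frames forwarded;", [len(f) for f in fwd], "bytes each")
```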

The Keysight Ixia Vision series of NGNPBs has been designed from the ground up as a Next Generation Network Packet Broker, to meet the needs of networks however large or small. Some of the key features include:

  • Three Stage and Dynamic Filter Engine.
    Ensures your monitoring and security tools always receive the traffic they require, regardless of the needs of other tools. The same traffic can be replicated to as many destinations as you need, including individual tools or Load Balance Groups.
     
  • PacketStack Advanced Packet Processing Engine.
    An FPGA-based engine which provides De-Duplication, Header/Tag Stripping, GRE Tunnel Termination/Origination, Packet Trimming and Data Masking, and which will not slow down or drop packets under load as CPU-based equivalents do. CPU-based equivalents regularly quote processing capacity based on ideal conditions, with only one of the multiple features enabled.
     
  • Active SSL/TLS 1.3 Decryption.
    Eliminates blind spots caused by SSL/TLS encryption by decrypting SSL/TLS traffic flows for sessions where you do not hold the server's private key, with industry-leading capacity for throughput, handshakes and concurrent sessions.
     
  • Ixia Fabric Controller Clustering.
    Places multiple Vision Packet Brokers into a single-pane-of-glass visibility architecture, with the ability to drag and drop traffic flows between nodes at a click. Nodes can be connected either directly or via IP-based connections.

There are many other items I could list here; you can easily research them for yourself by visiting: https://www.keysight.com/gb/en/products/network-visibility/network-packet-brokers.html

If you would like to discuss your traffic delivery requirements, or find out how Keysight can help you more effectively monitor and secure your network, please get in touch with me at joel.rudman@keysight.com.