Post on 17-Jan-2015
Network Forensics for Splunkers
Matt Walmsley, EMEA Marketing; Tom Jones, Sales Engineer
Emulex, Endace Division
2 Emulex Confidential - © 2013 Emulex Corporation
Today’s Topics
Time to Resolution
Network Recording
Splunk Connector
Q&A
The Networking Wheel of Life!
(Diagram: APM, NPM, IPS / IDS, Firewall, WAN Optimisation, QoS, Recording & Forensics, Analysis & Intervention)
Time to Resolution
(Chart: number of events against time to resolution; the area cut off the slow tail is the savings)
• Reduce Slow To Fix Items
• Identify Root Cause & Fix
Time is… Money / Safety / Advantage / Reputation
The 3 Es of Great Interventions
Skills & Knowledge + Experience & Context + Evidence → Understanding → Decision Making → Intervention
• Efficient
• Economic
• Effective
Collecting Evidence - Recording Evolution
Interesting vs. Important; Specialised vs. Generalised
Intelligent Network Recording
(Diagram: a spectrum from Specialised to Generalised, with National Security at the specialised end, then Banking & Trading, then Enterprise at the generalised end)
Endace – The Packet Capture Experts
World leader in network recording
10+ years selling security solutions to global clients
– Govt, Traders, Telco & Enterprise
Reputation for accuracy, scalability & performance
A division of Emulex
Intelligent Network Recording - Use Cases
Application Performance Management
Security Operations
Network Infrastructure Operations
Audit & Compliance
Legal Intercept
Custom
Intelligent Network Recording - Deployment
Intelligent Network Recorder “Probe”
• High Speed, High Fidelity Packet Capture Appliance
• Packet Processing and Indexing
• Storage and Retrieval
Network Traffic Analysis App
• Traffic Profiling & Visualisation
• Packet Analysis
• Integration with other networking tools
Endace Network Recording - Infrastructure
EndaceProbe™ INR
• High Performance Intelligent Network Recording
• Up to 64 TB storage
• Mix of 1 and 10GbE ports
EndaceAccess™
• Network Visibility Headend
• Allows EndaceProbe INRs/ODE to scale to 40 and 100GbE
Endace NetFlow Generator
• High-Speed NetFlow Generation for 10GbE Networks
• 4x10GbE Ports
Endace Open Hosting Platform (ODE)
• Hosting Platform for Monitoring Apps
• 8x1GbE or 4x10GbE Ports
• Up to 16 TB internal storage; FC support for SAN
How Much Network Visibility Do You Need?
Low Definition
• The visibility most solutions provide
High Definition – Endace Vision
• See microbursts
• Know exactly what data has been compromised
• Identify issues impacting services and security application performance
EndaceVision - Actionable Insight
(Screenshots: Bandwidth Over Time; Traffic breakdown and analysis; TCP/IP Conversations; Traffic over time; Top Talkers; Workflow)
EndaceVision - Integrated and Open
Integration with “best of breed” solutions
– API and hypervisor
– All tools share data from same secure location in datacenter
– Automated workflow, “pivot to packets” speeds up issue resolution
Lower Investment While Increasing ROI
– Reduce device count
– Plan and train staff on the tools that fit customer situation best
(Diagram: EndaceProbe and EndaceFusion feeding APM, NPM, IDS and HFT tools)
Endace Solution - Key Features
• Market Leading Performance
 – 100% high fidelity packet capture
 – 10/100/1G/10G/40G/100GbE
 – 64TB on board storage
 – FC SAN offload
 – Multi-unit “Sledging”
• Distributed Recording Fabric
 – Multiple EndaceProbe INRs, single recording fabric
 – Traffic search and visualisation
 – Diverse, concurrent multiple uses
• Open and Flexible Integration
 – Endace dock hypervisor
 – RESTful API
 – Endace Fusion solution ecosystem
Splunk & Endace – Macro and Micro
Log lines are a summary or interpretation of an event
Packets are the ground truth from which these are derived
Fusion connector links the two with a single click
Endace’s depth complements Splunk’s breadth
Feeding and Enabling Splunk
• Feeding: EndaceProbe INR generated logs and NetFlow events
• Enabling: Splunk generated enquiries
Optimising Event Management Workflow
• Event occurrence
• Splunk alert
• Click to traffic search
• Traffic analysis and visualisation
• Packet drill down and inspection
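The two slides above (“Macro and Micro” and “Optimising Event Management Workflow”) describe a pivot from a Splunk event to the packets behind it, but not what that pivot has to compute. The following is an added example, not code from Endace, Emulex or Splunk, and it does not use the Fusion connector's API: it shows the generic mechanics any log-to-packet pivot needs, with the event format, field names, sample lines and window defaults all constructed for illustration. It goes one step beyond the slides by validating the log fields before they are written into a capture filter, because an IDS log line is attacker-influenced input.

```python
"""Pivot from a Splunk-style event to a packet search (added example).

A log line summarises an event; the packets are the ground truth. To get
from one to the other a recorder needs a time window and a capture filter.
Everything here is constructed: the key=value event format, the field
names, the sample lines and the window defaults are assumptions, not an
Endace or Splunk interface.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample IDS alert in the key=value form Splunk indexes well.
SAMPLE_EVENT = (
    '2015-01-17T09:42:13Z action=alert sig="Suspicious TLS handshake" '
    'proto=tcp src_ip=10.1.2.3 src_port=51234 dst_ip=203.0.113.9 dst_port=443'
)

# Constructed hostile event: a quoted field carries a bogus filter clause.
# Spliced into a BPF string unvalidated, it would widen or hide the search.
BAD_EVENT = (
    '2015-01-17T09:42:13Z action=alert proto=tcp '
    'src_ip="10.1.2.3 or not port 443" src_port=51234 '
    'dst_ip=203.0.113.9 dst_port=443'
)

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class PacketQuery:
    start: datetime        # inclusive start of the capture window (UTC)
    end: datetime          # inclusive end of the capture window (UTC)
    bpf: str               # filter selecting both directions of the flow


def parse_event(line):
    """Split '<iso-timestamp> k=v k="v v" ...' into a dict; timestamp is UTC."""
    ts_text, _, rest = line.partition(' ')
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _KV.finditer(rest)}
    fields['timestamp'] = datetime.strptime(
        ts_text, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
    return fields


def _port(value):
    port = int(value)          # raises ValueError on anything non-numeric
    if not 0 <= port <= 65535:
        raise ValueError(f'port out of range: {value}')
    return port


def flow_filter(proto, src_ip, src_port, dst_ip, dst_port):
    """Build a BPF filter for one 5-tuple that matches both directions.

    Every field is validated before it is written into the filter string,
    so a tampered log field raises ValueError instead of reaching the
    recorder.
    """
    if proto not in ('tcp', 'udp'):
        raise ValueError(f'unsupported protocol: {proto}')
    a, b = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    pa, pb = _port(src_port), _port(dst_port)
    fwd = f'src host {a} and src port {pa} and dst host {b} and dst port {pb}'
    rev = f'src host {b} and src port {pb} and dst host {a} and dst port {pa}'
    return f'{proto} and (({fwd}) or ({rev}))'


def pivot_to_packets(line, before=timedelta(seconds=60),
                     after=timedelta(seconds=30),
                     clock_skew=timedelta(seconds=5)):
    """Turn one alert line into the window and filter for a packet search.

    The alert timestamp is when the sensor decided, not when the flow
    began: the packets that triggered it precede the timestamp, so the
    window reaches further back than forward. clock_skew pads both ends
    for drift between the sensor's clock and the recorder's.
    """
    ev = parse_event(line)
    bpf = flow_filter(ev['proto'].lower(), ev['src_ip'], ev['src_port'],
                      ev['dst_ip'], ev['dst_port'])
    ts = ev['timestamp']
    return PacketQuery(start=ts - before - clock_skew,
                       end=ts + after + clock_skew, bpf=bpf)


if __name__ == '__main__':
    q = pivot_to_packets(SAMPLE_EVENT)
    print(q.start.isoformat(), q.end.isoformat())
    print(q.bpf)
    try:
        pivot_to_packets(BAD_EVENT)
    except ValueError as err:
        print('rejected hostile event:', err)
```

The window is deliberately asymmetric: an alert is logged after the offending packets, so most of the evidence lies before the timestamp. The filter is built from parsed, type-checked values rather than from the raw strings, which is the check to keep in any real connector that hands user- or log-derived text to a packet store.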
Example Case – Finance / Trading Solution
Context
• Network performance is critical to $ services
• Latency and outage intolerant
• Multiple management tools
Solution
• Integrated network monitoring and security for a low latency 10GbE network
Products
• Splunk!
• EndaceProbe™ INR
• Endace Fusion Connector for Splunk
• EndaceVision™
Key Benefits
• Greater insight into critical network issues
• Reduce time-to-resolution (TTR)
• Lower operational expenditures (OPEX)
Real World Feedback
“While consolidating network monitoring and security tools was the primary need for the EndaceProbe INR, it was put to work even before the official deployment. the pilot and immediately discovered a security breach that had gone undetected with their existing tools, providing an immediate return on investment for the EndaceProbe INR 7000.”
“The EndaceProbe INR has been 100% reliable for us and we are impressed with its robust capabilities. We use it extensively and, coupled with the Fusion Connector for Splunk, are extremely happy with the results.” Global Head of Networks
Endace Helps You Enable the “3 Es”
• Understand macro and micro situation
• Reduce slow / hard to fix items
• Fix Root Cause
• Stop Recurrent Events
• Reduce Time to Resolution
Efficient, Economic, Effective
Which Means You Get…
Less stress, improved results
Uninterrupted weekends and evenings
Happy family, boss and stakeholders
Resources & Info
Solution Brief
Coming Soon
Testing Brief
Splunk Connector App
Blog
Video
www.emulex.com
www.marquest.com
Questions?
Thank you for your attention