Gigamon Deep Dive - ACW Group (transcript)
Gigamon® Deep Dive
Tixon Law, Principal System Engineer
For Consultants and Presales Professionals
2 ©2017 Gigamon. All rights reserved.
Current Network Infrastructures Are Insufficient
CHAOTIC, INEFFICIENT AND PERIMETER-LESS
An Effective Visibility Solution
(Diagram) Any Network: Data Center and Private Cloud | Public Cloud | Service Provider Networks | Remote Sites
Tools & Applications: Security | Experience Management | Monitoring | Analysis
Types of Data: Employees, Revenue, Customers, Partners, Unknown IP
Consumers of Data: Users | Applications | Devices
See what matters.™
(Diagram) The Gigamon Visibility Platform sits between any network (Data Center and Private Cloud | Public Cloud | Service Provider Networks | Remote Sites) and the tools and applications (Security | Experience Management | Monitoring | Analysis): Manage, Secure, Understand.
Gigamon Partner Ecosystem
(Diagram) The Gigamon Visibility Platform at the center, with partner categories around it: Security and Vulnerability Management; Service Provider Infrastructure; Infrastructure; Network & Application Performance Management.
INLINE BYPASS
Active Security Remediation with Inline Bypass
• Maximize tool efficacy and scale
• Add, remove, and upgrade tools seamlessly with no downtime
• Increase performance and agility of infrastructure
• Integrate Inline, Out-of-Band, and Flow-based tools via this same platform
• Simplify architecture
(Diagram) Before: First-tier FW1/FW2, IPS1/IPS2, WAF1/WAF2 and NGFW1/NGFW2 chained inline between pairs of switches, each pair exchanging heartbeats. After: one 40G inline bypass path between First-tier FW1/FW2 and the switches carrying WAF, IPS, NGFW1 and NGFW2 as inline tools.
Virtual Visibility: More Important Than Ever
5 REASONS WHY YOU MUST CARE
1. Security no longer an after-thought during virtualization
2. Increasing VM density with mission-critical workloads
3. Visibility into VM-VM traffic needed for security, APM
4. Creating new virtual instances of tools affects workload performance
5. Automated visibility after VM migration
(Diagram) Left: a hypervisor server running a virtual IDS VM, virtual anti-malware and a virtual APM VM alongside the workloads. Right: a hypervisor server with GigaVUE-VM tunneling traffic to GigaVUE® nodes and to the IDS, anti-malware and forensics tools.
Comprehensive Visibility for the Cloud
(Table) Use cases by platform. Columns: VMware ESX, VMware NSX, OpenStack + agents, OpenStack + TaaS*, AWS. Rows: Private Cloud (Admin or Provider), Private Cloud - Tenant, Hybrid Cloud (Admin + Tenant), Public Cloud - Tenant. The cell marks are not recoverable from the transcript. Delivered with GigaVUE-VM and GigaVUE® Nodes.
* Planned for 2017. Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and subject to change.
Visibility into Public Clouds
The industry’s first pervasive visibility platform for public, private and hybrid clouds. The Gigamon Visibility Platform enables consistent and elastic visibility into data-in-motion across the entire enterprise.
AWS: Now Generally Available
Deployment Examples: Hybrid Cloud Visibility
PRESERVE TOOL INVESTMENT FOR ‘LIFT-AND-SHIFT’ CUSTOMERS
(Diagram) An on-premise data center with a Tool Tier and GigaVUE-FM, connected over a VPN connection (router to VPN gateway) to an AWS VPC (Region, Availability Zone (AZ)) containing Elastic Load Balancing (ELB), Web Tier, App Tier and Amazon Relational Database Service (RDS) subnets. A Visibility Tier in the VPC tunnels copied traffic to Tool Instances in the VPC and to the on-premise Tool Tier; GigaVUE-FM talks to the Amazon EC2 APIs and Amazon CloudWatch.
1. Integrate with Amazon APIs
2. Deploy Visibility Tier
3. Copy EC2 instance traffic
4. Aggregate and distribute customized traffic to tools
Case Study: Sample Web Application
AWS REFERENCE ARCHITECTURE
(Diagram; reference picture: AWS Best Practices) Labels: GigaVUE-FM, Configure Policies, GigaVUE® V Series, Amazon EC2 APIs, Amazon CloudWatch, Tunneling, On-Premise or Cloud Tools, REST APIs.
4G/LTE Networks
(Diagram) Subscriber devices (UE) on the access network (eNodeB with X1 / X2 interfaces; CDMA 2000 via PDSN / FA; 3G SGSN over S3 / S4) connect through the Evolved Packet Core (MME, S-GW, P-GW, HSS, S2 interface) to the PDN. Monitoring domains shown alongside: Customer Experience Management, Security, Application Performance Management, Network Performance Management.
Gigamon Subscriber-Aware Visibility Solution
USER AND DATA PLANE CORRELATION
(Diagram) The same 4G/LTE network as the previous slide, with GigaVUE® nodes applying Flow Mapping® and GTP Correlation to the EPC interfaces and feeding centralized tools: Application Performance Management, Network Performance Management, Customer Experience Management, Security.
Gigamon Subscriber-Aware Visibility Solution
(Diagram) Network ports on the GigaVUE® receive GTPC + GTPU traffic from the RAN and EPC. The GTP Correlation Engine uses the GTP control-plane packets to populate a GTP session table and a subscriber table (IMSI and subscriber session info), and resolves GTP user-plane packets by GTPU TEID lookup. On top of that it performs GTP session tracking, filtering, load balancing, traffic scaling and whitelisting, driven by a configuration policy from the Fabric Manager; FlowVUE™ identifies populations of interest, with subscribers supplied by users or the trouble-ticket system. GTPU user-plane forwarding delivers the selected traffic to the EPC monitor tools on the GigaVUE® tool ports.
GigaSMART® – Traffic Intelligence
• FlowVUE™
• Packet Slicing
• De-duplication
• Masking
• GTP Correlation
• Header Stripping
• NetFlow Generation
• Application Session Filtering
• SSL Decryption
• Adaptive Packet Filtering
Application Session Filtering
GIGAMON VERSION OF DPI FILTERING
Deep Packet Inspection Filtering
DEEP PACKET INSPECTION
• DPI/content-based filtering on application identification. For example: email with/without attachments, URLs, BitTorrent packets, over-the-top applications (e.g. YouTube, Facebook, etc.)
• Filter all traffic corresponding to an application session
• Flexible engine. Supports Regular Expression (RegEx)
(Diagram) Application Session Filtering: mixed NETFLIX and Exchange packets from sessions 1-4 arrive at a collector and are separated per session, the Exchange (email) sessions going to the Email Monitor and the NETFLIX (video) sessions to the Video Monitor. Example pattern matched against the packet (MAC | LLC | IP | Data | Trailer): ^rfb 00[1-9]\.00[0-9]\x0a$
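The session-level behaviour described above, as an added example that is not Gigamon code: each TCP session is probed with DPI regexes on its first payload-bearing packets, and once a signature matches every packet of that session (both directions, with or without the signature) goes to the matching tool port. The RFB pattern is the one on the slide; the HTTP pattern, tool-port names, probe limit and packet trace are constructed assumptions.

```python
import re
from typing import Dict, List

SIGNATURES = [
    # Slide's pattern: the RFB (VNC) "RFB 003.008\n" version greeting, matched case-insensitively.
    (re.compile(rb"^rfb 00[1-9]\.00[0-9]\x0a$", re.IGNORECASE), "tool-vnc-monitor"),
    # Constructed pattern for plain HTTP request lines.
    (re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"), "tool-web-monitor"),
]
MAX_PROBE_PACKETS = 4   # assumption: stop inspecting a session after this many unmatched payloads


class AppSessionFilter:
    def __init__(self) -> None:
        self.sessions: Dict[tuple, str] = {}   # session key -> tool port once classified
        self.probed: Dict[tuple, int] = {}     # session key -> unmatched payloads seen so far

    @staticmethod
    def session_key(pkt: dict) -> tuple:
        """Direction-independent 5-tuple so server- and client-sent packets share a session."""
        a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        return (pkt["proto"],) + (a + b if a <= b else b + a)

    def process(self, pkt: dict) -> str:
        """Return the tool port this packet is forwarded to, or 'DROP'."""
        key = self.session_key(pkt)
        tool = self.sessions.get(key)
        if tool:
            return tool                        # session already identified: forward everything
        if pkt["payload"] and self.probed.get(key, 0) < MAX_PROBE_PACKETS:
            for pattern, tool in SIGNATURES:
                if pattern.search(pkt["payload"]):
                    self.sessions[key] = tool  # remember the session, not just this packet
                    return tool
            self.probed[key] = self.probed.get(key, 0) + 1
        return "DROP"


def run_demo() -> Dict[str, List[str]]:
    """Constructed trace: a VNC session (server greets first), an HTTP session and an
    SSH session; returns the decision for each packet, per session."""
    vnc = [
        {"proto": 6, "src": "10.0.0.9", "sport": 5900, "dst": "10.0.0.5", "dport": 50001, "payload": b"RFB 003.008\n"},
        {"proto": 6, "src": "10.0.0.5", "sport": 50001, "dst": "10.0.0.9", "dport": 5900, "payload": b"RFB 003.008\n"},
        {"proto": 6, "src": "10.0.0.5", "sport": 50001, "dst": "10.0.0.9", "dport": 5900, "payload": b"\x02\x00\x00"},
    ]
    http = [
        {"proto": 6, "src": "10.0.0.5", "sport": 50002, "dst": "10.0.0.8", "dport": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"},
        {"proto": 6, "src": "10.0.0.8", "sport": 80, "dst": "10.0.0.5", "dport": 50002, "payload": b"HTTP/1.1 200 OK\r\n\r\nhello"},
    ]
    ssh = [{"proto": 6, "src": "10.0.0.5", "sport": 50003, "dst": "10.0.0.7", "dport": 22, "payload": b"SSH-2.0-OpenSSH_8.9\r\n"}]
    asf = AppSessionFilter()
    return {name: [asf.process(p) for p in pkts] for name, pkts in (("vnc", vnc), ("http", http), ("ssh", ssh))}
```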
Deep Packet Inspection Filtering
EXAMPLE: FILTERING A BANK’S ATM TRANSACTIONS
ATM transactions – identified and filtered by the keyword “03 06 45 20…9168” (slides 24 and 25)
SSL Decryption
SSL DECRYPTION
Existing Security Product Challenges
• DLP, IDS, SIEM & Sandbox and Security Analytics (anti-malware, security analytics, DLP): “blind” to SSL/TLS traffic
• Intrusion Prevention, App Delivery Controller / Load Balancer, Next-Gen Firewall: limited SSL/TLS support (e.g. HTTPS)
✕ Costly upgrades: NGFW solutions suffer up to 80% performance degradation*
✕ Limited ports for sharing decrypted traffic
✕ Partial crypto suite support
✕ Additional complexity: arduous scripting
* Source: NSS Labs, Pirc, John W. Analyst Brief: SSL Performance Problems. NSS Labs. https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/ 2013
SSL Decryption
1. Tap SSL traffic and deliver to Visibility Fabric™
– Use Flow Mapping® to define flows to be decrypted
– Selected flows sent to GigaSMART®
2. GigaVUE® identifies exchange of public keys
3. Administrator uploads private keys
– Up to 4000 private keys are uploaded to each aggregator (HC, HD), and 2000 to each HB
– Protected by separate password and encrypted locally
– Restricted by Role Based Access Control privileges
4. Apply keys to decrypt traffic
– Not restricted to port 443
– Can change port to 80 if desired
5. GigaVUE forwards clear packets to tools, and/or GigaVUE applies intelligence to decrypted traffic for policy compliance
– Packet Slicing
– Masking
Inline SSL Decryption
Highlights
• Servers and clients located internally or externally
• Private keys not needed
• RSA, DH, PFS can be used
• Supports inline and out-of-band tools
(Diagram) SSL session leg 1 (encrypted) terminates on the GigaVUE; the decrypted traffic passes through the inline tool group and is also copied to an out-of-band tool and a web monitor tool; SSL session leg 2 is re-encrypted toward the server. Legend: encrypted traffic, decrypted traffic.
Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and subject to change.
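Steps 2 and 4 of the out-of-band flow and the "RSA, DH, PFS" highlight of the inline slide, as an added example that is not Gigamon code: a TLS handshake is recognised on any port by parsing the records rather than by port 443, the ClientHello's SNI is extracted as a flow selector, and the ServerHello's cipher suite decides the mode, since passive decryption with an uploaded server private key only recovers the session key for plain RSA key exchange, while (EC)DHE / PFS suites need the inline, re-encrypting deployment. The cipher suite table is a small subset and the two builders produce constructed handshake records.

```python
import struct
from typing import List, Optional

# IANA cipher suite ids -> key exchange. Only RSA-kx suites can be decrypted out of band.
KEY_EXCHANGE = {0x002F: "RSA", 0x0035: "RSA", 0x009E: "DHE", 0xC02F: "ECDHE", 0xC030: "ECDHE"}


def parse_client_hello(rec: bytes) -> Optional[dict]:
    """Return {'sni', 'suites'} from a TLS record carrying a ClientHello, else None."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:      # handshake record, ClientHello
        return None
    p = 9 + 2 + 32                                               # skip hs header, version, random
    p += 1 + rec[p]                                              # session id
    cs_len = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + rec[p]                                              # compression methods
    sni = None
    if p + 2 <= len(rec):
        end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]; p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4]); p += 4
            if etype == 0:                                       # server_name: list len(2), type(1), len(2), name
                nlen = struct.unpack("!H", rec[p + 3:p + 5])[0]
                sni = rec[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    return {"sni": sni, "suites": suites}


def parse_server_hello(rec: bytes) -> Optional[int]:
    """Return the cipher suite chosen in a ServerHello record, else None."""
    if len(rec) < 46 or rec[0] != 0x16 or rec[5] != 0x02:
        return None
    p = 9 + 2 + 32
    p += 1 + rec[p]                                              # session id
    return struct.unpack("!H", rec[p:p + 2])[0]


def classify_flow(client_rec: bytes, server_rec: bytes, dport: int) -> Optional[dict]:
    """Port is informational only: TLS is recognised by the handshake, not by 443."""
    ch, suite = parse_client_hello(client_rec), parse_server_hello(server_rec)
    if ch is None or suite is None:
        return None
    return {"dport": dport, "sni": ch["sni"], "suite": suite,
            "out_of_band_ok": KEY_EXCHANGE.get(suite) == "RSA"}


# --- constructed handshake records used to exercise the parsers ---------------------
def build_client_hello(sni: str, suites: List[int]) -> bytes:
    name = sni.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_server_hello(suite: int) -> bytes:
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```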
Gigamon NetFlow
Gigamon NetFlow Generation
• Out-of-Band NetFlow Generation
– Transforms packet data across multiple devices into summarized NetFlow records
• Supported NetFlow export formats
– NetFlow v5 and v9, IPFIX
• Ingress Filtering
– Leverages Gigamon patented Flow Mapping® technology to de-duplicate, filter, and consolidate flows BEFORE a NetFlow record is generated
• Multiple NetFlow exports
– Supports up to 6 NetFlow destinations simultaneously
• High Throughput Solution
– Supports non-sampled 1:1 flow record generation
• Use Cases
– Feed flow-based security solutions such as User Behavior Analysis
– Integrate packet traffic and flow visibility with logs for SIEM
Gigamon NetFlow/IPFIX Enhancements
• HTTP Response Codes: uncover Denial of Service & compromise of internal web servers
• DNS Discovery*: discover malicious communications to C&C servers using DNS transactions (DNS C&C, bots)
• HTTPS Certificate Anomalies*: analyze HTTPS certificates to discover bad/suspicious certificates
• Mapping User, Hostname & IP Address*: correlate Kerberos and DHCP logs to map “who” (user) with “what” (hostname and IP); metadata: user, machine, IP
* Planned. Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and subject to change.
METADATA
DNS PERFORMANCE IMPACT WITH LOGGING
• High impact on DNS server
• Impact on network performance
• Lots of logs to index, high costs
(Diagram) Users within the organization query the local DNS server, whose DNS logging feeds the SIEM: low performance, high costs.
Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and subject to change.
METADATA
DNS Metadata: HIGH PERFORMANCE
1. No impact on DNS server
2. Original authoritative request
(Diagram) Users within the organization query the local DNS server; DNS metadata generated from the traffic is sent to the SIEM: high performance, low costs.
Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and subject to change.
METADATA
DNS Architecture: LOSS OF FIDELITY
• SIEM does not see original DNS request
• Logs from proxies reduce visibility of actual DNS transactions
(Diagram) Users within the organization send lookup requests for www.evil.com to the Domain Controller + DNS on the local network, which forwards them through the DNS server in the DMZ to the root DNS server on the Internet (addresses 1.1.1.1 and 2.2.2.2 appear on the path); the SIEM only sees the proxied entry “2.2.2.2 → www.evil.com”: low visibility, poor security.
Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and subject to change.
METADATA
DNS Metadata: HIGH FIDELITY & BETTER SECURITY
(Diagram) The same path as the previous slide, with DNS metadata generated from the local-network traffic and sent to the SIEM: full visibility, better security. Gigamon captures the original DNS request and the infected endpoint is identified.
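The fidelity difference between the two DNS slides, as an added example that is not Gigamon code: a metadata record is generated per DNS query from the tapped packets, keyed by the IP that actually sent it, and two constructed captures are compared, one on the client segment, where the record names the querying endpoint, and one upstream of the recursive resolver, where only the resolver appears as the source, which is all a proxy or resolver log can report. The IPs and packets are constructed; the queried name is the one on the slide.

```python
import struct
from typing import List, Optional


def build_dns_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Wire-format single-question DNS query (constructed test input)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_dns_query(payload: bytes) -> Optional[dict]:
    """Return {'txid', 'qname', 'qtype'} for a single-question DNS query, else None."""
    if len(payload) < 17:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:              # QR=1 is a response; skip it
        return None
    labels, p = [], 12
    while p < len(payload) and payload[p] != 0:
        n = payload[p]
        if n & 0xC0 or p + 1 + n > len(payload):    # no compression pointers in a question
            return None
        labels.append(payload[p + 1:p + 1 + n].decode("ascii", "replace"))
        p += 1 + n
    if p + 5 > len(payload):
        return None
    return {"txid": txid, "qname": ".".join(labels), "qtype": struct.unpack("!H", payload[p + 1:p + 3])[0]}


def dns_metadata(packets: List[dict]) -> List[dict]:
    """One record per query packet: who asked which resolver for what."""
    out = []
    for pkt in packets:
        q = parse_dns_query(pkt["payload"]) if pkt["dport"] == 53 else None
        if q:
            out.append({"client": pkt["src"], "resolver": pkt["dst"], **q})
    return out


def querying_clients(records: List[dict], qname: str) -> List[str]:
    """Endpoints that looked up `qname` (the infected-endpoint question on the slide)."""
    return sorted({r["client"] for r in records if r["qname"] == qname})


EVIL = build_dns_query(0x1234, "www.evil.com")
BENIGN = build_dns_query(0x1235, "www.example.com")
# Tap on the internal segment: endpoint -> domain controller / internal DNS (constructed).
INTERNAL_SEGMENT = [
    {"src": "10.0.0.42", "dst": "10.0.0.10", "dport": 53, "payload": EVIL},
    {"src": "10.0.0.42", "dst": "10.0.0.10", "dport": 53, "payload": BENIGN},
    {"src": "10.0.0.10", "dst": "10.0.0.42", "dport": 50123, "payload": b"\x12\x34\x81\x80" + bytes(8)},
]
# Tap upstream of the recursive resolver: only the resolver is visible as the source (constructed).
UPSTREAM_SEGMENT = [
    {"src": "10.0.0.10", "dst": "1.1.1.1", "dport": 53, "payload": EVIL},
]
```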
De-duplication
• The most common source of packet duplication originates from how traffic is captured.
• Assume a simple 3-tier application.
– Configure the switch to send a copy of all traffic for three servers over to a monitoring tool.
– SPAN or mirror ports 1-3 to an analyzer.
– On Port 1 the user query is seen inbound. Then the Web Server sends an outbound query to the Application Server.
– On Port 2 the same Web Server query is seen again inbound. The Application Server sends an outbound query to the Database Server.
– On Port 3 the same query is seen again inbound.
– In this five-packet example, there are two duplicates.
(Diagram) Packet 1 (in), Packet 2 (out), Packet 2 (in), Packet 3 (out), Packet 3 (in)
De-duplication: REDUCED BY 50% OF TRAFFIC
(Before / after de-duplication) The customer needs large storage space due to duplicate captures of the same packets; traffic is reduced by nearly 50% after de-duplication, saving expensive storage space on the IPS.
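The five-packet SPAN example above, together with the NetFlow slide's point that flows are de-duplicated before a record is generated, as an added example that is not Gigamon code: copies of the same packet are recognised by a content fingerprint inside a short time window, and flow records are then built from the de-duplicated stream so their counters are not inflated. The capture, window and field names are constructed assumptions.

```python
import hashlib
from typing import Dict, List, Tuple

DEDUP_WINDOW_NS = 50_000   # assumption: SPAN copies of one packet arrive within 50 us of each other


def packet_fingerprint(pkt: dict) -> str:
    """Hash the fields that identify a copy of the same packet: 5-tuple, IP id, TCP seq
    and payload. TTL and L2 headers are deliberately left out, since copies taken on
    different switch ports legitimately differ there."""
    ident = (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"],
             pkt["ip_id"], pkt["seq"], pkt["payload"])
    return hashlib.sha256(repr(ident).encode()).hexdigest()


def deduplicate(packets: List[dict], window_ns: int = DEDUP_WINDOW_NS) -> Tuple[List[dict], int]:
    """Return (kept packets, number dropped as duplicates)."""
    last_seen: Dict[str, int] = {}
    kept, dropped = [], 0
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        fp = packet_fingerprint(pkt)
        if fp in last_seen and pkt["ts"] - last_seen[fp] <= window_ns:
            dropped += 1
            continue
        last_seen[fp] = pkt["ts"]
        kept.append(pkt)
    return kept, dropped


def build_flow_records(packets: List[dict]) -> Dict[tuple, dict]:
    """Unidirectional flow records with the counters NetFlow v5/v9 and IPFIX export."""
    flows: Dict[tuple, dict] = {}
    for pkt in packets:
        key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
        rec = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": pkt["ts"], "last": pkt["ts"]})
        rec["packets"] += 1
        rec["bytes"] += pkt["length"]
        rec["last"] = max(rec["last"], pkt["ts"])
    return flows


def _pkt(ts, port, src, sport, dst, dport, ip_id, seq, payload, length):
    return {"ts": ts, "span_port": port, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": 6, "ip_id": ip_id, "seq": seq, "payload": payload, "length": length}


# Constructed replay of the slide: two of the five captured packets are SPAN duplicates.
SPAN_CAPTURE = [
    _pkt(1000, 1, "192.0.2.10", 51000, "10.1.0.9", 443, 1, 100, b"GET /", 80),   # port 1: user query in
    _pkt(1200, 1, "10.1.0.9", 40001, "10.2.0.5", 8080, 2, 200, b"api", 70),      # port 1: web -> app out
    _pkt(1215, 2, "10.1.0.9", 40001, "10.2.0.5", 8080, 2, 200, b"api", 70),      # port 2: same packet in (dup)
    _pkt(1400, 2, "10.2.0.5", 45000, "10.3.0.7", 5432, 3, 300, b"SELECT", 90),   # port 2: app -> db out
    _pkt(1420, 3, "10.2.0.5", 45000, "10.3.0.7", 5432, 3, 300, b"SELECT", 90),   # port 3: same packet in (dup)
]
```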
Slicing, Masking, Header Stripping
Slicing
• Identify the fixed or variable offset for slicing by protocol or source.
• Apply slicing rules to network traffic ingress ports.
Masking
• Define the characteristics or location of sensitive traffic within certain protocols.
• Select the data pattern used to overwrite portions of the packet (e.g. ffffffff…).
• Apply masking rules to network traffic ingress ports.
Header Stripping
• Various routing and traffic segregation actions require tags, labels and other such packet additions. When traffic is collected from inter-switch links these additions can prevent monitoring tools from reading the traffic: VLAN tags, MPLS labels, VNTags (Cisco Nexus), VXLAN (VMware), GTP tunnels, ISL tunnels (Cisco), FabricPath.
• Tag stripping operations allow tools access to otherwise unreadable traffic.
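The three transforms above applied to one Ethernet/IPv4/TCP frame, as an added example that is not Gigamon code: strip_vlan removes 802.1Q / Q-in-Q tags so the frame can be parsed, slice_packet keeps the headers plus the first N payload bytes at a variable offset found from the IP and TCP header lengths, and mask_packet overwrites a payload region with the slide's ff fill. The frame builder and the card-number-like payload are constructed input.

```python
import struct
from typing import Optional


def strip_vlan(frame: bytes) -> bytes:
    """Drop every 802.1Q (0x8100) or 802.1ad (0x88a8) tag that follows the MAC addresses."""
    while len(frame) >= 18 and frame[12:14] in (b"\x81\x00", b"\x88\xa8"):
        frame = frame[:12] + frame[16:]
    return frame


def l4_payload_offset(frame: bytes) -> Optional[int]:
    """Offset of the transport payload in an untagged IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length from the IHL field
    l4 = 14 + ihl
    proto = frame[23]
    if proto == 17:                                   # UDP: fixed 8-byte header
        return l4 + 8
    if proto == 6 and len(frame) >= l4 + 20:          # TCP: data offset field, in 32-bit words
        return l4 + (frame[l4 + 12] >> 4) * 4
    return None


def slice_packet(frame: bytes, keep_payload_bytes: int) -> bytes:
    """Packet slicing: headers plus the first `keep_payload_bytes` of payload; tagged or
    unparseable frames are passed through untouched rather than cut blindly."""
    off = l4_payload_offset(frame)
    return frame if off is None else frame[:off + keep_payload_bytes]


def mask_packet(frame: bytes, start: int, length: int, fill: int = 0xFF) -> bytes:
    """Masking: overwrite `length` payload bytes beginning `start` bytes into the payload."""
    off = l4_payload_offset(frame)
    if off is None:
        return frame
    a, b = off + start, min(off + start + length, len(frame))
    return frame[:a] + bytes([fill]) * (b - a) + frame[b:]


def build_frame(payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame, optionally 802.1Q tagged (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    tag = b"" if vlan is None else b"\x81\x00" + struct.pack("!H", vlan)
    return b"\xaa" * 6 + b"\xbb" * 6 + tag + b"\x08\x00" + ip + tcp + payload
```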
GTP Correlation, FlowVUE
GTP Correlation
• Real-time GTP session correlation for LTE and 3G networks
• Advanced subscriber-based, session-aware filtering, forwarding, load balancing, and replication across one or multiple billing / monitoring tools
(Diagram) 4G and 3G traffic enters Flow Mapping® and GTP Correlation, which feed APM / NPM, CEM and billing tools.
FlowVUE™
• Tools simply unable to keep up with ultra high volume of traffic (40Gb, 100Gb)
• FlowVUE™ allows you to sample a specific subset of traffic flows and then send all of the traffic related to those conversations out to the monitoring tools
(Diagram) Enterprise and telco sources (Source IP / User / Subscriber ID: IP address 1.0.0.1, IP address 1.0.0.2, …; IMSI 404685505601234, IMSI 310150123456789, …; total subscribers: 1,000,000) enter Flow Mapping® and FlowVUE™, which samples 10% of the subscribers (100,000 sampled) and intelligently filters and sends all flows associated with the sampled set of subscribers to APM / NPM, CEM and billing tools.
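The GTP correlation engine slide and the FlowVUE sampling above, as one added example that is not Gigamon code: simplified GTP-C create/delete session events (constructed dicts, not wire format) build the session table (TEID to IMSI) and subscriber table, GTP-U packets are resolved by TEID lookup, and forwarding is decided per subscriber, either by whitelist or by a hash of the IMSI, so the decision is stable and every bearer of a sampled subscriber is kept. The population, TEIDs and the assumption that TEIDs are unique on this node are constructed; the whitelisted IMSI is the value shown on the slide.

```python
import hashlib
from typing import Dict, Set


class GtpCorrelator:
    def __init__(self, sample_percent: int, whitelist=()) -> None:
        self.sessions: Dict[int, str] = {}       # GTP session table: TEID -> IMSI (TEIDs assumed unique per node)
        self.subscribers: Dict[str, dict] = {}   # subscriber table: IMSI -> {"ue_ip", "teids"}
        self.sample_percent = sample_percent
        self.whitelist: Set[str] = set(whitelist)

    def control_plane(self, msg: dict) -> None:
        """Consume a create_session / delete_session event taken from the GTP-C stream."""
        if msg["type"] == "create_session":
            self.subscribers[msg["imsi"]] = {"ue_ip": msg["ue_ip"], "teids": set(msg["teids"])}
            for teid in msg["teids"]:
                self.sessions[teid] = msg["imsi"]
        elif msg["type"] == "delete_session":
            sub = self.subscribers.pop(msg["imsi"], None)
            for teid in (sub["teids"] if sub else ()):
                self.sessions.pop(teid, None)        # stale TEIDs must not resolve to the old subscriber

    def sampled(self, imsi: str) -> bool:
        """Consistent FlowVUE-style sampling: a hash of the IMSI, not a per-packet coin flip."""
        return int(hashlib.sha256(imsi.encode()).hexdigest(), 16) % 100 < self.sample_percent

    def user_plane(self, pkt: dict) -> str:
        """Decide what happens to a GTP-U packet: forward tagged with its subscriber, or drop."""
        imsi = self.sessions.get(pkt["teid"])
        if imsi is None:
            return "DROP:unknown-teid"
        if imsi in self.whitelist or self.sampled(imsi):
            return "FORWARD:" + imsi
        return "DROP:not-sampled"


def run_demo() -> dict:
    """Constructed population of 1,000 subscribers with two bearers each, 10% sampling,
    plus one whitelisted subscriber."""
    corr = GtpCorrelator(sample_percent=10, whitelist=["404685505601234"])
    for i in range(1000):
        corr.control_plane({"type": "create_session", "imsi": f"3101501{i:08d}",
                            "ue_ip": f"10.{i >> 8}.{i & 255}.1", "teids": [2 * i + 1, 2 * i + 2]})
    corr.control_plane({"type": "create_session", "imsi": "404685505601234",
                        "ue_ip": "10.9.9.9", "teids": [5001, 5002]})
    forwarded = sum(corr.user_plane({"teid": 2 * i + 1}).startswith("FORWARD") for i in range(1000))
    consistent = all(corr.user_plane({"teid": 2 * i + 1}) == corr.user_plane({"teid": 2 * i + 2})
                     for i in range(1000))
    whitelisted = corr.user_plane({"teid": 5001})
    corr.control_plane({"type": "delete_session", "imsi": "404685505601234"})
    return {"forwarded": forwarded, "consistent": consistent, "whitelisted": whitelisted,
            "after_delete": corr.user_plane({"teid": 5001})}
```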
Gigamon Ties It All Together: Building A Solutions Approach
APM / NPM
Market Dynamics
APM / NPM: RESPONSE TIME ANALYSIS, TROUBLESHOOTING, CAPACITY PLANNING
• NPM / APM is always a must-have in every Data Center
• For end-to-end analysis purposes, need to cover all network segments
• Many choices in 10G or slower speed.
• Choices for 40G, 100G are rising, but very expensive.
Gigamon + Riverbed RPM
(Diagram) SPAN/mirror sessions from the switch and the load balancer feed the Gigamon node, covering the Web servers (Web1, Web2…N behind the Web VIP), the AP servers (behind the AP VIP) and the DB servers (behind the DB VIP); a web-based management and analysis console consumes the output.
Nationwide China Bank Case Study
GIGAMON HELPS PERVASIVE VISIBILITY
BACKGROUND & CHALLENGE
• Business Intelligence / Analytics
• Virtualization
• Digitalization
• Data Center / Infrastructure Evolution
SOLUTION
• Three-tier architecture.
• Access tier: GigaVUE-TA10, GigaVUE-VM
• Core tier: GigaVUE-HD4. One in each Data Center
• Tool tier: Security Management, Performance Analysis, Operation Tools
RESULTS & KEY BENEFITS
• Capacity and scale to manage large volumes of high-speed data
• Full transparency into virtualized infrastructure and potential malware to mitigate threats
• Access and control of all traffic – including SSL/TLS encrypted communications – regardless of TCP port or application
• Consistent traffic management and orchestration throughout the banking network
(Diagram) Data Center A and Data Center B, each with clusters in the access layer; GigaVUE-VM as virtual TAP in the virtual network data; TA Series access tier (aggregation, flow maps); GigaVUE-HD4 in the core layer (H Series core tier: advanced data manipulation, connect to tools); centralized tools rack.
Next Generation Firewall
Market Dynamics
Next Generation Firewall: ACCESS CONTROL + IPS + APPLICATION CONTROL + USER AWARENESS
• Mass migrations to NGFW
• Deployed at perimeter & second skin
• Performance constrained
• Little visibility to endpoint or clouds
• Typically in active/standby pairs
• Expensive to deploy everywhere
GigaSECURE with NGFW: FAULT TOLERANCE, SCALING, HIGHER ROI FROM FIREWALLS
High Value Use Cases
• Fail Closed Protection
• Traffic Visibility, e.g. East-west
• Load Distribution / Scaling
• Managing Asymmetric Routing
• Agile Deployment
Energy / Utility Company Case Study
PALO ALTO NETWORKS + GIGAMON
BACKGROUND & CHALLENGE
• Purchased 6 Palo Alto Networks NGFW (PA-5000) series
• Wanted to reduce risk of network outage inline and reduce load to NGFW
SOLUTION
• Stringent POC tested: power loss at GigaVUE-HC2, pulling the BPS module from the chassis, manual BPS mode during flows, link-state failure on PAN devices, 2 VLANs without Q-in-Q, 2 VLANs with Q-in-Q, PAN simulating two tools in serial, application filtering (sending only selected traffic to PAN).
• ALL TESTING WAS 100% SUCCESSFUL! NO MAJOR COMPLICATIONS!
• BOM included: 8 x GigaVUE-HC2
RESULTS & KEY BENEFITS
• Customer has 100% confidence in deployment of Palo Alto Networks appliances with Bypass Protection and no oversubscription.
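The inline bypass behaviour the deck relies on (the heartbeat-monitored inline tool groups of the Inline Bypass slide and the Fail Closed Protection, load distribution and asymmetric routing use cases of the GigaSECURE with NGFW slide), as an added example that is not Gigamon code: each tool's health is derived from heartbeat probes, traffic is distributed over the healthy tools by a direction-insensitive 5-tuple hash so both halves of a session reach the same firewall, and when the whole group is down the bypass either fails closed (drop) or fails open (forward around the tools). Tool names, the miss threshold and the packets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List

MISSES_TO_FAIL = 3   # assumption: consecutive missed heartbeats before a tool is declared down


@dataclass
class InlineTool:
    name: str
    missed: int = 0
    healthy: bool = True

    def heartbeat(self, answered: bool) -> None:
        """Record one heartbeat probe result; a tool recovers on the first answered probe."""
        if answered:
            self.missed, self.healthy = 0, True
        else:
            self.missed += 1
            if self.missed >= MISSES_TO_FAIL:
                self.healthy = False


def hash_5tuple(key: tuple) -> int:
    """Deterministic FNV-1a over the key so the tool choice is stable across runs."""
    h = 0x811C9DC5
    for byte in repr(key).encode():
        h = ((h ^ byte) * 0x01000193) & 0xFFFFFFFF
    return h


@dataclass
class InlineToolGroup:
    tools: List[InlineTool]
    fail_closed: bool = True   # the slide's "Fail Closed Protection"; False means fail open (bypass)

    @staticmethod
    def flow_key(pkt: dict) -> tuple:
        """Direction-insensitive 5-tuple: A->B and B->A map to the same tool, which is what
        keeps an asymmetric path from splitting one session across two firewalls."""
        a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        return (pkt["proto"],) + (a + b if a <= b else b + a)

    def route(self, pkt: dict) -> str:
        """Name of the tool the packet traverses, 'BYPASS' when forwarded around a failed
        group, or 'DROP' when the group is down and fail-closed is configured."""
        alive = [t for t in self.tools if t.healthy]
        if not alive:
            return "DROP" if self.fail_closed else "BYPASS"
        return alive[hash_5tuple(self.flow_key(pkt)) % len(alive)].name


def run_demo(fail_closed: bool = True) -> dict:
    """Constructed walk-through: both NGFWs up, one fails, both fail, one recovers."""
    group = InlineToolGroup([InlineTool("NGFW1"), InlineTool("NGFW2")], fail_closed)
    fwd = {"proto": 6, "src": "10.0.0.5", "sport": 40000, "dst": "10.0.1.9", "dport": 443}
    rev = {"proto": 6, "src": "10.0.1.9", "sport": 443, "dst": "10.0.0.5", "dport": 40000}
    out = {"both_up": (group.route(fwd), group.route(rev))}
    for _ in range(MISSES_TO_FAIL):           # NGFW1 stops answering heartbeats
        group.tools[0].heartbeat(False)
    out["one_down"] = group.route(fwd)
    for _ in range(MISSES_TO_FAIL):           # NGFW2 fails as well: whole group down
        group.tools[1].heartbeat(False)
    out["all_down"] = group.route(fwd)
    group.tools[0].heartbeat(True)            # NGFW1 answers again
    out["recovered"] = group.route(fwd)
    return out
```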
SIEM
Market Dynamics
SIEM: SECURITY ANALYTICS THROUGH CORRELATION OF EVENTS, LOGS, TRAFFIC
• Security “monitoring” is in again
• Stalled and failed deployments very common
• Near de facto technology for security monitoring & compliance
• Needs context & the right data to work
• Can make IPSes and other security more useful
Gigamon and Splunk: FASTER TIME TO DISCOVERY AND RESPONSE, HIGHER ROI FROM SIEM AND IPS
High Value Use Cases
• NetFlow
• Extended metadata
• Complete visibility
• Manage from Splunk
• Filtering means only high-value data sent to Splunk
Customer Win – SLED
HOW WE WON DEAL
• Customer building a new data center wants to design visibility in from the start
• Needs inline (future) and out-of-band tool ports
• Needs modular design that can grow
• Needs to integrate with Splunk
TECHNICAL DIFFERENTIATORS
• 3 x GigaVUE-HC2
• 10Gb and 40Gb TAPs and SFPs
• Modular, scalable design
• Gigamon Visibility for Splunk App
• Deduplication and traffic filtering to minimize traffic to Splunk
• Evaluating metadata engine
Advanced Threat Detection
Market Dynamics
Advanced Threat Detection: MALWARE & APT DETECTION BY ANALYSIS OF PAYLOAD (EX. FILES, .EXE) IN A SANDBOX
• Made popular by FEYE, most advanced
• Heavy price pressure
• Many vendors and feature options
• Privacy concerns with cloud sandbox
• Performance is key, i.e. objects analyzed per hour
• Integration with forensics gives real impact analysis
Sandboxing Deployment Options
The FireEye + Gigamon Solution: COST COMPETITIVE, SCALABLE, HIGH PERFORMING ATD W/ EASY FORENSICS TIE-IN
(Diagram) GigaVUE-HC2 with a FireEye inline tool group (FireEye NX2400 on side A and on side B) and a FireEye EX8400.
High Value Use Cases
• Bypass
• Load balancing
• Visibility for more centralized deployments
• Handling asymmetric routing
• SSL decryption
• Workflow feed to SIEM
Customer Anecdote – Financial Services
HOW WE WON DEAL
• Gigamon and FireEye collaboration on design
• Efficient design to minimize initial investment in Gigamon and FireEye – with scalable growth plan
TECHNICAL DIFFERENTIATORS
• 2 GigaVUE-HC2s
• Resolve asymmetric traffic issues
• Traffic distribution across interfaces
• Feed out-of-band tools the same traffic
The Cyber Security Operations Center: FAST INCIDENT DETECTION AND HANDLING THROUGH INTEGRATION
Today:
• SIEM is at the center of fast detection and response
• Integration with security stack key
• Getting SIEM and IH right is hard
• Needs the right data, not all data
GigaVUE HC2: AT THE HEART OF THE GIGASECURE® SECURITY DELIVERY PLATFORM
(Diagram) Traffic from the Internet edge routers and the core switches enters the GigaVUE HC2, which provides SSL decryption, NetFlow generation and application session filtering, and feeds the FireEye malware detection systems, the Palo Alto Networks next gen firewalls and the SIEM collector.
Large International Bank: BUILDING AN ENTERPRISE-WIDE SECURITY DELIVERY PLATFORM
BACKGROUND & CHALLENGE
• Large international bank serving around 13 million customers
• Multi-phase deployment currently in progress (phase 1: inline, phase 2: security analytics)
• Supporting multiple security tool deployments including FireEye, TippingPoint, Splunk and Palantir
• Two primary datacenters, multiple facilities both in country and international, cloud strategy
APPROACH & SOLUTION
• Phase 1: deployment of TippingPoint (inline) and FireEye (out-of-band) inside the bank’s core network. GigaVUE-HC2 with inline bypass.
• Phase 2: out-of-band Visibility Fabric™ into data centers and edge supporting the bank’s SOC. HC2 + TA10.
• Phase 3: visibility for VMware NSX
RESULTS & KEY BENEFITS
• Realized over $24M in savings with new visibility architecture
• Engagements for future expansions underway: AWS trials, SSL beta
Deployment Diagram: MORE TO COME
(Diagram) Phase 1: Distribution 1 (Hall 1, Cisco 6509) and Distribution 2 (Hall 2, Cisco 6509) with Core 1 - Hall 1 and Core 2 - Hall 2 (Cisco 6509); a TippingPoint 7500NX pair and a FireEye NX10450 pair attached through GigaVUE-HC2s; Phase 1 FM (Telstra-run); stack links to Phase 2. Phase 2: DC1 and DC2 with G-TAP G’s and A’s (future: NSX and AWS) and stack links from Phase 1; tools: Splunk, Palantir, Tactical, ArcSight, FPC (TBD), non-security tools; Phase 2 FM (Bank-run).
Open Discussions
How to map features to different industries
(Table) Gigamon features (columns): VM Visibility, Inline Bypass, SSL Decrypt, De-duplication, DPI Filtering, NetFlow Generation, Slicing, Masking. Industries or use cases (rows): FSI; Gov / Public Sector; Education; Splunk users (tools that are volume-based licensed); Cloud SP; Cloud application-based billing; Cisco ACI, VMware NSX; Telco cache farm; Usage-based billing; all other industries. The cells are left blank for the discussion.
Discussion Results