Gigamon Deep Dive - ACW Group · Gigamon® Deep Dive Tixon Law ... (Admin or Provider) Private...

Gigamon ® Deep Dive Tixon Law Principal System Engineer [email protected] For Consultants and Presales Professionals

Page 1:

Gigamon® Deep Dive

Tixon Law Principal System Engineer

[email protected]

For Consultants and Presales Professionals

Page 2:

2 ©2017 Gigamon. All rights reserved.

Current Network Infrastructures Are Insufficient CHAOTIC, INEFFICIENT AND PERIMETER-LESS

Page 3:

An Effective Visibility Solution

Any Network Data Center and Private Cloud | Public Cloud | Service Provider Networks | Remote Sites

Tools & Applications Security | Experience Management | Monitoring | Analysis

Employees Revenue Customers Partners Unknown IP

Types of Data

Consumers of Data Users | Applications | Devices


Page 5:

See what matters.™

Tools & Applications Security | Experience Management | Monitoring | Analysis

Any Network Data Center and Private Cloud | Public Cloud | Service Provider Networks | Remote Sites

Gigamon Visibility Platform

Manage Secure Understand

Page 6:

Gigamon Partner Ecosystem

Gigamon Visibility Platform

[Diagram labels: Security and Vulnerability Management; Service Provider; Infrastructure; Network & Application Performance Management]

Page 8:

INLINE BYPASS

Active Security Remediation with Inline Bypass

• Maximize tool efficacy and scale
• Add, remove, and upgrade tools seamlessly with no downtime
• Increase performance and agility of infrastructure
• Integrate Inline, Out-of-Band, and Flow-based tools via this same platform
• Simplify architecture

[Diagram labels, first layout: First-tier FW1, First-tier FW2, IPS1, IPS2, WAF1, WAF2, NGFW1, NGFW2, Switch x 2 (four pairs). Second layout with Inline Bypass: First-tier FW1, First-tier FW2, Switch x 2, WAF, IPS, NGFW1, NGFW2, heartbeats, 40G]

Page 9:

Virtual Visibility: More Important Than Ever

5 REASONS WHY YOU MUST CARE

1. Security no longer an after-thought during virtualization
2. Increasing VM density with mission-critical workloads
3. Visibility into VM-VM traffic needed for security, APM
4. Creating new virtual instances of tools affects workload performance
5. Automated visibility after VM migration

[Diagram labels: Server, Hypervisor, Virtual IDS VM1, Virtual Anti-Malware, Virtual APM VM; Server, Hypervisor, GigaVUE-VM; Tunneling; IDS, Anti-Malware, Forensics; GigaVUE-VM and GigaVUE® Nodes]

Page 10:

Comprehensive Visibility for the Cloud

Platforms: VMware ESX | VMware NSX | OpenStack + agents | OpenStack + TaaS* | AWS

Use cases: Private Cloud (Admin or Provider) | Private Cloud - Tenant | Hybrid Cloud (Admin + Tenant) | Public Cloud - Tenant

GigaVUE-VM and GigaVUE® Nodes

* Planned for 2017. Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and subject to change.

Page 11:

Visibility into Public Clouds

The industry’s first pervasive visibility platform for public, private and hybrid clouds

Gigamon Visibility Platform enables consistent and elastic visibility into data-in-motion across the entire enterprise

AWS

Now Generally Available

Page 12:

Deployment Examples: Hybrid Cloud Visibility

PRESERVE TOOL INVESTMENT FOR ‘LIFT-AND-SHIFT’ CUSTOMERS

1. Integrate with Amazon APIs
2. Deploy Visibility Tier
3. Copy EC2 instance traffic
4. Aggregate and distribute customized traffic to tools

[Diagram legend: Elastic Load Balancing (ELB), Subnet, Amazon Relational Database Service (RDS), Availability Zone (AZ), Tool Instances, VPN Gateway, VPN Connection, Router, Data Center]

[Diagram labels: Region, AZ, AWS VPC, Web Tier, App Tier, ELB, RDS, Visibility Tier, Tool Tier, GigaVUE-FM, On-premise Data Center, Amazon EC2 APIs, Amazon CloudWatch, Tunneling]

Page 13:

Case Study: Sample Web Application

AWS REFERENCE ARCHITECTURE

Reference Picture: AWS Best Practices

[Diagram labels: GigaVUE-FM, Configure Policies, REST APIs, GigaVUE® V Series, Amazon EC2 APIs, Amazon CloudWatch, Tunneling, On-Premise or Cloud Tools]

Page 14:

4G/LTE Networks

[Diagram labels: PDN, Subscriber Devices, Access Network, Evolved Packet Core, eNodeB, CDMA 2000, PDSN / FA, S-GW, P-GW, MME, S2, S3, S4, 3G SGSN, UE, X1 / X2, HHS; tools: Customer Experience Management, Security, Application Performance Management, Network Performance Management]

Page 15:

Gigamon Subscriber-Aware Visibility Solution

USER AND DATA PLANE CORRELATION

[Diagram labels: PDN, Subscriber Devices, Access Network, Evolved Packet Core, eNodeB, CDMA 2000, PDSN / FA, S-GW, P-GW, MME, S2, S3, S4, 3G SGSN, UE, X1 / X2, HHS; GTP Correlation, Flow Mapping®; Centralized Tools: Application Performance Management, Network Performance Management, Customer Experience Management, Security]

Page 16:

Gigamon Subscriber-Aware Visibility Solution

[Diagram labels: Users, Trouble-ticket System, Fabric Manager, Configuration Policy, Whitelist, Subscribers, IMSI; RAN, EPC, GigaVUE® Network Ports, GigaVUE® Tool Ports, EPC Monitor Tools; GTPC + GTPU, GTP Control Plane Packets, GTP User Plane Packets; GTP Correlation Engine: GTP Session Tracking, GTP Session Table, Subscriber Table, Subscriber Session Info, GTPU TEID Lookup, GTPU User Plane Forwarding; Identify populations of interest; GTP Correlation, FlowVUE™; Filtering, Load Balancing, Traffic Scaling]

Page 17:

GigaSMART® – Traffic Intelligence

• FlowVUE™
• Packet Slicing
• De-duplication
• Masking
• GTP Correlation
• Header Stripping
• NetFlow Generation
• Application Session Filtering
• SSL Decryption
• Adaptive Packet Filtering

Page 18:

Application Session Filtering GIGAMON VERSION OF DPI FILTERING

Page 19:

Deep Packet Inspection Filtering

DEEP PACKET INSPECTION

• DPI/Content-based Filtering of application identification
• For example: Email with/without attachments, URLs, BitTorrent Packets, Over-the-Top Applications (e.g. youtube, facebook, etc…)
• Filter all traffic corresponding to an application session
• Flexible Engine. Supports Regular Expression (RegEx)

[Diagram labels: Collector, Application Session Filtering, Email Monitor, Video Monitor; interleaved NETFLIX and Exchange packets from sessions 1, 2, 3 and 4; packet layout MAC | LLC | IP | Data | Trailer; example pattern ^rfb 00[1-9]\.00[0-9]\x0a$]

Page 20:

Deep Packet Inspection Filtering EXAMPLE: FILTERING A BANK’S ATM TRANSACTIONS

Page 21:

ATM transactions – identified and filtered by the keyword “03 06 45 20…9168”

Page 22:

ATM transactions – identified and filtered by the keyword “03 06 45 20…9168”

Page 23:

SSL Decryption

Page 24:

SSL DECRYPTION

Existing Security Product Challenges

“Blind” to SSL/TLS Traffic
• DLP, IDS, SIEM & Sandbox and Security Analytics

Limited SSL/TLS Support (e.g. HTTPS)
✕ Costly upgrades: NGFW solutions suffer up to 80% performance degradation*
✕ Limited ports for sharing decrypted traffic
✕ Partial crypto suite support
✕ Additional complexity—arduous scripting

[Diagram labels: Anti-malware, Security Analytics, DLP, Intrusion Prevention, App Delivery Controller / Load Balancer, Next-Gen Firewall]

*Sources: NSS Labs, Pirc, John W. Analyst Brief: SSL Performance Problems. NSS Labs. https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/ 2013

Page 25:

SSL Decryption

1. Tap SSL traffic and deliver to Visibility Fabric™
   – Use Flow Mapping® to define flows to be decrypted
   – Selected flows sent to GigaSMART®
2. GigaVUE® identifies exchange of public keys
3. Administrator uploads private keys
   – Up to 4000 private keys are uploaded to each aggregator (HC, HD), and 2000 to each HB
   – Protected by separate password and encrypted locally
   – Restricted by Role Based Access Control privileges
4. Apply keys to decrypt traffic
   – Not restricted to port 443
   – Can change port to 80 if desired
5. GigaVUE forwards clear packets to tools and/or GigaVUE applies intelligence to decrypted traffic for policy compliance
   – Packet Slicing
   – Masking

Page 26:

Inline SSL Decryption

Highlights

• Servers and clients located internally or externally
• Private keys not needed
• RSA, DH, PFS can be used
• Supports inline and out-of-band tools

[Diagram labels: SSL Session Leg 1 (encrypted), SSL Session Leg 2 (re-encrypted), Inline Tool Group (decrypted traffic), Out-of-Band Tool (decrypted traffic), Web Monitor Tool (decrypted traffic); legend: Encrypted traffic, Decrypted traffic]
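An added example, not Gigamon code or configuration: decrypting out of band with uploaded private keys can only recover sessions that use static RSA key exchange, while (EC)DHE suites with forward secrecy, and every TLS 1.3 session, need the inline mode listed in the highlights. The sketch below reads the cipher suite a server chose from its ServerHello and sorts flows accordingly; the suite table is a small subset of the IANA registry, and the flow names and sample records are constructed.

```python
import struct

# Key exchange per IANA cipher-suite ID (a subset; extend for real use).
STATIC_RSA = {0x000A, 0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}
EPHEMERAL = {
    0x0033, 0x0039, 0x009E, 0x009F,                          # DHE_RSA
    0xC013, 0xC014, 0xC02B, 0xC02C, 0xC02F, 0xC030, 0xCCA8,  # ECDHE
    0x1301, 0x1302, 0x1303,                                  # TLS 1.3
}


def server_hello_cipher_suite(record: bytes) -> int:
    """Return the cipher suite selected in a TLS ServerHello record.

    Raises ValueError if the bytes are not a complete ServerHello.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or rec_len < 4:
        raise ValueError("truncated handshake record")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # legacy_version (2) + random (32) + session_id length (1) = 35 bytes
    if len(hello) < hs_len or len(hello) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]            # skip the session_id itself
    if len(hello) < off + 3:        # cipher_suite (2) + compression (1)
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[off:off + 2], "big")


def decryption_mode(suite: int) -> str:
    """Which decryption approach can see inside a session using this suite."""
    if suite in STATIC_RSA:
        return "passive-with-private-key"
    if suite in EPHEMERAL:
        return "inline-only"
    return "unknown"


def triage(flows: dict) -> dict:
    """Map each flow name to a decryption mode, or 'unparsed' on bad input."""
    result = {}
    for name, record in flows.items():
        try:
            result[name] = decryption_mode(server_hello_cipher_suite(record))
        except ValueError:
            result[name] = "unparsed"
    return result


def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed test input: a minimal ServerHello with an all-zero random."""
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + suite.to_bytes(2, "big") + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


# Constructed flows, keyed by a made-up server address.
SAMPLE_FLOWS = {
    "10.0.0.5:443": build_server_hello(0x009C),
    "10.0.0.6:8443": build_server_hello(0xC030, session_id=bytes(32)),
    "10.0.0.7:443": build_server_hello(0x1301, session_id=bytes(32)),
    "10.0.0.8:443": b"\x17\x03\x03\x00\x00",   # application data, not a hello
}

if __name__ == "__main__":
    for flow, mode in triage(SAMPLE_FLOWS).items():
        print(flow, mode)
```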

Page 27:

Gigamon NetFlow

Page 28:

• Out-of-Band NetFlow Generation

– Transforms packet data across multiple devices into summarized NetFlow records

• Supported NetFlow export formats

– NetFlow v5 and v9, IPFIX

• Ingress Filtering

– Leverages Gigamon patented Flow Mapping® technology to de-duplicate, filter, and consolidate flows BEFORE NetFlow record generated

• Multiple NetFlow exports

– Supports up to 6 NetFlow destinations simultaneously

• High Throughput Solution

– Supports non-sampled 1:1 flow record generation

• Use Cases

– Feed flow-based security solutions such as User Behavior Analysis

– Integrates packet traffic and flow visibility with Logs for SIEM

Gigamon Netflow Generation

Page 29:

Gigamon NetFlow/IPFIX Enhancements

• HTTP Response Codes: Uncover Denial of Service & compromise of internal web servers
• DNS Discovery*: Discover malicious communications to C&C servers using DNS transactions
• HTTPS Certificate Anomalies*: Analyze HTTPS certificates to discover bad/suspicious certificates
• Mapping User, Hostname & IP Address*: Correlate Kerberos and DHCP logs to map “who” (user) with “what” (hostname and IP)

[Diagram labels: DNS, C&C, Bots; Metadata: User, Machine, IP]

* Planned

Page 30:

METADATA

DNS PERFORMANCE IMPACT WITH LOGGING

• High impact on DNS Server
• Impact on network performance
• Lots of logs to index, high costs

[Diagram labels: Users within the organization, Local DNS Server, DNS Logging, SIEM; Low Performance, High Costs]

Page 31:

METADATA

DNS Metadata

HIGH PERFORMANCE

1. No impact on DNS Server
2. Original authoritative request

[Diagram labels: Users within the organization, Local DNS Server, DNS Metadata, SIEM; High Performance, Low Costs]

Page 32:

METADATA

DNS Architecture

LOSS OF FIDELITY

• SIEM does not see original DNS request
• Logs from proxies reduce visibility of actual DNS transactions

[Diagram labels: Users within the organization, Local Network, Domain Controller + DNS, DMZ, DNS Server, Internet, Root DNS Server, SIEM; addresses 1.1.1.1 and 2.2.2.2; lookup requests for www.evil.com; SIEM entry 2.2.2.2 → www.evil.com; Low Visibility, Poor Security]

Page 33:

METADATA

DNS Metadata

HIGH FIDELITY & BETTER SECURITY

Gigamon captures original DNS request and infected endpoint is identified

[Diagram labels: Users within the organization, Local Network, Domain Controller + DNS, DMZ, DNS Server, Internet, Root DNS Server, DNS Metadata, SIEM; addresses 1.1.1.1 and 2.2.2.2; lookup requests for www.evil.com; Full Visibility, Better Security]

Page 34:

De-duplication

Page 35:

De-duplication

• The most common source of packet duplication originates from how traffic is captured.
• Assume a simple 3-tier application.
  – Configure the switch to send a copy of all traffic for three servers over to a monitoring tool.
  – SPAN or Mirror ports 1-3 to an analyzer.
  – On Port 1 the User query is seen inbound. Then the Web Server sends an outbound query to the Application Server.
  – On Port 2 the same Web Server query is seen again inbound. The Application Server sends an outbound query to the Database Server.
  – On Port 3 the same query is seen again inbound.
  – In this five-packet example, there are two duplicates.

[Diagram labels: Packet 1 (in), Packet 2 (out), Packet 2 (in), Packet 3 (out), Packet 3 (in)]
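The five-packet SPAN scenario above, worked through as an added example (not Gigamon's implementation): each frame is fingerprinted from the network layer onward and dropped if the same fingerprint was seen within a short time window. The 50 ms window, the differing VLAN tag on the port 2 copies and the payload stand-ins are assumptions made for the illustration.

```python
import hashlib
from collections import OrderedDict

VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag identifiers


def l3_bytes(frame: bytes) -> bytes:
    """Return the frame contents after the Ethernet header and any VLAN tags."""
    off = 12  # skip destination and source MAC addresses
    while len(frame) >= off + 2:
        ethertype = int.from_bytes(frame[off:off + 2], "big")
        if ethertype not in VLAN_TPIDS:
            return frame[off + 2:]
        off += 4  # skip TPID + TCI and look at the next type field
    return b""  # frame too short to carry a payload


class Deduplicator:
    """Flag a frame whose L3 bytes were already seen within window_s seconds."""

    def __init__(self, window_s: float = 0.05):
        self.window_s = window_s
        self._seen = OrderedDict()  # digest -> time first seen, oldest first

    def is_duplicate(self, ts: float, frame: bytes) -> bool:
        # Expire old digests so a later, legitimate repeat is not suppressed.
        while self._seen:
            oldest = next(iter(self._seen))
            if ts - self._seen[oldest] <= self.window_s:
                break
            del self._seen[oldest]
        payload = l3_bytes(frame)
        if not payload:
            return False  # malformed frames pass through untouched
        digest = hashlib.sha256(payload).digest()
        if digest in self._seen:
            return True
        self._seen[digest] = ts
        return False


def frame(payload: bytes, vlan=None) -> bytes:
    """Constructed Ethernet frame; payload stands in for the IP packet bytes."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = b"" if vlan is None else b"\x81\x00" + vlan.to_bytes(2, "big")
    return macs + tag + b"\x08\x00" + payload


# Constructed stand-ins for the three distinct packets in the slide.
P1 = b"user->web GET /account"
P2 = b"web->app lookup(account)"
P3 = b"app->db SELECT balance"

# Constructed capture: (timestamp in seconds, SPAN port, frame).
CAPTURE = [
    (0.0000, 1, frame(P1)),           # Packet 1 (in)
    (0.0010, 1, frame(P2)),           # Packet 2 (out)
    (0.0011, 2, frame(P2, vlan=20)),  # Packet 2 (in), same packet, tagged copy
    (0.0020, 2, frame(P3, vlan=20)),  # Packet 3 (out)
    (0.0021, 3, frame(P3)),           # Packet 3 (in)
]


def kept_ports(capture, window_s: float = 0.05):
    """Return the SPAN port of every frame that survives de-duplication."""
    dedup = Deduplicator(window_s)
    return [port for ts, port, frm in capture if not dedup.is_duplicate(ts, frm)]


if __name__ == "__main__":
    kept = kept_ports(CAPTURE)
    print(f"forwarded {len(kept)} of {len(CAPTURE)} frames, from ports {kept}")
```

Hashing from the network layer onward is what lets the tagged and untagged copies match; the window keeps a repeat that arrives much later from being treated as a capture artifact.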

Page 36:

Before De-duplication After De-duplication

De-duplication REDUCED BY 50% OF TRAFFIC

Customer needs large storage space due to duplicate capturing of same packets

Traffic reduced by nearly 50% after de-duplication, saving expensive storage space of IPS

Page 37:

Slicing Masking Header Stripping

Page 38:

• Identify the fixed or variable offset for slicing by protocol or source.

• Apply slicing rules to network traffic ingress ports

Slicing

Page 39:

• Define the characteristics or location of sensitive traffic within certain protocols.

• Select the data pattern used to overwrite portions of the packet

• Apply masking rules to network traffic ingress ports

Masking

fffffffffffffffffffffffff

Page 40:

• Various routing and traffic segregation actions require tags, labels and other such packet additions. When traffic is collected from inter-switch links these additions can prevent monitoring tools from reading the traffic.

VLAN Tags MPLS Labels VNTags (Cisco Nexus) VXLAN (VMware)

GTP tunnels ISL tunnels (Cisco) FibrePath

• Tag stripping operations allow tools access to otherwise unreadable traffic.

Header Stripping

Page 41:

GTP Correlation FlowVUE

Page 42:

• Real-time GTP session correlation for LTE and 3G networks

• Advanced subscriber-based, session-aware filtering, forwarding, load balancing, and replication across one or multiple billing / monitoring tools

GTP Correlation

[Diagram labels: 4G, 3G, Flow Mapping®, GTP Correlation, APM / NPM, CEM, Billing]

Page 43:

FlowVUE™

• Tools simply unable to keep up with ultra high volume of traffic (40Gb, 100Gb)
• FlowVUE™ allows you to sample a specific subset of traffic flows and then send all of the traffic related to those conversations out to the monitoring tools

[Diagram labels: Enterprise, TELCO; Source IP/User/Subscriber ID: IP address 1.0.0.1, IP address 1.0.0.2, … etc.; IMSI: 404685505601234, IMSI: 310150123456789, … etc.; Total Subscribers: 1,000,000; Flow Mapping®; FlowVUE™, Sample 10%: intelligently filter and send all flows associated with sampled set of Subscribers; Total Subscribers Sampled: 100,000; APM / NPM, CEM, Billing]
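One way to get the behaviour described above, as an added sketch rather than Gigamon's algorithm: hash the subscriber ID into a bucket so that the sampling decision is deterministic per subscriber, then resolve each user-plane packet to its subscriber through a TEID table of the kind the GTP correlation slides show. The salt, the class and function names and the generated IMSI population are assumptions; the two literal IMSIs are the ones on the slide.

```python
import hashlib


def in_sample(subscriber_id: str, percent: int,
              salt: bytes = b"constructed-salt") -> bool:
    """Deterministic per-subscriber decision: same ID, same answer, no state."""
    digest = hashlib.sha256(salt + subscriber_id.encode()).digest()
    bucket = int.from_bytes(digest[:8], "big") % 100
    return bucket < percent


class SubscriberSampler:
    """Forward all user-plane traffic of sampled subscribers, none of the rest."""

    def __init__(self, percent: int):
        self.percent = percent
        self.teid_to_imsi = {}  # filled from control-plane session events

    def on_session_create(self, imsi: str, teid: int) -> None:
        self.teid_to_imsi[teid] = imsi

    def on_session_delete(self, teid: int) -> None:
        self.teid_to_imsi.pop(teid, None)

    def forward(self, teid: int) -> bool:
        """Decide for one GTP-U packet, identified by its tunnel endpoint ID."""
        imsi = self.teid_to_imsi.get(teid)
        if imsi is None:
            return False  # no known session: cannot attribute the packet
        return in_sample(imsi, self.percent)


def sampled_fraction(subscriber_ids, percent: int) -> float:
    """Share of the given subscribers that fall inside the sample."""
    ids = list(subscriber_ids)
    return sum(in_sample(s, percent) for s in ids) / len(ids)


# Constructed population of 20,000 IMSIs (the slide's example uses 1,000,000).
POPULATION = [f"31015{n:010d}" for n in range(20000)]

if __name__ == "__main__":
    sampler = SubscriberSampler(percent=10)
    # One subscriber with two bearers: both tunnels get the same decision.
    sampler.on_session_create("404685505601234", teid=0x1001)
    sampler.on_session_create("404685505601234", teid=0x1002)
    sampler.on_session_create("310150123456789", teid=0x2001)
    for teid in (0x1001, 0x1002, 0x2001, 0x9999):
        print(hex(teid), sampler.forward(teid))
    print(f"sampled share: {sampled_fraction(POPULATION, 10):.3f}")
```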

Page 44:

Gigamon Ties It All Together Building A Solutions Approach

Page 45:

APM / NPM

Page 46:

• NPM / APM is always a must-have in every Data Center

• For end-to-end analysis purpose, need to cover all network segments

• Many choices in 10G or slower speed.

• Choices for 40G, 100G are rising, but very expensive.

Market Dynamics

APM / NPM RESPONSE TIME ANALYSIS, TROUBLESHOOTING, CAPACITY PLANNING

Page 47:

Gigamon + Riverbed RPM

[Diagram labels: Switch, Load Balancer, SPAN/Mirror (two), Web Servers with Web VIP x.x.x.x, AP Servers with AP VIP x.x.x.x, DB Servers with DB VIP x.x.x.x, each server group listed as Web1 x.x.x.x, Web2…N x.x.x.x; Web based Management and Analysis Console]

Page 48:

Nationwide China Bank Case Study

GIGAMON HELPS PERVASIVE VISIBILITY

BACKGROUND & CHALLENGE

• Business Intelligence / Analytics
• Virtualization
• Digitalization
• Data Center / Infrastructure Evolution

SOLUTION

• Three-tier architecture.
• Access tier: GigaVUE-TA10, GigaVUE-VM
• Core tier: GigaVUE-HD4. One in each Data Center
• Tool tier: Security Management, Performance Analysis, Operation Tools

RESULTS & KEY BENEFITS

• Capacity and scale to manage large volumes of high-speed data
• Full transparency into virtualized infrastructure and potential malware to mitigate threats
• Access and control of all traffic – including SSL/TLS encrypted communications – regardless of TCP port or application
• Consistent traffic management and orchestration throughout the banking network

Page 49:

[Diagram labels: Data Center A, Data Center B; Cluster (repeated), Virtual Network Data; Access Layer, Core Layer, Centralized Tools Rack; GigaVUE-HD4 (two)]

GigaVUE-VM
• Virtual TAP

TA Series: Access Tier
• Aggregation
• Flow Maps

H Series: Core Tier
• Advanced data manipulation
• Connect to tools

Page 50:

• Mass migrations to NGFW

• Deployed at perimeter & second skin

• Performance constrained

• Little viz to endpoint or clouds

• Typically in active/standby pairs

• Expensive to deploy everywhere

Market Dynamics

Next Generation Firewall ACCESS CONTROL + IPS + APPLICATION CONTROL + USER AWARENESS

Page 51:

GigaSECURE with NGFW FAULT TOLERANCE, SCALING, HIGHER ROI FROM FIREWALLS

High Value Use Cases

• Fail Closed Protection

• Traffic Visibility ex. East-west

• Load Distribution / Scaling

• Managing Asymmetric Routing

• Agile Deployment

Page 52:

Energy / Utility Company Case Study

PALO ALTO NETWORKS + GIGAMON

BACKGROUND & CHALLENGE

• Purchased 6 Palo Alto Networks NGFW (PA-5000) series
• Wanted to reduce risk of network outage inline and reduce load to NGFW

SOLUTION

• Stringent POC tested: Power loss at GigaVUE-HC2, Pull BPS module from chassis, Manual BPS mode during flows, Link-State Failure on PAN devices, 2 VLANs NO Q in Q, 2 VLANs with Q in Q, PAN Simulating Two tools in serial, Application Filtering – sending only selected traffic to PAN.
• ALL TESTING WAS 100% SUCCESSFUL! NO MAJOR COMPLICATIONS!
• BOM Included: 8 x GigaVUE-HC2

RESULTS & KEY BENEFITS

• Customer has 100% confidence in deployment of Palo Alto Networks appliances with Bypass Protection and no oversubscription.

Page 53:

SIEM

Page 54:

• Security “monitoring” is in again

• Stalled and failed deployments very common

• Near de facto technology for security monitoring & compliance

• Needs context & right data to work

• Can make IPSes and other security more useful

Market Dynamics

SIEM SECURITY ANALYTICS THROUGH CORRELATION OF EVENTS, LOGS, TRAFFIC

Page 55:

Gigamon and Splunk FASTER TIME TO DISCOVERY AND RESPONSE, HIGHER ROI FROM SIEM AND IPS

High Value Use Cases

• NetFlow

• Extended metadata

• Complete visibility

• Manage from Splunk

• Filtering means only high-value data sent to Splunk

Page 56:

Customer Win – SLED

• Customer building a new data-center wants to design visibility in from the start

• Needs inline (future) and out-of-band tool ports

• Needs modular design that can grow

• Needs to integrate with Splunk

• 3 x GigaVUE-HC2

• 10Gb and 40Gb TAPs and SFPs

• Modular, scalable design

• Gigamon Visibility for Splunk App

• Deduplication and traffic filtering to minimize traffic to Splunk

• Evaluating metadata engine

HOW WE WON

DEAL

TECHNICAL

DIFFERENTIATORS

Page 57:

Advanced Threat Detection

Page 58:

• Made popular by FEYE, most advanced

• Heavy price pressure

• Many vendors and feature options

• Privacy concerns with cloud sandbox

• Performance is key, i.e. objects analyzed per hour

• Integration with forensics gives real impact analysis

Market Dynamics

Advanced Threat Detection MALWARE & APT DETECTION BY ANALYSIS OF PAYLOAD (EX. FILES, .EXE) IN A SANDBOX

Sandboxing Deployment Options

Page 59:

The FireEye + Gigamon Solution COST COMPETITIVE, SCALABLE, HIGH PERFORMING ATD W/ EASY FORENSICS TIE IN

[Diagram labels: FireEye Inline Tool Group, FireEye NX2400 (two), FireEye EX8400, GigaVUE-HC2, Side A, Side B]

High Value Use Cases

• Bypass

• Load balancing

• Visibility for more centralized deployments

• Handling asymmetric routing

• SSL decryption

• Workflow feed to SIEM

Page 60:

Customer Anecdote – Financial Services

• Gigamon and FireEye collaboration on design

• Efficient design to minimize initial investment in Gigamon and FireEye – with scalable growth plan

• 2 GigaVUE-HC2s

• Resolve asymmetric traffic issues

• Traffic distribution across interfaces

• Feed out-of-band tools same traffic

HOW WE WON

DEAL

TECHNICAL DIFFERENTIATORS


Today:

• SIEM is at the center of fast detection and response

• Integration with the security stack is key

• Getting SIEM and IH right is hard

• Needs the right data, not all data

The Cyber Security Operations Center FAST INCIDENT DETECTION AND HANDLING THROUGH INTEGRATION


GigaVUE HC2

AT THE HEART OF THE GIGASECURE® SECURITY DELIVERY PLATFORM

[Diagram labels: Internet | Edge Routers | Core Switches | SIEM Collector | NetFlow Generation | SSL Decryption | FireEye Malware Detection Systems | Application Session Filtering | Palo Alto Networks Next Gen Firewalls]


• Large international bank serving around 13 million customers

• Multi-phase deployment currently in-progress (phase 1: inline, phase 2: security analytics)

• Supporting multiple security tool deployments including FireEye, TippingPoint, Splunk and Palantir

• Two primary datacenters, multiple facilities both in country and international, cloud strategy

• Phase 1: Deployment of TippingPoint (inline) and FireEye (out-of-band) inside bank’s core network. GigaVUE-HC2 with inline bypass.

• Phase 2: Out-of-band Visibility Fabric™ into data centers and edge supporting bank’s SOC. HC2 + TA10.

• Phase 3: Visibility for VMware NSX

• Realized over $24M in savings with new visibility architecture

• Engagements for future expansions underway: AWS trials, SSL beta

Large International Bank BUILDING AN ENTERPRISE-WIDE SECURITY DELIVERY PLATFORM

BACKGROUND & CHALLENGE

APPROACH & SOLUTION

RESULTS & KEY BENEFITS


Deployment Diagram MORE TO COME

[Diagram, Phase 1: Phase 1 FM (Telstra-run) | Distribution 1, Hall 1 (Cisco 6509) | Distribution 2, Hall 2 (Cisco 6509) | Core 1 - Hall 1 (Cisco 6509) | Core 2 - Hall 2 (Cisco 6509) | TippingPoint 7500NX (x2) | FireEye NX10450 (x2) | Stack links to Phase 2]

[Diagram, Phase 2: Phase 2 FM (Bank-run) | DC1 | DC2 | G-TAP G’s and A’s in DC1 (Future: NSX and AWS) | G-TAP G’s and A’s in DC (Future: NSX and AWS) | Stack links from Phase 1 | Stack links from Phase 2 | Splunk | Palantir | Tactical | ArcSight | FPC (TBD) | Non-security tools]


Open Discussions

How to map features to different industries


Gigamon Features: VM Visibility | Inline Bypass | SSL Decrypt | De-duplication | DPI Filtering | NetFlow Generation | Slicing | Masking

Industries or Use Cases

• FSI

• Gov / Public Sector

• Education

• SPLUNK users (tools that are volume-based license)

• Cloud SP

• Cloud Application-based Billing

• Cisco ACI, VMware NSX

• Telco Cache Farm

• Usage-based Billing

• All other industries

Discussion Results