Non-Intrusive Out-of-Band Network Monitoring Utilizing a Data-Access Switch April 1, 2008
SHARKFEST '08 | Foothill College | March 31 - April 2, 2008
Patrick P. Leong, CTO | Gigamon Systems LLC
Agenda
• Recent changes in network monitoring
• Issues with traditional network tapping
• Data Access Network (DAN)
• Functions of a Data-Access Switch
• Example applications
• Summary
• Q & A
Recent Changes in Network Monitoring
9/11 spawned new security and lawful intercept requirements
Enron spawned new auditing and monitoring laws
New tools optimize E-commerce and internet applications
VoIP and media convergence make the network more strategic
Network is more valuable; Downtime is unacceptable
Result: Proliferation of Tools
New SOX compliance transaction monitors ---Keep your boss out of jail!
IDS Sensors detect external hacker attacks
NAC Appliance protects networks from inside ---From your own people!
Forensic recorders capture events and how the network is being used!
Configuration monitoring tools watch over network resources
Application and Network troubleshooting
Proliferation Causes Contention for Span Ports
Security and IT engineers seen here “negotiating” over a SPAN port
Other Issues
Packets belonging to the same flow may go through multiple parallel links e.g. Etherchannel
Difficulty in monitoring asynchronously routed mesh topologies
The tool cannot keep up with the incoming bandwidth --- many tools are software based e.g. Wireshark
Solution?
Data-Access Network (DAN)
What’s a DAN?
It’s an out-of-band monitoring network! Includes passive tools like:
Sensors,
Probes,
Monitors,
Recorders,
Analyzers,
and Access Switching
Example of a DAN
What’s new?
A new “Best Practice”
Part of the network infrastructure
Facilitates instrumentation of a network
Enterprise or Telco
What’s new is how data is fed to the tools
By a Data-Access Switch
Unobtrusive to the primary network
What problems do DANs solve?
Too Many Power Tools? Not Enough Sockets?
For Power Tools, use a Power Strip
Too Many Monitoring Tools? Not Enough Span Ports?
For Sensors/Monitors/Analyzers, Use a Data Access Switch
One Span port serves Many tools
Monitoring a Mesh Network?
If we deploy one tool per span port --- Lots of Hardware and Expensive !!!
Better to Distribute Connections with a DAN
Aggregate and filter flows to consolidated tools
DAN is out-of-band “Data Socket”
Part of the Reliable Network Infrastructure
• Plug-in multiple out-of-band tools – any tool to any data
• Unobtrusive tool changes – never touch the network
• Do moves, adds, changes at any convenient time
• Eliminates RSPAN
[Figure labels: Switch, Storage Area Network, Switch, Server Farm; “Data Socket”; Consolidated Tool Farm: Performance Monitor, Security IDS, Transaction Auditor, Forensic Recorder, Protocol Analyzer, Config Monitor]
DAN Solves Access Problems By
• Aggregating many links to any tool
• Multicasting any link to many tools
• Filtering data to map packets to tools
• Saving $$ Cap Ex and Op Ex budget$
Any to Any | Any to Many | Many to Any | Bit-Mask Filtering
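An added sketch (not from the slides and not Gigamon's implementation) of the aggregate, multicast and bit-mask-filter functions listed above, including one flow split across two parallel links being reassembled in order for the tool. Modeling a rule as an offset/mask/value triple is an assumption about how a bit-mask filter is expressed; the tool-port names, rules, timestamps and frames are constructed.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class MaskRule:
    offset: int        # byte offset into the frame
    mask: bytes        # bits the rule compares
    value: bytes       # required bits under the mask
    tool_ports: tuple  # any-to-many: one rule may feed several tools

    def matches(self, frame: bytes) -> bool:
        window = frame[self.offset:self.offset + len(self.mask)]
        if len(window) < len(self.mask):   # frame too short: never match
            return False
        return all((b & m) == (v & m) for b, m, v in zip(window, self.mask, self.value))

def forward(network_ports: dict, rules: list) -> dict:
    """Merge all network ports by timestamp (many-to-any), then map to tools."""
    merged = sorted((ts, f) for frames in network_ports.values() for ts, f in frames)
    tools = {}
    for _, frame in merged:
        ports = {p for r in rules if r.matches(frame) for p in r.tool_ports}
        for port in sorted(ports):         # frames matching no rule are dropped
            tools.setdefault(port, []).append(frame)
    return tools

def make_frame(proto, src, dst, sport, dport, ip_id=0):
    """Constructed sample: untagged Ethernet, 20-byte IPv4 header, L4 ports."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ip_id, 0, 64, proto, 0,
                     bytes(src), bytes(dst))
    return bytes(12) + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)

# Hypothetical rules; offsets assume the frame layout built by make_frame().
RULES = [
    MaskRule(36, b"\xff\xff", struct.pack("!H", 5060), ("voip",)),   # dst port 5060
    MaskRule(26, b"\xff\xff\x00\x00", bytes([10, 1, 0, 0]), ("ids", "recorder")),  # src 10.1/16
    MaskRule(23, b"\xff", b"\x06", ("recorder",)),                   # IP proto TCP
]

# Constructed traffic: one TCP flow split across two parallel links, plus noise.
WEB = [make_frame(6, (10, 1, 0, 5), (192, 0, 2, 8), 40000, 443, i) for i in range(4)]
SIP = make_frame(17, (172, 16, 0, 9), (192, 0, 2, 20), 5060, 5060)
SHORT = bytes(12) + b"\x08\x06" + bytes(14)   # 28-byte non-IP frame
LINKS = {
    "link-A": [(1, WEB[0]), (3, WEB[2]), (5, SIP)],
    "link-B": [(2, WEB[1]), (4, WEB[3]), (6, SHORT)],
}
if __name__ == "__main__":
    print({tool: len(frames) for tool, frames in forward(LINKS, RULES).items()})
```

Fixed offsets like these break on VLAN-tagged frames or IPv4 headers with options, so a rule set written this way needs a separate rule (or an adjusted offset) per encapsulation the tapped links carry.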
Example application: Telco Core
Example application: Telco Edge
Example Application: 10G Monitoring
[Figure labels: Core Switches (10G); Data Access Switch (Filter Rule #1, Filter Rule #2, Filter Rule #3); Monitoring Appliances (1G, 1G, 1G)]
Summary
A Data-Access Switch forms a Data-Access Network that:
• Provides non-intrusive, out-of-band network monitoring
• Resolves the insufficient span ports issue
• Reduces the number of tools deployed
• Can intelligently spread the network traffic to various tools
• Reduces the load of a particular tool via intelligent hardware-based filtering
• Provides a “Big Pipe” view of the mesh network