SHARKFEST '09 | Stanford University | June 15–18, 2009 Fundamentals of Passive Monitoring Access...

Fundamentals of Passive Monitoring Access
June 16, 2009
Dennis Carpio, Director of Product Innovation
SHARKFEST '09, Stanford University, June 15-18, 2009

Agenda

Goal: Present an overview of Tap technology and how network and security monitoring become more efficient and productive.
• Technology Drivers
• Network considerations for a Tap deployment
• Innovations in Tap technology
• Taps in your network
• Thank you and contact info

Technology Drivers

The increasing complexity of networks, proliferation of applications and the development of new technologies such as 10 Gigabit Ethernet are driving the demand for increased monitoring. Source: Frost & Sullivan

Forensics
• Compliance
• Lawful Intercept

Security
• Growing Threats
• Need for Stealth Monitoring

Analysis
• Convergence of Voice/Video/Data
• Demand for 10G

Traditional Access Methods

Method / Risks

Span Ports
• Can drop packets when switch is busy
• Does not pass critical Layer 1 and 2 errors
• Costs time and resources for switch reconfiguration

In-line
• Potential point of failure
• Expensive one-tool-to-one-link deployment
• Relocating the tool means link downtime

Hubs
• Not passive (power failure means link down)
• Half-duplex only
• No Gigabit or 10 Gigabit hubs

Passive Tap Technology

• Access 100% of your network traffic
• Passive fail-safe operation
• Intelligent failure-over
• Deployed as infrastructure
• Recommended by all leading tool vendors

| | Net Optics Tap | Span Port | In-line Device | Hub |
|---|---|---|---|---|
| Handles High Traffic Loads? | Yes | No | Maybe | No |
| Invisible to Attacks? | Yes | No | No | No |
| Remote Configuration? | Yes | Yes | Yes | No |
| 100% Traffic Visibility? | Yes | No | Yes | No |
| Full-Duplex Traffic? | Yes | Limited | Yes | No |
| Point of Failure? | No | No | Yes | Yes |

The Passive Monitoring Solution

Passive Access Devices
• One monitoring tool has passive access to one network link.
• Multiple groups and tools can share access to a network link.
• Tools can be assigned to any link or automatically scan all links.
• Tools can view traffic from multiple full-duplex links at one time.
• Prevent link downtime by connecting in-line appliances through fail-open Bypass Switches.
• View link utilization, traffic statistics, and alarms via front panel displays and remote interfaces even when a monitoring tool is not connected.
• Match traffic of interest to appropriate monitoring resources.
Network Taps
Regeneration Taps
Matrix Switches
Port & Link Aggregator Taps
Bypass Switches
Intelligent Tap Technology
Filtering Appliances

Copper & Fiber Taps

Secure, passive network access for monitoring devices on any network topology.

Features:
• Fiber Taps available in multiple split ratios; no power needed
• Fiber available for ATM / OC3, OC12, GigaBit and 10 GigaBit
• Support full-duplex monitoring
• Copper available in 10/100, 1G and 10/100/1G
• Zero Delay on 10/100BaseT Tap
• Rack-mountable (with the purchase of rack panels)

Benefits:
• Network traffic flows regardless of power availability to the Tap
• Monitoring devices can be used across multiple network links, preserving existing network connections
• Hardware becomes hidden from potential attackers, providing premium network security
• Access to all packet types on a link and errors from all layers
• Access to all packets on a full-duplex link, in real-time

[Pictured: 10 GigaBit SR Tap and 10/100/1000BaseT Tap]

Fiber Tap Split Ratios

What is a Split Ratio? A split ratio is the amount of light a Tap re-directs from the network to the monitor ports.
• For correct split ratio, a Loss (power) Budget should be calculated

What is a Loss (power) Budget and how do I calculate this? A Loss (power) Budget is the amount of attenuation that can be tolerated on the network and monitor links before the end-to-end data is corrupted.

To calculate, you must determine the following: Link Distance, Fiber Type, Launch Power, Receiver Sensitivity, number of interconnects and splices.

[Diagram: a Fiber Tap with a 50/50 Split Ratio on the link between a Router and a Switch. Optical Power = X enters the Tap; Optical Power = X/2 continues on the network link and Optical Power = X/2 goes to the Monitoring Device. Requirement: X/2 > Receiver Threshold Sensitivity.]
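
An added worked example, not part of the original slides: the loss budget check, generalized from the 50/50 case in the diagram to other split ratios and including fiber, connector and splice loss. The per-component loss figures, the sample link and all function names are assumptions; substitute values from the transceiver, cable and Tap datasheets.

```python
import math

# Assumed worst-case component losses; replace with datasheet values.
FIBER_DB_PER_KM = {"mm_850nm": 3.5, "sm_1310nm": 0.5}
CONNECTOR_DB = 0.75    # per mated connector pair
SPLICE_DB = 0.3        # per splice
TAP_EXCESS_DB = 0.0    # insertion loss beyond the ideal split (assumed 0)

# Constructed sample link, not taken from the slides.
LINK = dict(launch_dbm=-9.5, rx_sens_dbm=-17.0, fiber="mm_850nm",
            net_km=0.2, net_connectors=4, net_splices=0,
            mon_km=0.1, mon_connectors=3, mon_rx_sens_dbm=-17.0)


def split_loss_db(fraction):
    """Loss in dB on a tap output that receives `fraction` of the light."""
    if not 0.0 < fraction < 1.0:
        raise ValueError("fraction must be strictly between 0 and 1")
    return -10.0 * math.log10(fraction) + TAP_EXCESS_DB


def margin_db(launch_dbm, rx_sens_dbm, fiber, km, connectors, splices, fraction):
    """Received power minus receiver sensitivity; negative = budget exceeded."""
    loss = (FIBER_DB_PER_KM[fiber] * km + CONNECTOR_DB * connectors
            + SPLICE_DB * splices + split_loss_db(fraction))
    return launch_dbm - loss - rx_sens_dbm


def evaluate_tap(network_pct, launch_dbm, rx_sens_dbm, fiber, net_km,
                 net_connectors, net_splices, mon_km, mon_connectors,
                 mon_rx_sens_dbm):
    """(network margin, monitor margin) in dB for a network/monitor split.

    net_km and mon_km are total fiber lengths from the transmitter to the
    far-end receiver and to the monitoring device, respectively.
    """
    frac = network_pct / 100.0
    net = margin_db(launch_dbm, rx_sens_dbm, fiber, net_km,
                    net_connectors, net_splices, frac)
    mon = margin_db(launch_dbm, mon_rx_sens_dbm, fiber, mon_km,
                    mon_connectors, 0, 1.0 - frac)
    return round(net, 2), round(mon, 2)


def usable_splits(candidates=(50, 60, 70, 80, 90), **link):
    """Network-side percentages that keep both receivers above sensitivity."""
    return [p for p in candidates if min(evaluate_tap(p, **link)) > 0]
```

On the sample link a 70/30 split leaves the production receiver with margin but puts the monitoring device below its sensitivity, so the sensor would see a corrupted or dark feed while the link itself looks healthy.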

Fiber Specifications

Emerging 10 GigaBit technology may require upgrades to existing networks.

| Speed | Type | Fiber | Wavelength | Distance |
|---|---|---|---|---|
| 1 GigaBit | 1GB-SX | 62.5µ or 50µ multimode fiber | 850nm | 220m distance with 62.5µ fiber, up to 550m with 50µ fiber |
| 10 GigaBit | 10GB-SR | 62.5µ or 50µ multimode fiber | 850nm | 33m distance with 62.5µ fiber, up to 300m with 50µ laser-optimized fiber |
| 1 GigaBit | 1GB-LX | G.652 fiber | 1310 nm | Up to 15 kilometers |
| 10 GigaBit | 10GB-LR | G.652 fiber | 1310 nm | Up to 10 kilometers |
| 1 GigaBit | 1GB-ZX | G.652 fiber | 1550 nm | Up to 70 kilometers |
| 10 GigaBit | 10GB-ER | G.652 fiber | 1550 nm | Up to 40 kilometers |

10/100 Zero Delay Technology

Technology that eliminates the 10 ms delay added to traffic in other Taps when power is lost.

This short delay can cascade into longer delays if routers and switches need to renegotiate the link.

Zero Delay ensures:
• No dropped packets
• No latency is introduced
• Power loss to the Tap undetectable to network

Net Optics Products with Zero Delay
• 10/100BaseT Taps
• 10/100BaseT Regeneration Taps
• 10/100BaseT Link Aggregator Taps

Port Aggregator Taps

Typically, full-duplex monitoring with a network tap requires two NICs (or a dual channel NIC) – one interface for each side of the tapped full-duplex connection. A port aggregator Tap combines these streams, sending all aggregated data out a single passive monitoring port.

Features:
• Available for 10/100BaseT, GigaBit copper and GigaBit fiber monitoring devices
• Supplies full-duplex traffic to a single NIC on the monitoring device
• DIP switch sets auto-negotiation or fixed speed duplexing
• 256MB buffer memory controls traffic bursts
• Available with 2 monitor port option

Benefits:
• Zero network data stream interference
• Network Traffic flows regardless of power availability to the tap
• Hardware becomes hidden from potential attacks, providing premium network security
• Access to all packet types on a link and errors from all layers
• Enable 24/7 passive monitoring
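
An added example, not part of the original slides: a simplified per-second model of a port aggregator feeding both directions of a full-duplex link into one monitor port through the 256MB buffer, to show when a burst outlasts the buffer and the monitoring tool starts missing traffic. The function name, the binary reading of "256MB" and the traffic samples are assumptions.

```python
# 256MB buffer from the slide; binary megabytes assumed.
BUFFER_BYTES = 256 * 1024 * 1024

# Constructed per-second link utilization in Mbps: (A-to-B, B-to-A).
SAMPLE = [(300, 200), (900, 900), (900, 900), (900, 900),
          (100, 100), (100, 100), (100, 100)]


def simulate(samples_mbps, monitor_mbps=1000, buffer_bytes=BUFFER_BYTES):
    """Replay both directions of a link through a single monitor port.

    Returns (peak buffered bytes, dropped bytes, seconds in which drops occurred).
    """
    drain = monitor_mbps * 1_000_000 // 8    # bytes the monitor port can send per second
    queued = peak = dropped = 0
    drop_seconds = []
    for second, (a_to_b, b_to_a) in enumerate(samples_mbps):
        arriving = (a_to_b + b_to_a) * 1_000_000 // 8
        # The buffer grows only while the combined rate exceeds the port rate.
        queued = max(0, queued + arriving - drain)
        if queued > buffer_bytes:
            # Overflow: the excess never reaches the monitoring tool.
            dropped += queued - buffer_bytes
            drop_seconds.append(second)
            queued = buffer_bytes
        peak = max(peak, queued)
    return peak, dropped, drop_seconds


def burst_tolerance_s(total_mbps, monitor_mbps=1000, buffer_bytes=BUFFER_BYTES):
    """Seconds a sustained combined rate can be absorbed before drops begin."""
    excess = (total_mbps - monitor_mbps) * 1_000_000 / 8
    return float("inf") if excess <= 0 else buffer_bytes / excess
```

In the sample, a 1.8 Gbps combined burst into a 1 Gbps monitor port fills the buffer in under three seconds; comparing the drop seconds against sensor alert gaps is one way to tell tap oversubscription from a quiet network.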

In-Line Regeneration Taps

Maximize resources and save on access points when multiple devices can monitor link traffic simultaneously through a Regeneration Tap. Secure, passive access for multiple devices means a better return on monitoring investments.

Features:
• 10/100Mbps auto-sensing, GigaBit or 10GigaBit speeds available
• DIP switch controlled duplex and speed settings (copper)
• Redundant power supplies
• Available in 2, 4, and 8 monitor port models, copper and fiber

Benefits:
• Network traffic flows regardless of power availability to the Tap
• Hardware is hidden from potential attackers, providing premium network security
• Access to all packet types on a link and errors from all layers

Link Aggregator

Link Aggregator Taps extend the reach of GigaBit monitoring devices to traffic from multiple Span ports. Aggregating the traffic from multiple switch Span ports greatly increases the coverage of monitoring devices.

Features:
• Use 1G tools on 10G Links
• Aggregate 1G Links to 10G Tools
• Monitor up to 10 Network Links
• Replicate Traffic to 4 Tools

Benefits:
• Increase Tool ROI
• Use 10G Tools Efficiently
• Monitor More Links Simultaneously
• Share Traffic Access

iTap Technology
Benefits:
• Centralized and remote management
• Enhanced capability
• Better resource utilization
• Increased network visibility
Information
Control
Access
Features:
• SNMP integration
• Passive monitoring / invisible to attacks
• Utilization statistics

Data Monitoring Switch
Value - Any-to-Any / Many-to-Many connectivity, filtering to enhance tool performance and speed problem solving.

Director™

Benefits:
• Relieve Oversubscribed Tools
• Centralize Data Monitoring
• Leverage Tool Investments
• Increased Network Visibility

Features:
• TapFlow™ Multi-Layer Filtering
• Industry's Highest Port Density
• Passes all errors including CRC
• High-speed 10 & 1 Gigabit Ports

Software Management
System Manager, Web Manager & CLI

Management Software Options
• Web - single device mgmt
• GUI - MAP wide visibility
• Command Line Interface

Track Link Information
• Identify bandwidth utilization peaks
• Baseline traffic statistics

Control Access to the Data
• Enable/disable monitor ports
• Reset alarm triggers

Security (Q2 '09)
• SNMPv3
• RADIUS/TACACS+

[Screenshots: CLI, System Manager, Web Manager]

Financial Case Study
Multi-station Taps

Industry: Finance

Objective: Provide non-intrusive, zero-latency visibility into network traffic enabling trading transactions to be captured and network issues to be resolved quickly and accurately

Approach: Tap into the network with Net Optics multi-station fiber and copper Taps

Technology Improvements:
• 100 percent direct in-line traffic visibility in real time without latency or impact on real-time applications
• Ability to record transactions for event reconstruction to resolve differences between the Exchange and its members
• Ability to analyze traffic from multiple vantage points throughout the network simultaneously

Business Outcomes:
• Improved network reliability from “four nines” (99.99% up time) to five nines (99.999% up time) in first year
• Achieved virtually 100% up time by the end of the third year
• Improved end user satisfaction by consistently providing more reliable low-latency access into equities, equity options, and futures markets

Financial Solution

Government Case Study
Multi-station Taps

Industry: Government

Objective: Provide non-intrusive visibility into network traffic to support remote diagnostics

Approach: Tap into the network with Net Optics multi-station fiber and copper Taps

Technology Improvements:
• 100 percent direct in-line traffic visibility in real time without latency or traffic impact
• Deployment of automated tools and control mechanisms
• Ability to troubleshoot and develop solutions remotely

Project Outcomes:
• Frequent resolution of issues before users are impacted
• Reduction in number of field services calls dispatched
• Significantly lowered MTTR
• Improved end user satisfaction

Government Solution

InteropNet Case Study
Director™

Industry: Information Technology

Objective: Provide pervasive monitoring access for InteropNet, the high‑performance network serving the Interop Las Vegas and New York conferences

Approach: Tap into the InteropNet with an expanded multi-unit system of Net Optics Director Data Monitoring Switches

Technology Improvements:
• Ability to connect any feed to any monitoring tool
• Reduced access solution footprint
• Aggregation of feeds down to a single pair
• Remote visibility and control

Business Outcomes:
• Confident of delivering “101” uptime at Interop
• Number of help desk tickets reduced
• Tickets closed faster (MTTR lowered)
• No open tickets or unsolved cases

InteropNet Solution

[Diagram: InteropNet production network (orange and dotted lines) and SpyNet (purple lines) with five Net Optics Director Data Monitoring Switches]

A Monitoring Access Platform

Build an infrastructure with a strong platform

[Diagram labels: Core, Workgroup, Edge, Data Center]

Net Optics Overview

Customers
• 82% of the Fortune 100
• 45% of the Fortune 500
• 5700 Global Customers
• 5 New Customers Every Week

Highlights
• Founded in 1996 by Eldad Matityahu
• 50 Quarters of Growth & Profitability
• 40K Sq. Ft. Santa Clara, CA Corporate HQ and Manufacturing Facility
• Private Company, No VC funding and 90 Employees

Thank You
www.netoptics.com
(408) 737-7777