Webinar - Enabling Inline Security with SDN Fabrics

Weekly Q&A Webinar April 29, 2015

Transcript of Webinar - Enabling Inline Security with SDN Fabrics


Page 2: Webinar - Enabling Inline Security with SDN Fabrics

WEEKLY Q&A WITH BIG SWITCH

Housekeeping

© 2015, BIG SWITCH NETWORKS, INC.

When:
•  Every Wednesday, 10 am PDT
•  Duration: 30 minutes

Free Online Hands-on Lab: labs.bigswitch.com

Where:
•  www.bigswitch.com/webinars

Page 3: Webinar - Enabling Inline Security with SDN Fabrics

Big Tap: Enabling Inline Security with SDN Fabrics

Praful Bhaidasna, Dir. Product Management, Big Switch Networks

Mostafa Mansour, Technical Marketing, Big Switch Networks

Page 4: Webinar - Enabling Inline Security with SDN Fabrics

BIG TAP MONITORING FABRIC - PASSIVE

MODERN NEXT-GENERATION VISIBILITY FABRIC ARCHITECTURE

[Figure: monitoring fabric architecture. Labels: Big Tap Controllers (HA pair); Visibility Tools (Network Perf Monitoring, Application Perf Monitoring, Security Tools, VoIP Monitoring); Production Network TAP & SPAN Ports; Workloads; 1/10/40G Ethernet Switch Fabric; Filter Ports; Service Ports; Delivery Ports; Optional NPB; Tap Every Rack; Pervasive Security; Tap Every Location (4G / LTE).]

The industry’s only open switch SDN data center monitoring fabric

Box by Box

Single “Logical” Switch (Zero-touch, Dramatic TCO reduction)

Switches: 1RU, High-Density – 1G/10G/40G

Simple: Centralized, Single Pane of Glass

Scalable: Any Tap to Any/Every Tool

Resilient: Headless Mode Operations

Flexible: Up to a few thousand ports

Economical, Feature-rich, Programmable

Page 5: Webinar - Enabling Inline Security with SDN Fabrics

AN ENTERPRISE TOOL FARM

(actual customer diagram) (Featuring Tap Every Rack use-case)

NPB costs were reduced by more than 60% while increasing monitoring network capacity multi-fold

[Figure: customer diagram. Labels: Centralized Tool Farm; TOR (x2); Server Rack.]

Page 6: Webinar - Enabling Inline Security with SDN Fabrics


“We do a lot of packet aggregation for our monitoring tools and security stuff. We have a number of packet analysis tools and we were using Gigamon to gather packets, but when you want to gather packets from everywhere that price point gets too high. So we decided to go with a white box solution and Big Tap from Big Switch to gather packets and forward them to the tools as needed. We’re using software-defined networking first in non-production, in our monitoring space, and evaluating where we want to go next. It’s done well for us. We used it through our first peak of tax year 2014, which was in early February...”

-Ted Turner, Sr. Network Engineer

Intuit

CUSTOMER TESTIMONIAL EXCERPT

For complete article visit: http://www.networkworld.com/article/2901382/application-performance-management/when-intuit-s-network-gets-taxed-it-turns-to-riverbed-performance-management-tools.html

- Mentioned In NetworkWorld Article

Page 7: Webinar - Enabling Inline Security with SDN Fabrics

BIG TAP INLINE – FOR DMZ VISIBILITY & PROTECTION

LEGACY Solution CHALLENGES

•  Complex and Expensive
   -  Complex, error-prone PBRs are needed
   -  Box-by-box managed configuration
   -  Utilizes expensive switch/router ports

•  Tool Chaining
   -  Chain multiple tools together
   -  Ability to mark certain tools as optional
   -  Define direction-specific chains, optionally

•  Tool Oversubscription
   -  Higher data bandwidth to lower bandwidth tools

•  Tool Load Balancing
   -  Load balance multiple instances of a tool

•  Tool Performance
   -  Send only relevant traffic to the tools
   -  Drop marked flows (e.g. DDoS)

•  Network Availability
   -  Network up and secure even if a tool goes down
   -  Unaffected during tool upgrade

[Figure: legacy DMZ deployment. Labels: Internet; DMZ; Legacy; Trusted; Untrusted; Inline Tools (Firewall, IPS, Web Proxy).]

Page 8: Webinar - Enabling Inline Security with SDN Fabrics

BIG TAP INLINE – FOR DMZ VISIBILITY & PROTECTION

LEGACY
•  Complex & Expensive
•  Limited Tool Optimization
•  Operational Challenges

BIG TAP INLINE
✓  Simple & Economical
✓  Enhanced Tool Optimization
✓  Clear Role Separation between network and security admins

[Figure: legacy and Big Tap Inline DMZ deployments side by side. Labels: Internet; DMZ; Trusted; Untrusted; 1/10/40G Switches; Inline Tools (Firewall, IPS, Web Proxy); Traffic Distribution / Load Sharing; Big Tap Controllers (HA pair); ACL-based SPAN; Passive Tool Farm.]

Page 9: Webinar - Enabling Inline Security with SDN Fabrics

BIG TAP INLINE – NETWORK HA

Tool Link / Switch / Production Link Failure
•  Traffic is forwarded through Switch B (assuming the tool is mandatory), if:
   -  Either of the links to the tool fails (from Switch A), or
   -  Switch A fails, or
   -  Tool health check from Switch A fails

Controller Failure
•  No adverse impact to forwarding traffic even when one or both of the controllers fail

Maintain Network Security
•  Since traffic through Switch B goes through the tool, the network continues to be secure. (Security is not bypassed)

[Figure: network HA topology. Labels: Internet; DMZ; Trusted; Untrusted; LAG (active-active load balancing); Inline Tool (Antivirus); 1/10/40G Big Tap Inline Switch A; 1/10/40G Big Tap Inline Switch B; Big Tap Controllers (HA pair).]

Page 10: Webinar - Enabling Inline Security with SDN Fabrics

BIG TAP INLINE – TOOL HA / LB / OVERSUBSCRIPTION

Tool Investment Protection
•  Traffic may be load-balanced across multiple, older lower-bandwidth tools (resolving over-subscription issues).

Tool Instance Failure
•  Traffic is load-balanced through the remaining instances if one tool instance fails
•  Supports marking a tool as optional. An optional tool gets automatically skipped if it goes down.

[Figure: tool HA topology. Labels: Internet; DMZ; Trusted; Untrusted; LAG (active-active load balancing); Inline Tools (Antivirus); 1/10/40G Switches; Big Tap Controllers (HA pair).]
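
The failover rules from the Network HA and Tool HA slides as a Python model (an added example, not Big Switch code or Big Tap configuration syntax). The `Tool` class, function names, instance names and sample flow are hypothetical; the slides do not say what happens when a mandatory tool is down on every switch, so the model returns no path in that case.

```python
import zlib
from dataclasses import dataclass

@dataclass
class Tool:
    name: str
    optional: bool   # optional tools are skipped when down (Tool HA slide)
    healthy: dict    # switch name -> instances passing that switch's health check

def pick_instance(instances, flow):
    """Load-balance: hash the flow onto one of the remaining healthy instances."""
    key = "|".join(str(f) for f in flow).encode()
    return instances[zlib.crc32(key) % len(instances)]

def resolve(chain, switch, flow):
    """Hops for this flow on one switch, or None if a mandatory tool is down there."""
    hops = []
    for tool in chain:
        up = tool.healthy.get(switch, [])
        if up:
            hops.append((tool.name, pick_instance(up, flow)))
        elif not tool.optional:
            return None          # never forward past a failed mandatory tool
    return hops

def forward(chain, flow, live_switches=("A", "B")):
    """Try switch A first, then B; return (switch, hops) or (None, [])."""
    for switch in ("A", "B"):
        if switch in live_switches:
            hops = resolve(chain, switch, flow)
            if hops is not None:
                return switch, hops
    return None, []              # behaviour here is not specified on the slides

# Constructed sample data (hypothetical names and addresses).
FLOW = ("198.51.100.7", 51514, "203.0.113.10", 443, "tcp")

def demo_chain(ips_on_a):
    return [
        Tool("ips", optional=False, healthy={"A": ips_on_a, "B": ["ips-3"]}),
        Tool("antivirus", optional=True, healthy={"A": [], "B": ["av-1"]}),
    ]

if __name__ == "__main__":
    print(forward(demo_chain(["ips-1", "ips-2"]), FLOW))  # A; antivirus skipped
    print(forward(demo_chain(["ips-2"]), FLOW))           # A; remaining instance
    print(forward(demo_chain([]), FLOW))                  # fails over to B
    print(forward(demo_chain(["ips-1"]), FLOW, ("B",)))   # switch A down
```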

Page 11: Webinar - Enabling Inline Security with SDN Fabrics


BIG TAP INLINE – TOOL CHAINING

•  Supports chaining of multiple security tools inline in the production network

•  Support Multiple “chains”

•  Support different tools in the chain in the reverse direction

•  Support unidirectional / bidirectional chain

[Figure: tool chaining topology. Labels: Internet; DMZ; Trusted; Untrusted; LAG (active-active load balancing); Inline Tools; 1/10/40G Switches; Big Tap Controllers (HA pair).]

Page 12: Webinar - Enabling Inline Security with SDN Fabrics

BIG TAP INLINE – FEATURE HIGHLIGHTS

Single Pane of Glass
•  Single Controller manages Big Tap and Big Tap Inline

SPAN user-defined flows
•  Supports selective SPAN on ingress to Big Tap Passive

Improves Tool performance
•  Supports enhanced filtering (DPM)
•  Drop marked flows

Tool Health
•  Supports inline Tool Health check

[Figure: Big Tap Inline with Big Tap Passive. Labels: Internet; DMZ; Trusted; Untrusted; 1/10/40G Switches; Inline Tools (Firewall, IPS, Web Proxy); Traffic Distribution / Load Sharing; ACL-based SPAN; Big Tap Passive (Filter Ports, Service Ports, Delivery Ports); Centralized Passive Tool Farm; Big Tap Controllers (HA pair).]

Page 13: Webinar - Enabling Inline Security with SDN Fabrics

DEMO

Mostafa Mansour Technical Marketing, Big Switch Networks

Page 14: Webinar - Enabling Inline Security with SDN Fabrics

BIG CHAIN – DEMO TOPOLOGY

1.  Create Service/Tool Profile

2.  Create a SPAN (optional)

3.  Create a Chain & Assign Services/Spans

[Figure: demo topology. Labels: Trusted; Untrusted; 1/10/40G Big Tap Inline Switch A; Big Tap Controller Cluster.]

Page 15: Webinar - Enabling Inline Security with SDN Fabrics

BIG CHAIN – DEMO TOPOLOGY

1st STEP:

•  Define Service profile
   -  Traffic Rules
   -  Health Check

[Figure: demo topology. Labels: Trusted; Untrusted; Inline Tool (Antivirus); Big Tap Controller Cluster.]

Page 16: Webinar - Enabling Inline Security with SDN Fabrics

BIG CHAIN – DEMO TOPOLOGY

2nd STEP:

•  Insert More services/Tools

[Figure: demo topology. Labels: Trusted; Untrusted; Inline Tool; Antivirus; IPS; Big Tap Controller Cluster.]

Page 17: Webinar - Enabling Inline Security with SDN Fabrics

BIG CHAIN – DEMO TOPOLOGY

3rd STEP:

•  Add ACL Based Span Service

[Figure: demo topology. Labels: Trusted; Untrusted; Inline Tool; Antivirus; IPS; Big Tap Controller Cluster.]

Page 18: Webinar - Enabling Inline Security with SDN Fabrics

BIG CHAIN – DEMO TOPOLOGY

4th STEP: Create a chain with two end-points

•  Create service Instances
•  Attach Service Instance & Span

[Figure: demo topology. Labels: Trusted; Untrusted; eth 12; Port-channel 1; Big Tap Controller Cluster.]

Page 19: Webinar - Enabling Inline Security with SDN Fabrics

BIG CHAIN – DEMO TOPOLOGY

4th STEP: Create a chain with two end-points

•  Create service Instances
•  Attach Service Instance & Span

[Figure: demo topology. Labels: Trusted; Untrusted; eth 12; Port-channel 1; Antivirus; eth 22; eth 21; eth 16; eth 15; Big Tap Controller Cluster.]

Page 20: Webinar - Enabling Inline Security with SDN Fabrics

BIG CHAIN – DEMO TOPOLOGY

4th STEP: Create a chain with two end-points

•  Create service Instances
•  Attach Service Instance & Span

[Figure: demo topology. Labels: Trusted; Untrusted; eth 12; Port-channel 1; Antivirus; eth 22; eth 21; eth 16; eth 15; eth 47 SPAN Instance; Big Tap Controller Cluster.]

Page 21: Webinar - Enabling Inline Security with SDN Fabrics

BIG CHAIN – DEMO TOPOLOGY

5th STEP:

•  Repeat the same configuration on the other switch

[Figure: demo topology. Labels: Trusted; Untrusted; Inline Tool; Antivirus; IPS; LAG (active-active or active standby); Big Tap Controller Cluster.]

Page 22: Webinar - Enabling Inline Security with SDN Fabrics

WEEKLY Q&A WITH BIG SWITCH

Wrap-Up

Product Launch Webinars – Watch your email for details

Watch: Past Webinars

Free Trial: Online Lab

Deploy: Starter Kits

Page 23: Webinar - Enabling Inline Security with SDN Fabrics

Thank You