Webinar - Enabling Science DMZ Deployments
Transcript of Webinar - Enabling Science DMZ Deployments
Big Monitoring Fabric: Enabling Science DMZ Deployments
WEBINAR PRESENTATION
DECEMBER 02, 2015
WEEKLY Q&A WITH BIG SWITCH - Housekeeping
2 © 2015, BIG SWITCH NETWORKS, INC.
When: Every Wednesday, 10 am PDT. Duration: 30 minutes.
Free Online Hands-on Lab: labs.bigswitch.com
Where: www.bigswitch.com/webinars
ENABLING SCIENCE DMZ DEPLOYMENTS WITH BIG MON - INLINE
PRAFUL BHAIDASNA, DIRECTOR, PRODUCT MANAGER
MOSTAFA MANSOUR, SR. TECHNICAL MARKETING ENGINEER
AGENDA
• Big Mon Overview
• Science DMZ Use-case
• Demo
• Academic Promotions
HYPERSCALE DATA CENTER R&D LEADERSHIP
They Are Leading the Charge
(diagram) From: Complex (Box-by-Box), Proprietary, Expensive. To: Simple, Automated, Open Network HW, Lowest TCO.
WHAT DOES BIG SWITCH DO?
Help you get from Here to There
We build SDN Software...
(to reduce Complexity)
Open-networking enables rapid innovation and customer choice eliminating HW/SW vendor lock-in
... To build monitoring fabrics and cloud fabrics
(to deliver cost-effective Production-grade SDN)
Big Monitoring Fabric
Big Cloud Fabric
... That runs on Open Vendor Switch HW
(to reduce cost)
BIG MONITORING FABRIC
Simple, Scalable, Economical
Simple:
• Simple to Provision
• Simple to Troubleshoot
• Simple to Add/Remove
• Programmatic & Automated
Scalable:
• 1/10/40G Performance
• Monitor Any Rack (1000’s of Links)
• Monitor Any Location
• Elastic Infrastructure
Economical:
• Over 60% Reduction in Total Cost of Ownership
• Reduced CapEx
• Reduced OpEx
Service node functions:
• De-duplication
• Packet Slicing
• Regex Match
(diagram: Big Monitoring Fabric attached to a production network of any vendor, with Big Mon and 3rd-party service nodes / NPB)
BIG MONITORING FABRIC: OUT-OF-BAND
MODERN NEXT-GENERATION VISIBILITY FABRIC ARCHITECTURE
Tap Every Rack
Pervasive Security
Tap Every Location 4G / LTE
The industry’s only open switch SDN data center monitoring fabric
Single “Logical” Switch (Zero-touch, Dramatic TCO reduction)
Switches: 1RU, High-Density – 1G/10G/40G
Simple: Centralized, Single Pane of Glass
Scalable: Any Tap to Any/Every Tool
Resilient: Headless Mode Operations
Flexible: Up to a few thousand ports
Economical, Feature-rich, Programmable
(diagram: the Big Monitoring Fabric Controller manages a 1/10/40/100G* Ethernet switch fabric. TAP & SPAN ports and filter ports bring traffic in; service ports attach a Big Mon Service Node and 3rd-party service nodes; delivery ports feed a centralized tool farm of visibility tools: network performance monitoring, application performance monitoring, security tools and VoIP monitoring.)
PERVASIVE SECURITY – TAP/SPAN EVERY RACK
(actual customer diagram) Tier-1 US Financial Services Institution
• Centralized tool farm for 120 racks
• Mix of 1GE, 10GE and 40GE TAPs, SPANs, and Tools
• NPB costs were reduced by more than 60% while increasing monitoring network capacity multi-fold
CUSTOMER VALIDATIONS
Source: http://www.networkworld.com/article/2901382/application-performance-management/when-intuit-s-network-gets-taxed-it-turns-to-riverbed-performance-management-tools.html
“…We have a number of packet analysis tools and we were using Gigamon to gather packets, but when you want to gather packets from everywhere that price point gets too high…
So we decided to go with a white box solution and Big Tap from Big Switch to gather packets and forward them to the tools as needed. We’re using software-defined networking first in non-production, in our monitoring space, and evaluating where we want to go next. It’s done well for us. We used it through our first peak of tax year 2014, which was in early February…”
- Ted Turner, Sr. Network Engineer
BIG MONITORING FABRIC: INLINE
MODERN NEXT-GENERATION DMZ SECURITY ARCHITECTURE
The industry’s only open switch SDN inline security solution
Switches: 1RU, High-Density – 1G/10G/40G
Support tool load-balancing, chaining
Resilient: Headless Mode, Tool failures
Clear role separation (NetOps, SecOps)
Economical, Feature-rich, Programmable
(diagram: Big Mon Inline switches (1/10/40G) sit between the Internet (untrusted) and the DMZ (trusted); inline tools – firewall, IPS, web proxy – receive traffic through traffic distribution / load sharing; an HA pair of Big Monitoring Fabric controllers manages the fabric; an ACL-based SPAN feeds an out-of-band tool farm. Use cases shown: DMZ / Extranet Security, Science DMZ.)
INLINE – FEATURE HIGHLIGHTS
• Single Pane of Glass: a single controller manages Big Mon Out-of-Band as well as Inline
• SPAN user-defined flows: supports selective SPAN on ingress to Big Mon Out-of-Band
• Improves Tool performance: supports enhanced filtering (DPM); drop marked flows
• Tool Health: supports inline Tool Health check
• Fail Open / Fail Close: skip Tool if down
• Symmetric / Asymmetric Tools: different Tools in the chain in the reverse direction
(diagram: Big Mon Inline switches (1/10/40G) between the Internet (untrusted) and the DMZ (trusted), with inline tools – firewall, IPS, web proxy – under traffic distribution / load sharing; an ACL-based SPAN sends selected traffic through the Big Mon Out-of-Band filter, service and delivery ports to a centralized out-of-band tool farm; the whole fabric is managed by an HA pair of Big Monitoring Fabric controllers.)
SWITCH HARDWARE SUPPORT
Open Switch Vendor | 1G         | 10G Trident/Trident+ | 10G Trident-II          | 40G Trident-II          | 100G* Tomahawk
Dell               | -          | S4810-ON             | S4048-ON                | S6000-ON                | Z9100-ON
Accton             | AS4600-54T | AS5610-52X           | AS5710-54X, AS5712-54X  | AS6700-32X, AS6712-32X  | AS7712
Quanta             | T1048-LB9  | T3048-LY2            | -                       | -                       | -
* 100G based switches coming soon – Q1CY16
100G SWITCH SUPPORT
• Open vendor, low cost, high-density, 1RU (32 x 100G) switches
• Cut-through, non-blocking, line-rate switching fabric with sub-usec latency
• Supports port-side intake/egress airflow
• Uses BRCM Tomahawk ASIC
• Supports 10G/25G/40G/50G/100G
Capable break-out options:
• 32 ports of 100G (no breakout)
• 64 ports of 50G
• 32 ports of 40G
• 128 ports of 25G
• 128 ports of 10G
(pictured: Accton AS7712-32X, Dell Z9100-ON)
* 100G based switches coming soon – Q1CY16
SCIENCE DMZ USE-CASE
(diagram: Big Mon Inline switches between the Internet (untrusted) and the DMZ (trusted); ports 15, 16, 17, 18 on the inline switches attach Tool 1 - Firewall, Tool 2 - IPS and Tool 3 - IDS; an HA pair of Big Monitoring Fabric controllers programs the switches.)
1. Whitelisted Traffic Notification (REST API)
2. Invoke Big Mon Controller REST API
3. Auto-program whitelist rules on the switches
Tool 1 - Firewall: Bypass Whitelisted Traffic
INLINE – SERVICE INTERFACE SHARING
Lower CAPEX, Improve Tool Utilization
• Allows sharing of the same service/tool interfaces across multiple chains.
• Packets will be QinQ tagged to determine which chain the packet came from.
(diagram: Big Mon Inline switches between the Internet (untrusted) and the DMZ (trusted))
Chain C1: Endpoints 1, 21; Service Ports 15, 16
Chain C2: Endpoints 2, 22; Service Ports 15, 16
Shared Tool: the same tool/service interfaces connected to 15, 16 are shared by both chains C1 and C2
Big Mon – Inline Demo For DMZ Security
Mostafa Mansour, Technical Marketing, Big Switch Networks
BMF INLINE SETUP
(diagram: Big Mon Inline switches between the Internet (untrusted) and the DMZ (trusted))
BMF INLINE SETUP
Create a chain (bump-in-the-wire)
(diagram: chain endpoints eth 11 and eth 12 on the inline switches between the Internet (untrusted) and the DMZ (trusted))
BMF INLINE SETUP
Create a Service Profile (Tool): Service 1 - FW, interested in all traffic except elephant flows (whitelist), i.e. all traffic except src-ip 2.2.2.2 (non-whitelisted, mice flows)
(diagram: chain endpoints eth 11 and eth 12; service ports 20, 21 attach the FW)
BMF INLINE SETUP
Create a Service Profile (Tool): Service 1 - FW, interested in all traffic except elephant flows (whitelist). A packet with src-ip 2.2.2.2 (whitelisted, elephant flow) bypasses the FW.
(diagram: service ports 20, 21)
BMF INLINE SETUP
Add more tools: Service 1 - FW, interested in all traffic except elephant flows (whitelist); Service 2 - DDOS, only interested in all traffic
(diagram: service ports 20, 21)
BMF INLINE SETUP
Add more tools: Service 1 - FW, interested in all traffic except elephant flows (whitelist); Service 2 - DDOS, only interested in all traffic
Create an ACL-based SPAN: traffic is spanned from eth 30 into Big Tap Out-of-Band (filter ports, service ports, delivery ports) and on to the out-of-band tool farm (e.g., IDS)
(diagram: service ports 20, 21 for the inline tools)
BMF INLINE SETUP
Add more tools: Service 1 - FW, interested in all traffic except elephant flows (whitelist); Service 2 - DDOS, only interested in all traffic
Create an ACL-based SPAN: traffic is spanned from eth 30 into Big Tap Out-of-Band (filter ports, service ports, delivery ports) and on to the out-of-band tool farm (e.g., IDS)
BMF Controllers (HA pair): the whitelist traffic is pushed to the controllers through the REST API
BMF INLINE DEMO - SUMMARY
(diagram: BMF Inline switches between the Internet (untrusted) and the DMZ (trusted); Service 1 - FW, interested in all traffic except elephant flows (whitelist); Service 2 - DDOS, only interested in all traffic)
1. Create “FW” Service Profile: skip whitelist traffic (src-ip 2.2.2.2)
2. Create a Chain
3. Attach the Service Profiles
4. Create a SPAN (optional)
NOTE: Whitelist traffic can be configured manually or automatically from Globus or Aspera through REST API
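The demo steps above and the QinQ-based service interface sharing from the earlier slide, modelled as an added Python example (not Big Switch code, and not the Big Mon controller's actual REST API): a firewall profile that skips the whitelisted elephant flow from src-ip 2.2.2.2 while the DDoS tool still sees everything, and two chains sharing one tool port that are told apart by a constructed outer QinQ tag. The names `build_tag_table`, `add_whitelist`, `traverse`, the tag values 101/102 and the sample packets are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
@dataclass
class Service:
    name: str
    whitelist: set = field(default_factory=set)  # src prefixes that bypass this tool

    def wants(self, pkt):
        """A tool sees every packet except those from a whitelisted source."""
        return not any(ip_address(pkt["src"]) in ip_network(p) for p in self.whitelist)

@dataclass
class Chain:
    name: str
    outer_vlan: int  # constructed QinQ tag identifying this chain on shared tool ports
    services: list   # ordered tools between the chain's two endpoints

def build_tag_table(chains):
    """Controller-side map outer tag -> chain; tags must be unique per shared port."""
    by_tag = {c.outer_vlan: c for c in chains}
    if len(by_tag) != len(chains):
        raise ValueError("chains sharing a tool port need distinct QinQ tags")
    return by_tag

def traverse(chain, pkt, by_tag):
    """Return the ordered tool names a packet is actually delivered to."""
    visited = []
    for svc in chain.services:
        if not svc.wants(pkt):
            continue  # whitelisted flow skips this tool
        tagged = dict(pkt, outer_vlan=chain.outer_vlan)  # push chain tag toward the tool
        if by_tag[tagged["outer_vlan"]] is not chain:  # demux when the tool hands it back
            raise RuntimeError("returned packet mapped to the wrong chain")
        visited.append(svc.name)
    return visited

def add_whitelist(service, prefix):
    """Stand-in for the REST call a transfer tool (Globus/Aspera) would make (constructed)."""
    ip_network(prefix)  # reject a malformed prefix before programming the switches
    service.whitelist.add(prefix)

def demo():
    fw, ddos = Service("FW"), Service("DDOS")
    c1 = Chain("C1", 101, [fw, ddos])  # endpoints 1, 21 in the slide
    c2 = Chain("C2", 102, [fw, ddos])  # endpoints 2, 22; shares tool ports 15, 16
    by_tag = build_tag_table([c1, c2])
    add_whitelist(fw, "2.2.2.2/32")  # elephant flow bypasses only the firewall
    mouse, elephant = {"src": "1.1.1.1"}, {"src": "2.2.2.2"}  # constructed sample packets
    return {name: traverse(ch, pkt, by_tag) for name, ch, pkt in
            [("c1_mouse", c1, mouse), ("c1_elephant", c1, elephant), ("c2_elephant", c2, elephant)]}
```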
BMF INLINE SETUP
(diagram: BMF Inline switches between the Internet (untrusted) and the DMZ (trusted); Service 1 - FW, interested in all traffic except source IP 2.2.2.2; Service 2 - DDOS, interested in all traffic. A packet with source IP 1.1.1.1 passes through both tools; a whitelisted packet with source IP 2.2.2.2 skips the FW.)
ACADEMIC PROMOTIONS
(diagram: Big Monitoring Fabric Controller; 1/10/40G Ethernet switch with inline tool chains (traffic distribution / load sharing) between the untrusted zone (Internet) and the trusted zone (data center / enterprise / campus), behind the perimeter firewall and DMZ firewall; inline tools: web proxy, intrusion prevention, SSL decrypt; ACL-based SPAN to a centralized out-of-band tool farm. Zones: Internet, DMZ (inline), out-of-band.)
A Big Mon Starter Kit, specially priced for academic institutions…
• HA Pair of Big Mon Controllers (VM)
• 2 x switches (48x10G + 6x40G)
• A subscription for 2 x Switch Light OS licenses, valid for 3 years
• A few cables
• Applicable for Out-of-Band or Inline deployments
ACADEMIC PROMOTION SPECIAL: STARTING AT $14,999…
Learn: Visit www.bigswitch.com
Try: Big Switch Online Lab @ labs.bigswitch.com – hosted environment for instant access to customers. Over 1000 users since launch! Best next-step to a customer meeting…
Contact: Email [email protected] (for sales enquiries); Email [email protected] (for partner enquiries); Email [email protected] (for general information)
WEEKLY Q&A WITH BIG SWITCH - Wrap-Up
Wednesday (Dec 16th): TBD
Watch: Past Webinars
Free Trial: Online Lab
Deploy: Starter Kits
Thank You