Webinar - Enabling Science DMZ Deployments

Big Monitoring Fabric Enabling Science DMZ Deployments WEBINAR PRESENTATION DECEMBER 02, 2015

Transcript of Webinar - Enabling Science DMZ Deployments

Page 1: Webinar - Enabling Science DMZ Deployments

Big Monitoring Fabric: Enabling Science DMZ Deployments

WEBINAR PRESENTATION

DECEMBER 02, 2015

Page 2: Webinar - Enabling Science DMZ Deployments

WEEKLY Q&A WITH BIG SWITCH: Housekeeping

2 © 2015, BIG SWITCH NETWORKS, INC.

When:

• Every Wednesday, 10 am PDT

• Duration: 30 minutes

Free Online Hands-on Lab: labs.bigswitch.com

Where: • www.bigswitch.com/webinars

Page 3: Webinar - Enabling Science DMZ Deployments

ENABLING SCIENCE DMZ DEPLOYMENTS WITH BIG MON - INLINE

PRAFUL BHAIDASNA, DIRECTOR, PRODUCT MANAGER

MOSTAFA MANSOUR, SR. TECHNICAL MARKETING ENGINEER

Page 4: Webinar - Enabling Science DMZ Deployments

AGENDA


• Big Mon Overview

• Science DMZ Use-case

• Demo

• Academic Promotions

Page 5: Webinar - Enabling Science DMZ Deployments

HYPERSCALE DATA CENTER R&D LEADERSHIP: They Are Leading the Charge

From: Complex (Box-by-Box), Proprietary, Expensive

To: Simple, Automated; Open Network HW; Lowest TCO

Page 6: Webinar - Enabling Science DMZ Deployments

WHAT DOES BIG SWITCH DO? Help you get from Here to There

We build SDN Software...

(to reduce Complexity)

Open-networking enables rapid innovation and customer choice eliminating HW/SW vendor lock-in

... To build monitoring fabrics and cloud fabrics

(to deliver cost-effective Production-grade SDN)

Big Monitoring Fabric

Big Cloud Fabric

... That runs on Open Vendor Switch HW

(to reduce cost)

Page 7: Webinar - Enabling Science DMZ Deployments

BIG MONITORING FABRIC: Simple, Scalable, Economical

Simple:

• Simple to Provision

• Simple to Troubleshoot

• Simple to Add/Remove

• Programmatic & Automated

Scalable:

• 1/10/40G Performance

• Monitor Any Rack (1000’s of Links)

• Monitor Any Location

• Elastic Infrastructure

Economical:

• Over 60% Reduction in Total Cost of Ownership

• Reduced CapEx

• Reduced OpEx

Page 8: Webinar - Enabling Science DMZ Deployments

BIG MONITORING FABRIC: OUT-OF-BAND

MODERN NEXT-GENERATION VISIBILITY FABRIC ARCHITECTURE

The industry’s only open switch SDN data center monitoring fabric

• Single “Logical” Switch (Zero-touch, Dramatic TCO reduction)

• Switches: 1RU, High-Density – 1G/10G/40G

• Simple: Centralized, Single Pane of Glass

• Scalable: Any Tap to Any/Every Tool

• Resilient: Headless Mode Operations

• Flexible: Up to a few thousand ports

• Economical, Feature-rich, Programmable

• Tap Every Rack – Pervasive Security

• Tap Every Location – 4G / LTE

(Diagram: Production network (any vendor) → TAP & SPAN ports → 1/10/40/100G* Ethernet switch fabric with filter ports, service ports and delivery ports, managed by the Big Monitoring Fabric Controller → visibility tools: network performance monitoring, application performance monitoring, security tools, VoIP monitoring. The service ports connect a Big Mon service node and 3rd-party service nodes / NPB providing de-duplication, packet slicing and regex match.)

Page 9: Webinar - Enabling Science DMZ Deployments

PERVASIVE SECURITY – TAP/SPAN EVERY RACK

(actual customer diagram: Centralized Tool Farm)

Tier-1 US Financial Services Institution

• Centralized tool farm for 120 racks

• Mix of 1GE, 10GE and 40GE TAPs, SPANs, and Tools

• NPB costs were reduced by more than 60% while increasing monitoring network capacity multi-fold

Page 10: Webinar - Enabling Science DMZ Deployments

PERVASIVE SECURITY – TAP/SPAN EVERY RACK

(actual customer diagram, repeated from the previous page: Centralized Tool Farm, Tier-1 US Financial Services Institution)

Page 11: Webinar - Enabling Science DMZ Deployments


CUSTOMER VALIDATIONS

Source: http://www.networkworld.com/article/2901382/application-performance-management/when-intuit-s-network-gets-taxed-it-turns-to-riverbed-performance-management-tools.html

“…We have a number of packet analysis tools and we were using Gigamon to gather packets, but when you want to gather packets from everywhere that price point gets too high…

So we decided to go with a white box solution and Big Tap from Big Switch to gather packets and forward them to the tools as needed. We’re using software-defined networking first in non-production, in our monitoring space, and evaluating where we want to go next. It’s done well for us. We used it through our first peak of tax year 2014, which was in early February…”

-Ted Turner, Sr. Network Engineer

Page 12: Webinar - Enabling Science DMZ Deployments

BIG MONITORING FABRIC: INLINE

MODERN NEXT-GENERATION DMZ SECURITY ARCHITECTURE

The industry’s only open switch SDN inline security solution

• Switches: 1RU, High-Density – 1G/10G/40G

• Support tool load-balancing, chaining

• Resilient: Headless Mode, Tool failures

• Clear role separation (NetOps, SecOps)

• Economical, Feature-rich, Programmable

(Diagram: Internet (untrusted) → Big Mon inline switches (1/10/40G) → DMZ (trusted); inline tools firewall, IPS and web proxy with traffic distribution / load sharing; Big Monitoring Fabric controllers (HA pair); ACL-based SPAN to an out-of-band tool farm. Use-cases: DMZ / Extranet security, Science DMZ.)

Page 13: Webinar - Enabling Science DMZ Deployments

INLINE – FEATURE HIGHLIGHTS

Single Pane of Glass: • Single Controller manages Big Mon Out-of-Band as well as Inline

SPAN user-defined flows: • Supports selective SPAN on ingress to Big Mon Out-of-band

Improves Tool performance: • Supports enhanced filtering (DPM) • Drop marked flows

Tool Health: • Supports inline Tool Health check

Fail Open / Fail Close: • Skip Tool if down

Symmetric / Asymmetric Tools: • Different Tools in the chain in reverse direction

(Diagram: Internet (untrusted) → Big Mon inline switches (1/10/40G) → DMZ (trusted); inline tools firewall, IPS and web proxy with traffic distribution / load sharing; ACL-based SPAN into Big Mon out-of-band (filter ports, service ports, delivery ports) feeding a centralized out-of-band tool farm; Big Monitoring Fabric controllers (HA pair).)

Page 14: Webinar - Enabling Science DMZ Deployments

SWITCH HARDWARE SUPPORT

Open Switch Vendor | 1G         | 10G Trident/Trident+ | 10G Trident-II         | 40G Trident-II         | 100G* Tomahawk
Dell               | –          | S4810-ON             | S4048-ON               | S6000-ON               | Z9100-ON
Accton             | AS4600-54T | AS5610-52X           | AS5710-54X, AS5712-54X | AS6700-32X, AS6712-32X | AS7712
Quanta             | T1048-LB9  | T3048-LY2            | –                      | –                      | –

* 100G based switches coming soon – Q1CY16

Page 15: Webinar - Enabling Science DMZ Deployments

100G SWITCH SUPPORT


• Open vendor, low cost, High-density, 1RU (32 x 100G) switches

• Cut-through, non-blocking, line-rate switching fabric with sub usec latency

• Supports Port-side Intake/Egress airflow

• Uses BRCM Tomahawk ASIC

• Supports 10G/25G/40G/50G/100G

Break-out options:

• 32 ports of 100G (no breakout)

• 64 ports of 50G

• 32 ports of 40G

• 128 ports of 25G

• 128 ports of 10G

Accton AS7712-32X Dell Z9100-ON

* 100G based switches coming soon – Q1CY16

Page 16: Webinar - Enabling Science DMZ Deployments

SCIENCE DMZ USE-CASE

Page 17: Webinar - Enabling Science DMZ Deployments

SCIENCE DMZ USE-CASE

(Diagram: Internet (untrusted) → Big Mon inline switches, ports 15–18 → DMZ (trusted). Tool 1 - Firewall (bypassed by whitelisted traffic), Tool 2 - IPS, Tool 3 - IDS; Big Monitoring Fabric controllers (HA pair).)

1. Whitelisted Traffic Notification

2. Invoke Big Mon Controller REST API

3. Auto-program whitelist rules on the switches

Page 18: Webinar - Enabling Science DMZ Deployments

INLINE – SERVICE INTERFACE SHARING

Lower CAPEX, Improve Tool Utilization

• Allows sharing of the same service/tool interfaces across multiple chains.

• Packets will be QinQ-tagged to determine which chain the packet came from.

Chain C1 – Endpoints: 1, 21; Service Ports: 15, 16

Chain C2 – Endpoints: 2, 22; Service Ports: 15, 16

Shared Tool: the same tool/service interfaces connected to 15, 16 are shared by both the chains C1 and C2.

(Diagram: Internet (untrusted) → Big Mon inline switches → DMZ (trusted), with endpoint ports 1, 2, 21, 22 and shared service ports 15, 16.)

Page 19: Webinar - Enabling Science DMZ Deployments

Big Mon – Inline Demo For DMZ Security


Mostafa Mansour Technical Marketing, Big Switch Networks

Page 20: Webinar - Enabling Science DMZ Deployments

BMF INLINE SETUP

(Diagram: Internet (untrusted) → BMF inline switches → DMZ (trusted).)

Page 21: Webinar - Enabling Science DMZ Deployments

BMF INLINE SETUP

Create a chain (bump-in-the-wire)

(Diagram: Internet (untrusted) – eth 11 → BMF inline switch → eth 12 – DMZ (trusted).)

Page 22: Webinar - Enabling Science DMZ Deployments

BMF INLINE SETUP

Create a Service Profile (Tool)

Service 1 - FW (service ports 20, 21): interested in all traffic except elephant flows (whitelist), i.e. all traffic except src-ip 2.2.2.2 (non-whitelisted, mice flows)

(Diagram: chain eth 11 ↔ eth 12 with Service 1 - FW attached on ports 20, 21.)

Page 23: Webinar - Enabling Science DMZ Deployments

BMF INLINE SETUP

Create a Service Profile (Tool)

Service 1 - FW (service ports 20, 21): interested in all traffic except elephant flows (whitelist)

Whitelisted elephant flows: a packet with src-ip 2.2.2.2 skips the FW service

Page 24: Webinar - Enabling Science DMZ Deployments

BMF INLINE SETUP

Add more tools

Service 1 - FW (service ports 20, 21): interested in all traffic except elephant flows (whitelist)

Service 2 - DDOS: interested in all traffic

Page 25: Webinar - Enabling Science DMZ Deployments

BMF INLINE SETUP

Add more tools; create an ACL-based SPAN

Service 1 - FW (service ports 20, 21): interested in all traffic except elephant flows (whitelist)

Service 2 - DDOS: interested in all traffic

ACL-based SPAN via eth 30 into the Big Tap out-of-band fabric (filter ports, service ports, delivery ports), feeding the out-of-band tool farm (i.e., IDS)

Page 26: Webinar - Enabling Science DMZ Deployments

BMF INLINE SETUP

(Same setup as the previous page: Service 1 - FW, Service 2 - DDOS, and the ACL-based SPAN via eth 30 into the Big Tap out-of-band fabric and tool farm.)

BMF controllers (HA pair): REST API with whitelist traffic

Page 27: Webinar - Enabling Science DMZ Deployments

BMF INLINE DEMO - SUMMARY

(Diagram: Internet (untrusted) → BMF inline switches → DMZ (trusted); Service 1 - FW: interested in all traffic except elephant flows (whitelist); Service 2 - DDOS: interested in all traffic.)

1. Create “FW” Service Profile – skip whitelist traffic (src-ip 2.2.2.2)

2. Create a Chain

3. Attach the Service Profiles

4. Create a SPAN (optional)

NOTE: Whitelist traffic can be configured manually or automatically from Globus or Aspera through the REST API

Page 28: Webinar - Enabling Science DMZ Deployments

BMF INLINE SETUP

(Diagram: Internet (untrusted) → BMF inline switches → DMZ (trusted); Service 1 - FW: interested in all traffic except source IP 2.2.2.2; Service 2 - DDOS: interested in all traffic.)

Packet with Source IP 1.1.1.1: matches both profiles, so it traverses FW and DDOS

Whitelist packet with Source IP 2.2.2.2: skips FW and traverses only DDOS
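The demo steps on the preceding pages (create a chain, attach service profiles with a whitelist, SPAN the whitelisted flows) and the shared-service-interface slide on page 18 describe one policy model; the following is an added example that models it in Python. It is not Big Switch code and does not call the Big Mon controller API: the `whitelist()` function is a hypothetical local stand-in for the REST call a transfer tool would make, and the port numbers, chain ids and IP addresses are constructed, loosely following the slides.

```python
# Added example (not Big Switch code): a model of an inline chain with
# service-profile bypass, QinQ chain tagging on shared tool ports, and an
# ACL-based SPAN. Ports, chain ids and addresses are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    ingress_port: int  # endpoint port the packet arrived on


@dataclass
class ServiceProfile:
    """An inline tool; `bypass` lists source prefixes the tool must not see."""
    name: str
    service_ports: Tuple[int, int]  # (to-tool, from-tool) switch ports
    bypass: List[IPv4Network] = field(default_factory=list)

    def wants(self, pkt: Packet) -> bool:
        src = ip_address(pkt.src_ip)
        return not any(src in net for net in self.bypass)


@dataclass
class Chain:
    """Bump-in-the-wire chain between two endpoint ports; chain_id is the QinQ tag."""
    name: str
    chain_id: int
    endpoints: Tuple[int, int]
    services: List[ServiceProfile]


@dataclass
class SpanRule:
    """ACL-based SPAN: copy matching traffic to an out-of-band delivery port."""
    match_src: IPv4Network
    delivery_port: int


class InlineFabric:
    def __init__(self, chains: List[Chain], spans: List[SpanRule]):
        self.chains = chains
        self.spans = spans
        self.by_tag: Dict[int, Chain] = {c.chain_id: c for c in chains}

    def chain_for_port(self, port: int) -> Chain:
        for c in self.chains:
            if port in c.endpoints:
                return c
        raise ValueError(f"port {port} is not an endpoint of any chain")

    def forward(self, pkt: Packet) -> dict:
        """Walk the packet through its chain; returns the tools visited (name,
        to-tool port, QinQ tag), the egress endpoint and any SPAN copies."""
        chain = self.chain_for_port(pkt.ingress_port)
        a, b = chain.endpoints
        egress = b if pkt.ingress_port == a else a
        visited = []
        for svc in chain.services:
            if not svc.wants(pkt):
                continue  # whitelisted flow skips this tool
            to_tool, _ = svc.service_ports
            tag = chain.chain_id  # outer QinQ tag on the shared service port
            visited.append((svc.name, to_tool, tag))
            chain = self.by_tag[tag]  # on return, the tag identifies the chain
        src = ip_address(pkt.src_ip)
        copies = [r.delivery_port for r in self.spans if src in r.match_src]
        return {"chain": chain.name, "tools": visited, "egress": egress, "span_to": copies}


def whitelist(fabric: InlineFabric, service_name: str, prefix: str) -> int:
    """Hypothetical stand-in for the controller REST call a transfer tool
    (Globus/Aspera) would issue: add a bypass prefix to the named service on
    every chain. Returns the number of profiles actually changed."""
    net = ip_network(prefix)
    changed = 0
    for c in fabric.chains:
        for s in c.services:
            if s.name == service_name and net not in s.bypass:
                s.bypass.append(net)
                changed += 1
    return changed


def demo_fabric() -> InlineFabric:
    """Two chains sharing one FW (ports 15, 16), a DDoS tool on 20, 21 that sees
    everything, and a SPAN of whitelisted flows to eth 30 for the IDS."""
    fw = ServiceProfile("FW", (15, 16))
    ddos = ServiceProfile("DDOS", (20, 21))
    c1 = Chain("C1", 1, (1, 21), [fw, ddos])
    c2 = Chain("C2", 2, (2, 22), [fw, ddos])
    fab = InlineFabric([c1, c2], [SpanRule(ip_network("2.2.2.2/32"), 30)])
    whitelist(fab, "FW", "2.2.2.2/32")  # elephant flow bypasses the firewall
    return fab


if __name__ == "__main__":
    fab = demo_fabric()
    for pkt in (Packet("1.1.1.1", "10.0.0.5", 1), Packet("2.2.2.2", "10.0.0.5", 22)):
        print(pkt.src_ip, fab.forward(pkt))
```

The packet from 1.1.1.1 visits FW and DDOS; the whitelisted 2.2.2.2 flow visits only DDOS but is still copied to port 30, which is the point of keeping an out-of-band IDS on the SPAN: bypassing the inline firewall does not mean the flow goes unobserved. Because the FW profile object is shared by both chains, one `whitelist()` call updates it once, mirroring the shared-interface case on page 18.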

Page 29: Webinar - Enabling Science DMZ Deployments

ACADEMIC PROMOTIONS

Page 30: Webinar - Enabling Science DMZ Deployments

ACADEMIC PROMOTIONS

(Diagram: Internet → perimeter firewall → untrusted zone → DMZ inline tool chains (web proxy, intrusion prevention, SSL decrypt) with traffic distribution / load sharing → DMZ firewall → trusted zone (data center / enterprise / campus); 1/10/40G Ethernet switch, Big Monitoring Fabric Controller, ACL-based SPAN to a centralized out-of-band tool farm.)

A Big Mon Starter Kit, specially priced for academic institutions…

• HA Pair of Big Mon Controllers (VM)

• 2 x switches (48x10G + 6x40G)

• A subscription for 2 x Switch Light OS licenses, valid for 3 years

• A few cables

• Applicable for Out-of-Band or Inline deployments

ACADEMIC PROMOTION SPECIAL: STARTING AT $14,999…

Page 31: Webinar - Enabling Science DMZ Deployments


Learn: Visit www.bigswitch.com

Try: Big Switch Online Lab @ labs.bigswitch.com – hosted environment for instant access to customers; over 1000 users since launch! Best next-step to a customer meeting…

Contact: Email [email protected] (for sales enquiries); Email [email protected] (for partner enquiries); Email [email protected] (for general information)

Page 32: Webinar - Enabling Science DMZ Deployments

WEEKLY Q&A WITH BIG SWITCH: Wrap-Up

Wednesday (Dec 16th): TBD

Watch: Past Webinars

Free Trial: Online Lab

Deploy: Starter Kits


Page 33: Webinar - Enabling Science DMZ Deployments

Thank You