1© 2016 IXIA AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
VISION ONE
DEPLOYING SECURITY IS NOT EASY
CONSTANT CHANGE – Threats, Laws, Applications
SINGLE PURPOSE TOOLS
EXPENSIVE
SECURITY IS CONSTANTLY CHANGING
There’s always a lot of ground to cover
See Everything – Intuitive UI and patented filter compiler
Look Within – ATI for SSL decryption & App intelligence
Virtualize – Manage traffic from physical and virtual taps
Layered Defense – Flexibly deploy tools inline and out-of-band
Optimize – ZERO-loss advanced packet processing
EVOLUTION OF INTELLIGENT VISIBILITY
TAP – Raw Packets: All packets
NPB – L2-4 Filters: Only 10.0.0.0/8 traffic; Only TCP Port 25 traffic
NPB Adv. Packet Processing – Hardware AFM: All unique frames going to 10.0.0.0/8; Only the first 128 bytes of TCP Port 25 frames
NPB – App Brokering (Meta Data, App Filtering): All traffic from Georgia; All voice traffic from HTC Ones; Someone from S. Africa watching House of Cards on Netflix on an iPhone on Vodacom’s network
FILTERING: IT’S YOUR CHOICE
The Hard Way – Using other vendors’ filters: “…we spent the better part of four hours and some trial and error to get the map and its filters defined and applied.”
The Easy Way: “Ixia's Dynamic Filtering feature, on the other hand, took all of 10 minutes to perform the same task in our tests.”
IXIA’S AUTOMATIC RULE ENGINE COMPILER
1. What you want: Traffic multi-casted from one SPAN port to 3 tools
   Network SPAN Port → Tool Port #1 (VLAN 1-3), Tool Port #2 (TCP), Tool Port #3 (VLAN 3-6)
2. What you do: Enter 3 simple filters in the Network Tool Control Panel
   VLAN 1-3 → Tool 1
   TCP → Tool 2
   VLAN 3-6 → Tool 3
3. What Automated Rule Set Compiler does: Automatically calculates filter overlaps, and creates rules
   No.  Criteria          Action
   0    VLAN 3 + TCP      Tool 1, 2 & 3
   1    VLAN 1-3 + TCP    Tool 1 & 2
   2    VLAN 4-6 + TCP    Tool 2 & 3
   3    VLAN 3            Tool 1 & 3
   4    VLAN 1-2          Tool 1
   5    VLAN 4-6          Tool 3
   6    TCP               Tool 2
   7    Null              Drop
4. Why is this a big deal
   • Automatically resolves overlapping rules. Greatly simplifies getting to what you need.
   • Hitless changes – no packets dropped
   • Concurrent changes by different admin users
   • Simple to integrate with external provisioning systems – automated service provisioning
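The overlap resolution the slide describes, as an added example that is not Ixia's code: a small Python model that turns overlapping filters into a first-match rule table (most specific intersection first, union of tool ports as the action, trailing drop rule) and reproduces the eight rules above for the constructed VLAN 1-3 / TCP / VLAN 3-6 input. The slide does not describe the compiler's internal algorithm, so this is an assumed reconstruction; it generalizes to any number of filters on VLAN and protocol criteria.

```python
from itertools import combinations

ANY = None  # wildcard: this criterion is unconstrained

# Constructed input, the three filters on the slide: (vlans, protocol, tool)
FILTERS = [
    (frozenset(range(1, 4)), ANY, "Tool 1"),   # VLAN 1-3 -> Tool 1
    (ANY, "TCP", "Tool 2"),                    # TCP      -> Tool 2
    (frozenset(range(3, 7)), ANY, "Tool 3"),   # VLAN 3-6 -> Tool 3
]

def intersect(a, b):
    """Intersect two criteria (vlans, proto); None means no packet matches both."""
    (av, ap), (bv, bp) = a, b
    vlans = av if bv is ANY else bv if av is ANY else av & bv
    if vlans is not ANY and not vlans:
        return None  # disjoint VLAN ranges
    if ap is not ANY and bp is not ANY and ap != bp:
        return None  # conflicting protocols
    return (vlans, ap if bp is ANY else bp)

def compile_rules(filters):
    """Resolve overlaps into a first-match rule list, most specific first.
    Each non-empty intersection of k filters becomes one rule (k descending);
    its action is the union of every filter containing that intersection.
    A trailing catch-all drops what no filter selected."""
    rules = {}
    for k in range(len(filters), 0, -1):
        for subset in combinations(filters, k):
            crit = (ANY, ANY)
            for vl, pr, _ in subset:
                crit = intersect(crit, (vl, pr))
                if crit is None:
                    break  # these filters never overlap
            if crit is None or crit in rules:
                continue
            rules[crit] = frozenset(t for vl, pr, t in filters
                                    if intersect(crit, (vl, pr)) == crit)
    return list(rules.items()) + [((ANY, ANY), frozenset())]

def matches(crit, vlan, proto):
    vlans, p = crit
    return (vlans is ANY or vlan in vlans) and (p is ANY or p == proto)

def forward(rules, vlan, proto):
    """First-match lookup as the hardware applies it; empty set means drop."""
    for crit, tools in rules:
        if matches(crit, vlan, proto):
            return tools
```

Rule 1 comes out as VLAN 1-3 + TCP rather than VLAN 1-2 + TCP, exactly as on the slide: with first-match ordering the VLAN 3 + TCP rule above it already took that traffic, so the two forms are equivalent.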
INTELLIGENT PACKET PROCESSING
Dedicated hardware adds info or reduces unnecessary data without information loss on a per packet basis
Example: All unique frames going to 10.0.0.0/8; Only the first 128 bytes of TCP Port 25 frames (NPB Adv. Packet Processing – Hardware AFM)
Advanced Packet Processing (AFM) Features
• Deduplication
• Header stripping
• Trimming
• Data Masking
• Timestamping
• Burst Protection
ADVANCED PACKET PROCESSING IN VISION ONE
Challenge
• Need guaranteed packet processing performance, but not on every port
Solution
• Hardware-based processing guarantees performance
• Allocated to ports in 10G increments
• Full performance with multiple features enabled
Benefits
• Packet processing reduces tool costs
• Reliable operational performance
• Any port can have AFM
• Maximize ATIP / DPI performance by AFM prefiltering
16x10G Shared AFM
DEDUPLICATION
Deduplication – Ensures that only one copy of each frame is forwarded for analysis
How do you get duplicate packets?
– Multiple taps are aggregated to the same tool
– A single SPAN port commonly generates duplicate packets (see http://blogs.cisco.com/security/span-packet-duplication-problem-and-solution)
HEADER STRIPPING
Header Stripping – Detects and removes tunnel protocol headers so the data can be analyzed by tools that do not support tunneled protocols.
[Diagram: MPLS Label | IP Header | Payload → Header Stripping → IP Header | Payload]
Typical Use Cases
• Translation: Strips a protocol header that an analysis tool doesn’t parse and forwards the packet in a supported format.
– MPLS, VNTag, FabricPath, etc.
• vTap Termination: Terminates traffic from Phantom vTap
• ERSPAN termination: Terminates traffic from a remote / branch office switch
PACKET TRIMMING
Packet Trimming – Truncates packets at a certain length and optionally inserts a trailer with the original packet length before forwarding to a tool.
[Diagram: IP Header | Payload → Packet Slicing → IP Header | truncated Payload]
Typical Use Cases
• Tool Efficiency: Reduces the average frame length being sent to the tool for analysis.
– Remove SSL-encrypted payloads before analysis
– Remove payloads for tools that only analyze headers
• Security: If the packet payload is not needed for analysis, this feature can be used to protect against revealing sensitive information such as Personally Identifiable Information (PII), as required by many mandates such as PCI.
DATA MASKING
Data Masking – Allows data at a specific offset in the frame to be set to a fixed value so that Personally Identifiable Information (PII) is not forwarded to analytics tools.
Typical Use Cases
• Protecting PII: Enterprises and carriers often have mandates that require them not to store, forward, or otherwise expose PII to internal or external users. Examples of such mandates are PCI (Payment Card Industry) or HIPAA for health care in the USA. Violations often result in multi-million dollar penalties.
[Diagram: IP Header | Payload → Data Masking → IP Header | Payload with masked bytes (XXXX)]
PACKET TIMESTAMPING
Packet Timestamping – Adds a trailer containing a timestamp to every packet so detailed latency measurements can be made by the analysis tools.
Typical Use Cases
• Latency: A network performance analyzer can determine the latency between any taps in the network by comparing the timestamps on the same packet from two different locations.
[Diagram: IP Header | Payload → Packet Timestamping → IP Header | Payload | Timestamp]
Vision ONE chassis uses PTP or NTP to obtain time reference
BURST PROTECTION
Burst Protection – Adds extra buffering to 1G interfaces to provide protection from microburst events and avoid data loss.
Typical Use Cases
• Aggregation: When aggregating traffic from multiple locations in the network to a single 1G tool, it is possible to momentarily exceed 1Gbps of traffic.
• Speed Translation: When filtering a sub-1G flow from a single 10G link, burst protection can prevent a momentary burst in the 10G flow from creating loss in the 1G analysis tool.
IXIA – ALWAYS FULL RATE ADVANCED PACKET PROCESSING
The Bottom Line: Ixia always supports full rate processing, independent of frame size and independent of the number of functions enabled.
See Tolly Test Report #216100 – Full Rate Advanced Packet Processing
ENTERPRISE – INTELLIGENT APPLICATION PROCESSING
• ATI Processor (ATIP) – Context-rich Application Visibility
• Application forwarding based on application, geography, and RegEx matching
• Real-time dashboard
• Rich NetFlow / IPFIX generation
– Device OS
– Browser
– Carrier BGP AS#
– Geolocation
• Data Masking
• Stateful SSL decryption
ATIP – DEEP PACKET INSPECTION
Reuses ATI engine to perform Deep Packet Inspection
Identifies: Applications, Application events, Handset OS, Browser, Geolocation
Subscription Profiles update every 3 weeks
APPLICATION FILTERING
Point and Click – Filter settings
Geographic Matching – Click map or country name
App Matching – Static, dynamic, custom App Groups (Category, OS, etc.)
REGEX SEARCHING & DATA MASKING
Easy Setup – Add to any filter
Predefined Patterns – Email, credit cards, SSN, etc.
Custom Patterns – Built in UI
Optional Masking – Partial or complete string
Fixed Offset – L2-L4 Header offset
FLEXIBLE TRAFFIC HANDLING
Easy Setup – Forward, NetFlow, or both
Real-time Stats – For all filters
RICH NETFLOW / IPFIX GENERATION
Easy Setup – One-click enable
Standard Fields – Including router offload
IxFlow Extensions – Handset, browser, geo, SSL
High performance – Supports up to 10 collectors
ATIP ENABLES SSL INSIGHT
Passive decryption – no impact on application performance
Easy setup – just import server certificate & key
Fully compatible with all other ATIP features:
• Rich Netflow/IPFIX
• Data Masking
• Geolocation
• Application Filtering
• Handset/workstation type
• Browser identification
All popular key exchange & ciphers:
• RSA & DH Key Exchange
• SHA1/521/384/256/224, MD5
• 3DES
• RC4
• AES
• ECC (Elliptic Curve)
• Encryption details reported over Netflow
Hardware Encryption Offload
ATIP USE CASES
• SaaS Issue Correlation to Service Provider
• Granular VoIP Filtering
TWO MAIN VISIBILITY TOPOLOGIES
Monitoring (out-of-band): Analytics tools terminate the traffic and do not forward back to the network. Typical analytics tools:
• Application Performance Monitoring (APM)
• Network Performance Monitoring (NPM)
• Intrusion Detection System
• Data recording
Inline (inband): Tools analyze and selectively drop traffic or forward it back to the network. Typical inline tools:
• Intrusion Prevention System (IPS)
• Data Loss Prevention (DLP)
• Web Cache
• SSL encrypt / decrypt
• Firewall
INLINE & MONITORING TOGETHER
Inline
• IPS (multiple vendors)
Out-of-band Monitoring
• Data logging
SERIAL INLINE DEPLOYMENT
[Diagram: Switch with inline tools 1, 2 and 3 deployed in series]
EXTERNAL BYPASS
Why use External vs Integrated Bypass?
1. External reliability is 5 times better! MTBF (Mean Time Between Failure, in hours): External Bypass 450,000; Integrated Bypass 80,000
2. Easier to replace failed devices – no risk of taking network down
3. Same system size as integrated bypass – 2U
EASY TO CONFIGURE
Create complex topologies in minutes
• Inline serial
• Parallel load balanced
• Inline serial & Parallel load balance together
N+M REDUNDANCY
Supports any combination of N+M tool redundancy
• N+M Redundancy: M warm standby tools to protect N active tools
• N+1 Redundancy: a single warm standby tool to protect N active tools
Behavior under tool failure
• Standby tool takes over traffic from failed tool
• Active tool takes its traffic again when it recovers
• Failure detected via use of heartbeats
DETECT FAILURES QUICKLY – RICH HEARTBEATS
Detecting failures
• Heartbeats exist between bypass switch & NPB
• Heartbeats exist between NPB & tool
• Absence of heartbeats indicates failure
Key capabilities
• Predefined heartbeats to match different tools
• Highly customizable heartbeats for tricky situations
• Supports single-stage (blue) or multistage (red) heartbeats
VISION ONE – SECURITY WITHOUT SACRIFICE
Intelligent
• ATIP: DPI for app awareness
• SSL decryption
• Reliable adv. packet processing
• Supports inline & monitoring
• Terminates physical & vTap traffic
Compact
• 1U high
• Connectivity
– 48 SFP+ for 1G or 10G
– 4 QSFP+ for 4x40G or 16x10G
• Growth via expansion slot
Reliable
• Based on NVOS 4.x
• Redundant, hot swappable power supplies & fans
• NEBS capable
Multiuser ready
• Extensive role-based access control
• Automatic Filter Rule Compiler
• Intuitive GUI
• RESTful API
#securitywithoutsacrifice
Amplify security without ever changing a cable. See everything. Miss Nothing.