Integrated Analytics. A Key Element of Security-Driven Networking

Transcription

1 Integrated Analytics A Key Element of Security-Driven Networking What if your network offered monitoring and visibility into both the overlay and the underlay? What if you could monitor all application flows, handing off those deemed suspicious to your existing security tools? What if you had real-time insight to network performance, helping you to guarantee application SLAs and assisting with capacity planning? And what if this network could perform this without the need for additional taps and matrix switches, saving capital and operational expenses, and offered this capability with tools familiar to your network operations team? pluribusnetworks.com Page 1

2 Today Separate Fabrics IT organizations need to ensure the Application Quality of Experience, which includes ease of application deployment and operation, application performance, and making sure the application makes optimal use of compute, storage, network, and virtualization resources. Traditional approaches to network analytics have had limitations and drawbacks. One of which is expense as it has usually been necessary to build a second monitoring network to aggregate and filter traffic. The expense of this additional networwedgek has also lead to tough choices as it has not always been possible to provide coverage for the entire network, leading to the selective placement of taps and mirroring ports. Additionally, a lack of visibility into overlay traffic has made supporting and troubleshooting virtualized environments difficult. And with security concerns top-of-mind, these limitations in visibility are of increasing concern. Production* Network Visibility*Fabric 3 rd Party*Tools Legacy Tap and Matrix Switch Architecture A Better Way Pluribus Integrated Analytics Netvisor, the Pluribus network operating system, creates an Ethernet fabric where all serverswitches are managed as a single entity, even across 3 rd party spines. This fabric integrates analytics capability, offering a real-time view into all application flows at the host and VM level. Latency, packet loss, and connection durations are all available, and if one or more flows warrant closer investigation, the solution supports full packet capture at tens-of-gigabits a second due to the distributed architecture. pluribusnetworks.com Page 2

3 Ideally, the Pluribus fabric is deployed in a leaf-spine topology, at either L2 or L3, as part of a new DC buildout, an extension Pod, or even a new rack in an existing Pod. Alternatively, you may deploy server-switches at either the TOR or the spine, still gaining full visibility for all traffic flows, or as bumps-in-the-wire. This is a function of Netvisor s standards-based L2/L3 capabilities. Where none of this is possible, we can deploy in tap mode, still taking advantage of full flow analytics and setting the stage for future migration of production traffic onto the Pluribus nodes. This investment protection is unequaled. Pluribus( Integrated(Analytics: Visibility( and(production 3 rd Party(Tools Full Fabric Pod or Rack full switch bandwidth for analytics Production* Network Netvisor Integrated*Analytics 3 rd party*tools Network Monitoring Span/ Taps Application Monitoring Security Tools UC/VoIP Monitoring Tap-Mode full switch bandwidth for analytics Pluribus Integrated Analytics Capabilities: Application-aware Flow Analytics o The network manager is first presented with a dashboard depicting current network topology. Note that this is a view of the entire fabric, and not just pluribusnetworks.com Page 3

4 o o individual switches. If the fabric extends across another vendor s spine switch, the view is still intact. In the upper right is the Time Machine. More on that in a bit. Click on any link, host, or switch for a real-time view as to every connection, including open ports, traffic volume, latency, and duration. Link colors change based on loading. These same statistics are also available via the CLI and via programmatic interfaces for handoff to external tools. Client-Server Connection Flow Analytics o You can now drill-down on any connection, as well as looking at individual hosts and identifying their top destinations. This is useful for capacity planning and identifying unexpected traffic volumes. SYN Flood attack monitoring is all part of this o A powerful source-destination matrix view is also available, highlighting networkwide traffic patterns and also offering a view into anomalies when compared to past patterns. pluribusnetworks.com Page 4

5 Example of Top Talkers Matrix to identify anomalies VM/Overlay visibility o A powerful connection analytics capability is being able to look into the individual VMs along with associated VLANs and VXLAN tunnels. o This includes the status of all connections and any VM migration including updates, movements between ports across the fabric, and number of times a VM is dropped due to loop-detection. VLAN, VXLAN, and VM Migration statistics pluribusnetworks.com Page 5

6 Time Machine o Time Machine provides one of the most powerful fabric capabilities, the ability to view flows over time. This aids forensic analysis, compliance, capacity planning, and troubleshooting. o The Time Machine can use the switch s onboard SSDs, but for additional capacity, the solution supports an optional Sandisk flash drive supporting flow statistics going back a week or even a month (or more) in time. o The top window reflects the current topology. For the bottom view, the administrator has turned the clock back by two weeks. The view now reflects the topology at that time, along with link loading. As with the current view, clicking on any link, host, or switch brings up all associated connections. o The administrator may offload the flow statistics into external databases (i.e., PCAP) for powerful trend analysis. Topology View, Current pluribusnetworks.com Page 6

7 Topology View, 2 weeks ago can click on any link, host, or switch for full connection statistics Real-time flow programmability o Another powerful capability is fabric-wide flow programmability. A flow is defined by fabric ports, MAC, Ether Type, IP, TCP/UDP ports, VLAN, VXLAN, and Class/DSCP/TOS. A rich set of actions that may be applied include dropping the packet, copying the packet for further analysis, modifying the packet header, and other flow-based operations based on real-time traffic patterns. pluribusnetworks.com Page 7

8 Fabric Sniffer o Using flow programmability, timestamped flows are identified for full flow capture with filtering. These are stored in PCAP format, with decoding via an on-board Wireshark or external tools. Inspect the content of each packet, timestamping included. Can look at entire packet. Offload to external storage. pluribusnetworks.com Page 8

9 How does Integrated Analytics relate to your security concerns? Traditionally, enterprises have spent a great deal of effort protecting their perimeters, placing large firewalls in their DMZs. These have grown in performance, and are now capable of protecting against increasingly sophisticated attacks. And more recently, they ve secured their virtual machines at the vswitch with technologies like vshield and when deploying overlays, solutions from Palo Alto and others. Good for virtualized hosts, but what about bare-metal?! North&South) Traditional)Security)Perimeter! As)low)as)~20%)of)the)traffic! Network)Fabric:) Limited/No)security)for)East&West)traffic As#high#as#~80%#of#traffic! Fabric#value#in#monitoring#and#visibility! but#a#separate#monitoring#fabric#is#required! Secure)VMs! Limited/no)security)for)mare)metal)compute Bare%Metal Existing Architectures There is a third part of the network the Ethernet fabric that is left unprotected with existing approaches. And with the growing percentage of east-west traffic, up to 80%, vulnerability is only increasing. If the attack gets through the DMZ due to social engineering, phishing or an interior attack, and if the virtual machines are compromised, the network is left wide open. pluribusnetworks.com Page 9

10 ! E"W/N"S'visibility'of'services/apps'! Forensic'analysis,'auditing,'security'(flow'filtering' w/'packet' capture)! Capacity'planning'(network' utilization,'traffic' patterns,'hot"spots )! Optional'addition'of'virtual'firewalls'within'fabric' for'east"west'and'in"rack'security! Eliminate)taps)and)separate)visibility)fabric! Bare%Metal Pluribus Integrated Analytics This is where Pluribus Integrated Analytics comes into play, complementing existing security hardware and software, and helping protect the network itself. Given the amount of damage that can occur in a very short time, CIOs are recognizing that security must be embedded within the Ethernet fabric. The switches and routers can no longer operate as just dumb packet switching devices, incapable of detecting, acting upon, and recording anomalies. You require a more intelligent network. Conclusion While much attention has been paid to network features and performance, analytics has been somewhat overlooked and even when addressed has been addressed not in a systemic, whole fabric way but rather with a series of bolt-on TAPs and supporting visibility fabrics. Because of the unique fusion of server, switch and storage capabilities supported by Pluribus Netvisor, we are able to integrate sophisticated analytics into the network. This integration enables better visibility into both underlay and overlay traffic while also aiding troubleshooting and security efforts as well. The flexibility of the Pluribus architecture means that not only do greenfield networks benefit, but many of these advantages are applicable to brownfield environments with pluribus at the ToR. pluribusnetworks.com Page 10

11 Features Fabric-wide VM/Host locator Fabric-wide application flow statistics (includes TCP connection latency, time-stamping, top talkers, application, etc.) Fabric-wide port statistics, congestion, latency Fabric-wide vport analytics with OpenStack including host network stats, CPU, mem, disk, OS Fabric-wide sniffer/full packet or flow capture and NFS export (ASDF package) Time Machine Analytics Forensic Network Recorder (ASDF package) Format and save output of connection analytics in parsable file formats (i.e., CSV) VM/Host migration history vflow (capture, drop, re-write, mirror any flow Fabric-wide) sflow (agent, collector, and analyzer) Precision Time Protocol (PTP) version 2 (IEEE ): Transparent Clock and Boundary Clock modes Port mirror to local VM with storage (ASDF package) Mirroring Aggregation with vflow filtering Mirroring/tap aggregation of multiple inputs to 4 output groups F-series only Application flow-based mirror SPAN SSD storage and NFS export; PCIe flash storage (F64-FL1T only) Performance 1G/10G/40G tap aggregation Netvisor fabric operates at the full-switch rate with integrated analytics 1.36 to 2.24 Tbps depending upon platform. All data flows across the fabric are recorded. Real-time analysis of millions of flows; historical analysis of hundreds of millions of flows Record up to 1+ million connections/second (F-series) Storage R/W 130 MB/s SSD and 2,200 MB/s PCIe flash PCIe control plane performance for TCP flow analytics 200 Kpps on E-series and 3 Mpps on F-series Full packet capture at control plane bandwidth, from 4 to 40 Gbps depending upon platform. Orderability Netvisor Integrated Analytics for E68 Leaf Node Netvisor Integrated Analytics for F64M Leaf Node Netvisor Integrated Analytics for F64L Spine Node Netvisor Integrated Analytics for F64XL Spine Node Netvisor Integrated Analytics for F64FL1T Spine Node Netvisor Integrated Analytics for E28Q Spine Node Netvisor Forensic Data Recording Kit (1x800G SSD) NVOS-E68M-A NVOS-F64M-A NVOS-F64L-A NVOS-F64XL-A NVOS-F64FL1T-A NVOS-E28QL-A FDR-KIT pluribusnetworks.com Page 11