Active Visibility for Multi-Tiered Security. Juergen Kirchmann Director Enterprise Sales EMEA

Transcription

1 Active Visibility for Multi-Tiered Security Juergen Kirchmann Director Enterprise Sales EMEA

2 Billions are Spent on Security Annually $18.4B SPENT BY ENTERPRISES WORLD-WIDE ON SECURITY IN 2014 ENTERPRISE SECURIY NETWORK EQUIPMENT $9,209M FIREWALL/VPN EQUIPMENT $6,721M SECURE ROUTERS $968M INTRUSION PROTECTION SYSTEMS (IPS) $1,520M Source: Gartner Trends Telecom Forecast (March 2014) 2

3 yet Breaches Continue to Proliferate 3

4 Why Are Secured Networks So Exposed? Reactive vs. proactive security Attacks from multiple sources Threats from inside and at perimeter Advanced tools needed to meet advanced threats 4

5 Visibility Is the Key to Comprehensive, Cost-effective Network Security YOU CAN T SECURE WHAT YOU CAN T SEE 5

6 Multi-Tiered Security Specialized security tools Analytics and Heuristics Backed by Signatures and Policies Parallel deployments Inline, Out-of-band, Flow-based Protect against known attacks (signatures) Detect potential unknown threats (heuristics) Deployed throughout the network Not just at the edge (castle-moat is dead) Security tools externalize network complexity Risk-driven, maps into corporate risk and compliance frameworks Security Analytics and Heuristics Governance Risk and Compliance Inline: Firewall, WAF, IPS, Proxy, Anti-Malware, Anti-DDoS, DLP OOB: DLP, SIEM, DAM, FAM, IDS 6

7 Multi-Tiered Security Challenges Inline tools can be a single point-of-failure or bottleneck Critical links have tight maintenance windows Edge Router High-end tools require high-end processing Inline (Firewall, IPS, etc.) SPAN ports limit tool access and visibility Security tools are expensive Out-of-Band (IDS, anti-malware, etc.) Core Switch 7

8 Active Visibility for Multi-Tiered Security BEST PRACTICES Manage Unified Visibility Fabric with GigaVUE-FM Add non-security tools to maximize ROI Connect out-of-band security tools & leverage GigaSMART Connect inline security tools TAP all critical links (including virtualized infrastructure) 8

9 Active Visibility for Multi-Tiered Security Intrusion Prevention Systems Internet NetFlow Collector Intrusion Detection System Edge Routers NetFlow Generation SSL Decryption GigaStream Inspection Data Loss Prevention Core Switches Out-of-Band Malware 9

10 Inline Bypass Options: Physical & Logical GIGAVUE-HC2 Physical Bypass Protection Physically forwards packets in the event of a Gigamon power failure Can also be triggered with software command Ideal for deployments without redundant network paths Requires BPS module Logical Bypass Protection Inline tool failure detection: Loss of Link: the inline tool goes offline Loss of Heartbeat: the inline tool stops forwarding traffic Software Control: safely remove or upgrade inline tool without disrupting network Bypass options: Fail close: drop packets Fail open: forward traffic to network Failover to redundant network path: bring down network links Works with any standard interface module X24, GigaSMART-Front, Q06, and the BPS module Not supported on TAP modules (which can only receive traffic) 10

11 Active Visibility for Multi-Tiered Security ONE-TO-ONE AND ONE-TO-MANY Port A1 Port B1 Increase scale by distributing load across multiple inline tools Inline traffic can also be inspected by out-of-band tools 11

12 Active Visibility for Multi-Tiered Security MANY-TO-ONE AND MANY-TO-MANY TRAFFIC CONSOLIDATION Port A1 Port B1 Port A2 Port B2 VLAN 101 VLAN 101 VLAN 102 VLAN 102 Consolidate traffic from multiple network links to one (or more) inline security appliances VLAN tagging used to return packet to correct network link 12

13 Active Visibility for Multi-Tiered Security APPLICATION AWARE BYPASS AND SERIAL INLINE TOOLS Application Aware Bypass Serial Inline Tools A1 B1 A2 B2 A3 B3 A1 B1 A2 B2 A3 B3 Select traffic to be sent to inline security tools based on applications of interest Apply Flow Mapping to inline traffic Create L2-L4 profiles for each type of tool Bypass traffic that does not need inspection Improve network latency, app performance Send traffic to multiple serially connected tools Bypass unhealthy tools without bringing down network All serial tools are bypassed if one goes down Add/Remove/Upgrade tools easily 13

14 Active Visibility for Multi-Tiered Security INLINE TOOL GROUPS AND N+1 REDUNDANCY Inline Tool Groups Distribute traffic across multiple tools Parallel processing: Improved performance, inherent protection If inline tool goes down, traffic is redistributed across group If entire group goes down, bypass traffic (fail open / fail closed) Inline Tool Redundancy: N+1 Reserve tool in standby mode When a tool goes down, traffic is redirected to standby tool Maintains sessions across tool group 14

15 BPS Module for the GigaVUE-HC2 PROTECTING THE GATES Physical Bypass Protection for inline tool deployments 3 Models: Multimode 50 µm Multimode 62.5 µm Singlemode 10 µm 24 total ports 4 BPS port pairs supporting 4 inline network links 16 SFP/SFP+ cages 1Gb and 10Gb supported on all models Selectable per network link 15

16 1Gb Copper Bypass Directions BYPASS PROTECTION FOR 1000BASE-T NETWORK LINKS Software Upgrade to Existing 1Gb Copper Tap Module (TAP-HC0-G100C0) No license required just upgrade to v4.3 Same Module, Same SKU, Same Price Up to 12 Inline Networks Individually configure ports as TAP or BPC (BPS has 4 fixed Inline Networks per module) Tools Require Separate Module: X24 or X16 GigaSMART Tools 16

17 Active Visibility to Any Traffic Anywhere INLINE With Bypass module Inline Tools IPS Remote Site Leaf Core Spine Leaf Core Spine Leaf Leaf OUT-OF-BAND Deduplication Masking NetFlow Generation Header Adaptive Stripping Packet Filtering GigaVUE-OS on white box Anti- Malware Out-of-Band Tools File Activity CEM SIEM DLP NPM GigaVUE-VM GigaVUE-VM GigaVUE-VM GigaVUE-VM APM 17

18 Use Cases: Decrypt Anywhere for Any Tool ONE COMMON VISIBILITY FABRIC SERVING MULTIPLE USE CASES IDS at the Perimeter Router Firewall with SSL Proxy TAP Switch Server Rack APM at the Server Rack Router Firewall with SSL Proxy Switch SSL Decryption IDS SSL Decryption APM Anti-Malware for Web Apps SSL Decryption Anti- Malware DLP at Remote Sites Router SSL Decryption DLP Firewall with SSL Proxy LAN Workstations HQ TAP Database Router Branch 18

19 SSL Decryption on GigaSMART: How It Works SSL DECRYPTION FOR OUT OF BAND MONITORING 1 1. Tap SSL traffic and deliver to Visibility Fabric Use Flow Mapping to define flows to be decrypted Selected flows sent to GigaSMART 2. GigaVUE identifies exchange of public keys 3. Administrator uploads private keys Up to 64 private keys are encrypted locally Protected by separate password Restricted by RBAC privileges 4. Apply keys to decrypt traffic Not restricted to port 443 Can change port to 80 if desired 5. GigaVUE forwards clear packets to tools and/or GigaVUE applies intelligence to decrypted traffic Flow Mapping Other GigaSMART operations

20 Service Chain with Other GigaSMART Apps DELIVER RELEVANT TRAFFIC AFTER DECRYPTION Physical Web Server Connect Requests to NPM / CEM Virtual GigaVUE-VM GigaVUE-VM Tunnel Termination Flow Mapping SSL Decryption Adaptive Packet Filtering Remote site traffic to DLP East-West traffic between virtual workloads to IDS Service chain multiple GigaSMART applications before / after SSL decryption Flexible definition of service chains based on flows of interest Benefit: multiple operational and security tools can share common access to the Visibility Fabric ; each can customize flows of interest to that tool 20

21 Service Chain with Other GigaSMART Apps MASK / SLICE OFF SENSITIVE DATA TO ENSURE VISIBILITY WITH CONFIDENTIALITY Physical Virtual GigaVUE-VM GigaVUE-VM Tunnel Termination Flow Mapping SSL Decryption Packet Slicing Packet Masking Web Server Connect Requests to NPM / CEM Remote site traffic to DLP East-West traffic between virtual workloads to IDS Use Packet Slicing to deliver only portion of traffic without sensitive information Use Packet Masking to mask out sensitive information in a packet - for example: credit card info, called party, etc. Supports PCI compliance in e-commerce without compromising visibility for security 21

22 Unified Visibility Fabric Applications Third Party Applications, SDN Controller Integration, etc Applications & Tools Infrastructure, User Community API API API Fabric Control (Management) GigaVUE-FM API API Fabric Services Flow Mapping Traffic Intelligence FlowVUE De-duplication GTP Correlation NetFlow Generation SSL Decryption Clustering Inline Bypass Packet Slicing Masking Header Stripping Tunneling Adaptive Packet Filtering Visibility Fabric Nodes (Pervasive visibility across physical, virtual, remote sites, and future SDN production networks) H Series GigaVUE-HC2 GigaVUE-HD8 GigaVUE-HD4 GigaVUE-HB1 TA Series GigaVUE-TA1 GigaVUE-OS on white box Virtual Visibility GigaVUE-VM TA Ps G-TAP G-TAP BiDi G-TAP A Series Embedded TAPs G Series GigaVUE-2404 GigaVUE-420 G-SECURE-0216 * APIs: Future 22

23 Bridging the Gap 23

24 Build from Previous Slide VISIBILITY FABRIC ECOSYSTEM PARTNERS Network Security and Vulnerability Management 24

25 Summary: Best-in-Class Security Deployment RECOMMENDATIONS TO MAXIMIZE ENVELOPE OF THREAT PROTECTION Maximize tool efficacy Increase scale of security monitoring Add, Remove, and Upgrade tools seamlessly Consolidate multiple points of failure into a single, bypass-protected solution Integrate Inline, Out-of-Band, and Flow-based tools into a multi-tiered, zero-trust security strategy 25

26 Active Visibility for Multi-Tiered Security The changing nature of cyber threats requires a fundamentally new security delivery architecture GigaVUE-TA + GigaVUE-VM for reach and location independence SSL to decrypt masquerading malware NetFlow to reduce large volumes of traffic to intelligent data Inline bypass for actionable security Gigamon provides a security delivery platform that is essential for comprehensive security! 26