WHITEPAPER

Modern Packet Recorder: Enhancing Data Security and Privacy Compliance

OVERVIEW
In response to the stringent corporate governance and compliance requirements for how IT data is secured, controlled, and kept private, all industries need a network packet recording strategy. Network packet recording offers rich information on who, what, why, and how IT data is being consumed. Security, forensic, and troubleshooting teams rely on data recorded from the network when investigating corporate fraud, data privacy violations, security intrusions, and employee misconduct. And as businesses continue down the path of digital transformation, whether with online retailing, cars, IoT devices, smartphones, fitness devices, or any of the multitude of other connected devices, recording will only grow in importance. How application data is shared, secured, and consumed needs to be tightly audited.

Further, security attacks can happen anywhere, on any edge device; as such, almost every device needs to be observed. This requires a strategy where all devices can be monitored and recorded. The network offers the best location for monitoring and recording, especially within the data center, as the data center is ground zero for data breaches, security intrusions, and application misbehavior.

Today's data centers are on steroids compared to 10 years ago. Traffic is measured in terabits, server connections are typically 10 or 25 Gbps, and network uplinks are 100 Gbps, with 400 Gbps uplinks on the horizon. This raises the bar for recording and retrieving data at wire rate.

Packet Recording: Doing More with Less


PACKET RECORDING CHALLENGES
It is unrealistic to permanently record every packet that crosses the wire within the data center. The resources required are simply cost prohibitive; moreover, most of this data is already stored at the application level within storage systems. On the other hand, it is imperative to detect and record any and all suspicious activity, as well as activity that must be kept for auditing, accounting, and compliance. Furthermore, it must be possible to query the recorded data rapidly while recording continues, to meet real-time security and operations requirements. The main challenges are:

1. How does recording scale as network bandwidth increases? While recording there should be no packet drops, or the integrity of the record is compromised.
2. How do you separate the good traffic from the bad and record only the bad? Good traffic can easily dwarf the bad and oversubscribe the recorder until it has no capacity left.
3. How do you interpret the recorded data and feed it into different analytic tools, again while concurrently recording? Forwarding data while recording can easily oversubscribe the recorder.
4. How do you protect your investment in packet recorders when the operations team requests upgrades every year? Operations teams have to constantly refresh their recording appliances as the volume and speed of traffic grows 2X per year.

A SCALABLE PACKET RECORDING ARCHITECTURE
An SDN-powered visibility fabric, in which recording policies are programmed centrally and the recorder nodes are fully integrated into the policy definitions and managed by the controller, addresses the recording challenges above. With this approach, security, compliance, and network operations teams choose the traffic they want filtered and forwarded to the recorder. This is administered centrally via the SDN controller, using production-grade open networking switches and industry-standard x86 servers. Further, an SDN-powered visibility fabric can scale horizontally and load-balance traffic across the recorder nodes attached to the fabric. Replaying packets back out of the recorder carries very little overhead, as the fabric handles distribution to a single tool or to multiple tools, again under the controller's direction.

Figure 1: Big Mon Recorder Node Architecture (diagram). Labels recovered from the figure: the production network (DC/campus; any vendor, any topology, any virtual machine, any container) feeding TAP/SPAN ports, including remote locations connected over L2-GRE; a 1/10/25/40/100G Ethernet switch fabric managed by the Big Mon Controllers; Big Mon Service Nodes (optional) providing de-duplication, packet slicing, packet masking, header stripping, regex match, NetFlow generation, software-based timestamping, GTP correlation and UDP replication; optional 3rd-party service nodes; a Big Mon Analytics Node (scale-out to multi-terabytes); Big Mon Recorder Nodes (scale-out to multi-petabytes; easy to use, high performance; feature-rich querying and replay functions; integrated/centralized configuration and operational workflows; runs on an open-vendor, x86 server-based appliance); and centralized tools (network performance monitoring, application performance monitoring, security tools, VoIP monitoring, traffic recorders).

ADVANTAGES OF AN SDN-POWERED VISIBILITY FABRIC FOR PACKET RECORDING
Beyond better feeds and speeds and the horizontal scale-out described above, the SDN approach offers the following:

Immense simplicity: IT teams can add switches and monitoring tools without another piece of equipment to manage, because all orchestration, configuration, and troubleshooting, including cloud-based and remote locations, is done through a single-pane-of-glass dashboard.

On-the-fly traffic steering based on real-time threats: From the SDN controller, traffic from any edge point can be steered towards the recorder within seconds, to record a security event as it unfolds.

Removing payloads and recording only header data: The SDN fabric can address bandwidth and storage scalability by filtering out the traffic payload, which is not needed unless the IT team is searching the capture for malware signatures, for instance. Stripping it out saves storage, reduces the amount of sensitive payload retained (which helps with privacy compliance), and lowers bandwidth demands. The trade-off is that a header-only record cannot be searched for payload content afterwards, so the decision to strip has to be made per policy before the traffic is captured.

Closed-loop machine learning and autonomous control: The SDN fabric has a centralized "brain" where network policies are programmed and acted upon by the controller. Included within this brain is an analytics node that can detect traffic anomalies. The analytics node can send triggers to the controller to automatically forward the network packets associated with those anomalies to the recorder node. This automates what is typically an event- or alert-driven workflow, in which a network operator receives an SMS message to start recording packets and goes into firefighting mode.
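The payload-stripping idea above is simple to state but easy to get wrong at the byte level: a slicer that assumes a fixed 34- or 54-byte header keeps payload when a VLAN tag, IPv4 options or TCP options are present, and keeps too little when they are not. The following is an added example, not Big Switch code and not a description of how the Big Mon packet-slicing service works; it uses only the Python standard library and builds its sample frames inline. The addresses, ports and option block it uses are placeholders chosen for the demonstration.

```python
"""Header-only packet slicing: keep the Ethernet/802.1Q, IPv4 and TCP/UDP
headers of a frame and drop everything after them.

Added example (standard library only); it is not Big Switch code and does
not reflect how the Big Mon fabric implements its slicing service.  The
frames below are constructed inline for the demonstration.
"""
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
IPPROTO_TCP = 6
IPPROTO_UDP = 17
# NOP, NOP, NOP, NOP, MSS=1460: an 8-byte TCP option block, used to show
# that slicing honours the TCP data offset instead of assuming 20 bytes.
TCP_MSS_OPTION = b"\x01\x01\x01\x01\x02\x04\x05\xb4"


def header_length(frame: bytes) -> int:
    """Number of leading bytes of `frame` that are L2/L3/L4 headers.

    Handles an optional single 802.1Q tag, IPv4 options (IHL) and TCP
    options (data offset).  For L4 protocols other than TCP/UDP the IPv4
    header is the last thing kept.  Raises ValueError for non-IPv4 or
    truncated frames so the caller decides whether to drop them or keep
    them whole, rather than silently retaining payload.
    """
    off = 14
    if len(frame) < off:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        off += 4
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")

    if len(frame) < off + 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, proto = frame[off], frame[off + 9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(frame) < off + ihl:
        raise ValueError("bad IPv4 IHL")
    off += ihl

    if proto == IPPROTO_TCP:
        if len(frame) < off + 20:
            raise ValueError("truncated TCP header")
        data_off = (frame[off + 12] >> 4) * 4
        if data_off < 20 or len(frame) < off + data_off:
            raise ValueError("bad TCP data offset")
        return off + data_off
    if proto == IPPROTO_UDP:
        if len(frame) < off + 8:
            raise ValueError("truncated UDP header")
        return off + 8
    return off


def slice_to_headers(frame: bytes) -> bytes:
    """Return the frame truncated after its transport header.

    The IPv4 total-length and UDP length fields still describe the original
    packet; a pcap writer must store the sliced size as the captured length
    (caplen) and the original size as the wire length.
    """
    return frame[:header_length(frame)]


def build_frame(payload: bytes, proto: int, vlan: Optional[int] = None,
                tcp_options: bytes = b"") -> bytes:
    """Construct an Ethernet/IPv4/{TCP,UDP,other} frame for the demo
    (placeholder MACs, 10.0.0.1 -> 10.0.0.2, checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    if proto == IPPROTO_TCP:
        data_off = (20 + len(tcp_options)) // 4          # in 32-bit words
        l4 = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_off << 4,
                         0x18, 65535, 0, 0) + tcp_options
    elif proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    else:
        l4 = b""
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4 + payload


if __name__ == "__main__":
    http = build_frame(b"GET /login?user=alice HTTP/1.1\r\n", IPPROTO_TCP)
    kept = slice_to_headers(http)
    print(f"{len(http)} bytes on the wire, {len(kept)} kept; "
          f"payload present: {b'alice' in kept}")
```

The parser raises rather than guessing on anything it does not understand (IPv6, truncated frames); in a real slicer that decision should be an explicit policy, because "keep the whole frame on parse failure" quietly defeats the privacy goal while "drop on parse failure" quietly loses evidence.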

In summary, a software-defined, controller-based network offers six significant benefits:

1. Simplicity
2. A scale-out architecture that the customer can continually add to without increasing management touch points
3. A REST API-driven controller, giving customers the flexibility to add or enhance per their needs and systems
4. Agility in orchestration, troubleshooting, deployment, and upgrade scenarios
5. Cost savings, because there is just one infrastructure enterprise-wide
6. More options for performance-level equipment that does not need to be replaced every two years, even with cloud and DevOps as the big disrupters

BIG MON RECORDER NODES: AN INTEGRATED SOLUTION THAT OFFERS SCALABILITY, AGILITY, AND INNOVATION
This controller-based architecture is inspired by the design principles that hyperscale organizations like Google and Facebook pioneered to implement a logical, scale-out, open-vendor switch architecture that uses intent-based principles to deliver simplicity and agility at unprecedented scale. Enterprise data centers can take advantage of this architecture too. Big Switch Networks' Big Monitoring Fabric is a highly scalable monitoring fabric built from white-box switches, an open operating system, and an intelligent controller layer. Multiple Big Mon Recorder Nodes can then be attached to the unified fabric for high-performance packet recording, querying, and replay.


Each recorder node is essentially an open-hardware x86 server. The IT team defines a policy through the controller dictating that traffic from a particular interface or IP address be sent to the recorder, with the option of stripping off the payload before it is sent. More data can be stored, and stored faster (at line rate), with faster access to the recorded data and with query results from the recorder nodes correlated so that they are presented to the user as one unified capture. The first phase of the Big Mon Recorder Node offers 160TB of storage and one 10G interface. Like a home security camera, the Big Mon Recorder Node keeps the data from defined events separate and cyclically overwrites the rest of the recording, lessening the need for data centers to buy more storage. The end result is that the recorder node in this SDN architecture delivers scalability, ease of management, and cost savings in operations and equipment. This configuration brings another benefit: the Big Mon Recorder Node is integrated not only with the controllers but also with the Big Mon Analytics Node, giving the IT team a launching point for analytics.
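The security-camera retention model described above has one failure mode a practitioner should plan for: every byte pinned to an event is a byte the rolling window can no longer overwrite, so a store that accumulates pinned events shrinks its lookback until new traffic is refused outright. The example below is added here to make that behaviour concrete; it is not Big Switch code, and nothing on the page describes how the Big Mon Recorder Node lays out or indexes its storage, so the byte accounting and the RollingRecorder, record, pin_window and query names are assumptions made for illustration.

```python
"""Retention model of a 'security camera' packet recorder: a fixed-size
store that continuously overwrites its oldest unpinned data, while
records attached to a declared event are pinned and survive the rollover.

Added example, not Big Switch code.  The page does not describe how the
Big Mon Recorder Node stores or indexes data, so the byte accounting and
API below (RollingRecorder, record, pin_window, query) are assumptions.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    seq: int                      # monotonically increasing capture number
    ts: float                     # capture timestamp (seconds)
    data: bytes                   # the (possibly sliced) frame
    event: Optional[str] = None   # None => rolling; otherwise pinned


class RollingRecorder:
    def __init__(self, capacity_bytes: int) -> None:
        self.capacity = capacity_bytes
        self.used = 0        # bytes held, rolling + pinned
        self.dropped = 0     # records refused because pinned data left no room
        self._seq = 0
        self._rolling: Deque[Record] = deque()        # oldest first
        self._pinned: Dict[str, List[Record]] = {}    # event -> records

    def pinned_bytes(self) -> int:
        return sum(len(r.data) for recs in self._pinned.values() for r in recs)

    def _make_room(self, size: int) -> bool:
        """Overwrite (evict) the oldest rolling records until `size` bytes
        fit.  Pinned records are never evicted, so this can fail."""
        while self.used + size > self.capacity and self._rolling:
            self.used -= len(self._rolling.popleft().data)
        return self.used + size <= self.capacity

    def record(self, ts: float, data: bytes, event: Optional[str] = None) -> bool:
        """Store one frame.  Returns False (and counts a drop) when pinned
        events have consumed the whole store: the condition an operator
        must alarm on, because the rolling window has shrunk to nothing."""
        if not self._make_room(len(data)):
            self.dropped += 1
            return False
        rec = Record(self._seq, ts, data, event)
        self._seq += 1
        if event is None:
            self._rolling.append(rec)
        else:
            self._pinned.setdefault(event, []).append(rec)
        self.used += len(data)
        return True

    def pin_window(self, event: str, ts_from: float, ts_to: float) -> int:
        """Retroactively attach rolling records with ts in [ts_from, ts_to]
        to `event`, e.g. when an alert fires and the seconds leading up to
        it must not roll off.  Returns the number of records pinned."""
        kept: Deque[Record] = deque()
        moved: List[Record] = []
        for r in self._rolling:
            (moved if ts_from <= r.ts <= ts_to else kept).append(r)
        self._rolling = kept
        if moved:
            self._pinned.setdefault(event, []).extend(
                Record(r.seq, r.ts, r.data, event) for r in moved)
        return len(moved)

    def rolling_span(self) -> Optional[Tuple[float, float]]:
        """Oldest and newest timestamp still in the rolling store."""
        if not self._rolling:
            return None
        return (self._rolling[0].ts, self._rolling[-1].ts)

    def query(self, ts_from: float = float("-inf"), ts_to: float = float("inf"),
              event: Optional[str] = None) -> List[Record]:
        """Records in a time range, from one event or from everything held."""
        if event is None:
            source = list(self._rolling) + [
                r for recs in self._pinned.values() for r in recs]
        else:
            source = self._pinned.get(event, [])
        return sorted((r for r in source if ts_from <= r.ts <= ts_to),
                      key=lambda r: r.seq)


if __name__ == "__main__":
    rec = RollingRecorder(capacity_bytes=1000)      # toy capacity
    for t in range(20):                              # constructed traffic
        rec.record(float(t), bytes(100))
    rec.pin_window("alert-1", 15.0, 17.0)
    for t in range(20, 25):
        rec.record(float(t), bytes(100))
    print("rolling window:", rec.rolling_span(),
          "pinned bytes:", rec.pinned_bytes(), "dropped:", rec.dropped)
```

With a 1000-byte store and 100-byte records, pinning three records shrinks the rolling window from ten records to seven; the `dropped` counter and `rolling_span()` are the two numbers worth exporting to monitoring, since a recorder that is "full of evidence" looks healthy until the next incident arrives and cannot be captured.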

Benefits of an integrated Big Mon Recorder Node:

1. Easy to use, easy to scale out, and high performing
2. Integrated/centralized configuration and operational workflows
3. Feature-rich querying and replay functions
4. High-performance, line-rate recorder using an optimized x86 server architecture
5. Auto-discovery of the recorder by the controller
6. Integration with the analytics node
7. Line-rate capture performance
8. High-performance querying
9. NTP/PTP-based timestamping
10. Programmable/scriptable, since the recorder supports a REST API

CONCLUSION
Nearly every part of your enterprise needs network packet recording for performance, compliance, and security. But that does not mean you have to waste budget and resources on redundant equipment. An open-vendor SDN architecture can unite your entire network under one fabric and overcome the common scalability, management, and price obstacles, while leveraging the systems currently in place. It overcomes the common pain points of current approaches to deploying packet recorders while giving the packet recorder a complete, network-wide view, optimizing the effectiveness of that monitoring tool. It is a system that provides the scalability, ease of management, and value that data centers need now and into the future. To learn more about a single-fabric solution with an integrated recorder node for your network, call 650-332-6510 or visit www.bigswitch.com


ABOUT BIG SWITCH NETWORKS
Big Switch Networks is the Next-Generation Data Center Networking Company. We disrupt the status quo of networking by designing intelligent, automated and flexible networks for our customers around the world. We do so by leveraging the principles of software-defined networking (SDN), coupled with a choice of industry-standard hardware. Big Switch Networks has two solutions: Big Monitoring Fabric, a Next-Generation Network Packet Broker, which enables pervasive security and monitoring of data center and cloud traffic for inline or out-of-band deployments, and Big Cloud Fabric, the industry's first Next-Generation switching fabric that allows for choice of switching hardware for OpenStack, VMware, Container and Big Data use cases. Big Switch Networks is headquartered in Santa Clara, CA, with offices located in Tokyo, Melbourne, London and Istanbul. For additional information, email [email protected], follow @bigswitch, or visit www.bigswitch.com. Big Switch Networks, Big Cloud Fabric, Big Monitoring Fabric, Big Mon Recorder Packet, and Big Mon Analytics Node are trademarks or registered trademarks of Big Switch Networks, Inc. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

Headquarters 3965 Freedom Circle, Suite 300, Santa Clara, CA 95054

+1.650.322.6510 TEL +1.800.653.0565 TOLL FREE

www.bigswitch.com [email protected]

Copyright 2018 Big Switch Networks, Inc. All rights reserved. Big Switch Networks, Big Cloud Fabric, Big Monitoring Fabric, Switch Light OS, and Switch Light VX are trademarks or registered trademarks of Big Switch Networks, Inc. All other trademarks, service marks, registered marks or registered service marks are the property of their respective owners. Big Switch Networks assumes no responsibility for any inaccuracies in this document. Big Switch Networks reserves the right to change, modify, transfer or otherwise revise this publication without notice. BSN_WP_Analytics_Node_v1 (April 2018)
