The High Performance Security Delivery Platform

This past week has been a busy one.  As I wrote in my previous blog, I was SCinet-Racka part of SCinet security team at SC15 in Austin, TX and on Monday we finished 3 weeks of work to bring the network up and while my SCinet security coworkers used the monitoring tools to keep the network safe during the conference, I worked the Gigamon booth on the show floor and visited with current and future Gigamon customers who were either exhibitors or attendees at SC15.

What is a Visibility Fabric?

During my time in the Gigamon SC15 booth, I was asked quite often what our product does?  Some think we are a part of the network infrastructure, and many times we are when our inline solution is deployed, but we are not a Firewall, server load balancer, switch or router.  Others think that we do data analytics, but we are not a malware detection, intrusion detection or prevention, SEIM, Data Loss Prevention, Application Performance Management or Network Performance Management tool.  After I tell them that we don’t do any of these things, then they ask, well what do you do?

We provide a high speed, reliable, configurable pipeline to all of areas of your computing infrastructure where you desire to see the traffic flowing across your network.  Think of it like being in a large room with multiple obstructions preventing you from seeing all areas of that room.  If I stand in one part of the room I can clearly see what is going on around me, but I have limited visibility into the entire room due to obstructions or people standing in the way.  I can observe and attest to what is going on in the area where I am currently located, I can even describe the safety and capacity of the area.  But if I wish to see into other areas, I will need to setup some sort of video camera and a local monitor to provide me with additional visibility.

Where Gigamon Fits in Your Network

A visibility network is pretty similar to the example I provided above.  The security or network performance tool is me standing in the room and can only see the traffic where it is plugged into the network.  In order for that tool to see any other part of the network (room) it needs remote data gathering instruments (TAPs or SPANs) to see the other parts of the network.  If you don’t setup remote data gathering devices then you won’t have visibility to that part of our computing environment.

Most Security, Application and Performance management tools today thrive on access to the actual traffic that is flowing through your network.  The more packets you get to these tools the better analysis they will provide.  Gigamon is the means to get your tools the visibility they need.

Visibility is Key to Security

Being able to see the traffic traveling across your network is key to detecting malicious activity.  Maybe you don’t need to see all parts of your network, so just setup monitoring for those areas of your network where the interesting traffic is traveling across.  Most security and network managers would agree that the links to the Internet should be monitored and the second most common area is your data center.  A good way to determine where to setup your TAPs or SPANs is ask yourself where your traffic flows and secondly, where are my most valuable assets located.  That is where you should be watching.

You can’t protect against what you can’t see.  I may have some outstanding security tools, but unless they get a copy of network traffic from the key areas of my network, they won’t be able see if a malicious actor is trying to steal the valuable information.

The other major threat to visibility is encryption.  While encryption is a very useful technology that protects our valuable data from prying eyes, anything that is used for good can also be used for ill.  Hackers are increasingly using encryption methods to hide their activities within your network.  Having the ability to decrypt encrypted traffic in your network is a valuable tool to consider adding to your security delivery platform.

Security Doesn’t Have to affect Performance

The number one reason why many network and computing professionals resist adding security measures to their network is that they believe it will adversely affect their ability to get their job done or it will degrade the performance of the computing network and thus impacts their end users.

During a time of employment at a major computer manufacturer and software development company, I recall many times when a fellow employee in the company would decide that they wanted to check out the new version of our network management tool and since it was available as a free download to all employees, it would be downloaded and installed.  Then during the initial configuration, the tool would  discover the topolgy of the network, which would interrogate every router and switch asking for SNMP data and for the names and addresses of all routers or switches that router or switch knew of.  This single action would bring the network down.

Luckily great strides have been made to prevent a monitoring tool from

The SCinet Security T-shirt

interfering in the network it is supposed to be helping.  In the SCinet network at SC15, Gigamon provided a critical component of the security monitoring of the network.  The Gigamon visibility fabric acts as a shield to keep the security tools from impacting the performance of the network.  Through the use of four 100 Gig TAPs, thirty two 10 Gig TAPS and one SPAN port, Gigamon obtained a copy of the traffic flowing across all links from the show floor (also known as the commodity network) to the network core as well as the links to the Internet providers.  Based on the path of the movement of data through the SCinet network infrastructure, the data flowing across these links provided the Reservoir Labs RSCOPE Bro servers and the Dell Firewall Sandwich with all the data necessary to  monitor the security of the network.

SCInet-Security-data-flowThe security tools received data that was deduplicated (ensuring only one copy of a given packet made it to the tool) and on selected links, we selected only IPv4 and IPv6 packets and dropped everything else.  We replicated the stream of data and sent an identical copy to the Reservoir Labs Bro servers and the Dell Firewall Sandwich.  Since there was such a large amount of traffic to be analyzed, we load balanced the single stream of data across 24 interfaces on the six Reservoir Labs Bro servers and 12 interfaces on the 6 Dell Sonic Wall Super Massive Firewalls.

Each year one of the most powerful networks in the world, SCinet, is designed to be very fast and support high performance computing for one week out of the year.  Ensuring that SCinet is used for its intended purposes and not compromised or used for illegitimate purposes is an essential task.  The SCinet security team did an amazing job pulling together the best products and the best engineers to accomplish this goal without sacrificing performance.  Looking forward to doing it again next year.