The Data-in-Motion Dilemma
The IT challenge for most organisations involves the rise in volumes of data and fast delivery of data over diverse networks that span physical, virtual and cloud environments to connect to billions of devices. At the same time, they face growing numbers of varied, advanced and aggressive threats such as malware and ransomware. The result is an ever-expanding universe of complexity, cost and risk. Current approaches to managing, monitoring and securing critical infrastructure only raise the complexity, cost and risk.
The network is a rich source of data in motion. However, the sheer volume of network traffic is so high that advanced tool sets for security, performance management and analytics that need to inspect the data in motion cannot directly ingest the data without being overwhelmed. In a September 2016 survey conducted by ESG Research*, findings showed:
- 85% of respondents: complexity of network security operations had increased significantly.
- 75% of respondents: need better network visibility than what they currently have in place.
*ESG Research Report on Behalf of Gigamon, Sept. 2016
Pervasive traffic visibility is the best solution.
An Innovative Solution:
The Data-in-Motion Visibility Platform
With pervasive traffic visibility, organisations will be much better equipped to meet the requirements of advanced tool sets by delivering the relevant data to cybersecurity, performance management and analytic tools. This is achieved by creating a new pre-processing layer – typically called a monitoring fabric or visibility layer – that sits in the infrastructure between the network and the tools that need to analyse the data in motion. This pre-processing layer extracts the data in motion from any point in the network and intelligently filters, correlates and delivers the relevant data to each security, monitoring and management system. The delivered data could be network traffic in the form of raw packets, meaningful extracted metadata, specific application flows/sessions or transformed traffic (e.g. masking of sensitive data in traffic or decrypted network traffic).
Cyberseer is installing the Gigamon Visibility Platform into customers' infrastructures, delivering pervasive visibility into data in motion across the entire network – physical, virtual, public/private/hybrid cloud, and remote sites. This visibility layer is agnostic to choices made in the network or tooling layers and supports the network optimisation and security needs of organisations of all types and sizes.
Key Benefits of a Visibility Platform
There are three key benefits of the Gigamon data-in-motion Visibility Platform:
1. Manage, consolidate and automate traffic delivery to tools.
2. Deliver relevant data to maximise performance of monitoring and security tools.
3. Gain full transparency into what’s happening on the network.
Armed with pervasive traffic visibility, organisations can maximise current investments, support IT security operations, deliver better, faster service to high-value customers and make better, faster decisions.
Overview of the Visibility Platform:
Figure 1: Gigamon Data-in-Motion Visibility Platform
Contact us to learn more about key elements of the Visibility Platform:
Physical and virtual nodes (appliances or software) distributed across critical parts of the infrastructure.
Visibility nodes are offered in a variety of hardware and software form factors to provide a range of services in the Visibility Platform.
- Physical visibility nodes vary from multi-terabit custom hardware appliances with rich traffic intelligence to entry-level traffic aggregators (including visibility software running on a white box).
- Hardware appliances offer intelligent visibility and are modular to meet a variety of requirements such as space, traffic volume and functionality/cost. Traffic intelligence enables organizations to extract meaningful information and insight from any network, regardless of the volumes of network traffic.
- Network TAPs provide the ability to gain non-intrusive access to network traffic at various network speeds: 1Gb, 10Gb, 40Gb, and 100Gb. TAPs can be active, passive, or embedded in custom appliances. Specialized network TAPs to handle Cisco 40Gb BiDi links are also available.
- Visibility nodes may also be deployed in software form factors to gain visibility into virtual/private cloud and public cloud infrastructure.
- Extend visibility within virtual networks and monitor traffic between virtual machines. Virtual visibility will be particularly important in future cloud and NFV environments, where the disaggregation of critical infrastructure components increases the need for visibility.
- Public cloud Infrastructure-as-a-Service (IaaS) offers special challenges because of its multi-tenant nature. The Gigamon Visibility Platform provides a consistent method to gain access to traffic in the public cloud infrastructure such as Amazon Web Services (AWS) and distributes relevant data to tools resident in the public cloud or on-premise.
The visibility nodes can be distributed at critical locations in the infrastructure to form a distributed fabric (also referred to as the Visibility Fabric). The core of the Visibility Platform is powered by a common operating system, GigaVUE-OS, which offers several foundational services:
- Flow Mapping® technology patented by Gigamon identifies and directs incoming traffic flows of interest to tools based on user-defined policies. Flow Mapping allows multi-tenant access and segregation of monitored traffic and policies by providing advanced role-based management.
- Clustering enables multiple visibility nodes to be administered as a single logical entity. An important attribute of clustering is the ability to extend traffic intelligence anywhere in the cluster by combining intelligent visibility nodes with traffic aggregators.
- Inline bypass bridges the performance gap between the network and critical inline security tools (e.g. Intrusion Prevention Systems, Web Application Firewalls, etc.). Using this capability, visibility nodes can detect and distribute traffic of interest to inline security tools. Inline bypass solves a critical pain point for both security operations and network operations.
Powered by GigaSMART for pervasive intelligent visibility.
Gigamon’s patented GigaSMART traffic intelligence provides stateful and packet optimisation functions that run as software applications on high-performance compute engines in the visibility nodes. GigaSMART applications are an integral part of the Visibility Platform as they help maximise the performance of the overall tooling infrastructure. Key GigaSMART applications include:
- Packet Slicing / Masking: Slice/mask confidential information before sending network packets to a monitoring tool.
- Header Stripping: Remove extraneous headers to deliver normalised IP packets to monitoring tools.
- Adaptive Packet Filtering: Filter across advanced encapsulation headers found in network traffic, including VxLAN, VN-Tag, MPLS, etc., and inner (encapsulated) Layer 3/Layer 4 packet contents. Such pre-processing enables tools to receive traffic in a normalised IP format or extract tenant-specific traffic.
- Application Session Filtering: Builds upon Adaptive Packet Filtering by extracting entire application sessions of interest. Application Session Filtering is useful in identifying traffic corresponding to applications with unique signatures even if those signatures are found in only a few packets in that session. One example use case is identifying entire video traffic streams and offloading them so that they are not processed by overloaded tools.
- De-duplication: Remove duplicate instances of the same packet (monitored at different points in the infrastructure) from being sent to the tools. De-duplication eliminates unnecessary traffic processing by tools.
- SSL Decryption: Offload the decryption function from tools and instead offer decryption as a centralised service on the Visibility Platform. Significant cost, performance and administration efficiencies are obtained in the tooling layer by decrypting SSL traffic on the Visibility Platform instead of decrypting SSL traffic on each analytic tool.
- NetFlow and Metadata Generation: Generate un-sampled NetFlow/IPFIX/metadata records along with additional context-aware metadata extensions to feed security information and event management (SIEM) tools and other collectors. Generating such records on the Visibility Platform offloads the network, enables generation of NetFlow records from traffic anywhere in the infrastructure, and permits addition of custom metadata elements. Metadata extensions such as URL info found in HTTP records, DNS transaction metadata, SSL certificate info, and HTTP response codes are invaluable in detecting anomalous activities over time.
- FlowVUE®: Provides subscriber-based IP sampling that enables existing tools to connect to high-speed networks. FlowVUE also allows white-listing of subscribers of interest to extract traffic from specific subscribers for SLA management or attachment of specific services.
- GTP (GPRS Tunneling Protocol) Correlation: Correlate traffic between user and data planes in 3G and 4G/LTE mobile networks. This correlation enables mobile service providers to get subscriber-aware visibility in their monitoring infrastructure.
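The de-duplication idea from the list above, as an added Python illustration (not Gigamon's code or algorithm): the same packet captured at two points differs in its Ethernet header, TTL and IP header checksum, so the fingerprint ignores those fields. The untagged Ethernet/IPv4 framing, the 50 ms window and all sample frames are assumptions constructed for this example.

```python
import hashlib
import struct
from collections import OrderedDict

ETH_LEN = 14  # assumption: untagged Ethernet II frames carrying IPv4


def fingerprint(frame: bytes) -> bytes:
    """Hash only the parts of an IPv4 packet that survive routing unchanged."""
    ip = bytearray(frame[ETH_LEN:])  # MAC addresses differ per segment
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return hashlib.sha256(frame).digest()  # not IPv4: exact match only
    ip[8] = 0                # TTL is decremented by every router
    ip[10:12] = b"\x00\x00"  # header checksum is recomputed with the TTL
    return hashlib.sha256(bytes(ip)).digest()


class Deduplicator:
    """Drop a packet whose fingerprint was already seen within `window` s."""

    def __init__(self, window: float = 0.05):
        self.window = window
        self.seen = OrderedDict()  # fingerprint -> first-seen timestamp

    def accept(self, ts: float, frame: bytes) -> bool:
        # Expire entries older than the window; the oldest sit at the front.
        while self.seen and next(iter(self.seen.values())) < ts - self.window:
            self.seen.popitem(last=False)
        fp = fingerprint(frame)
        if fp in self.seen:
            return False
        self.seen[fp] = ts
        return True


def make_frame(src_mac, dst_mac, ttl, payload):
    """Constructed sample frame: Ethernet + 20-byte IPv4 header + payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                     ttl, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 1, 9]))
    return dst_mac + src_mac + b"\x08\x00" + ip + payload


def demo():
    a = make_frame(b"\xaa" * 6, b"\xbb" * 6, 64, b"query-1")  # tap before router
    b = make_frame(b"\xcc" * 6, b"\xdd" * 6, 63, b"query-1")  # same packet, after
    c = make_frame(b"\xaa" * 6, b"\xbb" * 6, 64, b"query-2")  # different packet
    d = Deduplicator(window=0.05)
    # The last call re-sends `a` outside the window, so it is kept.
    return [d.accept(0.000, a), d.accept(0.001, b), d.accept(0.002, c),
            d.accept(0.500, a)]
```

The window matters for monitoring fidelity: set too wide, genuine retransmissions are dropped as duplicates and never reach the tools.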
Centralised orchestration and common policy framework.
A distributed fabric of nodes that interfaces with so many locations in the infrastructure needs an orchestration element for the Visibility Platform. GigaVUE-FM (Fabric Manager) provides centralised orchestration and a common policy framework for the Visibility Platform. GigaVUE-FM delivers a single-pane-of-glass view of all the physical and virtual nodes in the Visibility Platform with easy-to-use wizards for common operations.
The GigaVUE-FM Fabric Manager features integration with commonly used operational frameworks, IT operational systems and applications. Examples include Amazon Web Services (AWS) Elastic Compute Cloud (EC2), AWS CloudWatch, OpenStack, Splunk, VMware NSX Manager, VMware vCenter, etc. These integrations enable the Visibility Platform to automatically discover changes in the infrastructure being monitored.
In addition to centralised orchestration, GigaVUE-FM features end-to-end topology visualisation, network auto-discovery, fabric-wide reporting with summarised and customisable dashboards, and enhanced monitoring capabilities.
GigaVUE-FM also provides a set of RESTful APIs to integrate with other third-party applications used in a specific environment. Together, these APIs form the basis for Software-Defined Visibility, an open extensible framework for programmability, automation and tool integration.