The Network Design and Equipment Deployment Lifecycle

As we all know, technology has a life cycle of birth, early adoption, mainstream, and then obsoletion. Even the average consumer is very in touch with this lifecycle. However, within this overarching lifecycle there are “mini” lifecycles. One of these mini lifecycles that is particularly important to enterprises is the network design and equipment deployment lifecycle. This lifecycle is the basic roadmap of how equipment gets deployed within a company data network and key a topic of concern for IT personnel. While it’s its own lifecycle, it also aligns with the typical ITIL services of event management, incident management, IT operations management, and continual service improvement.

There are 5 primary stages to the network design and equipment deployment lifecycle: pre-deployment, installation and commissioning, assurance monitoring, troubleshooting, and decommissioning. I’ll disregard the decommissioning phase in this discussion as removing equipment is fairly straightforward. The other four phases are more interesting for the IT department.
The adjacent diagram shows a map of the four fundamental components within this lifecycle. The pre-deployment phase is typically concerned with lab verification of the equipment and/or point solution. During this phase, IT spends time and effort to ensure that the equipment/solution they are receiving will actually resolve the intended pain point.

During the installing and commissioning phase, the new equipment is installed, turned on, configured, connected to the network and validated to ensure that the equipment is functioning correctly. This is typically the least costly phase to find set-up problems. If those initial set-up problems are not caught and eliminated here, it is much harder and more costly to isolate those problems in the troubleshooting phase.

The assurance monitoring stage is the ongoing maintenance and administration phase. Equipment is monitored on an as-needed or routine basis (depending upon component criticality) to make sure that it’s functioning correctly. Just because alarms have not been triggered doesn’t mean the equipment is functioning optimally. Changes may have occurred in other equipment or the network that are propagating into other equipment downstream and causing problems. The assurance monitoring stage is often linked with proactive trend analysis, service level agreement validation, and quality of service inspections.

Troubleshooting is obviously the reactionary portion of the lifecycle devoted to fixing equipment and network problems so that the network can return to an optimized, steady state condition. Most IT personnel are extremely familiar with this stage as they battle equipment failures, security threats and network outages due to equipment problems and network programming changes.

Ixia understands this lifecycle well and it’s one of the reasons that it acquired Breaking Point and Anue Systems during 2012. We have capabilities to help the IT department in all four of the aspects of the network design and equipment deployment lifecycle. These tools and services are focused to directly attack key metrics for IT:

• Decrease time-to-market for solutions to satisfy internal projects
• Decrease mean-time-to-repair metrics
• Decrease downtime metrics
• Decrease security breach risks
• Increase business competitiveness

The exact solution to achieve customer-desired results varies. Some simple examples include the following:

• Using the NTO monitoring switch to give your monitoring tools the right information to gain the network visibility you need
• Using the NTO simulator to test filtering and other changes before you deploy them on your network
• Deploying the Ixia Storm product to assess your network security and also to simulate threats so that you can observe how your network will respond to security threats
• Deploying various Ixia network testing tools (IxChariot, IxNetwork) to characterize the new equipment and network during the pre-deployment phase

Additional Resources:

Ixia Solutions

Network Monitoring

Related Products

Ixia Network Tap Ixia Net Optics network taps provide access for security and network management devices.	Net Tool Optimizers Out-of-band traffic aggregation, filtering, dedup, load balancing

Thanks to Ixia for the article.

The Importance of State

Ixia recently added passive SSL decryption to the ATI Processor (ATIP). ATIP is an optional module in several of our Net Tool Optimizer (NTO) packet brokers that delivers application-level insight into your network with details such as application ID, user location, and handset and browser type. ATIP gives you this information via an intuitive real-time dashboard, filtered application forwarding, and rich NetFlow/IPFIX.

Adding SSL decryption to ATIP was a logical enhancement, given the increasing use of SSL for both enterprise applications and malware transfer – both things that you need to see in order to monitor and understand what’s going on. For security, especially, it made a lot of sense for us to decrypt traffic so that a security tool can focus on what it does best (such as malware detection).

When we were starting our work on this feature, we looked around at existing solutions in the market to understand how we could deliver something better. After working with both customers and our security partners, we realized we could offer added value by making our decrypted output easier to use.

Many of our security partners can either deploy their systems inline (traffic must pass through the security device, which can selectively drop packets) or out-of-band (the security device monitors a copy of the traffic and sends alerts on suspicious traffic). Their flexible ability to deploy in either topology means they’re built to handle fully stateful TCP connections, with full TCP handshake, sequence numbers, and checksums. In fact, many will flag an error if they see something that looks wrong. It turns out that many passive SSL solutions out there produce output that isn’t fully stateful and can flag errors or require disabling of certain checks.

What exactly does this mean? Well, a secure web connection starts with a 3-way TCP handshake (see this Wikipedia article for more details), typically on port 443, and both sides choose a random starting sequence (SEQ) number. This is followed by an additional TLS handshake that kicks off encryption for the application, exchanging encryption parameters. After the encryption is nailed up, the actual application starts and the client and server exchange application data.

When decrypting and forwarding the connection, some of the information from the original encrypted connection either doesn’t make sense or must be modified. Some information, of course, must be retained. For example, if the security device is expecting a full TCP connection, then it expects a full TCP handshake at the beginning of the connection – otherwise packets are just appearing out of nowhere, which is typically seen as a bad thing by security devices.

Next, in the original encrypted connection, there’s a TLS handshake that won’t make any sense at all if you’re reading a cleartext connection (note that ATIP does forward metadata about the original encryption, such as key length and cipher, in its NetFlow/IPFIX reporting). So when you forward the cleartext stream, the TLS handshake should be omitted. However, if you simply drop the TLS handshake packets from the stream, then the SEQ numbers (which keep count of transmitted packets from each side) must be adjusted to compensate for their omission. And every TCP packet includes a checksum that must also be recalculated around the new decrypted packet contents.

If you open up the decrypted output from ATIP, you can see all of this adjustment has taken place. Here’s a PCAP of an encrypted Netflix connection that has been decrypted by ATIP:

You’ll see there are no out-of-sequence packets, and no indication of any dropped packets (from the TLS handshake) or invalid checksums. Also note that even though the encrypted connection was on port 443, this flow analysis shows a connection on port 80. Why? Because many analysis tools will expect encrypted traffic on port 443 and cleartext traffic on port 80. To make interoperability with these tools easier, ATIP lets you remap the cleartext output to the port of your choice (and a different output port for every encrypted input port). You might also note that Wireshark shows SEQ=0. That’s not the actual sequence number; Wireshark just displays a 0 for the first packet of any connection so you can use the displayed SEQ number to count packets.

The following ladder diagram might also help to make this clear:

To make Ixia’s SSL decryption even more useful, we’ve also added a few other new features. In the 1.2.1 release, we added support for Diffie Helman keys (previously, we only supported RSA keys), as well as Elliptic Curve ciphers. We’ve also added reporting of key encryption metadata in our NetFlow/IPFIX reporting:

As you can see, we’ve been busy working on our SSL solution, making sure we make it as useful, fast, and easy-to-use as possible. And there’s more great stuff on the way. So if you want to see new features, or want more information about our current products or features, just let us know and we’ll get on it.

More Information

ATI Processor Web Portal

Wikipedia Article: Transmission Control Protocol (TCP)

Wikipedia Article: Transport Layer Security (TLS)

Thanks to Ixia for the article.

Ixia Taps into Hybrid Cloud Visibility

One of the major issues that IT organizations have with any form of external cloud computing is that they don’t have much visibility into what is occurring within any of those environments.

To help address that specific issue, Ixia created its Net Tool Optimizer, which makes use of virtual and physical taps to provide visibility into cloud computing environments. Now via the latest upgrade to that software, Ixia is providing support for both virtual and physical networks while doubling the number of interconnects the hardware upon which Net Tool Optimizer runs can support.

Deepesh Arora, vice president of product management for Ixia, says providing real-time visibility into both virtual and physical networks is critical, because in the age of the cloud, the number of virtual networks being employed has expanded considerably. For many IT organizations, this means they have no visibility into either the external cloud or the virtual networks that are being used to connect them.

The end goal, says Arora, should be to use Net Tool Optimizer to predict what will occur across those hybrid cloud computing environments, but also to enable IT organizations to use that data to programmatically automate responses to changes in those environments.

Most IT organizations find managing the network inside the data center to be challenging enough. With the additional of virtual networks that span multiple cloud computing environments running inside and outside of the data center, that job is more difficult than ever. Of course, no one can manage what they can’t measure, so the first step toward gaining visibility into hybrid cloud computing environments starts with something as comparatively simple as a virtual network tap.

Thanks to IT Business Edge for the article.

Ixia Exposes Hidden Threats in Encrypted Mission-Critical Enterprise Applications

Delivers industry’s first visibility solution that includes stateful SSL decryption to improve application performance and security forensics

Ixia (Nasdaq: XXIA), a leading provider of application performance and security resilience solutions, announced it has extended its Application and Threat Intelligence (ATI) Processor™ to include stateful, bi-directional SSL decryption capability for application monitoring and security analytics tools. Stateful SSL decryption provides complete session information to better understand the transaction as opposed to stateless decryption that only provides the data packets. As the sole visibility company providing stateful SSL decryption for these tools, Ixia’s Visibility Architecture™ solution is more critical than ever for enterprise organizations looking to improve their application performance and security forensics.

“Together, FireEye and Ixia offer a powerful solution that provides stateful SSL inspection capabilities to help protect and secure our customer’s networks,” said Ed Barry, Vice President of Cyber Security Coalition for FireEye.

As malware and other indicators of compromise are increasingly hidden by SSL, decryption of SSL traffic for monitoring and security purposes is now more important for enterprises. According to Gartner research, for most organizations, SSL traffic is already a significant portion of all outbound Web traffic and is increasing. It represents on average 15 percent to 25 percent of total Web traffic, with strong variations based on the vertical market.1 Additionally, compliance regulations such as the PCI-DSS and HIPAA increasingly require businesses to encrypt all sensitive data in transit. Finally, business applications like Microsoft Exchange, Salesforce.com and Dropbox run over SSL, making application monitoring and security analytics much more difficult for IT organizations.

Enabling visibility without borders – a view into SSL

In June, Ixia enabled seamless visibility across physical, virtual and hybrid cloud data centers. Ixia’s suite of virtual visibility products allows insight into east-west traffic running across the modern data center. The newest update, which includes stateful SSL decryption, extends security teams’ ability to look into encrypted applications revealing anomalies and intrusions.

Visibility for better performance – improve what you can measure

While it may enhance security of transferred data, encryption also limits network teams’ ability to inspect, tune and optimize the performance of applications. Ixia eliminates this blind spot by providing enterprises with full visibility into mission critical applications.

The ATI Processor works with Ixia’s Net Tool Optimizer® (NTO™) solution and brings a new level of intelligence to network packet brokers. It is supported by the Ixia Application & Threat Intelligence research team, which provides fast and accurate updates to application and threat signatures and application identification code. Additionally, the new capabilities will be available to all customers with an ATI Processor and an active subscription.

To learn more about Ixia’s latest innovations read:

ATI processor

Encryption – The Next Big Security Threat

Thanks to Ixia for the article.

Encryption: The Next Big Security Threat

As is common in the high-tech industry, fixing one problem often creates another. The example I’m looking at today is network data encryption. Encryption capability, like secure sockets layer (SSL), was devised to protect data packets from being read or corrupted by non-authorized users. It’s used on both internal and external communications between servers, as well as server to clients. Many companies (e.g. Google, Yahoo, WebEx, Exchange, SharePoint, Wikipedia, E*TRADE, Fidelity, etc.) have turned this on by default over the last couple of years.

Unfortunately, encryption is predicted to become the preferred choice of hackers who are creating malware and then using encrypted communications to propagate and update the malware. One current example is the Zeus botnet, which uses SSL communications to upgrade itself. Gartner Research stated in their report “Security Leaders Must Address Threats From Rising SSL Traffic” that by 2017, 50% of malware threats will come from using SSL encrypted traffic. This will create a serious blind spot for enterprises. Gartner also went on to state that less than 20% of firewalls, UTM, and IPS deployments support decryption. Both of these statistics should be alarming to anyone involved in network security.

And it’s not just Zeus you need to look out for. There are several types of growing encrypted malware threats. The Gartner report went on to mention two more instances (one being a Boston Marathon newsflash) of encryption being misused by malware threats. Other examples exist as well: the Gameover Trojan, Dyre, and a new Upatre variant just found in April.

Another key point to understand is that “just turning on encryption” isn’t a simple, low-cost fix, especially when using 2048-bit RSA keys that have been mandated since January 1, 2014. NSS labs ran a study and found that the decryption capability in typical firewalls reduced the throughput of the firewalls by up to 74%. The study also found an average performance loss of 81% across all eight vendors that they evaluated. Turning on encryption/decryption capabilities will cost you—both in performance and in higher network costs.

And, it gets worse! Firewalls, IPS’ and other devices are usually only deployed at the edge of enterprise networks. The internal network communications between server to sever and server to client often go unexamined within many enterprises. These internal communications can be up to 80% of your encrypted traffic. Once the malware gets into your network, it uses SSL to camouflage its activities. You’ll never know about it—data can be exfiltrated, virus’ and worms can be released, or malicious code can be installed. This is why you need to look at internally encrypted traffic as well. Constant vigilance is now the order of the day.

One way to implement constant vigilance is for IT teams is to spot check their network data to see if there are hidden threats. Network packet brokers (NPBs) that support application intelligence with SSL decryption are a good solution. Application intelligence is the ability to monitor packets based on application type and usage. It can be used to decrypt network packets and dynamically identify the applications running (along with malware) on a network. And since the decryption is performed on out-of-band monitoring data, there is no performance impact.

An easy answer to gain visibility, especially for internally encrypted traffic, is to deploy the Ixia ATI Processor. The Ixia ATI Processor uses bi-directional, stateful decryption capability, and allows you to look at both encrypted internal and external communications. Once the monitoring data is decrypted, application filtering can be applied and the information can be sent to dedicated, purpose-built monitoring tools (like an IPS, IDS, SIEMs, network analyzers, etc.).

Ixia’s Application and Threat Intelligence (ATI) Processor, built for the NTO 7300 and also the NTO 6212 standalone model, brings intelligent functionality to the network packet broker landscape with its patent pending technology that dynamically identifies all applications running on a network. This product gives IT organizations the insights needed to ensure the network works—every time and everywhere. This visibility product extends past Layer 4 through to Layer 7 and provides rich data regarding the behavior and locations of users and applications in the network.

As new network security threats emerge, the ATI Processor helps IT improve their overall security with better intelligence for their existing security tools. The ATI Processor correlates applications with geography and can identify compromised devices and malicious activities such as Command and Control (CNC) communications from malicious botnet activities. IT organizations can now dynamically identify unknown applications, identify security threats from suspicious applications and locations, and even audit for security policy infractions, including the use of prohibited applications on the network or devices.

To learn more, please visit the ATI Processor product page or contact us to see a demo!

Additional Resources:

Application and Threat Intelligence (ATI) Processor

NTO 7300

NTO 6212

Solution Focus Category

Network Visibility

Thanks to Ixia for the article.

Advanced Packet Filtering with Ixia’s Advanced Filtering Modules (AFM)

An important factor in improving network visibility is the ability to pass the correct data to monitoring tools. Otherwise, it becomes very expensive and aggravating for most enterprises to sift through the enormous amounts of data packets being transmitted (now and in the near future). Bandwidth requirements are projected to continue increasing for the foreseeable future – so you may want to prepare now. As your bandwidth needs increase, complexity increases due to more equipment being added to the network, new monitoring applications, and data filtering rule changes due to additional monitoring ports.

Network monitoring switches are used to counteract complexity with data segmentation. There are several features that are necessary to perform the data segmentation needed and refine the flow of data. The most important features needed for this activity are: packet deduplication, load balancing, and packet filtering. Packet filtering, and advanced packet filtering in particular, is the primary workhorse feature for this segmentation.

While many monitoring switch vendors have filtering, very few can perform the advanced filtering that adds real value for businesses. In addition, filtering rules can become very complex and require a lot of staff time to write initially and then to maintain as the network constantly changes. This is time and money wasted on tool maintenance instead of time spent on quickly resolving network problems and adding new capabilities to the network requested by the business.

Basic Filtering

Basic packet filtering consists of filtering the packets as they either enter or leave the monitoring switch. Filtering at the ingress will restrict the flow of data (and information) from that point on. This is most often the worst place to filter as tools and functionality downstream from this point will never have access to that deleted data, and it eliminates the ability to share filtered data to multiple tools. However, ingress filtering is commonly used to limit the amount of data on the network that is passed on to your tool farm, and/or for very security sensitive applications that wish to filter non-trusted information as early as possible.

The following list provides common filter criteria that can be employed:

• Layer 2
  • MAC address from packet source
  • VLAN
  • Ethernet Type (e.g. IPv4, IPv6, Apple Talk, Novell, etc.)
• Layer 3
  • DSCP/ECN
  • IP address
  • IP protocol ( ICMP, IGMP, GGP, IP, TCP, etc.)
  • Traffic Class
  • Next Header
• Layer 4
  • L4 port
  • TCP Control flags

Filters can be set to either pass or deny traffic based upon the filter criteria.

Egress filters are primarily meant for fine tuning of data packets sent to the tool farm. If an administrator tries to use these for the primary filtering functionality, they can easily run into an overload situation where the egress port is overloaded and packets are dropped. In this scenario, aggregated data from multiple network ports may be significantly greater than the egress capacity of the tool port.

Advanced Filtering

Network visibility comes from reducing the clutter and focusing on what’s important when you need it. One of the best ways to reduce this clutter is to add a monitoring switch that can remove duplicated packets and perform advanced filtering to direct data packets to the appropriate monitoring tools and application monitoring products that you have deployed on your network. The fundamental factor to achieve visibility is to get the right data to the right tool to make the right conclusions. Basic filtering isn’t enough to deliver the correct insight into what is happening on the network.

But what do we mean by “advanced filtering”? Advanced filtering includes the ability to filter packets anywhere across the network by using very granular criteria. Most monitoring switches just filter on the ingress and egress data streams.

Besides ingress and egress filtering, operators need to perform packet processing functions as well, like VLAN stripping, VNtag stripping, GTP stripping, MPLS stripping, deduplication and packet trimming.

Ixia’s Advanced Feature Modules

The Ixia Advanced Feature Modules (AFM) help network engineers to improve monitoring tool performance by optimizing the monitored network traffic to include only the essential information needed for analysis. In conjunction with the Ixia Net Tool Optimizer (NTO) product line, the AFM module has sophisticated capability that allows it to perform advanced processing of packet data.

Advanced Packet Processing Features

• Packet De-Duplication – A normally configured SPAN port can generate multiple copies of the same packet dramatically reducing the effectiveness of monitoring tools. The AFM16 eliminates redundant packets, at full line rate, before they reach your monitoring tools. Doing so will increase overall tool performance and accuracy.
• Packet Trimming – Some monitoring tools only need to analyze packet headers. In other monitoring applications, meeting regulatory compliance requires tools remove sensitive data from captured network traffic. The AFM16 can remove payload data from the monitored network traffic, which boosts tool performance and keeps sensitive user data secure.
• Protocol Stripping – Many network monitoring tools have limitations when handling some types of Ethernet protocols. The AFM16 enables monitoring tools to monitor required data by removing GTP, MPLS, VNTag header labels from the packet stream.
• GTP Stripping – Removes the GTP headers from a GTP packet leaving the tunneled L3 and L4 headers exposed. Enables tools that cannot process GTP header information to analyze the tunneled packets.
• NTP/GPS Time Stamping – Some latency-sensitive monitoring tools need to know when a packet traverses a particular point in the network. The AFM16 provides time stamping with nanosecond resolution and accuracy.

Additional Resources:

Ixia Advance Features Modules

Ixia Visibility Architecture

Thanks to Ixia for the article.

How Not to Rollout New Ideas, or How I Learned to Love Testing

I was recently reading an article in TechCrunch titled “The Problem With The Internet Of Things,” where the author lamented how bad design or rollout of good ideas can kill promising markets. In his example, he discussed how turning on the lights in a room, through the Internet of Things (IoT), became a five step process rather than the simple one step process we currently use (the light switch).

This illustrates the problem between the grand idea, and the practicality of the market: it’s awesome to contemplate a future where exciting technology impacts our lives, but only if the realities of everyday use are taken into account. As he effectively state, “Smart home technology should work with the existing interfaces of households objects, not try to change how we use them.”

Part of the problem is that the IoT is still just a nebulous concept. Its everyday implications haven’t been worked out. What does it mean when all of our appliances, communications, and transportation are connected? How will they work together? How will we control and manage them? Details about how the users of exciting technology will actually participate in the experience is the actual driver of technology success. And too often, this aspect is glossed over or ignored.

And, once everything is connected, will those connections be a door for malware or hacktivists to bypass security?

Part of the solution to getting new technology to customers in a meaningful way, that is both a quality end user experience AND a profitable model for the provider, is network validation and optimization. Application performance and security resilience are key when rolling out, providing, integrating or securing new technology.

What do we mean by these terms? Well:

• Application performance means we enable successful deployments of applications across our customers’ networks
• Security resilience means we make sure customer networks are resilient to the growing security threats across the IT landscape

Companies deploying applications and network services—in a physical, virtual, or hybrid network configuration—need to do three things well:

• Validate. Customers need to validate their network architecture to ensure they have a well-designed network, properly provisioned, with the right third party equipment to achieve their business goals.
• Secure. Customers must secure their network performance against all the various threat scenarios—a threat list that grows daily and impacts their end users, brand, and profitability.

(Just over last Thanksgiving weekend, Sony Pictures was hacked and five of its upcoming pictures leaked online—with the prime suspect being North Korea!)

• Optimize. Customers seek network optimization by obtaining solutions that give them 100% visibility into their traffic—eliminating blind spots. They must monitor applications traffic and receive real-time intelligence in order to ensure the network is performing as expected.

Ixia helps customers address these pain points, and achieve their networking goals every day, all over the world. This is the exciting part of our business.

When we discuss solutions with customers, no matter who they are— Bank of America, Visa, Apple, NTT—they all do three things the same way in their networks:

• Design—Envision and plan the network that meets their business needs
• Rollout—Deploy network upgrades or updated functionality
• Operate—Keep the production network seamlessly providing a quality experience

These are the three big lifecycle stages for any network design, application rollout, security solution, or performance design. Achieving these milestones successfully requires three processes:

• Validate—Test and confirm design meets expectations
• Secure— Assess the performance and security in real-world threat scenarios
• Optimize— Scale for performance, visibility, security, and expansion

So when it comes to new technology and new applications of that technology, we are in an amazing time—evidenced by the fact that nine billion devices will be connected to the Internet in 2018. Examples of this include Audio Video Bridging, Automotive Ethernet, Bring Your Own Apps (BYOA), etc. Ixia sees only huge potential. Ixia is a first line defense to creating the kind of quality customer experience that ensures satisfaction, brand excellence, and profitability.

Additional Resources:

Article: The Problem With The Internet Of Things

Ixia visibility solutions

Ixia security solutions

Thanks to Ixia for the article.

Will You Find the Needle in the Haystack? Visibility with Overlapping Filters

When chasing security or performance issues in a data center, the last thing you need is packet loss in your visibility fabric. In this blog post I will focus on the importance of how to deal with multiple tools with different but overlapping needs.

Dealing with overlapping filters is critical, in both small and large visibility fabrics. Lost packets occur when filter overlaps are not properly considered. Ixia’s NTO is the only visibility platform that dynamically deals with all overlaps to ensure that you never miss a packet. Ixia Dynamic Filters ensure complete visibility to all your tools all the time by properly dealing with “overlapping filters.” Ixia has over 7 years invested in developing and refining the filtering architecture of NTO, it’s important to understand the problem of overlapping filters.

What are “overlapping filters” I hear you ask? This is easiest explained with a simple example. Let’s say we have 1 SPAN port, 3 tools, and each tool needs to see a subset of traffic:

Sounds simple, we just want to describe 3 filter rules:

• Tool 1 wants a copy of all packets on VLAN 1-3
• Tool 2 wants a copy of all packets containing TCP
• Tool 3 wants a copy of all packets on VLAN 3-6

Notice the overlaps. For example a TCP packet on VLAN 3 should go to all three tools. If we just installed these three rules we would miss some traffic because of the overlaps. This is because once a packet matches a rule the hardware takes the forwarding action and moves on to examine the next packet.

This is what happens to the traffic when overlaps are ignored. Notice that while the WireShark tool gets all of its traffic because its rule was first in the list, the NikSun and Juniper tools will miss some packets. The Juniper IDS will not see any of the traffic on VLANs 1-6, and the Niksun will not receive packets on VLAN 3. This is bad.

To solve this we need to describe all the overlaps and put them in the right order. This ensures each tool gets a full view of the traffic. The three overlapping filters above result in seven unique rules as shown below. By installing these rules in the right order, each tool will receive a copy of every relevant packet. Notice we describe the overlaps first as the highest priority.

Sounds simple but remember this was a very simple example. Typically there are many more filters, lots of traffic sources, multiple tools, and multiple users of the visibility fabric. As well changes need to happen on the fly easily and quickly without impacting other tools and users.

A simple rule list quickly explodes into thousands of discrete rules. Below you can see two tools and three filters with ranges that can easily result in 1300 prioritized rules. Not something a NetOps engineer needs to deal with when trying to debug an outage at 3am!

Consider a typical visibility fabric with 50 taps, eight tools, and one operations department with three users. Each user needs to not impact the traffic of other users, and each user needs to be able to quickly select the types of traffic they need to secure and optimize in the network.

With traditional rules-based filtering this becomes impossible to manage.

Ixia NTO is the only packet broker that implements Dynamic Filters; other visibility solutions implement rules with a priority. This is the result of many years of investment in filtering algorithms. Here’s the difference:

• Ixia Dynamic Filters are a simple description of the traffic you want, without any nuance of the machine that selects the traffic for you, other filter interactions, or the complications brought by overlaps.
• Priority-based rules are lower level building blocks of filters. Rules require the user to understand and account for overlaps and rule priority to select the right traffic. Discrete rules quickly become headaches for the operator.

Ixia Dynamic Filters remove all the complexity by creating discrete rules under the hood, and a filter may require many discrete rules. The complex mathematics required to determine discrete rules and priority are calculated in seconds by software, instead of taking days of human work. Ixia invented the Dynamic filter more than seven years ago, and has been refining and improving it ever since. Dynamic Filtering software allows us to take into account the most complex filtering scenarios in a very simple and easy-to-manage way.

Another cool thing about Ixia Dynamic filter software is that it becomes the underpinnings for an integrated drag and drop GUI and REST API. Multiple users and automation tools can simultaneously interact with the visibility fabric without fear of impacting each other.

Some important characteristics of Ixia’s Dynamic Filtering architecture:

NTO Dynamic Filters handle overlaps automatically—No need to have a PhD to define the right set of overlapping rules.

NTO Dynamic Filters have unlimited bandwidth—Many ports can aggregate to a single NTO filter which can feed multiple tools, there will be no congestion or dropped packets.

NTO Dynamic Filters can be distributed—Filters can span across ports, line cards and distributed nodes without impact to bandwidth or congestion.

NTO allows a Network Port to connect to multiple filters—You can do this:

NTO has 3 stage filtering—Additional filters at the network and tool ports.

NTO filters allow multiple criteria to be combined using powerful boolean logic—Users can pack a lot of logic into a single filter. Each stage supports Pass and Deny AND/OR filters with ‘Source or Destination’, session, and multi-part uni/bi-directional flow options. Dynamic filters also support passing any packets that didn’t match any other Pass filter, or that matched all Deny filters.

NTO Custom Dynamic Filters cope with offsets intelligently—filter from End of L2 or start of L4 Payload skipping over any variable length headers or tunnels. Important for dealing with GTP, MPLS, IPv6 header extensions, TCP options, etc.

NTO Custom Dynamic Filters handle tunneled MPLS and GTP L3/L4 fields at line rate on any port—use pre-defined custom offset fields to filter on MPLS labels, GTP TEIDs, and inner MPLS/GTP IP addresses and L4 ports on any standard network port interface.

NTO provides comprehensive statistics at all three filter stages—statistics are so comprehensive you can often troubleshoot your network based on the data from Dynamic filters alone. NTO displays packet/byte counts at the input and output of each filter along with rates, peak, and charts. The Tool Management View provides a detailed breakdown of the packets/bytes being fed into a tool port by its connected network ports and dynamic filters.

In summary the key benefits you get with Ixia Dynamic filters are:

• Accurately calculates required rules for overlapping filters, 100% of the time.
• Reduces time taken to correctly configure rules from days to seconds.
• Removes human error when trying to get the right traffic to the right tool.
• Hitless filter installation, doesn’t drop a single packet when filters are installed or adjusted
• Easily supports multiple users and automation tools manipulating filters without impacting each other
• Fully automatable via a REST API, with no impact on GUI users.
• Robust and reliable delivery of traffic to security and performance management tools.
• Unlimited bandwidth, since dynamic filters are implemented in the core of the ASIC and not on the network or tool port.
• Significantly less skill required to manage filters, no need for a PhD.
• Low training investment, managing the visibility fabric is intuitive.
• More time to focus on Security Resilience and Application Performance

Additional Resources:

Ixia Visibility Architecture

Thanks to Ixia for the article. 

Ixia’s Virtual Visibility with ControlTower and OpenFlow

Ixia is announcing support for OpenFlow SDN in Ixia’s ControlTower architecture. Our best-in-breed Visibility Architecture now extends data center visibility by taking advantage of a plethora of qualified OpenFlow hardware.

ControlTower is our innovative platform for distributed visibility launched nearly two years ago. This solution manages a cluster of our Net Tool Optimizers (NTOs) as if you were managing a single logical NTO. At the time of its launch, we leveraged Software Defined Networking (SDN) concepts to achieve powerful distributed monitoring for data centers and campus networks. The drag and drop GUI, advanced packet processing, and patented filter compiler allow multiple users to manage and optimize traffic across the cluster without interfering with each other. We had great response from customers to the ControlTower concept; they loved how we took very complex routing and rules calculation problems and boiled them down to an easy-to-use, single-pane-of-glass GUI (or API) even when spanning across multiple NTOs.

Our announcement takes ControlTower one giant leap further by allowing qualified OpenFlow switches to become members of a ControlTower cluster, incorporating them under one powerful and simple management console, extending powerful network visibility capabilities throughout the data center. You don’t need to be an OpenFlow expert, just hook up your OpenFlow switches and we take care of the complicated management. You get all the benefits of our straightforward GUI and advanced features for the entire cluster.

We heard from many customers that scalable, cost-effective network visibility is critical to operating a secure and high performance data center. They need analytics tools that access any segment of the network quickly and easily. Monitored traffic must be filtered and optimized to ensure tools are used efficiently. Customers need to focus on optimizing application performance and heading off security issues in every part of their data center, not managing switch ACL’s, CLI’s, forwarding rulesets, interconnects, etc.

Ixia responded by enhancing ControlTower to recognize OpenFlow devices, allowing customers to scale our powerful visibility features across hundreds of OpenFlow ports. Today, ControlTower is qualified to work with HP, Dell, and Arista OpenFlow switches—and we will expand the list further in the future.

This addition to the ControlTower platform is exciting for several reasons:

• The powerful advanced features of ControlTower can now be applied across more of your network for greater visibility.
• You don’t need to be conversant in OpenFlow or deploy an SDN controller, we take care of all the complexity in managing the OpenFlow switches. Just hook them up and our clever software takes control of the configuration details.
• We provide RESTful API for integration with automation.
• You can apply features such as Dynamic Filters, Packet Deduplication, ATIP (Application Threat Intelligence Processor), TimeStamping, Packet Trimming, and Traffic Shaping to any traffic in the cluster.
• OpenFlow is ubiquitous with Ethernet switch vendors, presenting tremendous range of deployment options
• OpenFlow helps future proof your visibility architecture by incorporating future developments in speed, density and capacity.
• You have the flexibility to share precious switching hardware and rack space between production and visibility networks.
• You can easily partition a switch, with some OpenFlow ports for network visibility and some ports for normal production traffic. The production partition doesn’t even need to run OpenFlow, it can be a basic L2 Ethernet switch!
• You can easily provision more visibility ports dynamically as your network expands or changes.
• Ixia’s extensive OpenFlow expertise enabled us to make this advancement. Ixia was first in the testing of OpenFlow technologies with our IxNetwork product several years ago, and we have been very active in development of the OpenFlow standard.

Customers who have seen this new feature set have been very excited. ControlTower’s OpenFlow capabilities will help them reach all the corners of their data center, and provide a new flexibility to deploy network resources how they wish with all benefits of an end-to-end Network Visibility Architecture.

Additional Resources:

NTO ControlTower

Network Visibility Architecture

Thanks to Ixia for the article.

Ixia Extends Visibility Architecture with Native OpenFlow Integration

Ixia (Nasdaq: XXIA), a leading provider of application performance and security resilience solutions, announced an update to its ControlTower distributed network visibility platform that includes support for OpenFlow enabled switches from industry leading manufacturers. ControlTower OpenFlow support has at present been interoperability tested with Arista, Dell and HP OpenFlow enabled switches.

“Dell is a leading advocate for standards such as Openflow on our switching platforms to enable rich and innovative networking applications,” said Arpit Joshipura, Vice President, Dell Networking. “With Ixia choosing to support our Dell Networking switches within its ControlTower management framework, Dell can extend cost-effective visibility and our world-class services to our enterprise customers.”

Ixia’s enhanced ControlTower platform takes a unique open-standards based approach to significantly increase scale and flexibility for network visibility deployments. The new integration makes ControlTower the most extensible visibility solution on the market. This allows customers to leverage SDN and seamlessly layer the sophisticated management and advanced processing features of Ixia’s Net Tool Optimizer® (NTO) family of solutions on top of the flexibility and baseline feature set provided by OpenFlow switches.

“Data centers benefit from the power and flexibility that OpenFlow switches can provide but cannot afford to lose network visibility,” said Shamus McGillicuddy, Senior Analyst, Network Management at Enterprise Management Associates. “However organizations can use these same SDN-enabled switches with a visibility architecture to ensure that their existing monitoring and performance management tools can maintain visibility.”

Key highlights of the expanded visibility architecture include:

• Ease of use, advanced processing functions and single pane of glass configuration through Ixia’s NTO user interface and purpose-built hardware
• Full programmability and automation control using RESTful APIs
• Patented automatic filter compiler engine for hassle-free visibility
• Architectural support for line speeds from 1Gbps to 100Gbps in a highly scalable design
• Open, standards-based integration with the flexibility to use a variety of OpenFlow enabled hardware and virtual switch platforms
• Dynamic repartitioning of switch ports between production switching and visibility enablement to optimize infrastructure utilization

“This next-generation ControlTower delivers solutions that leverage open standards to pair Ixia’s field-proven visibility architecture with best of breed switching, monitoring and security platforms,” added Deepesh Arora, Vice President of Product Management at Ixia. These solutions will provide our customers the flexibility needed to access, aggregate and manage their business-critical networks for the highest levels of application performance and security resilience.”

About Ixia’s Visibility Architecture

Ixia’s Visibility Architecture helps companies achieve end-to-end visibility and security in their physical and virtual networks by providing their tools with access to any point in the network. Regardless of network scale or management needs, Ixia’s Visibility Architecture delivers the control and simplicity necessary to improve the usefulness of these tools.

Thanks to Ixia for the article.