The Importance of State

Ixia recently added passive SSL decryption to the ATI Processor (ATIP). ATIP is an optional module in several of our Net Tool Optimizer (NTO) packet brokers that delivers application-level insight into your network with details such as application ID, user location, and handset and browser type. ATIP gives you this information via an intuitive real-time dashboard, filtered application forwarding, and rich NetFlow/IPFIX.

Adding SSL decryption to ATIP was a logical enhancement, given the increasing use of SSL for both enterprise applications and malware transfer – both things that you need to see in order to monitor and understand what’s going on. For security, especially, it made a lot of sense for us to decrypt traffic so that a security tool can focus on what it does best (such as malware detection).

When we were starting our work on this feature, we looked around at existing solutions in the market to understand how we could deliver something better. After working with both customers and our security partners, we realized we could offer added value by making our decrypted output easier to use.

Many of our security partners can deploy their systems either inline (traffic must pass through the security device, which can selectively drop packets) or out-of-band (the security device monitors a copy of the traffic and alerts on anything suspicious). Because they have to work in either topology, they are built to handle fully stateful TCP connections: a complete handshake, consistent sequence numbers, and valid checksums, and many will flag an error when they see something that looks wrong. It turns out that many passive SSL solutions on the market produce output that isn't fully stateful, so the tool either raises spurious errors or has to have some of its sanity checks disabled.

What exactly does this mean? Well, a secure web connection starts with a 3-way TCP handshake (see this Wikipedia article for more details), typically on port 443, and each side chooses a random initial sequence (SEQ) number. This is followed by a TLS handshake in which client and server negotiate cipher parameters and establish keys. Once encryption is established, the application proper starts and the client and server exchange encrypted application data.

When decrypting and forwarding the connection, some of the information from the original encrypted connection either doesn’t make sense or must be modified. Some information, of course, must be retained. For example, if the security device is expecting a full TCP connection, then it expects a full TCP handshake at the beginning of the connection – otherwise packets are just appearing out of nowhere, which is typically seen as a bad thing by security devices.

Next, the original encrypted connection contains a TLS handshake that makes no sense at all in a cleartext stream (ATIP does forward metadata about the original encryption, such as key length and cipher, in its NetFlow/IPFIX reporting). So when you forward the cleartext stream, the TLS handshake should be omitted. But if you simply drop the handshake packets, the SEQ numbers (which count the bytes each side has transmitted, not the packets) must be adjusted to compensate for the omitted bytes, and the ACK numbers flowing the other way, which refer to the peer's SEQ space, must shift by the same amount. The adjustment also accumulates on every data segment, because the decrypted payload is shorter than the ciphertext it replaces (record headers, MAC or AEAD tags and padding disappear). And every TCP segment carries a checksum that must be recalculated over the new, decrypted contents.

If you open up the decrypted output from ATIP, you can see all of this adjustment has taken place. Here’s a PCAP of an encrypted Netflix connection that has been decrypted by ATIP:

[Figure: Wireshark view of the decrypted Netflix connection]

You’ll see there are no out-of-sequence packets, and no indication of dropped packets (from the omitted TLS handshake) or invalid checksums. Also note that even though the encrypted connection was on port 443, this flow analysis shows a connection on port 80. Why? Because many analysis tools expect encrypted traffic on port 443 and cleartext traffic on port 80, and typically pick their protocol decoder from the port. To make interoperability with these tools easier, ATIP lets you remap the cleartext output to the port of your choice (with a different output port for every encrypted input port). You might also note that Wireshark shows SEQ=0. That’s not the actual sequence number: by default Wireshark displays relative sequence numbers, counting bytes from each side’s initial sequence number, so the first packet of any connection shows 0 and the displayed value is the byte offset into that side’s stream, not a packet count.
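To make the adjustments concrete, here is an added example, written for this page and not ATIP code or Ixia's implementation, of the state repair a passive decryptor has to perform: a Python rewriter that keeps the TCP handshake, omits handshake, ChangeCipherSpec and alert records, replaces application-data records with their plaintext, shifts each side's SEQ by the bytes removed so far and the peer's ACK by the same amount, remaps the server port from 443 to 80, and recomputes the TCP checksum over the new contents. The record "cipher" is a stand-in (a 16-byte tag plus an XOR keystream) so the block runs offline; the IP addresses, ports and TLS record contents are constructed; and the code assumes in-order delivery, whole records per segment and no sequence-number wraparound. `stream_is_consistent` plays the role of the stateful tool, and `naive_drop` shows what a non-stateful decryptor emits.

```python
import socket, struct
from bisect import bisect_right
from collections import namedtuple
TLS_CCS, TLS_ALERT, TLS_HANDSHAKE, TLS_APPDATA = 0x14, 0x15, 0x16, 0x17
SYN, ACK, FIN = 0x02, 0x10, 0x01
TAG_LEN, TOY_KEY = 16, 0x5A  # stand-in record "cipher" (16-byte tag + XOR keystream); not real TLS
Segment = namedtuple("Segment", "src_ip dst_ip sport dport seq ack flags payload", defaults=(b"",))

def _pseudo(src_ip, dst_ip, tcp_len):  # IPv4 pseudo-header that the TCP checksum also covers
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)

def _sum16(buf):  # RFC 1071 one's-complement sum: 16-bit words, end-around carry
    total = sum(struct.unpack("!%dH" % ((len(buf) + 1) // 2), buf + b"\0" * (len(buf) % 2)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def to_wire(seg):  # 20-byte TCP header (no options) + payload, checksum recomputed over the rewritten contents
    hdr = lambda c: struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq & 0xFFFFFFFF,
                                seg.ack & 0xFFFFFFFF, 5 << 4, seg.flags, 65535, c, 0) + seg.payload
    return hdr((~_sum16(_pseudo(seg.src_ip, seg.dst_ip, len(hdr(0))) + hdr(0))) & 0xFFFF)

def checksum_ok(src_ip, dst_ip, wire):  # receiver-side check: sum including the checksum field is all ones
    return _sum16(_pseudo(src_ip, dst_ip, len(wire)) + wire) == 0xFFFF

def record(typ, body): return struct.pack("!BHH", typ, 0x0303, len(body)) + body
def toy_encrypt(pt): return bytes(TAG_LEN) + bytes(b ^ TOY_KEY for b in pt)
def toy_decrypt(body): return bytes(b ^ TOY_KEY for b in body[TAG_LEN:])  # drop the tag, undo the keystream

def parse_records(payload):  # split TLS records; simplification: each segment carries whole records
    out, i = [], 0
    while i + 5 <= len(payload):
        typ, _, ln = struct.unpack("!BHH", payload[i:i + 5])
        out.append((typ, payload[i + 5:i + 5 + ln]))
        i += 5 + ln
    if i != len(payload):
        raise ValueError("record straddles segments; reassemble first")
    return out

def plaintext_of(payload, decrypt):  # application-data records decrypted; handshake/CCS/alert records vanish
    return b"".join(decrypt(body) for typ, body in parse_records(payload) if typ == TLS_APPDATA)

class StateRewriter:
    """Keep the TCP handshake, swap ciphertext for plaintext, shift SEQ/ACK by the bytes removed so far."""
    def __init__(self, server_port=443, out_port=80, decrypt=toy_decrypt):
        self.server_port, self.out_port, self.decrypt = server_port, out_port, decrypt
        self.removed = {}  # side -> [(original end SEQ, cumulative bytes removed up to it)]

    def _delta(self, side, orig_seq):  # bytes removed from this side's stream before orig_seq
        i = bisect_right([end for end, _ in self.removed.get(side, [])], orig_seq)
        return self.removed[side][i - 1][1] if i else 0

    def rewrite(self, seg):
        me, peer = (seg.src_ip, seg.sport), (seg.dst_ip, seg.dport)
        plain = plaintext_of(seg.payload, self.decrypt)
        new_seq = seg.seq - self._delta(me, seg.seq)                                # own SEQ space
        new_ack = seg.ack - self._delta(peer, seg.ack) if seg.flags & ACK else 0    # peer's SEQ space
        if seg.payload:
            gone = self._delta(me, seg.seq) + len(seg.payload) - len(plain)
            self.removed.setdefault(me, []).append((seg.seq + len(seg.payload), gone))
            if not plain and not seg.flags & (SYN | FIN):
                return None  # handshake-only segment: it disappears from the cleartext stream
        remap = lambda p: self.out_port if p == self.server_port else p
        return seg._replace(seq=new_seq, ack=new_ack, payload=plain, sport=remap(seg.sport), dport=remap(seg.dport))

def decrypt_stream(flow, **kw):
    rw = StateRewriter(**kw)
    return [r for r in map(rw.rewrite, flow) if r is not None]

def naive_drop(flow, decrypt=toy_decrypt):  # non-stateful output: handshake packets gone, SEQ/ACK as captured
    out = [s._replace(payload=plaintext_of(s.payload, decrypt)) for s in flow]
    return [s for s, o in zip(out, flow) if s.payload or not o.payload]

def stream_is_consistent(segs):  # a stateful tool's check: contiguous SEQ per side, ACK == peer's next SEQ
    nxt = {}
    for s in segs:
        me, peer = (s.src_ip, s.sport), (s.dst_ip, s.dport)
        if (me in nxt and s.seq != nxt[me]) or (s.flags & ACK and peer in nxt and s.ack != nxt[peer]):
            return False
        nxt[me] = s.seq + len(s.payload) + (1 if s.flags & (SYN | FIN) else 0)
    return True

def sample_flow():
    """Constructed capture: handshake (ISNs 1000/5000), TLS handshake, one request/response, final ACK."""
    C, S = ("10.0.0.5", 51000), ("203.0.113.10", 443)
    fin = record(TLS_CCS, b"\x01") + record(TLS_HANDSHAKE, toy_encrypt(b"finished"))
    data = [(C, record(TLS_HANDSHAKE, b"\x01" + bytes(40))),        # ClientHello
            (S, record(TLS_HANDSHAKE, b"\x02" + bytes(60)) + fin),  # ServerHello .. Finished
            (C, fin),                                               # client CCS + Finished
            (C, record(TLS_APPDATA, toy_encrypt(b"GET /watch HTTP/1.1\r\nHost: example.test\r\n\r\n"))),
            (S, record(TLS_APPDATA, toy_encrypt(b"HTTP/1.1 200 OK\r\n\r\n")))]
    seg = lambda a, b, seq, ack, fl, pl=b"": Segment(a[0], b[0], a[1], b[1], seq, ack, fl, pl)
    nxt, flow = {C: 1001, S: 5001}, [seg(C, S, 1000, 0, SYN), seg(S, C, 5000, 1001, SYN | ACK), seg(C, S, 1001, 5001, ACK)]
    for src, payload in data:
        dst = S if src is C else C
        flow.append(seg(src, dst, nxt[src], nxt[dst], ACK, payload))
        nxt[src] += len(payload)
    return flow + [seg(C, S, nxt[C], nxt[S], ACK)]
```

Running `decrypt_stream(sample_flow())` yields six segments: the untouched three-way handshake (ports remapped), the cleartext request starting at SEQ 1001 as if no TLS handshake had ever happened, the response, and the final ACK; every segment serialized with `to_wire` verifies under `checksum_ok`, and the stream passes `stream_is_consistent`. The same flow through `naive_drop` fails that check because the first cleartext data segment's SEQ jumps by the length of the omitted ClientHello and Finished records, which is exactly the gap a stateful tool flags.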

The following ladder diagram might also help to make this clear:

[Figure: ladder diagram of the encrypted connection and its decrypted, renumbered output]

To make Ixia’s SSL decryption even more useful, we’ve also added a few other new features. In the 1.2.1 release, we added support for Diffie-Hellman key exchange (previously, we only supported RSA), as well as Elliptic Curve cipher suites. We’ve also added the encryption metadata (cipher and key length) to our NetFlow/IPFIX reporting:

[Figure: NetFlow/IPFIX record carrying the cipher and key-length metadata]

As you can see, we’ve been busy working on our SSL solution, making sure we make it as useful, fast, and easy-to-use as possible. And there’s more great stuff on the way. So if you want to see new features, or want more information about our current products or features, just let us know and we’ll get on it.

More Information

ATI Processor Web Portal

Wikipedia Article: Transmission Control Protocol (TCP)

Wikipedia Article: Transport Layer Security (TLS)

Thanks to Ixia for the article.

Ixia Taps into Visibility, Access and Security in 4G/LTE

The Growing Impact of Social Networking Trends on Lawful Interception

Lawful Interception (LI) is the legal process by which a communications network operator or Service Provider (SP) gives authorized officials access to the communications of individuals or organizations. With security threats mushrooming in new directions, LI is more than ever a priority and major focus of Law Enforcement Agencies (LEAs). Regulations such as the Communications Assistance for Law Enforcement Act (CALEA) mandate that SPs place their resources at the service of these agencies to support surveillance and interdiction of individuals or groups.

CALEA makes Lawful Interception a priority mission for Service Providers as well as LEA; its requirements make unique demands and mandate specific equipment to carry out its high-stakes activities. This paper explores requirements and new solutions for Service Provider networks in performing Lawful Interception.

A Fast-Changing Environment Opens New Doors to Terrorism and Crime

In the past, Lawful Interception was simpler and more straightforward because it was confined to traditional voice traffic. Even in the earlier days of the Internet, it was still possible to intercept a target’s communication data fairly easily.

Now, as electronic communications take on new forms and broaden to a potential audience of billions, data volumes are soaring, and the array of service offerings is growing apace. Lawful Interception Agencies and Service Providers are racing to thwart terrorists and other criminals who have the technological expertise and determination to carry out their agendas and evade capture. This challenge will only intensify with the rising momentum of change in communication patterns.

Traffic patterns have changed: in the past it was easy to identify peer-to-peer applications or chat by their well-known port numbers, and the bad guys had to work harder to evade LI systems. Nowadays, most applications use standard HTTP, and in most cases SSL, to communicate. This puts an extra burden on LI systems, which must identify more targets in larger volumes of data with fewer filtering options.

Social Networking in particular is pushing usage to exponential levels, and today’s lawbreakers have a growing range of sophisticated, encrypted communication channels to exploit. With the stakes so much higher, Service Providers need robust, innovative resources that can contend with a widening field of threats. This interception technology must be able to collect volume traffic and handle data at unprecedented high speeds and with pinpoint security and reliability.

LI Strategies and Goals May Vary, but Requirements Remain Consistent

Today, some countries are using nationwide interception systems while others only dictate policies that providers need to follow. While regulations and requirements vary from country to country, organizations such as the European Telecommunications Standards Institute (ETSI) and the American National Standards Institute (ANSI) have developed technical parameters for LI to facilitate the work of LEAs. The main functions of any LI solution are to access Interception-Related Information (IRI) and Content of Communication (CC) from the telecommunications network and to deliver that information in a standardized format via the handover interface to one or more monitoring centers of law enforcement agencies.

High-performance switching capabilities, such as those offered by the Ixia Director™ family of solutions, should map to the following LI standards in order to be effective: they must be able to isolate suspicious voice, video, or data streams for interception based on IP address, MAC address or other parameters, and they must be able to filter at wire speed. Requirements for supporting Lawful Interception activities include:

  • The ability to intercept all applicable communications of a target without gaps in coverage, including dropped packets; with encrypted traffic, a single missing segment may render a message unreadable or incomplete
  • Total visibility into network traffic at any point in the communication stream
  • Adequate processing speed to match network bandwidth
  • Undetectability, unobtrusiveness, and lack of performance degradation (a red flag to criminals and terrorists on alert for signs that they have been intercepted)
  • Real-time monitoring capabilities, because time is of the essence in preventing a crime or attack and in gathering evidence
  • The ability to provide intercepted information to the authorities in the agreed-upon handoff format
  • Load sharing and balancing of traffic that is handed to the LI system.

From the perspective of the network operator or Service Provider, the primary obligations and requirements for developing and deploying a lawful interception solution include:

  • Cost-effectiveness
  • Minimal impact on network infrastructure
  • Compatibility and compliance
  • Support for future technologies
  • Reliability and security

Ixia’s Comprehensive Range of Solutions for Lawful Interception

This Ixia customer (the “Service Provider”) is a 4G/LTE pioneer that relies on Ixia solutions. Ixia serves the LI architecture by providing the access part of an LI solution in the form of Taps and switches. These contribute functional flexibility and can be configured as needed in many settings. Both the Ixia Director solution family and the iLink Agg™ solution can aggregate traffic from a group of links and pick out conversations with the same IP address pair from any of the links.

Following are further examples of Ixia products that can form a vital element of a successful LI initiative:

Test access ports, or Taps, are devices used by carriers and others to meet the capability requirements of CALEA legislation. Ixia is a global leader in the range and capabilities of its Taps, which provide permanent, passive access points to the physical stream.

Ixia Taps reside in both carrier and enterprise infrastructures to perform network monitoring and to improve both network security and efficiency. They sit in the physical path but are passive: network data is not affected whether the Tap is powered or not. As part of an LI solution, Taps have proven more useful than SPAN ports. If Law Enforcement Agencies must reconfigure a switch to send the right conversations to the SPAN port every time an intercept is required, there is a risk of misconfiguring the switch and its connections. SPAN ports also drop packets when oversubscribed—another significant monitoring risk, particularly for encrypted traffic, where a single missing segment can leave the rest of the stream undecryptable.

Director xStream™ and iLink Agg xStream™ enable deployment of an intelligent, flexible and efficient monitoring access platform for 10G networks. Director xStream’s unique TapFlow™ filtering technology enables LI to focus on select traffic of interest for each tool based on protocols, IP addresses, ports, and VLANs. The robust engineering of Director xStream and iLink Agg xStream enables a pool of 10G and 1G tools to be deployed across a large number of 10G network links, with remote, centralized control of exactly which traffic streams are directed to each tool. Ixia xStream solutions enable law enforcement entities to view more traffic with fewer monitoring tools as well as relieving oversubscribed 10G monitoring tools. In addition, law enforcement entities can share tools and data access among groups without contention and centralize data monitoring in a network operations center.

Director Pro™ and Director xStream Pro data monitoring switches offer law enforcement the ability to perform better pre-filtering via Deep Packet Inspection (DPI) and to home in on a specific phone number or credit card number. These products differ from platforms that can only seek data within fixed portions of the packet: they filter content or perform pattern matching in hardware at wire speed, potentially up to Layer 7. Such DPI can apply filters to a packet, or across multiple packets, at any location, regardless of packet length, how “deep” the data sits, or where within the packet the data to be matched is found.

Thanks to Ixia for the article.

Ixia Taps into Hybrid Cloud Visibility

One of the major issues that IT organizations have with any form of external cloud computing is that they don’t have much visibility into what is occurring within any of those environments.

To help address that specific issue, Ixia created its Net Tool Optimizer, which makes use of virtual and physical taps to provide visibility into cloud computing environments. Now via the latest upgrade to that software, Ixia is providing support for both virtual and physical networks while doubling the number of interconnects the hardware upon which Net Tool Optimizer runs can support.

Deepesh Arora, vice president of product management for Ixia, says providing real-time visibility into both virtual and physical networks is critical, because in the age of the cloud, the number of virtual networks being employed has expanded considerably. For many IT organizations, this means they have no visibility into either the external cloud or the virtual networks that are being used to connect them.

The end goal, says Arora, should be to use Net Tool Optimizer to predict what will occur across those hybrid cloud computing environments, but also to enable IT organizations to use that data to programmatically automate responses to changes in those environments.

Most IT organizations find managing the network inside the data center to be challenging enough. With the addition of virtual networks that span multiple cloud computing environments running inside and outside of the data center, that job is more difficult than ever. Of course, no one can manage what they can’t measure, so the first step toward gaining visibility into hybrid cloud computing environments starts with something as comparatively simple as a virtual network tap.

Thanks to IT Business Edge for the article.

Inline Security Solutions from Ixia

Flexible, Fail-Safe Inline Security Boosts Agility, Availability, and Resilience While Reducing Network Costs

As networks deliver more services and carry ever-higher volumes of multiprotocol traffic, data rates continue to soar. Voice, data, and streaming video now travel on one wire, raising security and compliance issues. Today’s intense threat landscape demands multiple proactive security systems throughout the network for a strong, layered security posture. These proactive devices include firewalls, next-gen firewalls, web-application firewalls, and Intrusion Prevention Systems (IPS)—and all require inline network deployment.

Multiple inline security resources can themselves become points of failure and vulnerability. They raise concerns about network uptime, performance, operational ownership, security flexibility and overall cost. Despite redundancy and other protections, they must be taken offline for upgrades and for scheduled or unscheduled maintenance. Further, if a tool loses power or becomes oversubscribed, the network link can break and traffic cease to flow.

Now, Ixia’s Inline Security Framework offers a proven solution for deploying multiple inline security tools. This smart approach improves your network’s availability, agility, performance, and functionality, while providing greater security, flexibility, and resilience, and lowering overall costs and personnel workloads.

Ixia’s Inline Security Framework protects your network uptime with multiple resources: Bypass switch bi-directional heartbeat monitoring for system, link and power failures ensures uninterrupted network uptime while increasing network availability. Security tool load balancing ensures efficiency while enabling you to leverage existing tool investments and add capacity as needed, rather than investing in a forklift upgrade.

Placing multiple inline security devices behind a single passive bypass switch eliminates network maintenance downtime while providing a pay-as-you-go capacity upgrade path for your changing security needs—dramatically reducing the cost of migrating your 1G tools to a 10G environment, for example.

Ixia Net Optics Bypass Switches offer proven, fail-safe inline protection for your security and monitoring tools. A heartbeat packet protects the network link from application, link, and power failure: if the heartbeat doesn’t return from the appliance, the switch instantly goes into bypass mode and takes that appliance out of the traffic path. With support for 10Mbps to 40Gbps connectivity, you receive automated failover protection on full-duplex traffic streams connected to the monitoring tools. Because the Bypass Switch is passive, link traffic continues to flow even if the Bypass itself loses power. Note that bypass mode is fail-open: while the appliance is out of the path, that link’s traffic is forwarded without inspection, an availability-over-enforcement trade-off you should make deliberately and alert on.
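As an added illustration (written for this page, not the Net Optics firmware), the Python below models the heartbeat logic as a small state machine: a probe goes toward the inline tool every interval, consecutive misses trip bypass, consecutive returns restore the inline path, and a `fail_open` flag shows the difference between bypass (traffic forwarded uninspected) and a fail-closed policy (traffic dropped). The miss and recovery thresholds, the fake appliance and the frames are assumptions of the example, not documented settings.

```python
INLINE, BYPASS = "inline", "bypass"


class BypassSwitch:
    """Heartbeat-driven bypass switch (example model).  While the inline tool returns the probe,
    production frames go through it; after miss_limit consecutive misses the switch goes to
    BYPASS, and after recover_limit consecutive returns it comes back INLINE.  Thresholds and
    the fail_open option are this example's assumptions, not a documented setting."""

    def __init__(self, tool, miss_limit=2, recover_limit=3, fail_open=True):
        self.tool, self.fail_open = tool, fail_open
        self.miss_limit, self.recover_limit = miss_limit, recover_limit
        self.state, self.misses, self.hits, self.events = INLINE, 0, 0, []

    def heartbeat(self):
        """One heartbeat interval: inject a probe toward the tool and see whether it comes back."""
        if self.tool(b"HEARTBEAT") == b"HEARTBEAT":
            self.hits, self.misses = self.hits + 1, 0
            if self.state == BYPASS and self.hits >= self.recover_limit:
                self.state = INLINE
                self.events.append("tool answering again: back inline")
        else:
            self.misses, self.hits = self.misses + 1, 0
            if self.state == INLINE and self.misses >= self.miss_limit:
                self.state = BYPASS
                self.events.append("tool silent for %d intervals: bypass engaged" % self.misses)
        return self.state

    def forward(self, frame):
        """Production traffic.  Returns (frame handed to the far side or None, how it got there)."""
        if self.state == INLINE:
            verdict = self.tool(frame)
            return verdict, "inspected" if verdict is not None else "blocked by tool"
        if self.fail_open:
            return frame, "uninspected"  # link stays up, but nothing is looking at this traffic
        return None, "dropped (fail-closed)"


class FakeTool:
    """Constructed inline appliance: passes frames, blocks ones starting with EVIL, answers nothing when down."""

    def __init__(self):
        self.up = True

    def __call__(self, frame):
        if not self.up:
            return None
        return None if frame.startswith(b"EVIL") else frame


def run_scenario(fail_open=True):
    """Tool healthy, then dead for two intervals, then healthy again; an attack frame is sent in each phase."""
    tool, attack = FakeTool(), b"EVIL payload"
    sw = BypassSwitch(tool, fail_open=fail_open)
    trace = [sw.heartbeat() for _ in range(2)]   # healthy: stays inline
    while_inline = sw.forward(attack)             # the tool blocks it
    tool.up = False
    trace += [sw.heartbeat() for _ in range(2)]  # first miss tolerated, second trips bypass
    while_bypassed = sw.forward(attack)           # the caveat: forwarded uninspected, or dropped if fail-closed
    tool.up = True
    trace += [sw.heartbeat() for _ in range(3)]  # three returns in a row: inline again
    after_recovery = sw.forward(attack)
    return trace, while_inline, while_bypassed, after_recovery, sw.events
```

`run_scenario()` traces inline, inline, inline, bypass, bypass, bypass, inline; the attack frame is blocked while the tool is healthy, passes untouched while the switch is in bypass, and is blocked again after recovery. The hysteresis (two misses to trip, three returns to recover) is there so a single lost heartbeat does not flap the link, which is why a real deployment tunes the interval and thresholds against the tool's worst-case latency.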

Packet Brokers reside behind the bypass switch to provide additional flexibility and control over traffic flow for inline security tools. These packet brokers provide advanced control of traffic as it traverses the security tools, including load balancing, traffic aggregation from multiple links, application filtering, and out-of-band access.

Ixia’s robust Inline Security Solutions give you the confidence of assured inline availability for improved business continuity and network health. Find out more about how our cost-effective inline approach extends the availability and security of your network.


Related Products


Net Optics Bypass Switches

Fail-safe deployments for inline security tools

Security Packet Brokers

Inline traffic aggregation, filtering, failover, and load balancing for security tools

Thanks to Ixia for the article.

NTO Now Provides Twice the Network Visibility

Ixia is proud to announce that we are expanding one of the key capabilities of the Ixia xStream platforms, “Double Your Ports,” to our Net Tool Optimizer (NTO) family of products. As of our 4.3 release, this capability to double the number of network and monitor inputs is available on the NTO platform. If you are not familiar with Double Your Ports, it is a feature that lets you add network or tool ports to your existing NTO by allowing two different devices to share a single port. For example, if you have used all of the ports on your NTO but want to add a new tap, you can enable Double Your Ports so that a Net Optics Tap and a monitoring tool share the same port, one using the RX side and the other the TX side. This is how it works:

Standard Mode

In standard mode, a port behaves normally: when there is a link on the RX side, the TX side operates; when the RX side has no link, the system assumes the TX link is also down.

Loopback Mode

When you designate a port to be loopback, the data egressing on the TX side will forward directly to the RX side of the same port. This functionality does not require a loopback cable to be plugged into the port. The packets will not transmit outside of the device even if a cable is connected.

Simplex Mode

When you designate a port to be in simplex mode, the port’s TX state is not dependent on the RX state. In the standard mode, when the RX side of the port goes down, the TX side is disabled. If you assign a port mode to simplex, the TX state is up when there is a link on the TX even when there is no link on the RX. You could use a simplex cable to connect a TX of port A to an RX of port B. If port A is in simplex mode, the TX will transmit even when the port A RX is not connected.

To “double your ports” you switch the port into simplex mode, then use simplex fiber cables and connect the TX fiber to a security or monitoring tool and the RX fiber to a tap or switch SPAN port. On NTO, the AFM ports such as the AFM 16 support simplex mode allowing you to have 32 connections per module: 16 network inputs and 16 monitor outputs simultaneously (with advanced functions on up to 16 of those connections). The Ixia xStream’s 24 ports can be used as 48 connections: 24 network inputs and 24 monitor outputs simultaneously.

The illustration below shows the RX and TX links of two AFM ports on the NTO running in simplex mode. The first port’s RX is receiving traffic from the Network Tap and the TX is transmitting to a monitoring tool.

The other port (right hand side on NTO) is interconnected to the Network Tap with its RX using a simplex cable whereas its TX is unused (dust-cap installed).

Without simplex mode, this would take up three physical ports on the packet broker. With simplex mode on Ixia’s NTO and xStream packet brokers, the same connections fit in two ports, with room to add another monitoring tool where the dust plug is shown. Expand this across many ports and you double your ports in the same space.

[Figure: two AFM ports in simplex mode; the first port’s RX fed by the Network Tap and its TX feeding the monitoring tool, the second port’s RX fed by the Tap and its TX capped]

Click here to learn more about Ixia’s Net Tool Optimizer family of products.

Additional Resources:

Ixia xStream

Ixia NTO solution

Ixia AFM

Solution Focus Category

Network Visibility

Thanks to Ixia for the article.


How Not to Rollout New Ideas, or How I Learned to Love Testing

I was recently reading an article in TechCrunch titled “The Problem With The Internet Of Things,” where the author lamented how bad design or rollout of good ideas can kill promising markets. In his example, he discussed how turning on the lights in a room, through the Internet of Things (IoT), became a five-step process rather than the simple one-step process we currently use (the light switch).

This illustrates the gap between the grand idea and the practicality of the market: it’s awesome to contemplate a future where exciting technology impacts our lives, but only if the realities of everyday use are taken into account. As he effectively states, “Smart home technology should work with the existing interfaces of household objects, not try to change how we use them.”

Part of the problem is that the IoT is still just a nebulous concept. Its everyday implications haven’t been worked out. What does it mean when all of our appliances, communications, and transportation are connected? How will they work together? How will we control and manage them? Details about how the users of exciting technology will actually participate in the experience are the actual driver of technology success. And too often, this aspect is glossed over or ignored.

And, once everything is connected, will those connections be a door for malware or hacktivists to bypass security?

Part of the solution to getting new technology to customers in a meaningful way, that is both a quality end user experience AND a profitable model for the provider, is network validation and optimization. Application performance and security resilience are key when rolling out, providing, integrating or securing new technology.

What do we mean by these terms? Well:

  • Application performance means we enable successful deployments of applications across our customers’ networks
  • Security resilience means we make sure customer networks are resilient to the growing security threats across the IT landscape

Companies deploying applications and network services—in a physical, virtual, or hybrid network configuration—need to do three things well:

  • Validate. Customers need to validate their network architecture to ensure they have a well-designed network, properly provisioned, with the right third-party equipment to achieve their business goals.
  • Secure. Customers must secure their network against the various threat scenarios—a threat list that grows daily and impacts their end users, brand, and profitability. (Just over last Thanksgiving weekend, Sony Pictures was hacked and five of its upcoming pictures leaked online, with the prime suspect being North Korea.)
  • Optimize. Customers seek network optimization by obtaining solutions that give them 100% visibility into their traffic—eliminating blind spots. They must monitor application traffic and receive real-time intelligence in order to ensure the network is performing as expected.

Ixia helps customers address these pain points, and achieve their networking goals every day, all over the world. This is the exciting part of our business.

When we discuss solutions with customers, no matter who they are— Bank of America, Visa, Apple, NTT—they all do three things the same way in their networks:

  • Design—Envision and plan the network that meets their business needs
  • Rollout—Deploy network upgrades or updated functionality
  • Operate—Keep the production network seamlessly providing a quality experience

These are the three big lifecycle stages for any network design, application rollout, security solution, or performance design. Achieving these milestones successfully requires three processes:

  • Validate—Test and confirm design meets expectations
  • Secure— Assess the performance and security in real-world threat scenarios
  • Optimize— Scale for performance, visibility, security, and expansion

So when it comes to new technology and new applications of that technology, we are in an amazing time—evidenced by forecasts of nine billion devices connected to the Internet by 2018. Examples include Audio Video Bridging, Automotive Ethernet, Bring Your Own Apps (BYOA), etc. Ixia sees only huge potential. Ixia is a first line of defense in creating the kind of quality customer experience that ensures satisfaction, brand excellence, and profitability.

Additional Resources:

Article: The Problem With The Internet Of Things

Ixia visibility solutions

Ixia security solutions

Thanks to Ixia for the article.

Will You Find the Needle in the Haystack? Visibility with Overlapping Filters

When chasing security or performance issues in a data center, the last thing you need is packet loss in your visibility fabric. In this blog post I will focus on how to deal with multiple tools that have different but overlapping needs.

Dealing with overlapping filters is critical in both small and large visibility fabrics: packets are lost when filter overlaps are not properly accounted for. Ixia’s NTO is the only visibility platform that dynamically deals with all overlaps to ensure you never miss a packet; Ixia Dynamic Filters give every tool complete visibility all the time by handling “overlapping filters” for you. Ixia has over seven years invested in developing and refining the filtering architecture of NTO, and to see why that matters it’s important to understand the problem of overlapping filters.

What are “overlapping filters” I hear you ask? This is easiest explained with a simple example. Let’s say we have 1 SPAN port, 3 tools, and each tool needs to see a subset of traffic:

[Figure: one SPAN port feeding three tools with overlapping traffic needs]

Sounds simple, we just want to describe 3 filter rules:

  • Tool 1 wants a copy of all packets on VLAN 1-3
  • Tool 2 wants a copy of all packets containing TCP
  • Tool 3 wants a copy of all packets on VLAN 3-6

Notice the overlaps. For example a TCP packet on VLAN 3 should go to all three tools. If we just installed these three rules we would miss some traffic because of the overlaps. This is because once a packet matches a rule the hardware takes the forwarding action and moves on to examine the next packet.

This is what happens to the traffic when overlaps are ignored and the three rules are installed in the order listed. The Wireshark tool gets everything it asked for because its rule is first in the list, but the other two lose traffic: the NikSun never sees TCP packets on VLANs 1-3 (rule 1 already claimed them), and the Juniper IDS never sees VLAN 3 at all, nor any TCP packet on VLANs 4-6 (claimed by rules 1 and 2 respectively). This is bad.

[Figure: traffic delivered to each tool when the three rules are installed as written]

To solve this we need to describe all the overlaps and put them in the right order. This ensures each tool gets a full view of the traffic. The three overlapping filters above result in seven unique rules as shown below. By installing these rules in the right order, each tool will receive a copy of every relevant packet. Notice we describe the overlaps first as the highest priority.
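The expansion is mechanical enough to show in code. The following Python is an added example written for this page, not NTO's filter compiler: it models each filter as the set of values it accepts per field, simulates first-match hardware, expands the three filters above into disjoint rules (every non-empty intersection of filters, largest overlap first, which for this case yields exactly seven), and reports which packets each tool misses under the naive one-rule-per-tool list versus the expanded list. The tool names, VLAN ranges and traffic mix are constructed from the post's example; the expansion is the general algorithm, so it also handles more filters and more fields than the post shows.

```python
from itertools import combinations

# Constructed from the post's example: three tools sharing one SPAN port's traffic.
# A filter lists only the fields it constrains; a field that is absent means "any value".
FILTERS = {
    "wireshark": {"vlan": {1, 2, 3}},
    "niksun": {"proto": {"tcp"}},
    "juniper_ids": {"vlan": {3, 4, 5, 6}},
}
# Constructed traffic mix: every VLAN 1..8 crossed with TCP and UDP (16 packets).
TRAFFIC = [{"vlan": v, "proto": p} for v in range(1, 9) for p in ("tcp", "udp")]


def matches(match, pkt):
    return all(pkt.get(field) in values for field, values in match.items())


def intersect(matches_):
    """Field-wise intersection of several filters; None if no packet could satisfy all of them."""
    out = {}
    for field in set().union(*(m.keys() for m in matches_)):
        values = set.intersection(*(m[field] for m in matches_ if field in m))
        if not values:
            return None
        out[field] = values
    return out


def naive_rules(filters):
    """One rule per tool, in the order the operator typed them: 'just install the three rules'."""
    return [(match, {tool}) for tool, match in filters.items()]


def dynamic_rules(filters):
    """Expand overlapping filters into disjoint, prioritized rules, largest overlap first.

    Every non-empty intersection of k filters becomes one rule whose action is the union of those
    k tools.  A packet matching exactly the tool set T also matches every subset of T, and larger
    subsets are listed first, so first-match lands on T itself.  Worst case is 2^n - 1 rules."""
    tools, rules = list(filters), []
    for k in range(len(tools), 0, -1):
        for combo in combinations(tools, k):
            match = intersect([filters[t] for t in combo])
            if match is not None:
                rules.append((match, set(combo)))
    return rules


def forward(rules, pkt):
    """First-match hardware: the first rule that hits takes its action and the packet is done."""
    for match, tools in rules:
        if matches(match, pkt):
            return set(tools)
    return set()


def wanted(filters, pkt):
    return {tool for tool, match in filters.items() if matches(match, pkt)}


def missed_by_tool(filters, rules, traffic):
    """Packets each tool asked for but never received under the given rule list."""
    missed = {tool: [] for tool in filters}
    for pkt in traffic:
        for tool in wanted(filters, pkt) - forward(rules, pkt):
            missed[tool].append(pkt)
    return missed
```

With `naive_rules(FILTERS)` the NikSun misses the three TCP packets on VLANs 1-3 and the Juniper IDS misses five packets (both VLAN 3 packets and TCP on VLANs 4-6); with `dynamic_rules(FILTERS)` the list has seven rules, the first being VLAN 3 and TCP to all three tools, and `missed_by_tool` is empty for everyone. The `2^n - 1` bound in the docstring is the reason a handful of filters with ranges turns into the hundreds or thousands of discrete rules the post goes on to describe.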

[Figure: the seven prioritized rules, overlaps first]

Sounds simple, but remember this was a very simple example. Typically there are many more filters, lots of traffic sources, multiple tools, and multiple users of the visibility fabric. Changes also need to happen on the fly, easily and quickly, without impacting other tools and users.

A simple rule list quickly explodes into thousands of discrete rules. Below you can see two tools and three filters with ranges that can easily result in 1300 prioritized rules. Not something a NetOps engineer needs to deal with when trying to debug an outage at 3am!

Consider a typical visibility fabric with 50 taps, eight tools, and one operations department with three users. Each user must not impact the traffic of other users, and each user needs to be able to quickly select the types of traffic they need to secure and optimize the network.

With traditional rules-based filtering this becomes impossible to manage.

Ixia NTO is the only packet broker that implements Dynamic Filters; other visibility solutions implement rules with a priority. This is the result of many years of investment in filtering algorithms. Here’s the difference:

  • Ixia Dynamic Filters are a simple description of the traffic you want, without any nuance of the machine that selects the traffic for you, other filter interactions, or the complications brought by overlaps.
  • Priority-based rules are lower level building blocks of filters. Rules require the user to understand and account for overlaps and rule priority to select the right traffic. Discrete rules quickly become headaches for the operator.

Ixia Dynamic Filters remove all the complexity by creating discrete rules under the hood, and a filter may require many discrete rules. The complex mathematics required to determine discrete rules and priority are calculated in seconds by software, instead of taking days of human work. Ixia invented the Dynamic filter more than seven years ago, and has been refining and improving it ever since. Dynamic Filtering software allows us to take into account the most complex filtering scenarios in a very simple and easy-to-manage way.

Another cool thing about Ixia Dynamic Filter software is that it forms the underpinnings of an integrated drag-and-drop GUI and REST API. Multiple users and automation tools can simultaneously interact with the visibility fabric without fear of impacting each other.
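To make the overlap problem concrete, here is an added example (not Ixia's software, whose algorithm the article does not disclose) that expands a handful of user-level filters into the prioritized, first-match rule list a hardware table needs. Filter names, fields, tools and the CIDR/port/VLAN ranges are all constructed for illustration.

```python
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# A filter is a conjunction of inclusive numeric ranges on packet fields;
# a field absent from a filter matches any value.
Range = Tuple[int, int]
Filter = Dict[str, Range]
Rule = Tuple[Filter, List[str], Tuple[str, ...]]  # (match, tools, filters served)


def cidr_range(cidr: str) -> Range:
    """Express a CIDR block as an inclusive range of integer addresses."""
    net = ip_network(cidr)
    return int(net.network_address), int(net.broadcast_address)


def intersect(filters: List[Filter]) -> Optional[Filter]:
    """Per-field intersection of ranges; None when some field cannot overlap."""
    result: Filter = {}
    for f in filters:
        for field, (lo, hi) in f.items():
            cur_lo, cur_hi = result.get(field, (lo, hi))
            lo, hi = max(lo, cur_lo), min(hi, cur_hi)
            if lo > hi:
                return None
            result[field] = (lo, hi)
    return result


def compile_rules(filters: Dict[str, Filter], tools: Dict[str, List[str]]) -> List[Rule]:
    """Expand overlapping filters into one prioritized first-match rule list.

    Every non-empty subset of filters (largest first) becomes a rule matching the
    subset's intersection and delivering to the union of its tools, so a packet
    reaches exactly the tools of the filters it satisfies.  Up to 2**n - 1 rules
    result, before each range is further expanded into TCAM prefix entries.
    """
    names = list(filters)
    rules: List[Rule] = []
    for size in range(len(names), 0, -1):
        for subset in combinations(names, size):
            match = intersect([filters[n] for n in subset])
            if match is not None:
                action = sorted({t for n in subset for t in tools[n]})
                rules.append((match, action, subset))
    return rules


def lookup(rules: List[Rule], packet: Dict[str, int]) -> List[str]:
    """First-match lookup: the tools a packet is forwarded to."""
    for match, action, _ in rules:
        if all(f in packet and lo <= packet[f] <= hi for f, (lo, hi) in match.items()):
            return action
    return []


# Constructed example: three ranged filters feeding two tools, as in the figure.
FILTERS: Dict[str, Filter] = {
    "branch_subnet": {"src_ip": cidr_range("10.1.0.0/16")},
    "web_ports": {"dst_port": (80, 443)},
    "voice_vlans": {"vlan": (100, 199)},
}
TOOLS = {"branch_subnet": ["IDS"], "web_ports": ["IDS", "APM"], "voice_vlans": ["APM"]}
RULES = compile_rules(FILTERS, TOOLS)  # 7 rules from 3 filters
```

Adding a fourth overlapping filter doubles the rule count again, which is the explosion the text describes and the reason a human-maintained priority list stops scaling.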

Some important characteristics of Ixia’s Dynamic Filtering architecture:

NTO Dynamic Filters handle overlaps automatically—No need to have a PhD to define the right set of overlapping rules.

NTO Dynamic Filters have unlimited bandwidth—Many ports can aggregate to a single NTO filter, which can feed multiple tools, with no congestion or dropped packets.

NTO Dynamic Filters can be distributed—Filters can span across ports, line cards and distributed nodes without impact to bandwidth or congestion.

NTO allows a Network Port to connect to multiple filters—You can do this:

(Figure: Will You Find the Needle in the Haystack? Visibility with Overlapping Filters)

NTO has 3-stage filtering—Additional filters at the network and tool ports.

NTO filters allow multiple criteria to be combined using powerful boolean logic—Users can pack a lot of logic into a single filter. Each stage supports Pass and Deny AND/OR filters with ‘Source or Destination’, session, and multi-part uni/bi-directional flow options. Dynamic filters also support passing any packets that didn’t match any other Pass filter, or that matched all Deny filters.

NTO Custom Dynamic Filters cope with offsets intelligently—Filter from the end of L2 or the start of the L4 payload, skipping over any variable-length headers or tunnels. This is important for dealing with GTP, MPLS, IPv6 header extensions, TCP options, etc.

NTO Custom Dynamic Filters handle tunneled MPLS and GTP L3/L4 fields at line rate on any port—use pre-defined custom offset fields to filter on MPLS labels, GTP TEIDs, and inner MPLS/GTP IP addresses and L4 ports on any standard network port interface.

NTO provides comprehensive statistics at all three filter stages—statistics are so comprehensive you can often troubleshoot your network based on the data from Dynamic filters alone. NTO displays packet/byte counts at the input and output of each filter along with rates, peak, and charts. The Tool Management View provides a detailed breakdown of the packets/bytes being fed into a tool port by its connected network ports and dynamic filters.

In summary the key benefits you get with Ixia Dynamic filters are:

  • Accurately calculates required rules for overlapping filters, 100% of the time.
  • Reduces the time taken to correctly configure rules from days to seconds.
  • Removes human error when trying to get the right traffic to the right tool.
  • Hitless filter installation: not a single packet is dropped when filters are installed or adjusted.
  • Easily supports multiple users and automation tools manipulating filters without impacting each other.
  • Fully automatable via a REST API, with no impact on GUI users.
  • Robust and reliable delivery of traffic to security and performance management tools.
  • Unlimited bandwidth, since dynamic filters are implemented in the core of the ASIC and not on the network or tool port.
  • Significantly less skill required to manage filters; no need for a PhD.
  • Low training investment; managing the visibility fabric is intuitive.
  • More time to focus on Security Resilience and Application Performance.

Additional Resources:

Ixia Visibility Architecture

Thanks to Ixia for the article.

Improving Network Visibility – Part 1: Data and Packet Conditioning

“What can really be done to improve network visibility?” This is a question that our customers often ask us. They’ve heard about this and that and something else but are often left confused as to what capabilities actually exist in the market to solve their network visibility problems.

In this multi-part blog, I’ll provide an in-depth view of features that deliver true benefits. There are 5 fundamental feature sets that we’ll cover:

  • Data and packet conditioning
  • Advanced packet filtering
  • Automated real time response capability
  • Intelligent, integrated and intuitive management
  • Vertically-focused solution sets

When combined, these capabilities can “supercharge” your network. This is because the five categories of monitoring functionality work together to create a coherent group of features that can, and will, lift the veil of complexity. These feature sets need to be integrated, yet modular, so you can deploy them to attack the complexity. This will allow you to deliver the right data to your monitoring and security tools and ultimately solve your business problems.

This first blog will focus on data and packet conditioning. Data and packet conditioning can mean different things to different people, but simply put, it’s about manipulating the packets or packet streams for better quality. In the context of a data monitoring switch, we’re more concerned with removing duplicate data, grouping packets together to send to particular ports and tools, removing extraneous information like payload data and MPLS labels, or adding information like port tags and timestamps.

While data and packet conditioning is a general term, it usually incorporates the following components:

  • De-duplication
  • Load balancing
  • Packet trimming and MPLS stripping
  • Timestamping and port tagging

Let’s take a deeper look into each one of these components of data and packet conditioning to see what they really do.

De-duplication
Duplicate packets can come from several sources. Common sources include network switches, mirror ports and SPAN ports. For instance, even when a SPAN port is configured optimally, it may generate between one and four copies of a packet. This extra data can have negative implications, especially for monitoring and security. The duplicate packets from SPAN ports can represent as much as 50% of the network traffic being sent to a monitoring tool. Slower tools and duplicate packets reduce effective bandwidth, which causes data jams that result in dropped packets and lost data.

By adding a network monitoring switch, you can reduce the amount of data packets being sent to your tool farm. This has three fundamental benefits:

  • CPU load of a tool can be cut in half because the monitoring tool can focus on its primary task, not using CPU capability to sort and delete duplicate packets (which is extremely resource intensive)
  • Bandwidth at the Ethernet port of the tool can be conserved, so more data can be provided to the tool
  • The amount of data stored by the tools is reduced which can decrease your SAN (storage area network) costs

The Ixia Anue Net Tool Optimizer (NTO) takes de-duplication one step further with patented technology based upon implementing a de-duplication window that increases the efficiency of removing duplicate data packets in real-time from very high data rate streams. This patent allows the NTO to process duplicate packets with less loading on the monitoring switch CPU.
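The windowed approach can be sketched in a few lines. This is an added example, not Ixia's patented implementation (the article gives no details of it); it assumes duplicates are byte-for-byte identical copies arriving within a fixed microsecond window, and the SPAN-like packet stream is constructed for the demonstration.

```python
import hashlib
from collections import deque
from typing import Deque, Dict, List, Tuple

# A monitored packet as (arrival time in microseconds, raw frame bytes).
Packet = Tuple[int, bytes]


class DedupWindow:
    """Drop packets that exactly repeat a packet seen within `window_us`.

    Only a fixed-size digest per packet is retained, and entries older than
    the window are expired from the front of the deque, so memory is bounded
    by packet rate times window length rather than by total traffic volume.
    """

    def __init__(self, window_us: int) -> None:
        self.window_us = window_us
        self.seen: Dict[bytes, int] = {}                  # digest -> arrival time
        self.order: Deque[Tuple[int, bytes]] = deque()    # (time, digest), oldest first
        self.dropped = 0

    def _expire(self, now: int) -> None:
        while self.order and now - self.order[0][0] > self.window_us:
            ts, digest = self.order.popleft()
            if self.seen.get(digest) == ts:  # only drop if not re-added since
                del self.seen[digest]

    def accept(self, pkt: Packet) -> bool:
        """True if the packet should be forwarded, False if it is a duplicate."""
        ts, raw = pkt
        self._expire(ts)
        digest = hashlib.sha256(raw).digest()
        if digest in self.seen:
            self.dropped += 1
            return False
        self.seen[digest] = ts
        self.order.append((ts, digest))
        return True


def build_sample_stream() -> List[Packet]:
    """Constructed stream: 4 frames each seen twice a few microseconds apart
    (original plus SPAN copy), then a genuine repeat of frame 0 five seconds later."""
    stream: List[Packet] = []
    for i in range(4):
        raw = b"\x00" * 12 + b"\x08\x00" + bytes([0x45, i]) + b"payload"
        stream += [(i * 1000, raw), (i * 1000 + 3, raw)]
    stream.append((5_000_000, stream[0][1]))
    return stream


def filter_duplicates(stream: List[Packet], window_us: int) -> Tuple[List[Packet], int]:
    """Run the stream through a DedupWindow; return (kept packets, dropped count)."""
    dd = DedupWindow(window_us)
    kept = [p for p in stream if dd.accept(p)]
    return kept, dd.dropped
```

With a 1 ms window the four SPAN copies are removed while the later legitimate repeat survives; a window longer than the gap between repeats would swallow that one too, which is why the window length matters.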

Load Balancing

Load balancing is another important feature of a monitoring switch that allows it to efficiently distribute data streams to the appropriate monitoring tools. This allows IT to prevent the overload of various tools in the tools farm.

The load balancing feature keeps session data together for better analysis. This function is used extensively with network data recorders. Since session data is kept together, only one data recorder needs to be accessed to analyze any given session at a later time.

The Ixia Anue NTO excels far above the competition in this area as well by supporting 16 ports of load balancing capability. This is one of the largest amounts of port balancing capability that is currently on the market and testifies as to the powerful capabilities contained within the NTO.

Packet Trimming and MPLS Stripping

Packet trimming capability gives IT the option to remove the data payload information, basically just leaving the header information. Since some monitoring tools don’t need the payload information, this is a useful feature.

There are two main benefits/use cases for this monitoring switch feature:

  • Since unnecessary information is removed, the monitoring tool can receive a far greater amount of network data
  • In the case of regulatory compliance concerns (HIPAA, PCI DSS, SOX, etc.), it may be desirable to “trim” or remove sensitive payload data

While MPLS is a useful protocol for traversing networks, it poses problems for many of the network monitoring tools in use today. Most monitoring tools aren’t capable of understanding MPLS-tagged packets, so they can’t monitor MPLS networks. Monitoring tools that can understand the MPLS label must spend time to process that information. This extra step usually has no benefit to the monitoring tool. By removing the MPLS labels, the monitoring tools can regain CPU processing capability and improve efficiency.

A good monitoring switch has the ability to remove the MPLS labels and forward the original packet so that monitoring tools which can’t handle the labels can still be used on MPLS networks. For the monitoring tools that can process the MPLS labels, the monitoring switch can improve their efficiency (i.e. increase capacity) by allowing the monitoring tools to focus on core monitoring functions.
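Label removal and payload trimming together, as an added example rather than NTO's own code: the label stack is popped down to the bottom-of-stack bit, the EtherType is rewritten from the IP version nibble underneath (MPLS carries no protocol field of its own), and trimming keeps only the Ethernet, IPv4 and TCP/UDP headers. The sample frame is constructed; IPv6 trimming and IPv6 extension headers are left out for brevity.

```python
import struct
from typing import Tuple

ETH_MPLS_UNICAST, ETH_MPLS_MULTICAST = 0x8847, 0x8848
ETH_VLAN, ETH_IPV4, ETH_IPV6 = 0x8100, 0x0800, 0x86DD


def _ethertype(frame: bytes) -> Tuple[int, int]:
    """Return (offset of EtherType, EtherType), skipping one 802.1Q tag if present."""
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == ETH_VLAN:
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    return off, ethertype


def strip_mpls(frame: bytes) -> Tuple[bytes, int]:
    """Pop the whole MPLS label stack; return (rewritten frame, labels popped)."""
    off, ethertype = _ethertype(frame)
    if ethertype not in (ETH_MPLS_UNICAST, ETH_MPLS_MULTICAST):
        return frame, 0
    pos, popped = off + 2, 0
    while True:
        entry = struct.unpack_from("!I", frame, pos)[0]  # label:20 tc:3 s:1 ttl:8
        pos, popped = pos + 4, popped + 1
        if entry & 0x100:  # S bit set: bottom of stack reached
            break
    version = frame[pos] >> 4  # IP version nibble of the encapsulated packet
    if version not in (4, 6):
        raise ValueError("non-IP payload under MPLS stack")
    new_type = ETH_IPV4 if version == 4 else ETH_IPV6
    return frame[:off] + struct.pack("!H", new_type) + frame[pos:], popped


def trim_payload(frame: bytes) -> bytes:
    """Keep Ethernet, IPv4 and TCP/UDP headers; discard the application payload."""
    # The IP total-length field is deliberately left untouched so a tool can
    # still read the original size. Only IPv4 is handled here (assumption).
    off, ethertype = _ethertype(frame)
    if ethertype != ETH_IPV4:
        return frame
    ip = off + 2
    l4 = ip + (frame[ip] & 0x0F) * 4   # IHL gives the IPv4 header length
    proto = frame[ip + 9]
    if proto == 6:     # TCP: data offset (32-bit words) in upper nibble of byte 12
        l4_len = (frame[l4 + 12] >> 4) * 4
    elif proto == 17:  # UDP: fixed 8-byte header
        l4_len = 8
    else:
        l4_len = 0
    return frame[: l4 + l4_len]


def build_sample_frame() -> bytes:
    """Constructed frame: Ethernet / MPLS 1000 / MPLS 2000 (S=1) / IPv4 / TCP / data."""
    payload = b"GET / HTTP/1.1\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 65535, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                       64, 6, 0, bytes([10, 1, 2, 3]), bytes([10, 9, 8, 7]))
    labels = struct.pack("!II", (1000 << 12) | 64, (2000 << 12) | 0x100 | 64)
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_MPLS_UNICAST)
    return eth + labels + ipv4 + tcp + payload
```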

Time Stamping and Port Tagging

Time stamping is a feature that allows you to append a trailer containing a timestamp to individual packets. This gives you a diagnostic trail showing how long it takes for a packet to move from the monitoring switch to the downstream monitoring tool. This additional information can be useful when troubleshooting and investigating jitter and latency effects.

One of the Ixia NTO benefits associated with time stamping is that Ixia tags on the first bit of the first byte to ensure as accurate a timestamp as possible. The timestamp is then attached to the packet on egress. Other vendors tag on the last byte which allows for inaccuracies to be encountered before a timestamp is created. Since Ixia tags at the start, the packet timestamps are consistent across packet lengths.

Another important feature is the use of port tags. These tags help establish where packets came from and that transactions are secure. While most of the packet security responsibility falls upon firewalls, IPS/IDS and other SIEM tools, port tagging provides an additional way to verify that packets have not been tampered with and to identify the packet source location. Port tagging identifies the source, beyond just an IP address, by placing VLAN information into the packet that shows where the packets came from. So if legitimate-looking packets are coming from an unusual location, they can be flagged for further investigation as to what is happening in the data center. The SIEM can then help determine whether the traffic is legitimate or not.

More information on the Ixia Anue Net Tool Optimizer monitoring switch and advanced packet filtering within the Network Visibility Operating System (NVOS) 3.8 is available on the Ixia website and the Simple Is website.

Additional Resources:

Thanks to Ixia for the article.

Do You Really Know What’s Lurking in Your Data Center?

As mentioned in one of my previous blogs (Exposing The Ghost In The Virtual Machine), virtualization has been a great success story. At the same time, it holds hidden dangers that need to be managed. I want to take a couple of minutes to outline those dangers and how to overcome them.

So, here are the dangers that can be hidden in a virtualized data center:

  • Potential security issues due to unknown malware
  • Potential outages due to lack of proper performance data
  • Regulatory compliance issues due to lack of adequate policy tracking

According to a study commissioned by Cisco Systems, 29% of the North American organizations surveyed identified the overall state of security of virtual systems as a major concern for future server virtualization deployments. This is for good reason. Cyber criminals are employing VM-aware malware that can spread unnoticed and unchecked among VMs due to the lack of visibility between machines on the same server. As a result, VM-aware malware can spread undetected to physical servers when VMs or applications are moved. Without proper visibility, these threats can gain a foothold and then flourish within your data center – and you wouldn’t even know it.

Another concern is potential outages that can result from malware or other issues within the data center (problematic software upgrades, overloaded equipment and links, and programming mistakes). Common symptoms of performance problems include slow traffic and devices, unnecessary bandwidth consumption, and intermittent issues that pop up long enough to be noticed but then disappear quickly. By the time you recognize the symptoms, it’s often too late, as the problems may already be affecting service. Proper performance monitoring mitigates this concern by allowing IT managers to perform trend analysis and monitor single points of failure – like load balancers, cloud services, WAN optimizers, etc.

Regulatory compliance is a third fundamental concern. Much emphasis has been placed on this topic over the last several years, and while you may have everything in order on the physical components of your network, it’s often harder to square away the virtualized portion of the network. One of the main reasons is audit validation. What’s your current plan to know if you are compliant with all applicable regulations (e.g., FISMA, HIPAA, PCI, etc.)? And do you have the proper access to data in the virtualized portion of your network to prove that you are compliant? The business concern, of course, is that if one portion of your network is non-compliant then the company is non-compliant (or partially compliant, if you have some marketing spin leeway!).

The key question is how do you find the source of the hidden dangers within your virtual network? Your primary target should be the data center. According to a study by Gartner, up to 80% of the traffic in a virtualized data center never makes it to the top of the rack, where conventional monitoring practices like packet brokers and monitoring tools can capture the data. So, are you sure you know what’s happening in your data center before this point? Most data center managers don’t.

(Figure: Ixia Net Optics Phantom vTap)

This diagram should make it a little clearer. It shows the four key visibility points in a virtual network. Point number 1 isn’t a problem. Since the data is transferred from the equipment in one rack to another, this gives the data center administrator an opportunity to use a physical tap to access the data. But for situations 2 through 4, there is no easy access with standard taps and monitoring tools.

In the case of point number 2, there is limited visibility within the server chassis. The traffic across the backplane isn’t accessible by traditional monitoring tools.

In case number 3, the traffic passes between VMs within the same physical host. In this case, everything is handled strictly through software. So again, there is no opportunity for traditional monitoring tools and practices to help.

And in case number 4 (when VMs are moved) any access to the VM that might have been established is typically lost.

Points 2 through 4 are what we mean when we talk about the opportunity for blind spots to exist. The blind spots are where the hidden dangers lurk. Traditional monitoring tools won’t help as they don’t give you access to the data in this portion of the network.

So now we see the problem, but how do you fix it? A virtual tap is often one of the best solutions. They are cost effective pieces of software that can be installed directly into the virtual data center. They function in a similar manner as a physical tap in that they replicate traffic and forward that data on. This gives you the access points you need to forward traffic out of the data center and towards your standard monitoring gear, like packet brokers and specialized monitoring analysis tools.

One note: not all virtual taps are created equal. You probably want to make sure that the virtual tap performs some level of filtering so that the replicated traffic isn’t a complete copy of everything in your data center. Otherwise, you’ll overload the LAN. Also, you’ll want hypervisor plug-in capability to maximize your access to the virtual traffic. Lastly, consider virtual taps that have minimal performance impact on the hypervisor, or you may actually create performance problems of your own. There are products on the market that perform all three functions.

Once the virtual tap(s) are inserted into your data center, you’ll have the data you need to implement proactive, instead of reactive, approaches to problem resolution and security threats. You’ll also be able to implement the same internal security and monitoring policies across your network, which should help greatly with work flows, problem resolution capabilities and even costs.

Ixia makes a virtual tap product called the Ixia Phantom vTap. More information about the Ixia Phantom vTap and how it can help generate the insight needed for your business is available on the Ixia website.

Additional Resources:

Illuminating Data Center Blind Spots

Increased Visibility and Monitoring of Virtual Systems

Creating A Visibility Architecture

Thanks to Ixia for the article.

Phantom vTap v3.5 Release

The Phantom Virtualization Tap™ (Phantom vTap™) v3.5 release is now available. This software solution provides IT monitoring staff access to packet data in virtualized data centers, allowing you to pinpoint performance issues and improve network security. With this capability, you can remove virtualized data center blind spots by exposing the approximately 80% of hidden inter-VM (“east-west”) traffic that exists in this environment and that raises the risk of undetected threats or performance issues.

Key Benefits

  • Provides access to vital data to improve your virtualized data center security and performance
  • Single solution for VMware vSphere and other hypervisors
  • No VM resources or probes are required
  • Uses a kernel module plug-in, enabling full access to traffic passing between virtual machines on a hypervisor stack

If you have questions and would like to speak with a representative, please contact us at: 800-561-4019 or

Downloads: Ixia's Illuminating Blind Data Centre Spots; Ixia Phantom vTap

Thanks to Ixia for the article.