187 posts categorized "Oldcommguy"

Understanding Advanced Features in a Network Packet Broker (by Greg Zemlin)


Network Packet Brokers (NPBs) have come a long way from their modest roots as data monitoring switches, though their intended application remains nearly the same: the NPB is still primarily a device for maximizing the performance of monitoring and security tools. Its most important features are unchanged, namely 1:1, 1:N, N:1 and N:N port mappings, full L2-L4 filtering and configurable load balancing. In the pursuit of competitive advantage, vendors continue to add advanced features, which makes selecting the right product for your network more complex.


The key to selecting the right Packet Broker is the understanding of each advanced feature and its alternatives.

Let's look at deduplication, SSL/TLS decryption and metadata generation - three important areas to understand!


Deduplication is a feature offered by many NPB vendors; it removes identical packets seen within a defined "window" of time. The exact implementation varies from vendor to vendor, but essentially every packet arriving on a port with deduplication enabled is sent to an internal FPGA or packet processor. A hash of the packet is computed and stored temporarily; the size of that storage block defines the deduplication window. As new packets arrive, each new hash is compared against the stored hashes of the preceding packets. If a hash matches, the packet is deemed a duplicate and discarded immediately. Additional mechanisms (typically comparing more than just the hash) can be in place to guard against false positives, since two different packets that happen to hash to the same value would otherwise cost you one of them.


Duplicate packets can occur in any monitoring network, but most of them come from using SPAN ports. A SPAN session typically mirrors both ingress and egress of a port, or can be configured to mirror all traffic on a given VLAN, so a packet crossing the switch is copied once on the way in and once on the way out. This can result in more than 50% of the traffic feeding your monitoring network being duplicates. The problem is best addressed at its source, by moving away from SPAN ports in favor of well-placed network TAPs, which significantly reduce the number of duplicate packets. Some duplicates will remain (for example, TAPs on both sides of a router see the same packet twice, differing only in TTL and MAC addresses), so network engineers need to look at the sensitivity of their monitoring tools to decide whether the remaining duplicates must be removed and whether deduplication is still a necessary feature.


SSL/TLS Decryption

Industry experts are predicting SSL/TLS traffic to exceed 70% of all network traffic by the end of 2019. So, is this feature important? Absolutely, but a decision needs to be made whether decryption should be done within the NPB or offloaded to an external platform dedicated to SSL/TLS decryption. The technical details are beyond the scope of this blog, but at a high level any secure connection starts with a handshake. During the handshake the client authenticates the server, and the two sides agree on a cipher suite and on the keying material for the session. After the handshake both endpoints hold the same symmetric keys, and all subsequent transmissions are encrypted with them.


The NPB or SSL visibility appliance acts as either a passive or an active man-in-the-middle (MITM). For passive MITM the NPB needs a copy of every server's private key, and this only works when the session keys can be derived from that key, i.e. with RSA key exchange; with ephemeral (EC)DHE key exchange, which TLS 1.3 makes mandatory, holding the server's private key reveals nothing about the session keys. For active MITM, one TLS connection is made from the client to the NPB and a second from the NPB to the server, so the NPB holds the plaintext in between (clients must trust the CA the NPB uses to mint server certificates, and clients that pin certificates will fail). Active MITM is therefore the more common deployment, especially as we move towards TLS 1.3. Regardless of active or passive MITM, SSL/TLS decryption, along with the data masking it requires, is extremely computationally expensive. Using an NPB as a network's only means of TLS decryption may not be the best choice: the very nature of TLS decryption can degrade the performance of the device as a whole, so caution is needed before enabling SSL decryption in an NPB. A dedicated SSL visibility appliance is the safer choice in most networks, allowing for scalability, high-availability deployment and line-rate performance without compromising other features.

Metadata Generation

Metadata generation is an interesting topic as it relates to monitoring and visibility. Visibility fabrics aim to see every packet traversing a network, while metadata generation deliberately reduces packets to summaries. Under the names NetFlow, sFlow or IPFIX, it exports statistics about traffic flows: sFlow is packet-sampled, whereas NetFlow and IPFIX export per-flow records (sampled or unsampled). Flow details generally include the 5-tuple (source and destination address, protocol, source and destination port), packet and byte counts, timestamps and, in richer exports, application-layer insights. If a network's tools are flow based then the ability to generate these flows becomes critical. The choice between NetFlow, sFlow and IPFIX depends entirely on the network and the tools planned for deployment.
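As an added example (mine, not from the article or from Garland Technology), the Python below strings together the two mechanisms described in the deduplication and metadata sections: a windowed hash-based deduplicator with a full-frame comparison as the false-positive check, followed by 5-tuple flow aggregation in the spirit of an IPFIX exporter. The frames, the 50 ms window and the SPAN-style duplicate pattern are constructed for the demonstration; the header offsets assume untagged Ethernet II / IPv4 with no IP options.

```python
"""Added example (not from the article or any vendor): windowed deduplication
followed by 5-tuple flow aggregation. Frame layout assumed: untagged Ethernet II,
IPv4 without options, TCP. All frames below are constructed test data."""
import hashlib
import struct
from collections import OrderedDict
from dataclasses import dataclass

ETH_HDR = 14
IPV4_HDR = 20
TCP_HDR = 20


def build_frame(src_ip, dst_ip, sport, dport, payload=b"", ttl=64):
    """Construct a synthetic Ethernet/IPv4/TCP frame (checksums left zero)."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + TCP_HDR + len(payload), 0x1234, 0,
        ttl, 6, 0,
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_hdr + payload


class Deduplicator:
    """Drop a frame if an identical one was seen within `window` seconds.

    Same shape as the FPGA design in the text: hash each frame, keep the hash for
    the window, compare new hashes against the stored ones. Keeping the frame
    bytes next to the hash is the false-positive check: a hash match alone does
    not drop a frame, the bytes must match too.
    """

    def __init__(self, window=0.05):
        self.window = window
        self._seen = OrderedDict()  # digest -> (timestamp, frame), oldest first
        self.dropped = 0

    def _evict(self, now):
        """Age out entries older than the window (timestamps assumed monotonic)."""
        while self._seen:
            ts, _ = next(iter(self._seen.values()))
            if now - ts <= self.window:
                break
            self._seen.popitem(last=False)

    def process(self, ts, frame):
        """Return True to forward the frame, False to discard it as a duplicate."""
        self._evict(ts)
        digest = hashlib.sha256(frame).digest()  # real NPBs use a cheaper hardware hash
        hit = self._seen.get(digest)
        if hit is not None and hit[1] == frame:
            self.dropped += 1
            return False
        self._seen[digest] = (ts, frame)
        return True


@dataclass
class Flow:
    """One flow record: the core fields an IPFIX/NetFlow exporter carries."""
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


def five_tuple(frame):
    """Return (src, dst, proto, sport, dport) for an IPv4 frame, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    proto = frame[ETH_HDR + 9]
    src = ".".join(str(b) for b in frame[ETH_HDR + 12:ETH_HDR + 16])
    dst = ".".join(str(b) for b in frame[ETH_HDR + 16:ETH_HDR + 20])
    l4 = ETH_HDR + ihl
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4]) if proto in (6, 17) else (0, 0)
    return (src, dst, proto, sport, dport)


def generate_flows(records, dedup=None):
    """Aggregate (timestamp, frame) records into flows keyed by 5-tuple,
    optionally running them through a Deduplicator first."""
    flows = {}
    for ts, frame in records:
        if dedup is not None and not dedup.process(ts, frame):
            continue
        key = five_tuple(frame)
        if key is None:
            continue
        flow = flows.setdefault(key, Flow(first_seen=ts, last_seen=ts))
        flow.last_seen = ts
        flow.packets += 1
        flow.octets += len(frame)
    return flows


def demo():
    """Constructed SPAN-style input: each frame mirrored twice (ingress and
    egress) 10 us apart, plus a genuine retransmission of the request 200 ms
    later. Returns (flows without dedup, flows with dedup)."""
    req = build_frame("10.0.0.5", "10.0.0.80", 51000, 443, b"GET /")
    rsp = build_frame("10.0.0.80", "10.0.0.5", 443, 51000, b"200 OK")
    span = [(0.00000, req), (0.00001, req), (0.01000, rsp), (0.01001, rsp), (0.20000, req)]
    return generate_flows(span), generate_flows(span, Deduplicator(window=0.05))


if __name__ == "__main__":
    raw, deduped = demo()
    for key in raw:
        print(key, "raw:", raw[key].packets, "pkts", "dedup:", deduped[key].packets, "pkts")
```

Running demo() shows the point that ties the two features together: without deduplication the SPAN copies double the packet and byte counts in every flow record, so flow-based tools downstream of a SPAN-fed broker over-report unless duplicates are removed first. The retransmission 200 ms later survives because it falls outside the window, which is the behaviour you want: a real retransmit is evidence, not a mirror artifact. A hardware NPB uses a cheap hash and a fixed-size table rather than SHA-256 and a Python dict, but the window and the compare-on-match logic are the same.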

As vendors continue to grow the NPB feature set, careful consideration is needed when making a purchasing decision. Network engineers need to decide whether they prefer one device that performs all of these functions at a satisfactory level, or multiple devices that each perform their targeted task at the highest performance. There are obviously pros and cons to each approach, but given the success of companies making highly targeted, high-performance devices, one can conclude that the decentralized approach may be the better choice in the long run.

Author - Greg Zemlin - Greg is the Product Manager for Garland Technology. His background is in field applications engineering, project management, NPI, product development, competitive analysis, technical sales, training, hardware/software debugging, hardware design and verification, thermal design, and failure analysis.

[Want to learn more about using Network Packet Brokers in combination with TAPs and Aggregators? Download our whitepaper, Maximizing Visibility: Understanding the Role of Network TAPs, Packet Brokers and Hybrid Solutions.]


Is your Network Security Slowing you Down? (by Jason Nutt)


Measuring the Latency impact Created by Next Gen Security Solutions

As an IT professional, you are well aware of the challenges posed by network latency. Applications like audio and video delivery, bandwidth sensitive mobile applications, cloud computing and storage services are extremely sensitive to network latency.

What you may not realize, however, is the amount of latency created by your Next Generation Intrusion Prevention Systems (NG-IPS) and Next Generation Firewalls (NG-FW). While they are critical to protecting your network, these security tools and others that perform deep packet inspection can increase latency, significantly impacting your overall application performance.

Recently we worked with a large health care services provider trying to figure out why it was taking so long to send MRI data between locations. This was causing significant frustration for patients, doctors and medical staff. Having been aware of Aukua's nanosecond precision capture and analysis tools, they asked for our help. The company suspected one or more of their NG-IPS devices was causing the delays, but they did not have a way to confirm this. Since these security tools do not treat all packets the same, they were unable to detect or measure the application latency issue with artificial traffic such as ICMP. And since some applications were being adversely delayed and others were not, they could not rely on the NG-IPS vendor's generic latency specs for various packet sizes. In addition, compliance rules prohibited them from introducing new traffic into their live network.


Continue reading "Is your Network Security Slowing you Down? (by Jason Nutt)" »

How to easily detect SMBv1 scanning by using your traffic! (by John Bronson)


SMB Exploitation is an easy way to take control of a Network! - Read how to easily see this attack method!

NetFort has always believed in the visibility that can be extracted from wire data, whether through basic network traffic analysis or deep packet inspection. Every device, user and application on the network leaves a trail, always. There is no need to turn it on; this vendor-agnostic trail can be captured on any network and used for many security and operational use cases. Look at Wireshark and how strong its community is; it continues to grow from strength to strength. One of the main reasons is that the people involved are passionate about network traffic data and really care about what they do.

The traffic analysis engine should do as much of the heavy lifting as possible, to initially present it at a high level so one can see anomalies, make the network traffic data easier to store, query, search, read, analyse, correlate, and act on. This is what we help our customers do with traffic at NetFort. 

One of our core building blocks is the ability to generate metadata for easy visibility!

Building blocks to Metadata

We have a number of application 'decoders', stateful followers that generate application-specific metadata. The complexity of a decoder depends on the application; some, SMB and NFS for example, are not trivial.

Fingerprinting, reassembly, metadata extraction and storage, all in real time, is not easy. We have worked hard to make these reliable and to perform at scale, and as a result we now have a robust, scalable engine suited to many use cases and proven on many diverse customer networks. The decoders have also helped us grow, because they help organisations of all sizes (including central and local government, utilities, legal, education and the military) address various vulnerabilities, including those found in implementations of Server Message Block 1.0. Exploitation of such a vulnerability could allow a remote attacker to take control of an affected system.
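As an added example (mine, not NetFort's code), here is what a minimal SMB decoder of the kind described above can emit, and how that metadata turns into a detection for the scanning the post title refers to: classify the first client message on TCP/445 as SMB1 or SMB2+, pull the offered dialects out of an SMB1 NEGOTIATE, and flag a source that sends SMB1 NEGOTIATE requests to many distinct hosts in a short window. The protocol constants (the 0xFF 'SMB' and 0xFE 'SMB' signatures, command 0x72, the 32-byte SMB1 header, the 4-byte direct-TCP transport header) are from the SMB wire format; the connection records, the threshold of five hosts and the 60-second window are constructed assumptions.

```python
"""Added example (not NetFort's code): a minimal SMB decoder and an SMBv1 scan
detector. Protocol constants are from the SMB wire format; the records,
threshold and window are constructed assumptions."""
import struct
from collections import defaultdict

SMB1_MAGIC = b"\xffSMB"      # SMB1 protocol identifier
SMB2_MAGIC = b"\xfeSMB"      # SMB2/SMB3 protocol identifier
SMB1_COM_NEGOTIATE = 0x72    # SMB1 command code for NEGOTIATE
SMB1_HDR_LEN = 32            # fixed SMB1 header length


def strip_transport(payload):
    """Remove the 4-byte direct-TCP (NetBIOS session service) header if present."""
    if len(payload) >= 8 and payload[0] == 0x00 and payload[4:8] in (SMB1_MAGIC, SMB2_MAGIC):
        return payload[4:]
    return payload


def smb_version(payload):
    """Classify a TCP/445 payload as 'SMB1', 'SMB2+' or None (not SMB)."""
    msg = strip_transport(payload)
    if msg[:4] == SMB1_MAGIC:
        return "SMB1"
    if msg[:4] == SMB2_MAGIC:
        return "SMB2+"
    return None


def is_smb1_negotiate(payload):
    """True if the payload is an SMB1 message with command SMB_COM_NEGOTIATE."""
    msg = strip_transport(payload)
    return msg[:4] == SMB1_MAGIC and len(msg) > 4 and msg[4] == SMB1_COM_NEGOTIATE


def smb1_dialects(payload):
    """Dialect strings offered in an SMB1 NEGOTIATE request (decoder metadata).
    Layout after the header: WordCount, 2*WordCount parameter bytes, ByteCount,
    then dialects each encoded as 0x02 + ASCII string + 0x00."""
    msg = strip_transport(payload)
    if not is_smb1_negotiate(msg) or len(msg) < SMB1_HDR_LEN + 3:
        return []
    word_count = msg[SMB1_HDR_LEN]
    bc_off = SMB1_HDR_LEN + 1 + 2 * word_count
    if len(msg) < bc_off + 2:
        return []
    byte_count = struct.unpack_from("<H", msg, bc_off)[0]
    data = msg[bc_off + 2:bc_off + 2 + byte_count]
    return [d[1:].decode("ascii", "replace") for d in data.split(b"\x00") if d[:1] == b"\x02"]


def detect_smb1_scanners(records, threshold=5, window=60.0):
    """records: (ts, src_ip, dst_ip, dst_port, first_client_payload).
    Flag a source that sends SMB1 NEGOTIATE to >= threshold distinct hosts
    within `window` seconds. Returns {src_ip: sorted list of targets}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, payload in records:
        if dport == 445 and is_smb1_negotiate(payload):
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        i = 0  # left edge of the sliding time window
        for j in range(len(events)):
            while events[j][0] - events[i][0] > window:
                i += 1
            targets = {dst for _, dst in events[i:j + 1]}
            if len(targets) >= threshold and len(targets) > len(scanners.get(src, ())):
                scanners[src] = sorted(targets)
    return scanners


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)):
    """Construct an SMB1 NEGOTIATE request with direct-TCP header (test data)."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * (SMB1_HDR_LEN - 5)
    body += b"\x00" + struct.pack("<H", len(data)) + data  # WordCount=0, ByteCount, dialects
    return b"\x00" + len(body).to_bytes(3, "big") + body


def demo():
    """Constructed connection records: 10.0.0.7 sweeps eight hosts in ~3 s with
    SMB1 NEGOTIATE; 10.0.0.20 makes two normal SMB1 connections 45 s apart;
    10.0.0.21 touches the same eight hosts but speaks SMB2."""
    neg1 = build_smb1_negotiate()
    neg2 = b"\x00" + (64).to_bytes(3, "big") + SMB2_MAGIC + b"\x00" * 60
    records = [(0.4 * i, "10.0.0.7", f"10.0.1.{i}", 445, neg1) for i in range(1, 9)]
    records += [(5.0, "10.0.0.20", "10.0.1.1", 445, neg1), (50.0, "10.0.0.20", "10.0.1.2", 445, neg1)]
    records += [(6.0 + 0.1 * i, "10.0.0.21", f"10.0.1.{i}", 445, neg2) for i in range(1, 9)]
    return detect_smb1_scanners(records)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want. First, a single SMB1 NEGOTIATE is not malicious on its own: older Windows clients open every connection with an SMB1 NEGOTIATE whose dialect list includes "SMB 2.002" and only then move to SMB2, so the signal is the fan-out to many hosts, and the dialect metadata lets you separate SMB1-only clients from multi-protocol ones. Second, the servers that answer those requests with SMB1 are the assets that actually need fixing; the same decoder applied to the server side gives you that inventory.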


Continue reading "How to easily detect SMBv1 scanning by using your traffic! ( by John Bronson)" »

No visibility in the GDPR era, be ready for BIG fines! (by Derek Burke)


Legal problem

As of May 25, 2018 the EU General Data Protection Regulation (GDPR) is in effect. GDPR applies to any company processing the personal data of persons in the EU, imposes strict standards on data handling and requires very fast responses to breaches of Personally Identifiable Information (PII), with notification to the supervisory authority within 72 hours of becoming aware of a breach. Failing to meet these requirements can have dire consequences, with fines of up to €20,000,000 or 4% of a company's total worldwide annual turnover, whichever is higher. The demands that the GDPR places upon an organization are not only daunting but can seem insurmountable.

Get Visibility #1

First step - build a data flow and dependency map to identify:

  • Data items (e.g. names, email addresses, records);
  • Formats (e.g. online data entry, database);
  • Transfer and sharing methods of data;
  • Locations where data is stored and needs protection inside and outside;
  • Who is connected to who and who has what information – via the network!

Technical problem - how to gain the visibility needed to address the points above: full visibility of access, meaning filtering on the databases and servers where personal data is stored to see who has access, and on the applications that share that data, and so on.

No blind spots, on-site or remote!


Continue reading "No visibility in the GDPR era, be ready for BIG fines! (by Derek Burke)" »

LMTV LIVE | How To Diffuse The IT Blame Game (with Keith Bromley and Scott Peerbolte)



LIVE EVENT START TIME : 9:30 AM PST, Wednesday, June 27th, 2018

This week we will be talking with Keith Bromley (from Keysight Technologies, formerly Ixia) and Scott Peerbolte (of Corvil) about how you can help break down silos and reduce the blame game that is common in most IT departments.

For instance, how well do your IT departments communicate with each other?  

Enterprises typically contain four or more IT sub-departments (Security, Network Operations, Virtual DC, Capacity Planning, Service Desk, Compliance, etc.) and it's quite common for them to be at odds with each other, even in good times. For instance, there's often contention over capital budgets, sharing resources and headcount. But let's be generous and say that in normal operations things are usually good between departments. What happens if there's a breach, even a minor one? Then things can change quickly, especially if there are problems acquiring accurate monitoring data for security and troubleshooting. Finger pointing can quickly result.

So, what can you do? One answer is to create complete network visibility (at a moment’s notice) for network security and network monitoring/troubleshooting activities. Join us on this podcast to learn how.

Some key thoughts we will discuss during the event:


Continue reading "LMTV LIVE | How To Diffuse The IT Blame Game (with Keith Bromley and Scott Peerbolte)" »