Why You Need Network Intelligence at the Visibility Layer

The visibility layer, a layer of devices sitting between the network itself and the network tools and appliances, serves as an adaptation layer responsible for delivering the right traffic to the right tool. Doing so increases the efficiency of the tools, streamlines the enterprise's operations and reduces overall total cost of ownership.

What does Niagara’s Network Intelligence offer?

A
Taking the motto of “getting the right traffic to the right tool” to the next level.

By performing more advanced traffic processing in the NPB, the connected network appliance receives its traffic more efficiently and in a form it can actually process. TLS is the clearest example: a network tool cannot inspect encrypted traffic, so when the NPB performs the TLS decryption the connected tool receives the traffic in a format it can ingest. With Niagara NI, the NPB takes over such performance-intensive utility processing, off-loading the network tool so it can focus its resources on its designed task.


The figure depicts offloading TLS decryption and deduplication from each individual network tool to the NPB, where they run centrally and in an optimized manner. The same applies when the network tool lacks these advanced processing capabilities in the first place.

B
Open Visibility Platform - Process Once, Provide to Many

Many of the same advanced traffic processing tasks are required by different network tools, so it is natural to perform them centrally in the visibility layer, where NI processing applications run once and feed multiple tools efficiently. Utility tasks such as decryption can likewise be done once, according to the relevant policies, ensuring compliance and easing the work involved in audits and reporting.


Figure depicts "process once, provide to many" when multiple solutions need the same treatment of the traffic. Offloading the common utility tasks increases the efficiency and performance of the connected solutions.

C
Deployment Hub and utility process chaining

Niagara's NPBs meet the stringent reliability, scalability and performance demands that networking teams place on core networking equipment. Combining the NPB with the Packetron gives users an agile and flexible deployment hub.

 

Users can combine multiple NI utility processing applications on the same network packet broker. The NI applications are applied to the traffic in a user-defined logical sequence. Moreover, trigger-based policies can steer traffic to different processing applications, or through a different sequence of processing, depending on the status and state of the connected network and security appliances or on traffic-based triggers.

 

All Network Intelligence applications are seamlessly integrated into the FabricFlow operation of the host multipurpose visibility node. Users apply an NI application to traffic from user-friendly, hassle-free menu screens.


This figure depicts consolidating multiple network tools onto a single NPB. Processing modules can be added to the NPB to scale performance to users' needs.

The Packetron

Niagara's Network Intelligence is delivered by the Packetron, a packet processor acceleration hardware module. The module fits into the network packet broker, and users can add further modules where more traffic intelligence processing power is needed.

Network Intelligence using Packetron

Figure depicts the NPB and Packetron combination: packet broker functionality combined with application-layer processing agility.

Applications running on the Packetron automatically benefit from the aggregation, replication, filtering, load balancing, inline bypass and other traffic manipulation capabilities of a fully featured NPB. Because the module connects to the non-blocking switching core, traffic can be steered from any port to any port.

Network Intelligence for out-of-band and inline deployments

The Packetron module occupies a single bay in the multi-purpose visibility node, giving superior packet processing density per form factor. Input traffic reaches the Packetron from packet broker ports, bypass ports or tap ports via the non-blocking switching fabric, which lets it provide Network Intelligence applications for both out-of-band monitoring deployments and inline deployments.

A multi-purpose visibility node is powered by a switching fabric that delivers high-performance packet processing and forwarding up to Layer 4. The Packetron module connects directly to the host switching fabric and handles sophisticated application-layer (L7) processing on packets, sessions and flows.

 

The Packetron has a nominal processing capacity of 80 Gb/s, though actual performance varies with the application and the number of applications running simultaneously on a single module. As a modular, field-replaceable unit, Packetron modules can be added to scale up processing capacity.

Open Visibility Platform

Figure depicts a schematic deployment of Niagara's Open Visibility Platform (OVP). Security applications can be deployed on Packetron modules as part of the SSL/TLS decryption platform. This combination enhances the efficiency of both the decryption platform and the on-board resident security application, delivering a cyber threat detection multiplier.

Network Intelligence Applications

Packet Slicing

Packet Slicing reduces the volume of data forwarded to a network appliance for analysis and processing by truncating each packet. This is especially useful for network applications that only require header analysis and/or a defined set of bytes from each packet. The retained packet length is set by user-configurable rules.


Deduplication

Deduplication identifies duplicate packets and prevents them from being sent to a network appliance. Duplicates can arise on the network from backup and failover architectures, but the more common cause is feeding a network appliance from multiple SPAN ports on connected switches and routers, so that the same packet is captured at several points along its path. When a network appliance handles duplicate packets, they consume the tool's limited processing resources, causing significant performance degradation, and they can also skew the accuracy of the results it reports.


Figure depicts the function of deduplication. Users can tune deduplication to their network by configuring the window size (how long a packet is remembered for comparison) and by refining the header attributes that decide whether two packets count as the same.
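To make the two preceding applications concrete, here is an added example of the packet-slicing and deduplication logic written for this page; it is not Niagara's code and does not describe the Packetron's implementation. Packet framing, the sample frames, the dedup key choice and the window length are all assumptions made for the demo. The interesting part is the key: two SPAN copies of one packet captured a hop apart differ in TTL, IP header checksum and possibly DSCP and MAC addresses, so those fields are excluded, while the IP ID and the transport header stay in so that a genuine TCP retransmission is still delivered to the tool.

```python
import hashlib
import socket
import struct
from collections import OrderedDict

ETH_HLEN = 14


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src, dst, sport, dport, payload, ttl=64, ip_id=1):
    """Constructed Ethernet/IPv4/TCP frame used as sample input (not captured traffic)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), ip_id,
                     0x4000, ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def parse_headers(pkt: bytes):
    """Return (l4_end, dedup_key) for an IPv4 TCP/UDP frame, else None.

    l4_end is the offset just past the transport header (the slice point).
    dedup_key is the packet with the fields that legitimately differ between two
    SPAN copies cleared: the Ethernet header (MACs, VLAN) is dropped and the IP
    DSCP/ECN byte, TTL and header checksum are zeroed.
    """
    if len(pkt) < ETH_HLEN + 20 or pkt[12:14] != b"\x08\x00":
        return None
    ihl = (pkt[ETH_HLEN] & 0x0F) * 4
    proto = pkt[ETH_HLEN + 9]
    l4_off = ETH_HLEN + ihl
    if proto == 6 and len(pkt) >= l4_off + 20:
        l4_len = (pkt[l4_off + 12] >> 4) * 4   # TCP data offset
    elif proto == 17 and len(pkt) >= l4_off + 8:
        l4_len = 8                               # UDP header is fixed size
    else:
        return None
    l4_end = l4_off + l4_len
    if len(pkt) < l4_end:
        return None
    ip_hdr = bytearray(pkt[ETH_HLEN:l4_off])
    ip_hdr[1] = 0                  # DSCP/ECN may be remarked in transit
    ip_hdr[8] = 0                  # TTL decrements at every hop
    ip_hdr[10:12] = b"\x00\x00"    # header checksum changes with TTL
    # IP ID and the L4 header stay in the key: a TCP retransmission carries a new
    # IP ID with the same seq and payload, and the tool should still see it.
    return l4_end, bytes(ip_hdr) + pkt[l4_off:]


def slice_packet(pkt: bytes, keep_payload_bytes: int = 0) -> bytes:
    """Keep Ethernet/IP/L4 headers plus an optional payload prefix.

    The IP total-length field still states the original size; capture formats
    carry the truncated length separately, which is what analysis tools expect.
    """
    parsed = parse_headers(pkt)
    return pkt if parsed is None else pkt[: parsed[0] + keep_payload_bytes]


class Deduplicator:
    """Drop a packet whose dedup key was already seen within the time window."""

    def __init__(self, window_seconds: float = 0.001):
        self.window = window_seconds
        self.seen = OrderedDict()   # digest -> timestamp of the first copy
        self.dropped = 0

    def admit(self, ts: float, pkt: bytes) -> bool:
        parsed = parse_headers(pkt)
        if parsed is None:
            return True             # non-IP frames pass through untouched
        digest = hashlib.sha1(parsed[1]).digest()
        while self.seen and ts - next(iter(self.seen.values())) > self.window:
            self.seen.popitem(last=False)   # expire entries older than the window
        if digest in self.seen:
            self.dropped += 1
            return False
        self.seen[digest] = ts
        return True


def demo():
    """Two SPAN copies of one request one hop apart, a retransmission, and a late copy."""
    req = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    first = build_frame("10.0.0.5", "10.0.1.9", 40000, 80, req, ttl=64, ip_id=7)
    copy = build_frame("10.0.0.5", "10.0.1.9", 40000, 80, req, ttl=63, ip_id=7)
    retx = build_frame("10.0.0.5", "10.0.1.9", 40000, 80, req, ttl=64, ip_id=8)
    dedup = Deduplicator(window_seconds=0.001)
    decisions = [dedup.admit(0.0, first), dedup.admit(0.00005, copy),
                 dedup.admit(0.0002, retx), dedup.admit(0.005, copy)]
    return decisions, len(first), len(slice_packet(first))
```

`demo()` returns `([True, False, True, True], 92, 54)`: the second SPAN copy is dropped despite its different TTL and checksum, the retransmission is admitted because its IP ID differs, and the late copy arriving after the 1 ms window is admitted again, which is why the window should be sized to the largest capture-point skew and no larger. Slicing the 92-byte frame to its headers yields 54 bytes.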

NetFlow/IPFIX and metadata

As traffic volumes grow on the one hand and tools need finer processing granularity on the other, many network tools ingest traffic metadata rather than the raw packets themselves. Well standardized metadata frameworks exist (NetFlow and IPFIX), with numerous specified fields and extensions for vendor-specific fields. Often the metadata is generated by the network element itself, a switch or a router. The disadvantage is that metadata generation is not the primary job of the switch or router, so its flow export is typically degraded in times of congestion, whereas with Niagara's solution no such degradation takes place. Furthermore, to cope with congestion, switches and routers commonly export sampled flows (accounting for one packet in N) instead of taking every packet in the flow into account, so short flows can be missed entirely and the counters for the rest are estimates rather than counts.
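The sampling caveat above is easy to underestimate, so here is an added example (written for this page, not Niagara's code or a real exporter) that aggregates packets into 5-tuple flow records, renders one as an IPFIX-style record, and compares full per-packet accounting with 1-in-N sampling. The packet tuples, addresses, and the choice of deterministic 1-in-N sampling are constructed assumptions for the demo; the IPFIX element names and numeric ids are the IANA-registered ones.

```python
from dataclasses import dataclass

# IANA IPFIX information element ids for the fields a minimal flow record carries.
IPFIX_IES = {"octetDeltaCount": 1, "packetDeltaCount": 2, "protocolIdentifier": 4,
             "sourceTransportPort": 7, "sourceIPv4Address": 8,
             "destinationTransportPort": 11, "destinationIPv4Address": 12,
             "flowStartMilliseconds": 152, "flowEndMilliseconds": 153}


@dataclass
class FlowRecord:
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


def build_flows(packets, sample_rate: int = 1):
    """Aggregate (ts, src, dst, proto, sport, dport, length) tuples into 5-tuple flows.

    sample_rate=1 accounts for every packet, as an NPB-based generator does.
    sample_rate=N emulates a switch that exports 1-in-N sampled flows; counters
    are scaled up by N, as collectors do, which makes them estimates.
    """
    flows = {}
    for i, (ts, src, dst, proto, sport, dport, length) in enumerate(packets):
        if i % sample_rate:
            continue
        key = (src, dst, proto, sport, dport)
        if key not in flows:
            flows[key] = FlowRecord(first_seen=ts, last_seen=ts)
        rec = flows[key]
        rec.last_seen = max(rec.last_seen, ts)
        rec.packets += sample_rate
        rec.octets += length * sample_rate
    return flows


def to_ipfix(key, rec: FlowRecord) -> dict:
    """Render a flow as a dict keyed by IPFIX element name (values per IPFIX_IES)."""
    src, dst, proto, sport, dport = key
    return {"sourceIPv4Address": src, "destinationIPv4Address": dst,
            "protocolIdentifier": proto, "sourceTransportPort": sport,
            "destinationTransportPort": dport, "packetDeltaCount": rec.packets,
            "octetDeltaCount": rec.octets,
            "flowStartMilliseconds": int(rec.first_seen * 1000),
            "flowEndMilliseconds": int(rec.last_seen * 1000)}


def constructed_traffic():
    """Constructed sample: a 1000-packet bulk TLS flow with five single-packet
    port-scan probes interleaved at packet indexes 7, 213, 419, 625 and 831."""
    probes = {7: 22, 213: 23, 419: 445, 625: 3389, 831: 8080}
    pkts, t = [], 0.0
    for i in range(1005):
        t += 0.001
        if i in probes:
            pkts.append((t, "198.51.100.7", "10.0.0.20", 6, 51000 + i, probes[i], 60))
        else:
            pkts.append((t, "10.0.0.10", "10.0.0.20", 6, 45000, 443, 1400))
    return pkts


def compare(sample_rate: int = 100) -> dict:
    """Flow count and bulk-flow octets under full accounting versus 1-in-N sampling."""
    pkts = constructed_traffic()
    full, sampled = build_flows(pkts), build_flows(pkts, sample_rate)
    bulk = ("10.0.0.10", "10.0.0.20", 6, 45000, 443)
    return {"flows_full": len(full),
            "flows_sampled": len(sampled),
            "bulk_octets_full": full[bulk].octets,
            "bulk_octets_sampled": sampled[bulk].octets,
            "probe_flows_sampled": sum(1 for k in sampled if k[0] == "198.51.100.7")}
```

With 1-in-100 sampling, `compare()` reports 6 flows under full accounting but only 1 in the sampled export: every one of the five scanner probes is missed, and the bulk flow's 1,400,000 octets are over-estimated as 1,540,000. That is the difference between a tool that can alert on a port scan or a beacon and one that cannot.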

Data Masking

Data Masking enables the enterprise to forward and share data traffic across departments, while at the same time providing them with a tool to mask private and confidential user information that is contained in the data.


Application Filtering

Identifying applications and layer 7 protocols often requires deep packet inspection and analysis. Application filtering performs DPI and identifies dozens of applications; the list of supported applications is updated regularly.


TLS Decryption

SSL/TLS decryption is a foundation of the security visibility layer. Without SSL/TLS decryption your organization is blind to attacks, malware and other security threats that reach your network inside TLS sessions. Organizations need a way to identify those threats in order to protect their users and intellectual property.

Niagara's SSL/TLS decryption platform supports three deployment modes:

  • Passive out of band - the SSL/TLS decryption platform receives a copy of the encrypted traffic. The decrypted traffic can be forwarded to an out-of-band tool. The decryption process has no impact on the network traffic. This mode is only available for TLS versions and cipher suites that permit passive decryption: in practice the platform must hold the server's private key and the session must use RSA key exchange. Sessions negotiated with forward-secret (EC)DHE cipher suites, or with TLS 1.3, cannot be decrypted from a passive copy and need one of the active modes.

  • Active out of band - the SSL/TLS decryption platform sits inline, receiving the encrypted traffic. The traffic is decrypted and re-encrypted back onto the network. A copy of the decrypted traffic can be forwarded to an out-of-band appliance. The actions of the out-of-band appliance itself have no impact on the network traffic.

  • Active inline - the SSL/TLS decryption platform sits inline, receiving the encrypted traffic. The traffic is decrypted, and the decrypted traffic may be forwarded to an inline appliance. Decrypted traffic from the inline appliance is received back at the SSL/TLS decryption platform and is re-encrypted onto the network.

SSL/TLS Network Deployments

Figure depicts the three SSL/TLS network deployments. The three modes can be supported simultaneously on the same platform.
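Before choosing a deployment mode, a practitioner wants to know which share of the traffic is passively decryptable at all. The following added example (written for this page; not Niagara's code and not its platform's logic) answers that per session by parsing the ServerHello and classifying the negotiated version and cipher suite. The cipher-suite and extension codepoints are the IANA-registered values; the allow-lists, the constructed ServerHello builder, and the classification strings are assumptions for the demo, and a real ServerHello carries more extensions than the builder emits.

```python
import struct

SUPPORTED_VERSIONS_EXT = 43   # extension type registered for TLS 1.3

# Static RSA key exchange: the premaster secret is encrypted to the server's
# public key, so a platform holding the server's private key can derive the
# session keys from a passive copy of the handshake.
RSA_KEX_SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                  0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
                  0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
                  0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
                  0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
                  0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384"}
# Forward-secret suites: an ephemeral (EC)DHE exchange produces the key, so the
# server's private key never suffices; only an active (inline) mode can help.
FS_SUITES = {0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
             0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
             0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
             0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
             0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
             0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
             0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"}


def parse_server_hello(record: bytes):
    """Return (negotiated_version, cipher_suite) from a TLS record holding a ServerHello.

    TLS 1.3 keeps legacy_version 0x0303 in the body and announces the real
    version in the supported_versions extension, so the extensions are walked.
    """
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or not body or body[0] != 2:
        raise ValueError("not a ServerHello handshake record")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hs[0:2])[0]
    off = 2 + 32                       # skip the 32-byte server random
    off += 1 + hs[off]                 # legacy_session_id (length-prefixed)
    suite = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2 + 1                       # cipher suite, compression method
    if off + 2 <= len(hs):
        ext_len = struct.unpack("!H", hs[off:off + 2])[0]
        off, end = off + 2, off + 2 + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[off:off + 4])
            off += 4
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                version = struct.unpack("!H", hs[off:off + 2])[0]
            off += elen
    return version, suite


def passive_decryptable(record: bytes):
    """Classify a session: can the passive out-of-band mode decrypt it, and why."""
    version, suite = parse_server_hello(record)
    if version >= 0x0304:
        return False, "TLS 1.3 (ephemeral key exchange only): needs an active mode"
    if suite in RSA_KEX_SUITES:
        return True, f"{RSA_KEX_SUITES[suite]}: decryptable with the server's private key"
    if suite in FS_SUITES:
        return False, f"{FS_SUITES[suite]}: forward secret, needs an active mode"
    return False, f"cipher suite 0x{suite:04x} not in the allow-list: treat as not decryptable"


def build_server_hello(suite: int, selected_version=None) -> bytes:
    """Constructed ServerHello record for the demo (fixed random, empty session id)."""
    body = (struct.pack("!H", 0x0303) + bytes(range(32)) + b"\x00"
            + struct.pack("!H", suite) + b"\x00")
    if selected_version is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, selected_version)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0303, len(handshake)) + handshake
```

Run against captured ServerHellos, the classifier tells you how much of your traffic the passive mode could ever cover; a session negotiating TLS_RSA_WITH_AES_128_GCM_SHA256 is decryptable with the server key, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is not, and anything that selects TLS 1.3 through supported_versions is never passively decryptable. Unknown suites are deliberately treated as not decryptable rather than guessed.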

Tunnel Support

Tunnels encapsulate traffic so it can be sent from one location to another. This application can encapsulate traffic and send it to a remote/central location, and it can terminate tunnels and forward the decapsulated (de-tunneled) traffic to a network tool.

GTP Correlation

GTP Correlation encompasses several applications that facilitate connecting network tools in mobile environments. One of the primary challenges for network tools in mobile networks, whether used for performance monitoring, behavioral analysis or any other analysis that must differentiate user traffic, is that the user plane and the control plane are decoupled: user traffic travels in GTP-U tunnels identified only by a tunnel endpoint identifier, while the subscriber identity is carried in the GTP-C signaling that set the tunnel up. To correctly identify a specific user's traffic, the user plane must be correlated with the control/signaling plane. Other associated applications include optimized load balancing based on user traffic, IMSI filtering and more.

Header Stripping

Header Stripping modifies traffic so that the intended network tool can process it and fulfill its purpose. Niagara's application strips the outer header from the traffic, exposing the relevant packet for processing.


Regex

The Regex Patterns application extends the existing filtering and data masking capabilities and adds new modes of operation. The user can define any pattern as a regular expression, or load a predefined one. With this capability the user can perform advanced packet filtering, advanced masking and advanced session filtering. With session filtering, once the pattern is detected in any packet, the entire session is identified and can be filtered. For every pattern match, the user can configure whether matching traffic is passed or excluded.
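The Data Masking and Regex Patterns sections above describe two operations on payload bytes; the following added example (written for this page, not Niagara's code) shows both working together on constructed traffic: a regex-driven masker that overwrites matches with a same-length fill, and a session filter that flags a whole session, in both directions, once any packet in it matches. The packet format, the sample payloads, the card-number and backup-job patterns and the pipeline ordering are assumptions for the demo. Two practical points the prose leaves implicit are built in: masking must preserve length so the IP total length and TCP sequence numbers stay valid for the receiving tool, and session filtering can only act on packets seen after the first match, since earlier packets of that session have already been forwarded.

```python
import re

# Demo patterns (constructed for this example, not a shipped rule set).
CARD_NUMBER = re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b")
BACKUP_JOB = re.compile(rb"X-Backup-Job:")


def session_key(pkt: dict):
    """Direction-independent session key so both directions of a flow match."""
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (a, b) if a <= b else (b, a)


def mask_payload(payload: bytes, pattern: re.Pattern, fill: bytes = b"X") -> bytes:
    """Overwrite each match with a same-length fill.

    Unchanged length keeps the IP total length and TCP sequence numbers consistent,
    so the tool still sees a valid stream; only the L4 checksum needs recomputing.
    """
    return pattern.sub(lambda m: fill * len(m.group(0)), payload)


class SessionFilter:
    """Once the pattern hits in any packet, the whole session is flagged.

    mode="exclude" drops flagged sessions; mode="include" forwards only them.
    Packets of the session forwarded before the first hit are already gone:
    session filtering is forward-looking, not retroactive.
    """

    def __init__(self, pattern: re.Pattern, mode: str = "exclude"):
        self.pattern, self.mode, self.flagged = pattern, mode, set()

    def forward(self, pkt: dict) -> bool:
        key = session_key(pkt)
        if key not in self.flagged and self.pattern.search(pkt["payload"]):
            self.flagged.add(key)
        hit = key in self.flagged
        return (not hit) if self.mode == "exclude" else hit


def pipeline(packets):
    """Session-filter first, then mask; return the payloads the tool receives."""
    sf = SessionFilter(BACKUP_JOB, mode="exclude")
    return [mask_payload(p["payload"], CARD_NUMBER) for p in packets if sf.forward(p)]


def constructed_packets():
    """Constructed sample: a payment request and a backup job, each with its reply."""
    def pkt(src, sport, dst, dport, payload):
        return {"src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}
    return [
        pkt("10.0.0.5", 40001, "10.0.1.9", 443,
            b"POST /pay HTTP/1.1\r\n\r\ncard=4111 1111 1111 1111&cvv=123"),
        pkt("10.0.0.6", 40002, "10.0.1.9", 443,
            b"PUT /dump HTTP/1.1\r\nX-Backup-Job: nightly\r\n\r\n"),
        pkt("10.0.1.9", 443, "10.0.0.6", 40002, b"HTTP/1.1 200 OK\r\n\r\n"),
        pkt("10.0.1.9", 443, "10.0.0.5", 40001, b"HTTP/1.1 200 OK\r\n\r\n"),
    ]
```

`pipeline(constructed_packets())` forwards two payloads: the payment request with its 19-character card number replaced by 19 `X` bytes, and the reply to it. The backup request is dropped because it matched, and the server's reply to the backup client is dropped too, even though that packet contains no match, because the reverse direction maps to the same session key.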

Network Intelligence Open Visibility Partners