Modern solutions for building information security systems - network packet brokers (Network Packet Broker)

Information security has separated from telecommunications into an independent industry with its own specifics and its own equipment. But there is a little-known class of devices that stands at the crossroads of telecom and information security: network packet brokers (Network Packet Broker), also called load balancers, specialized / monitoring switches, traffic aggregators, Security Delivery Platform, Network Visibility and so on. As a Russian developer and manufacturer of such devices, we would really like to talk about them in more detail.


Scope and tasks


Network packet brokers are specialized devices that have found their widest application in information security systems. As a class, they are relatively new and occupy a small niche in the generally accepted network infrastructure compared to switches, routers, etc. The pioneer in developing devices of this type was the American company Gigamon. Today there are significantly more players in this market (including IXIA, the well-known manufacturer of test systems, which has such solutions), but only a narrow circle of professionals knows that such devices exist. As noted above, even the terminology is not settled: the names range from "a system for ensuring network transparency" to simply "balancers".

When developing network packet brokers, we found that, in addition to analyzing the directions of functional development and testing in laboratories / test zones, we must at the same time explain to potential customers that this class of equipment exists at all, since not everyone knows about it.

As recently as 15-20 years ago there was little traffic in the network, and it was mostly unimportant data. But Nielsen's law practically repeats Moore's law: Internet connection speed increases by 50% annually. Traffic volume is also growing steadily (the graph shows the 2017 forecast from Cisco; source: Cisco Visual Networking Index: Forecast and Trends, 2017–2022):

[Figure: Cisco VNI forecast of traffic growth, 2017–2022]

Along with speed, the importance of the information in circulation (trade secrets, and the notorious personal data) and the overall performance of the infrastructure are growing.

Accordingly, the information security industry emerged. It responded with a whole range of devices for deep packet inspection (DPI): from DDoS prevention systems to security information and event management systems, including IDS, IPS, DLP, NBA, SIEM, antimalware and so on. Typically, each of these tools is software installed on a server platform. Moreover, each program (analysis tool) is installed on its own server platform: the software vendors differ, and L7 analysis requires a lot of computing resources.

When building an information security system, a number of basic tasks have to be solved:

  • how to deliver traffic from the infrastructure to the analysis systems? (SPAN ports, originally designed for this, are no longer sufficient in modern infrastructure in either number or performance)
  • how to distribute traffic between different analysis systems?
  • how to scale the system when one analyzer instance lacks the performance to process the entire volume of traffic entering it?
  • how to monitor 40G / 100G interfaces (and, in the near future, 200G / 400G), given that analysis tools currently only support 1G / 10G / 25G interfaces?

And the following related tasks:

  • how to minimize irrelevant traffic that does not need to be processed but still reaches the analysis tools and consumes their resources?
  • how to handle encapsulated packets and packets carrying equipment-specific service tags, whose preparation for analysis turns out to be either resource-intensive or impossible altogether?
  • how to exclude from analysis the part of the traffic that does not fall under the security policy (for example, management traffic)?


As everyone knows, demand creates supply, and network packet brokers began to develop in response to these needs.

General Description of Network Packet Brokers


Network packet brokers operate at the packet level, and in this they resemble ordinary switches. The main difference is that in a network packet broker the rules for distributing and aggregating traffic are entirely determined by configuration. Network packet brokers have no standards for building forwarding tables (MAC tables) and no protocols for talking to other switches (such as STP), so the range of possible settings, and of header fields they understand, is much wider. A broker can distribute traffic from one or more input ports across a given set of output ports with even loading of the outputs. Rules can be set for copying, filtering, classification, deduplication and modification of traffic. These rules can be applied to different groups of the broker's input ports, and also applied sequentially one after another within the device. An important advantage of a packet broker is the ability to process traffic at full line rate while preserving session integrity (when balancing traffic across several DPI systems of the same type).

Preserving session integrity means delivering all packets of a transport-layer session (TCP / UDP / SCTP) to one port. This matters because DPI systems (usually software running on a server connected to an output port of the packet broker) analyze traffic content at the application layer, and all packets sent / received by one application must reach the same analyzer instance. If packets of one session are lost or spread between different DPI devices, each DPI device ends up in a situation like reading individual words instead of the whole text, and most likely will not understand it.

Thus, being oriented towards information security systems, network packet brokers have functionality that helps connect DPI software systems to high-speed telecommunication networks and reduce the load on them: they perform preliminary filtering, classification and preparation of traffic to simplify subsequent processing.

In addition, since network packet brokers produce a wide range of statistics and are often connected to various points of the network, they also find a place in diagnosing health problems of the network infrastructure itself.

Basic features of network packet brokers


The name "specialized / monitoring switches" comes from their basic purpose: to collect traffic from the infrastructure (usually via passive optical TAP couplers and / or SPAN ports) and distribute it between the analysis tools. Between heterogeneous systems traffic is mirrored (duplicated); between homogeneous systems it is balanced. Basic functions usually include filtering by fields up to L4 (MAC, IP, TCP / UDP port, etc.) and aggregating several lightly loaded links into one (for example, for processing on a single DPI system).

This functionality solves the basic problem of connecting DPI systems to the network infrastructure. Brokers from various manufacturers that are limited to this basic functionality handle up to 32 100G interfaces per 1U (more interfaces physically do not fit on a 1U front panel). However, they cannot reduce the load on the analysis tools, and for complex infrastructure they cannot even fully meet the basic requirement: a session carried over several tunnels (or carrying MPLS labels) can be spread across different analyzer instances or drop out of the analysis altogether.

Beyond adding 40 / 100G interfaces and the resulting increase in throughput, network packet brokers are actively developing fundamentally new features: from balancing on nested tunnel headers to traffic decryption. Such models cannot, unfortunately, boast terabit performance, but they make it possible to build a really high-quality and technically "beautiful" information security system in which each analysis tool is guaranteed to receive only the information it needs, in the form most suitable for analysis.

Advanced Network Packet Brokers



1. Balancing on nested headers in tunneled traffic (mentioned above).

Why is it important? Consider three aspects that can be critical together or individually:

  • . , 2 , 3 . , ;
  • (, FTP VoIP), . : , , . , , , . , , . , ;
  • balancing in the presence of MPLS, VLAN, vendor-specific equipment tags, etc. These are not exactly tunnels, but equipment with only basic functionality may fail to recognize such traffic as IP and balance it by MAC addresses instead, once again breaking the balance or the integrity of the sessions.

The network packet broker parses the outer headers, follows the pointers in turn down to the nested IP header itself, and balances on it. As a result, there are significantly more flows (so traffic can be balanced more evenly and across more platforms), and the DPI system receives all packets of a session and all associated sessions of multisession protocols.
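To show what following the pointers down to the nested IP header buys, here is an added Python example (not the article's code and not DS Integrity firmware): it builds constructed VLAN-tagged GRE-over-IPv4 frames, extracts a direction-independent inner 5-tuple and hashes it to an output port, and with follow_tunnels=False behaves like a basic broker that stops at the outer IP header. All names, addresses and the choice of blake2b as a stand-in for the hardware hash are assumptions of this example.

```python
import hashlib
import struct
ETH_VLAN, ETH_IP4, PROTO_TCP, PROTO_UDP, PROTO_GRE = 0x8100, 0x0800, 6, 17, 47

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left 0 because this is constructed test data."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)

def build_frame(outer_src, outer_dst, in_src, in_dst, sport, dport, vlan=None):
    """Constructed frame Ethernet [802.1Q] IPv4 GRE IPv4 TCP, as a TAP on a tunnel link sees it."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16            # 20-byte TCP header stub
    inner = ipv4_header(in_src, in_dst, PROTO_TCP, len(l4)) + l4
    gre = struct.pack("!HH", 0, ETH_IP4)                             # GRE with no optional fields
    outer = ipv4_header(outer_src, outer_dst, PROTO_GRE, len(gre) + len(inner))
    tag = struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b""
    return b"\x00" * 12 + tag + struct.pack("!H", ETH_IP4) + outer + gre + inner

def flow_key(frame, follow_tunnels=True):
    """Direction-independent (ip, port, ip, port, proto) key, or None for non-IPv4.
    follow_tunnels=False mimics a basic broker that stops at the outer IP header."""
    off, etype = 14, struct.unpack_from("!H", frame, 12)[0]
    while etype == ETH_VLAN:                                         # skip 802.1Q / QinQ tags
        etype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if etype != ETH_IP4:
        return None
    while True:
        proto, src, dst = frame[off + 9], frame[off + 12:off + 16], frame[off + 16:off + 20]
        off += (frame[off] & 0x0F) * 4                               # IHL -> start of next header
        if proto == PROTO_GRE and follow_tunnels:
            flags, gre_type = struct.unpack_from("!HH", frame, off)
            off += 4 + 4 * bin((flags >> 12) & 0b1011).count("1")    # C, K, S optional words
            if gre_type != ETH_IP4:
                return None
            continue                                                 # descend into the inner IPv4
        ports = struct.unpack_from("!HH", frame, off) if proto in (PROTO_TCP, PROTO_UDP) else (0, 0)
        a, b = sorted([(src, ports[0]), (dst, ports[1])])            # both directions give one key
        return (*a, *b, proto)

def choose_port(key, n_ports):
    """Map a flow key to one of n_ports output ports (blake2b stands in for the hardware hash)."""
    digest = hashlib.blake2b(struct.pack("!4sH4sHB", *key), digest_size=4).digest()
    return int.from_bytes(digest, "big") % n_ports

def sample_frames(n_flows=16):
    """Constructed traffic: n_flows TCP sessions, both directions, all inside one GRE tunnel."""
    ep_a, ep_b, srv = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes([172, 16, 0, 1])
    return [f for i in range(n_flows) for f in (
        build_frame(ep_a, ep_b, bytes([192, 168, 1, i + 1]), srv, 40000 + i, 443, vlan=100),
        build_frame(ep_b, ep_a, srv, bytes([192, 168, 1, i + 1]), 443, 40000 + i, vlan=100))]
```

With follow_tunnels=False every frame of the tunnel hashes to the same output port, so one analyzer gets all of it; with the inner key the sessions spread across the outputs while both directions of each session still land on the same port.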

2. Traffic modification.
One of the broadest functions in terms of capabilities; its subfunctions and their applications are numerous:

  • payload, . , , . , (, , ), payload , . , payload , – ;
  • , , . – . ;
  • : MPLS-, VLAN, ;
  • , , IP- ;
  • : , , ..

3. Deduplication: removal of duplicate packets from the traffic sent to the analysis tools. Duplicates most often arise from how the broker is connected to the infrastructure: traffic can pass through several collection points and be mirrored at each of them. There are also retransmissions of TCP packets that did not arrive, but if there are many of them, that is more a question of network quality monitoring than of information security.
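An added Python illustration of the deduplication just described (example code, not the article's or any product's implementation): copies of one packet mirrored at different points of the path differ in TTL and therefore in the IP header checksum, so the filter hashes the packet with those two fields zeroed and drops a packet whose hash was already seen within a short time window. The packet builder, the window length and the use of blake2b are assumptions of this example; it assumes IPv4 headers without options.

```python
import hashlib
import struct
import time

def ipv4_packet(src, dst, ttl, payload):
    """Constructed IPv4 packet (proto 17 = UDP, checksum 0), used only to feed the filter."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 17, 0, src, dst) + payload

def dedup_key(pkt):
    """Hash the packet with the per-hop fields (TTL, header checksum) zeroed, so copies
    mirrored at different points of the path collide. Assumes a 20-byte IPv4 header."""
    hdr = bytearray(pkt[:20])
    hdr[8] = 0                    # TTL
    hdr[10:12] = b"\x00\x00"      # IPv4 header checksum
    return hashlib.blake2b(bytes(hdr) + pkt[20:], digest_size=8).digest()

class Deduplicator:
    """Drops a packet if an equivalent one was seen within `window` seconds."""
    def __init__(self, window=0.05):
        self.window, self.seen = window, {}

    def accept(self, pkt, now=None):
        """Return True if the packet should be forwarded to the analyzer, False if it is a duplicate."""
        now = time.monotonic() if now is None else now
        key = dedup_key(pkt)
        last = self.seen.get(key)
        self.seen[key] = now
        if last is not None and now - last <= self.window:
            return False
        # Bound memory by evicting stale entries (a hardware broker would use a fixed-size table)
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.window}
        return True
```

Note that an identical TCP retransmission arriving inside the window is also dropped, which is the behaviour the text describes for retransmitted packets.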

4. Advanced filtering functions: from searching for specific values at a given offset to signature analysis across the whole packet.

5. NetFlow / IPFIX generation: collection of a wide set of statistics on the passing traffic and its transmission to the analysis tools.

6. Decryption of SSL traffic. This works provided that the certificate and keys are preloaded into the network packet broker; nevertheless, it significantly unloads the analysis tools.

There are many more useful and marketing features, but the main ones are perhaps listed above.

The evolution of detection systems (for intrusions, DDoS attacks) into prevention systems, as well as the introduction of active DPI tools, required a change in the connection scheme from passive (via TAP or SPAN ports) to active (inline, "in the gap"). This raised the reliability requirements (because a failure in this case disrupts the entire network, not just loses control over information security) and led to the replacement of optical couplers with optical bypass switches (to remove the dependence of network availability on the performance of the information security system), but the basic functionality and the requirements for it remained the same.

We have developed the DS Integrity network packet brokers with 100G, 40G and 10G interfaces, from design and circuitry to embedded software. Moreover, unlike other packet brokers, the modification and balancing functions for nested tunnel headers are implemented in hardware, at full port speed.
