SPS’s perimeter security solutions use hardware and technology from Ixia, a Keysight business, to provide easy and cost-efficient methods to protect a network from disruptions caused by traffic congestion, configuration errors, or the unexpected loss of power to a security device. Network traffic keeps moving, even during unexpected software or hardware failures.
With Ixia’s external bypass switch technology, security appliances no longer need to be deployed directly inline on live network links. Used in conjunction with a network packet broker (NPB), this gives Security Operations greater control over live traffic inspection, accommodating both active inline inspection and out-of-band (passive) monitoring.
Ixia’s external, single-purpose bypass switches, deployed one per link, keep the network reliable while also improving the reliability of the security stack. Keeping the bypass function operationally separate (rather than integrating it into the network packet broker) reduces maintenance effort and the complexity of the bypass logic, and greatly narrows the footprint affected during change windows.
Should a failure occur in the primary security path, the bypass switch fails over automatically to a secondary path, avoiding a network outage. Should both paths fail, the bypass can be configured either to keep the link up with traffic passing uninspected (fail-open) or to shut that link down (fail-closed) so that the customer’s routing scheme furnishes network resiliency. Which to choose is a security policy decision: fail-open preserves availability at the cost of a window of uninspected traffic, while fail-closed preserves the inspection guarantee at the cost of depending on routing to steer traffic around the failed link.
Our solutions allow existing security appliances to inspect increasing volumes of network traffic as links or segments are added to the network infrastructure (or as link speeds are upgraded). Additional bypass switches are added to the new links and connected to the NPB, the NPB configuration is updated with new filter definitions to accommodate those links, and the security tools continue to perform their inspection tasks (provided they have enough capacity).
External bypass switches also enable Ixia’s High Availability (HA) security capabilities when they are configured with an alternate path to a second, redundant NPB. The secondary NPB is connected to the same security tools as its peer, so the tools process the complete set of traffic received on the interfaces of either NPB.
Ixia’s Network Packet Brokers process traffic from as many links as require monitoring or inspection. In our solutions, a bypass switch deployed on each link directs traffic to the NPB, where it is aggregated and processed according to security policy. Traffic from the monitored links can be load balanced by session across the instances of each security tool, or shunted around the security tools altogether (for example, Layer 2 or routing-protocol traffic that policy does not require to be inspected). Because the NPB handles the task of delivering a complete set of the relevant traffic to each device, tools can be deployed or decommissioned easily. Each tool instance has no awareness of the others, and the supported network has no awareness of the change to the security infrastructure.
Ixia’s zero-packet-loss aggregation and load balancing is vital not only to inline packet inspection, but also to out-of-band security monitoring. For example, out-of-band (passive) monitoring, which can retain and correlate traffic over time, is far better placed to identify multi-stage cyberattacks executed in phases, attacks constructed so that an inline tool judging each packet or session in isolation does not detect them.
Both bypass switches and NPBs perform automatic failover, using both Link State and Heartbeats (pre-defined or customizable) to detect viable pathways through the security stack. We have expertise in handling heartbeat processing through complex security service chains, where the heartbeat packets must be crafted so that every tool in the chain passes them rather than dropping them as unknown traffic (a dropped heartbeat is indistinguishable from a dead tool).
Because a single tool type is almost never enough to satisfy a firm’s security requirements, and because no one tool does everything, enterprises seek to employ the appropriate number of different best-of-breed security devices and to build out each set of tools independently.
When servicing active (inline) security devices, Ixia’s NPBs employ a concept of “Service Chaining,” where packets are filtered according to specified criteria and then directed through security tools serially: through one set of tools, then, if they are not dropped, to the next tool type, and finally back out to the network links.
One of the most useful features of Ixia’s NPBs is the ability to designate a tool or set of like tools (known within Ixia as an “Inline Tool Resource,” or “ITR”) as either REQUIRED or NOT REQUIRED. The designation decides what happens when the heartbeat shows an ITR is no longer viable. If the ITR is designated NOT REQUIRED, the NPB shunts traffic past the failed ITR, and the other tools in the chain continue to see and inspect the traffic relevant to them. If the ITR is designated REQUIRED, traffic is never forwarded past it uninspected; where security policy dictates that traffic on a link MUST be inspected, the failure causes the bypass switch to shut that link down (fail-closed), leaving the network’s routing to carry the traffic elsewhere.
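The following is an added example, written for this page and not SPS or Ixia code, that models the failover decisions described above: heartbeat-driven viability of each ITR, shunting around a NOT REQUIRED ITR, refusing to pass traffic around a REQUIRED one, and the bypass switch’s fail-open or fail-closed choice when both NPB paths are down. The class names, the three-second heartbeat timeout, the chain (decrypt, IPS, WAF) and the link names are all hypothetical; real Ixia timers and designations are set in the NPB and bypass configuration.

```python
from dataclasses import dataclass
from enum import Enum

# Assumed heartbeat policy: a path or tool instance whose last heartbeat reply
# is older than this is treated as down. Real Ixia timers are configurable.
HEARTBEAT_TIMEOUT_S = 3.0


class Designation(Enum):
    REQUIRED = "REQUIRED"
    NOT_REQUIRED = "NOT_REQUIRED"


class Outcome(Enum):
    INSPECTED = "inspected"      # traffic traversed every ITR in the chain
    SHUNTED = "shunted"          # one or more NOT REQUIRED ITRs were skipped
    FAIL_OPEN = "fail_open"      # bypass keeps the link up; traffic is uninspected
    FAIL_CLOSED = "fail_closed"  # bypass shuts the link; routing must reroute


@dataclass
class Itr:
    """Inline Tool Resource: a set of like tools, e.g. two IPS instances."""
    name: str
    designation: Designation
    heartbeat_age: dict  # instance name -> seconds since last heartbeat reply

    def live_instances(self):
        return sorted(i for i, age in self.heartbeat_age.items()
                      if age <= HEARTBEAT_TIMEOUT_S)

    def viable(self):
        return bool(self.live_instances())


@dataclass
class Link:
    name: str
    must_inspect: bool        # security policy: traffic on this link MUST be inspected
    npb_heartbeat_age: list   # seconds since last heartbeat from each NPB path


def route(link, chain):
    """Decide what happens to traffic arriving on `link` for service `chain`.

    Returns (Outcome, path) where path lists the ITRs traversed in order;
    a shunted NOT REQUIRED ITR is recorded as 'skip:<name>' for the operator log.
    """
    # Bypass switch first: the primary path is tried, then the secondary.
    # Both dead means the bypass decides the link's fate per its configuration.
    if not any(age <= HEARTBEAT_TIMEOUT_S for age in link.npb_heartbeat_age):
        return (Outcome.FAIL_CLOSED if link.must_inspect else Outcome.FAIL_OPEN), []

    path, shunted = [], False
    for itr in chain:
        if itr.viable():
            path.append(itr.name)
        elif itr.designation is Designation.NOT_REQUIRED:
            path.append("skip:" + itr.name)   # NPB shunts around the failed ITR
            shunted = True
        else:
            # A REQUIRED ITR is down: never forward traffic past it uninspected.
            # Whether the link stays up or is shut is the bypass switch's policy.
            return (Outcome.FAIL_CLOSED if link.must_inspect else Outcome.FAIL_OPEN), path
    return (Outcome.SHUNTED if shunted else Outcome.INSPECTED), path


def chain_with(waf_age=1.0, ips_age=1.0):
    """Constructed chain: TLS decrypt -> IPS -> WAF, heartbeat ages in seconds."""
    return [
        Itr("tls-decrypt", Designation.REQUIRED, {"dec-1": 1.0, "dec-2": 1.0}),
        Itr("ips", Designation.REQUIRED, {"ips-1": ips_age, "ips-2": ips_age}),
        Itr("waf", Designation.NOT_REQUIRED, {"waf-1": waf_age}),
    ]


def scenarios():
    """Constructed scenarios; returns {name: (outcome, path)}."""
    dmz = Link("dmz-uplink", must_inspect=True, npb_heartbeat_age=[1.0, 1.0])
    lab = Link("lab-uplink", must_inspect=False, npb_heartbeat_age=[1.0, 1.0])
    return {
        "all healthy": route(dmz, chain_with()),
        "waf down, not required": route(dmz, chain_with(waf_age=10.0)),
        "ips down, required, must inspect": route(dmz, chain_with(ips_age=10.0)),
        "ips down, required, may fail open": route(lab, chain_with(ips_age=10.0)),
        "primary npb down, secondary up": route(
            Link("dmz-uplink", True, [10.0, 1.0]), chain_with()),
        "both npb paths down, must inspect": route(
            Link("dmz-uplink", True, [10.0, 10.0]), chain_with()),
    }


if __name__ == "__main__":
    for name, (outcome, path) in scenarios().items():
        print(f"{name:36s} {outcome.value:12s} {' -> '.join(path) or '(no path)'}")
```

The point to take from the model is that REQUIRED and NOT REQUIRED are not reliability settings but security settings: a NOT REQUIRED ITR buys availability by accepting that its inspection is skipped while it is down, and a REQUIRED ITR on a must-inspect link converts a tool failure into a link outage that the network’s routing has to absorb. Decide the designation for each tool set with that trade-off written into the security policy, not left to the default.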
SPS can support an enterprise High Availability Security Upgrade to achieve failover in high-volume environments as the capacity of security tools increases, ensuring network uptime and maximum-security inspection of live network traffic.
Ixia NPBs are uniquely capable of redundant and failsafe deployments of security appliances by configuring for high availability in active–active mode, where two NPBs are actively sharing the workload in normal operations. The HA connection between the NPBs allows them to exchange configuration and status information in complete synchronization. When a set of bypass switches detects the outage of one NPB (via Heartbeats or Link State), whether as a result of its removal for maintenance or because of an unforeseen problem, they automatically fail over to the other NPB, which directs traffic through the security stack using the same hash-based load balancing algorithm as the primary device. Security inspection and monitoring requirements are thereby sustained.
The combination of bypass switches and an additional, redundant NPB eliminates the single-NPB point-of-failure and makes the security stack as reliable as the network the NPB supports.
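Session-oriented load balancing (mentioned above for the NPB) and transparent active-active failover (the second NPB “using the same hash-based load balancing algorithm as the primary”) both rest on one property: every NPB must derive the same tool instance from the same session, in both directions, from nothing but the packet and the list of live instances. The example below is added for this page, is not Ixia’s actual hash, and uses a direction-symmetric 5-tuple key with rendezvous (highest-random-weight) hashing so that removing one instance moves only the sessions that instance owned. The sample flows and instance names are constructed.

```python
import hashlib
import ipaddress


def session_key(src_ip, dst_ip, proto, src_port, dst_port):
    """Direction-symmetric 5-tuple key: A->B and B->A yield identical bytes,
    so both halves of a session are hashed to the same tool instance."""
    a = (ipaddress.ip_address(src_ip).packed, src_port)
    b = (ipaddress.ip_address(dst_ip).packed, dst_port)
    lo, hi = sorted((a, b))          # order endpoints, keep each port with its IP
    return b"".join([lo[0], hi[0], bytes([proto]),
                     lo[1].to_bytes(2, "big"), hi[1].to_bytes(2, "big")])


def pick_instance(key, instances):
    """Rendezvous (highest-random-weight) hashing over the live instances.

    Any NPB evaluating this with the same live-instance list picks the same
    instance, and removing one instance moves only the sessions it owned.
    Assumed algorithm for illustration, not Ixia's hash."""
    def weight(inst):
        return int.from_bytes(
            hashlib.sha256(key + inst.encode()).digest()[:8], "big")
    return max(sorted(instances), key=weight)


def assign(flows, instances):
    """Map each flow (src_ip, dst_ip, proto, src_port, dst_port) to an instance."""
    return {flow: pick_instance(session_key(*flow), instances) for flow in flows}


def failover_impact(flows, before, after):
    """Return (sessions_moved, sessions_owned_by_removed_instances)."""
    old, new = assign(flows, before), assign(flows, after)
    removed = set(before) - set(after)
    moved = sum(1 for f in flows if old[f] != new[f])
    owned = sum(1 for f in flows if old[f] in removed)
    return moved, owned


# Constructed sample flows: 40 client sessions to five HTTPS servers.
SAMPLE_FLOWS = [
    ("10.1.0.%d" % i, "203.0.113.%d" % (i % 5 + 1), 6, 40000 + i, 443)
    for i in range(1, 41)
]
IPS_INSTANCES = ["ips-1", "ips-2", "ips-3"]   # constructed ITR members


if __name__ == "__main__":
    table = assign(SAMPLE_FLOWS, IPS_INSTANCES)
    for inst in IPS_INSTANCES:
        print(inst, sum(1 for v in table.values() if v == inst), "sessions")
    moved, owned = failover_impact(SAMPLE_FLOWS, IPS_INSTANCES, ["ips-1", "ips-3"])
    print(f"ips-2 removed: {moved} sessions moved, {owned} were on ips-2")
```

A plain `hash % len(instances)` would satisfy the first two properties (symmetry and NPB agreement) but reshuffles most sessions whenever an instance joins or leaves, which for a stateful tool such as an IPS means mid-session traffic arriving at an instance that has never seen the handshake. Rendezvous hashing keeps that disruption to the sessions that had no surviving home anyway.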
Keysight / Ixia’s network packet brokers (NPBs) provide a cost-effective way to scale enterprise security appliances to match requirements. Using Layer 2-4 filtering, load balancing and automatic failover designs, SPS can deliver only the relevant traffic to each security or monitoring tool, making more efficient use of its capacity. Our designs establish security failover readiness from Day 2 operations onward and reduce the time and expense of adding tool instances as network traffic increases. They sustain network resilience during tool maintenance and troubleshooting, while simultaneously ensuring the reliability of the enterprise’s security posture.
While our designs accommodate the scaling of security tools to capacity, they also accelerate the deployment of appliances to production environments. Our solutions separate the security fabric from the network links. Tools can be deployed and tested with minimal impact on network operations, and our bypass failover options, along with automatic load balancing, allow a tool to be temporarily taken out of service or swapped, without requiring lengthy time periods during which network links are shut down.
Once our solutions are in place, it’s easy to add new types of security inspection to the design. Additional connections to new security appliances are generally accommodated with amendments to the filter definition in the Network Packet Broker configuration, allowing the rest of the security infrastructure to continue to function as previously defined and expected.
Ixia’s NPBs are optimized and fully featured to accommodate Full Term out-of-band (OOB) security appliances and monitoring. Their Dynamic (Intersection) Filtering technology allows filter definitions to overlap among tool types and sets, so that each tool set receives its own view of the traffic while the sets run in parallel.
Conversely, the NPB can also be configured to direct traffic serially, for inspection inline, with filter definitions applied at the Service Chain level. In fact, an ITR can be a member of multiple service chains, with different filter rules applied in each.
We offer solutions to accommodate both Serial and Parallel inspection needs within a single chassis or security fabric, and we optimize the configuration to handle both Full Term (always on) and On-Demand (activated intermittently, for troubleshooting or packet capture, for example) OOB monitoring.
Many security tools must inspect decrypted traffic in order to detect an attack hidden in an SSL/TLS session.
While individual security tools may have decryption capability, activating this functionality in multiple boxes adds cost, increases end-to-end latency (each box performs its own handshake and re-encryption) and spreads key management and maintenance across more devices.
SPS solutions decrypt traffic (and later re-encrypt it) at only one point in the security fabric, usually at the beginning of a service chain, before feeding it to the other devices in the security stack. The segments between the decryption point and the downstream tools then carry cleartext, so they must be confined to the security fabric and never patched into a general-purpose network. As with any other ITR, SSL/TLS devices can be scaled and subjected to Ixia’s load-balancing features.
Single-instance decryption can be just as important to passive security solutions as it is to inline inspection of network traffic. For example, decrypted packets are often mandatory for Application Monitoring solutions.
SPS develops and documents best practices for our partners’ and customers’ perimeter security infrastructure, including SNMP, syslog and SIEM integration, making the network infrastructure more reliable and better integrated with the normal operations of the IT environment.
SPS can help you take advantage of the visibility architecture to locate and isolate network and security problems. By defining filter rule parameters, the location and magnitude of a network or security problem can be identified and removed from the production environment more quickly (even automatically) to mitigate reliability failures and security risks. The NPB GUI features real-time packet and utilization counters for both ports and filters, and packet capture functionality is available. While the NPBs and bypass switches are transparent to the network and do not participate in routing, they do emit SNMP traps and syslog feeds to accommodate centralized monitoring of network health.
SPS solutions bridge the gap between Enterprise Network Management and Security Management roles and responsibilities, while the architecture itself allows network and security projects to be decoupled. SPS helps customers examine their networks to ensure that security policy, as handled by the security stack, is applied to the customer-specified traffic flows and endpoints. We are experienced at identifying visibility gaps in enterprise network traffic and at the most efficient way to direct suspect traffic for inspection and monitoring. Once the security fabric framework is in place, network and security infrastructure changes and upgrades can be planned independently and deployed with minimal risk of interference.
SPS can help enterprise customers with an overall visibility strategy, reducing the risk of unplanned future operating expense. We identify and document the means and methods for adaptability: adding more capacity and/or different security tools, formulating inspection chains according to security or application requirements without the need for network redesign, and allowing organizations to quickly change which traffic is inspected. When network topology and speed changes inevitably occur, our solution framework scales and allows for incremental build-out to reduce costs.
Here is a sampling of the Keysight / Ixia visibility products we support.
Vision E40 – Max 48 ports of 1/10GE | Max 6 ports of 40GE
Vision E100 – Max 32 ports of 40/100GE | Max 128 ports of 10/25GE | Max 64 ports of 50GE
Vision ONE™ – Max 64 ports of 10GE | Max 4 ports of 40GE; built-in application-layer filtering and threat intelligence
Vision xStream 40 – filters and load balances 10GE/40GE networks
Vision xStream 10 – filters and load balances 1GE/10GE networks
Bypass Switches – iBypass VHD, iBypass DUO, iBypass 40G, iBypass HD, iBypass 3 Copper
Taps – Copper or Fiber, 100% passive, simple link traffic aggregation, regen (multiple copies)
Our solutions support visibility to security appliances such as:
IPS (Intrusion Prevention System)
SSL/TLS decryption, e.g. Ixia SecureStack (Decryption as a Service)
Web Application Firewall (WAF)
DDoS (Distributed Denial of Service) mitigation