Presentation transcript: "Shared Data Access Network (SDAN)"
Slide 1: Shared Data Access Network (SDAN) for Monitoring, Security, Performance
J. Scott Haugdahl, Principal Engineer, Blue Cross Blue Shield; Former Asst. VP & Architect, US Bank
Data Connectors Minneapolis, March 28th, 2013
Slide 2: The US Bank Experience
Who is US Bank (Symbol: USB)?
- Part of U.S., a diversified financial services holding company
- Fifth-largest commercial bank in the U.S. with over 3,000 branches
- Recognized for its strong financial performance and prudent risk management, capital generation, and product quality
What is Network Application Analysis (NAA)?
- Founded in 2008 as part of US Bank's Network Planning and Engineering to adopt new thinking, methods, tools, processes, and collaboration in order to focus on resolving potential or chronic application performance problems
- Solutions oriented, not only the lower network (i.e. infrastructure) layers
- Gained a high level of visibility and credibility during pre-migration analysis to the new data center
- Created the Shared Data Access Network (SDAN) to support security, monitoring, and analysis tools
Why the SDAN?
- The only solution able to collect and aggregate multiple streams simultaneously from several tiers in real time to feed Application Performance Monitoring (APM), fraud detection, security, and sniffer tools
Slide 4: The Dark Ages
"Technicians had to physically unplug and move tools from one tap or SPAN port to another. That necessitated change orders and scheduling during off hours, slowing the group's agility and flexibility to monitor effectively." - Royal Bank of Canada
The data center crash cart. Not to mention tripping over wires or pulling the wrong one.
Slide 6: Sharing SPANs Got Ugly
"Hey, it's MY SPAN port!" (cartoon labels: Referee from Gigamon, Dropped Packets, Blade Server)
Only two SPAN ports per 6509, with problems from oversubscription and port channels. Nexus 7k with top-of-rack 2k's (line card fabric extension) is collapsing the architecture and making it worse: still only two SPANs per 7k.
Slide 7: Fast Forward: Gigamon Intelligent Matrix
The Shared Data Access Network (SDAN) collects and sends packets to consumers.
- Packet sources: tapped media, mirror ports, load balancers, firewalls, mainframe, switches, UCS fabric, blade chassis
- Gigamon Intelligent Matrix: switching, filtering, aggregation, slicing, etc.
- Consumers: intrusion detection, fraud, threat analysis, data loss prevention, APM, sniffer
Speaker notes:
- SDAN is another name for Gigamon's "Visibility Fabric".
- The scope of the SDAN is the taps and matrix switches; all other devices are consumers of the SDAN, a very important distinction to make when "selling it".
- Sniffers can assist in DDoS and IDS leakage analysis.
Slide 8: SDAN Value - The Big Three
Collect and aggregate packet flows
- Several streams from multiple tiers can be collected and aggregated to one or more 10 Gbps outputs, in order to monitor complex applications and save on tool ports
Passively share packet flows
- Packet stream sources (network ports) can service many consumers (tool ports) critical to protecting your customers and improving the end-user experience
- This really is the only solution that can effectively collect multiple packet streams and aggregate them to out-of-band tools.
Filter and preprocess packet flows
- Flows can be filtered by MAC, VLAN, IP (and sliced, de-duplicated, etc.), allowing focused analysis or fraud detection and a significant drop in CPU demand on the tool or appliance
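Added example, not from the deck and not Gigamon code: a small Python model of the filter, de-duplicate and slice stage described on this slide, run over constructed packet records (the Packet class, the addresses, VLAN numbers and payloads are all assumptions). It shows why de-duplication has to key on the IP headers and payload rather than on VLAN or MAC, since the same packet tapped on both sides of a firewall arrives with different L2 tags, and how slicing cuts the byte volume a security tool has to ingest.

```python
"""Model of the filter / de-duplicate / slice stage of a packet broker.

Constructed example: packets are plain Python records, not real captures.
"""
from dataclasses import dataclass, replace
from hashlib import sha256
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    vlan: int
    src_ip: str
    dst_ip: str
    payload: bytes  # everything above IP (L4 header + data), as raw bytes


def matches(pkt: Packet, vlans: Optional[Set[int]] = None,
            ips: Optional[Set[str]] = None, macs: Optional[Set[str]] = None) -> bool:
    """True if the packet passes every filter that is set (VLAN, IP, MAC)."""
    if vlans is not None and pkt.vlan not in vlans:
        return False
    if ips is not None and pkt.src_ip not in ips and pkt.dst_ip not in ips:
        return False
    if macs is not None and pkt.src_mac not in macs and pkt.dst_mac not in macs:
        return False
    return True


def dedupe_key(pkt: Packet) -> str:
    """Identity used for de-duplication.

    Assumption: the same packet seen at two taps may carry different VLAN tags
    or MAC addresses (rewritten at each hop), so only the IP endpoints and the
    payload are hashed.
    """
    return sha256(f"{pkt.src_ip}>{pkt.dst_ip}|".encode() + pkt.payload).hexdigest()


def slice_packet(pkt: Packet, keep: int) -> Packet:
    """Truncate the payload to `keep` bytes: headers survive, the body is dropped."""
    return replace(pkt, payload=pkt.payload[:keep])


def preprocess(packets: Iterable[Packet], vlans: Optional[Set[int]] = None,
               ips: Optional[Set[str]] = None, macs: Optional[Set[str]] = None,
               keep: int = 64) -> List[Packet]:
    """Filter, then de-duplicate (first copy wins), then slice each survivor."""
    seen: Set[str] = set()
    out: List[Packet] = []
    for pkt in packets:
        if not matches(pkt, vlans, ips, macs):
            continue
        key = dedupe_key(pkt)
        if key in seen:
            continue
        seen.add(key)
        out.append(slice_packet(pkt, keep))
    return out


def bytes_total(packets: Iterable[Packet]) -> int:
    """Payload bytes a tool would have to ingest for this stream."""
    return sum(len(p.payload) for p in packets)


# Constructed sample: one web request tapped on both sides of a tier-1 firewall
# (VLAN 10 outside, VLAN 20 inside, same IP headers), its response, and an
# unrelated backup stream on VLAN 30 that the security tool does not need.
WEB_REQUEST = b"GET /login HTTP/1.1\r\nHost: x.example\r\n\r\n" + b"A" * 1000
SAMPLE = [
    Packet("aa:01", "aa:02", 10, "198.51.100.7", "203.0.113.10", WEB_REQUEST),  # outside tap
    Packet("bb:01", "bb:02", 20, "198.51.100.7", "203.0.113.10", WEB_REQUEST),  # inside tap (dup)
    Packet("bb:02", "bb:01", 20, "203.0.113.10", "198.51.100.7", b"HTTP/1.1 200 OK\r\n" + b"B" * 1000),
    Packet("cc:01", "cc:02", 30, "10.0.0.5", "10.0.0.9", b"backup-stream" + b"C" * 5000),
]

if __name__ == "__main__":
    out = preprocess(SAMPLE, ips={"203.0.113.10"}, keep=64)
    print(f"{len(SAMPLE)} -> {len(out)} packets; "
          f"{bytes_total(SAMPLE)} -> {bytes_total(out)} payload bytes")
```

Run as written, the filter on the web server's IP drops the backup stream, de-duplication removes the second copy of the request, and slicing to 64 bytes leaves the tool with two small records instead of four large ones. Keeping the first copy seen is deliberate: the outside-firewall copy preserves the pre-rewrite L2 view that a sniffer usually wants.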
Slide 9: Simplified App Mapping & Tapping
Diagram labels (Application "X"): Internet Users, Internet Routers, Tier 1, Tier 2, Tier 3, "DMZ", Firewalls, Load Balancer, "X" Web Servers, Load Balancer, Authentication, Policies, "X" App Servers, Load Balancer, Messaging, Access GW, Mainframe, Firewalls, "X" DB Servers
Tapping above and below load balancers are great places to pick up services to monitor, isolate faults by domain, troubleshoot, and optimize apps.
Slide 10: Steps to a Successful SDAN Deployment
1. Document the logical flow of the application
   - In complex environments, use application (not network) conceptual flow diagrams to determine the logical tap points per end-tool requirements (packet analysis, security, APM, etc.)
   - Different applications will have different flows and services, especially customer-facing vs. internal applications
2. Map the logical flows and devices to physical ports
   - Example: firewalls and where they attach
3. Tap the physical media into your SDAN network ports
   - These comprise the ingress or network ports
4. Aggregate the packet streams and send them to your SDAN tool ports
   - Filters may be required to remove irrelevant packets
5. Feed the security flows to your sniffer to validate your setup
   - Don't forget this important last step!
   - IDS security below the firewall is a given. But what about fraud detection, data loss prevention, and other such tools?
   - Validate your packet flows through the SDAN before an attack or breach!
Slide 11: After SDAN
With the SDAN, we are now one big happy family sharing the sandbox! Note the Gigamon orange color of the sandbox. :)
Slide 12: Some SDAN Security Tool Best Practices
- Tap related network points into a Gigamon 420 or TA1 and send aggregated flows to a 2404/HD4/HD8 for security tool consumption
  - Example: Tier 1 firewalls and interfaces -> TA1 -> Tier 1 firewall aggregate -> HD8 -> IDS
  - Example: Nexus 2232/2248s -> TA1 -> server farm aggregate -> HD8 -> fraud detection
  - Example: Mainframe OSAs -> TA1 -> mainframe aggregate -> HD8 -> data loss prevention
- Use rules and filtering to greatly reduce load on the security appliance
  - Security and APM appliances do not need to waste cycles filtering irrelevant data
  - Reducing unnecessary intake can also increase post-analysis processing performance
- The usefulness of SPANs (and mirror ports) is diminishing, so avoid them if possible
  - Easy to oversubscribe, especially with port channel or full duplex aggregation
- Eliminate the old practice of using aggregation taps and use fiber where possible
  - Be mindful that each tap requires two SDAN ports when operating in non-aggregation mode
- Consider preserving separate send/receive full duplex tap ports all the way through to your tools for certain data center or branch WAN connections
  - Preserving full duplex tapped router connections helps to preserve incoming vs. outgoing
- Copy your security flows to permanent sniffers for post mortem analysis
  - Data mine stored packet flows for deep-dive forensics analysis
Speaker note: Preserving the send and receive side of full duplex taps to our tools can help preserve send/receive reports and statistics.
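Added example, not from the deck and not a Gigamon tool: a Python planning model that carries the deployment steps of slide 10 and the port and oversubscription rules of slide 12 into one check. Tap points carry the logical flows identified on the application flow diagram, tool ports declare which flows their consumer must see, and the report answers the three questions a practitioner wants before cutover: how many SDAN network ports the taps consume (two per non-aggregation tap), whether the worst-case full-duplex ingress of an aggregate exceeds its tool port, and whether every tool actually receives the flows it needs. The device names, link speeds and flow labels are constructed assumptions.

```python
"""Planning model for an SDAN build: port budget, oversubscription, flow coverage.

Constructed example; names, speeds and flow labels are assumptions, not the
deck's or Gigamon's figures.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class TapPoint:
    name: str                # physical link being tapped
    link_gbps: float         # link speed in one direction
    split_duplex: bool       # True = non-aggregation tap: one SDAN network port per direction
    flows: Tuple[str, ...]   # logical application flows visible here (from the flow diagram)

    @property
    def network_ports(self) -> int:
        """A non-aggregation tap occupies two SDAN ports (send and receive)."""
        return 2 if self.split_duplex else 1

    @property
    def peak_gbps(self) -> float:
        """A full-duplex link can carry line rate in both directions at once."""
        return 2.0 * self.link_gbps


@dataclass(frozen=True)
class ToolPort:
    tool: str                       # consumer: IDS, fraud detection, DLP, sniffer, ...
    capacity_gbps: float            # tool port speed
    needs: Tuple[str, ...]          # flows the tool must see to do its job
    sources: Tuple[TapPoint, ...]   # tap points aggregated onto this tool port


def network_ports_needed(taps: Iterable[TapPoint]) -> int:
    """Ingress (network) ports the SDAN must provide for these taps."""
    return sum(t.network_ports for t in taps)


def check_tool_port(tp: ToolPort) -> Dict[str, object]:
    """Worst-case aggregated ingress vs. tool-port capacity, plus flow coverage."""
    peak = sum(t.peak_gbps for t in tp.sources)
    seen = {f for t in tp.sources for f in t.flows}
    missing = tuple(f for f in tp.needs if f not in seen)
    return {
        "tool": tp.tool,
        "peak_gbps": peak,
        "oversubscribed": peak > tp.capacity_gbps,   # filter/slice or add tool ports
        "missing_flows": missing,                    # a tap point was never wired in
    }


def plan_report(tool_ports: Iterable[ToolPort]) -> Dict[str, Dict[str, object]]:
    return {tp.tool: check_tool_port(tp) for tp in tool_ports}


# Constructed sample topology (assumed names and speeds).
FW_OUT = TapPoint("tier1-fw-outside", 1.0, True, ("internet-ingress",))
FW_IN = TapPoint("tier1-fw-inside", 1.0, True, ("dmz-web",))
FARM = tuple(TapPoint(f"n2232-uplink-{i}", 10.0, True, ("app-tier", "db-tier"))
             for i in range(4))
OSA = TapPoint("mainframe-osa-1", 1.0, True, ("mainframe",))

TOOL_PORTS = (
    ToolPort("IDS", 10.0, ("internet-ingress", "dmz-web"), (FW_OUT, FW_IN)),
    ToolPort("Fraud Detection", 10.0, ("app-tier",), FARM),
    ToolPort("DLP", 10.0, ("mainframe", "db-tier"), FARM),  # OSA tap never wired to DLP
)

if __name__ == "__main__":
    print("SDAN network ports needed:", network_ports_needed((FW_OUT, FW_IN, OSA) + FARM))
    for report in plan_report(TOOL_PORTS).values():
        print(report)
```

In the sample, the firewall aggregate fits its IDS port with room to spare, the four tapped server-farm uplinks can peak at 80 Gbps into a 10 Gbps fraud-detection port (so the filtering rules of slide 12 are mandatory there, not optional), and the DLP port never sees the mainframe flow because the OSA tap was documented but not cabled to that aggregate. That last case is exactly what the sniffer validation step on slide 10 is meant to catch before an incident does.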