© 2016 IXIA AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED.
Slide 1: REFERENCE ARCHITECTURE GUIDE: ADDING SCALE & RESILIENCY TO YOUR FIREEYE NX DEPLOYMENTS


Slide 2: CONTENTS
Purpose
Executive Summary
How to Overcome Deployment Challenges
Key Technologies
  Bypass Switch
  Network Packet Broker
Reference Architectures
  Design 1: In-Line Network Resiliency
  Design 2: Load Balancing for In-Line & Out-of-Band Deployments
  Design 3: Advanced Fail-Over & Redundancy
  Design 4: Load Balancing from Multiple Links
  Design 5: Service Chaining Multiple Monitoring Tools
Contacts

Slide 3: PURPOSE
This Reference Architecture Guide is intended to assist FireEye employees and partners in planning, deploying and managing FireEye security solutions. It highlights key considerations for avoiding operational challenges and customer constraints by leveraging Ixia's Network Visibility Solutions. This document is not intended to be a detailed setup and configuration guide, but rather a high-level navigational tool to use as building blocks. Configuration files and setup guides can be found here:

Slide 4: EXECUTIVE SUMMARY
FireEye NX is a network threat prevention appliance with powerful features and impressive specifications. However, in today's competitive security market, IT customers are looking for system-level security solutions that can cost-effectively scale and change with their growing network needs and remain resilient to outages. Ixia's Network Visibility Solutions (NVS) complement FireEye's security products to create the best-in-class scalable and resilient security solutions that IT professionals need and want to purchase.

This best-practice document draws on industry trends and lessons learned to add scalability and resilience to FireEye NX deployments. The methods and suggestions outlined here answer IT customers' questions on how to accomplish their scalability and resilience goals with NX. The use cases defined in this document are tested, widely deployed and ready to be demonstrated, with the intent of accelerating customers' evaluation cycles, avoiding technical pitfalls at deployment and helping customers grow their FireEye NX deployments. By closely linking FireEye NX and Ixia NVS products to build a system-level solution, FireEye and Ixia's mutual channel partners gain the benefit of providing customers a complete, highly scalable solution that is easy to deploy.

The paper spells out how to integrate FireEye NX with Ixia's NVS to proactively:
Enhance inline network resiliency
Dynamically load balance workloads across multiple FireEye NX appliances
Maximize utilization by accessing multiple network links across the data center
Implement advanced failover mechanisms to prevent outages and minimize maintenance downtime
Build high availability into mission-critical deployments

Slide 5: HOW TO OVERCOME DEPLOYMENT CHALLENGES
The following typical problem areas can negatively impact a successful NX POC, technical design or commercial bid, or create unnecessary support calls. The remainder of this Reference Architecture Guide shows proactive mitigation steps leveraging Ixia's Network Visibility Solutions. Here is an overview of the ways Ixia's Network Visibility Solutions help you get over typical scalability and resilience challenges in NX deployments.

Flexibility: switching easily from (passive) out-of-band monitoring to (active) in-line monitoring
  Description: During initial security product deployments, IT organizations often run an NX as a passive monitoring tool and later rewire the network to support inline protection. This causes delays while maintenance windows are obtained.
  Ixia solution: Ixia bypass switches provide a common physical connection topology that supports both passive tap monitoring and active inline protection (configurable in software).

Flexibility: need to coexist with other security or monitoring tools
  Ixia solution: Ixia NPBs allow traffic to be shared among many tools, ensuring the right traffic is forwarded to the right tools in the right sequence. From the existing network interfaces, additional tools can be added or removed while the NPB delivers workloads from tool to tool.

Resilience: tools fail or require maintenance
  Description: Over time, tools require maintenance or fail. When this happens, inline protection tools shut down the services they are intended to protect.
  Ixia solution: Ixia bypass switches and NPBs use heartbeats to check the health and functionality of the tool and keep the network fully operational until the tool is remediated.

Scalability: increase inspection bandwidth
  Ixia solution: Ixia NPBs prevent oversubscribing NGNXs by load balancing and filtering traffic. Additional FireEye NGNXs can be added to the NPB seamlessly without any downtime to protected services.

Scalability: mix of network link speeds (1G/10G/40G)
  Ixia solution: Ixia NPBs can aggregate various link speeds and forward to NGNXs across 1G, 10G or 40G interfaces, with the option of load balancing, filtering and de-duplication.

Scalability: maximize tool efficiency
  Ixia solution: Ixia taps allow traffic capture on multiple segments, which can be aggregated by Ixia NPBs before forwarding to an NGNX or NGNX pool for full visibility. The NPB keeps track of flow coherency to the NGNX.

High Availability: fully redundant state sharing
  Ixia solution: Ixia NVS solutions can be implemented as fully redundant high-availability pairs supporting Active/Active or Active/Standby, with heartbeat monitoring to ensure availability.

Economic: leverage investment in existing tools
  Ixia solution: Ixia NPBs allow existing and new tools to coexist. For instance, business-critical applications can be sent to NX while the rest is sent to the pre-existing tools (e.g. NPM, security).

Slide 6: KEY TECHNOLOGIES
Ixia Network Visibility Solutions work in concert with FireEye NX to protect the customer's network. Ixia NVS provides NX with inline bypass switch and load balancing technology, offering highly resilient, fault-tolerant and scalable NX deployments. NX deployments can be upgraded or expanded as the customer's traffic and protection needs increase, without taking the current NX solution out of service. Ixia NVS may also be used for out-of-band NX deployments, and can optionally help FireEye solutions work at peak efficiency by filtering out unneeded protocols.

Bypass Switches
Ixia offers a family of Bypass Switches providing failsafe inline protection to fit any size of network. Today's enterprise networking environment uses many security, performance and analytics tools. Over months of continuous operation, tools require rebooting, maintenance and upgrades as business needs grow. All of Ixia's Bypass Switches safeguard networks with automated failover protection, ensuring temporary tool outages do not become network outages.

[Figure: Bypass Switch operating modes. In-Line Mode (active monitoring: traffic passes through the tool), Tap Mode (passive monitoring: the tool receives a copy), Bypass Mode (tool out of service: traffic passes straight through the switch).]

What sets Ixia's Bypass Switches apart is the scalability, failsafe design and integrated security tool heartbeat configurations. Choose the bypass that is right for your needs:
Reliability options: standard failsafe or High Availability
Switch capacity: single up to twelve segments
Network speed: 1G, 10G, 40G

Slide 7: KEY TECHNOLOGIES
Network Packet Brokers (NPB)

[Figure: Network Packet Broker between network packet sources (SPAN port, network tap, bypass switch, virtual tap) and network packet destinations (FireEye NX, intrusion detection, application performance, forensics recorder). NPB functions shown: aggregation, filtering, speed conversion, de-duplication, SSL decryption, load balancing.]

Ixia network packet brokers (NPB) for monitoring high-speed network traffic let you share the network's rapidly increasing traffic load among multiple FireEye NX appliances via load balancing. Ixia's NPB allows inline tool deployment in serial (for service chaining) and provides failover features to maximize the scalability and resiliency of FireEye deployments.

Key Benefits
Comprehensive High Availability (HA) features support fail-safe inline security tool deployment
Inline security tools can be deployed very flexibly to meet varying, and sometimes drastically different, requirements from different customers
Tool sharing reduces costs by allowing multiple departments in an organization to use the same monitoring tool to monitor multiple links throughout the organization
Filtering increases efficiency and maximizes tool utilization by sending each tool only the traffic it needs

Slide 8: REFERENCE ARCHITECTURES
Design 1: In-Line Network Resiliency

[Figure: FireEye NX deployed behind a Bypass Switch.]

Description: In-line bypass with FireEye NX solutions can help customers overcome network resiliency concerns.
Solution Features:
Ixia external Bypass Switch
Active in-line access for 1G and 10G links
Automatic fail-open and fail-closed options (configurable)
Heartbeat health check technology
Benefits:
Traffic continuity is preserved in case of a FireEye NX appliance outage
FireEye NX can be taken out of service for upgrade without taking down the network
FireEye NX can be connected in tap mode or in-line mode without rewiring the network
Proven Bypass Switch technology removes the NX appliance as a single point of failure
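The heartbeat mechanism behind the bypass switch (Key Technologies slide) and Design 1 is easiest to reason about as a small state machine: the switch injects heartbeat frames into the tool, and if enough consecutive beats fail to come back out the other side the segment fails open (bypass) or fails closed (blocked), per configuration; it reinserts the tool only after several clean beats so a tool that is merely overloaded (the "brown-out" case of the later designs) is not flapped back in prematurely. The following Python model is an added illustration and is not Ixia or FireEye code; the thresholds, the event model (one beat per interval, reply or timeout) and the names are assumptions, and a real bypass switch times heartbeats in hardware.

```python
"""Heartbeat-driven fail-open / fail-closed state machine for one bypass segment.

Added illustration (not Ixia or FireEye code). Thresholds, names and the
reply/timeout event model are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set


class Mode(Enum):
    INLINE = "inline"    # network -> tool -> network
    BYPASS = "bypass"    # tool out of path, traffic passed uninspected (fail-open)
    BLOCKED = "blocked"  # tool out of path, link held down (fail-closed)


@dataclass
class BypassSegment:
    fail_open: bool = True        # False = fail-closed
    miss_threshold: int = 3       # consecutive lost heartbeats before failover
    recover_threshold: int = 5    # consecutive good heartbeats before reinsertion
    mode: Mode = Mode.INLINE
    misses: int = 0
    recoveries: int = 0
    seq: int = 0
    outstanding: Set[int] = field(default_factory=set)

    def send_heartbeat(self) -> int:
        """Inject a heartbeat frame into the tool-facing port; return its sequence number."""
        self.seq += 1
        self.outstanding.add(self.seq)
        return self.seq

    def heartbeat_returned(self, seq: int) -> Mode:
        """The tool forwarded the heartbeat out of its other port."""
        if seq not in self.outstanding:
            return self.mode           # late or unknown reply: ignore
        self.outstanding.discard(seq)
        self.misses = 0
        if self.mode is not Mode.INLINE:
            # Require several clean beats so a flapping tool is not reinserted early.
            self.recoveries += 1
            if self.recoveries >= self.recover_threshold:
                self.mode, self.recoveries = Mode.INLINE, 0
        return self.mode

    def heartbeat_timeout(self, seq: int) -> Mode:
        """No reply within the interval: tool is down or too slow to keep up (brown-out)."""
        self.outstanding.discard(seq)
        self.recoveries = 0
        self.misses += 1
        if self.mode is Mode.INLINE and self.misses >= self.miss_threshold:
            self.mode = Mode.BYPASS if self.fail_open else Mode.BLOCKED
        return self.mode

    def current_path(self) -> str:
        """Where a production frame goes right now: 'tool', 'network' or 'drop'."""
        return {Mode.INLINE: "tool", Mode.BYPASS: "network", Mode.BLOCKED: "drop"}[self.mode]


def simulate(segment: BypassSegment, replies: List[bool]) -> List[Mode]:
    """Drive one heartbeat per interval; True = reply seen, False = timed out."""
    history = []
    for ok in replies:
        seq = segment.send_heartbeat()
        history.append(segment.heartbeat_returned(seq) if ok else segment.heartbeat_timeout(seq))
    return history


if __name__ == "__main__":
    seg = BypassSegment()
    pattern = [True, True, False, False, False, True, True, True, True, True]
    for ok, mode in zip(pattern, simulate(seg, pattern)):
        print("reply" if ok else "miss ", "->", mode.value)
```

Two things worth checking on a real deployment follow directly from the model: a single missed beat must not flip the segment (otherwise any tool reboot of a few seconds causes an uninspected window or an outage, depending on the fail mode), and the recovery threshold should be longer than the miss threshold so an overloaded tool is held out until it has genuinely drained.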

Slide 9: REFERENCE ARCHITECTURES
Design 2: Load Balancing for In-Line & Out-of-Band Deployments

[Figure: Bypass Switch, Network Packet Broker, three FireEye NX appliances (Active).]

Description: Individual FireEye NX appliances may not have sufficient capacity to fully protect busy network links, especially in the case of high-speed connections and bandwidth-intensive applications.
Solution Features:
Inline load balancing
Load balance 10/40G network traffic across multiple FireEye NX appliances
Two or more NX appliances, up to 16 per load-balanced group
Symmetry awareness: a given session uses the same NX appliance in both directions
Intelligent inline 5-tuple filtering to exclude non-essential traffic from NX inspection
Configurable options to pass through or block non-essential traffic on the network
Configurable heartbeat health check technology
Benefits:
Wire-speed protection for 10/40G network links and bandwidth-intensive applications
Heartbeat technology protects against "brown-out" issues, i.e. degraded performance due to too much traffic going through an NX appliance: the appliance is removed from the group until heartbeats return
Improve capacity by filtering and forwarding only the protocols relevant to the NX appliance and protection scenario
Proven bypass technology addresses customer objections about a single point of failure
Deploy additional FireEye NX appliances as traffic loads and customers' protection needs grow

Slide 10: REFERENCE ARCHITECTURES
Design 3: Advanced Fail-Over & Redundancy

[Figure: Bypass Switch, Network Packet Broker, FireEye NX (Active), FireEye NX (Standby), FireEye NX (Active).]

Description: In the event that a FireEye NX unit fails or requires maintenance, the remaining units must automatically take over inspection of its traffic in a fault-tolerant, session-aware manner.
Solution Features:
Traffic that comes into the Ixia NPB from a particular network link is sent back out the same link
Works based on MAC address filtering rules
Can be used in conjunction with Ixia NPB in-line load balancing
All features of single network link load balancing continue to be available (as per previous sections)
Benefits:
Graceful load balancing algorithm minimizes session disruption when appliances fail
Flexibility to support any combination of Active/Active and Active/Spare failover
Automatic hot standby failover
Take units out of service for maintenance without disrupting the network
Ability to support multiple different inline tools in load-balanced groups, so that FireEye NX can be integrated into any existing customer environment
Also supports out-of-band deployments
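Design 2's symmetry awareness and 5-tuple exclusion filtering, and Design 3's claim that losing a member disturbs as few sessions as possible, are the same problem seen from two sides: the group must pick a tool from the flow's 5-tuple in a direction-independent way, and the pick for flows on surviving members must not change when a member drops out. The Python below is an added illustration, not Ixia or FireEye code, of one way to get both properties: a canonical endpoint ordering before hashing, and a consistent-hash ring that is only skipped over (not rebuilt) for a member whose heartbeats stopped. The tool names, the ring layout, the rule format and the fail-open choice when the whole group is down are assumptions.

```python
"""Symmetric, consistent-hash load balancing across a group of inline tools.

Added illustration (not Ixia or FireEye code) for Design 2 (symmetry awareness,
5-tuple exclusion with pass-through or block) and Design 3 (minimal session
disruption on member failure). Names, ring layout and rule format are assumptions.
"""
import hashlib
from bisect import bisect_right
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reversed(self) -> "Flow":
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)

    def symmetric_key(self) -> bytes:
        """Order the endpoints canonically so A->B and B->A hash to the same tool."""
        lo, hi = sorted([(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)])
        return f"{self.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


@dataclass(frozen=True)
class Rule:
    """5-tuple exclusion rule; None is a wildcard. Checked in both directions so a
    one-directional rule cannot leave the reply half of a session inspected."""
    proto: Optional[int] = None
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def _match_one(self, f: Flow) -> bool:
        pairs = ((self.proto, f.proto), (self.src_ip, f.src_ip), (self.src_port, f.src_port),
                 (self.dst_ip, f.dst_ip), (self.dst_port, f.dst_port))
        return all(want is None or want == got for want, got in pairs)

    def matches(self, f: Flow) -> bool:
        return self._match_one(f) or self._match_one(f.reversed())


PASS_THROUGH = "network"   # excluded traffic forwarded uninspected
DROP = None                # excluded traffic blocked


def _h64(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


class InlineLoadBalancer:
    def __init__(self, tools: Iterable[str], rules: Iterable[Rule] = (),
                 drop_excluded: bool = False, vnodes: int = 64):
        self.vnodes = vnodes
        self.rules = list(rules)
        self.drop_excluded = drop_excluded
        self.ring: List[Tuple[int, str]] = []   # (hash, tool), kept sorted
        self.keys: List[int] = []
        self.healthy: Set[str] = set()
        for tool in tools:
            self.add_tool(tool)

    def add_tool(self, tool: str) -> None:
        """Consistent hashing: a new member takes roughly 1/N of flows, the rest stay put."""
        self.ring.extend((_h64(f"{tool}#{i}".encode()), tool) for i in range(self.vnodes))
        self.ring.sort()
        self.keys = [h for h, _ in self.ring]
        self.healthy.add(tool)

    def mark_down(self, tool: str) -> None:
        """Heartbeats lost (outage or brown-out): skip the member but keep its ring
        slots, so its flows return to it unchanged once it is marked up again."""
        self.healthy.discard(tool)

    def mark_up(self, tool: str) -> None:
        self.healthy.add(tool)

    def route(self, flow: Flow) -> Optional[str]:
        """Tool name, PASS_THROUGH, or DROP for the flow this packet belongs to."""
        if any(rule.matches(flow) for rule in self.rules):
            return DROP if self.drop_excluded else PASS_THROUGH
        if not self.healthy:
            return PASS_THROUGH   # whole group down: fail-open here; fail-closed would DROP
        idx = bisect_right(self.keys, _h64(flow.symmetric_key())) % len(self.ring)
        for _ in range(len(self.ring)):
            tool = self.ring[idx][1]
            if tool in self.healthy:
                return tool
            idx = (idx + 1) % len(self.ring)
        return PASS_THROUGH
```

The practitioner's check is the reverse-direction test in `Rule.matches`: an exclusion written as "UDP to port 53" that is applied only as written would pass the queries uninspected but still send the replies (source port 53) to the tool, and a symmetric hash does nothing to help if the filter itself is asymmetric.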

Slide 11: REFERENCE ARCHITECTURES
Design 4: Load Balance Multiple Links

[Figure: multiple network links, Bypass Switch, Network Packet Broker, three FireEye NX appliances (Active).]

Description: The customer wants to distribute traffic from multiple network links across a common FireEye NX appliance, or across load-balanced groups of FireEye appliances.
Solution Features:
Ixia traffic routing for inline protection of multiple network links
Traffic that comes into the Ixia NPB from a particular network link is sent back out the same link
Works based on MAC address filtering rules
Can be used in conjunction with in-line load balancing
All features of single network link load balancing continue to be available (as per previous sections)
Benefits:
Maximize resource utilization by using a pool of FireEye NX appliances for multiple network links
Maximize FireEye NX capacity when used with Ixia load balancing
Transparency: no tags are added that could disrupt communication through FireEye NX appliances
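Designs 3 and 4 both rely on the rule that a frame entering the NPB from one link leaves on the same link after inspection, done with MAC address rules rather than by tagging. When several links share one tool pool, the broker must be able to tell from the returning frame alone which link it belongs to, and the only untouched identifiers it has are the Ethernet addresses. The Python below is an added illustration, not Ixia or FireEye code, of a MAC-learning table that realises this and also flags the case where the scheme breaks down: the same MAC seen on two links (one router interface facing both, for instance), which makes the return path ambiguous and is the point at which a tagging scheme becomes necessary. Port names, the table and the conflict handling are assumptions.

```python
"""Return inspected frames to the network link they entered on, with no tags added.

Added illustration (not Ixia or FireEye code) of the "same link in, same link out"
rule of Designs 3 and 4. Port names, the learning table and the conflict handling
are assumptions about how a MAC-based rule can be realised.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: bytes = b""


class LinkDemux:
    """Per-link MAC learning on ingress; on return from the tool pool the learned
    table picks the link and the far-side port the frame must exit on."""

    def __init__(self, links: Dict[str, Tuple[str, str]]):
        # link name -> (port A, port B): a frame entering A exits B and vice versa
        self.links = dict(links)
        self.mac_table: Dict[str, Tuple[str, str]] = {}   # src MAC -> (link, ingress port)
        self.conflicts: Set[str] = set()                  # MACs seen on more than one link

    def ingress(self, link: str, port: str, frame: Frame) -> Frame:
        """Network -> NPB -> tool pool. Learn which link the source MAC lives on."""
        if port not in self.links[link]:
            raise ValueError(f"port {port} does not belong to {link}")
        known = self.mac_table.get(frame.src_mac)
        if known is not None and known[0] != link:
            # Same MAC on two links: the return path can no longer be decided
            # from the frame alone, so MAC rules cannot separate these links.
            self.conflicts.add(frame.src_mac)
        self.mac_table[frame.src_mac] = (link, port)
        return frame   # forwarded unmodified: no VLAN tag or trailer added

    def egress(self, frame: Frame) -> Optional[Tuple[str, str]]:
        """Tool pool -> NPB -> network. Returns (link, egress port), or None when
        the frame cannot be attributed to exactly one link."""
        if frame.src_mac in self.conflicts:
            return None
        entry = self.mac_table.get(frame.src_mac)
        if entry is None:
            return None
        link, in_port = entry
        port_a, port_b = self.links[link]
        return link, (port_b if in_port == port_a else port_a)


if __name__ == "__main__":
    demux = LinkDemux({"link1": ("p1", "p2"), "link2": ("p3", "p4")})
    # constructed sample frames, one per link
    client = Frame("00:11:22:33:44:01", "00:11:22:33:44:02")
    server = Frame("00:11:22:33:44:03", "00:11:22:33:44:04")
    demux.ingress("link1", "p1", client)
    demux.ingress("link2", "p4", server)
    print(demux.egress(client), demux.egress(server))
```

Before relying on MAC rules across links, verify with a capture on each link that the address sets are disjoint; the `conflicts` set above is the offline version of that check, and any MAC that lands in it is a link pair that must be kept apart some other way.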

Slide 12: REFERENCE ARCHITECTURES
Design 5: Service Chaining Multiple In-Line Tools

[Figure: Bypass Switch, Network Packet Broker, FireEye NX (Active), SSL Decryption and Application Performance tools chained in-line.]

Description: The customer wants to distribute traffic from multiple network links across a common FireEye NX appliance or load-balanced groups of FireEye appliances, and to deploy FireEye alongside additional monitoring tools, both inline and out of band.
Solution Features:
Inline load balancing
Load balance 10/40G network traffic across multiple inline appliances
Two or more NX, IPS or firewall appliances (up to 16 per load-balanced group)
Symmetry awareness: a given session uses the same FireEye NX in both directions
Intelligent inline 5-tuple filtering to exclude non-essential traffic from NX inspection
Configurable options to pass through or block non-essential traffic on the network
Configurable heartbeat health check technology
Also supports out-of-band deployments
Benefits:
Wire-speed protection for 10/40G network links and bandwidth-intensive applications
Heartbeat technology protects against "brown-out" issues, i.e. degraded performance due to too much traffic going through an NX appliance: the appliance is removed from the group until heartbeats return
Improve capacity by filtering and forwarding only the protocols relevant to the FireEye NX appliance and protection scenario
Proven bypass technology addresses customer objections about a single point of failure
Add additional monitoring tools as traffic loads and customers' protection needs grow

Slide 13: CONTACTS
Dennis Carpio, Ixia Technology Partners
Or: Ruby Sharma, FireEye Cyber Security Coalition
