Iot Prot


Gigamon GigaSMART Technical Feature Analysis

Activate the power of visibility. See the whole network at a glance.

Stanley Lin (林大鈞)

Gigamon Technical Manager, Taiwan
[email protected]
0918-182-171
Agenda

1 Introduction to the technical concepts
2 Intelligent traffic filtering: Flow Mapping®
3 Intelligent traffic filtering: GigaSMART®
4 GigaVUE-OS management interface
5 GigaVUE-FM management interface

©2017 Gigamon. All rights reserved.


Intelligent traffic filtering: GigaSMART®
Packet adaptation, application and transformation
GigaSMART® – advanced intelligent traffic processing

Advanced intelligence: De-duplication, FlowVUE™, GTP Correlation, NetFlow Generation, SSL Decryption

Traffic processing: Packet Slicing, Data Masking, Header Stripping, Application Session Filtering (ASF), Adaptive Packet Filtering (APF)


What is GigaSMART®?
• GigaSMART: a powerful intelligent traffic-filtering visibility technology
  – Hardware: a high-performance compute engine
  – Software: features are enabled by software licenses
• GigaSMART functions fall into two groups
  – GigaSMART Services: operate at the packet level
    • Packet Slicing / Masking
    • Tunneling
    • Load Balancing
    • Header Stripping
    • Adaptive Packet Filtering (APF)
  – GigaSMART Applications: operate at the flow and session level
    • De-duplication
    • FlowVUE™
    • GTP Correlation
    • NetFlow Generation
    • SSL Decryption
    • Application Session Filtering (ASF)


GigaSMART® Engine composition
WHAT IS IT?
[Block diagram of a node: network (N) and tool (T) ports, the Flow Mapping engine with stack (S) ports, a management CPU, and the GigaSMART engine. Not reproduced.]

GigaSMART engine
• A network processor
  – 40Gb: HC2
  – 2 x 40Gb: HD0
  – 10Gb: HB1
• Software-based
  – Processor-limited
  – Adds latency to packets
• Hardware-based coprocessors
  – SSL Decryption
• Stack links (connection to the Flow Mapping engine)

Flow Mapping engine
• Merchant silicon switch chip
  – Hardware-based
  – Full line rate, non-blocking
  – Low latency (< 3 µs)


GigaVUE-TA10 and -HB1 chassis internals
GIGAVUE-TA10 & -HB1 COMPARISON
[Block diagram: 10Gb ports, management CPU, Flow Mapping engine and GigaSMART engine. Not reproduced.]

• All traffic goes to a single Flow Mapping® engine
• GigaSMART® is attached using an internal stack link


Chassis Architecture
GIGAVUE-HC1
[Front view; block diagram with management CPU and a 20G GigaSMART link. Not reproduced.]
• Flow Mapping engine on the Main Board
  – Built into the main chassis
  – Not field replaceable
• Physical interfaces on the main chassis and on modules
  – The main chassis is "Slot 1"
• All traffic goes to the Main Board
  – Even between ports on the same module
  – GigaStream can be split across modules


GigaVUE-HC2 chassis internals
GIGAVUE-HC2
[Front and rear views; block diagram with management CPU and 40Gb links. Not reproduced.]
• Flow Mapping® engine on the Control Card
• Modules provide the physical interfaces
  – And the GigaSMART® engines
• All traffic goes to the Control Card
  – Even between ports on the same module
  – GigaStream can be split across modules


Life of a Packet
WITHOUT CLUSTERING OR GIGASMART

Network or Hybrid Port (ingress) -> Flow Mapping ("where the magic happens") -> Ingress VLAN Tag -> Buffer ("there if needed") -> Egress Filter -> Tool or Hybrid Port (egress)

(The original diagram labels both the ingress and the egress port stage "It's Complicated".)


Life of a Packet
WITH CLUSTERING

Ingress from Network or Hybrid Port -> Flow Mapping -> Ingress VLAN Tag -> Buffer -> Egress to Stack Port
Ingress from Stack Port -> Buffer -> Egress Filter -> Egress to Tool or Hybrid Port


GigaSMART® Engine
Traffic-processing performance limits

• Traffic capability
  – Traffic that exceeds the stack-link capacity will be dropped
  – No log, alarm, or stats
  – GigaVUE-HD or HC: 40 Gbps per engine
  – GigaVUE-HB1: 10 Gbps*
• Processing and buffering
  – Traffic that exceeds the processing capacity will be dropped
  – A log message will indicate the drop
  – APF will give "no match" (and drop)
  – De-duplication will give "missed op" and pass non-duplicates

Approximate throughput per GigaVUE HD or HC engine:
  Header Stripping: 12 Mpps
  Slicing: 12 Mpps
  Advanced Tunneling: 10 Mpps
  De-duplication: 10 Mpps
  Adaptive Packet Filtering: 8-10 Mpps (without regex), 5 Mpps (with regex)
  GTP Correlation: 5 Mpps, 25,000-50,000 flows/second
  NetFlow: 5 Mpps, 25,000-50,000 flows/second
  FlowVUE: 5 Mpps

Note: X pps × (packet size + 20 bytes) × 8 bits = Y bps. The extra 20 bytes are the Ethernet preamble (8) and inter-frame gap (12) that occupy the wire in addition to the frame itself.
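The note's formula, carried through as an added worked example (not Gigamon code): given the per-engine packet rates from the table above, it tells you for a given packet size whether the engine or the 40 Gbps stack link is the first thing to saturate, and how many Gbps you can actually deliver through the operation. The packet-rate table is copied from the slide; the 20-byte overhead is the standard preamble plus inter-frame gap.

```python
"""Capacity check for a GigaSMART engine (added example, not Gigamon code).

Uses the slide's formula bits/s = pps * (packet_bytes + 20) * 8, where the
extra 20 bytes are the Ethernet preamble (8) and inter-frame gap (12).
"""

# Approximate per-engine packet rates from the slide (HD/HC engine).
ENGINE_MPPS = {
    "header-strip": 12.0,
    "slicing": 12.0,
    "tunneling": 10.0,
    "dedup": 10.0,
    "apf": 8.0,          # lower end of the 8-10 Mpps range, regex off
    "apf-regex": 5.0,
    "gtp": 5.0,
    "netflow": 5.0,
    "flowvue": 5.0,
}
WIRE_OVERHEAD = 20  # preamble + inter-frame gap, bytes


def pps_to_bps(pps, packet_bytes):
    """Wire bit rate for a given packet rate and frame size."""
    return pps * (packet_bytes + WIRE_OVERHEAD) * 8


def link_max_pps(link_bps, packet_bytes):
    """Highest packet rate a link of link_bps can physically carry."""
    return link_bps / ((packet_bytes + WIRE_OVERHEAD) * 8)


def bottleneck(feature, packet_bytes, stack_link_gbps=40.0):
    """Return (limiting_component, deliverable_gbps) for one GS operation.

    The engine is the bottleneck when its pps ceiling is below the pps the
    stack link could deliver at this packet size; otherwise the link is.
    """
    engine_pps = ENGINE_MPPS[feature] * 1e6
    link_pps = link_max_pps(stack_link_gbps * 1e9, packet_bytes)
    if engine_pps < link_pps:
        return "engine", pps_to_bps(engine_pps, packet_bytes) / 1e9
    return "stack-link", stack_link_gbps


if __name__ == "__main__":
    for size in (64, 512, 1500):
        for feat in ("slicing", "apf-regex"):
            who, gbps = bottleneck(feat, size)
            print(f"{feat:10s} {size:5d} B  limited by {who:10s} {gbps:6.2f} Gbps")
```

At 64-byte packets even slicing tops out near 8 Gbps, so a "40 Gbps engine" is only a 40 Gbps engine for large frames; size your GigaSMART groups on the packet-size mix you actually carry, not on the link speed.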
GigaSMART® Engine Groups

• When several GigaSMART engines are bound into one group, the relevant traffic is distributed across them automatically
  – Packets of the same session go to the same engine
  – Packets of different sessions may go to different engines
  – A "session" is the set of packets with the same source IP, destination IP, source port and destination port
• Different GS operations can be used to decide how processing is distributed across the GigaSMART engines


GigaSMART® Overview
UNDERLYING PLATFORM THAT POWERS TRAFFIC INTELLIGENCE

GigaSMART® Services and their benefits

Packet Slicing
• Reduce packet size to raise processing and monitoring throughput
• Keep the relevant part of the packet and reduce the processing load
• Markedly improve the performance of forensic recording tools

Masking
• Overwrite packet content at an offset of 64 to 9000 bytes
• Hide private and sensitive data, including financial and medical information (PCI and HIPAA compliance)
• Masking is defined by an offset and a pattern

IP Tunneling
• Use IP/UDP or L2GRE encapsulation to send packets from remote sites to the central monitoring tools
• Recommended for filtering and back-hauling traffic from lights-out data centers and remote sites
• Extend monitoring and analysis to physical and virtual traffic; forward the filtered traffic to the network-monitoring and security tools

ERSPAN Termination
• Terminate ERSPAN tunnels; aggregate, filter and forward the relevant ERSPAN traffic
• Convert ERSPAN III timestamps into a format the monitoring tools can recognize (GigaVUE H Series only)


GigaSMART® Overview
UNDERLYING PLATFORM THAT POWERS TRAFFIC INTELLIGENCE

GigaSMART Services and their benefits

Header Stripping
• The monitoring tools no longer need to parse the header protocols
• Removing headers makes packet filtering, aggregation and load balancing easier
• Supported headers and protocols: VN-Tag, VXLAN, MPLS, VLAN and tunnels

Load Balancing
• Distribute traffic across several ports according to a choice of options: hashing, bandwidth, cumulative traffic, packet rate, connections and round robin
• Weighted distribution to match tools of different capacity
• Hashing options: IP, IP-and-Port, five-tuple and GTP-u tunnel ID

Adaptive Packet Filtering
• Mask private and sensitive data in packets before they are stored, to comply with SOX, PCI and HIPAA
• Filters based on regular-expression pattern matching give deeper application-layer visibility
• Filter on advanced encapsulation headers including VXLAN, VN-Tag, GTP and MPLS, and on content inside L3/L4 packets
• Includes GTP correlation


GigaSMART® Overview
UNDERLYING PLATFORM THAT POWERS TRAFFIC INTELLIGENCE

GigaSMART Applications and their benefits

De-duplication
• When a packet is captured at several collection points, each duplicated packet is sent to the tools only once, saving tool processing resources
• Remove packet duplicates caused by inter-VLAN traffic or switch misconfiguration
• Reduce potential duplicate flows between IPv4/IPv6 networks and improve tool performance

Application Session Filtering
• Send the traffic of the relevant application sessions to the security tools, raising their efficiency and performance
• Extract all application sessions of interest to optimize the processing efficiency of the security tools
• Send every packet of a session, from its start (the TCP handshake packets) to its end, to the security and monitoring tools for complete visibility
• Classify traffic by signature to filter out video streams (YouTube, Netflix, Windows updates, VoIP traffic), e-mail attachments, Web 2.0 and other business applications
• Filter/drop actions make signature detection flexible and redefinable
• Precisely filter, copy and forward the user sessions that need monitoring, optimizing tool performance

GTP Correlation
• Filter and forward GTP traffic by mobile subscriber ID according to the specified correlation conditions, optimizing the tools
• Offload the correlation of subscriber sessions (control and data) across the whole network from the tools, increasing throughput
• Real-time correlated visibility, with insight into roaming subscribers on peer networks
• Included with the Adaptive Packet Filtering license; GTP whitelisting (up to 500k subscribers, multiple whitelists, filtering by GTP interface or version) requires the FlowVUE license


GigaSMART® Overview
UNDERLYING PLATFORM THAT POWERS TRAFFIC INTELLIGENCE

GigaSMART Applications and their benefits

NetFlow/IPFIX Generation
• Convert packets into NetFlow/IPFIX records, relieving routers and switches of the NetFlow-generation load that would otherwise cut into their forwarding performance
• Unsampled, 1:1 flow statistics that reflect real traffic behaviour, forwarded to NetFlow monitoring, analysis and security tools
• Export records to up to six (6) collectors supporting NetFlow v5/v9 and IPFIX
• Take over NetFlow and metadata generation from the network devices, and generate security-specific metadata such as URLs and HTTP response codes from any traffic

SSL Decryption
• Visibility into encrypted sessions
• Send decrypted packets to a variety of out-of-band tools: IDS (intrusion detection), DLP (data loss prevention), APM (application performance management), CEM (customer experience management), etc.
• Private keys are protected by encryption and role-based access control

FlowVUE™
• Sample the traffic of active mobile subscriber devices, selectively reducing the traffic sent to the monitoring and analysis tools to improve tool performance
• Reduce the analysed data volume in real time while maintaining or improving CEM (customer experience management)
• Turn big data into manageable visibility: key information from subscriber usage patterns is available instantly


GigaSMART® hardware comparison

Category          | HD Series           | HC Series                            | HB Series
Platform          | GigaVUE-HD4 / HD8   | GigaVUE-HC1 / HC2                    | GigaVUE-HB1
Blade             | SMT-HD0             | Built-in / SMT-HC0-R, SMT-HC0-X16    | Built-in
Blades/Chassis    | 2 (HD4) or 4 (HD8)  | 3 front / 4 front, 1 rear            | N/A
Grouping Engines  | Yes                 | N/A / Yes                            | N/A
Ports/Blade       | 0                   | 0 / 16                               | N/A
Processing Power  | 2 x 40Gb            | 20Gb / 40Gb                          | 10Gb


GigaSMART® feature comparison
(The per-column support marks did not survive extraction; only the textual cells remain.)

Feature              | G Series | H Series
Time Stamping        |          | (HD only)
Header Stripping     |          |
Slicing              |          |
Masking              |          |
Gigamon Tunneling    |          |
Ingress Port Label   |          |
De-duplication       | IPv4     | IPv4, IPv6
Load Balancing       |          |
Match Filter         |          |
GTP Correlation      |          |
FlowVUE™             |          |
Metadata Generation  |          |
SSL Decryption       |          |


Visibility fabric: GigaSMART intelligent filtering data flow
[Diagram: physical and virtual (GigaVUE-VM) sources feed Flow Mapping® (packet identification, filtering and forwarding) and GigaSMART®, which deliver traffic to Network Management, Application Performance and Security tools. Not reproduced.]


Packet Slicing
Reduce packet size, increase system throughput

• Reduce packet size to raise system processing and monitoring throughput
• Remove sensitive information before delivery to the tools, meeting compliance and confidentiality requirements
• Collect less unnecessary packet data, stretch the storage of the back-end tools and optimize network-forensics deployments
  – Less packet data = less storage required
  – Only part of each packet is delivered to the back-end analysis tools


Packet Slicing
Reduce packet size, increase system throughput

• Define fixed or variable offsets per protocol or per source
• Slicing rules are applied on the ingress ports that receive the traffic

Example (Web Server -> User through the switch, copy delivered to the APM tool):
  Original: Ethernet | IP | TCP | Date: 15122017 | Card: 1482-6047-2581-3489 | Exp 7/18
  Sliced:   Ethernet | IP | TCP | Date: 15122017


GigaSMART application: Packet Slicing
• SLICING function
  – Data is cut 20 bytes past the start of the TCP header
  – Second example: data is cut 40 bytes past the start of the TCP header
[Diagram of the frame layout with the customer source and destination IP marked; field widths 14, 6, 10 and 16 bytes. Not reproduced.]
De-duplication
When duplicate packets appear among the packets collected from the various nodes, enable de-duplication to speed up tool analysis

• Fewer duplicate packets, more accurate analysis tools
• Duplicates can be handled by Drop or Count

[Diagram: Packet 1, Packet 2 and Packet 3 in; Packet 2 and Packet 3 out, the duplicate having been removed. Not reproduced.]


De-duplication
When duplicate packets appear among the packets collected from the various nodes, enable de-duplication to speed up tool analysis

[Diagram: physical and virtual (GigaVUE-VM) sources send the sequence ABACCABACB through Flow Mapping® and De-duplication to Customer Experience Management (CEM), Application Performance and Billing Monitor tools, which receive A, B and C once each. Not reproduced.]

Based on the 2015 Gigamon buffer of 0.5 ms, the largest buffer for de-duplication in the industry. The closest competitor is 5000 ms.
De-duplication in practice
Cut unwanted monitored traffic by up to 50%

Before de-duplication: when a customer needs more storage, the reason is sometimes a large volume of duplicate packets.
After de-duplication: with de-duplication enabled, up to 50% of the storage is saved, and the number of duplicate packets drops very noticeably.
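The behaviour described on the de-duplication slides, as an added example (not Gigamon code): a copy of a packet seen again within a short time window is a duplicate, and the operator chooses whether to drop it or only count it. The fingerprint zeroes the IP TTL and header checksum and ignores the 802.1Q tag, so the same packet captured on two VLANs or on both sides of a router still matches; which fields to ignore is this example's own design choice, and the sample frames are constructed.

```python
"""Packet de-duplication with a time window (added example, not Gigamon code).

A frame whose fingerprint was already seen less than `window` seconds ago is
a duplicate. The fingerprint covers the IP header and everything after it,
with the fields that legitimately differ between copies captured at different
points zeroed (IP TTL, IP header checksum) and any 802.1Q tag removed. These
ignore choices are an assumption of this example, not a Gigamon setting.
"""
import hashlib
from collections import OrderedDict


def fingerprint(frame):
    """Hash of the frame with hop-dependent fields normalised away."""
    off, etype = 14, frame[12:14]
    if etype == b"\x81\x00":            # skip a single 802.1Q tag
        off, etype = 18, frame[16:18]
    if etype != b"\x08\x00":            # non-IPv4: hash the payload as-is
        return hashlib.sha256(frame[off:]).digest()
    ip = bytearray(frame[off:])
    ip[8] = 0                            # TTL is decremented per hop
    ip[10:12] = b"\x00\x00"              # header checksum changes with the TTL
    return hashlib.sha256(ip).digest()


class Deduplicator:
    def __init__(self, window=0.0005, action="drop", max_entries=100_000):
        if action not in ("drop", "count"):
            raise ValueError("action must be 'drop' or 'count'")
        self.window, self.action, self.max_entries = window, action, max_entries
        self.seen = OrderedDict()        # fingerprint -> first-seen timestamp
        self.forwarded = 0
        self.duplicates = 0

    def process(self, ts, frame):
        """Return True if the frame should be forwarded to the tool."""
        fp = fingerprint(frame)
        first = self.seen.get(fp)
        if first is not None and ts - first < self.window:
            self.duplicates += 1
            if self.action == "drop":
                return False
        else:
            # new packet, or an old fingerprint outside the window: restart it
            self.seen.pop(fp, None)
            self.seen[fp] = ts
        self._evict(ts)
        self.forwarded += 1
        return True

    def _evict(self, now):
        """Drop fingerprints older than the window (and cap the table size)."""
        while self.seen:
            _, oldest = next(iter(self.seen.items()))
            if now - oldest >= self.window or len(self.seen) > self.max_entries:
                self.seen.popitem(last=False)
            else:
                break


def frame(vlan, ttl, payload):
    """Constructed Ethernet/IPv4/UDP-less frame with an optional 802.1Q tag."""
    eth = bytes.fromhex("00000000000a") + bytes.fromhex("00000000000b")
    tag = b"\x81\x00" + vlan.to_bytes(2, "big") if vlan is not None else b""
    ip = bytes([0x45, 0, 0, 20 + len(payload), 0, 1, 0x40, 0, ttl, 17, 0xAB, 0xCD,
                10, 0, 0, 1, 10, 0, 0, 2])
    return eth + tag + b"\x08\x00" + ip + payload
```

The window is the whole trade-off: too short and a copy that arrives late through a second SPAN is forwarded twice, too long and a legitimate retransmission of identical bytes is eaten. Watch the `duplicates` counter in "count" mode first before switching a production map to "drop".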


Data Masking
Hide sensitive data when collecting full packets

• Mask data before delivery to the tools, meeting regulatory and confidentiality requirements
  – Hide sensitive data (including financial and medical information)
  – PCI and HIPAA compliance
• Sensitive data is masked as soon as the offset and pattern match the rule


Data Masking
Hide sensitive data when collecting full packets

• For specific protocols, define the relevant characters and the local sensitive data flows
• Filter on a data pattern and mask the matching packet content by overwriting it
• Masking rules are applied on the ingress ports that receive the traffic

Example (Web Server -> User through the switch, copy delivered to the APM tool):
  Original: Ethernet | IP | TCP | Date: 15122017 | Card: 1482-6047-2581-3489 | Exp 7/18
  Masked:   Ethernet | IP | TCP | Date: 15122017 | Card: XXXX-XXXX-XXXX-XXXX | Exp 7/18


GigaSMART application: Masking sensitive data
• MASKING function
  – Starting 20 bytes past the start of the TCP header, mask 100 bytes of sensitive data with the byte value 'ff'
[Diagram of the frame layout with the customer source and destination IP marked; field widths 14, 6, 10, 16x5 and 10 bytes. Not reproduced.]
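The slicing and masking operations from the slides above, as one added example (not Gigamon code): offsets are measured from the start of the TCP header as on the slides, `slice_after_tcp` keeps everything up to the offset, `mask_after_tcp` overwrites a byte range with 0xff, and `mask_pattern` shows offset-independent masking of a credit-card pattern in the payload. The sample packet and its header fields are constructed for the example.

```python
"""Packet slicing and masking at a TCP offset, plus pattern masking
(added example, not Gigamon code). Offsets are measured from the start
of the TCP header; the sample frame is constructed.
"""
import re
import struct


def tcp_header_offset(frame):
    """Byte offset of the TCP header in an Ethernet/IPv4 frame (802.1Q aware)."""
    off, etype = 14, struct.unpack("!H", frame[12:14])[0]
    if etype == 0x8100:
        off, etype = 18, struct.unpack("!H", frame[16:18])[0]
    if etype != 0x0800 or frame[off + 9] != 6:
        raise ValueError("not an IPv4/TCP frame")
    return off + (frame[off] & 0x0F) * 4


def tcp_payload_offset(frame):
    """Start of TCP data; honours TCP options, which a fixed offset does not."""
    tcp = tcp_header_offset(frame)
    return tcp + (frame[tcp + 12] >> 4) * 4


def slice_after_tcp(frame, offset):
    """Keep everything up to `offset` bytes past the start of the TCP header."""
    return frame[:tcp_header_offset(frame) + offset]


def mask_after_tcp(frame, offset, length, fill=0xFF):
    """Overwrite `length` bytes starting `offset` bytes into the TCP header.
    The packet length is unchanged; the range is clipped to the frame."""
    start = tcp_header_offset(frame) + offset
    out = bytearray(frame)
    end = min(start + length, len(out))
    out[start:end] = bytes([fill]) * (end - start)
    return bytes(out)


CARD_NUMBER = re.compile(rb"\b\d{4}-\d{4}-\d{4}-\d{4}\b")


def mask_pattern(frame, pattern=CARD_NUMBER, fill=b"X"):
    """Replace the digits of every pattern match in the TCP payload, keeping
    the length. Checksums are left untouched, as a tool fed from a tap would
    already see them invalid after masking."""
    start = tcp_payload_offset(frame)
    payload = pattern.sub(lambda m: re.sub(rb"\d", fill, m.group()), frame[start:])
    return frame[:start] + payload


def build_sample(payload):
    """Constructed Ethernet/IPv4/TCP frame carrying `payload` (checksums zero)."""
    eth = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


SAMPLE = build_sample(b"Date: 15122017 | Card: 1482-6047-2581-3489 | Exp 7/18")
```

Two things a practitioner should check before trusting an offset rule: the first 20 bytes after the TCP header start are the header itself, so a slice at 20 keeps no payload while a slice at 40 keeps 20 bytes of it; and a fixed offset ignores TCP options, which is why `mask_after_tcp` and `mask_pattern` use different reference points. Pattern masking also only sees one packet at a time, so a value split across two segments is not caught.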


Header Stripping
• Some packet headers cannot be recognized by the tools or security systems, for example VXLAN in VM environments, VN-Tag in Cisco VM environments, and GTP in telecom core networks:
  VLAN Tags, MPLS Labels, VN-Tags (Cisco Nexus), VXLAN (VMware), GTP tunnels, ISL tunnels (Cisco), FabricPath
• Gigamon can strip these headers before distributing the packets to the tools and security systems, so the distributed packets become ordinary IP packets.
• Relieves the tools of header removal and improves their performance
• Once the headers are removed, packet filtering, aggregation and load balancing become easier


ACI VXLAN – Before Gigamon: unknown traffic
[Screenshot not reproduced.]

After Gigamon VXLAN header stripping
[Screenshot not reproduced.]
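What the header-stripping slides describe, as an added example (not Gigamon code): peel 802.1Q tags and a VXLAN-over-IPv4/UDP encapsulation off a frame so a tool that only understands plain Ethernet/IP sees the inner frame, and keep the VNI so it can still be used as a filter key. The outer-header builder and the inner frame are constructed for the example.

```python
"""Header stripping for 802.1Q and VXLAN (added example, not Gigamon code).

Input and output are raw Ethernet frames as bytes; the sample frame is
constructed below. Only VXLAN over IPv4/UDP is handled here.
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800
VXLAN_PORT = 4789          # IANA VXLAN port; a fabric's own variant may differ


def ethertype(frame):
    return struct.unpack("!H", frame[12:14])[0]


def strip_vlan(frame):
    """Remove every 802.1Q tag after the MAC addresses (handles QinQ)."""
    while ethertype(frame) == ETH_P_8021Q:
        frame = frame[:12] + frame[16:]
    return frame


def strip_vxlan(frame):
    """Return (inner_frame, vni) for a VXLAN frame, else (frame, None).

    The outer frame is first cleared of VLAN tags; the inner frame is too,
    so the tool receives plain Ethernet/IP in both cases.
    """
    frame = strip_vlan(frame)
    if ethertype(frame) != ETH_P_IPV4:
        return frame, None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                       # not UDP
        return frame, None
    udp = 14 + ihl
    dport = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
    if dport != VXLAN_PORT:
        return frame, None
    vx = udp + 8
    flags = frame[vx]
    if not flags & 0x08:                          # "I" flag: VNI is valid
        return frame, None
    vni = struct.unpack("!I", frame[vx + 4:vx + 8])[0] >> 8
    return strip_vlan(frame[vx + 8:]), vni


def build_vxlan_sample(vni, inner):
    """Constructed outer headers: Ethernet + VLAN 100 + IPv4 + UDP + VXLAN."""
    outer_eth = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002")
    vlan = struct.pack("!HH", ETH_P_8021Q, 100) + struct.pack("!H", ETH_P_IPV4)
    udp_len = 8 + 8 + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, udp_len, 0)
    vxlan = struct.pack("!I", 0x08 << 24) + struct.pack("!I", vni << 8)
    return outer_eth + vlan + ip + udp + vxlan + inner


# Constructed inner frame: Ethernet + minimal IPv4 header + payload.
INNER = (bytes.fromhex("deadbeef0001") + bytes.fromhex("deadbeef0002") + b"\x08\x00"
         + b"\x45" + b"\x00" * 19 + b"payload")
```

Stripping discards the outer addresses and the VNI, which is exactly the context a security tool may need to tell tenants apart; if that matters, map on the VNI (or pass it along as a source-port label) before the strip rather than after. A fabric that uses its own VXLAN variant on a different UDP port needs that port added to the check.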


Source Port Label

• The Source Port Label function appends source information to the tail of the packet, so that the node a packet came from can be told apart during later troubleshooting.


Tunneling
Encapsulating and decapsulating traffic

• Encapsulate packets along the relevant routed path and forward them to the tools
• Tunnel termination for ERSPAN sessions: aggregate, filter and forward the relevant ERSPAN traffic
• Forward traffic of interest to the central monitoring tools for further analysis
• Encapsulation (GMIP or ERSPAN) also carries traffic from virtual machines to physical tools
[Diagram: GigaVUE-VM sends GMIP, L2 GRE or ERSPAN tunnels through a switch to a GigaSMART node. Not reproduced.]


Load Balancing
Intelligent traffic distribution across several tools of different types

• When traffic is collected from several nodes through Flow Mapping, a single tool can be pushed past its processing capacity
  – Depending on the network design, filter the relevant traffic effectively (for example only L3-L4 data) and redistribute it to several analysis tools
• Traffic can be distributed to several egress ports according to a choice of options: hashing, bandwidth, cumulative traffic, packet rate, connection count and round robin
• Weighted round-robin balancing matches the processing capacity of different tools
• Hashing options: IP, IP-and-Port, five-tuple and GTP-u tunnel ID
• Supported with all GigaVUE® H Series GigaSMART® licenses (except NetFlow)


Adaptive Packet Filtering (APF) – adaptive packet filtering
• APF makes a per-packet decision on a single GigaSMART engine
  – Every packet is compared
  – There is no concept of forwarding a session
  – Users supply custom strings at predefined or variable offsets
  – Variable-offset fields are defined with Perl regular expressions
Assign APF gsrules* per second-level map, matching on:

Patterns: String; Regular Expressions (RegEx)
Layer 2: EtherType; VLAN; MAC Address; MPLS Label; VN-Tag destination/source vif id, list id
Layer 3: IPv4 Address; IPv6 Address; IP Version; IP Fragmentation flags; Type of Service; Differentiated Services Code Point; Time to Live; Protocol; IPv6 Flow Label
Layer 4: Port; TCP Flags
Encapsulations: GTP-u Tunnel ID; VXLAN ID; ERSPAN ID; GRE Key


Adaptive Packet Filtering (APF) – adaptive packet filtering
PACKET FORWARDING AND PAYLOAD MASKING BASED ON PATTERN MATCH
[Diagram: TCP handshake (SYN, SYN/ACK, ACK) followed by data; only the data packet in which the pattern is found is forwarded. Not reproduced.]
• What does APF match?
• Whenever the pattern matches, APF forwards or drops the packet
  – Only the packet containing the pattern is filtered out
  – The other packets are ignored
• At the same time the payload can be masked
  – for example...
    • Social Security Number
    • Credit Card Number
    • Phone Number
    • Health Record Identifier
    • Etc.
  – ... sensitive data can be hidden


Adaptive Packet Filtering (APF)
Packet-content filtering examples
[Diagram: a frame laid out as MAC Header | LLC Header | MPLS Label Stack (Label = 5, Exp, S=0, TTL=0; Label = 4, Exp, S=0, TTL=0) | IP Header | Data | MAC Trailer, flowing from physical and virtual (GigaVUE-VM) sources through Flow Mapping® and Adaptive Packet Filtering to Customer Experience Management (CEM), Application Performance and Billing Monitor tools. Not reproduced.]

Example match conditions:
• Outer MPLS label id = 4
• Inner packet source IP = 12.1.75.1
• VNTAG destination VIF_ID = 4095
• VXLAN ID = 5000
• Pattern match = plain text
• Pattern match = hex


Application Session Filtering (ASF) –
application session-level filtering
• ASF operates on sessions
  – If any packet, or one of the first 3-20 packets, matches, every packet of the session is forwarded
  – Has the concept of forwarding a session
Enable ASF features on a per-GigaSMART-operation basis
Assign ASF gsrules* on a per-second-level-map basis, matching on:

Patterns: String; Regular Expressions (RegEx)
Layer 2: EtherType; VLAN; MAC Address; MPLS Label; VN-Tag destination/source vif id, list id
Layer 3: IPv4 Address; IPv6 Address; IP Version; IP Fragmentation flags; Type of Service; Differentiated Services Code Point; Time to Live; Protocol; IPv6 Flow Label
Layer 4: Port; TCP Flags
Encapsulations: GTP-u Tunnel ID; VXLAN ID; ERSPAN ID; GRE Key


Application Session Filtering (ASF) –
application session-level filtering
SESSION FORWARDING BASED ON APF MATCH
[Diagram: SYN, SYN/ACK, ACK, then data. Without buffering the packets before the match are lost; with buffering they are held until the pattern is found and then forwarded together with the rest of the session. Not reproduced.]
• What does ASF match?
• Whenever the pattern matches, ASF forwards or drops all subsequent packets of the session
  – Requires matching against a large volume of streamed data
  – Some packets can be missed (the packets before the match are lost)
  – This can cause the security tools to misjudge the session
• With buffering enabled
  – Only the first 3-20 packets are examined until the pattern matches, then the whole session, including the buffered packets, is forwarded
  – An advanced function built on APF


GigaSMART APF/ASF
[Screenshot: ATM packet. Not reproduced.]


Benefits of GigaSMART® SSL decryption
The downstream tools gain visibility into SSL-encrypted traffic

Making SSL traffic visible
• GigaSMART application for "SSL Decryption"
• Supported on all GigaVUE® H Series

The limitations today
• Encrypted data cannot be inspected by the back-end security and performance-analysis tools
• Some security / NPM / APM tools can decrypt traffic themselves, but this can be expensive

Benefits for the customer
• Visibility into key information through GigaSMART intelligent filtering
• Decrypting the encrypted data gives a wider, proactive view
• GigaSMART's advanced intelligent filtering makes traffic distribution more flexible
• "Decryption as a Service" makes the analysis tools in the infrastructure more efficient
• With SSL decryption visibility from GigaSMART, customers avoid software or hardware upgrades of individual tools


SSL out-of-band architecture: two decryption modes
SSL Decryption

Decrypting inbound encrypted application traffic | Decrypting outbound encrypted application traffic


SSL decryption flow – OOB tools
How it works

1. SSL data is detected
   – Flow Mapping® selects the data that needs decryption
   – The selected data is sent to GigaSMART® for processing
2. GigaVUE® recognizes the public-key exchange
3. The network administrator uploads the private keys
   – 2000-4000 private keys can be uploaded; they are stored encrypted
   – For extra security they are all protected with an additional passphrase
   – Access is allowed only through RBAC permissions
4. The keys are used to decrypt
   – Not limited to packets on TCP port 443
   – Can be changed to, for example, TCP port 80
5. GigaVUE sends the decrypted packets to each tool and/or chains them with other GigaVUE intelligence
   – Flow Mapping™
   – Other GigaSMART functions


Use Case: SSL decryption relieves the tools
OUT-OF-BAND VS IN-LINE DECRYPTION
[Diagram: clients, corporate servers and Internet servers; encrypted traffic versus decrypted/unencrypted traffic; active inline appliances (NGFW, IPS, anti-malware) and passive out-of-band appliances (network forensics). Not reproduced.]

1. Corporate servers
   • The enterprise already holds the server keys
   • RSA key exchange
   • Gigamon has supported out-of-band decryption since 2014
2. Corporate servers
   • Diffie-Hellman (DH), PFS key exchange
   • Emerging TLS 1.3 standard
   • SSL decryption must be performed inline
3. Internet servers or SaaS services
   • The enterprise does not hold the Internet server keys
   • SSL decryption must be performed inline

Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and subject to change.


SSL decryption combined with traffic splitting and load balancing to relieve the tools
[Diagram: SSL session leg 1 (encrypted) from the client; leg 2 to side-attached out-of-band tools (decrypted traffic); leg 3 through a load-balanced inline tool group (decrypted traffic); leg 4 to a web-monitor tool (decrypted traffic); then the SSL session continues encrypted to the server. Not reproduced.]

Benefits:
• Works whether the servers/clients are internal or external
• No need to hold the private keys
• Supports RSA, DH and PFS key exchange
• Supports several inline and out-of-band tools at the same time, with traffic splitting, easy bypass, load balancing and customizable heartbeat checks between tools


SSL decryption and regulatory compliance
How to get the best of both worlds?
[Diagram: physical and virtual (GigaVUE-VM) sources feed Flow Mapping®, SSL decryption, tunnel termination, packet slicing and sensitive-data masking. Web-server traffic goes to NPM/CEM monitoring, traffic collected at remote nodes goes to DLP analysis, and traffic between virtual servers across the network goes to IDS analysis. Not reproduced.]

• Use packet slicing to remove the part of the packet that contains sensitive data before it is forwarded to the analysis systems.
• Use masking to hide the sensitive part of the packet, such as credit card numbers and national ID numbers, before it is forwarded to the analysis systems.
Network-wide NetFlow / IPFIX Generation
NetFlow / IPFIX Generation

A security data-distribution platform that generates the NetFlow metadata each consumer needs

Flow Metadata
• 1:1 export of NetFlow v5, v9 and IPFIX improves the detection of "slow attacks"
• Different NetFlow records with different filter conditions can be defined for different security tools
• Offloads NetFlow/IPFIX generation from the forwarding switches

SIEM and NetFlow Forensics Integration
• Identifying every flow enables end-to-end security defence
• Particularly effective at detecting attacks that abuse the normal data-communication flow
• Working integrations exist with the leading SIEM vendors and NetFlow forensics vendors

Advanced Information Elements
• URL information can be exported in the generated custom format
• Up to 6 different NetFlow v5/v9 and IPFIX receivers/analysers can be fed at the same time
• LLDP/CDP data can be combined in to locate the source interface of the traffic


Use case 3: Network-wide IPFIX Generation
NetFlow / IPFIX Generation

HTTP Response Codes: uncover denial of service and compromise of internal web servers
DNS Discovery*: discover malicious communications to C&C servers using DNS transactions (DNS, C&C, bots)
HTTPS Certificate Anomalies*: analyze HTTPS certificates to discover bad/suspicious certificates
Mapping User, Hostname & IP Address*: correlate Kerberos metadata and DHCP logs to map "who" (user) with "what" (hostname and IP)

* Planned


Problem Statement
VOLUME, TYPES AND AMOUNT OF DATA OVERWHELM SIEMS
[Diagram: raw DNS, SSL, HTTP, RDP and PowerShell traffic from the network is fed straight into the SIEM: low performance, high costs, low visibility, poor security. Not reproduced.]


Gigamon Metadata Advantage
VOLUME, TYPES AND AMOUNT OF DATA OVERWHELM SIEMS
[Diagram: the same traffic passes through the Metadata Engine, which feeds the SIEM with DNS, SSL, HTTP and RDP metadata: high performance, low costs, full visibility, better security. Not reproduced.]


DNS
PERFORMANCE IMPACT WITH LOGGING
[Diagram: users within the organization query the local DNS server; its logs are shipped to the SIEM. Not reproduced.]

DNS logging:
• High impact on the DNS server
• Impact on network performance
• Lots of logs to index, high costs


DNS Metadata
HIGH PERFORMANCE
[Diagram: DNS traffic between the users and the local DNS server is observed out of band and DNS metadata is sent to the SIEM. Not reproduced.]

1. No impact on the DNS server
2. Original authoritative request


Splunk Dashboard with Certificates



GigaSMART configuration


Creating GigaSMART
• Add GS Groups


Creating GigaSMART – Deduplication
• Add GS Operations
• Create a Deduplication operation


Creating GigaSMART – Header Strip
• Add GS Operations
• Create a Header Strip operation


Enabling GigaSMART functions in a Map
Creating Maps

Open the Map configuration screen -> GSOP and select the GigaSMART function to use


Map traffic-distribution configuration screen


Flow Map Configuration
Creating Maps

Click Maps -> New to add the map conditions


Flow Map Configuration – By Rule
Creating Maps

Open the Map configuration screen


Flow Map Configuration
• Setting rules
  When a map has two rules they are combined with OR: in the example below, any traffic that carries 192.168.1.200 or VLAN 100 passes the filter


Flow Map Configuration
• Setting rules
  When one rule has several filter conditions, all of them must match for the traffic to pass: in the example below, only traffic on VLAN 200 and port 80 passes


Flow Map Configuration – Collector
Creating Maps

Open the Map configuration screen
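The rule semantics stated on the two "Setting rules" slides above, as an added example (not Gigamon code): conditions inside one rule are ANDed, rules inside one map are ORed, and a collector catches what no map matched. Packets are plain dicts, maps are tried in list order, and an IP or port condition matches either direction; those three choices are this example's assumptions, not Gigamon's map model.

```python
"""Flow Map rule evaluation (added example, not Gigamon code).

A rule is a dict of conditions that must all hold (AND); a map passes a
packet if any of its rules matches (OR). "ip" and "port" conditions match
either the source or the destination, so a rule {"ip": "192.168.1.200"}
reads as "traffic that carries 192.168.1.200". Packet representation and
the ordering of maps are assumptions of this example.
"""


def condition_holds(field, value, pkt):
    """One condition of a rule against one packet."""
    if field == "ip":
        return value in (pkt.get("src_ip"), pkt.get("dst_ip"))
    if field == "port":
        return value in (pkt.get("sport"), pkt.get("dport"))
    return pkt.get(field) == value


def rule_matches(rule, pkt):
    """All conditions of the rule must hold (AND)."""
    return all(condition_holds(f, v, pkt) for f, v in rule.items())


def evaluate_map(rules, pkt):
    """Index of the first matching rule (OR across rules), or None."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return i
    return None


def dispatch(maps, collector_port, pkt):
    """Send the packet to the tool port of the first map that matches it;
    packets no map matched go to the collector port."""
    for m in maps:
        if evaluate_map(m["rules"], pkt) is not None:
            return m["to"]
    return collector_port


# The two maps from the slides, expressed as rule lists.
MAP_OR = {"to": "1/1/x10", "rules": [{"ip": "192.168.1.200"}, {"vlan": 100}]}
MAP_AND = {"to": "1/1/x11", "rules": [{"vlan": 200, "port": 80}]}
```

Writing the two maps out this way makes the usual mistake visible: "VLAN 200 and port 80" as two separate rules would pass all of VLAN 200, not just its web traffic, because rules are ORed.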


Purpose
This chapter explains the configuration of GigaSMART® NetFlow Generation. It covers:

• The uses of the various NetFlow parameters
• The NetFlow Generation process
• Configuring NetFlow Generation through the CLI
• Configuring NetFlow Generation through the Fabric Manager web GUI


NetFlow Generation Application
Basic flow description and analysis method
[Diagram: Enterprise/DC and Service Provider traffic enters Flow Mapping® and NetFlow Generation, which feed Security, Application Performance and Customer Experience Management (CEM) tools. Not reproduced.]

• Convert packet data into NetFlow records across several network segments
• Intelligently filter and export to one or more NetFlow collectors, performance and security tools for monitoring


NetFlow version 5

NetFlow v5
In general, v5 is still the most common flow-protocol version.

• NetFlow Version 5 is a fixed format
• One export packet carries up to 30 NetFlow version 5 flow summary records

Choosing a NetFlow Version


NetFlow Version 9 & IPFIX
NetFlow v9 and IPFIX
The newer NetFlow versions support a wide choice of fields that can be included in a single flow summary record.
• A new, flexible and extensible NetFlow export format that uses template-based export of statistics.
• Fields need no special predefinition; these NetFlow versions can send statistics flexibly.
• Flow summary templates are normally resent every few minutes, but the interval can be hours.
• Until the collector has received the template, the flow summaries it receives are discarded.
[Diagram: flow records arriving before the template are rejected (x); those arriving after it are accepted. Not reproduced.]

Choosing a NetFlow Version
The NetFlow Generation process

Traffic passing through a Gigamon map produces NetFlow records as follows:

• Traffic is brought into the map through SPAN or TAP
• The map rules filter the traffic and pass it to the NetFlow Monitor, and from there into the flow cache database
• When a flow ends, its summary is queued for output through the tunnel
• Flow summaries are sent from the tunneled tool port to one or more collectors
[Diagram: a node with a network port (N) feeding the map, a GigaSMART engine group running the GSOP (Monitor, Record, Flow Cache, Exporter), and a tunneled tool port (TT). Not reproduced.]


Main NetFlow configuration components
The main components of NetFlow Generation:
• Network Port(s) – bring traffic into the map rules
• Map – ties all the components together: network port(s), tunnel tool port, map filter(s), GigaSMART® operation (Monitor, Record, Exporter)
• GigaSMART Operation (GSOP) – within a GigaSMART engine group, holds the selected Monitor, Record and Exporter settings
• GigaSMART Record – defines which packet fields are matched to decide whether a corresponding flow already exists in the flow cache database, and, when a new record is created, which fields are collected as part of the flow record
• GigaSMART Monitor – uses the Record to know which fields are matched and collected, and writes them into the flow cache database
• GigaSMART Exporter – receives records from the flow cache database and sends them through the tunneled tool port to one or more collectors
[Diagram as on the previous slide. Not reproduced.]


NetFlow Record fields
NETFLOW-V9 FIELDS

• Match versus Collect fields
• Match fields add an "n"-tuple of elements that is compared to decide whether a flow already exists or is a new, distinct flow.
• Collect fields define which fields of a single record are stored in the flow cache database.
• Note: if a Match field should also be a Collect field, it must be ticked in both groups.

Match fields (compared): Data link; Interface; IPv4; IPv6; Transport
Collect fields (stored and shown): Counter; Data Link; Flow; Interface; IPv4; IPv6; Private* (IPFIX only); Timestamp; Transport


NetFlow Generation – CLI
The commands below receive traffic on network port 1, generate NetFlow and send it to tunneled tool port 5.

NetFlow configuration example, with a description of each command:

apps netflow record alias NetFlow9-record
    Creates a GigaSMART® NetFlow Record arbitrarily named NetFlow9-record.
netflow-version netflow-v9
    Configures the Record to use NetFlow version 9 field choices.
match add ipv4 protocol
    Configures the first Match field in the Record to be the IPv4 protocol field. Additional Match fields are omitted here.
collect add counter bytes
    Configures the first Collect field in the Record to be a counter for bytes seen. Additional Collect fields are omitted here.
apps netflow exporter alias v9-flows
    Creates a GigaSMART NetFlow Exporter arbitrarily named v9-flows.
destination ip4addr 192.168.51.41
    Configures the Exporter destination Collector IP address to be 192.168.51.41.
netflow-version netflow-v9
    Configures the Exporter to prepare flow summaries using NetFlow version 9 flexible NetFlow records.
template-refresh-interval 300
    Configures the Exporter to send a NetFlow record description template every five minutes.


NetFlow Generation – CLI (2)

The commands below receive traffic on network port 1, generate NetFlow and send it to tunneled tool port 5.

NetFlow configuration example, with a description of each command:

apps netflow monitor alias GS51-NetFlowMonitor
    Creates a GigaSMART® NetFlow Monitor arbitrarily named GS51-NetFlowMonitor.
cache timeout active 60
    Configures the timeout value for a still-active flow to 1 minute (60 seconds).
record add NetFlow9-record
    Configures the NetFlow Monitor to use the NetFlow Record definition named NetFlow9-record as the basis for managing and updating the flow cache database.
gsgroup alias GS51 port-list 1/5/e1
    Configures the specified GigaSMART engine group for use, and arbitrarily names it GS51.


NetFlow Generation – CLI (3)
The commands below receive traffic on network port 1, generate NetFlow and send it to tunneled tool port 5.

NetFlow configuration example, with a description of each command:

tunneled-port 1/1/x5 ip 192.168.51.91 255.255.255.0 gateway 192.168.51.1 mtu 1500 port-list GS51
    Creates a Tunnel on port 5 using IP address 192.168.51.91 as the source with a /24 mask, 192.168.51.1 as the router, sets the MTU to 1500, and uses GigaSMART® engine group GS51.
tunneled-port 1/1/x5 netflow-exporter add v9-flows
    Configures the Tunnel on port 5 to use the NetFlow Exporter named v9-flows.
gsparams gsgroup GS51
    Opens the GigaSMART engine group parameter list for GS51.
netflow-monitor add GS51-NetFlowMonitor
    Configures the GS51 engine group to use the NetFlow Monitor definition named GS51-NetFlowMonitor.
gsop alias v9NetFlow flow-ops netflow port-list GS51
    Creates a GigaSMART Operation for NetFlow Generation arbitrarily named v9NetFlow on GigaSMART engine group GS51.
map alias NetFlowExample
    Creates a map arbitrarily named NetFlowExample.
use gsop v9NetFlow
    Configures the map to use the GigaSMART operation named v9NetFlow.
rule add pass ipver 4
    Configures a map filter to pass all IP version 4 traffic.
to 1/1/x5
    Configures the map to use Tunneled Tool port 5.
from 1/1/x1
    Configures the map to receive traffic on port 1.


NetFlow Generation – CLI (4)
The CLI session below shows how to add a GigaSMART® NetFlow Generation configuration

(config) # port 1/1/x5 type tool

(config) # apps netflow record alias NetFlow9-record
(config apps netflow record alias NetFlow9-record) # netflow-version netflow-v9
(config apps netflow record alias NetFlow9-record) # match add ipv4 protocol
(config apps netflow record alias NetFlow9-record) # match add ipv4 source address
(config apps netflow record alias NetFlow9-record) # match add ipv4 destination address
(config apps netflow record alias NetFlow9-record) # match add transport source-port
(config apps netflow record alias NetFlow9-record) # match add transport destination-port
(config apps netflow record alias NetFlow9-record) # collect add counter bytes
(config apps netflow record alias NetFlow9-record) # collect add counter packets
(config apps netflow record alias NetFlow9-record) # collect add transport source-port
(config apps netflow record alias NetFlow9-record) # collect add transport destination-port
(config apps netflow record alias NetFlow9-record) # collect add timestamp sys-uptime first
(config apps netflow record alias NetFlow9-record) # collect add timestamp sys-uptime last
(config apps netflow record alias NetFlow9-record) # collect add ipv4 protocol
(config apps netflow record alias NetFlow9-record) # collect add ipv4 source address
(config apps netflow record alias NetFlow9-record) # collect add ipv4 destination address
(config apps netflow record alias NetFlow9-record) # exit
(config) #
NetFlow Generation – CLI (5)
The CLI session below shows how to add a GigaSMART® NetFlow Generation configuration
(config) # apps netflow exporter alias v9-flows


(config apps netflow exporter alias v9-flows) # destination ip4addr 192.168.51.41
(config apps netflow exporter alias v9-flows) # netflow-version netflow-v9
(config apps netflow exporter alias v9-flows) # template-refresh-interval 300
(config apps netflow exporter alias v9-flows) # snmp enable
(config apps netflow exporter alias v9-flows) # transport udp 2055
(config apps netflow exporter alias v9-flows) # exit
(config) # apps netflow monitor alias GS51-NetFlowMonitor
(config apps netflow monitor alias GS51-NetFlowMonitor) # cache timeout active 60
(config apps netflow monitor alias GS51-NetFlowMonitor) # cache timeout inactive 900
(config apps netflow monitor alias GS51-NetFlowMonitor) # cache timeout event transaction-end
(config apps netflow monitor alias GS51-NetFlowMonitor) # record add NetFlow9-record
(config apps netflow monitor alias GS51-NetFlowMonitor) # exit
(config) # gsgroup alias GS51 port-list 1/5/e1
(config) # tunneled-port 1/1/x5 ip 192.168.51.91 255.255.255.0 gateway 192.168.51.1 mtu 1500 port-list GS51
(config) # tunneled-port 1/1/x5 netflow-exporter add v9-flows
(config) #

NetFlow Generation – CLI (6)
The CLI session below shows how to add a GigaSMART® NetFlow Generation configuration

(config) # gsparams gsgroup GS51
(config gsparams gsgroup GS51) # netflow-monitor add GS51-NetFlowMonitor
(config gsparams gsgroup GS51) # exit
(config) # gsop alias v9NetFlow flow-ops netflow port-list GS51
(config) # map alias NetFlowExample
(config map alias NetFlowExample) # use gsop v9NetFlow
(config map alias NetFlowExample) # rule add pass ipver 4
(config map alias NetFlowExample) # to 1/1/x5
(config map alias NetFlowExample) # from 1/1/x1
(config map alias NetFlowExample) # exit
(config) #
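The Record / Monitor / Exporter split described in the component slides, and the `cache timeout active 60`, `cache timeout inactive 900` and `cache timeout event transaction-end` settings from the CLI above, as an added example (not Gigamon code): the match fields form the flow key, the collect fields are accumulated, and a flow is handed to the exporter when its active timeout expires, when it has been idle for the inactive timeout, or when a TCP FIN/RST ends the transaction. Packets are dicts and the sample traffic is constructed; both are assumptions of the example.

```python
"""NetFlow-style flow cache (added example, not Gigamon code).

MATCH_FIELDS plays the Record's match fields (the flow key); the counters,
timestamps and TCP flags are the collect fields; FlowCache is the Monitor;
the callback it calls on expiry stands in for the Exporter. Packets are
dicts here, an assumed representation for the example.
"""
from dataclasses import dataclass

MATCH_FIELDS = ("src_ip", "dst_ip", "protocol", "sport", "dport")
TCP_FIN, TCP_RST = 0x01, 0x04


@dataclass
class FlowRecord:
    key: tuple
    first: float
    last: float
    packets: int = 0
    byte_count: int = 0
    tcp_flags: int = 0

    def as_export(self):
        """The record as the exporter would emit it (match + collect fields)."""
        rec = dict(zip(MATCH_FIELDS, self.key))
        rec.update(packets=self.packets, byte_count=self.byte_count,
                   first=self.first, last=self.last, tcp_flags=self.tcp_flags)
        return rec


class FlowCache:
    def __init__(self, active_timeout=60.0, inactive_timeout=900.0, exporter=None):
        self.active = active_timeout
        self.inactive = inactive_timeout
        self.exported = []                       # default "collector": a list
        self.exporter = exporter or self.exported.append
        self.flows = {}

    def observe(self, ts, pkt):
        """Account one packet; `ts` is its timestamp in seconds."""
        key = tuple(pkt[f] for f in MATCH_FIELDS)
        rec = self.flows.get(key)
        if rec is not None and ts - rec.first >= self.active:
            # active timeout: export the long-lived flow so far, start a new record
            self._expire(key)
            rec = None
        if rec is None:
            rec = self.flows[key] = FlowRecord(key, first=ts, last=ts)
        flags = pkt.get("tcp_flags", 0)
        rec.last = ts
        rec.packets += 1
        rec.byte_count += pkt["length"]
        rec.tcp_flags |= flags
        if flags & (TCP_FIN | TCP_RST):          # transaction-end event
            self._expire(key)

    def sweep(self, now):
        """Inactive timeout: export flows that saw no packet for inactive_timeout."""
        idle = [k for k, r in self.flows.items() if now - r.last >= self.inactive]
        for key in idle:
            self._expire(key)

    def _expire(self, key):
        self.exporter(self.flows.pop(key).as_export())
```

The active timeout is what makes a long download show up in the collector before it finishes; the inactive timeout is what bounds the cache, and the page's 25,000-50,000 flows/second figure is the rate at which this cache can take on new keys, not the packet rate.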


NetFlow Generation – Fabric Manager
CREATE WORKFLOW

• Use Workflows option for


guidance on the creation and
configuration of NetFlow
Generation flow maps
• Select Map with NetFlow
• Select GS Group
• Click Next



NetFlow Generation – Fabric Manager (2)
TUNNEL PORT

• Create Tunnel Port


• Define tunnel port parameters
– Select port
– Enter IP address and mask
– Select Gateway
– Enter MTU value
– Verify engine group
• Click Save



NetFlow Generation – Fabric Manager (3)
NETFLOW EXPORTER CONFIGURATION

• Add NetFlow Exporter


• Click Create
• Enter NetFlow Exporter
parameters
• Click Save



NetFlow Generation – Fabric Manager (4)
NETFLOW RECORD CONFIGURATION

• Add NetFlow Record


• Click Create
• Enter NetFlow Record
parameters
– Enter Alias
– Choose NetFlow version
– Choose fields from Key Fields
(Match)
– Choose fields from Key Fields
(Collect)
• Click Save



NetFlow Generation – Fabric Manager (5)
NETFLOW MONITOR CONFIGURATION

• Add NetFlow Monitor
• Click Create
• Enter the NetFlow Monitor parameters
• Click Save


NetFlow Generation – Fabric Manager (6)
GS GROUP CONFIGURATION

• Configure GS Group
• Make sure proper GS Engine
is pre-selected
• Verify NetFlow Monitor
• Click Save



NetFlow Generation – Fabric Manager (7)
GS OPERATION CONFIGURATION

• Add GS Operation
• Click Create
• Enter GS operation
parameters
• Click Save



NetFlow Generation – Fabric Manager (8)
SOURCE PORT CONFIGURATION

• Select source port


• Click Next



NetFlow Generation – Fabric Manager (9)
NEW MAP CONFIGURATION

• Configure New Map


• Enter Map alias
• Verify map source, destination
and GS operation
• Add Rule
• Click Save



NetFlow Generation – Fabric Manager (10)
MAP DISPLAY

• Click on To Maps button to


display configured map
• Confirm Topology

Network Tool
Map



#wefightsmart
