Alexandre Aeschbach, Chief - emitec datacom · • Harder to enforce security policies with dynamic...

Page 1

Page 2

Alexandre Aeschbach, Chief Solution Architect – emitec ag

Page 3

Agenda

Data Acquisition inside the Cloud

Monitoring inside the Cloud

Page 4

Data Acquisition in the Cloud

Page 5

© 2016 IXIA AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | Ixia Confidential | See disclaimer on slide 2 of this presentation |

VIRTUAL DATA CENTER – THE CHALLENGE

Most virtual traffic is not seen by security and analytics tools

Diagram: a production network with Web, App and DB hosts; the security and performance monitoring tools (IDS, DLP, forensics tool) are attached to the physical network, while the east-west traffic between the VMs is not seen by the network monitoring tools.

• Harder to enforce security policies with dynamic environment

• End-to-end monitoring involves multiple locations

• East-west traffic between VMs is hidden from tools

• Virtual workloads move – can’t track by IP address, protocol and port

• Harder to assure quality for time-sensitive applications on software-based infrastructure

Page 6

CLOUDLENS

Visibility platform across every cloud environment - public, private, and hybrid clouds

Page 7

CLOUDLENS PRIVATE

Page 8

Diagram: the CloudLens Manager sends policy updates to vTaps running on ESXi, Hyper-V and OpenStack-KVM hosts; each vTap copies VM traffic from the production network into the monitoring network over GRE, VLAN or ERSPAN.

VIRTUAL MOBILE OPERATOR VISIBILITY

Diagram: the same vTap approach applied to EPC traffic.

Page 9

CLOUDLENS PRIVATE - VISIBILITY PLATFORM

CloudLens vTap (ex-Phantom vTap)

Tap Virtual Traffic in the Private Cloud / Data Center

Intelligent Filtering

OpenStack Integration (TaaS & OVS Support)

CloudLens with PacketStack (Virtual Packet Broker)

Aggregation and Duplication

Get the Packets to the Performance and Monitoring Tools

Packet Processing

CloudLens with AppStack (Application & Threat Intelligence Processing)

NetFlow Generation

Application Intelligence – Geo-location

Application Filtering, Data Masking

CloudLens with MobileStack (Filtering and Load Balancing for Mobile Operators)

GTP Control and User Plane correlation and Load Balancing

Subscriber-aware filtering and sampling

CloudLens Private Today

Page 10

UNIFIED VISIBILITY MANAGEMENT

• Complete visibility of inter-VM traffic

• Unified Visibility Management across different market-leading hypervisor platforms: VMware ESXi, Microsoft Hyper-V, KVM, OpenStack KVM, NSX

• Multi-tenancy support in OpenStack environments (with TaaS)

• Automated deployment and monitoring

• Packet filtering at the source for maximum scalability and low overhead

CloudLens vTap

Page 11

CENTRALIZED MANAGEMENT

Central Management of vTaps and Policies

• Key functions

Virtual Taps Deployment & Management

Configuration

License Management

Software Upgrades

• Installation

Can be deployed anywhere as a Virtual Appliance

Can Manage vTaps on Different Hypervisors

Requires a direct path to all monitored hosts

CloudLens Service Manager

Page 12

SUPPORTED ENVIRONMENTS

VMware – CloudLens vTap 4.5

                                  ESXi 5.0 & 5.1    ESXi 5.5             ESXi 6.0 & 6.5
ESXi – vSwitch (Kernel Module)    Yes (Default)     Yes (1)              No
ESXi – vDS (SVM based)            Yes               Yes (2) (Default)    Yes (2) (Default)
ESXi – vSS (SVM based)            No                Yes (2)              Yes (2)

(1) For upgrading existing customers or special cases
(2) vCenter support only (no standalone ESXi host)

NSX – vTap 5.0 BETA – Integrated NSX support

KVM – With Open vSwitch (OVS)

• KVM 2.01 and above with OVS 2.0 and above

• Ubuntu 14.04, RHEL 7, CentOS 7

Hyper-V – Windows Server 2012, 2012 R2 and Windows Server 2016

OpenStack – KVM/OVS – Tap-as-a-Service (TaaS)

Page 13

CLOUDLENS – KEY ADVANTAGES

• Central management of virtual monitoring and probe deployment

• Automatic VM tracking and policy migration (vMotion/DRS aware)

• Cross-hypervisor compatibility

• Universal policies for automatically monitoring new VMs

• VM based monitoring (vs. port based)

Page 14

CLOUDLENS PUBLIC

Page 15

META-DATA & LOGS vs PACKET DATA

Diagram: the traffic of the cloud services is seen two ways, as meta-data & logs and as packet-data.

Meta-data & Logs

✓ When the conversation started

✓ Duration of the conversation

✓ Type of conversation

Result: cannot identify the malicious content

Packet-data

✓ When the conversation started

✓ Duration of the conversation

✓ Type of conversation

✓ Copy of the actual conversation

Result: malicious content identified
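The contrast this slide draws, as an added Python example that is not part of the presentation nor of any Ixia or NETSCOUT product: the constructed capture is GRE-encapsulated IPv4/TCP, the transport a vTap uses to hand mirrored traffic to tools (slide 8), and from it the script derives NetFlow-style records (start, duration, type, bytes) and, separately, runs a payload signature check that only the packet copy makes possible. The tap and tool addresses, the flows and the signature string `evil-marker` are all constructed values.

```python
import struct

def ip_hdr(proto, src, dst, payload_len):
    """Minimal IPv4 header (IHL=5, checksum left 0) for the constructed samples."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, addr(src), addr(dst))

def make_gre_tcp(src, dst, sport, dport, payload, key=None):
    """Constructed sample: outer IPv4/GRE (tap 10.0.0.5 -> tool 10.0.0.9) around inner IPv4/TCP."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    inner = ip_hdr(6, src, dst, len(tcp)) + tcp
    # GRE (RFC 2784): flags/version + EtherType; optional 32-bit key sets the K bit (RFC 2890)
    gre = struct.pack("!HH", 0, 0x0800) if key is None else struct.pack("!HHI", 0x2000, 0x0800, key)
    return ip_hdr(47, "10.0.0.5", "10.0.0.9", len(gre) + len(inner)) + gre + inner

def parse_ipv4(buf):  # -> (protocol, src, dst, L4 bytes)
    dotted = lambda b: ".".join(str(x) for x in b)
    return buf[9], dotted(buf[12:16]), dotted(buf[16:20]), buf[(buf[0] & 0x0F) * 4:]

def decapsulate_gre(frame):
    """Strip outer IPv4 + GRE header (4 bytes, plus 4 each for the C, K and S options)."""
    proto, _, _, rest = parse_ipv4(frame)
    flags, ethertype = struct.unpack("!HH", rest[:4])
    if proto != 47 or ethertype != 0x0800:
        raise ValueError("not a GRE-encapsulated IPv4 packet")
    return rest[4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000):]

def flow_metadata(packets):
    """NetFlow-style view: 5-tuple -> (start, duration, bytes). The payload is never kept."""
    flows = {}
    for ts, frame in packets:
        inner = decapsulate_gre(frame)
        proto, src, dst, l4 = parse_ipv4(inner)
        sport, dport = struct.unpack("!HH", l4[:4])
        rec = flows.setdefault((src, dst, sport, dport, proto), [ts, ts, 0])
        rec[1], rec[2] = ts, rec[2] + len(inner)
    return {k: (start, end - start, nbytes) for k, (start, end, nbytes) in flows.items()}

def payload_hits(packets, signature):
    """Content inspection: only possible because the packet copy carries the payload."""
    parsed = [(ts, parse_ipv4(decapsulate_gre(f))) for ts, f in packets]
    # l4[12] >> 4 is the TCP data offset in 32-bit words: skip the header, search the payload
    return [(ts, src, dst) for ts, (_, src, dst, l4) in parsed if signature in l4[(l4[12] >> 4) * 4:]]

# Constructed capture: two packets of one HTTP flow, one packet of a TLS flow carried with a GRE key.
SAMPLE = [
    (100.0, make_gre_tcp("192.168.1.10", "192.168.2.20", 40000, 80, b"GET / HTTP/1.1\r\n")),
    (100.5, make_gre_tcp("192.168.1.10", "192.168.2.20", 40000, 80, b"POST /up HTTP/1.1\r\n\r\nevil-marker")),
    (101.2, make_gre_tcp("192.168.1.11", "192.168.2.20", 40001, 443, b"\x16\x03\x01", key=42)),
]
```

`flow_metadata(SAMPLE)` yields the two conversations with their start, duration and size but no content, so the marker in the second packet is only found by `payload_hits(SAMPLE, b"evil-marker")`.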

Page 16

Page 17

CLOUDLENS FOR THE HYBRID CLOUD

Diagram: App, Web, Security and DB groups spread across several clouds and an ESXi hypervisor hosting guest VMs; traffic from both is forwarded (GRE, VLAN, ERSPAN) to virtual tools and, over the monitoring network, to physical tools; users access the services from outside.

Page 18

Monitoring in the Cloud

Page 19

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY

Page 20

Making the Invisible Visible

Monitoring within a virtual environment

Page 21

The Complexity Challenge

Diagram: layered view of the service infrastructure.

Underlay Networks – Broadband, 2G/3G/4G/5G, Internet, MPLS, Ethernet, physical elements

Virtual Service Infrastructure – virtual HW & SW (uCPE, vCPE, data center, POP, edge) on OpenStack or VMware

Overlay Networks – virtualized services and VNF service chains (vEPC, SD-WAN, vIMS, vSBC, further VNFs)

Orchestration & Management – SDN control, policy, EMS/NMS, automation, ETSI MANO, ONAP

Domains – Enterprise, Mobile, Fixed, SaaS, Public Cloud, Private Cloud

How do you Assure End-to-End, Multi-layer, Multi-domain Services?

The Software Defined Data Center - SDDC

Page 22

vSCOUT Deployment Options

Agent

• Traffic acquisition from local interface

• Hypervisor independent, supports popular Linux/Windows distros

Virtual Machine

• Traffic acquisition from virtual switch

• Supports vSphere, KVM/OpenStack, Cisco NEXUS virtual switch

Plug-in

• OpenStack – acquires traffic via Neutron plugin

• VMware/NSX – acquires traffic using the NetX API

Container

• Traffic acquisition via Docker bridge in the O/S

• Self contained

Page 23

vSCOUT Examples

• Virtual Smart Tap with Smart Visibility

Diagram: three vSCOUT placements on shared hardware – inside a VNF next to its vNIC, as a vSCOUT plugin of the Virtual Infrastructure Manager observing several VNFs, and as a stand-alone vSCOUT attached to the vSwitch.

VNF Embedded Plugin – OpenStack, VMware

• Smart Visibility: ASI metrics per VNF, minimal overhead

• Smart TAP: ASI metrics at source, traffic forwarding & filtering

• Small footprint: non-dedicated cores, < 1 vCPU

• Public/Private Cloud: AWS, Azure, OpenStack, VMware

Page 24

vSTREAM

• Virtual Machine: VNF with multiple flavors

• 24x7: packet capture, session trace

• Personality: Next Generation or TEK Classic

• Fast I/O: DPDK, SR-IOV & PCI pass-through

• Orchestration: ETSI/MANO, OSM certified

Diagram: vSTREAM deployed as a VNF at the vSwitch on shared hardware; a vSCOUT plugin in the Virtual Infrastructure Manager forwards packets from the other VNFs' vNICs to it.

Page 25

vSTREAM

• Monitoring at the source

• Virtual Machine: reduce resources to what is needed (CPU, disk space)

• 24x7: packet capture without duplication of the traffic, session trace

• Personality: Next Generation or TEK Classic

• Reduce traffic load: only smart data are transferred over the network; ASRs / packets on demand

• Orchestration: ETSI/MANO, OSM certified

Diagram: vSTREAM as a VNF at the vSwitch, alongside the other VNFs and their vNICs.

Page 26

vSCOUT and ISNG

• Forwarding into existing infrastructure: GRE tunnel

• Multi-consumer environment, e.g. security

• 24x7: packet capture, session trace, enhanced packet retention

• Personality: Next Generation or TEK Classic

Diagram: a vSCOUT plugin in the Virtual Infrastructure Manager forwards VNF traffic through a GRE tunnel to the existing ISNG infrastructure.

Page 27

vSTREAM Orchestration

Diagram: an NFVO (TACKER) drives the deployment across two virtual infrastructures in three steps – 1 Deploy VaaS, 2 Instantiate vSTREAM, 3 Setup Traffic Mirroring – after which vSTREAM runs as a VNF at the vSwitch alongside the other VNFs.

• Orchestration friendly: REST APIs

• Service chaining/deployment: NSDs and VNFDs

• Based on ETSI MANO: OSM certified @ Telefonica

Page 28

Questions?