Ixia’s Inline Security Architecture
Technical Overview
Find us at www.ixiacom.com
Contents
Generic Solution Overview
    Typical inline security components
    The inline visibility architecture
    Inline Security Ideal Customer Profile
Inline Security Use Cases
    Use case category #1 – Maximize network reliability for business continuity
    Use case category #2 – Eliminate security appliance downtime cost and risk
    Use case category #3 – Reduce malware infiltration risk
    Use case category #4 – Minimize complexity to control security solution costs and reduce wasted IT time
    Use case category #5 – Deploy advanced security countermeasures
Solution Benefits
Ixia Solution Summary
    iBypass switches
    Vision series of inline NPBs
    SecureStack SSL / TLS decryption
    ThreatARMOR threat intelligence gateway
Putting It All Together – The Ixia Visibility Architecture
    Deployment configurations
Conclusion
Appendix A – Citations
Generic Solution Overview
Ixia offers many security products that solve problems for different parts of the network.
This solution focuses on inline visibility and security components. This means offering
Ixia products that augment traditional security products from our technical partners so
that Ixia can help customers create the most effective solution possible.
Typical inline security components
An inline architecture has become a critical component in the war to protect the data
networks of every enterprise. Inline monitoring appliances and tools must operate at
peak performance without failure and without affecting network uptime or application
responsiveness while inspecting network traffic 24 hours a day. Deployment of an
inline security solution with an IPS, WAF, unified threat management (UTM), or other
appliances can effectively screen incoming traffic for encrypted or unencrypted threats.
Here is an overview of common inline security appliances and their functions:
Firewall
Firewalls perform basic packet inspection to either block or allow packets based upon
preset criteria. The criteria typically include source and destination IP address or address
range, protocol, and port number. They also perform network and port address translation
(NAT and PAT) to map between internal and external addresses, so that internal hosts can
reach external networks and selected external traffic can reach internal services. These
devices can be either physical appliances or software-based.
The purpose of a firewall is to be your first line of defense against security attacks.
Typical placement is at the ingress to the network, usually just inside the border router;
in specific cases a firewall is placed in front of the router instead.
Most traditional port- and address-based firewalls are now outdated. Next-generation
firewalls (NGFW), which add application awareness and intrusion prevention, have
largely replaced them.
External bypass switch
When deploying an inline network security tool, such as an IPS, it is vital to ensure that
traffic continues to flow in all circumstances, even if the inline tool goes down. This
ensures that mission-critical business applications remain available. An external bypass
switch is one way of ensuring that traffic keeps flowing even in the event of a tool
outage.
A bypass switch is a special-purpose tap with fail-over capability. Unlike a tap, a bypass
is an active device that is a direct and integral part of network data transmission.
Internal bypass switch
The internal bypass switch is similar to the external bypass switch. However, it is
integrated with a security appliance. Despite the similarities in functionality, clear
differences exist between an internal and an external bypass.
The main differences between an internal and external bypass are as follows:
• The external bypass does not have any dependencies on a host security tool.
• The external bypass supports the use of device-independent heartbeat messages to validate that the connected device is available and working.
• The external bypass has improved efficiency as you can use one external bypass switch concurrently with multiple security appliances.
Web application firewall
A web application firewall (WAF) inspects HTTP and HTTPS traffic at the application layer
to protect web applications from attacks such as cross-site scripting (XSS) and SQL
injection. This application-layer focus, as opposed to filtering on addresses and ports,
differentiates the WAF from a traditional firewall.
Next-generation firewall
A next-generation firewall (NGFW) is an evolution of the basic firewall. This device
typically combines stateful packet filtering with application identification, deep packet
inspection, and an intrusion prevention system; some products also add WAF functions.
By combining all of these functions, the NGFW can increase scrutiny of inbound traffic.
This allows for quicker security threat investigations closer to the perimeter of the network.
Firewall functionality continues to evolve. As an example, the demarcation between
NGFW feature sets and UTM features has become blurred. As manufacturers
continue to add more features to firewalls, the UTM category may end up
disappearing altogether.
Intrusion prevention system
Another useful security appliance is the intrusion prevention system (IPS). The IPS sits
behind the firewall as a second line of defense. Data passes from the firewall to IPS where
the IPS conducts deep packet inspection, looking for hidden malware and other attacks.
An IPS is normally deployed inline, which differentiates it from an intrusion detection
system (IDS), which is used in out-of-band deployment scenarios.
Unified threat management
Unified threat management (UTM) is a security solution that integrates multiple separate
security devices into one security appliance. It is essentially an all-in-one approach
designed to reduce operational complexity. There is one user interface, one set of
policies to program, and one system to patch.
As mentioned earlier, the borders between NGFWs and UTMs have become blurred, and the
UTM category may end up disappearing.
Threat intelligence gateway
Threat intelligence gateways or platforms are devices that create threat intelligence
feeds for transmission to other security devices to help enhance the overall security
posture of an organization. These appliances aggregate and correlate data from
different sources to recognize patterns. These patterns can include fingerprints for
different malware families and the exploits they use (such as WannaCry and the
EternalBlue exploit it spread with), suspicious lateral movement of data on the network,
suspicious communications to off-network locations, or various other activities. Once this
data is correlated and interpreted, the resulting indicators are useful to other security
appliances such as an IPS or a security information and event management (SIEM)
system looking for new security threats.
Data loss prevention
Data loss prevention tools, also sometimes called data leak prevention tools, protect data in
use, data at rest, and data in motion from theft, exfiltration, inappropriate access or, in some
cases, even corruption. The increasing importance of regulatory compliance standards such
as PCI DSS, HIPAA, GDPR, ITAR and others, as well as recognition of the importance of
defending against insider threats, are two of the factors driving DLP deployment.
Honeypot
A honeypot is a computer system holding decoy data that looks legitimate but has no real
value, placed in a special network environment to attract bad actors. The intention is to
bait an attacker into attacking the honeypot and launching a security threat. Once this
happens, the owner of the honeypot can watch how the attacker moves across the
network and what activities they conduct, including how the attack inserts and detonates
malicious code. This allows the honeypot’s SecOps team to classify and chronicle the
attack. The information is useful for protecting the production network and thwarting
these types of attacks in the future. Since security threats continue to morph, the
deception technology market continues to grow at a compound annual growth rate of 9%.
A honeypot is often located in a sandbox separate from the main corporate network; in
an inline architecture, suspicious traffic seen in the data path can be diverted to it.
Another use case exists for some professional security organizations and agencies that
wish to use distributed honeypots. This deployment scenario is an out-of-band one, used
to determine if and where the network has been infiltrated.
The inline visibility architecture
Inline means that a component or tool is deployed directly in the path of network data
flow. This includes both security tools and network visibility equipment. The visibility
equipment in this architecture is the bypass switch and the packet broker, which sit in
the data path and feed the inline security appliances. One drawback to this approach is
that if any system in the data path fails, the link goes down. Fortunately, fail-over and
redundancy mechanisms exist that address this failure concern.
External bypass switch
The purpose of a bypass switch is to switch traffic around tools that have either gone
down due to some fault or issue with power or tools that need to be taken offline for
software updates, patches and subsequent reboots.
You can set a bypass switch to fail open or fail closed. Fail open means that traffic
continues to flow between network devices if you remove a security monitoring device
from the network or the bypass switch loses power. This mechanism is also referred to
as “fail to wire” to make it clear that this failure scenario supports business continuity.
In the fail-closed scenario, a failure in the bypass switch or the tool results in no traffic
passing. Fail closed is the safer option from a security standpoint, because no traffic
ever transits uninspected, but it trades that safety for availability.
The bypass switch generally uses a heartbeat packet to detect application, link, or
power failure on the attached monitoring device. If the heartbeat packet is disrupted,
then the bypass switch removes this point of failure by automatically shunting traffic
around the security tool whenever the tool is incapable of passing traffic.
While directly deploying inline security tools can create a line of defense, these tools can
also result in single points of failure. Even a strong mix of security and analytics tools
can lead to network reliability risks as regular rebooting, maintenance, and upgrades of
those tools increase the chances of a costly network outage. If an inline tool becomes
unavailable, it can completely bring down the network link, significantly compromising
network uptime and disrupting business continuity. This can be a significant problem for
the almost 20% of IT organizations that directly deploy inline security tools and the 40%
that deploy internal bypass solutions instead of external-based solutions.
An external bypass switch allows fail-safe deployments of inline security and monitoring
tools to ensure high availability and maximum uptime. The stand-alone (external) bypass
offers superior protection when compared to a security tool with an integrated bypass
option. For example, some external bypass switches have a mean time between failure
(MTBF) of approximately 450,000 hours. This reliability can be up to five times better
than various security tools (such as combined firewall and IPS solutions) that have an
MTBF of approximately 80,000 to 100,000 hours. Adding internal bypass capability
further reduces the MTBF and reliability for those types of solutions.
Also, when you replace various security tools, you may have to remove the integrated
bypass as well. An external bypass eliminates this issue.
Another key benefit to the external bypass switch is fail-over capability during upgrades.
Certain inline security tools include an internal bypass switch. This becomes a problem
when you want to replace the security tool, or, in some cases, simply update and
maintain that tool. Software upgrades or security patches may require a reboot, with
obvious negative implications for architectures using internal bypass switching. The
simple solution is to use an external bypass. Then you do not have to worry about
future upgrades.
An external bypass offers the following benefits:
• It eliminates single points of failure for inline tool deployments with a bypass switch.
• The MTBF of an external bypass switch can be up to five times better than an
integrated bypass.
• It provides more flexibility to add or remove inline security tools without network
impacts.
• An external bypass switch eliminates downtime from tool upgrades and removal.
Figure 1. Inline security solution with a bypass switch connected to all components (diagram: www, firewall, switch and servers on the data path; four bypass switches feeding a WAF, an IPS, SSL decrypt, and other tools)
Inline network packet broker
The main purpose of the network packet broker is to optimize the flow of data going to
security tools. Sitting between bypass switches and inline security appliances, packet
brokers add another layer of data visibility to your security architecture. By providing
the ability to aggregate, filter, deduplicate, load balance, and decrypt SSL / TLS traffic,
packet brokers provide serialized data to a chain of security tools for deep data analysis.
Inline versions of NPBs also contain heartbeat and fail-over capabilities to properly
handle data continuity and high-availability. This works similarly to the bypass switch,
except that it is two-sided. There is communication between the bypass and NPB to
make sure the NPB is working. If not, the bypass switch will either divert the flow into
the network or stop the transmission of traffic completely. The exact action depends on
the options selected for the bypass.
Another set of communications sits between the NPB and security appliances. This
provides continuity and survivability for the data analysis process. Should a security
appliance fail, the NPB will divert traffic to other available security appliances, if
available. If all security appliances are out of operational state, you can set the NPB
configuration to operate in one of two ways. First, it could signal an error state to the
bypass. The bypass switch will interpret this as a failure and follow its pre-programmed
fail-open or fail-closed scenario. Once the security tools are operational again, the NPB
replies to the bypass switch heartbeat message, and data flows from the bypass to the
NPB again.
The second tool failure option is for the NPB not to declare an error and simply shunt
the traffic back to the bypass. While this means that no security inspection takes place,
the network remains up until one or more of the security tools becomes available again.
Then the NPB will forward incoming traffic to the security tool(s).
The NPB supports load balancing. If one or more tools fail, the NPB will redirect to
surviving tools. This is an excellent and cost-effective way of using n+1 survivability to
create tool redundancy, assuming the tools are over-dimensioned by at least one device.
The chapter on use cases provides more information on this functionality.
Another benefit from a packet broker is that you can automate the data inspection
process. Tool chaining accomplishes this. Preset toolchains ensure that data is passed
sequentially from one tool to another so that actions occur in sequences and do not
get overlooked. Linking of security and monitoring tools happens by using software
provisioning in the NPB to control the flow of data through the selected services.
Depending on the situation, the required data inspection can occur in parallel or in series.
At Ixia, the primary way that we address tool chaining is to use a grouping of ports. To
accomplish the proper flow of data, at least one tool gets assigned to a port or port
group on the NPB. Multiple port groups require chaining together to accomplish the
desired data flow.
The primary benefits of a packet broker are that it can help you with the following:
• improved uptime
• the ability to make real-time decisions
• extensive fail-over options
• cost savings resulting from load balancing across multiple tools
• built-in recovery options
• reduced complexity
• diversion of bad traffic to a honeypot
Visibility architecture diagram
The following diagram shows the proper way to integrate a bypass and an inline NPB
into an inline security architecture.
Figure 2. Inline security solution showing a typical traffic data path (diagram: www, firewall, switch and servers on the data path; a bypass switch feeding a network packet broker that performs aggregation, filtering and load balancing toward the security tools)
Inline Security Ideal Customer Profile
Customers most likely to benefit from an inline security solution are midsized
to large organizations with on-premises data centers. Banks; hospitals and healthcare
offices; manufacturing companies; city, state, and federal governments; and oil, gas,
and energy utilities are just some of the organizations that should consider an inline
visibility solution.
Branch offices represent another scenario where inline security architectures with
bypass switches and network packet brokers can be useful. This is essentially the same
as a large data center, just on a smaller scale. Deploying a bypass switch and an NPB
together provides increased survivability for edge security tools so those tools can
monitor, and if necessary, take action upon incoming and outgoing network traffic.
Inline Security Use Cases
There are five basic categories of inline security use cases:
1. Maximize network reliability for business continuity. Create a hardened fail-over solution for security appliances.
2. Eliminate security appliance downtime cost and risk. Improve security tool survivability with high availability (HA) and n+1 options.
3. Reduce malware infiltration risk. Eliminate traffic from known bad IP addresses and perform active SSL decryption to challenge all incoming data.
4. Control security solution costs and reduce wasted IT time. Reduce complexity with simpler, but more powerful, network security solutions.
5. Deploy advanced security countermeasures. Deploy more capabilities with ease (such as honeypots), simple indicator-of-compromise (IOC) checks (such as negative heartbeats), and more advanced threat hunting.
The following sections will illustrate each use case.
Use case category #1 – Maximize network reliability for business continuity
Today’s data networks are crucial to a typical business as they affect employee productivity,
e-commerce, communications, and more. Because of this, data networks need more
reliability. Implementing bypass switches, inline NPBs, and HA architectures is part of
the solution. Another part of the solution is to create self-healing networks.
The primary focus of this use case is business continuity — keeping the network and
applications up and running. While components matter, this use case focuses on the
system (or the network).
Bypass switches let you connect inline security tools to your network without the risk
of network downtime. When an inline tool fails, bypass switches automatically kick in.
They redirect network traffic so that it flows around the failed tool, instead of through it.
The network traffic bypasses the blockage the tool caused. This way the network stays
up and running — even if the tool does not. This is important as the average cost of
network downtime is $7,790 per minute, according to the Ponemon Institute.
Bypass switches detect when an inline tool has failed or lost power by listening for
replies to special heartbeat packets. The bypass switch sends heartbeat packets to the
inline tool at regular intervals. If the tool does not reply within the expected interval,
the switch assumes the inline tool has failed, and it reroutes network traffic.
Typical heartbeat intervals are 100 ms with a minimum of two retries, but this is
customizable. The bypass switch will continue to send heartbeat packets to the inline
tool until it receives a reply. Once it starts to get replies again, it considers the tool “up”,
and will start sending traffic to that tool again, creating a self-healing loop. If there is no
reception of a heartbeat message, and no redundant tool, then the bypass can initiate
a fail-over to keep the network up. Once heartbeat messaging returns, the bypass
functionality disengages.
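The heartbeat and fail-over behaviour described above, modelled as an added example. This is illustrative code written for this page, not Ixia firmware or an Ixia API; the 100 ms interval and the two-retry default are taken from the text, while the class names, the `Mode`/`State` values and the `simulate` helper are assumptions of the example.

```python
"""Bypass-switch heartbeat / fail-over state machine (illustrative, not vendor code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    FAIL_OPEN = "fail-open"      # "fail to wire": traffic flows around the tool
    FAIL_CLOSED = "fail-closed"  # link held down until the tool answers again


class State(Enum):
    INLINE = "inline"        # traffic is forwarded through the tool
    BYPASSED = "bypassed"    # traffic shunted around the tool, uninspected
    BLOCKED = "blocked"      # no traffic passes (fail-closed)


@dataclass
class BypassSwitch:
    mode: Mode
    interval_ms: int = 100   # heartbeat interval; the page gives 100 ms as typical
    retries: int = 2         # missed heartbeats tolerated before failing over
    state: State = State.INLINE
    missed: int = 0
    events: list[str] = field(default_factory=list)

    def heartbeat(self, now_ms: int, replied: bool) -> State:
        """Record the outcome of one heartbeat probe and update the state."""
        if replied:
            if self.state is not State.INLINE:
                self.events.append(f"{now_ms} ms: tool replied, fail-back to inline")
            self.missed = 0
            self.state = State.INLINE
            return self.state
        self.missed += 1
        # Fail over only once the retries are exhausted, so one lost probe
        # does not flap the link.
        if self.missed > self.retries and self.state is State.INLINE:
            self.state = (State.BYPASSED if self.mode is Mode.FAIL_OPEN
                          else State.BLOCKED)
            self.events.append(
                f"{now_ms} ms: {self.missed} heartbeats missed -> {self.state.value}")
        return self.state

    def forward(self, frame: bytes) -> tuple[str, bytes | None]:
        """Data-plane decision for one frame in the current state."""
        if self.state is State.INLINE:
            return "tool", frame          # out the monitor port to the tool
        if self.state is State.BYPASSED:
            return "network", frame       # straight through, uninspected
        return "dropped", None            # fail-closed: the link is down


def detection_time_ms(interval_ms: int = 100, retries: int = 2) -> int:
    """Worst-case time from tool failure to fail-over: retries + 1 probes."""
    return (retries + 1) * interval_ms


def simulate(mode: Mode, replies: list[bool], interval_ms: int = 100,
             retries: int = 2) -> tuple[list[str], list[str]]:
    """Feed a constructed sequence of probe outcomes (True = reply seen) and
    return the switch state after each probe plus the event log."""
    sw = BypassSwitch(mode=mode, interval_ms=interval_ms, retries=retries)
    states = [sw.heartbeat(i * interval_ms, ok).value
              for i, ok in enumerate(replies)]
    return states, sw.events


if __name__ == "__main__":
    # Constructed scenario: tool healthy, silent for four probes, then back.
    pattern = [True, True, False, False, False, False, True]
    for mode in Mode:
        states, events = simulate(mode, pattern)
        print(mode.value, states)
        for event in events:
            print("  ", event)
```

With the page's defaults a dead tool is detected after three probes, 300 ms. Note that the model, like the text, fails back on the very first reply; a production switch usually requires several consecutive good replies before re-inserting the tool, otherwise a tool that is rebooting repeatedly flaps traffic in and out of inspection.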
This use case has the following benefits:
• Heartbeat technology in bypass switches and NPBs can help equipment create a self-healing architecture and maximize network availability.
• Fail-over and heartbeat technology in bypass switches and NPBs increase availability and survivability of inline security appliances.
• External bypass switches prevent disruption when security devices go out of service for upgrades or replacement.
• The security engineer does not need to actively participate, as the bypass will restore traffic to the tools once they are working again.
• Anti-tromboning technology reduces fail-over and fail-back network disruptions.
Figure 3. Inline security solution with a bypass switch connected to all components (diagram: www, firewall, switch and servers on the data path; four bypass switches feeding a WAF, an IPS, SSL decrypt, and another tool)
Use case category #2 – Eliminate security appliance downtime cost and risk
The primary focus of this use case is to keep security appliances up and running.
The inline NPB offers two methods to increase survivability of the tools: HA and n+1
survivability. HA typically means full redundancy, where you have a primary and standby
set of tools connected to the network. The second set of components processes traffic
only if the primary set fails. The n+1 option is where all the tools are active and running.
If one fails, the others take extra load to make up for the out-of-commission device.
The following provides a more detailed discussion of both types.
High availability
Let’s look at the first option, HA. This option is highly effective at maintaining maximum
network and tool uptime. You literally have a second copy of everything (bypass switch,
packet broker, and tools). If one component or path fails, the secondary equipment can
handle the load. While this option yields the highest level of availability, it also comes
at a high price: literally double the cost for everything.
Ignoring the cost issue, the use of redundant external bypass switches and packet
brokers can increase your network uptime and reliability beyond the level provided with
just redundant tools. In fact, the external bypass switch and packet broker can reliably
connect the redundant tools in a more cost effective and less complicated manner than
special-purpose load-balancing devices. An external bypass approach has the benefits
of delivering superior resilience because of more granular failure detection, faster fail-
over, and better application session integrity. This reduces the cost of the system while
making it more resilient.
Of course, you can always make trade-offs to reduce the cost. Since you have a
redundant bypass switch and packet broker, maybe you do not need a redundant set of
tools. You can count on the other equipment to provide reliability. This option could save
you a lot of money, as we all know how expensive security tools can be.
This use case has the following benefits:
• It uses HA to create full redundancy (n+n) for inline deployments of NPBs and bypass switches.
• It reduces network and component downtime costs.
• Heartbeats of 10 to 30 milliseconds enable rapid fail-over between bypasses and NPBs on optical paths.
Figure 4. Inline security solution using high availability
N+1 survivability
Network security and monitoring tool survivability typically refers to redundant tools,
especially in the case of inline deployments. However, a cost-effective alternative
to HA is to implement an n+1 option for security tool (such as IPS and WAF)
redundancy. In this situation, you do not have a duplicate copy of tools waiting in a
standby mode to take over should the primary equipment fail. However, you do not
have to spend double the costs for a redundant solution as you do with HA. Until
now, cost has been a significant limiting factor in the deployment of n+1 survivability.
In this solution, security tools are allocated to a specific port group on an NPB.
Based on filtering criteria, the packet broker spreads traffic across devices on
the port group. Should a tool not acknowledge a heartbeat, the packet broker
distributes data evenly across the remaining tools in the port group. Note, the
default retry setting is three attempts, but this setting is configurable. Once the failed
tool starts replying to heartbeats again, the NPB will resume routing traffic to it.
For example, say you need four IPS tools to process your inline network traffic. In
this case, you would add a fifth IPS. The packet broker would then load balance the
traffic across all five IPS tools. Should any one of the tools fail, the packet broker
can load balance the full load across any of the remaining four IPS tools. This
provides a good level of survivability at a fraction of the cost of a fully redundant
system. If you would like to have more survivability, like an n+2 situation, you can do
that as well — all the way up to a fully redundant set of tools. It all depends on the
level of risk you feel comfortable with and your budget.
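The n+1 port group described above, as an added example of how a packet broker can spread flows across tools and redistribute them on a missed heartbeat. This is illustrative code, not Ixia's load-balancing implementation; the three-attempt retry default comes from the text, while the rendezvous-hashing scheme, the `PortGroup` class and the constructed flows are assumptions of the example.

```python
"""n+1 load balancing across a port group of inline tools (illustrative, not vendor code)."""
from __future__ import annotations

import hashlib
from collections import Counter
from dataclasses import dataclass

# A flow is (src_ip, dst_ip, src_port, dst_port, proto).
Flow = tuple[str, str, int, int, str]


@dataclass
class Tool:
    name: str
    missed: int = 0
    healthy: bool = True


def canonical_flow_key(flow: Flow) -> str:
    """Order the two endpoints so both directions of a connection hash alike.
    An inline IPS must see request and response on the same instance."""
    src_ip, dst_ip, sport, dport, proto = flow
    lo, hi = sorted([(src_ip, sport), (dst_ip, dport)])
    return f"{proto}:{lo[0]}:{lo[1]}-{hi[0]}:{hi[1]}"


def _score(key: str, tool_name: str) -> int:
    return int(hashlib.sha256(f"{key}|{tool_name}".encode()).hexdigest(), 16)


class PortGroup:
    """Tools sharing one NPB port group; failed tools drop out of selection."""

    def __init__(self, names: list[str], retries: int = 3):
        self.tools = {n: Tool(n) for n in names}
        self.retries = retries   # page: default of three heartbeat attempts

    def heartbeat(self, name: str, replied: bool) -> bool:
        """Update one tool's health from a heartbeat result; return health."""
        t = self.tools[name]
        if replied:
            t.missed, t.healthy = 0, True
        else:
            t.missed += 1
            if t.missed >= self.retries:
                t.healthy = False
        return t.healthy

    def active(self) -> list[str]:
        return [n for n, t in self.tools.items() if t.healthy]

    def select(self, flow: Flow) -> str | None:
        """Rendezvous (highest-random-weight) hashing: a flow goes to the active
        tool with the highest score, so when one tool fails only the flows that
        were on it move; every other flow keeps its tool and its session state."""
        active = self.active()
        if not active:
            return None   # all tools down: the bypass decides open/closed
        key = canonical_flow_key(flow)
        return max(active, key=lambda n: _score(key, n))

    def distribute(self, flows: list[Flow]) -> Counter:
        """How many flows land on each tool under the current health state."""
        return Counter(self.select(f) for f in flows)


def sample_flows(n: int = 200) -> list[Flow]:
    """Constructed client-to-server TCP flows using RFC 5737 documentation ranges."""
    return [(f"10.0.{i // 250}.{i % 250 + 1}", f"203.0.113.{i % 7 + 1}",
             40000 + i, 443, "tcp") for i in range(n)]


if __name__ == "__main__":
    group = PortGroup(["ips1", "ips2", "ips3", "ips4", "ips5"])  # four needed, one spare
    flows = sample_flows()
    print("normal:   ", sorted(group.distribute(flows).items()))
    for _ in range(3):
        group.heartbeat("ips3", False)      # three missed probes take ips3 out
    print("ips3 down:", sorted(group.distribute(flows).items()))
```

Two practitioner points the example encodes: the hash key is direction-independent, because an inline IPS that sees only one side of a TCP connection cannot reassemble the stream; and the selection uses rendezvous hashing rather than a plain modulo, because with modulo every flow is rehashed when the tool count changes, which resets state on the surviving tools as well as the failed one.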
(Figure: inline security tool farm fed by redundant bypass switches and network packet brokers in HA, with firewalls, switches and servers on the data path and out-of-band sandboxing and a threat intelligence gateway attached)
This use case has the following benefits:
• It deploys survivability to decrease risk and increase network security.
• Inline deployments of NPBs using load balancing can create an n+1 survivability option.
• N+1 is a more cost-effective solution than HA but still delivers high reliability.
Figure 5. Inline security solution with n+1 survivability (diagram: in normal operation the network packet broker spreads 40 GE of tool traffic as 8 GE to each of five tools; in the tool failure situation the failed tool carries 0 GE and each of the four surviving tools carries 10 GE)
Use case category #3 – Reduce malware infiltration risk
A fundamental use case of an inline security solution is to reduce malware infiltration.
Two inline techniques help thwart this type of security threat.
Threat intelligence gateway
Even with firewalls, IPS tools, and a wide array of security tools in place, businesses
still miss clues and suffer major breaches every day. Why? Because the sheer volume
of alerts generated places a huge load on the security team and the infrastructure itself.
This translates into wasted time and money as well as an increased risk of falling victim
to an attack.
A 2016 Ponemon Institute report states that security teams at large enterprises waste
more than 20,000 hours per year chasing false-positive alerts. By eliminating even 30%
of unwanted traffic, threat intelligence could save companies more than 7,000 hours per
year, or the equivalent of 150 weeks in professional time. This can mean a savings of
$300,000 per year, for a return on investment (ROI) of 15 times or more.
By pre-filtering known bad IP addresses and traffic from untrusted geographies, you
can stop that traffic from ever reaching inline security tools like an IPS. Blocking large
volumes of traffic based on IP address, location, and observed bad behavior enhances
your security architecture performance and reduces your team’s “alert fatigue.”
Automatic system updates eliminate the need for manual updates of known bad IP
addresses. This saves hours of configuration time over a firewall approach.
This use case has the following benefits:
• Significant reduction (up to 30%) in false positives.
• ROI of up to 15x.
• It blocks outbound communication from infected internal systems.
Figure 6. Inline security solution with a threat intelligence gateway
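The pre-filtering described in this use case, as an added example: a small threat-intelligence gateway that drops inbound traffic from known-bad prefixes or blocked regions, drops outbound connections from internal hosts to known-bad destinations, and measures how much traffic the downstream IPS no longer has to inspect. This is illustrative code, not ThreatARMOR or any Ixia feed format; the prefixes, the geolocation table, the region code "XX" and the sample flows are constructed from RFC 5737 documentation addresses.

```python
"""Threat-intelligence pre-filter in front of an IPS (illustrative, not vendor code)."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed threat feed: known-bad prefixes (documentation ranges stand in
# for a real reputation list).
BAD_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.64/26")]

# Constructed, toy geolocation table and policy; a real gateway uses a GeoIP
# database. "XX" is a hypothetical region code this policy refuses.
GEO_TABLE = {ipaddress.ip_network("192.0.2.0/24"): "XX"}
BLOCKED_GEOS = {"XX"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    direction: str   # "in" = internet to us, "out" = us to internet


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def geo_of(ip: str) -> str | None:
    addr = ipaddress.ip_address(ip)
    for net, code in GEO_TABLE.items():
        if addr in net:
            return code
    return None


def classify(flow: Flow) -> tuple[str, str]:
    """Return ("block", reason) or ("pass", "to-ips").
    Inbound flows are judged by their source; outbound flows by their
    destination, which catches infected internal hosts calling out to C2."""
    external = flow.src if flow.direction == "in" else flow.dst
    if in_any(external, BAD_PREFIXES):
        return "block", "known-bad-ip"
    if geo_of(external) in BLOCKED_GEOS:
        return "block", "blocked-geo"
    return "pass", "to-ips"


def prefilter(flows):
    """Apply the gateway to every flow; return the verdicts, a count per
    reason, and the percentage of flows the IPS no longer has to inspect."""
    verdicts = [(f, *classify(f)) for f in flows]
    reasons = Counter(r for _, _, r in verdicts)
    blocked = sum(1 for _, v, _ in verdicts if v == "block")
    reduction_pct = round(100 * blocked / len(flows), 1) if flows else 0.0
    return verdicts, reasons, reduction_pct


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "10.0.0.5", "in"),     # scanner from a known-bad /24
    Flow("192.0.2.44", "10.0.0.5", "in"),       # source in a blocked region
    Flow("203.0.113.10", "10.0.0.5", "in"),     # ordinary inbound client
    Flow("10.0.0.9", "203.0.113.77", "out"),    # internal host calling a known-bad C2
    Flow("10.0.0.9", "203.0.113.10", "out"),    # ordinary outbound connection
    Flow("172.16.0.3", "10.0.0.5", "in"),       # nothing known about it: to the IPS
]

if __name__ == "__main__":
    verdicts, reasons, pct = prefilter(SAMPLE_FLOWS)
    for f, v, r in verdicts:
        print(f"{f.direction:>3} {f.src:>15} -> {f.dst:<15} {v:5} {r}")
    print(dict(reasons), f"IPS load reduced by {pct}%")
```

The feed is the weak point of this design: a stale or poisoned entry blocks legitimate traffic with no alert to explain it, so a gateway should log every block with the feed entry that caused it and, if the feed update fails, keep enforcing the last good list rather than either dropping everything or silently passing it.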
SSL decryption
Unfortunately, we live in an age where the stakes are high for both individuals and
organizations that fall victim to data theft. It is for good reason that the use of SSL/TLS
encryption has soared (and continues to soar) in popularity. According to Fortinet,
72% of all internet traffic uses encryption.
SSL/TLS encryption is a powerful weapon in the battle for data security, but its greatest
strength is also its greatest weakness. Encryption protects important or confidential
data, but it hides malicious content just as well. Cybercriminals take advantage of
encryption to camouflage malware and other undesirable traffic so that they can sneak
into and around company networks undetected.
Since many network tools cannot inspect encrypted data, you must decrypt that data so
those tools can inspect it. TLS 1.3 is a particular challenge: it removes the RSA key
exchange and mandates forward-secret (ephemeral Diffie-Hellman) key agreement, so
passive decryption with a copy of the server’s private key no longer works and the
decryption point must act as an active inline proxy that terminates one session and
opens another.
(Figure 6 diagram: www, firewall, switch and servers on the data path; a bypass switch feeding a network packet broker, with a threat intelligence gateway and the security tools attached)
Direct tangible threats such as malicious code can hide in SSL-encrypted traffic,
disguised by the encryption process. Malware that uses encrypted channels is often
part of an advanced, sustained attack on an organization. One example is the Zeus
botnet, which used SSL communications to upgrade itself.
Some network monitoring tools (firewalls, IPS, NGFWs) come with SSL decryption
capabilities too. This is not an ideal solution, however. As with firewalls, enabling
SSL decryption on these tools can impact performance. Furthermore, requiring each
tool to decrypt its own data is inefficient. It means multiple siloed tools performing
the same decryption process on the same set of data. This is a waste of resources.
Why have several appliances repeating the same task when one tool could decrypt
the data and push it out to all of them?
An NPB makes decryption easier when routing data to security appliances. There
are two fundamental use cases. The first involves the use of a special-purpose
decryption tool. The second is where the NPB performs the decryption. A third use
case involves every tool decrypting and then re-encrypting the data as it passes
downstream. However, most security engineers disregard this approach because of
the delays and exorbitant costs involved.
Here are the first two use cases:
Appliance-based SSL decryption
An NPB can pass encrypted traffic to an SSL decryption appliance. This solution offers
complete visibility and control of encrypted traffic without requiring the re-architecture of
your network infrastructure. You can add policy-based SSL inspection and management
capabilities to your network security architecture to remove encrypted traffic blind spots.
The solution is straightforward. Incoming encrypted data goes to the decryption
appliance. The data returns to the NPB, which forwards the data on to security
appliances for threat analysis. Data that passes inspection comes back to the NPB,
which then forwards the data on to the decryption device for re-encryption. The re-encrypted
data passes back to the NPB, which then sends it on to the bypass switch
for insertion back into the network.
This use case has the following benefits:
• NPBs allow for distribution of encrypted data to decryption devices and then the distribution of the now-unencrypted data to various tools, such as NGFW, IPS, and DLP.
• It exposes hidden threats by using an NPB to efficiently distribute data to active decryption technology appliances such as A10 and Blue Coat.
• It alleviates the decryption load on individual security appliances (IPS, DLP, NGFW) that would have needed to decrypt the data, making those devices faster and more efficient.
Figure 7. Inline security solution with an external appliance for decryption
Inline SSL decryption using an NPB with integrated decryption
Most enterprise applications are now encrypted using the SSL standard, and its updated
version TLS, to thwart security attacks and hackers. Unfortunately, bad actors also use
encryption to obfuscate their activities. In fact, as of 2019, more than 70% of network
attacks hide within SSL-encrypted traffic.
Integrated decryption capabilities can provide an easy and cost-effective way to
examine suspect data. With an integrated decryption approach, the data decryption
happens at the NPB, and then the NPB forwards the data straight to special-purpose
tools. Offloading SSL decryption functions from a firewall, IPS, or WAF to an NPB
reduces the CPU load on those appliances by 45% or more.[1]
At the same time, the NPB has no impact on application performance. Sending data
to an external decryption device introduces multiple intervals of delay: sending data to
the decryption device, waiting for decrypted data to be sent back, sending data to be
re-encrypted after inspection by an inline security tool, and receiving encrypted data to
send to the network. This delay is all on top of any decryption or encryption time within
the decryption device.
For example, this capability can decrypt Simple Mail Transfer Protocol traffic and hand
it off to an antiviral tool for virus and malware inspection. Other decrypted data can be
sent to a DLP device for deep packet inspection. This does not require resources on a
firewall or other device.
Performing SSL decryption with a network packet broker provides the following benefits:
• Reduces load on security tools by up to 45%.
• Integrated SSL / TLS decryption reduces architectural and operational complexity.
• Not sending data to an additional device reduces data decryption time.
[Figure: encrypted traffic passes from the firewall and bypass switch to the network packet broker, which performs SSL decrypt and feeds the IPS and other tools before the switch and servers]
Figure 8. Inline security solution with decryption integrated into the Ixia NPB
Use case category #4 – Minimize complexity to control security solution costs and reduce wasted IT time
Network and security complexity continue to grow. IT departments do not always realize
that their choice of a security solution contributes to this. The proper inline security
solution can help. Serial tool chaining allows for the automation of data flows. This
minimizes the amount of human intervention needed.
Serial tool chaining
As mentioned earlier, tool chaining is a powerful solution for automating the movement
of data packets in security monitoring solutions. It can partition out suspect data
and pass that data through additional security inspections. The NPB enables this
functionality. Suspect data is passed back and forth between an NPB and multiple
security tools (such as IDS, DLP, SSL, WAF, and NGFW). Security tool chaining can
deliver the interoperability needed to make network security protection mechanisms
truly successful.
Security and monitoring tools are typically linked together to control the flow of data
through selected services. Depending on the situation, the data inspection can happen
in parallel or in serial. To achieve the proper flow of data, you can assign one or more
tools to a port or port group on the NPB. Multiple port groups are chained together.
A well-designed NPB can support complex service chaining with many tool groups in
parallel, serial, or a combination of both.
For example, data can pass to the NPB from the bypass switch. You can filter encrypted
data based on Hypertext Transfer Protocol Secure (HTTPS) and send it to a decryption
device. Once the decrypted data returns to the NPB from the SSL decryptor, it can
move to an IPS for inspection. To minimize latency, packets without anomalies move
along quickly. A common example is the use of an IPS solution to filter out suspicious
traffic for further analysis by other tools in the daisy chain. Traffic without exception goes
back through the network quickly to support the fastest possible response time. Data
flagged for additional inspection moves from the NPB to another port group that might
contain a DLP or some other device for further analysis. Based upon that analysis, the
data is deleted, deemed nonthreatening and passed on to the network, or held for
further analysis or quarantine.
Using network packet brokers to power serial tool chaining provides the following benefits:
• Inline packet brokers enable easier serial tool chaining.
• Serial tool chaining enables deeper inspection/analysis of traffic.
• Preset NPB tool chains ensure that actions occur in the proper sequence.
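The chain just described, as an added simulation that is not Ixia code: a small packet-broker model with three constructed port groups (decrypt-inspect, inspect, deep) and stand-in SSL decryptor, IPS and DLP tools whose detection rules are simple payload markers; all names, markers and rules are assumptions.

```python
"""Simulated NPB serial tool chain (added example; not Ixia code).

Traffic arrives from the bypass switch; the NPB filters HTTPS (TCP/443) into a
port group holding the SSL decryptor and the IPS; clean packets return to the
network quickly; packets the IPS flags go on to a second port group holding a
DLP device, where they are passed, dropped, or quarantined.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

class Verdict(Enum):
    PASS = "pass"              # nonthreatening: forward to the network
    FLAG = "flag"              # suspect: hand to the next port group
    DROP = "drop"              # delete the data
    QUARANTINE = "quarantine"  # hold for further analysis

@dataclass
class Packet:
    dst_port: int
    payload: bytes
    encrypted: bool = True
    trail: List[str] = field(default_factory=list)  # tools that inspected it

Tool = Callable[[Packet], Verdict]

def ssl_decrypt(pkt: Packet) -> Verdict:
    """Stand-in decryptor: exposes clear text to the tools behind it."""
    pkt.encrypted = False
    return Verdict.PASS

def ips(pkt: Packet) -> Verdict:
    """Stand-in IPS: a known-bad marker is dropped, a suspicious one flagged."""
    if pkt.encrypted:
        return Verdict.FLAG  # cannot inspect ciphertext; escalate instead
    if b"EXPLOIT" in pkt.payload:
        return Verdict.DROP
    if b"SUSPECT" in pkt.payload:
        return Verdict.FLAG
    return Verdict.PASS

def dlp(pkt: Packet) -> Verdict:
    """Stand-in DLP: quarantines packets carrying a sensitive-data marker."""
    return Verdict.QUARANTINE if b"SSN=" in pkt.payload else Verdict.PASS

@dataclass
class PortGroup:
    name: str
    tools: List[Tool]
    on_flag: Optional[str] = None  # port group that receives flagged packets

class PacketBroker:
    """Routes a packet through chained port groups and returns the verdict."""
    def __init__(self, groups: List[PortGroup]) -> None:
        self.groups: Dict[str, PortGroup] = {g.name: g for g in groups}

    def entry_group(self, pkt: Packet) -> str:
        # Ingress filter on the NPB: HTTPS goes through decryption first.
        return "decrypt-inspect" if pkt.dst_port == 443 else "inspect"

    def process(self, pkt: Packet) -> Verdict:
        group: Optional[PortGroup] = self.groups[self.entry_group(pkt)]
        while group is not None:
            next_group: Optional[PortGroup] = None
            for tool in group.tools:
                pkt.trail.append(tool.__name__)
                verdict = tool(pkt)
                if verdict in (Verdict.DROP, Verdict.QUARANTINE):
                    return verdict
                if verdict is Verdict.FLAG:
                    if group.on_flag is None:
                        return Verdict.QUARANTINE  # nowhere left to escalate
                    next_group = self.groups[group.on_flag]
                    break
            group = next_group
        return Verdict.PASS  # every tool in the chain passed it

def build_broker() -> PacketBroker:
    """The chain from the text: decrypt -> IPS -> (if flagged) DLP port group."""
    return PacketBroker([
        PortGroup("decrypt-inspect", [ssl_decrypt, ips], on_flag="deep"),
        PortGroup("inspect", [ips], on_flag="deep"),
        PortGroup("deep", [dlp]),
    ])

def inspect(npb: PacketBroker, dst_port: int, payload: bytes,
            encrypted: bool = True) -> Tuple[Verdict, List[str]]:
    """Run one constructed packet through the chain; return verdict and trail."""
    pkt = Packet(dst_port, payload, encrypted)
    return npb.process(pkt), pkt.trail

if __name__ == "__main__":
    npb = build_broker()
    for port, data in [(443, b"GET /"), (443, b"SUSPECT SSN=123-45-6789"),
                       (443, b"EXPLOIT"), (80, b"plain")]:
        print(port, data, inspect(npb, port, data, encrypted=(port == 443)))
```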
[Figure: firewall, switch, servers and bypass switch; incoming traffic enters the network packet broker and is chained through SSL decrypt, IPS and other tools]
Figure 9. Inline security solution using serial tool chaining
Use case category #5 – Deploy advanced security countermeasures
Inline security appliances such as bypass switches and NPBs are enablers for other
technology. This technology includes tool failover, implementation of threat hunting
solutions, or diversion of suspicious traffic to a honey pot.
Negative heartbeat technology
Typical heartbeat checking monitors the health of attached inline monitoring devices by
transmitting small heartbeat packets at regular intervals out of the bypass or NPB ports
that connect to a security tool, like an IPS. Under normal operation, the IPS passes the
packet back to the transmitting device.
An alternative use case is to send heartbeat messages to devices that should not return
an acknowledgment. One example is a firewall. If a firewall receives a message that
it does not understand, normal operation is to discard it. The firewall should not
send an acknowledgment. Therefore, if a bypass switch sends heartbeat messages to
a firewall, those messages should be ignored. If an acknowledgment occurs, this can
be an indicator that the firewall is either malfunctioning or has been compromised.
The negative heartbeat technology use case has the following benefits:
• Negative heartbeat messages can point out that firewalls are not working correctly.
• No active participation by the security engineer is necessary, as the bypass switch is set up to periodically “ping” the firewall(s).
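The positive and negative heartbeat checks above, as an added simulation that is not Ixia code. Device behaviours, the heartbeat frame marker, the miss threshold and the fail-open/fail-closed choice are all constructed assumptions.

```python
"""Bypass-switch heartbeat monitor with positive and negative modes
(added example; not Ixia code).

Positive mode: a heartbeat frame sent out one port of an inline segment must
come back on the other port; after a run of missed heartbeats the segment
fails open (bypass) or fails closed (blocked), as the operator selected.
Negative mode: the frame goes to a firewall that should discard it; any echo
is latched as an indicator of compromise (IOC).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional

HEARTBEAT = b"\xaa\x55HEARTBEAT"  # constructed marker frame

class Mode(Enum):
    POSITIVE = "expect_echo"     # IPS, WAF: a healthy tool echoes the frame
    NEGATIVE = "expect_silence"  # firewall: a healthy device drops the frame

class State(Enum):
    INLINE = "inline"
    BYPASS = "bypass"    # fail-open: traffic shunted around the tool
    BLOCKED = "blocked"  # fail-closed: link held down
    IOC = "ioc"          # a negative heartbeat was answered

@dataclass
class Segment:
    name: str
    device: Callable[[bytes], Optional[bytes]]  # what comes back, or None
    mode: Mode = Mode.POSITIVE
    fail_state: State = State.BYPASS            # fail-open by default
    miss_threshold: int = 3
    misses: int = 0
    state: State = State.INLINE
    events: List[str] = field(default_factory=list)

def run_heartbeat(seg: Segment) -> State:
    """Send one heartbeat on the segment and update its state."""
    echoed = seg.device(HEARTBEAT) == HEARTBEAT
    if seg.mode is Mode.POSITIVE:
        if echoed:
            if seg.state is not State.INLINE:
                seg.events.append(f"{seg.name}: tool healthy again, back inline")
            seg.misses, seg.state = 0, State.INLINE
        else:
            seg.misses += 1
            if seg.misses >= seg.miss_threshold and seg.state is State.INLINE:
                seg.state = seg.fail_state
                seg.events.append(f"{seg.name}: {seg.misses} heartbeats missed, "
                                  f"switching to {seg.state.value}")
    elif echoed and seg.state is not State.IOC:
        # NEGATIVE mode: silence is healthy; an answer is the anomaly (latched).
        seg.state = State.IOC
        seg.events.append(f"{seg.name}: firewall acknowledged a negative "
                          "heartbeat, potential IOC")
    return seg.state

def simulate(seg: Segment, cycles: int) -> List[State]:
    """Run a number of heartbeat intervals; return the state after each one."""
    return [run_heartbeat(seg) for _ in range(cycles)]

# --- constructed device behaviours ------------------------------------------
def healthy_tool(frame: bytes) -> Optional[bytes]:
    return frame  # an IPS passes the frame straight through

class FlakyTool:
    """Echoes heartbeats, goes silent for `outage` cycles, then recovers."""
    def __init__(self, fail_after: int, outage: int) -> None:
        self.calls, self.fail_after, self.outage = 0, fail_after, outage
    def __call__(self, frame: bytes) -> Optional[bytes]:
        self.calls += 1
        down = self.fail_after < self.calls <= self.fail_after + self.outage
        return None if down else frame

def healthy_firewall(frame: bytes) -> Optional[bytes]:
    return None  # unknown frame: discarded silently

def chatty_firewall(frame: bytes) -> Optional[bytes]:
    return frame  # misbehaving or compromised: reflects the frame back

if __name__ == "__main__":
    ips_seg = Segment("ips-segment", FlakyTool(fail_after=2, outage=4))
    fw_seg = Segment("fw-segment", chatty_firewall, mode=Mode.NEGATIVE)
    for seg in (ips_seg, fw_seg):
        print(seg.name, [s.value for s in simulate(seg, 8)])
        print("\n".join(seg.events))
```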
[Figure: bypass-to-NPB heartbeat, NPB-to-tool heartbeats for Tool #1, Tool #2 and other tools, and a negative (one way) heartbeat from the bypass switch to the firewall; if acknowledged, there is a potential IOC]
Figure 10. Inline security solution illustrating Ixia bypass and negative NPB heartbeat technology
Threat hunting solutions
While security threats in general are a consistent concern for IT departments, the
specific types of security threats change over time. For instance, according to the
WatchGuard Internet Security Report - Q1 2019, cyber attackers use a wide range
of security attacks including malware, network attacks, and web application attacks
(specifically, XSS and SQLi).
Since security threats are changing, this means that you also need to modify or augment
your security tactics. One increasingly popular strategy is to actively hunt for threats on your
network. Passive security practices are not adequate anymore. It is critical to be proactive
to stop a breach, as the threats themselves have become much more sophisticated and
challenging to detect. Threat hunting solutions are both inline and out-of-band, so you will
need to decide which type of solution fits your requirements.
If you choose to implement an inline threat hunting solution, the first thing you will need
is a visibility architecture. By constructing a visibility architecture (with the bypass switch
and inline NPB), you will have access to all the data you need. The NPB allows you to
set up criteria to filter out all unnecessary data so that a threat hunting tool can inspect
traffic to quickly and efficiently hunt through the data for indicators of compromise (IOC).
While some people don’t think they need a packet broker, it will take you a lot longer to
find threats without one. There is also a greater chance of missing threats.
This use case has the following benefits:
• It captures the right type of data and sends it to a threat hunting solution for further analysis.
• It allows deployment of a threat hunting solution as soon as data enters the network, to detect and stop incoming security threats.
[Figure: firewall, bypass switch and network packet broker; inspected traffic is forwarded to a threat hunting appliance]
Figure 11. Inline security solution illustrating an inline threat hunting solution
Honeypots
While professional security organizations and agencies may actively try to lure hackers
to their honeypots, most enterprise and service providers hope that they never find
anything in their honeypots. However, in the event of a network intrusion, you want to
be able to steer a hacker away from the real network and over to an inline decoy area
for containment and observation.
Once suspicious activity is detected, the data is either deleted or redirected to another
device, such as a honeypot, for analysis. The use of honeypots can also take the burden
away from your IPS and decrease the number of false positives and negatives for
security threats.
This use case has the following benefits:
• It diverts suspect traffic to a honeypot for further analysis.
• Reductions in IPS false negatives and positives are possible by deploying a honeypot to lure potential attackers to the wrong area of the network.
[Figure: incoming traffic passes the bypass switch and network packet broker to SSL decrypt, IPS and honeypot, with inter-tool communication to a SIEM]
Figure 12. Illustration of an inline security solution with a honeypot
Solution Benefits
The Ixia inline security solution has many different benefits, depending on the use
case(s) deployed. The solution delivers the following benefits:
• increased network availability / MTBF because of an external bypass
• reduced risk due to enhanced security
• reduced security tool costs due to n+1 availability
• increased efficiency by intelligent filtering of known bad traffic at the front of the security validation process — avoids redundant inspection by equipment and security engineers
• reduced complexity with an all-in-one solution
• robust decryption support including TLS 1.3
• improved data inspection techniques with serial tool chaining
The actual solution benefits depend upon the different use cases implemented.
Ixia Solution Summary
Ixia security solutions help enable more secure, more reliable and cost-effective inline
security tool deployments. The products are simple to use and manage — they offer
enhanced network survivability, encryption capability, and component redundancy for
your solutions. The solution forms a self-healing architecture featuring bypass switches
and network packet brokers that do not drop packets (unlike other industry NPBs).
Multiple levels of component redundancy and fail-over scenarios are supported to
thwart most of the attacks that bad actors can deploy.
While no security solution guarantees 100% complete elimination of security threats, this
inline security solution delivers protection aligned with industry best practices at a highly
cost-effective price.
The Ixia solution includes the following components:
• iBypass switches
• Vision Series of inline NPBs
• SecureStack SSL decryption
• ThreatARMOR threat intelligence gateway
iBypass switches
Ixia has an extensive array of external bypass switches. All external bypasses deliver
complete independence from a security tool or packet broker failure. The bypass
switches support active-standby as well as active-active network/security architectures.
These switches support a market-leading GUI that aids rapid deployment of
complex topologies that are not possible with other vendors’ bypass switches. Also,
Ixia bypasses support central management configuration using the Ixia Fabric Controller
Centralized Manager (IFC). IFC is the industry’s only centralized bypass management
tool. It simplifies and speeds up the configuration and management of tens to hundreds
of devices.
Ixia offers six different bypass switches:
• iBypass 100 G: an intelligent bypass switch designed for a single appliance running at speeds up to 100 Gbps.
• iBypass 40 G: an intelligent bypass switch designed for a single appliance running at speeds up to 40 Gbps.
• iBypass 3 Copper: a very high-density, 12-segment, 10 Gbps intelligent bypass switch.
• iBypass VHD: the highest port density of any bypass switch on the market; it protects up to 12 network links, or 12 security devices, running at 10 Gbps in a compact, 1U rack mount form factor.
• iBypass HD: an 8-segment 10/100/1000 Mbps high-density intelligent bypass switch in a compact, 1U rack mount form factor.
• iBypass DUO: supports two security bypass switches with two separate management interface ports for redundancy.
Why Ixia bypass switches?
The Ixia solution offers the following advantages:
• flexible heartbeat technology with anti-tromboning
• external architecture avoids outages when tools are rebooted for patches or updates, unlike approaches using internal bypass switching
• fast failover optical bypass functions – 10-30 milliseconds
• extensive failover options – user-selected fail-open or fail-closed
• highest density bypass on the market
• support for negative heartbeats that provide an indicator of compromise for firewalls
Vision series of inline NPBs
Ixia visibility solutions provide real-time, end-to-end visibility, insight, and security.
Solutions cover physical, virtual, SDN, and NFV based networks. You now have
the control, coverage, and performance to seamlessly protect and improve crucial
networking, data center, and cloud business assets.
Ixia NPBs lead the industry in delivering intelligent, sophisticated and programmable
network traffic visibility. This optimizes visibility into security data and enables IT
teams to quickly resolve application performance bottlenecks, troubleshoot
problems, improve data center automation, better utilize expensive network analysis
and security tools, and improve business execution through a better
understanding of network and data center traffic.
The Vision Series of network packet brokers for inline security helps ensure continuous
security monitoring with fast failover and the ability to upgrade security tools without
downtime. They inspect live traffic for malware and attacks without risk to network
availability. To manage your network packet brokers and bypass switches, Ixia’s Fabric
Controller (IFC) delivers resilient and extremely easy to use visibility management
through a single pane of glass.
The following are Ixia’s portfolio of NPBs available for inline security architectures:
• Vision ONE: a 1 RU rack mount chassis that supports a maximum of sixty-four 10 G ports or four 40 G ports; it supports simultaneous inline and out-of-band monitoring.
• Vision X (future support for inline): a 3 RU rack mount chassis that supports up to 60 multispeed ports ranging from 10 to 100 G; each chassis processes up to 2 Tbps of data through dedicated FPGA hardware. It will support simultaneous inline and out-of-band monitoring.
• Vision E40: a 1 RU rack mount chassis that supports a maximum of 48 ports of 1/10 GE or 6 ports of 40 GE; it supports using both inline and out-of-band monitoring modes simultaneously.
• Vision E100: a 1 RU chassis that supports a maximum of 32 ports of 40/100 GE, or 128 ports of 10/25 GE, or a maximum of 64 ports of 50 GE. It supports using both inline and out-of-band monitoring modes simultaneously.
Why Ixia network packet brokers?
Here are some reasons to consider Ixia for your network:
• Advanced hardware architecture including high performance FPGA acceleration avoids dropped packets – even with filters and features enabled – an area software-based solutions struggle with.
• Active-active high availability – cost effective approach avoids the need to pay for largely unused redundant hardware. Active-Standby HA for NPBs is a less efficient approach which carries the risk of data loss and does not protect against tool outages.
• Non-blocking architecture – other NPB manufacturers have a blocking architecture that requires a feature compatibility matrix to show you what features can be used simultaneously.
• Extensive portfolio - Ixia offers a wide portfolio of NPBs with scalable port density options to optimize the cost of an NPB purchase.
• True load balancing - Ixia load balancing for security tools delivers an even split across ports. Other NPB manufacturer solutions can split unevenly, delivering unpredictable performance.
• Serial chaining - Ixia helps you maximize traffic inspection by offering the ability to serially chain multiple security tools together to ensure proper analysis of suspect data.
• Self-healing failover - Ixia NPBs support heartbeat messaging so they can automatically detect whether any of the security tools are in a failure state and dynamically adjust to the situation with a self-healing architecture.
• Intuitive GUI - the Ixia GUI makes filter programming, a difficult, error-prone process when using RegEx/CLI, easier and faster with less chance of human error.
SecureStack SSL / TLS decryption
Ixia’s SecureStack active SSL / TLS decryption capability enables organizations to see
inside traffic encrypted not only with traditional cryptographic approaches but also
with ephemeral key exchange, including TLS 1.3. The inline decryption functionality is
available in certain Ixia NPBs, including Vision ONE. Vision X will support the feature
in the near future.
With Ixia’s active SSL solution, you can:
• decrypt data once and scale your monitoring infrastructure
• offload SSL decryption to optimize security and monitoring tool performance
• deploy inline, out-of-band (OOB), and simultaneous inline and OOB configurations for ultimate flexibility
• create visibility into both outbound and inbound traffic to inspect downloads and detect server attacks
Active SSL is available via a high-performance application module for the Vision ONE
network packet broker. This product has the following key features:
• Dedicated cryptographic processor for the best possible throughput.
• Throughput options include 1 G, 2 G, 4 G, or 10 G; licensing per module.
• Product upgrades available through the licensing module.
• Built-in policy management, URL categorization, and real-time insight through reporting.
• Includes support for all leading ciphers including TLS 1.3.
• 150,000 maximum concurrent sessions.
What Makes Ixia SSL / TLS Decryption Better Than the Competition?
The following list highlights the SecureStack product differentiators:
• SecureStack is an integrated solution within the NPB which means there is less set up and programming complexity; it is not a separate product that requires configuration and administration.
• SSL decryption is an integrated solution (within the NPB) which means there is less delay than running the decryption / re-encryption functions through an external device.
• SecureStack supports forward and reverse proxy scenarios in a single module which reduces costs and complexity. Other NPB manufacturers require separate modules for each scenario.
• Using an integrated, but separate, piece of hardware means the Ixia solution can handle up to 10 Gbps of SSL decryption with zero impact on the packet broker’s ability to function at line rate. Many other network packet brokers suffer architectural limitations such that decryption does impact performance.
• SecureStack licensing is implemented in software for speeds of 1 Gbps, 2 Gbps, 4 Gbps, and 10 Gbps. This allows you to right size the solution for your needs and upgrade as required without a lift and shift box change or adding more modules.
• The host categorization library is completely located on the blade which means that no internet connection is required and delivers superior survivability compared to other decryption solutions on the market.
ThreatARMOR threat intelligence gateway
Ixia’s ThreatARMOR solution detects infected systems to thwart outbound connections
with botnets, phishing scams, and malware exploits. It blocks connections from known
malicious IP addresses and untrusted geographies while preventing phishing replies and
botnet connections. ThreatARMOR also helps reduce “alert fatigue” by stemming the
flood of alerts from SIEMs and security tools.
This appliance operates in three different modes: reporting, blocking, or fail-safe
bypass operation. Two models are available:
• ThreatARMOR 1 G: a threat intelligence appliance with four 1 GE copper Ethernet ports.
• ThreatARMOR 10 G: a threat intelligence appliance with four 10 GE SR fiber Ethernet ports.
What Makes Ixia Threat Intelligence Gateways Better Than the Competition?
Here are some reasons to consider using ThreatARMOR in your network:
• ThreatARMOR offers flexibility for use with blacklisting or whitelisting security architectures.
• The intelligence gateway blocks incoming and outgoing traffic to known bad IP addresses.
• Exclusions can be made by specific IP address or by country for ultimate flexibility.
• The product uses the Ixia ATI threat intelligence feed for updates every five minutes.
• It provides an intuitive, on-screen dashboard displaying blocked sites, countries of origin, and statistics.
• ThreatARMOR features easy 30-minute setup, with no ongoing tuning or maintenance required.
• It provides full line-rate performance.
Putting It All Together – The Ixia Visibility Architecture
A properly designed visibility architecture with inline bypass switches and NPBs can
capture network data associated with a breach and direct that data to specific security
tools for analysis, such as an IPS or DLP.
Figure 13 illustrates how an organization would deploy the Ixia inline security solution.
Here are the four most important use cases.
1. ThreatARMOR intelligence gateways eliminate as much of the incoming malware as possible.
2. iBypass switches bolster network reliability to maximize business continuity.
3. Vision ONE NPBs provide aggregation and load balancing to maximize tool survivability at the lowest cost.
4. Integrated SSL decryption (SecureStack) makes decryption as simple as possible, reducing complexity.
[Figure: network traffic passes through the firewall, a bypass switch (iBypass), a network packet broker (Vision ONE) with integrated SSL decrypt (SecureStack), a threat intelligence gateway (ThreatARMOR), an IPS, a WAF and other tools, then on to the switch and servers. Callouts: screen incoming and outgoing traffic; analyze data for security threats; increase network survivability; increase component survivability; inspect encrypted traffic]
Figure 13. Ixia’s inline security solution
Deployment configurations
This section demonstrates common deployments where we explore before and after
scenarios illustrating the difference Ixia can make for SecOp teams.
Scenario 1: Inline vs External Bypass
The first example illustrates how and why an external bypass switch is superior to an
internal bypass. While an internal bypass might seem at first to be an elegant solution,
integration results in a lower (worse) MTBF.
Second, while the internal bypass can continue to work while the security appliance
is being patched or updated, if the appliance is going to be removed from the data
center, the internal bypass goes with it, creating network downtime and disruption. In
contrast, a separate external bypass simply shunts to bypass, sending traffic around the
missing tool.
[Figure: without Ixia security, an IPS with an internal bypass that is removed from service leaves a network failure, because the internal bypass is useless when the tool is removed; with Ixia security, the external bypass fail-over feature keeps traffic flowing when the tool is removed from service]
Figure 14. Comparison of an inline bypass to an external bypass when removing a tool
Scenario 2 – How an NPB Improves Inline Security
A second common consideration is whether to deploy an inline NPB or not. In Figure 15,
it may appear simple enough to add a bypass switch and security appliance. However,
it is much more complicated. Incoming data has to run a latency inducing gauntlet of
security appliances before it can finally make it into the network and be delivered where
it needs to go. In addition, what happens if you do not need every tool to inspect every
piece of data? What if multiple tools conflict on the safety of specific data — basically
one tool says it is suspicious and another says that it is safe. What if every tool needs
decrypted data? This scenario can get quite complicated.
Deploying a network packet broker reduces the number of bypasses and other
equipment needed. There is less complexity and simpler configuration required due
to fewer devices. There is also the option for additional capability (filtering, integrated
decryption, and tool chaining) by using an NPB.
[Figure: without Ixia security, traffic passes through a separate bypass switch for each of the WAF, IPS, SSL decrypt and other tool; with Ixia security, a single bypass switch feeds a network packet broker that carries the data path to all security tools]
Figure 15. Comparison of inline security with and without an NPB
Scenario 3: How Load Balancing Creates n+1 Survivability
This scenario illustrates the value of n+1 survivability for security tools. Without an
NPB, a tool failure causes a loss in processing capacity and functionality becomes
degraded until the missing tool is operational again. Individual load balancers are
an alternative, but these can cause a potential single point of failure when inserted
into the network and they require synchronization with the tools. With an NPB, load
balancing is an integrated feature. Should a tool fail, the processing load distributes
across the remaining tools. When the failed tool is operational again, the load is
automatically rebalanced across all the tools to form a self-healing architecture.
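The n+1 behaviour described here, as an added simulation that is not Ixia code; it reproduces the numbers in Figure 16 and generalises to flows of unequal rates. Flow tuples, rates, tool names and the least-loaded, flow-sticky assignment policy are assumptions.

```python
"""Flow-sticky load balancer with n+1 survivability (added example; not
Ixia code). Reproduces Figure 16: 40 GE of traffic spread across five tools
at 8 GE each; when one tool fails its flows move to the survivors, which then
carry 10 GE each; when it returns, the load is rebalanced to 8 GE each.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, int]  # (src, dst, sport, dport); constructed

@dataclass
class Tool:
    name: str
    up: bool = True
    flows: Dict[Flow, int] = field(default_factory=dict)  # flow -> Mbps

    @property
    def load_mbps(self) -> int:
        return sum(self.flows.values())

class LoadBalancer:
    def __init__(self, tools: List[Tool]) -> None:
        self.tools = {t.name: t for t in tools}
        self.table: Dict[Flow, str] = {}  # flow -> tool currently handling it

    def _active(self) -> List[Tool]:
        return [t for t in self.tools.values() if t.up]

    def _least_loaded(self) -> Tool:
        return min(self._active(), key=lambda t: (t.load_mbps, t.name))

    def assign(self, flow: Flow, rate_mbps: int) -> str:
        """Sticky: a known flow stays on its tool; a new flow goes to the lightest."""
        if flow in self.table:
            return self.table[flow]
        tool = self._least_loaded()
        tool.flows[flow] = rate_mbps
        self.table[flow] = tool.name
        return tool.name

    def tool_failed(self, name: str) -> None:
        """Heartbeat lost: move only the failed tool's flows onto the survivors."""
        tool = self.tools[name]
        tool.up = False
        orphaned = dict(tool.flows)
        tool.flows.clear()
        for flow, rate in orphaned.items():
            del self.table[flow]
            self.assign(flow, rate)

    def tool_recovered(self, name: str) -> None:
        """Heartbeat back: bring the tool in and rebalance (self-healing)."""
        self.tools[name].up = True
        self.rebalance()

    def rebalance(self) -> int:
        """Move flows from the heaviest to the lightest active tool while that
        narrows the gap (rate < gap); returns the number of flows moved."""
        moved = 0
        while True:
            active = self._active()
            heavy = max(active, key=lambda t: (t.load_mbps, t.name))
            light = min(active, key=lambda t: (t.load_mbps, t.name))
            gap = heavy.load_mbps - light.load_mbps
            flow = next((f for f, r in heavy.flows.items() if r < gap), None)
            if flow is None:
                return moved
            light.flows[flow] = heavy.flows.pop(flow)
            self.table[flow] = light.name
            moved += 1

    def loads_mbps(self) -> Dict[str, int]:
        return {n: t.load_mbps for n, t in self.tools.items()}

def figure16_scenario() -> Tuple[Dict[str, int], Dict[str, int], Dict[str, int]]:
    """40 GE ingress modelled as 4000 constructed 10 Mbps flows over five tools."""
    lb = LoadBalancer([Tool(f"ips-{i}") for i in range(1, 6)])
    for i in range(4000):
        lb.assign((f"10.0.0.{i % 250}", "203.0.113.7", 40000 + i, 443), 10)
    before = lb.loads_mbps()        # 8000 Mbps on each tool
    lb.tool_failed("ips-3")
    during = lb.loads_mbps()        # 10000 Mbps on each survivor, 0 on ips-3
    lb.tool_recovered("ips-3")
    after = lb.loads_mbps()         # back to 8000 Mbps each
    return before, during, after

if __name__ == "__main__":
    for label, loads in zip(("before", "during", "after"), figure16_scenario()):
        print(label, loads)
```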
[Figure: tool failure problem: 40 GE of traffic into a network packet broker, split 8 GE to each of five tools, with the failed tool carrying 0 GE. Tool failure correction: the same 40 GE split 10 GE to each of the four remaining tools]
Figure 16. Self-healing architecture adjusts to tool failure situation with n+1 survivability
Scenario 4: Deployment of Active SSL Decryption
Decryption is another important scenario. Without active SSL/TLS decryption,
inline security appliances (like an IPS, WAF, or UTM) cannot inspect encrypted traffic.
Integrated decryption capabilities allow Ixia NPBs to decrypt traffic, send it to security
appliances for inspection, then re-encrypt and return that traffic to the network for
delivery. The solution is quick, simple, and easy.
[Figure: without Ixia security, the IPS receives encrypted traffic it cannot understand; with Ixia security, Vision ONE with Active SSL sends clear text to the IPS]
Figure 17. Decrypt and inspect traffic with an in-line monitoring tool
Scenario 5: Stop Malware Before It Ever Enters Your Network
Another important scenario is the deployment of a threat intelligence gateway. Threat
intelligence gateways, such as Ixia’s ThreatARMOR, provide an additional layer of
defense, further enhancing any defense in depth strategy. ThreatARMOR reduces the
load on your existing security infrastructure by providing front line filtering of traffic
from known bad IP addresses and known bad geographies, stopping volumes of
malicious traffic before it ever has a chance to impact your tools or compromise your
network. ThreatARMOR can block up to 80% of malicious traffic, including ransomware
and botnets. This increases the productivity of your security appliances (and staff) by
reducing the number of alerts that require investigation. It also reduces the impact of
alert fatigue.
If your network is already infected, ThreatARMOR can stop outgoing traffic to known
bad IP addresses, preventing the exfiltration of data from your network.
[Figure: without Ixia security, the security tools behind the bypass switch and network packet broker process more threats, which generates more alerts and consumes more time and effort. With Ixia security, ThreatARMOR in front of the bypass switch reduces workload and positive threats by 80% or more before incoming traffic reaches the security tools, so the tools generate fewer positive and false positive alerts and consume less time and effort]
Figure 18. Make network security simpler by immediately removing known bad traffic
Scenario 6: Improve Security Data Inspection with Tool Chaining
This scenario shows the value of security tool chaining. If the NPB does not have the
ability to perform sequential tool chaining, then only one tool inspects traffic. After that,
the traffic passes back to the bypass switch and returns to the network. Unfortunately,
even the best security tools don’t detect 100% of malicious traffic. In some cases, you
have to run traffic through an IPS, a WAF, a UTM, SSL decryption, or other appliance
before you detect a threat. An NPB that supports serial chaining makes it easy to pass
all or certain types of traffic through multiple security appliance inspections. This saves
time and money, and it may well prevent a data breach.
Figure 19. Maximize data inspection with tool chaining. (Figure: left panel, without Ixia security, shows the path www, firewall, switch, bypass switch, network packet broker, security tools, servers, where suspect data is sent to one individual tool for analysis. Right panel, with Ixia security, shows the network packet broker sending suspect data along a data path through Tool #1, Tool #2 and Tool #3, one after another, for extensive analysis.)
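The front-line filtering of Scenario 5 and the serial chaining of Scenario 6, as an added Python model that is not Ixia's code: a blocklist stage drops known bad sources before any tool sees them, and the remaining traffic is steered through an ordered per-protocol chain, so a payload the first tool misses can still be caught by the next. The tool names, detection signatures, addresses and sample traffic are constructed placeholders.

```python
# Added example, not Ixia code: models a front-line IP blocklist stage
# (ThreatARMOR-style) feeding a serial tool chain inside an NPB.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Packet:
    src: str      # source IP
    proto: str    # "http", "tls", "dns", ...
    payload: str

# Constructed placeholder blocklist (RFC 5737 documentation addresses).
KNOWN_BAD_IPS = {"198.51.100.7", "203.0.113.9"}
def ips_tool(p: Packet) -> bool:      # True means "malicious, drop it"
    return "exploit-sig" in p.payload

def waf_tool(p: Packet) -> bool:
    return p.proto == "http" and "' OR 1=1" in p.payload

# Chain policy: which tools inspect which traffic type, and in what order.
CHAINS = {"http": [("IPS", ips_tool), ("WAF", waf_tool)],
          "*": [("IPS", ips_tool)]}

def inline_path(p: Packet, chained: bool = True) -> Tuple[str, List[str]]:
    """Return (verdict, tools_consulted) for one packet."""
    if p.src in KNOWN_BAD_IPS:
        return "blocked:threat-intel", []   # never reaches the tools
    chain = CHAINS.get(p.proto, CHAINS["*"])
    if not chained:
        chain = chain[:1]                   # NPB without chaining: one tool only
    consulted = []
    for name, tool in chain:
        consulted.append(name)
        if tool(p):
            return f"dropped:{name}", consulted
    return "forwarded", consulted

def run_traffic(packets: List[Packet], chained: bool = True) -> Dict[str, int]:
    """Tally verdicts; 'reached_tools' counts packets the tools had to inspect."""
    tally: Dict[str, int] = {"reached_tools": 0}
    for p in packets:
        verdict, consulted = inline_path(p, chained)
        tally[verdict] = tally.get(verdict, 0) + 1
        tally["reached_tools"] += 1 if consulted else 0
    return tally

# Constructed sample traffic: two blocklisted sources, one SQLi over HTTP, one clean.
SAMPLE = [Packet("198.51.100.7", "http", "GET /"), Packet("203.0.113.9", "dns", "q"),
          Packet("192.0.2.10", "http", "id=1' OR 1=1"), Packet("192.0.2.11", "tls", "hi")]
```

Running `run_traffic(SAMPLE, chained=False)` lets the SQL injection through because only the IPS inspects HTTP, while `chained=True` drops it at the WAF; in both runs the two blocklisted packets never consume tool capacity.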
Conclusion
Ixia can help you enhance your inline security deployments. The iBypass switch provides
a scalable, fail-safe way to eliminate concerns about security appliance failure. This is a
fundamental concern for security teams, who cannot afford for the security solution to
cause an outage. The heartbeat messaging feature of these devices is among the
best in class in the market.
Adding Ixia NPBs between iBypass switches and security tools enables some powerful
options, including cost-effective redundancy using an n+1 approach, serial tool
chaining for rigorous data inspection, and data decryption built into the NPB. These
solutions also help reduce latency.
The addition of Ixia’s ThreatARMOR allows security architects to reduce SIEM alerts by
80% or more. This has a ripple effect throughout the inline security architecture, as it
reduces the amount of time spent analyzing those potential security threats. An ROI
of 15x or more is possible with this solution.
Combining the Ixia inline security solution set with classic Ixia NPB features, such as the
dynamic filter engine, intuitive GUI, and FPGA hardware acceleration, creates a unique
and powerful value proposition for customers. In addition, tests conducted by the
Tolly Group [11] show that even under load with features and filters turned on, Ixia packet
brokers perform as expected and, unlike many other NPBs, don’t drop packets.
Appendix A – Citations
[1] “Global Deception Technology Market 2017-2021.” Technavio. Last modified June 2017. https://www.technavio.com/report/global-it-security-global-deception-technology-market.
[2] McGillicuddy, Shamus. “On-Demand Webinar: Next-Generation Network Packet Brokers: Defining the Future of Network Visibility Fabrics.” Enterprise Management Associates. Accessed September 12, 2019. http://info.enterprisemanagement.com/next-gen-network-packet-brokers-webinar-ws.
[3] Ixia conducted research.
[4] “2016 Cost of Data Center Outages.” Ponemon Institute. Last modified January 19, 2016. https://www.ponemon.org/blog/2016-cost-of-data-center-outages.
[5] “2016 Cost of Data Center Outages.” Ponemon Institute. Last modified January 19, 2016. https://www.ponemon.org/blog/2016-cost-of-data-center-outages.
This information is subject to change without notice. © Keysight Technologies, 2019-2020, Published in USA, January 7, 2020, 7119-1217.EN
[6] “Quarterly Threat Landscape Report.” Fortinet. Last modified March 2018. https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-report-q3-2018.pdf.
[7] “Cisco Encrypted Traffic Analytics.” Cisco. Last modified July 2019. https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf.
[8] Kerravala, Zeus. “Simplified Programming of a Visibility Layer Can Have a Big Impact on Application Performance.” ZK Research. November 2016. https://www.ixiacom.com/zh/resources/simplified-programming-visibility-layer-can-have-big-impact-application-performance.
[9] Kerravala, Zeus. “Simplified Programming of a Visibility Layer Can Have a Big Impact on Application Performance.” ZK Research. November 2016. https://www.ixiacom.com/zh/resources/simplified-programming-visibility-layer-can-have-big-impact-application-performance.
[10] “Internet Security Report - Q1 2019.” WatchGuard. Last modified June 24, 2019. https://www.watchguard.com/wgrd-resource-center/security-report-q1-2019.
[11] The Tolly Group. “Ixia Net Tool Optimizer (NTO) 5288.” Ixia Network Security Application Performance. Last modified January 19, 2016. https://support.ixiacom.com/info/tolly-report/downloads/216100IxiaNetworkToolOptimizerPerformance.pdf.