Prepare for the Inevitable: A Best Practice Guide to Network Recording

© 2013 Emulex Corporation

Network Recording Best PracticeFail-safe Network and Security Event Analysis

Sri Sundaralingam – VP Product Management

2 Emulex Confidential - © 2013 Emulex Corporation

Introducing Endace Products

A division of Emulex

World leader in packet capture and network recording

10+ year history selling network visibility to top-tier customers

– Govt, HFT, telco and enterprise

Global reputation for accuracy, scalability and performance


Investments in Network Health: 4 Categories

1. Prevention

2. Detection

Detect things that may be bad and were missed by prevention tools; generate alerts

Sit in the network and stop known bad things from happening

3. Response

4. Root cause

Help engineers respond to any kind of network-related problem fast

Enable engineers to understand exactly what happened and why

3

4

2

1

NPMAPMSIEM

FirewallWan Ops

NGF


Standard Corporate Investment Profile

1. Prevention

2. Detection 3. Response

4. Root cause

70%

0%

5%

25%

2

1

3

4

Characteristics• High alert & False

+ive rate• Sample driven• Broad view, low

granularity• Statistical analysis

Characteristics• Signature based• Optimize for known• Static

Issues• Hard to isolate

problems• Long/indefinite TTR• Tools deployed

after event• Intermittent problems

Issues• Low bandwidth• Incomplete data• High price / low value


70%

25%

Impact of Investment ‘Imbalance’

0%

5%

Backlog of events in NOC and SOC

Slow time-to-resolution on issues

Delayed response to events

High incidence of zombie tickets

No ability to contain real problems

Real risk of unplanned downtime


Intelligent Network Recording

60%

10%

10%

20%

Improve operational productivity

Improve confidence levels

Reduce operational costs

Ensures effective containment

Reduce time-to-value on new IT

Reduces risk of downtime


Who Values Accurate Network History?

Network operations teams rely on network history for troubleshooting

Network planning teams rely on accurate historical data for trending

Network security teams need history for breach containment and forensics

Compliance, legal and risk teams need history as evidentiary proof


What’s Important in Network Recording?

Accuracy of recording

Write-to-disk speed

Storage capacity and flexibility

Richness of indexing

Effectiveness of workflow

Platform flexibility


EndaceProbe™ INR Appliances

Next generation sniffer

100% accurate traffic recording– Real 10 Gbps performance

Up to 64 TB of local storage– Extensible via sledding or SAN

Full flow-based traffic indexing– Including application classification

Open and flexible– Endace Application dock– Programmable RESTful API


Total Datacenter Visibility


DetectionToolsDDoS IDS NPM

Core routers and switches (connectivity)

Firewalls (prevention)

Cor

e ne

twor

k in

fras

truc

ture

EndaceProbe Intelligent Network Recorders

Data Center Network Visibility Stack

APM

Network Packet Brokers (aggregation)

SIM NMS


Traffic Search and Retrieval - EndaceVision™

Web-based collaborative traffic search engine

More than 20 indexed flow parameters– Includes application classification

Rapid network-wide search

Elegant investigation workflow

Fast access to raw packets as required

Local protocol decoding

Integrated collaboration tools


Streamlining Workflow

Workflow start with an event detected by 3rd party tool

Analysts pivot between 3rd party dashboard and EndaceVision

RESTful API integration further streamlines workflow


Network Retention Best Practice

Where to record – Data center: aggregation links – DMZ: web and application

gateways

What to record– Full packet contents vs. headers– Full NetFlow records / metadata– Control plane vs. data plane

How long to retain– 3 days complete history– 30+ days select history


Business Benefits

Reduces time-to-resolution on events– Reduces impact and costs associated with

unplanned network downtime

Improves overall network performance and application delivery

– Treating causes not symptoms

Increases analyst productivity– Reduces opex burden– Allows team to scale for the future

Closes a potential compliance loop hole

Reduces overall capital exposure– One solution for netops and secops


Conclusions

Network recording is essential for mission critical network environments where downtime costs real money

Testing the fidelity of recording and the ease of search / retrieval before you invest is key

Streamlining the investigation workflow for NetOps and SecOps users generates real measurable business value

Dedicated, open recording infrastructure is more valuable and trustworthy than recording as a feature of another solution.


Thank you.

[email protected]

Prepare for the Inevitable: A Best Practice Guide to Network Recording

Technology

Transcript of Prepare for the Inevitable: A Best Practice Guide to Network Recording