What's new in Performance Vision version 2.18
Transcript of What's new in Performance Vision version 2.18
© SecurActive 2013
WHAT’S NEW IN VERSION 2.18?
PERFORMANCE VISION VERSION 2.18
Applications
HTTP improvements & TLS support
Protocols: Stack, Netflow & Skinny
Flexibility, Usability & Performance
Performance Vision 2.18
NEW APPLICATION DEFINITION
Applications
APPLICATION DEFINITION
Manage your application definitions:
With the internal editor (SPV Internal Editor)
With your favorite tool (any CSV-capable software)
Both import and export are supported.
NEW APPLICATION LIST
The application list has two tabs: Application Definition and Application Rules.
Create your own custom applications with the new editor:
First step: create your application
Second step: define your application rules
APPLICATION RULES: CRITERIA
Each rule is built from the following criteria (criterion: description; example):
Priority: higher values have the highest priority; 0 (default), -100 or 1000
IP Protocol: the IP protocol; TCP, UDP, IPv6, ICMP…
Server Port: single value or range; 0 or 8080-8090
Protocol Stack: list of the protocols composing the flow; IPv4/*/DNS
Pattern: web pattern for URL matching; *.mycompany.com/intranet
Client IP: IP or subnet; 192.168.80.0/24 or 192.168.80.1
Server IP: IP or subnet; 192.168.80.0/24 or 192.168.80.1
Poller: poller that receives the traffic; SPV (localhost)
Device: port on which the traffic comes in; eth1
Netflow Source: IP or subnet of the Netflow device; 127.69.12.99
Client Zone: name of the selected zone; Internal Clients Sales
Server Zone: name of the selected zone; Servers Database
Vlan: single value or range; 15 or 100-200
Ethernet Protocol: Ethernet protocol (EtherType); IPv4 (0x800), IPv6 (0x86DD)…
Client Side MAC: MAC address; 12:34:56:78:9A:BC
Server Side MAC: MAC address; 12:34:56:78:9A:BC
APPLICATION RULES: COMBINATION
An application is defined by the scope of all its associated rules.
Rules are combined with an OR operator: a flow belongs to the application as soon as it matches Rule 1 OR Rule 2 OR any other rule of that application (the criteria inside one rule must all hold).
APPLICATION CONFIGURATION
Compared to 2.15, the configuration menu is simpler in 2.18:
Web Applications are directly integrated into the application rules
The Dynamic Protocols page is no longer needed thanks to auto-discovery
CHECK APPLICATION RULES CONFIGURATION
From the application rules configuration page you can:
Review the full rules list
Test which rules a given flow matches
IMPROVE PERFORMANCE BY DELETING UNUSED APPLICATIONS
Need to speed things up? Every defined application costs classification time.
Check for unused applications
Review and delete the unused applications
CREATE NEW APPLICATIONS FROM NON CLASSIFIED TRAFFIC
One-click application creation:
Use the filters to isolate non-classified traffic
Select a flow and create an application with its properties in one click
Performance Vision 2.18
HTTP IMPROVEMENTS & TLS SUPPORT
DECODE HTTPS TRAFFIC
Install the servers' private keys on the probe
The probe then decodes HTTPS (TLS) traffic to those servers
Check the constraints: User Guide > Configuration > TLS Decryption
TLS HANDSHAKE & SSL PROTOCOL NEGOTIATION
TCP handshake first:
Client -> Server: SYN ("I would like to start a conversation with you")
Server -> Client: SYN ACK ("Sure, it would be a pleasure!")
Client -> Server: ACK
Then the TLS negotiation:
Client -> Server: Client Hello ("I request a secure connection, here is my list of preferred cipher suites")
Server -> Client: Server Hello ("Ok, among these, here is what we will use to discuss")
Server -> Client: Certificate ("This is my identity (digital certificate)")
Server -> Client: Server Hello Done ("So far, I have nothing more to say")
Client -> Server: Client Key Exchange ("Here is a pre-master secret encrypted using your public key")
Client -> Server: Change Cipher Spec ("I'm switching to secure mode, all future communication should be done that way")
Client -> Server: Finished ("I'm done with TLS negotiation, do you understand me?")
Server -> Client: Change Cipher Spec ("I'm switching to secure mode too, all future communication should be done that way")
Server -> Client: Finished ("I'm done with TLS negotiation, do you understand me?")
Client <-> Server: Encrypted Data
The cipher suite list offered by the client must be compatible with what the server supports.
NOTIFICATION ON INVALID KEYS
If a key is malformed, a notification is sent:
Displayed in the notification area
Accessible through the Event Log
A key can be valid but not suited to the traffic, or the traffic can be using a protocol the key cannot decrypt. In practice this is the cipher suite: the probe recovers the pre-master secret only when it is sent encrypted with the server's public key (RSA key exchange); with DHE or ECDHE suites the private key is useless and nothing is decoded, without any key error.
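An added check for the "valid key but nothing decoded" case described above (example code written for this page, not SecurActive's decoder): parse a captured ServerHello, extract the negotiated cipher suite and decide whether a server RSA private key can decrypt the session. The sample records are built by build_server_hello() and the cipher suite table is a small subset of the IANA registry; both are assumptions for the example.

```python
"""Added example, not SecurActive code: check from a captured ServerHello
whether the server's RSA private key can decrypt the session.  Passive
decryption with a server key only works when the negotiated cipher suite
uses RSA key exchange (the client sends the pre-master secret encrypted
with the server's public key).  With DHE/ECDHE suites, and always with
TLS 1.3, the key is valid but decodes nothing.  Sample records are built
here with build_server_hello(); the suite table is a small subset of the
IANA registry."""
import os
import struct

CIPHER_SUITES = {  # id: (name, key exchange)
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


def build_server_hello(cipher_suite, version=0x0303):
    """Minimal TLS record (type 0x16) carrying a ServerHello (type 0x02):
    version, 32-byte random, empty session id, cipher suite, null compression."""
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"
            + struct.pack("!H", cipher_suite) + b"\x00")
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def parse_server_hello(record):
    """Walk record header -> handshake header -> ServerHello body, with length checks."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != 0x02:
        raise ValueError("not a ServerHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) < 38:                         # 2 + 32 + 1 + 2 + 1 minimum
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[0:2])[0]
    offset = 35 + body[34]                     # skip random and session id
    if len(body) < offset + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", body[offset:offset + 2])[0]
    return {"version": VERSIONS.get(version, "0x%04x" % version), "cipher_suite": suite}


def key_exchange(record):
    """Return (suite name, key exchange, decryptable with the server private key)."""
    info = parse_server_hello(record)
    name, kx = CIPHER_SUITES.get(info["cipher_suite"],
                                 ("unknown suite 0x%04x" % info["cipher_suite"], "unknown"))
    return name, kx, kx == "RSA"


if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x1301):
        print(key_exchange(build_server_hello(suite)))
```

Run it against the ServerHello of a real capture before installing a key: a server that prefers ECDHE suites has to be reconfigured to offer an RSA key exchange suite to the probe's clients, or the traffic stays opaque whatever key is installed.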
HTTP PERFORMANCE: TOP URL
Displays the top URLs
Best used together with a filter on a host
TOP URL AGGREGATES URLS WITHOUT QUERY STRINGS
Full transaction URLs -> Top URL (count):
/service/soap/SearchRequest?ID=256789&Query=Azerty
/service/soap/SearchRequest?ID=256789&Query=Qwerty
/service/soap/SearchRequest?ID=012345&Query=Azerty
/service/soap/SearchRequest?ID=987654&Query=Azerty
/service/soap/SearchRequest?ID=256789&Query=Poiuyt
-> /service/soap/SearchRequest (5)
/service/soap/DoSearch?Ax76h=0564
/service/soap/DoSearch
-> /service/soap/DoSearch (2)
Displays the top URLs without their query strings: URLs are differentiated only up to the ? character.
IMPROVED HTTP INSPECT PAGE
The HTTP Inspect page has been updated:
More information
Better design
REMOVED THE DEPRECATED WEB BROWSING
The deprecated Web module of 2.15 has been removed in 2.18
Conversations are now in HTTP Performance
Reports are migrated automatically
HTTP HITS ANALYSIS
Adds URL parsing on all HTTP traffic
Standard history length with degradation rules
HTTP PERFORMANCE LEVELS
No HTTP: HTTP traffic appears in Applications & Network conversations; no data in HTTP Performance
Hits: adds URL parsing on all HTTP traffic; standard history length with degradation rules
Pages: adds page-level analysis on selected traffic; 48 hours history maximum; stores HTTP requests when the "Save HTTP content" option (Store Content) is enabled
HTTPS: adds HTTPS analysis on traffic for which appropriate keys are provided
HTTP PERFORMANCE IMPACT
Check the impact of HTTP Hits:
Go to the Workload database
Validate the license limits
Enable / disable HTTP Hits
Reduce the scope of HTTP Pages
(Figure: impact of each level, No HTTP, Hits, Pages and HTTPS, on database, CPU, RAM and disk.)
LINK TO CONFIGURATION FOR HTTP PAGES ACTIVATION
A warning is displayed with a direct link to configuration if HTTP Pages is not activated
Applies to HTTP Performance > Pages
Performance Vision 2.18
PROTOCOLS: STACK, NETFLOW & SKINNY
PROTOCOL STACK
A New Depth in Analysis!
PROTOCOL STACK
Example of a stack: Ethernet / IPv4 (tunnel) / IPv6 / TCP / HTTP
Identifies the different protocol layers of a flow
Makes all sorts of tunnels visible
Detects protocols automatically, even when they run on non-standard ports
PROTOCOL STACK
Protocol Stack data is available in:
Flow Detail screens
Raw Data screens
Applications
Network
PROTOCOL STACK FILTER
A new Protocol Stack filter is available on most screens:
Separate protocol layers with the / character
Autocomplete list
Simple wildcard syntax
Advanced regex filtering (prefix the expression with ~)
Examples:
*IP*/UDP/DNS
*IP*/*/DNS
~.*IPv4/(TCP|UDP)$
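An added worked example covering both the application rules above (priority, OR combination of rules, IP/subnet and port-range criteria) and the Protocol Stack filter syntax just listed. This is example code written for this page, not SecurActive's classifier; the flows, rules and the exact semantics (a criterion left empty is a wildcard, * in a stack pattern spans layer separators, ~ switches to a regex, highest priority wins with ties going to the first rule) are assumptions made here.

```python
"""Added example, not SecurActive code: how application rules (priority,
OR combination of rules, CIDR and port-range criteria) and the Protocol
Stack filter syntax from the slides can be evaluated over flow records.
Assumed semantics: a criterion left as None is a wildcard; in a stack
pattern '*' matches any text including '/', and a leading '~' switches
to a regular expression; among applications whose rules match, the
highest priority wins and ties go to the first rule defined."""
import fnmatch
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


def stack_filter(pattern: str) -> Callable[[str], bool]:
    """Compile a Protocol Stack filter such as '*IP*/UDP/DNS' or
    '~.*IPv4/(TCP|UDP)$' into a predicate over 'layer/layer/...' strings."""
    if pattern.startswith("~"):
        rx = re.compile(pattern[1:])                 # advanced regex, unanchored
        return lambda stack: rx.search(stack) is not None
    rx = re.compile(fnmatch.translate(pattern))      # simple wildcards, whole-stack match
    return lambda stack: rx.match(stack) is not None


def in_range(value: int, bounds: Tuple[int, int]) -> bool:
    return bounds[0] <= value <= bounds[1]


def in_subnet(ip: str, net: str) -> bool:
    """A bare address such as 192.168.80.1 is treated as a /32 (or /128) network."""
    addr = ipaddress.ip_address(ip)
    network = ipaddress.ip_network(net, strict=False)
    return addr.version == network.version and addr in network


@dataclass
class Rule:
    app: str
    priority: int = 0                                # higher value wins
    ip_proto: Optional[str] = None                   # e.g. "TCP", "UDP", "GRE"
    server_port: Optional[Tuple[int, int]] = None    # inclusive range
    stack: Optional[str] = None                      # Protocol Stack pattern
    client_net: Optional[str] = None                 # IP or subnet
    server_net: Optional[str] = None
    vlan: Optional[Tuple[int, int]] = None

    def matches(self, flow: dict) -> bool:
        """Every criterion that is set must hold (criteria are ANDed inside a rule)."""
        if self.ip_proto is not None and flow["ip_proto"] != self.ip_proto:
            return False
        if self.server_port and not in_range(flow["server_port"], self.server_port):
            return False
        if self.vlan and not in_range(flow["vlan"], self.vlan):
            return False
        if self.stack and not stack_filter(self.stack)(flow["stack"]):
            return False
        for net, key in ((self.client_net, "client_ip"), (self.server_net, "server_ip")):
            if net and not in_subnet(flow[key], net):
                return False
        return True


def classify(flow: dict, rules) -> str:
    """Rules of one application are ORed: any matching rule claims the flow.
    Across applications the highest priority wins (max keeps the first on ties)."""
    hits = [r for r in rules if r.matches(flow)]
    if not hits:
        return "Non classified"
    return max(hits, key=lambda r: r.priority).app


RULES = [  # constructed rule set
    Rule("Internal DNS", stack="*IP*/*/DNS", client_net="192.168.80.0/24"),
    Rule("Intranet", priority=10, ip_proto="TCP", server_port=(8080, 8090), server_net="10.0.0.0/24"),
    Rule("Intranet", priority=10, ip_proto="TCP", server_port=(443, 443), server_net="10.0.0.0/24"),
    Rule("Web (any port)", stack="~HTTP$"),
    Rule("Sales subnet", priority=-100, client_net="192.168.80.0/24"),
]

FLOWS = {  # constructed sample flows, not captured traffic
    "dns": dict(stack="Ethernet/IPv4/UDP/DNS", ip_proto="UDP", server_port=53,
                client_ip="192.168.80.10", server_ip="10.0.0.53", vlan=15),
    "intranet": dict(stack="Ethernet/IPv4/TCP/HTTP", ip_proto="TCP", server_port=8085,
                     client_ip="192.168.80.20", server_ip="10.0.0.80", vlan=15),
    "tunnelled": dict(stack="Ethernet/IPv4/GRE/IPv6/TCP/HTTP", ip_proto="GRE", server_port=80,
                      client_ip="192.168.1.5", server_ip="2001:db8::1", vlan=100),
    "unknown": dict(stack="Ethernet/IPv4/TCP", ip_proto="TCP", server_port=4444,
                    client_ip="192.168.80.30", server_ip="10.0.0.99", vlan=15),
    "other": dict(stack="Ethernet/IPv4/TCP/Telnet", ip_proto="TCP", server_port=23,
                  client_ip="172.16.0.9", server_ip="10.0.0.23", vlan=15),
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(name, "->", classify(flow, RULES))
```

The two "Intranet" rules show the OR combination (port 8080-8090 or 443 on the server subnet), the catch-all "Sales subnet" rule at priority -100 only wins when nothing more specific matches, and the tunnelled flow is classified from its innermost HTTP layer through the regex stack pattern.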
LIST OF PROTOCOLS IN PROTOCOL STACK
Port Independent Protocol Identification: protocols identified independently of the port number used (non-exhaustive list):
ARP, BGP, BitTorrent, CIFS, Citrix, DNS, DNS/TCP, ERSPAN, Ethernet, FTP, Gnutella, GRE, HTTP, ICMP, ICMPv6, IMAP, IPv4, IPv6, IRC, Jabber, MGCP, MySQL, Netbios, NTP, PCanywhere, POP, PostgreSQL, RDP, RTCP, RTP, SDP, SIP, Skinny, SSLv2, TCP, Telnet, TLS, TNS, UDP, VNC
NETFLOW V5 SUPPORT
Support of Netflow v5
Integrated in the Performance Vision workflow
The Device ID displays the switch ports the flow went through, In -> Out
NETFLOW FILTERING
A new filter is available
Use 0.0.0.0/0 to see all Netflow traffic
NETFLOW V5 CONFIGURATION
Set up your devices to send Netflow traffic to the IP address of any Performance Vision collector or poller.
Configure the update frequency of the Netflow devices: you must configure all your Netflow emitters to expire flows after not more than 2 minutes, otherwise a single export record spans several of the probe's 2-minute intervals.
(Figure: Netflow devices exporting either to the central collector or to the remote pollers.)
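An added example for the two points above, the In -> Out port pair and the 2-minute expiry requirement (example code written for this page, not SecurActive's collector): parse a Netflow v5 export packet, build the interface pair from the input/output ifIndex fields and flag records whose active time exceeds 2 minutes, which is what you see when an emitter's active timeout has not been lowered. The packet bytes are constructed by build_packet(); the field layout is the public Netflow v5 format (24-byte header, 48-byte records, First/Last in milliseconds of device uptime).

```python
"""Added example, not SecurActive code: parse a NetFlow v5 export packet,
derive the switch interface pair (In -> Out, the ifIndex values behind the
Device ID shown above) and check each flow's active time against the
2-minute expiry the probe requires from every NetFlow emitter.  The packet
is constructed with build_packet(); the layout is the public NetFlow v5
format: 24-byte header, 48-byte records, times in ms of device uptime."""
import socket
import struct

# version, count, sysuptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
HEADER = struct.Struct("!HHIIIIBBH")
# src, dst, nexthop, input, output, dPkts, dOctets, First, Last, srcport, dstport,
# pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_ACTIVE_MS = 2 * 60 * 1000            # emitters must expire flows within 2 minutes


def build_packet(flows, sysuptime=600_000, unix_secs=1_359_644_400, sequence=1):
    """Serialize constructed flow dicts as one NetFlow v5 datagram."""
    header = HEADER.pack(5, len(flows), sysuptime, unix_secs, 0, sequence, 0, 0, 0)
    records = b"".join(
        RECORD.pack(socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0" * 4,
                    f["in"], f["out"], f["pkts"], f["octets"], f["first"], f["last"],
                    f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"], 0,
                    0, 0, 0, 0, 0)
        for f in flows)
    return header + records


def parse_packet(data):
    """Return one dict per flow record; reject anything that is not NetFlow v5."""
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(data)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(data) < HEADER.size + count * RECORD.size:
        raise ValueError("header announces %d records, packet is truncated" % count)
    flows = []
    for i in range(count):
        (src, dst, _nexthop, ifin, ifout, pkts, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = \
            RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        active_ms = last - first
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "sport": sport, "dport": dport, "tcp_flags": tcp_flags,
            "pkts": pkts, "octets": octets,
            "device_id": "%d -> %d" % (ifin, ifout),     # In -> Out interface indexes
            "active_ms": active_ms,
            "active_timeout_ok": active_ms <= MAX_ACTIVE_MS,
        })
    return flows


def emitters_to_fix(flows):
    """Flows active longer than 2 minutes mean the exporter's active timeout
    is longer than the probe's 2-minute buckets; return the offending ones."""
    return [f for f in flows if not f["active_timeout_ok"]]


SAMPLE_FLOWS = [  # constructed, not captured
    {"src": "192.168.80.10", "dst": "10.0.0.53", "in": 3, "out": 7, "pkts": 2, "octets": 180,
     "first": 500_000, "last": 500_200, "sport": 51234, "dport": 53, "proto": 17},
    {"src": "192.168.80.20", "dst": "10.0.0.80", "in": 3, "out": 9, "pkts": 1200,
     "octets": 960_000, "first": 100_000, "last": 400_000, "sport": 40001, "dport": 8085,
     "proto": 6, "tcp_flags": 0x18},
]

if __name__ == "__main__":
    parsed = parse_packet(build_packet(SAMPLE_FLOWS))
    for f in parsed:
        print(f["device_id"], f["src"], "->", f["dst"], "active %d ms" % f["active_ms"],
              "OK" if f["active_timeout_ok"] else "EXPIRY TOO LONG")
```

The second sample record was active for 300 s inside one export, so the emitter that produced it still uses its default active timeout and needs the 2-minute setting from the slide.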
VOIP: SKINNY SUPPORT (BETA)
Support of Cisco's Skinny Client Control Protocol (SCCP), in beta
In 2.18 the VoIP module covers SIP, MGCP and Skinny
Performance Vision 2.18
FLEXIBILITY, USABILITY & PERFORMANCE
NPS WORKS IN DISTRIBUTED MODE
(Figure: one NPS collector with several NPP pollers.)
NPS works in distributed mode, with support of NPP pollers.
Network metrics only.
AN APS COLLECTOR SUPPORTS NPP POLLER(S)
(Figure: one APS collector with several APP pollers and one NPP poller.)
If absolutely required, this kind of configuration will work.
You will only get network metrics from the NPP poller.
A NPS COLLECTOR DOES NOT SUPPORT APP POLLER(S)
(Figure: one NPS collector with several NPP pollers and one APP poller.)
This kind of configuration, mixing an APP poller with a NPS collector, will not work.
MORE FREEDOM WITH ENTERPRISE LICENSE AGREEMENT (ELA)
Buy a stock of credits and turn credits into licenses:
Virtual APP (Poller): 1 credit
Virtual APS Express: 1 credit
Virtual APS 100k flows: 3 credits
Virtual APS Unlimited Flows: 5 credits
Benefits:
Full flexibility
Economics based on the volume of credits
(Figure: credit volumes of 15, 20, 30, 50, 75 and 100.)
RAW DATA FOR IN-DEPTH ANALYSIS
Flow Detail: Grouped by 2 minutes
Raw Data: No grouping
Display database data without any grouping
Useful for in-depth troubleshooting
Application behavior auditing
NEXT LEVEL CUSTOM FILTERS
Build fully customized filters for in-depth data mining.
Examples:
app='sql-intranet' and srt > 200ms
bandw >= 10MiB and 0win > 100
begin > 100 and ct.count = 0
app='video_live' and diffserv != 20
(ip=10.10.*.* or ip.srv=10.20.30.*) and os.clt='linux'
zone in 'Headquarters' and port.srv > 1024 and begin > 10000
(proto=udp and port.srv=53) and zone in '/Private/DNS'
For more information: User Guide > Appendix > Custom Filters
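An added example of how such a filter language can be evaluated, written for this page and not taken from Performance Vision: a tokenizer, a recursive-descent parser and an evaluator run over constructed flow records with the seven expressions above. The grammar, the unit suffixes, the meaning of a field without a side suffix (ip, zone match either the client or the server side), of the in operator (zone path containment) and of the record fields are all inferred from the examples and are assumptions.

```python
"""Added example, not SecurActive code: a small evaluator for the custom
filter expressions shown above, run over constructed flow records.
The grammar is inferred from the examples only and is an assumption:
  expr := term ('or' term)* ; term := factor ('and' factor)*
  factor := '(' expr ')' | field op value ; op in = != > >= < <= in
Values: 'quoted strings', numbers with an optional unit (200ms, 10MiB),
bare words (udp) or IP wildcards (10.10.*.*).  A field without a side
suffix (ip, zone) matches either the client (.clt) or server (.srv) side;
'in' tests that a zone path lies under the given zone.  Durations are
kept in seconds and sizes in bytes in the records."""
import fnmatch
import re

TOKEN = re.compile(r"""\s*(?:
      (?P<lp>\()|(?P<rp>\))
    | (?P<op>>=|<=|!=|=|>|<)
    | (?P<str>'[^']*')
    | (?P<word>[A-Za-z_][\w.]*|[\d.*]+[A-Za-z]*)
)""", re.X)
NUMBER = re.compile(r"^(\d+(?:\.\d+)?)([A-Za-z]*)$")
UNITS = {"": 1, "ms": 1e-3, "s": 1, "KiB": 2**10, "MiB": 2**20, "GiB": 2**30,
         "KB": 1e3, "MB": 1e6, "GB": 1e9}


def tokenize(text):
    pos, out, text = 0, [], text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError("bad token at %d: %r" % (pos, text[pos:]))
        out.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return out


def parse_value(kind, raw):
    if kind == "str":
        return raw[1:-1]
    m = NUMBER.match(raw)
    if m and m.group(2) in UNITS:
        return float(m.group(1)) * UNITS[m.group(2)]
    return raw                                # bare word or wildcard such as 10.10.*.*


class Parser:
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.i != len(self.toks):
            raise SyntaxError("unexpected %r" % (self.peek()[1],))
        return node

    def expr(self):                           # lowest precedence: or
        node = self.term()
        while self.peek() == ("word", "or"):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):                           # and binds tighter than or
        node = self.factor()
        while self.peek() == ("word", "and"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):                         # parenthesised expr or comparison
        if self.peek()[0] == "lp":
            self.take()
            node = self.expr()
            if self.take()[0] != "rp":
                raise SyntaxError("expected )")
            return node
        kind, field = self.take()
        if kind != "word":
            raise SyntaxError("expected a field name")
        kind, op = self.take()
        if kind != "op" and (kind, op) != ("word", "in"):
            raise SyntaxError("expected an operator after %s" % field)
        kind, raw = self.take()
        if kind not in ("word", "str"):
            raise SyntaxError("expected a value after %s %s" % (field, op))
        return ("cmp", field, op, parse_value(kind, raw))


def compare(actual, op, want):
    if op == "in":                            # zone containment by path component
        have = [p for p in str(actual).split("/") if p]
        need = [p for p in str(want).split("/") if p]
        return have[:len(need)] == need
    if isinstance(want, str):                 # string or wildcard: only = and != apply
        hit = fnmatch.fnmatchcase(str(actual), want) if "*" in want else str(actual) == want
        return hit if op == "=" else (not hit if op == "!=" else False)
    try:
        value = float(actual)
    except (TypeError, ValueError):
        return False
    return {"=": value == want, "!=": value != want, ">": value > want,
            ">=": value >= want, "<": value < want, "<=": value <= want}[op]


def evaluate(node, flow):
    if node[0] == "and":
        return evaluate(node[1], flow) and evaluate(node[2], flow)
    if node[0] == "or":
        return evaluate(node[1], flow) or evaluate(node[2], flow)
    _, field, op, want = node
    values = [flow[field]] if field in flow else \
        [flow[k] for k in (field + ".clt", field + ".srv") if k in flow]
    return any(compare(v, op, want) for v in values)


def select(text, flows):
    """Return the app names of the flows matching a filter expression."""
    tree = Parser(text).parse()
    return [f["app"] for f in flows if evaluate(tree, f)]


FLOWS = [  # constructed records, not real traffic
    {"app": "sql-intranet", "srt": 0.35, "bandw": 2_000_000, "0win": 3, "begin": 12000,
     "ct.count": 0, "diffserv": 0, "proto": "tcp", "port.srv": 1433, "os.clt": "linux",
     "ip.clt": "10.10.4.7", "ip.srv": "10.20.30.5",
     "zone.clt": "/Headquarters/Sales", "zone.srv": "/Private/Database"},
    {"app": "video_live", "srt": 0.02, "bandw": 15 * 2**20, "0win": 200, "begin": 20000,
     "ct.count": 4, "diffserv": 20, "proto": "udp", "port.srv": 554, "os.clt": "windows",
     "ip.clt": "192.168.3.9", "ip.srv": "10.20.30.40",
     "zone.clt": "/Branch", "zone.srv": "/Private/Video"},
    {"app": "dns", "srt": 0.01, "bandw": 1000, "0win": 0, "begin": 5,
     "ct.count": 1, "diffserv": 0, "proto": "udp", "port.srv": 53, "os.clt": "linux",
     "ip.clt": "10.10.1.1", "ip.srv": "10.20.30.53",
     "zone.clt": "/Headquarters", "zone.srv": "/Private/DNS"},
]

if __name__ == "__main__":
    print(select("(ip=10.10.*.* or ip.srv=10.20.30.*) and os.clt='linux'", FLOWS))
```

The evaluator uses straight quotes; the slide's curly quotes come from the presentation software and are not part of the syntax.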
COMBINE ADVANCED FILTERS
Advanced filter options can now be combined (in 2.15 they were exclusive)
Build custom requests to isolate specific traffic
ADVANCED FILTERS: NEW OPTIONS
Two new options are added to the advanced filters:
Exclude intersection of provided zones
Only intersection of provided zones
INTEGRATION OF NON-IP TRAFFIC IN THE GENERAL WORKFLOW
Non-IP traffic is integrated in the global workflow
New option "Non IP" in the Protocol filter
Works for both table and graph views
PERFORMANCE IMPROVEMENTS
Performance-oriented improvements:
More aggressive default data degradation
ICMP can now be degraded
MORE AGGRESSIVE DEFAULT DATA DEGRADATION
The default configuration is more aggressive on data degradation than in 2.15
Migrated configurations are not updated automatically
Use the "Default" button to apply the 2.18 factory settings to a migrated 2.15 configuration
DATA DEGRADATION ON ICMP
Data merging enhancements
Data degradation is now possible on ICMP
Clear indication on which metric is degraded
PERFORMANCE: UNDER THE HOOD
Improved network sniffing
Better usage of multi-core by the sniffer/dumper
Optimized database querying
Database improvements for user requests (up to +20% faster)
Faster exporting
Export to CSV is significantly faster
SIMPLIFIED DISPLAY OF FILTERS
New filter presentation
Default basic filters on one line
Expand for more filters if needed
Memorize expansion state (session)
NEW TABLES DESIGN
Refined look & feel
Show / hide data columns
Memorize show / hide state (session)
INTEGRATED CONTEXTUAL HELP
Contextual help for expert filters is displayed:
On mouse over help icon
On field focus (click or tab)
NEW FILTERS FOR DASHBOARDS
Dashboards get extended filter options compared to 2.15
DEFAULT VALUES FOR BCA/BCN
Save time on BCA/BCN creation
Default values for BCA creation
Use predefined templates for BCN
LIST OF GENERATED REPORTS
Displays the reports stored on the probe
Delete files
Browse them through FTP
EMAIL ALERTS TO ADMINISTRATOR
An email alert is sent (at most once per hour) on:
License issue
Disk almost full (less than 150 MB free)
Configure the SMTP server and the administrator's email address in Pulsar
SLIDE ON MATRIX SCREENS WITH KINETICS
Move the matrices with kinetic scrolling
Click and drag (with inertia)
Smoothness depends on the browser
SPV FOR DEVELOPERS, GEEKS, NERDS…
For developers, it is now possible to:
Programmatically run searches
Retrieve the result as HTML or PDF, thanks to session-less access
Retrieve the Top Servers page as stripped-down HTML from the command line with wget:
wget 'http://admin:admin@SPV/++skin++simplehtml/nevrax/network/ipstats_dst.html?filter.capture_begin=2013-01-31+14:50'
Note that credentials written in the URL this way are sent in clear text over HTTP and end up in the shell history and in the process list; keep the password in a .netrc file read by wget instead, and change the default admin password before scripting against the probe.
For more information: User Guide > Appendix > SPV For Developers
GET IN TOUCH THROUGH NEW FORUM
Through the forum to be launched
Follow news and announcements
Get general support
Provide feedback & feature requests
DOCUMENTATION UPDATE
The User Guide and the Release Notes are updated for version 2.18:
One-click access in the interface
Available on the SecurActive web site
http://www.securactive.net/en/resource-library/usersguide
VERSION 2.18: IMPACTS SUMMARY
Main impacts compared to 2.15:
Database migration time: medium
HTTP Hits: no major impact on existing metrics, but check the impact of HTTP Hits on workload and license limits
Impact on the database is medium: the update takes from a few minutes to one hour or more, depending on the database size
REBOOT AFTER UPDATE
Reboot the probe once the upgrade is completed
YOU’RE READY TO GO, ENJOY!
THANK YOU!
For any question: [email protected]
Follow us on @SecurActivePV
www.securactive.net
blog.securactive.net