Gigamon Solution Overview - SYSCOM

Transcription

Stanley Lin 林大鈞, Sales Engineer, Taiwan, stanley.lin@gigamon.com

Gigamon Inc. – 美商奇望. The Company. The Team. The Results.
Founded in 2004 in California, USA; first product shipped in 2005 – IPO on the NYSE in June 2013.
Created the Data Access Network – now called the Unified Visibility Fabric architecture.
Multiple patented technologies – 31 patents granted, 28 pending.
Over 2000 large enterprise-group customers use GigaVUE, across more than 60 countries.
Developed and manufactured in the USA.
More than 78 of the world's Fortune 100 companies have adopted Gigamon solutions.
Confidential and Proprietary. For Internal Use Only. 2015 Gigamon. All rights reserved.

Gigamon – Q2'16
[Chart: quarterly revenue of Gigamon versus Ixia NVS, with the year-over-year growth rate of each]
Growth rate 4x higher than that of the vendor with the next-largest market share.
37.6% market share as per Gartner.
"Gigamon is the market share leader in the NPB market delivering Layer 2 through Layer 7 NPB visibility, filtering and correlation via its GigaSMART platform" – Gartner, Jan 2016


Investment in security prevention has hardly been small:
Firewall/VPN devices and enterprise network security appliances: 6,721M
Antivirus, email, WAF, NAC: 9,209M
IPS: 1,520M
Routers with security functions: 968M
Source: Gartner Trends Telecom Forecast (March 2014)

Yet security incidents keep happening – on a staggering scale
"The US Office of Personnel Management (OPM) stated that roughly 22.1M personal records were stolen" [...] "[...]-scale personal data breach incident." [...] "Anthem Inc. formally announced that information on about 80 million customers was stolen"
Sources (URLs truncated): k-unparalleled-cyber-security-firm-1201372889/ tify-employees-of-cybersecurity-incident/ th-care-anthem-hacked/22900925/

Reflections on the fraudulent-withdrawal incident – [...]

Reminders for CIOs and CSO team leads
Shift from a [...] (Prevention) model to a Detection & Response model.
[...] security interconnection architecture to support the deployment and expansion of all kinds of security devices.
GigaSECURE is the industry's first Security Delivery Platform [...] – making security devices more effective at prevention, more automated and lower in cost.

Introducing the Security Delivery Platform

How to lock on to security threats:
[Diagram: spine switches, leaf switches, routers, Data Loss Prevention, anti-malware (inline), email threat detection, forensics, virtualized servers]
Meeting security performance requirements drives costs extremely high.
Security devices compete with each other for access to traffic.
Traffic flows cannot be kept consistent.
Encrypted packets cannot be decrypted quickly.
Too many false alarms (false positives).
[...] it is time for the defenders.

The revolution in network-wide visibility:
[Diagram: IPS (inline), anti-malware (inline), routers, DLP, email threat detection, forensics, virtualized server farm, inline bypass, Security Delivery Platform]
Coverage: physical and virtual networks.
Security Delivery Platform: [...]

Benefits of GigaSECURE
1. Increases the effectiveness of the tools themselves.
2. Network-wide visibility improves the tools' detection results.
3. Network operation is unaffected by the tools and is more stable.
Legacy approach without Gigamon [diagram: Enterprise LAN feeding each security tool directly, irrelevant traffic included]: only the traffic at individual network points is seen; no control over which traffic is obtained; the performance of security devices cannot be used well.
With the Gigamon Security Delivery Platform [diagram: Enterprise LAN into the platform, only relevant traffic to each security tool]: comprehensive traffic visibility; precisely filtered traffic supplied to different security devices; greatly improved security device performance.

Gigamon applies to all kinds of security, management, network forensics and big-data analytics.

Gigamon full-scope visibility solution – Visibility Fabric
[Diagram of the Visibility Fabric architecture]
Applications & Tools: 3rd party apps (e.g. Splunk, Viavi), Gigamon applications, FabricVUE Traffic Analyzer (via API)
Fabric Control (Management): GigaVUE-FM (via API); infrastructure and user community
Traffic Intelligence: NetFlow & Metadata Generation, SSL Decryption, Header Stripping, Tunneling, FlowVUE, Adaptive Packet Filtering, Slicing, Time Stamping, GTP Correlation, Application Session Filtering, Masking, Inline Bypass, Flow Mapping
Visibility Fabric Nodes (pervasive visibility across physical, virtual, remote sites, and SDN production networks):
  H Series: GigaVUE-HD8, GigaVUE-HD4, GigaVUE-HC2, GigaVUE-HB1, GigaVUE-OS on white box
  TA Series: GigaVUE-TA100, GigaVUE-TA40, GigaVUE-TA10
  Virtual Visibility: GigaVUE-VM
  TAPs: G-TAP M Series, G-TAP BiDi, G-TAP A Series, G-TAP G Series, Embedded TAPs
  Also shown: GigaVUE-420, E-2404
G-SECURE-0216

Security Delivery Platform application examples

Application 1: In-Line Bypass
[Diagram: Firewall1, Firewall2, WAF1, WAF2, each pair between switches x 2]
[...] a single tool [...] affected.
Any change to a security device, such as adding or removing a device or upgrading its version, inevitably brings network operation to a halt; when testing a newly added device, [...]

Application 1: In-Line Bypass
[Diagram: heartbeats, switches x 2, WAF1, WAF2]
[...] security devices can operate at the same time, increasing inspection capacity; [...] depends on network bandwidth.
Any change to a security device, such as adding or removing a device or upgrading its version, does not affect network operation.
Inline, out-of-band and flow-based devices are integrated on the GigaSECURE platform in a single architecture.

Application 1: In-Line Bypass [...] one-to-many
[Diagram: Port A1, Port B1]
[...] the scale of security management [...] expands security management capability.

Application 1: In-Line Bypass [...] many-to-many
[Diagram: Port A1, Port B1, Port A2, Port B2, VLAN 101, VLAN 102]
Traffic from multiple links (up to 36 links) is merged and forwarded to the same inline security analysis device.
VLAN tags are used to distinguish the return path (they are removed automatically before the traffic returns to the real link).

Application 1: In-Line Bypass – improving security operation performance and flexibility: Application-Aware Bypass, Serial Inline Tools
Application-Aware Bypass [diagram: A1/B1, A2/B2, A3/B3, inline bypass]: [...] traffic to different security devices; Flow Mapping can be enabled on inline traffic; traffic that does not need to be monitored is bypassed directly, which improves network and application performance.
Serial Inline Tools [diagram: A1/B1, A2/B2, A3/B3]: [...] interface can be bypassed [...]; in a serial chain, one device going down interrupts all traffic [...] affects network operation.

Application 2: Visibility into virtual-environment traffic

Application 2: Visibility into virtual-environment traffic – GigaVUE-VM
Lightweight traffic processing on GigaVUE-VM and GigaVUE nodes: de-duplication, sensitive-data masking, source-port tagging, header stripping, time stamping ([...] improves the accuracy of correlation analysis), application-signature filtering, NetFlow, packet slicing, tunneling over a network tunnel port.
GigaVUE-VM Flow Mapping: filter by VM and by TCP/UDP port.
[Diagram: core, leaf switches, DB server, OS; traffic delivered to APM (application management), NPM (network management) and security inspection]

Application 2: Visibility into virtual-environment traffic – GigaVUE-VM
GigaVUE-VM and GigaVUE nodes are deployed only on the host hypervisor: GigaVUE-VM on every ESXi host, filtering the required traffic and exporting it.
Supports VDS, VSS and Nexus 1k (N1k).
[Diagram: VMware ESXi hosts with GigaVUE-VM, traffic policies, APM, NPM]
GigaVUE-FM integrates with vCenter, [...]

Application 2: Visibility into virtual-environment traffic – GigaVUE-VM
Also applicable to the Cisco ACI architecture: REST APIs, closed-loop monitoring with GigaVUE-FM.
Parses the ACI encapsulated packet format and strips the VXLAN header before delivering packets to tools.
Classifies and filters traffic before delivering it to tools, [...] thereby reducing the cost of security devices.
[Diagram: traditional architecture (core Nexus 7K, aggregation Nexus 5K / Catalyst 6K, access Nexus 2K) versus new ACI architecture (spine Nexus 9500, leaf Nexus 9300, VXLAN 5000 / VXLAN 6000, G-TAP BiDi 40Gb, GigaVUE-VM on the virtualized server farm / hypervisor); centralized tools: inline bypass, SSL decryption, NetFlow generation, de-cap VXLAN, security, performance management, customer experience management; VM traffic; network transformation]

Application 3: Network-wide packet-level NetFlow / IPFIX generation

Application 3: Network-wide NetFlow / IPFIX generation
NetFlow / [...] the NetFlow metadata content that is needed.
Flow metadata: unsampled (1:1) NetFlow/IPFIX export improves the detection of "slow attacks"; [...] NetFlow records [...] the burden of [IPFIX].
SIEM and NetFlow forensics integration: visibility of every flow achieves end-to-end security defence; [...] particularly effective at detecting [...]; vendors have working integration examples.
Advanced information elements: [...] in the format, such as [...]
Can export simultaneously to up to 6 different NetFlow v5/v9 and IPFIX collectors/analyzers.
Can use LLDP/CDP to locate the source interface of the data.

Application 3: Network-wide NetFlow / IPFIX generation – metadata use cases
HTTP Response Codes: uncover denial of service and compromise of internal web servers.
DNS Discovery*: discover malicious communications to C&C servers using DNS transactions.
HTTPS Certificate Anomalies*: analyze HTTPS certificates to discover bad/suspicious certificates.
Mapping User, Hostname & IP Address*: correlate Kerberos and DHCP logs to map "who" (user) with "what" (hostname and IP).
* Planned. Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and subject to change.

Application 3: Network-wide NetFlow / IPFIX generation – [...] example
Attack stages: 1. Reconnaissance; 2. Phishing & zero-day attack; 3. Back door; 4. Lateral movement; 5. Data gathering; 6. Exfiltrate.
Detection with flow metadata: C&C analysis with URL, HTTP, SSL certificate and DNS analysis; anomaly-based detection through flow, login and session analysis; patient-zero analysis with HTTP, HTTPS and DNS analysis; URL, volumetric, HTTP / HTTPS, SSL certificate and DNS analysis.

Application 3: Network-wide NetFlow / IPFIX generation – [...] pinpoint where the problem is
[Diagram: GigaVUE-VM and GigaVUE nodes with NetFlow / IPFIX Generation, Application Session Filtering, SSL Decryption and Inline Bypass feeding a Metadata Engine]
Metadata produced: DHCP query and response information; DNS query and response information; URL access information; Kerberos and user login information; user flow records and session information; HTTP request and response information; server and application connectivity information.
Consumers: Data Loss Prevention, context- and intent-based intrusion prevention, big-data analytics, intrusion detection system, forensics, email threat detection.

Industry support for Gigamon NetFlow / IPFIX generation
[Table: partner integrations, each marked Currently Available or In progress]


Necessary and sufficient? Full packet stream
The full packet stream can identify both the content and the source of an attack.

Application Session Filtering (ASF) – full packet stream
ASF: application identification, session [...] monitoring, email monitoring.
[Diagram: frame layout MAC / LLC / IP / Data; signature rfb 00[1-9]\.00[0-9]\x0a; collector]
DPI / content-based filtering identifies the application and filters out all packets of the same session together.
Examples: email with attachments, BitTorrent packets, URL addresses, over-the-top applications on HTTP (downloads, YouTube, Facebook).
Signatures can be defined with regular expressions (RegEx).
Session aware.
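The slide describes session-aware, content-based filtering in one sentence. The Python below is an added example, not Gigamon code or the GigaSMART implementation, of how such a filter can work: each payload is matched against regex signatures, and once one packet of a session matches, every packet of that bidirectional session, including packets already seen and held back, is released to the tool; a session that never matches within a bounded number of packets is dropped so memory stays bounded. The RFB/VNC banner regex is the one shown on the slide; the BitTorrent handshake prefix, the packet fields, the pending-buffer limit and the sample packets are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet record carrying only what the filter needs (TCP assumed)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


SessionKey = Tuple[Tuple[str, int], Tuple[str, int]]


def session_key(p: Packet) -> SessionKey:
    """Direction-independent key so both halves of a conversation land in one session."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


# Signatures. The RFB/VNC banner regex is the one shown on the slide;
# the BitTorrent handshake prefix is an assumed, well-known constant.
SIGNATURES = {
    "vnc": re.compile(rb"rfb 00[1-9]\.00[0-9]\x0a", re.IGNORECASE),
    "bittorrent": re.compile(rb"^\x13BitTorrent protocol"),
}


@dataclass
class SessionFilter:
    # Packets of a session are held back until a verdict is reached, at most
    # max_pending of them, so an unmatched session cannot consume unbounded memory.
    max_pending: int = 4
    verdict: Dict[SessionKey, str] = field(default_factory=dict)  # app name or "none"
    pending: Dict[SessionKey, List[Packet]] = field(default_factory=dict)

    def feed(self, p: Packet) -> List[Tuple[str, Packet]]:
        """Return the (app, packet) pairs to forward to the tool after seeing p."""
        key = session_key(p)
        verdict = self.verdict.get(key)
        if verdict == "none":
            return []                      # session already judged uninteresting
        if verdict is not None:
            return [(verdict, p)]          # session already matched: pass everything
        for app, sig in SIGNATURES.items():
            if sig.search(p.payload):
                self.verdict[key] = app
                held = self.pending.pop(key, [])
                return [(app, q) for q in held + [p]]   # release earlier packets too
        held = self.pending.setdefault(key, [])
        held.append(p)
        if len(held) >= self.max_pending:
            self.verdict[key] = "none"      # gave up on this session: drop and stop buffering
            del self.pending[key]
        return []


def run_filter(packets: List[Packet], max_pending: int = 4) -> List[Tuple[str, Packet]]:
    """Run the filter over a packet list in capture order."""
    flt = SessionFilter(max_pending=max_pending)
    out: List[Tuple[str, Packet]] = []
    for p in packets:
        out.extend(flt.feed(p))
    return out


# Constructed sample: a VNC session, an HTTP session and a BitTorrent handshake interleaved.
SAMPLE = [
    Packet("10.0.0.5", 50000, "10.0.0.9", 5900, b""),                      # VNC client opens
    Packet("10.0.0.5", 50001, "10.0.0.7", 80, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
    Packet("10.0.0.9", 5900, "10.0.0.5", 50000, b"RFB 003.008\n"),         # VNC server banner
    Packet("10.0.0.7", 80, "10.0.0.5", 50001, b"HTTP/1.1 200 OK\r\n\r\n"),
    Packet("10.0.0.5", 50000, "10.0.0.9", 5900, b"RFB 003.008\n"),         # VNC client reply
    Packet("10.0.0.6", 40000, "10.0.0.8", 6881, b"\x13BitTorrent protocol" + bytes(8)),
    Packet("10.0.0.5", 50000, "10.0.0.9", 5900, b"\x02"),                  # VNC security type
]

if __name__ == "__main__":
    for app, pkt in run_filter(SAMPLE):
        print(app, pkt.src, pkt.sport, "->", pkt.dst, pkt.dport, pkt.payload[:12])
```

On the sample, the empty first VNC packet is forwarded only once the server banner matches, the HTTP session is never forwarded, and the BitTorrent handshake is forwarded on its own. The pending limit is the trade-off to tune: too small and a signature that appears late in a session is missed; too large and unmatched sessions hold memory.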

Adaptive Packet Filtering

SSL [...]?
[Diagram: virtual and physical networks, Flow Mapping]
Web-server-related traffic is forwarded to NPM / CEM monitoring.
Packet slicing.
Traffic collected at remote nodes is forwarded to DLP.
Traffic between [...] is forwarded to IDS for analysis.
[...] removes the parts of packets that contain sensitive data, [...] credit card numbers, national ID numbers, etc.

[...] masking

Application 4: Packet de-duplication and packet slicing
De-duplication: the traffic of a single session passes through several network nodes and so produces multiple identical, duplicated packets; [...] keeping only one copy of each packet can reduce packet volume by 33–75%.
Packet slicing: selective packet slicing [...] can reduce the capacity required of capture or big-data devices. The average network packet length is about 800 bytes; slicing to an average of 200 bytes where needed saves 80% of the traffic.
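The two savings the slide quotes come from two independent stages, and each has an edge case worth seeing: de-duplication must recognise the same packet after a router hop has changed its TTL and header checksum, yet must not swallow a genuine retransmission seen much later; slicing must never cut into the IP header. The Python below is an added example, not Gigamon's implementation, that builds a few constructed IPv4 packets, de-duplicates copies seen at two TAP points within a time window, and slices the survivors to a fixed length. The TTL- and checksum-insensitive hash, the 1 ms window, the 160-byte slice length and the sample traffic are assumptions of this example.

```python
import hashlib
import socket
import struct
from typing import Dict, List, Tuple

TimedPacket = Tuple[int, bytes]   # (timestamp in microseconds, raw IPv4 packet)


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, ttl: int, payload: bytes, ident: int = 1) -> bytes:
    """Build a minimal IPv4 packet (protocol 6, no options) as constructed test data."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                         ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def dedup_key(pkt: bytes) -> bytes:
    """Hash the packet with TTL (byte 8) and header checksum (bytes 10-11) zeroed,
    so the same packet captured before and after a router hop hashes identically."""
    normalized = pkt[:8] + b"\x00" + pkt[9:10] + b"\x00\x00" + pkt[12:]
    return hashlib.sha256(normalized).digest()


def deduplicate(packets: List[TimedPacket], window_us: int) -> List[TimedPacket]:
    """Drop a packet if an identical one (modulo TTL/checksum) was kept within window_us;
    a genuine retransmission much later falls outside the window and is kept."""
    last_seen: Dict[bytes, int] = {}
    kept: List[TimedPacket] = []
    for ts, pkt in packets:
        key = dedup_key(pkt)
        prev = last_seen.get(key)
        if prev is not None and ts - prev <= window_us:
            continue
        last_seen[key] = ts
        kept.append((ts, pkt))
    return kept


def slice_packet(pkt: bytes, keep: int) -> bytes:
    """Truncate to the first `keep` bytes, never cutting into the IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[:max(keep, ihl)]


def byte_savings(before: List[TimedPacket], after: List[TimedPacket]) -> float:
    """Fraction of bytes removed between two stages."""
    b = sum(len(p) for _, p in before)
    a = sum(len(p) for _, p in after)
    return 1.0 - a / b


def pipeline(packets: List[TimedPacket], window_us: int = 1000, keep: int = 160):
    """De-duplicate, then slice; returns both intermediate results."""
    deduped = deduplicate(packets, window_us)
    sliced = [(ts, slice_packet(p, keep)) for ts, p in deduped]
    return deduped, sliced


def build_sample() -> List[TimedPacket]:
    """Constructed capture: three 800-byte packets of one session, each seen at a leaf
    TAP (TTL 64) and 50 us later at a core TAP (TTL 63), plus one real retransmission
    of the first packet 2 s later."""
    sample: List[TimedPacket] = []
    for i in range(3):
        payload = b"%02d" % i + b"A" * 778
        ts = i * 1000
        sample.append((ts, ipv4_packet("10.0.0.5", "10.0.1.20", 64, payload, ident=i + 1)))
        sample.append((ts + 50, ipv4_packet("10.0.0.5", "10.0.1.20", 63, payload, ident=i + 1)))
    retransmit = ipv4_packet("10.0.0.5", "10.0.1.20", 64, b"00" + b"A" * 778, ident=1)
    sample.append((2_000_000, retransmit))
    return sample


if __name__ == "__main__":
    sample = build_sample()
    deduped, sliced = pipeline(sample)
    print(f"{len(sample)} captured -> {len(deduped)} after dedup "
          f"({byte_savings(sample, deduped):.0%} fewer bytes); "
          f"slicing then saves a further {byte_savings(deduped, sliced):.0%}")
```

On this sample the seven captured packets reduce to four (the three core-TAP copies go, the late retransmission stays), and slicing the 800-byte survivors to 160 bytes removes 80% of the remaining bytes. Which header fields to ignore in the hash is the key design choice: zeroing TTL and checksum is enough for plain routed duplicates, while NAT or VLAN-tagged copies would need further normalisation before hashing.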

Gigamon customer case study: Computer and Network Center of a university of technology in Taipei

Problems before the Gigamon architecture was deployed
[...] security level raised to Grade A; 8Gbps [...] a budget amount that could not be afforded.
Could not be overcome when POC-testing devices:
– the core switch could not cope because of too many mirror ports
– [...] caused link outages
– a malfunctioning test device could not be unplugged immediately

The university's in-line connection architecture
[Diagram: QoS device, WAN Switch1, WAN Switch2 (stack), VSS Core (Local), Core (Remote), NG Firewall]

The university's out-of-band connections
Multiple links can be aggregated by configuration (many-to-one).
[Diagram: POC device, POC device, SIEM, Flow Analysis]

Benefits at the current stage after deployment
Lower equipment purchase cost
– relieves the budget pressure of buying security devices in HA pairs all at once
– using Map Filter [...] 4Gb devices, e.g.: traffic whose destination IP is not in the server farm does not pass through the WAF; non-SSL packets do not pass through the SSL decryption device; non-critical business network segments do not pass through the APT device
High flexibility
– [...] no waste
– [...] (Fail Open, Fail Close)
– [...] continued business operation

Deep Packet Inspection to identify critical business – financial applications

Deep Packet Inspection – GigaSMART APF/ASF

Financial transactions – identified and filtered by the field "03 06 45 20 9168"


Cisco ACI & SDDC environment monitoring

Cisco ACI & SDDC environment

Cisco ACI & SDDC environment monitoring challenges
Spine-leaf uses 40Gb BiDi links – monitoring tools do not support them.
Flattened architecture – more links – [...] capture.
Use of VxLAN technology – [...] cannot be decoded.
Cisco UCS virtual environment – monitoring blind spots appear.

ACI VxLAN – Before Gigamon: unknown traffic

After Gigamon VxLAN header strip

Why the Gigamon platform is needed now
Network-wide visibility of security information – gives security devices complete information – [...] visibility.
Tool connectivity separated from the production network – flexible tool connectivity – [...] changes do not affect network operation.
DPI deep traffic-packet identification – [...] including packet headers, [...] the volume of traffic that tool devices have to process.
Application traffic identification – integration with mission-critical apps – financial applications: filtering of critical business operations (such as ATM traffic) for auditing and traffic steering.

See More. Secure More.
