Research Institutions and Universities face a myriad of challenges. One of those challenges is dealing with the exploding growth of research data and the need for this data to be shared across the campus and across the world. Brocade developed an Intelligent Flow Management Solution to help speed the transfer of these large datasets. Knowing where the research data lives on these networks is another challenge. Network visibility is needed.
University networks have some unique requirements that make security and monitoring very difficult. Corporate networks can be controlled with binding policies for all employees relatively easily. But universities have a very diverse user base – administrative employees, temporary faculty, researchers, students – that has a lot of churn. This necessitates flexibility in provisioning, which means that these networks need to be relatively open.
However, device connectivity into these networks is at the same time very complex. Vast numbers of mobile devices, increasing usage of thumb drives, social media – all these create the need for stringent security policies. Universities also have a treasure trove of data, such as social security numbers of thousands of users and cutting-edge research data, sometimes belonging to government and military organizations. Because of this, university networks suffer from a disproportionately large number of attacks. In fact, studies have shown that universities are 3 times more likely to have devices infected with malware than any other industry. When these attacks succeed, their cost can be rather high.
Network security and analysis tools often work off live data from the network. They can be fed this data directly, either from span ports, or from passive TAPs. There are problems with this approach however, some of which are:
Mismatch between tool performance and interface speeds.
Traffic being fed to the tool that contains no interesting information – degrading the tool’s performance and increasing costs.
Multiple tools require multiple copies of the data (replication).
Clustered tools require load balancing of the data.
Because of this, the pervasive network visibility required at Research Institutions is just not possible. Many installations just monitor their WAN links and hope they are catching all the issues.
This problem is easily solved, however, by introducing a “Packet Broker” between the network and the analytics tools.
The packet broker can be a hardware appliance, or a software instance running in a VM. At a high level, it performs the following functions:
Aggregation: pervasive visibility requires TAPping a large number of network interfaces, so all of this traffic must be aggregated towards the tools.
Mirroring: Copy the network traffic to each analytics solution.
Filtering: Deliver only the relevant traffic to each analytics solution.
Load Balancing: Share aggregated traffic load among instances of an analytics tool.
The following diagram shows Brocade’s packet broker architecture. On the left side is an enterprise that requires a network visibility solution. Live data is streamed out of this network via one of the following methods:
SDN FlowTap (only specified flows TAPped).
From the network, this streaming data comes to the Packet Broker network in the middle. Brocade packet brokers can be any combination of physical and virtual versions of the packet broker. From the packet broker, the data then goes to the analytics tools, types and examples of which are shown on the right. The packet broker network is managed by a software Visibility Manager. This manager exposes a REST API that the analytics tools can use to control the data flow towards them. For real time threat mitigation, filters may also be applied on the production network via Brocade’s Flow Optimizer tool. These use the SDN controller to manage the flows on the respective networks.
To protect against attacks yet keep costs within budget, universities often utilize open source solutions. The community aspects of these solutions fit well into the research culture, and also make these solutions robust and flexible. One of the more popular solutions for network security is the Bro Network Monitoring framework (www.bro.org). Bro analyzes actual network traffic in real time and performs many functions, such as threat detection and mitigation, file extraction, and intrusion detection.
Brocade is working closely with Broala LLC (www.broala.com) to integrate the Bro network monitoring framework with Brocade’s packet broker solution. Broala is a company formed by the creators of Bro. They sell an appliance that comes pre-installed with Bro and a large number of useful scripts, and they also provide support for the appliance and various customer needs.
The following figure shows the details of the integration between the Brocade Packet Broker solutions and Bro/Broala. Bro inspects the network traffic coming to it. If it detects malicious traffic, it can send commands to the production network Flow Optimizer to block these flows. If it detects flows coming to it from the packet broker that it does not need to analyze, it can send shunting commands to the visibility network Flow Optimizer to shunt these flows. Shunting is very important: it can reduce the data going to Bro by a significant amount, which improves Bro's performance. It also keeps unnecessary log information from reaching visualization tools like Splunk, which can significantly decrease cost.
The logs from Bro can be visualized in a variety of tools such as Splunk, Elasticsearch and Kafka.
Brocade will demo this integration with Bro for both the production (Brocade) network and the visibility network (packet broker). The intent is to show the template for communication between Bro and the various network and packet broker components – the logic within Bro scripts is kept simple, this part can be replaced by existing logic being used by Bro users.
For the example of shunting in the network visibility instance, the Bro logic regards all flows that send traffic over 1 Gb within 1 minute as flows that need to be shunted. As soon as this threshold is crossed, Bro informs the Flow Manager to shunt these flows in the visibility network.
For the example of real-time threat mitigation in the production network, the Bro logic blacklists certain websites, such as facebook.com, from being accessed by servers. As soon as traffic is detected going towards these web sites, Bro informs the Flow Manager to block this traffic.
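The two demo policies above (shunting flows that exceed 1 Gb within a minute on the visibility network, and blocking server traffic towards blacklisted sites on the production network), written out as an added Python example; this is not Brocade's, Broala's or Bro's own code. The per-interval byte samples and HTTP observations are constructed inputs standing in for what a Bro script would see, "1 Gb" is assumed to mean bytes, and the Flow Optimizer command shape is an assumption, not Brocade's REST API.

```python
from collections import defaultdict, deque

SHUNT_BYTES = 10**9     # the demo's "1 Gb within 1 minute"; assumed to mean bytes
SHUNT_WINDOW = 60.0     # seconds
BLACKLIST = {"facebook.com"}   # sites servers must not reach, as in the demo

# Constructed per-interval byte samples for live flows, as a Bro script could
# collect them: (ts, orig_h, orig_p, resp_h, resp_p, proto, bytes_in_interval)
CONN_SAMPLES = [
    (0.0,   "10.1.1.5", 40000, "10.2.2.9", 22,  "tcp", 400_000_000),
    (20.0,  "10.1.1.5", 40000, "10.2.2.9", 22,  "tcp", 400_000_000),
    (40.0,  "10.1.1.5", 40000, "10.2.2.9", 22,  "tcp", 300_000_000),  # > 1e9 in 40 s
    (0.0,   "10.1.1.7", 40001, "10.2.2.9", 443, "tcp", 600_000_000),
    (120.0, "10.1.1.7", 40001, "10.2.2.9", 443, "tcp", 600_000_000),  # 120 s apart: no
]
# Constructed HTTP observations from servers: (ts, orig_h, Host header)
HTTP_SAMPLES = [
    (5.0, "10.1.1.5", "www.facebook.com"),
    (6.0, "10.1.1.6", "mirror.example.edu"),
]

def find_shunt_flows(samples):
    """Flow keys whose bytes within any SHUNT_WINDOW exceed SHUNT_BYTES (each once)."""
    recent = defaultdict(deque)   # flow key -> (ts, bytes) samples still inside the window
    total = defaultdict(int)
    shunted = []
    for ts, oh, op, rh, rp, proto, nbytes in sorted(samples):
        key = (oh, op, rh, rp, proto)
        recent[key].append((ts, nbytes))
        total[key] += nbytes
        while ts - recent[key][0][0] > SHUNT_WINDOW:   # expire samples older than 60 s
            total[key] -= recent[key].popleft()[1]
        if total[key] > SHUNT_BYTES and key not in shunted:
            shunted.append(key)
    return shunted

def find_blocked(samples):
    """(orig_h, host) pairs where a server reached a blacklisted site or a subdomain of it."""
    return [(oh, host) for _ts, oh, host in samples
            if any(host == b or host.endswith("." + b) for b in BLACKLIST)]

def flow_optimizer_command(action, match):
    """Body of the call to the Flow Optimizer; the shape is assumed, not Brocade's API."""
    return {"action": action, "match": dict(match), "priority": 100}

if __name__ == "__main__":
    for oh, op, rh, rp, proto in find_shunt_flows(CONN_SAMPLES):
        print(flow_optimizer_command("shunt", {"src": oh, "sport": op, "dst": rh, "dport": rp}))
    for oh, host in find_blocked(HTTP_SAMPLES):
        print(flow_optimizer_command("block", {"src": oh, "host": host}))
```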