Modern solutions for building information security systems - network packet brokers (Network Packet Broker)

Information security has separated from telecommunications into an independent industry with its own specifics and its own equipment. But there is a little-known class of devices that stands at the junction of telecom and infosec: network packet brokers (Network Packet Broker), also known as load balancers, specialized/monitoring switches, traffic aggregators, Security Delivery Platforms, Network Visibility solutions and so on. As a Russian developer and manufacturer of such devices, we want to tell you more about them.


Scope and tasks to be solved

Network packet brokers are specialized devices that have found their widest use in information security systems. As a device class they are relatively new and still rare in ordinary network infrastructure compared with switches, routers and so on. The pioneer in developing this type of device was the American company Gigamon. There are now considerably more players in this market (including similar solutions from IXIA, the well-known manufacturer of test systems), but only a narrow circle of professionals knows that such devices exist. As noted above, even the terminology is not settled: the names range from "network transparency systems" to simply "balancers".

While developing network packet brokers, we found that, besides working out directions for developing functionality and testing in laboratories and test zones, we also have to explain to potential customers that this class of equipment exists at all, since not everyone knows about it.

Even 15-20 years ago there was little traffic on the network, and it was mostly unimportant data. But Nielsen's law practically mirrors Moore's law: Internet connection speed grows by 50% annually. Traffic volume is also growing steadily (the graph shows Cisco's 2017 forecast; source: Cisco Visual Networking Index: Forecast and Trends, 2017–2022):

Along with speed, the importance of the information in circulation (both trade secrets and the notorious personal data) and the overall performance of the infrastructure are increasing.

Accordingly, the information security industry emerged. It responded with a whole range of traffic analysis (DPI) devices, from DDOS attack prevention systems to information security event management systems, including IDS, IPS, DLP, NBA, SIEM, anti-malware and so on. Typically each of these tools is software installed on a server platform. Moreover, each program (analysis tool) is installed on its own server platform: the software vendors are different, and analysis at L7 requires a lot of computing resources.

When building an information security system, it is necessary to solve a number of basic tasks:

  • how to transfer traffic from the infrastructure to the analysis systems? (SPAN ports, originally designed for this, are no longer sufficient in modern infrastructure, either in number or in performance)
  • how to distribute traffic between different analysis systems?
  • how to scale systems when a single analyzer instance lacks the performance to process the entire volume of traffic arriving at it?
  • how to monitor 40G/100G interfaces (and in the near future 200G/400G too), since analysis tools currently support only 1G/10G/25G interfaces?

And the following related tasks:

  • how to minimize irrelevant traffic that does not need to be processed but still reaches the analysis tools and consumes their resources?
  • how to handle encapsulated packets and packets with hardware service marks, whose preparation for analysis turns out to be either resource-intensive or impossible altogether?
  • how to exclude from analysis the part of the traffic that is not covered by the security policy (for example, the traffic of company management)?

As everyone knows, demand creates supply: network packet brokers began to develop in response to these needs.

General Description of Network Packet Brokers

Network packet brokers work at the packet level, and in this they resemble ordinary switches. The main difference is that in a network packet broker the rules for distributing and aggregating traffic are entirely determined by configuration. Network packet brokers have no standards for building forwarding (MAC) tables and no exchange protocols with other switches (such as STP), so the range of possible settings, and of the fields they understand, is much wider. A broker can evenly distribute traffic from one or more input ports across a given range of output ports, with load balancing across the outputs. Rules can be set for copying, filtering, classifying, deduplicating and modifying traffic. These rules can be applied to different groups of the broker's input ports, and also applied sequentially, one after another, within the device. An important advantage of a packet broker is the ability to process traffic at full line rate while preserving session integrity (when balancing traffic across several DPI systems of the same type).

Preserving session integrity means delivering all packets of a transport-layer session (TCP/UDP/SCTP) to one port. This matters because DPI systems (usually software running on a server connected to an output port of the packet broker) analyze traffic content at the application level, and all packets sent or received by one application must arrive at the same analyzer instance. If packets of one session are lost or spread across different DPI devices, each DPI device ends up in a situation analogous to reading individual words from a text rather than the whole text, and most likely it will not understand the text.

Thus, being focused on information security systems, network packet brokers have functionality that helps connect DPI software systems to high-speed telecommunication networks and reduce the load on them: they pre-filter, classify and prepare traffic to simplify subsequent processing.

In addition, since network packet brokers provide a wide range of statistics and are often connected to various points in the network, they also find their place in diagnosing health problems of the network infrastructure itself.

Basic Functions of Network Packet Brokers

The name "dedicated/monitoring switches" comes from the basic purpose: collecting traffic from the infrastructure (usually via passive optical TAPs and/or SPAN ports) and distributing it among analysis tools. Traffic is mirrored (duplicated) to systems of different types and balanced among systems of the same type. Basic functions usually include filtering on fields up to L4 (MAC, IP, TCP/UDP port, etc.) and aggregating several lightly loaded channels into one (for example, for processing on a single DPI system).

This functionality solves the basic task: connecting DPI systems to the network infrastructure. Brokers from various manufacturers that are limited to basic functionality handle up to 32 100G interfaces per 1U (more interfaces physically do not fit on a 1U front panel). However, they do not reduce the load on analysis tools, and in a complex infrastructure they cannot even meet the requirements of the basic function: a session spread across several tunnels (or carrying MPLS tags) may be balanced to different analyzer instances or drop out of analysis altogether.

In addition to adding 40/100G interfaces and, as a result, improving performance, network packet brokers are actively developing in terms of fundamentally new features: from balancing on nested tunnel headers to traffic decryption. Unfortunately, such models cannot boast terabit performance, but they make it possible to build a really high-quality and technically "beautiful" information security system in which each analysis tool is guaranteed to receive only the information it needs, in the form most suitable for analysis.

Advanced functions of network packet brokers

1. Balancing on nested headers in tunneled traffic (mentioned above).

Why is it important? Consider 3 aspects that can be critical together or separately:

  • ensuring uniform balancing when there are few tunnels. If there are only 2 tunnels at the point where the information security systems connect, it is impossible to distribute them by outer headers across 3 server platforms while preserving sessions. At the same time, traffic in the network is transmitted unevenly, and directing each tunnel to a separate processing facility would require excessive performance from the latter;
  • ensuring the integrity of sessions and of the flows of multi-session protocols (for example, FTP and VoIP) whose packets have ended up in different tunnels. The complexity of network infrastructure keeps growing: redundancy, virtualization, simpler administration and so on. On the one hand this improves the reliability of data transmission; on the other it complicates the work of information security systems. Even when the analyzers have enough performance to process a dedicated channel with tunnels, the problem is unsolvable, since some of the user session's packets are transmitted over another channel. Moreover, even where some infrastructures do try to preserve session integrity, multi-session protocols can take completely different paths;
  • balancing in the presence of MPLS, VLAN, vendor-specific equipment tags and so on. These are not really tunnels, but equipment with only basic functionality may fail to recognize such traffic as IP and balance it by MAC addresses instead, once again breaking uniform balancing or session integrity.

The network packet broker parses the outer headers, follows the pointers sequentially down to the nested IP header and balances on that. As a result there are significantly more flows (so traffic can be distributed more evenly and across more platforms), and the DPI system receives all packets of a session and all associated sessions of multi-session protocols.
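As an added example (not code from the article or from the DS Integrity product), this Python sketch does in software what the broker does in hardware: it walks QinQ, MPLS, GRE and VXLAN encapsulation down to the inner IPv4 5-tuple and hashes it symmetrically, so every packet of a session, in either direction and whichever tunnel carries it, is assigned to the same analyzer port. The EtherTypes and protocol numbers are the standard ones; the sample frames are constructed, and IPv4 is assumed beneath the MPLS label stack.

```python
import ipaddress, struct, zlib

ETH_VLAN, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800            # standard EtherTypes
PROTO_TCP, PROTO_UDP, PROTO_GRE, VXLAN_PORT = 6, 17, 47, 4789

def inner_flow(frame):
    """Follow VLAN/QinQ, MPLS, GRE and VXLAN encapsulation to the innermost IPv4 5-tuple."""
    eth_type, off = struct.unpack_from("!H", frame, 12)[0], 14
    while eth_type == ETH_VLAN:                              # 802.1Q tags are 4 bytes each
        eth_type, off = struct.unpack_from("!H", frame, off + 2)[0], off + 4
    while eth_type == ETH_MPLS:                              # pop labels; bit 8 = bottom of stack
        if struct.unpack_from("!I", frame, off)[0] & 0x100:
            eth_type = ETH_IPV4                              # assumption: IPv4 below the labels
        off += 4
    while eth_type == ETH_IPV4:
        proto, l4 = frame[off + 9], off + (frame[off] & 0x0F) * 4
        src, dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
        if proto == PROTO_GRE:                               # GRE: 4 bytes + 4 per C/K/S flag set
            eth_type = struct.unpack_from("!H", frame, l4 + 2)[0]
            off = l4 + 4 + 4 * bin(frame[l4] & 0xB0).count("1")
            continue
        if proto not in (PROTO_TCP, PROTO_UDP):
            return (src, dst, proto, 0, 0)
        sport, dport = struct.unpack_from("!HH", frame, l4)
        if proto == PROTO_UDP and dport == VXLAN_PORT:       # VXLAN: 8-byte header, then inner Ethernet
            return inner_flow(frame[l4 + 16:])
        return (src, dst, proto, sport, dport)
    return None                                              # not IPv4: balance by other means

def choose_output(flow, n_ports):
    """Symmetric hash: both directions of a session land on the same analyzer port."""
    a, b = sorted([(flow[0], flow[3]), (flow[1], flow[4])])
    return zlib.crc32(a[0] + b[0] + struct.pack("!BHH", flow[2], a[1], b[1])) % n_ports

def ipv4(src, dst, proto, payload):                          # constructed test frames, not captures
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload
def eth(eth_type, payload, vlans=()):
    tags = b"".join(struct.pack("!HH", ETH_VLAN, v) for v in vlans)
    return b"\x02" * 6 + b"\x04" * 6 + tags + struct.pack("!H", eth_type) + payload

TCP_FWD = struct.pack("!HH", 40000, 443) + b"\x00" * 16          # client -> server segment
TCP_REV = struct.pack("!HH", 443, 40000) + b"\x00" * 16          # server -> client segment
PLAIN = eth(ETH_IPV4, ipv4("10.0.0.5", "10.0.0.9", PROTO_TCP, TCP_FWD))
REVERSE = eth(ETH_IPV4, ipv4("10.0.0.9", "10.0.0.5", PROTO_TCP, TCP_REV))
VXLAN = eth(ETH_IPV4, ipv4("192.0.2.1", "192.0.2.2", PROTO_UDP, struct.pack("!HHHH", 50000, VXLAN_PORT,
            16 + len(PLAIN), 0) + b"\x08\x00\x00\x00\x00\x00\x64\x00" + PLAIN))      # VXLAN, VNI 100
QINQ_MPLS_GRE = eth(ETH_MPLS, struct.pack("!I", (100 << 12) | 0x100 | 64)           # label 100, BoS, TTL 64
                    + ipv4("192.0.2.3", "192.0.2.4", PROTO_GRE, struct.pack("!BBHI", 0x20, 0, ETH_IPV4, 1234)
                           + ipv4("10.0.0.5", "10.0.0.9", PROTO_TCP, TCP_FWD)), vlans=(100, 200))
```

With only outer headers, the three encapsulated copies of this session would hash to different ports; with the inner 5-tuple they all reach the same analyzer.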

2. Traffic modification.
One of the broadest functions in terms of capabilities; its subfunctions and their uses are many:

  • removing the payload, so that only packet headers are passed to the analysis tool. This is relevant for analysis tools or traffic types where packet contents either play no role or cannot be analyzed. For encrypted traffic, for example, the exchange metadata (who, with whom, when and how much) may be of interest, while the payload is effectively garbage that occupies the channel and the analyzer's computing resources. Variants are possible in which the payload is cut off starting from a given offset, which gives analysis tools additional room;
  • detunneling, that is, removing the headers that designate and identify tunnels. The goal is to reduce the load on analysis tools and increase their efficiency. Detunneling can be based on a fixed offset or on dynamic header analysis with offset determination for each packet;
  • removing some packet headers: MPLS tags, VLAN tags, specific fields of third-party equipment;
  • masking parts of headers, for example masking IP addresses to anonymize traffic;
  • adding service information to the packet: timestamps, input port, traffic class labels, etc.

3. Deduplication – removing repeated packets from the traffic passed to analysis tools. Duplicate packets most often arise from the way the broker is connected to the infrastructure: traffic may pass through several capture points and be mirrored from each of them. TCP retransmissions also occur, but if there are many of them, that is a question for network quality monitoring rather than for information security.
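An added example (not from the article) of the deduplication rule in Python: the fingerprint skips VLAN tags and zeroes the TTL and IP header checksum, because those legitimately differ between capture points, while the IP ID and payload stay, so a TCP retransmission is kept as a distinct packet. The frames are constructed, with the IP checksum field left at 0.

```python
import hashlib, struct

class Deduplicator:
    """Suppress copies of one packet mirrored from several taps within `window` seconds.
    Fields that change between capture points (VLAN tags, TTL, IP checksum) are ignored."""

    def __init__(self, window=0.5):
        self.window, self.seen = window, {}            # fingerprint -> last time seen

    @staticmethod
    def fingerprint(frame):
        eth_type, off = struct.unpack_from("!H", frame, 12)[0], 14
        while eth_type == 0x8100:                       # strip 802.1Q tags
            eth_type, off = struct.unpack_from("!H", frame, off + 2)[0], off + 4
        body = bytearray(frame[off:])
        if eth_type == 0x0800 and len(body) >= 20:
            body[8] = 0                                 # TTL: decremented at each hop
            body[10:12] = b"\x00\x00"                   # header checksum: follows the TTL
        return hashlib.blake2b(bytes(body), digest_size=16).digest()

    def is_duplicate(self, frame, now):
        fp = self.fingerprint(frame)
        last = self.seen.get(fp)
        self.seen[fp] = now
        if len(self.seen) > 100000:                     # bound memory: evict expired entries
            self.seen = {k: t for k, t in self.seen.items() if now - t <= self.window}
        return last is not None and now - last <= self.window

def ipv4_frame(ttl, ip_id, payload, vlan=None):
    """Constructed test frame (not a capture): Ethernet[+VLAN] + IPv4 10.0.0.5 -> 10.0.0.9, TCP."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0, ttl, 6, 0,
                     b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x09")
    return b"\x02" * 6 + b"\x04" * 6 + tag + b"\x08\x00" + ip + payload

def run_demo():
    """Feed the same packet from two taps, a TCP retransmission, and a late repeat."""
    d = Deduplicator(window=0.5)
    seg = b"\x9c\x40\x01\xbb" + b"\x00" * 16 + b"hello"          # TCP 40000 -> 443 + payload
    results = [
        d.is_duplicate(ipv4_frame(64, 1000, seg), 0.00),              # tap A: first sight
        d.is_duplicate(ipv4_frame(63, 1000, seg, vlan=200), 0.01),    # tap B: same packet, one hop later
        d.is_duplicate(ipv4_frame(64, 1001, seg), 0.20),              # retransmission: new IP ID
        d.is_duplicate(ipv4_frame(64, 1000, seg), 2.00),              # same packet again, window expired
    ]
    return results                                                     # [False, True, False, False]
```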

4. Advanced filtering – from searching for specific values at a given offset to signature analysis across the entire packet.

5. NetFlow/IPFIX generation – collection of a wide range of statistics on passing traffic and its transfer to analysis tools.

6. Decryption of SSL traffic, which works provided that the certificate and keys have first been loaded into the network packet broker. Nevertheless, this significantly unloads the analysis tools.

There are many more functions, both useful and marketing-driven, but the main ones are probably listed here.

The evolution of detection systems (for intrusions and DDOS attacks) into prevention systems, as well as the introduction of active DPI tools, required a change in connection scheme from passive (via TAP or SPAN ports) to active (in-line). This raised the reliability requirements (since a failure now disrupts the entire network, not just loses control over information security) and led to the replacement of optical splitters with optical bypasses (to remove the dependence of network operation on the performance of the information security systems), but the main functionality and its requirements remained the same.

We have developed the DS Integrity network packet brokers with 100G, 40G and 10G interfaces, from design and circuitry to embedded software. Moreover, unlike other packet brokers, the modification and balancing functions for nested tunnel headers are implemented in our hardware, at full port speed.


Source: habr.com