Modern solutions for building information security systems - network packet brokers (Network Packet Broker)

Information security has separated from telecommunications into an independent industry with its own specifics and its own devices. But there is a small class of devices that stands at the intersection of telecommunications and information security - network packet brokers (Network Packet Broker), also called load balancers, specialized / monitoring switches, traffic aggregators, Security Delivery Platform, Network Visibility, and so on. And we, as a Russian developer and manufacturer of such devices, want to tell you more about them.


Scope and tasks to be solved

Network packet brokers are specialized devices that have found their widest application in information security. Because of this, the class is new and small-scale in the world of telecom equipment compared to switches, routers, etc. The pioneer in developing these devices was the American company Gigamon. Today there are many more players in this market (including the well-known test equipment manufacturer IXIA, which has similar solutions), but only a narrow circle of specialists still knows these devices exist. As noted above, even the terminology is not settled: the names range from "network transparency systems" to "balancers".

While developing network packet brokers, we found that, in addition to studying the recommendations for improving functionality and testing in labs / test sites, it was necessary to explain to potential customers that devices of this class exist at all, because not everyone knows about them.

Just 15-20 years ago there was little traffic on networks, and it was mostly non-critical data. But Nielsen's law echoes Moore's law: Internet connection speed grows by 50% every year. Traffic volume also grows steadily (the chart shows the 2017 forecast by Cisco, source: Cisco Visual Networking Index: Forecast and Trends, 2017-2022):

[Figure: Cisco VNI global IP traffic forecast, 2017-2022]
Along with the speed, the importance of the transmitted data (both commercial secrets and sensitive personal data) and the overall performance of the systems have grown.

Accordingly, the information security industry emerged. The industry responded with a whole range of deep packet inspection (DPI) tools: from DDoS attack protection to information security management systems, including IDS, IPS, DLP, NBA, SIEM, anti-malware and others. Most often, each of these tools is software installed on a server platform. Moreover, each tool (analyzer) is installed on its own server platform: the software vendors differ, and analysis at L7 requires a lot of computing resources.

When building an information security system, the following key problems have to be solved:

  • How to deliver traffic from the infrastructure to the analysis tools? (SPAN ports, originally designed for this purpose, are inadequate in modern systems in terms of quantity or performance)
  • How to distribute traffic among the different analysis tools?
  • How to scale the system when the performance of a single analysis tool is no longer enough to process the whole volume of traffic arriving at it?
  • How to monitor 40G / 100G interfaces (and in the future 200G / 400G), given that current analysis tools only support 1G / 10G / 25G interfaces?

And the following secondary tasks:

  • How to reduce the volume of traffic that does not need analysis but still reaches the analysis tools and consumes their resources?
  • What to do with encapsulated packets and packets carrying service tags added by network equipment, whose preparation for analysis becomes a resource-intensive or even unfeasible task?
  • How to exclude from analysis certain traffic that is not subject to the security policy (for example, the administrator's traffic)?

As everyone knows, demand creates supply, and telecom equipment vendors began developing devices to meet these needs.

General description of network packet brokers

Network packet brokers operate at the packet level, and in this respect they are similar to regular switches. The key difference from switches is that the rules for distributing and aggregating traffic in a network packet broker are defined entirely by the operator. Network packet brokers have no mechanisms for building forwarding tables (MAC tables) or for exchanging protocol messages with other switches (such as STP), so the set of possible functions and their field of application are much broader. A broker can distribute traffic from one or several input ports to one or several output ports with an even load on the outputs. Rules can be created for copying, filtering, classifying, deduplicating and transforming traffic. These rules can be applied to different groups of input ports of the network packet broker, and can also be applied sequentially, one after another, within the device itself. An important property of a packet broker is the ability to process traffic at full line rate and to maintain session integrity (when balancing traffic across several DPI systems of the same type).

Maintaining integrity means delivering an entire transport-layer session (TCP/UDP/SCTP) to a single output port. This matters because DPI systems (usually software running on a server connected to an output port of the packet broker) inspect application-layer content, and every packet sent or received by an application must arrive at the same analyzer. If the packets of one session are lost or split between different DPI devices, each DPI device finds itself in the position of reading not the whole text but individual words from it. And, most likely, the text will not be understood.

So, being aimed at information security systems, network packet brokers have functionality that helps connect DPI software systems to high-speed telecommunication networks and reduce the load on them: they perform preliminary filtering, distribution and preparation of traffic for convenient subsequent processing.

In addition, since network packet brokers generate various statistics and are usually connected to many points of the network, they also find their place when diagnosing problems in the operation of the network infrastructure itself.

Basic functions of network packet brokers

The name "specialized / monitoring switches" arose from the main purpose: to collect traffic from the infrastructure (usually through passive optical couplers, TAPs, and/or SPAN ports) and distribute it among the analysis tools. Traffic is mirrored (duplicated) between systems of different types and balanced between systems of the same type. Basic functions usually include filtering by fields up to L4 (MAC, IP, TCP/UDP port, etc.) and aggregation of several lightly loaded links into one (for example, to feed a single DPI system).

This functionality solves the main task of connecting DPI systems to the network infrastructure. Commercial solutions from various vendors, limited to the basic functions, offer up to 32 100G interfaces per 1U (more interfaces simply do not fit physically on a 1U front panel). However, they do not reduce the load on the analysis tools, and in complex infrastructures they cannot guarantee correct operation even of the basic functions: a session split across several tunnels (or carrying MPLS labels) may be balanced unevenly across different analyzers and, most often, drops out of analysis entirely.

In addition to adding 40/100G interfaces and, consequently, increasing performance, telecom vendors have been actively developing in terms of offering new features: from balancing by nested tunnel headers to traffic decryption. Unfortunately, such systems cannot boast terabit performance, but they make it possible to build efficient and "beautiful" information security systems, in which each analysis tool is guaranteed to receive only the data it needs, in the form most convenient for analysis.

Advanced network packet broker features

1. The balancing by nested headers in tunneled traffic mentioned above.

Why is this important? Let's consider three factors that can act together or separately:

  • ensuring even balancing with a small number of tunnels. If there are only two tunnels at the point where the security system is connected, it is impossible to spread them over three server platforms by outer headers while preserving integrity. At the same time, traffic in a network is distributed unevenly, and sending each tunnel to a separate analyzer would require excessive performance from the latter;
  • ensuring the integrity of sessions and flows of multi-protocol exchanges (for example, FTP and VoIP) whose packets ended up in different tunnels. The complexity of network infrastructure keeps growing: redundancy, virtualization, simplification of management, and so on. On the one hand, this increases the reliability of data transmission; on the other, it complicates the operation of information security systems. Even if the analyzers had enough performance to handle individual links with tunnels, the problem becomes unsolvable, because part of a user's session is sent over a different channel. Moreover, while some infrastructures still try to preserve session integrity, multi-protocol exchanges can take completely different paths;
  • accounting for the presence of MPLS, VLAN, vendor-specific fields, etc. These are not exactly tunnels, but nevertheless a device with only basic functions may interpret such traffic as non-IP and balance it by MAC addresses, once again violating either the evenness of balancing or the integrity of sessions.

The network packet broker parses the outer headers, follows the pointers to the nested IP header and balances on it. As a result, there are many flows (so they can be balanced evenly across many platforms), and the DPI system receives both whole sessions and complete multi-protocol exchanges.
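
The following Python sketch is an added illustration (not the article's or the DS Integrity product's code) of the two points above: it walks VLAN tags, GRE and VXLAN (the encapsulations assumed here) down to the innermost IPv4 header, builds a direction-independent 5-tuple key so both halves of a session land on the same output, and hashes that key to an output port. All sample frames are constructed inline.

```python
import hashlib, struct

def innermost_flow(frame):
    """Innermost IPv4 5-tuple (src, dst, proto, sport, dport) after VLAN/GRE/VXLAN (assumed tunnels), or None."""
    off, etype = 12, struct.unpack_from("!H", frame, 12)[0]
    while etype in (0x8100, 0x88A8):                   # VLAN tag(s), 4 bytes each
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if etype != 0x0800:
        return None                                    # a basic broker would fall back to MAC hashing
    while True:
        l4 = off + (frame[off] & 0x0F) * 4
        proto, src, dst = frame[off + 9], frame[off + 12:off + 16], frame[off + 16:off + 20]
        if proto == 47:                                # GRE: 4-byte base header + 4 per C/K/S flag
            flags, inner = struct.unpack_from("!HH", frame, l4)
            if inner != 0x0800:
                return None
            off = l4 + 4 + 4 * bin(flags & 0xB000).count("1")
            continue
        if proto == 17 and struct.unpack_from("!H", frame, l4 + 2)[0] == 4789:
            return innermost_flow(frame[l4 + 16:])     # VXLAN: 8B UDP + 8B VXLAN, then inner Ethernet
        ports = struct.unpack_from("!HH", frame, l4) if proto in (6, 17, 132) else (0, 0)
        return (src, dst, proto) + ports

def flow_key(five):
    """Direction-independent key, so both halves of a session land on the same output."""
    src, dst, proto, sport, dport = five
    lo, hi = sorted([(src, sport), (dst, dport)])
    return lo[0] + hi[0] + bytes([proto]) + struct.pack("!HH", lo[1], hi[1])

def pick_output(frame, n_outputs):
    """Output port index for a frame, or None when it cannot be flow-hashed."""
    five = innermost_flow(frame)
    if five is None:
        return None
    return int.from_bytes(hashlib.blake2b(flow_key(five), digest_size=4).digest(), "big") % n_outputs

# Constructed sample traffic (not a capture): a TCP exchange between hosts A and B carried in a
# VXLAN tunnel between VTEPs T1 and T2, plus a VLAN-tagged SIP datagram. Checksums are left zero.
MAC = bytes(12)
A, B, T1, T2 = bytes([10, 1, 1, 5]), bytes([203, 0, 113, 9]), bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])

def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def vxlan(vtep_src, vtep_dst, inner_eth):                # UDP to 4789 + 8-byte VXLAN header (VNI 100)
    udp = struct.pack("!HHHH", 40000, 4789, 16 + len(inner_eth), 0)
    return MAC + b"\x08\x00" + ipv4(vtep_src, vtep_dst, 17, udp + bytes.fromhex("0800000000006400") + inner_eth)

REQ = vxlan(T1, T2, MAC + b"\x08\x00" + ipv4(A, B, 6, struct.pack("!HH", 51000, 443) + bytes(16)))
REP = vxlan(T2, T1, MAC + b"\x08\x00" + ipv4(B, A, 6, struct.pack("!HH", 443, 51000) + bytes(16)))
SIP = MAC + bytes.fromhex("8100000a0800") + ipv4(A, B, 17, struct.pack("!HHHH", 5060, 5060, 8, 0))
```

Balancing on the outer VXLAN header alone would offer only one flow (T1 to T2) for every tenant session; the inner key makes each session a separate, evenly distributable flow.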

2. Traffic transformation.
One of the broadest functions in terms of its possibilities, with many sub-functions and options for applying them:

  • stripping the payload, so that only the packet headers are sent to the analysis tool. This is relevant for analysis tools or traffic types where the content of the packets is irrelevant or cannot be analyzed. For example, for encrypted traffic the exchange metadata (who, with whom, when and how much) may be of interest, but the payload is garbage that consumes the channel and the computing resources of the analyzer. The transformation can be performed by truncating the payload starting from a given offset, which gives the analysis tools additional flexibility;
  • detunneling, i.e. removing the headers that denote and identify tunnels. The goal is to reduce the load on the analysis tools and improve their performance. Detunneling can be performed by a fixed rule or with dynamic header identification and offset determination for each packet;
  • removing parts of packet headers: MPLS labels, VLAN tags, specific fields of third-party equipment;
  • masking parts of headers, for example masking IP addresses to anonymize the traffic;
  • adding service information to the packet: timestamp, input port, traffic class label, etc.

3. Deduplication - cleaning the data sent to the analysis tools of duplicate packets. Duplicate packets usually appear because of the nature of the connection to the infrastructure: traffic can pass through several monitoring points and be captured at each of them. Retransmissions of improperly delivered TCP packets also occur, but if there are many of them, that is more a matter of network quality monitoring than of information security.

4. Advanced filtering functions - searching for specific values at a given offset, or signature detection across the whole packet.

5. NetFlow/IPFIX generation - collecting various statistics about the passing traffic and sending them to the analysis tools.

6. Decryption of SSL traffic, which works provided that the certificates and keys have first been loaded into the network packet broker. Nevertheless, this makes it possible to offload the analysis tools.

There are many other functions, useful ones and marketing ones, but the main ones have probably been listed.
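
As an added illustration (not code from the article or its product), a time-window deduplicator in Python: the key skips L2 framing (MACs, VLAN tags) and zeroes the IPv4 TTL and header checksum, since copies captured at different tap points differ only in those fields, while a retransmission carrying a new IP ID is kept. The window length, the choice of ignored fields and the sample frames are assumptions.

```python
import hashlib, struct
from collections import OrderedDict

class Deduplicator:
    """Suppress copies of one IP packet captured at several tap points within `window` seconds.
    The key skips L2 framing (MACs, VLAN tags) and zeroes the IPv4 TTL and header checksum, since
    those legitimately differ between capture points (assumed policy); IP ID and payload must match,
    so a TCP retransmission carrying a new IP ID is not treated as a duplicate."""

    def __init__(self, window=0.05, max_entries=100_000):
        self.window, self.max_entries = window, max_entries
        self.seen = OrderedDict()                 # key -> first-seen timestamp, oldest first

    @staticmethod
    def key(frame):
        off, etype = 12, struct.unpack_from("!H", frame, 12)[0]
        while etype in (0x8100, 0x88A8):          # strip 802.1Q / QinQ tags
            off += 4
            etype = struct.unpack_from("!H", frame, off)[0]
        if etype != 0x0800:                       # non-IP: only byte-exact copies match
            return hashlib.blake2b(frame[off:], digest_size=16).digest()
        pkt = bytearray(frame[off + 2:])
        pkt[8], pkt[10:12] = 0, b"\x00\x00"       # TTL and header checksum
        return hashlib.blake2b(bytes(pkt), digest_size=16).digest()

    def is_duplicate(self, frame, now):
        """True if an equivalent packet was already forwarded within the window; else record it."""
        while self.seen and (now - next(iter(self.seen.values())) > self.window
                             or len(self.seen) > self.max_entries):
            self.seen.popitem(last=False)         # expire oldest entries first
        k = self.key(frame)
        if k in self.seen:
            return True
        self.seen[k] = now                        # not refreshed on duplicates, so periodic
        return False                              # identical packets are only suppressed once per window

# Constructed sample frames (not a capture): one HTTP segment captured at a core tap (VLAN 10,
# TTL 63) and at an edge tap (untagged, TTL 64), plus a TCP retransmission with a new IP ID.
A, B = bytes([10, 1, 1, 5]), bytes([203, 0, 113, 9])
SEG = struct.pack("!HHIIBBHHH", 51000, 80, 1000, 0, 0x50, 0x18, 65535, 0, 0) + b"GET / HTTP/1.1\r\n"

def ipv4(src, dst, ttl, ident, payload):          # checksum field is a placeholder, not computed
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, 6,
                       0xBEEF ^ ttl, src, dst) + payload

CORE = bytes.fromhex("020000000001" "020000000002" "8100000a" "0800") + ipv4(A, B, 63, 4242, SEG)
EDGE = bytes.fromhex("020000000003" "020000000004" "0800") + ipv4(A, B, 64, 4242, SEG)
RETX = bytes.fromhex("020000000003" "020000000004" "0800") + ipv4(A, B, 64, 4243, SEG)
```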

The integration of detection tools (for intrusions, DDoS attacks) into the systems that counter them, together with the appearance of active DPI tools, required a change in the connection scheme from passive (via TAP or SPAN ports) to active ("in-line"). This circumstance raised the reliability requirements (since a failure in this case disrupts the whole network, and not merely the monitoring of information security) and led to the replacement of optical couplers with optical bypasses (to solve the problem of the network's operability depending on the operability of the information security systems), but the main functionality and the requirements for it remained the same.

We developed the DS Integrity Network Packet Brokers with 100G, 40G and 10G interfaces, from circuit design and electronics to firmware. Moreover, unlike other packet brokers, transformation and balancing by nested tunnel headers are implemented in hardware, at full port speed.


Source: www.hab.com
