10 Criteria for Evaluating NPB, Security Architect Edition
Most large organizations rely on network packet brokers (NPBs) to provide visibility to network tools and security systems,
as NPBs enable the pervasive, scalable network access that TAPs alone cannot. If your IT group is tasked with evaluating an
NPB solution for security deployments, you need an assessment framework to ensure both business and technical goals are
The following ten criteria represent the key requirements of best practice network visibility deployments. Consider these criteria
to help your organization preserve existing tool investments, reduce the costs of new investments, and ease the scale out of
network infrastructure and security systems.
Extend visibility across both physical and virtual infrastructure (in traditional and SDN/NFV environments)
According to Gartner Research, over 70% of server workloads will be virtualized by 2014 (1), so it’s critical for network
security architects to gain visibility into traffic occurring on virtual servers in order to apply organizational monitoring
and security policies to it—without disrupting or degrading traffic by deploying agents, taxing the hypervisor, or
occupying compute slots.
The NPB system must also be able to seamlessly scale packet access and delivery across both physical and logical
network boundaries, delivering a fully interconnected mesh architecture over LAN and WAN segments. Such levels of
network reach, resilience, and flexibility—not limited to daisy chain or hub-and-spoke—will ensure continuous uptime
for network security systems.
Deliver network traffic to active/inline tools, passive/out-of-band tools, and direct to network attached
Large scale network security deployments are typically designed to inspect data in motion (live traffic), as well as data
at rest (newly copied and historical). Each tool type (active and passive) requires unique capabilities in order to ensure
optimization and protection. For instance, inline systems need to be continuously monitored to ensure they’re capable
of remaining a bi-directional link in the monitoring chain. The NPB solution should be able to send traffic to both active
and passive tools, while ensuring 100% network uptime and high-availability monitoring.
The NPB solution should also be able to accommodate delivery of network data directly to NAS in an open format
(e.g. libpcap). Capturing network traffic in an open format and storing it on a high-end server of choice enables flexible
visibility. Continuous capture for compliance can be made more cost effective, and libpcaps stored based on policy or
at the event-driven command of the security systems can be analyzed by one or multiple tools or internally developed
Address traffic microbursts to ensure continuous capture and prevent tools from dropping packets
When it comes to security and forensics, most tool vendors recommend copying and forwarding 100% of the network
traffic from SPAN ports or passive TAPs to ensure the tools have full visibility at each access point. When copying 100%
of SPAN/TAP traffic or when using NPBs to perform aggregation from multiple networks, there’s a risk the tools will
suffer packet loss when the network experiences temporary volume spikes.
(1) “Forecast Analysis: Data center, Worldwide, 2010-2016,” Gartner Research, 2012.
In any network experiencing microbursts, the NPB vendor must be able to accommodate them in the following ways:
a) Provide buffering to handle microbursts and prevent packet loss to tools
b) Help avoid major network redesign or additional tool costs by precisely identifying and measuring over time where
and to what degree the microbursts are occurring.
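To make points a) and b) concrete, here is an added simulation (not from the paper or from VSS) of a tool port fed by an NPB: a constructed packet trace whose average load is about 1% of a 1 Gbps tool link still drops packets during a 0.4 ms burst unless the broker buffers, and a per-millisecond byte histogram locates the burst. The tool link rate, buffer size and trace are assumptions chosen for illustration.

```python
from collections import Counter

def constructed_trace():
    """Constructed sample: (arrival_ms, bytes). A 1 pkt/ms baseline plus a
    40-packet burst squeezed into 0.4 ms around t=50 ms (a microburst)."""
    pkts = [(float(t), 1000) for t in range(100)]
    pkts += [(50.0 + i * 0.01, 1500) for i in range(40)]
    return sorted(pkts)

def average_utilization(packets, rate_bps):
    """Fraction of tool-link capacity used when averaged over the whole trace."""
    span_s = (packets[-1][0] - packets[0][0]) / 1000
    return sum(b for _, b in packets) * 8 / (rate_bps * span_s)

def bytes_per_ms(packets):
    """Histogram of bytes per 1 ms window: shows where and how hard bursts hit."""
    hist = Counter()
    for t, size in packets:
        hist[int(t)] += size
    return hist

def simulate_tool_ingest(packets, rate_bps, buffer_bytes):
    """Serialize packets onto a tool link of rate_bps with buffer_bytes of NPB
    queueing in front of it. A packet is dropped when the bytes already queued
    ahead of it exceed the buffer. Returns (delivered, dropped, drops_by_ms)."""
    busy_until_ms = 0.0          # when the link finishes its current backlog
    delivered = dropped = 0
    drops_by_ms = Counter()
    for t, size in packets:
        queued_bytes = max(0.0, busy_until_ms - t) / 1000 * rate_bps / 8
        if queued_bytes > buffer_bytes:
            dropped += 1
            drops_by_ms[int(t)] += 1
            continue
        start = max(t, busy_until_ms)
        busy_until_ms = start + size * 8 / rate_bps * 1000
        delivered += 1
    return delivered, dropped, dict(drops_by_ms)

if __name__ == "__main__":
    trace = constructed_trace()
    print(f"average utilization: {average_utilization(trace, 1e9):.1%}")
    peak_ms, peak_bytes = max(bytes_per_ms(trace).items(), key=lambda kv: kv[1])
    print(f"busiest 1 ms window: t={peak_ms} ms, {peak_bytes} bytes")
    for buf in (0, 16_000):
        d, x, where = simulate_tool_ingest(trace, 1e9, buf)
        print(f"buffer={buf:>6} B: delivered={d} dropped={x} drops in ms {sorted(where)}")
```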
Optimize network tools and reduce costs by preprocessing network traffic in hardware
When delivering network traffic to the tools, the NPB vendor must be able to accommodate both active and passive
aggregation. In the case of active tools, the aggregation function should support 802.1q and 802.1ad tagging
standards (Q-in-Q), as well as MAC learning (2). These features effectively expand the network range of the security
tools and enable them to analyze asymmetrically routed traffic in both 1G and 10G networks and beyond.
Filtering L2-4 is an essential feature of NPB solutions, but additional L7 filtering can better optimize the network traffic
consumed by security systems, particularly when different types of applications carry different risks. As an example, the
NPB could filter out all Netflix and corporate VoD traffic before sending multi-gigabits of flows to the Advanced Web
Malware Prevention Appliance, preventing the appliance from needlessly processing or analyzing traffic.
This level of advanced traffic aggregation and filtering will help avoid tool oversubscription (or underutilization),
maximizing the effective throughput for each security and monitoring tool. Throughput optimization can drastically
reduce both initial capital investment and ongoing operating costs.
Maintain service assurance for both security operations and network operations
Network security operations teams are constantly under pressure to enhance security defenses and forensics
capabilities, while adhering to Service Level Agreements (SLA) and increasing Governance, Risk and Compliance
(GRC) mandates. Teams are often engaged in security system evaluations and proof-of-concept (POC) deployments.
These POCs might be pilot deployments of next generation firewall or IPS solutions, or the evaluations of best-of-breed
advanced malware tools or SSL decryption appliances to help protect against hidden threats. Each POC, along
with other ongoing projects and fire drills, involves change management requests and collaboration with the network
operations team. The network security design team and the network engineering team each has its own challenges and
pressures, particularly around migration and service assurance.
It’s critical that the NPB solution offer failsafe assurance both on the network and the tool side. For the security team
in particular, it must provide active, failsafe bypass capability to simulate bump-in-the-wire functionality, replicating
the link state on both sides to allow the network’s link aggregation and redundancy to work. In other words, it should
ensure that both east- and west-bound switches see any link failure state and fail traffic over to backup links accordingly
(HSRP, active/active failover design). The NPB system must make each of the POCs simpler to bring up and deploy.
The NPB solution must maintain network service assurance (99.999% uptime) while providing fault tolerance and High
Availability (HA) for each active security and passive forensics and monitoring tool. This level of service assurance to
both teams will enable the entire IT organization to rapidly evaluate and deploy best-in-class security solutions without
the need for re-instrumenting the network or negatively impacting network services and SLAs.
Enhance & expand security service chaining to achieve “defense in depth”
Service chaining allows security teams to effectively scale defense depth and proactively mitigate against evolving
advanced targeted attacks, malware and zero day exploits—but it’s imperative the NPB vendor have a proven
reference architecture for service chaining with both inline and passive security and monitoring tools.
In addition to active failsafe bypass features, the NPB solution needs to perform customizable tool health checks and
event triggers to check both the software stack and the heartbeat (power or link up state) for each tool in the security
service chain. Health check monitoring enables the flexibility and confidence needed to add best-in-class inline and
passive security tools as needed. Ensure health checks can be performed not just by each tool’s NPB device but across
all NPB devices, and that they can monitor tool or link failures on local and remote NPB devices before redirecting
traffic or sending copies of actionable traffic to them.
(2) “MAC learning” uses a learning algorithm based on MAC addressing to map traffic from multiple network links to their respective internal aggregated
network identifier. Contact VSS for additional detail: http://www.vssmonitoring.com/corporate/info.asp?subject=question&src=10crit
Integrate network tools with NPBs to intelligently define capture controls in real time
Some NPBs promise to improve continuous monitoring initiatives, but most do not leverage the intelligence of the
security systems to determine capture parameters in real time. The following features can greatly enhance the
relevance of captured traffic to enable proactive and intelligent monitoring:
RESTful API that can be configured & invoked via XML
Triggers for traffic filtering, full or selective packet capture and/or traffic flow redirection based on known intelligence
(e.g. L2-L7 information like IP, MAC, URL, specific Hex value in header section)
Targeted, tool-directed capture and store, where security systems initiate a command to the NPBs to send traffic to
tools, or libpcaps to NAS, for further analysis/troubleshooting
Validated reference architecture for integrating with security and forensic vendors.
Optimize and scale bi-directional SSL visibility to monitor encrypted applications (e.g. social media) and
protect against hidden malware
Many security and forensics tools are rapidly losing traffic visibility due to widespread adoption of cloud based
services and social media applications which use SSL/TLS to meet privacy requirements. Promised ROI from existing
IPS and Security Gateway solutions, as well as new Advanced Malware Prevention tools, are simultaneously
diminishing, along with the ability to defend against advanced targeted attacks leveraging SSL/TLS channels for spear
phishing, command and control communications, and data exfiltration. Relying on onboard tool decryption may not
be the answer, as the associated performance costs and overall limitations are high. This assessment is shared by
security analysts such as John Pirc and Dave Shackleford (3).
A proven alternative to onboard tool decryption is the use of NPBs that are capable of both inline active and passive
packet delivery and load balancing in conjunction with dedicated, transparent SSL proxies. This combined solution will
enable the security tools to monitor and protect Gmail, Facebook and other social media applications that are using
advanced public key encryption and key exchange standards like DHE, ECDHE, and DSA.
The need to provide 100% network visibility (including inside SSL/TLS tunnels) to your inline IPS solutions is clear, but
it may also be advantageous to offer similar (SSL inclusive) visibility to passive forensics, monitoring and full packet
analytic tools. These tools may not be in close proximity to your inline tools, so the NPB solution needs to be able to
deliver copies of decrypted traffic in a reliable and secure manner (e.g. encapsulated over TCP/IP with support for
AES 128 or better) across LAN or WAN network boundaries.
Select an NPB vendor that has proven reference designs for joint deployments with transparent SSL proxies.
Use Deep Packet Inspection (DPI) to capture flows containing keywords or email targets
Most NPB vendors offer L2-L4 filtering; however, there are many use cases such as lawful interception (LI), forensic
analysis, and DPI enabled performance monitoring for video and VoIP analytics, where more advanced filtering is
required. Consider NPB systems that can filter based on payload content. Look for NPB vendors that offer deep packet
filtering, e.g. Regular Expression (RegEx) based, so you can gain flexibility to perform custom searches across packet
boundaries and identify specific network flows.
In some use cases (e.g. LI), specific flows need to be identified with a very high assurance level before they are
forwarded to an analytics or forensics tool. In other cases, specific flows need to be filtered out from large volumes
of traffic before forwarding the remaining traffic to security tools—this may be required to ensure compliance with
stringent legislative or risk mandates.
An NPB capable of deep traffic grooming before data comes to rest (stored on disk) will uniquely optimize the toolsets
(including those leveraging DPI), and enable considerable CAPEX and OPEX savings.
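The reason the paper insists on searches "across packet boundaries" is shown by this added example (not from the paper or from VSS): a keyword split over two TCP segments is invisible to a per-packet regex but found once the flow is reassembled by sequence number. The flows, payloads, and simplified segment tuples (flow key, relative seq, payload) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample flows (documentation address ranges, not real hosts).
FLOW_A = ("10.0.0.5:44321", "203.0.113.9:443")
FLOW_B = ("10.0.0.7:51002", "198.51.100.20:80")

def make_segments(flow, chunks):
    """Turn payload chunks into (flow, seq, payload) segments with contiguous seq."""
    segs, seq = [], 0
    for chunk in chunks:
        segs.append((flow, seq, chunk))
        seq += len(chunk)
    return segs

SEG_A = make_segments(FLOW_A, [b"GET /report?id=42 HTTP/1.1\r\nX-Note: exfi",
                               b"l-token=ABCD1234\r\nHost: example.test\r\n\r\n"])
SEG_B = make_segments(FLOW_B, [b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"])
# Arrival order as the broker sees it: out of order, with one retransmitted segment.
PACKETS = [SEG_A[1], SEG_B[0], SEG_A[0], SEG_A[1]]
PATTERN = re.compile(rb"exfil-token=[A-Z0-9]+")   # constructed keyword to look for

def per_packet_matches(packets, pattern):
    """Naive L7 filter: regex on each packet alone. Misses keywords split across packets."""
    return {flow for flow, _, payload in packets if pattern.search(payload)}

def reassemble(packets):
    """Rebuild each flow's byte stream by seq; skip retransmitted/overlapping bytes
    and stop at a hole (a real broker would hold the flow until the gap is filled)."""
    by_flow = defaultdict(list)
    for flow, seq, payload in packets:
        by_flow[flow].append((seq, payload))
    streams = {}
    for flow, segs in by_flow.items():
        buf = b""
        for seq, payload in sorted(segs):
            if seq > len(buf):
                break
            buf += payload[len(buf) - seq:]
        streams[flow] = buf
    return streams

def flow_matches(packets, pattern):
    """Flow-level DPI: regex over the reassembled stream, so a match may span packets."""
    return {flow for flow, stream in reassemble(packets).items() if pattern.search(stream)}

if __name__ == "__main__":
    print("per-packet:", per_packet_matches(PACKETS, PATTERN))   # empty set
    print("per-flow:  ", flow_matches(PACKETS, PATTERN))         # {FLOW_A}
```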
(3) “The Elephant in the Room” by John Pirc. <https://www.nsslabs.com/blog/ssl-decryption-elephant-room>
“Blind as a Bat” by Dave Shackleford. SANS <http://www.sans.org/reading-room/analysts-program/vss-BlindasaBat?ref=117957>