Design of Internet gateways in organizational networks almost always revolves around two basic requirements: security and high availability.
Network traffic security is typically enforced with a growing number of inline security devices that receive and forward traffic: firewall, secure web gateway (web proxy), secure mail gateway (mail proxy), ATP inspection, DLP, IPS/IDS, SSL inspection, Deep Packet Inspection (DPI), and so on.
On paper, an inline topology may look something like this:
High availability in an inline scenario has traditionally been achieved through network path redundancy, using Spanning Tree Protocol (STP) to construct an alternative network path to the gateway router, often combined with Cisco's HSRP protocol to provide a redundant default gateway. A typical overview of this solution is shown in the figure below:
The problem with this legacy architecture lies in newer security requirements, especially ATP inspection and mitigation devices (e.g. Trend Micro or FireEye) and visibility requirements for encrypted SSL communications: the network path from the LAN to the router and the Internet must pass through a growing number of potential points of failure. Additional disadvantages of this approach are:
- Support for Active/Passive high availability only, i.e. only half of the network devices are in use at any given moment (Master/Slave mode). We are therefore investing in idle equipment.
- Scalability suffers: adding devices to the traffic chain in order to expand capacity is not simple.
- All devices receive all traffic, although some of them have no interest in every packet; each device must therefore be sized to handle the overall bandwidth.
- Network maintenance and administration become very complex, and the STP protocol is notorious for being extremely difficult to troubleshoot.
With Gigamon packet broker technology, you can customize your Internet gateway design to achieve full scalability and flexibility in times of ever-increasing security requirements and a growing number of network devices placed in the Internet gateway path. The advantages of this packet broker architecture are numerous:
- Drastically simplified network maintenance and scalability: adding, switching off or upgrading individual devices can be done without an outage.
- Increased efficiency and utilization of network devices, i.e. each device no longer has to process all traffic: for example, processing SIP and audio-video media content with the ATP solution is of questionable value. This makes it possible to substantially revise the capacity requirements of individual network devices and achieve considerable savings with greater flexibility.
- Reduced number of points of failure, plus inline bypass (failopen) features.
- Integration with inline and out-of-band solutions such as SIEM, NetFlow, IDS, etc.
- Possibility of intelligent traffic routing to different tools, i.e. packet consumers: e.g. SMTP traffic sent only to mail scanning solutions, or metadata only to the SIEM (TCP session data, URLs in HTTP requests, content type in responses, data from SSL certificates, etc.). This makes network tools faster, especially when it comes to network analytics and similar processes.
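To make the steering and bypass behaviour of the last three points concrete, here is a small model added for this article; it is not Gigamon's code or configuration. The tool names, the port-based traffic classes, the rule order and the per-tool fail-open policy are all assumptions of the example. Each constructed flow is matched against an ordered rule table, sent only to the inline tool groups that need it, copied to the out-of-band consumers, and routed around any inline group that reports unhealthy when that group is allowed to fail open.

```python
"""Toy model of packet-broker traffic steering with inline bypass (failopen).

Constructed example: the tool inventory, ports and policy below are assumptions,
not a description of any real deployment or of Gigamon's own configuration.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Flow:
    """A constructed sample flow; only the fields the rules inspect."""
    proto: str        # "tcp" or "udp"
    dst_port: int
    label: str = ""


@dataclass
class ToolGroup:
    """A tool (or HA pair of tools) attached to the broker.

    inline=True: traffic must return from the tool before moving on.
    inline=False: the tool only receives a copy (SIEM, NetFlow, IDS).
    fail_open: if the tool is down, skip it (True) or drop traffic (False).
    """
    name: str
    inline: bool
    fail_open: bool = True
    healthy: bool = True


@dataclass
class Rule:
    """First-match steering rule: the inline tool groups a traffic class visits."""
    name: str
    match: Callable[[Flow], bool]
    tools: tuple


@dataclass
class Decision:
    path: list        # ordered inline tool groups the flow traverses
    bypassed: list    # unhealthy inline groups skipped (failopen)
    copies: list      # out-of-band groups receiving a copy
    dropped: bool     # True when a fail-closed inline group is down


# Hypothetical inventory. The firewall is deliberately fail-closed: losing it
# should not silently expose the LAN, whereas an inspection tool may be bypassed.
TOOLS = {
    "fw":          ToolGroup("fw", inline=True, fail_open=False),
    "web_proxy":   ToolGroup("web_proxy", inline=True),
    "mail_gw":     ToolGroup("mail_gw", inline=True),
    "atp":         ToolGroup("atp", inline=True),
    "ssl_inspect": ToolGroup("ssl_inspect", inline=True),
    "siem":        ToolGroup("siem", inline=False),
}

# Ordered, first-match rule table: each class only visits the tools that need it.
RULES = [
    Rule("smtp", lambda f: f.proto == "tcp" and f.dst_port in (25, 587),
         ("fw", "mail_gw", "atp")),
    Rule("https", lambda f: f.proto == "tcp" and f.dst_port == 443,
         ("fw", "ssl_inspect", "web_proxy", "atp")),
    Rule("http", lambda f: f.proto == "tcp" and f.dst_port == 80,
         ("fw", "web_proxy", "atp")),
    # SIP signalling and RTP media skip the ATP engine entirely.
    Rule("sip-rtp", lambda f: f.proto == "udp" and
         (f.dst_port in (5060, 5061) or 16384 <= f.dst_port <= 32767),
         ("fw",)),
]
DEFAULT_TOOLS = ("fw", "atp")   # anything unclassified still gets firewall + ATP
OUT_OF_BAND = ("siem",)         # always receives a copy, never in the data path


def steer(flow, rules=RULES, tools=TOOLS, default=DEFAULT_TOOLS, oob=OUT_OF_BAND):
    """Decide where the broker sends one flow, honouring health and fail-open."""
    selected = default
    for rule in rules:
        if rule.match(flow):
            selected = rule.tools
            break
    # Out-of-band copies are taken before the inline chain, so they are
    # delivered even when the inline path later drops the flow.
    copies = [n for n in oob if tools[n].healthy]
    path, bypassed = [], []
    for name in selected:
        group = tools[name]
        if group.healthy:
            path.append(name)
        elif group.fail_open:
            bypassed.append(name)          # failopen: route around the dead tool
        else:
            return Decision([], bypassed, copies, dropped=True)
    return Decision(path, bypassed, copies, dropped=False)


if __name__ == "__main__":
    for f in (Flow("tcp", 25, "smtp"), Flow("udp", 5060, "sip"), Flow("tcp", 443, "https")):
        print(f.label or f"{f.proto}/{f.dst_port}", steer(f))
```

Two design points are worth carrying into a real flow map: rules are evaluated in order, so a broad class placed first would shadow the narrower ones below it, and the fail-open decision is per tool, not global, so the firewall can stay fail-closed while inspection engines are bypassed.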