Get to Know Advanced Network Packet Broker Features

By: Yigal Amram, December 24, 2018

Network visibility isn’t a luxury—it’s a necessity if you want to keep applications running smoothly and sensitive data secure. But the simple, SPAN port-driven approaches to network visibility that worked in the past aren’t enough anymore.

As your network architecture expands and you keep adding tools for security, performance management, and monitoring, you need a more comprehensive network visibility layer.

That’s where network packet brokers (NPBs) have come into play in recent years. Alongside network taps and bypass switches, network packet brokers have allowed you to aggregate, filter, and load balance traffic across your many security and monitoring tools.

However, as networking needs have evolved, vendors have introduced new features to the network packet broker market. Aggregating large volumes of data is a given. Intelligent packet routing is a given. And out-of-band operation with pre-filtering capabilities is expected to improve security.

The evolution of network packet brokers won’t stop there, though. As network complexity and demands continue to increase, you’ll have to assess the value of more advanced NPB features.

There are four advanced NPB features that you should start getting to know now.

1. Metadata Engine Capabilities

Network metadata has become increasingly important to cybersecurity in recent years. As attacks become more advanced, you need as much information as possible about the packets you’re transmitting and receiving.

While SNMP counters can give you an idea of bandwidth usage, identifying malicious activity or gaining insights into performance problems requires more.

In the past, network metadata protocols like NetFlow, IPFIX, and IBM QRadar’s Log Event Extended Format (LEEF) produced data that existed in a silo. By bringing metadata engine capabilities into NPBs, you can forward more contextual packet data to security and monitoring tools for deeper analysis.

2. SSL Decryption

By 2019, 75% of web traffic will carry SSL or TLS encryption. To maximize network security, you’ll need a plan to decrypt this traffic before sending it to your tools.

With SSL/TLS decryption (both inline and out of band) built in, your network packet brokers become more effective aggregators. Instead of forcing your security and monitoring tools to decrypt and re-encrypt traffic, your NPB can lighten the burden and streamline the process.

However, it’s important not to over-burden your network packet brokers. Just because SSL/TLS decryption is built in doesn’t mean NPBs are meant to be the sole point of contact. In some cases, it may make sense to have a dedicated SSL/TLS decryption tool connected to NPBs. Choosing when to go further than built-in NPB capabilities depends on your specific networking needs.

3. Application Session Filtering

Network packet brokers have always promised to filter traffic as necessary to optimize packet volume for individual tools. And adaptive packet filtering took that idea a step further by sorting through the contents of individual packets.

Application session filtering is a more advanced feature that focuses on extracting sessions deemed unnecessary for analysis. This further optimizes the performance of security and monitoring tools and reduces overall resource utilization.

Drilling down into specific packets is important for security and monitoring tools. But elevating the conversation at the NPB level and filtering based on application sessions will only increase the performance of connected tools.

4. Deduplication

While deduplication is quickly becoming the norm for NPB vendors, we’re still at a point where it can be considered advanced.

If you’re still relying on SPAN ports for network monitoring, deduplication is especially important. Because you’re mirroring traffic, the odds that you’re duplicating packets as opposed to aggregating and filtering them are much greater than when network taps are the foundation of visibility.

With deduplication built into NPBs, you don’t have to worry about duplicate packets degrading performance on your security and monitoring tools. Instead, packets are sent to an internal packet processor and optimized for delivery to everything from IDS and IPS to forensics, network analyzers, and more.
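To make the deduplication step concrete, here is an added example (not code from any NPB vendor or from this article) of a time-windowed deduplicator for mirrored traffic. It assumes raw IPv4 packets with the Ethernet header already stripped; the 50 ms window, the choice to mask the TTL and header checksum, and all names and sample packets are illustrative assumptions.

```python
import hashlib
import struct
from collections import OrderedDict

def ipv4_packet(src, dst, ttl, ident, payload):
    # Build a constructed IPv4 packet (protocol field 17, no options) for the demo.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, 17, 0, bytes(src), bytes(dst))
    csum = sum(struct.unpack("!10H", hdr))
    csum = (csum & 0xFFFF) + (csum >> 16)
    csum = ~(csum + (csum >> 16)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def fingerprint(pkt):
    # TTL and header checksum change at every routed hop, so zero them
    # before hashing; everything else must match for a duplicate.
    masked = bytearray(pkt)
    masked[8] = 0                  # TTL
    masked[10:12] = b"\x00\x00"    # header checksum
    return hashlib.sha256(masked).digest()

class Deduplicator:
    def __init__(self, window_s=0.05):
        self.window_s = window_s
        self.seen = OrderedDict()  # fingerprint -> first-seen timestamp

    def accept(self, ts, pkt):
        """Return True to forward the packet, False to drop it as a duplicate."""
        # Expire fingerprints older than the window (oldest entries first).
        while self.seen and next(iter(self.seen.values())) < ts - self.window_s:
            self.seen.popitem(last=False)
        fp = fingerprint(pkt)
        if fp in self.seen:
            return False
        self.seen[fp] = ts
        return True

def run_demo():
    a, b = (10, 0, 0, 5), (10, 0, 1, 9)
    feed = [  # constructed (timestamp, packet) pairs from two mirror points
        (0.000, ipv4_packet(a, b, 64, 1, b"payload-A")),
        (0.001, ipv4_packet(a, b, 63, 1, b"payload-A")),  # same packet, one hop later
        (0.002, ipv4_packet(a, b, 64, 2, b"payload-A")),  # new packet (new IP ID)
        (0.500, ipv4_packet(a, b, 64, 1, b"payload-A")),  # outside the window: kept
    ]
    dedup = Deduplicator(window_s=0.05)
    return [dedup.accept(ts, pkt) for ts, pkt in feed]

if __name__ == "__main__":
    print(run_demo())
```

The window bounds memory and keeps legitimate retransmissions that arrive later from being silently dropped, which matters when the downstream tool is an IDS or forensics recorder.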

Evaluating Your Specific Network Packet Broker Needs

As vendors add more and more advanced features to their NPBs, your job will be to evaluate the market more closely before making investments. These are critical components of your network visibility layer, but that doesn’t mean you have to focus on finding NPBs with every possible feature built in.

Instead, you need to evaluate your network visibility needs and find solutions that will support your architecture today, while setting you up for success down the road. Whether that means including support for emerging, advanced features or not is a choice you’ll have to make.

You don’t have to make NPB decisions blindly, though. There’s more than enough information out there to help you sort through the different features and capabilities of the network packet broker market.

