
Using Network Packet Brokers in Campus Deployments

By: André Vink, June 12, 2019

A leading education and research institution faced security, management, flexibility and robustness challenges pertaining to network visibility.

Niagara Networks N2 Network Packet Broker provided a highly configurable and robust, performance-enhancing aggregation point coupled with an enhanced "inline tap" for selective forwarding of traffic to security and monitoring tools.

Background

The customer is a private research university located in the southwestern United States. It is among the top 10 largest research universities in the US by research funding, has an enrollment of more than 15,000 students, and supports a staff of over 39,000 (when counting the security-conscious health organization associated with the university). The university IT department serves various teaching and research facilities that include clinics, labs, three hospitals, and more.

As a leading research and teaching establishment, the university’s Chief Information Security Officer (CISO) confronted several critical priorities. While some of these are heightened because of the university’s particular goals, most are shared by CISOs of other similar public and private institutions of higher learning and research.

Situation

The university has several campuses spread over a relatively wide geographical area, with each campus deploying its own communications network, which presents a number of challenges for network and security administrators. Specifically, the CISO is concurrently focused on two conflicting priorities: optimizing the utilization and cost of network security and monitoring tools, while also providing a comprehensive and consistent level of security and policy enforcement for traffic across the campuses.

The different research facilities, schools and student traffic span separate wired and wireless networks on each campus, with a level of granularity in traffic handling and policies that is more complex than that of similarly sized enterprises.

Last but not least, providing students with the best user experience and application response times means that the university’s bandwidth requirements are higher and more varied than those of a similarly sized enterprise. As such, the university’s network infrastructure is required to have headroom to support migration to higher rates over time.

Network Visibility Challenges

With the dramatic increase in network traffic and the consequent network visibility requirements, the limitations of the university’s existing network visibility solution became painfully self-evident. First, from a management standpoint, the existing solution’s inelegant user interface for policy management capabilities such as filtering and configuration was found to be a major challenge.

In addition, the existing system was a “closed box” monitoring approach that provided limited operational and performance insight. While the university used SNMP counters and Syslog alerts, it lacked an application programming interface (API) for consistent and reliable monitoring of application-specific traffic and for the implementation of network configuration changes.

Beyond the limitations of its current network visibility infrastructure, the university has numerous additional network monitoring requirements driven by the expansion of their network environment and aggregate network traffic.

Specifically, the network visibility infrastructure was required to meet two use cases, one out-of-band and one inline:

  • Tapping multiple passive tap copies of 10 Gigabit (10Gb) east-west network traffic, including aggregating, filtering and load-balancing this traffic to a set of out-of-band security and monitoring tool clusters.
  • “Inline tap” of 10Gb links, which allows for selectively forwarding both east-west and north-south traffic to inline security devices, as well as providing the ability to bypass or reroute this traffic in the face of the failure of a downstream inline device.
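To make the two use cases concrete, here is an added toy model (example code, not Niagara's firmware or configuration) of what a packet broker does on each path: aggregating tap copies, applying a filter rule, load-balancing flows across an out-of-band tool cluster with a direction-agnostic hash so both halves of a session reach the same tool, and bypassing the inline device when its health check fails. The packet fields, tool names and the `PacketBroker` class are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


def flow_key(p: Packet) -> tuple:
    """Direction-agnostic 5-tuple: A->B and B->A produce the same key."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])


def pick_tool(p: Packet, tools: List[str]) -> str:
    """Hash-based load-balancing: a given flow always lands on the same tool."""
    digest = hashlib.sha256(repr(flow_key(p)).encode()).digest()
    return tools[int.from_bytes(digest[:4], "big") % len(tools)]


class PacketBroker:
    """Hypothetical broker model covering the out-of-band and inline paths."""

    def __init__(self, oob_tools: List[str], keep: Callable[[Packet], bool]):
        self.oob_tools = oob_tools
        self.keep = keep                  # filter rule applied after aggregation
        self.inline_tool_healthy = True   # heartbeat state of the inline IDS

    def out_of_band(self, tapped: List[Packet]) -> Dict[str, List[Packet]]:
        """Aggregate copies from several taps, filter, then load-balance."""
        assignments: Dict[str, List[Packet]] = {}
        for pkt in tapped:
            if self.keep(pkt):
                assignments.setdefault(pick_tool(pkt, self.oob_tools), []).append(pkt)
        return assignments

    def inline(self, pkt: Packet) -> str:
        """Inline path: hand the packet to the IDS, or bypass it on heartbeat failure."""
        return "inline_ids" if self.inline_tool_healthy else "bypass"


# Constructed sample traffic: one TCP session in both directions plus a UDP packet.
SAMPLE = [
    Packet("10.0.0.1", "10.0.0.2", 40000, 443, "tcp"),
    Packet("10.0.0.2", "10.0.0.1", 443, 40000, "tcp"),
    Packet("10.0.0.3", "10.0.0.4", 5000, 514, "udp"),
]
```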

Solution

The university’s Manager of Security Operations and Engineering explored an extensive range of network visibility solutions and found that the Niagara N2 2847 Network Packet Broker (NPB) visibility platform provided a single platform for optimally meeting the requirements of both use cases. Especially attractive was the N2 2847 NPB’s non-disruptive support for a range of modules, such as passive tap, bypass and packet broker modules.

Figure 1. Niagara 2847 Deployment in University Network

The N2 bypass module’s support for double protection bypass technology, which provides non-stop availability in the face of the failure of inline security appliances, was an especially unique feature in light of the university’s visibility requirements.

In addition, the availability of 10Gb modules supporting multi-mode short-reach (SR) as well as single-mode long-reach (LR) fiber connectivity allowed the N2 to support, out of the box, appliances offering different types of fiber connectivity. Lastly, the availability of 40GbE modules provided the headroom to seamlessly support the institution’s requirements for expansion of network traffic bandwidth.

The Niagara customer also wanted to use the Sourcefire intrusion detection system (IDS) inline for both external north-south and internal east-west traffic. With the Niagara Networks N2 NPB solution they were able to optimize the use of resources, configuring the N2 2847 to efficiently route traffic flows from both internal and external networks to the shared inline IDS appliances.

Success

The Niagara N2 solution was the perfect match for the institution’s network visibility needs for both inline and out-of-band appliances. The Niagara Networks N2 NPB provided the customer with a cost-effective solution with an intuitive, easy-to-use user interface and a robust set of features. The IT staff was satisfied with the improved performance, robustness, and visibility of the overall system.

In addition to the N2 product capabilities, the customer found Niagara's support to be quick and professional. Lab testing confirmed that all the expected features worked as described. Outstanding performance and increased flexibility in load-balancing traffic across larger tool clusters have helped the customer achieve overall stability and enhanced system visibility. In addition, the robust monitoring options via Syslog export and SNMP gave the IT staff a greater operational understanding of the health of their network’s visibility fabric.

Conclusion

A leading US research university comprises several campuses spread across a wide geographical area, each with separate wired and wireless networks and various network security and traffic handling policies.

The institution’s CISO has a number of key, sometimes conflicting priorities, including improving the utilization and cost of network security and monitoring tools, enforcing a consistent network security policy across the university, and providing students and staff with the best possible user experience, which requires the university network to be seamlessly expandable from 10Gb to 40Gb speeds and higher.

The limitations of the existing network visibility solution, including a cumbersome user interface, lack of an API and limited insight into network operations and performance issues, led the IT department to evaluate alternative solutions. Additional requirements for an alternative solution included support for east-west passive traffic aggregation, filtering, and load-balancing for out-of-band 10Gb-based monitoring and security tool clusters, as well as selective delivery of east-west and north-south traffic to inline security tools.

Following the evaluation of a number of solutions, the university chose Niagara Networks’ N2 NPB platform as the single solution meeting all of the key requirements, including support for passive tap, bypass (including double protection technology) and network packet broker functionality, support for both 10Gb short-reach and long-reach fiber connectivity, and extensibility through support for 40Gb modules. In addition, the Niagara N2 enabled seamless routing of both east-west and north-south traffic to the university’s inline Sourcefire IDS appliances.

The customer found the Niagara N2 solution to be optimal for its inline and out-of-band traffic visibility needs. The Niagara N2 was found to be an economical solution with an intuitive, user-friendly interface and a powerful feature set. The IT staff was gratified with the enhanced performance, availability and visibility attributes provided by the N2 system.

Beyond the N2 product attributes, Niagara's support was found to be rapid and proficient. Prototype testing validated support for all of the customer’s network visibility requirements. In addition, exceptional performance and improved agility in load-balancing traffic across clusters of inline and out-of-band security and monitoring tools have helped the customer achieve high availability and optimum network visibility. Furthermore, flexible network monitoring using Syslog export and SNMP gave the IT staff superior insight into the state of the network visibility infrastructure.

Niagara Networks is the industry-leading specialist in providing advanced network visibility solutions for the specific needs of campus and enterprise networks. Schedule a consultation with one of our networking experts today to evaluate your network visibility challenges.
