Security Implications of Migrating to 100Gb Networks (Part 2)

Yigal Amram By: Yigal Amram July 21, 2017

Improved efficiency of security tools

In the first part of this blog series, we looked at how 100GbE-based Network Packet Brokers (NPBs) can help establish resilient connectivity between 10/40GbE-capable network security tools and 100GbE core networks.  In this post, we will look at how NPBs optimize distribution of traffic from 100GbE networks to lower speed appliance ports to maximize the utilization of existing appliances.

Today’s skyrocketing traffic and high-speed 100Gb links put severe pressure on vital security tools like Intrusion Prevention Systems (IPS) that inspect traffic to block data leaks and malware. Once basic connectivity is established between 100 Gigabit Ethernet core networks and 10/40Gb-capable security tools, another challenge comes to the forefront: how to effectively distribute traffic from 100Gb network links to the security tools so as to mitigate the gap between the higher data rate of the core network and the lower data processing capacity of the tools to  optimize the functionality offered by each tool.

Advanced NPBs offer load balancing, which allows one or more high-speed 100Gb network ports to send traffic to multiple lower-speed appliance ports based on sophisticated flow-aware schemes. Moreover, NPBs can dynamically adjust the load balancing scheme based on the number of actively attached devices. Specialized security and performance appliances focus only on a specific type of traffic. If an appliance only evaluates HTTPS, for example, why waste its CPU cycles by sending it SMTP traffic? The 100Gb-enabled Network Packet Brokers can employ sophisticated filtering schemes for load balancing to filter out traffic that is irrelevant to a specific 10/40Gb-capable appliance and map only the traffic that the appliance needs to the appropriate port. NPB load balancing helps optimize the data processing capacity of existing appliances without being required to purchase more expensive and complex higher-speed appliances and avoiding tool oversubscription by providing  a cost-effective way to share the increasing traffic load among multiple inline tools.


Load balancing options for optimum connectivity

With load balancing, one size doesn’t fit all, which is why advanced Network Packet Brokers offer a spectrum of options for getting the most from your security tools during the process of upgrading to 100 Gigabit Ethernet. Load balancing can distribute 100Gb/s traffic to multiple 10/40Gb tools, plus aggregate traffic from multiple 100Gb and 40Gb links and distribute it to share the load.

Basic load balancing splits 100Gb/s traffic to let multiple tools work on different parts of the traffic. For example, you can filter and send packets with odd IP source addresses to one 10Gb tool and those with even addresses to another—or you can use other filtering criteria. Dynamic load balancing, engineered for 100Gb line speeds, actively monitors load levels on 10/40Gb output channels and adjusts traffic distribution in real time to keep loads even.

100g Migration diagrams FINAL_Page_11.jpg


Network Packet Brokers also offer dynamic inline load balancing with link-state awareness. That means if a tool in the load balance set fails, the solution redistributes traffic to the remaining tools until the failed tool is repaired or replaced and the link comes back up. NPBs also provide deep packet inspection (DPI) functionality, enabling fine-grained selection of traffic to be load balanced.

NPBs can also take traffic from any network 100Gb port (or aggregated set of network ports) and distribute it to two, three, four, or any number of available 10/40Gb monitor ports, balancing loads by any packet header field. The device’s ultra-low latency ensures minimal delays that can degrade the accuracy of timing analysis.

NPBs complement dynamic load balancing with deep packet inspection (DPI) and filtering capabilities. To balance loads, data is processed by multiple tools working in parallel and supporting multiple independent dynamic load balancing groups. The greatest benefit of dynamic load balancing is for inline monitoring for IPS and other inline security tools. It also supports 100Gb/s to 10/40Gb/s data rate conversion, letting you monitor 100Gb/s traffic with a pool of 10/40Gb-based tools for a cost-efficient approach. In addition, Network Packet Brokers can also employ a tool-sharing topology to let several independent links share a pool of inline tools.


As core networks evolve from 10 and 40 Gigabit Ethernet to 100 Gigabit Ethernet, there is a critical need to ensure high-performance threat monitoring with support for aggregation and processing of high-speed network traffic to different performance, application, and security monitoring tools that may otherwise be unable to process traffic at these higher speeds. Advanced Network Packet Brokers can provide a unique future-proof solution for supporting non-disruptive and resilient network security in data centers migrating to 100 Gigabit Ethernet core networks.

New call-to-action