The age of Internet encryption has started. Strictly speaking it started a long time ago, but now it is reaching its climax. Many forces drive this rapid adoption: the monetization of intellectual property owned by the rulers of the internet (Facebook, Google, WhatsApp, eBay, Amazon); the rise of SaaS (O365, Salesforce, Workday and the like) and of the public clouds (AWS, Azure, Google ...), where infrastructure and applications alike are born natively encrypted on the wire; and technology changes together with reputation at stake. It is all about how an application is ranked from a security perspective and which protocols and standards it uses (HTTP 2.0, TLS 1.3, ECC ciphers ...).
The change is a blessing, but with it comes a darkness that is more commonly referred to today as "Winter is coming". This is a positive change, yet a large risk hides within it. For enterprises and application providers it means they can no longer easily spot, see, catch or manipulate data communication as before, for several reasons:
One cannot open encrypted data without proxying it when new standards such as DHE and ECC based encryption protocols are in use
Managing encryption can yield a massive performance and scale penalty
Infrastructure and technology keep changing, so the solution picked should be agile towards peripheral solutions
Decryption is needed in more than one place, which makes the entire thing more complex and obscure
There are regulations in place: what is allowed to be decrypted, what is not, and how to process it
These needs opened a new market that is being adopted at an ever-growing speed and is commonly referred to as SSL or TLS Orchestration: an architecture that provides:
Visibility and a decision point for what is decrypted, at high scale
Dynamic chaining of the security services that need to receive decrypted traffic, freeing them from unneeded workloads so they become efficient again
Flexible deployment options (TAP, ICAP, inline L2/3, L4)
F5's SSL Orchestrator provides all of the above and more.
Recently, I teamed up with an exciting startup company called CGS Tower Networks. The CGS technology offering is unique in the packet broker and network visibility market and provides the following benefits:
Maximize the return on cyber security tools by filtering and load balancing network traffic, and by performing rate adjustment between low bandwidth tools and high capacity networks
Improve and empower cyber security deployments
Solve the 'blind spot' and network congestion challenges that have a negative impact on cyber security and network performance management tools
CGS has also taken an innovative approach towards infrastructure needs: they deploy packet broker software on mass-production, modern, scalable and powerful switches and x86 servers, which results in superior performance that eliminates bottlenecks, and in significant cost reduction.
CGS was looking for a technology partner with extensive industry experience that could add a decryption point-of-control capability to their offering, and F5 was a perfect fit. Integration with F5 was easy and resulted in a compelling offer that gives CGS a unique value proposition and the ability to:
Be empowered by F5 Networks, a market leader in the security space
Layer many security solutions through an architecture with a centralized focal point for managing certificates and encryption keys
Improve cyber security deployments by eliminating network blind spots
Offer unparalleled price/performance and an unmatched industry feature set
Leverage F5 deployments that already include SSL/TLS functionality
Scale SSL/TLS capacity and functionality without the need to upgrade the packet broker or any security solution in the chain
Two modes of deployments exist to CGS Network customers:
The objective of the Smart Grid is to modernize the power utilities infrastructure with two-way digital communications in order to improve grid reliability, reduce costs and enable integration of renewable energy sources.
The Network Visibility Challenge
The new communication infrastructure introduces new cyber security risks that span electricity generation, transmission and distribution. Cyber security and monitoring applications are typically deployed within the utility data center in order to secure and monitor the Smart Grid network infrastructure as well as the Distribution Automation and Smart Meter applications. The challenge, however, is to ensure that the networks in the remote substations located across the service territory are visible to the data center security and monitoring applications.
CGS Tower Networks has developed a packet broker that can TAP, aggregate and filter traffic from the remote networks to the utility data center for further analysis. The Packet Broker supports both copper and fiber optic links to accommodate legacy and modern network infrastructure. The CGS Packet Broker supports smart network processing operations such as de-duplication, packet slicing and header stripping that reduce network traffic and help optimize cyber security and monitoring applications.
Network Packet Brokers have become a core part of the network infrastructure, allowing enterprises to optimize their cyber security and NPM/APM deployments by providing full network visibility, filtering, DPI and load balancing. Traditionally, packet brokers were vertically integrated with inextricable hardware and software. This worked well for a while; however, as network traffic and capacities increased exponentially, proprietary packet broker hardware could rarely meet the performance requirements and required massive and expensive deployments that most customers could not afford.
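To make the three smart processing operations named above concrete, here is a small Python model of a packet broker pipeline (added illustration, not CGS code): it strips 802.1Q VLAN tags, de-duplicates frames that were tapped on both sides of a switch, and slices each frame down to its headers. The frames are constructed inline; the window size, slice length and MAC addresses are assumptions.

```python
import hashlib
import struct
from collections import OrderedDict

ETHERTYPE_VLAN = 0x8100   # TPID of an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def strip_vlan(frame: bytes) -> bytes:
    """Header stripping: drop the 4-byte 802.1Q tag (TPID + TCI) so tools
    that do not parse VLANs see a plain Ethernet frame."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_VLAN:
        return frame[:12] + frame[16:]
    return frame


def slice_packet(frame: bytes, keep: int = 64) -> bytes:
    """Packet slicing: keep only the leading `keep` bytes (the headers) and
    discard the payload, cutting the volume sent to the tools."""
    return frame[:keep]


class Deduplicator:
    """De-duplication: remember a hash of the last `window` frames and drop
    any frame whose content was already seen, e.g. the same packet tapped
    on both the ingress and egress port of a switch. (A real broker would
    mask fields that change per hop, such as TTL, before hashing.)"""

    def __init__(self, window: int = 1000):
        self.window = window
        self.seen = OrderedDict()

    def is_duplicate(self, frame: bytes) -> bool:
        key = hashlib.sha256(frame).digest()
        if key in self.seen:
            return True
        self.seen[key] = None
        if len(self.seen) > self.window:
            self.seen.popitem(last=False)   # evict the oldest entry
        return False


def broker(frames, keep: int = 64, window: int = 1000):
    """Run strip -> dedup -> slice over a list of frames; return what the tools get."""
    dedup = Deduplicator(window)
    return [slice_packet(f, keep) for f in map(strip_vlan, frames) if not dedup.is_duplicate(f)]


def build_frame(vlan=None, payload: bytes = b"A" * 100) -> bytes:
    """Constructed sample Ethernet frame (assumed MACs), optionally 802.1Q tagged."""
    dst, src = bytes.fromhex("0a0000000001"), bytes.fromhex("0a0000000002")
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload
```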
Disaggregating packet broker hardware and software provides the following key benefits:
Enhanced visibility resulting from modern platforms with superior performance that ensures line-rate connectivity and avoids packet loss of critical data
Improved network staff productivity through a unified, modern and agile packet broker software deployed on all platforms with a wide range of features
Superior quality driven by the reliability of mass-production hardware manufacturing and the simpler R&D and QA processes of software compared with hardware
Alignment with customer requirements and budget constraints through a wide range of hardware options available in the market, scaling from the smallest to the most powerful packet broker platforms
Cost reduction enabled by innovation in switches and CPU platforms as well as the economy of scale of mass production
While industry analyst firms (see the EMA Next-Generation Network Packet Broker: Disaggregated and White Box Network Packet Broker report, Aug 2018, page 17) indicate the market trend and preference for hardware and software disaggregation, legacy vendors such as IXIA, NetScout and Gigamon have achieved this goal only for the basic aggregation functionality available on white box switches. Gaining the full benefits of disaggregation would require an entire rewrite of the advanced product code for CPU platforms, a challenging task from both technology and business perspectives, and it is questionable whether they will ever be able to go through this paradigm shift.
Shlomo Gurfinkel, the former VP Engineering at NetOptics (acquired by IXIA), was the first to identify the benefits of disaggregated and white box packet brokers, when he founded CGS Tower Networks back in 2014, to deliver the next generation packet brokers with pure and full disaggregation of packet broker software on white box switches, CPU appliances and virtual environments. According to the EMA report, 29% have already deployed disaggregated packet brokers, most probably just the basic aggregation functionality, and 32% plan to do so in the next 12 months. Chances are that 2019 will be noted as the tipping point where customers shift from the legacy proprietary packet brokers to the next generation white box switches and CPU based packet brokers. Stay tuned.