
Page 1

TECHNICAL OVERVIEW

Ixia’s Inline Security Architecture

Find us at www.ixiacom.com

Contents

Generic Solution Overview ................................................................................................. 2

Typical inline security components ............................................................................. 2

The inline visibility architecture ................................................................................... 5

Inline Security Ideal Customer Profile ......................................................................... 9

Inline Security Use Cases .................................................................................................10

Use case category #1 – Maximize network reliability for business continuity ............... 10

Use case category #2 – Eliminate security appliance downtime cost and risk ............... 11

Use case category #3 – Reduce malware infiltration risk ........................................... 14

Use case category #4 – Minimize complexity to control security solution costs and reduce wasted IT time ...................................................................................... 18

Use case category #5 – Deploy advanced security countermeasures ......................... 20

Solution Benefits .............................................................................................................22

Ixia Solution Summary .....................................................................................................23

iBypass switches .................................................................................................... 23

Vision series of inline NPBs ...................................................................................... 25

SecureStack SSL / TLS decryption .......................................................................... 26

ThreatARMOR threat intelligence gateway ................................................................ 27

Putting It All Together – The Ixia Visibility Architecture ........................................................28

Deployment configurations ...................................................................................... 29

Conclusion ......................................................................................................................33

Appendix A – Citations .....................................................................................................33

Page 2

Generic Solution Overview

Ixia offers many security products that solve problems for different parts of the network. This solution focuses on inline visibility and security components. This means offering Ixia products that augment traditional security products from our technical partners so that Ixia can help customers create the most effective solution possible.

Typical inline security components

An inline architecture has become a critical component in the war to protect the data networks of every enterprise. Inline monitoring appliances and tools must operate at peak performance without failure and without affecting network uptime or application responsiveness while inspecting network traffic 24 hours a day. Deployment of an inline security solution with an IPS, WAF, unified threat management (UTM), or other appliances can effectively screen incoming traffic for encrypted or unencrypted threats.

Here is an overview of common inline security appliances and their functions:

Firewall

Firewalls perform basic packet inspection to either block or allow packets based upon preset criteria. The criteria often include IP address, IP address range, or port number. They also perform network- and port-address translation (NAT and PAT) to allow external network traffic into the internal network. These devices can either be physical appliances or software-based.

The purpose of a firewall is to be your first line of defense against security attacks. Typical placement occurs at the ingress to the network, usually after a router. Another placement scenario is before a router in specific instances.

Most traditional firewall solutions are outdated. Next-generation firewalls (NGFW) with additional features and capabilities have largely replaced legacy firewalls.

External bypass switch

When deploying an inline network security tool, such as an IPS, it is vital to ensure that traffic continues to flow in all circumstances, even if the inline tool goes down. This ensures that mission-critical business applications remain available. An external bypass switch is one way of ensuring that traffic keeps flowing even in the event of a tool outage.

A bypass switch is a special-purpose tap with fail-over capability. Unlike a tap, a bypass is an active device that is a direct and integral part of network data transmission.

Page 3

Internal bypass switch

The internal bypass switch is similar to the external bypass switch. However, it is integrated with a security appliance. Despite the similarities in functionality, clear differences exist between an internal and an external bypass.

The main differences between an internal and external bypass are as follows:

• The external bypass does not have any dependencies on a host security tool.

• The external bypass supports the use of device-independent heartbeat messages to validate that the connected device is available and working.

• The external bypass has improved efficiency, as you can use one external bypass switch concurrently with multiple security appliances.

Web application firewall

A web application firewall (WAF) protects web applications from malicious traffic. It also protects against various attacks such as cross-site scripting (XSS) and SQL injection. This specific focus differentiates the WAF from a traditional firewall.

Page 4

Next-generation firewall

A next-generation firewall (NGFW) is an evolution of the basic firewall. This device typically combines a traditional firewall with a WAF, deep packet inspection, and an intrusion prevention system. By combining all of these functions, the NGFW can increase scrutiny of inbound traffic. This allows for quicker security threat investigations closer to the perimeter of the network.

Firewall functionality continues to evolve. As an example, the demarcation between NGFW feature sets and UTM features has become blurred. As manufacturers continue to add more features to firewalls, the UTM category may end up disappearing altogether.

Intrusion prevention system

Another useful security appliance is the intrusion prevention system (IPS). The IPS sits behind the firewall as a second line of defense. Data passes from the firewall to the IPS, where the IPS conducts deep packet inspection, looking for hidden malware and other attacks. An IPS is normally deployed inline, which differentiates it from intrusion detection systems (IDS), which are used in out-of-band deployment scenarios.

Unified threat management

Unified threat management (UTM) is a security solution that integrates multiple separate security devices into one security appliance. It is essentially an all-in-one approach designed to reduce operational complexity. There is one user interface, one set of policies to program, and one system to patch.

As mentioned earlier, the borders between NGFWs and UTMs have become blurred, and the UTM category may end up disappearing.

Threat intelligence gateway

Threat intelligence gateways or platforms are devices that create threat intelligence feeds for transmission to other security devices to help enhance the overall security posture of an organization. These appliances aggregate and correlate data from different sources to recognize patterns. These patterns can include fingerprints for different types of malware (such as WannaCry or EternalBlue), suspicious lateral movements of data on the network, suspicious communications to off-network locations, or various other activities. Once this data is correlated and interpreted, patterns emerge which other security appliances, such as an IPS or security information and event management (SIEM) appliances, can use to look for new security threats.

Page 5

Data loss prevention

Data loss prevention (DLP) tools, also sometimes called data leak prevention tools, protect data in use, data at rest, and data in motion from theft, exfiltration, inappropriate access, or in some cases even corruption. The increasing importance of regulatory compliance standards such as PCI-DSS, HIPAA, GDPR, ITAR, and others, as well as recognition of the importance of defending against insider threats, are two of the factors driving DLP deployment.

Honeypot

A honeypot is a computer system with useless, but legitimate-looking, data placed in a special network environment to attract bad actors. The intention is to bait a bad actor into attacking the honeypot and launching a security threat. Once this happens, the owner of the honeypot can watch how the bad actor moves across the network and what activities they conduct. From there, the honeypot owner can watch how the attack inserts and detonates malicious code. This allows the honeypot’s SecOps team to classify and chronicle the attack. The information is useful for protecting the production network and thwarting these types of attacks in the future. Since security threats continue to morph, the deception technology market continues to grow at a compound annual growth rate of 9%.

A honeypot is often located in a sandbox separate from the main corporate network. This scenario is designed to attract inline threats. However, another use case exists for some professional security organizations and agencies that wish to use distributed honeypots. This deployment scenario would be an out-of-band scenario to determine if and where the network has been infiltrated.

The inline visibility architecture

Inline means that a component or tool is deployed directly in the path of network data flow. This includes both security tools and network visibility equipment. In the case of visibility equipment, this would be a bypass switch, packet broker, and security appliances. One drawback to this approach is that if any system in the data path fails, the link goes down. Fortunately, there are solutions providing fail-over and redundancy that eliminate the failure concern.

Page 6

External bypass switch

The purpose of a bypass switch is to switch traffic around tools that have either gone down due to some fault or issue with power, or tools that need to be taken offline for software updates, patches, and subsequent reboots.

You can set a bypass switch to fail open or fail closed. Fail open means that traffic continues to flow between network devices if you remove a security monitoring device from the network or the bypass switch loses power. This mechanism is also referred to as “fail to wire” to make it clear that this failure scenario supports business continuity, versus the fail-closed scenario, where a failure in the bypass switch results in no traffic passing, which is the safest option from a security standpoint.

The bypass switch generally uses a heartbeat packet to detect application, link, or power failure on the attached monitoring device. If the heartbeat packet is disrupted, the bypass switch removes this point of failure by automatically shunting traffic around the security tool whenever the tool is incapable of passing traffic.

While directly deploying inline security tools can create a line of defense, these tools can also result in single points of failure. Even a strong mix of security and analytics tools can lead to network reliability risks, as regular rebooting, maintenance, and upgrades of those tools increase the chances of a costly network outage. If an inline tool becomes unavailable, it can completely bring down the network link, significantly compromising network uptime and disrupting business continuity. This can be a significant problem for the almost 20% of IT organizations that directly deploy inline security tools and the 40% that deploy internal bypass solutions instead of external-based solutions.

An external bypass switch allows fail-safe deployments of inline security and monitoring tools to ensure high availability and maximum uptime. The stand-alone (external) bypass offers superior protection when compared to a security tool with an integrated bypass option. For example, some external bypass switches have a mean time between failures (MTBF) of approximately 450,000 hours. This reliability can be up to five times better than various security tools (such as combined firewall and IPS solutions) that have an MTBF of approximately 80,000 to 100,000 hours. Adding internal bypass capability further reduces the MTBF and reliability for those types of solutions.

Page 7

Also, when you replace various security tools, you may have to remove the integrated bypass as well. An external bypass eliminates this issue.

Another key benefit of the external bypass switch is fail-over capability during upgrades. Certain inline security tools include an internal bypass switch. This becomes a problem when you want to replace the security tool, or, in some cases, simply update and maintain that tool. Software upgrades or security patches may require a reboot, with obvious negative implications for architectures using internal bypass switching. The simple solution is to use an external bypass. Then you do not have to worry about future upgrades.

An external bypass offers the following benefits:

• It eliminates single points of failure for inline tool deployments with a bypass switch.

• The MTBF of an external bypass switch can be up to five times better than an integrated bypass.

• It provides more flexibility to add or remove inline security tools without network impacts.

• An external bypass switch eliminates downtime from tool upgrades and removal.

© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED.

Figure 1. Inline security solution with a bypass switch connected to all components (diagram labels: www, firewall, bypass switches in front of the IPS, WAF, SSL decrypt, and other tools, switch, servers)

Inline network packet broker

The main purpose of the network packet broker is to optimize the flow of data going to security tools. Sitting between bypass switches and inline security appliances, packet brokers add another layer of data visibility to your security architecture. By providing the ability to aggregate, filter, deduplicate, load balance, and decrypt SSL / TLS traffic, packet brokers provide serialized data to a chain of security tools for deep data analysis.

Page 8

Inline versions of NPBs also contain heartbeat and fail-over capabilities to properly handle data continuity and high availability. This works similarly to the bypass switch, except that it is two-sided. There is communication between the bypass and the NPB to make sure the NPB is working. If not, the bypass switch will either divert the flow into the network or stop the transmission of traffic completely. The exact action depends on the options selected for the bypass.

Another set of communications sits between the NPB and the security appliances. This provides continuity and survivability for the data analysis process. Should a security appliance fail, the NPB will divert traffic to other security appliances, if any are available. If all security appliances are out of operational state, you can set the NPB configuration to operate in one of two ways. First, it could signal an error state to the bypass. The bypass switch will interpret this as a failure and follow its pre-programmed fail-open or fail-closed scenario. Once the security tools are operational again, the NPB replies to the bypass switch heartbeat message, and data flows from the bypass to the NPB again.

The second tool failure option is for the NPB not to declare an error and simply shunt the traffic back to the bypass. While this means that no security inspection takes place, the network remains up until one or more of the security tools becomes available again. Then the NPB will forward incoming traffic to the security tool(s).

The NPB supports load balancing. If one or more tools fail, the NPB will redirect to surviving tools. This is an excellent and cost-effective way of using n+1 survivability to create tool redundancy, assuming the tools are over-dimensioned by at least one device. The chapter on use cases provides more information on this functionality.

Another benefit of a packet broker is that you can automate the data inspection process. Tool chaining accomplishes this. Preset tool chains ensure that data is passed sequentially from one tool to another so that actions occur in sequence and do not get overlooked. Linking of security and monitoring tools happens by using software provisioning in the NPB to control the flow of data through the selected services. Depending on the situation, the required data inspection can occur in parallel or in series.

At Ixia, the primary way that we address tool chaining is to use a grouping of ports. To accomplish the proper flow of data, at least one tool gets assigned to a port or port group on the NPB. Multiple port groups are chained together to accomplish the desired data flow.
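As an added illustration of the port-group chaining just described (example code written for this page, not Ixia's NPB software), the Python below models an inline NPB as an ordered list of port groups, each holding one or more stand-in tools. A tool hands back the packet to pass on (the decrypt stand-in rewrites it) or None to drop it, and the NPB records every verdict so no step in the chain is skipped. The tool and port-group names, the "enc:" plus base64 wrapping that stands in for TLS, the indicator strings, and the sample packets are all constructed for the example.

```python
"""Tool chaining through NPB port groups (added example, not Ixia's code)."""
import base64
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, str]
Verdict = Tuple[Optional[Packet], str]   # (packet to pass on, or None to drop; reason)
Tool = Callable[[Packet], Verdict]


@dataclass
class PortGroup:
    name: str
    tools: List[Tool]    # run in this order within the group


@dataclass
class InlineNPB:
    chain: List[PortGroup]

    def process(self, pkt: Packet) -> Tuple[Optional[Packet], List[str]]:
        """Hand the packet through every port group in order; stop at the first drop."""
        trace: List[str] = []
        for group in self.chain:
            for tool in group.tools:
                pkt, reason = tool(pkt)
                trace.append(f"{group.name}: {reason}")
                if pkt is None:
                    return None, trace
        return pkt, trace


# Constructed stand-ins for the appliances in the text (not real product logic)
ALLOWED_PORTS = {"80", "443"}
IPS_INDICATOR = "MALWARE-TEST-MARKER"   # constructed signature string
SQLI_PATTERN = "' OR '1'='1"            # textbook injection pattern the WAF stand-in matches


def wrap_tls(plain: str) -> str:
    """Constructed 'encryption': opaque to the inspection tools until decrypted."""
    return "enc:" + base64.b64encode(plain.encode()).decode()


def firewall(pkt: Packet) -> Verdict:
    if pkt["dport"] not in ALLOWED_PORTS:
        return None, f"firewall dropped port {pkt['dport']}"
    return pkt, "firewall allowed"


def ssl_decrypt(pkt: Packet) -> Verdict:
    if pkt["payload"].startswith("enc:"):
        plain = base64.b64decode(pkt["payload"][4:]).decode()
        return {**pkt, "payload": plain}, "decrypted for inspection"
    return pkt, "cleartext, passed through"


def ips(pkt: Packet) -> Verdict:
    if IPS_INDICATOR in pkt["payload"]:
        return None, "ips blocked signature match"
    return pkt, "ips clean"


def waf(pkt: Packet) -> Verdict:
    if SQLI_PATTERN in pkt["payload"]:
        return None, "waf blocked injection pattern"
    return pkt, "waf clean"


def build_npb(decrypt_before_inspection: bool = True) -> InlineNPB:
    """Three chained port groups; the flag shows why the order of groups matters."""
    decrypt = PortGroup("pg2-decrypt", [ssl_decrypt])
    inspect = PortGroup("pg3-inspect", [ips, waf])
    middle = [decrypt, inspect] if decrypt_before_inspection else [inspect, decrypt]
    return InlineNPB([PortGroup("pg1-firewall", [firewall]), *middle])


# Constructed sample packets
CLEAN = {"dport": "443", "payload": wrap_tls("GET /index.html HTTP/1.1")}
BAD_PORT = {"dport": "23", "payload": "login"}
HIDDEN_MALWARE = {"dport": "443", "payload": wrap_tls("POST /upload " + IPS_INDICATOR)}
INJECTION = {"dport": "80", "payload": "GET /login?user=" + SQLI_PATTERN}

if __name__ == "__main__":
    npb = build_npb()
    for sample in (CLEAN, BAD_PORT, HIDDEN_MALWARE, INJECTION):
        out, trace = npb.process(sample)
        print("forwarded" if out else "dropped", "|", " -> ".join(trace))
```

Running build_npb(decrypt_before_inspection=False) against HIDDEN_MALWARE shows why the chain order is part of the security design: the IPS and WAF only ever see ciphertext, and the marked payload is forwarded.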

Page 9

The primary benefits of a packet broker are that it can help you with the following:

• improved uptime

• the ability to make real-time decisions

• extensive fail-over options

• cost savings resulting from load balancing across multiple tools

• built-in recovery options

• reduced complexity

• diversion of bad traffic to a honeypot

Visibility architecture diagram

The following diagram shows the proper way to integrate a bypass and an inline NPB into an inline security architecture.

Figure 2. Inline security solution showing a typical traffic data path (diagram labels: www, firewall, switch, and servers on the data path; bypass switch; network packet broker performing load balancing, filtering, and aggregation; security tools)

Inline Security Ideal Customer Profile

Customers most likely to benefit from an inline security solution are midsized to large organizations with on-premises data centers. Banks; hospitals and healthcare offices; manufacturing companies; city, state, and federal governments; and oil, gas, and energy utilities are just some of the organizations that should consider an inline visibility solution.

Branch offices represent another scenario where inline security architectures with bypass switches and network packet brokers can be useful. This is essentially the same as a large data center, just on a smaller scale. Deploying a bypass switch and an NPB together provides increased survivability for edge security tools so those tools can monitor, and if necessary take action upon, incoming and outgoing network traffic.

Page 10

Inline Security Use Cases

There are five basic categories of inline security use cases:

1. Maximize network reliability for business continuity. Create a hardened fail-over solution for security appliances.

2. Eliminate security appliance downtime cost and risk. Improve security tool survivability with high availability (HA) and n+1 options.

3. Reduce malware infiltration risk. Eliminate traffic from known bad IP addresses and perform active SSL decryption to challenge all incoming data.

4. Control security solution costs and reduce wasted IT time. Reduce complexity with simpler, but more powerful, network security solutions.

5. Deploy advanced security countermeasures. Deploy more capabilities with ease (such as honeypots), simple IOC measures (such as negative heartbeats), and more advanced threat (IOC) hunting.

The following sections will illustrate each use case.

Use case category #1 – Maximize network reliability for business continuity

Today’s data networks are crucial to a typical business as they affect employee productivity, e-commerce, communications, and more. Because of this, data networks need more reliability. Implementing bypass switches, inline NPBs, and HA architectures is part of the solution. Another part of the solution is to create self-healing networks.

The primary focus of this use case is business continuity — keeping the network and applications up and running. While components matter, this use case focuses on the system (or the network).

Bypass switches let you connect inline security tools to your network without the risk of network downtime. When an inline tool fails, bypass switches automatically kick in. They redirect network traffic so that it flows around the failed tool, instead of through it. The network traffic bypasses the blockage the tool caused. This way the network stays up and running — even if the tool does not. This is important, as the average cost of network downtime is $7,790 per minute, according to the Ponemon Institute.

Bypass switches detect when an inline tool has failed or lost power by listening for replies to special heartbeat packets. The bypass switch sends heartbeat packets to the inline tool at regular intervals. If the tool does not reply within the expected interval, the switch assumes the inline tool has failed, and it reroutes network traffic.

Typical heartbeat intervals are 100 ms with a minimum of two retries, but this is customizable. The bypass switch will continue to send heartbeat packets to the inline tool until it receives a reply. Once it starts to get replies again, it considers the tool “up”, and will start sending traffic to that tool again, creating a self-healing loop. If there is no reception of a heartbeat message, and no redundant tool, then the bypass can initiate a fail-over to keep the network up. Once heartbeat messaging returns, the bypass functionality disengages.

Page 11

This use case has the following benefits:

• Heartbeat technology in bypass switches and NPBs can help equipment create a self-healing architecture and maximize network availability.

• Fail-over and heartbeat technology in bypass switches and NPBs increase availability and survivability of inline security appliances.

• External bypass switches prevent disruption when security devices go out of service for upgrades or replacement.

• The security engineer does not need to actively participate, as the bypass will restore traffic to the tools once they are working again.

• Anti-tromboning technology reduces fail-over and fail-back network disruptions.
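The heartbeat and fail-over behaviour described in this use case and in the external bypass switch section earlier, as an added example written for this page (not Ixia's iBypass firmware): a Python model of a bypass switch that sends a heartbeat every 100 ms, declares the tool down after two consecutive missed replies (our reading of "a minimum of two retries"), fails open or fails closed according to its configured mode, and fails back on its own as soon as replies resume. The class, enum, and event names are the example's own, and the reply sequence is constructed.

```python
"""External bypass switch heartbeat logic (added example, not Ixia's code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class FailMode(Enum):
    OPEN = "fail-open"      # shunt traffic around the tool; the link stays up ("fail to wire")
    CLOSED = "fail-closed"  # pass nothing until the tool is back


class Path(Enum):
    TOOL = "tool"        # traffic flows through the inline tool
    WIRE = "wire"        # traffic is shunted around the tool
    BLOCKED = "blocked"  # traffic is held (fail-closed with the tool down)


@dataclass
class BypassSwitch:
    fail_mode: FailMode = FailMode.OPEN
    interval_ms: int = 100    # heartbeat interval quoted in the text
    max_misses: int = 2       # consecutive misses before fail-over (assumed reading of "two retries")
    misses: int = 0
    tool_up: bool = True
    events: List[str] = field(default_factory=list)

    def heartbeat(self, reply_received: bool) -> bool:
        """Record one heartbeat period; return whether the tool is considered up."""
        if reply_received:
            if not self.tool_up:
                self.events.append("fail-back: tool replying again, traffic restored")
            self.misses = 0
            self.tool_up = True
            return True
        self.misses += 1
        if self.tool_up and self.misses >= self.max_misses:
            self.tool_up = False
            self.events.append(
                f"fail-over ({self.fail_mode.value}) after "
                f"{self.misses * self.interval_ms} ms without a reply"
            )
        return self.tool_up

    def path(self) -> Path:
        """Where the next packet goes given the current tool state."""
        if self.tool_up:
            return Path.TOOL
        return Path.WIRE if self.fail_mode is FailMode.OPEN else Path.BLOCKED


def simulate(replies: List[bool], fail_mode: FailMode = FailMode.OPEN) -> Tuple[List[Path], List[str]]:
    """Feed a sequence of heartbeat outcomes; return the path taken each period and the event log."""
    switch = BypassSwitch(fail_mode=fail_mode)
    paths = []
    for reply in replies:
        switch.heartbeat(reply)
        paths.append(switch.path())
    return paths, switch.events


if __name__ == "__main__":
    # constructed: two good periods, the tool stops answering, then recovers
    outcome = [True, True, False, False, False, True, True]
    for mode in FailMode:
        paths, events = simulate(outcome, mode)
        print(mode.value, [p.value for p in paths], events)
```

A single missed heartbeat does not trigger fail-over, which is what keeps a momentarily busy tool from being bypassed; with fail-closed the same sequence blocks traffic for the outage instead of shunting it, so the mode is a business-continuity versus inspection-coverage decision.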

Figure 3. Inline security solution with a bypass switch connected to all components (diagram labels: www, firewall, bypass switches in front of the IPS, WAF, SSL decrypt, and other tool, switch, servers)

Use case category #2 – Eliminate security appliance downtime cost and risk

The primary focus of this use case is to keep security appliances up and running. The inline NPB offers two methods to increase survivability of the tools: HA and n+1 survivability. HA typically means full redundancy, where you have a primary and a standby set of tools connected to the network. The second set of components processes traffic only if the primary set fails. The n+1 option is where all the tools are active and running. If one fails, the others take extra load to make up for the out-of-commission device.

Page 12

The following provides a more detailed discussion of both types.

High availability

Let’s look at the first option, HA. This option is highly effective at maintaining maximum network and tool uptime. You literally have a second copy of everything (bypass switch, packet broker, and tools). If one component or path fails, the secondary equipment can handle the load. While this option yields the highest level of mean time between failures, it also comes at a high price — literally double the cost for everything.

Ignoring the cost issue, the use of redundant external bypass switches and packet brokers can increase your network uptime and reliability beyond the level provided with just redundant tools. In fact, the external bypass switch and packet broker can reliably connect the redundant tools in a more cost-effective and less complicated manner than special-purpose load-balancing devices. An external bypass approach has the benefit of delivering superior resilience because of more granular failure detection, faster fail-over, and better application session integrity. This reduces the cost of the system while making it more resilient.

Of course, you can always make trade-offs to reduce the cost. Since you have a redundant bypass switch and packet broker, maybe you do not need a redundant set of tools. You can count on the other equipment to provide reliability. This option could save you a lot of money, as we all know how expensive security tools can be.

This use case has the following benefits:

• It uses HA to create full redundancy (n+n) for inline deployments of NPBs and bypass switches.

• It reduces network and component downtime costs.

• Heartbeats of 10 to 30 milliseconds enable super-fast fail-over between bypasses and NPBs for optical paths.

Page 13: Ixia’s Inline Security ArchitectureAn inline architecture has become a critical component in the war to protect the data networks of every enterprise. Inline monitoring appliances

Page 13Find us at www.ixiacom.com

Figure 4. Inline security solution using high availability

N+1 survivability

Network security and monitoring tool survivability typically refers to redundant tools,

especially in the case of inline deployments. However, a cost-effective alternative

to HA is to implement an n+1 option for security tool (such as IPS and WAF)

redundancy. In this situation, you do not have a duplicate copy of tools waiting in a

standby mode to take over should the primary equipment fail. However, you do not

have to spend double the costs for a redundant solution as you do with HA. Until

now, cost has been a significant limiting factor in the deployment of n+1 survivability.

In this solution, security tools are allocated to a specific port group on an NPB.

Based on filtering criteria, the packet broker spreads traffic across devices on

the port group. Should a tool not acknowledge a heartbeat, the packet broker

distributes data evenly across the remaining tools in the port group. Note, the

default retry setting is three attempts, but this setting is configurable. Once the failed

tool starts replying to heartbeats again, the NPB will resume routing traffic to it.

For example, say you need four IPS tools to process your inline network traffic. In this case, you would add a fifth IPS. The packet broker would then load balance the traffic across all five IPS tools. Should any one of the tools fail, the packet broker can load balance the full load across any of the remaining four IPS tools. This provides a good level of survivability at a fraction of the cost of a fully redundant system. If you would like to have more survivability, like an n+2 situation, you can do that as well — all the way up to a fully redundant set of tools. It all depends on the level of risk you feel comfortable with and your budget.
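The port-group behaviour described above (even load split, three unanswered heartbeats before a tool is pulled, rebalancing, and the n+1 versus n+2 trade-off), as an added simulation that is not Ixia code; the tool names, link load and tool capacities are constructed:

```python
"""n+1 survivability for an inline NPB port group (added example, not Ixia code).

Models the behaviour the text describes: the packet broker spreads a link's
load evenly over the tools in a port group, counts unanswered heartbeats per
tool, takes a tool out of rotation after a configurable number of misses
(default 3, as in the text), rebalances over the survivors and puts the tool
back the moment it answers again.  Tool names, loads and capacities are
constructed for illustration.
"""
from dataclasses import dataclass
import math


@dataclass
class Tool:
    name: str
    missed: int = 0          # consecutive heartbeats this tool failed to answer
    in_service: bool = True


class PortGroup:
    """A set of identical inline tools fed by one NPB port group."""

    def __init__(self, link_gbps: float, names: list[str], max_retries: int = 3):
        self.link_gbps = link_gbps
        self.max_retries = max_retries
        self.tools = [Tool(n) for n in names]

    def heartbeat_round(self, replied: set[str]) -> None:
        """Apply one heartbeat interval; `replied` holds the tools that echoed."""
        for tool in self.tools:
            if tool.name in replied:
                # A reply clears the miss counter and restores the tool to rotation.
                tool.missed = 0
                tool.in_service = True
            else:
                tool.missed += 1
                if tool.missed >= self.max_retries:
                    tool.in_service = False

    def active(self) -> list[str]:
        return [t.name for t in self.tools if t.in_service]

    def distribution(self) -> dict[str, float]:
        """Gbps steered to each in-service tool (even split, as the NPB does)."""
        live = self.active()
        if not live:
            # Nothing left to inspect: the bypass switch's fail-open/fail-closed
            # setting decides what happens to the link, not the port group.
            raise RuntimeError("port group has no tools in service")
        return {name: self.link_gbps / len(live) for name in live}

    def overloaded(self, tool_capacity_gbps: float) -> list[str]:
        """Tools whose current share exceeds what they can inspect."""
        return [n for n, g in self.distribution().items() if g > tool_capacity_gbps]


def failures_tolerated(link_gbps: float, tool_capacity_gbps: float, tool_count: int) -> int:
    """How many tools can fail before the survivors are overloaded.

    n tools are needed to carry the link; n+1 tolerates one failure, n+2 two,
    and so on up to the fully redundant 2n the text mentions.
    """
    needed = math.ceil(link_gbps / tool_capacity_gbps)
    return max(tool_count - needed, 0)


def demo() -> dict[str, float]:
    """Walk through the text's example: four IPS units needed, a fifth added."""
    group = PortGroup(40.0, ["ips1", "ips2", "ips3", "ips4", "ips5"])
    # Normal operation: 40 Gbps over five tools is 8 Gbps each.
    everyone = set(group.active())
    # ips3 stops answering.  Two misses are still within the retry budget ...
    group.heartbeat_round(everyone - {"ips3"})
    group.heartbeat_round(everyone - {"ips3"})
    # ... the third miss takes it out and the broker rebalances to 10 Gbps each.
    group.heartbeat_round(everyone - {"ips3"})
    return group.distribution()


if __name__ == "__main__":
    for name, gbps in demo().items():
        print(f"{name}: {gbps:.1f} Gbps")
```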

[Figure 4 diagram labels: switch, servers, firewalls, bypass switches, network packet brokers (HA), inline security tool farm, threat intelligence gateway, out-of-band sandboxing]


This use case has the following benefits:

• It deploys survivability to decrease risk and increase network security.

• Inline deployments of NPBs using load balancing can create an n+1 survivability option.

• N+1 is a more cost-effective solution than HA but still delivers high reliability.

[Figure 5 diagram labels: network packet broker with a 40 GE link to the tools; normal operation, five tools at 8 GE each; tool failure situation, four remaining tools at 10 GE each and the failed tool at 0 GE]

Figure 5. Inline security solution with n+1 survivability

Use case category #3 – Reduce malware infiltration risk

A fundamental use case of an inline security solution is to reduce malware infiltration. Two inline use cases can thwart this type of security threat.

Threat intelligence gateway

Even with firewalls, IPS tools, and a wide array of security tools in place, businesses still miss clues and suffer major breaches every day. Why? Because the sheer volume of alerts generated places a huge load on the security team and the infrastructure itself. This translates into wasted time and money as well as an increased risk of falling victim to an attack.

A 2016 Ponemon Institute report states that security teams at large enterprises waste more than 20,000 hours per year chasing false-positive alerts. By eliminating even 30% of unwanted traffic, threat intelligence could save companies more than 7,000 hours per year, or the equivalent of 150 weeks in professional time. This can mean a savings of $300,000 per year, for a return on investment (ROI) of 15 times or more.

By pre-filtering known bad IP addresses and traffic from untrusted geographies, you can stop that traffic from ever reaching inline security tools like an IPS. Blocking large volumes of traffic based on IP address, location, and observed bad behavior enhances your security architecture performance and reduces your team’s “alert fatigue.”

Automatic system updates eliminate the need for manual updates of known bad IP addresses. This saves hours of configuration time over a firewall approach.

This use case has the following benefits:

• Significant reduction (up to 30%) in false positives.

• ROI of up to 15x.

• It blocks outbound communication from infected internal systems.

Figure 6. Inline security solution with a threat intelligence gateway

SSL decryption

Unfortunately, we live in an age where the stakes are high for both individuals and organizations that fall victim to data theft. It is for good reason that the use of SSL encryption has soared (and continues to soar) in popularity. According to Fortinet, 72% of all internet traffic uses encryption.

SSL encryption is a powerful weapon in the battle for data security, but its greatest strength is also its greatest weakness. Encryption protects important or confidential data, but it can hide other, far less benign things too. Cybercriminals can take advantage of SSL encryption, camouflaging malware and other undesirables in encrypted data so that they can sneak into and around company networks undetected.

Since many network tools cannot inspect SSL-encrypted data, with TLS 1.3 being a particular challenge, you must decrypt that data so those tools can inspect it.

[Figure 6 diagram labels: www, firewall, bypass switch, network packet broker, threat intelligence gateway, security tools, switch, servers]


Direct tangible threats such as malicious code can hide in SSL-encrypted traffic disguised by the encryption process. This malware is particularly sophisticated and likely to be part of an advanced, sustained attack on an organization. One example is the Zeus botnet, which uses SSL communications to upgrade itself.

Some network monitoring tools (firewalls, IPS, NGFWs) come with SSL decryption capabilities too. This is not an ideal solution, however. As with firewalls, enabling SSL decryption on these tools can impact performance. Furthermore, requiring each tool to decrypt its own data is inefficient. It means multiple siloed tools performing the same decryption process on the same set of data. This is a waste of resources. Why have several appliances repeating the same task when one tool could decrypt the data and push it out to all of them?

An NPB makes decryption easier when routing data to security appliances. There are two fundamental use cases. The first involves the use of a special-purpose decryption tool. The second is where the NPB performs the decryption. A third use case involves every tool decrypting and then re-encrypting the data as it passes downstream. However, most security engineers disregard this approach because of the delays and exorbitant costs involved.

Here are the first two use cases:

Appliance-based SSL decryption

An NPB can pass encrypted traffic to an SSL decryption appliance. This solution offers complete visibility and control of encrypted traffic without requiring the re-architecture of your network infrastructure. You can add policy-based SSL inspection and management capabilities to your network security architecture to remove encrypted traffic blind spots.

The solution is straightforward. Incoming encrypted data goes to the decryption appliance. The data returns to the NPB, which forwards the data on to security appliances for threat analysis. Data that passes inspection comes back to the NPB, which then forwards the data on to the decryption device for re-encryption. The re-encrypted data passes back to the NPB, which then sends it on to the bypass switch for insertion back into the network.


This use case has the following benefits:

• NPBs allow for distribution of encrypted data to decryption devices and then the distribution of the now-unencrypted data to various tools, such as NGFW, IPS, and DLP.

• It exposes hidden threats by using an NPB to efficiently distribute data to active decryption technology appliances such as A10 and Blue Coat.

• It alleviates the decryption load on individual security appliances (IPS, DLP, NGFW) that would have needed to decrypt the data, making those devices faster and more efficient.

Figure 7. Inline security solution with an external appliance for decryption

Inline SSL decryption using an NPB with integrated decryption

Most enterprise applications are now encrypted using the SSL standard, and its updated version TLS, to thwart security attacks and hackers. Unfortunately, bad actors also use encryption to obfuscate their activities. In fact, as of 2019, more than 70% of network attacks hide within SSL-encrypted traffic.

Integrated decryption capabilities can provide an easy and cost-effective way to examine suspect data. With an integrated decryption approach, the data decryption happens at the NPB, and then the NPB forwards the data straight to special-purpose tools. Offloading SSL decryption functions from a firewall, IPS, or WAF to an NPB reduces the CPU load on those appliances by 45% or more.¹

At the same time, the NPB has no impact on application performance. Sending data to an external decryption device introduces multiple intervals of delay: sending data to the decryption device, waiting for decrypted data to be sent back, sending data to be re-encrypted after inspection by an inline security tool, and receiving encrypted data to send to the network. This delay is all on top of any decryption or encryption time within the decryption device.

[Diagram labels for the external-appliance decryption figure: firewall, bypass switch, network packet broker, encrypted traffic, SSL decrypt appliance, IPS, other tools, switch, servers]


For example, this capability can decrypt Simple Mail Transfer Protocol traffic and hand it off to an antiviral tool for virus and malware inspection. Other decrypted data can be sent to a DLP device for deep packet inspection. This does not require resources on a firewall or other device.

Performing SSL decryption with a network packet broker provides the following benefits:

• Reduces load on security tools by up to 45%.

• Integrated SSL / TLS decryption reduces architectural and operational complexity.

• Not sending data to an additional device reduces data decryption time.

[Figure 8 diagram labels: firewall, bypass switch, encrypted traffic, network packet broker with integrated SSL decrypt, IPS, other tools, switch, servers]

Figure 8. Inline security solution with decryption integrated into the Ixia NPB

Use case category #4 – Minimize complexity to control security solution costs and reduce wasted IT time

Network and security complexity continue to grow. IT departments do not always realize that their choice of a security solution contributes to this. The proper inline security solution can help. Serial tool chaining allows for the automation of data flows. This minimizes the amount of human intervention needed.

Serial tool chaining

As mentioned earlier, tool chaining is a powerful solution for automating the movement of data packets in security monitoring solutions. It can partition out suspect data and pass that data through additional security inspections. The NPB enables this functionality. Suspect data is passed back and forth between an NPB and multiple security tools (such as IDS, DLP, SSL, WAF, and NGFW). Security tool chaining can deliver the interoperability needed to make network security protection mechanisms truly successful.


Security and monitoring tools are typically linked together to control the flow of data through selected services. Depending on the situation, the data inspection can happen in parallel or in serial. To achieve the proper flow of data, you can assign one or more tools to a port or port group on the NPB. Multiple port groups are chained together. A well-designed NPB can support complex service chaining with many tool groups in parallel, serial, or a combination of both.

For example, data can pass to the NPB from the bypass switch. You can filter encrypted data based on Hypertext Transfer Protocol Secure (HTTPS) and send it to a decryption device. Once the decrypted data returns to the NPB from the SSL decryptor, it can move to an IPS for inspection. To minimize latency, packets without anomalies move along quickly. A common example is the use of an IPS solution to filter out suspicious traffic for further analysis by other tools in the daisy chain. Traffic without exceptions goes back into the network quickly to support the fastest possible response time. Data flagged for additional inspection moves from the NPB to another port group that might contain a DLP or some other device for further analysis. Based upon that analysis, the data is either deleted, deemed nonthreatening and passed on to the network, or held for further analysis or quarantine.

Using network packet brokers to power serial tool chaining provides the following benefits:

• Inline packet brokers enable easier serial tool chaining.

• Serial tool chaining enables deeper inspection/analysis of traffic.

• Preset NPB tool chains ensure that actions occur in the proper sequence.
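The chain walked through above (HTTPS filtered to a decryptor, cleartext to an IPS, clean traffic straight back to the network, flagged traffic on to a DLP port group whose verdict is drop, pass or quarantine), as an added simulation that is not Ixia code; the packet fields, tool names and the IPS/DLP matching rules are constructed stand-ins:

```python
"""Serial tool chaining on an inline NPB (added example, not Ixia code).

Walks constructed packets through the chain the text describes: the NPB
filters HTTPS to a decryptor, hands cleartext to an IPS port group, returns
traffic without anomalies to the network immediately, and steers traffic the
IPS flags into a second port group (a DLP here) whose verdict is drop, pass or
quarantine.  Packet fields, the IPS/DLP rules and the tool names are
constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    dst_port: int
    payload: str
    encrypted: bool
    path: list = field(default_factory=list)   # port groups visited, in order


# Constructed stand-ins for the tools' own inspection logic.
IPS_FLAGS = ("cmd.exe", "<script>", "POST /upload")   # IPS marks these as suspect
DLP_SENSITIVE = ("SSN:", "card=")                     # DLP treats these as exfiltration


def ssl_decrypt(pkt: Packet) -> Packet:
    """Decryption port group: the NPB gets cleartext back for inspection."""
    pkt.path.append("ssl-decrypt")
    pkt.encrypted = False
    return pkt


def ips(pkt: Packet) -> str:
    """First port group: 'clean' or 'flag'.  Ciphertext matches nothing, so an
    encrypted packet that skipped the decryptor sails through uninspected."""
    pkt.path.append("ips")
    return "flag" if any(m in pkt.payload for m in IPS_FLAGS) else "clean"


def dlp(pkt: Packet) -> str:
    """Second port group, only for flagged traffic: 'drop', 'quarantine' or 'pass'."""
    pkt.path.append("dlp")
    if any(m in pkt.payload for m in DLP_SENSITIVE):
        return "drop"          # sensitive data leaving: deleted at the NPB
    if "<script>" in pkt.payload:
        return "quarantine"    # held for further analysis
    return "pass"


def run_chain(pkt: Packet) -> str:
    """NPB service chain from bypass switch to network; returns the disposition."""
    pkt.path.append("bypass")
    if pkt.encrypted and pkt.dst_port == 443:      # filter criterion: HTTPS
        pkt = ssl_decrypt(pkt)
    if ips(pkt) == "clean":
        pkt.path.append("network")                 # low-latency path for clean traffic
        return "forwarded"
    verdict = dlp(pkt)
    if verdict == "pass":
        pkt.path.append("network")
        return "forwarded"
    return verdict                                  # "drop" or "quarantine"


def demo() -> dict:
    """Run constructed sample packets; returns {name: (disposition, path)}."""
    samples = {
        "https_clean": Packet(443, "GET /index.html", encrypted=True),
        "https_exfil": Packet(443, "POST /upload SSN:123-45-6789", encrypted=True),
        "http_xss": Packet(80, "GET /?q=<script>alert(1)</script>", encrypted=False),
        "http_upload_ok": Packet(80, "POST /upload photo.jpg", encrypted=False),
    }
    return {name: (run_chain(p), p.path) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (disposition, path) in demo().items():
        print(f"{name:15s} {disposition:10s} {' -> '.join(path)}")
```

Note the caveat the `ips` docstring records: encrypted traffic that does not match the HTTPS filter reaches the IPS as ciphertext and is passed as clean, which is exactly the blind spot the decryption use cases address.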

[Figure 9 diagram labels: firewall, bypass switch, network packet broker, incoming traffic chained through SSL decrypt, IPS and other tools, switch, servers]

Figure 9. Inline security solution using serial tool chaining


Use case category #5 – Deploy advanced security countermeasures

Inline security appliances such as bypass switches and NPBs are enablers for other technology. This technology includes tool failover, implementation of threat hunting solutions, or diversion of suspicious traffic to a honeypot.

Negative heartbeat technology

Typical heartbeat checking monitors the health of attached inline monitoring devices by transmitting small heartbeat packets at regular intervals out of the bypass or NPB ports that connect to a security tool, like an IPS. Under normal operation, the IPS passes the packet back to the transmitting device.

An alternative use case is to send heartbeat messages to devices that should not return an acknowledgment message. One example is a firewall. If a firewall receives a message that it does not understand or that is unknown to it, normal operation is to discard it. The firewall should not send an acknowledgment. Therefore, if a bypass switch sends heartbeat messages to a firewall, those messages should be ignored. If an acknowledgement occurs, then this can be an indicator that the firewall is either malfunctioning or has been compromised.

The negative heartbeat technology use case has the following benefits:

• Negative heartbeat messages can point out that firewalls are not working correctly.

• Active participation by the security engineer is not necessary, as the bypass switch is set up to periodically “ping” the firewall(s).
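The two heartbeat semantics side by side (a tool that must echo the probe, a firewall that must drop it), as an added monitor that is not Ixia code; device names, the three-miss threshold for tools and the per-interval observations are constructed:

```python
"""Positive and negative heartbeats from a bypass switch or NPB (added example, not Ixia code).

A positive heartbeat goes to a device that must echo it (an IPS): silence is a
tool failure.  A negative heartbeat goes to a device that must discard it (a
firewall has no rule for the unknown frame): an echo is the potential indicator
of compromise (IOC) the text describes.  Device names, the miss threshold and
the per-interval observations below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Expect(Enum):
    ECHO = "echo"         # positive heartbeat: the tool must return the frame
    SILENCE = "silence"   # negative heartbeat: the firewall must drop it


@dataclass
class Device:
    name: str
    expect: Expect
    misses: int = 0       # consecutive unanswered positive heartbeats


@dataclass
class Alert:
    interval: int
    device: str
    kind: str             # "tool-down", "tool-restored" or "firewall-ioc"


class HeartbeatMonitor:
    def __init__(self, devices: list[Device], max_misses: int = 3):
        self.devices = {d.name: d for d in devices}
        self.max_misses = max_misses
        self.down: set[str] = set()
        self.alerts: list[Alert] = []

    def observe(self, interval: int, echoed: set[str]) -> None:
        """Process one heartbeat interval; `echoed` names the devices that replied."""
        for dev in self.devices.values():
            replied = dev.name in echoed
            if dev.expect is Expect.SILENCE:
                # Any reply to a negative heartbeat means the firewall forwarded a
                # frame it should have dropped: malfunction or compromise.  It is an
                # indicator to investigate, not a verdict, so it is recorded, not acted on.
                if replied:
                    self.alerts.append(Alert(interval, dev.name, "firewall-ioc"))
                continue
            if replied:
                if dev.name in self.down:
                    self.down.discard(dev.name)
                    self.alerts.append(Alert(interval, dev.name, "tool-restored"))
                dev.misses = 0
            else:
                dev.misses += 1
                if dev.misses >= self.max_misses and dev.name not in self.down:
                    self.down.add(dev.name)
                    self.alerts.append(Alert(interval, dev.name, "tool-down"))

    def iocs(self) -> list[str]:
        """Devices that answered a negative heartbeat at least once."""
        return sorted({a.device for a in self.alerts if a.kind == "firewall-ioc"})


def demo() -> list[Alert]:
    """Constructed run: the IPS drops off for three intervals; the firewall
    starts echoing probes at interval 4, which it should never do."""
    mon = HeartbeatMonitor([Device("ips-1", Expect.ECHO), Device("fw-edge", Expect.SILENCE)])
    observations = [
        {"ips-1"},               # 0: normal
        set(),                   # 1: IPS misses once
        set(),                   # 2: IPS misses twice
        set(),                   # 3: third miss -> tool-down
        {"ips-1", "fw-edge"},    # 4: IPS back; firewall answers -> IOC
        {"ips-1"},               # 5: normal again
    ]
    for i, echoed in enumerate(observations):
        mon.observe(i, echoed)
    return mon.alerts


if __name__ == "__main__":
    for a in demo():
        print(f"interval {a.interval}: {a.device} {a.kind}")
```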

[Figure 10 diagram labels: firewall, bypass switch, network packet broker, incoming traffic, tool #1, tool #2, other tools, switch, servers; bypass-to-NPB heartbeat; NPB-to-tool heartbeat; negative (one-way) heartbeat to the firewall: if acknowledged, there is a potential IOC]

Figure 10. Inline security solution illustrating Ixia bypass and negative NPB heartbeat technology


Threat hunting solutions

While security threats in general are a consistent concern for IT departments, the specific types of security threats change over time. For instance, according to the WatchGuard Internet Security Report - Q1 2019, cyber attackers use a wide range of security attacks including malware, network attacks, and web application attacks (specifically, XSS and SQLi).

Since security threats are changing, this means that you also need to modify or augment your security tactics. One increasingly popular strategy is to actively hunt for threats on your network. Passive security practices are not adequate anymore. It is critical to be proactive to stop a breach, as the threats themselves have become much more sophisticated and challenging to detect. Threat hunting solutions are both inline and out-of-band, so you will need to decide which type of solution fits your requirements.

If you choose to implement an inline threat hunting solution, the first thing you will need is a visibility architecture. By constructing a visibility architecture (with the bypass switch and inline NPB), you will have access to all the data you need. The NPB allows you to set up criteria to filter out all unnecessary data so that a threat hunting tool can inspect traffic to quickly and efficiently hunt through the data for indicators of compromise (IOC). While some people don’t think they need a packet broker, it will take you a lot longer to find threats without one. There is also a greater chance of missing threats.

This use case has the following benefits:

• It captures the right type of data and sends it to a threat hunting solution for further analysis.

• It deploys a threat hunting solution as soon as data enters the network to detect and stop incoming security threats.

[Figure 11 diagram labels: www, firewall, bypass switch, network packet broker, inspected traffic, threat hunting appliance, switch, servers]

Figure 11. Inline security solution illustrating an inline threat hunting solution


Honeypots

While professional security organizations and agencies may actively try to lure hackers to their honeypots, most enterprises and service providers hope that they never find anything in their honeypots. However, in the event of a network intrusion, you want to be able to steer a hacker away from the real network and over to an inline decoy area for containment and observation.

Once suspicious activity is detected, either the data is deleted or it is redirected to another device, like a honeypot, for analysis. The use of honeypots can also take the burden away from your IPS and decrease the number of false positives and negatives for security threats.

This use case has the following benefits:

• It diverts suspect traffic to a honeypot for further analysis.

• Reductions in IPS false negatives and positives are possible by deploying a honeypot to lure potential attackers to the wrong area of the network.

[Figure 12 diagram labels: firewall, bypass switch, network packet broker, incoming traffic, SSL decrypt, IPS, honeypot, SIEM, inter-tool communication, switch, servers]

Figure 12. Illustration of an inline security solution with a honeypot

Solution Benefits

The Ixia inline security solution has many different benefits, depending on the use case(s) deployed. The solution delivers the following benefits:

• increased network availability / MTBF because of an external bypass

• reduced risk due to enhanced security

• reduced security tool costs due to n+1 availability

• increased efficiency by intelligent filtering of known bad traffic at the front of the security validation process — avoids redundant inspection by equipment and security engineers


• reduced complexity with an all-in-one solution

• robust decryption support including TLS 1.3

• improved data inspection techniques with serial tool chaining

The actual solution benefits depend upon the different use cases implemented.

Ixia Solution Summary

Ixia security solutions help enable more secure, more reliable and cost-effective inline security tool deployments. The products are simple to use and manage — they offer enhanced network survivability, encryption capability, and component redundancy for your solutions. The solution forms a self-healing architecture featuring bypass switches and network packet brokers that do not drop packets (unlike other industry NPBs). Multiple levels of component redundancy and fail-over scenarios are supported to thwart most of the attacks that bad actors can deploy.

While no security solution guarantees 100% complete elimination of security threats, this inline security solution delivers protection aligned with industry best practices at a highly cost-effective price.

The Ixia solution includes the following components:

• iBypass switches

• Vision Series of inline NPBs

• SecureStack SSL decryption

• ThreatARMOR threat intelligence gateway

iBypass switches

Ixia has an extensive array of external bypass switches. All external bypasses deliver complete independence from a security tool or packet broker failure. The bypass switches support active-standby as well as active-active network/security architectures. These switches support a market-leading GUI interface that aids rapid deployment of complex topologies that are not possible with other vendors’ bypass switches. Also, Ixia bypasses support central management configuration using the Ixia Fabric Controller Centralized Manager (IFC). IFC is the industry’s only centralized bypass management tool. It simplifies and speeds up the configuration and management of tens to hundreds of devices.


Ixia offers six different bypass switches:

• iBypass 100 G: The iBypass 100 G intelligent bypass switch is designed for a single appliance running at speeds up to 100 Gbps.

• iBypass 40 G: The iBypass 40 G intelligent bypass switch is designed for a single appliance running at speeds up to 40 Gbps.

• iBypass 3 Copper: The iBypass 3 Copper is a very high-density, 12-segment, 10 Gbps intelligent bypass switch.

• iBypass VHD: The iBypass VHD has the highest port density of any bypass switch on the market — it protects up to 12 network links, or 12 security devices, running at 10 Gbps in a compact, 1U rack mount form factor.

• iBypass HD: The iBypass HD is an 8-segment 10/100/1000 Mbps high-density intelligent bypass switch in a compact, 1U rack mount form factor.

• iBypass DUO: The iBypass DUO supports two security bypass switches with two separate management interface ports for redundancy.

Why Ixia bypass switches?

The Ixia solution offers the following advantages:

• flexible heartbeat technology with anti-tromboning

• external architecture avoids outages when tools are rebooted for patches or updates, unlike approaches using internal bypass switching

• fast failover optical bypass functions – 10-30 milliseconds

• extensive failover options – user-selected fail-open or fail-closed

• highest density bypass on the market

• support for negative heartbeats that provide an indicator of compromise for firewalls


Vision series of inline NPBs

Ixia visibility solutions provide real-time, end-to-end visibility, insight, and security. Solutions cover physical, virtual, SDN, and NFV based networks. You now have the control, coverage, and performance to seamlessly protect and improve crucial networking, data center, and cloud business assets.

Ixia NPBs lead the industry in delivering intelligent, sophisticated and programmable network traffic. This optimizes network and security data visibility to enable IT teams to quickly resolve application performance bottlenecks, troubleshoot problems, improve data center automation, better utilize expensive network analysis and security tools, and support better business execution through an improved understanding of network and data center traffic.

The Vision Series of network packet brokers for inline security helps ensure continuous security monitoring with fast failover and the ability to upgrade security tools without downtime. They inspect live traffic for malware and attacks without risk to network availability. To manage your network packet brokers and bypass switches, Ixia’s Fabric Controller (IFC) delivers resilient and extremely easy to use visibility management through a single pane of glass.

The following is Ixia’s portfolio of NPBs available for inline security architectures:

• Vision ONE: The Vision ONE is a 1 RU rack mount chassis that supports a maximum of sixty-four 10 G ports or four 40 G ports — it supports both simultaneous inline and out-of-band monitoring capabilities.

• Vision X (future support for inline): Vision X is a 3 RU rack mount chassis that supports up to 60 multispeed ports ranging from 10 to 100 G — each chassis processes up to 2 Tbps of data through dedicated FPGA hardware. It will support simultaneous inline and out-of-band monitoring capabilities.

• Vision E40: Vision E40 is a 1 RU rack mount chassis that supports a maximum of 48 ports of 1/10 GE or 6 ports of 40 GE — it supports using both inline and out-of-band monitoring modes simultaneously.

• Vision E100: Vision E100 is a 1 RU chassis that supports a maximum of 32 ports of 40/100 GE, or 128 ports of 10/25 GE, or a maximum of 64 ports of 50 GE. It supports using both inline and out-of-band monitoring modes simultaneously.


Why Ixia network packet brokers?

Here are some reasons to consider Ixia for your network:

• Advanced hardware architecture including high performance FPGA acceleration avoids dropped packets – even with filters and features enabled – an area software-based solutions struggle with.

• Active-active high availability – cost effective approach avoids the need to pay for largely unused redundant hardware. Active-Standby HA for NPBs is a less efficient approach which carries the risk of data loss and does not protect against tool outages.

• Non-blocking architecture – other NPB manufacturers have a blocking architecture that requires a feature compatibility matrix to show you what features can be used simultaneously.

• Extensive portfolio - Ixia offers a wide portfolio of NPBs with scalable port density options to optimize the cost of an NPB purchase.

• True load balancing - Ixia load balancing for security tools delivers an even split across ports. Other NPB manufacturer solutions can split unevenly, delivering unpredictable performance.

• Serial chaining - Ixia helps you maximize traffic inspection by offering the ability to serially chain multiple security tools together to ensure proper analysis of suspect data.

• Self-healing failover - Ixia NPBs support heartbeat messaging so they can automatically detect whether any of the security tools are in a failure state and dynamically adjust to the situation with a self-healing architecture.

• Intuitive GUI - the Ixia GUI makes filter programming, a difficult, error-prone process when using RegEx/CLI, easier and faster with less chance of human error.

SecureStack SSL / TLS decryption

Ixia’s SecureStack active SSL / TLS decryption capability enables organizations to see inside traffic encrypted not only with traditional cryptographic approaches but also with ephemeral keys, including TLS 1.3. The inline decryption functionality is available in certain Ixia NPBs, including Vision ONE. Vision X will support the feature in the near future.

With Ixia’s active SSL solution, you can:

• decrypt data once and scale your monitoring infrastructure

• offload SSL decryption to optimize security and monitoring tool performance

• deploy inline, out-of-band (OOB), and simultaneous inline and OOB configurations for ultimate flexibility

• create visibility into both outbound and inbound traffic to inspect downloads and detect server attacks


Active SSL is available via a high-performance application module for the Vision ONE network packet broker. This product has the following key features:

• Dedicated cryptographic processor for the best possible throughput.

• Throughput options include 1 G, 2 G, 4 G, or 10 G; licensing per module.

• Product upgrades available through the licensing module.

• Built-in policy management, URL categorization, and real-time insight through reporting.

• Includes support for all leading ciphers including TLS 1.3.

• 150,000 maximum concurrent sessions.

What Makes Ixia SSL / TLS Decryption Better Than the Competition?

The following list highlights the SecureStack product differentiators:

• SecureStack is an integrated solution within the NPB which means there is less set up and programming complexity; it is not a separate product that requires configuration and administration.

• SSL decryption is an integrated solution (within the NPB) which means there is less delay than running the decryption / re-encryption functions through an external device.

• SecureStack supports forward and reverse proxy scenarios in a single module which reduces costs and complexity. Other NPB manufacturers require separate modules for each scenario.

• Using an integrated, but separate, piece of hardware means the Ixia solution can handle up to 10 Gbps of SSL decryption with zero impact on the packet broker’s ability to function at line rate. Many other network packet brokers suffer architectural limitations such that decryption does impact performance.

• SecureStack licensing is implemented in software for speeds of 1 Gbps, 2 Gbps, 4 Gbps, and 10 Gbps. This allows you to right size the solution for your needs and upgrade as required without a lift and shift box change or adding more modules.

• The host categorization library is located entirely on the blade, which means that no internet connection is required; this delivers superior survivability compared to other decryption solutions on the market.

ThreatARMOR threat intelligence gateway

Ixia’s ThreatARMOR solution detects infected systems to thwart outbound connections with botnets, phishing scams, and malware exploits. It blocks connections from known malicious IP addresses and untrusted geographies while preventing phishing replies and botnet connections. ThreatARMOR also helps reduce “alert fatigue” by stemming the flood of alerts from SIEMs and security tools.


This appliance operates in three different modes: reporting, blocking, or fail-safe bypass operation.

• ThreatARMOR 1 G: ThreatARMOR is a threat intelligence appliance with four 1 GE copper Ethernet ports.

• ThreatARMOR 10 G: ThreatARMOR 10 G is a threat intelligence appliance with four 10 GE SR fiber Ethernet ports.

What Makes Ixia Threat Intelligence Gateways Better Than the Competition?

Here are some reasons to consider using ThreatARMOR in your network:

• ThreatARMOR offers flexibility for use with blacklisting or whitelisting security architectures.

• The intelligence gateway blocks incoming traffic from, and outgoing traffic to, known bad IP addresses.

• Exclusions can be made by specific IP address or by country for ultimate flexibility.

• The product uses the Ixia ATI threat intelligence feed for updates every five minutes.

• It provides an intuitive, on-screen dashboard displaying blocked sites, countries of origin, and statistics.

• ThreatARMOR features easy 30-minute setup, with no ongoing tuning or maintenance required.

• It provides full line-rate performance.
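As an added illustration (not Ixia code and not a description of ThreatARMOR’s internals), the following Python models the decision logic the bullets above describe: a gateway that blocks traffic to or from addresses on a threat feed and from blocked countries, supports a whitelist (allowed-country) architecture as well as a blacklist one, honours exclusions by specific IP or by country, and runs in reporting, blocking, or fail-safe bypass mode. The feed, the country table, and the addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data standing in for a vendor threat feed and a GeoIP table.
BAD_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.7/32")]
COUNTRY_OF = {"203.0.113.0/24": "XX", "198.51.100.0/24": "YY", "192.0.2.0/24": "US"}

def country_for(ip):
    """Constructed GeoIP lookup: country code for an address, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in COUNTRY_OF.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return None

@dataclass
class GatewayPolicy:
    mode: str = "blocking"                 # "reporting", "blocking" or "bypass"
    blocked_countries: set = field(default_factory=set)  # blacklist by geography
    allowed_countries: set = field(default_factory=set)  # non-empty = whitelist mode
    excluded_ips: set = field(default_factory=set)       # exclusions by specific IP
    excluded_countries: set = field(default_factory=set) # exclusions by country

    def evaluate(self, src_ip, dst_ip):
        """Return (action, reason). Source and destination are both checked, so
        inbound traffic from a bad address and outbound traffic to one are
        caught alike (the latter is the infected-host / exfiltration case)."""
        if self.mode == "bypass":          # fail-safe: forward everything uninspected
            return "forward", "bypass mode"
        for ip in (src_ip, dst_ip):
            addr, cc = ipaddress.ip_address(ip), country_for(ip)
            if ip in self.excluded_ips or cc in self.excluded_countries:
                continue                   # an exclusion overrides every match
            if any(addr in net for net in BAD_PREFIXES):
                reason = f"{ip} is on the threat feed"
            elif cc in self.blocked_countries:
                reason = f"{ip} is in blocked country {cc}"
            elif self.allowed_countries and cc not in self.allowed_countries:
                reason = f"{ip} is outside the allowed countries"
            else:
                continue
            # Reporting mode records the match but still forwards the traffic.
            return ("block" if self.mode == "blocking" else "forward"), reason
        return "forward", "no match"
```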

Putting It All Together – The Ixia Visibility Architecture

A properly designed visibility architecture with inline bypass switches and NPBs can capture network data associated with a breach and direct that data to specific security tools for analysis, such as an IPS or DLP.

Figure 13 illustrates how an organization would deploy the Ixia inline security solution. Here are the four most important use cases.

1. ThreatARMOR intelligence gateways eliminate as much of the incoming malware as possible.

2. iBypass switches bolster network reliability to maximize business continuity.

3. Vision ONE NPBs provide aggregation and load balancing to maximize tool survivability at the lowest cost.

4. Integrated SSL decryption (SecureStack) makes decryption as simple as possible, reducing complexity.


[Figure 13 diagram. Elements: network traffic, firewall, bypass switch (iBypass), network packet broker (Vision ONE) with integrated SSL decrypt (SecureStack), threat intelligence gateway (ThreatARMOR), IPS, WAF, other tool, switch, servers. Callouts: screen incoming and outgoing traffic; analyze data for security threats; increase network survivability; increase component survivability; inspect encrypted traffic.]

Figure 13. Ixia’s inline security solution

Deployment configurations

This section demonstrates common deployments, exploring before and after scenarios that illustrate the difference Ixia can make for SecOps teams.

Scenario 1: Inline vs External Bypass

The first example illustrates how and why an external bypass switch is superior to an internal bypass. First, while an internal bypass might seem at first to be an elegant solution, the integration results in a lower (worse) MTBF.

Second, although an internal bypass can continue to work while the security appliance is being patched or updated, if the appliance is removed from the data center the internal bypass goes with it, creating network downtime and disruption. In contrast, a separate external bypass simply switches to bypass mode, sending traffic around the missing tool.
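To make the failure behaviour concrete, here is a small added Python model (not Ixia’s iBypass implementation) of an external bypass switch that sends heartbeat packets through the inline tool: after an assumed number of consecutive unanswered heartbeats the switch shunts traffic around the tool, and once heartbeats return the tool is re-inserted. The threshold and the interval sequence are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ExternalBypass:
    """External bypass in front of one inline tool, driven by heartbeat results."""
    miss_threshold: int = 3        # consecutive missed heartbeats before shunting (assumed)
    misses: int = 0
    bypassing: bool = False
    transitions: list = field(default_factory=list)

    def tick(self, heartbeat_returned):
        """One heartbeat interval. Returns where production traffic goes this interval."""
        if heartbeat_returned:
            self.misses = 0
            if self.bypassing:         # tool is answering again: re-insert it
                self.bypassing = False
                self.transitions.append("reinsert")
        else:
            self.misses += 1
            if self.misses >= self.miss_threshold and not self.bypassing:
                self.bypassing = True  # fail-open: keep the link up around the tool
                self.transitions.append("bypass")
        return "around-tool" if self.bypassing else "through-tool"

def run_tool_removal(bypass, intervals_removed, intervals_back):
    """Simulate the appliance being pulled from the rack and later racked again.
    Returns the per-interval traffic path; the link itself never goes down."""
    path = [bypass.tick(True)]                               # healthy start
    path += [bypass.tick(False) for _ in range(intervals_removed)]
    path += [bypass.tick(True) for _ in range(intervals_back)]
    return path

def internal_bypass_when_removed(intervals_removed):
    """Contrast case from the text: an internal bypass leaves with the appliance,
    so every interval the appliance is absent is a link outage."""
    return ["link-down"] * intervals_removed
```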

[Figure 14 diagram, with vs. without Ixia security: with an external bypass, removing the IPS from service triggers the fail-over feature and traffic continues; without it, the internal bypass is useless when the tool is removed, resulting in network failure.]

Figure 14. Comparison of an inline bypass to an external bypass when removing a tool


Scenario 2 – How an NPB Improves Inline Security

A second common consideration is whether to deploy an inline NPB or not. In Figure 15, it may appear simple enough to add a bypass switch and a security appliance. However, it is much more complicated. Incoming data has to run a latency-inducing gauntlet of security appliances before it can finally make it into the network and be delivered where it needs to go. In addition, what happens if you do not need every tool to inspect every piece of data? What if multiple tools conflict on the safety of specific data, with one tool saying it is suspicious and another saying it is safe? What if every tool needs decrypted data? This scenario can get quite complicated.

Deploying a network packet broker reduces the number of bypasses and other equipment needed. With fewer devices there is less complexity and simpler configuration. An NPB also opens the option of additional capability: filtering, integrated decryption, and tool chaining.

[Figure 15 diagram, with vs. without Ixia security: without an NPB, the data path from the Internet runs through the firewall and a separate bypass switch for each of the WAF, IPS, SSL decrypt and other tool before reaching the switch and servers; with an NPB, a single bypass switch feeds the network packet broker, which distributes traffic to the security tools.]

Figure 15. Comparison of inline security with and without an NPB

Scenario 3: How Load Balancing Creates n+1 Survivability

This scenario illustrates the value of n+1 survivability for security tools. Without an NPB, a tool failure causes a loss in processing capacity and functionality becomes degraded until the missing tool is operational again. Individual load balancers are an alternative, but these can create a potential single point of failure when inserted into the network and they require synchronization with the tools. With an NPB, load balancing is an integrated feature. Should a tool fail, the processing load distributes across the remaining tools. When the failed tool is operational again, the load is automatically rebalanced across all the tools to form a self-healing architecture.
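The figures in this scenario (40 GE spread over five tools at 8 GE each, rising to 10 GE on each of four after one failure) can be reproduced with the following added Python model of an NPB load balancer. It is not Ixia’s algorithm: it uses a simple least-loaded placement, an assumed 10 Gbps per-tool capacity, and constructed flows, and it flags the degraded case where the survivors can no longer absorb the load.

```python
TOOL_CAPACITY_GBPS = 10   # assumed per-tool inspection limit (figure shows 8 or 10 GE per tool)

def assign(flows, tools):
    """Least-loaded placement: each (name, gbps) flow goes to the tool with the
    lowest load so far, largest flows first. Returns {tool: gbps}. Raises when a
    tool would exceed its capacity, the degraded state the text warns about."""
    load = {t: 0.0 for t in tools}
    for _name, gbps in sorted(flows, key=lambda f: -f[1]):
        target = min(tools, key=lambda t: load[t])
        load[target] += gbps
        if load[target] > TOOL_CAPACITY_GBPS:
            raise RuntimeError(f"{target} overloaded at {load[target]} Gbps")
    return load

class NpbLoadBalancer:
    """Inline NPB that spreads flows over the healthy tools and heals on recovery."""
    def __init__(self, flows, tools):
        self.flows, self.tools, self.failed = list(flows), list(tools), set()

    def loads(self):
        """Gbps delivered to each tool right now; failed tools carry 0 GE."""
        healthy = [t for t in self.tools if t not in self.failed]
        if not healthy:
            raise RuntimeError("every tool has failed; no inspection capacity left")
        load = assign(self.flows, healthy)
        return {t: load.get(t, 0.0) for t in self.tools}

    def tool_failed(self, tool):
        self.failed.add(tool)      # survivors absorb the load (n+1 keeps it within capacity)

    def tool_recovered(self, tool):
        self.failed.discard(tool)  # load is automatically rebalanced across all tools

def without_npb_uninspected_gbps(loads_before, failed_tool):
    """Without an NPB each tool sits on its own path: the failed tool's share is
    no longer inspected (or, fail-closed, no longer delivered) until it returns."""
    return loads_before[failed_tool]
```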


[Figure 16 diagram, with vs. without Ixia security: 40 GE of traffic is spread over five tools at 8 GE each. When one tool fails (0 GE), the tool failure problem without an NPB leaves its share unprocessed; with the NPB, the tool failure correction redistributes the load to 10 GE on each of the remaining four tools.]

Figure 16. Self-healing architecture adjusts to tool failure situation with n+1 survivability

Scenario 4: Deployment of Active SSL Decryption

Decryption is another important scenario. Without active SSL/TLS decryption, inline security appliances (like an IPS, WAF, or UTM) cannot inspect encrypted traffic. Integrated decryption capabilities allow Ixia NPBs to decrypt traffic, send it to security appliances for inspection, then re-encrypt and return that traffic to the network for delivery. The solution is quick, simple, and easy.

[Figure 17 diagram, with vs. without Ixia security: without decryption the IPS receives encrypted traffic it cannot understand; with Vision One and ActiveSSL the IPS receives clear text.]

Figure 17. Decrypt and inspect traffic with an in-line monitoring tool

Scenario 5: Stop Malware Before It Ever Enters Your Network

Another important scenario is the deployment of a threat intelligence gateway. Threat intelligence gateways, such as Ixia’s ThreatARMOR, provide an additional layer of defense, further enhancing any defense-in-depth strategy. ThreatARMOR reduces the load on your existing security infrastructure by providing front-line filtering of traffic from known bad IP addresses and known bad geographies, stopping volumes of malicious traffic before it ever has a chance to impact your tools or compromise your network. ThreatARMOR can block up to 80% of malicious traffic, including ransomware and botnets. This increases the productivity of your security appliances (and staff) by reducing the number of alerts that require investigation. It also reduces the impact of alert fatigue.

If your network is already infected, ThreatARMOR can stop outgoing traffic to known bad IP addresses, preventing the exfiltration of data from your network.

[Figure 18 diagram, with vs. without Ixia security: without ThreatARMOR, traffic from the Internet passes the firewall, bypass switch and network packet broker to the security tools, which process more threats, generate more alerts, and consume more time and effort; with ThreatARMOR in front of the firewall, workload and positive threats are reduced by 80% or more before incoming traffic ever reaches the security tools, which then generate fewer positive and false positive alerts and consume less time and effort.]

Figure 18. Make network security simpler by immediately removing known bad traffic

Scenario 6: Improve Security Data Inspection with Tool Chaining

This scenario shows the value of security tool chaining. If the NPB does not have the ability to perform sequential tool chaining, then only one tool inspects traffic. After that, the traffic passes back to the bypass switch and returns to the network. Unfortunately, even the best security tools don’t detect 100% of malicious traffic. In some cases, you have to run traffic through an IPS, a WAF, a UTM, SSL decryption, or another appliance before you detect a threat. An NPB that supports serial chaining makes it easy to pass all or certain types of traffic through multiple security appliance inspections. This saves time and money, and can quite possibly prevent a data breach.
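The following added Python sketch (not Ixia code) models the difference between single-tool inspection and serial tool chaining as this scenario and Scenario 2 describe it: each chain stage has a selector deciding which traffic types visit it, and a block verdict from any stage wins, which is how a conflict between tools is resolved. The tool verdict functions and the flow records are constructed stand-ins, each deliberately blind to some threat.

```python
# Constructed verdict functions standing in for real appliances. Each returns
# "allow" or "block"; none catches everything, which is the point of chaining.
def ips(flow):
    return "block" if flow.get("exploit") else "allow"

def waf(flow):
    return "block" if flow.get("sqli") and flow["proto"] == "http" else "allow"

def dlp(flow):
    return "block" if flow.get("pii") and flow["direction"] == "out" else "allow"

# Chain definition: (name, selector, tool). The selector implements "all or
# certain types of traffic": only matching traffic is sent to that tool.
CHAIN = [
    ("IPS", lambda f: True, ips),
    ("WAF", lambda f: f["proto"] == "http", waf),
    ("DLP", lambda f: f["direction"] == "out", dlp),
]

def inspect_single_tool(flow, tool=ips, name="IPS"):
    """Without serial chaining the NPB hands traffic to one tool and returns it
    to the bypass switch, whatever that tool might have missed."""
    return tool(flow), [name]

def inspect_chain(flow, chain=CHAIN):
    """Serial chaining: traffic passes through each applicable tool in order and
    the first block verdict ends the chain, so a tool conflict resolves to block.
    Returns (verdict, list of tools that inspected the traffic)."""
    visited = []
    for name, applies, verdict in chain:
        if not applies(flow):
            continue
        visited.append(name)
        if verdict(flow) == "block":
            return "block", visited
    return "allow", visited
```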

[Figure 19 diagram, with vs. without Ixia security: without tool chaining, the network packet broker sends suspect data to one individual tool for analysis; with tool chaining, suspect data follows a data path from Tool #1 to Tool #2 to Tool #3 for extensive analysis.]

Figure 19. Maximize data inspection with tool chaining


Conclusion

Ixia can help you enhance your inline security deployments. The iBypass switch provides a scalable, fail-safe way to eliminate security appliance failure concerns. This is a fundamental concern for security teams, as they cannot afford for the solution to cause an outage. The heartbeat messaging feature of these devices is among the best in class on the market.

Adding Ixia NPBs between iBypass switches and security tools enables some powerful options. These include the ability to create cost-effective redundancy using an n+1 approach, serial tool chaining for rigorous data inspection, and data decryption built into the NPB. These solutions help reduce latency.

The addition of Ixia’s ThreatARMOR allows security architects to reduce SIEM alerts by 80% or more. This has a dynamic ripple effect throughout the inline security architecture, as it reduces the amount of time spent analyzing those potential security threats. An ROI of 15x or more is possible with this solution.

Combining the Ixia inline security solution set with classic Ixia NPB features, such as the dynamic filter engine, intuitive GUI, and FPGA hardware acceleration, creates a unique and powerful value proposition for customers. In addition, tests conducted by the Tolly Group [11] show that even under load with features and filters turned on, Ixia packet brokers perform as expected and, unlike many other NPBs, don’t drop packets.

Appendix A – Citations

1. “Global Deception Technology Market 2017-2021.” Technavio. Last modified June 2017. https://www.technavio.com/report/global-it-security-global-deception-technology-market.

2. McGillicuddy, Shamus. “On-Demand Webinar: Next-Generation Network Packet Brokers: Defining the Future of Network Visibility Fabrics.” Enterprise Management Associates. Accessed September 12, 2019. http://info.enterprisemanagement.com/next-gen-network-packet-brokers-webinar-ws.

3. Ixia conducted research.

4. “2016 Cost of Data Center Outages.” Ponemon Institute. Last modified January 19, 2016. https://www.ponemon.org/blog/2016-cost-of-data-center-outages.

5. “2016 Cost of Data Center Outages.” Ponemon Institute. Last modified January 19, 2016. https://www.ponemon.org/blog/2016-cost-of-data-center-outages.

6. “Quarterly Threat Landscape Report.” Fortinet. Last modified March 2018. https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-report-q3-2018.pdf.

7. “Cisco Encrypted Traffic Analytics.” Cisco. Last modified July 2019. https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf.

8. Kerravala, Zeus. “Simplified Programming of a Visibility Layer Can Have a Big Impact on Application Performance.” ZK Research. November 2016. https://www.ixiacom.com/zh/resources/simplified-programming-visibility-layer-can-have-big-impact-application-performance.

9. Kerravala, Zeus. “Simplified Programming of a Visibility Layer Can Have a Big Impact on Application Performance.” ZK Research. November 2016. https://www.ixiacom.com/zh/resources/simplified-programming-visibility-layer-can-have-big-impact-application-performance.

10. “Internet Security Report - Q1 2019.” WatchGuard: Network Security, Secure Wi-Fi, and MFA Solutions. Last modified June 24, 2019. https://www.watchguard.com/wgrd-resource-center/security-report-q1-2019.

11. The Tolly Group. “Ixia Net Tool Optimizer (NTO) 5288.” Ixia Network Security Application Performance. Last modified January 19, 2016. https://support.ixiacom.com/info/tolly-report/downloads/216100IxiaNetworkToolOptimizerPerformance.pdf.

Learn more at: www.ixiacom.com

For more information on Ixia products, applications, or services, please contact your local Ixia or Keysight Technologies office. The complete list is available at: www.ixiacom.com/contact/info

This information is subject to change without notice. © Keysight Technologies, 2019-2020, Published in USA, January 7, 2020, 7119-1217.EN