Authored by: Gregory Copeland, Director Technical Alliances, Keysight Technologies
For many years enterprises and service providers have implemented network visibility architectures in their on-premise environments. The goal of network visibility was (and still is) to gather copies of network data such as packets, as well as network derived metadata such as flows, and deliver them to security and performance monitoring tools where the data can be stored, searched, analysed, and reported for use cases including threat hunting, incident response, application performance monitoring and more.
The first building block of network visibility was the use of the switch mirror port, or network tap device, to gather copies of packets from a single network link.
But for large environments with many network links of increasing speeds, and many different tools needing access to the data, the simple mirror or tap wasn’t enough and didn’t scale. So the next building block became the network packet broker appliance, which could gather data from many links of varying speeds, optimise the data feed using techniques such as de-duplication, decryption, filtering, and load balancing, replicate the traffic to different tools, and otherwise add a flexible enterprise-grade layer for network visibility.
When organisations started moving their workloads to the cloud they faced a challenge: the traditional network methods used to mirror or tap packets didn’t yet exist. They had to rely on other data sources such as logs, which, while useful, didn’t provide the level of detail that network data does. However, more recently cloud providers such as Google Cloud (GCP) have introduced packet mirroring services.
At a high level you can think of these packet mirror services as similar to their physical mirror/tap counterparts. They do a good job at straightforward network visibility needs such as forwarding packets from particular hosts to a tool. But for broader and more complex network visibility requirements, packet mirror services can be complemented by data brokering services such as the CloudLens offering from Keysight Technologies. Keysight CloudLens offers features such as data aggregation, de-duplication, replication, encryption/decryption, tunnelling, advanced filtering, and more. It complements Google Cloud Packet Mirroring, and together they provide a complete network visibility solution analogous to what organisations have come to depend upon in their on-premise environments.
But in the cloud, there’s more to consider than traditional network visibility functions. By its nature, monitoring of cloud-hosted resources is dynamic, ephemeral, and more complex than monitoring of static physical networks. Furthermore, consider that many organisations have hybrid cloud/non-cloud and multi-cloud deployments, each with differing network visibility capabilities. Meanwhile, data needs to be collected and securely delivered to wherever the analysis tools live, over infrastructure that may not always be secure. To meet these challenges of cloud visibility, Google Cloud and Keysight Technologies have partnered to offer a complete network visibility solution for cloud.
Keysight CloudLens gives security operations a uniform way to quickly and safely deploy or change network visibility policies. CloudLens hides the complexities of underlying configurations, making it possible to take advantage of cloud capabilities for rapid tool deployment during ongoing incident investigations.
A single pane of glass is used, freeing the operator from having to navigate all the configuration differences of each public or private cloud provider. CloudLens creates a distributed and encrypted packet brokering layer between native cloud packet mirroring functions such as GCP’s and the traffic analysis tools, so that data can be securely delivered regardless of whether the visibility traffic sources and destinations reside in the same availability zones, regions, or even infrastructure provider. Full network visibility and security analysis capabilities are maintained without sacrificing data security.
Together, GCP Packet Mirroring and Keysight CloudLens enable intent-based visibility for Google Cloud, hybrid, and multi-cloud deployments. Organisations can forward whatever data is needed in a simple intent-based manner using a drag-and-drop user interface, or programmatic APIs, with traffic monitoring policies that scale and adjust dynamically along with the cloud infrastructure. Organisations can host the CloudLens manager within their own GCP account, with full control over their data collection. The solution from Google and Keysight has been tested together and is in use at joint customers. We encourage you to consider the benefits of intent-based network visibility for cloud.