What is a Network Packet Broker (NPB)?

A Network Packet Broker is a special type of network switch that comes in various forms, from portable devices, through 1U or 2U rack units, to elaborate modular systems (chassis and blades).
Unlike a typical network switch, an NPB does not interfere with the network traffic flowing through it unless the network administrator wants it to.
The NPB accepts network traffic on one or more input ports, performs several predefined operations on that traffic, and sends it to one or more output ports. This is usually referred to as "any to any", "many to any" and "any to many" (one to one, many to one and one to many) port mapping. It should be added that any NPB interface can be defined as either an input or an output.
The operations an NPB can perform range from simply forwarding traffic to one or a few selected ports to complex L5 filtering aimed at identifying a specific session.
Network packet brokers can have RJ45 copper connectors, but SFP/SFP+ or QSFP ports are the most common, allowing a wider range of media and connection speeds.
The set of functions offered by NPBs is designed to make the most effective use of network monitoring, traffic analysis and IT security devices. NPBs together with TAPs are used to build systems referred to as a Network Visibility Platform or a Security Delivery Platform.
What capabilities do Network Packet Brokers offer?
NPB capabilities are numerous and vary depending on the make and model of the device, although any decent NPB is expected to have a set of basic functions. The most common NPBs on the market operate at OSI layers L2-L4.

Typical NPB switches operating at layers L2-L4 have the following functions: redirection of network traffic or a specific portion of it; traffic filtering; replication; protocol stripping (removal of protocol headers); packet slicing (packet pruning); initiation and termination of various network protocols; and load balancing of network traffic. In addition, among the capabilities of an L2-L4 NPB you can expect filtering on VLAN tags, MPLS labels, MAC and IP addresses (source and destination), TCP and UDP ports (source and destination), TCP flags, and ICMP, SCTP and ARP traffic. These are not the only functions found in such devices, but they show well that an NPB operating at layers 2 through 4 can cleanly separate the components of network traffic.
A critical parameter of an NPB is the so-called "non-blocking backplane", which allows the device to perform the tasks above at full link speed, e.g. 100G. The NPB must support maximum throughput on each of its ports, because the diagnostic devices connected to it can only do their job to the degree and quality at which network traffic is delivered to them. If the NPB "loses" packets, the picture of the network seen by the monitoring devices will be skewed.
Most NPB designs are based on ASICs or FPGAs because of the greater efficiency of such solutions in packet processing. CPU-based NPBs are also available; this approach is used where flexibility in defining functionality is required, which pure hardware solutions cannot provide.
These functions include packet deduplication, time stamping, SSL/TLS decryption, keyword search and simple search. However, they are limited by CPU processing power: their performance depends heavily on a number of external variables and is difficult to determine precisely before physical deployment. Once activated, CPU-dependent functions significantly reduce the overall performance of the NPB.
CPUs together with programmable switching chips (e.g., Cavium Xpliant, Barefoot Tofino, Innovium Teralynx) serve as the basis for the extensive feature sets of next-generation NPBs (Next Generation Network Packet Brokers). NGNPBs are devices that can handle traffic above layer 4 and are commonly referred to as "L7 NPBs". Advanced search functions are the best example of next-generation NPB features.
The payload (packet content) search feature makes it possible to filter traffic at the session and application layers and provides more precise network control than is possible with devices operating at layers L2-L4.
How does the Network Packet Broker work with the infrastructure?
The Network Packet Broker (NPB) can be installed in two ways: inline and out-of-band. Each configuration offers uses of the NPB that are available only in that configuration.
In an inline arrangement, network traffic flows through the device on its way to its destination. This makes it possible to affect traffic in real time, for example by replicating traffic to a second link while adding, removing or otherwise modifying VLAN tags, or by changing the destination IP address. The inline configuration also provides connection redundancy for other inline devices such as an IDS, IPS or firewall: the NPB can monitor the status of such a device and, if it fails, dynamically redirect traffic to a backup link.
Out-of-band configuration: network traffic on a given link is copied via a network TAP or a SPAN/mirror port. This allows a number of operations on the copied traffic, such as filtering, packet slicing, etc., after which the traffic is replicated to one or more diagnostic devices without affecting the production network. This, in turn, achieves a very high level of network "transparency" and ensures that all devices receive a perfect copy of the traffic so they can perform their functions properly. A very important task of the NPB is to provide monitoring devices, analyzers and IT security tools with only the portion of traffic that is relevant to a particular device, so as not to burden it unnecessarily. For example, a particular analyzer may not need to analyze backup traffic (such data needlessly occupies the analyzer's disk space), and that traffic can easily be filtered out. In addition, if you want a selected subnet to be "invisible" to other systems, its traffic can be rejected on the selected output ports.
In practice, an individual NPB can act on selected inline links and handle other traffic out-of-band at the same time.
What are the most important problems a Packet Broker solves?
Limited network access for diagnostic equipment.
One of the primary problems an NPB solves is limited access, in other words the problem of providing a copy of network traffic to every IT security or monitoring system that needs it. By using a SPAN port or installing a TAP in our environment, we have a single source of network traffic that most likely needs to be delivered to multiple diagnostic tools. Going further, each device should receive data from multiple points in the network to eliminate "dead spots". The NPB solves these problems as follows: it accepts traffic from a given link and replicates it, sending an exact copy to as many devices as it has ports. In addition, the NPB can accept traffic from different sources at separate points in the network, combine them into one stream and send it to a single device.
As mentioned earlier, it is possible to remove protocol headers from traffic that might otherwise be impossible for a diagnostic tool to interpret. NPB can also terminate tunnels, such as GRE, so that traffic in them can be analyzed by various tools.
The Packet Broker (NPB) also acts as a central hub that makes it easy to add new tools to the network environment, both inline and out-of-band. Connecting another device to the NPB requires only simple configuration steps and has no impact on network operation.
Optimizing the use of diagnostic tools
An NPB allows you to get the most out of monitoring and IT security devices from both an efficiency and a return on investment (ROI) perspective. Let's consider a few situations involving the use of these devices.
Sometimes they waste their processing power on network traffic they were never intended for (e.g. a VoIP analyzer needlessly handling packets other than VoIP). The device may thus reach its performance limit while processing both the traffic of interest to us and the "unwanted" traffic. Using a Packet Broker, you can filter out the packets that are irrelevant to the device.
Another example involves a device that analyzes only headers. By cutting off the part of the packet containing the payload and delivering such truncated traffic to the device, we significantly reduce its load. In this way, we can extend the life of a given device without having to replace it with a new one with higher bandwidth or upgrade it.

Another problem we may encounter is that a given diagnostic device has too few available interfaces while still having spare processing capacity. The NPB's traffic aggregation function helps here: by aggregating traffic with the NPB, we can use the maximum capacity of each port of the device, optimizing both bandwidth utilization and the number of interfaces in use.
A similar scenario occurs when the network infrastructure has been migrated (upgraded) to the 10G standard while our diagnostic devices only have 1G interfaces. The device may be able to process the traffic on a given link but cannot negotiate a different speed. Here, the NPB can act as a speed converter and deliver the traffic to the device. If the load becomes too heavy, the NPB can discard irrelevant traffic, apply packet slicing and distribute the remaining traffic across the device's available interfaces, extending its lifetime and achieving significant cost savings.
In addition, by performing the functions above, the NPB can serve as a media converter in situations where the diagnostic device has copper interfaces and the traffic under investigation travels over fiber optic links.
Summarizing the above points, an NPB allows an organization to maximize the return on its investment in monitoring equipment, improves the resilience of monitoring and IT security systems to failures, supports network automation and reduces personnel costs.
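To make the L2-L4 functions listed earlier concrete (filtering on IP, protocol and port, replication, aggregation from several TAPs, packet slicing and VLAN-tag stripping) as they apply to the analyzer scenarios above, here is a small Python model of an NPB forwarding table. It is an added example, not code from any NPB product; the port names, sample traffic and rules are constructed.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    in_port: str          # NPB input port (TAP or SPAN feed) the packet arrived on
    vlan: Optional[int]   # 802.1Q tag, None if untagged
    src_ip: str
    proto: str            # "tcp", "udp" or "icmp"
    dst_port: int
    payload: bytes        # bytes following the L2-L4 headers

@dataclass
class Rule:
    match: Callable[[Packet], bool]          # L2-L4 filter expression
    out_ports: List[str]                     # every listed port gets a copy (any-to-many)
    slice_payload_to: Optional[int] = None   # packet slicing: keep only N payload bytes
    strip_vlan: bool = False                 # protocol stripping: remove the 802.1Q tag

def broker(rules: List[Rule], packets: List[Packet]) -> Dict[str, List[Packet]]:
    # Every matching rule forwards its own (possibly modified) copy; a packet
    # that matches no rule is dropped and never reaches a tool.
    out: Dict[str, List[Packet]] = {}
    for pkt in packets:
        for rule in rules:
            if not rule.match(pkt):
                continue
            fwd = replace(pkt, vlan=None) if rule.strip_vlan else pkt
            if rule.slice_payload_to is not None:
                fwd = replace(fwd, payload=fwd.payload[:rule.slice_payload_to])
            for port in rule.out_ports:
                out.setdefault(port, []).append(fwd)
    return out

# Constructed sample traffic from two TAPs: SIP signalling, a backup transfer
# from the 10.9.0.0/16 subnet and a TLS web flow.
TRAFFIC = [
    Packet("tap1", 100, "10.1.1.5", "udp", 5060, b"INVITE sip:bob@example.org"),
    Packet("tap2", 200, "10.1.2.7", "udp", 5060, b"REGISTER sip:example.org"),
    Packet("tap1", 100, "10.9.0.3", "tcp", 445, b"\x00" * 1400),
    Packet("tap2", 200, "10.1.2.8", "tcp", 443, b"\x16\x03\x01" + b"\x00" * 500),
]
RULES = [
    # VoIP analyzer on tool1 receives only SIP, aggregated from both TAPs.
    Rule(lambda p: p.proto == "udp" and p.dst_port == 5060, ["tool1"]),
    # Header-only analyzer on tool2: backup subnet excluded, payload sliced off, VLAN tag stripped.
    Rule(lambda p: not p.src_ip.startswith("10.9."), ["tool2"], slice_payload_to=0, strip_vlan=True),
    # Full-packet recorders rec1 and rec2 each get an untouched copy of everything.
    Rule(lambda p: True, ["rec1", "rec2"]),
]
```

Calling `broker(RULES, TRAFFIC)` returns the per-output-port packet lists; the recorder copies stay untouched because slicing and tag stripping produce new packet objects for tool2 only.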