Bank Islam - Bypass & iSSL Design

network forensic project

Uploaded by

ToNY MoNTaNa

Gigamon Visibility Platform

Gigamon Inline Bypass Protection


Gigamon Inline SSL Decryption
Bank Islam Malaysia Berhad

Indera Budiman
Agenda
• Bank Islam BoM
• Inline Bypass Concepts
• Current Network Design
• Proposed Network Design For Bank Islam

©2017 Gigamon. All rights reserved. 3


Hardware Specification
GIGAMON GIGAVUE-HC2

[Hardware figures: GigaVUE-HC2 Base Unit (Front) fitted with the TAP-HC0-G100C0 bypass TAP module (TAP 1 to TAP 12, plus Mgmt, Console and Stack ports); GigaVUE-HC2 Base Unit (Rear) with the FAN-HC0 fan assembly and the SMT-HC0-X16 GigaSMART main module (ports X1 to X16).]

GigaVUE-HC2 Base Unit (Front): TAP-HC0-G100C0
GigaVUE-HC2 Base Unit (Rear): FAN ASSEMBLY SKU FAN-HC0; GigaVUE-HC2 MAIN MODULE SMT-HC0-X16

Software License:
• Slicing, masking, source port and GigaVUE tunneling de-encapsulation
• GigaSMART, HC Series, SSL Decryption for Inline and Out of Band Tools feature license per GigaSMART module



Inline Bypass
Gigamon provides the flexibility to bypass inline tools, whether because a tool has failed or because it is being taken out of the path for an upgrade.

Confidential and Proprietary. For Internal Use Only. © 2018 Gigamon. All rights reserved. 5
Deploying Security Tools with Inline Bypass

SCALING INLINE SECURITY WITH “INLINE BYPASS”

[Figure: “Without Gigamon” versus “With Gigamon”. Without Gigamon, the inline tools sit in series on the path from the WAN router through the firewall to the core switch: IPS (T1), WAF (T2) and ATD (T3). With Gigamon, the same tools (IPS T1, WAF T2, and three ATD T3 appliances) attach to a single bypass-protected GigaVUE node, which steers inbound and outbound packets through them.]

• Maximize tool efficacy
• Increase scale of security monitoring
• Add, remove, and upgrade tools seamlessly
• Consolidate multiple points of failure into a single, bypass-protected solution
• Integrate Inline, Out-of-Band, and Flow-based tools via the GigaSECURE® Security Delivery Platform
Current Network Architecture

[Figure: two redundant paths, each running router → 1st tier Firewall → IPS (T1) → WAF (T2) → 2nd tier Firewall → Core switch, with the inline tools wired directly in series on each path.]
Proposed Network Architecture (1)

[Figure: the same two redundant paths (router → 1st tier Firewall → 2nd tier Firewall → Core switch), with one GigaVUE-HC2 (TAP-HC0-G100C0 bypass module and SMT-HC0-X16 GigaSMART module) inserted inline on each path between the 1st tier and 2nd tier firewalls. Each path’s IPS (T1) and WAF (T2) attach to that path’s HC2 as inline tools.]
Proposed Network Architecture

[Figure: detail of one GigaVUE-HC2 (TAP-HC0-G100C0 front module, SMT-HC0-X16 rear module) with the IPS (T1) and WAF (T2) connected as inline tools.]
Proposed Network Architecture

[Figure: one GigaVUE-HC2 (TAP-HC0-G100C0, SMT-HC0-X16) between the 1st tier and 2nd tier firewalls, with the IPS (T1) and WAF (T2) as inline tools and Darktrace attached to the same HC2 as an out-of-band tool.]
Gigamon Inline Bypass

• Physical bypass when the Gigamon appliance is down, provided by the TAP-HC0 module.
• Logical bypass when the inline tool is down.
• Enable Network-Port-Force-Down to bring down the inline network port when the inline tool is down.
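How these three behaviours interact on the deck’s redundant two-path design, as an added example (my own Python model, not Gigamon code; the InlineNode abstraction, the heartbeat-driven tool health and the relay behaviour are assumptions):

```python
from dataclasses import dataclass
from enum import Enum

# Added example (not Gigamon code): models the bypass behaviours the deck
# lists for a GigaVUE-HC2 inline node. Assumed abstraction: one inline tool
# per node, a TAP-HC0 style bypass relay, and the Network-Port-Force-Down
# setting that drops the network port when the tool is down.

class PathState(Enum):
    INSPECTED = "traffic inspected by the inline tool"
    PHYSICAL_BYPASS = "appliance down: bypass relay passes traffic uninspected"
    LOGICAL_BYPASS = "tool down: appliance forwards traffic uninspected"
    LINK_DOWN = "tool down: network port forced down, path unusable"

@dataclass
class InlineNode:
    appliance_up: bool        # GigaVUE-HC2 powered and running
    tool_healthy: bool        # inline tool (IPS/WAF) passing heartbeats
    force_down: bool = False  # Network-Port-Force-Down enabled

    def state(self) -> PathState:
        if not self.appliance_up:
            return PathState.PHYSICAL_BYPASS   # TAP-HC0 relay closes
        if self.tool_healthy:
            return PathState.INSPECTED
        if self.force_down:
            return PathState.LINK_DOWN         # adjacent firewalls see link loss
        return PathState.LOGICAL_BYPASS

def usable_paths(nodes):
    """Indexes of redundant paths the adjacent firewalls can still forward over."""
    return [i for i, n in enumerate(nodes) if n.state() is not PathState.LINK_DOWN]

def uninspected_paths(nodes):
    """Usable paths on which traffic currently flows without inspection."""
    return [i for i, n in enumerate(nodes)
            if n.state() in (PathState.PHYSICAL_BYPASS, PathState.LOGICAL_BYPASS)]

def fail_closed(nodes) -> bool:
    """True when no usable path carries uninspected traffic (fail-over, not fail-open)."""
    return not uninspected_paths(nodes)

if __name__ == "__main__":
    # Constructed scenario: path A's IPS stops answering heartbeats, path B is fine.
    for force in (False, True):
        paths = [InlineNode(True, False, force), InlineNode(True, True, force)]
        print(f"force_down={force}: usable={usable_paths(paths)} "
              f"uninspected={uninspected_paths(paths)} fail_closed={fail_closed(paths)}")
    # Single-chassis design (option 2): one HC2 serves both paths, so a power
    # loss puts every path into physical bypass at once.
    shared = InlineNode(False, True, True)
    print("single chassis power loss:", fail_closed([shared, shared]))
```

Without Network-Port-Force-Down a tool failure fails open (traffic passes uninspected); with it the failed path drops its link so the firewalls fail over to the peer path, which still inspects.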
Design Consideration
PRO’S AND CON’S

Pro’s
• Physical bypass on Gigamon box power loss. Logical bypass on inline tool failure.
• Integrate inline tool and out of band tool into single Security Delivery Platform.
• Only pass relevant traffic to the inline tool for inspection.
• Decrypt traffic once, and feed to inline and out of band tool.

Con’s
• Single Chassis design.
• Under-utilizes the inline tool.
Proposed Network Architecture (2)

[Figure: the two redundant paths (router → 1st tier Firewall → 2nd tier Firewall → Core switch) share a single GigaVUE-HC2 (TAP-HC0-G100C0, SMT-HC0-X16) inserted between the 1st tier and 2nd tier firewalls; the IPS (T1) and WAF (T2) of both paths attach to this one chassis as inline tools.]
Design Consideration
PRO’S AND CON’S

Pro’s
• Physical bypass on Gigamon box power loss. Logical bypass on inline tool failure.
• Integrate inline tool and out of band tool into single Security Delivery Platform.
• Only pass relevant traffic to the inline tool for inspection.
• Decrypt traffic once, and feed to inline and out of band tool.

Con’s
• Single Chassis design.
Proposed Network Architecture (3)

[Figure: two redundant paths (router → 1st tier Firewall → 2nd tier Firewall → Core switch). On each path the WAF (T2) stays directly inline behind the 1st tier Firewall; below it a GigaVUE-HC2 (TAP-HC0-G100C0, SMT-HC0-X16) is inserted with the IPS (T1) as its only inline tool, followed by the 2nd tier Firewall and Core switch.]
Proposed Network Architecture

[Figures: detail of one GigaVUE-HC2 (TAP-HC0-G100C0, SMT-HC0-X16) placed below the WAF, with the IPS (T1) as its inline tool; the second view adds Darktrace attached to the same HC2 as an out-of-band tool.]
Design Consideration
PRO’S AND CON’S

Pro’s
• Physical bypass on Gigamon box power loss. Logical bypass on inline tool failure.
• Integrate inline tool and out of band tool into single Security Delivery Platform.
• Only pass relevant traffic to the inline tool for inspection.
• Decrypt traffic once, and feed to inline and out of band tool.

Con’s
• Single Chassis design.
• Decryption done twice, by WAF and Gigamon.