Traffic visibility tools

Joel Jaeggli joelja at bogus.com
Wed Jul 24 17:14:52 UTC 2019


On 7/24/19 09:16, Kenny Taylor wrote:
>
> Good morning,
>
> I hate to pull away from the 44/8 fire (KJ6BSQ here, and former
> AMPRnet user), but I’d like to get some advice from the community on
> traffic visibility tools.
>
> We use a pair of appliances called Exinda for traffic shaping and
> visibility.  The current appliances are end-of-support and the
> replacements are hugely expensive after GFI acquired Exinda.  Traffic
> shaping is less of a concern now, as circuit speeds have caught up
> with our users, but visibility is still a big need.  Those boxes do
> two things very well:  1) identification of FQDNs using SSL cert
> inspection on HTTPS traffic and 2) categorization of the traffic (i.e.
> Netflix, YouTube, etc.).  We have NetFlow monitoring using PRTG, but
> seeing something like
> ‘ec2-34-214-76-39.us-west-2.compute.amazonaws.com’ in NetFlow logs
> isn’t very useful.
>
TLS 1.3 encrypted SNI or QUIC, and then DoH, will eventually make HTTPS
opaque. Whether this is soon or not I guess is an open question, but
passive inspection will probably become less useful over time. It seems
likely to cause industry / monitoring product change as well.
>
> We’re looking for something that could sit either inline or hang off a
> SPAN port, handle 5-10 Gbit of traffic, do the SSL cert FQDN
> identification, and preferably group results by site/subnet/category. 
> What would you guys recommend?
>
> Thanks,
>
> Kenny Taylor
> WAN Engineer
> Kern Community College District
>
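The limitation raised in the reply, as an added example that is not part of the original messages: a passive sensor reads the host name from the cleartext server_name extension of a TLS ClientHello, and recovers nothing when the client sends an encrypted SNI extension instead. The sample records are constructed, the function names are hypothetical, and 0xffce is the encrypted_server_name type from the ESNI drafts.

```python
import struct

EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name, sent in cleartext
EXT_ESNI_DRAFT = 0xFFCE   # encrypted_server_name type used in the ESNI drafts

def build_client_hello(extensions):
    """Constructed sample: a minimal TLS ClientHello record, not a capture."""
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + bytes(32)      # legacy_version, random
            + b"\x00"                    # empty session_id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_ext(host):
    """Constructed server_name extension holding one host_name entry."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry

def inspect_client_hello(record):
    """Return (sni, encrypted) as a passive sensor sees it; sni may be None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    buf = record[9:5 + struct.unpack("!H", record[3:5])[0]]
    sni, encrypted = None, False
    try:
        pos = 2 + 32                                         # version, random
        pos += 1 + buf[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", buf[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + buf[pos]                                  # compression
        if pos == len(buf):
            return sni, encrypted                            # no extensions
        end = pos + 2 + struct.unpack("!H", buf[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", buf[pos:pos + 4])
            data = buf[pos + 4:pos + 4 + elen]
            if etype == EXT_SERVER_NAME and data[2] == 0:    # host_name
                nlen = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + nlen].decode("ascii", "replace")
            elif etype == EXT_ESNI_DRAFT:
                encrypted = True
            pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    return sni, encrypted
```

A flow that yields `(None, True)` can still be counted per subnet, but it cannot be grouped by site or category from the handshake alone.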