A quickstart to long-lasting security with network intelligence and Gigamon

5 min read

The invention of the radio telescope 80 years ago opened a new perspective into how we observed the heavens over millennia. We can now examine the universe day or night, through bad weather, through atmospheric noise, and even through intergalactic haze. Radio waves expanded the spectrum of what’s observable.

In the world of software observability, hybrid-cloud network intelligence is now expanding metrics, events, logs, and traces (MELT) to a new universe of visibility. You can see how network intelligence enhances and deepens observability with the Gigamon quickstart in New Relic Instant Observability. Together Gigamon Cloud Suite and New Relic One provide a different layer of security, an overlapping webbing of observability and network intelligence.

An initial tendency for some teams migrating workloads to the cloud is to assume cloud service providers take care of network security. They think, “We don’t have to do anything with the network because of our service-level agreement (SLA) for cloud infrastructure.” But seasoned cloud adopters know there’s tremendous value in collecting and mining network data for many use cases, especially security, where the “unknown unknowns” matter the most.

How network intelligence works in the Gigamon quickstart

Network intelligence telemetry is composed of packets, flows, and metadata. Using deep packet inspection, Gigamon Cloud Suite makes it possible to extract any combination of more than 5,000 metadata attributes from hybrid cloud network traffic. You can import the traffic metadata into your tools using IPFIX and CEF formats—and JSON for New Relic One.

The following diagram shows that Gigamon gets the network traffic using test access points or terminal access points (TAPs), which are agents that run inside the virtual machine. Gigmon does deep-packet inspection and sends up to 5,000 network traffic metadata in JSON format to New Relic One, where you can view it in dashboards.

The Gigamon elements work together with New Relic One:

  • Traffic access. Gigamon can collect data from any source, using either native methods, like Amazon Virtual Private Cloud (VPC) Traffic Mirroring, or a Gigamon virtual TAP for VM and container traffic. For workload scaling up or down, Gigamon supports all native orchestration and automation choices, such as CloudFormation, Terraform, Puppet/Chef, Ansible, and SALT.
  • Traffic transformation. Gigamon Cloud Suite, also known as V Series, then aggregates and optimizes the traffic with functions such as packet deduplication, packet slicing, personally identifiable information (PII) data masking, NetFlow record generation, and application metadata generation.
  • Metadata attributes sent to New Relic One. After optimization and transformation, you choose which metadata attributes to send to New Relic. Gigamon customers need to install a new metadata JSON conversion module in GigaVUE V Series or GigaVUE HC Series.
  • Quickstart dashboard. At this stage, you can point the radio telescope in any direction in the sky. Start with the security samples in the quickstart. To explore additional use cases for your infrastructure, see Gigamon.com.

Gigamon quickstart demo

In this Nerdlog video, we show a demo of the Gigamon quickstart.

As you saw in the video, you can use the dashboard to address many security concerns:

  • Use the SSL Version section of the dashboard to discover apps or hosts that are using deprecated SSL versions.
  • Use the SSL Ciphers section of the dashboard to identify servers that are still accommodating weak ciphers.
  • Use the DHCP IP & Hostnames section of the dashboard to view hosts on the network and amount of traffic generated.
  • Use the Application Overview section of the dashboard to view a breakdown of applications and protocols, and identify unauthorized apps, including applications that are running on non-standard ports (port-spoofing attacks). 
  • Use the DNS Servers & Queries section of the dashboard to identify data exfiltration by evaluating the frequency, volume, and type of DNS requests and tunneling activities, and helping detect domain generated algorithm.
  • Use the Top Talkers section of the dashboard to find hosts that generate significant traffic and baselining for traffic anomaly detection.
  • Use the HTTP Response Code section of the dashboard to analyze HTTP client errors to track resource availability, find client-experience errors, or spot threat actors attempting brute force attacks with 401 error codes.
  • Use the HTTP Response Time section of the dashboard to analyze poor app response times by tracking the delta between DNS, TCP, and HTTP response times.
  • Use the Suspicious Usage section of the dashboard to discover rogue DNS/DHCP servers and torrent traffic, detecting unwanted activities for nefarious purposes, such as shadow IT, peer to peer, crypto-mining, and monster-in-the-middle attacks that divert application traffic.
  • Use the SMB File Movement section of the dashboard to understand file movements and create compliance reports, identify file resources accessed by users, and discover older, risky SMB versions in use.

The top of the Gigamon quickstart dashboard includes SSL Version, SSL Ciphers, DHCP IP & Hostnames, and Application Overview sections.

The middle of the Gigamon quickstart dashboard includes DNS Servers & Queries, Top Talkers, HTTP Response Code, High Response Time HTTP sections.

The bottom of the Gigamon quickstart dashboard includes Suspicious Usage, SMB File Movement, and Current Incoming Data sections.

Install the quickstart

Ready to work with some data? You’ve got a built-in starter kit. Here’s all it takes to install the quickstart:

  1. To use your own data, make sure you have Gigamon Cloud Suite installed in your environment. This is where you can capture all the traffic and extract metadata. When Gigamon Cloud Suite is deployed in the environment, New Relic One can see all available applications communicating across the environment and collect metadata from that traffic.
    (You can still play with sample data and dashboards in the quickstart without Gigamon Cloud Suite.)
  2. Install the Gigamon quickstart from New Relic Instant Observability:
  3. After Gigamon is up and running, you can select different metadata elements based on an application or a family of applications, and export them to the Gigamon AMI Agent. The Gigamon AMI agent collects metadata elements from Gigamon Cloud Suite and forwards them to the New Relic One dashboard.