The stateful LAN: Layer 7 visibility and control

Enterprises have seen an explosion of new applications, devices and classes of users on their LANs, which makes it harder than ever for IT to ensure network performance, secure corporate assets and comply with regulations. In response, next-generation intelligent LAN switches are emerging that are designed to provide stateful, deep-packet inspection up through Layer 7, providing granular user- and application-level controls.

Other network devices that have already “moved up” the protocol stack include WAN-acceleration platforms and load-balancing switches. Now, by maintaining state information, intelligent switches can forward based on flows instead of packets. Advanced deep-packet inspection provides user identity and L7 application detail in classifying flows, enabling IT to apply access and QoS policies far beyond the virtual LAN/ACL controls that traditional L3/L4 switches support.

Intelligent switches with L7 deep-packet inspection and stateful flow analysis can correlate user, device, application, destination and other information to continuously monitor and control LAN traffic, which greatly simplifies troubleshooting, compliance, security provisioning and other IT tasks.

Stateful inspection savvy

Like a stateful firewall, a stateful switch holds in memory key attributes of each flow or connection, such as user identity, IP addresses and ports involved in the connection, application and underlying protocols and flows in use, and the specific content accessed. These attributes, which are referred to as the state of the connection, are maintained through the life of the flow and aid in policy enforcement and visualization.

The most CPU-intensive checking is performed at the connection setup, with subsequent packets monitored at rapid rates. Some intelligent switches also learn the user’s identity — including username and organizational role — at connection setup, and tie this information to the source media access control and IP addresses. Consequently, IT can intelligently control traffic flows and maintain traffic logs based on username and role as well as the application type.

Many LAN devices attempt to glean application information by reading L4 details and deducing the application based on well-known port numbers. In contrast, an intelligent switch with stateful deep-packet inspection can be programmed to watch for unique application behavior.

For example, SSH follows a predictable pattern and can be identified regardless of the L4 port used, alerting IT that this encrypted traffic is going to external destinations over non-standard ports. Intelligent switches can also distinguish between protocols that operate over port 80, and understand different traffic types running over HTTP. L7 analysis can even yield application detail such as the name of a file in use or the URL a user is attempting to reach. Achieving this level of intelligence requires a new switch architecture and operating system design.

Processing muscle, software sophistication

Maintaining state is a processing-intensive task. Historically, firewalls have been the primary stateful network device. Operating at the WAN boundary to protect an organization from incoming traffic, a firewall’s relatively slow throughput doesn’t hamper network performance. To date, stateful inspection rarely occurred within the LAN because devices couldn’t maintain gigabit throughput levels. The advent of multi-core processors, however, provides the horsepower a LAN switch needs to perform stateful deep-packet inspection at speeds up to 10Gbps.

Multi-core processors allow for parallel processing on a single chip. While these devices have powered servers for years, they've only recently been designed into the forwarding engine of LAN switches. Several silicon manufacturers already build multi-core processors for switches, and some intelligent LAN switch vendors have developed custom multi-core packet processors.

This new silicon is powerful enough to see and log every flow from every user on the LAN, in contrast to sampling techniques such as NetFlow and sFlow, which see roughly one in every thousand packets. As a result, an intelligent LAN switch can log every user access to servers and files, creating an audit trail to meet compliance requirements for regulations such as Payment Card Industry (PCI) standards and the Health Insurance Portability and Accountability Act.

To take advantage of its multi-core design, an intelligent switch requires multi-threaded system software designed to drive the cores simultaneously. System software functions include per-flow decoding and applying policy dynamically to each user session.

In addition, vendors of intelligent switches often provide tools, such as a policy console and analysis engine, that streamline operations. From the console, IT can use simple language to define rules for which user or device is allowed access to what resources from where and when. These policies greatly simplify routine moves, adds and changes. Intelligent switches check each flow against policy and take the appropriate enforcement action, such as allow, deny, rate limit, or log the flow. The analysis engine then correlates flow information into actionable data for IT, such as displaying all users who have touched the finance server.
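To make the flow-state description in the "Stateful inspection savvy" section and the policy actions described above concrete, here is an added toy model (not code from the article or from any vendor's switch software): state is keyed on the five-tuple, identity is learned once at connection setup, SSH and HTTP are classified from their opening bytes regardless of L4 port, and each flow is checked against allow/deny/rate-limit/log rules. The identity table, policy rules, addresses and byte budget are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class FlowState:  # per-connection "state", held for the life of the flow
    user: str
    role: str
    app: str = "unknown"  # refined from the first payload bytes seen
    bytes_seen: int = 0
    log: list[str] = field(default_factory=list)

# Constructed identity table (a real switch learns it at connection setup) and
# constructed policy rows (role, app, dst_ip, action); "*" is a wildcard, first match wins
IDENTITY = {"10.0.0.5": ("alice", "finance"), "10.0.0.9": ("bob", "guest")}
POLICY = [
    ("finance", "http", "10.1.1.20", "allow"),  # finance server
    ("*", "ssh", "*", "log"),                   # allow SSH but record who/where
    ("guest", "*", "10.1.1.20", "deny"),
    ("*", "*", "*", "rate_limit"),
]
RATE_LIMIT_BYTES = 1000  # constructed per-flow byte budget for "rate_limit"

def classify(payload: bytes) -> str:  # behaviour-based app ID, independent of L4 port
    if payload.startswith(b"SSH-"):  # SSH version-exchange string
        return "ssh"
    if payload.split(b"\r\n", 1)[0].endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "http"
    return "unknown"

class StatefulSwitch:
    def __init__(self) -> None:
        self.flows: dict[tuple[str, int, str, int, str], FlowState] = {}  # 5-tuple key

    def packet(self, key: tuple[str, int, str, int, str], payload: bytes) -> str:
        src, _, dst, dport, _ = key
        st = self.flows.get(key)
        if st is None:  # connection setup: the costly identity lookup happens once
            user, role = IDENTITY.get(src, ("unknown", "unknown"))
            st = self.flows[key] = FlowState(user, role)
        if st.app == "unknown" and payload:
            st.app = classify(payload)
            if st.app == "ssh" and dport != 22:
                st.log.append(f"{st.user}: ssh to {dst}:{dport} on non-standard port")
        st.bytes_seen += len(payload)
        action = next(a for r, ap, ip, a in POLICY
                      if r in ("*", st.role) and ap in ("*", st.app) and ip in ("*", dst))
        if action == "log":
            st.log.append(f"{st.user}/{st.role} {st.app} -> {dst}:{dport}")
            return "allow"
        if action == "rate_limit":
            return "allow" if st.bytes_seen <= RATE_LIMIT_BYTES else "drop"
        return action
```

Each call to `packet` returns the enforcement verdict for that packet, and the per-flow `log` list is what an analysis engine would correlate into "who touched the finance server" style views.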

Benefits of intelligent control

Because of advances in processor and software design, LAN switches can perform stateful deep-packet inspection at gigabit speeds. As a result, IT has the insight into and intelligent control over LAN traffic that's needed in today’s complex business environment, with its dynamic workforce, application proliferation and diverse endpoints — laptops, IP phones, PDAs, card readers, even robots.

Stateful deep-packet inspection enables intelligent switches to track LAN traffic by username, device and network addresses; associate users with organizational roles; identify applications; apply policies; and log all activity. Consequently, IT can direct policy down to the user level, and the LAN switch can granularly control traffic – even limit a flow’s bandwidth.

Enterprises benefit from better protection of data and other assets, increased productivity and improved operational efficiency. For example, with full visibility into each traffic flow, IT has complete data for troubleshooting and auditing purposes. If the IP voice service isn’t working, IT can pull up consolidated log information for that service. Similarly, if a user calls with a problem, IT can look up the username and see in human-readable language the applications and resources in use and any policies in effect.

With intelligent switches, troubleshooting is accelerated, which boosts user productivity and lowers operational costs. Likewise, audits are smoother and compliance easier to document; IT can quickly confirm that only people in the PCI role saw credit card data, for example. Stateful deep-packet inspection truly brings intelligent control to LAN switches.
