Patents Assigned to Gigamon Inc.
  • Patent number: 12261748
    Abstract: A method of automatic and dynamic environment discovery and policy adaptation for a containerized environment is disclosed. A plurality of traffic monitoring policies for acquiring and monitoring data traffic transmitted between one or more components of a containerized environment are accessed. The containerized environment includes a plurality of software-implemented containers. The traffic monitoring policies are caused to be applied to one or more components in the containerized environment. A change to a configuration of the containerized environment is automatically detected. In response, one or more containers of the plurality of software-implemented containers are automatically identified as containers affected by the change.
    Type: Grant
    Filed: February 6, 2023
    Date of Patent: March 25, 2025
    Assignee: Gigamon, Inc.
    Inventors: Saritha Palnati, Naveed Cochinwala
  • Patent number: 12137052
    Abstract: A method of optimizing network traffic visibility resources comprises receiving, by a controller associated with a network traffic visibility system, information indicative of operation of the network traffic visibility system. The method further comprises facilitating, by the controller, control of resources in the network traffic visibility system, according to a configured resource control policy. The facilitating can include providing, by the controller, control signaling to cause maximization of network traffic monitoring fidelity for a plurality of Quality of Service (QoS) classes of network traffic, based on a specified fixed amount of one or more network resources associated with the network traffic visibility system. Alternatively or additionally, the facilitating can include providing, by the controller, control signaling to cause minimization of use of the one or more network resources, based on a specified fixed level of traffic monitoring fidelity associated with the plurality of QoS classes.
    Type: Grant
    Filed: May 23, 2023
    Date of Patent: November 5, 2024
    Assignee: Gigamon, Inc.
    Inventors: Zbigniew Sufleta, Nitin Saxena
  • Patent number: 12095740
    Abstract: A proxy device coupled to a network receives communications between a client and a server on the network. The proxy device operates transparently to the client and the server, while coupled to receive and process the communications from a node on the network via a network port in a one-armed configuration. The proxy device communicates packets of the communications with an external tool coupled to the proxy device via a tool port and operates transparently to the node and the tool. In certain embodiments, the tool may be a network security device, such as a firewall.
    Type: Grant
    Filed: November 21, 2022
    Date of Patent: September 17, 2024
    Assignee: Gigamon Inc.
    Inventors: Dale L. Guise, Jr., David Chun Ying Cheung, Fushan Allan Yuan
  • Patent number: 12068905
    Abstract: With exponential growth in virtualized traffic within physical data centers, many end users (e.g., individuals and enterprises) have begun moving work processes and data to cloud computing platforms. A visibility platform can be used to monitor virtualized traffic traversing a cloud computing platform, such as Amazon Web Services, VMware, or OpenStack. But it can be difficult to manage how the visibility platform handles incoming virtualized traffic. Introduced here, therefore, are graphs that visually represent the network fabric of a visibility platform. When the network fabric of the visibility platform is represented as a graph, an end user can easily modify the network fabric, for example, by adding, removing, or modifying nodes that represent network objects, adding, removing, or modifying connections between pairs of nodes that represent traffic flows between pairs of network objects, etc.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: August 20, 2024
    Assignee: Gigamon, Inc.
    Inventor: Anil Rao
  • Patent number: 12028332
    Abstract: A network appliance receives a communication from a client device that includes a request to establish a network connection to a server. Prior to initiating a network connection between the network appliance and the server, the network appliance accesses a server certificate issued by the server. In response to a determination, based on application of a policy to the server certificate, not to decrypt data transmitted between the client device and the server, the network appliance establishes only a single connection between the network appliance and the server. The network appliance transmits encrypted data between the client device and the server over the single connection.
    Type: Grant
    Filed: October 31, 2022
    Date of Patent: July 2, 2024
    Assignee: Gigamon Inc.
    Inventors: Manish Pathak, Kishor Joshi, Murali Bommana
  • Patent number: 12015516
    Abstract: A visibility platform can be used to monitor traffic traversing private cloud infrastructures and/or public cloud infrastructures. In some instances, the traffic is provided to a set of network services that are accessible to the visibility platform. These network services can be provisioned in a serial or parallel fashion. Network service chaining can be used to ensure that traffic streams skip unnecessary network services and receive only those network services that are needed. For example, an email service chain can include virus, spam, and phishing detection, while a video streaming service chain can include traffic shaping policies to satisfy quality of service (QoS) guarantees. When the visibility platform is represented as a graph that makes use of action sets, network service chains can be readily created or destroyed on demand.
    Type: Grant
    Filed: February 27, 2023
    Date of Patent: June 18, 2024
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 11979326
    Abstract: Systems and methods are disclosed for analyzing traffic received at a network visibility node to determine traffic levels relative to capacity at tools communicatively coupled to the network visibility node and throttling traffic when the traffic levels exceed tool capacity. In an illustrative embodiment, streams received at a network visibility node are analyzed to predict a traffic level for a given traffic flow. The predicted level of traffic for a given traffic flow is used to decide whether to forward traffic associated with the given traffic flow to a tool port of the network visibility node that is communicatively coupled to an external tool.
    Type: Grant
    Filed: July 11, 2022
    Date of Patent: May 7, 2024
    Assignee: Gigamon, Inc.
    Inventors: Jan Johansson, Tushar R. Jagtap, Vikram Reddy, Ujjvala Nangineni
  • Patent number: 11750518
    Abstract: Introduced here are network visibility platforms having total processing capacity that can be dynamically varied in response to determining how much network traffic is currently under consideration. A visibility platform can include one or more network appliances, each of which includes at least one instance of an application configured to process data packets. Rather than forward all traffic to a single application instance for processing, the traffic can instead be distributed amongst a pool of application instances to collectively ensure that no data packets are dropped due to over-congestion. Moreover, the visibility platform can be designed such that application instances are elastically added/removed, as necessary, based on the volume of traffic currently under consideration.
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: September 5, 2023
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 11700205
    Abstract: A method of optimizing network traffic visibility resources comprises receiving, by a controller associated with a network traffic visibility system, information indicative of operation of the network traffic visibility system. The method further comprises facilitating, by the controller, control of resources in the network traffic visibility system, according to a configured resource control policy. The facilitating can include providing, by the controller, control signaling to cause maximization of network traffic monitoring fidelity for a plurality of Quality of Service (QoS) classes of network traffic, based on a specified fixed amount of one or more network resources associated with the network traffic visibility system. Alternatively or additionally, the facilitating can include providing, by the controller, control signaling to cause minimization of use of the one or more network resources, based on a specified fixed level of traffic monitoring fidelity associated with the plurality of QoS classes.
    Type: Grant
    Filed: August 3, 2021
    Date of Patent: July 11, 2023
    Assignee: Gigamon Inc.
    Inventors: Zbigniew Sufleta, Nitin Saxena
  • Patent number: 11700568
    Abstract: Introduced here are visibility platforms able to process the traffic handled by the gateways of an Evolved Packet Core (EPC) with Control and User Plane Separation (CUPS). A visibility platform can include a control processing node (CPN) and one or more user processing nodes (UPNs). The visibility platform may populate a data structure in which the CPN and UPNs are associated with locations along an interface on which Sx/N4 traffic is exchanged between the control and user planes. Each location may be representative of the point on the Sx/N4 interface at which Sx/N4 traffic processed by the corresponding node is acquired. The CPN can use the data structure to program session flows that impact how user traffic is handled by the UPNs.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: July 11, 2023
    Assignee: Gigamon Inc.
    Inventors: Rakesh Muthusamy, Tushar R. Jagtap, Ujjvala Nangineni, Kristian Pereira
  • Patent number: 11658861
    Abstract: Disclosed is a technique for providing packet filter maps with high branching factors in a system for managing network traffic in a visibility fabric. A high branching factor enables a map to branch out more than two ways. High branching factors can be realized by allowing a map to be affiliated with more than one action set. For example, each rule of the map may be affiliated with a unique action set that is executed only when the corresponding rule is satisfied.
    Type: Grant
    Filed: February 12, 2021
    Date of Patent: May 23, 2023
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 11595240
    Abstract: A visibility platform can be used to monitor traffic traversing private cloud infrastructures and/or public cloud infrastructures. In some instances, the traffic is provided to a set of network services that are accessible to the visibility platform. These network services can be provisioned in a serial or parallel fashion. Network service chaining can be used to ensure that traffic streams skip unnecessary network services and receive only those network services that are needed. For example, an email service chain can include virus, spam, and phishing detection, while a video streaming service chain can include traffic shaping policies to satisfy quality of service (QoS) guarantees. When the visibility platform is represented as a graph that makes use of action sets, network service chains can be readily created or destroyed on demand.
    Type: Grant
    Filed: January 5, 2021
    Date of Patent: February 28, 2023
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 11516205
    Abstract: A network appliance receives a communication from a client device that includes a request to establish a network connection to a server. The network appliance establishes, in response to the communication, a single connection between the network appliance and the server based on application of a policy that causes the network appliance to determine not to decrypt data transmitted between the client device and the server. The network appliance transmits encrypted data between the client device and the server over the single connection.
    Type: Grant
    Filed: March 13, 2019
    Date of Patent: November 29, 2022
    Assignee: Gigamon Inc.
    Inventors: Manish Pathak, Kishor Joshi, Murali Bommana
  • Patent number: 11509631
    Abstract: A proxy device coupled to a network receives communications between a client and a server on the network. The proxy device operates transparently to the client and the server, while coupled to receive and process the communications from a node on the network via a network port in a one-armed configuration. The proxy device communicates packets of the communications with an external tool coupled to the proxy device via a tool port and operates transparently to the node and the tool. In certain embodiments, the tool may be a network security device, such as a firewall.
    Type: Grant
    Filed: June 8, 2020
    Date of Patent: November 22, 2022
    Assignee: Gigamon Inc.
    Inventors: Dale L. Guise, Jr., David Chun Ying Cheung, Fushan Allan Yuan
  • Patent number: 11463558
    Abstract: At least one technique for distributing traffic from a visibility node to a network tool is disclosed. In certain embodiments, the visibility node has a tool port through which to receive a plurality of packets which each include a compressed header. The visibility node determines, for each packet, whether a given network tool has received the compressed header in decompressed format based on a header-to-tool mapping structure. The structure includes information indicative of which packet headers each of the plurality of network tools have received in decompressed format. If the visibility node determines that the tool previously received the decompressed header, the visibility node transmits the packet to the network tool in compressed format. If the visibility node determines that the tool has not previously received the decompressed header, the visibility node decompresses the compressed header prior to transmitting the packet to the given network tool.
    Type: Grant
    Filed: February 23, 2021
    Date of Patent: October 4, 2022
    Assignee: Gigamon Inc.
    Inventors: Rakesh Muthusamy, Dominick Cafarelli, Tushar Jagtap, Arunraj Mani
  • Patent number: 11438352
    Abstract: A network appliance may be coupled to a network tool configured to monitor the traffic within a computer network. Often, the network tool is operable in two modes (i.e., an inline mode and an out-of-band mode). Before the network tool is deployed as an inline device, however, it is desirable to verify that the network tool is secure. Described herein are systems and techniques for verifying network tools prior to deployment as inline devices. More specifically, the network appliance may be configured to modify the content of a data packet (e.g., by altering a bit) and transmit the modified data packet downstream to a network tool. The network appliance can monitor the network tool to make sure the network tool drops or returns the modified data packet. These techniques allow the network appliance to controllably simulate the receipt of malicious traffic by the network tool.
    Type: Grant
    Filed: July 1, 2019
    Date of Patent: September 6, 2022
    Assignee: Gigamon Inc.
    Inventor: Navin C. Tekchandani
  • Patent number: 11425004
    Abstract: An apparatus for a network includes: a processing unit having a filter generation module configured for: receiving an indication that a packet matches a user-defined filter; and creating one or more derivative filters based at least in part on the received indication, wherein a first derivative filter of the one or more derivative filters provides a finer grade of filtration compared to the user-defined filter; and a non-transitory medium configured for storing the one or more derivative filters.
    Type: Grant
    Filed: July 24, 2020
    Date of Patent: August 23, 2022
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 11405289
    Abstract: Introduced here are network visibility appliances capable of implementing a distributed deduplication scheme by routing traffic amongst multiple instances of a deduplication program. Data traffic can be forwarded to a pool of multiple network visibility appliances that collectively ensure no duplicate copies of data packets exist in the data traffic. The network visibility appliances can route the traffic to different instances of the deduplication program so that duplicate copies of a data packet are guaranteed to arrive at the same instance of the deduplication program, regardless of which network visibility appliance(s) initially received the duplicate copies of the data packet.
    Type: Grant
    Filed: June 6, 2018
    Date of Patent: August 2, 2022
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 11405319
    Abstract: Systems and methods are disclosed for analyzing traffic received at a network visibility node to determine traffic levels relative to capacity at tools communicatively coupled to the network visibility node and throttling traffic when the traffic levels exceed tool capacity. In an illustrative embodiment, streams received at a network visibility node are analyzed to predict a traffic level for a given traffic flow. The predicted level of traffic for a given traffic flow is used to decide whether to forward traffic associated with the given traffic flow to a tool port of the network visibility node that is communicatively coupled to an external tool.
    Type: Grant
    Filed: November 8, 2017
    Date of Patent: August 2, 2022
    Assignee: Gigamon Inc.
    Inventors: Jan Johansson, Tushar R. Jagtap, Vikram Reddy, Ujjvala Nangineni
  • Patent number: 11252011
    Abstract: With exponential growth in virtualized traffic within physical data centers, many end users (e.g., individuals and enterprises) have begun moving work processes and data to cloud computing platforms. However, accessing virtualized traffic traversing the cloud computing platforms for application, network, and security analysis is a challenge. Introduced here, therefore, are visibility platforms for monitoring virtualized traffic traversing a cloud computing platform, such as Amazon Web Services, VMware, and OpenStack. A visibility platform can be integrated into a cloud computing platform to provide a coherent view of virtualized traffic in motion across the cloud computing platform for a given end user. Said another way, a visibility platform can intelligently select, filter, and forward virtualized traffic belonging to an end user to a monitoring infrastructure, thereby eliminating traffic blind spots.
    Type: Grant
    Filed: September 10, 2020
    Date of Patent: February 15, 2022
    Assignee: Gigamon Inc.
    Inventor: Anil Rao