Patents Assigned to Gigamon Inc.
  • Patent number: 11750518
    Abstract: Introduced here are network visibility platforms having total processing capacity that can be dynamically varied in response to determining how much network traffic is currently under consideration. A visibility platform can include one or more network appliances, each of which includes at least one instance of an application configured to process data packets. Rather than forward all traffic to a single application instance for processing, the traffic can instead be distributed amongst a pool of application instances to collectively ensure that no data packets are dropped due to over-congestion. Moreover, the visibility platform can be designed such that application instances are elastically added/removed, as necessary, based on the volume of traffic currently under consideration.
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: September 5, 2023
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 11700205
    Abstract: A method of optimizing network traffic visibility resources comprises receiving, by a controller associated with a network traffic visibility system, information indicative of operation of the network traffic visibility system. The method further comprises facilitating, by the controller, control of resources in the network traffic visibility system, according to a configured resource control policy. The facilitating can include providing, by the controller, control signaling to cause maximization of network traffic monitoring fidelity for a plurality of Quality of Service (QoS) classes of network traffic, based on a specified fixed amount of one or more network resources associated with the network traffic visibility system. Alternatively or additionally, the facilitating can include providing, by the controller, control signaling to cause minimization of use of the one or more network resources, based on a specified fixed level of traffic monitoring fidelity associated with the plurality of QoS classes.
    Type: Grant
    Filed: August 3, 2021
    Date of Patent: July 11, 2023
    Assignee: Gigamon Inc.
    Inventors: Zbigniew Sufleta, Nitin Saxena
  • Patent number: 11700568
    Abstract: Introduced here are visibility platforms able to process the traffic handled by the gateways of an Evolved Packet Core (EPC) with Control and User Plane Separation (CUPS). A visibility platform can include a control processing node (CPN) and one or more user processing nodes (UPNs). The visibility platform may populate a data structure in which the CPN and UPNs are associated with locations along an interface on which Sx/N4 traffic is exchanged between the control and user planes. Each location may be representative of the point on the Sx/N4 interface at which Sx/N4 traffic processed by the corresponding node is acquired. The CPN can use the data structure to program session flows that impact how user traffic is handled by the UPNs.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: July 11, 2023
    Assignee: Gigamon Inc.
    Inventors: Rakesh Muthusamy, Tushar R. Jagtap, Ujjvala Nangineni, Kristian Pereira
  • Patent number: 11658861
    Abstract: Disclosed is a technique for providing packet filter maps with high branching factors in a system for managing network traffic in a visibility fabric. A high branching factor enables a map to branch out more than two ways. High branching factors can be realized by allowing a map to be affiliated with more than one action set. For example, each rule of the map may be affiliated with a unique action set that is executed only when the corresponding rule is satisfied.
    Type: Grant
    Filed: February 12, 2021
    Date of Patent: May 23, 2023
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 11595240
    Abstract: A visibility platform can be used to monitor traffic traversing private cloud infrastructures and/or public cloud infrastructures. In some instances, the traffic is provided to a set of network services that are accessible to the visibility platform. These network services can be provisioned in a serial or parallel fashion. Network service chaining can be used to ensure that traffic streams skip unnecessary network services and receive only those network services that are needed. For example, an email service chain can include virus, spam, and phishing detection, while a video streaming service chain can include traffic shaping policies to satisfy quality of service (QoS) guarantees. When the visibility platform is represented as a graph that makes use of action sets, network service chains can be readily created or destroyed on demand.
    Type: Grant
    Filed: January 5, 2021
    Date of Patent: February 28, 2023
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 11516205
    Abstract: A network appliance receives a communication from a client device that includes a request to establish a network connection to a server. The network appliance establishes, in response to the communication, a single connection between the network appliance and the server based on application of a policy that causes the network appliance to determine not to decrypt data transmitted between the client device and the server. The network appliance transmits encrypted data between the client device and the server over the single connection.
    Type: Grant
    Filed: March 13, 2019
    Date of Patent: November 29, 2022
    Assignee: Gigamon Inc.
    Inventors: Manish Pathak, Kishor Joshi, Murali Bommana
  • Patent number: 11509631
    Abstract: A proxy device coupled to a network receives communications between a client and a server on the network. The proxy device operates transparently to the client and the server, while coupled to receive and process the communications from a node on the network via a network port in a one-armed configuration. The proxy device communicates packets of the communications with an external tool coupled to the proxy device via a tool port and operates transparently to the node and the tool. In certain embodiments, the tool may be a network security device, such as a firewall.
    Type: Grant
    Filed: June 8, 2020
    Date of Patent: November 22, 2022
    Assignee: Gigamon Inc.
    Inventors: Dale L. Guise, Jr., David Chun Ying Cheung, Fushan Allan Yuan
  • Patent number: 11463558
    Abstract: At least one technique for distributing traffic from a visibility node to a network tool is disclosed. In certain embodiments, the visibility node has a tool port through which to receive a plurality of packets which each include a compressed header. The visibility node determines, for each packet, whether a given network tool has received the compressed header in decompressed format based on a header-to-tool mapping structure. The structure includes information indicative of which packet headers each of the plurality of network tools have received in decompressed format. If the visibility node determines that the tool previously received the decompressed header, the visibility node transmits the packet to the network tool in compressed format. If the visibility node determines that the tool has not previously received the decompressed header, the visibility node decompresses the compressed header prior to transmitting the packet to the given network tool.
    Type: Grant
    Filed: February 23, 2021
    Date of Patent: October 4, 2022
    Assignee: Gigamon Inc.
    Inventors: Rakesh Muthusamy, Dominick Cafarelli, Tushar Jagtap, Arunraj Mani
  • Patent number: 11438352
    Abstract: A network appliance may be coupled to a network tool configured to monitor the traffic within a computer network. Often, the network tool is operable in two modes (i.e., an inline mode and an out-of-band mode). Before the network tool is deployed as an inline device, however, it is desirable to verify that the network tool is secure. Described herein are systems and techniques for verifying network tools prior to deployment as inline devices. More specifically, the network appliance may be configured to modify the content of a data packet (e.g., by altering a bit) and transmit the modified data packet downstream to a network tool. The network appliance can monitor the network tool to make sure the network tool drops or returns the modified data packet. These techniques allow the network appliance to controllably simulate the receipt of malicious traffic by the network tool.
    Type: Grant
    Filed: July 1, 2019
    Date of Patent: September 6, 2022
    Assignee: Gigamon Inc.
    Inventor: Navin C. Tekchandani
  • Patent number: 11425004
    Abstract: An apparatus for a network includes: a processing unit having a filter generation module configured for: receiving an indication that a packet matches a user-defined filter; and creating one or more derivative filters based at least in part on the received indication, wherein a first derivative filter of the one or more derivative filters provides a finer grade of filtration compared to the user-defined filter; and a non-transitory medium configured for storing the one or more derivative filters.
    Type: Grant
    Filed: July 24, 2020
    Date of Patent: August 23, 2022
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 11405289
    Abstract: Introduced here are network visibility appliances capable of implementing a distributed deduplication scheme by routing traffic amongst multiple instances of a deduplication program. Data traffic can be forwarded to a pool of multiple network visibility appliances that collectively ensure no duplicate copies of data packets exist in the data traffic. The network visibility appliances can route the traffic to different instances of the deduplication program so that duplicate copies of a data packet are guaranteed to arrive at the same instance of the deduplication program, regardless of which network visibility appliance(s) initially received the duplicate copies of the data packet.
    Type: Grant
    Filed: June 6, 2018
    Date of Patent: August 2, 2022
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 11405319
    Abstract: Systems and methods are disclosed for analyzing traffic received at a network visibility node to determine traffic levels relative to capacity at tools communicatively coupled to the network visibility node and throttling traffic when the traffic levels exceed tool capacity. In an illustrative embodiment, streams received at a network visibility node are analyzed to predict a traffic level for a given traffic flow. The predicted level of traffic for a given traffic flow is used to decide whether to forward traffic associated with the given traffic flow to a tool port of the network visibility node that is communicatively coupled to an external tool.
    Type: Grant
    Filed: November 8, 2017
    Date of Patent: August 2, 2022
    Assignee: Gigamon Inc.
    Inventors: Jan Johansson, Tushar R. Jagtap, Vikram Reddy, Ujjvala Nangineni
  • Patent number: 11252011
    Abstract: With exponential growth in virtualized traffic within physical data centers, many end users (e.g., individuals and enterprises) have begun moving work processes and data to cloud computing platforms. However, accessing virtualized traffic traversing the cloud computing platforms for application, network, and security analysis is a challenge. Introduced here, therefore, are visibility platforms for monitoring virtualized traffic traversing a cloud computing platform, such as Amazon Web Services, VMware, and OpenStack. A visibility platform can be integrated into a cloud computing platform to provide a coherent view of virtualized traffic in motion across the cloud computing platform for a given end user. Said another way, a visibility platform can intelligently select, filter, and forward virtualized traffic belonging to an end user to a monitoring infrastructure, thereby eliminating traffic blind spots.
    Type: Grant
    Filed: September 10, 2020
    Date of Patent: February 15, 2022
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 11216046
    Abstract: A laminate curtain can suppress electromagnetic radiation leakage from an electronic appliance, as well as assist in managing cables interconnected to the electronic appliance. More specifically, a laminate curtain can include a conductive elastomer panel that absorbs spurious electromagnetic radiation generated by the electronic appliance, a conductive adhesive film disposed along one side of the conductive elastomer panel, and a conductive support frame affixed to the conductive adhesive film. The laminate curtain can be installed within a mounting frame, which secures the laminate curtain to the electronic appliance. Electromagnetic radiation that is absorbed by the conductive elastomer panel can travel to the electronic appliance via the conductive adhesive film, the conductive support frame, and the mounting frame. Thus, the conductive elastomer panel can be used to form a ground plane that catches and shunts the spurious electromagnetic radiation to the electronic appliance, which is grounded.
    Type: Grant
    Filed: May 30, 2019
    Date of Patent: January 4, 2022
    Assignee: Gigamon Inc.
    Inventors: Henry Baum, Ravichandran Venkatachalam
  • Patent number: 11171840
    Abstract: Disclosed are a method and apparatus for assisting in the physical wiring or debugging of connections between devices, which may include one or more network visibility appliances. In at least one embodiment, the computer system receives first user input that specifies a first port of a plurality of selectable physical ports or a connection between the first port and a second port of the plurality of selectable physical ports. At least one of the first port or the second port is on a device that is external to the computer system. In response to the first user input, the computer system sends a first signal to the device to trigger the device to output a first visual indication in proximity to the first port, the first visual indication identifying the first port and a status of at least one of the first port or the connection.
    Type: Grant
    Filed: December 10, 2018
    Date of Patent: November 9, 2021
    Assignee: Gigamon Inc.
    Inventors: Namick Peer Mohamed Shahabudeen, Gowtham Srinivasan, Sowmya Poornachandran, Thirumalai Srinivasan Sathiskumar
  • Patent number: 11165682
    Abstract: A method performed by a network device includes: receiving a first packet by the network device, wherein the first packet is tapped from a network; identifying a session to which the first packet belongs when the first packet has one or more values that at least partially match one or more terms, wherein the act of identifying the session is performed by the network device; receiving a second packet by the network device; determining whether the second packet belongs to the session; and performing a packet processing action by the network device based on the identified session; wherein the session is identified based on a first criterion, and the act of determining whether the second packet belongs to the session is performed based on a second criterion that is different from the first criterion.
    Type: Grant
    Filed: June 21, 2017
    Date of Patent: November 2, 2021
    Assignee: Gigamon Inc.
    Inventors: Shehzad Merchant, David Cheung, Murali Bommana
  • Patent number: 11115294
    Abstract: A network visibility appliance automatically and dynamically determines a data traffic sampling policy that it should apply, i.e., a policy for determining which flows the network appliance should forward to one or more tools. The technique can be used to adjust for changes in network traffic to avoid exceeding performance constraints (e.g., maximum throughput) of network analytic tools, while maintaining high efficiency of usage of the tools. In the technique, a policy engine monitors network traffic characteristics in a subscriber throughput table and dynamically determines a sampling policy to apply, so as to decrease and/or increase traffic throughput to a given tool, so that the tool is efficiently used.
    Type: Grant
    Filed: May 7, 2019
    Date of Patent: September 7, 2021
    Assignee: Gigamon Inc.
    Inventors: Bharath Harikrishnan, Tushar Rajnikant Jagtap, Fernando Garcia-Rosell Foronda
  • Patent number: 11095535
    Abstract: The disclosed techniques include at least one method. The method includes receiving, by a network device, incoming packets communicated over a computer network, and detecting flows to which the incoming packets belong. Each incoming packet belongs to a flow of the flows. The method further includes sampling each incoming packet that satisfies a flow condition having a flow interval of packets for the flow of the incoming packet, and sampling each incoming packet that satisfies a global condition having a global interval of packets irrespective of the flow of the incoming packet. The method further includes storing any sampled packets or information indicative of any sampled packets.
    Type: Grant
    Filed: December 20, 2017
    Date of Patent: August 17, 2021
    Assignee: Gigamon Inc.
    Inventors: Maziar Mirzazad Barijough, Santosh Reddy Mamidi
  • Patent number: 11057820
    Abstract: Introduced here are visibility platforms able to process the traffic handled by the gateways of an Evolved Packet Core (EPC) with Control and User Plane Separation (CUPS). A visibility platform can include a control processing node (CPN) and one or more user processing nodes (UPNs). The visibility platform may populate a data structure in which the CPN and UPNs are associated with locations along an interface on which Sx/N4 traffic is exchanged between the control and user planes. Each location may be representative of the point on the Sx/N4 interface at which Sx/N4 traffic processed by the corresponding node is acquired. The CPN can use the data structure to program session flows that impact how user traffic is handled by the UPNs.
    Type: Grant
    Filed: November 26, 2019
    Date of Patent: July 6, 2021
    Assignee: Gigamon Inc.
    Inventors: Rakesh Muthusamy, Tushar R. Jagtap, Ujjvala Nangineni, Kristian Pereira
  • Patent number: 11032294
    Abstract: A disclosed method performed by a network device can include intercepting cryptographic certificates of host servers received in response to requests for encrypted connections between host servers and user devices, and determining that each encrypted connection is a suspicious connection or a normal connection based on a certificate validation policy. The method can further include causing decryption or metadata analysis of any suspicious encrypted connection and bypassing decryption or metadata analysis of any normal encrypted connection.
    Type: Grant
    Filed: December 18, 2017
    Date of Patent: June 8, 2021
    Assignee: Gigamon Inc.
    Inventors: Kishor Joshi, Manish Pathak, Sandeep Dahiya