Patents Assigned to Gigamon Inc.
  • Patent number: 11032294
    Abstract: A disclosed method performed by a network device can include intercepting cryptographic certificates of host servers received in response to requests for encrypted connections between host servers and user devices, and determining that each encrypted connection is a suspicious connection or a normal connection based on a certificate validation policy. The method can further include causing decryption or metadata analysis of any suspicious encrypted connection and bypassing decryption or metadata analysis of any normal encrypted connection.
    Type: Grant
    Filed: December 18, 2017
    Date of Patent: June 8, 2021
    Assignee: Gigamon Inc.
    Inventors: Kishor Joshi, Manish Pathak, Sandeep Dahiya
  • Patent number: 11025639
    Abstract: A method for providing user access to a network switch appliance, includes: receiving from a user a request to access configuration item for the network switch appliance, the network switch appliance configured to pass packets received from a network to network monitoring instruments; and determining, using a processing unit, whether to allow the user to access the configuration item for the network switch appliance based on information regarding the user.
    Type: Grant
    Filed: November 8, 2019
    Date of Patent: June 1, 2021
    Assignee: Gigamon Inc.
    Inventors: Hung Nguyen, Jay Han Yu, Patrick Allen Riley, Hoang Nguyen Bao Nguyen
  • Patent number: 11019044
    Abstract: A network appliance stores a session identifier that uniquely identifies a network communication session between a first device and the network appliance. A first communication is received from the first device over the network communication session. The network appliance also receives from a proxy tool, a second communication that includes a header specifying the session identifier and that includes data generated by the proxy in response to the first communication. The network appliance associates the first communication with the second communication using the session identifier. An encrypted representation of the data generated by the proxy is transmitted to a second device based on the association between the first communication and the second communication.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: May 25, 2021
    Assignee: Gigamon Inc.
    Inventors: Manish Pathak, Kishor Joshi, Murali Bommana
  • Patent number: 10999188
    Abstract: A method of operating a network visibility node is disclosed. In certain embodiments, the network visibility node has a plurality of network ports through which to communicate data with a plurality of network hosts and has a plurality of tool ports through which to communicate data with a plurality of network tools. The network visibility node accesses a port group map associated with a plurality of tool port groups of the network visibility node, where each of the tool port groups includes one or more tool ports of the network visibility node, and where the port group map contains a separate tool alias for each tool port group of the plurality of tool port groups. Each tool alias can correspond to a different type of network traffic. The network visibility node uses the port group map to ascertain a tool port group through which to communicate the plurality of packets with a particular network tool.
    Type: Grant
    Filed: January 22, 2020
    Date of Patent: May 4, 2021
    Assignee: Gigamon Inc.
    Inventors: Dominick Cafarelli, Murali Bommana, Tushar Jagtap
  • Patent number: 10986039
    Abstract: Embodiments are disclosed for a network switch appliance with a traffic broker that facilitates routing of network traffic between pairs of end nodes on a computer network through a configurable sequence of in-line tools.
    Type: Grant
    Filed: November 11, 2015
    Date of Patent: April 20, 2021
    Assignee: Gigamon Inc.
    Inventors: Zbigniew Sufleta, Hung Nguyen
  • Patent number: 10965515
    Abstract: With exponential growth in virtualized traffic within physical data centers, many end users (e.g., individuals and enterprises) have begun moving work processes and data to cloud computing platforms. A visibility platform can be used to monitor virtualized traffic traversing a cloud computing platform, such as Amazon Web Services, VMware, or OpenStack. But it can be difficult to manage how the visibility platform handles incoming virtualized traffic. Introduced here, therefore, are graphs that visually represent the network fabric of a visibility platform. When the network fabric of the visibility platform is represented as a graph, an end user can easily modify the network fabric, for example, by adding, removing, or modifying nodes that represent network objects, adding, removing, or modifying connections between pairs of nodes that represent traffic flows between pairs of network objects, etc.
    Type: Grant
    Filed: November 7, 2017
    Date of Patent: March 30, 2021
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 10951499
    Abstract: A method performed by a network device includes: receiving an input indicating a change in an auxiliary network from a first configuration to a second configuration, wherein the auxiliary network is configured to obtain copies of packets from a traffic production network; determining a first network policy, wherein the first network policy is for application in the auxiliary network when the auxiliary network is in the first configuration; and determining a second network policy by the network device based on the received input and the first network policy, wherein the second network policy is for application in the auxiliary network when the auxiliary network is in the second configuration.
    Type: Grant
    Filed: July 1, 2019
    Date of Patent: March 16, 2021
    Assignee: Gigamon Inc.
    Inventors: Dennis Drangula, Veniamin Bourakov
  • Patent number: 10931582
    Abstract: A network appliance deployed in a visibility fabric may intelligently drop certain low priority traffic to avoid indiscriminate dropping of data packets across all flow maps during periods of high congestion. More specifically, the network appliance may determine the data packets of a flow map should be dropped based on priority measures assigned on a per-flow map basis. Such a technique enables the network appliance to drop low priority traffic and forward high priority traffic downstream. Also introduced herein are techniques for metering traffic in order to gain better control over the traffic that is forwarded to an egress port of a network appliance. Because a network tool connected to the egress port can become easily overwhelmed, the network appliance may filter the traffic based on the priority of the flow maps to ensure that the network tool does not receive more traffic than can be handled.
    Type: Grant
    Filed: August 13, 2018
    Date of Patent: February 23, 2021
    Assignee: Gigamon Inc.
    Inventors: Anant Kumar, Bhanu Prathap Reddy Parlapalli
  • Patent number: 10931545
    Abstract: Methods and systems are disclosed for analyzing control signaling messages over a network to inform policy-based sampling of network flows using a network visibility node communicatively coupled to the network. In an illustrative embodiment, session dialog information is extracted from control signaling messages exchanged between subscriber devices initiating a communications session and tracked. A network flow associated with the communications session is selected for sampling at the network visibility node based on the tracked session dialog information. Packets associated with the network flow are then forwarded by the network visibility node to an external tool for processing.
    Type: Grant
    Filed: November 29, 2017
    Date of Patent: February 23, 2021
    Assignee: Gigamon Inc.
    Inventor: Srinivasa Mommileti
  • Patent number: 10924325
    Abstract: Disclosed is a technique for providing packet filter maps with high branching factors in a system for managing network traffic in a visibility fabric. A high branching factor enables a map to branch out more than two ways. High branching factors can be realized by allowing a map to be affiliated with more than one action set. For example, each rule of the map may be affiliated with a unique action set that is executed only when the corresponding rule is satisfied.
    Type: Grant
    Filed: November 16, 2017
    Date of Patent: February 16, 2021
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 10917285
    Abstract: A visibility platform can be used to monitor traffic traversing private cloud infrastructures and/or public cloud infrastructures. In some instances, the traffic is provided to a set of network services that are accessible to the visibility platform. These network services can be provisioned in a serial or parallel fashion. Network service chaining can be used to ensure that traffic streams skip unnecessary network services and receive only those network services that are needed. For example, an email service chain can include virus, spam, and phishing detection, while a video streaming service chain can include traffic shaping policies to satisfy quality of service (QoS) guarantees. When the visibility platform is represented as a graph that makes use of action sets, network service chains can be readily created or destroyed on demand.
    Type: Grant
    Filed: November 7, 2017
    Date of Patent: February 9, 2021
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 10892941
    Abstract: Improved network visibility may be achieved by deriving network traffic information from numerous visibility platforms that are communicatively coupled to one another. In some embodiments, an end user interacts with a distributed visibility fabric via a user interface, which can include a high-level representation of each visibility platform. The end user can then map the network objects of each visibility platform onto a series of network visibility appliances. This technique allows certain network objects (e.g., maps) to be intelligently distributed amongst the series of network visibility appliances.
    Type: Grant
    Filed: October 10, 2019
    Date of Patent: January 12, 2021
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 10855570
    Abstract: A network appliance described herein allows the user to selectively forward the flow of packets received through a network port, to a particular egress port. The network appliance creates virtual ports, which can be assigned to the one or more egress ports. The network appliance assigns the flow of packets to the one or more virtual ports in the network appliance. The network appliance decides a forwarding treatment to be applied to the flow of packets, for forwarding the flow of packets to the egress tool ports, based on the virtual port to which the flow of packets is assigned and based on a detected network characteristic. The forwarding treatment can be a decision to drop the flow of packets, or to send the flow of packets to the egress port assigned to the virtual port.
    Type: Grant
    Filed: September 6, 2018
    Date of Patent: December 1, 2020
    Assignee: Gigamon Inc.
    Inventors: Ayyappa Nuthalapati, Bhanu Prathap Reddy Parlapalli, Andrew Mao, Qi Ming Ng
  • Patent number: 10855590
    Abstract: Introduced here are network visibility platforms having total processing capacity that can be dynamically varied in response to determining how much network traffic is currently under consideration. A visibility platform can include one or more network appliances, each of which includes at least one instance of an application configured to process data packets. Rather than forward all traffic to a single application instance for processing, the traffic can instead be distributed amongst a pool of application instances to collectively ensure that no data packets are dropped due to over-congestion. Moreover, the visibility platform can be designed such that application instances are elastically added/removed, as necessary, based on the volume of traffic currently under consideration.
    Type: Grant
    Filed: August 31, 2018
    Date of Patent: December 1, 2020
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 10785152
    Abstract: Introduced here is a technique for using a network switch device, which may include commodity switching fabric, to route packets through an inline tool, without introducing any additional information to the packets. The introduced technique modifies standard capability of packet forwarding and learning port-to-MAC address associations to route data packets through the inline tool. The technique may include applying two override settings to the network device. A first override setting involves a forwarding rule that is based on the arrival port and the content of the packet. A second override setting involves disabling the MAC address learning mechanism for the packet received from the inline tool via the second tool port of the network device.
    Type: Grant
    Filed: June 5, 2018
    Date of Patent: September 22, 2020
    Assignee: Gigamon Inc.
    Inventors: Zbigniew Sufleta, Anant Kumar
  • Patent number: 10778502
    Abstract: With exponential growth in virtualized traffic within physical data centers, many end users (e.g., individuals and enterprises) have begun moving work processes and data to cloud computing platforms. However, accessing virtualized traffic traversing the cloud computing platforms for application, network, and security analysis is a challenge. Introduced here, therefore, are visibility platforms for monitoring virtualized traffic traversing a cloud computing platform, such as Amazon Web Services, VMware, and OpenStack. A visibility platform can be integrated into a cloud computing platform to provide a coherent view of virtualized traffic in motion across the cloud computing platform for a given end user. Said another way, a visibility platform can intelligently select, filter, and forward virtualized traffic belonging to an end user to a monitoring infrastructure, thereby eliminating traffic blind spots.
    Type: Grant
    Filed: December 6, 2018
    Date of Patent: September 15, 2020
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 10778577
    Abstract: A packet broker deployed in a visibility fabric may intelligently assign identifiers to data packets that are routed through sequences of one or more network tools for monitoring and/or security purposes. Guiding techniques based on these identifiers offer flexible support for multiple network tool operational modes. For example, the packet broker may be able to readily address changes in the state of a network tool connected to the packet broker by modifying certain egress translation schemes and/or ingress translation schemes. The “state” of a network tool can be “up” (i.e., ready for service) or “down” (i.e., out of service) based on, for example, the network tool's ability to pass through health-probing data packets dispatched by the packet broker.
    Type: Grant
    Filed: July 18, 2019
    Date of Patent: September 15, 2020
    Assignee: Gigamon Inc.
    Inventors: Yingchun Ma, Yan Xiu, Ramakrishna Manchiraju-Venkata, Zbigniew Sufleta
  • Patent number: 10778501
    Abstract: Improved network visibility may be achieved by deriving network traffic information from numerous visibility platforms that are communicatively coupled to one another. In some embodiments, an end user interacts with a distributed visibility fabric via a user interface, which can include a high-level representation of each visibility platform. The end user can then map the network objects of each visibility platform onto a series of network visibility appliances. This technique allows certain network objects (e.g., maps) to be intelligently distributed amongst the series of network visibility appliances.
    Type: Grant
    Filed: November 7, 2017
    Date of Patent: September 15, 2020
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 10764207
    Abstract: A fabric manager includes: a processing unit having a service chain creation module configured to create a service chain by connecting some of a plurality of nodes via virtual links; wherein the some of the plurality of nodes represent respective network components of an auxiliary network configured to obtain packets from a traffic production network; and wherein the service chain is configured to control an order of the network components represented by the some of the plurality of nodes packets are to traverse.
    Type: Grant
    Filed: September 15, 2017
    Date of Patent: September 1, 2020
    Assignee: Gigamon Inc.
    Inventor: Anil Rao
  • Patent number: 10764162
    Abstract: An apparatus for a network includes: a processing unit having a filter generation module configured for: receiving an indication that a packet matches a user-defined filter; and creating one or more derivative filters based at least in part on the received indication, wherein a first derivative filter of the one or more derivative filters provides a finer grade of filtration compared to the user-defined filter; and a non-transitory medium configured for storing the one or more derivative filters.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: September 1, 2020
    Assignee: Gigamon Inc.
    Inventor: Anil Rao