What's new in Performance Vision version 2.18
- 1. What's New in Version 2.18?
© SecurActive 2013
- 2. Performance Vision Version 2.18
Applications
HTTP improvements & TLS support
Protocols: Stack, Netflow & Skinny
Flexibility, Usability & Performance
- 3. New Application Definition
Performance Vision 2.18
Applications
- 4. Application Definition
Manage your application definitions:
With the internal editor
With your favorite tool (any CSV capable software)
Supports both import and export
SPV Internal Editor or any CSV capable software
- 5. New Application List
Create your own custom applications with the new editor
First step: Create your application
Second step: Define your application rules
Application Definition
Application Rules
- 6. Easily Create New Applications
Create your own custom applications with our new editor.
First step: Create your application
- 7. Easily Define Application Rules
Create your own custom applications with our new editor.
Second step: Define your application rules
- 8. Application Rules: Criteria
Criteria | Description | Example
Priority | Higher values: highest priority | 0 (default) or -100 or 1000
IP Protocol | IP Protocol | TCP, UDP, IPv6, ICMP…
Server Port | Single value or range | 0 or 8080 - 8090
Protocol Stack | List of protocols composing the flow | IPv4/*/DNS
Pattern | Web pattern for URL matching | *.mycompany.com/intranet
Client IP | IP or Subnet | 192.168.80.0/24 or 192.168.80.1
Server IP | IP or Subnet | 192.168.80.0/24 or 192.168.80.1
Poller | Poller that receives the traffic | SPV (localhost)
Device | Port on which the traffic gets in | eth1
Netflow Source | IP or subnet of Netflow device | 127.69.12.99
Client Zone | Name of the selected zone | Internal Clients Sales
Server Zone | Name of the selected zone | Servers Database
Vlan | Single value or range | 15 or 100-200
Ethernet Protocol | Ethernet protocol | IPv4 (0x800), IPv6 (0x86DD),…
Client Side MAC | MAC Address | 12:34:56:78:9A:BC
Server Side MAC | MAC Address | 12:34:56:78:9A:BC
- 9. Application Rules: Combination
An application is defined by the scope of all associated rules.
Rules are combined with an OR operator
[Diagram: Application containing Rule 1 and Rule 2]
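How priority and OR combination could play out when a flow is classified, as an added Python example that is not Performance Vision code. It models four of the criteria from the table; the Rule class, the classify function and the application names are hypothetical, and it assumes that criteria inside one rule are ANDed and that an unset criterion matches anything.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    app: str
    priority: int = 0                                # higher value wins, 0 is the default
    ip_protocol: Optional[str] = None                # e.g. "TCP", "UDP"
    server_ports: Optional[Tuple[int, int]] = None   # inclusive range; single port = (p, p)
    server_ip: Optional[str] = None                  # address or subnet
    vlans: Optional[Tuple[int, int]] = None          # inclusive range

    def matches(self, flow: dict) -> bool:
        # Assumption: criteria inside one rule are ANDed; None means "any".
        if self.ip_protocol and flow["ip_protocol"] != self.ip_protocol:
            return False
        if self.server_ports and not self.server_ports[0] <= flow["server_port"] <= self.server_ports[1]:
            return False
        if self.server_ip:
            net = ipaddress.ip_network(self.server_ip, strict=False)
            if ipaddress.ip_address(flow["server_ip"]) not in net:
                return False
        if self.vlans and not self.vlans[0] <= flow.get("vlan", -1) <= self.vlans[1]:
            return False
        return True

def classify(flow: dict, rules: list) -> str:
    # Rules of one application are ORed: any matching rule claims the flow.
    # When rules of several applications match, the highest priority wins.
    hits = [r for r in rules if r.matches(flow)]
    if not hits:
        return "Non Classified"
    return max(hits, key=lambda r: r.priority).app

# Constructed rule set with hypothetical application names.
RULES = [
    Rule("web-generic", priority=-100, ip_protocol="TCP", server_ports=(8080, 8090)),
    Rule("intranet", server_ip="192.168.80.0/24", server_ports=(8080, 8090)),
    Rule("intranet", server_ip="192.168.80.1", server_ports=(443, 443)),
    Rule("db-backup", priority=1000, server_ip="192.168.80.1", vlans=(100, 200)),
]
```

A broad high-priority rule such as the constructed db-backup one takes flows away from every narrower rule it overlaps, which is the case the "Test matching rules" check is useful for.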
- 10. Application Configuration
2.15 / 2.18
Web Applications are directly integrated into applications rules
Dynamic Protocols page is no longer useful thanks to auto-discovery
Application Configuration
- 11. Check Application Rules Configuration
Check application rules configuration
Review the full rules list
Test matching rules
- 12. Improve Performance by Deleting Unused Applications
Need to speed up performance?
Check unused applications
Review and delete unused applications
- 13. Create New Applications from Non Classified Traffic
One-click application creation
Create an application with these properties
Use Filters for Non Classified traffic
- 15. Decode HTTPS Traffic
Install private keys on the probe
Decode HTTPS (TLS) traffic
Check constraints: User Guide > Configuration > TLS Decryption
- 16. TLS Handshake & SSL Protocol Negotiation
Exchange between Client and Server over the Network:
Client -> Server: SYN ("I would like to start a conversation with you")
Server -> Client: SYN ACK ("Sure, it would be a pleasure!")
Client -> Server: ACK
Client -> Server: Client Hello, with cipher suite List ("I request a secure connection, here is my list of preferred cipher suites")
Client Hello list and Server Hello: must be compatible
Server -> Client: Server Hello ("Ok, among these, here is what we will use to discuss")
Server -> Client: Certificate ("This is my identity (digital certificate)")
Server -> Client: Server Hello Done ("So far, I have nothing more to say")
Client -> Server: Client Key Exchange ("Here is a pre-master secret encrypted using your public key")
Client -> Server: Change Cipher Spec ("I’m switching to secure mode, all future communication should be done that way")
Client -> Server: Finished ("I’m done with TLS negotiation, do you understand me?")
Server -> Client: Change Cipher Spec ("I’m switching to secure mode too, all future communication should be done that way")
Server -> Client: Finished ("I’m done with TLS negotiation, do you understand me?")
Client: Data / Network: Encrypted Data / Server: Data
- 17. Notification on Invalid Keys
If a key is malformed, a notification is sent
Displayed in the notification area
Accessible through the Event Log
A key can be valid but not suited to the traffic, or can be using an inappropriate protocol
- 18. HTTP Performance: Top URL
Displays top URL
Best when used with a filter on a host
- 19. Aggregates Top URL: URL Without Query Strings
Displays top URLs, without query strings
Differentiates up to the ? character
Full transaction URL:
/service/soap/SearchRequest?ID=256789&Query=Azerty
/service/soap/SearchRequest?ID=256789&Query=Qwerty
/service/soap/SearchRequest?ID=012345&Query=Azerty
/service/soap/SearchRequest?ID=987654&Query=Azerty
/service/soap/SearchRequest?ID=256789&Query=Poiuyt
/service/soap/DoSearch?Ax76h=0564
/service/soap/DoSearch
Top URL | Count
/service/soap/SearchRequest | 5
/service/soap/DoSearch | 2
- 20. Improved HTTP Inspect Page
HTTP Inspect page has been updated
More information
Better design
- 21. Removed the Deprecated Web Browsing
The deprecated Web module has been removed
Conversations are now in HTTP Performance
Reports will be migrated automatically
2.15 / 2.18
- 22. HTTP Hits Analysis
Adds URL parsing on all HTTP traffic
Standard history length with degradation rules
- 23. HTTP Performance Levels
Store Content: Store HTTP requests with "Save HTTP content" option
HTTPS: Adds HTTPS analysis on traffic for which appropriate keys are provided
Pages: Adds page level analysis on selected traffic; 48 hours history maximum
Hits: Adds URL parsing on all HTTP traffic; standard history length with degradation rules
No HTTP: HTTP traffic in Applications & Network conversations; no data in HTTP Performance
- 24. HTTP Performance Impact
Check impact of HTTP Hits!
Go to Workload database
Validate license limits
Enable / Disable HTTP Hits
Reduce scope of HTTP Pages
[Chart: Database, CPU, RAM and Disk impact for the HTTPS, No HTTP, Hits and Pages levels; "With this option": Disk]
- 25. Link to Configuration for HTTP Pages Activation
A warning is displayed with a direct link to configuration if HTTP Pages is not activated
Applies to HTTP Performance > Pages
- 26. Protocols: Stack, Netflow & Skinny
Performance Vision 2.18
- 27. Protocol Stack
A New Depth in Analysis!
- 28. Protocol Stack
Identify the different protocol layers of a flow
Make all sorts of tunnels visible
Can automatically detect protocols even when running on non standard ports
[Diagram: example stack Ethernet / IPv4 (tunnel) / IPv6 / TCP / HTTP]
- 29. Protocol Stack
Applications
Network
Protocol Stack data is available in:
Flow Detail screens
Raw Data screens
- 30. Protocol Stack Filter
New Protocol Stack filter available on most screens
Separate protocol layers with the / character
Autocomplete list
Simple wildcard syntax
Advanced regex filtering
Examples:
*IP*/UDP/DNS
*IP*/*/DNS
~.*IPv4/(TCP|UDP)$
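The three example filters above, applied to a few constructed flow stacks in Python (an added example, not Performance Vision code). It assumes a wildcard pattern must match the whole stack, that * may span several layers, and that a leading ~ switches to a regex search; the fourth filter, which isolates tunnelled traffic by looking for a second IP layer, is constructed here and does not come from the slide.

```python
import re
from fnmatch import translate

def compile_stack_filter(expr):
    """Turn a Protocol Stack filter into a predicate over 'A/B/C' stack strings."""
    if expr.startswith("~"):
        # Regex form from the slide: everything after '~' is the pattern.
        rx = re.compile(expr[1:])
        return lambda stack: rx.search(stack) is not None
    # Wildcard form. Assumption: '*' may span layers and the whole stack must match.
    rx = re.compile(translate(expr))
    return lambda stack: rx.match(stack) is not None

def select(expr, stacks):
    """Return the stacks kept by one filter expression."""
    keep = compile_stack_filter(expr)
    return [s for s in stacks if keep(s)]

# Constructed flow stacks, layers separated by '/' as on the slide.
STACKS = [
    "Ethernet/IPv4/UDP/DNS",
    "Ethernet/IPv4/TCP/DNS",
    "Ethernet/IPv4/GRE/IPv4/TCP/HTTP",   # tunnel: two IP layers
    "Ethernet/IPv6/TCP/TLS",
    "Ethernet/IPv4/TCP",                 # no application protocol identified
    "Ethernet/IPv4/UDP",
]

# Constructed filter (not from the slide): any stack with a nested IP layer.
TUNNEL_FILTER = "~IPv[46]/.*IPv[46]"

if __name__ == "__main__":
    for expr in ("*IP*/UDP/DNS", "*IP*/*/DNS", "~.*IPv4/(TCP|UDP)$", TUNNEL_FILTER):
        print(expr, "->", select(expr, STACKS))
```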
- 31. List of Protocols in Protocol Stack
Port Independent Protocol Identification
Protocols identified independently of the port number used (non exhaustive list):
ARP, BGP, Bittorrent, CIFS, Citrix, DNS, DNS/TCP, ERSPAN, Ethernet, FTP, Gnutella, GRE, HTTP, ICMP, ICMPv6, IMAP, IPv4, IPv6, IRC, Jabber, MGCP, MySQL, Netbios, NTP, PCanywhere, POP, PostgreSQL, RDP, RTCP, RTP, SDP, SIP, Skinny, SSLv2, TCP, Telnet, TLS, TNS, UDP, VNC
- 32. Netflow v5 Support
Support of Netflow v5
Integrated in Performance Vision workflow
DeviceID displays ports In -> Out of the switch
- 33. Netflow Filtering
A new filter is available
Use 0.0.0.0/0 to see all Netflow traffic
- 34. Netflow v5 Configuration
Set up your devices to send Netflow traffic to the IP address of any Performance Vision collector or poller
[Diagram: Netflow sent to Remote Pollers and the Central Collector]
Configure Netflow devices update frequency!
You must configure all your Netflow emitters to expire flows after not more than 2 minutes.
- 35. VoIP: Skinny Support (Beta)
Support of Cisco’s Skinny Call Control Protocol (SCCP) in beta
In 2.18: VoIP Module: SIP, MGCP and Skinny
- 37. NPS Works in Distributed Mode
NPS works in distributed mode
Support of NPP pollers.
Network metrics only
[Diagram: one NPS with NPP pollers]
- 38. An APS Collector Supports NPP Poller(s)
If absolutely required, this kind of configuration will work.
You will only have network metrics from the NPP poller
[Diagram: one APS with APP pollers and one NPP poller]
- 39. An NPS Collector Does Not Support APP Poller(s)
This kind of configuration, mixing an APP poller with an NPS collector, will not work.
[Diagram: one NPS with NPP pollers and one APP poller]
- 40. More Freedom with Enterprise License Agreement (ELA)
Buy a stock of credits: 15, 20, 30, 50, 75, 100
Turn credits into licenses:
Virtual APP (Poller): 1 credit
Virtual APS Express: 1 credit
Virtual APS 100k flows: 3 credits
Virtual APS Unlimited Flows: 5 credits
Benefits:
Full flexibility
Economics based on the volume of credits
- 41. Raw Data for In-Depth Analysis
Raw Data: In-depth flow analysis
- 42. Raw Data for In-Depth Analysis
Flow Detail: Grouped by 2 minutes
Display database data without any grouping
Useful for in-depth troubleshooting
Application behavior auditing
Raw Data: No grouping
- 43. Next Level Custom Filters
Build fully customized filters for in-depth data mining.
Examples:
app='sql-intranet' and srt > 200ms
bandw >= 10MiB and 0win > 100
begin > 100 and ct.count = 0
app='video_live' and diffserv != 20
(ip=10.10.*.* or ip.srv=10.20.30.*) and os.clt='linux'
zone in 'Headquarters' and port.srv > 1024 and begin > 10000
(proto=udp and port.srv=53) and zone in '/Private/DNS'
For more information: User Guide > Appendix > Custom Filters
- 44. Combine Advanced Filters
Combine advanced filters options
Build custom requests to isolate specific traffic
2.15 / 2.18
- 45. Advanced Filters: New Options
Add two new options in advanced filters:
Exclude intersection of provided zones
Only intersection of provided zones
- 46. Integration of Non IP Traffic in General Workflow
Non IP traffic is integrated in global workflow
New option “Non IP” in Protocol filter
Works for both tables and graph views
- 47. Performance Improvements
Performance oriented improvements
More aggressive default data degradation
ICMP can now be degraded
- 48. More Aggressive Default Data Degradation
Version 2.15 / Version 2.18
No automatic update during migration
Default configuration is more aggressive on data degradation
Use the "Default" button to apply 2.18 factory settings to a migrated 2.15
- 49. Data Degradation on ICMP
Data merging enhancements
Data degradation is now possible on ICMP
Clear indication on which metric is degraded
- 50. Performance: Under the Hood
Improved network sniffing
Better usage of multi-core by the sniffer/dumper
Optimized database querying
Database improvements for user requests (up to +20% faster)
Faster exporting
Export to CSV is significantly faster
- 51. Simplified Display of Filters
New filter presentation
Default basic filters on one line
Expand for more filters if needed
Memorize expansion state (session)
- 52. New Tables Design
Refined look & feel
Show / hide data columns
Memorize show / hide state (session)
- 53. Integrated Contextual Help
Contextual help for expert filters is displayed:
On mouse over help icon
On field focus (click or tab)
- 54. New Filters for Dashboards
Dashboards get extended filter options
2.15 / 2.18
- 55. Default Values for BCA/BCN
Save time on BCA/BCN creation
Default values for BCA creation
Use predefined templates for BCN
- 56. List of Generated Reports
Display reports stored on the probe
Delete files
Browse through FTP
- 57. Email Alerts to Administrator
An email alert is sent (once per hour) on:
License issue
Disk is almost full (<150 MB)
Configure SMTP Server and administrator’s email in Pulsar
- 58. Slide on Matrixes Screens with Kinetics
Move the matrixes with Kinetics
Click and drag (use inertia)
Efficiency depends on browser
- 59. SPV for Developers, Geeks, Nerds…
For developers, it is now possible to:
Programmatically run searches
Retrieve the result as HTML or PDF through support of session-less access
For more information: User Guide > Appendix > SPV For Developers
Retrieve the Top Servers page as stripped-down HTML, using the command-line with wget:
wget 'http://admin:admin@SPV/++skin++simplehtml/nevrax/network/ipstats_dst.html?filter.capture_begin=2013-01-31+14:50'
- 60. Get in Touch Through New Forum
Through the forum to be launched
Get general support
Follow news and announcements
Provide feedback & feature requests
- 62. Version 2.18: Impacts Summary
Main Impacts compared to 2.15:
Database Migration Time: Medium
Impact on database is medium.
Update should take a few minutes to one hour or more depending on database size
HTTP Hits
No major impact on existing metrics
Check impact of HTTP Hits on workload and license limits
- 63. Reboot After Update
After the upgrade is completed
- 64. You’re Ready to Go, Enjoy!