Network Packet Broker

By Dariusz Suchojad
Using a network packet broker

What is a network packet broker?

A packet broker is a piece of high-performance equipment that allows you to orchestrate the connectivity between network taps and ports, where your network events come from, with network tools, where the source traffic is processed by security and monitoring solutions in ways that are useful to humans.

What is a network packet broker and what does it do?

Think of it as an intelligent hub that knows how to efficiently and correctly connect taps and ports with network tools, without making them interfere with each other, without requiring you to connect these data sources with recipients directly, and without losing any packets along the way.

A network broker helps network engineers and architects to tackle several pressing challenges inherent in larger networks, which leads us to the following question.

What does a network packet broker do?

The very existence of such a class of solutions, and let's call it an NPB for short, owes itself to several circumstances:

  • If you manage a larger network, you know very well that monitoring and visibility are a must
  • However, connecting packet sources and tools directly can very quickly become very complex or virtually impossible to implement and manage. For instance:
    • A switch with limited SPAN ports will not be able to send traffic to all the tools that need it
    • Conversely, a tool may not have the capacity to receive all the possible traffic - such a device may be simply not fast enough anymore - which leaves some of the traffic unmonitored if a tool does not process some of the packets lest it be overloaded
  • Merely connecting taps and tools is not enough either - the data from taps and ports needs to be aggregated, packets deeply inspected, analyzed in real-time, SSL/TLS traffic needs to be decrypted, L7-level information needs filtering so filters have to be dynamically applied, duplicate events need to be removed, and all of that while being able to flexibly route the network events to potentially many tools
  • There will be multiple organizations within your organization that deploy these tools, sometimes with conflicting requirements, each organization belonging to a different cost center, each having their own schedules and goals, yet all wanting to have access to what is essentially the same network data
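
To make the aggregation, de-duplication, filtering and fan-out described above concrete, here is a small model of that pipeline. It is an added example, not code from the original page or from any vendor; the whole-packet hash, the 50 ms window, the tap and tool names and the sample packets are all assumptions constructed for illustration.

```python
import hashlib

DEDUP_WINDOW = 0.05  # assumed: seconds within which a repeated packet is a duplicate

def broker(events, tool_filters):
    """Aggregate (timestamp, tap, packet) events, drop duplicates, fan out per tool.

    tool_filters maps a tool name to a predicate over the packet bytes.
    Returns {tool: [packet, ...]} in arrival order.
    """
    last_seen = {}                                   # packet digest -> last timestamp
    delivered = {tool: [] for tool in tool_filters}
    # Aggregation: merge all taps into one time-ordered stream
    for ts, _tap, pkt in sorted(events, key=lambda e: e[0]):
        digest = hashlib.sha256(pkt).digest()
        prev = last_seen.get(digest)
        last_seen[digest] = ts
        # De-duplication: the same bytes seen again inside the window are dropped
        if prev is not None and ts - prev <= DEDUP_WINDOW:
            continue
        # Filtering and routing: each tool receives only what its filter accepts
        for tool, wanted in tool_filters.items():
            if wanted(pkt):
                delivered[tool].append(pkt)
    return delivered

# Constructed sample input: (timestamp, tap name, packet bytes)
SAMPLE_EVENTS = [
    (1.000, 'tap-core', b'10.0.0.5>10.0.1.9:443 SYN'),
    (1.002, 'tap-edge', b'10.0.0.5>10.0.1.9:443 SYN'),   # same packet on a second tap
    (1.010, 'tap-core', b'10.0.0.7>10.0.1.9:53 QUERY'),
    (2.000, 'tap-core', b'10.0.0.5>10.0.1.9:443 SYN'),   # later resend, outside the window
]

# Constructed tool profiles: an IDS that wants everything, a monitor that wants port 443
SAMPLE_TOOLS = {
    'ids': lambda pkt: True,
    'tls-monitor': lambda pkt: b':443 ' in pkt,
}

if __name__ == '__main__':
    for tool, pkts in broker(SAMPLE_EVENTS, SAMPLE_TOOLS).items():
        print(tool, len(pkts))
```

The copy seen on the second tap is dropped, while the resend a second later is kept, so a tool sees each real event once without losing genuine retransmissions.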

Consider it all from the perspective of a given tool. Yes, to a degree, and by necessity, it will be partly able to do what an NPB specializes in but this is in fact the crux - tools are designed and implemented to focus on their analytical job that becomes input to people in a given organization so it makes sense to let another network component, the NPB, work in front of all these tools to ensure that they get only the relevant information, ready to be made use of with minimal overhead.

The end result is that with an NPB, tools receive complete traffic, and it is much more pertinent, cleaner and more to the point from their perspective - this reduces their overhead which in turn improves the efficacy of network security, performance monitoring and, quite directly, of the organizations that rely on these capabilities.

It is this elegance in the separation of concerns, combined with an intelligent design and a nuanced understanding of network demands, that, after you reach a certain scale, makes a packet broker a non-negotiable part of the infrastructure rather than just a nice-to-have.

And, since network packet brokers are engineered to interface with a variety of network infrastructure components, ranging from legacy systems to the latest advancements in networking technology, it becomes easy to use them in a plug-and-play manner, meaning that they are becoming instrumental in mitigating network blind spots that otherwise would not be monitored at all.

How does a network packet broker help a network engineer?

Two points - easier troubleshooting and improved security in everyday work. This is because:

  • Easier troubleshooting through increased visibility - you have a clearer visibility into network traffic, and it becomes easier to identify and diagnose issues such as bottlenecks, congestion or security threats.
  • Improved security posture - you have additional aid in threat detection, prevention and response thanks to the detailed visibility into network traffic, which helps security teams identify and mitigate potential breaches.

At the end of the day, this is what it all boils down to - enhanced visibility into what is going on in your network through the more efficient usage of your infrastructure.

From newly gained visibility follow better decisions, increased proactivity and improved morale - think how much better it is to identify an issue and open a ticket in Jira or ServiceNow before customers start calling your support line and, when they do, to be able to say that you are already aware of an issue and you are working on it.

A decent GUI dashboard

What will be important to a network engineer is the packet broker's dashboard that he or she will be using regularly. It is easy to think of an NPB as only a GUI-less piece of equipment but it is as important to consider how convenient it is actually to work with it.

If something happens, and you need to react quickly, a good dashboard where you can drag and drop network elements around is indispensable. After all, who enjoys having to recall obscure, vendor-specific CLI incantations in a hurry, under pressure?

Here are a few pictures of what a good dashboard should look like - this is VisionONE by Keysight (Ixia).

Configuring a packet broker

Details of a packet broker's configuration

How to automate a network packet broker?

Use Python, the choice is obvious. This is the programming language that network engineers understand and prefer the most. Nothing else comes even close to its well deserved popularity among network engineers so the choice is simple.

A REST API is something that you should expect from an NPB and you should use it. Do not use SOAP in any new projects and applications unless you have no other choice.

Now, here is the tricky part - an NPB is a powerful companion that advances your capabilities in network visibility, and it knows how to integrate with your network equipment, but it will not know how to integrate with your entire IT ecosystem and business apps because it does not specialize in it.

Does what follows sound familiar?

  • You use tickets in Jira or a similar system when anything unusual in the network happens
  • .. yet you typically communicate with your colleagues via Teams
  • You would like to send admin commands to the broker from Teams too, because thanks to Teams you now receive practically zero irrelevant emails, so you have got used to it
  • Perhaps you have a zero-trust network so access to the broker needs to be granted on demand for 10 minutes only
  • .. but solely if you have checked a certain Microsoft 365 folder earlier
  • .. and only if there are no works planned in a shared Outlook calendar
  • .. assuming of course that your own in-house IT management systems have approved every part of this workflow so it would be good to have a convenient scheduler to periodically synchronize that too

Of course it does sound familiar because this is the reality that network engineers and architects face daily. This is why network automation goes beyond mere network equipment, and why automating and integrating your infrastructure, including IT/OT and beyond, with cloud and business systems is a job for a dedicated Python automation platform.

Packet broker automation in Python

OK, Python is easy but how much effort is it exactly? Let's back the words with action - here is an example of what it looks like to automate a packet broker.

  • We start off by defining a new API connection to the broker. You fill out a form and the automation platform will know itself how to connect and authenticate with the equipment because it understands its underlying API.

Creating Keysight packet broker API connections

Defining the details of a packet broker API connection

  • Now, we are ready for the automation. For instance, in this case, we use the connection that we created above to reconfigure some of the broker's ports - all of it using basic, straightforward Python code.

    # -*- coding: utf-8 -*-
    
    # Zato
    from zato.server.service import Service
    
    class PacketBrokerAutomation(Service):
    
        # Name of our automation service
        name = 'api.packet-broker.automation'
    
        def handle(self):
    
            # Obtain a connection that we previously defined in the dashboard
            conn = self.keysight.vision.Packet_Broker_API
    
            # A list of ports to reconfigure
            ports = ['P01', 'P02', 'P03']
    
            # Go through each of the ports ..
            for port in ports:
    
                # .. indicate which API endpoint we are invoking ..
                endpoint = '/api/ports/' + port + '/clear'
    
                # .. and invoke it now.
                conn.put(endpoint)
    
            # End of code - all ports have been reconfigured now.
    
  • There is nothing else needed - such a Python API service can be used immediately, for instance, you can plug it into the platform's scheduler and run this service periodically, as you see fit.

Network automation scheduler
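
When the list of ports comes from outside the service, for instance from a chat command as described earlier, the port value should be validated before it is placed into the endpoint path, and each call's outcome should be recorded. The following is an added example, not code from the original page or from Zato; `clear_ports`, `build_clear_endpoint`, the `P` plus two digits port format and the `RecordingConn` stand-in are assumptions, and the only thing expected of `conn` is a `put(endpoint)` method that raises on failure.

```python
import re

# Assumption: port identifiers follow the page's 'P01' style (letter P plus two digits)
PORT_ID = re.compile(r'P\d{2}')

def build_clear_endpoint(port):
    """Return the page's /api/ports/<port>/clear path, rejecting unexpected port IDs."""
    if not isinstance(port, str) or not PORT_ID.fullmatch(port):
        raise ValueError('Rejected port identifier: %r' % (port,))
    return '/api/ports/' + port + '/clear'

def clear_ports(conn, ports):
    """Clear each distinct port once; return {port: outcome} for auditing.

    ports is an iterable of strings.
    """
    outcome = {}
    for port in ports:
        if port in outcome:              # repeated entry: do not invoke the API twice
            continue
        try:
            conn.put(build_clear_endpoint(port))
            outcome[port] = 'cleared'
        except ValueError:
            outcome[port] = 'rejected'   # never reached the broker
        except Exception as e:
            outcome[port] = 'failed: ' + type(e).__name__
    return outcome

class RecordingConn:
    """Constructed stand-in for the broker connection, for offline runs only."""
    def __init__(self, fail_on=()):
        self.calls = []
        self.fail_on = set(fail_on)

    def put(self, endpoint):
        if endpoint in self.fail_on:
            raise ConnectionError('simulated broker error')
        self.calls.append(endpoint)

if __name__ == '__main__':
    conn = RecordingConn(fail_on={'/api/ports/P03/clear'})
    # Constructed input: a repeated port, a failing port and a malformed value
    print(clear_ports(conn, ['P01', 'P02', 'P02', 'P03', 'P01/../P09']))
```

Inside a service, the same function can be given the real connection object, and the returned map can be written to the log or attached to a ticket so that a partly applied change is visible.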

More about automation and integrations with Python

  • Check the case studies if you like what you see to learn how other people automate and integrate their systems using Python
  • Request a demo using the form below and let's talk about automating your network packet broker too - it is good to have one but having it automated is even better!
