Deployment Guide: Integrate GigaSECURE and Splunk Enterprise to Boost Network Security
Splunk® Enterprise, a platform for operational intelligence, aims to generate insights that make companies more productive, profitable, competitive, and secure. But did you know that you can integrate Splunk Enterprise with the GigaSECURE® Security Delivery Platform?
“Operational visibility is becoming increasingly necessary in order to maintain operational performance and maximum security,” says Ananda Rajagopal, vice president of product line management at Gigamon. “By leveraging Splunk solutions, our customers gain new insights and seamless capabilities that give them an optimal and actionable view of their network traffic.”
You can download a free guide, “Deploying Gigamon with Splunk,” that walks you through the three methods of achieving this integration. Let’s touch on each to better understand what’s on offer.
What’s extended metadata?
Gigamon’s extended IPFIX format adds several additional information elements, such as URL, HTTP/HTTPS return codes, and DNS information. Splunk can consume these new information elements with no modifications to the infrastructure. By using Gigamon’s unique metadata elements, you can run a query to find information such as URL and HTTP return codes as well as more common information—source and destination IP addresses and ports.
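As an added illustration (not code from the guide, Gigamon, or Splunk) of why a collector can consume vendor-extended IPFIX elements without infrastructure changes: every IPFIX template carries the enterprise bit, private enterprise number and length of each element, including variable-length ones such as a URL, so the records are self-describing. The enterprise number, element IDs and sample bytes below are constructed placeholders; Gigamon's actual values are not given on this page.

```python
import struct

PEN = 99999  # constructed placeholder for a vendor's IANA private enterprise number
NAMES = {(0, 8): "srcIP", (0, 12): "dstIP",             # IANA-registered elements
         (PEN, 1): "httpUrl", (PEN, 2): "httpReturnCode"}  # vendor-extended elements
VARLEN = 65535  # IPFIX marker for a variable-length element

def parse_ipfix(msg):
    """Decode one IPFIX message into dict records; templates make it self-describing."""
    version, length = struct.unpack_from("!HH", msg, 0)
    assert version == 10 and length == len(msg)
    templates, records, pos = {}, [], 16  # skip the 16-byte message header
    while pos < length:
        set_id, set_len = struct.unpack_from("!HH", msg, pos)
        body, end = pos + 4, pos + set_len
        if set_id == 2:  # template set
            while body + 4 <= end:
                tid, count = struct.unpack_from("!HH", msg, body); body += 4
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack_from("!HH", msg, body); body += 4
                    pen = 0
                    if ie & 0x8000:  # enterprise bit: a 4-byte PEN follows the field spec
                        ie &= 0x7FFF; pen = struct.unpack_from("!I", msg, body)[0]; body += 4
                    fields.append((pen, ie, flen))
                templates[tid] = fields
        elif set_id >= 256:  # data set; set_id names its template (no padding assumed)
            while body < end:
                rec = {}
                for pen, ie, flen in templates[set_id]:
                    if flen == VARLEN:  # variable length: 1-byte length prefix (short form)
                        flen = msg[body]; body += 1
                        val = msg[body:body + flen].decode("ascii")
                    elif (pen, ie) in ((0, 8), (0, 12)):  # IPv4 addresses
                        val = ".".join(str(b) for b in msg[body:body + 4])
                    else:
                        val = int.from_bytes(msg[body:body + flen], "big")
                    rec[NAMES.get((pen, ie), f"ie{pen}_{ie}")] = val
                    body += flen
                records.append(rec)
        pos = end
    return records

def sample_message():
    """Constructed message: template 256 (two IANA + two enterprise IEs) and one record."""
    tmpl = struct.pack("!HHHHHH", 256, 4, 8, 4, 12, 4)
    tmpl += struct.pack("!HHI", 0x8000 | 1, VARLEN, PEN) + struct.pack("!HHI", 0x8000 | 2, 2, PEN)
    data = bytes([10, 0, 0, 5, 192, 0, 2, 10]) + b"\x06/login" + struct.pack("!H", 403)
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 1, 1) + body
```

Running `parse_ipfix(sample_message())` yields one record carrying both the standard addresses and the vendor-extended URL and return code, which is the shape a query for URL and HTTP return codes operates on.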
Splunk Add-on for IPFIX
Scanning for security threats is like seeking a needle in a haystack, but examining metadata—in this case, data describing network traffic—helps to more quickly identify any anomalous occurrences. Since it’s pared down to only essential information, this IPFIX metadata can be processed more quickly and puts less of a load on the network’s security infrastructure than would full-bandwidth packet analysis.
Moreover, the GigaSECURE platform spans users, devices, and applications across physical, virtual, and cloud environments, offering an efficient method to extract and normalize relevant, high-fidelity IPFIX data with no impact on network performance or the end-user experience. Generating metadata with a unified platform also helps overcome departmental silos, deal with endpoint agents, and, most importantly, provide a single place to manage the generation of such data.
For more, including implementation instructions, see Chapter 2 of “Deploying Gigamon with Splunk.”
Get smart with traffic intelligence
To further narrow the amount of data and increase Splunk efficacy, the Gigamon fabric can enable traffic intelligence applications such as Application Session Filtering (ASF), which provides a powerful filtering engine to identify applications based on signatures or patterns that can appear across any part of the packet payload.
Splunk App for Stream
In contrast to the metadata approach, you can use the scalable and easy-to-configure Splunk App for Stream to ingest, process, and analyze the network’s actual packet data. Sometimes called wire data, it can enrich existing data by providing context and allowing for more detailed analysis.
GigaSECURE can aggregate wire data from virtually any network, no matter the speed, topology (physical, virtual, software defined), or location (local, branch). With the combined solution, a complete yet customized set of aggregate data can then be rapidly forwarded to Splunk to gain real-time network visibility from anywhere in the infrastructure.
Chapter 3 of “Deploying Gigamon with Splunk” covers the ins and outs of utilizing the Splunk App for Stream.
Gigamon Visibility App for Splunk
Last but not least, the Gigamon Visibility App for Splunk enables granular operational insights from Gigamon networking infrastructure. Key benefits include:
- First-level visibility and troubleshooting of Gigamon infrastructure within Splunk
- Visibility Fabric™ health and analytics dashboards, including port and traffic policies health and metrics
- Tracking of Visibility Fabric user operations for audit and compliance purposes
- Pre-integration with GigaVUE-FM 3.1 using REST APIs
- Approval and free availability from Splunkbase
Combining Splunk’s security alerts with data from the Gigamon Visibility App can reduce mean time to resolution (MTTR) significantly, allowing faster identification of the root cause of network problems. For more details, see Chapter 4 of “Deploying Gigamon with Splunk.”
Read the guide for more
There you are: three ways the GigaSECURE Security Delivery Platform can complement Splunk Enterprise to deliver richer network security insights, actionable alerts, and better overall security. Be sure to read “Deploying Gigamon with Splunk” for more information and full implementation details.