The Network Packet Broker (NPB) has become a critical component to any network. They offer numerous benefits to both network operations and network security teams. With an increasing number of vendors offering these products, selecting the right product has become more challenging than ever. A good approach to selecting the right product is to first understand that modern NPBs really fall into one of three categories. These include full-featured NPBs, White Box NPBs, and Aggregators. Understanding these three product categories can help reduce the time it takes to locate the correct product for your network.
The most feature rich appliances that lead the way in terms of price. Traditionally these are multi RU chassis designed for large, core installations. There are only a couple remaining vendors that take this approach to designing a network visibility fabric, but if you're looking for a single box solution for SSL/TLS decryption, some on-board analytics, and additional advanced features this category would be a good place to start. Everyone likes to justify equipment purchases in terms of ROI, so buyers in this category may have a hard time justifying the upfront cost, however, neither of the other categories can match these in terms of pure performance.
White Box NPBs
Also called Disaggregated Packet Brokers, they leverage commodity hardware with proprietary software to create an NPB. In an industry that has traditionally been dominated by a vertically integrated approach, this category is deviating from the norm. Products in this category are significantly less expensive than their full featured counter parts, however, commodity hardware can’t support some advanced packet processing features. Still, this product segment is rapidly growing because the White Box NPB can be tightly integrated with other best in class solutions to offer the necessary advanced features operations and security teams are looking for. Some vendors in this category are taking the stand-alone approach, while others are bringing SDN principles to the visibility fabric. Depending on the size of the deployment either approach can be well suited.
They are unique in the sense that they can be used as a standalone device in most NPB applications, or they can be used to improve the utilization of existing full featured NPBs. In terms of ROI, aggregators may be the best choice because of their low CAPEX and deployment flexibility. As a stand-alone device Aggregators are responsible for efficiently funneling data from network TAPs and SPAN ports to each tool. This is typically done through a combination of aggregation, replication and L2-L4 filtering. The groomed, tool specific traffic is sent out for processing. More and more tool vendors are including advanced NPB features within the tool itself, making Aggregators increasingly appealing for visibility applications. Like White Box NPBs, many Aggregator vendors also leverage tightly integrated solutions with ecosystem partners to offer additional advanced features where needed.
In the second application Aggregators act in a similar manner, they take ingress traffic from TAP or SPAN ports, aggregate, and distribute with or without filtering to a full featured NPB. This is being called the 4-Tier approach to network visibility.
This 4-Tier approach increases port utilization for the full featured NPB and often pushes out or eliminates the need to purchase additional devices, improving the ROI on the original full featured device.
Ultimately the selection of NPBs is highly dependent on the network and needs of security and operations teams. Understanding the different devices under the NPB umbrella can help simplify the process for finding the right vendor and device.
[Want more on Network Packet Brokers? Read EMA's new whitepaper Best Practices for Building a Network Visibility Fabric]