GRISM: The Smartest L2-L7 Packet Processing System


Enterprises must maintain and improve their production network, which is mainly composed of switches and routers. Best practice is to deploy a variety of network analysis devices covering multiple perspectives: security, performance measurement, auditing and even behavior analysis.

An outstanding issue today is that spending on analysis devices is growing more sharply than spending on the production network itself. To protect the production network from cyber attacks and social engineering, many enterprises expand their investment in analysis devices with security functions: IPS, IDS, DLP, APT detection and so on. This also pushes enterprises to consider how to raise the overall efficiency of those devices in order to justify the ROI.

Analysis devices need to inspect network traffic, but each device has its own "packets of interest", so forcing every device to process every packet without selection is wasteful. The way to boost efficiency is therefore to deliver the right packet to the right device.

Moreover, most analysis devices cannot properly inspect the inner packets carried inside tunnels such as GRE, VxLAN, QinQ and MPLS. This blind spot should be closed as soon as possible by exposing the inner packets to the security devices.

GRISM, the intelligent network packet broker powered by the xUDN framework, tackles the challenges above. With its session-aware DPI capability, it builds a monitoring fabric connected to the production network, unwraps the tunnel encapsulation of any tunneled packets, and then accurately directs the traffic that matters to each analysis device, whether that device is deployed out-of-band or in-line.

Key Functions

Delivery Accuracy

GRISM aggregates several inputs and delivers packets accurately using not only L2-L4 filtering but also application-aware, pattern-based filtering above L4: HTTP connections can be filtered by URL, SIP messages by SIP URI, DNS by domain name, and so on. Moreover, GRISM's Fair-Distribution mechanism differs from the ACL-based distribution implemented in most network devices: when a packet falls in the intersection of several devices' demands, GRISM duplicates it so that every analysis device is satisfied simultaneously.
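
The following is an added illustration of the two ideas in this paragraph, not code from GRISM or xUDN: atomic L2-L4 and pattern rules are combined by AND/OR into per-device filters, and fair distribution delivers a copy to every device whose filter matches, whereas ACL-style first-match delivers to only one. The device names, their filters and the sample packets are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of one packet: L3/L4 fields plus the L4 payload for pattern rules."""
    src_ip: str
    dst_ip: str
    proto: int          # 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int
    payload: bytes = b""


# Atomic filtering rules: each returns a predicate over a Packet.
def proto_is(n):
    return lambda pkt: pkt.proto == n


def dst_port_is(port):
    return lambda pkt: pkt.dst_port == port


def src_in(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda pkt: ipaddress.ip_address(pkt.src_ip) in net


def payload_matches(regex):
    """Pattern-based rule above L4: a regular expression searched in the payload."""
    rx = re.compile(regex)
    return lambda pkt: rx.search(pkt.payload) is not None


# Composite filters: intersection (AND) and union (OR) of rules or other filters.
def all_of(*rules):
    return lambda pkt: all(rule(pkt) for rule in rules)


def any_of(*rules):
    return lambda pkt: any(rule(pkt) for rule in rules)


def fair_distribute(packets, devices):
    """Fair distribution: every device whose filter matches receives its own copy.

    `devices` maps a device name to its filter; a packet in the intersection of
    several devices' demands is duplicated once per matching device.
    """
    delivered = {name: [] for name in devices}
    for pkt in packets:
        for name, flt in devices.items():
            if flt(pkt):
                delivered[name].append(pkt)
    return delivered


def acl_distribute(packets, devices):
    """ACL-style first-match distribution, for comparison: the first matching
    entry wins and later devices never see the packet."""
    delivered = {name: [] for name in devices}
    for pkt in packets:
        for name, flt in devices.items():
            if flt(pkt):
                delivered[name].append(pkt)
                break
    return delivered


# Hypothetical analysis devices and their demands (names and filters are assumptions).
DEVICES = {
    "ips": all_of(src_in("10.0.0.0/8"), any_of(proto_is(6), proto_is(17))),
    "web-dlp": all_of(proto_is(6), dst_port_is(80),
                      payload_matches(rb"^(GET|POST) /[^ ]*login")),
    "dns-monitor": all_of(proto_is(17), dst_port_is(53)),
}

# Constructed sample traffic (not captured data); 198.51.100.0/24 is a documentation range.
SAMPLE_PACKETS = [
    Packet("10.1.2.3", "198.51.100.7", 6, 40001, 80, b"GET /login?user=a HTTP/1.1\r\n"),
    Packet("10.1.2.3", "198.51.100.53", 17, 40002, 53, b"\x12\x34\x01\x00\x00\x01"),
    Packet("172.16.0.9", "198.51.100.7", 6, 40003, 80, b"GET /index.html HTTP/1.1\r\n"),
]


def demo():
    """Returns the (fair, acl) delivery maps for the sample traffic."""
    return fair_distribute(SAMPLE_PACKETS, DEVICES), acl_distribute(SAMPLE_PACKETS, DEVICES)


if __name__ == "__main__":
    fair, acl = demo()
    for name in DEVICES:
        print(f"{name:12s} fair={len(fair[name])} acl={len(acl[name])}")
```

With the sample traffic, the first packet is both a 10/8 packet the IPS wants and an HTTP login request the DLP wants; fair distribution copies it to both, while the ACL-style variant hands it to the IPS only and the DLP sees nothing at all.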

Filtered traffic can be distributed across a group of egress ports with a session-based balancing strategy that guarantees "same session to the same destination". When an egress port is disconnected, GRISM fails the stream over to a stand-by port or redistributes it among the other ports in the group.
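
As an added example of the behaviour this paragraph describes (not GRISM's own implementation, whose algorithm the page does not disclose), the code below builds a balance group of up to 8 egress ports, keys each packet by a direction-independent session key so both halves of a session land on the same port, and uses rendezvous hashing so that when one port goes down only the sessions that were on that port are redistributed. The port names and sample sessions are constructed; the 8-port limit is the one the page states.

```python
import hashlib


def session_key(proto, src_ip, src_port, dst_ip, dst_port):
    """Direction-independent session key: the two endpoints are ordered so that
    client->server and server->client packets of one session hash identically."""
    lo, hi = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def src_ip_key(proto, src_ip, src_port, dst_ip, dst_port):
    """Alternative key for 'same source IP sticky to the same egress port'."""
    return src_ip


def _weight(key, port):
    # A stable hash (hashlib, not Python's per-process randomised hash()), so the
    # choice survives restarts and is identical on every node with the same config.
    digest = hashlib.blake2b(f"{key}#{port}".encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big")


class EgressGroup:
    """A balance group of egress ports with session stickiness and failover.

    Port choice uses rendezvous (highest-random-weight) hashing: every link-up
    port gets a weight for the session key and the highest wins. When a port goes
    down only the sessions that were on that port move; everything else stays put,
    which keeps per-session state on the analysis devices intact during failover.
    """
    MAX_PORTS = 8  # the page lists at most 8 egress ports per balance group

    def __init__(self, ports, key_fn=session_key):
        if not 1 <= len(ports) <= self.MAX_PORTS:
            raise ValueError("a balance group holds 1 to 8 egress ports")
        self.ports = list(ports)
        self.link_up = {p: True for p in self.ports}
        self.key_fn = key_fn

    def set_link(self, port, up):
        self.link_up[port] = up

    def select(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return the egress port for this packet, or None if no port is link-up."""
        candidates = [p for p in self.ports if self.link_up[p]]
        if not candidates:
            return None
        key = self.key_fn(proto, src_ip, src_port, dst_ip, dst_port)
        return max(candidates, key=lambda p: _weight(key, p))


# Constructed sample sessions (not captured data): (proto, src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = [(6, f"10.0.{i // 256}.{i % 256}", 40000 + i, "203.0.113.10", 443)
                for i in range(200)]


def failover_moves(group, down_port):
    """Take `down_port` out of service and report how many sample sessions changed
    egress port. Returns (moved_count, before_map, after_map)."""
    before = {f: group.select(*f) for f in SAMPLE_FLOWS}
    group.set_link(down_port, False)
    after = {f: group.select(*f) for f in SAMPLE_FLOWS}
    moved = sum(1 for f in SAMPLE_FLOWS if before[f] != after[f])
    return moved, before, after


if __name__ == "__main__":
    group = EgressGroup(["eth1", "eth2", "eth3", "eth4"])
    moved, before, _ = failover_moves(group, "eth2")
    on_eth2 = sum(1 for p in before.values() if p == "eth2")
    print(f"{on_eth2} sessions were on eth2; {moved} sessions moved after it went down")
```

A plain modulo hash over the live port list would reshuffle roughly three quarters of all sessions when one of four ports drops; the rendezvous scheme moves exactly the sessions that had been on the failed port.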

Tunnel Handling and Packet Reengineering

When plain Ethernet packets and tunneled packets are mixed in the input traffic, the filtering functions are applied automatically to the tunnel payload. Since most analysis devices handle only plain packets well, GRISM can perform tag removal or re-encapsulation to convert tunneled packets into plain ones before delivery. Packet slicing is also supported to offload the analysis devices, for example removing the TCP/UDP payload for a device that works on L2-L4 headers only.
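
The added example below (not GRISM's code) shows the three steps of this paragraph on one constructed frame: a VxLAN-encapsulated Ethernet/IPv4/TCP packet is unwrapped so the inner 5-tuple can be filtered, the payload is sliced off to leave L2-L4 headers only, and, for the data-mask feature listed later on the page, a regular expression blanks a sensitive segment in place. Only IPv4 with TCP/UDP is handled, checksums in the sample are left zero, and the addresses and payload are made up.

```python
import re
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN port
VXLAN_HDR_LEN = 8


def l4_offsets(frame):
    """Walk the Ethernet/IPv4/{TCP,UDP} headers of a plain frame.

    Returns (ip_off, l4_off, payload_off, proto), or None if the frame is not IPv4.
    """
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip_off = ETH_HDR_LEN
    ihl = (frame[ip_off] & 0x0F) * 4            # IPv4 header length from IHL
    proto = frame[ip_off + 9]
    l4_off = ip_off + ihl
    if proto == IPPROTO_TCP:
        l4_len = (frame[l4_off + 12] >> 4) * 4  # TCP data offset (header may carry options)
    elif proto == IPPROTO_UDP:
        l4_len = 8
    else:
        l4_len = 0                              # unknown L4: treat the rest as payload
    return ip_off, l4_off, l4_off + l4_len, proto


def vxlan_decap(frame):
    """If `frame` is Ethernet/IPv4/UDP(4789)/VXLAN, return (vni, inner_frame);
    otherwise return (None, frame), so plain and tunneled input can be mixed."""
    offs = l4_offsets(frame)
    if offs is None or offs[3] != IPPROTO_UDP:
        return None, frame
    _, l4_off, payload_off, _ = offs
    if struct.unpack_from("!H", frame, l4_off + 2)[0] != VXLAN_UDP_PORT:
        return None, frame
    if not frame[payload_off] & 0x08:           # 'I' flag: the VNI field is valid
        return None, frame
    vni = int.from_bytes(frame[payload_off + 4:payload_off + 7], "big")
    return vni, frame[payload_off + VXLAN_HDR_LEN:]


def five_tuple(frame):
    """(proto, src_ip, src_port, dst_ip, dst_port) of a plain IPv4 TCP/UDP frame."""
    ip_off, l4_off, _, proto = l4_offsets(frame)
    src = ".".join(str(b) for b in frame[ip_off + 12:ip_off + 16])
    dst = ".".join(str(b) for b in frame[ip_off + 16:ip_off + 20])
    sport, dport = struct.unpack_from("!HH", frame, l4_off)
    return proto, src, sport, dst, dport


def strip_l4_payload(frame):
    """Slice away the TCP/UDP payload, keeping L2-L4 headers only. As with a pcap
    snaplen cut, the length fields inside the headers are left untouched."""
    offs = l4_offsets(frame)
    return frame if offs is None else frame[:offs[2]]


def mask_payload(frame, pattern):
    """Replace every match of `pattern` in the L4 payload with '*' of equal length,
    so TCP sequence numbers and header length fields stay consistent."""
    offs = l4_offsets(frame)
    if offs is None:
        return frame
    payload_off = offs[2]
    masked = re.sub(pattern, lambda m: b"*" * len(m.group(0)), frame[payload_off:])
    return frame[:payload_off] + masked


# --- Constructed sample frames (not captured traffic); checksums are left at zero ---
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def _eth(payload):
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + payload   # zero MAC addresses


INNER_FRAME = _eth(_ipv4("10.0.0.5", "10.0.0.9", IPPROTO_TCP,
    struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    + b"POST /login HTTP/1.1\r\n\r\nuser=alice&password=hunter2"))
SAMPLE_VNI = 0x1234
VXLAN_FRAME = _eth(_ipv4("192.168.1.1", "192.168.1.2", IPPROTO_UDP,
    struct.pack("!HHHH", 50000, VXLAN_UDP_PORT, 8 + VXLAN_HDR_LEN + len(INNER_FRAME), 0)
    + bytes([0x08, 0, 0, 0]) + SAMPLE_VNI.to_bytes(3, "big") + b"\x00" + INNER_FRAME))


def process(frame):
    """Unwrap the tunnel if present, then expose the inner 5-tuple and produce the
    headers-only and masked variants. Returns (vni, five_tuple, headers_only, masked)."""
    vni, plain = vxlan_decap(frame)
    return (vni, five_tuple(plain), strip_l4_payload(plain),
            mask_payload(plain, rb"(?<=password=)[^&\s]+"))
```

Running `process(VXLAN_FRAME)` yields VNI 0x1234, the inner 5-tuple (6, 10.0.0.5, 40000, 10.0.0.9, 80), a 54-byte headers-only frame, and a full-length frame in which the password value reads `*******`.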

Intelligent Content-based Bypass

GRISM provides an Intelligent Bypass function to protect the production network when in-line analysis devices are deployed. It monitors the status of each in-line device and immediately enables bypass when that device fails. What is unique about GRISM is that it can also bypass traffic that is not of interest or carries little risk: for example, an enterprise can place its IPS behind GRISM so that YouTube traffic never enters the IPS.

Intelligent Bypass Flow

NetFlow Generation

Some analysis devices take a lightweight approach: processing NetFlow instead of raw packets. Routers and switches can generate NetFlow themselves, but the performance penalty is unavoidable. The better alternative is to let GRISM generate NetFlow v5/v9 by aggregating and analyzing SPAN traffic from those routers and switches, since SPAN places little burden on them. Besides NetFlow, GRISM can generate an application log of HTTP requests.
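
To make concrete what a probe does when it "generates NetFlow" from SPAN traffic, here is an added example (not GRISM's implementation) that aggregates packets into unidirectional 5-tuple flows and exports them in the NetFlow v5 wire format (24-byte header, 48-byte records, at most 30 records per datagram), together with a collector-side decoder. The packet list is constructed for the example and the documentation address 203.0.113.34 stands in for a server.

```python
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 wire format (big-endian). Header 24 bytes, record 48 bytes, max 30 records.
NF5_HEADER = "!HHIIIIBBH"
NF5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"
NF5_MAX_RECORDS = 30


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int = 0
    octets: int = 0
    first_ms: int = 0    # sysUpTime (ms since probe boot) of the first packet
    last_ms: int = 0     # sysUpTime of the last packet
    tcp_flags: int = 0   # OR of all TCP flags seen in the flow


class FlowCache:
    """Aggregates observed packets into unidirectional flows keyed by 5-tuple."""

    def __init__(self):
        self.flows = {}

    def observe(self, src, dst, proto, sport, dport, length, uptime_ms, tcp_flags=0):
        key = (src, dst, proto, sport, dport)
        flow = self.flows.get(key)
        if flow is None:
            flow = Flow(src, dst, proto, sport, dport, first_ms=uptime_ms)
            self.flows[key] = flow
        flow.packets += 1
        flow.octets += length
        flow.last_ms = uptime_ms
        flow.tcp_flags |= tcp_flags
        return flow

    def export(self, uptime_ms, unix_secs, flow_sequence=0, engine_id=0):
        """Expire every cached flow into NetFlow v5 datagrams; returns a list of bytes."""
        records = list(self.flows.values())
        self.flows.clear()
        datagrams = []
        for i in range(0, len(records), NF5_MAX_RECORDS):
            chunk = records[i:i + NF5_MAX_RECORDS]
            header = struct.pack(NF5_HEADER, 5, len(chunk), uptime_ms, unix_secs, 0,
                                 flow_sequence, 0, engine_id, 0)
            body = b"".join(
                struct.pack(NF5_RECORD, socket.inet_aton(f.src), socket.inet_aton(f.dst),
                            b"\0" * 4, 0, 0, f.packets, f.octets, f.first_ms, f.last_ms,
                            f.sport, f.dport, 0, f.tcp_flags, f.proto, 0, 0, 0, 0, 0, 0)
                for f in chunk)
            datagrams.append(header + body)
            flow_sequence += len(chunk)
        return datagrams


def decode_v5(datagram):
    """Collector side: returns (count, [(src, dst, proto, sport, dport, packets, octets)])."""
    version, count, *_ = struct.unpack_from(NF5_HEADER, datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    records = []
    for n in range(count):
        r = struct.unpack_from(NF5_RECORD, datagram, 24 + 48 * n)
        records.append((socket.inet_ntoa(r[0]), socket.inet_ntoa(r[1]),
                        r[13], r[9], r[10], r[5], r[6]))
    return count, records


# Constructed sample: the start of one HTTPS session as seen on a SPAN port.
# Fields: (src, dst, proto, sport, dport, length, uptime_ms, tcp_flags)
SAMPLE_PACKETS = [
    ("10.1.1.10", "203.0.113.34", 6, 51000, 443, 74, 1000, 0x02),
    ("203.0.113.34", "10.1.1.10", 6, 443, 51000, 74, 1012, 0x12),
    ("10.1.1.10", "203.0.113.34", 6, 51000, 443, 66, 1013, 0x10),
    ("10.1.1.10", "203.0.113.34", 6, 51000, 443, 583, 1015, 0x18),
    ("203.0.113.34", "10.1.1.10", 6, 443, 51000, 1514, 1040, 0x10),
]


def demo():
    """Feed the sample packets through the cache and export them; returns the datagrams."""
    cache = FlowCache()
    for pkt in SAMPLE_PACKETS:
        cache.observe(*pkt)
    return cache.export(uptime_ms=2000, unix_secs=1700000000)
```

Five packets become two flow records (one per direction), so a 120-byte datagram replaces 2311 bytes of raw traffic; that ratio is the reason NetFlow is the lightweight option for the analysis devices that can consume it.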

Visualize the Visibility Architecture

GRISM has a web-based GUI, the GRISM web console, for configuration and management. Users can easily design complex filters as a union (OR) or intersection (AND) of several atomic filtering rules. Moreover, a user-specific visibility architecture can be designed by manipulating the graph that represents the relations between ports, filters and configuration.

Using GUI tool to design your monitoring infrastructure

Software-defined Monitoring

GRISM xUDN provides an XML script interface for full control of GRISM. Compared to an API library, XML scripting is much easier to implement and has little learning overhead.

An out-of-band monitoring infrastructure implemented by GRISM

Monitoring Network Virtualization

To centralize analysis resources such as network security devices, a tunnel can be created between two GRISMs so that monitoring traffic (mirrored SPAN) from different offices is aggregated over the IP network to a single site, the tunnel receiver. GRISM supports the proprietary X-tunnel and ERSPAN to carry SPAN traffic in a many-to-one topology. The tunnel receiver unwraps the tunnel traffic and distinguishes each sender by tunnel ID.

Build a centralized security analysis pool by GRISM’s tunnel mechanism

VM Traffic Monitoring

With today's virtualization technology, a single physical server can host many VM instances. Unfortunately, intra-server traffic, the communication between VMs on the same host, is no longer visible to network analysis devices. This seriously weakens DLP, APT detection, behavior analysis, performance measurement and similar functions. GRISM can direct traffic from inside the virtualization environment to the analysis resources already deployed in the physical network.


  1. Any-to-Any Delivery
    1. Each interface can be INPUT or OUTPUT
    2. 1-to-many, many-to-1, many-to-many
    3. To any selected interface after filtering
  2. Advanced Distribution
    1. Filter Processor
      1. Composed of a set of rules with AND/OR operation
      2. Session-based filtering vs. packet-based filtering
      3. L2-L4 header filtering rules: MAC address, Ethertype, VLAN ID, IP, IP range, TCP/UDP port…
    2. DPI-enabled Filter Processor
      1. L4-L7 pattern-based filtering
      2. Pattern formats: HEX, ASCII string and regular expression
    3. Tunnel-aware Filter
      1. Apply all filtering rules to in-tunnel packets for GRE/VxLAN/QinQ/MPLS
      2. Tunnel ID (ERSPAN/X-tunnel) filtering
    4. Processor Chain
      1. User-defined graphs of Filter Processors
      2. Ingress ports to egress ports
    5. Fair Distribution (non-ACL)
      1. Duplicate the packets needed by multiple egress ports
  3. Out-of-band Load Balance
    1. Same Dst IP/Src IP/Dst Port/Src Port sticky to the same egress port
    2. Same 5-tuple hash sticky to the same egress port
    3. Delivery HA: redistribute to link-up egress ports
    4. Balance port groups: max 8 egress ports
  4. Packet Engineering
    1. Tag removal: MPLS/VLAN/QinQ…
    2. Tunnel unpacking (tag removal and re-encapsulation): GRE/GTP/ERSPAN/NvGRE/VxLAN
    3. User-defined VLAN tagging for input or output packets
    4. Packet deduplication
  5. Monitoring Network Virtualization
    1. GRISM-to-GRISM tunnel
    2. Encapsulation: GRE, VxLAN, ERSPAN, X-tunnel
  6. Network Traffic Intelligence Extraction
    1. Generate NetFlow v5/v9
    2. Generate HTTP log
  7. Sensitive Data Protection
    1. Packet slicing: (1) preserve N bytes, (2) remove TCP/UDP payload
    2. Data mask
      1. Replace sensitive data segments in the TCP/UDP payload
      2. Data segments can be defined by regular expression
  8. In-Line Aggregation and Re-Distribution
    1. N network links x M monitoring links (NxM)
    2. In-line session-based load balance with HA strategy
    3. Intelligent content-based bypass
      1. IP address list
      2. User-defined pattern in regular expression
  9. PCAP File Processing
    1. Stream snapshot in PCAP format
    2. Replay/filter PCAP files with timestamp persistence
    3. Remote recording agent over L2-L4 switch
  10. Telecom Correlation Processing
    1. Mobile 3G/LTE data network
      1. Filter GTP-C/GTP-U by IMSI/IMEI
      2. Subscriber-based load balance
    2. Fixed ISP network
      1. Filter user-plane packets by RADIUS ID
      2. Subscriber-based load balance
  11. Virtual Machine Traffic Monitoring
    1. VM traffic redirection by GRISM-V (as a VM instance)
    2. Supported environments
      1. KVM
      2. VMware ESXi/vSphere
  12. System Control and Operation
    1. Web GUI agent for authenticated users
    2. Advanced control
      1. XML script over HTTP
    3. Management protocols: Telnet, HTTP, SNMP v2

Hardware Spec

Item | Model 1 | Model 2 | Model 3 | Model 4 | Model 5
Operating System | xUDN | xUDN | xUDN | xUDN | xUDN
19-inch rack mount | Yes | Yes | Yes | Yes | Yes
Dimensions | 17.3” W x 8.6” D x 1.7” H | 17.3” W x 13.7” D x 1.7” H | 17.3” W x 16.5” D x 1.7” H | 17.3” W x 16.5” D x 3.4” H | 17.3” W x 16.5” D x 5.1” H
Network Interface | 1G RJ45 *8 | 1G RJ45 *8, 10G SFP+ *2 | 10G/1G SFP+ *16 | 10G/1G SFP+ *24 | 10G/1G SFP+ *32
Management Interface | 1G RJ45 *1 | 1G RJ45 *1 | 1G SFP *1 | 1G SFP *1 | 1G SFP *1
Management Protocol | HTTP/HTTPS | HTTP/HTTPS | HTTP/HTTPS | HTTP/HTTPS | HTTP/HTTPS
Data Processing | 1. Ethernet, 2. PCAP file | 1. Ethernet, 2. PCAP file | Ethernet | Ethernet | Ethernet
Storage | SATA2 *1 | SATA2 *2 | 2GB (virtual disk) | 2GB (virtual disk) | 2GB (virtual disk)
Back Plane | N/A | N/A | N/A | 40Gbps | 40Gbps
Forwarding or Replication | 8Gbps | 28Gbps | 160Gbps | 240Gbps | 320Gbps
NetFlow Processing | Max 3Gbps | Max 10Gbps | Max 30Gbps | Max 30Gbps | Max 60Gbps
Mechanical | Appliance | Appliance | Appliance | ATCA 2U, two blade | ATCA 3U, two blade
Power | AC 110V-220V input | AC 110V-220V input | 1. Dual DC -48V input, 2. Dual AC 110V-220V input (with external PDU) | 1. DC -48V input, 2. Dual AC 110V-220V input (either 1 or 2) | Dual AC 110-220V input