The Fight for Full Network Visibility in a Dangerous World

Transcription

1 The Fight for Full Network Visibility in a Dangerous World Total network visibility is a core element of today s fight against emerging security threats. Sponsored by ebook: The Fight for Full Network Visibility in a Dangerous World

2 Introduction Network data security is surely one of the most discussed and publicized topics in technology circles today. Hardly a day passes without headlines of another massive phishing attack, data heist or privacy breach. And yet, there is an element of data security that gets too little attention, given all that is at stake: the role of network monitoring switching architecture and the capabilities of tools employed in day-to-day operations. If you, as a network security officer, haven t considered this critical facet, it s time to sit up and take notice. Without the right monitoring aggregation switching architecture, you and your network operations partners are not likely getting the full visibility you need to fend off threats that, as we ve seen in recent months, are constantly growing in scope and severity. One study last year indicated that the number of known security incidents only those that were detected, mind you increased by 117 percent in North America, year-over-year. The financial losses due to those losses went up 48 percent. Today s data threats go far beyond the traditional foes everyone knows hackers and malware although both remain a grave presence. Newer dangers include Advanced Persistent Threats (APTs) and so-called man-inthe-middle attacks that intercept traffic between machines operating on Internet Protocol version 6 (IPv6) and older routers running IPv4. That s a lot of stuff for Chief Security Officers to worry about and, as PricewaterhouseCoopers said in its 2014 Global State of Information Security Survey, the new threats demand new tactics. You can t fight today s threats with yesterday s strategies, PwC Principal Gary Loveland said in the report, a survey of nearly 10,000 C-suite leaders and information security officials around the world. What s needed is a new model of information security, one that is driven by knowledge of threats, assets, and the motives and targets of potential adversaries. ebook: The Fight for Full Network Visibility in a Dangerous World 2

3 Total Network Visibility is Vital to Confronting New Threats Loveland could also have noted one vital component to battling the new and emerging threats: total network visibility. The 2013 U.S. State of Cybercrime Study found woeful deficiencies in this area. Many companies aren t even trying to analyze all the traffic moving through their networks. Of organizations surveyed, only: 51 percent use malware analysis to counter advanced persistent threats. 41 percent inspect outbound traffic. 27 percent perform deep packet inspection. 21 percent employ threat-modeling tools. 31 percent perform analysis and geolocation of IP traffic. As with a lot of things, what you don t know what you can t see really hurts you in network security. Security professionals are well aware of the dangers in today s world. The problem is they re struggling to cope with a constantly changing landscape and an explosion in data, fueled in part by the BYOD revolution, mobility, the cloud and virtualization. In many cases, the information flooding into networks at speeds upwards of 10 gigabits (that s 10 billion bits per second) is simply too much for the tools they ve put in place to secure networks. Only a tiny portion of that data is being analyzed, leading to a lack of visibility that impedes any ability to respond when security problems arise. ebook: The Fight for Full Network Visibility in a Dangerous World 3

4 Total Network Visibility is Vital to Confronting New Threats What s needed is an entirely new approach to network architecture and analysis. Over the following chapters, we ll explore some of the biggest challenges in the quest for network visibility, from SPAN port contention to the tidal wave of data volume that overwhelms myriad security tools now in use. We ll also discuss some of the techniques being employed to deal with these challenges, from network taps that help eliminate port contention (and the resulting dropped packets) to advanced intelligent packet filtering and load balancing capabilities that help extend the life and performance of monitoring tools even as data volume increases. Beyond that, we ll address scalability, uptime and other critical considerations to be made when rethinking network architecture with security in mind. Our goal will be to envision a network where no data packet escapes inspection 100 percent network visibility and where operators can slice and dice the data any way they want, with as many tools as are necessary, with maximum effectiveness and without breaking the bank. It s a tall order, but one within reach with today s intelligent network monitoring switch technology. By the end of this book, we hope you re inspired to start some conversations with your network operations managers, and that your group will ask, collectively, how you are delivering 100-percent visibility to the security tools that stand between you and a widening sea of threats. ebook: The Fight for Full Network Visibility in a Dangerous World 4

5 How SPAN Alone is Insufficient When the first dial-up Internet Service Provider was introduced just 25 years ago, the top available speed was 0.1Kbps. Back then, it could take hours to download a single, two-minute song. Downloading a movie unthinkable in those early years would have taken days or weeks. Monitoring network traffic back then was, relatively speaking, a snap. Today, of course, all that has changed. Thanks to networks increasingly moving at speeds of 10 gigabytes per second and soon to reach speeds of 40G or even 100G, customers can enjoy streaming movies on Netflix or manage their bank accounts from a smart phone. But for security professionals, data speed and volume poses a new set of challenges. Securing a 10G data stream is like trying to sip water from a fire hose. More accurately, it s like trying to redirect the flow of a fire hose into many different, smaller hoses without losing a single drop of water. ebook: The Fight for Full Network Visibility in a Dangerous World 5

6 What Companies Are Up Against Take, for example, a large financial services institution with enormous responsibilities to both shareholders and millions of customers. All the company s credibility resides in its ability to maintain a secure network. To ensure that security, the organization needs to apply five or six tools to the critical data flowing through its network. There might be: An Intrusion Protection System (IPS), more commonly known as a firewall, to keep out known threats. An Intrusion Detection System (IDS), which is actively looking for incidents or security policy violations. A Data Loss Prevention (DLP) tool that raises alerts to sensitive information leaving the network. Several tools that scour traffic to company sites looking for the telltale signs of hacking or the signatures or domains of known security threats. In such a case, the security professional s biggest concern is effectively one of physics: How to give so many security tools access to the same 10G of network traffic, in real time, and without dropping any packets? Network switching infrastructure traditionally consisted of data centers filled with devices that typically each have one or two outlets (called a Switch Port Analyzer, or SPAN, in the case of Cisco equipment, or mirror ports in a Juniper environment) for sending mirrored production data to a monitoring tool. Obviously, if you have six or more security tools needing to access data, one port simply won t do. Not to mention, there s a whole other suite of tools used for network diagnostics that also need access to the same data, at the same time. The problem is referred to as SPAN port contention, and it s one of the biggest challenges we face in a security environment. ebook: The Fight for Full Network Visibility in a Dangerous World 6

7 TAPs Can Offer Several Advantages SPAN is not, in and of itself, necessarily a bad solution for accessing data for some low-bandwidth use cases where successful reporting and analysis are not dependent on seeing every packet. One advantage, obviously, is that a SPAN exists on the switch you already own. Typically, we ve seen companies using SPAN in a 1G setting. The first problem is that SPAN is terribly limiting in a large, 10G or higher network environment, and relying on it can set a security manager up to fail. Cisco itself acknowledges that its switches treat SPAN data as a lower priority, meaning packets will get dropped and never analyzed by tools. Typically, the packets start dropping far below full utilization in a 10G network, in part because SPAN traffic is getting combined with production traffic, resulting in degradation of the production traffic. Switches, and by extension their SPAN ports, also filter out bad packets or CRC errors, and a security manager typically wants to see all packets, good or bad. The only way to ensure total visibility is by also using network taps that sit in line between switches, or wherever data access is required. Tapping offers the huge advantage of accessing all of the data, without the possibility of dropped packets, regardless of bandwidth. ebook: The Fight for Full Network Visibility in a Dangerous World 7

8 TAPs Can Offer Several Advantages Taps also offer several other advantages in a security setting: Since they re not addressable network devices, they can t be hacked. They have no setup or command line issues, so they save your team time. Taps do not alter time relationships in the data something that can be critical in settings such as the financial industries and no jitter or distortion is introduced. Taps are indifferent to the type of web traffic, whether it s IPv4 or IPv6, passing through. Many taps are completely passive, offering a way to non intrusively get data out of the network and to your various analytical tools. Taps can be used at any level of the network design. In a security environment, people will typically tap before and after the firewall, so they re able to see traffic on both sides of the network, if you will. You tap at those touch points and then you feed those tap points back to a switch that directs data to monitoring tools. A good solution is to use SPANs and TAPs together, spanning at the access layer (i.e. servers) and tapping at all connections, including the server ports. ebook: The Fight for Full Network Visibility in a Dangerous World 8

9 Intelligent Taps Add Capabilities While Lowering Costs Technology today has evolved toward managed, intelligent tapping solutions that enable enterprises to connect existing monitoring tools to the flow of data without the need to purchase additional switches. These taps provide managers with statistics, diagnostics and Simple Network Management Protocol (SNMP) capabilities, all while maintaining the passive characteristics that enable 100-percent visibility. This allows insight into the performance of the tap and allows replacement before it fails and takes the network down. The bottom line when deciding whether to rely on SPAN or taps to access data, your primary factors are what type of analysis you hope to perform and what bandwidth you re dealing with. If you re in the network security business, and with bandwidth reaching near-universal 10G speeds, the choice would appear to be an easy one. ebook: The Fight for Full Network Visibility in a Dangerous World 9

10 Beyond Data Access: Deduplication, Filtering and Load Balancing Identifying the best method to access 100 percent of the data that needs to be analyzed in a 10 gigabits per second world is only half the battle. Next is to channel the proverbial fire hose to monitoring tools without overwhelming them. Many of tools in use today can handle speeds of only about 500 megabits without being overrun. Even if a tool is designed to accommodate 10G, you might be monitoring four junctures of a network and aggregating the traffic all to a single 10G appliance. Without further preventive steps to ensure you don t lose packets, you ll never achieve total visibility without buying a bunch of expensive, redundant tools just to keep up with your traffic. Fortunately, there are other ways to sift and sort the data stream and get your monitoring tools all the data they need without overloading them or requiring you to purchase more. Appliances known variously in the industry as aggregation switches, packet aggregators or network packet brokers are available today that provide the ability to perform advanced packet filtering, packet deduplication and load balancing, among other tasks, at line rate. Critically, these switches also provide packet slicing capabilities that reduce the unnecessary replication of sensitive data, helping enterprises meet an increasing number of regulatory and compliance requirements. The capabilities also can extend the recording time for IDS. ebook: The Fight for Full Network Visibility in a Dangerous World 10

11 Deduplication: A Critical Technique to Extending Tool Life, Effectiveness By some estimates, up to 55 percent of data packets in a typical enterprise network are duplicates recorded from the many desired monitoring points in a network. Sometimes it s two redundant packets. Other times it s 10. The duplicates quickly build up, and this redundant, identical information can not only overrun security tools but also confuse them. (Some tools can t process duplicates at all.) The solution is packet deduplication, which eliminates copies before they arrive at the monitoring tools. So-called deduping processes examine and compare every packet flowing from a tap or SPAN port within up to a half second and passes along only one copy. The most obvious benefit is to reduce the load on your tools. Tool effectiveness also is increased, and the number of false positive alarms is reduced. On top of that, because tools are tasked with processing perhaps half as much data, the number of tools that must be purchased is reduced. APCON s market-leading tools offer the ability to define each individual connection and determine whether or not the traffic flowing through it is to be considered duplicate. ebook: The Fight for Full Network Visibility in a Dangerous World 11

12 Load Balancing A second critical capability in controlling the flow of high-speed data to your monitoring tools is load balancing, the ability to equally distribute packets across many tools. This capability comes into play if you have more data coming in than can be captured on a single port on the tool, if you have multiple ports on that tool or if you have multiple tools doing the same thing. With load balancing, you can distribute the traffic evenly across tool ports so you don t drop packets there as well. The best products on the market do more than balance traffic loads across tools. They do it intelligently and dynamically. Here s what we mean: let s say your company is a large-scale retailer. Customers jump on your website to shop, and they browse a couple dozen pages while filling their virtual shopping carts. Eventually (you hope) they check out and pay you. Along the way, each mouse click is another piece of data. All the many bytes in that customer s session have more significance to monitoring tools if they re kept together versus being sent to, say, 10 different tools. Some tools won t tolerate the data being separated they lose context, and you lose visibility. With dynamic load balancing, you equally distribute packets, but you also keep sessions intact in the proper order for maximum effectiveness. ebook: The Fight for Full Network Visibility in a Dangerous World 12

13 Multi Stage Filtering Especially as data centers grow beyond 10G to 40G or even 100G, filtering will take an increasingly important role in network security. The latest filtering technology enables operators to not only ease the load on their monitoring tools, but also to exercise maximum flexibility and control while distributing and sharing data from multiple sources to multiple destinations. On a very basic level, data filtering allows you to forward only the relevant data to a monitoring tool. Maybe you re looking only for certain traffic, for example traffic from a particular Virtual Local Area Network (VLAN). Whatever it is, you can filter out the traffic you don t care about and forward only VLAN traffic, or whatever data you specified. And, with standard-setting multi stage filtering, you can choose to filter at any or all of three levels and to define the filter at each step of the process. Dynamic filtering allows you to be very granular in defining what a tool captures. The best products on the market today allow you to create an essentially unlimited number of rules and to store them in a filter library that saves time down the line. INGRESS SWITCH EGRESS Stage 1S Stage 2 Stage 3 Filter Stack 1 Filter 1 Filter 6 Filter Stack 3 Output 1 Input 1 Filter 2 Filter 7 Filter 6 Output 2 Filter Stack 2 Input 2 Aggregated Stream Filter 3 Filter 8 Output 3 Filter 9 Input 3 Filter Stack 4 Filter 4 Filter 6 Output 4 Filter 5 Output 5 ebook: The Fight for Full Network Visibility in a Dangerous World 13

14 Packet Slicing When it comes to protecting the sensitive information that is most valuable to criminals, packet slicing is an indispensible capability in any network monitoring architecture. In addition to helping tool performance (since tools don t have to examine and deal with the entire packet), packet slicing also plays a critical role in compliance and staying on the right side of various laws and regulatory bodies, from Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) to the IntercontinentalExchange Group (ICE). Take the medical community, for example. All caregivers are subject to HIPAA in the handling of confidential patient information. A certain packet capture tool may not need and can t be provided without becoming noncompliant a patient s Social Security number, or address and credit card information, for example. Packet slicing enables you to drop that data when you pass along the packet. In the financial services world, the Sarbanes-Oxley Act of 2002 introduced all kinds of regulatory concerns for security managers. That may mean, for example, that you need to slice off authentication data or other sensitive information when packets enter a network monitoring system. ebook: The Fight for Full Network Visibility in a Dangerous World 14

15 Other Factors: Scalability, Manageability, Uptime Having covered the various tools and techniques for drawing 100 percent of network data into our monitoring devices with the greatest possible cost effectiveness, let s now turn to some often-overlooked factors. The scalability of your monitoring solutions, as well as their uptime performance and multi-switch management capabilities can all play a direct role in whether or not an enterprise achieves full visibility. In fact, beyond the basic functionality of the technology, they are your most important considerations. Any of the three, if not thoroughly considered when designing network architecture, can lead to exorbitant costs or damaging security breaches down the line. A well thought-out plan, on the other hand, can both account for existing needs and provide for future growth. ebook: The Fight for Full Network Visibility in a Dangerous World 15

16 Scalability and Port Density: Room to Grow Year after year, the challenges of network security keep growing. As they do, so will your need for more tools, more ports and so on. It s a very dynamic environment, and so you want to invest in a product that will grow with you. That s why scalability and high port density are so important. With a higher port density, you maximize enterprise data center space as your needs grow. APCON s industry-leading switching technology offers G ports in a compact, eight rack-unit chassis roughly half the footprint of other products. Port density goes beyond saving space to the question of investment value as your organization grows. With lower port density, you might be faced with ripping out and replacing the chassis in three years. Give a thought to whether you ll be able to repurpose older equipment as your needs or data rates grow. By purchasing a APCON chassis unit on Day One, you can simply add line cards to the chassis as you grow. There is no need to redesign the network or stack chassis together as your company gets bigger. If your network infrastructure is in different parts of the data center, APCON offers a trunking solution to make multiple switches look like one switch through our TITAN management system. The complete package represents the only enterpriseclass design of its kind with both high density 36 ports of 10G/1G and high availability. ebook: The Fight for Full Network Visibility in a Dangerous World 16

17 Multi-Switch Management As data networks grow in complexity, it s important that security managers retain the ability to keep it all under control for maximum effectiveness and efficiency. That s why you should look for technology that enables you to manage any number of switches from one screen. With today s multi-switch management software, you can manage multiple switches as if they are one switch, all from a single web-based interface that can be managed from desktop or even from a mobile device. As additional switches are added, they re simply directed to report to the same software interface. Benefits include the ability to review the use of every monitoring tool or network device in your inventory and to understand where and who is using it at all times. Multi-switch management is a key to maintaining your inventory of network switch devices efficiently and without losing visibility. ebook: The Fight for Full Network Visibility in a Dangerous World 17

18 Availability: If It s Not Up, You re Flying Blind Our last, but perhaps most important, advice is not to overlook high availability in your network architecture. Especially in the Fortune 1000 realm and most especially in financial services and government, if your monitoring system is down, you are literally flying blind. You should not settle for network switching equipment that is not designed from the ground up with redundant or hot-swappable controllers and other components for maximum resilience, compatibility and reliability. Industry leading switches actually have separate data and control planes, so you can disable both redundant controller cards and the switch will continue passing data through configured connections. Their chassis units also have redundant power supplies and hot-swappable cooling fans. In the end, the fight for full network visibility depends on many factors. But with careful thought and planning, and by employing the latest technology and techniques, it is possible to harden your defenses against threats old and new. The first step is to open that all-important internal discussion on network monitoring switch architecture. Are your security tools missing critical data they need to keep your network safe? Are they so overwhelmed that you are considering acquiring duplicate tools just to accommodate the load? If your answers are yes, then you don t currently have 100-percent network visibility, and it s time to do something about that. ebook: The Fight for Full Network Visibility in a Dangerous World 18

19 APCON, Inc SW Pioneer Court Wilsonville, Oregon USA Tel: Toll Free: Engineering Design Center 501 W President George Bush Highway, Suite 100 Richardson, Texas USA sales@apcon.com APCON, Inc. apcon.com ebook: The Fight for Full Network Visibility in a Dangerous World 2014 APCON, Inc. All Rights company/apcon APCON is an Equal Opportunity Employer MFDV R1-0114