Out-of-Band Security Solution // Solutions Overview

Transcription

1 Introduction A few years ago, IT managed security using the hard outer shell approach and established walls where traffic entered and departed the network assuming that the risks originated outside of their environment. Today, while outside the wall is still untrusted, the interior can no longer be assumed to be secure and trustworthy as attacks can originate from the inside as well as the outside. Today s network must accommodate a myriad of devices that are owned, controlled and provisioned by IT, by the employee or by third parties. With the wide-spread adoption of VPN technologies, devices that are outside the wall can effectively and easily connect to resources, applications and services within the enterprise hard outer shell. Furthermore, as organizations continue to adopt virtualization solutions, a new wave of challenges is created as IT architects and administrators attempt to maintain pervasive visibility across the enterprise. With many cloud-based services and applications being evaluated and adopted by business, the infrastructure that serves the user community can be deployed or located at hosted data centers outside the reach of the IT and Security departments responsible for network health and safety. While perimeter defense is still important, the urgency to also be able to monitor what is occurring inside the perimeter is growing rapidly. Compromises to the security of the environment can start through innocent and unknowing user activities a virus can gain access to an internal desktop through unprotected and monitored browsing, moving files from an enterprise device to a third-party external storage service, and on some occasions, a user may intentionally commence or create a security penetration point within the environment. Firewalls, including the latest generation of application-aware firewalls have proven to be a good first line of protection but the security hacking community has changed and evolved their tactics. As the wall at the edge can no longer be trusted to provide the complete solution, a focus on Advanced Persistent Threat (APT) penetration monitoring, Data Loss Prevention (DLP) and Intrusion Detection Systems (IDS) have all emerged to defend against an increasing number of known, and unknown, viruses, cyber threats and adaptive malware. To protect against known and unknown threats it is important to develop and maintain an agile and responsive security posture. Once an anomaly or threat is suspected or detected it is very important to contain and eradicate the threat as quickly as possible (a timeline example is provided in Figure 1). The need to respond quickly and effectively is complemented with the need to ensure operational stability and performance of the production network. While an ongoing and effective security architecture requires pervasive and efficient visibility of network traffic and communications, the architecture and approach adopted by many enterprises is based upon legacy technologies and thinking. It does, at best, attempt to address challenges from a tactical standpoint. 1

2 Figure 1: The anatomy of an attack. It is important to begin by taking a look at legacy approaches, and then building a more strategic approach based upon the limitations of the legacy model and the demands of the future. Legacy approaches include: Wide-spread proliferation of security tools across multiple locations of an enterprise Repurposing of Ethernet switches to establish simple traffic aggregation Use of mirror/span ports to replicate some percentage of the traffic that traverses the network Deployment of network TAPs as an in-band or inline traffic replication solution. This solution overview will discuss the challenges to gaining pervasive visibility to network traffic demanded by an effective out-of-band security strategy and explore how the deployment of a Gigamon Visibility Fabric solution can address these issues. The topics include: Pervasive Visibility: The need for, and solutions to deliver pervasive visibility Agility: Realizing the value of an agile environment and its ability to react to threats Network Reliability: Maintaining the reliability of the production network Scalability: The needs and opportunities to scale the out-of-band security infrastructure 2

3 Pervasive Visibility Achieve pervasive traffic visibility across the network for your centralized security tools The simple, yet costly, proliferation of network security monitoring tools and systems across a network does not provide pervasive visibility. Not only will it increase overall costs as well as environment complexity, but it is also incapable of ensuring that critical network traffic is always seen. At Gigamon we believe a better approach exists our Visibility Fabric accepts traffic from many mirror ports, SPAN ports or TAP links, and then intelligently filters, forwards and if necessary, transforms the network traffic before delivering the traffic flows to centralized monitoring, analysis and security tools and systems. The Visibility Fabric is vendor and network agnostic. It can seamlessly integrate into an environment with a wide range of monitoring, analysis or security tools, and with various network architectures built on many different Ethernet switch and router platforms. Most organizations developing a security strategy discover that there s no shortage of data and traffic to monitor and analyze, and hence focusing on the most relevant, most interesting and most important traffic is essential. With rising volumes of network traffic, continuing growth of scale from 1Gb to 10Gb and from 10Gb to 50/100Gb, and the adoption of virtual networking, the challenge of finding the proverbial needle-in-the-haystack is becoming increasingly complex. With active and dynamic selection, filtration and manipulation of traffic that is inherent in the Visibility Fabric, enterprises can now establish rules and logic to forward the most relevant information from across their physical and virtual environments to their security tools and systems. Furthermore, with the legacy approach of using mirror/span ports, it was necessary to prioritize which tools would be connected to the limited mirror/span ports available on a typical Ethernet switch. Frequently this would leave some tools disconnected, or finding them connected at less-than-optimal locations within the network. Figure 2: SPAN or mirror port contention too many tools, not enough connections While addressing mirror/span-port contention problems, a Visibility Fabric can also customize or personalize the profile of network traffic that is delivered to each security tool or system. Traffic can be drawn from multiple collection points and aggregated prior to filtering for the exact packet selection criteria desired. Traffic can be delivered from remote source locations and provided to a centralized group of security tools and systems. In simple terms, the Visibility Fabric can receive traffic from a multitude of mirror/span ports or TAPs spread across an environment, apply dynamic filters to identify the most relevant network traffic and then aggregate all of the distributed feeds of traffic into one or many security tools. Centralizing security, monitoring and analysis systems and tools can provide potentially large cost savings. Rather than purchase a range of less capable monitoring and analysis tools to distribute across the network at specific traffic collection points, enterprise owners can instead purchase fewer but more capable tools, deployed in a central location and leverage the scale and capability of the Visibility Fabric to intelligently deliver the traffic. From central Network Operations Centers to thirdparty security service organizations or cloud-based services, by allowing the Visibility Fabric to deliver traffic to where it is needed and when it is needed, it is possible to establish full and pervasive visibility across a complete enterprise to one or many centralized locations. 3

4 Figure 3: Legacy approach of decentralized tools compared to a Visibility Fabric where tools can be centralized Agility React dynamically to threats As part of the management and operation of networks, a change management process is usually developed to control the design, review, approval and execution of changes within the environment. This process establishes specific time-bound windows during which change is allowed to help ensure higher availability and performance of enterprise infrastructure. According to the Information Technology Infrastructure Library (ITIL), a change is an event that: Has the appropriate approval prior to execution Can be implemented with a minimized and accepted risk to existing IT infrastructure Results in a new status of one or more configured devices Provides increased value to the business from the use of the new or enhanced IT systems Many situations require alterations of either network connections (the insertion of network TAPs, for example) or changes to infrastructure configuration (modifications to spanning or mirroring parameters) in order to improve the access and visibility to network traffic. When the change is executed as planned, the impact to the production environment during and after the change is well understood and can result in little to no downtime, outage or performance degradation. However, if the change does not follow the plan, it can have a multitude of results: network downtime, application unavailability, performance degradation, and so on. Needless to say, the potential downside is severe enough that changes occurring during infrastructure production hours are typically very low risk while also generating a very high return in order to be approved. For routine changes it is merely inconvenient to wait for a scheduled maintenance window. However, in the world of dynamic and fast-moving security threats, suspected virus or other outbreaks within the network, waiting for a predefined maintenance window may result in a serious security breach, data loss or compliance issues. In the past, out-of-band monitoring solutions were dependent upon receiving network traffic from either inline TAPs or switch mirror/span ports. The installation of a TAP requires that the network connection be severed, that the new TAP device is inserted, and then the connection reinstated. Since this process 4

5 will result in the network connection going down for the duration of the procedure, this type of activity is normally scheduled to occur within a maintenance window. Alternatively, mirror/ SPAN-port configurations are potentially non-disruptive, but the change does require the administrator to modify parameters on a network switch or router that is in the production network. This in itself does represent a risk. Furthermore, it is possible to incorrectly specify the parameters for the mirror/span collection and in doing so either lose visibility to specific traffic or to overburden the switch CPU and directly impact the behavior and stability of the network. A clear and tangible advantage of a Visibility Fabric is that once all critical network connections are established with the Fabric, any future change to the selection, filtering, modification or forwarding of the traffic has no effect on the production network. A Visibility Fabric accepts traffic from the network and forwards it to monitoring, analysis and security tools, but it will not allow traffic to pass from the tool side to the network. In doing so the Fabric protects the network in the event of any tool being comprised by a virus or malware of some specific variant. With the flexibility provided by the Fabric, the enterprise Network or Security Operations teams are able to simply change the selection and filtering configuration of the Visibility Fabric to modify the criteria by which traffic is extracted, and the destination of the traffic passing through the Fabric. As a result, there is no need to wait for a maintenance window and therefore the alteration may be executed during regular business hours without the risk of service interruption. expedite the diagnosis of network traffic anomalies or variances. With all security tools and systems connecting to the Fabric, as situations arise that require different types of analysis, or require recording or analytics, the single stream of network traffic ingressing the Fabric can be replicated and forwarded to multiple tools concurrently, or one portion of that replicate stream can be simplified to reduce the burden of irrelevant information for a specific type of analysis. This new approach the Visibility Fabric empowers Security teams to respond rapidly and effectively by being able to quickly and unnoticeably select and modify the forwarding of traffic from any network connection to watch for an intrusion, abnormal or unauthorized behavior. Changes do not impact network or infrastructure stability, performance or reliability, but any change to the Fabric is undetectable by the hacker not alerting them to the fact that the Operations team are closing in on the source. The Fabric can also bring value to the IT group as a whole. The team typically will no longer have to react to unscheduled or emergency alterations to the network in response to virus attacks, to fast moving threats or network traffic anomalies. Infrastructure maintenance associated with the monitoring and analysis of the environment can generally be scheduled into existing and predefined maintenance or change windows in advance. Furthermore, with the scalability provided by the Visibility Fabric, the IT department may maintain a separate set of monitoring and analysis tools for network performance management and, if desired, remains completely independent from the security monitoring. Network Reliability Enhance reliability with a solution that is non-invasive to the production network Following deployment of a Visibility Fabric, all traffic that ingresses the Fabric becomes available for selection and forwarding without requiring any change to the production network. This effectively protects the production network from any erroneous change when responding to dynamic threats and attacks, and also enables network traffic to be intelligently selected and forwarded to specific tools to improve and 5

6 Scalability Protect your investment and prepare for the future with a scalable platform With the increasing breadth, scale and performance of the network, there is an implicit need for the security tools and systems to keep pace. However, this can be a very costly proposition. Budget for monitoring, analysis and security tools is frequently an overlooked consideration. A Visibility Fabric can help address this issue in two ways firstly, adapting the network traffic bandwidth to match the bandwidth of the destination tool or system through intelligent filtering and selection of only relevant traffic. And secondly, by load sharing or aggregating connections together to provide a single or load-shared traffic stream destined for centralized tools. A common security challenge happens when a production network is upgraded to 10Gb and the monitoring and security tools are still operating at 1Gb. With the appropriate selection and filtration criteria in place, the 1Gb tool will be able to protect the most valuable traffic on the higher speed network. Following an upgrade, bandwidth requirements on core network connections may not change instantly; it can take time before the traffic grows to fill the available space. During this time it is possible to aggregate traffic from recently upgraded 1Gb or 10Gb connections and send the traffic to existing, lower speed monitoring and analysis tools. When the volume of traffic exceeds the capacity of the tool, acquiring additional similar tools represents a lower-cost option than the higher-speed tool. Although network upgrades create one type of specific challenge for existing monitoring and security tools, the organic growth of the network often results in more specific locations on the network that require monitoring and yet the cost of additional tooling is prohibitive. Figure 4: Too many links, not enough tools. With the breadth of the Fabric, enterprises are able to simply connect the new additional points that require monitoring into the Fabric. With the use of simple filtering and forwarding rules, the Fabric can now aggregate traffic from the existing and new points in order to protect expanded areas of the environment. Conclusion Regardless of size, network security is a top priority for all organizations. Networks are more vulnerable than ever due to the inherent risk of facilitating remote access in conjunction with the volume of traffic and the speed at which that traffic is flowing. As organizations migrate from 1Gb to 10Gb and beyond, network security tools struggle to keep up with these increasing connection speeds as the tools may not be designed to process the volume of network packet traffic going through the protected link. Therefore, it is vital to implement security architectures and strategies that not only prevent security breaches, but also dynamically react to potential threats and scale to meet future needs. An out-of-band security strategy leveraging a Gigamon Visibility Fabric can deliver pervasive visibility, address the need to provide a more dynamic and agile environment, and scale in line with the growth of the network. 6

7 About Gigamon Gigamon provides an intelligent Traffic Visibility Fabric for enterprises, data centers and service providers around the globe. Our technology empowers infrastructure architects, managers and operators with pervasive visibility and control of traffic across both physical and virtual environments without affecting the performance or stability of the production network. Through patented technologies and centralized management, the Gigamon GigaVUE portfolio of high availability and high density products intelligently delivers the appropriate network traffic to security, monitoring or management systems. With over eight years experience designing and building traffic visibility products in the US, Gigamon solutions are deployed globally across vertical markets including over half of the Fortune 100 and many government and federal agencies. For more information about our Gigamon products visit: Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at All other trademarks are the trademarks of their respective owners. Gigamon reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Gigamon 598 Gibraltar Drive Milpitas, CA PH