In-Band Security Solution // Solutions Overview

Transcription

1 Introduction The strategy and architecture to establish and maintain infrastructure and network security is in a rapid state of change new tools, greater intelligence and managed services are being used to not only monitor and secure the network, but also meet compliance requirements. In addition, big data, cloud computing and BYOD are changing how organizations manage, analyze and secure their networks. And, as if that was not enough, always on access to the network is no longer demanded, but expected by today s users. As a result, network and security teams grapple with maintaining performance while keeping the network secure and compliant. The greatest security threats continue to exist outside the perimeter of the network. For perimeter security, many organizations turn to an in-band security strategy (also known as an inline security strategy) as a first line of defense when confronting the growing number of user-owned and mobile devices accessing the network. However, in-band security can introduce new challenges and is often costly to scale. This solution overview addresses these challenges and explores the advantages of an in-band security strategy that incorporates a bypass/pass-through solution. Bypass/pass-through switching advantages include: Network Reliability: Reduce risk of network outage with pass-through or failover contingencies Security Reliability: Ensure liveliness of Intrusion Prevention System (IPS) and security tool reliability using features such as heartbeat detection Flexibility and Agility: Simplifying additions/removals of multiple security tools within your DMZ without compromising security or network availability Scalability: Extending the usability of 1Gb tools with application-aware filtering and load balancing Network Reliability Reduce risk of network outage with pass-through or failover contingencies An in-band architecture is fundamentally different from an outof-bound approach that is classically used for monitoring and detection, rather than an enforcement approach that in-band solutions offer. In-band security solutions enable decisions to be made on traffic as it traverses the device, with well understood functionality such as allow, deny or in some cases, modify. Since the in-band device is a gatekeeper for all traffic in and out of the protected environment, there is the risk that it can cause the network link to fail and as a result, the organization or enterprise could be disconnected from an external resource, service, cloud-based application or the internet. Often perimeter 1

2 security requires more than one type of protection, which can result in daisy-chained tools a series of security tools that process the traffic in sequence and through which each packet must pass when moving between the trusted and untrusted environments. Each tool presents another reliability, performance and scalability risk for the enterprise due to the potential of tool failure. Logical pass-through or bypass control. If the traffic forwarding state is controllable, then it is possible to briefly bypass the perimeter security tool while it is replaced, upgraded or repaired. Then switch back to pass-through when the perimeter protection is again available. Figure 1: Daisy-chained or series protection In addition to service interruptions that can be triggered by tool failures, maintenance activities for in-band tools can represent another scenario which may result in the monitored connection being interrupted. Since a primary connection is, by definition, critical, activities are restricted to scheduled maintenance windows typically taking place at exceptionally low-use time intervals (very early mornings, late evenings and/or weekends). Rather than risk impacting the connection during maintenance activities for a specific security tool in line of the protected connection, an alternative is to install a Bypass Solution that provides a range of failover configuration options. A bypass is an inline device that can direct traffic from primary routes to secondary routes without impacting the stability of the protected connection. Most bypass solutions offer three operational choices: Fail open or closed upon loss of power. Some networks are so critical that continued operation is better than a temporary loss of perimeter security. Other networks are so sensitive that a loss of perimeter security requires that connectivity be suspended. Bypass solutions allow the enterprise owners to select the mode that is most appropriate for their organization. Figure 2: Bypass or pass-through solution using GigaVUE-2404 with GigaBPS blade. Distributing network traffic across multiple security tools. Whether dividing a high-bandwidth link across several lower speed tools or selectively forwarding specific traffic types to specialized tools, this approach can extend the life of existing solutions and defers (or eliminates) the need to upgrade to higher capacity tools. There are two choices for traffic distribution: 1. A hashing algorithm based approach that distributes traffic across ports 2. Traffic filtered/selection based on specific criteria and the selected traffic forwarded to specific inline tools 2

3 Figure 3: The Gigamon G-SECURE-0216 system shows examples of distribution of selected traffic to the appropriate security tool and load sharing across security tools. The advantages in selecting which traffic is directed to specific in-band security tools include: Avoiding a complete failure of a daisy-chained architecture of tools in the event of a single tool failure. Improving the performance of each tool by filtering out inappropriate traffic and providing only the traffic relevant for the particular tool. Gaining the ability to temporarily take a single tool offline without affecting the other tools, to either perform maintenance or to upgrade the tool. Security Reliability Ensure liveliness of IPS and security tool reliability using features such as heartbeat detection Perimeter protection provided by such tools as firewalls and IPS devices play a critical role in the security of a network acting as gatekeepers to prevent attacks and other disruptive or unauthorized traffic from entering the protected environment. In order to ensure that a security tool is performing its job, it is not enough to just verify the link state of the tool, or the ability of the tool to respond to a network ping. Instead, a better way is to simulate, or determine a heartbeat for the tool. Traffic which would normally be forwarded by the security tool is injected into the connection, and then the bypass switch is able to maintain active proof that the security tool or device is fully operational. If the heartbeat traffic fails to pass through the tool or device, the bypass switch is able to respond or react and flow traffic to alternative devices as appropriate. Whenever a heartbeat fails to pass within the specified time interval, a bypass switch can be configured to assume that tool is in a failed state and take one of the following three actions: Bypass the protection and forward all traffic directly into the network. Disconnect the connection so that no traffic is forwarded. Forward the traffic to another similar tool within a loadshared pool of security tools. This heartbeat approach is able to detect the failure of the connection to security tool, the failure of the security tool hardware, the failure of the security application itself, and, depending upon the environment, the misconfiguration of the tool. 3

4 Figure 4: Gigamon G-SECURE-0216 failover states: roll over to the next tool configuration and load sharing across remaining functional tools. Flexibility and Agility Simplifying additions/removals of multiple security tools within your DMZ without compromising security or network availability The failure recovery configuration shown in Figure 4 is readily adapted to allow for routine maintenance. If a load-shared configuration has been established, then the disconnection of one of the security tools for maintenance purposes results in minimal, if any, impact to the production network. Network and security administrators now have the ability to complete additions and/or removals from the protected connection as required without being subject to maintenance windows. Also, with no impact to the production network, would-be attackers who could be monitoring switch configurations for changes are not alerted to a change because monitoring and security topology changes are occurring out of band. If a serial in-band security is required, then the advantages of a bypass switch will provide improved uptime and link protection by daisy-chaining the bypass switches themselves. This provides the failsafe operation and in-band heartbeat protection capability while still ensuring that all traffic is subject to multiple inspections. In-band security is only one of the advantages of a bypass switching solution from Gigamon. The bypass switch can be a component of a more feature-rich Traffic Visibility Fabric solution. Traffic passing through a bypass switch can also be made available to out-of-band monitoring solutions through the traffic duplication functionality inherent in the Gigamon platform. Using a bypass solution, the same packet can be inspected simultaneously by both IPS (in-band) and IDS (out-of-band) solutions (See Figure 5). Once out of band, packets can be subjected to advanced traffic manipulation prior to delivery to monitoring and analysis solutions. That manipulation can include: Packet de-duplication based on selectable fields or an offset bitmask Packet routing tag removal of protocols such as MPLS Tags, VLAN Tags, and Cisco VN Tags Packet slicing for PCI, HIPAA and other compliances Payload masking for PCI, HIPAA and other regulations Packet time stamping And tunneling of the packet across a network infrastructure to other Traffic Visibility Fabric Nodes and delivery to centralized monitoring and analysis tools 4

5 Figure 5: Deployement Example Scalability Extend the useful life of 1Gb tools with application-aware filtering and load balancing As shown earlier in Figure 3, in-band security devices may be connected in parallel as well as serial. Parallel operation is particularly desirable in situations where connections have been upgraded to faster speeds. When the connection is initially upgraded from 1Gb to 10Gb the original traffic level is unchanged only the connection capacity is increased. It may take some time before the new capacity is fully exercised, but in the meantime network and/or security teams are forced to either buy unnecessary and expensive perimeter security device upgrades, or forego some types of perimeter protection. When deploying a multi-port bypass switch, it is possible to load share the new higher link speed across one or more existing 1Gb security or monitoring tools, effectively extending their useful life and deferring equipment upgrades into future budget cycles where the expenses may be more easily accommodated. Connection speed upgrades should not obsolete otherwise satisfactory in-band protection devices. Furthermore, as companies perform connection speed upgrades, it is often possible to acquire additional lower-speed in-band protection devices at a substantial cost savings to share the load until such time as link utilization justifies purchase of the higher speed protection. Conclusion Regardless of size, network security is a top priority for all organizations. Networks are more vulnerable than ever due to the inherent risk of facilitating remote access in conjunction with the volume of traffic and the speed at which that traffic is flowing. As organizations migrate form 1Gb to 10Gb and beyond, network security tools struggle to keep up with these increasing connection speeds as the tools may not be designed to process the volume of packet traffic going through the protected link. Therefore, it is vital to implement security architectures and strategies that not only prevent security breaches, but can also dynamically react to potential threats and scale to meet future needs. An in-band security strategy of protection devices coupled with a bypass switch solution from Gigamon can address the challenges and requirements of network and security professionals, and provide the flexibility and scalability they require without impacting network reliability or performance. 5

6 About Gigamon Gigamon provides an intelligent Traffic Visibility Fabric for enterprises, data centers and service providers around the globe. Our technology empowers infrastructure architects, managers and operators with pervasive visibility and control of traffic across both physical and virtual environments without affecting the performance or stability of the production network. Through patented technologies and centralized management, the Gigamon GigaVUE portfolio of high availability and high density products intelligently delivers the appropriate network traffic to security, monitoring or management systems. With over eight years experience designing and building traffic visibility products in the US, Gigamon solutions are deployed globally across vertical markets including over half of the Fortune 100 and many government and federal agencies. For more information about our Gigamon products visit: Copyright Gigamon. All rights reserved. Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at All other trademarks are the trademarks of their respective owners. Gigamon reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Gigamon 3300 Olcott Street, Santa Clara, CA USA PH +1 (408) /14