Whitepaper Active Visibility into SSL Traffic for Multi-tiered Security

Transcription

1 Whitepaper Active Visibility into SSL Traffic for Multi-tiered Security Faced with a landscape of dynamic and expanding threats, many organizations today are compelled to take a multi-tiered approach to security, utilizing both inline and out-of-band security appliances and tools to protect critical information assets. Whereas an inline approach places the security appliance inline with the network at critical locations needing protection, the out-of-band approach uses a copy of the traffic that is fed to the security appliance in order to perform the necessary inspection. A multi-tiered security deployment may span web application firewalls, malware detection, intrusion detection or prevention (IDS or IPS), data loss prevention (DLP) and other network security devices that inspect various components of network traffic in real time. These security solutions depend on relevant, consistent, and accurate streams of network traffic to identify threats and stop attacks. But an underlying shift in enterprise payload types and patterns is preventing data center administrators from having pervasive network visibility that is so essential to the deployment of a multi-tiered security strategy. The SSL Hurdle in Multi-tiered Security Lack of visibility has been exacerbated by some 25% to 35% of enterprise traffic being carried over Secure Sockets Layer (SSL) connections. Ironically, SSL encryption has been vital in keeping , ecommerce, voice-over-ip (VoIP), online banking, remote health, and other web services secure. Yet, many security tools are unable to decrypt or monitor data within this growing traffic segment, which often carries sensitive or personal data. These blind spots in the data center impede network visibility and consequently, monitoring and security. Even security tools that can process SSL traffic degrade in performance by up to 80%. With SSL being central to today s enterprise infrastructure, poor traffic visibility exposes endpoints and DMZ servers to potential cyber attacks. The Heartbleed vulnerability in OpenSSL, which is used by about 20% of the world s web servers, showed how big an impact a single vulnerability could have on organizations. Cyber criminals easily bypassed any protection based on the encryption and signatures in the X509 certificates without detection. Indeed, analysts at Gartner 1 believe that more than half of network attacks targeting enterprises will use encrypted traffic to bypass controls in Instead of assuring safety, encrypted SSL sessions have become an emerging source of threats as hackers and cyber criminals increasingly hide botnets and other malware in them. Hence, delivering visibility to detect threats in these sessions is an essential enterprise security initiative. Growing Complexity of Traffic Compounded by Growth in Encrypted Traffic At the same time, virtualization and distributed mission-critical applications are driving higher east-west traffic volumes in leafspine data center topologies and spurring migration to 40Gb and 100Gb network connectivity. As data center administrators begin to monitor network and VM-to-VM activity between leaf and spine es, the number of points from which data has to be acquired for the security solutions grows. Initiatives such as cloud computing, mobility, and bring your own device (BYOD) all add new layers of complexity, variability, and barriers to the visibility required for adequate monitoring according to EMA Research. 2 1 D Hoinne, Jeremy and Hils, Adam. Security Leaders Must Address Threats From Rising SSL Traffic. Gartner report, 9 Dec Software Defined Monitoring: Keeping Monitoring and Management in Synch with Dynamic Networks & Infrastructures, An Enterprise Management Associates (EMA) White Paper, October,

2 Amid increased complexity, industry studies have found that monitoring tools directly connected to the network can drop up to 70% of traffic; and more than half of CIOs are struggling with the torrent of data that comes with virtualization. 3 NSS Labs has reported that decrypting SSL traffic on a firewall implies a loss of 74% for throughput and 87.8% for transactions per second. And as certificate authorities shift from 1024-bit RSA keys in favor of 2048-bit or larger keys, the SSL decryption engine will have to bear an even greater workload. The drastic slowdown in the performance of a firewall, web gateway, or an intrusion prevention system also called to decrypt or re-encrypt traffic effectively doubles the network traffic inspection spend. This is due to increases in the initial hardware purchase cost to handle the additional workload, as well as support and software costs, which are often a percentage of the initial appliance cost. The Need for Active Visibility As visibility for security and operations management depends on live network traffic feeds, the traditional method of connecting traffic-based appliances directly to the network is no longer sustainable for the modern, agile enterprise. Now, the processing power of security and operational analysis systems that rely on traffic has to keep pace with higher network speeds, and relevant data has to be delivered to specialized tools. That means an efficient way to distribute relevant network traffic to these security tools is essential. While ensuring comprehensive and scalable security, administrators have to avoid any single device from becoming a single point of failure in the network and minimize disruption and downtime due to inline security maintenance and upgrades. To attain these goals, organizations require Active Visibility, or the secure, intelligent, and pervasive use of traffic-based visibility in real time. Active Visibility provides intelligent access to traffic anywhere in the network at the interface to the WAN, in the core of a data center, inside a server, between servers, before or after an application delivery controller (ADC) or security appliance, or even in a remote site such as a branch office. Combining high availability and intelligent traffic distribution across multiple inline and out-of-band security tools, Active Visibility ensures that requisite data is fed to the right analytics application or operational tool in real time. This enables organizations to consolidate the operational tools deployed. Active Visibility to both high-speed links and specific traffic, including encrypted SSL traffic, is required for the administrator to gain full and unobstructed view across various payload types and patterns. Applying SSL Decryption To deliver Active Visibility for multi-tiered security, including deeper insight into blind spots created by SSL encryption, organizations have to decrypt SSL traffic for out-of-band monitoring to expose hidden threats without disrupting IT service delivery or network performance, while still assuring the privacy of the underlying application and data. But while SSL/Transport Layer Security (SSL/TLS) the most common encryption employed by organizations and application developers shields communications from eavesdropping, it has made diagnostics and troubleshooting difficult. Given multi-tiered security and the often-sensitive nature of encrypted traffic, administrators should assess the requirements of a performance monitoring solution for SSL/TLS-encrypted network conversations. By studying and understanding each stage of the analysis process, and by setting appropriate policies and filters, they can establish visibility of critical SSL/TLS traffic and ensure proper handling of decrypted data so sensitive data is not exposed to additional risk. For example, to prevent sensitive data from being used for malicious purposes, decrypted packets should be secured at rest with AES 256 encryption or via TLS while in transit with user access controlled via strong Authentication, Authorization and Accounting, or AAA, functionality. Proper handling of the SSL/TLS traffic lets IT teams gain full visibility of application performance while safeguarding sensitive enterprise data. However, even then, the traditional tools used by IT for performance monitoring and security forensics are not geared to take on the additional processing burden of real-time SSL traffic decryption. Deploying monitoring tools that also decrypt SSL typically lead to degraded tool performance and higher cost of monitoring. 3 Gartner s 2014 CIO Agenda: An Asia/Pacific and Japan Perspective 2

3 Gigamon alleviates this problem by supplying clear, decrypted traffic to multiple tools. Relying on dedicated decryption appliances, organizations are poised to handle multi-tiered security in the following ways: Eliminate the need for security tools to decrypt SSL traffic. This removes a tremendous processing burden on security tools and enables the security tools to operate at full performance. By offloading SSL decryption, the monitoring environment can be extended or scaled to handle high-volume traffic from multiple TAPs across the network. Filter and replicate decrypted traffic to multiple monitoring tools so organizations do not need to procure multiple decryption licenses for multiple tools. It also ensures that network traffic will be decrypted only once. SSL Decryption, coupled with Active Visibility, aims to deliver realtime, pervasive, intelligent access, and insight into traffic flowing through an enterprise s multi-tiered security infrastructure that can be applied to: Malware detection Data loss prevention Application performance monitoring Cloud services monitoring Active Visibility Via Visibility Fabric Gigamon has pioneered an approach where the Gigamon Visibility Fabric delivers: The characteristics of Active Visibility SSL Decryption as a common service to security and performance management tools The high-performance nodes in the Visibility Fabric provide pervasive visibility across physical, virtual, remote sites and future software-defined and Network Functions Virtualization (NFV) production networks. The Gigamon GigaVUE fabric nodes, which form the foundation of the Visibility Fabric, are modular and extensible for a range of scale and performance requirements from 1Gb 1RU nodes to 2.4Tb chassis-based solutions. An example of the advanced traffic intelligence powered by GigaSMART is SSL Decryption. When the Visibility Fabric is enabled with this capability, it decrypts SSL sessions and sends the traffic to out-of-band monitoring tools. Gigamon s approach can help ensure that the tools maintain full performance by delivering comprehensive and sophisticated security services for out-of-band security tool deployments. Dedicated hardware-based platforms such as visibility appliances show a distinct advantage over software-based solutions running on commodity platforms for handling high traffic volume, according to Zeus Kerravala, founder and principal analyst with ZK Research. 4 Gigamon Visibility Fabric nodes are designed for scale including modules to address inline traffic security with high availability modes, as well as intelligent load distribution across multiple inline and out-of-band security tools. The nodes use intelligence and robust bypass capabilities to better protect both critical IT traffic and the inline tools designed to prevent malicious activity. Any traffic bound for out-of-band monitoring tools can also benefit from GigaSMART intelligence regardless of where it entered the Visibility Fabric. Gigamon Visibility Fabric nodes send data that is specifically relevant to each tool; continuously monitors the health of attached inline tools; and leverages bypass capabilities so the network remains available and protected. Gigamon s ability to load balance traffic across multiple solutions in the FireEye platform, whether inline or out-of-band, makes them an ideal partner to enable organizations to detect and mitigate the latest cyber threats customers will be able to scale out their security architecture, move the products inline and deploy high availability pairs to improve their overall security posture. Steve Pataky, Senior Vice President of Worldwide Channels and Alliance, FireEye The Visibility Fabric nodes leverage fabric services such as Gigamon s patented Flow Mapping, and advanced traffic intelligence applications powered by Gigamon s patented GigaSMART technology to intelligently select, access, transform, and deliver traffic to the security tools. 4 GKerravala, Zeus. (2014, Oct. 29) Network Intelligence 3

4 Five Steps to Implementing an Effective Multi-tiered Security Deployment with the Visibility Fabric Step 1 TAP all critical links and connect them to Gigamon s Visibility Fabric The visibility that is essential for security begins by tapping multiple places in the network and supplementing these with SPAN ports. TAPs do not impact network or application performance, even in high-speed networks with 40Gb bidirectional links. Linking the IT infrastructure and the security and monitoring tools that need access to data, the Gigamon Visibility Fabric receives traffic from the connected network TAPs and SPANs. Step 2 Select the flows to monitor and connect security tools Security tools must have access to relevant traffic though the Visibility Fabric, monitoring the network for threats and sending alerts when action is required. For inter-vm traffic within a server, for instance, tapping only at the physical layer does not provide full coverage. Hence, administrators have to not only tap virtual traffic, but also select which traffic is forwarded to the Visibility Fabric. Tools can be installed, configured and optimized out-of-band before being brought inline to be more responsive to detected threats. Risks of an inline deployment being a potential point of failure can be mitigated through bypass technology, which either fails to wire during a power failure, or allows failover to a redundant path when the failure of an inline tool is detected. Step 3 Secure encryption keys Once the flows that require monitoring have been identified, the GigaSMART engine uses private and public encryption keys to decrypt SSL traffic. It identifies the exchange of public keys at the start of the transaction, while the private keys uploaded by the administrator are encrypted and stored under tight password and role-based access controls. Step 4 Leverage GigaSMART Traffic Intelligence The GigaSMART modules contain high-performance compute engines that handle SSL Decryption. Adding more GigaSMART modules to a Visibility Fabric node or clustering multiple nodes in the Visibility Fabric further increases throughput as SSL processing needs increase. A broad spectrum of GigaSMART applications can be service chained or applied to different traffic profiles. By performing multiple visibility services in combination, security coverage can be maximized. For example, SSL traffic can be decrypted and then portions of the packets sliced or masked to keep private data secure. Or NetFlow can be generated from traffic before or after encapsulation headers have been removed. That way, organizations can address the specific needs of their vertical market, while controlling all distributed devices via a central management system. Step 5 Unified Management of the Visibility Fabric Gigamon s Fabric Manager, GigaVUE-FM, centrally administers these capabilities across the Visibility Fabric. It helps organizations to lower cost of ownership, increase performance and improve agility by providing: Fabric-wide reporting capabilities Summarized and customizable dashboards Enhanced reporting to visualize the most or least utilized tool ports and traffic maps across the Visibility Fabric Audit trail support for security compliance The ability to export reports for offline review A REST-based interface to integrate with external systems Gigamon s Visibility Fabric gives us visibility and enables tremendous collaboration across the silos of the IT organization to the various security tools that keep our organization, and the data we keep, safe. This ensures that our network of providers and members has secure access to the information they need when they need it. J. Scott Haugdahl, A Principal Architect, a Leading Minnesota Health Plan Organization 4

5 Extending Gigamon Visibility Fabric Intelligence The Visibility Fabric is a flexible, extensible visibility platform for multi-tiered security. Additional Flow Mapping and/or GigaSMART applications can be applied inside the Visibility Fabric. When security tools are placed inline, their performance can be enhanced by delivering only traffic of interest to that inline security tool and bypassing the rest. Gigamon s inline Flow Mapping selectively sends traffic to inline security tools based on specific applications of interest. This capability allows specific traffic to be forwarded to one or more tools based on user-defined map rules without dropping traffic that other tools need to analyze. Out-of-band tools can supplement inline tools by inspecting a copy of the traffic sent to or received from the inline tools. For example, traffic that is known to be secure can bypass the inline tools entirely and/or be sent in parallel to out-of-band tools such as a recording system for network forensics. The traffic could also be sent to a high-performance NetFlow generation engine to generate NetFlow records. The efficiency of inline bypass can be further enhanced with many-to-many and many-to-one traffic consolidation from multiple network links. The ability to bypass any tool that is unhealthy or removed for maintenance boosts redundancy for serial inline tool deployments and minimizes disruption to the production network. Alerts sent from the Visibility Fabric when a bypass action is taken also allows for timely and orderly maintenance, removing the need for an emergency escalation. Maximizing Reach With the increasing use of SSL, it is important for any visibility solution to have maximal reach so that traffic from any part of the infrastructure can be quickly inspected without having to force a proliferation in deployment of SSL decryption appliances. This can be achieved by having cost-effective access solutions that extend the reach of the Visibility Fabric, and yet can be clustered with the feature-rich core nodes in the Visibility Fabric. Gigamon offers a variety of options to extend the reach of traffic acquisition, some of which are described below: The GigaVUE TA Series for traffic aggregation provide efficient access to traffic from network links of 10Gb and beyond The GigaVUE-VM extends the reach of visibility into virtualized infrastructure 40Gb BiDi TAPs, offered in compact 1RU and 3RU enclosures, and 40Gb BiDi optics. As the first vendor to introduce visibility into 40Gb BiDi links, Gigamon offers an excellent way for Cisco customers considering 40Gb BiDi upgrades to retain visibility after the upgrade The ability to run GigaVUE-OS, the underlying operating system software that powers Gigamon s GigaVUE H Series platforms and GigaVUE TA Series on select third-party white box ing hardware such as Quanta bare metal es REST API Closed Loop Monitoring GigaVUE-FM Multi-tiered security appliances (inline or out-of-band) NGFW Core Core Inline Bypass SSL Decryption Generation NetFlow IPS WAF Spine Spine ANTI-MALWARE Leaf Leaf VM VM HYPERVISOR GigaVUE-VM Visibility Fabric IDS DLP NETWORK FORENSICS APT Figure 1: The Gigamon Unified Visibility Fabric supports multi-tiered security and delivers Active Visibility by consolidating access to traffic for operational systems and security devices from any location in the enterprise 5

6 These Visibility Fabric enhancements are a tremendous development in the monitoring fabric space. Extending visibility deeper into the datacenter will provide great information on demand. Extending the management fabric will increase the capabilities of all organizations across all levels of application, performance and security monitoring. Ted Turner, Senior Network Engineer, Intuit Inc GigaVUE-FM, the Fabric Manager, provides the control and management plane across the entire visibility infrastructure. In addition, all the Visibility Fabric nodes mentioned in this paper are powered by the same underlying software, significantly simplifying the ease of management of the visibility infrastructure. Armed with such a best-in-class visibility infrastructure, a security administrator has the flexibility to inspect any flows of interest without being constrained to specific locations in the infrastructure. Gigamon s Visibility Fabric allows security teams to rapidly shift traffic from one device to another, without having to wait days, weeks, or even months for a maintenance window. Summary The changing threat landscape and evolving network infrastructure have led security teams to deploy multi-tiered security architectures that rely on timely threat intelligence to protect their network. These tools are only as effective as the information they see. In addition, growth in encrypted traffic such as SSL severely limits visibility for both performance and security monitoring, while uninspected SSL sessions create a growing security threat. Gigamon addresses this challenge by decrypting SSL traffic for out-of-band monitoring and applying the capabilities of Flow Mapping and GigaSMART traffic intelligence. These capabilities are delivered by a common visibility platform called the Visibility Fabric, which provides end-to-end visibility coupled with traffic intelligence that is needed to efficiently manage risks and address threats in an ever-evolving threat and network environment. About the Visibility Fabric The Gigamon Visibility Fabric is a distributed system of nodes that enable an advanced level of visibility, modification, and control of network traffic. The Visibility Fabric can be deployed in both out-of-band and inline modes. In out-of-band mode, a copy of traffic from the production network is fed to the Visibility Fabric either from TAP ports or SPAN ports, which then applies the advanced filtering and processing intelligence before distributing it to the tools required to monitor and manage IT infrastructure such as security, application and network performance, and user experience monitoring tools. In inline mode, the Visibility Fabric node is a step in the wire as network traffic flows through the Visibility Fabric for distribution to other inline security appliances before forwarding it to the rest of the network. A Visibility Fabric is very different from a traditional networking /router. Unlike a networking or router that forwards traffic based on network address information (e.g. a Layer 2 or Layer 3 header), traffic within the Visibility Fabric is forwarded based on the content that is relevant to the tools. Traffic is thus sent based on the content of the packets, as well as based on correlated traffic flows that straddle multiple packets. Those traffic streams may need to be replicated within the Visibility Fabric so as to deliver them to multiple sets of tools. That packet replication is also based on the content of the packet, as well as based on correlated traffic streams, so as to ensure that just the relevant traffic is delivered to the tools. This makes the Visibility Fabric a highly specialized function that is very unique and different from traditional network es. Many forward-looking data center operators including some of the largest cloud operators, Fortune 1000 enterprises, government agencies, and service providers are all architecting visibility as an integral component into their security and data center build-out plans. About Gigamon Gigamon provides an intelligent Unified Visibility Fabric to enable the management of increasingly complex networks. Gigamon technology empowers infrastructure architects, managers and operators with pervasive visibility and control of traffic across both physical and virtual environments without affecting the performance or stability of the production network. Through patented technologies, centralized management and a portfolio of high availability and high density fabric nodes, network traffic is intelligently delivered to management, monitoring and security systems. Gigamon solutions have been deployed globally across enterprise, data centers and service providers, including over half of the Fortune 100 and many government and federal agencies. For more information about the Gigamon Unified Visibility Fabric visit: Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at All other trademarks are the trademarks of their respective owners. Gigamon reserves the right to change, modify, transfer, or otherwise revise this publication without notice / Olcott Street, Santa Clara, CA USA +1 (408)