Security and Monitoring Requirements in Civilian and Military Networks

Transcription

1 Security and Monitoring Requirements in Civilian and Military Networks Introduction In our experience, commercially available security and monitoring tools rarely satisfy the unique mandate and complex cyber-security environments that military and government agencies deal with. However, preventing rapid obsolescence of highly customised solutions demands the judicious use of commercial off-the-shelf technology products. The optimal solution is a blend of commercial and custom equipment; the challenge is identifying commercial products that have been designed to integrate and perform, while still meeting the mission-critical demands of national cyber security. Whether commercial or bespoke, the critical feature of any monitoring system is its network monitoring interface. Traffic received from a switch/router SPAN port or captured directly from a network tap is sent via the monitoring interface to its analysis engine. The problem is that most monitoring port hardware is under-engineered. Above certain network packet rates for example when the network is under DDOS attack - the processor within the monitoring tool becomes saturated and the system starts to drop packets. In our experience this is happening at much lower packet rates than most people realise as low as 1Gb/s in certain situations. In a world where 10Gb/s is becoming the norm rather than the exception, having a system that is capable of sustaining full line rate capture without dropping packets is not a niceto-have, it s a must-have. About Endace Endace has specialised in monitoring and securing some of the fastest and most sophisticated government, military, telecommunication and financial networks on the planet. We understand that one size does not fit all, so we offer a range of products to cater for every situation. DAG CARDS Over a decade ago we began supplying our customers with high performance Data Acquisition and Generation (DAG ) cards. In response to our customers asking us to provide a more comprehensive platform on which to run their applications, we developed the Endace Probe, a line of high-performance, multi-application, open-architecture appliances with full central management functionality. Using DMA and programmable FPGAs, our DAG cards guarantee 100% capture regardless of traffic load on all significant network interfaces (STM, PDH, Ethernet, SONET, OC-X, UMTS, LTE) up to 40Gb/s making them the ideal foundation for high-performance network security and monitoring appliances. Hardware timestamping at point of capture gives Endace products the highest level of accuracy (to nanosecond level). Endace s multi-site timing solutions guarantee the absolute real-time accuracy of every packet s timestamp regardless of where in the world the packet was observed. Having truly reliable packet arrival times means your forensics and security applications can pinpoint, with sub-microsecond accuracy, when and where every packet crossed the network. power to see all page 1

2 ENDACE PROBES authoritative source of network truth ; a reliable final word on what happened, when and where. It provides the best of both worlds: a single source of captured traffic combined with flexible and open support for multiple applications. Endace Probes give every application both real-time and historical access to the captured traffic. Real-time forwarding of the timestamped packets is available to external applications over two standard interfaces: Optimised for Endace Probes, the Endace OSm operating system creates a unique open-architecture that provides: Centralised management for distributed deployments; essential when Probes need to be distributed globally. A multi-application environment, based on Virtual Machine technology, that enables Endace applications, third-party applications, and our customers own in-house custom applications to run simultaneously on a Probe which can then provide a single, authoritative source of captured network traffic to all these applications. A unique, high-performance, real-time traffic- forwarding capability that enables captured packets to be forwarded to applications that reside anywhere on the network. The combination of best-in-class hardware, open architecture, management software, and virtualisation technology creates a new class of monitoring platform ideally suited to highly specialised and customised environments. Forwarding and Data Mining By deploying a distributed capture fabric across the network, Endace customers provide high-performance data capture and timestamping to all their monitoring and security applications. This relieves these highly specialised applications (and their developers) from worrying about low-level packet capture performance. It also gives all applications a single Sent to the transmit side of any monitoring port. Wrapped in an Ethernet frame and sent to any TCP/IP address over the Probe s standard Ethernet port. To support historical data mining the Endace Probe provides several methods for specifying which subset of traffic should be extracted from the probe s rotating packet capture buffer. Data mining methods include: Using the web browser based GUI. By logging into any Endace Probe via a secure terminal session. For custom software applications, a SOAP/XML interface is available via the standard Ethernet management port or within the Endace Probe s virtual machine environment. Consistent with our open-architecture philosophy, Endace has partnered with market leaders and open-source organisations to bring a suite of best-in-breed monitoring and security applications to market. Not only are these applications optimised to run on Endace Probes, they can reliably run simultaneously due to Endace s virtualisation technology. Endace s high-performance DAG packet-capture technology ensures that the packet-capture load on the CPU is minimal, leaving the Probe s CPU capacity free to run applications at full speed. Endace Analytics Examining complex network traffic requires sophisticated packet protocol decoders and analysers. Endace has partnered with CACE Technologies to include Pilot, a powerful yet intuitive network analyser, in every Endace Probe. power to see all page 2 EndTheDebate

3 With Pilot you can: Easily isolate and identify traffic of interest through an extensive collection of network analysis metrics. Visualise long-duration live and historical traffic statistics by moving back in time through large data sets with just a few mouse clicks. Track global trends by efficiently collating and visualising traffic from multiple capture points distributed anywhere on the network. Detect anomalies via a trigger-alerting mechanism called Watches. Perform deep packet analysis by accessing Wireshark s extensive dissector library directly from within Pilot. on security agents distributed throughout the network. The security agent is built upon Endace Probes that capture, inspect and write to disk 100% of traffic at speeds up to 10Gb/s. Alerts generated by security agents are sent to a centralised Endace security server where they are aggregated and reported. From there, events from anywhere in the network can be viewed and managed via a personal computer based client - the Endace Security Dashboard. Because the distributed security agents are also simultaneously storing captured traffic, applications such as Endace Analytics, or custom and third-party analytics applications, can extract and inspect all traffic associated with a security event, including traffic that occurred before and after the alert was generated. For network forensics, investigation of packets is performed directly on historical data stored on the probe, providing security professionals with the ability to quarantine packets (capture to disk) and gain easy access to raw packets at the point of capture for data mining and full packet traffic export. The Probe s onboard forensic tools facilitate accurate and comprehensive post-event investigation right down to individual packet level. ENDACE CYBER SECURITY MONITORING Endace Security Manager is a three-tier agent/server/client architecture. Traffic is initially captured and inspected locally Additionally, through the Endace management GUI, rules can quickly be created to identify and store network events with a specific profile indicating fraud, malicious activity, human resource violations, inappropriate and illegal activity, or network reconnaissance (i.e. snooping) behaviour. It is widely accepted that the best-performing security power to see all page 3

4 systems use open-source DPI engines combined with community, commercial and custom rules. Endace supports both SNORT and Suricata (the next generation DPI engine from the OISF). The Endace security agent has been fully optimised to enable both engines to handle high network loads on networks operating at 10Gb/s and beyond without dropping a single packet. Suricata offers a host of new and exciting features that provide a deeper and more extensive level of packet investigation, making it the natural choice for organisations leveraging the numerous advantages of open source. Endace Security Manager provides a leading-edge management dashboard for alerting and responding to threats, and a sophisticated rules management interface. The advantage for security professionals is that it offers a highly granular threat-management and mitigation solution for running and managing a blend of open-source, commercial and custom rules, allowing configuration to be managed easily right down to the individual Probe level. the Probe s hardware and software resources without requiring dedicated LI appliances. power to see all We understand that government agencies require a unique combination of vendor-supplied and customdeveloped products and applications. Endace s flexible and open architecture is specifically designed to enhance and accelerate our customers ability to implement exactly the monitoring and security applications they require, while ensuring a reliable, consistent, accurately timestamped dataset is available to all applications and tools. From long experience, we know that properly leveraging existing infrastructure is often the only way to get budget approval for that next project. So when Endace s products and solutions are brought into a network they protect current investment by encouraging reuse of, and integration with, existing monitoring and security applications. To help organisations develop the most complete and robust rules structure/framework, Endace has partnered with Emerging Sigs Pro and is able to supply, tune and optimise the ESPro Rule Set (compatible with both SNORT and Suricata), which now includes coverage for zero day threats. Endace Probes also include the ability to generate network flow records for every communication (sampled or 1:1) and can automatically forward them to third-party network behavioural analysis and security applications. Endace provides support for all major Lawful Intercept products including Endace LI, Verint Lawful Intercept and Palladion. Endace also supports custom lawful intercept applications through the Endace real-time forwarding and data-mining interfaces, while Endace s multi-application virtualisation architecture allows LI applications to leverage power to see all page 4

5 Probe Feature/Benefit Summary Probe feature 100% data capture using interruptfree and zero-copy packet capture High port density Nanosecond time stamping of every captured packet. High-speed write-to-disk Open architecture and application programming interfaces (APIs) TCP/IP session-aware traffic filtering, load balancing and replication. Comprehensive network interface options Centralised management NetFlow summaries exported to multiple collectors and/or to local disk with programmable sampling rates up to 1:1. Benefit Ensuring 100% traffic capture from heavily-utilised or bursty network segments while guaranteeing almost all CPU cycles are available for post-capture data processing requires the type of high performance technology that has been core to Endace products for over a decade. This capture once, use many approach minimises memory copies among applications and eliminates post-capture bottlenecks. Capture performance is maintained even with multiple applications sharing the captured data. Endace s specialised, high-density DAG card technology enables Endace Probes to monitor numerous network links simultaneously. This reduces the number of probes required, eliminates external aggregation devices, and saves on data centre rack space and power consumption. Highly accurate timestamping supercharges the accuracy of monitoring applications while actually reducing application complexity by eliminating the need to accommodate timing inaccuracies due to unsynchronised software generated (thus intrinsically less accurate) packet timestamps. Endace Probes have been designed to allow 100% of captured traffic to be written to onboard RAID storage at full line-rate. The Endace 7000 Probe offers up to 32TB of onboard storage. Applications can be integrated and run directly on the Endace Probe, or they can continue to execute on their existing hardware but be enhanced to receive filtered capture traffic through our open interfaces and protocols. This ensures all network monitoring tools are using the same dataset. It also reduces integration costs and increases return on investment by retaining and leveraging existing custom or third-party applications and tools. Whether the solution is built directly on Endace hardware such as the DAG card family or on top of the higher level functionality provided by Endace Probes, the Endace architecture ensures the correct packet streams are sent to every application that needs them, and only to those applications authorised to receive them. Supporting the industry s widest range of network interfaces enables monitoring of all interfaces from the network edge to the network core using the same underlying monitoring architecture, thereby simplifying deployment and reducing operations and maintenance costs. For large-scale deployments Endace offers a centralised operations, administration, maintenance and provisioning server to accelerate and simplify multi-probe and multi-site monitoring systems. Endace supports multiple flow collectors performing a multitude of functions from security to traffic engineering. This ensures flow records are generated accurately without overloading routers, thereby avoiding expensive network upgrades. For more information on Endace products visit: For enquiries enquiries@ power to see all page 5