Introduction

The strategy and architecture for establishing and maintaining infrastructure and network security is changing rapidly: new tools, greater intelligence and managed services are being used not only to monitor and secure the network, but also to meet compliance requirements. In addition, big data, cloud computing and BYOD are changing how organizations manage, analyze and secure their networks. And, as if that were not enough, always-on access to the network is no longer merely demanded, but expected by today's users. As a result, network and security teams grapple with maintaining performance while keeping the network secure and compliant.

The greatest security threats continue to originate outside the perimeter of the network. For perimeter security, many organizations turn to an in-band (inline) security strategy as a first line of defense against the growing number of user-owned and mobile devices accessing the network. However, in-band security introduces new challenges of its own and is often costly to scale. This solution overview addresses those challenges and explores the advantages of an in-band security strategy that incorporates a bypass/pass-through solution.
Bypass/pass-through switching advantages include:
- Network Reliability: reduce the risk of network outage with pass-through or failover contingencies
- Security Reliability: ensure liveness of Intrusion Prevention System (IPS) and other security tools using features such as heartbeat detection
- Flexibility and Agility: simplify additions and removals of multiple security tools within your DMZ without compromising security or network availability
- Scalability: extend the useful life of 1Gb tools with application-aware filtering and load balancing

Network Reliability
Reduce risk of network outage with pass-through or failover contingencies

An in-band architecture is fundamentally different from the out-of-band approach classically used for monitoring and detection: in-band solutions enforce. An in-band device makes decisions on traffic as it traverses the device, with well-understood actions such as allow, deny or, in some cases, modify. Since the in-band device is a gatekeeper for all traffic in and out of the protected environment, there is a risk that it can cause the network link to fail, disconnecting the organization from an external resource, service, cloud-based application or the internet. Perimeter security often requires more than one type of protection, which can result in daisy-chained tools: a series of security tools that process the traffic in sequence and through which each packet must pass when moving between the trusted and untrusted environments (Figure 1). Each tool adds another reliability, performance and scalability risk for the enterprise, because each one can fail.

Figure 1: Daisy-chained or series protection

In addition to service interruptions triggered by tool failures, maintenance of in-band tools is another scenario that may interrupt the monitored connection. Since a primary connection is, by definition, critical, such activities are restricted to scheduled maintenance windows, typically at exceptionally low-use times (very early mornings, late evenings and/or weekends). Rather than risk impacting the connection during maintenance of a specific security tool inline with the protected connection, an alternative is to install a bypass solution that provides a range of failover configuration options. A bypass is an inline device that can direct traffic from primary routes to secondary routes without impacting the stability of the protected connection. Most bypass solutions offer three operational choices:

1. Fail open or closed upon loss of power. Some networks are so critical that continued operation is better than a temporary loss of perimeter security. Other networks are so sensitive that a loss of perimeter security requires that connectivity be suspended. Bypass solutions allow the enterprise owners to select the mode most appropriate for their organization. Whichever mode is chosen, the switch should alert when it enters bypass, since traffic on the link is then flowing uninspected.

2. Logical pass-through or bypass control. If the traffic forwarding state is controllable, the perimeter security tool can be bypassed briefly while it is replaced, upgraded or repaired, and traffic switched back through the tool once the perimeter protection is available again.

3. Distributing network traffic across multiple security tools. Whether dividing a high-bandwidth link across several lower-speed tools or selectively forwarding specific traffic types to specialized tools, this approach can extend the life of existing solutions and defer (or eliminate) the need to upgrade to higher-capacity tools (Figure 2). There are two choices for traffic distribution:
   a. A hashing-algorithm-based approach that distributes traffic across ports. The hash must be computed over the flow fields symmetrically (the same value for both directions of a connection) so that a stateful tool such as an IPS sees the whole conversation on one port.
   b. Traffic filtered or selected on specific criteria, with the selected traffic forwarded to specific inline tools.

Figure 2: Bypass or pass-through solution using GigaVUE-2404 with GigaBPS blade.
Figure 3: The Gigamon G-SECURE-0216 system shows examples of distribution of selected traffic to the appropriate security tool and load sharing across security tools.

The advantages of selecting which traffic is directed to specific in-band security tools include:
- Avoiding a complete failure of a daisy-chained architecture of tools in the event of a single tool failure.
- Improving the performance of each tool by filtering out inappropriate traffic and providing only the traffic relevant to that tool.
- Gaining the ability to take a single tool offline temporarily, for maintenance or an upgrade, without affecting the other tools.

Security Reliability
Ensure liveness of IPS and security tool reliability using features such as heartbeat detection

Perimeter protection provided by tools such as firewalls and IPS devices plays a critical role in the security of a network, acting as a gatekeeper that prevents attacks and other disruptive or unauthorized traffic from entering the protected environment. To ensure that a security tool is performing its job, it is not enough to verify the link state of the tool or its ability to respond to a network ping: a tool can keep its link up and answer pings while its inspection engine has stopped forwarding traffic. A better approach is a heartbeat. Traffic that the security tool would normally forward is injected into the connection by the bypass switch, and the return of that traffic on the far side of the tool is active proof that the tool is fully operational. If the heartbeat traffic fails to pass through the tool within the specified interval, the bypass switch can react and redirect traffic to alternative devices as appropriate. Whenever a heartbeat fails to pass within the specified time interval, a bypass switch can be configured to assume that the tool is in a failed state and take one of the following three actions:
- Bypass the protection and forward all traffic directly into the network.
- Disconnect the connection so that no traffic is forwarded.
- Forward the traffic to another similar tool within a load-shared pool of security tools.

This heartbeat approach detects the failure of the connection to the security tool, the failure of the security tool hardware, the failure of the security application itself and, depending upon the environment, misconfiguration of the tool. Note what a heartbeat does and does not prove: a returned probe shows that the tool is forwarding, not that its detection policy is correct, so heartbeat frames should be traffic the tool is expected to pass, and the interval and miss threshold should be short enough to catch a failure before the link's tolerance for uninspected or dropped traffic is exceeded.
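As an added illustration (Python written for this page, not Gigamon code or a description of any GigaVUE feature), the following models the mechanisms of the two sections above: symmetric flow hashing across a pool of inline tools, as in Figure 3, and heartbeat-driven failover with the three actions just listed. Tools are modelled as callables that either return the packet or return None; the probe packet, the miss threshold and the addresses and ports are assumptions made for the simulation.

```python
"""Added illustration (not Gigamon code): an inline bypass switch modelled with
symmetric flow hashing across a tool pool, heartbeat liveness checks and the
three failure actions discussed above (bypass, disconnect, redistribute)."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class FailAction(Enum):
    BYPASS = "bypass"              # fail open: forward traffic uninspected
    DISCONNECT = "disconnect"      # fail closed: forward nothing
    REDISTRIBUTE = "redistribute"  # rehash flows onto the remaining healthy tools


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int = 6


def flow_key(p: Packet) -> bytes:
    """Symmetric 5-tuple: both directions of a connection hash to the same
    tool, so a stateful IPS sees the whole conversation."""
    a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return f"{p.proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}".encode()


@dataclass
class Tool:
    name: str
    forward: Callable[[Packet], Optional[Packet]]  # None = dropped or dead
    missed: int = 0          # consecutive heartbeats that did not come back
    healthy: bool = True


class BypassSwitch:
    # The probe packet and max_missed default are assumed values for this model.
    PROBE = Packet("10.0.0.1", "10.0.0.2", 40000, 7)

    def __init__(self, tools, action, max_missed=3, fail_open_on_empty_pool=False):
        self.tools, self.action, self.max_missed = list(tools), action, max_missed
        self.fail_open_on_empty_pool = fail_open_on_empty_pool
        self.events = []

    def heartbeat(self):
        """Send a probe through every tool; max_missed consecutive misses marks a
        tool failed, and a returned probe lets it rejoin the pool."""
        for t in self.tools:
            if t.forward(self.PROBE) is not None:
                if not t.healthy:
                    self.events.append(f"{t.name} recovered")
                t.missed, t.healthy = 0, True
            else:
                t.missed += 1
                if t.healthy and t.missed >= self.max_missed:
                    t.healthy = False
                    self.events.append(f"{t.name} failed -> {self.action.value}")

    def select_tool(self, pkt):
        pool = [t for t in self.tools if t.healthy]
        # Bypass/disconnect act on the whole link once any tool fails;
        # redistribute keeps inspecting while at least one tool is up.
        if not pool or (self.action != FailAction.REDISTRIBUTE and len(pool) != len(self.tools)):
            return None
        h = int.from_bytes(hashlib.sha256(flow_key(pkt)).digest()[:4], "big")
        return pool[h % len(pool)]

    def handle(self, pkt):
        """Returns (disposition, tool name). 'blocked' means the tool dropped the
        packet itself, which without a heartbeat looks the same as a dead tool."""
        tool = self.select_tool(pkt)
        if tool is None:
            fail_open = self.action == FailAction.BYPASS or (
                self.action == FailAction.REDISTRIBUTE and self.fail_open_on_empty_pool)
            return ("bypassed" if fail_open else "dropped", None)
        return ("inspected" if tool.forward(pkt) is not None else "blocked", tool.name)


def demo():
    """Two-tool pool in redistribute mode; ips-b dies mid-run (constructed data)."""
    b_up = {"up": True}
    tool_a = Tool("ips-a", lambda p: p)
    tool_b = Tool("ips-b", lambda p: p if b_up["up"] else None)
    sw = BypassSwitch([tool_a, tool_b], FailAction.REDISTRIBUTE)
    c2s = Packet("192.0.2.10", "198.51.100.5", 51515, 443)
    s2c = Packet("198.51.100.5", "192.0.2.10", 443, 51515)
    out = {"c2s": sw.handle(c2s), "s2c": sw.handle(s2c)}
    b_up["up"] = False
    for _ in range(sw.max_missed):
        sw.heartbeat()
    out["after_failure"] = sw.handle(c2s)
    out["events"] = tuple(sw.events)
    return out
```

Calling demo() shows both directions of one connection landing on the same tool and, after ips-b stops returning heartbeats, every flow redistributed to ips-a. The 'blocked' disposition in handle() is the reason the heartbeat exists: from the switch's point of view, a tool that drops a packet by policy and a tool that has died look identical until a probe the tool should have forwarded fails to come back.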
Figure 4: Gigamon G-SECURE-0216 failover states: roll over to the next tool configuration and load sharing across remaining functional tools.

Flexibility and Agility
Simplifying additions/removals of multiple security tools within your DMZ without compromising security or network availability

The failure-recovery configuration shown in Figure 4 is readily adapted to routine maintenance. If a load-shared configuration has been established, disconnecting one of the security tools for maintenance has minimal, if any, impact on the production network. Network and security administrators can therefore add tools to, or remove them from, the protected connection as required without waiting for maintenance windows. Because the change is made on the bypass switch rather than on the production switches, it produces no change in the production network's configuration that a would-be attacker watching that configuration could observe.

If serial in-band inspection is required, the bypass switches can themselves be daisy-chained, giving each tool in the chain failsafe operation and in-band heartbeat protection while still ensuring that all traffic is subject to every inspection stage.

In-band security is only one of the advantages of a bypass switching solution from Gigamon. The bypass switch can be a component of a more feature-rich Traffic Visibility Fabric solution. Traffic passing through a bypass switch can also be made available to out-of-band monitoring solutions through the traffic duplication functionality inherent in the Gigamon platform. Using a bypass solution, the same packet can be inspected simultaneously by both IPS (in-band) and IDS (out-of-band) solutions (see Figure 5). Once out of band, packets can be subjected to advanced traffic manipulation prior to delivery to monitoring and analysis solutions. That manipulation can include:
- Packet de-duplication based on selectable fields or an offset bitmask
- Removal of encapsulation tags such as MPLS tags, VLAN tags and Cisco VN-Tags
- Packet slicing to meet PCI, HIPAA and other compliance requirements
- Payload masking for PCI, HIPAA and other regulations
- Packet time stamping
- Tunneling of packets across a network infrastructure to other Traffic Visibility Fabric nodes for delivery to centralized monitoring and analysis tools
Figure 5: Deployment Example

Scalability
Extend the useful life of 1Gb tools with application-aware filtering and load balancing

As shown earlier in Figure 3, in-band security devices may be connected in parallel as well as in series. Parallel operation is particularly desirable where connections have been upgraded to faster speeds. When a connection is first upgraded from 1Gb to 10Gb, the traffic level is unchanged; only the connection capacity has increased. It may take some time before the new capacity is fully used, but in the meantime network and/or security teams are forced either to buy unnecessary and expensive perimeter security device upgrades or to forgo some types of perimeter protection. With a multi-port bypass switch, the higher-speed link can be load-shared across one or more existing 1Gb security or monitoring tools, extending their useful life and deferring equipment upgrades into future budget cycles where the expense may be more easily accommodated. Connection speed upgrades should not obsolete otherwise satisfactory in-band protection devices. Furthermore, as companies perform connection speed upgrades, it is often possible to acquire additional lower-speed in-band protection devices at a substantial cost saving to share the load until link utilization justifies purchase of higher-speed protection. The sizing check that matters here is that each tool sees only its share of the aggregate, so the pool must have enough capacity for the traffic the link actually carries, with headroom for the redistribution that occurs when a member fails.

Conclusion

Regardless of size, network security is a top priority for all organizations. Networks are more exposed than ever because of the inherent risk of facilitating remote access, combined with the volume of traffic and the speed at which it flows. As organizations migrate from 1Gb to 10Gb and beyond, network security tools struggle to keep up with the increasing connection speeds, as the tools may not be designed to process the volume of packet traffic passing through the protected link. Therefore, it is vital to implement security architectures and strategies that not only prevent security breaches but can also react dynamically to potential threats and scale to meet future needs. An in-band security strategy of protection devices coupled with a bypass switch solution from Gigamon can address the challenges and requirements of network and security professionals, and provide the flexibility and scalability they require without impacting network reliability or performance.
About Gigamon

Gigamon provides an intelligent Traffic Visibility Fabric for enterprises, data centers and service providers around the globe. Our technology empowers infrastructure architects, managers and operators with pervasive visibility and control of traffic across both physical and virtual environments without affecting the performance or stability of the production network. Through patented technologies and centralized management, the Gigamon GigaVUE portfolio of high-availability and high-density products intelligently delivers the appropriate network traffic to security, monitoring or management systems. With over eight years' experience designing and building traffic visibility products in the US, Gigamon solutions are deployed globally across vertical markets, including over half of the Fortune 100 and many government and federal agencies. For more information about Gigamon products visit: www.gigamon.com

Copyright 2012-2014 Gigamon. All rights reserved. Gigamon and the Gigamon logo are trademarks of Gigamon in the United States and/or other countries. Gigamon trademarks can be found at www.gigamon.com/legal-trademarks. All other trademarks are the trademarks of their respective owners. Gigamon reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Gigamon, 3300 Olcott Street, Santa Clara, CA 95054 USA. PH +1 (408) 831-4000. www.gigamon.com. 3005-02 04/14