Deploying Network Taps for improved security

Similar documents
Observer Probe Family

Any-to-any switching with aggregation and filtering reduces monitoring costs

Network Management and Monitoring Software

Observer Probe Family

How To Monitor A Network With A Network Probe

Architecture Overview

Network Instruments white paper

Analyzing Full-Duplex Networks

Chapter 1 Reading Organizer

Using ODVA Common Industrial Protocol to Enhance Performance White Paper

Best Practices in Gigabit Capture

Deploying Probes and Analyzers in an Enterprise Environment

WHITE PAPER. Network Traffic Port Aggregation: Improved Visibility, Security, and Efficiency

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Developing an Effective Incidence Response Plan

Huawei One Net Campus Network Solution

Using ODVA Common Industrial Protocol to Enhance Performance White Paper

Network Management System (NMS) FAQ

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Efficient Network Monitoring Access

Choosing Tap or SPAN for Data Center Monitoring

REMOTE ASSISTANCE SOLUTIONS Private Server

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

Application Note Gigabit Ethernet Port Modes

Best Practices for DanPac Express Cyber Security

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

TOTAL RECALL MAX Potential Connection Diagrams CALL RECORDING. Product Specifications YOU NEED TOTAL RECALL MAX

HIGH-PERFORMANCE SOLUTIONS FOR MONITORING AND SECURING YOUR NETWORK A Next-Generation Intelligent Network Access Guide OPEN UP TO THE OPPORTUNITIES

Secure Access Complete Visibility

domain is known as the high side, and the less secure domain is the low side. Depending on the application, the

State of Texas. TEX-AN Next Generation. NNI Plan

WHITE PAPER. Static Load Balancers Implemented with Filters

Network Agent Quick Start

TrustNet CryptoFlow. Group Encryption WHITE PAPER. Executive Summary. Table of Contents

Layer-2 Design: Link Balancers Simplified

This document describes how the Meraki Cloud Controller system enables the construction of large-scale, cost-effective wireless networks.

Where do you Install Cyber Predator on your Network so you can collect all the data packets?

MERAKI WHITE PAPER Cloud + Wireless LAN = Easier + Affordable

Cisco Advanced Services for Network Security

How To Use A Network Instrument Ntap

Whitepaper. Controlling the Network Edge to Accommodate Increasing Demand

Industrial Automation - The Importance of Network Management Software

Structured Threats 21 External Threats 22 Internal Threats 22 Network Attacks 22 Reconnaissance Attacks 22 Access Attacks 23 Data Retrieval 23 System

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

Designing Networks with Palo Alto Networks Firewalls

Cisco Unified MobilityManager Version 1.2

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Enhancing Cisco Networks with Gigamon // White Paper

Standard: Event Monitoring

White Paper. Intrusion Detection Deploying the Shomiti Century Tap

tap into your network product brochure

EXINDA NETWORKS. Deployment Topologies

Out-of-Band Security Solution // Solutions Overview

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

Network Instruments white paper

Microsoft Technologies

WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT

IP Telephony Management

IBM QRadar Security Intelligence Platform appliances

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

Monitoring Load Balancing in the 10G Arena: Strategies and Requirements for Solving Performance Challenges

Enhanced Visibility, Improved ROI

Tk20 Network Infrastructure

Network Security Guidelines. e-governance

Truffle Broadband Bonding Network Appliance

Best Practices for Network Monitoring How a Network Monitoring Switch Helps IT Teams Stay Proactive

COMMAND YOUR DATA CENTER

DEPLOYMENT GUIDE. This document gives a brief overview of deployment preparation, installation and configuration of a Vectra X-series platform.

System 800xA Networks Control. Monitor. Communicate.

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

1.0 Basic Principles of TCP/IP Network Communications

Huawei esight Brief Product Brochure

Net Optics and Cisco NAM

Network/Cyber Security

Enterprise Network Management. March 4, 2009

C-more Remote HMI App

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Securely Access and Manage Firewall- Protected Equipment From Anywhere

How Cisco IT Uses QoS for Critical Applications

Secure, Scalable and Reliable Cloud Analytics from FusionOps

How OpenFlow-based SDN can increase network security

CM for Hardware/Software Supporting ITU Services Policy

The Importance of Cybersecurity Monitoring for Utilities

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

Cisco Bandwidth Quality Manager 3.1

Private Modbus Serial Bus Functionality via DeviceMaster UP Modbus Router

SECURING AN INTEGRATED SCADA SYSTEM. Technical Paper April 2007

Business Cases for Brocade Software-Defined Networking Use Cases

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Release: 1. ICANWK607A Design and implement wireless network security

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

CLOUD FRAMEWORK & SECURITY OVERVIEW

TrustNet Group Encryption

Computer Networking. Definitions. Introduction

SCADA/Business Network Separation: Securing an Integrated SCADA System

Implementing VoIP monitoring solutions. Deployment note

Jive Core: Platform, Infrastructure, and Installation

Chapter 9 Firewalls and Intrusion Prevention Systems

Transcription:

DATACOM SYSTEMS INC Deploying Network Taps for improved security A guide to improving security visibility A DATACOM SYSTEMS WHITE PAPER

Improve Visibility A network security detection and prevention scheme using a combination of network taps and aggregation devices can improve visibility and redundancy, reduce system complexity and diminish initial and continuing costs for implementation. Companies are continuously improving their security infrastructure to combat both internal and external threats. The deployment and resources required to improve security are under constant assessment. Improved methods to monitor and troubleshoot security problems can have a significant impact on uptime and customer satisfaction. A network security detection and prevention scheme using a combination of network taps and aggregation devices can improve visibility and redundancy, reduce system complexity and diminish initial and continuing costs for implementation. Placing security monitoring solutions in multiple locations around the network is not always technically or financially feasible. Managing a large number of devices and the alarm information that they produce can be overwhelming. A more practical approach is to determine the most desirable information that exists in the company, and begin placing safeguards around that information or the devices where it is stored. Consider the following figure that demonstrates a common network physical topology. The most common location for a security probe is at external points of egress. This architecture evaluates incoming and outgoing traffic and intercepts malicious traffic just inside the firewall. External threats have traditionally been the primary concern for security professionals. Currently, internal threats from existing employees with authorized accounts represent a major security threat. Authorized accounts can gain access via a VPN, wireless or wired connection which is usually terminated beyond the firewall. The deployment of security devices and probes inside the network to combat these internal threats is becoming increasing common. Managing a large number of devices and the alarm information that they produce can be overwhelming. A more practical approach is to determine the most desirable information that exists in the company, and begin placing safeguards around that information or the devices where it is stored. Typical network deployment Certain critical servers hold information that should be strictly prohibited. Critical records include company financial data, customer information, and employee passwords or Social Security numbers. The servers with this information are often found at the core of the network and connected to high-availability network devices. Protecting this information is the primary goal of strong security protection architectures. The following figure depicts these typical locations of security probes within the network. The dashed lines represent the links that the probes are receiving data from, for their analysis. While this is a perfectly valid solution, there are additional details that should be considered when designing this type of security system. 2 Deploying Network Taps WHITE PAPER Deploying Network Taps 3

s and port mirrors A network device can support a restricted number of port mirrors. This limitation is increasingly important as more security and analysis devices try to access the same data. Security probes or Intrusion Detection Systems (IDS) use a variety of algorithms to analyze potential threats. While each manufacturer has their own unique way of analyzing, categorizing and reporting potential threats they are only as effective as the information that they receive. Many security devices receive data via methods that do not provide them complete information on the traffic traveling on a network link. A port mirror is a software based connection that is created inside a network device, most commonly an Ethernet switch or Router. The port mirror makes copies of traffic coming from specific port(s) on the Ethernet switch and copies the traffic to the port mirror. When a security device is connected to the port mirror in theory, it will see the traffic coming from the designated ports. While port mirrors have the advantage of being integrated into the network device and are able to show traffic crossing the Ethernet switch backplane, they have some drawbacks. Many security professionals use port mirrors but are unaware that less than 100% of the traffic will be sent to the mirror port. Since the port mirror is a software implementation, traffic destined to the mirror may be dropped if the Ethernet switch becomes congested. A network device can support a restricted number of port mirrors. This limitation is increasingly important as more security and analysis devices try to access the same data. A variety of groups and departments are also creating and maintaining their own monitoring solutions, independent of the IT (Information Technology) Group. Providing network access to these additional departments is another challenge faced by the maintainers of corporate communication systems and drives the need for greater network visibility. mirrors are configured using the Ethernet switch software. mirrors can be accidentally or intentionally turned off. The ability to remotely turn off the traffic feeding a network security device gives security and audit personnel cause for alarm. Curing a critical event, the last thing a network engineer needs to worry about is taking time and care to setup a port mirror, and ensure that the appropriate traffic is copied to recording or analysis tools. An incorrectly created port mirror can create additional network congestion or shutdown required ports. The port mirror makes copies of traffic coming from specific port(s) on the Ethernet switch and copies the traffic to the port mirror. When a security device is connected to the port mirror in theory, it will see the traffic coming from the designated ports. deployment using port mirrors User Traffic Critical Server Traffic 4 Deploying Network Taps Title: Subtitle of whitepaper Deploying Network Taps 5

Tapping the link Aggregators can eliminate the use of multiple probes by merging outputs from several TAPs together. A network TAP (Test Access Point) makes a copy of information in a network connection. The TAP is designed so that it does not become a point of failure in the network. TAPs are designed so that traffic on the network link continues to flow, even if the TAP loses power. TAPs also minimize latency between the network link and the monitor port on the TAP. TAPs will aggregate duplex traffic onto a single output port, while providing buffering capability to handle traffic utilization surges. TAPs can also provide identical copies of traffic so that multiple tools all see the same data. These regeneration TAPs are deployed when redundant probes or security tools need to have 24X7 visibility to a network segment. The failure of one security device does not create an issue, since the other security device sees the same network data from the TAP. Placement of TAPs is typically in the locations with the most critical information in the network. TAPs will provide continuous monitoring on links where critical information travels, or on links leading to servers or storage devices where the data resides. TAPs are designed around a hardware-based architecture that minimizes latency, so their deployment can be made anywhere in the network. Similar to security probes, some common locations for TAPs include inside the firewall, network trunks or links to or from critical servers. Deploying a combination of network TAPs and probes is an alternative method to placing security probes throughout the network. The passive nature of TAPs, ensure that network communication is maintained. Combining TAP outputs with the use of an aggregation device means greater visibility for the network probe. An aggregator is a device that combines many inputs into a single output. Aggregators can eliminate the use of multiple probes by merging outputs from several TAPs together. Aggregators are deployed where the sum of the inputs is less than the capacity of the output. Many aggregators have an added benefit of creating multiple outputs, where each output is identical to the other. Since the aggregator sends identical traffic to its output ports, all probes on an aggregator see the same traffic. If one probe fails, the other is able to continue securing the network. TAPs and Aggregators are a cost effective solution to an organization that is starting to do security analysis with low utilization on their links. Improved security visibility using network TAPs to monitor and troubleshoot security problems is one method currently being employed by most Fortune 500 companies. They are always on, and eliminate the time to setup, configure and troubleshoot port mirrors. TAPs whose outputs are aggregated together can also effectively simplify and reduce the cost of the security solution. TAPs can provide an improved method of network access over port mirrors. TAP deployment is a proven and secure mechanism for improved visibility and redundancy. Placement of TAPs should be in accordance with the location of the most critical information in the network. Common network TAP locations Combining TAP outputs with the use of an aggregation device means greater visibility for the network probe. Aggregation of TAP outputs Aggregator 6 Deploying Network Taps Deploying Network Taps 7

DATACOM SYSTEMS INC Datacom Systems Inc. 9 Adler Drive East Syracuse, NY 13057 Enquiries US & Canada: +1 315 463 1585 Europe: +44 (0)20 7397 3795 250 Park Ave. 7th Floor (Suite 7072) New York, New York 10177 www.datacomsystems.com Datacom Systems Inc. UK 107 Cheapside London EC2V6DT Datacom Systems. 2013. All rights reserved.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information