Transcription:

Data diodes refer to unidirectional network links used in some high-security network architectures. This paper explains how data diodes are used to secure information and protect against intrusions; it also shows that Net Optics Taps and other monitoring access and control devices are, in fact, data diodes.

The Highs and Lows of a Secure Environment

When the highest possible data security is needed, an air gap is maintained between the secure domain and the rest of the world. The secure network domain simply has no physical connection to the outside world, so nothing can enter or leave by wire or wireless, only by sneaker net. (Sneaker net means a person carrying a removable ... not the other.) The more secure domain is known as the high side, and the less secure domain is the low side. Depending on the application, the goal is to keep information secure within the high side. Figure 1 illustrates this type of application. In this case, ... leaving the defense contractor's network, satisfying the security requirement. However, the data diode does allow data from outside to move into the defense contractor's network so the contractor can receive important information from partners and suppliers.

Figure 1: The Internet (low side, less secure) is connected through a data diode to the defense contractor (high side, more secure). Traffic can flow toward the contractor: data can be sent to the Defense Contractor. Traffic can NOT flow out of the contractor's network: the Defense Contractor's data is secure.

July 2011

... is to prevent intrusions and infections, but allow sharing of information from the high side. Figure 2 illustrates this type of application. In this case, a voting machine is connected through a data diode to the Internet, enabling the machine to send its vote count results to vote counting headquarters and to Web sites, while being completely secure from intruders hacking into the voting machine.

Figure 2: The voting machine (high side, more secure) is connected through a data diode to the Internet (low side, less secure). Traffic can flow out: the Voting Machine can send vote counts to headquarters. Traffic can NOT flow in: intruders cannot hack into the Voting Machine.

How a Data Diode Works

Figure 3: Full duplex fiber cable; each direction of traffic flow has a dedicated fiber. With the return fiber broken, there is no path for data to flow from the switch to the router.

If it is that easy to create a data diode, what are data diode vendors providing? It turns out that, in practice, protocols depend on two-way communication to establish and maintain connections. To take an example, you cannot get any data from ... to the Web site. For another example, if a TCP request does not receive an acknowledgement, the TCP connection terminates and no data is transferred. In order to make one-way communication work, a sophisticated data diode terminates the full duplex connection ... the proxy servers. This arrangement is illustrated in Figure 4.

Figure 4: Server, proxy, data diode, proxy.

Network Monitoring Taps Are Data Diodes (but Span ports are not!)

Network monitoring applications use unidirectional communications intrinsically, because mirrored copies of network ... Network Taps are natural data diodes, and the most secure way to connect a monitoring tool to the network. Note ... Therefore, Span ports are not suitable for high-security installations.

Figure 5: Network taps are natural data diodes; switch Span ports are not! (Net Optics Fiber Tap: full duplex traffic flow on the link, one-way traffic flow of the mirrored copy of traffic to the tool. Span port: bidirectional connection!)
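As an added illustration of the proxy arrangement in Figure 4 (a constructed model, not code from the original paper or from Net Optics): a two-way protocol tried straight across the diode never establishes a session, while a pair of proxies that terminate the connection on each side can push data across; what the one-way link costs is that a lost frame can only be noticed from its sequence number, never requested again. The channel class, the proxy functions and the sample payload are assumptions of this example.

```python
from collections import deque

class OneWayChannel:
    """Physical data diode: frames travel high -> low only. There is no
    return fiber, so any attempt to transmit low -> high is a hard failure."""
    def __init__(self, drop_seqs=()):
        self.to_low = deque()
        self.drop_seqs = set(drop_seqs)  # constructed: simulate loss on the diode

    def send_high_to_low(self, frame):
        if frame[0] == "DATA" and frame[1] in self.drop_seqs:
            return  # frame lost in transit; no ack will ever report it
        self.to_low.append(frame)

    def send_low_to_high(self, frame):
        raise RuntimeError("no return path across the diode")

def connect_directly(channel):
    """A two-way protocol run straight across the diode: the high side sends
    a SYN, but the SYN-ACK has no path back, so the session never comes up."""
    channel.send_high_to_low(("SYN", 0, b""))
    try:
        channel.send_low_to_high(("SYN-ACK", 0, b""))
    except RuntimeError:
        return False  # connection terminates, no data transferred
    return True

def high_side_proxy(channel, payload, chunk=4):
    """Terminates the sender's full-duplex session on the high side and pushes
    numbered chunks across; it receives no acknowledgement for any of them."""
    seq = 0
    for i in range(0, len(payload), chunk):
        channel.send_high_to_low(("DATA", seq, payload[i:i + chunk]))
        seq += 1
    channel.send_high_to_low(("END", seq, b""))

def low_side_proxy(channel):
    """Re-originates delivery on the low side. Without a reverse path it can
    detect gaps from the sequence numbers but can never ask for a resend."""
    data, expected, missing = bytearray(), 0, []
    while channel.to_low:
        kind, seq, chunk = channel.to_low.popleft()
        if kind == "END":
            break
        missing.extend(range(expected, seq))  # chunks that never arrived
        data += chunk
        expected = seq + 1
    return bytes(data), missing
```

A real data diode proxy would add redundancy or forward error correction on the one-way leg to compensate for the missing acknowledgements; this model only exposes the gap.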

... handshakes are expected from the monitoring tool. Therefore, proxy servers are not needed, and the simple data ... carry data from the tool to the Tap are completely absent. This can be seen in Figure 6.

Figure 6: Network taps are natural data diodes. The Fiber Tap is built from two optical splitters with a monitoring breakout cable; there is no path for data to flow into the network link.

The Fiber Tap is a device that consumes no power and needs no electricity. It is simply two optical splitters in a small chassis. Each splitter takes the signal being received at each network port and splits it in two, sending part of the signal down its usual path on the network, and the other part to the monitoring tool. To save space, the Fiber Tap provides a special monitoring breakout cable to break these two signals out to two standard duplex connectors which ... the network. The physics of the optical splitter guarantees that the signal will propagate towards the transmitting end ...

Copper Taps Are Data Diodes

Network Taps for copper media follow essentially the same topology as the Fiber Tap, as shown in Figure 7.

Figure 7: Network taps are natural data diodes. Copper Tap; there is no path for data to flow into the network link.

Ethernet Physical Interfaces (PHYs) negotiate which pins will be used for transmitting data and which for receiving ...

Data Monitoring Switches and Network Controller Switches Are Data Diodes

... tool (or from the device's management interface, or from the device itself) to the inline network link. A sampling of ...: Director™, iLink Agg™, Regeneration Taps™, iTap™.

Summary

This paper has explained why data diodes are essential for creating completely secure network connections that ... access and control. Span ports, on the other hand, are n... visibility including errors and malformed packets, totally passive behavior even when power fails, and never dropping ... topology, make Network Taps from Net Optics the best way to Tap into your Network.

Sometimes Taps Are NOT Data Diodes

As a rule, all Net Optics monitoring access and control devices are data diodes. But they say that rules are made to be broken, and the exception proves the rule. In this case, the exception is the Active Response Tap. This special type of Tap was created to meet the following customer requirement: when a monitoring Intrusion Detection System (IDS) detects certain types of illegal or unwanted network behavior, the IDS needs to be able to issue a TCP reset to the network to terminate the connection. The TCP reset is a normal flag set in the TCP header. In other words, the monitoring tool (the IDS) needs to be able to inject a packet onto the network. To meet this requirement, Net Optics developed the Active Response Tap, which is a copper Tap that has the ... and the ... connected. Active Response Taps are not data diodes, and therefore the possible security impacts should be evaluated carefully when choosing to use Active Response.

But Active Response may not be the end of the story when it comes to Taps that are not data diodes. New applications are being invented that break the data diode model for monitoring access. One such invention is Link Layer Discovery Protocol (LLDP), which requires that every device, including monitoring access and control devices, must announce itself on the network to support auto-discovery of the network topology by network management systems. Like the Active Response case, LLDP requires that a small amount of traf- ... -rection into the network instead ... monitoring devices such as Intrusion Prevention Systems (IPSs) is another example where the data diode model is not appropriate. Therefore, Net Optics Bypass Switches, which create fail-safe ports for inline tools, are not data diodes. It will be interesting to see how the data diode model for monitoring access holds up as innovative new protocols and monitoring tools become part of the networking landscape.

For further information about Network Taps and other data diode solutions: www.netoptics.com

Net Optics, Inc.
5303 Betsy Ross Drive
Santa Clara, CA 95054
(408) 737-7777
info@netoptics.com

Distributed by: Network Performance Channel GmbH
Ohmstr. 12
63225 Langen
Germany
T: +49 6103 906 722
netoptics@np-channel.com
www.network-taps.eu