During the past several years, the types of security threats have evolved from being singular types of threats — e.g. denial of service (DoS), Botnet, viruses, Trojan, phishing — to being a coordinated combination of threat types — e.g. distributed denial of service (DDoS) attacks followed by login hack attempts and Botnet intrusions. The nature of the attack sources, such as DDoS, has also changed. The use of software-defined networks (SDN), virtualization, bring your own device (BYOD) options, and Internet of Things (IoT) devices has led to less defined network perimeters and unclear network boundaries with cloud infrastructure.
As a result, each security application has become more targeted in how it detects and what it is able to detect (e.g. it becomes more specialized for certain types of threats). They are often used together as a combined solution — sometimes referred to as layered/multi-level security protection or defense-in-depth. This leads to the use of a variety of passive and active security applications, where some are deployed at multiple points throughout the network, and others are deployed at the various identifiable perimeters or boundaries.
Today’s Network Security ChallengesOf course, challenges start with selecting the types and combination of security applications and systems to use, deciding which points in the network need to be monitored actively (normally close to boundaries and perimeters) and passively (could be deeper in the network). Budget restrictions will likely have an impact on these.
Once those choices have been made, you need to determine how to gain access to the network traffic and deploy security devices. The following challenges then come into play:
- Numerous network segments and high traffic volumes make it difficult to gain sufficient visibility into all necessary segments and all traffic with available resources
- Asymmetrical routing and link aggregation result in portions of conversations or sessions scattered across multiple network segments
- High and disparate network link speeds don’t match ports speeds available on security applications/appliances
- Multiple points of failure due to each active inline security appliance representing a potential point of failure, if and when they completely fail or begin to malfunction
- Latency sensitive network discovery protocols cause links to be brought down and alternate routing to occur due to the total latency through the active inline security appliances
- Encrypted traffic hides packets’ payloads including any threats
The only real way to address these challenges and provide support to the security applications and systems is to build a visibility fabric using network packet broker (NPB) devices, in combination with passive network tapping and active bypass tapping. Passive network tapping and active bypass tapping are the best way to gain access to traffic on physical network segments without impacting the elements in the network or the integrity of the traffic. This traffic is either on the network or being forwarded to monitoring applications and tools. Taps provide full line-rate and failsafe access to the traffic, which is far superior to using switch port analyzer (SPAN) ports. NPBs receive and forward the traffic with the aim of ensuring the right packets are delivered to security and monitoring tools. They can be delivered via aggregation, replication, filtering, load balancing, deduplication, tool chaining, and other capabilities.
Issues With Traditional NPBsThe main issue with using traditional NPBs is that they are vendor proprietary, monolithic hardware designs. When applied to active inline security, the active bypass tapping is also generally built into the NPB hardware. This means traditional NPBs are rigid in design, inflexible, difficult to scale, and relatively expensive to purchase and upgrade. The rigidity of these designs generally results in traffic bottlenecks and “less than optimal” implementations of functionalities that are beyond base-level NPB functionality.
New Security Infrastructure ApproachThe new disaggregated architecture, which separates NPB software from the underlying hardware, allows users to take advantage of the software-driven, cost-effective open compute project (OCP)-based approach to network packet brokering. This architecture can now be used for active inline and passive out-of-band security monitoring, which unifies security and service assurance monitoring infrastructures.
[caption id="attachment_68953" align="aligncenter" width="908"] New Network Packet Broker Approach. (Source: NETSCOUT Arbor 2018 Worldwide Infrastructure Security Report)[/caption]
The active inline bypass tapping is also disaggregated from the switch platform as a separate bypass tap. This means that the various monitoring teams within an organization can now leverage and use the same NPB infrastructure for their different monitoring needs, and therefore are able to pool their budgets to obtain the best visibility fabric possible across the organization.
Rethink and Upgrade Your Security VisibilityA software-driven approach to security makes advanced capabilities possible even on a tight budget. Look for these capabilities:
- Advanced tool chaining, to facilitate deployment of any combination of security applications: Easily configure a chain of active inline security applications, with or without load-balancing at each application in the chain.
- Comprehensive health checks, to ensure that failed or degraded security applications do not adversely affect the network: Send positive (return expected) and negative (no return expected) packets for checking the correct operation of each security application.
- Intelligent interconnect: Automatically sense and heal interconnections between a mesh of NPB appliances, which should not be dependent on a separate management server.