10 Criteria for Evaluating NPB, Security Architect Edition


Published on

Top Ten Criteria for Evaluation a Network Packet Broker (aka Network Visibility) Solution, Security Architect Edition

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

10 Criteria for Evaluating NPB, Security Architect Edition

  1. 1. Most large organizations rely on network packet brokers (NPBs) to provide visibility to network tools and security systems, as NPBs enable the pervasive, scalable network access that TAPs alone cannot. If your IT group is tasked with evaluating an NPB solution for security deployments, you need an assessment framework to ensure both business and technical goals are achieved. The following ten criteria represent the key requirements of best practice network visibility deployments. Consider these criteria to help your organization preserve existing tool investments, reduce the costs of new investments, and ease the scale out of network infrastructure and security systems. Extend visibility across both physical and virtual infrastructure (in traditional and SDN/NFV environments) ƒƒ According to Gartner Research, over 70% of server workloads will be virtualized by 2014 (1) , so it’s critical for network security architects to gain visibility into traffic occurring on virtual servers in order to apply organizational monitoring and security policies to it—without disrupting or degrading traffic by deploying agents, taxing the hypervisor, or occupying compute slots. ƒƒ The NPB system must also be able to seamlessly scale packet access and delivery across both physical and logical network boundaries, delivering a fully interconnected mesh architecture over LAN and WAN segments. Such levels of network reach, resilience, and flexibility—not limited to daisy chain or hub-and-spoke—will ensure continuous uptime for network security systems. Deliver network traffic to active/inline tools, passive/out-of-band tools, and direct to network attached storage (NAS) ƒƒ Large scale network security deployments are typically designed to inspect data in motion (live traffic), as well as data at rest (newly copied and historical). Each tool type (active and passive) require unique capabilities in order to ensure optimization and protection. For instance, inline systems need to be continuously monitored to ensure they’re capable of remaining a bi-directional link in the monitoring chain. The NPB solution should be able to send traffic to both active and passive tools, while ensuring 100% network uptime and high-availability monitoring. ƒƒ The NPB solution should also be able to accommodate delivery of network data directly to NAS in an open format (e.g. libpcap). Capturing network traffic in an open format and storing on a high-end server of choice enables flexible visibility. Continuous capture for compliance can be made more cost effective, and libpcaps stored based on policy or at the event-driven command of the security systems can be analyzed by one or multiple tools or internally developed applications. Address traffic microbursts to ensure continuous capture and prevent tools from dropping packets ƒƒ When it comes to security and forensics, most tool vendors recommend copying and forwarding 100% of the network traffic from SPAN ports or passive TAPs to ensure the tools have full visibility at each access point. When copying 100% of SPAN/TAP traffic or when using NPBs to perform aggregation from multiple networks, there’s a risk the tools will suffer packet loss when the network experiences temporary volume spikes. SECURITY ARCHITECT EDITION Top Ten Criteria for Evaluating Network Packet Broker Solutions 1 2 3 (1) “Forecast Analysis: Data center, Worldwide, 2010-2016,” Gartner Research, 2012.
  2. 2. ƒƒ In any network experiencing microbursts, the NPB vendor must be able to accommodate them in the following ways: a) Provide buffering to handle microbursts and prevent packet loss to tools b) Help avoid major network redesign or additional tool costs by precisely identifying and measuring over time where and to what the degree the microbursts are occurring. Optimize network tools and reduce costs by preprocessing network traffic in hardware ƒƒ When delivering network traffic to the tools, the NPB vendor must be able to accommodate both active and passive aggregation. In the case of active tools, the aggregation function should support 802.1q and 802.1ad tagging standards (Q-in-Q), as well as MAC learning(2). These features effectively expand the network range of the security tools and enable them to analyze asymmetrically routed traffic in both 1G and 10G networks and beyond. ƒƒ Filtering L2-4 is an essential feature of NPB solutions, but additional L7 filtering can better optimize the network traffic consumed by security systems, particularly when different types of applications carry different risks. As an example, the NPB could filter out all Netflix and corporate VoD traffic before sending multi-gigabits of flows to the Advanced Web Malware Prevention Appliance, preventing the appliance from needlessly processing or analyzing traffic. ƒƒ This level of advanced traffic aggregation and filtering will help avoid tool oversubscription (or underutilization), maximizing the effective throughput for each security and monitoring tool. Throughput optimization can drastically reduce both initial capital investment and ongoing operating costs. Maintain service assurance for both security operations and network operations ƒƒ Network security operations teams are constantly under pressure to enhance security defenses and forensics capabilities, while adhering to Service Level Agreements (SLA) and increasing Governance, Risk and Compliance (GRC) mandates. Teams are often engaged in security system evaluations and proof-of-concept (POC) deployments. These POCs might be pilot deployments of next generation firewall or IPS solutions, or the evaluations of best-of- breed advanced malware tools or SSL decryption appliances to help protect against hidden threats. Each POC, along with other ongoing projects and fire drills, involve change management requests and collaboration with the network operations team. The network security design team and the network engineering team each has its own challenges and pressures, particularly around migration and service assurance. ƒƒ It’s critical that the NPB solution offer failsafe assurance both on the network and the tool side. For the security team in particular, it must provide active, failsafe bypass capability to simulate bump-in-the-wire functionality, replicating the link state on both sides to allow the network’s link aggregation and redundancy to work. In other words, it should ensure that both east and westbound switches see any link failure state and fail traffic over to backup links accordingly (HSRP, active/active fail over design). The NPB system must make each of the POCs simpler to bring up and deploy. ƒƒ The NPB solution must maintain network service assurance (99.999% uptime) while providing fault tolerance and High Availability (HA) for each active security and passive forensics and monitoring tool. This level of service assurance to both teams will enable the entire IT organization to rapidly evaluate and deploy best-in-class security solutions without the need for re-instrumenting the network or negatively impacting network services and SLAs. Enhance & expand security service chaining to achieve “defense in depth” ƒƒ Service chaining allows security teams to effectively scale defense depth and proactively mitigate against evolving advanced targeted attacks, malware and zero day exploits—but it’s imperative the NPB vendor have a proven reference architecture for service chaining with both inline and passive security and monitoring tools. ƒƒ In addition to active failsafe bypass features, the NPB solution needs to perform customizable tool health checks and event triggers to check both the software stack and the heartbeat (power or link up state) for each tool in the security service chain. Health check monitoring enables the flexibility and confidence needed to add best-in-class inline and passive security tools as needed. Ensure health checks can be performed not just by each tool’s NPB device but across all NPB devices, and that they can monitor tool or link failures on local and remote NPB devices before redirecting traffic or sending copies of actionable traffic to them. 6 (2) “MAC learning,” uses a learning algorithm based on MAC addressing to map traffic from multiple network links with their respective internal aggregated network identifier. Contact VSS for additional detail: http://www.vssmonitoring.com/corporate/info.asp?subject=question&src=10crit Top Ten Criteria for Evaluating Network Packet Broker Solutions: Security Architect Edition | page 2 4 5
  3. 3. Integrate network tools with NPBs to intelligently define capture controls in real time ƒƒ Some NPBs promise to improve continuous monitoring initiatives, but most do not leverage the intelligence of the security systems to determine capture parameters in real time. The following features can greatly enhance the relevance of captured traffic to enable proactive and intelligent monitoring: ƒƒ RESTful API that can be configured & invoked via XML ƒƒ Triggers for traffic filtering, full or selective packet capture and/or traffic flow redirection based on known intelligence (e.g. L2-L7 information like IP, MAC, URL, specific Hex value in header section) ƒƒ Targeted, tool directed capture and store, where security systems initiative a command to the NPBs to send traffic to tools, or libpcaps to NAS, for further analysis/troubleshooting ƒƒ Validated reference architecture for integrating with security and forensic vendors. Optimize and scale bi-directional SSL visibility to monitor encrypted applications (e.g. social media) and protect against hidden malware ƒƒ Many security and forensics tools are rapidly losing traffic visibility due to widespread adoption of cloud based services and social media applications which use SSL/TLS to meet privacy requirements. Promised ROI from existing IPS and Security Gateway solutions, as well as new Advanced Malware Prevention tools, are simultaneously diminishing, along with the ability to defend against advanced targeted attacks leveraging SSL/TLS channels for spear phishing, command and control communications, and data exfiltration. Relying on onboard tool decryption may not be the answer, as the associated performance costs and overall limitations are high. This assessment is shared by Security Analysts, such as John Pirc and Dave Shackleford (3) . ƒƒ A proven alternative to onboard tool decryption is the use of NPBs that are capable of both inline active and passive packet delivery and load balancing in conjunction with dedicated, transparent SSL proxies. This combined solution will enable the security tools to monitor and protect Gmail, Facebook and other social media applications that are using advanced public key encryption and key exchange standards like DHE, ECDHE, and DSA. ƒƒ The need to provide 100% network visibility (including inside SSL/TLS tunnels) to your inline IPS solutions is clear, but it may also be advantageous to offer similar (SSL inclusive) visibility to passive forensics, monitoring and full packet analytic tools. These tools may not be in close proximity to your inline tools, so the NPB solution needs to be able to deliver copies of decrypted traffic in a reliable and secure manner (e.g. encapsulated over TCP/IP with support for AES 128 or better) across LAN or WAN network boundaries. ƒƒ Select an NPB vendor that has proven reference designs for joint deployments with transparent SSL proxies. Use Deep Packet Inspection (DPI) to capture flows containing keywords or email targets ƒƒ Most NPB vendors offer L2-L4 filtering; however, there are many use cases such as lawful interception (LI), forensic analysis, and DPI enabled performance monitoring for video and VoIP analytics, where more advanced filtering is required. Consider NPB systems that can filter based on payload content. Look for NPB vendors that offer deep packet filtering, e.g. Regular Expression (RegEx) based, so you can gain flexibility to perform custom searches across packet boundaries and identify specific network flows. ƒƒ In some use cases (e.g. LI), specific flows need to be identified with a very high assurance level before they are forwarded to an analytics or forensics tool. In other cases, specific flows need to be filtered out from large volumes of traffic before forwarding the remainder traffic to security tools—this may be required to ensure compliance with stringent legislative or risk mandates. ƒƒ An NPB capable of deep traffic grooming before data comes to rest (stored in disk) will uniquely optimize the toolsets (including those leveraging DPI), and enable considerable CAPEX and OPEX savings. 9 (3) “The Elephant in the Room” by John Pirc. <https://www.nsslabs.com/blog/ssl-decryption-elephant-room> “Blind as a Bat” by Dave Shackleford. SANS <http://www.sans.org/reading-room/analysts-program/vss-BlindasaBat?ref=117957> 7 8 Top Ten Criteria for Evaluating Network Packet Broker Solutions: Security Architect Edition | page 3
  4. 4. Preserve 1G tool investments and maximize ROI on expensive 10G systems ƒƒ Although many security tools offer 10G sensors today, these tools come at a premium. They also only offer limited port density (typically a pair of ports for inline tools such as IPS). To operate efficiently and to control costs, existing 1G tools must continue to be leveraged, and 10G tools need to be maximized. Both of these goals can be accomplished using preprocessing on NPBs. Traffic operating at 10G, 40G, and even 100G, can be intelligently load balanced across multiple 1G (or 10G) tools. Individual segment traffic can also be optimized using filters to ensure only relevant, “actionable” data is sent to each tool, particularly those operating at a premium. In addition to features such as filtering and load balancing, the NPB system should be able to support the full spectrum of speeds and feeds operating in Ethernet networks. Summary Using the above criteria to select the right NPB system for your network will enable you to effectively secure your infrastructure and maintain regulatory compliance, while drastically reducing capital and operational expenditures. Be sure to confirm vendors under consideration can meet each of these best practice criteria. In sum, any considered NPB vendor should at a minimum offer the following capabilities: ƒƒ Failsafe capture for both copper and fiber networks ƒƒ Visibility into physical and virtual network traffic ƒƒ Traffic delivery to active and passive network tools and direct to storage ƒƒ Scalable interconnection/stacking between NPBs for high availability monitoring ƒƒ Traffic aggregation (active, inline and copied packets) ƒƒ Filtering, L2-7 ƒƒ Flow-based load balancing ƒƒ Protocol de-encapsulation ƒƒ Tag stripping ƒƒ Packet slicing ƒƒ In series chaining for multiple inline security tools ƒƒ DPI filtering ƒƒ SSL de-encryption ƒƒ Single pane management for entire NPB infrastructure ƒƒ APIs for tool-driven capture ƒƒ Validated integration with SDN controllers ƒƒ High densities for datacenter deployments ƒƒ Blade/slot in chassis and fixed port options Today, these capabilities are required to roll out large scale security systems, whether those systems include passive tools (IDS, forensics), active tools (IPS), and/or sustained packet capture for compliance. About VSS Monitoring VSS Monitoring is the industry leader in network packet brokers (NPB), providing a unique Unified Visibility Plane for network tools and security systems, enabling network-wide and link-layer visibility. Deployed globally by 80% of the world’s tier 1 service providers, F500 corporations and major government agencies, VSS Monitoring packet brokers improve tool usage and efficiency, simplify IT operations, and greatly enhance tool ROI. 10 © Copyright 2003 – 2014. VSS Monitoring Inc. All rights reserved.www.vssmonitoring.com VSS Monitoring, the VSS Monitoring logo, vBroker Series, Distributed Series, vProtector Series, Finder Series, TAP Series, vMC, vAssure, LinkSafe, vStack+, vMesh, vSlice, vCapacity, vSpool, vNetConnect and PowerSafe are trademarks of VSS Monitoring, Inc. in the United States and other countries. Any other trademarks contained herein are the property of their respective owners. VSS Monitoring is a world leader in network packet brokers (NPB), providing a visionary, unique systems approach to integrating network switching and the broad ecosystem of network analytics, security, and monitoring tools. Top Ten Criteria for Evaluating Network Packet Broker Solutions: Security Architect Edition | page 4