Hardening defenses against hackers

With notable security breaches at several major retailers, social media companies, and even the US Federal Reserve, CIOs and CTOs are under pressure to harden their networks against a tide of cyber-attacks that seems to only be getting worse. The proliferation of mobile devices, BYOD and the cloud is changing the way people work and collaborate, and this adds further complexity to the network and security monitoring challenge.

Data threats go far beyond the traditional foes everyone knows. Newer dangers include Advanced Persistent Threats (APTs) and so-called “man-in-the-middle” attacks that intercept traffic between machines operating on Internet Protocol version 6 (IPv6) and older routers running IPv4.

In the rush to secure every vulnerable network portal, CIOs and security managers should not overlook the critical need for 100 percent network visibility. This requires a comprehensive monitoring strategy implemented with techniques that ensure all data is available, at line rate, to all monitoring tools at all times. For enterprises that have yet to consider this critical fact — and the research indicates many companies aren’t even trying to analyze all the traffic moving through their networks — it’s time to sit up and take notice.

Intelligent networks
What you don’t know — and, more importantly, what you can’t monitor — is the Achilles heel of any network security strategy. In many cases, the information speeding into networks at upwards of 40G is simply too much to handle for tools installed in the 1G era. But with an intelligent network monitoring strategy, using the appropriate network monitoring architecture, taps/tools and packet manipulation techniques, you can maintain your 1G tools in these expanding networks.

I’ll give you an example. Consider the case of a large financial services institution with responsibilities to shareholders and millions of customers. The company’s credibility resides in its ability to maintain a secure network. To ensure that security, the organization needs to apply five or six tools to the critical data flowing through its network. There might be an Intrusion Protection System (IPS), an Intrusion Detection System (IDS), a Data Loss Prevention (DLP) tool and other tools that watch for signs of hacking or troublesome domains.

In such a case, one of the concerns is how to ensure all those tools get simultaneous access to the network at multiple monitoring points, in real time, without dropping packets.

It’s done by rethinking network monitoring architecture. The data center infrastructure traditionally consists of network switches with one or two outlets, called Switched Port Analyzer (SPAN) ports, that can be used for sending production data to a monitoring tool. If you have six or more security tools that need to access data, two ports simply won’t do. The problem is referred to as SPAN port contention, and it’s one of the biggest challenges we face in a security environment.

Further, SPAN ports won’t catch everything that crosses your network, leaving blind spots in your visibility. In heavily loaded networks, if you configure too much traffic to be replicated by a SPAN port, you are likely to lose packets as the port tries to keep up.

The use of network taps that sit in line between switches offers the advantage of accessing all of the data, without the possibility of dropped packets, regardless of bandwidth. Total visibility is possible only through the adequate use of network taps and the right switching architecture with advanced monitoring techniques that ensure all data is available, at line rate, to all monitoring tools at all times.

After achieving access to all that data, it’s important to take other steps to ensure that your tools are not overwhelmed.

An intelligent network monitoring switch will support complete packet manipulation and modification, including aggregation, filtering, packet slicing/stripping, deduplication, and network load balancing, to reduce the combined stream to meet available bandwidth.

Multi-stage filtering offers limitless flexibility in filtering rules and provides pinpoint accuracy, allowing users to specify exactly which packets are delivered to each egress port on the switch and eliminating the threat of oversubscribing ports and dropping packets.

Many critical security monitoring tasks are concerned only with the data contained in the packet header. Packet slicing can be used to discard packet payload information sent to monitoring tools to reduce overall data volume, increase tool performance, enhance network visibility and save scarce budget resources.

The need to eliminate duplicate packets has become fundamentally important for both security and network performance monitoring. With up to 50 percent of network monitoring traffic being duplicates, implementing a packet deduplication function with the network monitoring switch is foundational to ensuring security monitoring tools remain efficient.
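To make packet slicing and deduplication concrete, here is an added software sketch (not code from the article or from any vendor's switch) that removes copies of one packet seen at different tap points and then strips payloads before frames reach a tool. It assumes untagged Ethernet II frames carrying IPv4; the function names, the 50 ms window and the sample frames are constructed for this illustration.

```python
import hashlib
import struct

ETH_LEN = 14  # Ethernet II header, no VLAN tag (assumption of this example)

def build_frame(dst_mac, src_mac, ttl, payload):
    """Constructed sample frame: Ethernet + IPv4 + TCP, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + payload

def dedup_key(frame):
    """Digest that is equal for copies of one packet seen at different taps."""
    if frame[12:14] != b"\x08\x00" or len(frame) < ETH_LEN + 20:
        return hashlib.sha256(frame).digest()  # not IPv4: compare whole frame
    ip = bytearray(frame[ETH_LEN:])            # skip MACs, rewritten per hop
    ip[8] = 0                                  # TTL, decremented per hop
    ip[10:12] = b"\x00\x00"                    # header checksum follows TTL
    return hashlib.sha256(ip).digest()

def deduplicate(capture, window=0.05):
    """Drop frames whose key was seen within `window` s; input is time-ordered."""
    last_seen, kept = {}, []
    for ts, frame in capture:
        key = dedup_key(frame)
        prev = last_seen.get(key)
        last_seen[key] = ts
        if prev is None or ts - prev > window:
            kept.append((ts, frame))
    return kept

def slice_frame(frame, fallback=64):
    """Keep Ethernet/IPv4 headers plus TCP header; non-IPv4 gets a snap length."""
    if frame[12:14] != b"\x08\x00" or len(frame) < ETH_LEN + 20:
        return frame[:fallback]
    keep = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4        # IPv4 IHL
    if frame[ETH_LEN + 9] == 6 and len(frame) >= keep + 13:
        keep += (frame[keep + 12] >> 4) * 4             # TCP data offset
    return frame[:keep]

def monitor_feed(capture):
    # Deduplicate on full packets first, then slice what is sent to the tool.
    return [(ts, slice_frame(f)) for ts, f in deduplicate(capture)]

# Constructed capture: one packet seen either side of a router, a second
# packet, then the first packet again a second later (outside the window).
MAC = [bytes.fromhex("02000000000%d" % i) for i in range(1, 5)]
A = build_frame(MAC[0], MAC[1], 64, b"GET / HTTP/1.1\r\n\r\n")
B = build_frame(MAC[2], MAC[3], 63, b"GET / HTTP/1.1\r\n\r\n")
C = build_frame(MAC[0], MAC[1], 64, b"POST /login HTTP/1.1\r\n\r\n")
CAPTURE = [(0.0, A), (0.001, B), (0.002, C), (1.0, A)]
```

The key ignores the MAC addresses, TTL and IP header checksum because those change as a packet crosses a routed hop, so a byte-for-byte comparison would miss copies taken at two monitoring points.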

As you can see, the fight for full network visibility depends on many factors. But with some strategic thought and planning, and by employing the latest intelligent network monitoring technology and techniques, it is possible to harden your defenses.

The first step is to open an internal discussion on network monitoring switch architecture to ensure that your company’s tools have 100 percent visibility. Any company that lacks complete visibility leaves itself vulnerable.

The views expressed in this article are those of the author, not DatacenterDynamics FOCUS

Related images

  • APCON's Paul Ginn
