As networks get faster and more complex, many IT shops find that plugging network security appliances into SPAN ports and taps doesn’t offer full visibility and protection. To address the issue, some security vendors are partnering with network traffic capture specialists to offer a better solution.
Network traffic capture vendors, including Net Optics, VSS Monitoring, Gigamon and Anue Systems, provide network taps that split live traffic from switches and routers and feed it to network security appliances. They also offer matrix switches that aggregate traffic from these taps and feed it to multiple network security appliances. These aggregation devices allow a single network security appliance to inspect or monitor multiple network segments simultaneously. Network traffic capture systems can also load balance aggregated traffic across multiple network security appliances in order to increase overall throughput and capacity.
The problem with using SPAN ports and taps for network traffic capture
Relying on individual SPAN ports and taps to capture network traffic for network security appliances can result in spotty overall visibility, especially in an era where perimeter-based security only serves as the first layer of protection.
“One of the problems with SPAN ports, which people tend to use because they’re cheap, is that you won’t get to keep it for your use all the time. Someone will come along and need that because there’s a limited number of them,” said John Kindervag, senior analyst with Forrester Research. “Whenever you are under attack and need that data, the switch is going to get saturated and the first port that quits functioning is the SPAN port so that it can have some extra compute capacity. So at the exact time that you need it, the whole system is designed not to get that data to you.”
Network capture systems: One device to monitor many streams of traffic
Kindervag has been advocating a zero-trust network security strategy that abandons reliance on perimeter-based defense and instead uses network analysis and visibility tools to inspect and log all traffic on the corporate network. Such an approach requires a network traffic capture system that is able to feed all data traversing the network into network security appliances.
“It’s hard to get the data you need to those tools [with only SPAN ports],” Kindervag said. “This requires creating a specialized data acquisition network … that provides enough data so that you have the visibility to see attacks that are normally invisible, including these pesky APT [advanced persistent threat] attacks that people are dealing with. People need to gain visibility on the network to try to find that.”
To deal with this issue, network traffic capture systems give enterprises flexibility with how they distribute workloads for their network security appliances. This way an engineer can set the system to collect several streams and feed them into one box.
“So instead of having multiple IDSes distributed on 10 different links that you need to keep an eye on, you can have one device that gets an aggregated and consolidated data stream from one of these network access management devices,” said Jim Frey, research director with Enterprise Management Associates.
“Another thing in play is extending the life of your security tools,” Frey continued. “As data rates get to 10 gigs or even 40 gigs, your security tools are not necessarily rated fully for those higher speed networks.”
Network traffic capture systems can perform media conversion, sending lower bandwidth data streams to these network security appliances. They can also load balance these data streams across multiple appliances.
Network traffic capture helps passive and active network security
Most enterprises won’t rely on network traffic capture systems to feed data to active, inline devices like a firewall or intrusion prevention system (IPS). Those devices need access to the live data stream in order to allow or deny traffic. Instead, enterprises feed data from network traffic capture systems to passive monitoring devices such as an intrusion detection system (IDS) or a security network monitoring appliance like NetWitness. These tools can alert a network security team to security incidents and anomalous behavior.
However, some network traffic capture specialists offer inline solutions for active network security tools, too. VSS Monitoring offers the Protector, an inline tap device that redirects live traffic to network security tools for active inspection. This month IBM certified VSS Protector as compatible for use with its ISS Systems IPS appliance.
These VSS inline devices can forward traffic into an overall network traffic capture system for passive inspection while also sending live traffic to the inline devices. They have the ability to filter Layer 2 data streams by protocol and application, according to Mike Grever, director of business development for VSS Monitoring. This allows the network traffic capture system to send specialized traffic streams to different network security appliances.
“Some people will only want to look at Web traffic while others will only want to look at VoIP,” said Grever. “They may only want to send Port 80 traffic to an IPS box and send all the rest of traffic to a passive IDS. Even if you have an inline VSS device used by an IPS, you can also use passive tools like IDS with the same VSS box.”
Next-generation firewall specialist Palo Alto Networks partners with both Gigamon and Net Optics to deploy its firewalls as inline IPS appliances instead, using Gigamon or Net Optics bypass switches to redirect traffic around the network security appliance in case it fails.
“One of the implications of being a firewall is that if it fails, it shuts you down,” said Chris King, director of product marketing for Palo Alto. “Firewalls are fail-close devices. With that said, one of the attributes of an IPS is that it is fail-open. In cases where customers want to use us in more of an IPS-style deployment, Gigamon [and Net Optics] offer customers strong IPS functionality without the fail-close function of a firewall.”
Let us know what you think about the story; email: Shamus McGillicuddy, News Director.