Most large organizations rely on network packet brokers (NPBs) to provide visibility to network tools and security systems,
as NPBs enable the pervasive, scalable network access that TAPs alone cannot. If your IT group is tasked with evaluating an
NPB solution for security deployments, you need an assessment framework to ensure both business and technical goals are
achieved.
The following ten criteria represent the key requirements of best practice network visibility deployments. Consider these criteria
to help your organization preserve existing tool investments, reduce the costs of new investments, and ease the scale out of
network infrastructure and security systems.
1. Extend visibility across both physical and virtual infrastructure (in traditional and SDN/NFV environments)
• According to Gartner Research, over 70% of server workloads will be virtualized by 2014 (1), so it is critical for network security architects to gain visibility into traffic between virtual servers, much of which never leaves the hypervisor and therefore never crosses a physical TAP or SPAN port, in order to apply organizational monitoring and security policies to it without disrupting or degrading traffic by deploying agents, taxing the hypervisor, or occupying compute slots.
• The NPB system must also be able to scale packet access and delivery across both physical and logical network boundaries, delivering a fully interconnected mesh architecture over LAN and WAN segments. Such network reach, resilience, and flexibility (not limited to daisy-chain or hub-and-spoke topologies, in which a single failed node or link can blind every tool downstream of it) is what keeps the security tools fed when part of the visibility fabric fails.
2. Deliver network traffic to active/inline tools, passive/out-of-band tools, and direct to network attached storage (NAS)
• Large scale network security deployments are typically designed to inspect data in motion (live traffic) as well as data at rest (newly copied and historical). Each tool type (active and passive) requires distinct capabilities in order to ensure optimization and protection. For instance, an inline system is part of the forwarding path, so it must be continuously monitored to confirm it is still passing traffic in both directions; if it stalls, the NPB has to decide whether to bypass it (fail open) or take the link down (fail closed). The NPB solution should be able to send traffic to both active and passive tools while ensuring 100% network uptime and high-availability monitoring.
• The NPB solution should also be able to deliver network data directly to NAS in an open format (e.g. libpcap). Capturing network traffic in an open format and storing it on a high-end server of your choice enables flexible visibility. Continuous capture for compliance becomes more cost effective, and pcap files stored by policy, or on the event-driven command of the security systems, can be analyzed by one or more tools or by internally developed applications. Such captures contain full payloads, including credentials and other sensitive data, so the capture store needs access controls and retention limits at least as strict as those on the tools that produced it.
3. Address traffic microbursts to ensure continuous capture and prevent tools from dropping packets
• When it comes to security and forensics, most tool vendors recommend copying and forwarding 100% of the network traffic from SPAN ports or passive TAPs so the tools have full visibility at each access point. When copying 100% of SPAN/TAP traffic, or when using NPBs to aggregate multiple networks onto one tool port, there is a risk that the tools will suffer packet loss when the network experiences temporary volume spikes: a link that averages 30% utilization over a second can still run at line rate for a few hundred microseconds, and a tool or SPAN port without enough buffering drops whatever arrives during that burst.
Top Ten Criteria for Evaluating Network Packet Broker Solutions: Security Architect Edition
(1) “Forecast Analysis: Data center, Worldwide, 2010-2016,” Gartner Research, 2012.
• In any network experiencing microbursts, the NPB must be able to accommodate them in two ways:
a) provide buffering to absorb microbursts and prevent packet loss to tools;
b) help avoid major network redesign or additional tool costs by precisely identifying and measuring, over time, where and to what degree microbursts occur. Per-second utilization graphs average bursts away, so the measurement has to work at millisecond or finer resolution.
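Criterion 3 asks for both measurement and buffering, and the two are easy to conflate. The Python below is added here as an illustration and is not code from the VSS paper or from any NPB product: it bins a constructed packet timeline into 1 ms windows to locate a burst that a per-second average hides, then runs the same timeline through a simple fluid model of a tool link with and without a buffer. The timeline, the 1G and 10G tool rates and the 300 KB buffer are assumptions chosen for the demonstration.

```python
"""Locate microbursts in a packet timeline and show what they do to a
tool with and without NPB buffering.

Added example, not code from the paper. The packet timeline is
constructed inline, and the tool line rates and buffer sizes are
assumptions chosen for illustration. Timestamps are integer
microseconds so all arithmetic is exact.
"""
from collections import defaultdict

WINDOW_US = 1_000   # 1 ms bins: fine enough to see a burst that a 1 s graph averages away
GIG = 1_000_000_000


def window_rates(packets, window_us=WINDOW_US):
    """Map window index -> bit rate (bps) observed inside that window."""
    bits = defaultdict(int)
    for ts_us, size in packets:
        bits[ts_us // window_us] += size * 8
    return {w: b * 1_000_000 // window_us for w, b in bits.items()}


def find_microbursts(packets, tool_rate_bps, window_us=WINDOW_US):
    """Windows whose instantaneous rate exceeds the tool's line rate, as (window, bps)."""
    return sorted((w, r) for w, r in window_rates(packets, window_us).items()
                  if r > tool_rate_bps)


def average_rate_bps(packets, period_us):
    """The figure a per-second utilisation graph would report for the period."""
    return sum(size for _, size in packets) * 8 * 1_000_000 // period_us


def simulate_tool(packets, tool_rate_bps, buffer_bytes):
    """Deliver packets to a tool link of tool_rate_bps through a FIFO that may
    hold buffer_bytes ahead of a new arrival; return (delivered, dropped).

    Fluid model: between arrivals the link drains the backlog at line rate,
    and an arrival is dropped when more than buffer_bytes are already waiting.
    buffer_bytes=0 models a SPAN port or tool NIC with no usable queue.
    """
    drain_per_us = tool_rate_bps // 8_000_000   # bytes the link serialises per microsecond
    backlog, last_ts = 0, None
    delivered = dropped = 0
    for ts_us, size in sorted(packets):
        if last_ts is not None:
            backlog = max(0, backlog - drain_per_us * (ts_us - last_ts))
        last_ts = ts_us
        if backlog <= buffer_bytes:
            backlog += size
            delivered += 1
        else:
            dropped += 1
    return delivered, dropped


# Constructed timeline covering 100 ms: a 1000-byte packet every 1 ms (8 Mbps background)
# plus 200 x 1500-byte packets 2 us apart at t = 50 ms (about 6 Gbps for 400 us).
PERIOD_US = 100_000
PACKETS = [(i * 1_000 + 500, 1_000) for i in range(100)] + \
          [(50_000 + 2 * i, 1_500) for i in range(200)]

if __name__ == "__main__":
    print("average over the period: %.0f Mbps" % (average_rate_bps(PACKETS, PERIOD_US) / 1e6))
    for w, r in find_microbursts(PACKETS, GIG):
        print("microburst at t=%d ms: %.2f Gbps inside the window" % (w, r / 1e9))
    for rate, buf in ((GIG, 0), (GIG, 300_000), (10 * GIG, 0)):
        d, x = simulate_tool(PACKETS, rate, buf)
        print("%2dG tool, %6d-byte buffer: delivered=%d dropped=%d" % (rate // GIG, buf, d, x))
```

The three simulation lines make the paper's point concretely: at 32 Mbps average the link looks idle, yet the 1G tool drops 166 of the 200 burst packets with no buffer and none with a 300 KB buffer, while the same burst is harmless to a 10G tool. When a vendor claims buffering, ask for the per-port buffer size in bytes and for burst reporting at millisecond resolution.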
4. Optimize network tools and reduce costs by preprocessing network traffic in hardware
• When delivering network traffic to the tools, the NPB must support both active (inline) and passive aggregation. For active tools, the aggregation function should support the IEEE 802.1Q and 802.1ad (Q-in-Q) tagging standards, as well as MAC learning (2). Tagging lets the NPB mark which monitored link each packet came from before it is aggregated, and MAC learning lets it return an inline tool's output to the correct link; together these extend the reach of the security tools and let them analyze asymmetrically routed traffic, where the two directions of a session traverse different links, in 1G and 10G networks and beyond.
• L2-L4 filtering is an essential NPB feature, but additional L7 filtering can further reduce the traffic a security system has to consume, particularly when different types of applications carry different risks. As an example, the NPB could filter out Netflix and corporate video-on-demand flows before sending multiple gigabits of traffic to an advanced web malware prevention appliance, saving the appliance from processing traffic it has no reason to analyze. Be deliberate about what is excluded: an attacker who can make traffic look like a filtered-out application bypasses the tool, so exclusion rules deserve the same review as any other security control.
• This level of traffic aggregation and filtering helps avoid tool oversubscription (or underutilization), maximizing the effective throughput of each security and monitoring tool. Throughput optimization can substantially reduce both initial capital investment and ongoing operating costs.
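The preprocessing functions named in criteria 2 and 4 (tag handling, L2-L4 filtering, packet slicing and delivery to storage as libpcap) are easier to evaluate once you have seen them done by hand. The Python below is an added example, not code from the paper and not how any vendor's hardware implements them: it strips stacked 802.1ad/802.1Q tags, parses the IPv4 and TCP/UDP headers, applies a dictionary-style filter rule, truncates the payload, and serialises what is left as a libpcap file. The frames, MAC and IP addresses and the `{"proto": 6, "dport": 443}` rule are constructed for the demonstration.

```python
"""Tag stripping, L2-L4 filtering, packet slicing and libpcap output,
done in software to show what an NPB's hardware preprocessing does.

Added example; not code from the VSS paper and not any vendor's
implementation. Frames are constructed inline; addresses are placeholders.
"""
import struct

ETH_P_8021Q, ETH_P_8021AD, ETH_P_IP = 0x8100, 0x88A8, 0x0800
TCP, UDP = 6, 17


def strip_vlan_tags(frame):
    """Remove any depth of stacked 802.1ad/802.1Q tags after the MAC addresses.
    Returns (untagged frame, [VLAN IDs outermost first])."""
    vlans, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] in (ETH_P_8021Q, ETH_P_8021AD):
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vlans.append(tci & 0x0FFF)          # low 12 bits: VID; top 4: PCP/DEI
        off += 4
    return frame[:12] + frame[off:], vlans


def parse_l3_l4(frame):
    """Fields an L2-L4 filter can act on, or None for non-IPv4 frames."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    l4 = 14 + ihl
    f = {"proto": frame[23],
         "src": ".".join(map(str, frame[26:30])),
         "dst": ".".join(map(str, frame[30:34])),
         "payload_offset": l4}
    if f["proto"] in (TCP, UDP):            # both carry the ports in the first 4 bytes
        f["sport"], f["dport"] = struct.unpack_from("!HH", frame, l4)
        f["payload_offset"] = l4 + ((frame[l4 + 12] >> 4) * 4 if f["proto"] == TCP else 8)
    return f


def matches(fields, rule):
    """A rule is a dict of field -> required value, e.g. {"proto": 6, "dport": 443}."""
    return fields is not None and all(fields.get(k) == v for k, v in rule.items())


def slice_packet(frame, fields, payload_bytes):
    """Keep every header plus at most payload_bytes of payload."""
    return frame[:fields["payload_offset"] + payload_bytes]


def pcap_bytes(records):
    """Serialise (ts_us, frame, original_len) records as a libpcap file (LINKTYPE_ETHERNET)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts_us, data, orig_len in records:
        out.append(struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000, len(data), orig_len))
        out.append(data)
    return b"".join(out)


def groom(frames, rule, payload_bytes=0):
    """Strip tags, filter, slice; return (pcap file bytes, number of frames kept)."""
    kept = []
    for ts_us, frame in frames:
        untagged, _vlans = strip_vlan_tags(frame)
        fields = parse_l3_l4(untagged)
        if matches(fields, rule):
            kept.append((ts_us, slice_packet(untagged, fields, payload_bytes), len(untagged)))
    return pcap_bytes(kept), len(kept)


def build_frame(src, dst, proto, sport, dport, payload, vlans=()):
    """Constructed test frame: Ethernet [+ S-tag][+ C-tag] + IPv4 + TCP/UDP + payload.
    Checksums are left zero; nothing here validates them."""
    tags = b"".join(struct.pack("!HH", ETH_P_8021AD if i == 0 and len(vlans) > 1 else ETH_P_8021Q, vid)
                    for i, vid in enumerate(vlans))
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes.fromhex("001122334455" "66778899aabb") + tags + struct.pack("!H", ETH_P_IP) + ip + l4 + payload


# Constructed traffic: a TLS ClientHello over Q-in-Q, a SIP INVITE with one tag, plain HTTP.
FRAMES = [
    (1_700_000_000_000_000, build_frame("10.1.1.5", "93.184.216.34", TCP, 51000, 443,
                                        b"\x16\x03\x01" + b"\x00" * 40, vlans=(100, 20))),
    (1_700_000_000_000_010, build_frame("10.1.1.5", "10.9.9.9", UDP, 5060, 5060,
                                        b"INVITE sip:bob@example.org SIP/2.0\r\n", vlans=(100,))),
    (1_700_000_000_000_020, build_frame("10.1.1.7", "93.184.216.34", TCP, 51001, 80,
                                        b"GET / HTTP/1.1\r\n", vlans=(200, 30))),
]

if __name__ == "__main__":
    pcap, n = groom(FRAMES, {"proto": TCP, "dport": 443}, payload_bytes=0)
    with open("tls_headers_only.pcap", "wb") as fh:   # readable with tcpdump -r or Wireshark
        fh.write(pcap)
    print("kept", n, "of", len(FRAMES), "frames;", len(pcap), "bytes written")
```

The bytes returned by groom() are a complete pcap file; writing them to disk and opening the result with tcpdump -r or Wireshark is the quickest check that the headers survived slicing. The example parses only IPv4 and leaves checksums alone; IPv6 and the GRE/VXLAN de-encapsulation on the summary list extend parse_l3_l4 in the same style.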
5. Maintain service assurance for both security operations and network operations
• Network security operations teams are constantly under pressure to enhance security defenses and forensics capabilities while adhering to Service Level Agreements (SLAs) and meeting growing Governance, Risk and Compliance (GRC) mandates. Teams are often engaged in security system evaluations and proof-of-concept (POC) deployments: pilots of next generation firewall or IPS solutions, or evaluations of best-of-breed advanced malware tools or SSL decryption appliances meant to expose hidden threats. Each POC, along with other ongoing projects and fire drills, involves change management requests and collaboration with the network operations team. The network security design team and the network engineering team each have their own challenges and pressures, particularly around migration and service assurance.
• It is critical that the NPB solution offer failsafe assurance on both the network side and the tool side. For the security team in particular, it must provide active failsafe bypass that behaves as a bump in the wire and propagates link state to both sides, so that the network's own link aggregation and redundancy mechanisms keep working. In other words, if one side of an inline segment goes down, the switch on the other side must see the link drop too and fail traffic over to its backup path (HSRP, active/active failover designs); otherwise that switch keeps forwarding into a black hole. The NPB system must make each POC simpler to bring up and deploy.
• The NPB solution must maintain network service assurance (99.999% uptime) while providing fault tolerance and High Availability (HA) for every active security tool and every passive forensics and monitoring tool. This level of service assurance for both teams lets the entire IT organization rapidly evaluate and deploy best-in-class security solutions without re-instrumenting the network or degrading network services and SLAs.
6. Enhance and expand security service chaining to achieve "defense in depth"
• Service chaining lets security teams scale defense in depth and mitigate evolving advanced targeted attacks, malware and zero-day exploits, but the NPB vendor must have a proven reference architecture for service chaining with both inline and passive security and monitoring tools.
• In addition to active failsafe bypass, the NPB solution needs customizable tool health checks and event triggers that verify both the software stack (for example, a heartbeat packet injected on one side of an inline tool and expected back on the other) and the basic liveness signals (power, link up) of each tool in the service chain. A tool whose link is up but whose inspection engine has hung passes a link check and fails a heartbeat check, which is why both are needed. Health check monitoring gives the flexibility and confidence to add best-in-class inline and passive security tools as needed. Ensure health checks can be performed not just by the NPB device directly attached to each tool but across all NPB devices, so that tool or link failures on local and remote NPB devices are detected before traffic is redirected to them or copies of actionable traffic are sent to them.
(2) MAC learning uses a learning algorithm based on MAC addressing to map traffic from multiple network links to their respective internal aggregated network identifier. Contact VSS for additional detail: http://www.vssmonitoring.com/corporate/info.asp?subject=question&src=10crit
7. Integrate network tools with NPBs to intelligently define capture controls in real time
• Some NPBs promise to improve continuous monitoring initiatives, but most do not use the intelligence of the security systems to set capture parameters in real time. The following features greatly improve the relevance of captured traffic and enable proactive, intelligent monitoring:
  - A RESTful API that can be configured and invoked via XML, so a security tool can add or remove filters without an operator logging into the NPB. Treat that API as a privileged control plane, with authentication, transport encryption and an audit log of every rule change: whoever controls it decides what the security tools see.
  - Triggers for traffic filtering, full or selective packet capture, and/or traffic flow redirection based on known intelligence (e.g. L2-L7 information such as an IP address, MAC address, URL, or a specific hex value at an offset in a header)
  - Targeted, tool-directed capture and store, where a security system initiates a command to the NPBs to send traffic to tools, or pcap files to NAS, for further analysis or troubleshooting
  - A validated reference architecture for integration with security and forensics vendors
8. Optimize and scale bi-directional SSL visibility to monitor encrypted applications (e.g. social media) and protect against hidden malware
• Many security and forensics tools are rapidly losing traffic visibility as cloud-based services and social media applications adopt SSL/TLS to meet privacy requirements. The promised ROI of existing IPS and security gateway solutions, and of new advanced malware prevention tools, diminishes accordingly, along with the ability to defend against advanced targeted attacks that use SSL/TLS channels for spear phishing, command and control communications, and data exfiltration. Relying on each tool's onboard decryption may not be the answer, as the performance cost and functional limitations are high. This assessment is shared by security analysts such as John Pirc and Dave Shackleford (3).
• A proven alternative to onboard tool decryption is an NPB capable of both inline (active) and passive packet delivery and load balancing, working together with dedicated, transparent SSL proxies. This combined solution lets the security tools monitor and protect Gmail, Facebook and other applications that negotiate forward-secret key exchanges such as DHE and ECDHE (DSA, by contrast, is a signature algorithm that authenticates the handshake, not a key exchange). With those key exchanges, holding the server's private key is not enough to decrypt a passively copied stream, because the session key is derived from ephemeral values that never leave the two endpoints; decryption has to happen inline, with the proxy terminating the client's session and opening its own session to the server.
• The need to provide 100% visibility (including inside SSL/TLS tunnels) to your inline IPS solutions is clear, but it may also be advantageous to offer the same SSL-inclusive visibility to passive forensics, monitoring and full packet analytics tools. These tools may not be close to your inline tools, so the NPB solution needs to deliver copies of decrypted traffic reliably and securely (e.g. encapsulated over TCP/IP with AES-128 or stronger encryption) across LAN or WAN boundaries. Decrypted copies are the most sensitive data in the monitoring fabric: a plaintext feed leaving the NPB over an unencrypted tunnel, or landing on a capture store without strict access control, undoes the protection the original TLS session provided.
• Select an NPB vendor that has proven reference designs for joint deployments with transparent SSL proxies.
9. Use Deep Packet Inspection (DPI) to capture flows containing keywords or email targets
• Most NPB vendors offer L2-L4 filtering; however, there are many use cases, such as lawful interception (LI), forensic analysis, and DPI-enabled performance monitoring for video and VoIP analytics, where more advanced filtering is required. Consider NPB systems that can filter on payload content. Look for vendors that offer deep packet filtering, e.g. regular expression (regex) based, so you can perform custom searches that span packet boundaries and identify specific network flows. A keyword split across two TCP segments is invisible to a matcher that inspects each packet in isolation, so ask whether matching is done per packet or over the reassembled stream.
• In some use cases (e.g. LI), specific flows must be identified with a very high level of assurance before they are forwarded to an analytics or forensics tool. In other cases, specific flows must be filtered out of large volumes of traffic before the remainder is forwarded to security tools; this may be required to comply with stringent legislative or risk mandates.
• An NPB capable of deep traffic grooming before data comes to rest (is written to disk) uniquely optimizes the toolsets (including those that rely on DPI) and enables considerable CAPEX and OPEX savings.
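Criterion 9's phrase "across packet boundaries" is the whole difference between a regex that catches a keyword and one that misses it. The Python below is an added example, not code from the paper: it reassembles one direction of a TCP stream by sequence number and searches the contiguous bytes, alongside a naive per-packet matcher run on the same segments. The HTTP request, the `X-Exfil-Token` header and the pattern are constructed for the demonstration and are not a real signature.

```python
"""Regex-based deep packet filtering that matches across TCP segment
boundaries by reassembling the stream before searching.

Added example; not code from the paper. The segments are constructed:
one HTTP request split so the keyword of interest straddles two packets.
The header name and pattern are illustrative assumptions only.
"""
import re

PATTERN = re.compile(rb"X-Exfil-Token:\s*[A-Za-z0-9+/=]{16,}")


def per_packet_hits(segments, pattern=PATTERN):
    """Naive matcher: searches each segment's payload in isolation."""
    return [i for i, (_seq, payload) in enumerate(segments) if pattern.search(payload)]


class StreamMatcher:
    """Reassemble one direction of a TCP stream in sequence order and search
    the contiguous bytes, keeping only a bounded tail in memory."""

    def __init__(self, pattern, isn, lookback=256):
        self.pattern = pattern
        self.next_seq = isn       # next in-order byte expected
        self.pending = {}         # seq -> payload, held until it becomes contiguous
        self.base = isn           # absolute stream offset of buffer[0]
        self.buffer = b""
        self.lookback = lookback  # must exceed the longest match you need to catch
        self.seen = set()
        self.hits = []            # absolute stream offsets where the pattern matched

    def feed(self, seq, payload):
        if seq < self.next_seq:
            # Retransmission or overlap. Dropping it is fine for exact retransmits;
            # a production engine must resolve partial overlaps the way the
            # destination host does, or an attacker can hide data in the overlap.
            return
        self.pending[seq] = payload
        while self.next_seq in self.pending:
            data = self.pending.pop(self.next_seq)
            self.next_seq += len(data)
            self.buffer += data
            self._scan()
            if len(self.buffer) > self.lookback:
                excess = len(self.buffer) - self.lookback
                self.base += excess
                self.buffer = self.buffer[excess:]

    def _scan(self):
        for m in self.pattern.finditer(self.buffer):
            start = self.base + m.start()
            if start not in self.seen:    # the same match is found again after more data arrives
                self.seen.add(start)
                self.hits.append(start)


def stream_hits(segments, isn, pattern=PATTERN):
    """Run all segments (in any order) through a StreamMatcher; return match offsets."""
    matcher = StreamMatcher(pattern, isn)
    for seq, payload in segments:
        matcher.feed(seq, payload)
    return matcher.hits


# Constructed request, split so "X-Exfil-" ends one segment and "Token: ..." starts the next.
MESSAGE = (b"POST /upload HTTP/1.1\r\n"
           b"Host: files.example.net\r\n"
           b"X-Exfil-Token: QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
           b"Content-Length: 5\r\n\r\nhello")
ISN = 1000
_cut = MESSAGE.index(b"Token:")
SEGMENTS = [(ISN, MESSAGE[:_cut]),
            (ISN + _cut, MESSAGE[_cut:_cut + 40]),
            (ISN + _cut + 40, MESSAGE[_cut + 40:])]

if __name__ == "__main__":
    print("per-packet matcher hits :", per_packet_hits(SEGMENTS))
    print("stream matcher hits     :", stream_hits(SEGMENTS, ISN))
    print("same, segments reordered:", stream_hits(list(reversed(SEGMENTS)), ISN))
```

Two caveats the example exposes but does not solve: lookback must be larger than the longest match you need to see, and the early return on seq < next_seq discards overlapping retransmissions, which is the classic TCP evasion against inline matchers. An NPB evaluation should include a test case for each.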
(3) "The Elephant in the Room" by John Pirc. https://www.nsslabs.com/blog/ssl-decryption-elephant-room
"Blind as a Bat" by Dave Shackleford, SANS. http://www.sans.org/reading-room/analysts-program/vss-BlindasaBat?ref=117957
10. Preserve 1G tool investments and maximize ROI on expensive 10G systems
• Although many security tools offer 10G sensors today, they come at a premium and offer limited port density (typically a single pair of ports for inline tools such as an IPS). To operate efficiently and control costs, existing 1G tools must continue to be used and 10G tools must be kept busy. Both goals can be met with preprocessing on the NPB: traffic at 10G, 40G or even 100G can be load balanced across multiple 1G (or 10G) tools, and per-segment traffic can be filtered so that only relevant, "actionable" data reaches each tool, especially the premium ones. Load balancing for security tools has to be flow-aware, with both directions of a session hashed to the same tool, or a stateful IPS sees half of every conversation. Beyond filtering and load balancing, the NPB system should support the full range of speeds and media used in Ethernet networks.
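Criterion 10's load balancing and criterion 6's health checks meet in one place: which tool a given flow lands on, and what happens to it when that tool fails. The Python below is an added example (not the paper's code and not any vendor's algorithm) that hashes a direction-independent 5-tuple with rendezvous hashing across a pool of tools, so both halves of a session go to the same tool and only the failed tool's flows move when the health monitor removes it. The tool names, the client sessions and the choice of BLAKE2b as the hash are assumptions made for the example.

```python
"""Flow-aware load balancing of one high-rate feed across several lower-rate
tools: symmetric hashing so both directions of a session reach the same
tool, and rendezvous hashing so a failed tool's flows move while everyone
else's stay put.

Added example; not code from the paper or any NPB vendor. Tool names and
client sessions are constructed inline.
"""
import hashlib
from collections import Counter


def flow_key(src, dst, proto, sport, dport):
    """Direction-independent 5-tuple. The request (a:sport -> b:dport) and its
    reply (b:dport -> a:sport) produce the same key, so a stateful tool such
    as an IPS sees both halves of a session even when the two directions
    arrive on different links (asymmetric routing)."""
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}"


def _score(key, tool):
    """Per (flow, tool) weight; BLAKE2b is an arbitrary choice of good hash."""
    digest = hashlib.blake2b(f"{key}|{tool}".encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big")


class FlowBalancer:
    """Rendezvous (highest-random-weight) hashing over the healthy tools."""

    def __init__(self, tools):
        self.tools = list(tools)
        self.healthy = set(tools)

    def health_check(self, tool, up):
        """Called by the NPB's tool health monitor; a tool that fails its
        heartbeat leaves the pool without disturbing the others."""
        (self.healthy.add if up else self.healthy.discard)(tool)

    def pick(self, key):
        live = [t for t in self.tools if t in self.healthy]
        if not live:
            # Policy decision, not a hashing one: fail open (bypass) or fail closed.
            raise RuntimeError("no healthy tools")
        return max(live, key=lambda t: _score(key, t))


def assign(balancer, flows):
    """Map every flow key to the tool it lands on."""
    return {k: balancer.pick(k) for k in flows}


def constructed_flows(n=2000):
    """n constructed client sessions from 10.0.0.0/16 to one HTTPS server."""
    return [flow_key(f"10.0.{i // 256}.{i % 256}", "93.184.216.34", 6, 40000 + i, 443)
            for i in range(n)]


if __name__ == "__main__":
    lb = FlowBalancer(["ips-1", "ips-2", "ips-3", "ips-4"])
    flows = constructed_flows()
    before = assign(lb, flows)
    print("share per 1G tool:", dict(Counter(before.values())))
    lb.health_check("ips-2", up=False)
    after = assign(lb, flows)
    moved = sum(1 for k in flows if after[k] != before[k])
    print(f"ips-2 failed its heartbeat: {moved} flows re-steered, "
          f"{len(flows) - moved} untouched")
```

With plain modulo hashing (tool = hash % N) removing one tool reshuffles most flows onto different tools, which resets session state in every IPS in the pool; rendezvous hashing limits the disruption to the flows that had nowhere else to go. The no-healthy-tools branch is deliberately left as a policy question, since fail open and fail closed are both defensible depending on the segment.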
Summary
Using the above criteria to select the right NPB system for your network will let you secure your infrastructure effectively and maintain regulatory compliance while substantially reducing capital and operational expenditures. Confirm that each vendor under consideration can meet every one of these best practice criteria, ideally in a proof of concept on your own traffic rather than on a data sheet.
In sum, any NPB vendor under consideration should at a minimum offer the following capabilities:
• Failsafe capture for both copper and fiber networks
• Visibility into physical and virtual network traffic
• Traffic delivery to active and passive network tools and direct to storage
• Scalable interconnection/stacking between NPBs for high availability monitoring
• Traffic aggregation (active, inline and copied packets)
• Filtering, L2-7
• Flow-based load balancing
• Protocol de-encapsulation
• Tag stripping
• Packet slicing
• In-series chaining for multiple inline security tools
• DPI filtering
• SSL/TLS decryption
• Single pane management for the entire NPB infrastructure
• APIs for tool-driven capture
• Validated integration with SDN controllers
• High densities for datacenter deployments
• Blade/slot-in-chassis and fixed port options
Today, these capabilities are required to roll out large scale security systems, whether those systems include passive tools (IDS, forensics), active tools (IPS), and/or sustained packet capture for compliance.
About VSS Monitoring
VSS Monitoring is the industry leader in network packet brokers (NPB), providing a unique Unified Visibility Plane for network
tools and security systems, enabling network-wide and link-layer visibility. Deployed globally by 80% of the world’s tier 1
service providers, F500 corporations and major government agencies, VSS Monitoring packet brokers improve tool usage
and efficiency, simplify IT operations, and greatly enhance tool ROI.
© Copyright 2003 – 2014 VSS Monitoring Inc. All rights reserved. www.vssmonitoring.com
VSS Monitoring, the VSS Monitoring logo, vBroker Series, Distributed Series, vProtector Series, Finder Series, TAP Series, vMC, vAssure,
LinkSafe, vStack+, vMesh, vSlice, vCapacity, vSpool, vNetConnect and PowerSafe are trademarks of VSS Monitoring, Inc. in the United
States and other countries. Any other trademarks contained herein are the property of their respective owners.
VSS Monitoring is a world leader in network packet brokers (NPB), providing a visionary, unique systems approach to integrating
network switching and the broad ecosystem of network analytics, security, and monitoring tools.
Más contenido relacionado

La actualidad más candente

AKS IT Corporate Presentation
AKS IT Corporate PresentationAKS IT Corporate Presentation
AKS IT Corporate Presentation
aksit_services
 
Passive monitoring to build Situational Awareness
Passive monitoring to build Situational AwarenessPassive monitoring to build Situational Awareness
Passive monitoring to build Situational Awareness
David Sweigert
 
Gartner Magic Quadrant for Secure Email Gateways 2014
Gartner Magic Quadrant for Secure Email Gateways 2014Gartner Magic Quadrant for Secure Email Gateways 2014
Gartner Magic Quadrant for Secure Email Gateways 2014
Michael Bunn
 
4 Sw 2009 Ieee Abstracts Dot Net, Ncct Chennai
4   Sw   2009 Ieee Abstracts   Dot Net, Ncct Chennai4   Sw   2009 Ieee Abstracts   Dot Net, Ncct Chennai
4 Sw 2009 Ieee Abstracts Dot Net, Ncct Chennai
ncct
 

La actualidad más candente (18)

AKS IT Corporate Presentation
AKS IT Corporate PresentationAKS IT Corporate Presentation
AKS IT Corporate Presentation
 
Aksit profile final
Aksit profile finalAksit profile final
Aksit profile final
 
Software defined security-framework_final
Software defined security-framework_finalSoftware defined security-framework_final
Software defined security-framework_final
 
RSA-Pivotal Security Big Data Reference Architecture
RSA-Pivotal Security Big Data Reference ArchitectureRSA-Pivotal Security Big Data Reference Architecture
RSA-Pivotal Security Big Data Reference Architecture
 
Network traffic analysis with cyber security
Network traffic analysis with cyber securityNetwork traffic analysis with cyber security
Network traffic analysis with cyber security
 
Passive monitoring to build Situational Awareness
Passive monitoring to build Situational AwarenessPassive monitoring to build Situational Awareness
Passive monitoring to build Situational Awareness
 
The Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on SecurityThe Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on Security
 
2008-03-06 Harris Corp Security Seminar
2008-03-06 Harris Corp Security Seminar2008-03-06 Harris Corp Security Seminar
2008-03-06 Harris Corp Security Seminar
 
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security
Radware DefenseFlow-The SDN Application That Programs Networks for DoS Security
 
Firewalls in network
Firewalls in networkFirewalls in network
Firewalls in network
 
Gartner Magic Quadrant for Secure Email Gateways 2014
Gartner Magic Quadrant for Secure Email Gateways 2014Gartner Magic Quadrant for Secure Email Gateways 2014
Gartner Magic Quadrant for Secure Email Gateways 2014
 
4 Sw 2009 Ieee Abstracts Dot Net, Ncct Chennai
4   Sw   2009 Ieee Abstracts   Dot Net, Ncct Chennai4   Sw   2009 Ieee Abstracts   Dot Net, Ncct Chennai
4 Sw 2009 Ieee Abstracts Dot Net, Ncct Chennai
 
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
 
PERFORMANCE EVALUATION OF ENHANCEDGREEDY- TWO-PHASE DEPLOYMENT ALGORITHM
PERFORMANCE EVALUATION OF ENHANCEDGREEDY- TWO-PHASE DEPLOYMENT ALGORITHMPERFORMANCE EVALUATION OF ENHANCEDGREEDY- TWO-PHASE DEPLOYMENT ALGORITHM
PERFORMANCE EVALUATION OF ENHANCEDGREEDY- TWO-PHASE DEPLOYMENT ALGORITHM
 
Internet ttraffic monitering anomalous behiviour detection
Internet ttraffic monitering anomalous behiviour detectionInternet ttraffic monitering anomalous behiviour detection
Internet ttraffic monitering anomalous behiviour detection
 
A proposed architecture for network
A proposed architecture for networkA proposed architecture for network
A proposed architecture for network
 
Information Assurance, A DISA CCRI Conceptual Framework
Information Assurance, A DISA CCRI Conceptual FrameworkInformation Assurance, A DISA CCRI Conceptual Framework
Information Assurance, A DISA CCRI Conceptual Framework
 
IRJET- Netreconner: An Innovative Method to Intrusion Detection using Regular...
IRJET- Netreconner: An Innovative Method to Intrusion Detection using Regular...IRJET- Netreconner: An Innovative Method to Intrusion Detection using Regular...
IRJET- Netreconner: An Innovative Method to Intrusion Detection using Regular...
 

Destacado (7)

2013 Subaru XV Crosstrek
2013 Subaru XV Crosstrek2013 Subaru XV Crosstrek
2013 Subaru XV Crosstrek
 
2010 Impreza Massachusetts
2010 Impreza Massachusetts2010 Impreza Massachusetts
2010 Impreza Massachusetts
 
Infographics PlasticsToday
Infographics PlasticsTodayInfographics PlasticsToday
Infographics PlasticsToday
 
2012 Acura TSX Brochure | DCH Acura of Temecula
2012 Acura TSX Brochure | DCH Acura of Temecula2012 Acura TSX Brochure | DCH Acura of Temecula
2012 Acura TSX Brochure | DCH Acura of Temecula
 
2010 Subaru Impreza
2010 Subaru Impreza2010 Subaru Impreza
2010 Subaru Impreza
 
2011 Subaru Impreza WRX Digital Brochure
2011 Subaru Impreza WRX Digital Brochure2011 Subaru Impreza WRX Digital Brochure
2011 Subaru Impreza WRX Digital Brochure
 
Cerritos Acura 2011 Full Line Brochure
Cerritos Acura 2011 Full Line BrochureCerritos Acura 2011 Full Line Brochure
Cerritos Acura 2011 Full Line Brochure
 

Similar a 10 Criteria for Evaluating NPB, Security Architect Edition

Agent based intrusion detection, response and blocking using signature method...
Agent based intrusion detection, response and blocking using signature method...Agent based intrusion detection, response and blocking using signature method...
Agent based intrusion detection, response and blocking using signature method...
Mumbai Academisc
 
Ciss previsionnotes
Ciss previsionnotesCiss previsionnotes
Ciss previsionnotes
madunix
 
Gigamon - Network Visibility Solutions
Gigamon - Network Visibility SolutionsGigamon - Network Visibility Solutions
Gigamon - Network Visibility Solutions
Tom Kopko
 
jn_fs_tech_insider_march_032516
jn_fs_tech_insider_march_032516jn_fs_tech_insider_march_032516
jn_fs_tech_insider_march_032516
Tony Evans
 
Novetta Cyber Analytics Product Brochure Final_Web_4.20.2015
Novetta Cyber Analytics Product Brochure Final_Web_4.20.2015Novetta Cyber Analytics Product Brochure Final_Web_4.20.2015
Novetta Cyber Analytics Product Brochure Final_Web_4.20.2015
Scott Van Valkenburgh
 
Cyber Resiliency 20120420
Cyber Resiliency 20120420Cyber Resiliency 20120420
Cyber Resiliency 20120420
Steve Goeringer
 

Similar a 10 Criteria for Evaluating NPB, Security Architect Edition (20)

Agent based intrusion detection, response and blocking using signature method...
Agent based intrusion detection, response and blocking using signature method...Agent based intrusion detection, response and blocking using signature method...
Agent based intrusion detection, response and blocking using signature method...
 
Ciss previsionnotes
Ciss previsionnotesCiss previsionnotes
Ciss previsionnotes
 
Gigamon - Network Visibility Solutions
Gigamon - Network Visibility SolutionsGigamon - Network Visibility Solutions
Gigamon - Network Visibility Solutions
 
Deploying Network Taps for Improved Security
Deploying Network Taps for Improved SecurityDeploying Network Taps for Improved Security
Deploying Network Taps for Improved Security
 
jn_fs_tech_insider_march_032516
jn_fs_tech_insider_march_032516jn_fs_tech_insider_march_032516
jn_fs_tech_insider_march_032516
 
Novetta Cyber Analytics Product Brochure Final_Web_4.20.2015
Novetta Cyber Analytics Product Brochure Final_Web_4.20.2015Novetta Cyber Analytics Product Brochure Final_Web_4.20.2015
Novetta Cyber Analytics Product Brochure Final_Web_4.20.2015
 
Proposal for System Analysis and Desing
Proposal for System Analysis and DesingProposal for System Analysis and Desing
Proposal for System Analysis and Desing
 
Standards based security for energy utilities
Standards based security for energy utilitiesStandards based security for energy utilities
Standards based security for energy utilities
 
M.Phil Computer Science Network Security Projects
M.Phil Computer Science Network Security ProjectsM.Phil Computer Science Network Security Projects
M.Phil Computer Science Network Security Projects
 
M phil-computer-science-network-security-projects
M phil-computer-science-network-security-projectsM phil-computer-science-network-security-projects
M phil-computer-science-network-security-projects
 
M.E Computer Science Network Security Projects
M.E Computer Science Network Security ProjectsM.E Computer Science Network Security Projects
M.E Computer Science Network Security Projects
 
Performance management strategy
Performance management strategyPerformance management strategy
Performance management strategy
 
Security Delivery Platform: Best practices
Security Delivery Platform: Best practicesSecurity Delivery Platform: Best practices
Security Delivery Platform: Best practices
 
Cisco NGFW AMP
Cisco NGFW AMPCisco NGFW AMP
Cisco NGFW AMP
 
Networking for java and dotnet 2016 - 17
Networking for java and dotnet 2016 - 17Networking for java and dotnet 2016 - 17
Networking for java and dotnet 2016 - 17
 
A Comprehensive Guide to Choosing the Best Network Monitoring Software
A Comprehensive Guide to Choosing the Best Network Monitoring SoftwareA Comprehensive Guide to Choosing the Best Network Monitoring Software
A Comprehensive Guide to Choosing the Best Network Monitoring Software
 
IEEE Projects 2012-2013 Network Security
IEEE Projects 2012-2013 Network SecurityIEEE Projects 2012-2013 Network Security
IEEE Projects 2012-2013 Network Security
 
Cyber Resiliency 20120420
Cyber Resiliency 20120420Cyber Resiliency 20120420
Cyber Resiliency 20120420
 
Juniper competitive cheatsheet
Juniper competitive cheatsheetJuniper competitive cheatsheet
Juniper competitive cheatsheet
 
Effective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaSEffective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaS
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Último (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors

Top Ten Criteria for Evaluating Network Packet Broker Solutions: Security Architect Edition

Most large organizations rely on network packet brokers (NPBs) to provide visibility to network tools and security systems, as NPBs enable the pervasive, scalable network access that TAPs alone cannot. If your IT group is tasked with evaluating an NPB solution for security deployments, you need an assessment framework to ensure both business and technical goals are achieved.

The following ten criteria represent the key requirements of best practice network visibility deployments. Consider these criteria to help your organization preserve existing tool investments, reduce the costs of new investments, and ease the scale-out of network infrastructure and security systems.

1. Extend visibility across both physical and virtual infrastructure (in traditional and SDN/NFV environments)

- According to Gartner Research, over 70% of server workloads will be virtualized by 2014 (1), so it's critical for network security architects to gain visibility into traffic occurring on virtual servers in order to apply organizational monitoring and security policies to it, without disrupting or degrading traffic by deploying agents, taxing the hypervisor, or occupying compute slots.

- The NPB system must also be able to seamlessly scale packet access and delivery across both physical and logical network boundaries, delivering a fully interconnected mesh architecture over LAN and WAN segments. Such levels of network reach, resilience, and flexibility (not limited to daisy chain or hub-and-spoke) will ensure continuous uptime for network security systems.

2. Deliver network traffic to active/inline tools, passive/out-of-band tools, and direct to network attached storage (NAS)

- Large scale network security deployments are typically designed to inspect data in motion (live traffic), as well as data at rest (newly copied and historical). Each tool type (active and passive) requires unique capabilities in order to ensure optimization and protection.
For instance, inline systems need to be continuously monitored to ensure they're capable of remaining a bi-directional link in the monitoring chain. The NPB solution should be able to send traffic to both active and passive tools, while ensuring 100% network uptime and high-availability monitoring.

- The NPB solution should also be able to accommodate delivery of network data directly to NAS in an open format (e.g. libpcap). Capturing network traffic in an open format and storing it on a high-end server of choice enables flexible visibility. Continuous capture for compliance can be made more cost effective, and libpcaps stored based on policy, or at the event-driven command of the security systems, can be analyzed by one or multiple tools or internally developed applications.

3. Address traffic microbursts to ensure continuous capture and prevent tools from dropping packets

- When it comes to security and forensics, most tool vendors recommend copying and forwarding 100% of the network traffic from SPAN ports or passive TAPs to ensure the tools have full visibility at each access point. When copying 100% of SPAN/TAP traffic, or when using NPBs to perform aggregation from multiple networks, there's a risk the tools will suffer packet loss when the network experiences temporary volume spikes.

(1) "Forecast Analysis: Data Center, Worldwide, 2010-2016," Gartner Research, 2012.
- In any network experiencing microbursts, the NPB vendor must be able to accommodate them in the following ways:
  a) Provide buffering to handle microbursts and prevent packet loss to tools.
  b) Help avoid major network redesign or additional tool costs by precisely identifying and measuring, over time, where and to what degree the microbursts are occurring.

4. Optimize network tools and reduce costs by preprocessing network traffic in hardware

- When delivering network traffic to the tools, the NPB vendor must be able to accommodate both active and passive aggregation. In the case of active tools, the aggregation function should support the 802.1q and 802.1ad tagging standards (Q-in-Q), as well as MAC learning (2). These features effectively expand the network range of the security tools and enable them to analyze asymmetrically routed traffic in 1G and 10G networks and beyond.

- Filtering at L2-4 is an essential feature of NPB solutions, but additional L7 filtering can better optimize the network traffic consumed by security systems, particularly when different types of applications carry different risks. As an example, the NPB could filter out all Netflix and corporate VoD traffic before sending multi-gigabit flows to the Advanced Web Malware Prevention Appliance, preventing the appliance from needlessly processing or analyzing that traffic.

- This level of advanced traffic aggregation and filtering will help avoid tool oversubscription (or underutilization), maximizing the effective throughput for each security and monitoring tool. Throughput optimization can drastically reduce both initial capital investment and ongoing operating costs.

5. Maintain service assurance for both security operations and network operations

- Network security operations teams are constantly under pressure to enhance security defenses and forensics capabilities, while adhering to Service Level Agreements (SLAs) and increasing Governance, Risk and Compliance (GRC) mandates.
Teams are often engaged in security system evaluations and proof-of-concept (POC) deployments. These POCs might be pilot deployments of next generation firewall or IPS solutions, or evaluations of best-of-breed advanced malware tools or SSL decryption appliances to help protect against hidden threats. Each POC, along with other ongoing projects and fire drills, involves change management requests and collaboration with the network operations team. The network security design team and the network engineering team each has its own challenges and pressures, particularly around migration and service assurance.

- It's critical that the NPB solution offer failsafe assurance on both the network and the tool side. For the security team in particular, it must provide active, failsafe bypass capability to simulate bump-in-the-wire functionality, replicating the link state on both sides to allow the network's link aggregation and redundancy to work. In other words, it should ensure that both east- and westbound switches see any link failure state and fail traffic over to backup links accordingly (HSRP, active/active failover design). The NPB system must make each of the POCs simpler to bring up and deploy.

- The NPB solution must maintain network service assurance (99.999% uptime) while providing fault tolerance and High Availability (HA) for each active security tool and each passive forensics and monitoring tool. This level of service assurance to both teams will enable the entire IT organization to rapidly evaluate and deploy best-in-class security solutions without the need to re-instrument the network or negatively impact network services and SLAs.
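Criterion 3 above asks the NPB to buffer microbursts and to measure where and to what degree they occur, and criterion 4 warns against oversubscribing a tool. The script below is an added example, not code from VSS or from this paper, and it does not describe any vendor's buffering implementation. It replays a constructed packet trace (10 ms of traffic with a 0.5 ms burst) through a FIFO that drains at a tool's port speed, reports per-window utilization so the burst can be located, and computes the buffer depth that would have prevented every drop. The trace, the 1 ms window, the 10G feed and the 1G tool port are all assumptions chosen for illustration.

```python
"""Microburst measurement and buffer sizing for a packet-broker egress port.

Added example (not VSS code).  Models a 10G tap feed being delivered to a
1G security tool: the average rate fits comfortably, but a sub-millisecond
burst oversubscribes the tool port unless the NPB buffers it.  Every
packet below is constructed, not captured traffic.
"""
from collections import defaultdict

NS_PER_S = 1_000_000_000


def constructed_trace():
    """Constructed trace as (timestamp_ns, size_bytes), sorted by time.

    Background: 1500 B every 60 us for 10 ms  (200 Mb/s average).
    Burst:      1500 B every 1.25 us for 0.5 ms starting at t = 3 ms
                (9.6 Gb/s, i.e. close to 10G line rate).
    """
    pkts = [(k * 60_000, 1500) for k in range(167)]
    pkts += [(3_000_000 + k * 1_250, 1500) for k in range(400)]
    pkts.sort()
    return pkts


def average_bps(pkts, duration_ns):
    """Average bit rate over the whole trace (what a 5-minute graph shows)."""
    return sum(size for _, size in pkts) * 8 * NS_PER_S / duration_ns


def window_utilization(pkts, window_ns, link_bps):
    """Bits seen per window divided by what link_bps can carry in a window.

    A value above 1.0 means that window alone oversubscribes the link, even
    when the average rate looks harmless.  Keyed by window index."""
    bits = defaultdict(int)
    for t, size in pkts:
        bits[t // window_ns] += size * 8
    capacity = link_bps * window_ns / NS_PER_S
    return {w: b / capacity for w, b in sorted(bits.items())}


def fifo_replay(pkts, egress_bps, buffer_bytes=None):
    """Replay packets through a FIFO that drains at egress_bps.

    Returns (peak_backlog_bytes, dropped_packets).  With buffer_bytes=None
    the queue is unbounded, so peak_backlog is the buffer depth that would
    have avoided every drop for this trace.  With a finite buffer, a packet
    that does not fit is dropped (tail drop), as an unbuffered port would.
    """
    backlog = 0.0
    peak = 0.0
    dropped = 0
    last_t = pkts[0][0] if pkts else 0
    for t, size in pkts:
        # drain what the egress port could serialise since the last arrival
        backlog = max(0.0, backlog - egress_bps * (t - last_t) / (8 * NS_PER_S))
        last_t = t
        if buffer_bytes is not None and backlog + size > buffer_bytes:
            dropped += 1
            continue
        backlog += size
        peak = max(peak, backlog)
    return peak, dropped


if __name__ == "__main__":
    trace = constructed_trace()
    print(f"average rate: {average_bps(trace, 10_000_000) / 1e6:.0f} Mb/s")
    for w, u in window_utilization(trace, 1_000_000, 1_000_000_000).items():
        print(f"1 ms window {w}: {u * 100:6.1f}% of a 1G tool port")
    need, _ = fifo_replay(trace, 1_000_000_000)
    print(f"buffer needed for zero loss at 1G: {need / 1024:.0f} KiB")
    _, drops = fifo_replay(trace, 1_000_000_000, buffer_bytes=64 * 1024)
    print(f"packets dropped with a 64 KiB port buffer: {drops}")
```

On this trace the 10 ms average is about 680 Mb/s, well inside a 1G tool port, yet the window containing the burst carries roughly five times what the port can serialise in a millisecond; a port with only 64 KiB of buffering tail-drops most of the burst, while about 540 KiB of NPB buffering absorbs it entirely. The per-window table is the kind of evidence criterion 3(b) asks for before anyone redesigns the network or buys a faster tool.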
6. Enhance and expand security service chaining to achieve "defense in depth"

- Service chaining allows security teams to effectively scale defense depth and proactively mitigate evolving advanced targeted attacks, malware and zero day exploits, but it's imperative that the NPB vendor have a proven reference architecture for service chaining with both inline and passive security and monitoring tools.

- In addition to active failsafe bypass features, the NPB solution needs to perform customizable tool health checks and event triggers to check both the software stack and the heartbeat (power or link-up state) for each tool in the security service chain. Health check monitoring enables the flexibility and confidence needed to add best-in-class inline and passive security tools as needed. Ensure health checks can be performed not just by each tool's own NPB device but across all NPB devices, and that they can monitor tool or link failures on local and remote NPB devices before redirecting traffic or sending copies of actionable traffic to them.

(2) "MAC learning" uses a learning algorithm based on MAC addressing to map traffic from multiple network links to their respective internal aggregated network identifier. Contact VSS for additional detail: http://www.vssmonitoring.com/corporate/info.asp?subject=question&src=10crit
7. Integrate network tools with NPBs to intelligently define capture controls in real time

- Some NPBs promise to improve continuous monitoring initiatives, but most do not leverage the intelligence of the security systems to determine capture parameters in real time. The following features can greatly enhance the relevance of captured traffic to enable proactive and intelligent monitoring:
  - A RESTful API that can be configured and invoked via XML
  - Triggers for traffic filtering, full or selective packet capture, and/or traffic flow redirection based on known intelligence (e.g. L2-L7 information such as IP, MAC, URL, or a specific hex value in the header section)
  - Targeted, tool-directed capture and store, where security systems initiate a command to the NPBs to send traffic to tools, or libpcaps to NAS, for further analysis/troubleshooting
  - Validated reference architecture for integrating with security and forensic vendors

8. Optimize and scale bi-directional SSL visibility to monitor encrypted applications (e.g. social media) and protect against hidden malware

- Many security and forensics tools are rapidly losing traffic visibility due to widespread adoption of cloud based services and social media applications, which use SSL/TLS to meet privacy requirements. The promised ROI from existing IPS and Security Gateway solutions, as well as new Advanced Malware Prevention tools, is simultaneously diminishing, along with the ability to defend against advanced targeted attacks that leverage SSL/TLS channels for spear phishing, command and control communications, and data exfiltration. Relying on onboard tool decryption may not be the answer, as the associated performance costs and overall limitations are high. This assessment is shared by security analysts such as John Pirc and Dave Shackleford (3).
- A proven alternative to onboard tool decryption is the use of NPBs that are capable of both inline active and passive packet delivery and load balancing, in conjunction with dedicated, transparent SSL proxies. This combined solution will enable the security tools to monitor and protect Gmail, Facebook and other social media applications that are using advanced public key encryption and key exchange standards like DHE, ECDHE, and DSA.

- The need to provide 100% network visibility (including inside SSL/TLS tunnels) to your inline IPS solutions is clear, but it may also be advantageous to offer similar (SSL inclusive) visibility to passive forensics, monitoring and full packet analytic tools. These tools may not be in close proximity to your inline tools, so the NPB solution needs to be able to deliver copies of decrypted traffic in a reliable and secure manner (e.g. encapsulated over TCP/IP with support for AES-128 or better) across LAN or WAN network boundaries.

- Select an NPB vendor that has proven reference designs for joint deployments with transparent SSL proxies.

9. Use Deep Packet Inspection (DPI) to capture flows containing keywords or email targets

- Most NPB vendors offer L2-L4 filtering; however, there are many use cases, such as lawful interception (LI), forensic analysis, and DPI-enabled performance monitoring for video and VoIP analytics, where more advanced filtering is required. Consider NPB systems that can filter based on payload content. Look for NPB vendors that offer deep packet filtering, e.g. Regular Expression (RegEx) based, so you gain the flexibility to perform custom searches across packet boundaries and identify specific network flows.

- In some use cases (e.g. LI), specific flows need to be identified with a very high assurance level before they are forwarded to an analytics or forensics tool.
In other cases, specific flows need to be filtered out from large volumes of traffic before the remaining traffic is forwarded to security tools; this may be required to ensure compliance with stringent legislative or risk mandates.

- An NPB capable of deep traffic grooming before data comes to rest (is stored on disk) will uniquely optimize the toolsets (including those leveraging DPI), and enable considerable CAPEX and OPEX savings.

(3) "The Elephant in the Room" by John Pirc, NSS Labs. <https://www.nsslabs.com/blog/ssl-decryption-elephant-room>; "Blind as a Bat" by Dave Shackleford, SANS. <http://www.sans.org/reading-room/analysts-program/vss-BlindasaBat?ref=117957>
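Criterion 9 asks for payload (RegEx) filtering that works across packet boundaries, and criterion 2 asks that selected traffic be delivered to storage in an open format such as libpcap. The script below is an added example, not VSS code and not a description of any vendor's DPI engine. It constructs one client-to-server SMTP-style flow in which an email target ("alice@example.com") is split over two TCP segments that also arrive out of order, with one segment retransmitted; per-packet matching misses the target, stream reassembly finds it, and the matching flow is then written out as a libpcap file (raw IPv4 link type) that any capture tool can open. The message, addresses, ports, sequence numbers and the target pattern are all constructed for the illustration.

```python
"""Payload (L7) filtering across packet boundaries, with the matched flow
written out in libpcap format.

Added example, not VSS code.  A keyword that straddles two TCP segments is
invisible to per-packet matching; reassembling the stream by sequence
number (tolerating reordering and retransmission) recovers it.  The
matched flow is then emitted as a libpcap file.  All segments are
constructed.
"""
import re
import struct
from collections import namedtuple
from ipaddress import IPv4Address

Segment = namedtuple("Segment", "ts_ns src sport dst dport seq payload")

# Constructed client->server SMTP dialogue (what the stream should contain).
MESSAGE = (b"EHLO mail\r\nMAIL FROM:<bob@example.org>\r\n"
           b"RCPT TO:<alice@example.com>\r\nDATA\r\n")

# Constructed filter: any mailbox at example.com (an "email target").
TARGET_RE = re.compile(rb"[\w.+-]+@example\.com")


def constructed_flow():
    """Four segments of MESSAGE; 'alice@example.com' straddles segments 2/3.

    Arrival order is 0, 1, 3, 1 (retransmit), 2: segment 3 overtakes 2."""
    c1 = MESSAGE.index(b"MAIL")
    c2 = MESSAGE.index(b"RCPT")
    c3 = MESSAGE.index(b"alice@") + len(b"alice@")
    bounds = [0, c1, c2, c3, len(MESSAGE)]
    segs = [Segment(0, "10.0.0.5", 40001, "192.0.2.25", 25, 1000 + bounds[i],
                    MESSAGE[bounds[i]:bounds[i + 1]]) for i in range(4)]
    order = [segs[0], segs[1], segs[3], segs[1], segs[2]]
    return [s._replace(ts_ns=1_700_000_000_000_000_000 + n * 200_000)
            for n, s in enumerate(order)]


def per_packet_matches(segments, pattern):
    """What a matcher that only looks inside each packet would find."""
    return [m.group(0) for s in segments for m in pattern.finditer(s.payload)]


def reassemble(segments):
    """Order segments by TCP sequence number and concatenate the payloads,
    trimming retransmitted overlap and stopping at a hole in the stream."""
    data = bytearray()
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:
            break  # missing segment: a real engine would wait or time out
        data += seg.payload[expected - seg.seq:]
        expected = max(expected, seg.seq + len(seg.payload))
    return bytes(data)


def stream_matches(segments, pattern):
    """Matches found after reassembly, i.e. across packet boundaries."""
    return [m.group(0) for m in pattern.finditer(reassemble(segments))]


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def raw_ip_packet(seg):
    """IPv4 + TCP (PSH|ACK) + payload.  TCP checksum is left at 0."""
    tcp = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, 0,
                      5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(seg.payload),
                     0, 0, 64, 6, 0, IPv4Address(seg.src).packed,
                     IPv4Address(seg.dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + tcp + seg.payload


def to_pcap(segments):
    """libpcap file bytes: 24-byte global header, LINKTYPE_RAW (101), then a
    16-byte record header plus packet for each segment in capture order."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)]
    for seg in sorted(segments, key=lambda s: s.ts_ns):
        pkt = raw_ip_packet(seg)
        out.append(struct.pack("<IIII", seg.ts_ns // 10**9,
                               (seg.ts_ns % 10**9) // 1000, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


if __name__ == "__main__":
    flow = constructed_flow()
    print("per-packet:", per_packet_matches(flow, TARGET_RE))
    print("stream    :", stream_matches(flow, TARGET_RE))
    if stream_matches(flow, TARGET_RE):
        with open("matched_flow.pcap", "wb") as fh:
            fh.write(to_pcap(flow))
```

Per-packet matching returns nothing because no single segment contains both the local part and the domain; the reassembled stream yields the target once, and the resulting file can be opened with any libpcap-aware tool. Note that the flow is written in original capture order, with the reordering and the retransmission intact, so a forensics tool sees exactly what crossed the wire.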
10. Preserve 1G tool investments and maximize ROI on expensive 10G systems

- Although many security tools offer 10G sensors today, these tools come at a premium. They also only offer limited port density (typically a pair of ports for inline tools such as IPS). To operate efficiently and to control costs, existing 1G tools must continue to be leveraged, and 10G tools need to be maximized. Both of these goals can be accomplished using preprocessing on NPBs. Traffic operating at 10G, 40G, and even 100G can be intelligently load balanced across multiple 1G (or 10G) tools. Individual segment traffic can also be optimized using filters to ensure only relevant, "actionable" data is sent to each tool, particularly those operating at a premium. In addition to features such as filtering and load balancing, the NPB system should be able to support the full spectrum of speeds and feeds operating in Ethernet networks.

Summary

Using the above criteria to select the right NPB system for your network will enable you to effectively secure your infrastructure and maintain regulatory compliance, while drastically reducing capital and operational expenditures. Be sure to confirm that vendors under consideration can meet each of these best practice criteria.
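Criterion 10 describes load balancing a 10G feed across several 1G tools, and criterion 4 notes that stateful tools must see asymmetrically routed traffic whole. The script below is an added example, not VSS code and not a description of any vendor's hashing; it shows the flow-based part of that load balancing: a hash over the 5-tuple as seen on the wire sends the two directions of a conversation to different tools, which breaks any IPS or IDS that tracks connection state, whereas hashing a direction-independent (canonical) key keeps each flow on one tool. The packets, addresses, ports and the choice of four tools are constructed for the illustration.

```python
"""Flow-aware load balancing of a high-speed feed across several tools.

Added example, not VSS code.  Stateful tools (IPS, IDS) must see both
directions of a TCP/UDP conversation on the same sensor.  Hashing the
5-tuple as seen on the wire splits the two directions across tools;
hashing a canonical, direction-independent key keeps each flow whole.
All packets below are constructed.
"""
import hashlib
from collections import Counter, defaultdict, namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto size")


def canonical_key(p):
    """Direction-independent flow key: the lower endpoint always goes first,
    so request and response packets produce the same key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (p.proto,) + lo + hi


def naive_key(p):
    """5-tuple exactly as seen; the two directions give different keys."""
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def tool_for(key, n_tools):
    """Stable tool index for a key.  SHA-256 rather than Python's hash():
    hash() is randomised per process, so the mapping would change between
    restarts and a tool would lose the flows it was tracking."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_tools


def distribute(packets, n_tools, keyfunc):
    """Return (bytes per tool, {flow: set of tools that saw it})."""
    load = Counter()
    placement = defaultdict(set)
    for p in packets:
        tool = tool_for(keyfunc(p), n_tools)
        load[tool] += p.size
        placement[canonical_key(p)].add(tool)
    return load, placement


def split_flows(placement):
    """Number of conversations whose packets landed on more than one tool."""
    return sum(1 for tools in placement.values() if len(tools) > 1)


def constructed_traffic(n_flows=64):
    """n_flows client->server conversations, each with packets both ways."""
    pkts = []
    for i in range(n_flows):
        client, cport = f"10.1.0.{i}", 40000 + i
        server, sport = f"192.0.2.{i % 8}", 443 if i % 3 else 80
        pkts.append(Packet(client, cport, server, sport, 6, 600))   # request
        pkts.append(Packet(server, sport, client, cport, 6, 1500))  # response
        pkts.append(Packet(server, sport, client, cport, 6, 1500))
    return pkts


if __name__ == "__main__":
    traffic = constructed_traffic()
    for name, keyfunc in (("naive 5-tuple", naive_key), ("canonical", canonical_key)):
        load, placement = distribute(traffic, 4, keyfunc)
        print(f"{name:14s} bytes per tool: {dict(sorted(load.items()))}  "
              f"flows split across tools: {split_flows(placement)}")
```

With the naive key a large share of the 64 conversations are split, so a sensor on any one tool sees requests without their responses; with the canonical key none are split, and the byte load still spreads across the four tools. The same canonical key is what lets traffic arriving on two different links (the asymmetric routing case in criterion 4) be reunited on one tool after aggregation.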
In sum, any considered NPB vendor should at a minimum offer the following capabilities:
- Failsafe capture for both copper and fiber networks
- Visibility into physical and virtual network traffic
- Traffic delivery to active and passive network tools and direct to storage
- Scalable interconnection/stacking between NPBs for high availability monitoring
- Traffic aggregation (active, inline and copied packets)
- Filtering, L2-7
- Flow-based load balancing
- Protocol de-encapsulation
- Tag stripping
- Packet slicing
- In-series chaining for multiple inline security tools
- DPI filtering
- SSL decryption
- Single pane management for the entire NPB infrastructure
- APIs for tool-driven capture
- Validated integration with SDN controllers
- High densities for datacenter deployments
- Blade/slot-in-chassis and fixed port options

Today, these capabilities are required to roll out large scale security systems, whether those systems include passive tools (IDS, forensics), active tools (IPS), and/or sustained packet capture for compliance.

About VSS Monitoring

VSS Monitoring is the industry leader in network packet brokers (NPB), providing a unique Unified Visibility Plane for network tools and security systems, enabling network-wide and link-layer visibility. Deployed globally by 80% of the world's tier 1 service providers, F500 corporations and major government agencies, VSS Monitoring packet brokers improve tool usage and efficiency, simplify IT operations, and greatly enhance tool ROI.

© Copyright 2003 – 2014. VSS Monitoring Inc. All rights reserved. www.vssmonitoring.com
VSS Monitoring, the VSS Monitoring logo, vBroker Series, Distributed Series, vProtector Series, Finder Series, TAP Series, vMC, vAssure, LinkSafe, vStack+, vMesh, vSlice, vCapacity, vSpool, vNetConnect and PowerSafe are trademarks of VSS Monitoring, Inc. in the United States and other countries. Any other trademarks contained herein are the property of their respective owners.
VSS Monitoring is a world leader in network packet brokers (NPB), providing a visionary, unique systems approach to integrating network switching and the broad ecosystem of network analytics, security, and monitoring tools.