Intrusion Detection
Network Security Issues & Challenges
Evolving cyber-security threats in combination with a converging global economy have transformed the role and importance of information security. Cyber crimes continue to rise at an alarming rate. Hackers have become better organized, and malicious intrusions require less skill due to the availability of easy-to-use hacking tools. According to the 2005 CSI/FBI Computer Crime and Security Survey, in 2004, 90 percent of organizations surveyed reported a security incident, and 80 percent of those organizations acknowledged resulting financial losses. A recent Carnegie Mellon study shows that known hacker attacks are up 277 percent in the past two years.
The growing need for IDS
Deploying firewalls and VPNs provides some measure of threat reduction, but they no longer guarantee sufficient security. Attackers often mask traffic to avoid detection by perimeter devices. The growth of wireless devices used in corporate environments demands additional access points, thereby increasing vulnerabilities and overall security risks. The security engineer's task is made more challenging by offshore partnerships, outsourcing and other corporate M&A activity.
And, what is most important: firewalls don't protect you from malicious insider activity. Gartner research indicates that 70 percent of the "cyber" attacks that cost the victim $20,000 or more are caused by insiders. Organizations have to expect attacks from all quarters, both inside and out. Without adequate visibility into the network, the company's operations are at significant risk. If companies tolerate low network security, they face the threat of client lawsuits, stock devaluation and possibly industry-specific fines and sanctions depending on that industry's regulatory requirements.
Deployment challenges facing Security Engineers:
When implementing an IDS system, Security Engineers are concerned with various requirements. Among them:
- Ensuring that all traffic is visible to the IDS in both directions
- Achieving greater visibility into network flow without dropping any packets
- Determining where IDS devices should be placed: perimeter network, core network, or distribution network
- Justifying deployment of distributed IDS
- Creating an effective event correlation system
- Leveraging the IDS installation across multiple physical locations
- Aggregating the IDS traffic
- Having multiple IDS look into one network
- Aggregating the existing span ports
- Getting the ultimate balance between aggregation and tolerable packet loss
- Deciding what networks to monitor through span sessions and what networks to monitor inline
VSS monitoring products provide actionable, comprehensive solutions to these challenges.
Implementing IDS the VSS Way
In a modern corporate environment, an enterprise is dependent upon the network, which constitutes the lifeline of information flow. Since the network touches all aspects of an organization, a properly secured network can become a highly effective tool to combat operational threats and protect vital assets. Through a well-developed security monitoring application, it is possible to convert a network from a vulnerable component of a company's operations into a primary protective security mechanism. VSS monitoring devices have proven that they can optimize IDS deployments (see Case Studies) by simultaneously leveraging fewer IDS servers, providing a better view into the network, and significantly lowering the cost of implementing security architecture.
Traditional IDS installations
IDS devices have traditionally been installed using span ports, hubs and network taps. As data collection tools, both span ports and hubs have proven to be undesirable, primarily due to their lack of traffic visibility, packet loss and other network-specific limitations.
Typical problems with span ports include:
- Packet loss
- Over-subscription
- Least priority routing
- No visibility into layer 1 and 2 errors
- Problems related to configuration & setup
Typical limitations with hubs include:
- Potential point of failure
- Reduced link bandwidth by over 50%
- False collisions
- No gigabit solutions
Why use Network Taps?
Intrusion Detection Systems rely on complete packet visibility to recognize intruder patterns. If packets are dropped from the monitoring stream, the IDS cannot possibly identify would-be intrusions. Network Taps are non-blocking devices which pass through data at line rate without introducing any network interference. Taps provide 100% visibility on all packets to provide a solution that is fail safe, stealthy and supportive of continuous connectivity. Taps support the ease of substituting or replacing IDS equipment, if necessary, without disruption to the network operations - providing a transparent plug-and-play solution. For more information on the differences between taps and traditional tools see our whitepaper on the subject - Taps vs. Span Ports and Hubs.
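One way to check whether a monitoring feed actually delivers the complete, two-directional visibility described above (an added example, not part of the original page or any vendor tool). The record layout, the function name `audit_feed` and the sample addresses are assumptions made for illustration; the feed data is constructed.

```python
from collections import defaultdict

# Constructed sample of a monitor feed: (src, sport, dst, dport, seq, payload_len, ack).
# Assumption: data segments only; SYN/FIN accounting and sequence wraparound are ignored.
SAMPLE_FEED = [
    ("10.0.0.5", 40000, "10.0.1.9", 80, 1000, 100, 5000),
    ("10.0.1.9", 80, "10.0.0.5", 40000, 5000, 500, 1100),
    ("10.0.0.5", 40000, "10.0.1.9", 80, 1100, 0, 5500),
    # the server segment covering 5500..6000 never reached the feed
    ("10.0.1.9", 80, "10.0.0.5", 40000, 6000, 500, 1100),
    ("10.0.0.5", 40000, "10.0.1.9", 80, 1100, 0, 6500),
    # only one direction of this flow is visible to the sensor
    ("10.0.0.7", 40001, "10.0.2.2", 443, 200, 300, 900),
]

def audit_feed(packets):
    """Return (one_way_flows, missing_bytes) for a list of packet records."""
    seen = defaultdict(list)   # direction -> [(start, end)] payload ranges observed
    acked = {}                 # direction -> highest ACK its peer sent for it
    for src, sport, dst, dport, seq, length, ack in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        seen[fwd].append((seq, seq + length))
        acked[rev] = max(acked.get(rev, ack), ack)
    # Flows where the reverse direction was never observed at all.
    one_way = sorted(d for d in seen if (d[2], d[3], d[0], d[1]) not in seen)
    # Bytes the peer acknowledged that the sensor never saw: loss in the feed.
    missing = {}
    for direction, ranges in seen.items():
        limit = acked.get(direction)
        if limit is None:
            continue
        ranges.sort()
        cursor, gap = ranges[0][0], 0   # start counting at the first byte seen
        for start, end in ranges:
            if start >= limit:
                break
            gap += max(0, start - cursor)
            cursor = max(cursor, end)
        gap += max(0, limit - cursor)
        if gap:
            missing[direction] = gap
    return one_way, missing

if __name__ == "__main__":
    print(audit_feed(SAMPLE_FEED))
```

Acknowledged-but-unseen bytes point at loss between the network and the sensor rather than loss on the network itself, because the receiving host confirmed it got the data.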
Why use VSS Taps?
While network taps are available from several sources, VSS monitoring taps provide benefits beyond those inherent to taps from other vendors. They enable cost savings, leverage a variety of IDS architectures and preserve the original packet order of aggregated data - a crucial element for any IDS solution. VSS taps are available with a number of physical interfaces, providing access for both fiber and copper and all major network topologies (10/100/1000 Ethernet, Fibre Channel, ATM, SONET, etc.), making it simple to set up IDS monitoring in all kinds of networks. Fail-safe and link-safe features guarantee network up time - all VSS taps are 'carrier class.'
VSS monitoring's product portfolio includes a number of units that optimize IDS deployment:
Converter taps are indispensable when it comes to aggregating network data from one media type to another in order to deliver it to your IDS equipment.
Regeneration taps allow monitoring of the network with multiple IDSes. Sometimes it is useful to have multiple IDSes or additional monitoring devices such as Network Analyzers look into the same streams of data. This solution is ideal for the evaluation of the IDS devices, allowing multiple different devices to look into the same data stream and correlate the results.
Aggregation taps enable the monitoring of multiple networks with just one or only a few IDS servers. The aggregation feature combines each network port onto a single stream, thereby reducing the port usage on the IDS device(s).
Filter taps allow users to filter monitored traffic by protocol, port, MAC addresses, and source and destination IP address ranges. These taps allow multiple filters per port and are easily manageable (locally or remotely) via telnet, HTTP, SNMP and serial port.
Span taps allow consolidation of the output ports from other taps or span sessions. Consolidating the monitoring outputs from multiple taps enables further centralization and cost savings. Monitoring through span sessions is not desirable for the reasons discussed earlier but it is still a part of many topologies in a number of organizations.
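The trade-off between aggregation and tolerable packet loss raised in the deployment challenges, and the aggregation of several network ports onto one stream described above, can be sized with a small queue model. This is an added example, not vendor code: the slot-based fluid model, the function names and the traffic figures are assumptions, and the traffic is constructed (kbit per 1 ms slot, so a 1 Gbit/s port drains 1000 per slot).

```python
# Constructed traffic for two full-duplex links, one list per tapped direction.
LINK_A = ([200] * 10, [100] * 10)                       # steady link
LINK_B = ([100, 100, 900, 900, 900, 100, 100, 100, 100, 100],
          [50, 50, 700, 700, 700, 50, 50, 50, 50, 50])  # bursty link
LINKS = [LINK_A, LINK_B]

def aggregate(streams, port_kbit_per_slot, buffer_kbit):
    """Simulate one monitor port fed by several tapped directions.

    Returns (offered_kbit, dropped_kbit, peak_queue_kbit)."""
    queue = offered = dropped = peak = 0
    for arrivals in zip(*streams):
        load = sum(arrivals)
        offered += load
        # Traffic arrives, the port drains one slot's worth, the rest queues.
        queue = max(0, queue + load - port_kbit_per_slot)
        if queue > buffer_kbit:
            # Buffer overflow: these bits never reach the IDS.
            dropped += queue - buffer_kbit
            queue = buffer_kbit
        peak = max(peak, queue)
    return offered, dropped, peak

def links_within_tolerance(links, port_kbit_per_slot, buffer_kbit, max_loss):
    """Count how many links (added in order) fit on one monitor port
    before the dropped fraction exceeds max_loss."""
    fitted, streams = 0, []
    for tx, rx in links:
        streams += [tx, rx]
        offered, dropped, _ = aggregate(streams, port_kbit_per_slot, buffer_kbit)
        if offered and dropped / offered > max_loss:
            break
        fitted += 1
    return fitted

if __name__ == "__main__":
    both = [s for link in LINKS for s in link]
    print(aggregate(both, 1000, 500))    # small buffer: bursts overflow
    print(aggregate(both, 1000, 3000))   # larger buffer absorbs the burst
    print(links_within_tolerance(LINKS, 1000, 500, 0.01))
```

In the sample the average offered load (885 kbit per slot) is below the port rate, yet the small buffer still drops about a quarter of the traffic during the burst, which is why average utilization alone is a poor sizing metric for an aggregated IDS feed.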
The VSS Distributed IDS solution
VSS monitoring's distributed taps combine a number of IDS optimizing features to provide a total IDS solution:
- Remote Management (Telnet, HTTPS, SNMP)
- High port density Aggregation
- Independent port control (allows each IDS to look into user-selected groups of network ports)
- Port configurations: inline / span; on / off; auto-negotiation, timing, etc.
- Speed conversion, including gigabit
- Media conversion and SFP modules
- Data injection capability (optional)
- Port filtering (input / output) by protocol, MAC address, IP address ranges, etc.
Distributed tap architectures enable significant cost savings, greater coverage and improved monitoring quality, thereby fully leveraging IDS infrastructure.
VSS monitoring's product portfolio complements any network architecture and provides the opportunity for a variety of robust solutions and cost savings opportunities. Features like aggregation and regeneration allow for the consolidation of traffic for viewing by just one or a few IDS servers. Remote management is easy and available via multiple interfaces (HTTPS, Telnet, SNMP), and port selection options allow viewing into different port groups with separate IDS devices.
Installation of the VSS Distributed Solution is easy and requires minimal network impact. Security Engineers can now take full advantage of complete access to all network traffic while saving time and operational costs.
For assistance in selecting the right solution, please contact a VSS pre-sales Engineer.