Network Forensics
Drivers affecting the growth of Forensics monitoring

Industry regulations as well as internal corporate standards often create a need to scrutinize electronic communications beyond the capabilities of most analyzer and IDS devices. Forensics analysis combines deep packet inspection with continuous, real-time recording of the traffic itself, and that recording is what distinguishes it from other monitoring types.

Nearly every industry is subject to some form of regulation regarding information breaches and accountability: HIPAA tightly regulates the healthcare industry, Gramm-Leach-Bliley (GLB) affects deployments in the financial sector, and Sarbanes-Oxley (SOX) regulates the security and management of financial data at publicly traded companies registered with the US SEC. Other rules apply by region: Basel II, adopted in the European Union through the Capital Requirements Directive, applies to banks and investment firms, and US state breach-notification laws affect every industry operating within those states. The general regulatory climate is that companies are fully responsible for the effect their networks have on the privacy and accessibility of customer, patient, and investor information.

Attacks are becoming more sophisticated and more common, and they can originate inside or outside the organization. Insider attacks can be more costly and destructive because the perpetrator already understands, and has legitimate access to, the network. A study jointly published by the United States Secret Service and Carnegie Mellon University's CERT Coordination Center confirms the prevalence of computer crimes perpetrated by insiders across American organizations. Because the time and location of a breach cannot be predicted, traffic must be captured at all times and, where relevant, recorded to disk for later deep packet analysis.


Technology and Approaches

Network Forensics, and especially 'real-time' Network Forensics (sometimes referred to as proactive forensics), is a relatively new approach to network security. Firewalls and IDS devices cannot always stop malicious traffic, and they pay little attention to extrusion, i.e. sensitive data leaving the network. Forensics tools fill this gap by recording and examining the raw network data to identify how an organization's assets are affected by network exploits, internal data theft, and security policy violations.

Forensics tools should always be fed from network taps placed inline on the monitored link, with the Forensics server attached to the tap's monitor ports, so that no packets are lost. Loss of any traffic can eliminate the potential to detect a threat and impairs forensic compliance* by creating an incomplete record.

* One of the key principles of forensic compliance is that records may not be deleted or altered in any way within a stated retention period. A forensic record must also be complete; otherwise it has little evidential weight.

Forensics appliances have emerged largely because processing power and storage capacity have become cheaper and more plentiful. Processors fast enough to analyze traffic and write it to disk in real time make deep packet analysis and proactive forensics possible. The goal of rapidly detecting and classifying malicious activity, with configurable security alerts, is driving this new approach to network security.


Questions to consider when determining your readiness for Forensics tools

Can you determine whether you are being attacked? If so:
  • Where did the intruder attack you from?
  • How did the intruder circumvent your security?
  • Which system or systems did the intruder compromise?
  • Can you collect sufficient information to analyze and reproduce the attack?
  • Was the data treated as potential evidence from the moment it was created?

Choosing the right solution and deployment architecture

Security engineers responsible for implementing Forensics tools have a lot to consider, namely:

  • Where on my network should the Forensics appliances be installed?
  • Can I monitor multiple networks in remote locations?
  • How do I collect data from multiple networks and forward it to the Forensics server?
  • Can I perform on-demand Forensics investigations without physically moving the Forensics server?
  • How do I manage remote port selection?
  • Can I filter the traffic before I view it with the Forensics tool?
  • How do I implement a distributed Forensics solution?
  • How do I integrate the Forensics tool with the other monitoring servers in my monitoring architecture?

These and many other questions are addressed by the VSS monitoring solutions described in the sections below.


Traditional forensics deployments

Network-based forensics technologies require a complete, real-time view of the network data. Traditionally companies have used span ports, hubs and taps to provide that view. Span ports and hubs are not desirable because of several inherent issues.

The problems with span ports are the following:
  • Packet loss: both directions of a full-duplex link must fit into one mirror port's transmit capacity, so the port is easily oversubscribed, and a busy switch drops mirrored frames rather than production traffic
  • No visibility into layer 1 and 2 errors, because the switch discards frames with CRC and other errors before they can be mirrored
  • Potential point of failure: mirroring consumes switch resources and a switch port
Using hubs is not advisable for the following reasons:
  • False collisions, because a hub forces the link into half-duplex operation
  • Potential point of failure
  • Reduces link bandwidth by half, again because of half-duplex operation
  • No gigabit solutions

Why taps?

The latest forensics technologies rely on the complete data stream to examine packets and recognize unusual data patterns and behavior. Only taps solve all of the above problems. Taps are non-blocking devices that pass the data through at line rate without introducing any network interference. Placing the tap inline ensures 100% packet capture of the full-duplex traffic, which is absolutely crucial for Forensics servers, while providing fail-safe, reliable network connectivity and keeping the monitoring invisible to intruders: the tap has no address on the monitored link, and its monitor ports ordinarily cannot send traffic back onto it (see the whitepaper 'Taps vs. span ports and hubs'). Note that a tap delivers each direction of a full-duplex link as a separate stream, so the Forensics server needs either two capture ports or an aggregation tap whose monitor port has enough capacity for both directions combined.

Why use VSS Taps?

While network taps are available from several sources, VSS monitoring taps provide benefits beyond those inherent in taps from other vendors. They enable cost savings, support a variety of Forensics architectures, and preserve the original packet order of aggregated data, a critical element for any Forensics solution. VSS taps are available with a number of physical interfaces, providing access to both fiber and copper and to all major network topologies (10/100/1000 Ethernet, Fibre Channel, ATM, SONET, etc.), making it simple to set up Forensics monitoring in all kinds of networks. Fail-safe and link-safe features guarantee network uptime; all VSS taps are 'carrier class.'


VSS monitoring's product portfolio includes a number of units that optimize Forensic deployment:

Converter taps are indispensable when network data must be converted from one media type to another in order to deliver it to your Forensics equipment. This all-in-one device is both tap and media converter. Conversion is available from copper to fiber (SX, LX, ZX), fiber to copper, fiber to fiber, fiber to copper/fiber, copper to copper/fiber, etc. VSS conversion units are also available with features such as aggregation, high port density, filtering, remote management and other distributed options.

Regeneration taps allow the network to be monitored with multiple Forensics devices. Sometimes it is useful to have multiple Forensics devices, or additional monitoring devices such as network analyzers, look at the same stream of data. This arrangement is also ideal for evaluating Forensics equipment, since several different devices can look at the same data stream and their results can be correlated. VSS fiber regeneration taps are available with optional proprietary data reclocking.

Aggregation taps enable the monitoring of multiple networks with just one or a few Forensics servers. The aggregation feature combines the traffic from several network ports into a single stream, thereby reducing the port usage on the Forensics device(s). Size the monitor port for the combined load: an aggregated stream that exceeds the monitor port's line rate will drop packets, which is exactly the loss taps are deployed to avoid.

Filter taps allow users to filter monitored traffic by protocol, port, MAC address, and source and destination IP address ranges. These taps allow multiple filters per port and are easily managed, locally or remotely, via Telnet, HTTPS, SNMP and serial port. Two cautions apply: Telnet sends credentials in cleartext, so management access should be confined to a dedicated out-of-band network; and whatever a filter excludes never reaches the Forensics record, so filtering trades completeness for capacity and must be weighed against the forensic compliance requirement described above.
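What a Forensics server receives downstream of a tap, as an added worked example in Python (this is illustration code written for this page, not VSS code or a VSS product feature). A tap on a full-duplex link yields two unidirectional streams; the example merges them in capture-time order as an aggregation tap does, passes them through a filter-tap style rule set (protocol, port, MAC, IP range), and then checks the record for completeness by looking for holes in each TCP flow's sequence numbers. All frames, MAC and IP addresses, ports and timestamps are constructed inline, and the function and class names (build_frame, parse_frame, aggregate, FilterRule, find_sequence_gaps, tap_streams, check_capture) are the example's own. Removing one segment from the client-to-server stream, as a lossy span port might, produces a reported gap; the complete tap output produces none.

```python
"""Added illustration, not VSS code: what a Forensics server sees downstream of
a tap on a full-duplex link, namely two unidirectional streams (A->B and B->A).
It (1) aggregates them in capture-time order, (2) applies filter-tap style
rules, and (3) flags holes in each TCP flow's sequence numbers, i.e. segments
missing from the record. Every frame is constructed below with build_frame()."""
import ipaddress
import struct
from heapq import merge

ETH_P_IP, IPPROTO_TCP = 0x0800, 6

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame. Checksums are left zero: a capture
    records whatever was on the wire and parse_frame() does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETH_P_IP) + ip + tcp + payload

def parse_frame(ts, frame):
    """Decode Ethernet/IPv4/TCP headers into a dict; None for anything else."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP or frame[23] != IPPROTO_TCP:
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length
    total_len = struct.unpack("!H", frame[16:18])[0]  # IPv4 total length
    t = 14 + ihl                                      # TCP header offset
    sport, dport, seq = struct.unpack("!HHI", frame[t:t + 8])
    data_off = (frame[t + 12] >> 4) * 4               # TCP header length
    return {"ts": ts, "dst_mac": frame[:6], "src_mac": frame[6:12],
            "src_ip": ipaddress.IPv4Address(frame[26:30]),
            "dst_ip": ipaddress.IPv4Address(frame[30:34]),
            "proto": IPPROTO_TCP, "sport": sport, "dport": dport,
            "seq": seq, "len": total_len - ihl - data_off}

def aggregate(*streams):
    """Merge the per-direction streams (each already time-ordered) into one
    stream in capture-time order, preserving packet order across directions."""
    return list(merge(*streams, key=lambda p: p["ts"]))

class FilterRule:
    """One filter-tap rule: every field that is set must match (AND); a monitor
    port's rule list passes a packet if any of its rules matches (OR)."""
    def __init__(self, proto=None, port=None, mac=None, src_net=None, dst_net=None):
        self.proto, self.port = proto, port
        self.mac = bytes.fromhex(mac.replace(":", "")) if mac else None
        self.src_net = ipaddress.ip_network(src_net) if src_net else None
        self.dst_net = ipaddress.ip_network(dst_net) if dst_net else None

    def matches(self, p):
        return ((self.proto is None or p["proto"] == self.proto)
                and (self.port is None or self.port in (p["sport"], p["dport"]))
                and (self.mac is None or self.mac in (p["src_mac"], p["dst_mac"]))
                and (self.src_net is None or p["src_ip"] in self.src_net)
                and (self.dst_net is None or p["dst_ip"] in self.dst_net))

def apply_filters(packets, rules):
    """Keep only packets some rule passes. Whatever is dropped here never
    reaches the Forensics record: filtering trades completeness for capacity."""
    return [p for p in packets if any(r.matches(p) for r in rules)]

def find_sequence_gaps(packets):
    """Per TCP flow, flag a segment whose sequence number does not continue from
    the previous one. seq ahead of expected: bytes missing from the record (a
    span port or an oversubscribed monitor link dropped them). seq behind
    expected: a retransmission or reordering, which is not a capture hole."""
    gaps, expected = [], {}
    for p in packets:
        flow = (str(p["src_ip"]), p["sport"], str(p["dst_ip"]), p["dport"])
        if flow in expected and p["seq"] != expected[flow]:
            kind = "missing" if p["seq"] > expected[flow] else "retransmit"
            gaps.append((flow, kind, expected[flow], p["seq"]))
        expected[flow] = (p["seq"] + p["len"]) & 0xFFFFFFFF
    return gaps

# Constructed sample traffic: one HTTPS session, (MAC, IP) for each end.
CLIENT, SERVER = ("00:11:22:33:44:55", "10.0.0.5"), ("66:77:88:99:aa:bb", "10.0.0.9")

def tap_streams():
    """Both directions as the tap delivers them: (A->B stream, B->A stream)."""
    a = [parse_frame(ts, build_frame(CLIENT[0], SERVER[0], CLIENT[1], SERVER[1],
                                     40000, 443, seq, b"x" * 100))
         for ts, seq in ((1.0, 1000), (1.2, 1100), (1.4, 1200))]
    b = [parse_frame(ts, build_frame(SERVER[0], CLIENT[0], SERVER[1], CLIENT[1],
                                     443, 40000, seq, b"y" * 50))
         for ts, seq in ((1.1, 5000), (1.3, 5050))]
    return a, b

def check_capture(a, b):
    """Aggregate, keep port-443 traffic from the monitored subnet, report gaps."""
    stream = apply_filters(aggregate(a, b), [FilterRule(port=443, src_net="10.0.0.0/24")])
    return [p["ts"] for p in stream], find_sequence_gaps(stream)

if __name__ == "__main__":
    a, b = tap_streams()
    print("tap output:", check_capture(a, b))              # complete record: no gaps
    print("span copy: ", check_capture(a[:1] + a[2:], b))  # one A->B segment lost
```

The gap check is deliberately per-flow and direction-aware: a segment whose sequence number is ahead of what the previous segment predicted means bytes the tap should have delivered are absent from the record, while a sequence number behind the prediction is the sender retransmitting and is not evidence of capture loss. Running the same check over a real capture (with a pcap reader in place of the constructed frames) is a cheap way to confirm that a monitoring path is actually delivering the complete stream the forensic-compliance footnote requires.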

Span taps allow the output ports of other taps or span sessions to be consolidated. Consolidating the monitoring outputs from multiple taps enables further centralization and cost savings. Monitoring through span sessions is not desirable for the reasons discussed earlier, but it is still part of many topologies in a number of organizations.


The VSS Distributed Forensics solution

VSS monitoring's distributed taps combine a number of Forensics optimizing features to provide a total protocol or performance analysis solution:
  • Remote Management (Telnet, HTTPS, SNMP)
  • High port density Aggregation
  • Independent port control (allows each Forensics tool to look into user-selected groups of network ports)
  • Port configurations: inline / span; on / off; auto-negotiation, timing, etc.
  • Speed conversion, including gigabit
  • Media conversion and SFP modules
  • Data injection capability (optional)
  • Port filtering (input / output) by protocol, MAC address, IP address ranges, etc.
Distributed tap architectures enable significant cost savings, greater coverage and improved monitoring quality, thereby fully leveraging Forensic infrastructure.

VSS monitoring's product portfolio complements any network architecture and provides a variety of robust solutions and cost-saving opportunities. Features like aggregation and regeneration allow traffic to be consolidated for viewing by just one or a few Forensics servers. Remote management is easy and available via multiple interfaces (HTTPS, Telnet, SNMP), and port selection options allow different port groups to be viewed with separate Forensics devices.

Installation of the VSS Distributed Solution is easy and requires minimal network impact. Network managers can now take full advantage of complete access to all network traffic while saving time and operational costs.

For assistance in selecting the right solution, please contact a VSS pre-sales Engineer.
