The Network Security Evolution
Over the years, security threats have evolved from being singular attacks to being a complex combination of threats. Their nature has also changed. For example, Distributed Denial of Service (DDoS) attacks are now launched by many thousands of Internet of Things (IoT) devices.
Software-Defined Networks (SDN), cloud infrastructure, Bring Your Own Device (BYOD) options, and IoT devices have resulted in less well-defined network perimeters and less clear network boundaries. More traffic is encrypted, making it difficult for security applications to see threats. Security teams are challenged to detect and protect against multi-faceted threats.
To address this change in landscape, security applications and systems have become more specialized to detect and mitigate new complex threats. Different applications are used together as a combined solution, for layered security protection or defense-in-depth, which can consist of a number of passive and active security applications. Some are deployed at multiple points throughout a network and others deployed at network boundaries.
Typical Deployment Challenges
After selecting the types and combination of security applications and systems needed, and at which places in the network to monitor, the following challenges need to be considered:
- Sufficient visibility into all necessary segments and all traffic, particularly in virtualized and cloud environments
- Effectiveness and performance of security applications due to high traffic volume overload
- Hidden threats in encrypted traffic
- Potential single points of failure for inline security appliances
- Cohesive monitoring across geographically separated locations, as well as cloud or hybrid cloud environments.
- Contention for TAP and SPAN ports by multiple teams
As a result, the effectiveness of security solutions, when used alone for protecting networks, is not sufficient and can adversely affect the networks they are meant to be protecting.
Introducing the Unified Visibility Plane
The proven way to address these challenges is to build a visibility fabric using network packet broker (NPB) devices and virtual agents, in combination with network tapping.
Passive network tapping and active bypass tapping are the best ways to gain access to traffic on physical network segments, without impacting the elements in the network nor the integrity of the. They provide full line-rate and fail-safe access to the traffic, which is far superior to relying on network switch port analyzer (SPAN) ports. A test access port (TAP) can be a separate tapping appliance or be integrated into a proprietary NPB appliance.
For fully virtualized networks, where the traffic between applications does not hit a physical link, a virtual TAP or SPAN solution is required. This may be available by communicating directly with the hypervisor or virtual switch. However, in a public cloud environment, access to the hypervisor or virtual switch is typically not available. Therefore, a virtual tapping function, installed alongside each virtual application on its respective VM instances, is more logical and appropriate. This tapping function can be used to filter traffic and forward it on to a virtual monitoring application or to an application (e.g. packet broker, monitoring probe) outside the virtual server environment.
Within a unified visibility plane, NPBs receive traffic from physical and virtual TAPs, and then forward the traffic on, ensuring the right packets are delivered to security and monitoring tools. These NPBs utilize a number of base level capabilities, such as:
- Tunnel termination to receive traffic, copied from between two virtual applications within a virtual server, from a virtual tapping function
- Selective filtering to separate different traffic flows and/or traffic types to be forwarded to different destinations, such as different security monitoring applications, or even to bypass the monitoring applications
- Tool chaining to forward network traffic to each active inline security application, one after another, from/to a single pair of ports for each network segment
- Tool checking function which sends controlled packets to active inline security applications, along with the network traffic, for ensuring each security application is up and running
- NPB stacking to interconnect physically separated NPB appliances for forwarding traffic between sites (e.g. remote to central “tool farm”)
The Security 2.0 Approach
A newer security approach leverages a unified visibility plane, leveraging newer software-driven, cost-effective Open Compute Project (OCP)-based NPBs to acquire and optimize packets from across an enterprise, virtual or cloud environment. This architecture addresses the challenges highlighted previously.
Visibility across different environments is possible, performance of security appliances can be optimized, and hidden threats may be identified with an SSL appliance in a security chain decrypting traffic before analysis by each application. Redundancy and load balancing can address the single point of failure issue, and cohesive monitoring can be achieved across different environments and geographies. With a unified visibility plane, IT teams can unify security and service assurance monitoring infrastructures across different network environments and monitoring applications.
Unified Network Visibility for Evolving Security Challenges
With the ever-evolving demands on modern networks, security visibility is critical. Evolving your security architecture to meet these needs requires visibility for any environment, whether on-premise, or in the cloud. Creating a unified visibility plane, that serves these needs for network and security teams is possible. A Security 2.0 architecture make ubiquitous network visibility easier with different procurement and deployment options, and reduced upfront investment, facilitating a common unified visibility plane for all network and security monitoring needs across your organization.