The Hidden Foundation of Network Security: Why Precision Time Matters in a Zero Trust World

Zero Trust Architecture has fundamentally changed how organizations think about network security. Identity must be continuously verified. Every access request is interrogated. Trust is earned moment to moment, not granted by default. It’s a powerful model, but it rests on a foundation that many network architects and SOC teams rarely examine closely enough: time. (If you’re looking for a grounding primer on Zero Trust itself, our practical guide to Zero Trust implementation is a good starting point.)

Precise, synchronized, and trustworthy time underpins nearly every security control that Zero Trust depends on. Without it, logs become unreliable, authentication tokens can be manipulated, and anomaly detection loses its ability to reconstruct the sequence of events. In a ZTNA environment, where the accuracy of continuous verification depends on precise event ordering and time-bounded access grants, clock drift is not merely an operational inconvenience, it’s a security gap.

This post explores how Network Time Protocol (NTP), Precision Time Protocol (PTP), and advanced solutions like White Rabbit-based timing systems enable and strengthen network security and Zero Trust implementations, and why investing in a hardened time infrastructure deserves a place on every security architect’s roadmap.

Why Time Is a Security Primitive

Most security practitioners understand that time matters at an abstract level. Logs need timestamps. Certificates have validity windows. Kerberos tokens expire. But the operational reality of just how much security-critical logic depends on synchronized time is often underappreciated until something goes wrong.

Consider what precise, trustworthy time enables across a modern security stack:

  • Log correlation and SIEM accuracy : When endpoints, firewalls, identity platforms, and network devices have misaligned clocks, even small discrepancies (tens of milliseconds to seconds) make it impossible to accurately reconstruct attack timelines. A security incident that spans multiple systems becomes a jigsaw puzzle without a common temporal reference.
  • Certificate and PKI validation : TLS certificates, code signing, and identity certificates all rely on clock accuracy to determine whether a certificate is valid, expired, or revoked. Clock skew can cause valid certificates to appear expired, or, more dangerously, allow expired certificates to be accepted as valid.
  • Authentication token lifetimes : Kerberos, OAuth, JWT, and SAML tokens are all time-bounded. Drift between the issuing authority and the verifying endpoint creates windows of vulnerability. Excessive skew can lock out legitimate users; insufficient skew checking can allow replayed or extended tokens.
  • Behavioral baselines and anomaly detection : Machine learning-driven NDR and SIEM tools build behavioral models based on temporal patterns of activity. Without a consistent time reference, “working hours” anomalies, connection frequency thresholds, and lateral movement detection all become less reliable.
  • Forensic integrity : During incident response, timestamps in logs, packet captures, and audit trails are submitted as evidence. If timestamps across systems cannot be traced to a common, authoritative time source, the forensic value of the data is diminished and potentially challenged.

In a Zero Trust model, where every transaction must be continuously verified and logged for later audit, each of these functions is load-bearing. The accuracy of your time infrastructure directly affects the integrity of your security posture.
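The token-lifetime point above, as an added example that is not part of the original post: a minimal HS256 token issuer and verifier (constructed demo key, hypothetical function names) showing how a verifier whose clock runs slow, or a verifier configured with an over-generous skew allowance, keeps accepting a token that has already expired.

```python
"""Time-bounded token verification with a bounded clock-skew allowance (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed demo key for the example only; not a real secret.
DEMO_KEY = b"constructed-demo-key-not-a-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int, max_skew: int = 30,
                 max_lifetime: int = 3600, key: bytes = DEMO_KEY) -> tuple:
    """Check signature and time claims against the verifier's own clock `now`.

    `max_skew` is the issuer/verifier clock difference we tolerate (seconds).
    Returns (accepted, reason).
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if "exp" not in claims:
        return False, "no exp claim"
    # A token "issued" further in the future than the skew allowance means
    # either our clock is behind or the claim is forged: reject it.
    if claims.get("iat", 0) > now + max_skew:
        return False, "issued in the future"
    if "nbf" in claims and now + max_skew < claims["nbf"]:
        return False, "not yet valid"
    if now - max_skew >= claims["exp"]:
        return False, "expired"
    # Cap total lifetime so an issuer bug or forged exp cannot mint a near-eternal token.
    if claims["exp"] - claims.get("iat", claims["exp"]) > max_lifetime:
        return False, "lifetime exceeds policy"
    return True, "ok"


def demo_skew_effect() -> dict:
    """Same 5-minute token, three verifier clocks: in sync, 6 min slow, and in sync with a 10 min skew allowance."""
    issued = 1_700_000_000                      # constructed issuer timestamp
    tok = issue_token({"sub": "alice", "iat": issued, "exp": issued + 300})
    ten_min_later = issued + 600                # token has been expired for 5 minutes
    return {
        "in_sync": verify_token(tok, now=ten_min_later)[0],
        "clock_6min_slow": verify_token(tok, now=ten_min_later - 360)[0],
        "in_sync_big_leeway": verify_token(tok, now=ten_min_later, max_skew=600)[0],
    }
```

Only the in-sync verifier with a tight allowance rejects the stale token; the slow clock and the wide allowance both extend its usable life, which is exactly the window a stolen token benefits from.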

Understanding the Timing Stack: NTP, PTP, and White Rabbit

Not all time synchronization is created equal. The protocol you use, and how it’s deployed, determines the accuracy, security properties, and attack surface of your time infrastructure. For a deeper technical foundation, our complete guide to network time synchronization covers the full landscape.

Network Time Protocol (NTP)

NTP has been the workhorse of network time synchronization for decades. It provides millisecond-level accuracy across IP networks and is supported by virtually every device on the planet. For many security use cases like log correlation, certificate validation, and authentication token management, NTP is entirely sufficient, provided it’s properly secured.

The challenge is that traditional NTP deployments are often not. NTP was not designed with security in mind. Without NTS (Network Time Security), the modern authenticated extension to NTP, synchronization traffic can be subject to:

  • On-path manipulation: An attacker positioned between a client and an NTP server can alter timestamps in transit, shifting a device’s clock forward or backward.
  • Replay attacks: Recorded NTP responses can be replayed to steer a target’s clock without active interception.
  • Denial of service: Flooding or disrupting NTP servers can cause clients to drift, degrading authentication and log accuracy across the network.

For SOC teams and security architects, the key takeaway is this: if your environment is running unauthenticated, internet-sourced NTP without monitoring, your time infrastructure is an unaudited trust surface. In a Zero Trust context, that’s an inconsistency worth closing. Our cybersecurity checklist for secure timing outlines the core security features every time server deployment should include.

Precision Time Protocol (PTP / IEEE 1588)

Where NTP operates at millisecond precision, PTP (IEEE 1588) achieves sub-microsecond accuracy, and in hardware-assisted deployments, sub-nanosecond performance. PTP uses a combination of timestamping at the hardware level and a master-slave hierarchy (now referred to as grandmaster-boundary clock architecture in IEEE 1588-2019) to distribute highly accurate time across a network.

From a security standpoint, PTP offers meaningful advantages over NTP:

  • Hardware timestamping eliminates software-layer jitter and makes it significantly harder for attackers to introduce timing manipulation without physical access to network infrastructure.
  • Cryptographic authentication options in PTP profiles allow grandmaster clocks and boundary clocks to sign their synchronization messages, verifying source integrity.
  • Tighter accuracy means better event ordering in high-frequency environments, critical for financial-grade logging, high-speed trading, and industrial control systems, but increasingly important for any organization generating high volumes of security telemetry.

For enterprise and government networks running OT/IT converged environments, 5G infrastructure, or latency-sensitive applications, PTP is the appropriate baseline. It is also increasingly specified in regulatory frameworks that require traceable, tamper-evident timekeeping. Telnet’s precision timing solutions span the full range from NTP grandmasters to hardware-assisted PTP deployments.

White Rabbit: Sub-Nanosecond Precision for Critical Infrastructure

Originally developed at CERN for particle accelerator control systems, White Rabbit (WR) is an open-standard extension of PTP that achieves sub-nanosecond accuracy across fibre-optic networks, synchronizing over 1,000 nodes to within less than 1 nanosecond over links up to 10 kilometres in length.

White Rabbit combines Synchronous Ethernet (SyncE) with precise hardware phase measurements and IEEE 1588 PTP messaging to achieve a level of timing precision that has historically been the domain of laboratory and scientific computing environments. That is changing. As critical infrastructure protection, defence networks, and high-assurance environments increasingly demand verifiable, traceable time with sub-nanosecond integrity, White Rabbit is moving from the research world into operational security infrastructure.

For ZTNA deployments in high-security or critical infrastructure contexts such as telecommunications, power grids, defence, or large financial networks, White Rabbit-based timing provides a hardened, verifiable timing root that supports the most demanding requirements for log integrity, event reconstruction, and forensic accuracy. Learn more about White Rabbit solutions available through Telnet Networks.

Precision Time as a Zero Trust Enabler

The connection between precision time and Zero Trust is not theoretical — it’s structural. ZTNA operates on time-bounded tokens, continuous re-authentication, just-in-time access windows, and behavioral anomaly detection that depends on accurate event ordering. Every one of those controls degrades when clocks drift or diverge.

Clock manipulation is also a legitimate attack vector. An adversary who can skew a target device’s clock, even by a few seconds, can extend the validity of stolen tokens, corrupt the ordering of forensic logs, or cause authentication failures that mask lateral movement. In an environment built around “assume breach,” leaving time as an unverified trust input is a design inconsistency.

A well-designed time infrastructure doesn’t replace the other pillars of Zero Trust; it makes each of them more accurate and harder to subvert.

Building a Hardened Time Infrastructure

Implementing precision time as part of a security strategy involves more than pointing devices at a public NTP pool. A hardened time infrastructure for a security-conscious environment typically includes:

  • Authenticated time sources: Deploying NTS-secured NTP or cryptographically authenticated PTP to ensure time signals cannot be forged or manipulated in transit.
  • Redundant, diverse time references: Relying on a single GNSS source creates a single point of failure. Hardware-based grandmaster clocks with multiple reference inputs (GNSS, OCXO holdover, PTP upstream) provide resilience against spoofing, jamming, and outage. Interference Detection and Mitigation (IDM) capabilities add another layer of protection for GNSS-dependent timing infrastructure.
  • Network-internal distribution: Minimizing dependence on external NTP servers by deploying boundary clocks and internal PTP grandmasters reduces exposure to external attack surfaces.
  • Time monitoring and alerting: Just as you monitor network traffic for anomalies, monitoring clock health across critical nodes (detecting drift, jitter, or unexplained offsets) should be part of SOC operations.
  • Traceability to authoritative UTC sources: For regulated environments, demonstrating that timestamps are traceable to UTC through an auditable chain of custody is increasingly a compliance requirement.
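To make the NTP threat list above and the clock-monitoring item concrete, an added example that is not from the original post or any vendor: it parses constructed RFC 5905 server replies, applies the standard client-side checks (origin timestamp must echo what we sent, which is what a replayed reply fails; leap indicator and stratum must be sane), computes offset and delay from the four timestamps, and then flags any source whose offset disagrees with the consensus of the others. Function names, thresholds and the sample exchange are assumptions.

```python
"""NTP reply validation, offset/delay computation and multi-source agreement (added example)."""
import struct
from statistics import median

NTP_EPOCH_OFFSET = 2_208_988_800          # seconds from 1900-01-01 to 1970-01-01
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, ref id,
# then reference/origin/receive/transmit timestamps: 48 bytes in total.
_FMT = "!BBBbIII4Q"
assert struct.calcsize(_FMT) == 48


def to_ntp(unix: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32.32 fixed point since 1900)."""
    return int(round((unix + NTP_EPOCH_OFFSET) * 2**32))


def from_ntp(ts: int) -> float:
    return ts / 2**32 - NTP_EPOCH_OFFSET


def build_server_reply(t1: int, t2: int, t3: int, stratum: int = 2, li: int = 0) -> bytes:
    """Construct a mode-4 (server) reply: origin=T1 (echoed), receive=T2, transmit=T3."""
    first = (li << 6) | (4 << 3) | 4      # LI, version 4, mode 4 = server
    return struct.pack(_FMT, first, stratum, 6, -20, 0, 0, 0, t2, t1, t2, t3)


def evaluate_reply(pkt: bytes, t1_sent: int, t4: int) -> dict:
    """Client-side sanity checks, then offset and round-trip delay in seconds."""
    if len(pkt) != 48:
        return {"ok": False, "reason": "bad length"}
    first, stratum, _poll, _prec, _rd, _rdisp, _refid, _ref, org, rec, xmt = struct.unpack(_FMT, pkt)
    li, mode = first >> 6, first & 7
    if mode != 4:
        return {"ok": False, "reason": "not a server reply"}
    if org != t1_sent:
        # The origin field must echo our own transmit timestamp. A recorded reply
        # from an earlier poll fails here; an on-path rewrite of a live reply does
        # not, which is the gap NTS authentication closes.
        return {"ok": False, "reason": "origin mismatch (replay/bogus)"}
    if li == 3 or stratum == 0 or stratum > 15:
        return {"ok": False, "reason": "server unsynchronized or kiss-o'-death"}
    t1, t2, t3, t4f = (from_ntp(x) for x in (t1_sent, rec, xmt, t4))
    offset = ((t2 - t1) + (t3 - t4f)) / 2     # RFC 5905 clock offset estimate
    delay = (t4f - t1) - (t3 - t2)            # round-trip minus server processing
    if delay < 0:
        return {"ok": False, "reason": "negative delay (inconsistent timestamps)"}
    return {"ok": True, "offset": offset, "delay": delay, "stratum": stratum}


def check_sources(offsets: dict, agree_tol: float = 0.050, alarm: float = 0.100) -> dict:
    """Flag sources that disagree with the consensus; alarm if the consensus itself is large."""
    consensus = median(offsets.values())
    suspect = sorted(name for name, o in offsets.items() if abs(o - consensus) > agree_tol)
    return {"consensus_offset": consensus, "suspect_sources": suspect, "alarm": abs(consensus) > alarm}


def demo() -> dict:
    """Constructed exchange: three consistent sources, one skewed by 5 s, one replayed reply."""
    base = 1_700_000_000.0                    # constructed local clock, Unix seconds
    t1 = to_ntp(base)                         # our transmit timestamp
    t4 = to_ntp(base + 0.020)                 # every reply arrives 20 ms later
    replies = {}
    for name in ("ntp-a", "ntp-b", "ntp-c"):  # servers 5 ms ahead of us, 1 ms processing
        replies[name] = build_server_reply(t1, to_ntp(base + 0.015), to_ntp(base + 0.016))
    replies["ntp-d"] = build_server_reply(t1, to_ntp(base + 5.015), to_ntp(base + 5.016))
    stale_t1 = to_ntp(base - 64)              # recorded reply to a poll sent 64 s ago
    replies["replayed"] = build_server_reply(stale_t1, to_ntp(base - 63.985), to_ntp(base - 63.984))
    offsets, rejected = {}, {}
    for name, pkt in replies.items():
        r = evaluate_reply(pkt, t1, t4)
        if r["ok"]:
            offsets[name] = r["offset"]
        else:
            rejected[name] = r["reason"]
    return {"rejected": rejected, **check_sources(offsets)}
```

The replayed reply never reaches the offset math, and ntp-d is isolated as the odd one out rather than dragging the local clock 5 s off; a single-source client has no such cross-check, which is why the redundancy item above matters as much as authentication.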

Safran’s timing portfolio, including their SecureSync platform and White Rabbit solutions, represents the high-assurance end of this spectrum, delivering GNSS-disciplined, highly redundant grandmaster clocks capable of maintaining sub-microsecond accuracy even during GNSS outage through precision oscillator holdover. Their White Rabbit implementations bring this level of accuracy directly into critical network infrastructure.

Timebeat takes a complementary approach, delivering software-defined PTP synchronization that enables accurate, resilient time distribution across hybrid and cloud-connected environments. Timebeat’s mesh-based PTP architecture removes traditional single points of failure in timing distribution trees, making high-accuracy time achievable in dynamic, distributed environments where hardware-only solutions face constraints.

Together, solutions like these address the full range of enterprise time infrastructure needs — from the hardened core of a critical facility to the distributed edges of a hybrid cloud environment.

Time Security Is Network Security

Time synchronization rarely gets a line item in a security budget, but in a Zero Trust environment, it should. An unauthenticated, unmonitored NTP deployment is an unaudited trust surface, and that’s an inconsistency that Zero Trust was designed to eliminate.

The right answer isn’t always a full PTP overhaul. For many organizations, the first step is simply authenticating existing NTP with NTS, monitoring for clock drift as part of SOC operations, and ensuring time sources are resilient and traceable. From there, the path to hardware-assisted PTP or White Rabbit is well-understood and incremental.

At Telnet Networks, we work with organizations across Canada to assess time infrastructure gaps and align timing solutions with broader network security and Zero Trust strategies. Get in touch to start the conversation.

Ready to assess your time infrastructure’s role in your Zero Trust strategy? Contact the Telnet Networks team to start the conversation.

Everything You Need to Know About Flyaway Kits — And How to Build One for IT and OT Networks

In the world of network performance and cybersecurity, the ability to move fast can make the difference between a quick fix and a costly outage. That’s where flyaway kits come in — compact, portable, and ready-to-deploy network visibility and monitoring systems designed to travel anywhere you need them.

Whether you’re troubleshooting a remote site, validating a new deployment, or investigating an industrial network incident, a flyaway kit gives you everything you need to capture, analyze, and act on network data in the field.

In this guide, we’ll break down what a flyaway kit is, why they’re so valuable, and how to build the right one for enterprise IT visibility and OT/ICS network monitoring.

What Is a Flyaway Kit?

A flyaway kit is a self-contained, portable network monitoring and analysis solution built for rapid deployment in the field. Think of it as a mini NOC in a box — rugged, compact, and designed to help you gain instant visibility into live network traffic anywhere.

Each kit typically includes:

Flyaway kits are common in telecom, defense, utilities, and enterprise IT — anywhere fast, reliable diagnostics are critical.

Why a Flyaway Kit Matters

When a problem happens outside the lab or NOC, every minute counts. A well-built flyaway kit allows engineers to:

  • Diagnose problems faster – No waiting for remote access or site setup.
  • Collect accurate data – Direct packet capture and real-time visibility.
  • Reduce downtime – Identify and isolate performance or security issues on-site.
  • Work anywhere – From a factory floor to a remote substation or a pop-up site.

In short, flyaway kits bring reliable and fast-acting visibility to where the problem is — not the other way around.

Design Priorities: Portability, Reliability, Compatibility

A well-engineered flyaway kit should emphasize:

  • Portability: Compact, lightweight, and quick to deploy — ideally airline carry-on size.
  • Reliability: Proven tools and setups, along with ruggedized hardware and power systems that work in challenging conditions when needed.
  • OT Compatibility: Passive, non-intrusive data access that respects operational safety.
  • Flexibility: Interchangeable SFPs, adapters, and tools to cover multiple network types.
  • Ease of Use: Familiar, pre-configured systems with dashboards ready to run out-of-the-box.

Building a Flyaway Kit for IT / Network Visibility & Packet Capture

If your focus is enterprise, service provider, or data center troubleshooting, your kit should deliver deep packet visibility, high-speed capture, and real-time analytics without compromising portability.

Typical Build

Component, role, and recommended solutions:

  • Network TAPs / Aggregators: Capture traffic safely and non-intrusively. Recommended: Garland Technology copper/fiber portable TAPs, Profitap Booster Aggregator.
  • Capture & Analysis Appliance: Perform packet capture, DPI, and traffic replay. Recommended: Profitap IOTA, Allegro Packets Multimeter 1000/3000 Series.
  • Analysis Software: View, filter, and interpret traffic. Recommended: ProfiShark, Wireshark, Allegro.
  • Timing & Synchronization: Ensure accurate timestamps. Recommended: Safran GPS Sync or integrated modules.
  • Ruggedized Laptop / Mini Server: Portable workstation for analysis. Recommended: Toughbook or field laptop with SSD storage.
  • Transport Case: Protect and organize equipment. Recommended: Pelican 1600/1650 series case.

With this setup, engineers can perform on-site performance analysis, validate QoS, or capture forensic data in minutes — without impacting live services.

Building a Flyaway Kit for OT / ICS Networks

Industrial environments have unique challenges: legacy devices, sensitive protocols, and air-gapped networks that can’t tolerate disruptions.

An OT/ICS flyaway kit focuses on safe, passive monitoring and asset visibility — helping operators and cybersecurity teams understand what’s really happening on the network.

Typical Build

Component, role, and recommended solutions:

  • Industrial TAPs: Passive access to ICS traffic (Modbus, DNP3, PROFINET). Recommended: Garland Technology Industrial TAPs, Profitap Industrial Series.
  • OT Visibility / Security Appliance: Analyze OT protocols, assets, and anomalies. Recommended: Nozomi Guardian, Claroty Edge, or portable Allegro Multimeter for performance-level monitoring.
  • Ruggedized Data Collector: Compact compute device with monitoring software. Recommended: Intel NUC or Advantech ARK with Nozomi or Zeek installed.
  • Time Synchronization: Timestamp event data accurately. Recommended: Safran GPS Sync or integrated modules.
  • Visualization & Reporting: Dashboards for asset inventory and traffic baselines. Recommended: Nozomi Vantage or Claroty xDome.
  • Rugged Field Case: Shockproof, weather-resistant transport. Recommended: Pelican Storm or Nanuk 935 case.

This build allows operators to quickly deploy visibility in industrial or critical infrastructure networks — without interrupting production or compromising safety.

How Flyaway Kits Speed Up Diagnostics

Engineers who rely on flyaway kits report 50–70% faster mean time to resolution (MTTR) on field issues. Why? Because they can capture and analyze traffic instantly, without waiting for remote access, permissions, or central analysis.

A kit can be deployed at a remote branch, in an industrial facility, or during a network migration — and within minutes, provide insight into:

  • Where packets are being dropped
  • Which device is causing latency
  • Whether an issue is network or application-related

In industrial networks, they also help map assets, identify misconfigurations, and detect unauthorized devices — all without downtime.

Bringing It All Together

At Telnet Networks, we help organizations across Canada build customized flyaway kits that meet their exact operational and visibility requirements.
By combining solutions from trusted partners like Profitap, Allegro Packets, Garland Technology, Cubro, and Nozomi Networks, we deliver kits that are:

  • Portable and ruggedized
  • Fully interoperable across IT and OT environments
  • Preconfigured for rapid deployment and analysis

Whether you need a packet capture toolkit for IT troubleshooting or an industrial visibility system for OT security, we can help you design the right flyaway kit — ready to go wherever your network takes you.

Ready to Build Your Own Flyaway Kit?

Contact Telnet Networks to learn more about designing custom, field-ready flyaway kits for your organization.

Load Balancing Your Security Solution for Fun and Profit!

Maximizing the Value and Resiliency of Your Deployed Enterprise Security Solution with Intelligent Load Balancing

Correctly implementing your security solution in the presence of complex, high-volume user traffic has always been a difficult challenge for network architects. The data in transit on your network originates from many places and fluctuates with respect to data rates, complexity, and the occurrence of malicious events. Internal users create vastly different network traffic than external users using your publicly available resources. Synthetic network traffic from bots has exceeded real users as the most prevalent source of network traffic on the internet. How do you maximize your investment in a security solution while gaining the most value from the deployed solution? The answer is intelligent deployment through realistic preparation.

Let’s say that you have more than one point of ingress and egress into your network, and predicting traffic loads is very difficult (since your employees and customers are global). Do you simply throw money at the problem by purchasing multiple instances of expensive network security infrastructure that could sit idle at times and then get saturated during others? A massive influx of user traffic could overwhelm your security solution in one rack, causing security policies to not be enforced, while the solution at the other point of ingress has resources to spare.

High speed inline security devices are not just expensive—the more features you enable on them the less network traffic they can successfully parse. If you start turning on features like sandboxing (which spawns virtual machines to deeply analyze potential new security events) you can really feel the pain.

Using a network packet broker with load balancing capability to combine multiple inline Next Generation Firewalls (NGFWs) into a single logical solution allows you to maximize your security investment. To test the effectiveness of this strategy, we ran 4 scenarios using an advanced-feature packet broker and load testing tools.
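An added example, not from the original post or any packet broker vendor, of the distribution logic an inline load balancer needs for stateful tools like NGFWs: flows are hashed on a direction-independent 5-tuple so both directions of a session reach the same firewall, compared with naive per-packet round robin, which sends the return traffic to the other box and breaks stateful inspection. It generalizes to any number of tool ports; the function names and the constructed traffic population are assumptions.

```python
"""Symmetric flow-hash distribution of packets across inline NGFWs (added example)."""
import hashlib
import random
from collections import Counter


def flow_key(src_ip: str, dst_ip: str, proto: int, src_port: int, dst_port: int) -> bytes:
    """Direction-independent key: client->server and server->client hash identically."""
    lo, hi = sorted(((src_ip, src_port), (dst_ip, dst_port)))
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


def pick_ngfw(key: bytes, n_ngfw: int) -> int:
    """Map a flow key to one of n_ngfw tool ports; same key always yields the same port."""
    digest = hashlib.blake2b(key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_ngfw


def distribute(packets, n_ngfw: int, symmetric: bool = True) -> dict:
    """Assign each packet to an NGFW and count packets that broke flow affinity."""
    first_seen = {}                  # flow key -> NGFW that saw the flow's first packet
    load = Counter()
    asymmetric = 0
    for seq, pkt in enumerate(packets):
        key = flow_key(*pkt)
        idx = pick_ngfw(key, n_ngfw) if symmetric else seq % n_ngfw
        if first_seen.setdefault(key, idx) != idx:
            asymmetric += 1          # this packet landed on a box with no state for its flow
        load[idx] += 1
    return {"per_ngfw": dict(sorted(load.items())), "flows": len(first_seen), "asymmetric": asymmetric}


def demo(n_flows: int = 2000, n_ngfw: int = 2) -> dict:
    """Constructed population: n_flows TCP sessions, one packet in each direction."""
    rng = random.Random(7)           # fixed seed so the result is reproducible
    packets = []
    for _ in range(n_flows):
        client = f"10.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
        server = f"203.0.113.{rng.randint(1, 254)}"          # documentation address range
        sport, dport = rng.randint(1024, 65535), rng.choice([80, 443, 53])
        packets.append((client, server, 6, sport, dport))     # client -> server
        packets.append((server, client, 6, dport, sport))     # server -> client
    return {
        "symmetric": distribute(packets, n_ngfw),
        "round_robin": distribute(packets, n_ngfw, symmetric=False),
    }
```

Both strategies split the packet count evenly; only the symmetric hash keeps every session on one firewall, and the even split it produces is the property Scenario One below relies on.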

TESTING PLATFORM

Using two high-end NGFWs, we enabled nearly every feature (including scanning traffic for attacks, identifying user applications, and classifying network security risk based on the geolocation of the client) and load balanced the two devices using an advanced-feature packet broker. Then, using our load testing tools, we created all of my real users and a deluge of different attack scenarios. Below are the results of the 4 testing scenarios.

Scenario One: Traffic Spikes

Your 10GbE NGFW will experience inconsistent amounts of network traffic. It is crucial to be able to effectively enforce security policies during such events. In the first test I created a baseline of 8Gbps of real user traffic, then introduced a large influx of traffic that pushed the overall volume to 14Gbps. The packet broker load balancer ensured that the traffic was split between the two NGFWs evenly, and all of my security policies were enforced.


Figure 1: Network traffic spike

Scenario Two: Endurance Testing

Handling an isolated event is interesting, but maintaining security effectiveness over long periods of time is crucial for a deployed security solution. In the next scenario, I ran all of the applications I anticipated on my network at 11Gbps for 60 hours. The packet broker gave each of my NGFWs just over 5Gbps of traffic, allowing all of my policies to be enforced. Of the 625 million application transactions attempted throughout the duration of the test, users enjoyed a 99.979% success rate.


Figure 2: Applications executed during 60 hour endurance test

Scenario Three: Attack Traffic

Where the rubber meets the road for a security solution is during an attack. Security solutions are insurance policies against network failure, data exfiltration, misuse of your resources, and loss of reputation. I created a 10Gbps baseline of the user traffic (described in Figure 2) and added a curveball by launching 7261 remote exploits from one zone to another. Had these events not been load balanced with the packet broker, a single NGFW might have experienced the entire brunt of this attack. The NGFW could have been overwhelmed and failed to enforce policies. The NGFW might have been under such duress mitigating the attacks that legitimate users would have been collateral damage of the NGFW attempting to enforce policies. The deployed solution performed excellently, mitigating all but 152 of my attacks.

Concerning the missed 152 attacks: the load testing tool library contains a comprehensive amount of undisclosed exploits. That being said, as with the 99.979% application success rate experienced during the endurance test, nothing is infallible. If my test worked with 100% success, I wouldn’t believe it and neither should you.


Figure 3: Attack success rate

Scenario Four: The Kitchen Sink

Life would indeed be rosy if the totality of a content-aware security solution was simply making decisions between legitimate users and known exploits. For my final test I added another wrinkle. The solution also had to deal with a large volume of fuzzing on top of my existing deluge of real users and attacks. Fuzzing is the concept of sending intentionally flawed network traffic through a device or at an endpoint with the hope of uncovering a bug that could lead to a successful exploitation. Fuzzed traffic can range from incorrectly advertised packet lengths to erroneously crafted application transactions. My test included those two scenarios and everything in between. The goal of this test was stability. I achieved this by mixing 400Mbps of pure chaos from the load testing tool’s fuzzing engine with Scenario Three’s 10Gbps of real user traffic and exploits. I wanted to make certain that my load-balanced pair of NGFWs was not going to topple over when the unexpected took place.

The results were also exceptionally good. Of the 804 million application transactions my users attempted, I only had 4.5 million go awry—leaving me with a 99.436% success rate. This extra measure of maliciousness only changed the user experience by increasing the failures by about ½ of a percent. Nothing crashed and burned.


Figure 4: Application Success rates during the “Kitchen Sink” test

Conclusion

All four of the above scenarios illustrate how you can enhance the effectiveness of a security solution while maximizing your budget. However, we are only scratching the surface. What if you needed your security solution to be deployed in a High Availability environment? What if the traffic your network services expands? Setting up the packet broker to operate in HA, or adding additional inline security solutions to be load balanced, is probably the most effective and affordable way of addressing these issues.

Let us know if you are interested in seeing a live demonstration of a packet broker load balancing attacks from a security testing tool over multiple inline security solutions. We would be happy to show you how it is done.

Additional Resources:

Network Packet Brokers

CyPerf

Year-End Network Monitoring Assessment

Planning for the Future

As we approach the New Year, many organizations’ data centers and network configurations are in lockdown mode. Whether this is due to assuming a defensive posture against the onslaught of holiday ecommerce traffic, or an accommodation to vacationing staff, the situation provides network managers an opportunity to perform a year-end network monitoring assessment.

Establish Future Goals, Identify Current Weaknesses and Make Sure Core Tasks and Goals Are Achieved

Q. How many locations will you need to monitor in the New Year?

If there are new server clusters or even new data centers in the works, be sure to plan accordingly, and ensure that your network monitoring tools will have visibility into those areas. Network Taps can be used to incorporate more points of visibility for your existing monitoring tools within your growing network. Advanced appliances such as Network Packet Brokers (NPBs) can perform more sophisticated switching and filtering to optimize visibility within that network sprawl.

Q. What traffic will you be responsible for monitoring?

If you are providing network support, you need to understand immediately the nature, volume and security of the traffic flowing over your network. Is your organization planning to implement new applications or services on the network? Even the introduction or expansion of virtualization will require a monitoring plan that incorporates Virtual Taps. Additionally using advanced features on a packet broker like load balancing can extend the useful life of existing tools by sharing current traffic across a pool of devices.

Q. What new threats will the network face, and what preventative measures will you add?

The growing phenomena of advanced persistent threats (APTs) and directed attacks against network vulnerabilities demand a stronger response from security personnel. Up to 75 percent of devices within an organization’s network can contain a known security vulnerability. Many organizations deploy a defense-in-depth strategy with overlapping security tools to provide more robust security coverage. Be sure to schedule software updates for all of your network security tools, and make sure those security tools have total visibility of the traffic they are monitoring.

Q. What is your replacement plan for older equipment?

Take inventory of network equipment that has reached end-of-life, end-of-sale or end-of-support. Budgeting and planning ahead for the obsolescence or re-tasking of these devices should be included in your plan for the coming year.

Q. What are your redundancy and failover plans?

One option for extending the useful life of your legacy monitoring tools is to utilize them as redundant tools in case of failover. Utilizing a bypass switch or high-availability modes in NPBs can make use of these tools in the event a primary device is put in maintenance mode, taken offline, or experiences a hardware failure. Consider assessing your older equipment on the basis of discarding the equipment entirely OR re-purposing it as a hot-standby.

Q. Have you included hardware/software maintenance in your annual budget?

Most hardware vendors offer annual maintenance and service plans for their devices. Renewing and maintaining these plans is critical to ensuring that you have access to the latest software updates. Additionally, should any of your devices experience hardware failure, advance replacement plans can get replacement equipment into your network as soon as possible.

ThreatARMOR Reduces Your Network’s Attack Surface

2014 saw the creation of more than 317 million new pieces of malware. That means an average of nearly one million new threats were released each day.

Here at Ixia we’ve been collecting and organizing threat intelligence data for years to help test the industry’s top network security products. Our Application and Threat Intelligence (ATI) research center maintains one of the most comprehensive lists of malware, botnets, and network incursions for exactly this purpose. We’ve had many requests to leverage that data in support of enterprise security, and this week you are seeing the first product that uses ATI to boost the performance of existing security systems. Ixia’s ThreatARMOR continuously taps into the ATI research center’s list of bad IP sources around the world and blocks them.

Ixia’s ThreatARMOR represents another innovation and an extension of the company’s Visibility Architecture, reducing the ever-increasing size of an organization’s network attack surface.

A network attack surface is the sum of every access avenue an individual can use to gain access to an enterprise network. The expanding enterprise security perimeter must address new classes of attack, advancing breeds of hackers, and an evolving regulatory landscape.

“What’s killing security is not technology, it’s operations,” stated Jon Oltsik, ESG senior principal analyst and the founder of the firm’s cybersecurity service. “Companies are looking for ways to reduce their overall operations requirements and need easy to use, high performance solutions, like ThreatARMOR, to help them do that.”

Spending on IT security is poised to grow tenfold in ten years. Enterprise security tools inspect all traffic, including traffic that shouldn’t be on the network in the first place: traffic from known malicious IPs, hijacked IPs, and unassigned or unused IP space/addresses. These devices, while needed, create more work than a security team could possibly handle. False positives consume an inordinate amount of time and resources: enterprises spend approximately 21,000 hours per year on average dealing with false positive cyber security alerts, per a Ponemon Institute report published January 2015. You need to reduce the attack surface in order to focus only on the traffic that needs to be inspected.

“ThreatARMOR delivers a new level of visibility and security by blocking unwanted traffic before many of these unnecessary security events are ever generated. And its protection is always up to date thanks to our Application and Threat Intelligence (ATI) program,” said Dennis Cox, Chief Product Officer at Ixia.

“The ATI program develops the threat intelligence for ThreatARMOR and a detailed ‘Rap Sheet’ that provides proof of malicious activity for all blocked IP addresses, supported with on-screen evidence of the activity such as malware distribution or phishing, including date of the most recent confirmation and screen shots.”

ThreatARMOR: your new front line of defense!

Additional Resources:

ThreatARMOR

Thanks to Ixia for the article.

The Network Design and Equipment Deployment Lifecycle

As we all know, technology has a life cycle of birth, early adoption, mainstream, and then obsolescence. Even the average consumer is very in touch with this lifecycle. However, within this overarching lifecycle there are “mini” lifecycles. One of these mini lifecycles that is particularly important to enterprises is the network design and equipment deployment lifecycle. This lifecycle is the basic roadmap of how equipment gets deployed within a company data network and a key topic of concern for IT personnel. While it’s its own lifecycle, it also aligns with the typical ITIL services of event management, incident management, IT operations management, and continual service improvement.

There are 5 primary stages to the network design and equipment deployment lifecycle: pre-deployment, installation and commissioning, assurance monitoring, troubleshooting, and decommissioning. I’ll disregard the decommissioning phase in this discussion as removing equipment is fairly straightforward. The other four phases are more interesting for the IT department.

The adjacent diagram shows a map of the four fundamental components within this lifecycle. The pre-deployment phase is typically concerned with lab verification of the equipment and/or point solution. During this phase, IT spends time and effort to ensure that the equipment/solution they are receiving will actually resolve the intended pain point.

During the installation and commissioning phase, the new equipment is installed, turned on, configured, connected to the network and validated to ensure that the equipment is functioning correctly. This is typically the least costly phase in which to find set-up problems. If those initial set-up problems are not caught and eliminated here, it is much harder and more costly to isolate them in the troubleshooting phase.

The assurance monitoring stage is the ongoing maintenance and administration phase. Equipment is monitored on an as-needed or routine basis (depending upon component criticality) to make sure that it’s functioning correctly. Just because alarms have not been triggered doesn’t mean the equipment is functioning optimally. Changes may have occurred in other equipment or the network that are propagating into other equipment downstream and causing problems. The assurance monitoring stage is often linked with proactive trend analysis, service level agreement validation, and quality of service inspections.

Troubleshooting is obviously the reactionary portion of the lifecycle devoted to fixing equipment and network problems so that the network can return to an optimized, steady state condition. Most IT personnel are extremely familiar with this stage as they battle equipment failures, security threats and network outages due to equipment problems and network programming changes.

Ixia understands this lifecycle well and it’s one of the reasons that it acquired Breaking Point and Anue Systems during 2012. We have capabilities to help the IT department in all four aspects of the network design and equipment deployment lifecycle. These tools and services are focused on directly improving key metrics for IT:

  • Decrease time-to-market for solutions to satisfy internal projects
  • Decrease mean-time-to-repair metrics
  • Decrease downtime metrics
  • Decrease security breach risks
  • Increase business competitiveness

The exact solution to achieve customer-desired results varies. Some simple examples include the following:

  • Using the NTO monitoring switch to give your monitoring tools the right information to gain the network visibility you need
  • Using the NTO simulator to test filtering and other changes before you deploy them on your network
  • Deploying the Ixia Storm product to assess your network security and also to simulate threats so that you can observe how your network will respond to security threats
  • Deploying various Ixia network testing tools (IxChariot, IxNetwork) to characterize the new equipment and network during the pre-deployment phase

Additional Resources:

Ixia Solutions

Network Monitoring


Thanks to Ixia for the article.

The State of Enterprise Security Resilience – An Ixia Research Report

Ixia, an international leader in application performance and security resilience technology, conducted a survey to better understand how network security resilience solutions and techniques are used within the modern enterprise. While information exists on security products and threats, very little is available on how it is actually being used and the techniques and technology to ensure that security is completely integrated into the corporate network structure. This report presents the research we uncovered.

During this survey, there were three areas of emphasis exploring security and visibility architectures. One portion of the survey focused on understanding the product types and use. The second area of emphasis was on understanding the processes in use. The final area of emphasis was on understanding the people components of typical architectures.

This report features several key findings that include the following:

  • Many enterprises and carriers are still highly vulnerable to the effects of a security breach. This is due to concerns with lack of following best practices, process issues, lack of awareness, and lack of proper technology.
  • Lack of knowledge, not cost, is the primary barrier to security improvements. However, typical annual spend on network security is less than $100K worldwide.
  • Security resilience approaches are growing in worldwide adoption. A primary contributor is the merge of visibility and security architectures. Additional data shows that life-cycle security methodologies and security resilience testing are also positive contributors.
  • The top two main security concerns for IT are data loss and malware attacks.

These four key findings confirm that while there are still clear dangers to network security in the enterprise, there is some hope for improvement. The severity of the risk has not gone away, but it appears that some are managing it with the right combination of investment in technology, training, and processes.

To read more, download the report here.

The State of Enterprise Security Resilience

Thanks to Ixia for the article.

The Importance of State

Ixia recently added passive SSL decryption to the ATI Processor (ATIP). ATIP is an optional module in several of our Net Tool Optimizer (NTO) packet brokers that delivers application-level insight into your network with details such as application ID, user location, and handset and browser type. ATIP gives you this information via an intuitive real-time dashboard, filtered application forwarding, and rich NetFlow/IPFIX.

Adding SSL decryption to ATIP was a logical enhancement, given the increasing use of SSL for both enterprise applications and malware transfer – both things that you need to see in order to monitor and understand what’s going on. For security, especially, it made a lot of sense for us to decrypt traffic so that a security tool can focus on what it does best (such as malware detection).

When we were starting our work on this feature, we looked around at existing solutions in the market to understand how we could deliver something better. After working with both customers and our security partners, we realized we could offer added value by making our decrypted output easier to use.

Many of our security partners can either deploy their systems inline (traffic must pass through the security device, which can selectively drop packets) or out-of-band (the security device monitors a copy of the traffic and sends alerts on suspicious traffic). Their flexible ability to deploy in either topology means they’re built to handle fully stateful TCP connections, with full TCP handshake, sequence numbers, and checksums. In fact, many will flag an error if they see something that looks wrong. It turns out that many passive SSL solutions out there produce output that isn’t fully stateful and can flag errors or require disabling of certain checks.

What exactly does this mean? Well, a secure web connection starts with a 3-way TCP handshake (see this Wikipedia article for more details), typically on port 443, and both sides choose a random starting sequence (SEQ) number. This is followed by an additional TLS handshake that kicks off encryption for the application, exchanging encryption parameters. After the encryption is nailed up, the actual application starts and the client and server exchange application data.

When decrypting and forwarding the connection, some of the information from the original encrypted connection either doesn’t make sense or must be modified. Some information, of course, must be retained. For example, if the security device is expecting a full TCP connection, then it expects a full TCP handshake at the beginning of the connection – otherwise packets are just appearing out of nowhere, which is typically seen as a bad thing by security devices.

Next, in the original encrypted connection, there’s a TLS handshake that won’t make any sense at all if you’re reading a cleartext connection (note that ATIP does forward metadata about the original encryption, such as key length and cipher, in its NetFlow/IPFIX reporting). So when you forward the cleartext stream, the TLS handshake should be omitted. However, if you simply drop the TLS handshake packets from the stream, then the SEQ numbers (which keep count of transmitted packets from each side) must be adjusted to compensate for their omission. And every TCP packet includes a checksum that must also be recalculated around the new decrypted packet contents.

If you open up the decrypted output from ATIP, you can see all of this adjustment has taken place. Here’s a PCAP of an encrypted Netflix connection that has been decrypted by ATIP:

The Importance of State

You’ll see there are no out-of-sequence packets, and no indication of any dropped packets (from the TLS handshake) or invalid checksums. Also note that even though the encrypted connection was on port 443, this flow analysis shows a connection on port 80. Why? Because many analysis tools will expect encrypted traffic on port 443 and cleartext traffic on port 80. To make interoperability with these tools easier, ATIP lets you remap the cleartext output to the port of your choice (and a different output port for every encrypted input port). You might also note that Wireshark shows SEQ=0. That’s not the actual sequence number; Wireshark just displays a 0 for the first packet of any connection so you can use the displayed SEQ number to count packets.
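As an added example (not ATIP code and not from the original post), the rewrite described above in simplified form: TLS handshake segments are dropped, each record’s ciphertext is swapped for its plaintext, SEQ/ACK numbers are shifted by the bytes that vanished from each direction, port 443 is remapped to 80, and every checksum is recomputed. The packet model, the addresses, the stand-in record format (5-byte header, plaintext, 16-byte tag) and the capture are all constructed here; the checker at the end applies the continuity test a stateful inspection device would.

```python
import struct
from dataclasses import dataclass
@dataclass
class Pkt:  # constructed, simplified TCP segment: only the fields the cleartext rewrite touches
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int  # 0x02 SYN, 0x10 ACK, 0x18 PSH|ACK
    payload: bytes = b""
    tls_handshake: bool = False  # ClientHello, ServerHello, ...: omitted from the cleartext stream
    checksum: int = 0

def tcp_checksum(p):
    # RFC 793 checksum over the IPv4 pseudo-header, a 20-byte TCP header and the payload
    seg = struct.pack("!HHIIBBHHH", p.sport, p.dport, p.seq, p.ack, 0x50, p.flags, 65535, 0, 0) + p.payload
    data = bytes(map(int, (p.src + "." + p.dst).split("."))) + struct.pack("!BBH", 0, 6, len(seg)) + seg
    data += b"\x00" * (len(data) % 2)  # pad to 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def forward_cleartext(packets, decrypt=lambda record: record[5:-16], clear_port=80):
    # Drop handshake segments, swap ciphertext for plaintext, shift SEQ/ACK by the bytes that
    # vanished from each direction, remap port 443 and recompute every checksum. The default
    # decrypt is a stand-in record layer (assumption): 5-byte header, plaintext, 16-byte tag.
    removed, out = {}, []  # removed: bytes no longer in each direction's stream, keyed by (src, dst)
    for p in packets:
        fwd, rev = (p.src, p.dst), (p.dst, p.src)
        removed.setdefault(fwd, 0); removed.setdefault(rev, 0)
        if p.tls_handshake:
            removed[fwd] += len(p.payload)  # the whole segment is omitted downstream
            continue
        plain = decrypt(p.payload) if p.payload else b""
        q = Pkt(p.src, p.dst, clear_port if p.sport == 443 else p.sport,
                clear_port if p.dport == 443 else p.dport, (p.seq - removed[fwd]) & 0xFFFFFFFF,
                (p.ack - removed[rev]) & 0xFFFFFFFF, p.flags, plain)
        removed[fwd] += len(p.payload) - len(plain)  # record header, MAC and padding are gone too
        q.checksum = tcp_checksum(q); out.append(q)
    return out

def stream_is_contiguous(packets):
    # What a stateful tool checks: each segment starts where the last one in its direction ended.
    expected = {}
    for p in packets:
        if expected.get((p.src, p.dst), p.seq) != p.seq or tcp_checksum(p) != p.checksum:
            return False
        expected[p.src, p.dst] = (p.seq + len(p.payload) + (1 if p.flags & 0x02 else 0)) & 0xFFFFFFFF
    return True

# Constructed capture: TCP handshake, two TLS handshake flights, then one encrypted record each way.
C, S = "192.0.2.10", "198.51.100.20"
rec = lambda text: b"\x17\x03\x03" + struct.pack("!H", len(text) + 16) + text + b"\x00" * 16
CAPTURE = [
    Pkt(C, S, 51000, 443, 1000, 0, 0x02),
    Pkt(S, C, 443, 51000, 5000, 1001, 0x12),
    Pkt(C, S, 51000, 443, 1001, 5001, 0x10),
    Pkt(C, S, 51000, 443, 1001, 5001, 0x18, b"\x16" * 100, tls_handshake=True),  # ClientHello
    Pkt(S, C, 443, 51000, 5001, 1101, 0x18, b"\x16" * 300, tls_handshake=True),  # ServerHello ... Finished
    Pkt(C, S, 51000, 443, 1101, 5301, 0x18, rec(b"GET / HTTP/1.1\r\n")),
    Pkt(S, C, 443, 51000, 5301, 1138, 0x18, rec(b"HTTP/1.1 200 OK\r\n")),
]
```

Dropping the handshake packets without shifting SEQ/ACK leaves `stream_is_contiguous` failing on the first data segment, which is exactly the gap the post describes.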

The following ladder diagram might also help to make this clear:

The Importance of State

To make Ixia’s SSL decryption even more useful, we’ve also added a few other new features. In the 1.2.1 release, we added support for Diffie-Hellman keys (previously, we only supported RSA keys), as well as Elliptic Curve ciphers. We’ve also added reporting of key encryption metadata in our NetFlow/IPFIX reporting:

The Importance of State

As you can see, we’ve been busy working on our SSL solution, making sure we make it as useful, fast, and easy-to-use as possible. And there’s more great stuff on the way. So if you want to see new features, or want more information about our current products or features, just let us know and we’ll get on it.

More Information

ATI Processor Web Portal

Wikipedia Article: Transmission Control Protocol (TCP)

Wikipedia Article: Transport Layer Security (TLS)

Thanks to Ixia for the article.

Don’t Miss the Forest for the Trees: Taps vs. SPAN

These days, your network is as important to your business as any other item—including your products. Whether your customers are internal or external, you need a dependable and secure network that grows with your business. Without one, you are dead in the water.

IT managers have a nearly impossible job. They must understand, manage, and secure the network all the time against all problems. Anything less than a 100 percent working network is a failure. There is a very familiar saying: Don’t miss the forest for the trees. Meaning don’t let the details prevent you from seeing the big picture. But what if the details ARE the big picture?

Today’s IT managers can’t miss the forest OR the trees!

Network visibility is a prime tool in properly monitoring your network. You need an end-to-end visibility architecture to truly see your network. This visibility architecture must reveal both the big picture and the smallest details to present a true view of what is happening in the network.

The first building-block to your visibility architecture is access to the data. To efficiently monitor a network, you must have complete visibility into that network. This means being able to reliably capture 100% of the network traffic under all network conditions.

To achieve this, devices need to be installed into the network to capture that data using “taps” or Switch Port Analyzers (SPANs).

A tap is a passive splitting mechanism placed between two network devices. It provides a monitoring connection. Using taps, you can easily connect monitoring devices such as protocol analyzers, RMON probes and intrusion detection and prevention systems to the network. The tap duplicates all traffic on the link and forwards this to the monitoring device. Any monitoring device connected to a tap receives the same traffic as if it were in-line. This includes all errors. Taps do not introduce delay, or alter the content or structure of the data. They also fail open so that traffic continues to flow between network devices, even if you remove a monitoring device or power to the device is lost.

A SPAN port – also known as a mirroring port – is a function of one or more ports on a switch in the network. Like a tap, monitoring devices can also be attached to this SPAN port.

So what are the advantages of taps vs SPAN?

  • A tap captures everything on the wire, including MAC and media errors. A SPAN port will drop those packets.
  • A tap is unaffected by bandwidth saturation. A SPAN port cannot handle heavily used full-duplex links without dropping packets.
  • A tap is simple to install. A SPAN port requires an engineer to configure the switch or switches.
  • A tap is not an addressable network device. It cannot be hacked. SPAN ports leave you vulnerable.
  • A tap doesn’t require you to dedicate a switch port to monitoring. It frees the monitoring port up for switching traffic.

Don’t Miss the Forest for the Trees: Taps vs. SPAN

Thanks to Ixia for the article.

Do You Have a Network Operations Center Strategy?

The working definition of a Network Operations Center (NOC) varies with each customer we talk with; however, the one point which remains unified is that the NOC should be the main point of visibility for key functions that combine to provide business services.

The level at which a NOC ‘product’ is interactive depends on individual customer goals and requirements. Major equipment vendors trying to increase revenue are delving into management and visibility solutions with acquisitions and mergers, and while their products may provide many good features, those features are focused on their own product lines. In mixed vendor environments this becomes challenging and expensive if you have to increase the number of visibility islands.

One trend we have seen emerging is the desire for consolidation and simplification within the Operations Centre. In many cases our customers may have the information required to understand the root cause, but getting to that information quickly is a major challenge across multiple standalone tools. Let’s face it, there will never be one single solution that will fulfill absolutely all monitoring and business requirements, and having specialized tools is likely necessary.

The balance lies in finding a powerful, yet flexible solution; one that not only offers a solid core functionality and feature set, but also encourages the orchestration of niche tools. A NOC tool should provide a common point of visibility if you want to quickly identify which business service is affected; easily determine the root cause of that problem, and take measures to correct the problem. Promoting integration with existing business systems, such as CMDB and Helpdesk, both northbound and southbound, will ultimately expand the breadth of what you can accomplish within your overall business delivery strategy. Automated intelligent problem resolution, equipment provisioning, and Change and Configuration Management at the NOC level should also be considered as part of this strategy.

Many proven efficiencies are exposed when you fully explore tool consolidation with a goal of eliminating overlapping technologies and process related bottlenecks, or duplication. While internal tool review often brings forth resistance, it is necessary, and the end result can be enlightening from both a financial and a process aspect. Significant cost savings are easily achieved with fewer maintenance contracts, but with automation a large percent of the non-value adding activities of network engineers can be automated within a product, freeing network engineers to work on proactive new innovations and concepts.

The ‘Dark Side’

Forward thinking companies are deploying innovative products which allow them to move towards an unmanned Network Operations Center, or ‘Dark NOC’. Factors such as energy consumption, bricks and mortar costs, and other increasing operational expenditures reinforce the case that their NOC may be located anywhere with a network connection and still provide full monitoring and visibility. Next generation tools are no longer a nice to have, but a reality in today’s dynamic environment! What is your strategy?