Flow-Based Network Intelligence You Can Depend On

NetFlow Auditor is a complete and flexible toolkit for flow based network analysis, which includes real-time analysis, long-term trending and base-lining.

NetFlow Auditor uses NetFlow based analysis as opposed to the traditional network analysis products which focus on the health of network gateway devices with basic information and overview trends.

Netflow analysis looks at end-to-end performance using a technological approach that is largely independent of the underlying network infrastructure thus providing greater visibility of the IP environment as a whole.

NetFlow Auditor provides an entire team in a box and is focussed on delivering four main value propositions for reporting on IP based networks:

  • Network Performance
  • Network Security
  • Network Intelligence
  • Network Accounting

Network Performance

Bandwidth management, bottleneck identification and alerting, resource and capacity planning, asset management, content management, quality of service

Network Security

Network data forensics and anomaly detection, e-security surveillance, network abuse, P2P discovery, access management, Compliance, track and trace and risk management

Network Intelligence

Network Anomaly Detection and Data metrics.

Network Accounting

Customer billing management for shared networks which translates to other costs, invoicing, bill substantiation, chargeback, 95th Percentile, total cost of ownership, forecasting, Information Technology ROI purchases substantiation.

How NetFlow Auditor Shines

Scalability – NetFlow Auditor can handle very high flow rates, so key data won’t be missed when pipes burst or flow volumes increase. Auditor can analyze large network cores, distribution and edge points, deployed as point solutions or as multi-collector hierarchies.

Granularity – NetFlow Auditor provides complete drill-down tools to fully explore the data and to perform comparative base-lining in real time and over the long term. This gives users the ability to see network data from every perspective.

Flexibility – NetFlow Auditor allows easy customization of every aspect of the system from tuning of data capture to producing templates and automated Reporting and Alerting thus decreasing the workload for engineers, management and customers.

Anomaly Detection – NetFlow Auditor’s ability to learn a baseline on any kind of data is unsurpassed. The longer it runs the smarter it becomes.

Root Cause Analysis – NetFlow Auditor’s drill filter and discovery tool allows real-time forensic and trending views, with threshold alerting and scheduled reporting.

QoS Analysis – NetFlow Auditor can help analyze VoIP and multicast impact, and separate traffic by class of service and by location.

Key Issues Solved Using Flow-Based Network Management

Absolute Visibility – As businesses use their data networks to deliver more applications and services, monitoring and managing the network for performance problems can become a challenge. NetFlow Auditor provides real-time monitoring and improves reaction times for solving network issues, such as identifying and shutting down malicious traffic when it appears on the network.

Compliance and Risk – System relocations, Business and System Mergers.

Convergence – Organizations that are moving disparate networks to a converged platform in an effort to streamline costs and increase productivity can use NetFlow Auditor to understand the impact on security and to address security blind spots in the converged network.

Proactive Network Management – NetFlow Auditor can be used by Risk Management to reduce risk and improve incident management by comparing current problems against a baseline of normal network behaviour and performance at different times of day.

Customers include Internet Service Providers, Banks, Education, Healthcare and Utilities such as:

  • Bell Aliant
  • KDDI
  • BroadRiver
  • First Digital
  • NSW Department of Education and Training
  • IBM
  • StreamtheWorld
  • Desjardins Bank
  • Commonwealth Bank of Australia
  • Miami Dade County
  • Miami Herald
  • Sheridan College
  • Mitsui Sumitomo
  • Caprock Energy
  • Zesco Electricity
  • Self Regional Healthcare

Thanks to NetFlow Auditor for the article.

Solving 3 Key Network Security Challenges

With high profile attacks from 2014 still fresh on the minds of IT professionals and almost half of companies being victims of an attack during the last year, it’s not surprising that security teams are seeking additional resources to augment defenses and investigate attacks.

As IT resources shift to security, network teams are finding new roles in the battle to protect network data. To be an effective asset in the battle, it’s critical to understand the involvement and roles of network professionals in security as well as the 3 greatest challenges they face.

Assisting the Security Team

The recently released State of the Network Global Study asked 322 network professionals about their emerging roles in network security. Eighty-five percent of respondents indicated that their organization’s network team was involved in handling security. Not only have network teams spent considerable time managing security issues but the amount of time has also increased over the past year:

  • One in four spends more than 10 hours per week on security
  • Almost 70 percent indicated time spent on security has increased

Roles in Defending the Network

From the number of responses above 50 percent, the majority of network teams are involved with many security-related tasks. The top two roles for respondents – implementing preventative measures (65 percent) and investigating security breaches (58 percent) – mean they are working closely with security teams on handling threats both proactively and after-the-fact.

3 Key Security Challenges

Half of respondents indicated the greatest security challenge was an inability to correlate security and network performance. This was followed closely by an inability to replay anomalous security issues (44 percent) and a lack of understanding to diagnose security issues (41 percent).

The Packet Capture Solution

These three challenges point to an inability of the network team to gain context to quickly and accurately diagnose security issues. The solution lies in the packets.

  • Correlating Network and Security Issues

Performance management solutions like the Observer Platform use baselining and behavior analysis to identify anomalous client, server, or network activities. Additionally, top-talker and bandwidth utilization reports can identify whether clients or servers are generating unexpectedly high amounts of traffic, which is indicative of a compromised resource.

  • Replaying Issues for Context

The inability to replay and diagnose security issues points to long-term packet capture being an under-utilized resource in security investigations. Replaying captured events via retrospective analysis appliances like GigaStor provides full context to identify compromised resources, exploits utilized, and occurrences of data theft.

As network teams are called upon to assist in security investigations, effective use of packet analysis is critical for quick and accurate investigation and remediation. Learn from cyber forensics investigators how to effectively work with security teams on threat prevention, investigations, and cleanup efforts at the How to Catch a Hacker Webinar. Our experts will uncover exploits and share top security strategies for network teams.
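The baselining and top-talker approach described above (and the comparative base-lining NetFlow Auditor describes in the first article) is illustrated by the added Python example below; it is not code from Network Instruments, NetFlow Auditor or their products. It learns a per-host, hour-of-day byte baseline from constructed flow records, then flags hosts whose current-hour volume exceeds mean plus k standard deviations, with a floor so that a quiet host or a never-seen host is judged on real volume rather than noise. All addresses, volumes and thresholds are constructed for the example.

```python
"""Learn a per-host, hour-of-day traffic baseline from flow records and flag deviations.

All flow records below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

MB = 1_000_000


@dataclass(frozen=True)
class Flow:
    """One exported flow record, reduced to the fields the detection needs."""
    day: int      # calendar day index of the export
    hour: int     # hour of day (0-23) the flow was observed
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination port
    octets: int   # bytes carried by the flow


def build_baseline(history):
    """Return {(src, hour): (mean_bytes, stdev_bytes)} over the historical days.

    A host that was silent in a given hour on some days contributes zero for
    those days, so the baseline reflects how regular the traffic really is.
    """
    per_day = defaultdict(lambda: defaultdict(int))
    for f in history:
        per_day[(f.src, f.hour)][f.day] += f.octets
    days = sorted({f.day for f in history})
    baseline = {}
    for key, by_day in per_day.items():
        samples = [by_day.get(d, 0) for d in days]
        baseline[key] = (mean(samples), pstdev(samples))
    return baseline


def top_talkers(flows, n=3):
    """Hosts ranked by total bytes sent, largest first (ties broken by address)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.octets
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def detect_anomalies(baseline, current, hour, k=3.0, floor=1 * MB):
    """Return [(src, bytes_now, bytes_expected)] for hosts above mean + k*stdev.

    `floor` is the smallest volume that can alert: it stops quiet hosts with a
    near-zero stdev (and hosts with no history at all) from alerting on noise,
    while still catching a brand-new host that suddenly moves real data.
    """
    totals = defaultdict(int)
    for f in current:
        if f.hour == hour:
            totals[f.src] += f.octets
    alerts = []
    for src, total in sorted(totals.items()):
        mu, sigma = baseline.get((src, hour), (0, 0))
        if total > max(mu + k * sigma, floor):
            alerts.append((src, total, int(mu)))
    return alerts


# Constructed history: five days of afternoon traffic. 10.0.0.5 is a steady
# file server; 10.0.0.9 is a workstation that talks only on some days.
HISTORY = [Flow(d, 14, "10.0.0.5", "10.0.1.1", 445, v * MB)
           for d, v in zip(range(1, 6), (50, 48, 52, 51, 49))]
HISTORY += [Flow(2, 14, "10.0.0.9", "198.51.100.7", 443, 2 * MB),
            Flow(3, 14, "10.0.0.9", "198.51.100.7", 443, int(1.5 * MB)),
            Flow(4, 14, "10.0.0.9", "198.51.100.7", 443, int(2.5 * MB))]

# Constructed current day: the file server is normal, the workstation pushes
# 900 MB to an external host, and a never-seen host appears.
CURRENT = [Flow(6, 14, "10.0.0.5", "10.0.1.1", 445, 52 * MB),
           Flow(6, 14, "10.0.0.9", "203.0.113.20", 443, 900 * MB),
           Flow(6, 14, "10.0.0.77", "203.0.113.21", 22, 30 * MB)]

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for src, now, expected in detect_anomalies(base, CURRENT, hour=14):
        print(f"ALERT {src}: {now // MB} MB at 14:00, baseline {expected // MB} MB")
    print("top talkers:", top_talkers(CURRENT))
```

Running it flags the workstation (900 MB against a 1.2 MB baseline) and the new host, while the file server's 52 MB stays inside its learned band.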

Thanks to Network Instruments for the article.

Application Intelligence Supercharges Network Security

I was recently at a conference where the topic of network security came up again, like it always does. It seems like there might be a little more attention on it now, not really due to the number of breaches—although that plays into a little—but more because companies are being held accountable for allowing the breaches. Examples include Target (where both the CIO and CEO got fired over that breach in 2013) and the fact that the FCC and FTC are fining companies (like YourTel America, TerraCom, Presbyterian Hospital, and Columbia University) that allow a breach to compromise customer data.

This is an area where application intelligence could be used to help IT engineers. Just to be clear, application intelligence won’t fix ALL of your security problems, but it can give you additional and useful information that was very difficult to ascertain before now. For those that haven’t heard about application intelligence, this technology is available through certain network packet brokers (NPBs). It’s an extended functionality that allows you to go beyond Layer 2 through 4 (of the OSI model) packet filtering to reach all the way into Layer 7 (the application layer) of the packet data.

The benefit here is that rich data on the behavior and location of users and applications can be created and exported in any format needed—raw packets, filtered packets, or NetFlow information. IT teams can identify hidden network applications, mitigate network security threats from rogue applications and user types, and reduce network outages and/or improve network performance due to application data information.

In short, application intelligence is basically the real-time visualization of application level data. This includes the dynamic identification of known and unknown applications on the network, application traffic and bandwidth use, detailed breakdowns of applications in use by application type, and geo-locations of users and devices while accessing applications.

Distinct signatures for known and unknown applications can be identified, captured, and passed on to specialized monitoring tools to provide network managers a complete view of their network. The filtered application information is typically sent on to 3rd party monitoring tools (e.g. Plixer, Splunk, etc.) as NetFlow information but could also be consumed through a direct user interface in the NPB. The benefit to sending the information to 3rd party monitoring tools is that it often gives them more granular, detailed application data than they would have otherwise to improve their efficiency.

With the number of applications on service provider and enterprise networks rapidly increasing, application intelligence provides unprecedented visibility to enable IT organizations to identify unknown network applications. This level of insight helps mitigate network security threats from suspicious applications and locations. It also allows IT engineers to spot trends in application usage which can be used to predict, and then prevent, congestion.

Application intelligence effectively allows you to create an early warning system for real-time vigilance. In the context of improving network security, application intelligence can provide the following benefits:

  • Identify suspicious/unknown applications on the network
  • Identify suspicious behavior by correlating connections with geography and known bad sites
  • Identify prohibited applications that may be running on your network
  • Proactively identify new user applications consuming network resources

A core feature of application intelligence is the ability to quickly identify ALL applications on a network. This allows you to know exactly what is or is not running on your network. The feature is often an eye opener for IT teams, and they are surprised to find out that there are actually applications on their network they knew nothing about. Another key feature is that all applications are identified by a signature. If the application is unknown, a signature can be developed to record its existence. These unknown application signatures should be the first step as part of IT threat detection procedures so that you can identify any hidden/unknown network applications and user types. The ATI Processor correlates applications with geography, and can identify compromised devices and malicious activities such as Command and Control (CNC) communications from malicious botnet activities.

A second feature of application intelligence is the ability to visualize the application traffic on a world map for a quick view of traffic sources and destinations. This allows you to isolate specific application activity by granular geography (country, region, and even neighborhood). User information can then be correlated with this information to further identify and locate rogue traffic. For instance, maybe there is a user in North Korea that is hitting an FTP server in Dallas, TX and transferring files off network. If you have no authorized users in North Korea, this should be treated as highly suspicious. At this point, you can then implement your standard security protocols—e.g., kill the application session immediately, capture origin and destination information, capture file transfer information, etc.

Another way of using application intelligence is to audit your network policies and usage of those policies. For instance, maybe your official policy is for employees to use Outlook for email. All inbound email traffic is then passed through an anti-viral/malware scanner before any attachments are allowed entry into the network. With application intelligence, you would be able to tell if users are following this policy or whether some are using Google mail and downloading attachments directly through that service, which is bypassing your malware scanner. Not only would this be a violation of your policies, it presents a very real threat vector for malware to enter your network and commence its dirty work.
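The three uses just described (signature-based identification of known and unknown applications, correlating sessions with geography, and auditing policy such as webmail bypassing the mail scanner) are illustrated by the added Python example below; it is not Ixia's code and does not reflect how the ATI Processor works internally. The signature table, geolocation table, policy sets and session records are all constructed for the example; the addresses come from documentation ranges and the country assignments are invented.

```python
"""Identify applications by signature, correlate them with geography and audit
policy over constructed session records (added example, not Ixia's code).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    """One observed session, reduced to what a signature match needs."""
    src: str
    dst: str
    dport: int
    payload: bytes = b""   # first bytes seen on the session (server banner or client hello)
    sni: str = ""          # TLS server name indication, if the session is TLS


# Constructed signature table: (application, port, payload prefix, SNI suffix).
# None means "not checked". More specific entries come first so that webmail is
# matched before the generic HTTPS signature.
SIGNATURES = [
    ("webmail", 443, None,    "mail.google.com"),
    ("https",   443, None,    None),
    ("ftp",     21,  b"220 ", None),
    ("ssh",     22,  b"SSH-", None),
]

# Constructed geolocation table and policy. Addresses are from documentation
# ranges; the country assignments are invented for the example.
GEO = {
    ip_network("10.0.0.0/8"):      "US",   # internal address space
    ip_network("198.51.100.0/24"): "US",
    ip_network("203.0.113.0/24"):  "KP",
}
INTERNAL = ip_network("10.0.0.0/8")
AUTHORIZED_COUNTRIES = {"US", "CA"}   # where the organisation has users
FILE_TRANSFER_APPS = {"ftp", "ssh"}


def identify_app(session):
    """Return the first signature that matches, or 'unknown' if none does."""
    for app, port, prefix, sni_suffix in SIGNATURES:
        if session.dport != port:
            continue
        if prefix is not None and not session.payload.startswith(prefix):
            continue
        if sni_suffix is not None and not session.sni.endswith(sni_suffix):
            continue
        return app
    return "unknown"


def country_of(ip):
    """Look the address up in the constructed geolocation table."""
    addr = ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


def audit(sessions):
    """Return [(src, dst, app, finding)] for sessions that need attention."""
    findings = []
    for s in sessions:
        app = identify_app(s)
        if app == "unknown":
            # Unknown applications are the first thing to capture a signature for.
            findings.append((s.src, s.dst, app, "unknown application: capture a signature"))
        elif (app in FILE_TRANSFER_APPS and ip_address(s.dst) in INTERNAL
              and country_of(s.src) not in AUTHORIZED_COUNTRIES):
            findings.append((s.src, s.dst, app,
                             f"file transfer from unauthorized geography {country_of(s.src)}"))
        elif app == "webmail":
            # Policy says mail goes through the scanned corporate gateway.
            findings.append((s.src, s.dst, app, "webmail bypasses the inbound mail scanner"))
    return findings


# Constructed sessions covering each case the audit distinguishes.
SESSIONS = [
    Session("203.0.113.10", "10.20.0.5", 21, b"220 ftpd ready"),            # FTP to internal server, unauthorized country
    Session("198.51.100.20", "10.20.0.5", 21, b"220 ftpd ready"),           # same server, authorized country
    Session("10.0.0.42", "198.51.100.7", 443, sni="mail.google.com"),       # webmail from a workstation
    Session("10.0.0.42", "198.51.100.8", 443, sni="www.example.com"),       # ordinary HTTPS
    Session("10.0.0.77", "198.51.100.9", 6881, b"\x13BitTorrent protocol"), # no signature on file
]

if __name__ == "__main__":
    for src, dst, app, finding in audit(SESSIONS):
        print(f"{src} -> {dst} [{app}]: {finding}")
```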

Ixia’s Application and Threat Intelligence (ATI) Processor brings intelligent functionality to the network packet broker landscape with its patent pending technology that dynamically identifies all applications running on a network. The Ixia ATI Processor is a 48 x 10GE interface card that can be used standalone in a compact 1 rack unit high chassis or within an Ixia Net Tool Optimizer (NTO) 7300 network packet broker (NPB) for a high port density option.

As new network security threats emerge, the ATI Processor helps IT improve their overall security with better intelligence for their existing security tools. To learn more, please visit the ATI Processor product page or contact us to see a demo!

Thanks to Ixia for the article.

Validating Networks with Ixia

We work with the majority of the top carriers worldwide, as well as many of their largest customers and the companies who provide infrastructure technology for their networks. We’re the “application performance and security resilience” company – we help you make sure technology works the way you expect it to out of the gate, and keeps on doing it throughout the deployment lifecycle.

Today’s mobile subscribers are what we call “tough customers”: they expect instant availability and high performance, all the time, everywhere they go, and they tend to remember the “hiccups” more than all the times everything works just fine. No one has patience for dropped calls or choppy video or slow downloads anymore.

And that’s where Ixia comes in. We help carriers and other providers worldwide exceed the expectations of their toughest customers. Physical or virtualized, wired or wireless, we can help you build and validate, secure, and optimize networks that deliver.

We do this with powerful and versatile hardware and software solutions, expert global support, and professional services, all designed to ensure user satisfaction and a great bottom line.

So what does this mean to you? What do “validate,” “secure” and “optimize” mean to you?

Let’s start with “validate,” and the beginning stages of the technology lifecycle.

To meet expectations, network designs, upgrades, and expansions all need to be carefully planned – and proven to work – before new technologies and services are put into production. For this you need real data based on realistic scenarios, and to assess performance from the subscribers’ point of view.

You can’t rely on vendor data sheets alone to make decisions about new technologies. These specifications may be based on very specific scenarios that don’t address your unique deployment needs and business usage.

And since we know that retooling a network after a launch costs a lot more than getting it right before you go live, you need to validate critical new technologies yourself.

Ixia solutions are used to validate new products and services end-to-end including:

  • Equipment used in LTE networks, HetNets, and Wi-Fi offload
  • The quality of services like VoLTE and Wi-Fi calling
  • Virtualized network functions—these actually need to be validated throughout migration, using a mix of physical and virtualized testing to net the greatest insights every step of the way

Ixia lets you put new designs to the test against real-world scenarios, using real-world traffic. Our hardware and software emulate application traffic, scaling to millions of users across nearly any link speed – including 400GbE.

And, we can tailor use-case scenarios that specifically match the needs of your network and customers. So you’ll see what they’ll see, and how your network responds to peak traffic and scales to meet rising demand.

We help meet two main goals for nearly every project: faster time to market, and lower cost. In one recent virtualization effort, Ixia helped a provider achieve a 25% performance improvement by identifying latency bottlenecks, along with faster time-to-market at a lower total cost.

And that’s just the beginning!

In today’s market, application traffic IS the network, and providers will increasingly be looking to monetize subscribers’ experience with applications and services.

Validating the performance of applications on the network early in the design phase is a critical step that can’t be overlooked, and that’s Ixia’s focus. Whether it’s games, social media, online banking, video streaming, online shopping, automotive Ethernet, audio/visual services, or the next big thing, customers expect it to just work, and we help you make sure it does.

Partnering with service providers, equipment providers, and enterprises to seamlessly and securely deliver a quality experience to subscribers and customers is Ixia’s business. Once you validate your network design, we can help secure the rollout, and monitor and optimize performance during operation.

Additional Resources:

Ixia virtualization solutions

Thanks to Ixia for the article.

State of Networks: Faster, but Under Attack

Two recent studies that look at the state of mobile and fixed networks show that while networks are getting ever faster, security is a paramount concern that is taking up more time and resources.

Akamai recently released its fourth quarter 2014 State of the Internet report. Among the findings:

  • In terms of network security, high tech and public sector targets saw increased numbers of attacks from 2013 to 2014, while enterprise targets had fewer attacks over the course of the year – except Q4, where the commerce and enterprise segment were the most frequently targeted.

“Attacks against public sector targets reported throughout 2014 appear to be primarily motivated by political unrest, while the targeting of the high tech industry does not appear to be driven by any single event or motivation,” Akamai added.

  • Akamai customers saw DDoS attacks up 20% from the third quarter, although the overall number of such attacks held steady from 2013 to 2014 at about 1,150.
  • Average mobile speeds differ widely on a global basis, from 16 megabits per second in the U.K., to 1 Mbps in New Caledonia. Average peak mobile connection speeds continue to increase, from a whopping 157.3 Mbps in Singapore, to 7.5 Mbps in Argentina. And Denmark, Saudi Arabia, Sweden and Venezuela had 97% of unique IP addresses from mobile providers connect to Akamai’s network at speeds faster than the 4 Mbps threshold that is considered the minimum for “broadband.”

Meanwhile, Network Instruments, part of JDSU, recently completed its eighth annual survey of network professionals. It found that security is an increasing area of focus for network teams and that they are spending an increasing amount of time focused on security incidents and prevention.

NI reported that its survey found that the most commonly reported network security challenge is correlating security issues with network performance (reported by 50% of respondents) – meanwhile, the most common method for identifying security issues are “syslogs” (used by 67% of respondents). Other methods included simple network management protocol and tracking performance anomalies, while long-term packet capture and analysis was used by slightly less than half of the survey participants – 48%. Network Instruments said that relatively low utilization of long-term packet capture makes it “an under-utilized resource in security investigations” and that “replaying the events would provide greater context” for investigators.

NI also found that “application overload” is driving a huge increase in bandwidth use expectations, due to users accessing network resources and large files with multiple devices; real-time unified communications applications that require more bandwidth; as well as private cloud and virtualization adoption. See Network Instrument’s full infographic below:

Network Instruments' State of the Network infographic

Thanks to RCR Wireless News for the article.

See How Ixia’s NTO 7300 Vastly Outperforms the Closest Competitor in 100GbE Visibility, Scalability, Capacity, and Cost-Efficiency

Visibility Is an Urgent Challenge

Lack of visibility is behind the worst of IT headaches, leaving the network open to malicious intrusions, as well as compliance, availability, and performance problems. Today’s soaring traffic volumes are bringing greater complexity, proliferating apps and devices, and rising virtual traffic—in fact, “east-west” traffic between virtual machines now makes up half of all traffic on the network. Virtual traffic is the culprit that spawns unmonitored “blind spots,” a breeding ground for errors and attacks.

All these challenges make visibility critical to network security and management. Customers need a highly scalable visibility architecture—one that can eliminate blind spots and reduce complexity, while providing resilience and control. Visibility relies on monitoring tools, and new tool investment can be a real budget-buster. That’s why companies need to protect their investments in 1GbE and 10GbE monitoring tools, and why load balancing has become such a smart approach. Now, as networks move into the 100GbE environment, Ixia offers the NTO 7300, enabling total visibility into multiple 100GbE links and dominating its competition.

Dramatic Design Difference

The NTO 7300 delivers the ability to optimize 1GbE and 10GbE monitoring tools for the intensive 100GbE environment and offers decisive advantages over competitors. No other solution packs as many ports into a compact footprint for industry-leading density and cost-efficiency. The NTO 7300’s one-two punch of design ingenuity plus advanced technology makes it the clear choice in every comparison. If you take a typical 100GbE deployment that requires 8 100GbE ports, advanced filtering, and 10GbE ports for tool access, it becomes clear that other solutions cannot keep up with the density and performance Ixia provides.

The Numbers Speak for Themselves

Compare the Ixia NTO 7300 to its closest competitor, and you see a striking difference in capacity, scalability and performance. The NTO 7300 commands every category for customer needs by providing more performance in 71% less space!

7300: Port-Plentiful

The Ixia NTO7300 configuration fits neatly and entirely in a single 8U chassis, with many unused ports.

Per chassis:

  • 24 40GbE ports (or 96x10GbE)
  • 64 10GbE AFM ports
  • 8 100GbE ports
  • 640Gbps deduplication

Competition: Port-Poor

This competitor requires 28U and has insufficient 40GbE ports. It’s significantly lower in density, with no ports on advanced processing blades and fabric modules placed awkwardly in front.

Per chassis (2 chassis required):

  • 2x40GbE ports
  • 40x10GbE ports
  • 4x100GbE ports
  • 240Gbps deduplication

With its “pay as you grow” scalability; savings on rack space and power; a simple, rack-mountable chassis; superior advanced features such as header stripping and deduplication; and wire-speed performance in any configuration, the NTO 7300 is ideal for filling that critical visibility gap in the 100GbE environment.

| Feature | Ixia NTO7300 | Other |
|---|---|---|
| Fabric module location | Rear panel | Occupy front slots |
| 100GbE configuration | 2x100GbE + 4x40GbE or 16x10GbE | 2x100GbE + 8x10GbE |
| Advanced processing capacity per slot | Up to 640Gbps (320Gbps ingress + 320Gbps egress) | Up to 80Gbps |
| Advanced processing card configuration | 2xAFM16s + 4xQSFP + 640Gbps AFM, per slot | No tool or network ports, “the other’s” processor only |
| Slots per chassis | 6 | 8 |
| Chassis RU | 8 (with AC shelf) | 14 |

| Total configuration | Ixia NTO7300 | Other | Advantage |
|---|---|---|---|
| 10GbE ports | 64 (up to 160) | 80 (up to 96) | Ixia (67% more max) |
| 40GbE ports | 96 | 8* | Ixia (1100% more max) |
| 100GbE ports | 8 | 8 | – |
| Deduplication bandwidth | 640Gbps | 480Gbps* | Ixia (33% more) |
| Total RU | 8 | 28 | Ixia (71% less) |

*Doesn’t meet requirements

Additional Resources:

Ixia Visibility Architecture

Ixia NTO 7300

Thanks to Ixia for the article.

Network Instruments State of the Network Global Study 2015

Eighth Annual “State of the Network” Global Study from JDSU’s Network Instruments Finds 85 Percent of Enterprise Network Teams Now Involved in Security Investigations

Deployment Rates for High-Performance Network Visibility and Software Defined Solutions Expected to Double in Two Years

Network Instruments, a JDSU Performance Management Solution released the results of its eighth annual State of the Network global study today. Based on insight gathered from 322 network engineers, IT directors and CIOs around the world, 85 percent of enterprise network teams are involved with security investigations, indicating a major shift in the role of those teams within enterprises.

Large-scale and high-profile security breaches have become more common as company data establishes itself as a valuable commodity on the black market. As such, enterprises are now dedicating more IT resources than ever before to protect data integrity. The Network Instruments study illustrates how growing security threats are affecting internal resources, identifies underutilized resources that could help improve security, and highlights emerging challenges that could rival security for IT’s attention.

As threats continue to escalate, one quarter of network operations professionals now spend more than 10 hours per week on security issues and are becoming increasingly accountable for securing data. This reflects an average uptick of 25 percent since 2013. Additionally, network teams’ security activities are diversifying. Teams are increasingly implementing preventative measures (65 percent), investigating attacks (58 percent) and validating security tool configurations (50 percent). When dealing with threats, half of respondents indicated that correlating security issues with network performance is their top challenge.

“Security is becoming so much more than just a tech issue. Regular media coverage of high-profile attacks and the growing number of malware threats that can plague enterprises – and their business – has thrust network teams capable of dealing with them into the spotlight. Network engineers are being pulled into every aspect of security, from flagging anomalies to leading investigations and implementing preventative measures,” said Brad Reinboldt, senior product manager for Network Instruments. “Staying on top of emerging threats requires these teams to leverage the tools they already have in innovative ways, such as applying deep packet inspection and analysis from performance monitoring solutions for advanced security forensics.”

The full results of the survey, available for download, also show that emerging network technologies* have gained greater adoption over the past year.

Highlights include:

  • 40, 100 Gigabit Ethernet and SDN approaching mainstream: Year-over-year implementation rates for 40 Gb, 100 Gb and SDN in the enterprise have nearly doubled, according to the companies surveyed. This growth rate is projected to continue over the next two years as these technologies approach more than 50 percent adoption. Conversely, survey respondents were less interested in 25 Gb technology, with over 62 percent indicating no plans to invest in equipment using the newer Ethernet specification.
  • Enterprise Unified Communications remains strong but lacks performance-visibility features: The survey shows that Voice-over-IP, videoconferencing and instant messaging technologies, which enable deeper collaboration and rich multimedia experiences, continue making strides in the enterprise, with over 50 percent penetration. Additionally, as more applications are virtualized and migrated to the cloud, this introduces new visibility challenges and sources that can impact performance and delay. To that end, respondents noted a lack of visibility into the end-user experience as a chief challenge. Without visibility into what is causing issues, tech teams can’t ensure uptime and return-on-investment.
  • Bandwidth use expected to grow 51 percent by 2016: Projected bandwidth growth is a clear factor driving the rollout of larger network pipes. This year’s study found the majority of network teams are predicting a much larger surge in bandwidth growth than last year, when bandwidth was only expected to grow by 37 percent. Key drivers for future bandwidth growth are being fueled by multiple devices accessing network resources and larger and more complex data such as 4K video. Real-time unified communications applications are also expected to put more strain on networks, while unified computing, private cloud and virtualization initiatives have the potential to create application overload on the backend.

Key takeaways: what can network teams do?

  • Enterprises need to be on constant alert and agile in aligning IT teams and resources to handle evolving threats. To be more effective in taking on additional security responsibilities, network teams should be trained to think like a hacker and recognize increasingly complex and nefarious network threats.
  • They also need to incorporate performance monitoring and packet analysis tools already used by network teams for security anomaly detection, breach investigations, and assisting with remediation.
  • Security threats aren’t the only thing dictating the need for advanced network visibility tools that can correlate network performance with security and application usage. High-bandwidth activities including 4K video, private clouds and unified communications are gaining traction in the enterprise as well.

State of the Network Global Study Methodology

Network Instruments has conducted its State of the Network global study for eight consecutive years, drawing insight about network trends and painting a picture of what challenges IT teams face. Questions were designed based on interviews with network professionals as well as IT analysts. Results were compiled from the insights of 322 respondents, including network engineers, IT directors, and CIOs from around the world. In addition to geographic diversity, the study’s sample was evenly distributed among networks and business verticals of different sizes. Responses were collected from December 16, 2014 to December 27, 2014 via online surveys.


Thanks to Network Instruments for the article. 

Visibility Architectures Enable Real-Time Network Vigilance

Ixia's Network Visibility Architecture

A couple of weeks ago, I wrote a blog on how to use a network lifecycle approach to improve your network security. I wanted to come back and revisit this as I’ve had a few people ask me why the visibility architecture is so important. They had (incorrectly, IMO) been told by others to just focus on the security architecture and everything else would work out fine.

The reason you need a visibility architecture in place is simple: if you are attacked or breached, how will you know? During a DDoS attack you will most likely know because of website performance problems, but for most other attacks, how will you know?

This is actually a common problem. The 2014 Trustwave Global Security Report stated that 71% of compromised victims did not detect the breach themselves—they had no idea an attack had happened. The report also went on to say that the median number of days from initial intrusion to detection was 87! So most companies never detected the breach on their own (they had to be told by law enforcement, a supplier, a customer, or someone else), and it took almost 3 months after the breach for that notification to happen. This doesn’t sound like the optimum way to handle network security to me.

The second benefit of a visibility architecture is faster remediation once you discover that you have been breached. In fact, some Ixia customers have seen up to an 80% reduction in mean time to repair (MTTR) after implementing a proper visibility architecture. If you can’t see the threat, how are you going to respond to it?

A visibility architecture is the way to solve these problems. Once you combine the security architecture with the visibility architecture, you equip yourself with the necessary tools to properly visualize and diagnose the problems on your network. But what is a visibility architecture? It’s a set of components and practices that allow you to “see” and understand what is happening in your network.

The basis of a visibility architecture starts with creating a plan. Instead of just adding components as you need them at sporadic intervals (i.e., crisis points), step back and take a larger view of where you are and what you want to achieve. This one simple act will save you time, money and energy in the long run.


The actual architecture starts with network access points. These can be either taps or SPAN ports. Taps are traditionally better because they don’t have the time delays, summarized data, duplicated data, and the hackability that are inherent within SPAN ports. However, there is a problem if you try to connect monitoring tools directly to a tap. Those tools are flooded with more data than they can handle, causing packet loss and CPU overload. For the monitoring tools, it’s basically like drinking from a fire hose.

This is where the next level of visibility solutions, network packet brokers, enter the scene. A network packet broker (also called an NPB, packet broker, or monitoring switch) can be extremely useful. These devices filter traffic to send only the right data to the right tool. Packets are filtered at the layer 2 through layer 4 level. Duplicate packets can also be removed and sensitive content stripped before the data is sent to the monitoring tools if that is required as well. This then provides a better solution to improve the efficiency and utility of your monitoring tools.
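As an added illustration (not Ixia’s code or any product’s), the following Python sketch models the three NPB functions just described: a layer 3/4 rule set that sends each packet only to the tool that needs it, removal of the duplicate copy a second tap produces, and stripping payload before the data reaches a tool that only needs headers. The packets, tool names and rules are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """One captured frame, reduced to the layer 3/4 fields an NPB filters on."""
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int
    ip_id: int        # IP identification field; with the 5-tuple it identifies a duplicate
    payload: bytes


@dataclass
class Rule:
    """Layer 2-4 filter: which tool gets the packet, and whether payload is stripped first."""
    tool: str
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    strip_payload: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.dst_port is None or p.dst_port == self.dst_port))


class PacketBroker:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.seen: Set[Tuple] = set()   # a real NPB bounds this by a short time window
        self.dropped_dupes = 0

    def forward(self, packets: List[Packet]) -> Dict[str, List[Packet]]:
        """Return the packets each tool receives after dedup, filtering and stripping."""
        out: Dict[str, List[Packet]] = {r.tool: [] for r in self.rules}
        for p in packets:
            key = (p.src_ip, p.dst_ip, p.proto, p.src_port, p.dst_port, p.ip_id)
            if key in self.seen:            # same packet already seen via another tap
                self.dropped_dupes += 1
                continue
            self.seen.add(key)
            for r in self.rules:
                if r.matches(p):
                    out[r.tool].append(replace(p, payload=b"") if r.strip_payload else p)
        return out


# Constructed traffic from two taps; the HTTP packet is seen by both.
TAP_A = [
    Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 80, 1, b"GET /login HTTP/1.1"),
    Packet("10.0.0.5", "198.51.100.53", "udp", 40000, 53, 2, b"\x12\x34 dns query"),
]
TAP_B = [
    Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 80, 1, b"GET /login HTTP/1.1"),
    Packet("10.0.0.7", "203.0.113.25", "tcp", 51001, 25, 3, b"MAIL FROM:<a@example.com>"),
]
RULES = [
    Rule("ids", proto="tcp"),                       # full TCP packets to the IDS
    Rule("dns_monitor", proto="udp", dst_port=53),  # only DNS to the DNS tool
    Rule("flow_probe", strip_payload=True),         # headers only to a flow/metadata tool
]


def run_demo() -> Tuple[Dict[str, List[Packet]], int]:
    """Run both taps through the broker; returns (packets per tool, duplicates dropped)."""
    npb = PacketBroker(RULES)
    return npb.forward(TAP_A + TAP_B), npb.dropped_dupes
```

Without the dedup step the IDS would see the HTTP packet twice, which is exactly the double-counting and wasted tool capacity the article attributes to feeding taps straight into tools.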

Access and NPB products form the infrastructure part of the visibility architecture, and focus on layer 2 through 4 of the OSI model. After this come the components that make up the application intelligence layer of a visibility architecture, providing application-aware and session-aware visibility. This capability allows filtering and analysis further up the stack at the application layer (layer 7). It is only available in certain NPBs. Depending upon your needs, it can be quite useful, as you can collect the following information:

  • Types of applications running on your network
  • Bandwidth each application is consuming
  • Geolocation of application usage
  • Device types and browsers in use on your network
  • Filter data to monitoring tools based upon the application type

These capabilities can give you quick access to information about your network and help to maximize the efficiency of your tools.

These layer 7 application oriented components provide high-value contextual information about what is happening with your network. For example, this type of information can be used to generate the following benefits:

  • Maximize the efficiency of current monitoring tools to reduce costs
  • Gather rich data about users and applications to offer a better Quality of Experience for users
  • Provide fast, easy to use capabilities to spot check for security & performance problems


And then, of course, there are the management components that provide control of the entire visibility architecture: everything from global element management, to policy and configuration management, to data center automation and orchestration management. Engineering flexible management for network components will be a determining factor in how well your network scales.

Visibility is critical to this third stage (the production network) of your network’s security lifecycle that I referred to in my last blog. (You can view a webinar on this topic if you want.) This phase enables the real-time vigilance you will need to keep your network protected.

As part of your visibility architecture plan, you should investigate and be able to answer these three questions.

  1. Do you want to be proactive and aggressively stop attacks in real-time?
  2. Do you actually have the personnel and budget to be proactive?
  3. Do you have a “honey pot” in place to study attacks?

Those answers will shape the design of your visibility architecture. As the list below shows, there are several different options that can be included in it.

  • In-line components
  • Out-of-band components
  • Physical and virtual data center components
  • Layer 7 application filtering
  • Packet broker automation
  • Monitoring tools

In-line and/or out-of-band security and monitoring components will be your first big decision. Hopefully everybody is familiar with in-line monitoring solutions. In case you aren’t, an in-line (also called bypass) tap is placed in-line in the network to allow access for security and monitoring tools. It should be placed after the firewall but before any other equipment. The advantage of this location is that should a threat make it past the firewall, that threat can be immediately diverted or stopped before it has a chance to compromise the network. The tap also needs to have heartbeat capability and the ability to fail closed so that should any problems occur with the device, no data is lost downstream. After the tap, a packet broker can be installed to help distribute traffic to the tools. Some taps have this capability integrated into them. Depending upon your need, you may also want to investigate taps that support High Availability options if the devices are placed into mission critical locations. After that, a device (like an IPS) is inserted into the network.

In-line solutions are great, but they aren’t for everyone. Some IT departments just don’t have enough personnel and capabilities to properly use them. But if you do, these solutions allow you to observe and react to anomalies and problems in real-time. This means you can stop an attack right away or divert it to a honeypot for further study.

The next monitoring solution is an out-of-band configuration. These solutions are located further downstream within the network than the in-line solutions. The main purpose of this type of solution is to capture data post event. Depending on whether interfaces are automated or not, it is possible to achieve near real-time capabilities—but they won’t be completely real-time like the in-line solutions are.

Nevertheless, out-of-band solutions have some distinct and useful capabilities. The solutions are typically less risky, less complicated, and less expensive than in-line solutions. Another benefit of this solution is that it gives your monitoring tools more analysis time. Data recorders can capture information and then send that information to forensic, malware and/or log management tools for further analysis.

Do you need to consider monitoring for your virtual environments as well as your physical ones? Virtual taps are an easy way to gain access to vital visibility information in the virtual data center. Once you have the data, you can forward it on to a network packet broker and then on to the proper monitoring tools. The key here is to apply “consistent” policies across your virtual and physical environments. This allows for consistent monitoring policies, better troubleshooting of problems, and better trending and performance information.

Other considerations are whether you want to take advantage of automation capabilities, and whether you need layer 7 application information. Most monitoring solutions only deliver layer 2 through 4 packet data, so layer 7 data can be very useful (depending upon your needs).

Application intelligence can be a very powerful tool. This tool allows you to actually see application usage on a per-country, per-state, and per-neighborhood basis. This gives you the ability to observe suspicious activities. For instance, maybe an FTP server is sending lots of files from the corporate office to North Korea or Eastern Europe—and you don’t have any operations in those geographies. The application intelligence functionality lets you see this in real time. It won’t solve the problem for you, but it will let you know that the potential issue exists so that you can make the decision as to what you want to do.

Another example is that you can conduct an audit for security policy infractions. For instance, maybe your stated process is for employees to use Outlook for email. You’ve then installed anti-malware software on a server to inspect all incoming attachments before they are passed on to users. With an application intelligence product, you can actually see if users are connecting to other services (maybe Gmail or Dropbox) and downloading files through that application. This practice would bypass your standard process and potentially introduce a security risk to your network. Application intelligence can also help identify compromised devices and malicious botnet activities through Command and Control communications.
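The two checks described in the last two paragraphs, as an added example written for this post rather than taken from any Ixia product: constructed layer 7 flow records are scanned for bulk outbound transfers to countries where the organisation has no operations, and for file or mail channels that are not on the sanctioned list. The country codes, application labels, host names and the 50 MB threshold are all assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    """One flow record as exported by an application-aware NPB (fields constructed)."""
    src_host: str
    dst_ip: str
    dst_country: str   # ISO country code from the NPB's geolocation step
    app: str           # application as classified at layer 7
    bytes_out: int


# Constructed policy for a fictional organisation.
OPERATING_COUNTRIES: Set[str] = {"US", "GB", "DE"}
SANCTIONED_APPS: Set[str] = {"outlook", "https", "dns", "ftp"}
FILE_CHANNEL_APPS: Set[str] = {"gmail", "dropbox", "ftp", "webdav"}  # can move files or mail
BULK_OUTBOUND_BYTES = 50 * 1024 * 1024   # per host, country and app within the window

MB = 1024 * 1024
# Constructed flow records for one reporting window.
FLOWS = [
    Flow("ftp-srv-01", "203.0.113.9", "KP", "ftp", 35 * MB),
    Flow("ftp-srv-01", "203.0.113.9", "KP", "ftp", 25 * MB),    # same host: 60 MB in total
    Flow("ftp-srv-01", "198.51.100.7", "RO", "ftp", 2 * MB),    # outside footprint, but small
    Flow("ws-17", "203.0.113.40", "US", "gmail", 5 * MB),       # webmail, not sanctioned
    Flow("ws-17", "203.0.113.41", "US", "dropbox", 120 * MB),   # file sync, not sanctioned
    Flow("ws-22", "203.0.113.50", "US", "outlook", 3 * MB),     # the approved mail path
    Flow("ws-22", "203.0.113.60", "DE", "https", 1 * MB),
]


def geo_anomalies(flows: List[Flow], operating: Set[str] = OPERATING_COUNTRIES,
                  threshold: int = BULK_OUTBOUND_BYTES) -> List[dict]:
    """Hosts sending at least `threshold` bytes to a country with no operations."""
    totals: Dict[tuple, int] = defaultdict(int)
    for f in flows:
        if f.dst_country not in operating:
            totals[(f.src_host, f.dst_country, f.app)] += f.bytes_out
    return [{"host": h, "country": c, "app": a, "bytes_out": b}
            for (h, c, a), b in sorted(totals.items()) if b >= threshold]


def policy_infractions(flows: List[Flow], sanctioned: Set[str] = SANCTIONED_APPS,
                       file_apps: Set[str] = FILE_CHANNEL_APPS) -> Dict[str, List[str]]:
    """Hosts using file/mail channels that bypass the sanctioned, inspected path."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.app in file_apps and f.app not in sanctioned:
            hits[f.src_host].add(f.app)
    return {h: sorted(apps) for h, apps in sorted(hits.items())}
```

Neither check decides anything on its own: as the article says, the output tells you a potential issue exists, and the volume aggregation is what keeps a single small transfer from paging anyone.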

Automation capability allows network packet brokers to be automated to initiate functions (e.g., apply filters, add connections to more tools, etc.) in response to external commands. This automation allows a switch/controller to make real-time adjustments to suspicious activities or problems within the data network. The source of the command could be a network management system (NMS), provisioning system, security information and event management (SIEM) tool or some other management tool on your network that interacts with the NPB.

Automation for network monitoring will become critical over the next several years, especially as more of the data center is automated. The reasons for this are plain: how do you monitor your whole network at one time? How do you make it scale? You use automation capabilities to perform this scaling for you and provide near real-time response capabilities for your network security architecture.

Finally, you need to pick the right monitoring tools to support your security and performance needs. This obviously depends on the data you need and want to analyze.

The life-cycle view discussed previously provides a cohesive architecture that can maximize the benefits of visibility like the following:

  • Decrease MTTR up to 80% with faster analysis of problems
  • Monitor your network for performance trends and issues
  • Improve network and monitoring tool efficiencies
  • Application filtering can save bandwidth and tool processing cycles
  • Automation capabilities, which can provide a faster response to anomalies without user administration
  • Scale network tools faster

Once you integrate your security and visibility architectures, you will be able to optimize your network in the following ways:

  • Better data to analyze security threats
  • Better operational response capabilities against attacks
  • The application of consistent monitoring and security policies

Remember, the key is that by integrating the two architectures you’ll be able to improve your root cause analysis. This is not just for security problems but all network anomalies and issues that you encounter.

Additional Resources

  • Network Life-cycle eBook – How to Secure Your Network Through Its Life Cycle
  • Network Life-cycle webinar – Transforming Network Security with a Life-Cycle Approach
  • Visibility Architecture Security whitepaper – The Real Secret to Securing Your Network
  • Security Architecture whitepaper – How to Maximize IT Investments with Data-Driven Proof of Concept (POC)
  • Security solution overview – A Solution to Network Security That Actually Works
  • Cyber Range whitepaper – Accelerating the Deployment of the Evolved Cyber Range

Thanks to Ixia for the article. 

Optimizing Networks with Ixia

Ixia's Visibility Architecture

We work with more than 40 of the top 50 carriers worldwide, as well as many of their largest customers and the companies who provide infrastructure technology for their networks. We’re the “application performance and security resilience” company – we help you make sure technology works the way you expect it to out of the gate, and keeps on doing it throughout the deployment lifecycle.

Today’s mobile subscribers are what we call “tough customers”: they expect instant availability and high performance, all the time, everywhere they go, and they tend to remember the “hiccups” more than all the times everything works just fine. No one has patience for dropped calls or choppy video or slow downloads anymore.

And that’s where Ixia comes in. We help carriers and other providers worldwide exceed the expectations of their toughest customers. Physical or virtualized, wired or wireless, we can help you build and validate, secure, and optimize networks that deliver.

We do this with powerful and versatile hardware and software solutions, expert global support, and professional services, all designed to ensure user satisfaction and a great bottom line.

So what does this mean to you?

The Growing Performance Challenge

Right now we’re going to talk about optimizing your network and security over time—after you’ve validated and deployed new technologies and services.

  • How do you maintain quality with more mobile devices connecting to more data from more sources?
  • How do you manage and help customers manage the impact of the “BYOD” trend?
  • How do you monitor the performance of VNFs in a newly virtualized environment?

These and other challenges are complicated by customers’ high expectations for always-on access and immediate application response. Not to mention new “blind spots” created by virtualization and the growing complexity of networks.

Today’s monitoring systems can quickly become stressed, making it harder to keep up with traffic and filter data to the appropriate tools. Optimizing the network requires 100% visibility into traffic along with real-time intelligence.

During the operations phase of the technology lifecycle, companies are looking to obtain actionable insight into performance, and maintain seamless application delivery. More intelligence – and sometimes more advanced tools – are needed to maximize visibility, and maximize the value of existing investments.

To meet both business and technology goals requires a highly scalable visibility architecture like Ixia’s to eliminate blind spots, and add control without adding complexity.

Example

One leading European bank with more than 13 million customers, 5,000 branches, and 9,000 ATMs needed to upgrade its infrastructure to meet new internal compliance standards. The company was also upgrading data centers to 40GbE, and looking to integrate the new links with the current traffic monitoring systems.

Ixia’s Net Tool Optimizer solutions made for an easy transition. The NTO family of network packet brokers, or “NPBs” – are we sure we have enough acronyms? – helped connect the new 40GbE links to their monitoring system with no downtime, and helped them meet the new compliance requirements while providing for future growth.

Benefits included reducing the load on existing monitoring tools by more than 40%. Pretty powerful stuff.

Ixia Difference

So what is the Ixia Visibility Architecture? Basically it’s the sum total of the industry’s most comprehensive product portfolio.

This includes the NPBs we just talked about that aggregate and filter traffic to monitoring tools, as well as “taps” that provide visibility into any network link, and virtualized taps or vTaps that eliminate new blind spots created during virtualization.

The Ixia portfolio delivers 100% visibility into the network at speeds up to 100Gbps. No matter what type of traffic you’re running – games, online banking, video streaming, online shopping, automotive Ethernet, and the like – application traffic IS the network, and Ixia visibility solutions help optimize the customer experience in real time, and over time.

Additional Resources:

  • Ixia visibility solutions
  • Ixia NTO solutions
  • Ixia Net Optics taps

Thanks to Ixia for the article.

Network Device Backup is a Necessity with Increased Cyber Attacks


In the past few years cyber-attacks have become far more prevalent, with data, personal records and financial information stolen and sold on the black market in a matter of days. Major companies such as eBay, Domino’s, the Montana Health Department and even the White House have fallen victim to cyber criminals.

Security Breach

The most recent scandal was Anthem, one of the country’s largest health insurers. It recently announced that its systems had been hacked into and over 80 million customers’ records had been stolen. This information ranged from social security numbers and email data to addresses and income details.

Systems Crashing

If hackers can break into your system they can take down your system. Back in 2012 Ulster Bank’s systems crashed; it is still unreported whether it was a cyber-attack or not, but regardless of the cause there was a crisis. Ulster Bank’s entire banking system went down: people couldn’t take money out, pay bills or even pay for food. As a result of this negligence the bank was forced to pay substantial fines.

This could have all been avoided if they had installed a proper Network Device Backup system.

Why choose a Network Device Backup system

If your system goes down you need to find the easiest and quickest way to get it back up and running, this means having an up-to-date network backup plan in place that enables you to quickly swap out the faulty device and restore the configuration from backup.

Techworld ran a survey and found that 33% of companies do not back up their network device configurations.

The reasons why you should have device configuration backups in place are as follows:

  • Disaster recovery and business continuity.
  • Network compliance.
  • Reduced downtime due to failed devices.
  • Quick reestablishment of device configs.
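An added example of what such a backup system does at its core (not NMSaaS’s code): it archives each device’s running configuration only when it has changed, detects drift between the live config and the last backup, and returns the latest verified copy for restore onto a swapped-out device. The device name, the configs and the on-disk layout are constructed.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import List, Optional


def config_digest(config: str) -> str:
    """SHA-256 of the config text; used to spot drift and to verify a backup before restore."""
    return hashlib.sha256(config.encode()).hexdigest()


class ConfigBackupStore:
    def __init__(self, root: Path) -> None:
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)

    def _index(self, device: str) -> Path:
        d = self.root / device
        d.mkdir(exist_ok=True)
        return d / "index.jsonl"          # one JSON line per archived version

    def history(self, device: str) -> List[dict]:
        idx = self._index(device)
        return [json.loads(line) for line in idx.read_text().splitlines()] if idx.exists() else []

    def drift(self, device: str, running_config: str) -> bool:
        """True when the live config no longer matches the most recent backup."""
        hist = self.history(device)
        return bool(hist) and hist[-1]["sha256"] != config_digest(running_config)

    def backup(self, device: str, running_config: str, now: Optional[float] = None) -> dict:
        """Archive a new version only when the config changed since the last backup."""
        digest = config_digest(running_config)
        hist = self.history(device)
        if hist and hist[-1]["sha256"] == digest:
            return {**hist[-1], "changed": False}
        stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
        path = self._index(device).parent / f"{stamp}-{digest[:12]}.cfg"
        path.write_text(running_config)
        meta = {"device": device, "file": path.name, "sha256": digest, "changed": True}
        with self._index(device).open("a") as fh:
            fh.write(json.dumps(meta) + "\n")
        return meta

    def restore_config(self, device: str) -> str:
        """Return the latest archived config for loading onto a replacement device."""
        hist = self.history(device)
        if not hist:
            raise KeyError(f"no backup for {device}")
        text = (self._index(device).parent / hist[-1]["file"]).read_text()
        if config_digest(text) != hist[-1]["sha256"]:
            raise ValueError(f"backup for {device} failed integrity check")
        return text


# Constructed configs: v2 adds a management ACL to v1.  Real backups hold secrets
# (SNMP communities, local passwords), so the archive needs the same access control.
CONFIG_V1 = "hostname edge-rtr-01\ninterface Gi0/1\n ip address 192.0.2.1 255.255.255.0\n"
CONFIG_V2 = CONFIG_V1 + "ip access-list standard MGMT\n permit 10.0.0.0 0.0.0.255\n"


def run_demo() -> dict:
    store = ConfigBackupStore(Path(tempfile.mkdtemp()))
    first = store.backup("edge-rtr-01", CONFIG_V1, now=0)
    again = store.backup("edge-rtr-01", CONFIG_V1, now=3600)   # unchanged: no new version
    drift = store.drift("edge-rtr-01", CONFIG_V2)               # live config has changed
    store.backup("edge-rtr-01", CONFIG_V2, now=7200)
    return {"first_changed": first["changed"], "again_changed": again["changed"],
            "drift_detected": drift, "versions": len(store.history("edge-rtr-01")),
            "restored": store.restore_config("edge-rtr-01")}
```

The drift check doubles as the compliance control the list above mentions: an unexplained change between scheduled backups is either an unrecorded change or a sign that someone else has been on the device.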

It’s evident that increased security is a necessity but even more important is backing up your system. If the crash of Ulster bank in 2012 is anything to go by we should all be backing up our systems. If you would like to learn more about this topic click below.

Thanks to NMSaaS for the article.