October 14, 2022

The Importance of In-Line Network TAPs

 

Your security tools are as good as the data that is put into them.


The effectiveness of any system, including your cloud environment, analytics tools, IPS (Intrusion Prevention System), and IDS (Intrusion Detection System), depends on the information provided to it. It has never been more crucial to know where you are getting your data from and if you are seeing the whole data stream.


Complete visibility into your network traffic is therefore critical. However, it might not be as easy as merely mirroring your traffic to a SPAN port on a switch. Many modern firewalls and switches will, by default, discard or change a large portion of the network traffic that they perceive to be errors. For some applications, this is acceptable and is done to reduce bandwidth and latency. But when it comes to supplying network traffic to security-related applications, all the raw data is needed.


Visibility of fragmented packets is crucial for any security appliance or application, because there is a high possibility that they are a sign that your network is being scanned or fingerprinted. For example, IP fragments might be employed to get TCP packets past firewall filters. Typically, a firewall will attempt to reassemble these packets before forwarding them. Your network security appliance or application should examine this raw traffic, but if you position your network TAP on a switch behind the firewall, you risk missing it. IP fragmentation may also be an indication of an ongoing DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack directed at your network or a device connected to it.
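As an added illustration (not part of the original article), the sketch below shows what a monitoring tool can only do when it receives the raw, un-reassembled traffic: read the IPv4 header of each packet and flag fragments, including the two TCP cases a filter is most likely to misjudge. The function names, labels and sample packets are constructed for this example, and each packet is judged on its own without reassembly.

```python
import struct

TCP = 6
MIN_TCP_HEADER = 20  # bytes; the TCP flags sit inside the first 20 bytes of the segment

def classify_fragment(packet: bytes) -> list:
    """Return findings for one raw IPv4 packet (empty list = not a fragment)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not-ipv4"]
    ihl = (packet[0] & 0x0F) * 4                       # header length in bytes
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    proto = packet[9]
    more_fragments = bool(flags_frag & 0x2000)         # MF bit
    offset = (flags_frag & 0x1FFF) * 8                 # field counts 8-byte units
    if not more_fragments and offset == 0:
        return []                                      # ordinary, unfragmented packet
    findings = ["fragment"]
    if proto == TCP and offset == 0 and total_len - ihl < MIN_TCP_HEADER:
        findings.append("tiny-first-fragment")         # TCP header split across fragments
    if proto == TCP and 0 < offset < MIN_TCP_HEADER:
        findings.append("offset-inside-tcp-header")    # data would land on header bytes
    return findings

def ipv4(proto: int, flags_frag: int, payload_len: int) -> bytes:
    """Build a constructed IPv4 header plus zeroed payload (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return hdr + bytes(payload_len)

# Constructed sample packets, addresses from the documentation ranges.
SAMPLES = {
    "whole":        ipv4(TCP, 0x4000, 40),     # DF set, not fragmented
    "normal-first": ipv4(TCP, 0x2000, 1480),   # MF set, full-size first fragment
    "tiny-first":   ipv4(TCP, 0x2000, 8),      # MF set, only 8 bytes of TCP header
    "offset-1":     ipv4(TCP, 0x0001, 24),     # last fragment at byte offset 8
    "udp-last":     ipv4(17, 0x00B9, 100),     # UDP, last fragment at byte offset 1480
}

def scan(samples: dict) -> dict:
    return {name: classify_fragment(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(f"{name:14} {findings or 'ok'}")
```

A sensor fed from a point where fragments have already been reassembled would see every one of these samples as an ordinary packet, or not at all.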


Critical Role of Network TAPs


So the critical question is: where can I capture all of the data without jeopardizing my network security? The answer is to place network TAPs where a failure would not affect network functionality.


TAPs are independent devices that connect network security and monitoring appliances to network links safely and securely. Network traffic flows into the TAP. A mirror copy of the traffic is then passed on to an appliance that is also connected to ports on the TAP. While the mirror traffic is passed to the appliance, live network traffic continues to pass back into the network without significant delay. TAPs also provide network fail-safe technology which will keep network traffic flowing even if power to the TAP or connected appliance is lost. Therefore, multiple security appliances can safely be connected to links using TAPs without impacting the reliability or availability of the live network.


The Inline tool is monitored with heartbeats

TAPs can be deployed out-of-band or in-line. Monitoring appliances generally use out-of-band mode which, as noted above, sends a mirror copy of the data to the appliance for analysis but does not interact with live data. Deploying TAPs in-line means that live data travels from the TAP through the appliance and then back into the live network. This method allows security appliances to interact in real-time with live data allowing the appliance to immediately isolate and block malware before damage is done to the network. In-line TAPs automatically bypass an appliance if it is taken offline for any reason. This feature keeps live traffic flowing even if an appliance is down simplifying maintenance windows and troubleshooting.


Advanced features that are found in intelligent TAPs offer aggregation, filtering, and port mapping. These features also provide economic efficiencies allowing flexibility in determining traffic flows to the appliances. By aggregating underutilized links, appliances can support multiple links providing CAPEX savings. Filtering unneeded traffic also lessens the traffic burden on appliances allowing more efficient operation and faster response times to threats. Port mapping provides a simple method of directing traffic from the TAP to the appliance and back into the network.



When developing a network protection strategy, it is important to deploy the right monitoring and security appliances. It is critical, however, to include TAPs in the architecture plan from the beginning. Appliance connectivity with TAPs will allow maximum protection and budget discipline without compromising network reliability or availability. To learn more about network monitoring and visibility, contact Network Critical’s expert team at networkcritical.com

October 12, 2022

5 Things To Do With Your NetAlly Aircheck and General WiFi checks

While working on site, a client was impressed with all the ‘quick’ things I did with my various tools. He then commented that I should write some of my tips and tricks up. At first, I thought I already do that, but then realized that I haven’t done it for all of my tools.

So here you go, some tips and tricks for using the NetAlly Aircheck G2.



October 10, 2022

Wi-Fi Survey Overview

 I have received a lot of emails expressing interest in Wi-Fi site surveys. Everything from outdoor point to point, factories, and of course, office environments.


I thought I would start with a brief overview and then put out more specific articles later.

What I found interesting about the emails I received was the common theme where people said “I just want to figure out how to do it without getting bogged down with the technical stuff.”


In this and the following videos, I will focus on how to do it, and tips/tricks along the way. I agree that a lot of people get paralyzed with fear because they think they have to overanalyze everything from the get-go.


Enjoy the first video and keep the feedback coming.



October 05, 2022

Wireshark 4.0.0 Simple Layout Fix

Those of you who do not use Wireshark regularly and just upgraded to version 4 will notice that the default layout has been changed from the ‘stacked’ view to the 1x2 display.

I figured I would show you how to put it back if you prefer the old format.



October 03, 2022

WiFi Ghosts

 I like a catchy title and I figured since Halloween is around the corner, why not? 😉


It drives me crazy when I see people randomly rebooting everything when things go wrong. When possible, I prefer to do a bit of homework to at least try and identify the device causing, or having the issue. Without this vital piece of information, you will never get to the bottom of chronic network issues.


I’ve seen technicians walk over to a rack or cabinet and literally pull the power to everything in it as a last ditch attempt to ‘resolve’ the issue. All I can say is “Yikes!!”


In this video I show you some odd WiFi behavior my client was experiencing. Before we rebooted anything, we took a moment to at least try and single out which device was having the issue.


Watch what happens and enjoy.


