
Secure and Enhance Network Topology - Intrusion Detection and Prevention Systems

By: Yigal Amram, October 29, 2018

What Network IDS/IPS Can Do For You

An IDS (intrusion detection system) and an IPS (intrusion prevention system) are usually deployed together as a network intrusion detection and prevention system, commonly abbreviated IDPS. The IDS is the more limited of the two, because its sole role is to detect. It typically watches a copy of the traffic (from a TAP or a mirror/SPAN port), so when it spots a potential intrusion all it can do is alert an IT administrator or the security team. They then take it from there: triggering a procedure to contain the breach and remove the attacker, or at least to minimize the damage to the network, and afterwards taking steps to prevent a recurrence.

First-generation IDS relied predominantly on packet capture and signature matching against known attack patterns. Next-generation IDS use a much broader set of detection techniques, including application awareness, NetFlow analysis, threat intelligence, protocol analysis and more.

Packet capture is comparable to a telephone wiretap: it records everything that passes through the monitored link. Its main purpose is to record and store complete packets for forensics, so that IT or the network manager can troubleshoot any problem that appears and reconstruct what actually happened.

An IPS, on the other hand, also detects potential threats, but because it sits inline in the traffic path it can enforce built-in policies to contain them and stop them from moving further into the network. It does this by dropping the offending packet from the flow, sending an alert and storing the packet for later review and analysis. The trade-off is that an inline device becomes a point of failure and added latency, and a false positive now blocks legitimate traffic instead of merely raising an alert.
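To make the distinction concrete, here is an added example (not code from this page, Niagara Networks or Quantea) of a minimal signature-based sensor in Python that can run either as a passive IDS or as an inline IPS. The packets, the three signatures and the `Packet`/`Sensor` classes are constructed for the illustration; note how the TLS packet passes untouched in both modes because its payload is opaque to a content match.

```python
"""Signature-based sensor in IDS (alert only) or IPS (inline drop) mode.

Added illustration, not vendor code. Packets are small dataclasses standing
in for decoded frames; signatures are content matches restricted to a
protocol and destination port.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


@dataclass
class Signature:
    sid: int
    msg: str
    proto: str
    dport: Optional[int]      # None means any port
    content: bytes

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return self.content in pkt.payload


@dataclass
class Verdict:
    action: str               # "pass", "alert" (IDS) or "drop" (IPS)
    sid: Optional[int] = None


class Sensor:
    """mode="ids": sees a copy of the traffic, so it can only raise an alert.
    mode="ips": sits inline, so it drops the packet and keeps a copy for review."""

    def __init__(self, signatures: List[Signature], mode: str = "ids"):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.signatures = signatures
        self.mode = mode
        self.alerts: List[Dict] = []
        self.quarantine: List[Packet] = []   # dropped packets, stored for later analysis
        self.forwarded: List[Packet] = []    # what the protected host actually received

    def process(self, pkt: Packet) -> Verdict:
        for sig in self.signatures:
            if sig.matches(pkt):
                self.alerts.append({"sid": sig.sid, "msg": sig.msg,
                                    "src": pkt.src, "dst": pkt.dst})
                if self.mode == "ips":
                    self.quarantine.append(pkt)
                    return Verdict("drop", sig.sid)
                # IDS: the real packet already went through on the live link
                self.forwarded.append(pkt)
                return Verdict("alert", sig.sid)
        self.forwarded.append(pkt)
        return Verdict("pass")


# Constructed signatures (sids are arbitrary, not real Snort/Suricata rule ids)
SIGNATURES = [
    Signature(1000001, "HTTP path traversal attempt", "tcp", 80, b"../../"),
    Signature(1000002, "SQL injection probe", "tcp", 80, b"' OR 1=1"),
    Signature(1000003, "Telnet login banner", "tcp", 23, b"login:"),
]

# Constructed traffic sample
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.7", "192.0.2.10", 80, "tcp", b"GET /../../etc/passwd HTTP/1.1\r\n"),
    # TLS record: the encrypted payload is opaque to a content match, so it always passes
    Packet("10.0.0.9", "192.0.2.11", 443, "tcp", b"\x17\x03\x03\x00\x20" + bytes(32)),
    Packet("10.0.0.7", "192.0.2.10", 80, "tcp", b"GET /login?u=a' OR 1=1-- HTTP/1.1\r\n"),
]


def run(mode: str):
    """Feed the sample through a sensor; returns the verdict list and the sensor."""
    sensor = Sensor(SIGNATURES, mode)
    verdicts = [sensor.process(p).action for p in SAMPLE]
    return verdicts, sensor


if __name__ == "__main__":
    for m in ("ids", "ips"):
        v, s = run(m)
        print(m, v, "alerts:", len(s.alerts), "forwarded:", len(s.forwarded))
```

In IDS mode both malicious requests are alerted on but still reach the server (four packets forwarded); in IPS mode they are dropped and quarantined, and only two packets reach it. The same signature set yields the same alerts either way; only the enforcement differs.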

Network Monitoring and Network Analysis - A Winning Combination

Network monitoring consists of scanning the network for key indicators of health and performance, for example traffic levels and the endpoints of each flow. Network analysis is the second key component of an IDS/IPS deployment, and its purpose differs from that of traditional monitoring: it looks deeper into the individual packets to inspect their contents, establish the access level of each server and determine who is accessing a given server. Comprehensive analysis requires two things: 1) pervasive visibility, so that as much of the traffic as possible is actually being collected, and 2) a scalable, quickly accessible storage repository that holds all of that data for fast retrieval and thorough analysis.

After all, network forensics cannot be carried out systematically and in depth if the network lacks a storage system scalable enough to retain the collected data. If the data was never collected, an anomaly flagged by the detection mechanism (the IDS) cannot be investigated, and you are left waiting for the abnormality to reappear before you can do anything about it.
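As an added example (not part of the original post), the following Python shows the monitoring view and the analysis view side by side over a constructed packet sample: the first aggregates packets into flow records and top talkers, the second maps which clients touched which services on each server and flags any client that touched several services on one server. The sample packets, the threshold and the function names are assumptions made for the illustration.

```python
"""Flow-level monitoring versus per-server access analysis.

Added illustration, not vendor code. Each packet is a constructed tuple of
(timestamp, src_ip, dst_ip, dst_port, proto, bytes).
"""
from collections import defaultdict

# Constructed sample: one HTTPS download, one SSH session, two DNS queries,
# and one client probing several services on the same server.
PACKETS = [
    (1.0, "10.0.0.5", "192.0.2.10", 443, "tcp", 517),
    (1.2, "10.0.0.5", "192.0.2.10", 443, "tcp", 1460),
    (1.3, "10.0.0.5", "192.0.2.10", 443, "tcp", 1460),
    (2.0, "10.0.0.7", "192.0.2.10", 22, "tcp", 80),
    (2.1, "10.0.0.7", "192.0.2.10", 22, "tcp", 1200),
    (3.0, "10.0.0.9", "192.0.2.11", 53, "udp", 64),
    (3.1, "10.0.0.9", "192.0.2.11", 53, "udp", 64),
    (4.0, "10.0.0.7", "192.0.2.10", 3389, "tcp", 60),
    (4.1, "10.0.0.7", "192.0.2.10", 445, "tcp", 60),
    (4.2, "10.0.0.7", "192.0.2.10", 1433, "tcp", 60),
]


def build_flows(packets):
    """Monitoring view: aggregate packets into flow records keyed by
    (src, dst, dst_port, proto), tracking packet/byte counts and timing."""
    flows = {}
    for ts, src, dst, dport, proto, size in packets:
        key = (src, dst, dport, proto)
        rec = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        rec["packets"] += 1
        rec["bytes"] += size
        rec["last"] = ts
    return flows


def top_talkers(flows, n=2):
    """Monitoring view: sources ranked by bytes sent."""
    by_src = defaultdict(int)
    for (src, _, _, _), rec in flows.items():
        by_src[src] += rec["bytes"]
    return sorted(by_src.items(), key=lambda kv: -kv[1])[:n]


def server_access(flows):
    """Analysis view: for each server, which clients touched which services."""
    access = defaultdict(lambda: defaultdict(set))
    for (src, dst, dport, proto), _ in flows.items():
        access[dst][src].add((proto, dport))
    return access


def flag_service_sweeps(access, threshold=3):
    """A client touching >= threshold distinct services on one server is an
    anomaly worth pulling the stored packets for (threshold is an assumption)."""
    return [(client, server, sorted(port for _, port in services))
            for server, clients in access.items()
            for client, services in clients.items()
            if len(services) >= threshold]


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print("flows:", len(flows), "top talkers:", top_talkers(flows))
    print("sweeps:", flag_service_sweeps(server_access(flows)))
```

The flow view alone would show 10.0.0.7 as an unremarkable second-place talker; only the per-server access view reveals that it touched SSH, RDP, SMB and MSSQL on the same host, which is the point at which an analyst wants the full packets, not just the counters.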

Quantea’s QP Contribution

Quantea, an emerging leader in real-time network monitoring and analysis, has recently begun collaborating with Niagara Networks on a highly scalable traffic monitoring, full-packet recording and analysis solution that delivers visibility across a wide range of network deployments and applications. An added bonus is the ability to filter and replay historic network data and to analyze and track any anomalies.

Maintaining searchable network traffic records has traditionally been a challenge because of cost, complexity and a lack of analytics able to inspect terabytes (or even petabytes) of data; the combined offering from the two leaders in their respective fields provides a viable way to meet these and similar challenges.

In addition, being able to monitor, record, and analyze large amounts of network traffic across the enterprise or service provider network typically requires multiple network analyzers placed separately in different networks. By connecting a Niagara Networks system to a Quantea QP device, different areas of the network can be easily monitored and recorded. With Niagara systems’ high port density, expanding coverage of network links to be monitored and recorded can be easily accomplished with all of the traffic seamlessly stored in the QP system.

The Niagara Networks system can also mirror or bypass traffic in the event of a network failure in order to ensure that the QP system captures network traffic seamlessly without interruptions. The Quantea QP device also acts as a Network Attached Storage (NAS) appliance, offering network administrators significant flexibility in connecting network capture infrastructure to a storage warehouse or content management platform for storing large amounts of PCAP records. This joint solution allows a flexible network recording platform, leveraging the power of Niagara’s packet broker and Quantea’s ability to store and process large amounts of PCAP data.

Niagara Networks products (bypass and multi-function chassis, among others) can flexibly direct traffic to tools such as an inline IPS and, together with Quantea's QP system, allow potentially huge volumes of captured traffic to be used for:

  • Network forensics and auditing (including GDPR compliance)
  • Measuring data flow and resource usage (high versus low)
  • Comprehensive analysis to separate false positives from real threats
  • Tracing events such as possible firewall breaches by examining specific time slots and timelines

Together, Quantea and Niagara Networks offer a cost-effective, highly scalable network monitoring and recording solution that addresses key IDPS challenges.

The Packetron Promise

However, since network traffic is more often than not encrypted, an IDPS cannot inspect the payload of most of what it sees: the packets are captured, but their contents are opaque, and the same applies to any forensic tool working on the data the Quantea solution stores. What remains visible on an encrypted flow is its metadata (addresses, ports, packet sizes and timing, and for TLS the unencrypted handshake fields such as the server name indication); inspecting the payload itself requires a decryption point, meaning either access to the session keys or a device that terminates the TLS session.

To address this, Niagara Networks packet broker solutions include an integrated packet processor, the Packetron: our offload processing engine, delivered as an open-system packet processor module for the N2 modular multi-purpose visibility node. With the Packetron, an organization can run its own software, such as SSL/TLS decryption, directly on the packet broker hardware and benefit from the broker's flexibility. For example, the host NPB's L5 filtering, replication, aggregation and load-balancing capabilities ensure that only relevant traffic reaches the custom software on the Packetron module, which keeps the deployment efficient and cost-effective.

Packetron's network functions include deduplication and packet slicing, which reduce overhead and offload processing from attached tools such as the Quantea QP. Packet slicing also ensures that only the required part of each packet is forwarded to storage, improving storage efficiency; the trade-off is that anything beyond the snap length is gone for later forensic analysis, so the slice point must be chosen with the intended analysis in mind. As part of the Packetron's open architecture model, Quantea QP can itself run on the Packetron module for maximum deployment flexibility.
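The full-packet capture described earlier and the slicing and deduplication described here, as an added example that is not Niagara's or Quantea's code: a small Python recorder that builds a few Ethernet/IPv4/TCP frames in memory, drops a duplicate seen within a short time window (as happens when two mirror ports deliver the same packet), truncates each frame to a snap length and writes the result in the classic libpcap file format, then reads it back. The frames, timestamps, 96-byte snap length and 0.5 s dedup window are constructed values.

```python
"""PCAP recording with deduplication and packet slicing (added illustration).

Frames are constructed in memory; checksums are left zero because nothing
here validates them. Output follows the classic libpcap layout: a 24-byte
global header followed by 16-byte per-packet headers.
"""
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap, little-endian
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame: 14 + 20 + 20 byte headers + payload."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def pcap_header(snaplen: int) -> bytes:
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(ts: float, frame: bytes, snaplen: int) -> bytes:
    """Per-packet header: ts_sec, ts_usec, incl_len (after slicing), orig_len."""
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    sliced = frame[:snaplen]              # packet slicing happens here
    return struct.pack("<IIII", sec, usec, len(sliced), len(frame)) + sliced


class Recorder:
    def __init__(self, snaplen: int = 96, dedup_window: float = 0.5):
        self.snaplen = snaplen
        self.window = dedup_window
        self._recent = {}                 # sha256(frame) -> last timestamp seen
        self.dropped_dupes = 0
        self.count = 0
        self.buf = bytearray(pcap_header(snaplen))

    def write(self, ts: float, frame: bytes) -> bool:
        """Returns True if the frame was recorded, False if dropped as a duplicate."""
        digest = hashlib.sha256(frame).digest()
        last = self._recent.get(digest)
        if last is not None and ts - last <= self.window:
            self.dropped_dupes += 1
            return False
        self._recent[digest] = ts
        self.buf += pcap_record(ts, frame, self.snaplen)
        self.count += 1
        return True


def read_pcap(data: bytes):
    """Parse pcap bytes into (timestamp, original_length, captured_bytes) tuples."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    off, records = 24, []
    while off < len(data):
        sec, usec, incl, orig = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((sec + usec / 1e6, orig, data[off:off + incl]))
        off += incl
    return records


def demo():
    """Record a 470-byte HTTP request (sliced), its mirror-port duplicate (dropped),
    a short SSH banner (fits within snaplen) and a later retransmit (kept)."""
    frame_a = build_frame("10.0.0.5", "192.0.2.10", 40000, 80,
                          b"GET /" + b"A" * 400 + b" HTTP/1.1\r\n")
    frame_b = build_frame("10.0.0.7", "192.0.2.10", 40001, 22, b"SSH-2.0-OpenSSH\r\n")
    rec = Recorder(snaplen=96, dedup_window=0.5)
    t0 = 1_700_000_000.0                 # constructed epoch timestamp
    rec.write(t0, frame_a)
    rec.write(t0 + 0.001, frame_a)       # same frame from a second SPAN port: dropped
    rec.write(t0 + 0.010, frame_b)
    rec.write(t0 + 2.0, frame_a)         # outside the window: a genuine retransmit, kept
    return rec, read_pcap(bytes(rec.buf))


if __name__ == "__main__":
    recorder, records = demo()
    print("recorded:", recorder.count, "dupes dropped:", recorder.dropped_dupes)
    for ts, orig, captured in records:
        print(f"{ts:.6f} orig={orig} captured={len(captured)}")
```

The resulting bytes are a valid pcap file that tcpdump or Wireshark can open; each record header keeps the original length, so an analyst can see how much was sliced away even though those bytes are gone. Production deduplication usually hashes only selected header fields and ignores values that legitimately differ between two copies of the same packet, such as MAC addresses or TTL; hashing the whole frame, as here, is the simplest form and will miss duplicates that crossed a router between the two capture points.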

Summary

Securing the network, coping with ever-growing volumes of network data and verifying that the data complies with regulatory requirements all call for the right combination of tools. Combining the strengths of Niagara Networks and Quantea into one integrated, powerful security system delivers a high level of network security and visibility.

The IDS/IPS monitoring and collection mechanisms ensure that packets are captured and stored as completely as possible. The resulting repository of network data can then be accessed as required, and a deep and thorough forensic analysis undertaken to keep the network robust, stable and protected from unwanted intrusion. Introducing the Packetron further empowers network IT with an open-system architecture, future-proofing the deployment by allowing best-of-breed third-party performance and security applications to be added.