Organizations across nearly all industries are strengthening their network security posture so that they can detect anomalies promptly and respond appropriately. When choosing a network threat detection and response solution, the key question that arises is: "Where should we capture traffic to achieve complete visibility?"
Network detection and response (NDR) and network monitoring systems analyze raw network packets to detect anomalies in the network. So, naturally, getting the right network data from the critical points in the infrastructure is the first question that needs to be answered: an analysis engine can only see what the capture points feed it.
An organization has many paths through which packets traverse the network, both within and beyond its own infrastructure. This traffic can be users accessing outside services not hosted in the infrastructure, users accessing services hosted within the infrastructure, user-to-user communication, or chatter between the services in the infrastructure themselves.
So where should one start? What should be investigated first and built on? Every organization has different objectives for robust network security and monitoring, but some general guidelines can be followed to make headway toward comprehensive visibility.
The first and most important traffic in almost all of the organizations we have worked with is north-south traffic. This is the data that crosses the so-called infrastructure perimeter in either direction: leaving the network for services hosted in a cloud infrastructure or on the internet, or entering it from outside. Because this data traverses the perimeter of the network, visibility into it is the highest priority, since malicious traffic arrives from outside the network. Attackers trying to gain access to the network, scanning it, delivering malware or ransomware, and the other colors in the spectrum of anomalies all try to get hold of the network from outside, unless the malicious actor is already sitting inside it.
To gain visibility into this data, packets need to be captured close to the exit point of the network. This critical point could be at the core switch, between the core and the external firewalls, or between the core switch and the distribution layer. One way to capture this traffic without loss is a dedicated TAP (test access point) solution. TAPs are dedicated hardware or software devices that copy both the transmit and receive sides of a link, such as Niagara Networks' 3255 passive tap. Because a passive TAP copies every frame on the link regardless of switch load or configuration, it ensures that traffic is captured all the time and no blind spots are created in the network detection and response solution, blind spots that would otherwise leave security analysts frustrated and without answers.
After the north-south traffic is captured, the second step should be to gain visibility into traffic going from users to services hosted inside the infrastructure, or between users. Often, a malicious actor will gain access to a service inside the infrastructure and pivot from that compromised service to other services or to internal users, or the reverse, from a compromised user machine to a service. Complete visibility into such traffic gives network security systems insight into user-to-service communication and lets them watch for any unwanted activity.
Capture points could be at the boundary between the user segment and the service segment for user-to-service communication, and at the distribution layer for user-to-user communication. The Niagara Networks 3225 passive tap could be placed at such boundaries to capture user-to-service traffic and gain complete visibility.
The third level of interaction that needs to be monitored is service-to-service or application-to-application traffic. Once one service or application is compromised, pivoting becomes the malicious actor's next step. With virtualized services, machine-to-machine communication often never leaves the physical boundaries of the server hardware, so a physical TAP or a switch port never sees it.
To gain visibility into such virtualized and micro-service environments, a software-based tapping solution (a virtual TAP, or VTAP) like Niagara Networks CloudRay can be used. VTAPs are lightweight virtual machines or agents that capture the traffic inside the virtual environment and provide complete visibility into machine-to-machine communication.
Services hosted outside the infrastructure, in a public cloud computing infrastructure, are another critical area to be monitored. Some cloud computing vendors do provide some visibility into the traffic going in and out of those environments, but organizations often find it difficult to tie that data into their own network security and monitoring solutions. Using a dedicated virtual tap like Niagara Networks CloudRay helps organizations capture the raw data packets in full and forward them to their existing network security monitoring solutions, thus gaining complete visibility.
Looking at only one type of traffic gives a very incomplete picture of what is going on inside an infrastructure, whether in the private data center or the public cloud. Robust visibility and network security require careful planning of where traffic traversing the network is captured. That planning ensures that the security analyst has a 360-degree view of the infrastructure, and that the network security monitoring systems can contextualize information correctly and report meaningful behavioral trends.
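The placement plan above (perimeter, user-to-service boundary, distribution layer, hypervisor VTAP, cloud VTAP) can be sanity-checked before hardware is ordered by classifying the flows you expect to see and asking which classes a given set of capture points leaves blind. The script below is an added example written for this article; it is not Niagara Networks code. The address plan, the mapping of capture points to traffic classes, and the flow records are all constructed for illustration, and the class names follow the article's own categories.

```python
"""Traffic-class coverage check for TAP placement planning.

Added example, not from the original article. The address plan, the
capture-point mapping and the flow records are constructed (hypothetical).
"""
import ipaddress
from collections import Counter

# Constructed address plan (hypothetical).
ZONES = {
    "user": [ipaddress.ip_network("10.10.0.0/16")],
    "service": [ipaddress.ip_network("10.20.0.0/16")],
    "cloud": [ipaddress.ip_network("172.31.0.0/16")],  # hypothetical VPC range
}

# Assumed mapping of each capture point from the article to the traffic
# class it observes.
CAPTURE_POINTS = {
    "perimeter-tap": {"north-south"},            # core <-> external firewall
    "user-service-tap": {"user-to-service"},     # user segment <-> service segment
    "distribution-tap": {"user-to-user"},        # distribution layer
    "hypervisor-vtap": {"service-to-service"},   # VM-to-VM traffic on one host
    "cloud-vtap": {"cloud-internal"},            # traffic inside the public cloud
}


def zone(ip: str) -> str:
    """Map an address to a zone name; anything routable is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet" if addr.is_global else "unknown-internal"


def classify(src: str, dst: str) -> str:
    """Classify a flow into one of the article's traffic classes."""
    pair = {zone(src), zone(dst)}          # direction-agnostic
    if "internet" in pair:
        return "north-south"
    if pair == {"cloud"}:
        return "cloud-internal"
    if "cloud" in pair:
        return "north-south"               # on-prem <-> cloud crosses the perimeter
    if pair == {"user", "service"}:
        return "user-to-service"
    if pair == {"user"}:
        return "user-to-user"
    if pair == {"service"}:
        return "service-to-service"
    return "unclassified"


# Constructed flow records: (src, dst, bytes). Not real data.
FLOWS = [
    ("10.10.1.5", "8.8.8.8", 1200),        # user -> internet DNS
    ("1.1.1.1", "10.20.3.7", 650),         # inbound internet -> internal service
    ("10.10.1.5", "10.20.3.7", 48000),     # user -> internal web service
    ("10.10.1.5", "10.10.2.9", 900),       # user -> user file share
    ("10.20.3.7", "10.20.3.8", 310000),    # service -> service on the same host
    ("10.20.3.8", "172.31.5.4", 22000),    # service -> cloud-hosted API
    ("172.31.5.4", "172.31.6.2", 5100),    # cloud-internal
]


def coverage(flows, deployed):
    """Return (seen, blind) Counters of flows per class for the deployed taps."""
    visible = set().union(*(CAPTURE_POINTS[p] for p in deployed))
    seen, blind = Counter(), Counter()
    for src, dst, _ in flows:
        cls = classify(src, dst)
        (seen if cls in visible else blind)[cls] += 1
    return seen, blind


def blind_classes(flows, deployed):
    """Sorted list of traffic classes no deployed capture point observes."""
    return sorted(coverage(flows, deployed)[1])


if __name__ == "__main__":
    for step in (["perimeter-tap"],
                 ["perimeter-tap", "user-service-tap", "distribution-tap"],
                 list(CAPTURE_POINTS)):
        seen, blind = coverage(FLOWS, step)
        print(f"{step}: seen={dict(seen)} blind={dict(blind)}")
```

Running it shows that a perimeter tap alone sees the three flows that cross the perimeter and misses every other class, and that only the full set of capture points leaves no blind class. In practice the flow records would come from NetFlow/IPFIX exports or firewall logs rather than a hard-coded list, and the address plan from the organization's IPAM.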
Summary: Niagara Networks TAP Solution
Flexible and Multi-Purpose Offering for Critical Capture Points and Complete Network Visibility
---
Niagara Networks is an industry specialist in network visibility, providing advanced network solutions for the specific needs of individual enterprises and of large, complex national networks.
Don't leave your network vulnerable to security threats. Schedule a consultation with one of our network visibility experts today to evaluate your network visibility challenges.