Network Packet Broker for Cyber Security
What Is a Network Packet Broker?
Keeping networks safe and users thriving amid the relentless flux requires a host of sophisticated tools performing real-time analysis. Your monitoring infrastructure might feature network packet and application performance monitors, data recorders, and traditional network analyzers.
Your defenses might leverage firewalls, intrusion prevention systems (IPS), data loss prevention (DLP), anti-malware, and other point solutions.
However specialized security and monitoring tools may be, they all have two things in common:
• They need to know exactly what is happening in the network
• Their output is only as good as the data they receive
Ideally, a company would monitor 100% of its network with security and monitoring tools. In reality, this is not always the case.
A 2018 survey conducted by Enterprise Management Associates (EMA) found that the majority of enterprises monitor less than 70% of their networks [1]. When asked why they do not monitor 100% of their networks, the top response (38%) from IT professionals was “network complexity”.
This feedback equates to having blind spots in the network, and ultimately, to wasted effort, redundant cost, and a higher risk of being hacked.
To avoid waste and blind spots, start by collecting data about what is taking place across your network. Network taps and mirror ports on network equipment, also known as switched port analyzer (SPAN) ports, create access points for capturing traffic for analysis.
This can be considered the “easy part.” The real challenge lies in efficiently funneling network packet data to each tool that needs it. If you only have a few network segments and relatively few analysis tools, the two may be connected directly.
More often, 1:1 connections pose a management nightmare that becomes unwieldy, if not logistically impossible, as the network grows. Ports on high-end analysis tools, such as firewalls, may also be in even shorter supply, and it is critical not to overtax devices to the point of compromising performance.
Why Do I Need NPBs?
NPBs reside between the taps and SPAN ports that access network data and the sophisticated security and monitoring tools that typically reside in data centers.
Network packet brokers do just what their name says: they broker network packet data to ensure every analysis tool sees exactly the data it needs to perform at the highest possible level.
The NPB adds an increasingly critical layer of intelligence—one that reduces cost and complexity to help you achieve the following:
Better data for better decisions
A fabric of packet brokers with advanced filtering capabilities serves to organize and streamline data for your monitoring, performance, and security tools.
It is hard to stop threats when you do not see them coming. NPBs work to assure that your firewalls, IPSs, and other defenses see exactly the right data, all of the time.
Faster problem resolution
Zeus Kerravala, the principal analyst at ZK Research, observes, “Problem identification is IT’s biggest challenge.” Identifying that there is, in fact, an issue consumes up to 85% of the mean time to repair (MTTR).
Downtime is money, and starting down the wrong path can have devastating effects for your business. Context-aware filtering provided by NPBs helps you detect and determine the root cause of issues faster by introducing advanced application intelligence.
The use of metadata, provided through NetFlow by intelligent NPBs, also aids in accessing the empirical data used to manage bandwidth usage, trending, and growth. That prevents problems from occurring in the first place.
Better return on investment (ROI)
Intelligent NPBs do not merely aggregate traffic from monitoring points the way a switch might. They filter and groom data to enhance the utilization and productivity of security and monitoring tools.
With only relevant traffic to process, they help improve tool performance, reduce congestion, minimize false positives, and achieve better coverage using fewer devices.
What exactly does the NPB do?
Conceptually, aggregating, filtering, and delivering data sounds simple. In practice, intelligent NPBs perform sophisticated functions to produce exponentially higher efficiency and security gains.
One way they do this is by load balancing traffic. For example, if you upgrade your data center network from 1Gbps to 10Gbps, 40Gbps, or higher, NPBs can downshift speeds.
That allows you to distribute high-speed traffic across a pool of existing lower-speed 1G or 2G monitoring tools for analysis.
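One way a broker can spread traffic across a pool of tools, as an added example that is not from the original article or from any vendor's implementation. It hashes each flow's 5-tuple symmetrically so both directions of a session reach the same tool, and uses rendezvous hashing so removing one tool moves only that tool's flows; the tool names and the flow-aware policy are assumptions.

```python
import hashlib
import ipaddress
from collections import Counter

TOOLS = ["ids-1g-a", "ids-1g-b", "ids-1g-c", "ids-1g-d"]  # hypothetical tool ports

def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key: order the two endpoints so A->B equals B->A."""
    a = (ipaddress.ip_address(src_ip).packed, src_port)
    b = (ipaddress.ip_address(dst_ip).packed, dst_port)
    lo, hi = sorted((a, b))
    return (lo[0] + lo[1].to_bytes(2, "big") +
            hi[0] + hi[1].to_bytes(2, "big") + bytes([proto]))

def pick_tool(key, tools=TOOLS):
    """Rendezvous hashing: the flow goes to the tool with the highest score,
    so a tool leaving the pool only relocates the flows it was serving."""
    return max(tools, key=lambda t: hashlib.sha256(t.encode() + key).digest())

def constructed_flows(n):
    """Constructed sample: n TCP client flows to one HTTPS server."""
    return [(f"10.0.{i // 250}.{i % 250 + 1}", 20000 + i, "192.0.2.10", 443, 6)
            for i in range(n)]

def distribute(flows, tools=TOOLS):
    """Count how many flows each tool would receive."""
    return Counter(pick_tool(flow_key(*f), tools) for f in flows)

if __name__ == "__main__":
    print(distribute(constructed_flows(4000)))
```

A per-packet round-robin would balance load just as evenly but would split each session across tools, which breaks stream reassembly in an IDS.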
This extends the value of your existing monitoring investments and avoids costly rip-and-replace upgrades as you migrate. Other powerful features and functions the NPB performs include the following:
Deduplicating redundant network packets
Analysis and security tools stand to receive a slew of duplicate packets as multiple taps forward traffic. NPBs can eliminate duplicates to keep tools from wasting processing capacity by handling redundant data.
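How window-based deduplication can work, as an added example that is not code from the original article or from any product. It assumes a 50 ms window and treats two frames as the same packet when their IPv4 contents match after ignoring fields a router rewrites (Ethernet header, TTL, header checksum); the names and sample frames are constructed.

```python
import hashlib
import struct
from collections import OrderedDict

WINDOW_S = 0.050  # assumed dedup window in seconds

def fingerprint(frame):
    """Hash the IPv4 packet with hop-variant fields neutralised."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return hashlib.sha256(frame).digest()   # non-IPv4: hash the whole frame
    ip = bytearray(frame[14:])                  # skip Ethernet header (MACs change per hop)
    ip[8] = 0                                   # TTL is decremented by routers
    ip[10:12] = b"\x00\x00"                     # header checksum changes with TTL
    return hashlib.sha256(ip).digest()

class Deduplicator:
    def __init__(self, window=WINDOW_S):
        self.window, self.seen = window, OrderedDict()

    def accept(self, ts, frame):
        """Return True to forward the frame, False if it is a duplicate.
        Timestamps are assumed to be non-decreasing."""
        while self.seen and next(iter(self.seen.values())) < ts - self.window:
            self.seen.popitem(last=False)       # expire fingerprints outside the window
        fp = fingerprint(frame)
        if fp in self.seen:
            return False
        self.seen[fp] = ts
        return True

def make_frame(src_mac, dst_mac, ttl, payload):
    """Constructed Ethernet/IPv4/UDP frame between documentation addresses."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, ttl, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    hdr = hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + hdr + udp

def run_demo():
    a = make_frame(b"\x02" * 6, b"\x04" * 6, 64, b"query-1")  # seen at tap A
    b = make_frame(b"\x06" * 6, b"\x08" * 6, 63, b"query-1")  # same packet one hop later, tap B
    c = make_frame(b"\x02" * 6, b"\x04" * 6, 64, b"query-2")  # a different packet
    d = Deduplicator()
    return [d.accept(0.000, a), d.accept(0.002, b), d.accept(0.003, c), d.accept(0.200, a)]
```

The last frame is forwarded again because it arrives outside the window, so a genuine retransmission is not hidden from the tools.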
Secure Sockets Layer (SSL) encryption is the standard technology used to safely send private information. However, hackers can hide cyberthreats in encrypted packets.
Decryption is necessary to inspect this data, but unraveling code takes valuable processing power. Leading packet brokers can offload decryption from security tools to ensure total visibility while easing the burden on high-cost resources.
SSL decryption leaves data visible to anyone with access to security and monitoring tools. NPBs can mask personally identifiable information such as credit card and Social Security numbers, protected health information, and other sensitive data, before passing it on. That means tools and their administrators cannot see it.
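The masking step described above, as an added example that is not from the original article or from any product. It masks Social Security numbers fully and card numbers except the last four digits, and uses the Luhn checksum to avoid rewriting other long numbers; keeping the last four digits, the patterns, and the sample payload are assumptions made for this illustration.

```python
import re

# 13-19 digits with optional single space or hyphen separators, not part of a longer number.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum over ASCII digit bytes; filters out most non-card numbers."""
    total = 0
    for i, c in enumerate(reversed(digits)):
        d = c - 48                               # ASCII digit to integer
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_card(match):
    """Replace all but the last four digits with 'X', keeping separators."""
    raw = match.group(0)
    digits = bytes(c for c in raw if 48 <= c <= 57)
    if not luhn_ok(digits):
        return raw                               # order IDs, timestamps, etc. stay intact
    out, seen = bytearray(), 0
    for c in raw:
        is_digit = 48 <= c <= 57
        out.append(88 if is_digit and seen < len(digits) - 4 else c)  # 88 = "X"
        seen += is_digit
    return bytes(out)

def mask_payload(payload):
    """Length-preserving masking of card numbers and SSNs in a decrypted payload."""
    payload = CARD_RE.sub(mask_card, payload)
    return SSN_RE.sub(b"XXX-XX-XXXX", payload)

# Constructed sample: a test card number, a well-known invalid SSN, and an order ID.
SAMPLE = (b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
          b"card=4111 1111 1111 1111&ssn=078-05-1120&order=1234567890123456")

if __name__ == "__main__":
    print(mask_payload(SAMPLE).decode())
```

Because the replacement preserves length, TCP sequence numbers and length fields stay valid; the transport checksum still has to be recomputed after masking.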
Protocol header stripping
An NPB may strip out protocol headers such as VLAN, VXLAN, and L3VPN, allowing tools to receive and process the packet data without these encapsulation headers. Context-aware visibility helps in spotting rogue applications running on your network and the footprints attackers leave as they work their way through your systems and networks.
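Header stripping for two of the encapsulations named above (stacked VLAN tags and VXLAN over IPv4), as an added example that is not from the original article or from any product. The function names and the sample frame are constructed; the stripped identifiers are returned as metadata so the context is not lost.

```python
import struct

VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad (QinQ)
VXLAN_PORT = 4789              # IANA-assigned VXLAN UDP port

def strip_vlan(frame):
    """Remove all stacked VLAN tags; return (frame, [vlan ids, outermost first])."""
    vids = []
    while len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] in VLAN_TPIDS:
        vids.append(struct.unpack("!H", frame[14:16])[0] & 0x0FFF)
        frame = frame[:12] + frame[16:]
    return frame, vids

def strip_vxlan(frame):
    """Return (inner frame, VNI) for Ethernet/IPv4/UDP/VXLAN, else (frame, None)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return frame, None
    udp = 14 + (frame[14] & 0x0F) * 4            # honour the IPv4 header length
    if len(frame) < udp + 16:
        return frame, None
    dport = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
    if dport != VXLAN_PORT or not frame[udp + 8] & 0x08:  # 0x08 = VNI-valid flag
        return frame, None
    return frame[udp + 16:], int.from_bytes(frame[udp + 12:udp + 15], "big")

def deliver(frame):
    """What the tool port receives: the innermost untagged frame plus metadata."""
    frame, outer_vlans = strip_vlan(frame)
    frame, vni = strip_vxlan(frame)
    frame, inner_vlans = strip_vlan(frame)
    return frame, {"outer_vlans": outer_vlans, "vni": vni, "inner_vlans": inner_vlans}

def constructed_sample():
    """Constructed frame: VLAN 20 / IPv4 / UDP 4789 / VXLAN VNI 5001 / VLAN 100 / inner."""
    inner = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + b"INNER-IP-PACKET"
    tagged = inner[:12] + struct.pack("!HH", 0x8100, 100) + inner[12:]
    vxlan = struct.pack("!B3x", 0x08) + (5001).to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vxlan) + len(tagged), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(vxlan) + len(tagged),
                     0, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    outer = b"\x06" * 6 + b"\x08" * 6 + struct.pack("!HH", 0x8100, 20) + b"\x08\x00"
    return outer + ip + udp + vxlan + tagged, inner
```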
Application and threat intelligence
Early detection of breaches mitigates the loss of sensitive information and the ultimate cost. Context-aware visibility that NPBs deliver can expose indicators of compromise, identify the geolocation of attack vectors, and combat encrypted threats.
Application intelligence extends beyond Layers 2 through 4 (of the OSI model) to Layer 7 (the application layer) of the packet data. Creating and exporting rich data about the behavior and location of users and applications helps thwart application-layer attacks featuring malicious code masquerading as normal data and valid client requests.
Application-aware visibility also has profound implications for performance and management. Maybe you would like to know when employees are using cloud-based services such as Dropbox or web-based email to bypass security policies and transfer company files. Perhaps former employees are attempting to access files using personal cloud-based storage services.
Content powered by Ixia