WHITE PAPER
915-6687-01 Rev. A, July 2015
www.ixiacom.com

Ixia's Inline Security Framework
Maximize Your Security Resilience with Easy-to-Manage Inline Visibility Solutions


Table of Contents

Maximize Your Security Resilience with Easy-to-Manage Inline Visibility Solutions
Executive Summary
Introduction
The Early Days
Traditional Inline Security Deployments
The Ixia Inline Security Framework


Executive Summary

Today’s threat landscape demands multiple proactive security systems throughout the network for a strong, layered security posture. These proactive security devices, like firewalls, next-gen firewalls, web-application firewalls and intrusion prevention systems (IPSs) all require inline deployment in the network. But the introduction of multiple inline security systems raises concerns and questions about network uptime, performance, operational ownership, security flexibility, and overall costs.

Ixia’s Inline Security Framework is an industry-proven solution for deployment of multiple inline security tools that improves overall network availability, performance, and operational functions, while providing greater security flexibility and resilience, and lowering overall costs and personnel workloads.



Introduction

Security is increasing in both importance and complexity in the world of IT, which is driving research and investment across the globe to outpace attackers’ inventive ways of penetrating networks. Ixia has over a decade of experience helping our customers stay ahead of the security curve, maximizing security while helping keep network security costs under control.

The Early Days

Security has been one of the most rapidly evolving aspects of IT since the first firewalls emerged in the late 1980s. These single devices quickly moved from basic packet filtering to stateful inspection and in the early 1990s became application-aware. Today, we still rely on application-aware firewalls, many of which are now called Next Generation Firewalls (NGFW) as they provide deeper and wider application awareness and security.

Figure 1: Inline security started with a simple firewall deployment

While firewalls are great at protecting against many attacks that can be detected via policy, application, and session information, there are many attacks that have emerged in the last 20 years that circumvent such protections. These firewalls are typically deployed in critical points of the network where data security is most needed, usually at boundaries between internal and external networks, campuses and data centers, or private and public clouds. To keep things simple, we will focus our discussion on the network edge use case where the private and public networks meet, though most of these concepts apply in all use cases.

In the ever-changing battle between IT security and hackers, networks need the protection of additional tools beyond the firewall, many of which need to be inline to actively filter traffic. In the next section we will look at some common tools and the deployment challenges that come with them.

Traditional Inline Security Deployments

As security needs have become more diverse, the tools to defend networks and applications have expanded as well. This results in the need to deploy multiple tools inline, typically in a serial fashion, to cover threats that no single device addresses on its own.

Figure 2: Inline security now requires multiple specialized tools to secure the network.


Let’s take a quick look at some of the tools that are commonly found inline in the blue box shown above. This will not only provide familiarity with their functions, but will also give a feel for how they work together to secure the network.

• Firewall: The security tool with which most IT generalists are familiar, firewalls control incoming and outgoing traffic based on rule sets, signatures, and security policy. This is often done from packet header information. Due to ubiquity and high familiarity with this term, many firewall companies are building in additional capabilities to enable some functions from other security devices in this list.

• Web App Firewall: This applies a set of rules to an HTTP conversation that covers many attacks aimed at web apps, such as cross-site scripting (XSS) and SQL injection, but does not provide the general protection offered by a traditional firewall.

• Intrusion Prevention System (IPS): An IPS monitors and blocks malicious activity on the network, often monitoring both header and payload information in packets while looking for signatures or known events.

• Intrusion Detection System (IDS): The IDS monitors network or system activities for malicious activities or policy violation and reports (but does not block) that traffic. IDSs monitor both header and payload information. While often deployed out-of-band, they can function inline in some instances.

• Data Loss Prevention systems: Data loss prevention systems monitor communications for intentional or unintentional loss or disclosure of confidential information. These systems often integrate with email or other communication systems and search out confidential information such as customer credit card numbers or Human Resources compensation details.

• Anti-virus and anti-malware: Network-based anti-virus and anti-malware gateways centralize IT policy enforcement. They block suspect or unapproved applications, and scan permitted application traffic (downloads, attachments, web content) against known virus and malware signatures before that traffic reaches clients or servers.

• SSL/TLS Decryption: Much of the data going through an inline security solution will be encrypted, and many of these security tools require access to the plaintext to be effective. Decryption devices terminate or intercept the TLS session, send the decrypted traffic through the tools above, and re-encrypt it for onward transport across the network. Doing this requires the server's private key for inbound traffic to your own servers, or an internal CA that the clients trust for outbound traffic, and the decrypted segment between the decryptor and the tools must itself be protected as a sensitive zone.

• Out-of-Band Access: Many customers deploy a tap or SPAN port in this portion of the network to allow out-of-band tools to inspect traffic in this zone. Common tools used out-of-band are IDS, forensics, or application performance tools.

Based on the above you can see how thousands of networks around the world have matured to the point where they have multiple inline security devices deployed to protect their data. They often feed these devices into a security information and event management (SIEM) system to gain an overall view of their security status. The good news is that there are many security products available to harden a network. However, several challenges come into play when deploying these security tools at critical junctures of the network.

[Figure 2, tool chain in the blue box: Firewall -> WAF -> IPS/IDS -> Data Loss Prevention System -> A/V and Anti-Malware -> SSL/TLS Decryption]


Network Availability

With several tools inline, one after the other, the cumulative mean time between failure (MTBF) and maintenance needs of the tools start to have a negative effect on availability at the system level. For devices in series the failure rates add, so the reciprocal of the system MTBF is the sum of the reciprocals of the individual MTBFs. For example, if you had four security devices inline with MTBFs of 20,000 hours, 10,000 hours, 15,000 hours, and 30,000 hours, the total system MTBF is 4,000 hours, significantly less than that of any one component. In addition to MTBF, which usually accounts only for hardware design, each of these systems will need maintenance, upgrades, and configuration changes, which take it out of the network and necessitate system-wide maintenance windows.

Performance

With many tools in the data path, the slowest tool becomes the bottleneck for the overall system. This means that a fairly minor speed upgrade to an Internet connection can necessitate expensive security upgrades to handle the new traffic volume. Additionally, adding application-level security rules to these tools can reduce their scanning throughput.

Operational Ownership

Edge security deployments create an organizational challenge, as the security tools have a direct impact on network performance and availability. This can make ownership of updating, maintenance windows, and adds/changes a complex coordination between teams with competing priorities of security, availability, and performance.

Security Flexibility

If security tools are directly inline with critical network traffic, teams can be constrained by network requirements such as maintenance windows, change review boards, and performance overhead based on anticipated attacks.

Overall Costs

Inline tools must also be upgraded to match network speeds and new attack profiles, so that distributed denial of service (DDoS), bandwidth amplification, and other attacks do not cripple the network. Unfortunately this often results in shortened lifecycles for security tools and in forklift upgrades as capacity needs increase.


The Ixia Inline Security Framework

The Ixia Inline Security Framework uses bypass switch and packet broker technology to create a high availability zone in the network, where inline security tools can be deployed for optimal availability, security, and flexibility. Data enters from the “red” or untrusted network and is sent via the bypass switch up to the network packet broker (NPB), which aggregates traffic, load balances it across security tools, and provides application-level filtering to improve tool utilization. The data is then sent back through the bypass switch and on to the network.

Figure 3: Ixia’s Inline Security Framework maximizes security, performance, and flexibility of inline security solutions

The key components of this design are a bypass switch with advanced heartbeat monitoring capabilities, and an application-aware NPB, such as Ixia’s Net Tool Optimizer™ (NTO) family or the Ixia xStream™. The bypass switch is a very simple device that provides fail-safe access to network traffic for the security tools. The primary benefits of this switch are that it is very highly available and can fail open or fail closed, based on policy or manual changes, when needed for maintenance or testing: fail open keeps the link up by passing traffic around the tools uninspected, while fail closed stops forwarding so that nothing transits without inspection. Which policy is right depends on whether availability or inspection matters more for that link, and time spent in fail-open should be alarmed as an uninspected window. Additionally, bypass switches can be configured with advanced heartbeat monitoring to maximize availability and security.
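The heartbeat-driven fail-open/fail-closed behaviour described above, as an added example; this is not Ixia's bypass-switch firmware. The switch injects a probe into the tool path every interval; if a run of probes does not come back it moves the link to bypass (fail open) or takes it down (fail closed), and re-inserts the tools only after a longer run of good probes. The thresholds, the hysteresis, and the heartbeat timeline are assumptions.

```python
"""Heartbeat-driven bypass decision for an inline tool path.

Added example, not Ixia's implementation. The miss/recover thresholds
and the sample heartbeat timeline are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Policy(Enum):
    FAIL_OPEN = "fail_open"      # on tool-path failure, forward traffic uninspected
    FAIL_CLOSED = "fail_closed"  # on tool-path failure, stop forwarding


class State(Enum):
    INLINE = "inline"   # traffic goes through the tool path
    BYPASS = "bypass"   # tool path skipped, traffic forwarded directly
    DOWN = "down"       # link held down (fail-closed)


@dataclass
class BypassSwitch:
    policy: Policy
    miss_threshold: int = 3      # consecutive missed heartbeats before failing over
    recover_threshold: int = 5   # consecutive good heartbeats before re-inserting tools
    state: State = State.INLINE
    misses: int = 0
    hits: int = 0
    log: List[Tuple[int, str]] = field(default_factory=list)  # what you would ship to the SIEM

    def heartbeat(self, returned: bool, t: int) -> State:
        """Process one interval; returned=True if the probe came back through the tools."""
        if returned:
            self.misses = 0
            self.hits += 1
        else:
            self.hits = 0
            self.misses += 1

        if self.state is State.INLINE and self.misses >= self.miss_threshold:
            self.state = State.BYPASS if self.policy is Policy.FAIL_OPEN else State.DOWN
            self.log.append((t, f"tool path lost {self.misses} heartbeats -> {self.state.value}"))
        elif self.state is not State.INLINE and self.hits >= self.recover_threshold:
            self.state = State.INLINE
            self.log.append((t, f"tool path healthy for {self.hits} heartbeats -> inline"))
        return self.state

    def forwards_traffic(self) -> bool:
        return self.state in (State.INLINE, State.BYPASS)

    def inspects_traffic(self) -> bool:
        return self.state is State.INLINE


def run(policy: Policy, timeline: str) -> List[str]:
    """Feed a constructed timeline ('.' = probe returned, 'x' = missed); return state per tick."""
    sw = BypassSwitch(policy)
    return [sw.heartbeat(ch == ".", t).value for t, ch in enumerate(timeline)]


if __name__ == "__main__":
    # Constructed timeline: a short blip, then a real outage, then recovery.
    timeline = "..xx.xxx......."
    for policy in Policy:
        print(policy.value, " ".join(run(policy, timeline)))
```

Two practical notes. The probe must take the same path as production traffic (same port pair and VLANs through every tool), because a tool that has stopped forwarding but still answers a management ping would otherwise look healthy. And the lower miss threshold with a higher recover threshold is deliberate: it fails over quickly but does not flap back and forth on an intermittent tool.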

The NPB provides for advanced control of traffic as it traverses the security tools—control which is impossible in traditional deployments. In addition to low latency and easy management, here are a few key functions of the NPB in inline security deployments:

• High availability: The NPB must be deployable in a high availability (HA) architecture to ensure availability of the security tools.

• Aggregation: NPBs can aggregate traffic from multiple sources to a tool farm.

• Load Balancing: Network traffic can be spread across multiple security devices; extending current tool investments over time to increase capacity is more seamless and cost-effective.


• Traffic Filtering: Traffic can be sent either through or around security tools as needed without any packet drops. This makes adds/removes/changes to any security tool an event that no longer needs to impact network availability or wait for maintenance windows.

• Application Filtering: Application-level filtering allows for significant flexibility in maximizing security effectiveness and cost savings. For example, if social media or YouTube traffic is slowing down tools that do not need to inspect this traffic, the NPB can “skip” these tools. Or, if the NPB sees unusual traffic, it can be routed to security tools for further analysis using API integration.

• Duplication for out-of-band access: Network traffic can be duplicated for out-of-band analysis by application performance, IDS, forensics, or other tools without interrupting inline traffic.

This framework has many significant advantages over traditional inline deployment, as it provides major improvements in the key challenge areas identified above.

Network Availability

Simply using the bypass switch inline greatly improves system MTBF, as the switch leaves fewer devices directly inline and gives increased control over failover events.

Performance

The ability to reduce load on slower tools and load balance across multiple tools offers many more options for improving performance in the security zone.

Operational Ownership

This is greatly simplified by the bypass switch becoming the only truly inline device. Now, the network team can focus on their priorities, while the security team has a dedicated area optimized for security in which adds/removes/changes can no longer impact the network and security patches can be rapidly applied.

Security Flexibility

New tools can be deployed, patches applied, or troubleshooting done without impacting the rest of the network. Many customers now find that A/B testing in the live network is much easier with this framework as well.

Overall Costs

Costs are greatly reduced as current tools can have extended life spans and upgrades can be carried out in a more granular fashion. The team is also spending less time in coordination and planning, which optimizes team efficiency. Several customers have saved so much on other costs that budget is freed up to purchase stand-by security tools and further increase availability and scalability as needed.


Ixia’s decade of history in inline security also provides several key capabilities to this deployment which are not available elsewhere in the industry. Ixia’s inline solution separates the key inline component, the bypass, for maximum reliability and availability. The NPBs provide application and geography-based traffic filtering to greatly increase control over traffic, and offer the most powerful user interface available. Ixia's solution also offers very low latency versus other NPBs on the market, ensuring maximum performance.

Summary Chart

Capability                            Basic Firewall       Traditional Inline        Ixia Inline
                                      Deployment           Security Deployment       Security Framework
Basic Security                        Yes                  Yes                       Yes
Robust Security                       No                   Yes                       Yes
Network Availability                  Average              Reduced                   High Availability
Performance                           Average              Average                   Granular Control
Add/Remove/Change Impact to Network   Scheduled Downtime   Scheduled Downtime        Little/None
Organizational Alignment              Simple               Complex                   Simple
ROI                                   Standard             Slow                      Rapid
Scalability                           Limited              Good (but expensive)      Very High

Comparison of Inline Security Approaches


Ixia Worldwide Headquarters
26601 Agoura Rd.
Calabasas, CA 91302
(Toll Free North America) 1.877.367.4942
(Outside North America) +1.818.871.1800
(Fax) 818.871.1805
www.ixiacom.com

Ixia European Headquarters
Ixia Technologies Europe Ltd
Clarion House, Norreys Drive
Maidenhead SL6 4FL
United Kingdom
Sales +44 1628 408750
(Fax) +44 1628 639916

Ixia Asia Pacific Headquarters
101 Thomson Road, #29-04/05 United Square, Singapore 307591
Sales +65.6332.0125
Fax +65.6332.0127