A major airport was recently shut down due to a security violation. A man rushed into the terminal through an exit-only passage and blended into the crowd before the security guard could stop him. Worse still, the security guard did not get a good look at the man and could not pick him out among all the other people. Fortunately, the airport had recently purchased the latest image-based security software. This software included sophisticated face recognition along with software designed to identify other characteristics of a person and match these characteristics to live images. The airport was prepared for this sort of security violation. All they had to do was engage a pre-configured profile and let the software go to work. In short order, they would have the intruder identified, isolated, and – with a quick call and some instructions to the security guards – apprehended.
There was only one small problem. The airport had spent hundreds of thousands of dollars on sophisticated software but never took into account the data capture infrastructure, which in this case was the cameras. Many of the cameras were broken or had such poor image quality that the software could not zero in on any characteristics. Some cameras were working but rotated across so many different areas of the airport that they were pointing in the wrong direction at the wrong time. Compared to the cost of the software, cameras were inexpensive. The airport had spent considerable time and money selecting and deploying the analysis software but put forth scant effort on the devices that would actually capture the precious data. The foundation of this security system was the data capture infrastructure.
This sounds like a careless mistake in airport security, yet this sort of error occurs regularly in network security. IT managers spend an enormous amount of time and budget on software analysis tools, and well they should. These tools are critical for preventing network security breaches, and when a breach does take place, they are absolutely essential in preventing a subsequent occurrence. However, these expensive and critical tools are often sub-optimized because little consideration is given to the data capture infrastructure that feeds them.
Data capture infrastructure refers to the method by which data on a network is copied in service of the network analysis tool. And it is more than just copied. A copied data stream may be aggregated, regenerated, and filtered with the goal of optimizing the efficiency of the analysis tool or probe. The data capture infrastructure is the foundation that supports network security. A faulty or haphazard foundation leads to unreliable network security.
The two fundamental elements of data capture infrastructure are the TAP and the SPAN port. Most organizations will use a combination of TAPs and SPANs, but the TAP is preferred. The TAP offers a view of the traffic on the link itself, as opposed to the traffic passing through a switch or router. A network element is designed to move packets, not to copy them, so a SPAN port is easily misconfigured and its mirroring is superseded when the CPU is stressed with other, more important tasks. TAPs form a purpose-built network whose sole purpose is copying data for analysis.
Moving beyond the TAP or SPAN, data capture infrastructure can be designed to significantly enhance the efficiency of network security. Three powerful capabilities can be used:
These essential functions can be used in combination and can be performed on a single data capture infrastructure device. These functions are performed in hardware so they can be done reliably at line rate. This approach is highly complementary to the software-based approach performed by the analysis tool.
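The three operations named above (aggregate, regenerate, filter) and the SPAN oversubscription problem described earlier can be made concrete with a small model. The following Python is an added example, not code from the article or from any capture-device vendor: the packet records, feed names, tool names and link speeds are all constructed for illustration, and the model only reproduces the arithmetic of the capture layer, not the behaviour of any real TAP or switch.

```python
"""Model of a data capture layer: aggregate, filter, regenerate, and a
check for SPAN oversubscription. Constructed example, not the article's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds (constructed)
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    length: int    # bytes on the wire


# Constructed sample traffic: what the two monitor ports of a full-duplex TAP
# hand the analyst, one feed per direction of the link. Not real capture data.
TAP_AB = [
    Packet(0.001, "10.0.0.5", "192.0.2.10", "tcp", 443, 1400),
    Packet(0.003, "10.0.0.5", "192.0.2.10", "tcp", 443, 1400),
    Packet(0.004, "10.0.0.7", "192.0.2.53", "udp", 53, 80),
]
TAP_BA = [
    Packet(0.002, "192.0.2.10", "10.0.0.5", "tcp", 52311, 60),
    Packet(0.005, "192.0.2.53", "10.0.0.7", "udp", 61000, 120),
]


def aggregate(*feeds):
    """Merge several feeds into one stream ordered by timestamp, as an
    aggregator does when it recombines both directions of a tapped link."""
    return sorted((p for feed in feeds for p in feed), key=lambda p: p.ts)


def make_filter(protos=None, dports=None):
    """Build a predicate that keeps a packet only if it matches every
    criterion given (None means 'do not filter on this field')."""
    def keep(pkt):
        proto_ok = protos is None or pkt.proto in protos
        port_ok = dports is None or pkt.dport in dports
        return proto_ok and port_ok
    return keep


def filter_stream(stream, keep):
    """Drop packets the tool does not need before they reach it."""
    return [p for p in stream if keep(p)]


def regenerate(stream, tools):
    """Hand every tool its own complete, independent copy of the stream."""
    return {tool: list(stream) for tool in tools}


def offered_load_mbps(feeds, window_s):
    """Megabits per second the feeds offer to a tool port over a capture window."""
    total_bits = sum(p.length * 8 for feed in feeds for p in feed)
    return total_bits / window_s / 1e6


def span_offered_mbps(monitored):
    """A SPAN/mirror session copies BOTH directions of every monitored port into
    one destination port, so the offered load is the sum of rx + tx per port."""
    return sum(rx + tx for rx, tx in monitored)


def oversubscription(offered_mbps, port_mbps):
    """How much of the offered load a single destination port cannot carry.
    Returns (dropped_mbps, dropped_fraction); anything above zero means the
    analysis tool is working from an incomplete picture of the traffic."""
    dropped = max(0.0, offered_mbps - port_mbps)
    fraction = dropped / offered_mbps if offered_mbps else 0.0
    return dropped, fraction


if __name__ == "__main__":
    stream = aggregate(TAP_AB, TAP_BA)
    wanted = filter_stream(stream, make_filter(dports={443, 53}))
    copies = regenerate(wanted, ["ids", "forensics"])
    print(f"{len(stream)} packets aggregated, {len(wanted)} kept after filtering,")
    print(f"delivered to {sorted(copies)}")
    # Six access ports each carrying 300 Mbps in and 200 Mbps out, mirrored to
    # a single 1 Gbps SPAN destination port (constructed figures).
    offered = span_offered_mbps([(300, 200)] * 6)
    dropped, frac = oversubscription(offered, 1000)
    print(f"SPAN offered {offered} Mbps, drops {dropped} Mbps ({frac:.0%})")
```

The oversubscription check applies to TAP aggregation as well: a full-duplex 1 Gbps link can carry up to 2 Gbps combined, so feeding both directions into a single 1 Gbps tool port can also drop packets under load. Filtering before regeneration, as the pipeline above does, is the usual way to keep the offered load within the tool port's capacity.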
Before deploying a network security analysis tool, take the time to consider the foundation on which that tool will rest. That foundation is the data capture infrastructure. It should be purpose-built and designed to optimize the function of the analysis tool. IT