Rethinking the Approach to Real-time Network Security - Part Two

In part one of this article, we learned how cloud computing, big data analysis and mobility are three recent trends in the IT industry that, while improving the efficiency and effectiveness of digital services, have also generated significant threats to network security. Here we will take a look at new ways to utilize existing technologies and consolidate multiple functions to provide a holistic view of the network.

Securing the Network Step-by-step

Most networks already have network or application performance monitoring appliances installed. These are capable of providing real-time information on network and application usage.

By collecting and analyzing this data, it is possible to build a profile of usage over time. This is a type of network behavior analysis that can provide insight into typical traffic flows and application usage at different times of the day and days of the year.

Monitoring the network in real-time can help detect anomalies. An example could be an increase in traffic between two nodes that do not normally communicate with each other. This can be the first sign of an attack and at the very least demands closer scrutiny.

As mentioned earlier, traffic flows are likely to change and real-time monitoring in this way can provide the first signs that a new traffic flow profile is being established and that there is potentially a need for extra bandwidth, or a need to provide increased security at these points in the network. Big data analysis, in particular, could result in critical data being transported over network links that are not normally protected or have limited bandwidth. Real-time monitoring helps to identify these needs early, allowing action to be taken before it affects customer service level agreements.

Introducing Security Information and Event Management (SIEM) as a concept on top of this network behavior monitoring, allows correlation of information from the various network security appliance solutions with network behavior information. With SIEM, network behavior anomalies can be compared against information from network security appliances to identify if an attack is underway or not.

If network security appliances cannot provide confirmation, then the attack could potentially be a zero-day threat, which has not been seen before and has evaded detection. With this real-time information it is possible to react immediately to take the necessary actions to limit the extent of the attack.

Conversely, the network security appliance can indicate that an attack is taking place, but the network behavior analysis indicates that no anomalies are seen in the network. This could be an indication of a false positive in the network security appliance, which can occur, often to the irritation of users who cannot understand why their legitimate transaction is not being processed.

Rethinking Network Security Appliance Design

By thinking holistically, we can begin to see network security in a new light. Network security products today are functionally focused with different appliances providing different functions that in combination provide increased security. For example, network security solutions would normally comprise a firewall, Intrusion (News - Alert) Detection or Prevention System (IDS/IPS), a web and/or email security gateway, Data Loss Prevention (DLP) system and other more focused network security appliances.

We have seen a desire to consolidate this functionality into one appliance with Universal Threat Management (UTM) appliances and recently Next-Generation Firewalls. There are also vendors with “software blade” concepts that allow different types of security functionality to be introduced on the same platform on an as-needed basis.

What is important is the ability to introduce the functionality needed as quickly and easily as possible at different locations in the network in line with shifts in traffic profiles. It is therefore advantageous if the functionality in some way can be disassociated from the underlying hardware allowing multiple functions to be introduced at the same location or easily moved.

In short, what is required is a universal hardware platform that is capable of supporting multiple functions, but can be scaled independently of functionality, in-line with network speeds and loads.

Standard Servers Rising to the Task

Standard servers are now in a position to support the need for a universal hardware platform and can today support up to 100 Gbps of throughput. The strong roadmaps of leading server CPU vendors promise annual improvement in performance by as much as 60 percent. This, combined with the fact that these vendors are also some of the first to adopt new manufacturing geometries, makes it very hard to compete with this kind of roadmap.

With standard servers, performance can be scaled on a per CPU core basis. This means that if the network security application is designed for multi-threaded performance on standard server architecture, then it is possible to improve performance by adding more CPU cores to the server. If that is not enough, then it is possible to port the application to a newer server with more powerful CPU cores.

Using standard servers effectively de-couples the network security application from the underlying hardware allowing scalability and flexibility.

However, to reap these benefits, it is also important to have the right data input/output solution.

Assuring Monitoring and Analysis Performance

Today, intelligent network adapters have been designed for applications that need to monitor and analyze large amounts of data in real-time. This includes the network and application performance appliances needed to understand network behavior, but also many network security appliances. This is because these appliances face some of the same challenges of analyzing large amounts of data in real-time in an effective way.

There are basically two deployment modes for network security appliances that need to be considered. Many appliances are deployed in an off-line, passive mode where data is captured in real-time for analysis. An example of this type of security appliance is an Intrusion Detection System (IDS). The second kind of deployment is in-line where the appliance is receiving traffic, analyzing the traffic in real-time and then transmitting the traffic onwards. An example of this type of appliance is an Intrusion Prevention System (IPS), which provides the same functionality as an IDS, but has the capability to block traffic immediately.

For Data Loss Prevention (DLP) appliances, there are examples of appliances that can be deployed in a passive off-line mode and others that are deployed in-line.

By implementing intelligent network adapters for off-line and in-line modes, including bypass options for in-line deployments that receive data at full line-rate even when network links are fully loaded, network managers have the ability to identify flows up to layer 4 including tunneled fragmented traffic. These flows can then be intelligently distributed to the various CPU cores in the server.

With this capability, it is possible to develop multi-threaded network security applications that can run on the multiple powerful CPU cores available in the standard server. Today, network security appliance vendors are implementing various products, such as IDS/IPS, DLP, Secure Web Gateways and other security solutions using this approach.

Consolidating Multiple Functions

Not all links in the network need to run at 10 Gbps, though more consolidation of services in larger data centers will drive higher data loads and network speeds. Nevertheless, there will be opportunities to combine functionality into a single physical server. This can be driven by a need to offer multiple functions at one location, but can also be driven by a need to scale an analysis application to higher network speeds, where the application software is not capable of handling this amount of data today. In this case, multiple instances can be run simultaneously on the same server.

Through this technology, intelligent network adapters are able to support these consolidation cases by providing data merging and sharing capabilities. Data from multiple ports on multiple network adapters can be merged into a single analysis stream that can then be shared amongst multiple applications. The stream is shared and not replicated, which allows this solution to be used in high speed, high data load environments.

As mentioned earlier, the data stream can be intelligently distributed to multiple CPU cores based on the type of traffic detected. However, it can also be load balanced providing an equal load to each CPU core.

This approach allows multiple simultaneous applications to run on the same server and lends itself to the “software blade” approach of offering optional application packages.

Another option is to virtualize application software. In this case, each application can be run in its own virtual machine. The advantage of this approach is that application software from various appliances with different environments and operating systems can be run on the same server, with each application seeing an environment that is familiar despite the fact that it is now running on a new server. This is very useful in porting existing solutions to a consolidated server.

By using standard servers, we thus de-couple the generic hardware from the application-specific software allowing new combinations of functionality in a more modular fashion that lends itself well to the increasingly dynamic nature of networks that we expect to see in the near future.

Think Holistically and Re-Think Specifically

It is possible to build a highly responsive network security solution by using all the appliances at our disposal, and the information they provide, in a more holistic fashion. Using SIEM as a driving concept, it is possible to provide a correlation of network behavior information with information from security appliances to build an accurate picture of what is happening in real-time. This enables the ability to respond immediately to any anomalies detected.

By ensuring that each individual appliance has the capacity to handle the data load and speeds, OEM vendors can ensure that these appliances are available and are providing actionable information. By basing development of these appliances on standard servers with intelligent network adapters, it is possible to take advantage of strong roadmaps to keep up with increasing data loads and speeds.

About the Author

Daniel Joseph Barry (News - Alert) is VP of Marketing at Napatech and has over 20 years experience in the IT and Telecom industry. Prior to joining Napatech in 2009, Dan Joe was Marketing Director at TPACK (News - Alert), a leading supplier of transport chip solutions to the Telecom sector. He has an MBA and a BSc degree in Electronic Engineering from Trinity College Dublin.