Data Masking with Ixia’s ATI Processor
Today I’d like to talk about a really useful feature we recently introduced in Ixia’s ATI Processor (ATIP), available in the new Vision ONE platform. The new feature is called Data Masking, and it’s very useful if you need to record network data without recording sensitive data. For example, you may have compliance requirements that preclude your storage of PII (Personally Identifiable Information) for HIPAA, PCI, or even internal best-practices guidelines. With Data Masking, we overwrite the sensitive data with your choice of characters.
As with all features we take on, we aren’t content to just offer a feature if it’s merely functional – with all products in Ixia’s IxVision architecture, we focus on usability and efficiency. This means that for most common data masking scenarios, it’s just point-and-click; you don’t have to do any scripting or write any regular expressions or complicated code. We’ll pinpoint the applications you’re interested in and forward the relevant flows with the desired data obfuscated.
We’ve added a new Data Masking panel as part of our newly enhanced UI for the ATI Processor, shown here:
How It Works
In my first example, I’ll focus on the Payload Masks. As you can see in the above screen shot, we’ve provided predefined matches for many common examples of PII – email addresses, Social Security numbers, and popular credit cards. Of course, if you need something else, you can just click on “New Payload Mask” and define a new one, but we’ve tried to tackle most common cases for you.
Note that there are two columns with digits for Mask Start and Mask End offset. These settings let you decide how many digits from the start or end of the target string to leave unaltered. When you get a credit card receipt at a restaurant, it typically has all but the last four or five digits overwritten with hash marks, so you can verify which of your credit cards you used for a transaction, but someone who finds the receipt can’t read your entire credit card number. The Offset settings do exactly the same thing.
In this example, I’ve run a simple e-commerce transaction through the ATI Processor with Data Masking enabled for Visa credit card numbers. I used Visa number 4123456789123456, as you can see in Wireshark display of the original PCAP:
Here’s a PCAP of the same exchange run through the ATI Processor, configured to mask all but the last 4 digits:
As you can see, the Visa credit card number was correctly matched and overwritten, so it could be safely recorded without exposing any sensitive customer information. If you’d like to set this up yourself, use this .bpt file with BreakingPoint to generate simple web transactions with credit card numbers.
But we didn’t stop with just payload masking. As you can see in the UI screen shot above, we added support for point-and-click overwriting of Layer 2-4 headers. In this example, I’ve enabled masking for the L2 header, starting at offset 6 with length 6 to hide the original source address. Here’s the original packet:
And the same packet with the L2 Data Masking rule applied:
As you can see, the source MAC address has been overwritten. I can even combine multiple masks in the same ATIP filter, overwriting both packet header and payload, and I can have multiple Data Masking operations active at the same time – e.g., enabling me to hide email addresses in SMTP connections and credit card numbers in e-commerce transactions.
We think our customers will find the simplicity and power of the new Data Masking feature as useful as it is user-friendly, and we look forward to your suggestions for new features or feature write-ups.
If you have a question or suggestion about the ATI Processor, feel free to reach me at firstname.lastname@example.org or @swregister on Twitter.